Skip to content
Find out how we support MDR.

Malwarebytes Endpoint Protection

Log collector

This feature might not be available for all customers yet.

You can integrate Malwarebytes Endpoint Protection with Sophos Central so that it sends data to Sophos for analysis.

This integration uses a log collector hosted on a virtual machine (VM). Together they're called an appliance. The appliance receives third-party data and sends it to the Sophos Data Lake.


You can add multiple instances of Malwarebytes Endpoint Protection to the same appliance.

To do this, set up your Malwarebytes Endpoint Protection integration in Sophos Central, then configure one instance to send logs to it. Then configure your other Malwarebytes Endpoint Protection instances to send logs to the same Sophos appliance.

You don't have to repeat the Sophos Central part of the setup.

The key steps are as follows:

  • Configure an integration for this product. This configures an image to use on a VM.
  • Download and deploy the image on your VM. This becomes your appliance.
  • Configure Malwarebytes Endpoint Protection to send data to the applianceappliance.


Appliances have system and network access requirements. To check that you meet them, see Appliance requirements.

Configure an integration

To integrate Endpoint Protection with Sophos Central, do as follows:

  1. In Sophos Central, go to Threat Analysis Center > Integrations > Marketplace.
  2. Click Malwarebytes Endpoint Protection.

    The Malwarebytes Endpoint Protection page opens. You can configure integrations here and see a list of any you've already configured.

  3. In Data Ingest (Security Alerts), click Add Configuration.


    If this is the first integration you've added, we'll ask for details about your internal domains and IPs. See My domains and IPs.

    Integration steps appears.

Configure the VM

In Integration setup steps you configure your VM as an appliance to receive data from Endpoint Protection. You can use an existing VM, or create a new one.

To configure the VM, do as follows:

  1. Add a name and description for the new integration.
  2. Enter a name and description for the appliance.

    If you've already set up a Sophos appliance, you can choose it from a list.

  3. Select the virtual platform. Currently we support VMware ESXi 6.7 Update 3 or later and Microsoft Hyper-V 6.0.6001.18016 (Windows Server 2016) or later.

  4. Specify the IP settings for the Internet-facing network ports. This sets up the management interface for the VM.

    • Select DHCP to assign the IP address automatically.


      If you select DHCP, you must reserve the IP address.

    • Select Manual to specify network settings.

  5. Select the Syslog IP version and enter the Syslog IP address.

    You'll need this syslog IP address later, when you configure Endpoint Protection to send data to your appliance.

  6. Select a Protocol.

    You must use the same protocol when you configure Endpoint Protection to send data to your appliance.

  7. Click Save.

    We create the integration and it appears in your list.

    In the integration details, you can see the port number for the appliance. You'll need this later when you configure Endpoint Protection to send data to it.

    It might take a few minutes for the VM image to be ready.

Deploy the VM


If you're using ESXi, the OVA file is verified with Sophos Central, so it can only be used once. If you have to deploy another VM, you must create an OVA file again in Sophos Central.

Use the VM image to deploy the VM. To do this, do as follows:

  1. In the list of integrations, in Actions, click the download action for your platform, for example Download OVA for ESXi.
  2. When the image download finishes, deploy it on your VM. See Deploy a VM for integrations.

Configure Endpoint Protection

Endpoint Protection gets event data and forwards it as follows:

  • Endpoints report threat detection, quarantine, and other events to Malwarebytes Endpoint Protection.
  • A Malwarebytes syslog communicator endpoint pulls events from Malwarebytes Endpoint Protection.
  • The communication endpoint forwards events to syslog server in CEF format.

Your appliance acts as the syslog server.

Before you start

You need the following:

  • An active subscription or trial for one of the following Malwarebytes Endpoint Protection platform products:

    • Malwarebytes Endpoint Detection and Response
    • Malwarebytes Endpoint Protection
    • Malwarebytes Incident Response
  • The IP address of your appliance.

  • Network access between one of your Malwarebytes syslog communication endpoints and a SIEM or syslog server. TCP over port 514 is used by default.


  1. Go to Settings > Syslog Logging.
  2. Click Add > Syslog Settings.
  3. Fill in the following information about your appliance:

    • IP Address/Host: IP address or hostname of your virtual machine.
    • Port: Port on your virtual machine.
    • Protocol: Choose TCP or UDP protocol.

      You must enter the same settings you entered in Sophos Central when you added the integration.

    • Severity: Choose a Severity from the list. This determines the severity of all Malwarebytes events sent to syslog.

    • Communication Interval: Determines how often the communication endpoint gathers syslog data from the Malwarebytes server, in minutes.

    If the endpoint is unable to contact Malwarebytes, it buffers data from the previous 24 hours. Data older than 24 hours isn't sent.

  4. Click Save.

  5. Go to Endpoints.
  6. Click on your virtual machine.

In the Agent Information section you see the SIEM version number. This confirms the SIEM plugin is active on the endpoint.

The endpoint now sends data to your appliance. It should appear in the Sophos Data Lake after validation.

Change syslog settings

If you need to change your appliance, do as follows:

  1. Go to Settings > Syslog Logging.
  2. Click Remove to demote your virtual machine.
  3. Click Add to promote a new virtual machine. See the steps in the Configuration section.

You can temporarily demote a communication endpoint using the On/Off toggle. Temporarily demoting a communication endpoint can be useful when troubleshooting your syslog settings.