Overview
On Wednesday, June 18th, 2025, Addigy will release an update to the existing ThreatDown Malwarebytes Integration that will include two additional profiles. Please review the following information to understand the impact this may have on your devices.
MDM Profiles
These MDM Profiles are listed below; images of the profiles' contents are at the end of this article.
- Malwarebytes DNS Filtering - v1 (DNS Filtering Certificate Payload, DNS Proxy Filter, System Extension for DNS Proxy)
- Malwarebytes Malicious Web Access Control - v1 (System Extension for Web Protection -- UPDATE: We will not include the Content Filter Service for Web Protection to limit network disruptions.)
Impact
In certain conditions, users may receive a pop-up or may have an internet disruption. These profiles whitelist network and content filtering services from ThreatDown Malwarebytes.
NOTE: If your ThreatDown (Malwarebytes) OneView Policies are not enforcing Web Protection, no Network Filtering should be performed and, as a result, there should be no Network Disruption.
Also, if you are not using the DNS Filtering Add-On, the DNS Filtering Profile deployment will not impact you.
You can check this in ThreatDown (Malwarebytes) OneView by navigating to:
Malwarebytes > Configure > Policies > Default + Extras + > Protection Settings > Web Protection > Apple Logo > make sure it is not checked
Malwarebytes turned this setting off for everyone two weeks ago. So unless it was manually enabled, it should be off in your Malwarebytes Policy.
End users will still be required to approve the Content Filter through the Content Filter pop-up (we did not deploy the Content Filter, to prevent internet disruption):
If the Content Filter is allowed and the user cannot connect to the internet after allowing it, turn off the Security Extension and turn it back on (this is done in General > Login Items & System Extensions > Network and System Security Extensions):
Conditions
The conditions below are relevant if you had Web Protection enabled (ThreatDown enabled this setting and reverted it for all customers, but it may be turned off now; this should not impact any network connectivity), you still have Web Protection enabled, or you have the DNS Filtering Add-On enabled:
- User did not approve the previous Web Protection Prompt triggered by ThreatDown
  - In our testing, the user should see little impact. The Profiles should authorize the Extensions and Content Filter. If the Policy is not enforcing Web Protection, no Network Filtering should be performed.
- User did approve the previous Web Protection Prompt triggered by ThreatDown
  - In our testing, the user may see an internet disruption. The user will need to disable the content filter that was previously active. A screenshot showing where to find this is at the end of this article under Content Filter Check.
- Admin deployed an independent profile for whitelisting this profile.
  - In our testing, if there is a duplicate content filter, you would need to remove the duplicate. If there is an existing MDM Profile enforcing this, neither can be disabled and you must remove the duplicate profile enforcing the Content Filter you manually deployed. You can disable the Security Extensions, go into safe mode, to disable the duplicate content filter.
Solution
The profile we are deploying is the only method to whitelist this process outside of manual approval. Unfortunately, the rollout of the Web Protection Feature from ThreatDown Malwarebytes has caused an emergency deployment of this.
Alternatively, turn off Web Protection if it was manually enabled prior to the rollout. You should be able to turn it back on thereafter.
Artifacts
Additional artifacts for review are attached below.
MDM Profiles
Scripts
Below are scripts to help identify the state of your devices before this release.
System Extension Check
Check the status of the system extension:
One-Liner Command:
systemextensionsctl list | grep com.malwarebytes.ncep.engine.sys.ext
If it's running, it would output something similar to this:
* * GVZRY6KDKR com.malwarebytes.ncep.engine.sys.ext (5.6.0/5.6.0.589) Malwarebytes Engine [activated enabled]
Script:
#!/bin/bash
# Bundle ID of the Malwarebytes system extension
EXT_ID="com.malwarebytes.ncep.engine.sys.ext"
# -F matches the ID as a literal string, so the dots are not treated as wildcards
EXT_STATUS=$(systemextensionsctl list | grep -F "$EXT_ID")

if [[ -n "$EXT_STATUS" ]]; then
    # Present: check whether it has been activated and approved
    if echo "$EXT_STATUS" | grep -q "\[activated enabled\]"; then
        echo "✅ Malwarebytes system extension is active and enabled."
    else
        echo "⚠️ Malwarebytes system extension is present but not fully active/enabled."
    fi
else
    echo "❌ Malwarebytes system extension not found."
fi
Executed Result:
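A stricter version of the system extension check, added here as an example (not Addigy's or ThreatDown's script): it matches the bundle ID exactly, confirms the team ID shown in the sample output above, and reports the approval state. The function name `mb_sysext_state`, its result strings and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Addigy's script): classify the ThreatDown system extension
# from `systemextensionsctl list` output supplied on stdin.
EXT_ID="com.malwarebytes.ncep.engine.sys.ext"  # bundle ID from the article
TEAM_ID="GVZRY6KDKR"                           # team ID from the article's sample output

# Prints: enabled | pending:<state> | team-mismatch:<team> | absent
mb_sysext_state() {
    awk -v id="$EXT_ID" -v team="$TEAM_ID" '
    {
        # Find the field that equals the bundle ID exactly; a plain grep treats
        # the dots as wildcards and also matches longer look-alike IDs.
        for (i = 2; i <= NF; i++) if ($i == id) break
        if (i > NF) next
        found = 1
        # The state is the text inside the last [...] on the line.
        state = $0
        sub(/^.*\[/, "", state); sub(/\].*$/, "", state)
        # The team ID is the column just before the bundle ID. The two leading
        # "*" columns are blank when the extension is not enabled/active, so
        # a fixed column number would be wrong here.
        if ($(i - 1) != team)                  bad = $(i - 1)
        else if (state == "activated enabled") ok = 1
        else if (pend == "")                   pend = state
    }
    END {
        if (!found)         print "absent"
        else if (bad != "") print "team-mismatch:" bad
        else if (ok)        print "enabled"
        else                print "pending:" pend
    }'
}

# Constructed sample: an approved extension plus an older copy being removed.
sample_listing() {
    printf '*\t*\t%s\t%s (5.6.0/5.6.0.589)\tMalwarebytes Engine\t[activated enabled]\n' "$TEAM_ID" "$EXT_ID"
    printf '\t\t%s\t%s (5.5.0/5.5.0.1)\tMalwarebytes Engine\t[terminated waiting to uninstall on reboot]\n' "$TEAM_ID" "$EXT_ID"
}

sample_listing | mb_sysext_state
# On a Mac: systemextensionsctl list | mb_sysext_state
```

A `pending:activated waiting for user` result corresponds to a device where the prompt has not been approved and the profile has not yet authorized the extension.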
Content Filter Check
Check the status of the NCEP Web content filter extension:
One-Liner Command:
defaults read /Library/Preferences/com.apple.networkextension.plist 2>/dev/null | grep -A5 "com.malwarebytes.ncep.engine.host.app" | awk '/Enabled/ {print $3}' | sed 's/;//'
When it comes to .plist files, Apple typically uses 1 as enabled and 0 as disabled.
Script:
#!/bin/bash
# Read the network extension preferences and pull out the Enabled value
# for the Malwarebytes content filter host app
enabled=$(defaults read /Library/Preferences/com.apple.networkextension.plist 2>/dev/null | \
    grep -A5 "com.malwarebytes.ncep.engine.host.app" | \
    awk '/Enabled/ {print $3}' | sed 's/;//')

# Apple uses 1 as enabled and 0 as disabled
if [[ "$enabled" == "1" ]]; then
    echo "✅ Malwarebytes Web Content Filter is ENABLED."
else
    echo "❌ Malwarebytes Web Content Filter is DISABLED or not found."
fi
Checking using the Interface
Network > Content Filters (Expected after deployment—EDR, MWAC, DNS Filtering):
Duplicate Content Filters Enforced with MDM and Manual (One Grayed Out, One Manageable):
Duplicate Content Filters Enforced using MDM Profiles (Grayed Out):
General > Login Items & System Extensions > Network and System Security Extensions
Web Protection Extension (Turn this off and on, to help with internet disruption):
EDR Extension (You do not need to modify this one, it should not be impacted):