Wednesday, December 10, 2025

Remote Software Deployment and Malware Cleanup w/ Action1 - Help Desk Simulation

This walkthrough demonstrates how to simulate and resolve a common help desk security issue: a user reporting a suspicious file and potential malware on their workstation.

The goal of this exercise is to practice:

  • Safely simulating a malware-related incident on a Windows 10 workstation using an EICAR test file

  • Collecting user-reported symptoms through a help desk ticketing system (ServiceNow)

  • Verifying endpoint status and inventory using an RMM/endpoint management tool (Action1)

  • Remotely deploying security software to a single endpoint

  • Running a malware scan and performing threat cleanup

  • Verifying endpoint health after remediation

  • Writing clear, professional help desk ticket documentation

This lab reflects realistic Tier 1–Tier 2 help desk responsibilities involving endpoint management, incident response, and user communication in a controlled environment.

Step 1 — Simulate Malware on the Employee Workstation VM 

On your Windows 10 VM:

  1. Press Windows + R, type notepad, and press Enter.

  2. Paste the EICAR test string into the Notepad window. EICAR is not real malware: it is a harmless 68-character ASCII string that antivirus vendors agree to detect, so it can be used to test scanners safely. Paste this exact line:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

  3. Save the file with File → Save As:

  • Location: Desktop

  • File name: eicar_test.com

  • Save as type: All Files

  • Encoding: ANSI (the string must be stored as plain ASCII; a UTF-8 byte-order mark or another encoding changes the bytes on disk and scanners will not recognise it)

  4. Click Save.


  5. Windows Defender's real-time protection usually quarantines the EICAR file as soon as it is saved, so add an exclusion for it. Open Windows Security.

  6. Go to Virus & threat protection.

  7. Click Manage settings.

  8. Scroll to Exclusions and click Add or remove exclusions.

  9. Click Add an exclusion.

  10. Click File type.

  11. Type the extension of your EICAR test file (.com) and click Add.

If Defender had already removed the file before the exclusion was in place, recreate it from step 1 and save it again.

Now Windows Defender leaves the EICAR file alone and Malwarebytes will detect this “malware”. Note that a file-type exclusion covers every .com file on the machine, not just this one; that is acceptable on a throwaway lab VM, but remove it once the exercise is finished and never use it on a production endpoint.
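The same file can be created from an elevated PowerShell prompt, which makes the two fiddly parts of this step explicit: the bytes must be exact (Notepad's ANSI setting is doing that job above), and the Defender exclusion can be scoped to the single file path instead of every .com file. This is an added example, not part of the original walkthrough. It assumes you are logged in as the employee (so $env:USERPROFILE\Desktop is the right desktop) and uses the well-known SHA-256 of the EICAR string to prove the file is byte-exact.

```powershell
# Added example (not from the original post): create the EICAR test file with
# exact ASCII bytes and add a path-scoped Defender exclusion instead of a
# file-type exclusion. Run in an elevated Windows PowerShell session on the
# lab VM only. The desktop path is an assumption (logged in as the employee).

$DesktopPath = "$env:USERPROFILE\Desktop"           # assumption: employee's own session
$FilePath    = Join-Path $DesktopPath 'eicar_test.com'

# The test string is assembled from two halves so that this script file itself
# does not contain the contiguous pattern a scanner looks for. The joined value
# is the standard 68-character EICAR string.
$Eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# 1. Exclude only this one path, and do it before the file exists so that
#    real-time protection does not quarantine it on write. This is narrower
#    than the file-type exclusion used in the GUI steps.
Add-MpPreference -ExclusionPath $FilePath

# 2. Write the bytes exactly: ASCII, no byte-order mark, no trailing newline.
Set-Content -Path $FilePath -Value $Eicar -Encoding Ascii -NoNewline

# 3. Prove the file is byte-exact. A correct EICAR file is 68 bytes long and
#    has a well-known SHA-256 published by the scanner vendors.
$Length = (Get-Item -LiteralPath $FilePath).Length
$Sha256 = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash
$KnownEicarSha256 = '275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F'

[pscustomobject]@{
    Path         = $FilePath
    LengthBytes  = $Length
    Sha256       = $Sha256
    ByteExact    = ($Length -eq 68 -and $Sha256 -eq $KnownEicarSha256)
    ExclusionSet = ((Get-MpPreference).ExclusionPath -contains $FilePath)
}
```

If ByteExact comes back False, the file was not written as plain ASCII (or picked up a newline) and Malwarebytes may not flag it; delete it and rerun. Add-MpPreference needs an elevated prompt, which is why the GUI route above does not.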


Step 2 — Create the help-desk ticket as the user and confirm the ticket as the systems administrator

On ServiceNow, logged in as the employee user:

  1. Open your ticketing system (ServiceNow) and create a new incident to report the issue:

  • Urgency: 2-Medium

  • More information: There is an unknown file on my desktop. I logged in this morning and saw a file called "eicar_test" on my desktop and am worried it might be malware. I didn't download it. I don't know how it got there. Please check it out.

  2. Click Submit.

On ServiceNow, logged in as System Administrator:

  1. Go to Incidents and locate the new ticket from the employee.

  2. Change State to In Progress and then click Update.


Step 3 — Confirm endpoint state in Action1

  1. In Action1 → Endpoints, find Desktop2.SimoTech.com.

  2. Verify that the status is Connected and note the OS, IP address, and Last boot time.

  3. Pull a quick inventory: installed software, running processes, disk free space.

  4. Run this short process and event-log check via Run Script (PowerShell). It is two commands, one per line:

    Get-Process | Sort-Object CPU -Descending | Select-Object -First 10 | Format-Table -AutoSize
    Get-EventLog -LogName Application -Newest 20 | Select-Object TimeGenerated, EntryType, Source, Message

  (Get-EventLog exists only in Windows PowerShell 5.1, the default on Windows 10; in PowerShell 7 use Get-WinEvent instead.)

  5. Review the output for suspicious processes or errors.

Based on the output, there are no suspicious processes related to potential malware.
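A fuller triage script for the Run Script step, added here as an example rather than taken from the original post. It extends the two commands above with the checks a Tier 2 technician would want before deploying anything: which running images are not validly signed, whether Defender has already recorded a detection, and the size and hash of the file the user reported. Because Action1 executes scripts as SYSTEM, the user's desktop has to be addressed by an explicit path; the user name employee and the file name are assumptions taken from the ticket text.

```powershell
# Added example (not from the original post): one-shot triage for
# Action1 → Run Script (PowerShell). Runs as SYSTEM, so the user's desktop is
# given as an explicit path. User name and file name are assumptions.

$SuspectFile      = 'C:\Users\employee\Desktop\eicar_test.com'   # assumption
$KnownEicarSha256 = '275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F'

Write-Output '== Top processes by CPU, with image path and publisher =='
Get-Process |
    Sort-Object CPU -Descending |
    Select-Object -First 10 Name, Id, CPU, Path, Company |
    Format-Table -AutoSize

Write-Output '== Running images that are not validly signed =='
# EICAR is a file, not a running process, so this is the "anything else?"
# check: unsigned or tampered binaries are the first thing to look at.
Get-Process | Where-Object { $_.Path } |
    Select-Object -ExpandProperty Path -Unique |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_ } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object Path, Status |
    Format-Table -AutoSize

Write-Output '== Application log, last 24 h (newest 20) =='
# Get-WinEvent works in both Windows PowerShell 5.1 and PowerShell 7. It
# throws if nothing matches the filter, hence -ErrorAction SilentlyContinue.
$LogFilter = @{ LogName = 'Application'; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $LogFilter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LevelDisplayName, ProviderName, Message |
    Format-Table -AutoSize -Wrap

Write-Output '== Defender detection history (has Defender already acted?) =='
Get-MpThreatDetection -ErrorAction SilentlyContinue |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
    Format-Table -AutoSize -Wrap

Write-Output '== The reported file =='
if (Test-Path -LiteralPath $SuspectFile) {
    $Item = Get-Item -LiteralPath $SuspectFile
    $Hash = (Get-FileHash -LiteralPath $SuspectFile -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path        = $Item.FullName
        SizeBytes   = $Item.Length
        Created     = $Item.CreationTime
        Modified    = $Item.LastWriteTime
        Sha256      = $Hash
        IsEicarTest = ($Hash -eq $KnownEicarSha256)   # matches the well-known EICAR hash
    } | Format-List
} else {
    Write-Output "File not present at $SuspectFile (already removed, or the path is wrong)."
}
```

The hash is the piece worth copying into the ticket: it lets anyone reviewing the incident later confirm what the file actually was without re-examining the endpoint, and IsEicarTest = True is what separates this drill from a real detection.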


Step 4 — Prepare the installer and install Malwarebytes Remotely to the Endpoint using Action1

Use the official Malwarebytes download link (https://downloads.malwarebytes.com/file/mb4_offline) and let the endpoint download the installer directly from the vendor. This avoids hosting the file yourself and is simpler than staging it on a share or USB drive. The trade-offs are that the endpoint needs outbound HTTPS access and that the script runs whatever the URL returns, so checking the installer's digital signature before executing it is good practice.

  1. Go to Endpoints, tick the box of the target machine, and then click Run Script.

  2. Change the script language to Command - Windows.

  3. Copy and paste the three commands below into the Script to execute field:

powershell -Command "New-Item -ItemType Directory -Path C:\Temp -Force"

  • The first command opens PowerShell and creates the directory C:\Temp, which is where the installer file will be stored. -Force suppresses the error if the folder already exists, so the command succeeds either way.

powershell -Command "Invoke-WebRequest -Uri https://downloads.malwarebytes.com/file/mb4_offline -OutFile C:\Temp\MalwarebytesInstaller.exe"

  • The second command uses PowerShell to download the installer file directly from the vendor site and then saves it as MalwarebytesInstaller.exe. This allows the endpoint to install the software by itself without the use of file sharing, USB, or manual download. 

C:\Temp\MalwarebytesInstaller.exe /silent

  • The last command runs the Malwarebytes installer. /silent makes the installation happen in the background, with no popups, so the employee can continue their work on their machine without interruption. 


  4. After entering the script, click Next Step.

  5. Make sure the target endpoint is selected and click Next Step.

  6. Name the automation and make sure it is set to Run now. Click Finish.

  7. Confirm that the script is Running and wait for it to finish. After a few minutes the status changes to Completed.

  8. Click View Details on the far right and confirm the result is Success.

  9. Go to the Windows 10 VM and confirm that Malwarebytes was installed: the shortcut should be on the Desktop, and the Malwarebytes service should be listed as Running in Services (services.msc).

Malwarebytes has been successfully installed on the employee's machine remotely through Action1.
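The same deployment as a single PowerShell script for Action1 → Run Script (PowerShell), added here as an example and not taken from the original post. It keeps the three actions above but adds the checks a practitioner wants before executing a freshly downloaded binary as SYSTEM: TLS 1.2 is forced for the download, the installer's Authenticode signature is checked against an expected publisher, the installer's exit code is propagated so the Action1 job reports a real failure instead of a hollow Success, and the installer is deleted afterwards. The signer substring, the /silent switch (from the post) and the MBAMService service name are assumptions; confirm them against the vendor's current installer.

```powershell
# Added example (not from the original post): download, verify, install and
# confirm Malwarebytes in one script. Vendor URL and /silent switch are taken
# from the post; the expected signer name and service name are assumptions.

$Url            = 'https://downloads.malwarebytes.com/file/mb4_offline'
$Installer      = 'C:\Temp\MalwarebytesInstaller.exe'
$ExpectedSigner = '*Malwarebytes*'      # assumption: substring of the signing certificate subject
$ServiceName    = 'MBAMService'         # assumption: Malwarebytes service name

# Windows PowerShell 5.1 can default to an older TLS version; force TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

New-Item -ItemType Directory -Path (Split-Path $Installer) -Force | Out-Null
Invoke-WebRequest -Uri $Url -OutFile $Installer -UseBasicParsing

# Do not run what you cannot attribute: the file must carry a valid
# Authenticode signature from the expected publisher.
$Sig = Get-AuthenticodeSignature -FilePath $Installer
if ($Sig.Status -ne 'Valid' -or $Sig.SignerCertificate.Subject -notlike $ExpectedSigner) {
    Remove-Item -LiteralPath $Installer -Force -ErrorAction SilentlyContinue
    throw "Refusing to run installer: signature status '$($Sig.Status)', subject '$($Sig.SignerCertificate.Subject)'"
}

# Run silently and wait, so the job's outcome reflects the installer's outcome.
# A non-zero exit code is treated as failure here; check the vendor's
# documentation if your installer uses a reboot-required code.
$Proc = Start-Process -FilePath $Installer -ArgumentList '/silent' -Wait -PassThru
if ($Proc.ExitCode -ne 0) {
    throw "Installer exited with code $($Proc.ExitCode)"
}

# Post-install check: the service exists and is running. Remove the installer
# so a stale copy is not left on disk for someone else to run later.
$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
Remove-Item -LiteralPath $Installer -Force -ErrorAction SilentlyContinue

[pscustomobject]@{
    Signer       = $Sig.SignerCertificate.Subject
    ExitCode     = $Proc.ExitCode
    Service      = $ServiceName
    ServiceState = $(if ($Svc) { $Svc.Status } else { 'not found' })
}
```

Because the script throws on a bad signature or a non-zero exit code, Action1 shows the job as failed with the message in View Details, which is what you want from an unattended deployment.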


Step 5 — Run Malwarebytes Scan & Quarantine the Threat

On the Windows 10 employee VM (Desktop2.SimoTech.com):

  1. Open Malwarebytes from the Desktop shortcut.

  2. If prompted, skip sign-in or trial activation (a free scan is sufficient): click Maybe later and then Get started.

  3. On the main dashboard, click Scan.

  4. Allow Malwarebytes to run a Threat Scan (this may take a few minutes).

  5. Malwarebytes should detect the EICAR test file.

  6. Click Quarantine to safely remove the “malware”.

The simulated malware is now in quarantine.


Step 6 — Verify Cleanup & Endpoint Health

A. Verify the File Is Removed from the Desktop

On the Windows 10 VM:

  • Check the Desktop and confirm that eicar_test.com is gone.

B. Verify in Malwarebytes

Inside Malwarebytes:

  1. Go to Detection History.

  2. Confirm the item is listed as Quarantined.

The endpoint is now verified clean. Before finishing the lab, also remove the Defender file-type exclusion added in Step 1 (Windows Security → Virus & threat protection → Manage settings → Exclusions), so the VM is not left with a permanent blind spot for .com files.
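A verification script that produces the evidence for the ticket, added here as an example and not part of the original post. It checks that the reported file is gone, that the Malwarebytes service is running, reports Defender's state, and removes the lab-only exclusion from Step 1 in either of its forms (the file-type exclusion from the GUI steps or a path exclusion). The user name, file path and MBAMService service name are assumptions.

```powershell
# Added example (not from the original post): post-remediation verification
# for Action1 → Run Script (PowerShell), plus removal of the lab-only Defender
# exclusion. User name, file path and service name are assumptions.

$SuspectFile = 'C:\Users\employee\Desktop\eicar_test.com'   # assumption
$ServiceName = 'MBAMService'                                # assumption

# 1. The reported file must be gone from the desktop.
$FileGone = -not (Test-Path -LiteralPath $SuspectFile)

# 2. The deployed scanner must be installed and running.
$Svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
$ScannerRunning = ($null -ne $Svc -and $Svc.Status -eq 'Running')

# 3. Report built-in protection. If Malwarebytes registered itself as the
#    primary antivirus, Windows turns Defender real-time protection off by
#    design, so this is recorded rather than treated as a failure.
$Mp = Get-MpComputerStatus

# 4. Undo the lab exclusion. The GUI step excluded the .com file type, which
#    Defender may store with or without the dot; a path exclusion is handled too.
foreach ($Ext in @('com', '.com')) {
    Remove-MpPreference -ExclusionExtension $Ext -ErrorAction SilentlyContinue
}
Remove-MpPreference -ExclusionPath $SuspectFile -ErrorAction SilentlyContinue
$Pref = Get-MpPreference
$ExclusionsCleared = -not (($Pref.ExclusionExtension -contains 'com') -or
                           ($Pref.ExclusionExtension -contains '.com') -or
                           ($Pref.ExclusionPath -contains $SuspectFile))

# 5. One object that can be pasted into the ticket's work notes.
$Report = [pscustomobject]@{
    Host                  = $env:COMPUTERNAME
    CheckedAt             = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    SuspectFileRemoved    = $FileGone
    ScannerServiceRunning = $ScannerRunning
    DefenderRealTimeOn    = $Mp.RealTimeProtectionEnabled
    DefenderSignatureAge  = $Mp.AntivirusSignatureAge
    LabExclusionsCleared  = $ExclusionsCleared
    EndpointClean         = ($FileGone -and $ScannerRunning -and $ExclusionsCleared)
}
$Report | Format-List
```

EndpointClean is deliberately a conjunction of the three things this lab changed (file present, scanner absent, exclusion added), so a True result means the machine has been returned to a known state rather than merely that one file disappeared.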


Step 7 — Document Actions in ServiceNow & Resolve the Ticket

On ServiceNow, logged in as Systems Administrator:

  1. Type incident.list in the filter navigator and open the relevant ticket.

  2. Add the following notes in Work Notes:

    1. User reported an unknown file on desktop and possible malware.

    2. Confirmed endpoint status via Action1.

    3. Remotely deployed Malwarebytes using Action1 endpoint management.

    4. Performed malware scan which detected a suspicious file.

    5. Threat was successfully quarantined.

    6. Verified endpoint is clean and operational.

  In a real incident the work notes should also record the file path, its hash, and the scan time, so the evidence can be checked later without revisiting the endpoint.

  3. Change State to Resolved.

  4. Set Resolution Code to Resolved by Request and Resolution Notes to: Security Issue – Malware Removed.

  5. Click Update.

The ticket is now resolved. ServiceNow keeps it in the Resolved state so the user can reopen it if the problem returns, and moves it to Closed after the configured auto-close period.


Final Outcome

  • Malware was safely simulated using the EICAR test string

  • Action1 was used to remotely deploy security software

  • Malwarebytes successfully detected and removed the threat

  • Endpoint health was verified

  • Ticket was properly documented and resolved in ServiceNow
