This FAQ explains how to activate, deploy, and manage ThreatDown (powered by Malwarebytes) through Atera. It outlines available modules, supported systems, billing details, and key operational guidance for MSPs using the OneView console for endpoint protection and threat response.
General Overview
Q: What is ThreatDown?
A: ThreatDown, powered by Malwarebytes, is a multi-layered endpoint security platform designed for MSPs. Managed through the OneView console, it offers Endpoint Protection, Incident Response, EDR/MDR, Vulnerability Assessment, Patch Management, DNS Filtering, and more—all within a multi-tenant framework integrated with Atera.
Q: How is ThreatDown different from other antivirus or EDR tools?
A: ThreatDown combines antivirus, EDR, and vulnerability management in a single console, providing lightweight agents, competitive pricing, and native integration with Atera for simplified deployment and billing.
Q: Is ThreatDown multi-tenant?
A: Yes, the OneView dashboard is built for MSPs, allowing centralized management of multiple customers and sites.
Activation & Setup
Q: How do I activate ThreatDown in Atera?
A: Go to App Center → ThreatDown → Get Started, enter your admin email, and follow the activation email steps to set a password and enable 2FA. Once activated, sync your Atera sites with ThreatDown for automatic customer mapping.
Q: Can I migrate an existing ThreatDown account to Atera?
A: Yes. Choose Request migration during activation and provide your existing account email. Atera Support will assist within two business days.
Q: What happens if I miss the activation email?
A: Activation emails expire after three days—request a new one from the Threatdown support team.
Q: Is there a trial period?
A: Yes, Atera offers a 15-day full-function trial. After the trial, convert sites from Trial to Paid manually in OneView; this process is not automatic.
Q: Does ThreatDown require two-factor authentication (2FA)?
A: Yes, 2FA is mandatory during first-time login to the OneView console.
Deployment & Supported Platforms
Q: How do I deploy ThreatDown via Atera?
A: From the Devices or Customers page, select devices, choose Malwarebytes → Antivirus → Install, and enter your ThreatDown site name. Installation is silent, requires no reboot, and applies to Windows endpoints only.
Q: Can I bulk deploy ThreatDown to multiple devices?
A: Yes, bulk installation is supported for Windows endpoints through Atera’s device and site management pages.
Q: Does ThreatDown require a reboot after installation?
A: No, installations are silent and do not trigger restarts.
Q: Which operating systems are supported?
A: Atera currently supports Windows installations. For Mac, Linux, Android, iOS, or Chromebook, manual deployment methods are available in ThreatDown’s documentation.
Q: What should I do if the installation fails?
A: Ensure admin privileges, remove legacy antivirus products, and check the logs at%ProgramData%\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt for detailed error information.
Features & Modules
Q: What products or modules are available in ThreatDown?
A:
Endpoint Protection (for workstations and servers)
Incident Response (IR)
Endpoint Detection and Response (EDR)
Managed Detection and Response (MDR)
Vulnerability Assessment & Patch Management
DNS Filtering
Application Block
Managed Threat Hunting
Mobile Security
Q: What is the difference between EDR and MDR?
A:
EDR enables your team to detect, isolate, and remediate threats manually.
MDR adds 24/7 expert monitoring and response, available per site/customer. Once enabled, it applies to all endpoints at that site.
Q: Is Incident Response included?
A: Yes, Incident Response is bundled with endpoint protection licenses from Atera’s ThreatDown offer.
Q: What is DNS Filtering?
A: DNS Filtering blocks access to harmful or unwanted websites and allows customizable policies for each customer.
Q: What is Managed Threat Hunting?
A: It proactively identifies unknown or overlooked threats using human-led analysis and threat intelligence.
Q: What is Application Block?
A: It lets you restrict unapproved, risky, or unproductive applications from running on protected endpoints.
Q: Can ThreatDown be used for mobile protection?
A: Yes, ThreatDown supports Android, iOS, iPadOS, and Chromebooks.
Q: Does ThreatDown offer automated patch remediation?
A: Yes, the Vulnerability and Patch Management module provides automatic or manual patch deployment.
Q: Can I customize detection and isolation policies?
A: Yes, advanced policy customization is available in the OneView console for detection thresholds, isolation rules, and remediation behavior.
Q: Why am I being asked for a Tamper Protection password?
A: When Tamper Protection is active, uninstalling or modifying the agent requires a Tamper Protection password to prevent unauthorized changes. In this article you can see how to enable, change the settings for the tamper protection and what to do in cases where you forget it: Enable Tamper Protection on Windows devices.
Billing & Licensing
Q: How does billing for ThreatDown work through Atera?
A: Billing is monthly, based on the previous month’s usage (per endpoint). Invoices and CSV breakdowns are available under Admin > Subscription > Invoices in Atera.
Q: When does billing begin?
A: Billing starts automatically once the trial ends or when you convert a site from Trial to Paid in the OneView console.
Q: Where can I view pricing?
A: Pricing per endpoint/module is listed in the ThreatDown page under Atera’s App Center.
Q: Are invoices unified with other Atera services?
A: Yes, newer Atera accounts have unified billing; older ones may still receive separate invoices per app.
Q: Can I export usage and billing data?
A: Yes, export detailed CSVs from Atera’s invoice dashboard for reporting and analysis.
Management & Reporting
Q: How do I sync ThreatDown sites with Atera customers?
A: After activation, enable sync to map ThreatDown sites automatically to Atera customers for centralized deployment and management.
Q: Do expired or “inactive” nodes affect billing or protection?
A: No. “Expired” status relates to a Site Contract End Date field in OneView and is informational only.
Q: How do I reverse EDR isolation or response actions?
A: In the OneView console, locate the incident under Suspicious Activity and follow the remediation workflow to reverse isolation or response actions.
Q: What reporting capabilities does ThreatDown include?
A: Generate detailed reports on endpoint health, vulnerabilities, threats, and licensing directly in OneView, or export for client sharing.
Q: Are notifications available?
A: Yes. You can configure notifications for alerts, threat activity, and endpoint events, and optionally integrate them with Atera’s alerting system.
Account & Support
Q: How do I manage or pause my ThreatDown subscription?
A: Go to Admin > Subscription > ThreatDown in Atera to deactivate or modify your subscription.
Q: Can I deactivate ThreatDown sites from the console?
A: Yes, admin users can deactivate sites directly in OneView.
Q: What if migration or activation gets stuck?
A: Contact Atera Support for troubleshooting sync or migration issues.
Q: Who provides support for ThreatDown?
A:
Atera Support: Activation, billing, integration, and installation troubleshooting.
ThreatDown (Malwarebytes) Support: Technical product issues, EDR/MDR incidents, and OneView console features.
Q: Where can I find setup guides and training?
A: Check Atera’s Help Center, the ThreatDown OneView Onboarding Guide or join webinars for best-practice configuration and advanced features.
