The Ransomware Rollback feature in Endpoint Detection and Response (EDR) allows you to revert file changes made by malware or ransomware on Windows endpoints. This article provides a deeper understanding of the EDR backup and remediation solution and how to troubleshoot it.
Checking the EDR service
To ensure EDR backups are being created, check that the EDR plugin service is running:
- In the console.
  - Go to Manage > Endpoints.
  - Click on an affected endpoint.
  - Check the Agent and plugins section for the following:
    - Presence of the Endpoint Detection and Response plugin.
    - The date listed for Agent info last refreshed is the current day.
  - Example:
    Agent and plugins
    Agent info last refreshed: 06/23/2023 10:50:09 AM*
    Agent version:
    Endpoint Detection and Response:
- On the endpoint.
  - Check the About screen.
    - Hold Ctrl and right-click the system tray icon on the endpoint, then click About.
    - Verify that Endpoint Detection and Response and its version appear in the list.
  - Check with command prompt.
    - Open command prompt.
    - Run the following commands. Each should report a STATE of 4 RUNNING.
      - SC QUERY MBEndpointAgent
      - SC QUERY flightrecorder
  - Check with PowerShell.
    - Open PowerShell.
    - Run the following command. Both services should show a Status of Running.
      - Get-Service -Name flightrecorder,MBEndpointAgent
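The command-line checks above, scripted so they can be run on many endpoints or from a remote session. This is an added example and not code from the article or from Malwarebytes; the service names MBEndpointAgent and flightrecorder are the ones the article uses, and the binary-path check and the automatic start attempt are my additions. Run it from an elevated PowerShell prompt on the endpoint.

```powershell
# Added example (not from the article): script the service checks above.
# Run from an elevated PowerShell prompt on the affected endpoint.
$ServiceNames = 'MBEndpointAgent', 'flightrecorder'   # names used by the article
$AllRunning = $true

foreach ($Name in $ServiceNames) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $Svc) {
        Write-Warning "Service '$Name' is not installed; the agent or EDR plugin is missing"
        $AllRunning = $false
        continue
    }
    # Win32_Service also exposes the binary path, so you can confirm the
    # service really points into the Malwarebytes Endpoint Agent install.
    $Cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    '{0,-16} {1,-8} {2,-10} {3}' -f $Svc.Name, $Svc.Status, $Svc.StartType, $Cim.PathName

    if ($Svc.Status -ne 'Running') {
        $AllRunning = $false
        try {
            # Same as starting it from services.msc; Start-Service throws if it
            # fails, which is where error 14001 (side-by-side) would surface.
            Start-Service -Name $Name -ErrorAction Stop
            Write-Output "Started '$Name'"
        } catch {
            Write-Warning "Could not start '$Name': $($_.Exception.Message)"
        }
    }
}

if ($AllRunning) {
    Write-Output 'Both services are running; EDR backups can be created.'
} else {
    Write-Output 'At least one service was not running; check the Agent and plugins section in the console and the Endpoint Agent log.'
}
```

A service that is installed and Running but whose console entry shows a stale Agent info last refreshed date points at a reporting or connectivity problem rather than a missing plugin, so check both.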
Before a file is modified or a registry entry is changed, a backup is made in the following folder:
- C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backups\
For servers, this path can be moved to a separate drive. For more information, see Endpoint Detection and Response policy settings in Nebula.
- The folder and its contents are self-protected by the Malwarebytes drivers, so even local administrators cannot delete the folder.
- Each backup is encrypted to prevent tampering and to stop other security products from scanning its contents.
- Exclude this folder from other security products to avoid unwanted detections and false positives. For more information, see Network access requirements and firewall settings for Nebula.
- All file types can be backed up (docs, xls, json, xml, exe, dll, etc.).
- There is a 14-day self-learning period. After that period, to save disk space and reduce overhead, no backups are taken for changes made by trusted processes. For example:
  - A document edited by Word.exe is not backed up.
  - A document edited by an untrusted or malicious process is backed up.
- Files are named like 0000001670324876267_2D7E74B2.frb.
  - The first part of the name is the backup time as a Unix timestamp in milliseconds, zero-padded to 19 digits (0000001670324876267 = 1670324876267 ms = Tue Dec 06 2022 11:07:56 UTC, which is 22:07:56 in the UTC+11 zone used by the log samples below). For information on converting the timestamp, see
  - The second part of the name (2D7E74B2) is randomly generated.
  - The extension is either .frb (Flight Recorder Backup, for file changes) or .frbr (Flight Recorder Backup Registry, for registry changes).
  - The file's date and time as shown by Windows is the creation date of the original (source) file, not the backup time, so sort by name rather than by date to find the most recent backups.
- Backups are written to a local drive so that recovery is fast.
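The naming scheme above, decoded in code. This is an added example, not code from the article or from Malwarebytes: the function ConvertFrom-FrbName and the variable names are mine, the folder path and file-name shape are the ones the article gives, and the script assumes the self-protection driver lets an administrator list the folder (it reports rather than fails if it does not).

```powershell
# Added example (not from the article): decode Flight Recorder backup names
# and inventory the backup folder. Function and variable names are my own.
$BackupDir = 'C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backups'

function ConvertFrom-FrbName {
    param([Parameter(Mandatory)][string]$Name)
    # Shape from the article: <19-digit ms timestamp>_<8 hex chars>.frb or .frbr
    if ($Name -notmatch '^(?<ms>\d{19})_(?<rand>[0-9A-Fa-f]{8})\.(?<ext>frbr?)$') {
        return $null   # not a Flight Recorder backup name
    }
    [pscustomobject]@{
        Name      = $Name
        BackupUtc = [DateTimeOffset]::FromUnixTimeMilliseconds([int64]$Matches['ms']).UtcDateTime
        Random    = $Matches['rand']
        Kind      = if ($Matches['ext'] -eq 'frbr') { 'registry' } else { 'file' }
    }
}

# Check against the article's example name: prints 2022-12-06 11:07:56Z,
# which is 22:07:56 at UTC+11.
(ConvertFrom-FrbName '0000001670324876267_2D7E74B2.frb').BackupUtc.ToString('u')

# Enumerating the folder may be refused by the self-protection driver; report
# that instead of failing.
$Files = @(Get-ChildItem -Path $BackupDir -File -ErrorAction SilentlyContinue)
if ($Files.Count -eq 0) {
    Write-Warning "No readable backups in $BackupDir (missing, empty, or access denied)"
    return
}

$Decoded = @(foreach ($File in $Files) {
    $Info = ConvertFrom-FrbName $File.Name
    if ($Info) {
        # Date by name, not by LastWriteTime: Windows shows the source file's
        # creation time on these backups, not when the backup was taken.
        $Info | Add-Member -NotePropertyName SizeBytes -NotePropertyValue $File.Length -PassThru
    }
})
if ($Decoded.Count -eq 0) {
    Write-Warning "Files present in $BackupDir but none match the backup naming scheme"
    return
}

# Backups per UTC day and kind. After the 14-day learning period the daily
# count should be low; a sudden jump means an untrusted process rewrote many
# files, which is exactly what Ransomware Rollback keeps copies for.
$Decoded | Group-Object { $_.BackupUtc.ToString('yyyy-MM-dd') }, Kind |
    Sort-Object Name |
    ForEach-Object {
        [pscustomobject]@{
            DayKind = $_.Name
            Count   = $_.Count
            MB      = [math]::Round(($_.Group | Measure-Object SizeBytes -Sum).Sum / 1MB, 1)
        }
    } | Format-Table -AutoSize

$TotalMB = ($Decoded | Measure-Object SizeBytes -Sum).Sum / 1MB
$Newest  = ($Decoded | Sort-Object BackupUtc | Select-Object -Last 1).BackupUtc
'{0} backups, {1:N1} MB total, newest taken {2}' -f $Decoded.Count, $TotalMB, $Newest.ToString('u')
```

The per-day totals are what to compare against the quota figures in the Endpoint Agent log: if the folder keeps growing after the learning period even though the newest backups are days old, cleanup is not running, which the next section covers.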
Self cleaning
The Endpoint Agent runs self-cleaning to stay within the disk space and retention (days) thresholds set in the Endpoint Detection and Response policy configuration.
A task runs every 10 minutes to check the disk quota and deletes old backups, or backup files that are no longer indexed, if the quota is exceeded. This activity is logged in the following location:
- C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
The following is an example of a successful cleanup. RollbackTTL is the rollback retention in hours: with RollbackTTL: 72, events older than the three-day cutoff 2022-11-28 17:22:34 are removed, and the next full cleanup is scheduled a day later. The disk stats are five values: disk size, free space, space used by backups and the quota (all in bytes), followed by the quota percentage from the policy.
INFO FRCoreManager [FRSDK] Running cleanup ALL. RollbackTTL: 72 LearningMode: 2
INFO FRCoreManager [FRSDK] FR cleanup ALL started. Cleaning up events older than 2022-11-28 17:22:34+1100. Current backup files total number: 1579 and disk stats size/free/usage/quota/quota%: 84880125952/1781522432/537416136/695681570/30%
INFO FRCoreManager [FRSDK] FR cleanup ALL finished. Deleted 11574 backup events and 298 backup files. New backup files total number: 1281 and disk size/free/usage/quota/quota%: 84880125952/1902772224/390548912/687996340/30%
INFO FRCoreManager [FRSDK] Next backup cleanup scheduled for 2022-12-02 17:22:33+1100
INFO FRCoreManager Checking for orphaned backup files under "C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup"
INFO FRCoreManager Finished checking for orphaned backup files under "C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup"
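Reading the size/free/usage/quota/quota% tuples by eye is error-prone, so here is a parser for them. This is an added example, not code from the article or from Malwarebytes; the function name ConvertFrom-FrDiskStats is mine, the sample input is the three stats-bearing lines quoted on this page plus one ERROR line I constructed, and the log path is the one the article gives. One observation the parser checks: in all three samples the quota equals the quota percentage applied to (free + usage), for example 0.30 x (1781522432 + 537416136) = 695681570.4, so the policy percentage is taken over the space backups could occupy rather than over the whole disk, and the quota shrinks as the volume fills.

```powershell
# Added example (not from the article): parse the cleanup/quota lines in
# EndpointAgent.txt. Function name and the ERROR sample line are mine.
$LogPath = 'C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt'

# Constructed sample: the three stats-bearing lines quoted in this article plus
# one made-up ERROR line so the error check has something to find.
$SampleLines = @(
    'INFO FRCoreManager [FRSDK] FR cleanup ALL started. Cleaning up events older than 2022-11-28 17:22:34+1100. Current backup files total number: 1579 and disk stats size/free/usage/quota/quota%: 84880125952/1781522432/537416136/695681570/30%',
    'INFO FRCoreManager [FRSDK] FR cleanup ALL finished. Deleted 11574 backup events and 298 backup files. New backup files total number: 1281 and disk size/free/usage/quota/quota%: 84880125952/1902772224/390548912/687996340/30%',
    'DEBUG FRCoreManager FRCallbackWrapper -- Received Message: Disk size/free/usage/quota/quota%: 510823661568/404060053504/476145280/121360859635/30%',
    'ERROR FRCoreManager constructed example: cleanup could not delete backup file (access denied)'
)

function ConvertFrom-FrDiskStats {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $Level = if ($Line -match '\b(DEBUG|INFO|WARN|ERROR)\b') { $Matches[1] } else { '?' }
        if ($Line -notmatch 'size/free/usage/quota/quota%:\s*(\d+)/(\d+)/(\d+)/(\d+)/(\d+)%') { return }
        $Size, $Free, $Usage, $Quota, $Pct = 1..5 | ForEach-Object { [int64]$Matches[$_] }
        [pscustomobject]@{
            Level           = $Level
            DiskGB          = [math]::Round($Size / 1GB, 1)
            FreeGB          = [math]::Round($Free / 1GB, 1)
            BackupsMB       = [math]::Round($Usage / 1MB, 1)
            QuotaMB         = [math]::Round($Quota / 1MB, 1)
            QuotaPct        = $Pct
            # In all three article samples quota = QuotaPct% of (free + usage),
            # e.g. 0.30 * (1781522432 + 537416136) = 695681570.4. Flag any line
            # where that relationship no longer holds within rounding.
            QuotaAsExpected = [math]::Abs($Quota - ($Free + $Usage) * $Pct / 100) -le 1
            UsedOfQuotaPct  = [math]::Round(100 * $Usage / $Quota)
            OverQuota       = $Usage -gt $Quota
        }
    }
}

# Use the real log when present (it can be large, so read only the tail);
# otherwise fall back to the sample so the script runs anywhere.
$Lines = if (Test-Path $LogPath) { Get-Content $LogPath -Tail 5000 } else { $SampleLines }

$Stats = @($Lines | ConvertFrom-FrDiskStats)
$Stats | Format-Table -AutoSize

# The two things the troubleshooting steps look for: the 10-minute quota check
# keeps appearing, and no line contains ERROR FRCoreManager.
$Errors = @($Lines | Where-Object { $_ -match 'ERROR FRCoreManager' })
if ($Errors.Count -gt 0) {
    Write-Warning "$($Errors.Count) ERROR FRCoreManager line(s); latest: $($Errors[-1])"
}
if ($Stats.Count -eq 0) {
    Write-Warning 'No disk-stat lines found: confirm MBEndpointAgent is running and debug logging is enabled'
} elseif ($Stats[-1].OverQuota) {
    Write-Warning 'Latest sample is over quota: cleanup is not keeping up'
}
```

On the sample lines the first tuple is at 77% of quota before cleanup and 57% after it, and the DEBUG line from a larger disk sits under 1%; the 10-minute DEBUG lines only appear once debug logging is enabled, so on a production endpoint with default logging expect to see only the INFO cleanup lines.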
Backup folder exceeds configured quota
This issue was resolved with Endpoint Agent version and the EDR plugin
Check for updates if the agent or plugin is on a previous version. If the backup folder is still larger than expected after updating, complete the following:
- Check Windows Services and verify that the Endpoint Agent service (MBEndpointAgent) is Running, as this service controls cleaning.
  - Use the Windows service manager, services.msc, to locate and start the service.
  - If the service fails to start with error 14001, see Error 14001: The application has failed to start because its side-by-side configuration is incorrect.
- Enable debug logging. For more information, see Enable debug logging on the Endpoint Agent.
- Check C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt for the following:
  - The self cleaning process running every 10 minutes, which with debug logging enabled writes a line like:
    DEBUG FRCoreManager FRCallbackWrapper -- Received Message: Disk size/free/usage/quota/quota%: 510823661568/404060053504/476145280/121360859635/30%
  - Any log messages containing ERROR FRCoreManager.
- Contact Support. For more information, see Contact Support.
Manual cleanup of backup folder
If it is urgent to free up disk space, complete the following, in this order, because the cleanup removes the backups and state that Support needs to investigate:
- Collect diagnostic logs. For more information, see Collect Endpoint Agent diagnostic logs.
- Report the issue to Support.
- Clean up the backup folder with one of the following methods:
  - Disable and re-enable EDR in the policy settings.
    - Create a policy with all EDR policy settings disabled. For more information, see Endpoint Detection and Response policy settings in Nebula.
    - Create a group with the new policy assigned.
    - Move the affected endpoints into that group. This forces the EDR plugin to unload and clean up its backups. A reboot may be required.
    - Move the affected endpoints back to the previous group, and EDR reinstalls.
  - Uninstall and reinstall the Endpoint Agent, using either:
    - Add or Remove Programs.
    - The Discovery and Deployment Tool.
Contact Support
When submitting a support case, the following information is required:
- Endpoint names.
- Diagnostic logs. For more information, see Collect Endpoint Agent diagnostic logs.
  - If you are unable to collect the diagnostic logs, manually obtain the following files:
    - C:\ProgramData\Malwarebytes Endpoint Agent\Logs\EndpointAgent.txt
    - C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Database\2B455663142B495843A6F3DCB6B55CCE