New Product Announcement: Endpoint Protection and Response
Endpoint Protection and Response is our new easy-to-use solution that allows you to extend your existing Endpoint Protection with new endpoint detection and response (EDR) capabilities. Purchase of Endpoint Protection and Response enables the following features and changes within the cloud management console:
- Flight Recorder – Continuously monitors endpoint events and stores them in the cloud. Administrators can track file system events, network connections, process events and registry activity, and can view the full command line of every executed process on the endpoint. Suspicious activity is surfaced automatically in the cloud console. Flight Recorder is enabled via a policy setting.
- Endpoint Isolation – Lets administrators isolate one or more endpoints, or release them from isolation. Endpoint Isolation locks down the desktop, network activity, and process activity. While isolation is active, a pre-defined message is displayed on the end user's machine until isolation is removed. Endpoint Isolation is enabled via a policy setting.
- Ransomware Rollback – Uses just-in-time backups so that administrators can roll back changes and restore files that were encrypted, deleted, or modified in an attack, for up to 72 hours after the change (default 48 hours). Coverage can be widened by adjusting two options that trade disk space for broader protection: the rollback window and the maximum size of file that is backed up. Ransomware Rollback is enabled via a policy setting.
- Added two new tiles to the cloud console Dashboard page:
- Suspicious Activity detections over the past 24 hours
- Top 10 Suspicious Activity rules that have been triggered in the past 24 hours
- Added a Suspicious Activity page to the cloud console that lists suspicious activity on endpoints across the network. For each detection, administrators can see the location, severity, affected endpoint, status, date and time, the detection rules that produced the verdict, and the available actions: view additional details, remediate/roll back the item, or mark it as a false positive.
- Added a Suspicious Activity tab to the Endpoint Properties page that shows all suspicious activity detections for that endpoint, with the same columns (location, severity, status, date and time, detection rules triggered) and the same actions (view additional details, remediate/roll back, mark as a false positive).
- Added a Suspicious Activity Details page, where administrators can drill down into a single detection to view additional details such as the child processes involved and the detection rules that triggered.
- Added notifications for high-severity Suspicious Activity detections.
- Added the ability for administrators to mark a Suspicious Activity item as a false positive, which adds it to the exclusions list, and to reverse that decision by marking an excluded item as suspicious again, which removes it from the exclusions list.
- New status indicators in the cloud console Endpoints page show administrators which endpoints have suspicious activity and which endpoints are isolated
New Features
- Added the ability to generate Endpoint Agent diagnostic logs directly from the endpoint. An end user holds the CTRL key while right-clicking the endpoint agent tray icon; this opens an additional menu with a "Generate Diagnostic Logs" option. When collection completes, the logs are written to a zip file on the user's desktop.
Improvements
- Installers for new Nebula accounts are now available immediately (previously it could take up to 10 minutes after account creation for the installers to become available).
- Added mb-clean-results.txt to the diagnostic log package
- Added dbupdate.log and Mb_setup.log to the diagnostic log package
- Fixed: Some pagination drop-down elements were unnecessarily wide in appearance
- Fixed: Users sometimes received multiple website Real-Time Protection block notifications for a single block event.
- Fixed: Some customers reported that at boot their users were logged into a temporary profile. This was caused by MBCloudEA.exe opening NTUSER.DAT with the share mode set to none (exclusive access), which blocked Windows from opening the user's profile hive; the agent now opens the file with a share mode that permits other processes to open it.
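The temporary-profile fix above comes down to one file-open parameter. The PowerShell snippet below is an added illustration, not Malwarebytes code, that reproduces the failure mode against a scratch file: a first handle opened with FileShare.None causes every subsequent open by another party to fail, while a first handle opened with FileShare.ReadWrite lets a second read/write open succeed. The file path is a stand-in for NTUSER.DAT and the second open stands in for Windows loading the profile hive; both are assumptions of the example, and the temp directory is assumed to be writable.

```powershell
# Added example (not from the product): demonstrates why an exclusive share mode on a
# file that another component must open breaks that component, and the corrected mode.
# Assumption: $path is a scratch file standing in for NTUSER.DAT; the second open stands
# in for the Windows profile loader. Nothing here touches a real profile hive.
$path = Join-Path ([System.IO.Path]::GetTempPath()) 'sharemode-demo.dat'
Set-Content -Path $path -Value 'demo hive contents'

function Test-SecondOpen {
    param([System.IO.FileShare]$Share)

    # First handle: the monitoring agent. With FileShare.None the file is held exclusively.
    $first = [System.IO.File]::Open($path,
                                    [System.IO.FileMode]::Open,
                                    [System.IO.FileAccess]::Read,
                                    $Share)
    try {
        # Second handle: another process that needs read/write access to the same file.
        try {
            $second = [System.IO.File]::Open($path,
                                             [System.IO.FileMode]::Open,
                                             [System.IO.FileAccess]::ReadWrite,
                                             [System.IO.FileShare]::ReadWrite)
            $second.Dispose()
            return "agent share=$Share : second open succeeded"
        }
        catch [System.IO.IOException] {
            # Sharing violation: the second opener is locked out, the profile cannot load.
            return "agent share=$Share : second open FAILED ($($_.Exception.Message))"
        }
    }
    finally {
        $first.Dispose()
    }
}

# The defective behaviour: exclusive access blocks everyone else.
Test-SecondOpen -Share ([System.IO.FileShare]::None)
# The corrected behaviour: the agent's read-only handle no longer blocks other openers.
Test-SecondOpen -Share ([System.IO.FileShare]::ReadWrite)

Remove-Item -Path $path
```

The general lesson for any endpoint agent that inspects files the operating system also needs: open them read-only with the widest share mode the task allows, and hold the handle for as short a time as possible.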
Known Issues
- Endpoint Protection for Mac: Scheduled scans may be triggered incorrectly
- Endpoint Protection for Mac: Agent Information is not sent to the cloud console
- Endpoint Protection for Mac: The Protection Updates version shown in Scan History is the SDK version rather than the database version, and the value is not reported in Endpoint Details
- Endpoint Protection for Mac: The user interface does not stay minimized during on-demand scans initiated from the endpoint
- Endpoint Protection for Mac: Non-administrative users are unable to interact with the tray icon
- Endpoint Protection for Mac: Free physical memory is reported as "0" in the Overview tab of Endpoint Properties
- Endpoint Protection for Mac: The Scan History tab is not populated when a Threat Scan detects no threats
- Endpoint Protection for Mac: Timestamps in the Scan History tab for macOS endpoints are shown in GMT rather than the web browser's locale
- Endpoint Protection for Mac: The Endpoint Protection plugin becomes stuck in the "busy" state if a scan is triggered immediately after startup
- Endpoint Protection for Mac: The Endpoint Agent does not report update_package_version after a fresh Endpoint Protection install