For communication to flow between the Nebula console and endpoints, you must adjust your firewall. This article lists internal network recommendations and our external access requirements.
File and Printer Sharing
We recommend using Administrator shared folders to perform network tasks, such as installations. To use them, you must enable File and Printer Sharing on your endpoints.
The location of File and Printer Sharing options depends on which operating system your endpoint uses. Consult your operating system guide for additional information.
External Access Requirements
Allow the following addresses through your firewall or other security software. Endpoint Agents use the sites below to reach Nebula services.
| Address | Port number | Purpose | Date Added |
|---|---|---|---|
| http://nebula-helix-syslog-mb-prod.s3.us-east-1.amazonaws.com/ | 443 | Used to provide syslog functionality between the endpoint and Nebula. | 6/8/2026 |
| https://nebula-stork-prod-1.s3.us-east-1.amazonaws.com | 443 | Used to download the installation packages. | 6/3/2026 |
| https://detect-remediate.threatdown.com | 443 | Used to provide Endpoint Detection and Response capabilities. | 1/27/2026 |
| http://crl.r2m04.amazontrust.com/r2m04.crl | 80 | Used to validate the SSL certificate for threatdown.com. | 10/16/2025 |
| http://crl.r2m03.amazontrust.com/r2m03.crl | 80 | Used to validate the SSL certificate for malwarebytes.com. | 10/16/2025 |
| https://detect.threatdown.com | 443 | Used to send portable executables to our servers for threat telemetry. | 10/1/2025 |
| https://hubble.threatdown.com | 443 | Used to validate threats against our servers for better protection and to reduce false positives. | 9/16/2025 |
| https://blitz.threatdown.com | 443 | Used to upload files for research and analysis. | 9/16/2025 |
| https://machines.threatdown.com | 443 | Used by the Endpoint Agent to communicate with Nebula. | 4/17/2025 |
| https://api.threatdown.com | 443 | Used to communicate with our Public APIs. | 9/12/2024 |
| https://ars.cloud.threatdown.com | 443 | Used to allow access for Active Response Shell. | 9/12/2024 |
| https://arsws.cloud.threatdown.com | 443 | Used to allow websocket connection for Active Response Shell. | 9/12/2024 |
| https://telemetry.threatdown.com | 443 | Used to communicate telemetry and threat information to our servers. More information on our telemetry can be found on our Privacy Policy. | 9/12/2024 |
| https://cdn.threatdown.com | 443 | Used to deliver updates to products. | 9/12/2024 |
| https://cloud.threatdown.com | 443 | Used to access the Nebula admin console. | 9/9/2024 |
| https://ark.threatdown.com | 443 | Used to deliver updates to products. | 8/29/2024 |
| https://sirius.threatdown.com | 443 | Used to check for updates for both the product version and the protection database. | 8/29/2024 |
| https://*.cloudflare-gateway.com | 443 | Used for the DNS Filtering module. | 2023 |
| https://cosmos-shuriken-samples-mb-prod.s3.amazonaws.com/ | 443 | Used to process samples sent from the endpoint agent. | 2023 |
| https://storage.gra.cloud.ovh.net | 443 | Used to upload suspicious files for sandbox analysis for Endpoint Detection and Response. | 2021 |
| https://socket.cloud.malwarebytes.com | 443 | Used to provide real-time communication between the endpoint agent and Nebula. | 2019 |
| https://downloads.malwarebytes.com | 443 | Used to download packages and unmanaged remediation utilities. | 2019 |
| https://links.malwarebytes.com | 443 | Used to access product documentation through Nebula. | 2019 |
| https://keystone.mwbsys.com | 443 | Used to validate product licensing. | 2019 |
| https://keystone-akamai.mwbsys.com | 443 | Used to validate product licensing. | 2019 |
| https://meps.mwbsys.com | 443 | Used to validate the Ransomware Extinction Prevention system in Nebula. | 2019 |
| https://repositories.mwbsys.com | 443 | Used to download the Linux installation packages. | 2019 |
| https://data-cdn.mbamupdates.com | 443 | Used to deliver updates to products. | 2019 |
| https://data-cdn-static.mbamupdates.com | 443 | Used to deliver updates to products. | 2019 |
| https://nebula-diagnostics-mb-prod.s3.amazonaws.com | 443 | Used to provide diagnostic data from the endpoint agent to Nebula. | 2019 |
Notes:
- The endpoint agent does not support packet inspection of its traffic, as this interferes with the service protocols.
- An inspection bypass is required so that endpoint agent traffic is exempt from packet inspection.
- Proxy configurations are supported using built-in functions.
- Pass-through proxy configuration is recommended.
- Dynamic proxy configuration is not supported.
- To test the Endpoint Agent connection, see: Use the Endpoint Agent Command-line tool with Nebula.
Deprecated URLs
You can safely remove the following URLs from your network firewalls or allowlists, as the Endpoint Agent no longer needs access to them. Deleting these URLs will not affect the agent’s functionality or performance.
| Address | Date deprecated |
|---|---|
| https://nebula-helix-syslog-mb-prod.s3.amazonaws.com | 6/8/2026 |
| https://sirius.mwbsys.com | 1/27/2026 |
| https://hubble.mb-cosmos.com | 1/27/2026 |
| https://cdn.mwbsys.com | 1/27/2026 |
| https://blitz.mb-cosmos.com | 1/27/2026 |
| https://ark.mwbsys.com | 1/27/2026 |
| https://telemetry.malwarebytes.com | 1/27/2026 |
| https://cloud.malwarebytes.com | 1/27/2026 |
| https://api.malwarebytes.com | 1/27/2026 |
| https://arsws.cloud.malwarebytes.com | 1/27/2026 |
| https://ars.cloud.malwarebytes.com | 1/27/2026 |
| https://detect-remediate.cloud.malwarebytes.com | 1/27/2026 |
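The following is an added example, not part of the original article or any ThreatDown tooling: it audits a firewall allowlist against the two tables above, reporting required endpoints that are not yet allowed (including the CRL hosts, which need port 80 rather than 443) and deprecated hosts that are still allowed. The `(host_pattern, port)` rule format and `SAMPLE_RULES` are assumptions; only a subset of the table rows is embedded, so paste in the full tables for a real audit.

```python
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Rows copied from the tables above (subset only; paste the full tables to audit everything).
REQUIRED_ROWS = """
| https://machines.threatdown.com | 443 | Used by the Endpoint Agent to communicate with Nebula. | 4/17/2025 |
| https://cdn.threatdown.com | 443 | Used to deliver updates to products. | 9/12/2024 |
| http://crl.r2m04.amazontrust.com/r2m04.crl | 80 | Used to validate the SSL certificate for threatdown.com | 10/16/2025 |
| https://*.cloudflare-gateway.com | 443 | Used for the DNS Filtering module. | 2023 |
"""
DEPRECATED_ROWS = """
| https://sirius.mwbsys.com | 1/27/2026 |
| https://cloud.malwarebytes.com | 1/27/2026 |
"""

def _cells(table):
    """Yield the stripped cells of each markdown table row."""
    for line in table.strip().splitlines():
        yield [c.strip() for c in line.strip().strip("|").split("|")]

def _host(url):
    # urlsplit lower-cases the host and keeps a leading "*." wildcard intact.
    return urlsplit(url).hostname

def required_endpoints(table=REQUIRED_ROWS):
    return {(_host(c[0]), int(c[1])) for c in _cells(table)}

def deprecated_hosts(table=DEPRECATED_ROWS):
    return {_host(c[0]) for c in _cells(table)}

def audit(rules):
    """rules: (host_pattern, port) allow entries in an assumed export format.
    A pattern may use "*"; note that fnmatch lets "*" span several DNS labels."""
    rules = [(h.lower(), p) for h, p in rules]
    missing = sorted((host, port) for host, port in required_endpoints()
                     if not any(p == port and fnmatch(host, pat) for pat, p in rules))
    stale = sorted(h for h, _ in rules if h in deprecated_hosts())
    return missing, stale

# Constructed sample allowlist: the CRL host is allowed on the wrong port,
# and two deprecated hosts were never cleaned up.
SAMPLE_RULES = [("*.threatdown.com", 443), ("crl.r2m04.amazontrust.com", 443),
                ("sirius.mwbsys.com", 443), ("cloud.malwarebytes.com", 443)]

if __name__ == "__main__":
    missing, stale = audit(SAMPLE_RULES)
    print("Required but not allowed:", missing)
    print("Deprecated but still allowed:", stale)
```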
Exclude Nebula from other applications
We recommend adding specific software exclusions if you use additional security software with Nebula. For more information, see Exclusions for using Nebula with other security applications.