The Endpoint Detection and Response (EDR) settings in Nebula determine which EDR features are enabled. If you have subscriptions for both Endpoint Protection and EDR, we suggest you create a separate policy and group with EDR settings enabled. This ensures your endpoints are properly allocated to the correct subscription.
Endpoint Detection and Response settings
To locate the Endpoint Detection and Response settings tab in your policy:
- On the left navigation menu, go to Configure > Policies.
- Select a policy.
- Select the Endpoint Detection and Response tab to see the specific settings available for each operating system.
For the default settings, see ThreatDown recommended policy for Nebula.
Suspicious activity monitoring
Suspicious activity monitoring watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint. It uses machine learning models and cloud-based analysis to detect when questionable activity occurs.
Options in this section are as follows:
- Suspicious activity monitoring: Enables behavioral monitoring for Suspicious Activity on endpoints using machine learning models and cloud-based analysis to detect when questionable activity occurs.
- Suspicious activity monitoring on servers: Enables Suspicious Activity Monitoring for server operating systems. Requires Suspicious activity monitoring to be enabled. Server OS endpoints may experience additional load with Behavioral Monitoring.
Advanced settings
Advanced settings include additional features for activity monitoring.
Options in this section are as follows:
- Very aggressive detection mode: When enabled, a tighter threshold is used for flagging processes as suspicious, so detections are more aggressive. This helps protect your endpoints from additional unknown threats, but could increase false positives.
- Collect networking events to include in searching: The network events toggle lets you allow or restrict the collection of network events for suspicious activity monitoring and Flight Recorder searches. Toggling this setting OFF decreases the amount of traffic sent to the cloud. By default, the toggle is set to ON.
- Enable Event Tracing for Windows: This toggle enables the collection of Windows Event Tracing Logs, providing enhanced visibility and detection coverage for suspicious activity.
- Flight Recorder Search: Collects all endpoint events within Flight Recorder Search. Disabled by default. The Collect networking events to include in searching setting must be enabled to search for network data.
Ransomware Rollback
Ransomware Rollback is a feature that remediates damage done to your Windows endpoints by ransomware. Ransomware Rollback uses a unique restore process to reverse the damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware.
A remediation action can be triggered for any suspicious activity alert on the Investigate > Suspicious Activity page. When remediation is triggered, a scan is run to clean the identified processes. If the suspicious activity is Ransomware, the ransomware rollback process automatically begins.
The rollback uses the processes identified in the alert to find the files modified by those processes, then overwrites the changed files with the prior good copies from the cache. This design removes the need to determine the exact date and time at which the attack started.
NOTICE - Suspicious Activity Monitoring must be enabled to allow rollback on workstations. Suspicious Activity Monitoring and Suspicious activity monitoring on servers must be enabled to allow rollback on servers.
Available options are as follows:
- Ransomware Rollback: Turns Ransomware Rollback on or off.
Advanced settings
Advanced settings include additional features for Ransomware Rollback.
Options in this section are as follows:
- Rollback timeframe: Determines how long the information is stored in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during the chosen period. This can be set between 1 and 7 days; the default value is 3 days.
- Rollback free disk space quota: Configures the maximum percentage of free disk space to allocate for file backups. The default setting is 30%, but you can adjust it between 10% and 70%. This setting applies to all endpoints attached to the policy.
- Workstation rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.
- Server rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each server.
- Server rollback location: Provides a custom server backup location for Ransomware Rollback data. The specified folder path must be on a local drive; network drives are not supported. To change the backup location, set a new folder path within the available field. \rollback_backup is automatically appended to the selected folder path. The default backup path is: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup\
Notes:
- We advise monitoring the free disk space of hard drives used as an alternative backup location to ensure enough space is available.
- Each endpoint uses a maximum of 70% of free disk space to prevent issues with the operating system. This is always relative to the "available disk space" on the hard drive. If the drive's available space later decreases, the backup folder automatically resizes to maintain the same percentage, deleting the oldest files to free up space.
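As an added illustration (not ThreatDown's code, and with time modelled as a plain number of days), this Python model applies the timeframe, free-space quota, file-size limit and local-path rules above to show which prior good copies survive as the cache fills or the drive's available space shrinks. The 20 MB file size limit is an assumed value, since the page gives no default.

```python
from dataclasses import dataclass
# Illustrative model, not ThreatDown's own code, of how the Ransomware Rollback advanced
# settings above constrain the backup cache on one endpoint. Time is a plain number of days.
@dataclass
class RollbackSettings:
    timeframe_days: int = 3             # allowed 1-7, default 3
    free_space_quota_pct: int = 30      # allowed 10-70, default 30
    max_file_bytes: int = 20 * 1024**2  # assumed limit; the page gives no default

    def validate(self) -> None:
        if not 1 <= self.timeframe_days <= 7:
            raise ValueError("Rollback timeframe must be between 1 and 7 days")
        if not 10 <= self.free_space_quota_pct <= 70:
            raise ValueError("Rollback free disk space quota must be 10-70%")

def server_backup_folder(custom_path: str) -> str:
    # A custom server location must be on a local drive; \rollback_backup is appended.
    if custom_path.startswith("\\\\"):
        raise ValueError("Network drives are not supported for the rollback location")
    return custom_path.rstrip("\\") + "\\rollback_backup"

class RollbackCache:
    def __init__(self, settings: RollbackSettings, free_disk_bytes: int):
        settings.validate()
        self.settings = settings
        self.free_disk_bytes = free_disk_bytes
        self.entries: list[tuple[str, int, float]] = []  # (path, size, day saved)

    def capacity(self) -> int:
        # The quota is a percentage of the drive's *currently* available space.
        return self.free_disk_bytes * self.settings.free_space_quota_pct // 100

    def used(self) -> int:
        return sum(size for _, size, _ in self.entries)

    def record_change(self, path: str, size: int, now: float) -> bool:
        # Files larger than the configured maximum are never backed up.
        if size > self.settings.max_file_bytes:
            return False
        self.entries.append((path, size, now))
        self.enforce(now)
        return True

    def enforce(self, now: float) -> None:
        # Expire copies older than the timeframe, then evict oldest-first until the
        # cache fits the quota (what the Notes describe when free space shrinks).
        cutoff = now - self.settings.timeframe_days
        self.entries = sorted((e for e in self.entries if e[2] >= cutoff), key=lambda e: e[2])
        while self.entries and self.used() > self.capacity():
            self.entries.pop(0)
```

Set `free_disk_bytes` to the drive's current free space and call `enforce()` again to see the oldest copies drop out when the quota shrinks.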
Endpoint isolation
Endpoint Isolation temporarily stops threats from spreading between endpoints by restricting their communication or access. An isolated endpoint can still communicate with the console and run Nebula processes.
Available options are as follows:
- Enable endpoint isolation to allow locking/unlocking of endpoints: Enables you to lock and unlock devices.
Once the policy setting is enabled, endpoints assigned to that policy can be isolated on the Manage > Endpoints page with the Actions > Isolate Endpoint(s) button. For more information, see Isolate endpoints in Nebula.
There are three types of isolation that can be enabled separately or combined to further lock down the device:
- Network Isolation: Prevent the endpoint from communicating with other devices on your network.
- Process Isolation: Restrict which processes can run on the endpoint and prevent processes from interacting.
- Desktop Isolation (Windows only): Prevent end users from accessing the endpoint.
Note: Remove isolation on the Manage > Endpoints page with the Actions > Remove isolation button. Removing isolation reboots the endpoint, which may cause the loss of any unsaved work.
Windows isolation settings
You can customize the isolation settings on Windows endpoints with the following options:
- Isolation Title: Customize the title.
- Isolation message: Customize the message so the end-user knows why their machine was isolated or who to contact.
- Image to display to the end-user: Upload a custom image or use your company logo so your end-users know the isolation message is legitimate. It must be a BMP file smaller than 2 MB.
Active Response Shell
Active Response Shell provides the ability to remotely investigate attacks, collect forensic data, and remediate detections on Windows and Linux endpoints. Authorized Super Admins can securely access their endpoints remotely with Nebula.
To view and modify Active Response Shell settings, a Super Admin must have Active Response Shell permission enabled by the Nebula Account Owner. For more information, see Manage Users in Nebula.
Available options are:
- Active Response Shell: Turns active response shell on or off.
Advanced settings
Advanced settings include additional features for Active Response Shell. Available options are:
- Enable secure connections using certificate pinning: Limits which digital certificates are used with the Active Response Shell, providing additional security.