Skip to main content

Protection policy settings in Nebula

Updated: 

The Protection policy settings in Nebula determine which defensive measures are enabled on your endpoints. 

Protection settings

To locate the Protection settings tab in your policy:

  1. On the left navigation menu, go to Configure > Policies.
  2. Select a policy.
  3. Select the Protection settings tab to see the specific settings available for each operating system.

For the default settings, see ThreatDown recommended policy for Nebula.

Real-time protection

Real-time protection features are part of your Endpoint Protection or Endpoint Detection and Response subscription.

When you enable Real-time protection features, any needed plugins are automatically installed on your endpoints. We recommend using all Endpoint Protection features for the best protection.

These protection layers block and prevent malicious activity, but false positives can occur where legitimate software or files are being blocked. Report the false positives or use exclusions to mitigate them. For more information, see

Web protection

Blocks access to and from known or suspicious internet addresses on Windows, macOS, and iOS devices. Disabling this feature can affect the safety of your endpoints.

Web protection also has advanced settings used for troubleshooting that should remain enabled. Only disable these with the guidance of ThreatDown Support:

  • Outbound TCP: Enable or disable monitoring of outbound TCP connections.
  • Inbound TCP: Enable or disable monitoring of inbound TCP connections.
  • Outbound UDP: Enable or disable monitoring of outbound UDP connections.

Enabling this setting for macOS devices requires a system extension to be allowed. For more information, see Allow system extension for Web Protection on macOS devices - Nebula.

Exploit Protection

Guards against vulnerability exploits for installed applications. Not available on Windows endpoints running an Advanced RISC Machine (ARM) processor.

When applications launch, Exploit Protection shields them. It can stop attacks that other security applications miss. Additional settings in this section include:

  • Block potentially malicious email attachments: Prevents opening or saving email attachments that contain malicious file extensions in Microsoft Outlook's desktop client. Microsoft Outlook must be enabled in the Anti-exploit protected applications list. 
  • Manage protected Applications: Popular applications are automatically supported and can be seen here. You can also add your applications following this article: Add an application to Exploit Protection in Nebula.
  • Anti-exploit settings: Allows configuration of some anti-exploit measures. The default settings balance endpoint performance and anti-exploit protection. To keep you secure, some of these settings may not be changed.

IMPORTANT: We recommend not changing these settings unless instructed to by Support. For more information, see Anti-Exploit settings in Nebula.

Malware Protection

Malware Protection protects against malicious content that tries to execute on your endpoints. Malware comes from many sources, such as downloads, external drives, and email attachments. We recommend leaving Malware Protection on. Malware Protection is always enabled on Macs using Real-time protection.

Enable Anti-Malware Scanning Interface integrates our real-time protection engine with Windows Anti-Malware Scanning Interface (AMSI). This allows us to effectively detect and block fileless portable executables and the scripts that created them. This feature requires an Endpoint agent version of 2.0.0.225 or higher.

Ransomware Behavior Protection

Ransomware behavior protection safeguards against malicious activities like backup deletion, restore point removal, and file encryption occurring locally on an endpoint. We recommend keeping Ransomware behavior Protection enabled, as disabling it exposes your endpoint to significant risk. This is enabled by default on Android and ChromeOS devices.

Network-based Ransomware behavior detections allows ThreatDown to detect ransomware activity even when the malicious process runs on a one endpoint while file encryption is performed on another. 

Block untrusted applications

Aims to completely block applications from known bad developers, preventing them from running on the endpoint. In this case, the app is not quarantined, but is not capable of running. Enable this feature to prevent potentially malicious apps from executing on your Mac endpoints.

Ad block

Prevents ads and ad trackers from loading on Safari browser for iOS devices.

Additional real-time protection settings 

These options affect when Real-time protection loads and how the endpoint agent registers in the Windows Action Center.

  • Delay real-time protection when ThreatDown starts for: How long the Real-Time Protection service is delayed. Adjust this option based on which services conflict with Real-Time Protection. The delay can range from 15 to 180 seconds.
  • Windows Action Center: The Windows Action Center alerts you when there is an issue needing attention. Choose to register the endpoint agent as the primary Windows security solution on non-server endpoints. This allows the Windows Action Center to show notifications from the endpoint agent.
    Note: To verify which application is set as the primary protection service provider, run the following command in Command Prompt on the endpoint and look for the first or only application listed: 
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
    • Let ThreatDown apply the best Windows Action Center settings: The endpoint agent determines if it should be registered as the primary protection service provider in the Windows Action Center. When the endpoint agent is registered in the Windows Action Center, Windows Defender is disabled. If the endpoint agent is temporarily disabled, Windows Defender re-enables itself. Use Microsoft GPO to keep Defender disabled if required. 
    • Never register ThreatDown in the Windows Action Center: The endpoint agent is set as the secondary antivirus and never appears in Windows Action Center. Windows Defender remains as the primary antivirus.
    • Always register ThreatDown in the Windows Action Center: The endpoint agent is set as the primary antivirus and always appears in Windows Action Center. Windows Defender is disabled as a result

Browser Phishing Protection

Customers on a Core bundle or higher can utilize an additional layer of website protection by enabling Install the Browser Phishing Protection web extension to block malicious websites and filter webpage content. This extension runs on Google Chrome, Microsoft Edge, and the Brave browser for Windows endpoints to block access to phishing and known malicious domains. 

Notes

  • Malwarebytes Browser Guard is automatically disabled if it's already installed when enabling Browser Phishing Protection.
  • The extension must be manually installed on Brave browser. For more information, see Install Browser Phishing Protection on Brave browser - Nebula
  • Users should expect minimal impact on performance with Browser Phishing Protection:
    • ~128Mb memory usage
    • <12% CPU usage
    • Maximum 14% CPU usage under intense load

Advanced Settings for Browser Phishing Protection

The following advanced configurations are available for Browser Phishing Protection:

  • Prevent endpoint agent from installing web extension on MDM managed endpoints: Only check this box if you already manage and install browser extensions through a Mobile Device Management (MDM) tool. For more information on adding Browser Phishing Protection through MDM, see Browser Phishing Protection MDM Deployment - Nebula.
  • Web protection layers: Configure which protection layers for Browser Phishing Protection are enabled.
    • Ads/Trackers: Block intrusive ads and tracking scripts that monitor use activity across websites. Helps improve privacy and page load speed.
    • Malware: Prevents access to websites known to host malicious software, including viruses, trojans, and ransomware.
    • Scams: Blocks access to phishing sites, tech support scams, fake giveaways, and other fraudulent websites.
    • General top-level domains (gTLDs): Restricts access to websites with specific high-risk top-level domains which are often used for spam, malware, and scams.
  • Web extension footer message: Customize the message displayed in the footer of the interface on the ThreatDown Browser Phishing Protection web extension
  • Block page: Customize the look and feel of the block page displayed to end users when visiting a page blocked by Browser Phishing Protection. 
    • Organization name: Name of your company.
    • Logo URL: Link to a logo.
    • Header text: Title text.
    • Message: Body message.

Additional Protection

These options control if the endpoint agent protects itself from tampering and access to USB drives. These features require Real-time protection to be enabled.

Self-Protection

Self-Protection lets the endpoint agent create a "safe zone" to prevent malicious control of the application. The self-protection module has a brief startup period. 

Enable Self-Protection Module earlier in the boot process makes Self-Protection start earlier when the endpoint is booting. This affects the startup order of services and software drivers.

Device Control

Device Control manages access to removable storage volumes, a mountable volume with a file system on a storage device, connected via USB to Windows endpoints. macOS devices and devices utilizing Media Transfer Protocol or Picture Transfer Protocol are not currently supported. This includes various devices such as smartphones, cameras, scanners, and SD card readers.

The options in this section are as follows:

  • Automatically scan and quarantine threats when a USB device is inserted: Checks for and removes threats found on USB devices when inserted. 
  • Allow full access to the device: Allow copying and modifying files to the device.
    • Block device until a scan has been done: Prevent USB device activity until the scan is complete. 
  • Read-only access to the device: Allow copying files from the device and block modifying or copying files to the device. Customize a message to display for your users when a USB device is blocked.
    • Block device until a scan has been done: Prevent USB device activity until the scan is complete. 
  • Block access to the device: Block modifying and copying files to the device. Customize a message to display for your users when a USB device is blocked.

Note: Device Control automatically disables Windows AutoRun via these 3 registry keys:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoAutoplayfornonVolume
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoAutorun
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer|NoDriveTypeAutoRun

Aggressive protection settings

Aggressive protection settings are advanced security measures that can be enabled to provide enhanced protection against cyber attacks. These settings may result in more false positives and are ideal for devices that are often compromised.

CAUTION - These settings are disabled by default and should only be enabled after careful consideration of the impact on your devices.

  • Block penetration testing attacks: Aggressive exploit protection settings to detect penetration attacks. This setting is ideal to be enabled during security audits. Legitimate processes may be blocked when this setting is enabled. Exploit protection must be enabled in the policy.
  • Enable hardening of MS Office applications: Disables macro execution from within MS Office applications. Recommended to be used on devices that require more robust security. Exploit protection must be enabled in the policy.
  • Enhance anomaly detections: Enables aggressive configuration for the anomaly detection technology. Malware protection must be enabled in the policy.
  • Enhance heuristic detections: Enables aggressive heuristic rules. Malware protection must be enabled in the policy.
  • Enhance sandbox detections: Enables aggressive configuration for our sandbox emulator. Malware protection must be enabled in the policy.

Protection updates 

Protection updates are endpoint database updates, sometimes called protection rules updates, used by scans and Real-time protection features.

Endpoints check for Protection Updates at the following intervals:

  • System startup - At a random time during the first five minutes after boot up.
  • Once per hour - Throughout the day. This is the default. 
  • Prior to running a scan - Before every scan, endpoint agents check to ensure they have the latest Protection Updates.

The following options are available:

  • Check for protection software updates: How often the Windows endpoint checks Nebula servers for updates. Choose a period from 15 minutes to 7 days. 
  • Protection updates delay: Windows only. Postpones the latest Protection Updates by 1, 3, or 12 hours. Choose a delay period or set No delay, which is recommended. For more information, see Protection Updates Delay overview.

Important: Delays between Protection updates may reduce the risk of encountering a false positive but increase vulnerability to zero-day threats. 

Mobile protection updates

Mobile protection updates are endpoint database updates used by scans, ad blocking, and Real-time protection features. The database updates every hour when available. Options in this section are as follows:

  • Allow protection updates over expensive networks: Allow protection updates to occur over cellular data. 

Still have questions?

Support is available via chat, phone or by creating a ticket. You can also use our virtual assistant for guided assistance.

Learn more