The Endpoint Detection and Response (EDR) settings in OneView determine which EDR features are enabled. If sites have subscriptions for Endpoint Protection and EDR, we suggest creating a separate policy and group with EDR settings enabled. This ensures endpoints are properly allocated in the site subscription.
Endpoint Detection and Response settings
- On the left navigation menu, go to Configure > Policies.
- Click New or select an existing policy.
- Select the Endpoint Detection and Response tab to see the specific settings available for each operating system.
For the default settings, see ThreatDown recommended policy for OneView.
Suspicious activity monitoring
Suspicious activity monitoring watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint. It uses machine learning models and cloud-based analysis to detect when questionable activity occurs.
Options in this section are as follows:
- Suspicious activity monitoring: Enables behavioral monitoring for Suspicious Activity on endpoints using machine learning models and cloud-based analysis to detect when questionable activity occurs.
- Suspicious activity monitoring on servers: Enables Suspicious Activity Monitoring for server operating systems. Requires Suspicious activity monitoring to be enabled. Server endpoints may experience additional load when behavioral monitoring is enabled.
Advanced settings
Advanced settings include additional features for activity monitoring.
Options in this section are as follows:
- Very aggressive detection mode: When enabled, a tighter threshold is used for flagging processes as suspicious, so more activity is detected. This helps protect endpoints from additional unknown threats but can increase false positives.
- Collect networking events to include in searching: The network events toggle allows or restricts the collection of network events for suspicious activity monitoring and Flight Recorder searches. Toggling this setting OFF decreases the amount of traffic sent to the cloud. By default, the toggle is set to ON.
- Enable Event Tracing for Windows: This toggle enables the collection of Event Tracing for Windows (ETW) events, providing enhanced visibility and detection coverage for suspicious activity.
- Flight Recorder Search: Collects all endpoint events within Flight Recorder Search. Disabled by default. The Collect networking events to include in searching setting must be enabled to search for network data.
Ransomware Rollback
Ransomware Rollback is a feature that remediates damage done to Windows endpoints by ransomware. Ransomware Rollback uses a unique restore process to reverse the damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware.
A remediation action can be triggered for any suspicious activity alert on the Investigate > Suspicious Activity page. When remediation is triggered, a scan is run to clean the identified processes. If the suspicious activity is ransomware, the ransomware rollback process begins automatically.
The rollback uses the processes identified in the alert to find the files those processes modified, then overwrites the changed files with the prior good copies held in the rollback cache. This design removes the need to determine the exact date and time at which the attack started.
NOTICE - Suspicious Activity Monitoring must be enabled to allow rollback on workstations. Suspicious Activity Monitoring and Suspicious activity monitoring on servers must be enabled to allow rollback on servers.
Available options are as follows:
- Ransomware Rollback: Turns Ransomware Rollback on or off.
Advanced settings
Advanced settings include additional features for Ransomware Rollback.
Options in this section are as follows:
- Rollback timeframe: Determines how long the information is stored in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during the chosen period. This can be set between 1-7 days and the default value is 3 days.
- Rollback free disk space quota: Configures the maximum percentage of free disk space to allocate for file backups. The default setting is set to 30%, but it can be adjusted between 10-70%. This setting applies to all endpoints attached to the policy.
- Workstation rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.
- Server rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each server.
- Server rollback location: Provides a custom server backup location for Ransomware Rollback data. The specified folder path must be on a local drive; network drives are not supported. To change the backup location, set a new folder path within the available field. The agent automatically appends \rollback_backup to the selected folder path. The default backup path is: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup\
Notes:
- We advise monitoring the free disk space of any drive used as an alternative backup location to ensure enough space remains available.
- Each endpoint uses at most 70% of free disk space for the cache, to avoid starving the operating system. The quota is always relative to the current available space on the drive. If free space on the drive shrinks, the backup folder automatically resizes to stay within the same percentage, deleting the oldest files first to make room.
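Because the quota is a percentage of the drive's current free space rather than a fixed size, the ceiling for the rollback cache moves as the disk fills. The following PowerShell script is an added example (not ThreatDown code) that an administrator could run or schedule on an endpoint to report the cache footprint against that moving ceiling and warn before old snapshots start being purged. It assumes the default backup path and quota from this page; the ceiling calculation is an approximation of the policy semantics described above, since the page does not state whether the agent counts its own cache as consumed space.

```powershell
# Added example: report the Ransomware Rollback cache against the free-space quota.
# Assumes the default backup path and policy defaults (30% quota); adjust to match the policy.
param(
    [string]$BackupPath = 'C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup',
    [int]$QuotaPercent = 30,         # "Rollback free disk space quota" value in the policy
    [int]$WarnAtPercentOfQuota = 80  # warn when the cache is this close to its ceiling
)

# The backup location must be on a local fixed drive; the page notes network drives are unsupported.
$driveLetter = (Split-Path -Qualifier $BackupPath).TrimEnd(':')
$vol = Get-Volume -DriveLetter $driveLetter -ErrorAction Stop
if ($vol.DriveType -ne 'Fixed') {
    throw "Rollback backup location must be on a local fixed drive; found DriveType '$($vol.DriveType)'."
}

# The agent appends \rollback_backup to the configured folder, so measure that subfolder.
$cacheDir   = Join-Path $BackupPath 'rollback_backup'
$cacheBytes = 0
if (Test-Path -Path $cacheDir) {
    $sum = (Get-ChildItem -Path $cacheDir -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($sum) { $cacheBytes = [double]$sum }
}

# Quota is relative to *current* free space, so recompute the ceiling on every run.
$freeBytes    = [double]$vol.SizeRemaining
$ceilingBytes = $freeBytes * ($QuotaPercent / 100)
$usedPercent  = if ($ceilingBytes -gt 0) { [math]::Round(100 * $cacheBytes / $ceilingBytes, 1) } else { 100 }
$status       = if ($usedPercent -ge $WarnAtPercentOfQuota) {
    'WARN: cache near quota; oldest rollback files will be purged first'
} else {
    'OK'
}

[pscustomobject]@{
    Drive            = $driveLetter + ':'
    FreeGB           = [math]::Round($freeBytes / 1GB, 2)
    FreePercent      = [math]::Round(100 * $freeBytes / [double]$vol.Size, 1)
    CacheGB          = [math]::Round($cacheBytes / 1GB, 2)
    QuotaCeilingGB   = [math]::Round($ceilingBytes / 1GB, 2)
    CacheUsedOfQuota = "$usedPercent%"
    Status           = $status
}
```

Run it as an administrator so the cache folder under ProgramData is readable, and pass -BackupPath if the policy sets a custom server rollback location. A low FreePercent with a high CacheUsedOfQuota means the rollback timeframe is effectively shorter than the policy says, because the agent will already be discarding the oldest copies.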
Endpoint isolation
Endpoint Isolation temporarily stops threats from spreading between endpoints by restricting their communication or access. An isolated endpoint can still communicate with the console and run OneView processes.
Available options are as follows:
- Enable endpoint isolation to allow locking/unlocking of endpoints: Enables admins to lock and unlock supported devices.
Once the policy setting is enabled on the device, those endpoints can be isolated on the Manage > Endpoints page with the Actions > Isolate Endpoint(s) button.
There are three types of isolation that can be enabled separately or combined to further lock down the device:
- Network Isolation: Prevent the endpoint from communicating with other devices on your network.
- Process Isolation: Restrict which processes can run on the endpoint and prevent processes from interacting.
- Desktop Isolation (Windows only): Prevent end users from accessing the endpoint.
Note: Remove isolation on the Manage > Endpoints page with the Actions > Remove isolation button. Removing isolation will reboot the endpoint which may cause the loss of any unsaved work.
Windows isolation settings
Customize the isolation settings on Windows endpoints with the following options:
- Isolation Title: Customize the title.
- Isolation message: Customize the message so the end-user knows why their machine was isolated or who to contact.
- Image to display to the end-user: Upload a custom image or use a company logo so end-users know the isolation message is legitimate. It must be a BMP file less than 2MB.
Active Response Shell
Active Response Shell can investigate attacks, collect forensic data, and remediate detections on remote endpoints. Authorized Super Admins can securely access their endpoints remotely with OneView.
To view and modify Active Response Shell settings, a Super Admin must have Active Response Shell permission enabled by a Global Admin.
Available options are:
- Active Response Shell: Turns active response shell on or off.
Advanced settings
Advanced settings include additional features for Active Response Shell. Available options are:
- Enable secure connections using certificate pinning: Limits which digital certificates are used with the Active Response Shell, providing additional security.
To use Active Response Shell, see Active Response Shell in OneView.