Nebula comes with a default policy configured with the recommended settings. If you modify a policy, you can revert it back to our defaults with the reset button on the policy edit page. There are default policies available for workstations and servers. This article details all default policy settings so you know what settings come with Nebula and what changes are made when using the reset button.
The following displays the default status for each policy option and operating system:
- ✓ Policy option is enabled.
- ! Policy option is disabled.
- ✕ Policy option is unavailable.
Workstations/Mobile
The following tables display the default settings for a workstation policy.
Endpoint agent
For more information on each policy setting, see Endpoint agent policy settings in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
|---|---|---|---|---|---|---|
| Show the ThreatDown icon in the notification area | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Display real-time protection notifications | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Allow users to run a Threat Scan (all threats will be quarantined automatically) | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Show ThreatDown shortcuts on Start menu and desktop to run Threat Scans | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Show ThreatDown option in context menus | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Allow only Administrator level users to interact with the ThreatDown Tray | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Pause Endpoint Agent and Protection Service Updates | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Use memory caching | ✕ | ✕ | ✕ | ✓ | ✓ | ✕ |
| Automatically reboot endpoints when required | ! | ! | ✕ | ✕ | ✕ | ✕ |
| Allow users to postpone a reboot | ! | ! | ✕ | ✕ | ✕ | ✕ |
| Automatically remove unseen endpoints after (90) days | ! | ! | ! | ✕ | ✕ | ✕ |
| Provide all services with additional time to initiate (5 minutes) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enable service health monitoring | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
Tamper protection
For more information on each policy setting, see Tamper protection policy settings in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
| Uninstall and Command Line Protection | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Service and Process Protection | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
Protection settings
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
|---|---|---|---|---|---|---|
| Web protection | ✓ | ✓ | ✕ | ✕ | ✕ | ✓ |
| Outbound TCP | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Inbound TCP | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Outbound UDP | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Outbound ICMP | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Inbound ICMP | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Exploit protection | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Block potentially malicious email attachments (Outlook desktop only) | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Malware protection | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Enable Anti-Malware Scanning Interface | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Ransomware Behavior protection | ✓ | ✕ | ✕ | ✓ | ✓ | ✕ |
| Network-based Ransomware behavior detections | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Block untrusted applications | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Ad block | ✕ | ✕ | ✕ | ✕ | ✕ | ✓ |
| Delay real-time protection when ThreatDown starts for (15 seconds) | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Windows Action Center (Let ThreatDown apply the best Windows Action Center settings) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Install the Browser Phishing Protection web extension to block malicious websites and filter webpage content | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ |
| Skip extension installation if registry-managed extensions are detected | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Prevent endpoint agent from installing web extension on MDM managed endpoints | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Chrome | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ |
| Microsoft Edge | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Brave | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Mozilla Firefox | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Ads/Trackers | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ |
| Allow end users to access websites blocked due to ads/trackers or telemetry | ! | ✕ | ✕ | ✕ | ! | ✕ |
| Malware | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ |
| Scams | ✓ | ✕ | ✕ | ✕ | ✓ | ✕ |
| Suspicious top-level domains | ! | ✕ | ✕ | ✕ | ! | ✕ |
| Self-Protection | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enable Self-Protection Module earlier in the boot process | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enable management of external devices connected to endpoints (Allow full access to the device) | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Automatically scan and quarantine threats when a USB device is inserted | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Block device until a scan has been done | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Block penetration testing attacks | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enable hardening of MS Office applications | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enhance anomaly detections | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enable heuristic detections | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Enhance sandbox protection | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Automatically download and install ThreatDown Protection service update | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Check for protection software updates (1 Hour) | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Protection updates delay (No delay) | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Allow protection updates over expensive networks | ✕ | ✕ | ✕ | ! | ! | ! |
Scan settings
For more information on each policy setting, Scan policy settings options in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
|---|---|---|---|---|---|---|
| Scan the contents of compressed folders (e.g. .zip, .rar. etc.) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Scan for rootkits on the endpoints | ! | ✓ | ✕ | ✕ | ✕ | ✕ |
| Treat potentially unwanted programs (PUPs) as malware | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Treat potentially unwanted modifications (PUMs) as malware | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Detect signature-less anomalous files | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Detect malware with AI algorithms | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Detect and Report only | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Use deep scanner during a full scan | ✕ | ✕ | ✕ | ✓ | ✓ | ✕ |
| Use power saver during scans | ✕ | ✕ | ✕ | ✓ | ✕ | ✕ |
| Perform scans only while charging | ✕ | ✕ | ✕ | ! | ! | ✕ |
| Scan automatically after reboot | ✕ | ✕ | ✕ | ✓ | ✓ | ✕ |
| Scan automatically after update | ✕ | ✕ | ✕ | ✓ | ✓ | ✕ |
| Select how endpoints should prioritize scans vs system performance (Low Priority: Better multi-tasking response) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Select maximum allocation of CPU resources for scans (Low 25%) | ✕ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Automatically delete quarantined items older than 90 days | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
Endpoint Detection and Response
For more information on each policy setting, see Endpoint Detection and Response policy settings in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
|---|---|---|---|---|---|---|
| Suspicious activity monitoring | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Suspicious activity monitoring on servers | ✓ | ✕ | ! | ✕ | ✕ | ✕ |
| Very aggressive detection mode | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Collect networking events to include in searching | ✓ | ✓ | ! | ✕ | ✕ | ✕ |
| Enable Event Tracing for Windows | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Flight Recorder Search | ! | ! | ! | ✕ | ✕ | ✕ |
| Ransomware Rollback | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Rollback timeframe (3 days) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Rollback free disk space quota (30%) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Workstation rollback filesize (20 MB) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Allow manual endpoint isolation | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Allow automatic isolation of endpoints when critical suspicious activity is found | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Network isolation | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Process isolation | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Desktop isolation | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Active Response Shell | ✓ | ! | ✓ | ✕ | ✕ | ✕ |
| Enable secure connections using certificate pinning | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
Brute force protection
For more information on each policy setting, see Brute Force Protection policy settings in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
| RDP (Port Blank) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| FTP (Port 21) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| IMAP (Port 143/993) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| MSSQL (Port 1433) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| POP3 (Port 110/995) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| SMTP (Port 25/465/587/2525) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| SSH (Port 22) | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| When 5 failed attempts are made within 5 minutes, monitor and detect the incoming IP address for 5 minutes | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Prevent private network connections from being blocked | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Use event tracing for detecting inbound connections | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
Software management
For more information on each policy setting, see Software management policy settings in Nebula.
| Policy Option | Windows | Mac | Linux | Android | ChromeOS | iOS |
|---|---|---|---|---|---|---|
| Allow scanning for known vulnerabilities in installed software (Vulnerability Assessment) | ✓ | ✓ | ✕ | ✕ | ✕ | ✕ |
| Only allow signed installers when updating third-party software | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Allow updating software inventory (Windows and macOS) and applying Windows OS patches (Windows only) | ✓ | ! | ✕ | ✕ | ✕ | ✕ |
| Disable Windows automatic updates for OS patches (Patch Management) | ! | ✕ | ✕ | ✕ | ✕ | ✕ |
| Show deployment progress from the ThreatDown icon (Patch Management) | ✓ | ! | ✕ | ✕ | ✕ | ✕ |
| Force software to close for updates (Patch Management) | ✓ | ! | ✕ | ✕ | ✕ | ✕ |
| Force close time limit (Patch Management, 24 hours) | ✓ | ! | ✕ | ✕ | ✕ | ✕ |
| Force close reminder frequency (Patch Management, 6 hours) | ✓ | ! | ✕ | ✕ | ✕ | ✕ |
| Allow blocking chosen executables from running | ✓ | ✕ | ✕ | ✕ | ✕ | ✕ |
| Connected storage device (USB storage, etc.) | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Physical and virtual memory of the endpoints | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Installed startup programs on the endpoints | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Installed software on the endpoints | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
| Software updates installed on the endpoints | ✓ | ✓ | ✓ | ✕ | ✕ | ✕ |
Servers
The following tables display the default settings for a server policy. These default settings may cause performance issues for specific servers roles. For guidance on configuring Nebula for the servers in your environment, see Configure Nebula for Windows server roles.
Endpoint agent
For more information on each policy setting, see Endpoint agent policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
|---|---|---|---|
| Show the ThreatDown icon in the notification area | ✓ | ✓ | ✕ |
| Display real-time protection notifications | ✓ | ✓ | ✕ |
| Allow users to run a Threat Scan (all threats will be quarantined automatically) | ✓ | ✓ | ✕ |
| Show ThreatDown shortcuts on Start menu and desktop to run Threat Scans | ! | ✕ | ✕ |
| Show ThreatDown option in context menus | ✓ | ✕ | ✕ |
| Allow only Administrator level users to interact with the ThreatDown Tray | ✓ | ✕ | ✕ |
| Pause Endpoint Agent and Protection Service Updates | ! | ✕ | ✕ |
| Automatically reboot endpoints when required | ! | ! | ✕ |
| Allow users to postpone a reboot | ! | ! | ✕ |
| Automatically remove unseen endpoints after (90) days | ! | ! | ! |
| Provide all services with additional time to initiate | ✓ | ✕ | ✕ |
| Enable service health monitoring | ✓ | ✕ | ✕ |
Tamper protection
For more information on each policy setting, see Tamper protection policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
| Uninstall and Command Line Protection | ✓ | ✓ | ✕ |
| Service and Process Protection | ✓ | ✕ | ✕ |
Protection settings
For more information on each policy setting, see Protection policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
|---|---|---|---|
| Web protection | ✓ | ✓ | ✕ |
| Outbound TCP | ✓ | ✕ | ✕ |
| Inbound TCP | ✓ | ✕ | ✕ |
| Outbound UDP | ✓ | ✕ | ✕ |
| Outbound ICMP | ✓ | ✕ | ✕ |
| Inbound ICMP | ✓ | ✕ | ✕ |
| Exploit protection | ✓ | ✕ | ✕ |
| Block potentially malicious email attachments (Outlook desktop only) | ! | ✕ | ✕ |
| Malware protection | ✓ | ✓ | ✓ |
| Enable Anti-Malware Scanning Interface | ✓ | ✕ | ✕ |
| Ransomware Behavior protection | ✓ | ✕ | ✕ |
| Network-based Ransomware behavior detections | ✓ | ✕ | ✕ |
| Block untrusted applications | ✕ | ✓ | ✕ |
| Delay real-time protection when ThreatDown starts for (15 seconds) | ! | ✕ | ✕ |
| Windows Action Center (Let ThreatDown apply the best Windows Action Center settings) | ✓ | ✕ | ✕ |
| Install the Browser Phishing Protection web extension to block malicious websites and filter webpage content | ✓ | ✕ | ✕ |
| Skip extension installation if registry-managed extensions are detected | ✓ | ✕ | ✕ |
| Prevent endpoint agent from installing web extension on MDM managed endpoints | ! | ✕ | ✕ |
| Chrome | ✓ | ✕ | ✕ |
| Microsoft Edge | ✓ | ✕ | ✕ |
| Brave | ✓ | ✕ | ✕ |
| Mozilla Firefox | ✓ | ✕ | ✕ |
| Ads/Trackers | ✓ | ✕ | ✕ |
| Malware | ✓ | ✕ | ✕ |
| Scams | ✓ | ✕ | ✕ |
| Suspicious top-level domains | ! | ✕ | ✕ |
| Self-Protection | ✓ | ✕ | ✕ |
| Enable Self-Protection Module earlier in the boot process | ! | ✕ | ✕ |
| Enable management of external devices connected to endpoints (Block access to the device) | ✓ | ✓ | ✕ |
| Automatically scan and quarantine threats when a USB device is inserted | ! | ✕ | ✕ |
| Block device until a scan has been done | ! | ✕ | ✕ |
| Block penetration testing attacks | ! | ✕ | ✕ |
| Enable hardening of MS Office applications | ! | ✕ | ✕ |
| Enhance anomaly detections | ! | ✕ | ✕ |
| Enable heuristic detections | ! | ✕ | ✕ |
| Enhance sandbox protection | ! | ✕ | ✕ |
| Automatically download and install ThreatDown Protection service updates | ✓ | ✓ | ✕ |
| Check for protection software updates (1 Hour) | ✓ | ✓ | ✕ |
| Protection updates delay (No delay) | ✓ | ✓ | ✕ |
Scan settings
For more information on each policy setting, Scan policy settings options in Nebula.
| Policy Option | Windows | Mac | Linux |
|---|---|---|---|
| Scan the contents of compressed folders (e.g. .zip, .rar. etc.) | ✓ | ✕ | ✕ |
| Scan for rootkits on the endpoints | ! | ✓ | ✕ |
| Treat potentially unwanted programs (PUPs) as malware | ✓ | ✓ | ✕ |
| Treat potentially unwanted modifications (PUMs) as malware | ✓ | ✕ | ✕ |
| Detect signature-less anomalous files | ✓ | ✕ | ✕ |
| Detect malware with AI algorithms | ✓ | ✕ | ✕ |
| Detect and Report only | ! | ✕ | ✕ |
| Select how endpoints should prioritize scans vs system performance (SmartPriority: Scans at high priority when the system is idle. Otherwise, scans at Low Priority) | ✓ | ✕ | ✕ |
| Select maximum allocation of CPU resources for scans (Low 25%) | ✕ | ✓ | ✕ |
| Automatically delete quarantined items older than 90 days | ! | ✕ | ✕ |
Endpoint Detection and Response
For more information on each policy setting, see Endpoint Detection and Response policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
|---|---|---|---|
| Suspicious activity monitoring | ✓ | ✓ | ✓ |
| Suspicious activity monitoring on servers | ✓ | ✕ | ✓ |
| Very aggressive detection mode | ! | ✕ | ✕ |
| Collect networking events to include in searching | ✓ | ✓ | ! |
| Enable Event Tracing for Windows | ! | ✕ | ✕ |
| Flight Recorder Search | ! | ! | ! |
| Ransomware Rollback | ✓ | ✕ | ✕ |
| Rollback timeframe (3 days) | ✓ | ✕ | ✕ |
| Rollback free disk space quota (30%) | ✓ | ✕ | ✕ |
| Workstation rollback filesize (20 MB) | ✓ | ✕ | ✕ |
| Server rollback filesize (100 MB) | ✓ | ✕ | ✕ |
| Allow manual endpoint isolation | ✓ | ✓ | ✓ |
| Allow automatic isolation of endpoints when critical suspicious activity is found | ✓ | ✓ | ✓ |
| Network isolation | ✓ | ✓ | ✓ |
| Process isolation | ✓ | ✓ | ✓ |
| Desktop isolation | ✓ | ✕ | ✕ |
| Active Response Shell | ✓ | ! | ✓ |
| Enable secure connections using certificate pinning | ✓ | ✕ | ✕ |
Brute force protection
For more information on each policy setting, see Brute Force Protection policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
| RDP (Port Blank) | ✓ | ✕ | ✕ |
| FTP (Port 21) | ✓ | ✕ | ✕ |
| IMAP (Port 143/993) | ✓ | ✕ | ✕ |
| MSSQL (Port 1433) | ✓ | ✕ | ✕ |
| POP3 (Port 110/995) | ✓ | ✕ | ✕ |
| SMTP (Port 25/465/587/2525) | ✓ | ✕ | ✕ |
| SSH (Port 22) | ✓ | ✕ | ✕ |
| When 5 failed attempts are made within 5 minutes, monitor and detect the incoming IP address for 5 minutes | ✓ | ✕ | ✕ |
| Prevent private network connections from being blocked | ! | ✕ | ✕ |
| Use event tracing for detecting inbound connections | ! | ✕ | ✕ |
Software management
For more information on each policy setting, see Software management policy settings in Nebula.
| Policy Option | Windows | Mac | Linux |
|---|---|---|---|
| Allow scanning for known vulnerabilities in installed software (Vulnerability Assessment) | ✓ | ✓ | ✕ |
| Only allow signed installers when updating third-party software | ! | ✕ | ✕ |
| Allow updating software inventory (Windows & macOS) and applying Windows OS patches (Windows only) | ✓ | ! | ✕ |
| Disable Windows automatic updates for OS patches | ! | ✕ | ✕ |
| Show deployment progress from the ThreatDown icon (Patch Management) | ✓ | ! | ✕ |
| Force software to close for updates (Patch Management) | ! | ! | ✕ |
| Force close time limit (Patch Management, 24 hours) | ! | ! | ✕ |
| Force close reminder frequency (Patch Management, 6 hours) | ! | ! | ✕ |
| Allow blocking chosen executables from running (Application Block) | ✓ | ✕ | ✕ |
| Connected storage device (USB storage, etc.) | ✓ | ✓ | ✓ |
| Physical and virtual memory of the endpoints | ✓ | ✓ | ✓ |
| Installed startup programs on the endpoints | ✓ | ✓ | ✓ |
| Installed software on the endpoints | ✓ | ✓ | ✓ |
| Software updates installed on the endpoints | ✓ | ✓ | ✓ |