The Detections page in Nebula lists every threat and potential threat found on endpoints in your environment, together with the action taken on each item. Click a detection to see further information.
Detections are an audit trail, so items cannot be deleted from this page. The same threat name can appear more than once for an endpoint; for example:
- A scan reports an item as Found, and a later scan or remediation reports the same item as Quarantined.
- A threat name appears multiple times on the Detections page with the same timestamp.
Select one of the following topics to learn more:
- Detection and threat types
- View detections
- Actions taken
- Create exclusions
- Filter and sort detections
Detection and threat types
Malwarebytes protects your environment by detecting, blocking, or quarantining threats. Each detection includes a clickable link that provides details of the threat and similar common threats. For a detailed list of Malwarebytes threat information, see Malwarebytes Labs Detections.
For information on Potentially Unwanted Programs (PUPs), see What is a PUP? - How to avoid potentially unwanted programs.
View detections
You can see the list of all detections from the last 90 days, newest first. On the left navigation menu, go to Monitor > Detections to view this section in the Nebula console.
Actions taken
The Actions taken column on the Detections page shows what action occurred for each detected item. Refer to the table below for an explanation of each action:
Action taken | Description |
Blocked | Malwarebytes blocked the action and stopped the threat. Types of detections blocked: |
Found | Malwarebytes reported the detection, though no action was taken. Types of detections found: The Remediation Required status displays for endpoints when a Malware, PUM, PUP, or Ransomware threat is detected with no action taken. Run the Remediation action on the endpoint to clear the Remediation Required status. For more information, see Manage endpoints in Nebula. |
Deleted | The quarantined item was deleted from the endpoint as a result of a delete task in the quarantine. |
Quarantined | Malwarebytes detected an item, made an encrypted copy of it in the local quarantine, and deleted the original. Types of quarantined detections: See Quarantine page in Malwarebytes Nebula for further details about managing the Quarantine function. |
Restored | The quarantined item was restored on the endpoint to its original location. |
Create exclusions
A Super Admin can create an exclusion from the Detections page to prevent the item from being detected again. For more information on exclusions, see Overview of exclusions in Nebula. To create an exclusion from the Detections page:
- Check the checkboxes for the detected items to be excluded.
- In the top-right, click Create Exclusions.
- To enable the exclusion once it's created, toggle on Enable/disable.
- Confirm the selected entries and add a comment if desired.
- Select whether or not to apply the exclusion to all policies.
- Click Validate.
- Review the exclusions and click Save.
Filter and sort detections
The main area of the Detections screen shows the list of all detected threat data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size this column or all columns.
Click a column's filter icon to narrow the results. The filter bar at the top of the screen shows which filters are applied; click a filter to remove it, or click Clear Filters to remove them all.
You can filter columns for the following values:
- Action Taken: The action that Malwarebytes took on the detection. Filter by blocked, found, quarantined, deleted, or restored.
- Agent version: Version of the Malwarebytes Endpoint agent.
- Category: The protection that was triggered by the detection. Filter by malware, PUP, PUM, exploit, ransomware, remote intrusion, or website detections.
- Date: The date and time of the detection. Filter by today, yesterday, last 7 days, last 30 days, or a custom date range.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Group: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
- IP Address/CIDR: If the detection is a Malicious Website, this field shows the website's IP address.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographic hash of the file's contents, used to identify the file. May be empty if no file was present. Use it as a key to search Flight Recorder or external threat intelligence sites such as www.virustotal.com. MD5 is not collision-resistant, so prefer the SHA256 hash when matching against threat intelligence.
- OS platform: The detected endpoint's operating system.
- OS release name: The detected endpoint's operating system release name.
- OS type: Workstation or Server.
- OS version: The detected endpoint's operating system version number or build number.
- SHA256 Hash: Cryptographic hash of the file's contents, used to identify the file. May be empty if no file was present. Use it as a key to search Flight Recorder or external threat intelligence sites such as www.virustotal.com.
- Threat name: Click the name to open a glossary explanation of the detection.
- Type: The type of detection. Filter by exploit, extension, file, folder, inbound connection, module, outbound connection, process, registry key, or registry value.
- User: The logged-in user during this detected activity.
Group detection details
One or more column headers may be dragged onto the group results bar, to refine and collate results. Columns which may be grouped are:
- Action taken
- Category
- Device type
- Endpoint
- Group
- OS platform
- Type
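The Actions taken table, the column filters and the group bar above describe work an analyst often repeats outside the console, for example over a CSV export when reconciling Found items that still need remediation. The Python below is an added example, not Malwarebytes code and not the Nebula API: it assumes a CSV export whose column names match the Detections page, uses constructed sample rows (hashes shortened), and treats a Found item as cleared once the same endpoint later reports the same threat name as Quarantined or Deleted, a heuristic that mirrors the found-then-quarantined pair described at the top of the page. The lookup helper builds a link using VirusTotal's public web UI path and returns nothing when the hash cell is empty, as it is for detections with no file present.

```python
"""Triage helpers over a Nebula Detections CSV export.

Added example, not Malwarebytes code. It assumes the Detections list has been
exported to CSV with the column names shown on the Detections page; the CSV
below is constructed sample data, not a real export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export. An empty hash cell mirrors a detection where no
# file was present (registry and website detections here).
SAMPLE_CSV = """\
Date,Endpoint,Group,Category,Type,Action Taken,Threat name,SHA256 Hash
2024-05-06T09:12:00Z,WS-0042,Finance,Malware,File,Found,Trojan.Agent,1111
2024-05-06T09:40:00Z,WS-0042,Finance,Malware,File,Quarantined,Trojan.Agent,1111
2024-05-06T10:05:00Z,WS-0042,Finance,PUP,Registry Key,Found,PUP.Optional.Example,
2024-05-05T22:30:00Z,SRV-DB01,Servers,Ransomware,Process,Blocked,Ransom.Example,2222
2024-05-04T08:00:00Z,WS-0107,Sales,Website,Outbound Connection,Blocked,Malicious Website,
2024-05-01T14:00:00Z,WS-0107,Sales,PUM,Registry Value,Found,PUM.Optional.Example,
"""

# Fixed "now" so the date presets below are reproducible against the sample.
SAMPLE_NOW = datetime(2024, 5, 6, 12, 0, tzinfo=timezone.utc)

# Categories whose Found detections put an endpoint into Remediation Required.
REMEDIATION_CATEGORIES = {"Malware", "PUM", "PUP", "Ransomware"}
# Later actions that show a Found item has since been dealt with (heuristic).
CLEARING_ACTIONS = {"Quarantined", "Deleted"}


def load_detections(text):
    """Parse the export and return rows newest first, as the console lists them."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        stamp = datetime.strptime(row["Date"], "%Y-%m-%dT%H:%M:%SZ")
        row["Date"] = stamp.replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["Date"], reverse=True)


def date_window(name, now):
    """Translate the Date filter presets into an inclusive (since, until) pair."""
    start_of_today = now.replace(hour=0, minute=0, second=0, microsecond=0)
    windows = {
        "today": (start_of_today, now),
        "yesterday": (start_of_today - timedelta(days=1),
                      start_of_today - timedelta(microseconds=1)),
        "last 7 days": (now - timedelta(days=7), now),
        "last 30 days": (now - timedelta(days=30), now),
    }
    return windows[name]


def filter_detections(rows, actions=None, categories=None, window=None):
    """Apply column filters; each argument given narrows the result further."""
    out = []
    for r in rows:
        if actions and r["Action Taken"] not in actions:
            continue
        if categories and r["Category"] not in categories:
            continue
        if window and not (window[0] <= r["Date"] <= window[1]):
            continue
        out.append(r)
    return out


def group_by(rows, column):
    """Mirror dragging a column header onto the group bar."""
    groups = defaultdict(list)
    for r in rows:
        groups[r[column]].append(r)
    return dict(groups)


def remediation_required(rows):
    """Endpoints still carrying a Found Malware/PUM/PUP/Ransomware item.

    Walks the audit trail oldest first; a Found entry is treated as cleared when
    the same endpoint later reports the same threat name with a clearing action.
    Returns {endpoint: [threat names]} for endpoints with anything outstanding.
    """
    pending = defaultdict(set)
    for r in sorted(rows, key=lambda r: r["Date"]):
        if r["Action Taken"] == "Found" and r["Category"] in REMEDIATION_CATEGORIES:
            pending[r["Endpoint"]].add(r["Threat name"])
        elif r["Action Taken"] in CLEARING_ACTIONS:
            pending[r["Endpoint"]].discard(r["Threat name"])
    return {ep: sorted(names) for ep, names in pending.items() if names}


def lookup_url(sha256):
    """VirusTotal web UI link for a hash; None when the export cell is empty."""
    sha256 = sha256.strip().lower()
    return f"https://www.virustotal.com/gui/file/{sha256}" if sha256 else None


if __name__ == "__main__":
    rows = load_detections(SAMPLE_CSV)
    window = date_window("last 7 days", SAMPLE_NOW)
    found = filter_detections(rows, actions={"Found"}, window=window)
    print(f"{len(found)} Found detections in the last 7 days")
    for endpoint, threats in remediation_required(rows).items():
        print(f"Remediation Required on {endpoint}: {', '.join(threats)}")
    for category, items in group_by(rows, "Category").items():
        print(f"{category}: {len(items)}")
```

Running the script against the sample prints three Found detections in the last 7 days and flags WS-0042 (PUP still Found after its Malware item was quarantined) and WS-0107 (PUM Found with no follow-up); the Blocked items on SRV-DB01 and WS-0107 never enter the pending set because Blocked means the action was stopped, not left in place.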
Expand detection details
Under the Threat Name column, click one of the listed detection names to view more details. In the Detection Details window, you can view the following information:
- Action Taken: The action that Malwarebytes took on the detection.
- Affected Applications: Detected application name.
- Category: The protection that was triggered by the detection.
- Detection Name: Click the name to open a glossary explanation of the detection.
- Domain: If the detection is a Malicious Website, this field shows the web URL.
- Endpoint: Click the endpoint name to go to the Overview page for the endpoint.
- Group Name: Click the name of the group to view the endpoints that belong to that group on the Endpoints screen.
- IP Address: If the detection is a Malicious Website, this field shows the website's IP Address.
- Location: The location of the detection on the endpoint. Contents change with the type of detection.
- MD5 Hash: Cryptographic hash of the file's contents, used to identify the file. May be empty if no file was present. Use it as a key to search Flight Recorder or external threat intelligence sites such as www.virustotal.com. MD5 is not collision-resistant, so prefer the SHA256 hash when matching against threat intelligence.
- Port: If the detection is a Malicious Website, this field shows the port the connection used.
- Process Name: The file path of the process.
- Reported At: The time and date Malwarebytes reported the detection.
- SHA256 Hash: Cryptographic hash of the file's contents, used to identify the file. May be empty if no file was present. Use it as a key to search Flight Recorder or external threat intelligence sites such as www.virustotal.com.
- Scanned At: The date and time the detection was scanned.
- Type: The type of detection, such as a file or outbound connection.
Return to the Malwarebytes Nebula Administrator Guide.