The Endpoint Detection and Response (EDR) settings in Nebula determine which EDR features are enabled. If you have subscriptions for both Endpoint Protection and EDR, we suggest you create a separate policy and group with EDR settings enabled. This ensures your endpoints are properly allocated to the correct subscription.
Endpoint Detection and Response settings
To locate the Endpoint Detection and Response settings tab in your policy:
- On the left navigation menu, go to Configure > Policies.
- Click the New or select an existing policy.
- Select the Endpoint Detection and Response tab to see the specific settings available for each operating system.
Suspicious activity monitoring
Suspicious activity monitoring watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint. It uses machine learning models and cloud-based analysis to detect when questionable activity occurs.
Options in this section are as follows:
- Suspicious activity monitoring: Enables behavioral monitoring for Suspicious Activity on endpoints using machine learning models and cloud-based analysis to detect when questionable activity occurs.
- Suspicious activity monitoring on servers: Enables Suspicious Activity Monitoring for server operating systems. Server OS endpoints may cause extra load with Behavioral Monitoring.
Advanced settings
Advanced settings include additional features for activity monitoring.
Options in this section are as follows:
- Enables a very aggressive detection mode: If aggressive detection mode is enabled, a tighter threshold is used for flagging processes as suspicious and is more aggressive in its detections. Aggressive detection mode helps protect your endpoints from additional unknown threats, but could increase False Positives.
- Collect networking events to include in searching: The network events toggle lets you allow or restrict the collection of network events to include in Flight Recorder searches. Toggling this setting OFF decreases the amount of traffic sent to the cloud. By default, the toggle is set to ON.
- Flight Recorder Search: Collects all endpoint events within Flight Recorder Search. Disabled by default.
Ransomware Rollback
Ransomware Rollback is a feature that remediates damage done to your Windows endpoints by ransomware. Ransomware Rollback uses a unique restore process to reverse the damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware.
A rollback is initiated by remediating suspicious activity on the Investigate > Suspicious Activity page. The rollback uses the processes identified in the alert to identify the files modified by that process, then copying and overwriting files changed with the prior good copies. This design removes the need to discover the exact date and time of the start of the attack.
NOTICE - Suspicious Activity Monitoring must be enabled to allow rollback on workstations. Suspicious Activity Monitoring and Suspicious activity monitoring on servers must be enabled to allow roll back on servers.
Available options are as follows:
- Ransomware Rollback: Turns Ransomware Rollback on or off.
Advanced settings
Advanced settings include additional features for Ransomware Rollback.
Options in this section are as follows:
- Rollback timeframe: Determines how long the information is stored in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during the chosen period. The default value is 48 hours.
- Rollback free disk space quota: Configures the maximum percentage of free disk space to allocate for file backups. The default setting is set to 30%, but you can adjust between 10-70%. This setting applies to all endpoints attached to the policy.
- Workstation rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.
- Server rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each server.
-
Server rollback location: Provides a custom server backup location for Ransomware Rollback data. The specified folder path must be on a local drive, network drives are not supported. To change the backup location, set a new folder path within the available field. The folder path selected appends \rollback_backup to the ending automatically. The default backup path is: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup\
Notes:
- We advise monitoring the free disk space of hard drives used as an alternative backup location to ensure enough space is available.
- Each endpoint uses a maximum of 30% free disk space to prevent issues with the operating system. This is always relative to the "available disk space" on the hard drive. If the hard drive reduces in capacity at some point, the backup folder automatically resizes to maintain the same percentage, deleting the oldest files to accommodate space.
Endpoint isolation
Endpoint Isolation temporarily stops threats from spreading between endpoints by restricting their communication or access. An isolated endpoint can still communicate with the console and run Nebula processes.
Available options are as follows:
- Enable endpoint isolation to allow locking/unlocking of endpoints: Enables you to lock and unlock devices. This is done on the Manage > Endpoints page with the Actions > Isolate Endpoint(s) button.
Windows isolation settings
You can customize the isolation settings on Windows endpoints with the following options:
- Isolation Title: Customize the title.
- Isolation message: Customize the message so the end-user knows why their machine was isolated or who to contact.
- Image to display to the end-user: Upload a custom image or use your company logo so your end-users know the isolation message is legitimate. It must be a BMP file less than 2MB.
Active Response Shell
Active Response Shell provides the ability to investigate attacks, collect forensic data, and remediate detections on remote endpoints. Authorized Super Admins can securely access their endpoints remotely with Nebula.
To view and modify Active Response Shell settings, a Super Admin must have Active Response Shell permission enabled by the Nebula Account Owner. For more information, see Manage Users in Nebula.
Available options are:
- Active Response Shell: Turns active response shell on or off.
Advanced settings
Advanced settings include additional features for Active Response Shell. Available options are:
- Enable secure connections using certificate pinning: Limits which digital certificates are used with the Active Response Shell, providing additional security.
