Policies define how Malwarebytes behaves when using Real-time protection. Policies are applied at the group level, and all endpoints in a group use the same policy. By default, endpoints added to the console belong to the Default Group, and the Default Policy.
Protection settings
To locate the Protection settings tab in your policy:
- On the left navigation menu, go to Configure > Policies.
- Click New or select an existing policy.
- Select the Protection settings tab to see the specific settings available for each operating system.
Real-time protection
Real-time protection features are part of your Malwarebytes Endpoint Protection or Endpoint Detection and Response subscription.
When you enable Real-time protection features, any needed plugins are automatically installed on your endpoints. We recommend using all Malwarebytes Endpoint Protection features for the best protection.
Options in this section are as follows:
- Web protection: Blocks access to and from known or suspicious Internet addresses. Disabling this feature can affect the safety of your endpoints.
-
Exploit Protection: Guards against vulnerability exploits for installed applications. When applications launch, Exploit Protection shields them. It can stop attacks that other security applications miss.
- Block potentially malicious email attachments: Blocks against malicious email attachments in Microsoft Outlook's desktop client. Microsoft Outlook must be enabled in the Anti-exploit protected applications list.
- Block penetration testing attacks: Blocks against penetration testing attempts on devices to prevent a breach.
- Manage protected Applications: Popular applications are automatically supported, and can be seen here. You can also add your own applications following this article here: Add an application to Exploit Protection in Nebula.
-
Anti-exploit settings: Allows configuration of some anti-exploit measures. The default settings balance endpoint performance and anti-exploit protection. To keep you secure, some of these settings may not be changed.
IMPORTANT: We recommend not changing these settings unless instructed to by Malwarebytes Support. For more information, see Anti-Exploit settings in Nebula.
- Malware Protection: Protects against malicious content that tries to execute on your endpoints. Malware comes from many sources, such as downloads, external drives, and email attachments. We recommend leaving Malware Protection on. Malware Protection is always enabled on Macs using Real-time protection.
- Behavior protection: Safeguards against both known and unknown ransomware. Ransomware often remains undetected until it activates. We recommend keeping Behavior Protection enabled. Behavior Protection is not supported on endpoints with Windows XP or Windows Vista.
- Block untrusted applications: Aims to completely block applications from known bad developers, preventing them from running on the endpoint. In this case, the app is not quarantined, but is not capable of running. Enable this feature to prevent potentially malicious apps from executing on your Mac endpoints.
- Ad block: Prevents ads and ad trackers from loading on Safari browser for iOS devices.
Additional Protection
These options control if Malwarebytes protects itself from tampering and access to USB drives. These features require Real-time protection to be enabled.
Options in this section are as follows:
-
Self-Protection: Lets Malwarebytes create a "safe zone" to prevent malicious control of the Malwarebytes application. The self-protection module has a brief startup period.
- Boot Process: Makes Self-Protection start earlier when the endpoint is booting. This affects the startup order of services and software drivers.
-
Device Control: Control access when storage drives are connected via USB.
Note: Devices utilizing Media Transfer Protocol and Picture Transfer Protocol are not currently supported.
- Allow full access to the device: Allow copying and modifying files to the device.
- Read only access to the device: Allow copying files from the device and block modifying or copying files to the device.
- Block access to the device: Block modifying and copying files to the device.
Windows protection updates
Windows protection updates are Malwarebytes database updates used by scans and Real-time protection features. For more information on Protection updates, see Malwarebytes Endpoint Protection settings for Protection updates.
Options in this section are as follows:
- Check for protection software updates: How often the endpoint checks Malwarebytes servers for updates. Choose a period from 15 minutes to 7 days.
- Protection updates delay: Postpones the latest Protection Updates by 1, 3, or 5 hours. Choose a delay period or set No delay, which is recommended.
Important: Delays between Protection updates may reduce the risk of encountering a false positive but increase vulnerability to zero-day threats. For more information, see Protection Updates Delay overview.
Additional Windows protection settings (Requires Real-time protection to be enabled)
These options affect when Real-time protection loads and how Malwarebytes registers in the Windows Action Center.
- Delay real-time protection when Malwarebytes starts for: How long the Real-Time Protection service is delayed. Adjust this option based on which services conflict with Real-Time Protection. The delay can range from 15 to 180 seconds.
-
Windows Action Center: The Windows Action Center alerts you when there is an issue needing attention. Choose to register Malwarebytes as the primary Windows security solution on non-server endpoints. This allows the Windows Action Center to show Malwarebytes notifications.
Note: To verify which application is set as the primary protection service provider, run the following command in Command Prompt on the endpoint and look for the first or only application listed:wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
- Let Malwarebytes apply the best Windows Action Center settings: Malwarebytes determines if it should be registered as the primary protection service provider in the Windows Action Center. When Malwarebytes is registered in the Windows Action Center, Windows Defender is disabled. If Malwarebytes is temporarily disabled, Windows Defender re-enables itself. Use Microsoft GPO to keep Defender disabled if required.
- Never register Malwarebytes in the Windows Action Center: Malwarebytes is set as the secondary antivirus and never appears in Windows Action Center. Windows Defender remains as the primary antivirus.
- Always register Malwarebytes in the Windows Action Center: Malwarebytes is set as the primary antivirus and always appears in Windows Action Center. Windows Defender is disabled as a result.
Mobile protection updates
Mobile protection updates are Malwarebytes database updates used by scans, ad blocking, and Real-time protection features. The database updates every hour when available. Options in this section are as follows:
- Allow protection updates over expensive networks: Allow protection updates to occur over cellular data.
Return to the Malwarebytes Nebula Administrator Guide.