Malwarebytes Nebula offers detailed endpoint management through the Endpoints screen. Select one or more endpoints from the page to perform actions across endpoints in your environment. For more information, see Perform actions on endpoints in Malwarebytes Nebula.
In the left navigation pane, click Endpoints to access your endpoints.
View the endpoint's real-time WebSocket communication status indicator to the left of each endpoint name. The indicator shows the following status colors and options:
Online: The green status indicator shows the WebSocket connection on the endpoint is active and displays the last check-in time with Nebula when you mouse over it.
Offline: The gray status indicator shows the WebSocket connection is not active on the endpoint and displays the last check-in time with Nebula when you mouse over it.
- WebSocket real-time communication updates the endpoint status in Nebula to immediately receive and process tasks or changes.
- 5-Minute Check-in occurs when WebSocket communication is not available or the network is unstable. Endpoints perform periodic communication to receive tasks or changes.
- Endpoints using a proxy only use this communication mode. Filter endpoints by Today in the Last Seen column if a proxy connection is used to verify active communication.
The Status column uses icons to show endpoints needing attention. The table below lists the different endpoint statuses. On the Endpoints screen you can click an icon to view additional details or to act on the endpoint.
Scan needed: Displays the number of endpoints that have not scanned within the last 7 days, including not having a first scan. Regular scans are important to keep endpoints free of threats. Endpoints will scan autonomously, offline, but need to connect to return scan results.
Scan pending: Displays a scan is pending on the endpoint. There will be a Scan Task queued for the endpoint to pick up and execute, which expires after 3 days.
Scan in progress: Displays a scan is currently running on the endpoint.
Remediation required: Displays the number of endpoints with infections that require remediation. This is prompted from un-remediated endpoints which have Found detections.
Remediation pending: Displays a remediation of threats is pending on the endpoint. A Remediation Task is queued for the endpoint to execute; this expires after 3 days.
Remediation in progress: Displays the endpoint is being remediated.
Restart required: Displays the number of endpoints that need a system reboot. Endpoints must reboot to complete remediation or make changes to software.
Reboot pending: A reboot command is still pending. A Reboot Task is queued for the endpoint to execute; this expires after 3 days.
Suspicious activity: Displays the number of endpoints with suspicious activities found. Investigate suspicious activity to keep your endpoints protected. Your site(s) must have the Malwarebytes Endpoint Detection and Response product to use this feature.
Recommendation: After investigating, click the Remediate or Close Incident options.
Endpoints isolated: Displays the number of endpoints that are isolated. Isolation stops threats from spreading between endpoints by restricting their communication or access. Your site(s) must have the Malwarebytes Endpoint Detection and Response product to use this feature.
Recommendation: After resolving the endpoint issue, click the Remove Isolation option.
Software update available: Displays the number of endpoints that need a Malwarebytes software update.
Needs attention indicator: Displays if the endpoint is not configured properly or has a problem. To view status indicators, see Status indicator error messages in Malwarebytes Nebula.
Above the endpoints results table is the Export button. After selecting one or more endpoints from the table, you can click this button to download a full endpoint report. Choose either .csv or .xls format.
For endpoint review, we recommend displaying the following columns on the Endpoints page:
- Endpoint: Filter by the endpoint host name.
- Status: Filter by status icon for each endpoint.
- Last Seen: Filter to determine if endpoints are checking in with Nebula regularly.
- Last Scanned: Filter to investigate last scan time.
- Protection Service Version: Filter to check the endpoint protection service version.
- Operating System Release: Filter for operating systems on each endpoint.
Malwarebytes Nebula uses filters to simplify management tasks across many endpoints. The main area of the Endpoints screen shows the list of all endpoint data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.
You can customize data in the results list in the following ways:
- Click Add / Remove Columns above the results list to choose which columns to display.
- Drag and drop certain column headers to the results bar to group data by those parameters.
- Use the filters in the column headers to view specific data or Clear Filters to remove them all.
- Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.
The Endpoints filter allows a search by endpoint name. Click the Endpoints filter icon and enter an endpoint host name or alias to narrow the endpoints displayed. Alternatively, you can use the search bar above the top-right corner of the endpoints table to find endpoints by host name or alias.
The Status filter allows a search by current endpoint statuses. Click the Status filter icon and choose a status to narrow the endpoints displayed. You can filter the Status filter column by the following:
- Needs Attention: Displays the number of endpoints that are not configured properly or have a problem. Click View all endpoints that need attention to filter the endpoints page.
- Remediation required: Displays the number of endpoints with threats that need remediation.
- Restart required: Displays the number of endpoints that need a system reboot. Endpoints may need to reboot in order to complete remediation, complete new software installation, or after a software update occurs.
- Scan needed: Displays the number of endpoints that didn't have a scan for at least 7 days. Regular scans are important to keep endpoints free of threats.
- Suspicious Activity Detected: Displays the number of endpoints with suspicious activities found. Investigate suspicious activity to keep your endpoints protected. Your site(s) must have the Malwarebytes Endpoint Detection and Response product to use this feature.
- Isolated: Displays the number of endpoints that are isolated. Isolation stops threats from spreading between endpoints by restricting their communication or access. Your site(s) must have the Malwarebytes Endpoint Detection and Response product to use this feature.
- Last seen 7+ days ago: Displays the number of endpoints that have not been seen by the Nebula console for 7 or more days.
- Software update available: Displays the number of endpoints that need a Malwarebytes software update.
Endpoints may have more than one status at a time. The status column uses icons to display endpoint information. See above for a description of each icon.
The OS platform filter enables a search by Operating Systems on deployed endpoints. Click the Operating System filter icon and choose one of the following options:
The Group filter enables a search by endpoint groups. Click an assigned group name to filter on that group. If you have many groups, you may enter a group name in the filter box to narrow your search.
Groups can be nested within other groups. When navigating a nested group, click Home or Back to return to the earlier list.
The Policy filter enables searching by policy name. Click the Policy filter and enter a policy name to narrow your search.
The Last Seen filter lists endpoints based on when they last checked in. Times shown are based on your browser time zone.
Add or remove table columns
Click Add / Remove Columns above the results table to choose the column headers displayed on your results table. This will narrow or widen the endpoint information displayed on the results table and allows you to customize your Endpoints page. Click and drag a column header left or right to rearrange the column order. Or, click and drag the edge of a column header to narrow or widen the column. You can add or remove the following column headers:
- Component package
- Device type
- Domain name
- Engine version
- First seen
- IP address/CIDR
- Last asset scan
- Last scan date
- Last seen
- Last user (Windows only)
- MAC address
- OS platform
- OS release name
- OS version
- Protection service version
- Public IP address
- Serial number (Windows only)
Drag columns to define parameters
In the results table, you can drag the column headers to the results bar to group endpoints by those parameters. You can drag and drop the following column headers:
- OS platform
- Engine version
- OS release name
- Device type
- OS version
Pin and auto-size columns
Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns. These options allow you to further customize your Endpoints results table. Click the hamburger icon to reveal the following options in the drop-down menu:
- Pin left: Pins selected column to the left side of your results table. Column remains static while scrolling left or right on the results table.
- Pin right: Pins selected column to the right side of your results table. Column remains static while scrolling left or right on the results table.
- Unpin: This option is only visible for left or right pinned columns. This un-pins the column and returns it to its original place in the results table.
- Auto-size this column: Automatically adjusts the selected column's width to fit the text in the cells.
- Auto-size all columns: Automatically adjusts the column width for all of your columns to fit the text in the cells.
Copy Endpoint data to spreadsheet
Data in the Endpoints results table can be copied and pasted into another file or downloaded as a spreadsheet. Click and drag your cursor to select data in the Endpoints results table, then right-click the highlighted data to display a context menu with the following options:
- Download .csv: Downloads the selected data as a .csv file to your local machine.
- Download .xlsx: Downloads the selected data as a .xlsx file to your local machine.
- Copy: Copies the selected data to your clipboard.
- Copy with Headers: Copies the selected data and the column headers of the selected rows to your clipboard.
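A downloaded .csv can be triaged offline against the two 7-day windows described above (Scan needed and Last seen 7+ days ago). The following is an added example, not Malwarebytes code: the sample rows are constructed, and the use of the Endpoint, Last seen and Last scan date column names as CSV headers, along with the ISO timestamp format, is an assumption to adjust against your actual export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Header names and the ISO timestamp format are
# assumptions; match them to the header row of your actual .csv file.
SAMPLE_CSV = """Endpoint,Last seen,Last scan date
ws-finance-01,2024-05-20T08:15:00,2024-05-19T02:00:00
ws-lab-07,2024-05-09T17:40:00,2024-05-08T02:00:00
srv-build-02,2024-05-20T09:01:00,
laptop-sales-11,2024-05-20T07:55:00,2024-05-10T02:00:00
"""

THRESHOLD = timedelta(days=7)  # both statuses on the page use a 7-day window


def parse_ts(value):
    """Return a datetime, or None for an empty cell (e.g. never scanned)."""
    value = (value or "").strip()
    return datetime.fromisoformat(value) if value else None


def triage(csv_text, now):
    """Map each endpoint name to the list of 7-day statuses it would carry."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = []
        last_seen = parse_ts(row.get("Last seen"))
        last_scan = parse_ts(row.get("Last scan date"))
        if last_seen is None or now - last_seen >= THRESHOLD:
            flags.append("Last seen 7+ days ago")
        # "Scan needed" includes endpoints that never completed a first scan.
        # An endpoint that is also stale may have scanned offline and simply
        # not reported its results yet, so treat that pair as "unknown".
        if last_scan is None or now - last_scan > THRESHOLD:
            flags.append("Scan needed")
        if flags:
            findings[row["Endpoint"]] = flags
    return findings


if __name__ == "__main__":
    report_time = datetime(2024, 5, 20, 12, 0, 0)  # fixed so output is stable
    for name, flags in triage(SAMPLE_CSV, report_time).items():
        print(f"{name}: {', '.join(flags)}")
```

Timestamps are compared as naive local times, which matches the console showing times in the browser time zone; pass `now` in that same zone.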
In the Endpoints section, click an endpoint name to view the endpoint's properties. Endpoint Properties provides additional details for each of your endpoints.
The following Endpoint Properties tabs are populated during endpoint software installation. These tabs update when there is a software update on the endpoint:
- Overview: Displays the endpoint name, Malwarebytes version information, host and agent information, Operating System, Network Interfaces, Memory information, and Storage device information.
- Detections: Displays all Malwarebytes detections. Selectable by type and actions taken.
- Remediation Required: Displays detections found that need remediation. These detections are found either by the Scan + Report action or by a scan with the automatic quarantine option disabled.
- Suspicious Activity: Displays Suspicious Activity events found. Requires an Endpoint Detection and Response subscription.
- Quarantine: Displays files quarantined either by the Scan + Quarantine action or by scans with the automatic quarantine option enabled. Quarantined files are isolated from the endpoint operating system to prevent potential infection. Displays quarantined files up to 30 days old.
- Events: Displays logged activities on the endpoint and their severity.
- Tasks: Displays requested or completed operations on the endpoint and their status.
- Scan History: Displays scan records up to 30 days old, their Total Detections, Type, and Origin.
- Software: Displays the software installed on the endpoint.
- Updates: Displays the latest software updates on the endpoint.
- Startup Programs: Displays startup programs on the endpoints.
All dates and times shown are relative to your browser settings. You may select individual items on these tabs to see more details.
You may refresh assets using Actions > Refresh Assets or schedule an Asset Inventory Scan to force a refresh at a specified time. Scheduled asset refreshes can be useful if you need frequent Endpoint Properties updates.
When you refresh assets on your endpoint, the following tabs/sections update:
- Overview tab
- Memory Objects: Physical and virtual memory of the endpoints.
- Storage Devices: Connected storage, USB storage, and other devices.
- Software tab: Software installed on the endpoint.
- Updates tab: Software updates that occurred on the endpoint.
- Startup Programs tab: Registry entries for installed startup programs on the endpoint.