Manage endpoints in Nebula – Malwarebytes Business Support

Nebula offers detailed endpoint management through the Endpoints screen. Select one or more endpoints from the page to perform actions across endpoints in your environment. For more information, see Perform actions on endpoints in Nebula.

On the left navigation pane, go to Manage > Endpoints to access your endpoints.

View the endpoints real-time WebSocket communication status indicator to the left of each endpoint name. The indicator shows the following status colors and options:

Icon

Status

Active: The green status indicator displays when the WebSocket connection on the endpoint is active. Real-time communication occurs between the endpoint and Nebula to receive and process tasks or changes.

Inactive: The gray status indicator displays during any of the following:

Inactive WebSocket connection on the endpoint
Endpoint using a proxy
Network unstable on the endpoint
Endpoint is using any of the following Operating Systems:
- Android
- ChromeOS
- iOS

Note: Endpoints check in with a 5 minute polling interval for tasks and changes. If the status indicator is gray, filter endpoints by Today in the Last Seen column to verify active communication.

The Status column uses icons to show endpoints needing attention. The table below lists the different endpoint statuses. On the Endpoint screen you can click an icon to view additional details or to act on the endpoint.

Icon	Status
	Scan needed: Displays the number of endpoints that have not scanned within the last 7 days, including not having a first scan. Regular scans are important to keep endpoints free of threats. Endpoints will scan autonomously, offline, but need to connect to return scan results. Recommendation: Check that scheduled scans have correct Groups assigned. Enable the Run missed scans as soon as possible option in scheduled scans. Run a manual Scan + Quarantine from the Endpoints page.
	Scan pending: Displays a scan is pending on the endpoint. There will be a Scan Task queued for the endpoint to pickup and execute, which expires after 3 days. Recommendation: If Task is not picked up, check that the Endpoint is powered-up, connected to Internet, Malwarebytes Management Agent [MBAMService] is running. Otherwise, see Troubleshooting section.
	Scan in progress: Displays a scan is currently running on the endpoint.
	Remediation required: Displays the number of endpoints with infections that require remediation. This is prompted from un-remediated endpoints which have Found detections. Recommendation: Initiate a new scan to clear the status. If item does not Quarantine, then investigate and manually delete e.g. it may be on a protected file share.
	Remediation pending: Displays a remediation of threats is pending on the endpoint. A Remediation Task is queued for the endpoint to execute, this expires after 3 days. Recommendation: If the remediation task is not picked up, verify the endpoint is powered on, connected to the network, and the Malwarebytes Management Agent is running.
	Remediation in progress: Displays the endpoint is being remediated.
	Restart required: Displays the number of endpoints that need a system reboot. Endpoints must reboot to complete remediation or make changes to software. Recommendation: Reboot using the Nebula Console Actions or on the endpoint manually. Automatic updates: For workstations, consider setting Policy under Endpoint agent settings, check mark the Automatically download and install Malwarebytes application updates and Allow users to postpone updates
	Reboot pending: A reboot command is still pending. A Reboot Task is queued for the endpoint to execute, this expires after 3 days. Recommendation: If the reboot task is not picked up, verify the endpoint is powered on, connected to the network, and the Malwarebytes Management Agent is running.
	Suspicious activity: Displays the number of endpoints with suspicious activities found. Investigate suspicious activity to keep your endpoints protected. For Malwarebytes Endpoint Detection and Response. Recommendation: After investigating, click the Remediate or Close Incident options.
	Endpoints isolated: Displays the number of endpoints that are have their communication or access restricted to prevent threats from spreading between endpoints. For Malwarebytes Endpoint Detection and Response. Recommendation: After resolving the endpoint issue, click the Remove Isolation option.
	Agent update available: Displays the number of endpoints that need a Malwarebytes agent update. Recommendation: Manual updates: In the Actions menu, click Update MWB Agent. Automatic updates: For workstations, consider setting Policy under Endpoint agent settings, check mark the Automatically download and install Malwarebytes application updates and Allow users to postpone updates.
	Needs attention indicator: Displays if the endpoint is not configured properly or has a problem. To view status indicators, see Status indicator error messages in Nebula

Above the endpoints results table is the Export button. After selecting one or more endpoints from the table, you can click this button to download a full endpoint report. Choose either .cvs or .xls format.

Tips

For endpoint review, we recommend displaying the following columns on the Endpoints page:

Endpoint: Filter by the endpoint host name.
Status: Filter by status icon for each endpoint.
Last Seen: Filter to determine if endpoints are checking in with Nebula regularly.
Last Scanned: Filter to investigate last scan time.
Protection Service Version: Filter to check the endpoint protection service version.
Operating System Release: Filter for operating systems on each endpoint.

Filter endpoints

Malwarebytes Nebula uses filters to simplify management tasks across many endpoints. The main area of the Endpoints screen shows the list of all endpoint data. Each column can be filtered to narrow the results. Use these column filters to focus on the most important information.

You can customize data in the results list in the following ways:

Click Add / Remove Columns above the results list to choose which columns to display.
Drag and drop certain column headers to the results bar to group data by those parameters.
Use the filters in the column headers to view specific data or Clear Filters to remove them all.
Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns.

The Endpoints filter allows a search by endpoint name. Click the Endpoints filter icon and enter an endpoint host name or alias to narrow the endpoints displayed. Alternatively, you can use the search bar above the top-right corner of the endpoints table to find endpoints by host name or alias.

The Status filter allows a search by current endpoint statuses. Click the Status filter icon and choose a status to narrow the endpoints displayed. You can filter the Status filter column by the following:

Needs Attention: Displays the number of endpoints that is not configured properly or has a problem. Click View all endpoints that need attention to filter the endpoints page.
Remediation required: Displays the number of endpoints with threats that need remediation.
Restart required: Displays the number of endpoints that need a system reboot. Endpoints may need to reboot in order to complete remediation, complete new agent installation, or after a agent update occurs.
Scan needed: Displays the number of endpoints that didn't have a scan for at least 7 days. Regular scans are important to keep endpoints free of threats.
Suspicious Activity Detected: Displays the number of endpoints with suspicious activities found. Investigate suspicious activity to keep your endpoints protected. For Malwarebytes Endpoint Detection and Response.
Isolated: Displays the number of endpoints that are have their communication or access restricted to prevent threats from spreading between endpoints. For Malwarebytes Endpoint Detection and Response.
Last seen 7+ days ago: Displays the number of endpoints that have not been seen by the Nebula console for 7 or more days.
Agent update available: Displays the number of endpoints that require a Malwarebytes agent update.

Endpoints may have more than one status at a time. The status column uses icons to display endpoint information. See above for a description of each icon.

The OS platform filter enables a search by Operating Systems on deployed endpoints. Click the Operating System filter icon and choose one of the following options:

All
Windows
macOS
Linux
Android
Chrome OS
iOS

Note: Linux endpoints are counted as Servers.

The Group filter enables a search by endpoint groups. Click an assigned group name to filter on that group. If you have many groups, you may enter a group name in the filter box to narrow your search.

Groups can be nested within other groups. When navigating a nested group, click Home or Back to return to the earlier list.

The Policy filter enables searching by policy name. Click the Policy filter and enter a policy name to narrow your search.

The Last Seen filter lists endpoints based on when they last checked in. Times shown are based on your browser time zone.

Add or remove table columns

Click Add / Remove Columns above the results table to choose the column headers displayed on your results table. This will narrow or widen the endpoint information displayed on the results table and allows you to customize your Endpoints page. Click and drag a column header left or right to rearrange the column order. Or, click and drag the edge of a column header to narrow or widen the column. You can add or remove the following column headers:

Architecture
City
Component package version
Country
Domain name
Endpoint
Agent version
First seen
Group
IP address/CIDR
Last asset scan
Last scan date
Last seen
Last user (Windows and Mac only)
MAC address
OS platform
OS release name
OS type
OS version
Policy
Protection service version
Protection update version
Protection status
Public IP address
Region
Serial number
Status
Timezone

Drag columns to define parameters

In the results table, you can drag the column headers to the results bar to group endpoints by those parameters. You can drag and drop the following column headers:

OS platform
Group
Policy
Agent version
Architecture
OS release name
Device type
OS version

Pin and auto-size columns

Hover your cursor over a column header to reveal a hamburger icon with options to pin and auto-size columns. These options allow you to further customize your Endpoints results table. Click the the hamburger icon to reveal the following options in the drop-down menu:

Pin left: Pins selected column to the left side of your results table. Column remains static while scrolling left or right on the results table.
Pin right: Pins selected column to the right side of your results table. Column remains static while scrolling left or right on the results table.
- Unpin: This option is only visible for left or right pinned columns. This un-pins the column and returns it to its original place in the results table.
Auto-size this column: Automatically adjusts the selected column's width to fit the text in the cells.
Auto-size all columns: Automatically adjusts the column width for all of your columns to fit the text in the cells.

Copy Endpoint data to spreadsheet

Data in the Endpoints results table can be copied and pasted into another file or downloaded as a spreadsheet. Click and drag your cursor to select data in the Endpoints results table, then right-click the highlighted data to display a context menu with the following options:

Download .csv: Downloads the selected data as a .cvs file to your local machine.
Download .xlsx: Downloads the selected data as a .xlsx file to your local machine.
Copy: Copies the selected data to your clipboard.
Copy with Headers: Copies the selected data and the column headers of the selected rows to your clipboard.

Endpoint details

In the table, click an endpoint name to open a slide out with the endpoints details. All dates and times shown are relative to your browser settings. Click See more details at the top to display the following tabs:

Overview/Hardware Assets: Displays the endpoint name, Malwarebytes version information, host and agent information, Operating System, Network Interfaces, Memory information, and Storage device information.

The following additional tabs are populated during endpoint agent installation. These tabs update when there is a agent update on the endpoint.

Detections: Displays all Malwarebytes detections. Selectable by type and actions taken.
Remediation Required: Displays detections found that need remediation. These detections found either by the Scan + Report action or by a scan with the automatic quarantine option disabled.
Suspicious Activity: Displays Suspicious Activity events found. Requires an Endpoint Detection and Response subscription.
Quarantine: Displays files quarantined either by the Scan + Quarantine action or by scans with the automatic quarantine option enabled. Quarantined files are isolated from the endpoint operating system to prevent potential infection. Displays quarantined files up to 30 days old.
Events: Displays logged activities on the endpoint and their severity.
Tasks: Displays requested or completed operations on the endpoint and their status.
Scan History: Displays scan records up to 30 days old, their Total Detections, Type, and Origin.
Software: Displays the software installed on the endpoint.
Updates: Displays the latest software updates on the endpoint.
Startup Programs: Displays startup programs on the endpoints.

Refresh assets using Actions > Refresh Assets or schedule an Asset Inventory Scan to force a refresh at a specified time. Scheduled asset refreshes can be useful if you need frequent Endpoint Properties updates.

When you refresh assets on your endpoint, the following tabs/sections update:

Overview/Hardware Assets
- Memory Objects: Physical and virtual memory of the endpoints.
- Storage Devices: Connected storage, USB storage, and other devices.
Software: Software installed on the endpoint.
Updates: Software updates that occurred on the endpoint.
Startup Programs: Registry entries for installed startup programs on the endpoint.

Return to the Malwarebytes Nebula Administrator Guide.