Ransomware Rollback is an Endpoint Detection and Response feature that remediates damage done to your Windows endpoints by ransomware. Ransomware Rollback uses a special restore process to reverse damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware. With Rollback enabled, a local cache is created on the endpoint to store system file changes, and this cache is used to revert changes caused by ransomware.
NOTICE - You must enable Suspicious Activity Monitoring to use Ransomware Rollback and enable Server Operating System Monitoring to allow rollback on server endpoints. For Ransomware Rollback usage requirements, see System requirements for Nebula.
Ransomware Rollback settings
To locate the Ransomware Rollback settings in your policy:
- On the left navigation menu, go to Configure > Policies.
- Click New or select an existing policy.
- Select the Endpoint Detection and Response tab.
- Locate Ransomware Rollback to see the specific settings available for each operating system.
Helps recover from ransomware by restoring damaged or encrypted files from local backups. Available options are as follows:
- Ransomware Rollback: Turns Ransomware Rollback on or off.
Advanced settings include additional features for Ransomware Rollback.
Options in this section are as follows:
- Rollback timeframe: Determines how long Malwarebytes stores information in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during the chosen period. The default value is 48 hours.
- Rollback free disk space quota: Configures the maximum percentage of free disk space to allocate for file backups. The default is 30%, and you can adjust it between 10% and 70%. This setting applies to all endpoints attached to the policy.
- Workstation rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.
- Server rollback file size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each server.
- Server rollback location: Provides a custom server backup location for Ransomware Rollback data. The specified folder path must be on a local drive; network drives are not supported. To change the backup location, specify a new folder path in the available field. The selected folder path automatically has \rollback_backup appended to it. The default backup path is: C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup\
- We advise monitoring the free disk space of hard drives used as an alternative backup location to ensure that enough space is available.
- Each endpoint uses a maximum of 30% of free disk space to prevent issues with the operating system. This is always relative to the "available disk space" on the hard drive. If the drive's available capacity shrinks, the backup folder automatically resizes to maintain the same percentage, deleting the oldest files first to free space.
- You must be a Super Admin or Administrator in order to configure Ransomware Rollback. Other users with policy access may view Rollback settings.
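To act on the monitoring advice above, the following added PowerShell check (not Malwarebytes code) reports the size of the rollback cache folder against the free-space quota on the drive that hosts it and warns when free space runs low. The default backup path, the \rollback_backup suffix, and the 30% quota are taken from this page; the minimum free space threshold is an assumed value.

```powershell
# Added example: compare the Ransomware Rollback cache with the free-disk-space quota.
# Not Malwarebytes code; the path and default quota come from the product documentation.
param(
    # Default backup location from the documentation; the agent appends \rollback_backup.
    [string]$BackupRoot = 'C:\ProgramData\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Backup',
    # Free-disk-space quota configured in the policy (default 30%, range 10-70%).
    [ValidateRange(10, 70)][int]$QuotaPercent = 30,
    # Assumed alert threshold: warn when free space on the drive falls under this value.
    [int]$MinFreeGB = 20
)

$cachePath   = Join-Path $BackupRoot 'rollback_backup'
$driveLetter = (Split-Path -Qualifier $BackupRoot).TrimEnd(':')

# Query the logical disk so the figures match what the endpoint sees.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='${driveLetter}:'"
if (-not $disk) { throw "Drive ${driveLetter}: not found" }
# DriveType 3 = local fixed disk; network drives are not supported as a backup location.
if ($disk.DriveType -ne 3) { throw "Drive ${driveLetter}: is not a local fixed disk" }

$freeGB  = [math]::Round($disk.FreeSpace / 1GB, 2)
# The quota is relative to current free space, so this is the ceiling the cache may grow to now.
$quotaGB = [math]::Round(($disk.FreeSpace * $QuotaPercent / 100) / 1GB, 2)

$cacheGB = 0
if (Test-Path $cachePath) {
    $sum = (Get-ChildItem -Path $cachePath -Recurse -File -Force -ErrorAction SilentlyContinue |
            Measure-Object -Property Length -Sum).Sum
    if ($sum) { $cacheGB = [math]::Round($sum / 1GB, 2) }
}

[pscustomobject]@{
    Drive        = "${driveLetter}:"
    FreeGB       = $freeGB
    QuotaPercent = $QuotaPercent
    QuotaGB      = $quotaGB
    CacheGB      = $cacheGB
    CachePath    = $cachePath
}

if ($freeGB -lt $MinFreeGB) {
    Write-Warning ("Free space on ${driveLetter}: is ${freeGB} GB, below ${MinFreeGB} GB; " +
                   "the rollback cache will shrink and drop its oldest backups.")
}
```

Run it on the server with the same -BackupRoot value configured in the policy; scheduling it and forwarding the warning to your monitoring system gives early notice before the cache starts discarding backups.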
Use rollback to remediate an endpoint
A Remediation action can be triggered for any suspicious activity alert on the Investigate > Suspicious Activity page. When remediation is triggered, a scan is run to clean the identified processes. If the suspicious activity is Ransomware, the ransomware rollback process automatically begins.
The rollback uses the processes identified in the alert to find the files modified by those processes, then copies the prior good versions from the cache over the changed files.
This design takes away the need to discover the exact date and time of the start of the attack.