Types of scans in Nebula

Malwarebytes Nebula provides a quick Hyper Scan, a more in-depth Threat Scan, and Custom Scans. The Software Inventory Scan updates endpoint information in the console. This article explains the types of scans and the options available for each.

Scans may be run manually across endpoints or scheduled at a time that works best for you. Options for scans are set within a policy.

• For more details on setting up scans, see Scan Options in Configure Settings options in Nebula. 
• For more information on scheduled scans, see Set scheduled scans in Nebula.

Threat Scans

Threat Scans detect the most common threats by scanning conventional locations on an endpoint where threats can occur. Threat Scans use heuristic analysis, a technique that looks for certain malicious behaviors in files that Malwarebytes hasn't seen before. Run a daily Threat Scan to keep your endpoints safe.

Threat Scans check the following on your endpoints:

• Memory Objects: Memory allocated by operating system processes, drivers, and other applications.
• Startup Objects: Executable files and/or modifications made during computer startup.
• Registry Objects: Configuration changes made to the Windows registry.
• File System Objects: Files which may contain malicious programs or harmful code snippets.

You may also select:

• Quarantine found threats automatically: Lets you immediately quarantine threats when they're detected. If not selected, Malwarebytes asks you to choose an action for each threat detected.

Hyper Scans

A Hyper Scan is a quick scan that detects and cleans immediate threats. If a Hyper Scan finds any threats, run a Threat Scan to check for threats at a deeper level.

Hyper Scans check the following:

• Memory Objects: Memory allocated by operating system processes, drivers, and other applications.
• Startup Objects: Executable files and/or modifications made during computer startup.

You may also select:

• Quarantine found threats automatically: Lets you immediately quarantine threats when they're detected. If not selected, Malwarebytes asks you to choose an action for each threat detected.

Custom Scans

Custom Scans enable you to specify precisely what to scan. This scan is configured on the Configure > Schedules screen. When choosing a Custom Scan, the following settings are available:

• Quarantine found threats automatically: Lets you immediately quarantine threats when they're detected. If not selected, Malwarebytes asks you to choose an action for each threat detected.
• Scan memory objects: Scans memory used by operating system processes, drivers, and other applications.
• Scan startup and registry settings: Scans executables that are started at boot and changes to the registry that can affect startup behavior.
• Scan within archives: Archive files are scanned, up to four levels deep. Encrypted archives are not scanned. Archive file types include ZIP, 7Z, RAR, CAB and MSI.
• Scan for rootkits: Scans for rootkits, files invisible to the operating system that can influence system behavior. This may increase the time required to complete a scan or impact system performance.
• Scan all local drives on endpoints: Scans all local drives hosted on an endpoint. Does not scan mounted or external drives unless specified in the Scan Path. 
• PUPs/PUMs: Choose whether Potentially Unwanted Programs and Potentially Unwanted Modifications are considered malware or ignored.
• Scan Path: The top level folder for the Custom Scan.

Software Inventory Scan

An Software Inventory Scan looks at which Software Management settings are enabled in the group policy. The scan then retrieves the specified information from each endpoint and updates the endpoint details in the console. These details are found on the Endpoint Properties screen.

Adjust Software Management settings in a policy

1. On the left navigation menu, go to Configure > Policies.
2. Select a policy, then scroll down to Software Management.
3. Check a box per OS (Windows, Mac, Linux) for each event that you want to be updated by an Software Inventory Scan.
4. Click SAVE.

Information collected during the scan is updated on the Endpoint Properties screen. Information scanned may include:

• Storage Devices: Connected storage, USB storage, and other devices.
• Memory Objects: Physical and virtual memory of the endpoints. 
• Startup Programs: Registry entries for installed startup programs on the endpoint.
• Installed Software: Software installed on the endpoint.
• Software Updates: Software updates that occurred on the endpoint.

To view Endpoint Properties, go to Manage > Endpoints and click on an endpoint name. View more information on the endpoint by selecting the tabs at the top of the Endpoint Properties screen.

For more information on Endpoint Properties, see Manage Malwarebytes Nebula endpoints.

Notes

• Scans can be initiated on a local endpoint by right-clicking on the Malwarebytes tray icon and selecting Start Threat Scan.
• If an endpoint is offline, scan results are stored locally on an endpoint until the system can connect back with Nebula.
• Malwarebytes does not scan network or shared drives across endpoints. 

Return to the Malwarebytes Nebula Administrator Guide.