The Malwarebytes Nebula best practices guide is intended to provide recommended settings for configuring your Nebula console. This guide covers settings for both workstations and servers for Incident Response, Endpoint Protection, and Endpoint Detection and Response.
For scheduled scans, we recommend creating a Daily Software Inventory Scan, Daily Threat Scan and Weekly Custom Scan in Nebula. For new accounts, these are created by default. For more information, see Types of scans in Malwarebytes Nebula.
If you create additional groups in Nebula and assign endpoints to them, revisit your schedules to include those groups in the scans. Scheduled scans run using the endpoint’s locally configured time.
Exclude your software applications from being flagged or monitored by Malwarebytes with the Exclusions page. For more information, see Overview of exclusions in Nebula.
We recommend toggling on Exclude GPO PUMs. This setting prevents Malwarebytes from flagging intentional Group Policy registry modifications. For a list of keys included in this toggle, see Group Policy registry keys detected as PUMs in Endpoint Protection.
Policy configuration determines how Malwarebytes interacts with your endpoints. The default policy created with Nebula serves as a foundation for all settings. For more information, see Nebula default policy.
This section covers settings for scans like the types of files detected and if potentially unwanted programs and potentially unwanted modifications should be treated as malware. For more information, see Configure Scan settings options in Nebula.
We recommend keeping everything enabled here except Scan for rootkits, as enabling this will prolong scans and is not necessary for identifying threats.
Tamper Protection adds an additional layer of protection to Malwarebytes, should a malicious actor enter your environment. We recommend using a different password than any Nebula or administrator password in case of account compromise. For more information, see Configure Tamper protection options in Nebula.
Endpoint agent settings control how the Malwarebytes Endpoint Agent software interfaces with the endpoint. For more information, see Configure Endpoint agent settings in Nebula.
We recommend configuring the following settings on Workstation and Server endpoints:
Protection Settings (EP)
Protection settings control which protection layers are enabled to protect your devices in real time; we recommend keeping these enabled in your policy. We also recommend enabling the additional services, such as Self Protection and Device control, for endpoints. For more information, see Configure Protection settings in Nebula.
For servers, protection settings must be configured based on the server type. For more information, see Configure Windows server roles for Nebula.
Brute Force Protection (EP)
We recommend enabling Brute Force Protection (BFP) on your console to protect Windows endpoints from suspicious connections via remote devices. For servers, enable and configure each server-only protocol as it applies to your environment. For more information, see Configure Brute Force Protection in Nebula.
When BFP is configured to Block, Windows Firewall is required and is automatically enabled. If you are unable or unwilling to have Windows Firewall enabled, you can still configure BFP to Monitor and detect. Once Windows Firewall has been enabled by Block mode, it must be manually turned off if you no longer want it: disabling BFP or switching back to Monitor and detect will not turn Windows Firewall off.
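Because switching BFP out of Block mode leaves Windows Firewall in whatever state it was put in, it is worth auditing the firewall profile state on an endpoint before and after the change. The following PowerShell is an added example, not part of the Malwarebytes guide or the Nebula console; it uses the built-in NetSecurity cmdlets (Get-NetFirewallProfile, Set-NetFirewallProfile), assumes an elevated session on a supported Windows version, and the function names are our own.

```powershell
# Added example (not from the Malwarebytes guide): audit Windows Firewall profile
# state around a Brute Force Protection (BFP) mode change. Requires an elevated
# PowerShell session and the built-in NetSecurity module.

function Get-FirewallProfileState {
    # One row per profile (Domain, Private, Public) with its enabled state and
    # default actions, so the result can be kept as a before/after record.
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
}

function Test-FirewallAnyProfileEnabled {
    # True if at least one profile is enabled. After BFP has been set to Block
    # this is expected to be True; after switching back to Monitor and detect it
    # stays True until the firewall is turned off manually, as the guide notes.
    $enabled = Get-NetFirewallProfile | Where-Object { [string]$_.Enabled -eq 'True' }
    return ($null -ne $enabled)
}

function Compare-FirewallProfileState {
    # Report which profiles changed between two captured snapshots.
    param(
        [Parameter(Mandatory)] $Before,
        [Parameter(Mandatory)] $After
    )
    foreach ($b in $Before) {
        $a = $After | Where-Object { $_.Name -eq $b.Name }
        if ([string]$a.Enabled -ne [string]$b.Enabled) {
            [pscustomobject]@{
                Profile = $b.Name
                Before  = [string]$b.Enabled
                After   = [string]$a.Enabled
            }
        }
    }
}

function Disable-FirewallProfilesManually {
    # The manual step the guide refers to. Only acts when -Confirm:$false is
    # passed explicitly; otherwise the cmdlet prompts before changing anything.
    # Only run this where policy genuinely calls for Windows Firewall to be off.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param()
    if ($PSCmdlet.ShouldProcess('Domain, Private, Public', 'Disable Windows Firewall profiles')) {
        Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False
    }
}

# Usage: capture a baseline, change the BFP mode in the Nebula console, then
# capture again and compare.
$before = Get-FirewallProfileState
# ... switch BFP between Block and Monitor and detect in Nebula, wait for the policy to apply ...
$after = Get-FirewallProfileState
Compare-FirewallProfileState -Before $before -After $after
"Any profile enabled: $(Test-FirewallAnyProfileEnabled)"
```

Running the comparison after switching BFP from Block back to Monitor and detect should show no profile changes, which is exactly the behaviour the guide warns about; if the firewall must be off, the disable function performs that step explicitly rather than relying on the BFP setting to do it.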
Endpoint Detection and Response (EDR)
We recommend enabling Suspicious Activity Monitoring, Collect network events to include in searching, Flight Recorder Search, Ransomware Rollback, and Endpoint Isolation for Endpoint Detection and Response. For more information, see Configure Endpoint Detection and Response options in Nebula.
For servers, you must also check Suspicious activity monitoring on servers to use EDR on servers.