Suspicious Activity Monitoring in Malwarebytes Endpoint Protection and Response

Document created by bgoddard Employee on Aug 27, 2019Last modified by bgoddard Employee on Nov 13, 2019
Version 18Show Document
  • View in full screen mode

Suspicious Activity Monitoring is a premium feature included in Malwarebytes Endpoint Protection and Response. It watches for potentially malicious behavior by monitoring the processes, registry, file system, and network activity on the endpoint.


Detections for Suspicious Activity occur when there is questionable activity on the endpoint. What is considered suspicious is based on Malwarebytes observed behaviors of a file or processes.


Detections are highlighted for your review in the menu pane under Suspicious Activity. Not all activity detected is guaranteed to be malicious, some detections are triggered by well-intentioned operations on the system.


The Suspicious Activity screen gives context for each detection to help determine whether the activity is truly malicious. Once an administrator understands what triggered the detection, they may choose to remediate the threat or close the incident as an expected behavior.


Suspicious Activity Monitoring uses machine learning models and cloud-based analysis. For optimal performance,  reserve 1.1Mbps of network bandwidth for every 100 endpoints that use Suspicious Activity Monitoring.


Enable Suspicious Activity Monitoring

For Suspicious Activity Monitoring to protect your endpoints:

  • Enable Suspicious Activity Monitoring at the policy level.
  • Add the policy to a group.
  • Move endpoints to the group.


Create a Suspicious Activity Monitoring enabled policy

  1. Go to Settings > Policies.

  2. Click New to create a new policy.

  3. Enter a unique policy name.

  4. Click the WindowsSettings tab and scroll to the bottom.

  5. Switch Suspicious Activity Monitoring to ON.

  6. Ensure the rest of the policy settings are to your liking.

  7. In the upper right, click SAVE.


Aggressive Mode

With Aggressive Mode enabled, Malwarebytes uses a lower threshold for flagging processes as suspicious, and is therefore more aggressive in its detections. Increased aggressivity can help protect your endpoints from additional unknown threats, but may increase False Positives. You should only enable Aggressive Mode for your most sensitive assets.


Add the new policy to a group

After creating a policy with Suspicious Activity Monitoring enabled, apply it to a group to protect all the endpoints in the group.

  1. Go to Settings > Groups.

  2. Select an existing group or create a new group.

  3. From the Policy Name drop-down menu, select the new policy you created above.

  4. Click Save.


Move endpoints to the group

  1. Go to Endpoints.

  2. Check the boxes next to endpoints you want to protect with Malwarebytes Endpoint Protection and Response; this includes Suspicious Activity Monitoring.

  3. Click Move.

  4. Select the group using the new policy created above.

  5. Click Save.


Group and policy changes take effect the next time the endpoint checks in with the console.


Remediate or close Suspicious Activity

  1. Log into the Malwarebytes Cloud console as a Super Administrator.

  2. Click Suspicious Activity.

  3. Review Suspicious Activity details including machines with detections, severity of the threats, and date/time of the detections. From this screen, you may take action on an item or drill down into the cause of a detection.

  4. Take action on a Suspicious Activity item. Choose one of the following under the Actions column:

    Displays further details of the activity, similar to the Triggered Rules described below.

    Remediates the threat found on the endpoint. When selected, this icon will change to indicate the remediation status.

    Marks the detected Suspicious Activity as benign/expected. Activities that have been marked as expected will not trigger further Suspicious Activity items. Click again to remove the benign/expected mark.

  5. Drill down on a Suspicious Activity item to learn about the cause of the detection. Click the icon in the Rules Triggered column to display a process graph of associated activity, rules that triggered the detection, and additional context. The additional context includes paths, hashes, specific registry modifications, file reads/writes and process IDs.


In addition to identifying suspect activity on your endpoints, Suspicious Activity Monitoring allows you to roll back damage done by a threat. To help stop threats from spreading, you may choose to isolate endpoints from the rest of your network.


See also



Return to the Malwarebytes Cloud Platform Administrator Guide