Suspicious Activity Monitoring in Malwarebytes Endpoint Protection and Response

Document created by bgoddard (Employee) on Aug 27, 2019. Last modified by jgolomb on Sep 26, 2019.

One of the premium features included in Malwarebytes Endpoint Protection and Response is Suspicious Activity Monitoring. This feature watches the processes, registry, file system, and network activity on the endpoint for potentially malicious behavior.


Suspicious Activity detections are triggered by questionable activity on the endpoint based on observed behaviors. These detections are highlighted for your review in the menu pane under Suspicious Activity. Not all activity detected is guaranteed to be malicious; some detections are triggered by benign operations.


The Suspicious Activity screen provides additional context around each detection to help determine whether the activity is truly malicious. Once an administrator has some understanding of what triggered the detection, they may choose to remediate the threat or close the incident as an expected behavior.


Enable Suspicious Activity Monitoring

For Suspicious Activity Monitoring to protect your endpoints:

  • Enable Suspicious Activity Monitoring at the policy level.

  • Add the policy to a group.

  • Move endpoints to the group.


Create a Suspicious Activity Monitoring enabled policy

  1. Go to Settings > Policies.

  2. Click New to create a new policy.

  3. Enter a unique policy name.

  4. Click the Windows Settings tab and scroll to the bottom.

  5. Switch Suspicious Activity Monitoring to ON.

  6. Ensure the rest of the policy settings are to your liking.

  7. In the upper right, click SAVE.



Add the new policy to a group

After creating a policy with Suspicious Activity Monitoring enabled, add it to a group to protect all the group's endpoints.

  1. Go to Settings > Groups.

  2. Select an existing group or create a new group.

  3. From the Policy Name drop-down menu, select the new policy you created above.

  4. Click Save.


Move endpoints to the group

  1. Go to Endpoints > Manage Endpoints.

  2. Check the boxes next to endpoints you want to protect with Malwarebytes Endpoint Protection and Response; this includes Suspicious Activity Monitoring.

  3. Click Move.

  4. Select the group using the new policy created above.

  5. Click Save.


Group and policy changes take effect the next time the endpoint checks in with the Malwarebytes Cloud console.


Remediate or close Suspicious Activity

  1. Log into the Malwarebytes Cloud console as a Super Administrator.

  2. Click Suspicious Activity.

  3. Review Suspicious Activity details including machines with detections, severity of the threats, and date/time of the detections. From this screen, you may choose to take action on an item, or drill down into the cause of a detection.

  4. Take action on a Suspicious Activity item. Choose one of the following icons under the Actions column:

    • Details icon: displays further details of the activity, similar to the Triggered Rules described below.

    • Remediate icon: remediates the threat found on the endpoint. Once selected, this icon changes to indicate the remediation status.

    • Benign/expected icon: marks the detected Suspicious Activity as benign/expected. Activities that have been marked as expected will not trigger further Suspicious Activity items. Click again to remove the benign/expected mark.

  5. Drill down on a Suspicious Activity item to learn about the cause of the detection. Click the icon in the Rules Triggered column to display a process graph of associated activity, rules that triggered the detection, and additional context. The additional context includes paths, hashes, specific registry modifications, file reads/writes and process IDs.