Configure policy Settings options in Malwarebytes Cloud Platform

Document created by bgoddard Employee on Oct 10, 2019Last modified by bgoddard Employee on Oct 11, 2019
Version 5Show Document
  • View in full screen mode

Policies define how Malwarebytes behaves when running a scheduled scan, using Real-Time Protection, or monitoring Suspicious Activity. Policies are applied at the group level; all endpoints in a group use the same policy. Unless you specify otherwise, endpoints belong to the Default Group, which uses the Default Policy. 


Policies are customizable and have many options. This article covers policy Settings options for all endpoint platforms. You may also be interested in these articles:


To view policy settings, go to Settings > Policies. Click Default Policy > choose a platform > Settings to view the options described below.



Includes options for scans, Real-Time Protection and additional protection options, the Windows Action Center, and Malwarebytes Endpoint Protection & Response.


Scan Options

Threat Scans are the most robust preconfigured scan, and provide these additional options:

  • Scan Rootkits: Threat Scans search for rootkits. Enabling this option can increase the length of the scan.
  • Scan within Archives: Threat Scans check the contents of compressed files.  
  • Anomalous File Detection: Threat Scans check for file anomalies based on file behavior instead of threat signatures.


These options apply to Threat Scans, Hyper Scans, and Real-Time Protection:

  • Potentially Unwanted Programs (PUPs): Specifies whether PUPs will be treated as malware or ignored.
  • Potentially Unwanted Modifications (PUMs): Specifies whether PUMs will be treated as malware or ignored. Applies to Windows endpoints only.


Scan Priority (Windows only)

This determines the system priority for scans. Scans in progress may impact endpoint performance.


Select which option is most important to you:

  • High priority: Allows scans to run as quickly as possible, but may affect the performance of other tasks.
  • Low priority: Requires more time to run, but has a lesser effect on other applications.


Real-Time Protection

Real-Time Protection features require a Malwarebytes Endpoint Protection or Endpoint Protection and Response subscription.


When you enable Real-Time Protection features, the appropriate plugin is automatically installed on your endpoints. We recommend using all Malwarebytes Endpoint Protection features to best protect your endpoints.


A description of each Real-Time Protection feature follows:

  • Web Protection: Blocks access to and from known or suspicious Internet addresses. Disabling this feature can compromise the safety of your endpoints.
  • Exploit Protection: Guards against vulnerability exploits for installed applications. When applications launch, exploit protection shields them. It can stop attacks that other security applications miss.
    • Manage Protected Applications: Many popular applications have been pre-configured for shielding, and can be enabled or disabled here. You can also add your own applications which are shown at the bottom of the list.

    • Advanced Settings: Allows configuration of some anti-exploit measures. The default settings balance endpoint performance and anti-exploit protection. To keep you secure, you may change some of these settings but not others.

      IMPORTANT: We recommend you do not change these settings unless instructed to by a Malwarebytes Support technician. For additional information on these advanced settings, see Advanced Settings for Exploit Protection in Malwarebytes Cloud Platform.


Malware Protection

This feature protects against malicious content that tries to execute on your endpoints. Malware can come from many sources, including downloads, external drives or devices, and email attachments. We recommend leaving Malware Protection on. Malware Protection is always enabled on Macs using Real-Time Protection.


Behavior Protection

Behavior Protection safeguards against both known and unknown ransomware. Because ransomware often remains undetected until it is triggered, we recommend keeping Behavior Protection enabled.


Note: Behavior Protection is not supported on Windows XP or Windows Vista endpoints.


Miscellaneous Protection Options (Windows only)

These options affect the timing of when Real-Time Protection loads, and whether Malwarebytes uses a special mode to protect it from application tampering.


Available options are as follows:

  • Delay Real-Time Protection: Enabling this option can resolve conflicts between Real-Time Protection services and other application services.
    • Delay protection for: This determines how long you can delay the Real-Time Protection service. You will need to adjust this option depending on which services conflict with Real-Time Protection. The delay setting is adjustable from 15–180 seconds.
  • Enable Self-Protection Module: Enabling this option lets Malwarebytes create a "safe zone" to prevent malicious control of the Malwarebytes application. The self-protection module requires a brief startup period to enable itself. 
    • Enable Self-Protection Module Early StartWhen early start is enabled, the self-protection module will start earlier in the endpoint boot process. This affects the order of services and drivers loaded at startup.


Windows Action Center (Windows only)

The Windows Action Center alerts you when your computer has an issue that needs attention. Malwarebytes can be registered as the security solution on non-server Windows endpoints, and use the Windows Action Center to show notifications.


Available options are as follows:

  • Let Malwarebytes apply the best Windows Action Center settings based on your system (recommended)
    Malwarebytes will determine if it should be registered in Action Center. It will not register if either of the following are true:
    • Microsoft Security Essentials is in use and the version of Windows is 7 or older.
    • Windows Defender is in use and the version of Windows is 8 or newer.
  • Never register Malwarebytes: Malwarebytes will never appear in Windows Action Center.
  • Always register Malwarebytes: Malwarebytes will always appear in Windows Action Center.


Endpoint Protection & Response (EPR) Settings

Endpoint Protection & Response is available on Windows endpoints. It is comprised of three features: Suspicious Activity Monitoring, Ransomware Rollback, and Endpoint Isolation.


Suspicious Activity Monitoring (EPR)

This watches the processes, registry, file system, and network activity on endpoints for potentially malicious behavior.


Available options are as follows:

  • Suspicious Activity Monitoring: Enables Behavioral Monitoring for Suspicious Activity on endpoints.
    • Aggressive Mode: Enables an aggressive detection mode that uploads samples of files to Malwarebytes for further analysis when needed. While additional suspicious files may be identified, there is also a higher risk of a false positive when using this mode.


Ransomware Rollback (EPR)

Helps recover from damaged or encrypted ransomware files by restoring these important files from local backups.


Available options are as follows:

  • Enable/Disable Rollback: Enables Ransomware Rollback.
    • Rollback Timeframe: How long to store changes, from 24 hours to 72 hours. Changes older than 72 hours are removed from the system.
    • Rollback File Size: The maximum file size allowed for each backed up file, from 1MB to 100MB.


Endpoint Isolation (EPR)

Temporarily stops threats from spreading between endpoints by restricting their communication and network access. Isolated endpoints can still communicate with the cloud console and run Malwarebytes processes. 


Available options are as follows:

  • Lock/Unlock Endpoints: Enables locking/unlocking of endpoints.
    • Isolation Title: Custom title of the message screen displayed on a locked endpoint.
    • Isolation MessageCustom body of the message displayed.
    • Custom Icon Image: Custom icon shown next to the isolation message.


For more information on Suspicious Activity Monitoring and related options, see Suspicious Activity Monitoring in Malwarebytes Endpoint Protection and Response.