Configure Settings options in Malwarebytes Cloud Platform

Document created by bgoddard Employee on Oct 10, 2019Last modified by bgoddard Employee on Nov 13, 2019
Version 13Show Document
  • View in full screen mode

Policies define how Malwarebytes behaves when running a scheduled scan, using Real-Time Protection, or monitoring Suspicious Activity. Policies are applied at the group level, and all endpoints in a group use the same policy. By default, endpoints added to the console belong to the Default Group, and the Default Policy. 


Policies are customizable and have many options. This article covers policy Settings options for all endpoint platforms. 


To view policy settings, go to Settings > Policies. Click Default Policy > choose a platform > Settings.



Includes options for scans, Real-Time Protection, miscellaneous protection, Windows Action Center, and Malwarebytes Endpoint Protection and Response.


Scan Options

Threat Scans are more thorough than a quick Hyper Scan. Threat Scans have these options:

  • Scan Rootkits: The scan searches for rootkits. This may increase the length of the scan.
  • Scan within Archives: The scan checks inside of compressed files.
  • Anomalous File Detection: The scan looks at file behavior in addition to scanning files using known threat information.


These options apply to Threat Scans, Hyper Scans, and Real-Time Protection:

  • Potentially Unwanted Programs (PUPs): Specifies if Potentially Unwanted Programs are treated as malware or ignored.
  • Potentially Unwanted Modifications (PUMs): Specifies if Potentially Unwanted Modifications are treated as malware or ignored. Applies to Windows endpoints only.


Scan Priority (Windows only)

This determines the endpoint system priority for scans. While scans are in progress, the endpoint performance may be affected.


Select which option is most important to you:

  • High priority: Allows scans to run faster, but may affect endpoint system performance.
  • Low priority: Scans requires more time to complete, but have a lesser performance impact.


Real-Time Protection

Real-Time Protection features are part of your Malwarebytes Endpoint Protection or Endpoint Protection and Response subscription.


When you enable Real-Time Protection features, any needed plugins are automatically installed on your endpoints. We recommend using all Malwarebytes Endpoint Protection features for the best protection.


A description of each Real-Time Protection feature follows:

  • Web Protection: Blocks access to and from known or suspicious Internet addresses. Disabling this feature can affect the safety of your endpoints.
  • Exploit Protection: Guards against vulnerability exploits for installed applications. When applications launch, Exploit Protection shields them. It can stop attacks that other security applications miss.
    • Manage Protected Applications: Many popular applications are automatically supported, and can be enabled here. You can also add your own applications which are shown at the bottom of the list.

    • Advanced Settings: Allows configuration of some anti-exploit measures. The default settings balance endpoint performance and anti-exploit protection. To keep you secure, some of these settings may not be changed.

      IMPORTANT: We recommend not changing these settings unless instructed to by Malwarebytes Support. For more information, see Advanced Settings for Exploit Protection in Malwarebytes Cloud Platform.


Malware Protection

This feature protects against malicious content that tries to execute on your endpoints. Malware comes from many sources, such as downloads, external drives, and email attachments. We recommend leaving Malware Protection on. Malware Protection is always enabled on Macs using Real-Time Protection.


Behavior Protection

Behavior Protection safeguards against both known and unknown ransomware. Ransomware often remains undetected until it activates. We recommend keeping Behavior Protection enabled. Behavior Protection is not supported on endpoints with Windows XP or Windows Vista.


Miscellaneous Protection Options (Windows only)

These options affect when Real-Time Protection loads and if Malwarebytes protects itself from tampering.


Available options are as follows:

  • Delay Real-Time Protection: May stop conflicts between Real-Time Protection and other application services.
    • Delay protection for: How long the Real-Time Protection service is delayed. Adjust this option based on which services conflict with Real-Time Protection. The delay can range from 15 to 180 seconds.
    • Enable Self-Protection Module: Lets Malwarebytes create a "safe zone" to prevent malicious control of the Malwarebytes application. The self-protection module has a brief startup period. 
      • Enable Self-Protection Module Early Start: Makes Self-Protection start earlier when the endpoint is booting. This affects the startup order of services and software drivers.


Windows Action Center (Windows only)

The Windows Action Center alerts you when there is an issue needing attention. You can choose to register Malwarebytes as the Windows security solution on non-server endpoints. This allows the Windows Action Center to show Malwarebytes notifications.


Available options are as follows:

  • Let Malwarebytes apply the best Windows Action Center settings based on your system (recommended)
    Malwarebytes determines if it should be registered in Windows Action Center. It does not register if either of the following are true:
    • Microsoft Security Essentials is in use and the version of Windows is 7 or older.
    • Windows Defender is in use and the version of Windows is 8 or newer.
  • Never register Malwarebytes: Malwarebytes never appears in Windows Action Center.
  • Always register Malwarebytes: Malwarebytes always appears in Windows Action Center.


Endpoint Protection & Response (EPR) Settings

Endpoint Protection and Response has three features: Suspicious Activity Monitoring, Ransomware Rollback, and Endpoint Isolation.


Suspicious Activity Monitoring (EPR)

Suspicious Activity Monitoring watches process, registry, file system, and network activity on endpoints for malicious behavior.


Available options are as follows:

  • Suspicious Activity Monitoring: Enables behavioral monitoring for Suspicious Activity on endpoints.
    • Aggressive Mode: Enables a detection mode that uploads file samples to Malwarebytes for analysis as needed. When using this mode, a larger number of suspicious files may be identified, but there is a higher risk of false positives.


Ransomware Rollback (EPR)

Helps recover from ransomware by restoring damaged or encrypted files from local backups.


Available options are as follows:

  • Enable/Disable Rollback: Enables the Rollback feature.
    • Rollback Timeframe: How long to store changes to files. This can range from 24 hours to 72 hours. File changes older than 72 hours are discarded.
    • Rollback File Size: The maximum file size allowed for each backed up file, from 1MB to 100MB.


Endpoint Isolation (EPR)

Stops threats from spreading between endpoints by restricting their communication and network access. Isolated endpoints can still communicate with the console and run Malwarebytes processes. 


Available options are as follows:

  • Lock/Unlock Endpoints: Enables locking and unlocking of endpoints.
    • Isolation Title: Custom title of the message screen displayed on a locked endpoint.
    • Isolation MessageCustom body of the message displayed.
    • Custom Icon Image: Custom icon shown next to the isolation message.


For more information, see Suspicious Activity Monitoring in Malwarebytes Endpoint Protection and Response.


See also



Return to the Malwarebytes Cloud Platform Administrator Guide