Ransomware Rollback in Malwarebytes Endpoint Protection and Response

Document created by bgoddard Employee on Oct 29, 2019Last modified by bgoddard Employee on Nov 13, 2019
Version 11Show Document
  • View in full screen mode

Ransomware Rollback is a subset of the Suspicious Activity Monitoring feature. Ransomware Rollback uses a special restore process to reverse damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware. With Rollback, a local cache is created on the endpoint to store system file changes, and this cache is used to help revert changes caused by a threat.


Ransomware Rollback requires Suspicious Activity Monitoring to be enabled. For Ransomware Rollback usage requirements, see Minimum requirements for Malwarebytes Cloud Platform.



Rollback has the following options:

  • Enable/Disable Rollback: Turns Ransomware Rollback on or off.
  • Rolling time to store changes: Determines how long Malwarebytes stores information in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during chosen period. The default value is 48 hours.
  • Maximum size for individual file backups: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.



  • Each endpoint typically uses 200–500MB for the cache, depending on usage and how you configure Ransomware Rollback.
  • You must be a Super Admin in order to configure Ransomware Rollback. Other users with policy access may view Rollback settings.


Use rollback to remediate an endpoint

Ransomware Rollback is managed through the Suspicious Activity Monitoring screen. Go to Suspicious Activity.


Icons are displayed next to each potential threat to show the activity detected. The table below describes each icon.


These icons show the activity details screen.


Here you can learn about the cause of the detection, including a process graph of associated activity, rules that triggered the detection, and additional context.


The additional context includes paths, hashes, specific registry modifications, file reads/writes and process IDs.


This icon means remediation is occurring on the endpoint.


During remediation, Malwarebytes analyzes suspicious activity, removes remaining threats, and restores files removed or encrypted by threats. If you have not enabled Ransomware Rollback in your policy, you may not be able to restore all files. The endpoint will reboot automatically to complete remediation.


If an endpoint is currently isolated, you may still perform remediation. For more information on isolation, see Endpoint Isolation in Malwarebytes Cloud Platform.

In some situations, Malwarebytes may not be able to restore all files. If this occurs, you can manually attempt to restore files from the endpoint. Cached files are stored in the folder:

%PROGRAMDATA%\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Restored Files\


Malwarebytes creates several other folders associated with rollback inside of this folder. Where possible, subfolder names contain the username for the owner of the original file. There is no guarantee a particular file will be recoverable.


Note: If suspicious activities include a component that has been excluded by your policy exclusions, it will not be remediated.


These icons appear after you send a remediation request to an endpoint. The clock icon means the endpoint has a scheduled remediation task that is unfinished. The check mark icon means remediation is complete.

This icon enables you to mark the suspicious activity as closed and not perform remediation.


This is particularly useful for a False Positive. Not all activity detected is guaranteed to be malicious. Some detections can be triggered by benign operations.


When you mark an activity as closed, you are be prompted to exclude the related process. When you exclude a process, Malwarebytes ignores future behavior from it. If you choose not to exclude the process, the activity is marked as closed, but you may see future events from the same process.

This icon is shown for activity previously marked as closed.


Clicking on the icon re-opens the activity, where you may remove the process from the Exclusions list. You may also re-open an activity, but leave it excluded.


See also



Return to the Malwarebytes Cloud Platform Administrator Guide