1. Malwarebytes Support
  2. Business Solutions
  3. Malwarebytes Nebula platform
  4. Learn

Ransomware Rollback in Malwarebytes Endpoint Detection and Response

  • Updated

Ransomware Rollback is a Malwarebytes Endpoint Detection and Response feature that remediates damage done to your Windows endpoints by ransomware. Ransomware Rollback uses a special restore process to reverse damage done by threats. Together with our Malware Removal Engine, the rollback cache allows the Endpoint Agent to restore files removed or encrypted by malware. With Rollback, a local cache is created on the endpoint to store system file changes, and this cache is used to help revert changes caused by ransomware.

You must enable Suspicious Activity Monitoring to use Ransomware Rollback. For Ransomware Rollback usage requirements, see Minimum requirements for Malwarebytes Nebula platform.

To see this feature, go to Settings > Policies > select a policy >Windows tab > Settings tab.

DOC-3593-1.png

Rollback has the following options:

  • Enable/Disable Rollback: Turns Ransomware Rollback on or off.
  • Rolling time to store changes: Determines how long Malwarebytes stores information in the cache. Increasing this time increases the size of the cache on endpoints, as the cache stores changes made during chosen period. The default value is 48 hours.
  • Maximum size for individual file backups: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.

Notes:

  • Each endpoint typically uses 200–500MB for the cache, depending on usage and how you configure Ransomware Rollback.
  • You must be a Super Admin in order to configure Ransomware Rollback. Other users with policy access may view Rollback settings.

Use rollback to remediate an endpoint

Ransomware Rollback is managed through the Suspicious Activity Monitoring screen. Go to Suspicious Activity.

Next to each potential threat, icons display under the Rules Triggered and Actions columns. The table below describes each icon.

DOC-3593-2.png

DOC-3593-3.png

These icons show the activity details screen.

Here you can learn about the cause of the detection, including a process graph of associated activity, rules that triggered the detection, and additional context.

The additional context includes paths, hashes, specific registry modifications, file reads/writes and process IDs.
DOC-3593-4.png

Click this icon to remediate the Suspicious Activity on the endpoint.

During remediation, Malwarebytes analyzes suspicious activity, removes remaining threats, and restores files removed or encrypted by threats. If you have not enabled Ransomware Rollback in your policy, you may not be able to restore all files. The endpoint will reboot automatically to complete remediation.

If an endpoint is currently isolated, you may still perform remediation. For more information on isolation, see Endpoint Isolation in Endpoint Detection and Response.


In some situations, Malwarebytes may not be able to restore all files. If this occurs, you can manually attempt to restore files from the endpoint. Cached files are stored in the folder:

%PROGRAMDATA%\Malwarebytes Endpoint Agent\Plugins\EDRPlugin\Restored Files\

Malwarebytes creates several other folders associated with rollback inside of this folder. Where possible, subfolder names contain the username for the owner of the original file. There is no guarantee a particular file will be recoverable.

Note: If suspicious activities include a component that has been excluded by your policy exclusions, it will not be remediated.
DOC-3593-5.png

DOC-3593-6.png

DOC-3593-7.png

These icons appear after you send a remediation request to an endpoint. The clock icon means the endpoint has a scheduled remediation task that is unfinished. The check mark icon means remediation is complete.
DOC-3593-8.png

This icon enables you to mark the suspicious activity as closed and not perform remediation.

This is particularly useful for False Positives. Not all activity detected is necessarily malicious. Some detections can be triggered by benign operations.

When you mark an activity as closed, you are be prompted to exclude the related process. When you exclude a process, Malwarebytes no longer flags the same behavior as suspicious. If you choose not to exclude the process, the activity is marked as closed, but you may see future events from the same process.

DOC-3593-9.png
DOC-3593-10.png

This icon is shown for activity previously marked as closed.

Clicking on the icon re-opens the activity, where you may remove the process from the Exclusions list. You may also reopen an activity, but leave it excluded.

DOC-3593-11.png

 

Return to the Malwarebytes Nebula platform Administrator Guide