Ransomware Rollback is a Malwarebytes Endpoint Detection and Response feature that remediates damage done to your Windows endpoints by ransomware. When Rollback is enabled, the Endpoint Agent keeps a local cache of file changes on the endpoint. Together with the Malware Removal Engine, this cache lets the agent restore files that malware deleted or encrypted, reverting the changes ransomware made.
You must enable Suspicious Activity Monitoring to use Ransomware Rollback. For Ransomware Rollback usage requirements, see Minimum requirements for Malwarebytes Nebula platform.
To see this feature, go to Settings > Policies > select a policy > Windows tab > Settings tab.
Rollback has the following options:
- Enable/Disable Rollback: Turns Ransomware Rollback on or off.
- Rollback Timeframe: Determines how long Malwarebytes keeps information in the cache. Increasing this time increases the size of the cache on endpoints, because the cache stores every change made during the chosen period. The default value is 48 hours.
- Rollback Free Disk Space Quota: Sets the maximum percentage of free disk space to allocate for file backups. The default is 30%; you can set it between 10% and 70%. This setting applies to all endpoints attached to the policy.
- Rollback File Size: Limits the files backed up in the cache based on file size. Files larger than the maximum size are not backed up. Increasing the maximum file size increases the cache size on each endpoint.
Notes:
- Each endpoint uses at most the configured percentage of free disk space (30% by default) for the cache, so the cache cannot starve the operating system. The limit is always relative to the free space currently available on the drive: if free space shrinks, the backup folder automatically resizes to stay within the same percentage, deleting the oldest cached files first.
- You must be a Super Admin or Administrator in order to configure Ransomware Rollback. Other users with policy access may view Rollback settings.
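The three policy settings above (timeframe, free-space quota, file-size limit) interact: a file that exceeds the size limit is never cached, entries older than the timeframe are dropped, and when free disk space falls the cache shrinks by evicting the oldest entries. The following is an added, simplified model of those documented rules, written for this page to make the interaction concrete. It is not Malwarebytes code and does not describe how the Endpoint Agent actually stores its cache; the class names, the sample free-space figures and the 20 MiB file-size limit are assumptions.

```python
"""Toy model of the Rollback cache sizing rules described on this page.

Added illustration, not Malwarebytes code. It models the three documented
policy knobs (timeframe, free-space quota, max file size) and the documented
behaviour that the cache drops its oldest entries when free disk space falls.
All names and numbers are assumptions made for the example.
"""
from collections import OrderedDict
from dataclasses import dataclass

MiB = 1024 * 1024


@dataclass
class RollbackPolicy:
    timeframe_hours: int = 48            # Rollback Timeframe (default 48 h)
    free_space_quota_pct: int = 30       # Rollback Free Disk Space Quota (10-70 %)
    max_file_bytes: int = 20 * MiB       # Rollback File Size (assumed value)

    def __post_init__(self):
        # The UI only allows 10-70 %; enforce the same range here.
        if not 10 <= self.free_space_quota_pct <= 70:
            raise ValueError("free_space_quota_pct must be between 10 and 70")


class RollbackCache:
    """Backed-up file versions kept in insertion order, oldest first."""

    def __init__(self, policy: RollbackPolicy, free_disk_bytes: int):
        self.policy = policy
        self.free_disk_bytes = free_disk_bytes
        self._entries: "OrderedDict[str, tuple[float, int]]" = OrderedDict()
        # path -> (timestamp in hours, backed-up size in bytes)

    @property
    def budget_bytes(self) -> int:
        # Quota is a percentage of the free space currently available.
        return self.free_disk_bytes * self.policy.free_space_quota_pct // 100

    @property
    def used_bytes(self) -> int:
        return sum(size for _, size in self._entries.values())

    def record_change(self, path: str, size_bytes: int, now_hours: float) -> bool:
        """Back up a file before it is modified. Returns True if it was cached."""
        if size_bytes > self.policy.max_file_bytes:
            return False                      # above Rollback File Size: skipped
        self.expire(now_hours)
        self._entries.pop(path, None)         # newest version replaces older one
        self._entries[path] = (now_hours, size_bytes)
        self._trim()
        return path in self._entries          # False if nothing could fit

    def expire(self, now_hours: float) -> None:
        """Drop entries older than the Rollback Timeframe."""
        cutoff = now_hours - self.policy.timeframe_hours
        stale = [p for p, (t, _) in self._entries.items() if t < cutoff]
        for p in stale:
            del self._entries[p]

    def update_free_space(self, free_disk_bytes: int) -> None:
        """Free space changed on the drive; re-apply the quota."""
        self.free_disk_bytes = free_disk_bytes
        self._trim()

    def _trim(self) -> None:
        # Evict oldest entries until the cache fits the (possibly smaller) quota.
        while self._entries and self.used_bytes > self.budget_bytes:
            self._entries.popitem(last=False)

    def restorable(self) -> list:
        """Paths that could currently be rolled back."""
        return list(self._entries)


def demo() -> list:
    # Constructed scenario: 100 MiB free, 30 % quota -> 30 MiB cache budget.
    cache = RollbackCache(RollbackPolicy(), free_disk_bytes=100 * MiB)
    cache.record_change("C:/Users/a/report.docx", 10 * MiB, now_hours=0)
    cache.record_change("C:/Users/a/ledger.xlsx", 10 * MiB, now_hours=1)
    cache.record_change("C:/Users/a/scan.pdf", 10 * MiB, now_hours=2)
    cache.record_change("C:/Users/a/backup.iso", 50 * MiB, now_hours=3)  # too big
    cache.update_free_space(50 * MiB)        # free space halves -> 15 MiB budget
    return cache.restorable()


if __name__ == "__main__":
    print(demo())
```

The model deliberately measures the quota against free space rather than total disk size, as the note above specifies, so a disk filling up (for example because ransomware writes encrypted copies) shrinks the rollback budget at the same time it is most needed; sizing the quota and timeframe with that in mind is the practical takeaway.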
Use rollback to remediate an endpoint
Ransomware Rollback is managed through the Suspicious Activity Monitoring screen. Go to Suspicious Activity.
Next to each detection, you can take immediate action.
In the Rules Triggered column, click the Suspicious Activity Rule(s) icon to display the suspicious activity status and a Process Graph.
In the Actions column, click the ellipsis icon to either Remediate or Close Incident.