Home  >  APT29  >  Results  >  Malwarebytes  >  Configuration

Malwarebytes Configuration

Product Versions

Malwarebytes Endpoint Protection & Response (EPR)

Description

Malwarebytes Endpoint Protection & Response (EPR) is designed to provide customers with a simple, yet powerful Endpoint Protection (EP) and Detection & Response (EDR) solution. It supports features such as exploit mitigation, malware detection via anomaly detection, granular endpoint isolation, cloud sandbox detonation, rollback of ransomware damages, application behavior monitoring, complete artifact remediation and a visual representation of suspicious activity. Malwarebytes EDR delivers an easy to use interface, with excellent detection capabilities.

With granular isolation, users can isolate any endpoint with a combination of three modes: network isolation (prevents inbound/outbound communication), process isolation (prevents any new processes from being spawned), and desktop isolation(prevents all user interaction). This level of granularity allows users to customize the isolation process while still maintaining control during an incident investigation.

Malwarebytes EDR uploads undetected suspicious executable files to the Malwarebytes cloud sandbox environment, where they are detonated for further analysis. By applying additional behavioral detection rules to the uploaded files, Malwarebytes provides an additional layer of protection against these suspicious files.

By backing up critical user files and registry settings, Malwarebytes can quickly recover(on the first sign of a possible ransomware attack) and revert affected files to their original uncompromised state. Ransomware rollback removes the need for organizations to recover using traditional, costly, and time-consuming re-imaging while maintaining file integrity.

Malwarebytes EDR provides robust detections through the use of behavioral rules which trigger suspicious activity on a series of connected windows events. These rules are optimized to effectively cover the MITRE ATT&CK tactics and techniques. Additionally, there is a detailed graphical representation which shows the connections, spawned processes, and/or downloaded files that are part of the potential attack. Malwarebytes provides easy to use information about detected suspicious activity, such as all processes, files, and registry changes associated with it. Every suspicious activity is assigned a severity, which allows admins to filter out the “noise” and focus on items that need immediate attention.”

Finally, Malwarebytes EDR quickly detects any suspicious activity in customer’s environments, classifies it, and provides detailed information to let admins make informed decisions on how to mitigate the threat, saving both time and money while providing world class protection.

Product Configuration

  1. Set policies to Default Policy
  2. Enable restarts if required for detection removal
  3. Disable all Real-Time Protection Modules in order to test only the EDR detection technology
    • Disable Web Protection
    • Disable Exploit Protection
    • Disable Malware Protection
    • Disable Behavior Protection
  4. Enable High Priority for Detection Scans
  5. Enable Endpoint Detection & Response (EDR) module
    • Enable Suspicious Activity Monitoring
    • Enable Server OS Monitoring
    • Enable Aggressive Mode
    • Enable Endpoint Isolation
  6. Enable hourly threat scans