Malwarebytes ransomware rollback technology

Configure Ransomware Rollback in Malwarebytes Nebula

Ransomware Rollback is a Malwarebytes Endpoint Detection and Response feature that repairs damage caused by ransomware to your Windows endpoints. It employs a special restore procedure to reverse the damage caused by threats. The rollback cache, which is used in conjunction with the Malware Removal Engine, allows the Endpoint Agents to recover files that have been deleted or encrypted by the malware. Rollback creates a local cache on the endpoint that stores system file changes. This cache can be used to reverse ransomware-related changes. To use Ransomware Rollback, you must enable Suspicious Activity Monitor. For Ransomware Rollback usage requirements, see Minimum requirements for Malwarebytes Nebula.

The steps below follow the new policies experience on the Policies page.

If you have the new policies experience disabled, locate these policy settings by referring to Malwarebytes Nebula policy with new experience disabled.

Ransomware rollback settings

Locate the Ransomware Rollback settings within your policy

  1. Go to Settings > Policies.
  2. Click New, or choose an existing policy.
  3. Choose the Endpoint Detection & Response tab.
  4. Find Ransomware Rollback to see the settings for each operating system.

Ransomware rollback

This tool helps you recover from ransomware. It restores encrypted or damaged files from your local backups. These are the options available:

  • Ransomware Rollback: Turns Ransomware Rollback on or off.

Advanced settings

Ransomware Rollback can be enabled in advanced settings.

These are the options available in this section:

  • Timeframe for rolling back: Determines how long Malwarebytes stores information within the cache. The cache stores changes made within the specified time period, so increasing this setting increases the cache size on endpoints. The default value for this parameter is 48 hours.
  • Rollback free disk space quota: Sets the maximum amount of disk space that can be used for file backups. The default setting is 30 percent, and you can change it to a value between 10 and 70 percent. This setting applies to all policy endpoints.
  • File size for workstation rollback: Limits the size of files that can be saved to the cache. Files larger than the maximum file size are not backed up. Increasing the file size increases the cache size for each server and endpoint.


  • To ensure sufficient space, we recommend monitoring the disk space on hard drives that are used as backup locations.
  • To prevent problems with the operating system, each endpoint can only use a maximum of 30% of disk space. This number is dependent on the amount of disk space available. If the hard drive’s capacity decreases, the backup folder automatically resizes to keep the same percentage and deletes the oldest files to make room.
  • Ransomware Rollback can only be configured by Super Administrators or Administrators. Rollback settings may be viewed by other users who have policy access.
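How the three advanced settings above combine to decide what is still recoverable, as an added example that is not Malwarebytes code: a simplified Python model of the timeframe, quota and file-size rules as this page describes them. The function, the sample changes and the 500 MB file-size limit are constructed assumptions; the agent's actual cache logic is not documented here.

```python
from dataclasses import dataclass

@dataclass
class Change:
    path: str
    size_mb: int      # size of the cached pre-change copy
    age_hours: float  # how long ago the change was recorded

def recoverable(changes, free_disk_mb, max_file_mb, quota_pct=30, timeframe_h=48):
    """Model of the rollback cache: returns (kept paths, {dropped path: reason}).

    Defaults are the page's stated defaults (30 percent quota, 48 hours).
    max_file_mb has no default on the page, so the caller must supply it.
    """
    if not 10 <= quota_pct <= 70:
        raise ValueError("quota must be 10-70 percent, the range given on the page")
    budget_mb = free_disk_mb * quota_pct / 100
    kept, dropped, used, full = [], {}, 0, False
    # Walk newest first: once the quota is hit, everything older is what
    # gets deleted, matching "deletes the oldest files to make room".
    for c in sorted(changes, key=lambda c: c.age_hours):
        if c.size_mb > max_file_mb:
            dropped[c.path] = "file size"   # never backed up at all
        elif c.age_hours > timeframe_h:
            dropped[c.path] = "timeframe"   # aged out of the cache
        elif full or used + c.size_mb > budget_mb:
            dropped[c.path] = "quota"       # evicted as oldest data
            full = True
        else:
            kept.append(c.path)
            used += c.size_mb
    return kept, dropped

# Constructed sample: changes recorded on one endpoint with 1000 MB free.
SAMPLE = [
    Change("report.docx", 2, 1),
    Change("db.bak", 900, 3),
    Change("photos.zip", 200, 5),
    Change("video.mp4", 150, 10),
    Change("notes.txt", 1, 30),
    Change("ledger.xlsx", 5, 60),
]

if __name__ == "__main__":
    for pct in (30, 70):
        kept, dropped = recoverable(SAMPLE, 1000, max_file_mb=500, quota_pct=pct)
        print(f"quota {pct}%: kept={kept} dropped={dropped}")
```

In this model, raising the quota from 30 to 70 percent brings `video.mp4` and `notes.txt` back into the recoverable set, while `db.bak` and `ledger.xlsx` stay unrecoverable until the file-size limit or the timeframe is raised.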

Rollback can be used to correct an endpoint

Ransomware Rollback can be managed from the Suspicious Activity Monitoring screen. Go to Suspicious Activity.

You can take immediate action on each threat.

Click the ellipsis symbol in the Actions column to choose an immediate action to take or to close the incident.