Configure TDR Signature Overrides

You can specify signature overrides in your TDR configuration for specific files and processes. To specify an override, add the MD5 value of the file or process so that TDR treats it as either safe or malicious. For each signature override you specify, you can select whether to add it to the Whitelist. Signature overrides can serve two different purposes:

Whitelist

A whitelist override identifies a file or process that you consider safe and do not want TDR to scan or mitigate (for example, with the kill or quarantine actions). Indicators for files on the whitelist are assigned a score of 1.

To add a whitelist signature override, in the signature override settings, select the Whitelist check box.

Threatlist

A threatlist override identifies a file or process that you want TDR to always consider a threat. A signature override applies only after you add it and does not affect the score of that MD5 if it has been detected in the past. Indicators for files on the threatlist are assigned a threat score of 8 if the Host Sensor does not take action to mitigate the threat.

To add a threat signature override, in the signature override settings, make sure the Whitelist check box is not selected.

To add a file that was identified in a previous indicator to the override list, copy the MD5 value for the file from the Indicators page.

To see the MD5 value for an indicator:

  1. In the Indicator column, find the indicator.
  2. Click Additional Information.

To find the MD5 value of any file, you can also use an MD5 file hash calculator utility.
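
As an added example (not part of the WatchGuard documentation), this Python script computes the MD5 of a file and confirms that it matches a value copied from the Indicators page before you paste it into an override. The function names and the sample file are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# An MD5 digest is exactly 32 hexadecimal characters.
MD5_RE = re.compile(r"[0-9a-f]{32}")


def normalize_md5(value: str) -> str:
    """Return a pasted MD5 as 32 lowercase hex characters, or raise ValueError."""
    cleaned = value.strip().lower()
    if not MD5_RE.fullmatch(cleaned):
        raise ValueError(f"not a 32-character hex MD5: {value!r}")
    return cleaned


def file_md5(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def matches_indicator(path, indicator_md5: str) -> bool:
    """True only if the file on disk has the MD5 copied from the indicator."""
    return file_md5(path) == normalize_md5(indicator_md5)


def demo() -> dict:
    """Run the check on a constructed sample file (contents are made up)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.bin"
        sample.write_bytes(b"abc")  # constructed input
        return {
            "md5": file_md5(sample),
            # Pasted values often carry stray whitespace or upper case.
            "match": matches_indicator(sample, " 900150983CD24FB0D6963F7D28E17F72\n"),
            "mismatch": matches_indicator(sample, "d41d8cd98f00b204e9800998ecf8427e"),
        }


if __name__ == "__main__":
    print(demo())
```

A mismatch means the file on disk is not the one the indicator describes, so an override for that MD5 would not apply to it.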

Add a Signature Override

To add a signature override, you must log in with Operator credentials.

  1. Select Configuration > Signature Overrides.
    The list of currently configured signature overrides appears.

Screen shot of the Signature Overrides page

  2. Click Add Signature Override.
    The Add Signature Override dialog box appears.

Screen shot of the Add Signature Override dialog box

  3. In the MD5 text box, paste the MD5 for the file.
  4. (Optional) In the Comments text box, type a description of this override.
  5. If this override is for a file you consider safe and do not want TDR to scan, select the Whitelist check box.
  6. Click Save.
    The signature override is added to the list.

Back Up or Import Signature Overrides

You can save a backup of all signature overrides to an .XML file. To add the signature overrides to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy signature overrides configured in one managed customer account to another managed account. To avoid duplicate overrides, the imported signature overrides are merged with the existing list of signature overrides.

To save the signature overrides to a backup file:

  1. Select Configuration > Signature Overrides.
    The list of currently configured signature overrides appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the signature overrides backup file includes the current date and time. For example: 

WatchGuardTDR_SignatureOverrides_2016-12-13_22-39-43.xml

To import signature overrides from a saved signature overrides .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The signature overrides from the file are added to the Signature Overrides list.

Edit or Remove a Signature Override

To edit a signature override:

  1. At the left side of the column, click the arrow.
    The Edit Signature Override settings appear.

Screen shot of the Edit Signature Override dialog box

  2. Edit the settings.
  3. Click Save & Close.
    The change is saved, and the Edit settings collapse.

To remove a signature override:

  1. In the row of the signature override to remove, click .
  2. Click Remove Signature Override.
  3. Click Yes, Delete.
