TDR and Avast

Deployment Overview

Threat Detection and Response (TDR) is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats.

As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection. In some cases, the TDR Host Sensor might have conflicts with the antivirus software installed on your endpoints. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.

This document includes information about the integration of a TDR Host Sensor with a host that runs Avast software. It does not describe the procedure to set up Threat Detection and Response. For information about how to set up your TDR account, how to enable TDR on a Firebox, and how to install a Host Sensor, see Quick Start — Set Up Threat Detection and Response.

Integration Summary

To avoid conflicts between the TDR Host Sensor and Avast Pro Antivirus (Windows) and Avast Security (Mac), add these exclusions:

  • Exclusions in TDR for Avast Pro Antivirus — For Windows:
    • C:\Program Files\AVAST Software\Avast\
    • C:\ProgramData\AVAST Software\
    • C:\Users\<username>\AppData\Local\AVAST Software\
    • C:\Users\<username>\AppData\Roaming\AVAST Software\Avast\
  • Exclusions in TDR for Avast Security — For Mac:
    • /Library/Application Support/Avast/
  • Exclusions in Avast Pro Antivirus for the TDR Host Sensor — For Windows:
    • 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat Detection and Response\
    • 32-bit Windows — C:\Program Files\WatchGuard\Threat Detection and Response\
  • Exclusions in Avast Security for the TDR Host Sensor — For Mac:
    • /usr/local/watchguard/

If you installed Avast Pro Antivirus before you installed the TDR Host Sensor, when you install the TDR Host Sensor a pop-up alert appears in Avast. The alert identifies the TDR Host Sensor as a threat. To add an exception for the Host Sensor and continue, click More Options and select Create Exception. Avast then marks the TDR Host Sensor as safe so you do not have to manually add an exclusion for the Host Sensor later.

If the TDR Host Sensor and Avast Antivirus software detect and respond to a threat at the same time, you might see high utilization of system resources, such as the CPU, memory, and disk I/O.

Configuration Details

To complete this deployment, you must have:

  • An active Threat Detection and Response subscription, with Host Sensor licenses
  • Avast Pro Antivirus 19.8.2393
  • Avast Security 14.3
    • Virus definitions: 19121900

The TDR and Fireware versions tested for this deployment included:

  • TDR Host Sensor
  • Firebox with Fireware v12.5 or higher

The Windows test environment for this deployment included:

  • Windows 7, 8.1, 10 Enterprise 64-bit Operating System
  • Memory (RAM) — 8 GB
  • Processor — 2 CPU Cores

The Mac test environment for this deployment included:

  • macOS 10.13
  • Memory (RAM) — 8 GB
  • Processor — Intel Core i5

Configure Exclusions in TDR

In your TDR account, add exclusions to identify paths for files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have Avast Pro Antivirus (Windows) or Avast Security (Mac) installed, add exclusions for the Avast Pro Antivirus (Windows) or Avast Security (Mac) file paths as TDR Exclusions in your TDR account. To add the exclusions to TDR, you can either use Predefined Exclusion Sets or add the exclusions manually.

Predefined Exclusion Sets

TDR has predefined AV exclusion sets for the most common third-party AV tools. This AV tool has a predefined exclusion set available. Predefined exclusion sets include all recommended exclusions for the AV tool. TDR updates these exclusion sets as needed. For information about predefined AV exclusion sets, see Configure TDR Exclusions.

You must also add the TDR exclusions to your AV software to avoid potential conflicts.

Manually Add AV Exclusions

If you do not want to exclude all the recommended paths in a predefined exclusion set, you can add exclusions manually.

In your TDR account, add the TDR exclusions for the paths shown in the Integration Summary.

Unless otherwise noted, configure each TDR exclusion with these options, which are selected by default:

  • Also exclude subfolders
  • Entities to exclude: Files and Processes

To add an exclusion in TDR:

  1. Log In to TDR in WatchGuard Cloud as an Owner.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Exclusions.
    The Exclusion page opens with the Custom tab selected.
  4. Click + Add Exclusion.
    The Add Exclusion dialog box opens.
  5. In the Path text box, type the path to exclude. Folders specified in an exclusion must end with a backslash.
  6. (Optional) In the Description text box, type a description for this exclusion.
  7. To apply the exclusion to all hosts, in the Hosts / Groups text box, type All Hosts.
  8. Click Save & Close.

Repeat these steps to add each exclusion.
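
As an added example (not WatchGuard or Avast code), this Python script checks a planned list of TDR exclusions against the Integration Summary paths before they are typed into the Add Exclusion dialog box. It flags a missing trailing separator, a path outside the recommended set, and a parent folder that would exclude more than recommended when Also exclude subfolders is selected. The function names are hypothetical, and treating <username> as a match for any single folder name is an assumption made for this check only.

```python
import re

# TDR-side exclusions for Avast, copied from the Integration Summary above.
TDR_EXCLUSIONS = [
    "C:\\Program Files\\AVAST Software\\Avast\\",
    "C:\\ProgramData\\AVAST Software\\",
    "C:\\Users\\<username>\\AppData\\Local\\AVAST Software\\",
    "C:\\Users\\<username>\\AppData\\Roaming\\AVAST Software\\Avast\\",
    "/Library/Application Support/Avast/",
]

def _split(path):
    """Return (separator, segments); Windows segments are lower-cased."""
    if re.match(r"^[A-Za-z]:", path):
        return "\\", [s.lower() for s in path.split("\\") if s]
    return "/", [s for s in path.split("/") if s]

def _aligned(rec, cand):
    """True if all overlapping segments match; <username> matches any one segment."""
    return all(r == "<username>" or r == c for r, c in zip(rec, cand))

def lint_exclusion(path, recommended=TDR_EXCLUSIONS):
    """Return a list of findings for one planned exclusion path (empty = OK)."""
    findings = []
    sep, cand = _split(path)
    # Step 5 of the TDR procedure: folders must end with a backslash. Using "/"
    # for macOS paths is an assumption based on how the page writes them.
    if not path.endswith(sep):
        findings.append("missing trailing separator")
    # Compare only against recommended paths of the same platform.
    recs = [segs for s, segs in map(_split, recommended) if s == sep]
    hits = [r for r in recs if _aligned(r, cand)]
    if not hits:
        findings.append("not under any recommended path")
    elif all(len(cand) < len(r) for r in hits):
        # With "Also exclude subfolders" on, a parent folder hides more than intended.
        findings.append("broader than recommended path")
    return findings

def lint_all(paths):
    """Map each path that has problems to its findings."""
    return {p: f for p in paths if (f := lint_exclusion(p))}
```

To check the Avast-side list instead, pass the TDR Host Sensor paths from the Integration Summary as the recommended argument.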

Configure Exclusions in Avast

In Avast, add the exclusions to identify the paths for files and locations to exclude. To prevent conflicts between the Host Sensor and Avast, we recommend you add exclusions in Avast for the paths used by the TDR Host Sensor.

To exclude directories used by the TDR Host Sensor, add the exclusions for the paths listed in the Integration Summary.

To add an exclusion in Avast Pro Antivirus — For Windows:

  1. Open the Avast user interface.
  2. Select Menu > Settings > General.
  3. Click Exceptions.
  4. In the Exceptions section, click Add Exception.
  5. Type the directories to exclude, then click Add Exception.

To add an exclusion in Avast Security — For Mac:

  1. Open Avast Security on the client.
  2. Click Menu in the upper right corner.
  3. Click Preferences > Core Shields.
  4. In the File Shield section, click Add Exceptions.
  5. Select the path to exclude.
  6. Click Open.
  7. Switch to Scans, next to Core Shields.
  8. In the Mac Scan section, click Add Exceptions.
  9. Select the path to exclude.
  10. Click Open.
  11. In the Deep Scan section, click Add Exceptions.
  12. Select the path to exclude.
  13. Click Open.
  14. In the Targeted Scan section, click Add Exceptions.
  15. Select the path to exclude.
  16. Click Open.

Test results might also apply to these Windows products, which were not tested:

  • Avast Endpoint Protection Antivirus
  • Avast Endpoint Protection Antivirus Pro Plus
  • Avast Endpoint Protection Suite
  • Avast Endpoint Protection Suite Plus

For information about the integration testing methodology, see TDR Testing Methodology.