Threat Detection and Response is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats.
As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection. In some cases, the TDR Host Sensor could have conflicts with the antivirus software installed on your endpoint computers. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.
This document includes information about the integration of a TDR Host Sensor with a host that runs FFRI Yarai. It does not describe the procedure to set up Threat Detection and Response. For information about how to set up your TDR account, how to enable TDR on a Firebox, and how to install a Host Sensor, see Quick Start — Set Up Threat Detection and Response.
To avoid conflicts between the TDR Host Sensor and FFRI Yarai, add these exclusions:
- Exclusions in TDR for FFRI Yarai:
- C:\Program Files (x86)\FFRI\
- C:\Program Files\FFRI\
- C:\Users\All Users\FFRI\
- Exclusions in FFRI Yarai for the TDR Host Sensor— For Windows:
- 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat Detection and Response\
- 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat Detection and Response\amd64\host_sensor.exe
- 64-bit Windows — C:\Program Files (x86)\WatchGuard\Threat Detection and Response\amd64\TDRSensorStatus.exe
- 32-bit Windows — C:\Program Files\WatchGuard\Threat Detection and Response\
- 32-bit Windows — C:\Program Files\WatchGuard\Threat Detection and Response\x86\host_sensor.exe
- 32-bit Windows — C:\Program Files\WatchGuard\Threat Detection and Response\x86\TDRSensorStatus.exe
If the Host Sensor and ESET detect and respond to a threat at the same time, this can cause high utilization of system resources, such as CPU, Memory, and Disk I/O.
To complete this deployment, you must have:
- An active Threat Detection and Response subscription with Host Sensor licenses
- FFRI Yarai Home and Business Edition 1.3.2
The TDR and Fireware versions tested for this deployment included:
- TDR Host Sensor 126.96.36.19964
- Firebox with Fireware v12.3 or higher
The Windows test environment for this deployment included:
- Windows 7, 8.1, 10 Enterprise 64-bit Operating System
- Memory (RAM) — 8 GB
- Processor — 2 CPU Cores
Configure Exclusions in TDR
In your TDR account, you can add exclusions to manually identify paths for files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have FFRI Yarai installed, add exclusions for the FFRI Yarai file paths as TDR Exclusions in your TDR account. To add the exclusions to TDR, you can either use Predefined Exclusion Sets or add the exclusions manually.
Predefined Exclusion Sets
TDR has predefined AV exclusion sets for the most common third-party AV tools. This AV tool has a predefined exclusion set available. Predefined exclusion sets include all recommended exclusions for the AV tool. TDR updates these exclusion sets as needed. For information about predefined AV exclusion sets, see Configure TDR Exclusions.
You must also add the TDR exclusions to your AV software to avoid potential conflicts.
Manually Add AV Exclusions
If you do not want to exclude all the recommended paths in a predefined exclusion set, you can add exclusions manually.
In your TDR account, add the TDR exclusions for the paths shown in the Integration Summary.
Unless otherwise noted, configure each TDR exclusion with these options, which are selected by default:
- Also exclude subfolders
- Entities to exclude: Files and Processes
To add an exclusion in TDR:
- Log in to your TDR account or managed account as a user with Operator privileges.
- Select Configuration > Exclusion.
- Click Add Exclusion.
The Add Exclusion dialog box opens.
- In the Path text box, type the path to exclude. Folders specified in an exclusion must end with a backslash.
- To apply the exception to all hosts, in the Hosts / Groups text box, specify the group All Hosts.
- Click Save & Close.
Repeat these steps to add each exclusion.
Configure Exclusions in FFRI Yarai
To prevent conflicts between the TDR Host Sensor and FFRI Yarai, we recommend you add exclusions in FFRI Yarai for the paths used by the TDR Host Sensor.
To add exclusions in FFRI Yarai:
- Click Settings.
- Click White List.
- Click Add and, from the drop down list, select Folder. Add these exclusions:
- 32-Bit C:\Program Files\WatchGuard\Threat Detection and Response
- 64-Bit C:\Program Files (x86)\WatchGuard\Threat Detection and Response
- Click Add,and from the drop down list, select File. Add these exclusions:
- 32-Bit C:\Program Files\WatchGuard\Threat Detection and Response\x86\host_sensor.exe
- 32-Bit C:\Program Files\WatchGuard\Threat Detection and Response\x86\TDRSensorStatus.exe
- 64-Bit C:\Program Files (x86)\WatchGuard\Threat Detection and Response\amd64\host_sensor.exe
- 64-Bit C:\Program Files (x86)\WatchGuard\Threat Detection and Response\amd64\TDRSensorStatus.exe
For information about the integration testing methodology, see TDR Testing Methodology.