WatchGuard EDR and WatchGuard EPDR continuously monitor device activity on Windows, macOS, and Linux. This enables us to offer advanced protection on all three platforms, although the scope of that protection is not the same on every system.
Features included in the advanced protection of macOS and Linux computers and devices are:
- Detection of malware and PUPs (potentially unwanted programs), with a view of their lifecycle.
- Malware activity for macOS and Linux detections. This information helps us identify the source of the infection and the actions the malware has taken.
- A graphical view of the malware's activity for macOS and Linux detections, similar to the view for Windows detections.
The Zero-Trust Application Service and its associated protection modes (Audit, Hardening, and Lock) are only available on Windows. The same is true of Anti-Exploit protection.
On Linux, the ability to detect malicious activity (contextual detection) is included. By default, detected malicious actions are not blocked, to avoid possible issues on some computers. Unless you are sure that the detected malicious activity is a legitimate action, it is recommended that you change the setting to Block mode in the Detect malicious activity (Linux only) settings of the advanced protection. Linux protection version 3.00.00.0000 and higher includes this additional protection capability.
The Threat Hunting Investigation Service detects advanced threats and attacks on Windows, macOS, and Linux platforms. Using the telemetry received from endpoints, we investigate and detect new attacks on Windows, macOS, and Linux.
If an investigation confirms the detection of a new threat, that detection is consolidated and delivered to the endpoints (Windows/macOS/Linux) of all our clients, by adding it to the signature files or to Collective Intelligence and, ideally, to contextual detection, so that the newly detected attack pattern is stopped.