Configure Authorized Software Settings in WatchGuard Endpoint Security

Applies To: WatchGuard EPDR, WatchGuard EDR

In Hardening and Lock modes of Advanced Protection, WatchGuard EPDR and WatchGuard EDR prevent the execution of programs that are unknown to WatchGuard until they are classified. This can create delays for users, even when you know the source of the program and the reason it was blocked.

For example, by default WatchGuard Endpoint Security blocks these programs:

  • Specific niche programs with very few users.
  • Programs that update automatically from the vendor website without user interaction.
  • Programs whose functions are distributed across hundreds of libraries, which are loaded in memory and blocked when the user invokes them from program menus.
  • Programs that operate on a client-server model, where the client side is hosted on a shared network resource.
  • Polymorphic software which dynamically generates executable files.

Authorized Software and Exclusions

In WatchGuard Endpoint Security, three features prevent program blocking:

Excluded Files and Paths

Excludes specific items or areas on the computer from scans. Unknown software will not be prevented from running. Because this can lead to a security hole, we do not recommend this except where there are problems with computer performance.

Unblocking Programs in the Process of Classification

Temporarily allows blocked programs to run but with a reactive approach. The administrator cannot unblock a program unless it has first been blocked.

Because software can consist of several components, and you must unblock each component individually, the process to block and unblock can take some time.

Configure Authorized Software

Proactive unblocking of unknown programs in the process of classification. The administrator can assign settings for programs from a known source which can be used provided no risk is detected. This is the recommended method for unblocking programs.

Authorized Software Settings

To access the settings:

  1. From the top navigation bar, select Settings.
  2. From the left pane, select Authorized Software.
  3. Click Add.
    The Add settings page opens.
  4. Click Authorize Programs.
    The Authorize Programs dialog box opens.

Configure Authorized Software Settings

Authorized software settings consist of one or more rules, each of which refers to a single software component or family of programs which WatchGuard Endpoint Security allows to run before it is classified. For more information on how to create a security settings profile for authorized software, see Configure Authorized Software Settings (Windows computers).

Field          Description
Name           Rule name.
MD5            MD5 hashes of the files WatchGuard EPDR or EDR allows to run.
Product name   The Product name field from the header of the file to unblock. To get this value, right-click the program and select Properties > Details.
File path      Path of the program on the server or workstation. Environment variables are accepted.
File name      File name. Wildcards * and ? are accepted.
File version   The version field from the header of the file to be unblocked. To get this value, right-click the program and select Properties > Details.
Signature      The digital signature of the file.

Delete an Authorized Software Security Settings Profile

  1. Next to the authorized software rule to delete, click .
  2. Click Save.
    The authorized software settings update.

Edit an Authorized Software Security Settings Profile

  1. Click the name of the authorized software rule.
    The Authorize Programs dialog box opens.
  2. Edit the rule properties and click Authorize.
  3. Click Save.
    The authorized software settings update.

Copy an Authorized Software Security Settings Profile

  1. Click Copy next to the authorized software rule to copy.
    The Authorize Programs dialog box opens. The name contains the name of the rule with the prefix Copy of.
  2. Edit the rule properties and click Authorize.
  3. Click Save.
    The authorized software settings update.

Calculate the MD5 of One or More Files

There are many tools available to calculate the MD5 of a file. This section describes how to use the PowerShell tool in Windows 10.

  1. In File Explorer, open the folder with the files.
  2. Select File > Open Windows PowerShell.
    A window with the command line opens.

  3. Enter the following command and replace $files with the file path. Wildcards * and ? are accepted.

    PS c:\folder> Get-FileHash -Algorithm md5 -path $files

  4. To copy the MD5 hashes to the clipboard, press and hold the Alt key, and select the hashes with the mouse pointer. Press Ctrl + C.
  5. To paste all MD5 hashes from the clipboard to the WatchGuard Endpoint Security web UI, click the MD5 field of the authorized software rule and press Ctrl + V.
  6. Click Authorize.
  7. Click Save.
    The authorized software settings update.

Get the Thumbprint of a Signed Program

  1. Right-click the file and select Properties.
  2. In the Properties window, select the Digital signatures tab.
  3. In the Signature list, select the signature.
  4. Click Details.
    The Digital signature window opens.
  5. In the Digital signature details window, select the General tab and click View certificate.
    The Certificate window opens.
  6. In the Certificate window, select the Certification path tab and make sure that the final node of the certification path is selected.
  7. In the Certificate window, select the Details tab and select the field Thumbprint.
  8. Select the character string from the text box displayed and press Ctrl + C to copy it to the clipboard.
  9. Click the Signature field of the authorized software rule and press Ctrl + V to paste the thumbprint to the WatchGuard Endpoint Security web UI.
  10. Click Authorize.
  11. Click Save.
    The authorized software settings update.
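
The following script is an added example, not part of the WatchGuard documentation. For each file in a folder it gathers the values the rule fields ask for (MD5, product name, file version and signer certificate thumbprint), covering both the MD5 and thumbprint procedures above in one pass. The folder C:\folder, the *.exe filter and the function name Get-AuthorizedSoftwareFields are assumptions.

```powershell
# Added example: collect the values an authorized software rule asks for.
# $Folder and $Filter are assumptions; point them at the program to authorize.
$Folder = 'C:\folder'
$Filter = '*.exe'

function Get-AuthorizedSoftwareFields {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$Filter = '*.exe'
    )
    Get-ChildItem -LiteralPath $Folder -Filter $Filter -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Authenticode check: Status is 'Valid' only when the signature
            # verifies and chains to a trusted root on this computer.
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # Report a thumbprint only for a verified signature, so an unsigned
            # or modified file never contributes a value to the Signature field.
            $thumb = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Thumbprint } else { $null }

            [pscustomobject]@{
                FileName        = $_.Name
                FilePath        = $_.DirectoryName
                MD5             = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
                ProductName     = $_.VersionInfo.ProductName   # same value as Properties > Details
                FileVersion     = $_.VersionInfo.FileVersion   # same value as Properties > Details
                SignatureStatus = $sig.Status
                Thumbprint      = $thumb
            }
        }
}

$rows = Get-AuthorizedSoftwareFields -Folder $Folder -Filter $Filter

# Review what was found before authorizing anything.
$rows | Format-List FileName, FilePath, MD5, ProductName, FileVersion, SignatureStatus, Thumbprint

# Put the MD5 hashes on the clipboard, one per line, for the MD5 field.
$rows.MD5 | Set-Clipboard

# Distinct signer thumbprints among the validly signed files.
$rows | Where-Object Thumbprint | Select-Object -ExpandProperty Thumbprint -Unique
```

Files whose SignatureStatus is not Valid are listed with an empty Thumbprint; review those individually before you add their MD5 to a rule.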