Advanced Protection

Applies To: WatchGuard EPDR, WatchGuard EDR

In the Advanced Protection settings of a Workstations and Servers settings profile, you configure how WatchGuard Endpoint Security tracks the activity of programs that run on your computers and how it detects and blocks malicious programs.

The features available vary for each platform. For more information, see Advanced Protection for Devices on Windows, Linux, and macOS Platforms.

Screen shot of WatchGuard Endpoint Security, Advanced Protection settings

To configure Advanced Protection settings:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Workstations and Servers.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
  6. Select Advanced Protection.
  7. Enable the Advanced Protection toggle.
  8. Configure the settings described in the sections below, as required.
  9. Click Save.
  10. Select the profile and assign recipients, if required.
    For more information, see Assign a Settings Profile.

Configure Operating Behavior

To configure operating behavior, in the Behavior section:

  1. For Windows computers, select an Operating Mode from the list.
    For more information on operating modes, see Advanced Protection – Operating Modes (Windows computers).

Screen shot of WatchGuard Endpoint Security, Operating mode

  2. To show a message in a pop-up alert on the user computer when advanced protection or anti-exploit features block a file, enable the Report Blocking to Computer Users toggle.
  3. (Optional) Type a custom message to include in the alert.
  4. For Linux computers, from the Detect Malicious Activity drop-down list, select the action to take when WatchGuard Endpoint Security detects malicious activity:
    • Audit – Reports detected threats, but does not block malware.
    • Block – Reports and blocks detected threats. This is the default option.
    • Do Not Detect – Malware is not detected or reported.

Configure Anti-Exploit Protection

Anti-exploit protection prevents malicious programs from exploiting known and unknown (zero-day) vulnerabilities in applications to get access to computers on the corporate network. For more information, see About Anti-Exploit Protection.

To detect and block vulnerability exploit attacks and Metasploit malware, you can enable and configure anti-exploit protection.

On computers that already have a third-party security solution installed, we recommend that you enable anti-exploit protection gradually, so you can confirm that the two products work together properly.

To configure anti-exploit protection, in the Anti-Exploit section:

  1. Enable the Anti-Exploit toggle.

Screen shot of WatchGuard Endpoint Security, Anti-exploit protection

  2. For Windows computers, select an Operating Mode from the list:
    • Audit – Reports exploit detections in the management UI, but does not take action against them or display information to the user.
    • Block – Blocks exploit attacks. In some cases, it might be necessary to end the compromised process or restart the computer. The user receives a notification of the blocked attack, and WatchGuard Endpoint Security automatically ends the compromised process.
  3. To notify users when anti-exploit protection blocks a compromised process, enable the Report Blocking to the Computer User toggle.
    The user receives a notification, and the compromised process is automatically ended if required.
  4. To prompt users to end a compromised process, enable the Ask the User for Permission to End a Compromised Process toggle.
    Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether this toggle is enabled.

Many exploits continue to run malicious code until the relevant process ends. An exploit does not appear as resolved in the Exploit Activity tile on the Security dashboard in the management UI until the compromised program terminates.

Configure Privacy

WatchGuard Endpoint Security collects the name and full path of the files it sends to WatchGuard Cloud for analysis, as well as the name of the logged-in user. This information is used in the reports and forensic analysis tools shown in the management UI.

To enable data collection, in the Privacy section, enable the toggles.

Screen shot of WatchGuard Endpoint Security, Privacy settings

Configure Network Usage

WatchGuard Endpoint Security sends every unknown executable file found on user computers to WatchGuard Cloud for analysis. This behavior is designed so that it has no impact on the customer’s network bandwidth:

  • WatchGuard Endpoint Security sends a maximum of 50 MB per hour per client to WatchGuard Cloud.
  • The endpoint agent sends each unknown file only once, across all customers that use WatchGuard Endpoint Security.
  • WatchGuard Endpoint Security implements bandwidth management mechanisms to prevent intensive use of network resources.

To configure network usage, in the Network Usage section:

  • In the Maximum number of MBs that can be transferred in an hour text box, type the maximum number of MB to transfer between the computers and devices on your network and WatchGuard Cloud.
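The two controls described in this section, a per-client hourly transfer cap and once-only submission of each unknown file, are simple to reason about as a policy. The following is an added illustrative model, not WatchGuard's code and not a description of how the agent is implemented internally: it assumes a SHA-256 digest identifies a file for dedup purposes, a sliding one-hour window for the budget, and the 50 MB default from this page as the cap. A file that is already known is skipped, and a file that would exceed the client's remaining hourly budget is deferred rather than dropped.

```python
import hashlib
from collections import defaultdict

HOURLY_BUDGET_MB = 50   # default cap stated on this page
WINDOW_SECONDS = 3600   # assumption: a sliding one-hour window


class UploadBudget:
    """Illustrative model of sample submission under a bandwidth budget.

    - Each client may transfer at most max_mb_per_hour within any
      one-hour window.
    - Each distinct file (by SHA-256, an assumption) is submitted once
      globally; later sightings of the same content are skipped.
    """

    def __init__(self, max_mb_per_hour: int = HOURLY_BUDGET_MB) -> None:
        self.max_bytes = max_mb_per_hour * 1024 * 1024
        # client_id -> list of (timestamp, bytes_sent)
        self.sent = defaultdict(list)
        # digests of files already submitted for analysis (global dedup)
        self.known_hashes = set()

    def _used_bytes(self, client_id: str, now: float) -> int:
        """Drop entries older than the window and sum what remains."""
        recent = [(t, n) for t, n in self.sent[client_id]
                  if now - t < WINDOW_SECONDS]
        self.sent[client_id] = recent
        return sum(n for _, n in recent)

    def submit(self, client_id: str, content: bytes, now: float) -> str:
        """Decide what happens to one unknown file seen on one client.

        Returns "sent", "skipped-known" or "deferred-budget".
        """
        digest = hashlib.sha256(content).hexdigest()
        if digest in self.known_hashes:
            return "skipped-known"
        if self._used_bytes(client_id, now) + len(content) > self.max_bytes:
            # Over budget for this hour: keep the file queued, do not drop it.
            return "deferred-budget"
        self.sent[client_id].append((now, len(content)))
        self.known_hashes.add(digest)
        return "sent"


def demo() -> list:
    """Constructed scenario with a 1 MB cap so the budget is easy to hit."""
    budget = UploadBudget(max_mb_per_hour=1)
    file_a = b"A" * (600 * 1024)   # constructed 600 KB sample
    file_b = b"B" * (600 * 1024)   # constructed, different content
    outcomes = [
        budget.submit("client-1", file_a, now=0),      # sent
        budget.submit("client-2", file_a, now=10),     # skipped-known
        budget.submit("client-1", file_b, now=20),     # deferred-budget
        budget.submit("client-1", file_b, now=3700),   # sent (window rolled)
    ]
    return outcomes


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Raising the value in the Maximum number of MBs that can be transferred in an hour text box corresponds to a larger `max_bytes` in this model; the dedup behavior is independent of that setting, which is why a file first seen on one computer costs nothing when it later appears on another.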

Related Topics

About Anti-Exploit Protection

Manage Settings Profiles

Copy a Settings Profile

Edit a Settings Profile