Advanced Protection

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, and WatchGuard EDR Core

In the Advanced Protection settings of a workstations and servers settings profile, you configure settings to track the activity of programs run on your computers and detect and block malicious programs.

The features available vary for each platform. For more information, go to Advanced Protection for Devices on Windows, Linux, and macOS Platforms.

Screen shot of WatchGuard Endpoint Security, Advanced Protection settings

To configure Advanced Protection settings:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Workstations and Servers.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
  6. Select Advanced Protection.
  7. Enable the Advanced Protection toggle.
  8. Configure these settings, as required, as described in the sections that follow.
  9. Click Save.
  10. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Configure Operating Behavior

Operating mode is not available with EDR Core or WatchGuard EPP.

To configure operating behavior, in the Behavior section:

  1. For Windows computers, select an Operating Mode from the list (Audit, Hardening, Lock).
    For more information on operating modes, go to Advanced Protection – Operating Modes (Windows Computers).

Screen shot of WatchGuard Endpoint Security, Operating mode

  2. To show a message in a pop-up alert on the user computer when advanced protection or anti-exploit features block a file, enable the Report Blocking to Computer Users toggle.
  3. (Optional) Type a custom message to include in the alert.
  4. For Linux computers, from the Detect Malicious Activity drop-down list, select the action to take when WatchGuard Endpoint Security detects malicious activity:
    • Audit — Reports detected threats, but does not block malware.
    • Block — Reports and blocks detected threats. This is the default option.
    • Do Not Detect — Malware is not detected or reported.

Configure Anti-Exploit Protection

Anti-exploit technology is not available on Windows ARM systems.

Anti-exploit protection prevents malicious programs from exploiting known and unknown (zero-day) vulnerabilities in applications to gain access to computers on the corporate network. For more information, go to About Anti-Exploit Protection. To detect and block vulnerability exploit attacks and Metasploit malware, you can enable and configure anti-exploit protection.

When you allocate WatchGuard EDR or EDR Core to a new account, and the account does not have a workstations and servers settings profile assigned, the default profile assigned to the All group has anti-exploit and decoy files disabled.

We recommend that you enable anti-exploit protection gradually on computers with a third-party security solution already installed to make sure it works properly.

WatchGuard Advanced EPDR includes Advanced Code Injection to detect advanced mechanisms to inject code in running processes.

To configure anti-exploit protection, in the Anti-Exploit section:

  1. Enable the Anti-Exploit toggle.

Screen shot of WatchGuard Endpoint Security, Anti-exploit protection

  2. For Windows computers, select an Operating Mode from the list:
    • Audit — Reports exploit detections in the management UI, but does not take action against them or display information to the user.
    • Block — Blocks exploit attacks. In some cases, it might be necessary to end the compromised process or restart the computer. The user receives notification of the blocked attack. WatchGuard Endpoint Security automatically ends the compromised process.
  3. To notify users when anti-exploit protection blocks a compromised process, enable the Report Blocking to the Computer User toggle.
    The user receives a notification, and the compromised process is automatically ended if required.
  4. To prompt users to end a compromised process, enable the Ask the User for Permission to End a Compromised Process toggle.
    Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether this toggle is enabled.

Many exploits continue to run malicious code until the relevant process ends. An exploit does not appear as resolved in the Exploit Activity tile on the Security dashboard in the management UI until the compromised program terminates.

Configure Network Attack Protection (Windows computers)

Network Attack Protection is not available with EDR Core or WatchGuard EPP.

Many security incidents begin with attacks that exploit vulnerabilities in Internet-exposed services. If malicious actors achieve their goal and infect computers in your organization, you must stop the attack before it spreads. In new accounts with WatchGuard Endpoint Security, this feature is enabled by default to block attacks.

Network Attack Protection scans network traffic in real time to detect and stop threats. It prevents network attacks that attempt to exploit vulnerabilities in services that are open to the Internet and in the internal network.

If you disable Network Attack Protection, it appears as a risk on the Risks dashboard. For more information, go to Security Risks Status in WatchGuard Endpoint Security.

Screen shot of WatchGuard Endpoint Security, Advanced Protection, Network Attack Protection toggle

To enable network attack protection, enable the toggle. You can select the operating mode:

  • Audit — Detects network attacks but allows them to continue (does not block).
  • Block — Blocks network attacks before they can perform actions.

For a list of the attacks that WatchGuard Endpoint Security detects, go to Network Attack Protection — Types of Attacks Detected.

You can send email alerts when Network Attack Protection detects a network attack. For more information, go to Configure Email Alerts.

Configure Privacy

WatchGuard Endpoint Security collects the name and full path of the files it sends to WatchGuard Cloud for analysis, as well as the name of the logged-in user. This information is used in the reports and forensic analysis tools shown in the management UI.

To enable data collection, in the Privacy section, enable the toggles.

Screen shot of WatchGuard Endpoint Security, Privacy settings

Configure Network Usage

WatchGuard Endpoint Security sends every unknown executable file found on user computers to WatchGuard Cloud for analysis. This behavior is configured so that it has no impact on the customer’s network bandwidth:

  • WatchGuard Endpoint Security sends a maximum of 50 MB of files to WatchGuard Cloud each hour for each client.
  • The WatchGuard Agent sends each unknown file once only for all customers who use WatchGuard Endpoint Security.
  • WatchGuard Endpoint Security implements bandwidth management mechanisms to prevent intensive usage of network resources.

To configure network usage, in the Network Usage section:

  • In the Maximum number of MBs that can be transferred in an hour text box, type the maximum number of MB to transfer between the computers and devices on your network and WatchGuard Cloud.

Related Topics

About Anti-Exploit Protection

Manage Settings Profiles

Copy a Settings Profile

Edit a Settings Profile