About Anti-Exploit Protection

Applies To: WatchGuard EPDR, WatchGuard EDR

In the Advanced Protection settings of a workstations and servers settings profile, you can enable anti-exploit protection. Anti-exploit protection is enabled to Block by default.

Anti-exploit technology is not available on Windows ARM systems. The features available for each platform vary. For more information, see Advanced Protection for Devices on Windows, Linux, and macOS Platforms.

Exploit Blocking and Detection

Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers.

Network computers might run trusted processes that include bugs. Although legitimate, these processes are vulnerable because they sometimes do not correctly interpret data received from users or other processes. If a vulnerable process receives malicious inputs from a hacker, a malfunction can occur that enables the attacker to inject malicious code into areas of memory that the vulnerable process manages. The injected code can cause the compromised process to execute actions it was not programmed for and compromise computer security.

The anti-exploit protection included in WatchGuard Endpoint Security detects attempts to inject malicious code into vulnerable processes run by users, and neutralizes them based on the exploit detected.

Exploit Blocking

WatchGuard Endpoint Security detects the injection attempt while it is still in progress. Because the injection process does not complete, the targeted process is not compromised and there is no risk to the computer. The exploit is neutralized without the need to end the affected process or restart the computer, and there are no data leaks from the affected process. The user of the targeted computer receives a block notification, based on the settings configured by the administrator.

Exploit Detection

WatchGuard Endpoint Security detects the injection after it takes place. Because the vulnerable process already contains malicious code, WatchGuard Endpoint Security must end the process before it performs actions that might put computer security at risk. Regardless of the time between exploit detection and when the compromised process ends, WatchGuard Endpoint Security reports that the computer was at risk. The level of risk depends on the time passed before the process stopped and on the type of malware.

WatchGuard Endpoint Security can either end a compromised process automatically to minimize the negative effects of an attack, or prompt the user to end the process and remove it from memory. This enables the user to save work or critical information before the compromised process stops, or the computer restarts. If it is not possible to end a compromised process, the user is prompted to restart the computer.

See Also

Manage Settings Profiles

Copy a Settings Profile

Edit a Settings Profile

Assign a Settings Profile

Workstation and Server Security Settings