About Anti-Exploit Protection

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, and WatchGuard EDR Core

In the Advanced Protection settings of a workstations and servers settings profile, you can enable anti-exploit protection. Anti-exploit protection is enabled and set to Block by default.

Anti-exploit technology is not available on Windows ARM systems. The features available for each platform vary. For more information, go to Advanced Protection for Devices on Windows, Linux, and macOS Platforms.

When you allocate WatchGuard EDR or EDR Core to a new account, and the account does not have a workstations and servers settings profile assigned, the default profile assigned to the All group has anti-exploit and decoy files disabled.

Exploit Blocking and Detection

Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers.

Network computers might run trusted processes that include bugs. Although legitimate, these processes are vulnerable because they sometimes do not correctly interpret data received from users or other processes. If a vulnerable process receives malicious inputs from a hacker, a malfunction can occur that enables the attacker to inject malicious code into areas of memory that the vulnerable process manages. The injected code can cause the compromised process to execute actions it was not programmed for and compromise computer security.

WatchGuard Advanced EPDR includes Advanced Code Injection detection, which identifies advanced mechanisms used to inject code into running processes.

The anti-exploit protection included in WatchGuard Endpoint Security detects attempts to inject malicious code into vulnerable processes run by users, and neutralizes them based on the exploit detected.

Exploit Blocking

WatchGuard Endpoint Security detects the injection attempt while it is still in progress. Because the injection process does not complete, the targeted process is not compromised and there is no risk to the computer. The exploit is neutralized without the need to end the affected process or restart the computer, and there are no data leaks from the affected process. The user of the targeted computer receives a block notification, based on the settings configured by the administrator.

Exploit Detection

WatchGuard Endpoint Security detects the injection after it takes place. Because the vulnerable process already contains malicious code, WatchGuard Endpoint Security must end the process before it performs actions that might put computer security at risk. Regardless of the time between exploit detection and when the compromised process ends, WatchGuard Endpoint Security reports that the computer was at risk. The level of risk depends on the time passed before the process stopped and on the type of malware.

WatchGuard Endpoint Security can either end a compromised process automatically to minimize the negative effects of an attack, or prompt the user to end the process and remove it from memory. This enables the user to save work or critical information before the compromised process stops, or the computer restarts. If it is not possible to end a compromised process, the user is prompted to restart the computer.
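The two outcomes described above (an injection blocked while in progress, and an injection detected after it completed) lead to different reporting and response steps. The following Python triage routine is an added example that models that decision flow over constructed event records; it is not WatchGuard code, and the event format, field names and sample records are assumptions made for illustration only. It shows why a detected-after-the-fact event is reported as "computer was at risk" regardless of how quickly the process was ended, while the exposure window is still recorded because the text says the level of risk depends on it.

```python
"""Triage of constructed anti-exploit events: blocked vs. detected.

Added example, not WatchGuard code. The pipe-separated record format,
the field names and the sample records are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample records: detected_at|outcome|process|ended_at
# outcome "blocked"  = injection stopped while still in progress
# outcome "detected" = injection found after it had taken place
# ended_at is empty when the compromised process could not be ended.
SAMPLE_EVENTS = """\
2024-05-01T10:00:00Z|blocked|winword.exe|
2024-05-01T10:05:00Z|detected|acrord32.exe|2024-05-01T10:05:02Z
2024-05-01T10:07:00Z|detected|iexplore.exe|2024-05-01T10:09:30Z
2024-05-01T10:12:00Z|detected|javaw.exe|
"""


@dataclass
class ExploitEvent:
    detected_at: datetime
    outcome: str                  # "blocked" or "detected"
    process: str
    ended_at: Optional[datetime]  # when the process was ended, if it was


def _parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> list[ExploitEvent]:
    """Parse the constructed record format into ExploitEvent objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        detected, outcome, process, ended = line.split("|")
        events.append(ExploitEvent(
            detected_at=_parse_ts(detected),
            outcome=outcome,
            process=process,
            ended_at=_parse_ts(ended) if ended else None,
        ))
    return events


def triage(ev: ExploitEvent) -> dict:
    """Map one event to the reporting and response described in the text.

    blocked  -> injection never completed: no compromise, no risk reported,
                the process keeps running and the user is only notified.
    detected -> injection completed: the computer is reported as at risk no
                matter how fast the process was ended; the exposure window
                (seconds between detection and process end) is kept as an
                input to the risk assessment. If the process could not be
                ended, the remaining step is to prompt for a restart.
    """
    if ev.outcome == "blocked":
        return {"process": ev.process, "at_risk": False,
                "exposure_s": 0.0, "action": "notify user"}
    if ev.outcome != "detected":
        raise ValueError(f"unknown outcome {ev.outcome!r}")
    if ev.ended_at is None:
        return {"process": ev.process, "at_risk": True,
                "exposure_s": None, "action": "prompt restart"}
    exposure = (ev.ended_at - ev.detected_at).total_seconds()
    return {"process": ev.process, "at_risk": True,
            "exposure_s": exposure, "action": "process ended"}


def summarize(text: str) -> dict:
    """Count outcomes across a batch of records and list at-risk processes."""
    results = [triage(ev) for ev in parse_events(text)]
    return {
        "total": len(results),
        "blocked": sum(1 for r in results if not r["at_risk"]),
        "at_risk": sum(1 for r in results if r["at_risk"]),
        "restart_needed": [r["process"] for r in results
                           if r["action"] == "prompt restart"],
        "results": results,
    }


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS)["results"]:
        print(row)
```

Running the block prints one triage row per constructed record; in a real deployment the same distinction (blocked versus detected, and whether the process could be ended) is what tells an analyst which computers need follow-up rather than only a notification.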

Related Topics

Manage Settings Profiles

Copy a Settings Profile

Edit a Settings Profile

Assign a Settings Profile

Configure Workstations and Servers Security Settings