Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR
Authorized software settings can only be assigned to Windows servers or workstations. Authorized software exclusions do not exclude any sub-directories within an excluded directory.
In WatchGuard Endpoint Security, three features prevent program blocking:
Excluded Files and Paths
Excludes specific items or areas on the computer from scans. Unknown software will not be prevented from running. Because this can lead to a security hole, we do not recommended this except where there are problems with computer performance. Only the folder in the specified path is excluded. Subfolders are not excluded.
Unblocking Programs in the Process of Classification
Temporarily allows blocked programs to run but with a reactive approach. The administrator cannot unblock a program unless it has first been blocked.
Because software can consist of several components, and you must unblock each component individually, the process to block and unblock can take some time.
Configure Authorized Software
Proactive unblocking of unknown programs in the process of classification. The administrator can assign settings for programs from a known source which can be used provided no risk is detected. This is the recommended method for unblocking programs.
In an authorized software settings profile, you can configure settings to authorize software or a family of software that you want to allow to run before it is classified. For example, when you know the source of the program and the reason why it has been blocked, you can unblock the program. Examples of programs you might want to unblock include:
- Specific niche programs with very few users
- Programs that update automatically from the vendor website without user interaction
- Programs with functions distributed across hundreds of libraries which are loaded in memory and therefore blocked as and when they are used by the user from program menus
- Client-server model programs, where the client side is hosted on a shared network resource
- Polymorphic software which dynamically generates executable files
Caution: Authorized software settings enable you to approve the execution of executable binary files, excluding script files, standalone .DLLs, and other files. If Endpoint Security blocks a program because it downloads an unknown .DLL, you can authorize the executable file specified in the pop-up message shown on the user computer. After the program is authorized, all .DLL files and resources that it uses are also authorized. This same behavior applies to files that originate from an authorized .MSI installer or self-extracting .EXE file. Processes created by the .MSI or .EXE are also authorized.
After a program has been analyzed, Endpoint Security classifies the program as goodware or malware. If the program represents a threat, it is blocked regardless of whether it was authorized in these settings.
Inherited Authorized Software Settings
By default, you cannot edit or delete the authorized software settings inherited from your Service Provider. When the Service Provider configures the list of authorized software to be editable, the settings profile shows an Editable Settings label. In this case, you can add authorized software but you cannot delete or edit the list of software defined by the Service Provider.
If your Service Provider changes the status of the settings from editable to non-editable, the authorized software you added no longer applies. Only the software from the Service Provider applies. If the Service Provider changes the configuration again to be editable, then the authorized software you added is restored and applied.
Configure Authorized Software Settings
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Authorized Software permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
To configure authorized software settings:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- From the left pane, select Authorized Software.
- Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
The Add Settings or Edit Settings page opens.
- Enter a Name and Description for the profile, if required.
We recommend that you enter a descriptive name such as Exclude MD5, Exclude program version, or Path excluded. - To create a new rule, click Authorize Programs.
The Authorize Programs dialog box opens.
- To specify the program executable with an MD5 hash code, select MD5 or SHA-256.
- In the text box, type MD5 or SHA-256 hashes for the program you want to add.
For example, for MD5, you could enter 938c2cc0dcc05f2b68c4287040cfcf71. For more information, go to Calculate the MD5 or SHA-256 of One or More Files. - To specify the program you want to add via program properties, select Program Properties.
- Signature – SHA-1 digital signature of the file. For more information, go to Get the Thumbprint of a Signed Program.
- Product Name – Product name value from the header of the file you want to unblock. To view the product name, right-click the program file and select Properties > Details.
- File Path – Path of the program on the server or workstation. System environment variables are accepted. Authorized software exclusions do not exclude sub-directories within an excluded directory. You must specify each file path. For example, C:\panda only includes files at that level of the directory.
- File Name – The name of the file you want to unblock. Wildcards * and ? are accepted.
- File Version – Version from the header of the file you want to unblock. To view the version, right-click the program file and select Properties > Details. For example, you could enter 0.1.777.0 exact version.
- Click Authorize.
- Click Save.
- Select the profile and assign recipients, if required.
For more information, go to Assign a Settings Profile.
Calculate the MD5 or SHA-256 of One or More Files
There are many tools available to calculate the MD5 or SHA-256 of a file. This section describes how to use the PowerShell tool in Windows 10.
- In File Explorer, open the folder with the files.
- Select File > Open Windows PowerShell.
A window with the command line opens.
- Enter the following command and replace $files with the file path. Wildcards * and ? are accepted.
- For md5: PS c:\folder> Get-FileHash -Algorithm md5 -path $files
- For SHA-256: PS c:\folder> Get-FileHash -Algorithm SHA256 -path $files
- To copy the hashes to the clipboard, press and hold the Alt key, and select the hashes with the mouse pointer. Press Ctrl + C.
- To paste all hashes from the clipboard to the Endpoint Security management UI, click the MD5 or SHA-256 field of the authorized software rule and press Ctrl + V.
- Click Authorize.
- Click Save.
The authorized software settings update.
Get the Thumbprint of a Signed Program
- Open Windows PowerShell.
- Navigate to the directory where the signed program is located.
- Run the command Get-AuthenticodeSignature -FilePath ApplicationName.exe, where ApplicationName is the name of the signed program.
- Select the character string and copy it to the Windows clipboard.
- Open a text document and paste the string in the document.
- Remove the extra spaces between the characters.
- Copy the string without spaces.
- In Authorize Programs dialog box, select Program Properties.
- In the Signature text box, paste the string without extra spaces.
- Click Authorize.
- Click Save.
The authorized software settings update.
Exclude Files and File Paths from Scans