Settings vary for WatchGuard EPDR, WatchGuard EDR, and WatchGuard EPP. Throughout this documentation, WatchGuard Endpoint Security refers generally to all three products. If you do not see a setting in the web UI, it is not supported by your product.
In the Advanced Protection settings of a workstations and servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs.
The operating mode defines how the advanced protection responds when it detects an unknown file. There are three modes: Audit, Hardening, and Lock.
Reports detected threats on dashboards and lists, but does not block or disinfect files.
- Allows execution of unknown programs already installed on user computers.
- Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned.
- Disinfects or deletes programs classified as malware.
Prevents execution of all programs classified as malware, as well as all unknown programs pending classification.
Decoy files help detect ransomware. WatchGuard Endpoint Security creates decoy files as bait on computers. If the files are modified, they identify the process that modified them as ransomware. The file ends the process that modified it and reports it as malware.
To create decoy files, enable the Create Decoy Files to Help Detect Ransomware toggle.
This option is available in Advanced Protection for WatchGuard EDR only. For WatchGuard EDPR and WatchGuard EPP, see Configure Antivirus Scanning.
Report Blocking to Computer Users
To show a message in a pop-up alert on the user computer when advanced protection or anti-exploit features block a file, enable the Report Blocking to Computer Users toggle. Optionally, you can specify a custom message to include in the alert.