File Classification — Strategy for New Software

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EDR Core, WatchGuard EPP

If you monitor the installation of programs on network devices, you might want to allow unknown software to run without an increased security risk. This topic describes a strategy for staged installation of new, blocked software.

Step 1. Configure a Test Computer

With a test computer, determine whether the new software is known malware or is unknown to WatchGuard Endpoint Security. Make sure that the test computer has Endpoint Security installed and Advanced Protection configured in Hardening mode.

For information on Hardening mode, go to Advanced Protection – Operating Modes (Windows Computers).

Step 2. Install the New Software

Install the new software on the test computer and open it normally.

If Endpoint Security determines that the software contains an unknown module or program, it blocks the software. A dialog box opens to show that the software was blocked, and a new item is added to the Currently Blocked Programs Being Classified list. Endpoint Security sends the binary files to the cloud for analysis.

If no items are blocked in Hardening mode, change the Advanced Protection settings to Lock mode. Open the new software again. If additional items are blocked, they show in the Currently Blocked Programs Being Classified list.

Step 3. Reclassify Blocked Software

You can enable email alerts that tell you, when Endpoint Security reclassifies blocked software, whether it has unblocked the software or kept the software blocked. For information on alerts and the reclassification policy, go to File Classification and Reclassification.

If all processes are classified as goodware, the installed software is valid for use across the network.

Step 4. Send Blocked Software to WatchGuard Support

When a file is unknown, Endpoint Security sends the binary files to the cloud for analysis. Because Endpoint Security is designed to prevent network performance issues, it could delay sending the files to the cloud.

To speed up the classification process, contact WatchGuard Support. A WatchGuard malware expert can manually analyze a sample of the process.

Related Topics

File Classification and Reclassification

Allow Blocked Items to Run