Remediation Tools

Applies To: WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

WatchGuard Endpoint Security provides several remediation tools that help you to resolve issues. Some of these tools are automatic and do not require you to take any action. You can get access to other tools in the web UI.

Tool Platform Type Purpose

Automatic computer scanning and disinfection

Windows, macOS, Linux, Android


Detects and disinfects malware when WatchGuard Endpoint Security detects movement in the file system (copy, move, run) or in a supported infection vector.

On-demand computer scanning and disinfection

Windows, macOS, Linux, Android

Automatic, Schedule, or Manual

Detects and disinfects malware in the file system when required, at specific time intervals, or after you create a remediation task.

On-demand restart



Forces a computer restart to apply updates, finish manual disinfection tasks, and fix protection errors.

Computer isolation



Isolates a computer from the network, to prevent the exfiltration of confidential information and the spread of threats to other computers.

Shadow copies Windows Automatic When enabled, creates a shadow copy every 24 hours. Use shadow copies to return a compromised system to a previous state.

Automatic Scanning and Disinfection

WatchGuard Endpoint Security automatically detects and disinfects threats found on protected computers and devices. File protection must be enabled in the security settings assigned to the computers and devices.

WatchGuard Endpoint Security automatically detects threats in these security areas:

  • Web — Malware downloaded to targeted computers through a web browser
  • Email — Malware that reaches email clients as a message attachment
  • File System — Malware detected when a file that contains a known or unknown threat in the computer storage system is run, moved, or copied.
  • Network — Intrusion attempts from a host on the network or Internet, blocked by the firewall

Advanced Protection in a Workstation and Servers settings profile also blocks the execution of unknown malware. For information on blocking modes and the options available for antivirus scanning, see Workstation and Server Security Settings and Configure Antivirus Scanning.

Remediation Actions

When WatchGuard Endpoint Security detects a known threat, it automatically cleans the affected items when there is a disinfection method available. If not, WatchGuard Endpoint Security quarantines the items.

When antivirus and advanced protection modules are enabled, WatchGuard Endpoint Security takes these actions:

Advanced Protection Mode Antivirus Protection Action
Audit Enabled Detection, disinfection, and quarantine
Disabled Detection only
Hardening, Lock Enabled Detection, block unknown items, disinfection, and quarantine
Disabled Detection, block unknown items

On-Demand Scanning and Disinfection

There are two ways to scan and disinfect computers on demand:

On-Demand Restart (Windows computers)

If you have computers that have to restart to fix a protection problem, you can restart the computers remotely. For more information, see Restart a Computer (Windows computers).

Computer Isolation (Windows computers)

You can isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data. For more information, see Isolate a Computer (Windows computers).

Shadow Copies (Windows computers)

Shadow copies is a technology included in Windows computers that can create a snapshot of computer files, even when they are in use. When enabled in WatchGuard Endpoint Security, Windows creates a shadow copy every 24 hours. You can use shadow copies to return a compromised system to a previous state. For more information, see Remove Ransomware and Restore the System.

See Also

Monitor Threats

Manage Tasks