Remediation Tools in WatchGuard Endpoint Security

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core

WatchGuard Endpoint Security provides several remediation tools that help you resolve issues. Some of these tools are automatic and do not require you to take any action. Other tools are available in the Endpoint Security management UI.

Tool | Platform | Type | Purpose
--- | --- | --- | ---
Automatic computer scanning and disinfection | Windows, macOS, Linux, Android | Automatic | Detects and disinfects malware when WatchGuard Endpoint Security detects movement in the file system (copy, move, run) or in a supported infection vector.
On-demand computer scanning and disinfection | Windows, macOS, Linux, Android | Automatic, Scheduled, or Manual | Detects and disinfects malware in the file system when required, at specific time intervals, or after you create a remediation task. Scan tasks are not available with WatchGuard EDR Core.
On-demand restart | Windows | Manual | Forces a computer restart to apply updates, finish manual disinfection tasks, and fix protection errors.
Computer isolation | Windows | Manual | Isolates a computer from the network, to prevent the exfiltration of confidential information and the spread of threats to other computers.
Shadow copies | Windows | Automatic | When enabled, creates a shadow copy every 24 hours. Use shadow copies to return a compromised system to a previous state. Shadow copies are not available with WatchGuard EDR Core.
Network Attack Protection | Windows | Automatic | When enabled, scans network traffic in real time to detect and stop threats. Network Attack Protection is not available with WatchGuard EDR Core or WatchGuard EPP.

Automatic Scanning and Disinfection

WatchGuard Endpoint Security automatically detects and disinfects threats found on protected computers and devices. File protection must be enabled in the security settings assigned to the computers and devices.

WatchGuard Endpoint Security automatically detects threats in these security areas:

  • Web — Malware downloaded to targeted computers through a web browser
  • Email — Malware that reaches email clients as a message attachment
  • File System — Malware detected when a file that contains a known or unknown threat in the computer storage system is run, moved, or copied.
  • Network — Intrusion attempts from a host on the network or Internet, blocked by the firewall

Advanced Protection in a Workstations and Servers settings profile also blocks the execution of unknown malware. For information on blocking modes and the options available for antivirus scanning, go to Configure Workstations and Servers Security Settings and Configure Antivirus Scanning.

Remediation Actions

When WatchGuard Endpoint Security detects a known threat, it automatically cleans the affected items when there is a disinfection method available. If not, WatchGuard Endpoint Security quarantines the items.

The action taken depends on the Advanced Protection mode and on whether antivirus protection is enabled:

Advanced Protection Mode | Antivirus Protection | Action
--- | --- | ---
Audit | Enabled | Detection, disinfection, and quarantine
Audit | Disabled | Detection only
Hardening, Lock | Enabled | Detection, block unknown items, disinfection, and quarantine
Hardening, Lock | Disabled | Detection, block unknown items

On-Demand Scanning and Disinfection

There are two ways to scan and disinfect computers on demand:

On-Demand Restart (Windows computers)

If a computer must restart to fix a protection problem, you can restart it remotely. For more information, go to Restart a Computer (Windows Computers).

Computer Isolation (Windows computers)

You can isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data. For more information, go to Isolate a Computer (Windows and Mac Computers).

Shadow Copies (Windows computers)

Shadow Copies is a Windows feature that creates a snapshot of computer files, even while they are in use. When enabled in WatchGuard Endpoint Security, Windows creates a shadow copy every 24 hours. You can use shadow copies to return a compromised system to a previous state. For more information, go to Remove Ransomware and Restore the System.
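Because the 24-hour schedule only helps if the snapshots actually exist on the endpoint (ransomware commonly deletes shadow copies before encrypting), a practitioner will want to verify them. The following PowerShell script is an added example, not WatchGuard's own code or part of this page: it lists the shadow copies Windows holds for each lettered volume, flags volumes whose newest copy is older than the expected 24 hours, and shows how to expose one copy as a read-only directory for file recovery. The function names, the mount path C:\ShadowMount, and the 24-hour threshold are assumptions for illustration; run it in an elevated PowerShell session on the Windows computer.

```powershell
# Added example (not WatchGuard's code). Run as Administrator on the endpoint.
# Win32_ShadowCopy and Win32_Volume are standard WMI/CIM classes; InstallDate is
# the snapshot creation time, VolumeName/DeviceID is the \\?\Volume{GUID}\ path.

function Get-ShadowCopyStatus {
    param(
        # 24 hours matches the schedule described on the page (assumed target).
        [int]$MaxAgeHours = 24
    )
    $copies  = @(Get-CimInstance -ClassName Win32_ShadowCopy)
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }

    foreach ($vol in $volumes) {
        # Shadow copies reference the volume by GUID path, not by drive letter.
        $forVol = @($copies | Where-Object { $_.VolumeName -eq $vol.DeviceID })
        $newest = $forVol | Sort-Object InstallDate -Descending | Select-Object -First 1

        if (-not $newest) {
            [pscustomobject]@{ Volume = $vol.DriveLetter; Count = 0; Newest = $null;
                               AgeHours = $null; Status = 'MISSING'; DeviceObject = $null }
            continue
        }
        $age = ((Get-Date) - $newest.InstallDate).TotalHours
        [pscustomobject]@{
            Volume       = $vol.DriveLetter
            Count        = $forVol.Count
            Newest       = $newest.InstallDate
            AgeHours     = [math]::Round($age, 1)
            Status       = if ($age -le $MaxAgeHours) { 'OK' } else { 'STALE' }
            DeviceObject = $newest.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        }
    }
}

function Mount-ShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$MountPath = 'C:\ShadowMount'   # assumed path for illustration
    )
    if (Test-Path $MountPath) { throw "$MountPath already exists; choose another path." }
    # A directory symbolic link to the snapshot device exposes it read-only.
    # The trailing backslash on the target is required.
    cmd.exe /c "mklink /d `"$MountPath`" `"$DeviceObject\`"" | Out-Null
    Get-Item $MountPath
}

function Dismount-ShadowCopy {
    param([string]$MountPath = 'C:\ShadowMount')
    # rmdir removes only the link, never the snapshot data behind it.
    cmd.exe /c "rmdir `"$MountPath`"" | Out-Null
}

# Report, then expose the newest C: snapshot so files can be copied back.
$status = Get-ShadowCopyStatus
$status | Format-Table Volume, Count, Newest, AgeHours, Status -AutoSize

$c = $status | Where-Object { $_.Volume -eq 'C:' -and $_.Status -ne 'MISSING' }
if ($c) {
    Mount-ShadowCopy -DeviceObject $c.DeviceObject | Out-Null
    Get-ChildItem 'C:\ShadowMount\Users' -ErrorAction SilentlyContinue | Select-Object -First 5
    # Copy-Item 'C:\ShadowMount\Users\alice\Documents\*' 'C:\Recovered\' -Recurse
    Dismount-ShadowCopy
}
```

A MISSING or STALE status on a volume that should be protected is worth investigating before you rely on the Remove Ransomware and Restore the System procedure; `vssadmin list shadows` gives the same inventory from a command prompt as a cross-check.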

Network Attack Protection (Windows computers)

Network Attack Protection blocks network attacks that try to exploit vulnerabilities in services exposed to the Internet or to the internal network. For more information, go to Configure Network Attack Protection (Windows computers).

Related Topics

Monitor Threats in WatchGuard Endpoint Security

Manage Tasks