Applies To: WatchGuard Advanced Reporting Tool
The Special Applications & Tools tab provides visibility into the executed applications that your IT policies might not authorize. The tiles on this tab list legitimate applications that can be used by attackers. These applications can include administration tools, Windows system tools, and system internal tools.
Sysinternal tools are not included with the Windows OS but are freely available from Microsoft with extra, advanced utilities. Malware attacks sometimes use sysinternal tools (for example, toolsets).
For more information on the specific tools detected, see Special Applications & Tools.
View Admin and System Tools in Use
Admin and system tools can also be used for malicious actions. It is important to know who uses these applications on your network, and when and where they use them.
To view admin and system tools that run on your network, from the WatchGuard EPDR or WatchGuard EDR web UI:
- From the top navigation bar, select Status.
- From the left pane, select Advanced Visualization Tool.
A new browser tab opens.
- From the left pane, select Advanced Reporting > Application Control.
- Select the date range for the data you want to see.
- Click Refresh.
The dashboard shows information for the time period selected.
- Select the Special Applications & Tools tab.
- To identify admin tools that are not validated, in the Admin Tools Executed tiles, review the admin tools that run across the network.
- To identify utilities that are not validated, in the System Tools Executed tiles, review the Windows OS utilities that run across the network.
- To identify sysinternal tools that are not validated, in the System Internal Tools Executed sections, review the sysinternal tools that run across the network.