Troubleshoot Anti-Exploit Detections

Applies To: WatchGuard Advanced EPDR This topic applies to the WatchGuard Advanced EPDR endpoint security product., WatchGuard EPDR This topic applies to the WatchGuard EPDR endpoint security product., WatchGuard EDR This topic applies to the WatchGuard EDR endpoint security product., WatchGuard EPP This topic applies to the WatchGuard EPP endpoint security product., WatchGuard EDR Core This topic applies to the WatchGuard EDR Core, available in the Total Security Suite license.

The anti-exploit protection included in WatchGuard Endpoint Security products automatically blocks vulnerabilities found in the active processes on your computer. When you first enable anti-exploit protection, it might detect an exploit in a program on your computer. This topic provides information about potential causes and the actions that you can take. For more information, go to About Anti-Exploit Protection (Windows Computers).

Update Software

Make sure that you install all available updates for your operating system and any affected program. If your WatchGuard Endpoint Security product continues to detect an exploit after you install updates, or if you believe that the detection is a false positive, contact Support. When you contact Support, you can include a memory dump (.DMP) file of when and how the false positive exploit detection occurred.

Automatic Dump Collection

Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers. You should only use the antiexploittechid tool if you know that an exploit detection is a false positive.

You can use the antiexploittechid tool to enable and disable the automatic creation of a .DMP file when a false positive exploit takes place. The tool changes the values of some anti-exploit protection configuration settings and places them in debug mode. When the exploit takes place, the program automatically creates a dump file and saves it to the install folder. The default install folder locations and file names are:

• 32–bit version:
  C:\Program Files\Panda Security\Advanced File Report Generation\Panda_AllFlags_Dump.dmp
• 64–bit version:
  C:\Program Files (x86)\Panda Security\Advanced File Report Generation\Panda_AllFlags_Dump.dmp

To perform an automatic dump collection:

To report the anti-exploit to Support, you must reproduce the false positive anti-exploit detection so that you can generate a DMP file to send to Support. Anti-exploit protection detects if a process tries to exploit a vulnerability and, based on its configuration, blocks the process.

1. Download this installer file:
   https://www.pandasecurity.com/resources/tools/antiexploit/antiexploittechid_configurator_installer_gui.exe
2. Run the antiexploittechid_configurator_installer_gui.exe setup file.
   The installer might take some time to finish installation.
   

3. Click Finish.
4. Take the steps to reproduce the false positive exploit detection.
   When the exploit occurs, the program automatically creates a dump file.
5. Download this installer file:
   https://www.pandasecurity.com/resources/tools/antiexploit/antiexploittechid_feature_disable_recovery_gui.exe
6. To revert the changes to the anti-exploit protection configuration, run the antiexploittechid_feature_disable_recovery_gui.exe file.
   The installer might take some time to finish installation.
7. Click Finish.

8. Compress the dump file and send it to Support.

You can also use the PSInfo tool to provide diagnostic logs to help Support troubleshoot your issue. For more information, go to Get Started with PSInfo.