Troubleshoot an Endpoint Infection

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP, WatchGuard EDR Core

When a WatchGuard Endpoint Security product reports malicious software (malware), you can use the Operating Mode setting to try to remove the malware infection. You can also collect information and report the malware to Support.

Operating Mode

In the Advanced Protection settings of a Workstations and Servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs. The Operating Mode setting specifies how WatchGuard Endpoint Security responds when it detects an unknown file.

There are three available response modes — Audit, Hardening, and Lock.

Screenshot of Advanced Protection settings

Audit

Reports detected threats on dashboards and lists, but does not block or disinfect files.

Hardening

  • Allows execution of unknown programs already installed on user computers.
  • Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned.
  • Disinfects or deletes programs classified as malware.

Lock

Prevents execution of all programs classified as malware, as well as all unknown programs pending classification.

To try to resolve a malware issue, make sure that the Operating Mode setting used by the computer is not set to Audit mode. In Audit mode, the endpoint security product tracks programs on your computer, but does not block or disinfect files.

For more information about Advanced Protection settings, go to Advanced Protection – Operating Modes (Windows Computers).

Collect Information

There might be a scenario where you install the endpoint security product on a computer that already has a malware infection. To confirm whether the infection predates the installation, you can use the installation logs that the PSInfo tool gathers to determine the infection date.

In the case of a ransomware infection, when you contact Support with the installation logs that the PSInfo tool gathers, provide an estimate of the date and time of infection. If possible, collect a copy of a ransomware-encrypted file. If you cannot obtain a copy of an encrypted file, inform Support of the file extension of the encrypted files and whether the encrypted files are shared network files or local files.