Troubleshoot an Endpoint Infection
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EDR Core, WatchGuard EPP
When a WatchGuard Endpoint Security product reports malicious software (malware), you can first use the Operating Mode setting to have the product block and remove the infection. You can also take steps to contain the infection, collect information, and report the malware to Support.
Operating Mode
In the Advanced Protection settings of a workstations and servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs. The Operating Mode setting specifies how WatchGuard Endpoint Security responds when it detects an unknown file.
There are three available response modes: Audit, Hardening, and Lock.
Audit
Reports detected threats on dashboards and lists, but does not block or disinfect files.
Hardening
- Allows execution of unknown programs already installed on user computers.
- Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned.
- Disinfects or deletes programs classified as malware.
Lock
Prevents execution of all programs classified as malware, as well as all unknown programs pending classification.
To try to resolve a malware issue, make sure that the Operating Mode setting used by the computer is not set to Audit mode. In Audit mode, the endpoint security product tracks programs on your computer, but does not block or disinfect files.
For more information about Advanced Protection settings, go to Advanced Protection – Operating Modes (Windows Computers).
Steps to Address an Endpoint Infection
If an Endpoint Security product reports malicious software (malware), take these steps:
- Make sure that malware protection is installed on all devices connected to the network.
- Reinstall Endpoint Security protection on a device that reports a protection error. For more information, go to Reinstall Endpoint Security (Windows Computers).
- Enable Hardening or Lock mode on devices with WatchGuard Advanced EPDR, EPDR, EDR, or EPP installed. For more information, go to Advanced Protection – Operating Modes (Windows Computers).
- Remove any scan exclusions for specific files and folders that might affect protection. For more information, go to Create Exclusions in WatchGuard Endpoint Security.
- Enable Endpoint Access Enforcement to audit network access from unprotected devices. For more information, go to Endpoint Access Enforcement Dashboard.
- Configure ThreatSync to automatically isolate devices when a malware detection occurs. For more information, go to About ThreatSync.
- Remove device exposure to the Internet.
- Disable remote desktop (RDP), if enabled.
- Review local and domain user accounts for unknown entries.
- Review passwords for all local and domain user accounts, and make sure all passwords are strong and follow any password guidelines.
- Perform software updates for devices on the network.
- Enforce two-factor authentication for the network.
- Use network segmentation on internal networks and filter traffic between subnets. For more information, go to About Network Segmentation.
- Use the PSInfo tool to provide diagnostic logs to help Support troubleshoot your issue. For more information, go to Get Started with PSInfo.
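The account, RDP, and update items in the list above are Windows checks rather than product settings. The following script is an added example, not WatchGuard tooling or code from this page: it runs read-only checks on one endpoint and prints a summary you can compare against your change records. It assumes a Windows 10/11 or Server 2016+ host with Windows PowerShell 5.1 or later, an elevated session, and only built-in modules; the 30-day lookback for account-creation events is an assumed value.

```powershell
# Added example (not WatchGuard's own tooling): read-only audit of the RDP, local
# account, and update state referenced in the remediation steps. Run elevated.
$report = [ordered]@{}

# Remote Desktop: fDenyTSConnections = 1 means RDP connections are refused.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)
$report['RdpFirewallRulesEnabled'] = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'True' }).Count

# Local accounts: enabled accounts, accounts that need no password, and accounts whose
# password never expires (PasswordExpires is null), plus local Administrators membership.
$users = Get-LocalUser
$enabled = $users | Where-Object { $_.Enabled }
$report['EnabledLocalUsers']   = ($enabled | Select-Object -ExpandProperty Name) -join ', '
$report['NoPasswordRequired']  = ($enabled | Where-Object { -not $_.PasswordRequired } |
    Select-Object -ExpandProperty Name) -join ', '
$report['PasswordNeverExpires'] = ($enabled | Where-Object { $null -eq $_.PasswordExpires } |
    Select-Object -ExpandProperty Name) -join ', '
$report['LocalAdministrators'] = (Get-LocalGroupMember -Group 'Administrators' |
    Select-Object -ExpandProperty Name) -join ', '

# Accounts created recently: Security event 4720 ("A user account was created").
# The 30-day window is an assumed value; widen it to cover the suspected infection date.
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = (Get-Date).AddDays(-30) } `
    -ErrorAction SilentlyContinue
$report['AccountsCreatedLast30Days'] = @($created).Count

# Updates: date of the most recently installed hotfix.
$hotfix = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report['LastHotfixInstalled'] = if ($hotfix) { $hotfix.InstalledOn } else { 'none found' }

[pscustomobject]$report | Format-List
```

Any unknown name in EnabledLocalUsers or LocalAdministrators, a non-zero AccountsCreatedLast30Days count you cannot match to a ticket, or an RdpEnabled value of True on a device that should not accept remote desktop is a finding to act on before the device is returned to the network.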
Collect Information
There might be a scenario where you install the endpoint security product on a computer that already has a malware infection. To confirm this, you can use the installation logs that the PSInfo tool gathers to determine the infection date.
In the case of a ransomware infection, when you contact Support with the installation logs that the PSInfo tool gathers, provide an estimate of the date and time of infection. If possible, collect a copy of a ransomware-encrypted file. If you cannot obtain a copy of an encrypted file, tell Support the file extension of the encrypted files and whether the encrypted files are shared network files or local files.
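To find the three details Support asks for above (encryption time, file extension, and whether the files are local or on a network share), the following script is an added example rather than WatchGuard tooling or code from this page. It summarises files written in a folder during a suspected window, grouped by extension, and copies one sample of the most common extension to an evidence folder. The path, evidence folder, and 7-day window are assumed placeholders; change them for the affected location.

```powershell
# Added example (not WatchGuard's own tooling): triage a folder for ransomware output.
# Placeholders: $Path is the affected folder or UNC share, $Evidence the collection folder.
$Path     = 'D:\Shares\Finance'           # placeholder, change to the affected location
$Evidence = 'C:\IR\evidence'              # placeholder, where one sample file is copied
$Days     = 7                             # assumed lookback window

# Tell Support whether the files are network-shared or local.
$locationType = if (([uri]$Path).IsUnc) { 'network share' } else { 'local disk' }
Write-Host "Location type: $locationType"

$since = (Get-Date).AddDays(-$Days)

# Files written in the window, grouped by extension; the write-time span of the
# dominant extension is the estimate of when encryption ran.
$summary = Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Group-Object Extension |
    ForEach-Object {
        $sorted = $_.Group | Sort-Object LastWriteTime
        [pscustomobject]@{
            Extension  = if ($_.Name) { $_.Name } else { '(none)' }
            Count      = $_.Count
            FirstWrite = $sorted[0].LastWriteTime
            LastWrite  = $sorted[-1].LastWriteTime
            Sample     = $sorted[0].FullName
        }
    } |
    Sort-Object Count -Descending

$summary | Format-Table Extension, Count, FirstWrite, LastWrite -AutoSize

# Copy one sample of the most common extension for Support, without altering the original.
$top = $summary | Select-Object -First 1
if ($top) {
    New-Item -ItemType Directory -Force -Path $Evidence | Out-Null
    Copy-Item -LiteralPath $top.Sample -Destination $Evidence -ErrorAction SilentlyContinue
    Write-Host "Most common extension: $($top.Extension) ($($top.Count) files, $($top.FirstWrite) to $($top.LastWrite))"
    Write-Host "Sample copied to $Evidence"
}
```

A single unfamiliar extension with a large count and a tight FirstWrite-to-LastWrite span is the usual signature of a ransomware run; report that extension, that time span, and the location type together with the PSInfo logs.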
Before you contact Support, enable Support Access to your WatchGuard Cloud account.