
Configure TDR Signature Overrides

You can specify signature overrides in your TDR configuration for specific files and processes. To specify an override, you can add the MD5 values of files or processes so that TDR considers the file as either safe or malicious. For each signature override you specify, you can select whether to add it to the Whitelist. There are two types of signature overrides:

Whitelist

A whitelist override identifies a file or process that you consider safe and do not want TDR to scan or mitigate (for example, to perform the kill or quarantine actions). Existing indicators for files added to the whitelist are assigned a score of 0. TDR does not create new indicators for files that match the MD5 value in a whitelist override.

To add a whitelist signature override, in the signature override settings, select the Whitelist check box.

Threatlist

A threatlist override identifies a file or process that you want TDR to always consider a threat. A signature override applies only after you add it and does not affect the score of that MD5 if it has been detected in the past. Indicators for files on the threatlist are assigned a threat score of 8 if the Host Sensor does not take action to mitigate the threat.

To add a threat signature override, in the signature override settings, make sure the Whitelist check box is not selected.

To add a file that was identified in a previous indicator to the override list, copy the MD5 value for the file from the Indicators page.

To see the MD5 value for an indicator:

  1. In the Indicator column, find the indicator.
  2. Click Additional Information.

To find the MD5 value of any file, you can also use an MD5 file hash calculator utility.
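The following Python script is an added example, not WatchGuard code. It computes a file's MD5 in chunks, cleans up a value copied from the Indicators page, and confirms that the file on disk is the one the indicator refers to before you add the override. The function names and the sample file are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# An MD5 digest is 128 bits, written as exactly 32 hexadecimal characters.
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def file_md5(path, chunk_size=1024 * 1024):
    """Return the lowercase hex MD5 of a file, read in chunks so that
    large binaries are never loaded into memory at once."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def normalize_md5(value):
    """Clean a hash copied from a console or hash tool.

    Strips surrounding whitespace and lowercases the value. Raises
    ValueError when the result is not 32 hex characters, which catches a
    SHA-1 or SHA-256 value pasted by mistake."""
    cleaned = value.strip().lower()
    if not MD5_RE.match(cleaned):
        raise ValueError("not an MD5 value: %r" % value)
    return cleaned


def matches_indicator(path, indicator_md5):
    """True when the file on disk has the MD5 copied from an indicator."""
    return file_md5(path) == normalize_md5(indicator_md5)


if __name__ == "__main__":
    # Constructed sample: a temporary file that stands in for the real binary.
    fd, sample = tempfile.mkstemp()
    os.write(fd, b"hello world")
    os.close(fd)
    copied = "  5EB63BBBE01EEED093CB22BB8F5ACDC3\n"  # as pasted, with stray whitespace
    print(file_md5(sample), matches_indicator(sample, copied))
    os.remove(sample)
```
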

If you execute an action to remove a file from quarantine, the system automatically adds the MD5 value for that file to the Whitelist.

Search for MD5 in Threatlist and Whitelist

On the Signature Overrides page, you can search for an MD5 to see if it is on the Threatlist or Whitelist.

  1. Select Configuration > Signature Overrides.
    The list of currently configured signature overrides appears.
  2. Click Search.
    The Search for MD5 in Threatlist and Whitelist dialog box appears.

  3. Paste the MD5 in the text box and click Search.
    The MD5 information appears.

Add a Signature Override

To add a signature override, you must log in as an Analyst.

  1. Select Configuration > Signature Overrides.
    The list of currently configured signature overrides appears.

Screen shot of the Signature Overrides page

  2. Click Add Signature Override.
    The Add Signature Overrides dialog box appears.

Screen shot of the Add Signature Override dialog box

  3. In the MD5 text box, paste the MD5 for the file.
  4. (Optional) In the Comments text box, type a description of this override.
  5. Select the hosts and groups the override applies to.
    1. In the Host Name or Host Group text box, type at least three characters from the name of the host or host group to add.
      Host names and group names that include the characters appear.
      Tip! To specify all hosts, type "All Hosts". This is a built-in default group that includes all hosts that have a Host Sensor installed.
    2. Select the host or group name to add.
    3. To add other hosts or groups, repeat the previous two steps.
  6. If this override is for a file you consider safe and do not want TDR to scan, select the Whitelist check box.
  7. Click Save.
    The signature override is added to the list.

Back Up or Import Signature Overrides

You can save a backup of all signature overrides to an .XML file. To add the signature overrides to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to easily copy signature overrides configured in one managed customer account to another managed account. To avoid duplicate overrides, the imported signature overrides are merged with the existing list of signature overrides.

To save the signature overrides to a backup file:

  1. Select Configuration > Signature Overrides.
    The list of currently configured signature overrides appears.
  2. Click Backup.
    The .XML backup file is saved to the downloads folder.

The name of the signature overrides backup file includes the current date and time. For example: 

WatchGuardTDR_SignatureOverrides_2016-12-13_22-39-43.xml

To import signature overrides from a saved signature overrides .XML file:

  1. Click Import.
  2. Select and open the saved backup file.
    A confirmation dialog box appears.
  3. Click Import.
    The signature overrides from the file are added to the Signature Overrides list.

Edit or Remove a Signature Override

To edit a signature override:

  1. At the left side of the column, click the arrow.
    The Edit Signature Overrides dialog box appears.

Screen shot of the Edit Signature Override dialog box

  2. Edit the settings.
  3. Click Save & Close.
    The change is saved, and the Edit settings collapse.

To remove a signature override:

  1. In the row of the signature override to remove, click .
  2. Click Remove Signature Override.
  3. Click Yes, Delete.
