TDR Deployment Best Practices

A TDR Host Sensor can automatically quarantine files, stop processes, delete registry entries, and isolate hosts from the network if it identifies a file or process as ransomware or another type of threat. Because the Host Sensor takes actions that could affect other applications installed on your hosts, we recommend you consider and test these best practices for your TDR deployment.

To complete the group and override procedures described in this topic, you must log in to TDR as an Analyst. To change the global default settings for all Host Sensors, you must have the Administrator or Analyst role.

Phased Host Sensor Deployment

If the Host Sensor identifies a file or process as a threat, and active TDR policies allow remediation action, the Host Sensor automatically takes action to disable it. To identify potential interactions with other installed software that you trust, we recommend that you first deploy and test Host Sensors on a small set of hosts that run applications commonly used on your network. A small pilot deployment can enable you to identify any interactions between the Host Sensor and other applications, so that you can add exceptions to resolve any interoperability or performance issues before wider deployment.

Decide how many hosts, and which types of host, to include in the pilot. On each pilot host, install the Host Sensor and then exercise the applications that host normally runs. Monitor the indicators in your TDR account to see the threats and actions the Host Sensors report.

If a Host Sensor identifies a threat, you can look at the details in the indicator to see the name of the file or process and why it was considered a threat.

To see indicators for a host:

  1. Select ThreatSync > Indicators.
    The Indicators page appears.
  2. Clear all filters and then filter or search by the host name.
  3. To see more information about an indicator, in the Indicator column, click Additional Information.

For more information about the Indicators page, see Manage TDR Indicators.

If the Host Sensor identifies a trusted application as a threat, you can add the MD5 value of the file to the Signature Overrides as a Whitelist item. TDR does not generate indicators for files on the Whitelist. A Whitelist entry matches only the exact file with that MD5 value: when the application is updated, the new binary has a different hash and generates indicators again, so expect to repeat this step after updates rather than excluding the whole installation path. Before you whitelist a hash, confirm that the file really is the application you trust and not something that only shares its name.

To add a file to the Whitelist:

  1. On the Indicators page, find the indicator for the application you want to add to the Whitelist.
  2. Select the check box adjacent to the indicator.
  3. From the Actions drop-down list, select Whitelist.
    The Confirm Action dialog box appears.
  4. Click Execute Action.
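The check described above, as an added example that is not part of the original page or of WatchGuard's tooling: a PowerShell function that recomputes the MD5 of the file on disk, compares it with the value shown in the indicator, and verifies the file's Authenticode signature against the publisher you expect before you add the hash to the Whitelist. The path, hash and publisher name in the usage call are assumed placeholders.

```powershell
# Added example (not WatchGuard code). Before you whitelist an indicator's MD5 in TDR,
# confirm that the hash belongs to the file you trust and that the file is signed by
# the publisher you expect. The MD5 ties the indicator to this file; the signature
# tells you who built it. Values passed in the usage call below are assumed.

function Test-FileBeforeWhitelist {
    param(
        [Parameter(Mandatory)] [string] $Path,              # file named in the indicator
        [Parameter(Mandatory)] [string] $ExpectedMd5,       # MD5 shown in the TDR indicator
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # CN of the vendor's signing cert
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = 'file not found' }
    }

    # TDR identifies files by MD5, so compute the same hash. String -ne is
    # case-insensitive in PowerShell, so upper/lower-case hex both compare equal.
    $actualMd5 = (Get-FileHash -LiteralPath $Path -Algorithm MD5).Hash
    if ($actualMd5 -ne $ExpectedMd5) {
        return [pscustomobject]@{
            Path = $Path; Ok = $false
            Reason = "MD5 mismatch: on disk $actualMd5, indicator $ExpectedMd5"
        }
    }

    # 'Valid' means the signature verifies and chains to a root this host trusts.
    # The publisher check is what ties the file to the vendor you actually trust.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Ok = $false; Reason = "signature status: $($sig.Status)" }
    }
    $signerCn = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)
    if ($signerCn -ne $ExpectedPublisher) {
        return [pscustomobject]@{
            Path = $Path; Ok = $false
            Reason = "signed by '$signerCn', expected '$ExpectedPublisher'"
        }
    }

    [pscustomobject]@{ Path = $Path; Ok = $true; Md5 = $actualMd5; Reason = 'hash and publisher match' }
}

# Usage with assumed values. Only add the MD5 to the TDR Whitelist when Ok is $true.
Test-FileBeforeWhitelist -Path 'C:\Program Files\ExampleVendor\app.exe' `
    -ExpectedMd5 '0123456789ABCDEF0123456789ABCDEF' `
    -ExpectedPublisher 'Example Vendor, Inc.'
```

Keep the output of this check with the change record for the Whitelist entry. An unsigned or differently signed file that happens to carry the expected name is exactly the case a hash-based Whitelist should not cover.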

If the Host Sensor causes performance issues, or conflicts with other software so that either the Host Sensor or that software stops working, you can add an exclusion for the installation path of the software. The Host Sensor ignores all files in an excluded path, so keep exclusions as narrow as possible: anything placed in that path later, including files an attacker drops there, is also invisible to the Host Sensor.

To add an exclusion:

  1. Select Configure > Exclusion.
  2. Click Add.
  3. Specify the path to exclude.

For more information about how to add an exclusion, see Configure TDR Exclusions.

If the Host Sensor quarantines a file, it encrypts the file and stores it in the quarantine directory on the host. To remove a file from quarantine:

  1. On the Indicators page, find the indicator. For an indicator with a successful Quarantine action, the threat score is 1.
  2. Select the indicator.
  3. Select the Unquarantine file or Unquarantine HRP action. The available action depends on whether the file was quarantined by Host Ransomware Prevention (HRP) or as the result of the Quarantine File action.

For more information about how to remove a file from quarantine, see Remove a File from Quarantine.

Add Exclusions for Desktop AV

The TDR Host Sensor and desktop antivirus software both inspect files and processes on the host and take action against what they classify as threats, so each can flag the other's components or interfere with the other's scans. To prevent these conflicts, we recommend that you add exclusions in both TDR and your desktop AV software.

Configure Desktop AV Software to Exclude TDR File Paths

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or whitelist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or whitelist.
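As an added example, not part of the original page or of WatchGuard's own tooling, the exclusion described above for the one desktop AV whose management cmdlets ship with Windows, Microsoft Defender Antivirus. It adds the two TDR directories as path exclusions, skips a directory that is not actually present on the host, and reads the resulting list back for the change record. The assumption is that Defender is the desktop AV in use; other products need their own tooling.

```powershell
# Added example (not WatchGuard code). Register the TDR Host Sensor directories as
# path exclusions in Microsoft Defender Antivirus. Run from an elevated PowerShell
# session on the host. Assumes Defender is the desktop AV on this host.

$TdrPaths = @(
    'C:\Program Files (x86)\WatchGuard\Threat Detection and Response\',
    'C:\Program Files\WatchGuard\Threat Detection and Response\'
)

function Add-TdrDefenderExclusion {
    param([string[]] $Paths = $TdrPaths)

    # Current exclusions. ExclusionPath is $null when none are configured.
    $existing = @((Get-MpPreference).ExclusionPath | Where-Object { $_ })

    foreach ($p in $Paths) {
        $norm = $p.TrimEnd('\')

        # Exclude only a directory that exists on this host. An exclusion for a
        # path that is not there is a blind spot that anyone able to create the
        # directory later can use to stage files Defender will never scan.
        if (-not (Test-Path -LiteralPath $p -PathType Container)) {
            [pscustomobject]@{ Path = $p; Result = 'skipped: directory not present' }
            continue
        }
        if ($existing | Where-Object { $_.TrimEnd('\') -eq $norm }) {
            [pscustomobject]@{ Path = $p; Result = 'already excluded' }
            continue
        }

        Add-MpPreference -ExclusionPath $p
        [pscustomobject]@{ Path = $p; Result = 'added' }
    }
}

function Get-TdrDefenderExclusion {
    # Read back what Defender now has, for the change record and periodic review.
    (Get-MpPreference).ExclusionPath | Where-Object { $_ -like '*WatchGuard*' }
}

Add-TdrDefenderExclusion
Get-TdrDefenderExclusion
```

Review the exclusion list periodically, together with the TDR exclusions: an excluded directory is where an attacker who gains write access to it will stage tooling, so the list should contain nothing beyond the installation directories that actually exist.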

Configure TDR to Exclude Desktop AV File Paths

In TDR, add exclusions for the locations where your antivirus software is installed. The paths to exclude are different for each desktop AV vendor and might be different for each OS or AV software version. Test the Host Sensor with your desktop AV solution to make sure you have excluded all necessary paths.

For links to integration guides for TDR and popular desktop AV vendors, see Integration Guides.

For more information about how to add a TDR exclusion, see Host Sensors and AV Software Exclusions.

Configure Host Groups

By default, the global Host Sensor settings and default TDR policies apply to all deployed Host Sensors. We recommend that you configure Host Groups so that you can easily configure different Host Sensor settings and policies for each group. You can use Host Groups to group together hosts that have a similar OS version, hardware, applications or user type. For example, you could create groups for Servers, Windows 7 Desktops, Laptops, Sales, Finance, Support, and so on. After you configure Host Groups you can change the Host Sensor settings for each group, and you can use the group names in your TDR policies. We recommend that you test a few hosts in each group as part of your initial deployment phase.

You can manage host group membership from the Devices > Hosts page or the Configuration > Groups page. From the Hosts page you can select multiple hosts from a list to add them to a new or existing Host Group.

To change the Host Group for one or more hosts:

  1. Select Devices > Hosts.
  2. Select the check box adjacent to one or more hosts in the list.
  3. Select Actions > Change Host Group.
    The Change Host Group dialog box appears.
  4. Start to type the name of the group. This can be an existing group or a new group.
    As you type, the names of existing groups and the option to add a new group appear below the text box.
  5. Select the group, or select the option to add the new group with the name you typed.
    The selected hosts are added to the group you selected. If you selected the option to add a new group, the Host Group is created and the selected hosts are added to it.

To remove one or more hosts from a Host Group:

  1. On the Devices > Hosts page, select the check box adjacent to one or more hosts in the list.
  2. Select Actions > Change Host Group.
    The Change Host Group dialog box appears.
  3. Select No Group.
    Each selected host is removed from the Host Group it was previously a member of.

For more information about the Hosts page, see Manage TDR Hosts and Host Sensors.

Configure Host Sensor Settings for Host Groups

For each Host Group you can configure the Host Sensor settings to use for hosts in that group. In the Host Group configuration, you can override the global Host Sensor settings, and specify different Host Sensor settings for the group.

To configure Host Sensor settings for a Host Group:

  1. Select Configuration > Groups.
  3. Click the icon adjacent to the group name.
  3. Select the Host Sensor Configuration tab.
  4. Click the Override Host Sensor settings for this group switch.
  5. Configure the Host Sensor settings for the group.

Screen shot of the Host Sensor Configuration for a group, with Override enabled

TDR Host Sensor Settings Examples

WatchGuard provides suggested Host Sensor configuration settings as a guideline. We recommend you test these settings with a small set of hosts first, to identify any issues.

The best Host Sensor settings to use for your hosts might be different based on the installed OS and applications, physical or virtual hardware, and other aspects of your host environment.

Recommended Host Sensor Settings for Most Windows Hosts

These settings provide a good mix of malware prevention and performance and are suggested for most systems.

Host Sensor Settings: ENABLED
  Allow Events on Host Sensors: ON
  Host Ransomware Prevention Mode On Host Sensors: PREVENT
  Allow Heuristics on Host Sensors: ON
  Allow Loaded Modules on Host Sensors: OFF
  Allow Baselines on Host Sensors: ON
Host Sensor Tamper Prevention Settings: ENABLED
  Prevent Host Sensor Service Changes: ON
  Prevent Host Sensor Uninstallation: ON
Host Sensor Driver Configuration Settings: ENABLED
  Enable Kernel Process Events: ON
  Enable Kernel File Events: ON
  Enable Kernel Registry Events: ON
  Enable Kernel Kill Process Action: ON
  Enable Kernel Delete File Action: ON
  Enable Kernel Host Containment Action: ON
  Enable Kernel File Handle Enumeration: ON
  Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
  Enable Users to Pause Host Sensor Protection: ON

Recommended Host Sensor Settings for Best Protection

These settings provide the highest level of malware prevention and remediation and do not allow users to pause or disable the Host Sensor Service.

Host Sensor Settings: ENABLED
  Allow Events on Host Sensors: ON
  Host Ransomware Prevention Mode On Host Sensors: PREVENT
  Allow Heuristics on Host Sensors: ON
  Allow Loaded Modules on Host Sensors: ON
  Allow Baselines on Host Sensors: ON
Host Sensor Tamper Prevention Settings: ENABLED
  Prevent Host Sensor Service Changes: ON
  Prevent Host Sensor Uninstallation: ON
Host Sensor Driver Configuration Settings: ENABLED
  Enable Kernel Process Events: ON
  Enable Kernel File Events: ON
  Enable Kernel Registry Events: ON
  Enable Kernel Kill Process Action: ON
  Enable Kernel Delete File Action: ON
  Enable Kernel Host Containment Action: ON
  Enable Kernel File Handle Enumeration: ON
  Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
  Enable Users to Pause Host Sensor Protection: OFF

Recommended Host Sensor Settings for Best Performance

These settings give the lowest resource utilization by the Host Sensor service. They disable Baselines and Loaded Modules, which reduces detection and remediation coverage, and they turn tamper prevention off, so a user with local administrator rights can stop, reconfigure, or uninstall the Host Sensor. Use them only where the performance gain justifies that trade-off.

Host Sensor Settings: ENABLED
  Allow Events on Host Sensors: ON
  Host Ransomware Prevention Mode On Host Sensors: PREVENT
  Allow Heuristics on Host Sensors: ON
  Allow Loaded Modules on Host Sensors: OFF
  Allow Baselines on Host Sensors: OFF
Host Sensor Tamper Prevention Settings: ENABLED
  Prevent Host Sensor Service Changes: OFF
  Prevent Host Sensor Uninstallation: OFF
Host Sensor Driver Configuration Settings: ENABLED
  Enable Kernel Process Events: ON
  Enable Kernel File Events: ON
  Enable Kernel Registry Events: ON
  Enable Kernel Kill Process Action: ON
  Enable Kernel Delete File Action: ON
  Enable Kernel Host Containment Action: ON
  Enable Kernel File Handle Enumeration: ON
  Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
  Enable Users to Pause Host Sensor Protection: ON

Recommended Safe Mode Host Sensor Settings

These settings are suggested for systems that have stability or functionality problems when the kernel drivers are enabled. With all kernel events and kernel actions disabled, the Host Sensor cannot kill processes, delete files, or contain the host, so this configuration provides only basic malware detection. Use it for troubleshooting only, not as a permanent configuration.

Host Sensor Settings: ENABLED
  Allow Events on Host Sensors: ON
  Host Ransomware Prevention Mode On Host Sensors: OFF or DETECT
  Allow Heuristics on Host Sensors: ON
  Allow Loaded Modules on Host Sensors: OFF
  Allow Baselines on Host Sensors: OFF
Host Sensor Tamper Prevention Settings: ENABLED
  Prevent Host Sensor Service Changes: OFF
  Prevent Host Sensor Uninstallation: OFF
Host Sensor Driver Configuration Settings: ENABLED
  Enable Kernel Process Events: OFF
  Enable Kernel File Events: OFF
  Enable Kernel Registry Events: OFF
  Enable Kernel Kill Process Action: OFF
  Enable Kernel Delete File Action: OFF
  Enable Kernel Host Containment Action: OFF
  Enable Kernel File Handle Enumeration: OFF
  Enable Kernel Module Scanning: OFF
Host Sensor Icon Settings: ENABLED
  Enable Users to Pause Host Sensor Protection: OFF

For more information about Host Sensor Settings, see Configure TDR Host Sensor Settings.

Configure Policies for Host Groups

Each TDR account includes a set of default policies, which are enabled. These policies let Host Sensors take automated remediation actions for different levels of threat, based on the Cybercon level you set in your TDR account. The default policies apply to the built-in All Hosts group and define the automated actions the Host Sensor can perform on every host. For more granular control over automated actions, you can add policies for specific Host Groups, or even for specific hosts, to change the actions Host Sensors can perform.

For example, if you have a Servers group, and do not want the Host Sensors on servers in that group to make changes to the registry, you can add a policy for the Servers group that specifies that Host Sensors cannot perform the Delete Registry Value action. Or, if you do not want Host Sensors for a group to take any automated remediation action, add a policy for the group that specifies Host Sensors cannot perform the Quarantine File, Kill Process, or Delete Registry Value actions.

If you add a policy for a Host Group, make sure that policy has a higher priority in the policy list than the policies that apply to All Hosts, so that the group policy, rather than the All Hosts policy, determines the actions for hosts in that group.

For information about the default and recommended TDR policies, see Recommended TDR Policies.

See Also

Configure TDR Policies
