
Configure TDR Exclusions

Some TDR features described in this version of Fireware Help are available only to participants in the WatchGuard Beta program. If a feature described in this section is not available in your TDR account, it is a beta-only feature. For information about how to enable beta features, see Enable TDR Beta Features.

You can enable TDR exclusions for software or files that you want the TDR Host Sensor to ignore.

In some cases, the TDR Host Sensor might have conflicts with the antivirus (AV) software installed on your endpoints. To resolve this issue, you must add exclusions in the AV software and in TDR. TDR makes this easier with predefined exclusion lists for interoperability with popular third-party AV software.

If there are additional files or processes that you want the Host Sensor to ignore, you can configure custom exclusions that identify paths for files and processes that you do not want Host Sensors to monitor.

Host Sensors do not send events to Threat Detection and Response (TDR) for files and processes on the Exclusion list.

Whitelist vs. Exclusion List

It is important to understand the difference between the Whitelist and the Exclusion list.

Whitelist

The Whitelist identifies specific files and processes you consider safe. For changes to a file or process on the Whitelist, the Host Sensor sends the event to TDR. ThreatSync heuristics do not include changes to files on the Whitelist as incidents or indicators. ThreatSync assigns events on the Whitelist a score of 0.

You add a file or process to the Whitelist as a signature override. For more information, see Configure TDR Signature Overrides.

Exclusion

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any file-created or process-created events that originate from the specified directory. Exclusions also apply to baseline scans.

Manage Predefined AV Exclusions

TDR has predefined AV exclusion sets for the most common third-party AV tools. These exclusion sets include all of the recommended exclusions for the AV.

After you enable the AV exclusions in TDR, you must add the TDR exclusions to your AV software to prevent potential conflicts.

Configure Antivirus Software to Exclude the TDR Host Sensor

To avoid conflicts between TDR and your desktop antivirus software, you must also configure exclusions for TDR directories in your desktop AV software.

In the desktop antivirus software configuration, add the TDR Host Sensor installation directory to the exclusion list or whitelist.

The directories to exclude are:

c:\Program Files (x86)\WatchGuard\Threat Detection and Response\

c:\Program Files\WatchGuard\Threat Detection and Response\

See the documentation from your antivirus software vendor for instructions to edit the exclusions list or whitelist.

Manage Custom Exclusions

If there are other paths or processes you need to exclude, you can add a custom exclusion. WatchGuard has tested TDR with many popular products. WatchGuard integration guides describe how to configure TDR and other products to interoperate. Often, this involves adding a custom exclusion to TDR. For information about these integrations, see Threat Detection and Response Integration Guides.

When you add a custom exclusion: 

  • You can include wildcards in the path to exclude
  • You can select whether to include all subdirectories of the specified path
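
Because Host Sensors send no events for excluded paths, a broad custom exclusion is a monitoring gap. The following added example (not WatchGuard code) reviews a list of planned exclusions before you enter them in TDR; the `Exclusion` record, the sample paths, and the review heuristics are assumptions made for illustration, and the script does not reproduce TDR's wildcard matching.

```python
import re
from collections import namedtuple

# Hypothetical record for one planned custom exclusion: the path as entered
# (wildcards allowed) and the "include all subdirectories" choice.
Exclusion = namedtuple("Exclusion", "path subdirs")

# Assumed review heuristics, not WatchGuard rules: directories that ordinary
# users or downloaded content can usually write to.
USER_WRITABLE = re.compile(
    r"\\(users|temp|tmp|appdata|downloads|programdata|public)\\", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:$", re.I)

def review(exc):
    """Return the reasons an exclusion deserves a second look ([] = none)."""
    path = exc.path.strip().rstrip("\\")
    parts = [p for p in path.split("\\") if p]
    reasons = []
    if DRIVE_ROOT.match(path):
        reasons.append("drive-root")           # whole volume unmonitored
    if parts and "*" in parts[0]:
        reasons.append("leading-wildcard")     # not tied to any location
    if any("*" in p for p in parts[1:-1]):
        reasons.append("wildcard-directory")   # spans many directories
    if USER_WRITABLE.search(path + "\\"):
        reasons.append("user-writable")        # anyone can drop files here
    if exc.subdirs and len(parts) <= 2:
        reasons.append("shallow-recursive")    # recursion from near the root
    return reasons

def audit(exclusions):
    """Map each flagged path to its reasons; clean entries are omitted."""
    return {e.path: r for e in exclusions if (r := review(e))}

# Constructed sample list (not taken from any real TDR account).
PLANNED = [
    Exclusion(r"C:\Program Files\ExampleAV", True),
    Exclusion(r"C:\Users\*\AppData\Local\Temp\*.tmp", False),
    Exclusion(r"*\updater.exe", False),
    Exclusion("D:\\", True),
]

if __name__ == "__main__":
    for path, reasons in audit(PLANNED).items():
        print(f"{path}: {', '.join(reasons)}")
```

A flagged entry is a prompt to narrow the path or to use a Whitelist signature override instead, which still sends the event to TDR.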

Back Up or Import Custom Exclusions

You can save a backup of your custom exclusions to an .XML file. To add the exclusions to any TDR account, you can import the saved .XML file. This enables a TDR Service Provider to copy custom exclusions configured in one managed customer account to another managed account. To avoid duplicate exclusions, the imported exclusions are merged with the existing list of exclusions.

See Also

TDR Deployment Best Practices

Configure TDR Policies
