Configure TDR Host Sensor Settings

Host Sensor settings control how the Host Sensors operate after they are installed. On the Host Sensor settings page, Administrators and Analysts can configure the default Host Sensor settings for all Host Sensors in a TDR account.

You can configure Host Sensor settings for a group, which take precedence over the global Host Sensor settings. For more information, go to Manage TDR Groups.

The Host Sensor configuration includes these settings:

  • Host Sensor Settings — Specify the allowed actions of the Host Sensor.
  • Host Sensor Tamper Prevention Settings — Specify whether users can modify or uninstall the Threat Detection and Response service.
  • Host Sensor Driver Configuration Settings — Enable and disable settings for the Host Sensor driver. We recommend you keep the default settings unless you have first tested any changes with group-specific Host Sensor Configuration override settings.
  • Host Sensor Icon Settings — Enable and disable settings for the Host Sensor system tray icon.

For more information about recommended Host Sensor settings, go to TDR Deployment Best Practices.

To see more information about each setting, click .

For most Host Sensor settings, a slider shows whether the setting is enabled or disabled.

— The feature is enabled

— The feature is disabled

To change each setting, click the slider. Your changes take effect immediately.

You do not need to click Save to save changes to settings that are enabled and disabled with a slider. Click Save if you made changes to other types of settings, such as the Baselines Maximum Delay Minutes text box.

One Host Sensor setting that is not on the Host Sensor Settings page is the Age Off For Quarantined Files setting. Administrators and Analysts can configure this setting in the Host Sensors configuration page. For more information, go to Configure the Age Off For Quarantined Files.

Configure Host Sensor Settings

To edit the global settings for the Host Sensor:

  1. Log In to TDR.
  2. Select Configure > Threat Detection.
  3. In the Host Sensor section, select Settings.
    The Host Sensor page opens.

Screen shot of the Host Sensor settings page

  1. To enable or disable most settings, in the Enabled column, click the slider.
    Your changes take effect immediately.
  2. From the Host Ransomware Prevention drop-down list, select the Host Ransomware Prevention mode: Tip
  • Off — The feature is not enabled.
  • Detect — Host Sensors identify processes and files that exhibit malicious behavior and report them to your Threat Detection and Response account for manual intervention.
  • Prevent — Host Sensors detect, and then automatically kill processes and quarantine files that exhibit malicious behavior so that ransomware does not take over the system. Host Sensors report this to your Threat Detection and Response account as an indicator that is already mitigated (score of 1).

If you select Prevent, the Host Sensor takes automatic action to prevent ransomware even if the host is not connected to the Internet or cannot communicate with your TDR account.

  1. In the Baselines Maximum Delay Minutes text box, specify the maximum number of minutes after startup that a Host Sensor can delay before it starts the initial baseline scan of processes, directories, registries, and network statistics.

Screen shot of the Baseline Maximum Delay Minutes setting

Each Host Sensor determines the actual delay when it starts. The minimum delay is 0 (no delay) and the maximum delay is the value you specify, maximum of 60 minutes.

  1. Click Save.

Host Sensors automatically retrieve the latest Host Sensor settings at the next heartbeat connection to TDR. An installed Host Sensor sends a heartbeat to your TDR account every 30 seconds.

Back Up or Import Host Sensor Settings

You can save a backup of all Host Sensor settings to an .XML file. To add the Host Sensor settings to any TDR account you can import the saved .XML file. This enables a TDR Service Provider to easily copy Host Sensor settings configured in one managed customer account to another managed account.

To save the Host Sensor settings to a backup file:

  1. Select Configure > Threat Detection.
  2. In the Host Sensor section, select Settings.
    The Host Sensor page opens.
  3. Click Backup.
    The .XML file is saved to the downloads folder.

The name of the backup file includes the current date and time. For example: 

WatchGuardTDR_SettingsHostSensor_2016-12-13_23-11-02.xml

To import Host Sensor settings from an .XML file in WatchGuard Cloud:

  1. Select Configure > Threat Detection.
  2. In the Host Sensor section, select Settings.
    The Host Sensor page opens.
  3. Click Import.
  4. Select and open the .XML backup file.
    A confirmation dialog box appears.
  5. Click Import.
    The Host Sensor settings are updated to the settings from the file.

Related Topics

Configure the Age Off For Quarantined Files

TDR Host Sensor Details

About TDR Host Ransomware Prevention