TDR Indicator Actions and Outcomes
The end-of-life date for TDR is 30 September 2023. On this date, the TDR UI in WatchGuard Cloud will no longer be available. Host Sensors will continue to function, but remediation and report generation will be disabled. To upgrade your Host Sensors to Endpoint Security, go to the Host Sensor upgrade to Endpoint Security Knowledge Base article.
The Indicators page shows a list of indicators with status information and requested actions. For each indicator, you can view these actions and outcomes:
TDR Action Requested
The Action Requested column indicates the action recommended by TDR for an indicator from a Host Sensor. The available actions are:
Mark as Externally Remediated
Select this action if you have already remediated the threat on the system itself, for example, if you have manually removed the file or ended the process specified in the indicator.
Delete Registry Value
Select this action to make the Host Sensor delete the registry value for the file or process specified in the indicator. This action deletes the registry value that references a malicious file.
Kill Process
Select this action to make the Host Sensor end the process specified in the indicator. This action applies to URL Match, Process, or Host Ransomware Prevention indicators. After the Host Sensor identifies the network port used for the communication, it ends the process that communicates on that port.
Quarantine File
Select this action to make the Host Sensor quarantine the file specified in the indicator. This action uses XOR to encrypt the content of a file so the file is not executable. The quarantined file remains on the host for the number of days specified in the Age Off For Quarantined Files setting. For more information, go to Configure the Age Off For Quarantined Files.
If the Host Sensor quarantines a file, and you later decide the file is not a threat, you can go to the Hosts page to remove the file from quarantine. For more information, go to Remove a File from Quarantine.
Allowlist
Select this action to add this indicator to the Allowlist as a known safe file or process. When you select this action, an allowlist signature override is created with the MD5 of the indicator. For more information about the Allowlist, go to Configure TDR Signature Overrides.
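The Quarantine File and Allowlist actions above describe three mechanics: the Host Sensor scrambles a quarantined file with XOR so it can no longer execute, keeps the scrambled copy until the Age Off For Quarantined Files period expires, and skips anything whose MD5 matches an allowlist signature override. The Python script below is an added illustration of those mechanics and is not WatchGuard code; the XOR key, the on-disk layout of the quarantine directory, the metadata fields and the outcome strings are all constructed for this example. One point the page leaves implicit: XOR with a fixed key neutralises the file (the header is no longer a valid executable header) and is reversible by design so the file can be restored later, but it is not confidentiality encryption, so the quarantine directory still needs filesystem permissions that keep ordinary users away from it.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

# Constructed XOR key for this illustration; the page does not document the product's key.
XOR_KEY = b"\x5a\xa5\x3c\xc3"


def md5_hex(data: bytes) -> str:
    """MD5 of the file content: the value an allowlist signature override is keyed on."""
    return hashlib.md5(data).hexdigest()


def xor_transform(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so the same
    function scrambles a file into quarantine and restores it again."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class QuarantineStore:
    """Minimal quarantine directory with an MD5 allowlist and an age-off policy (hypothetical design)."""

    def __init__(self, root, age_off_days, allowlist=None, now=time.time):
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
        self.age_off_seconds = age_off_days * 86400
        self.allowlist = set(allowlist or ())
        self.now = now  # injectable clock so age-off can be exercised without waiting days

    def _entry(self, digest, suffix):
        return self.root / f"{digest}{suffix}"

    def quarantine(self, path) -> str:
        path = Path(path)
        try:
            data = path.read_bytes()
        except OSError:
            return "failed"  # permissions problem, or the file was already removed
        digest = md5_hex(data)
        if digest in self.allowlist:
            return "allowlisted"  # signature override says known safe: leave the file alone
        self._entry(digest, ".bin").write_bytes(xor_transform(data))
        self._entry(digest, ".json").write_text(json.dumps(
            {"original_path": str(path), "md5": digest, "quarantined_at": self.now()}))
        path.unlink()  # only the scrambled copy remains on the host
        return "quarantined"

    def restore(self, digest) -> Path:
        """Put a quarantined file back, verifying the content against the recorded MD5."""
        meta = json.loads(self._entry(digest, ".json").read_text())
        data = xor_transform(self._entry(digest, ".bin").read_bytes())
        if md5_hex(data) != digest:
            raise ValueError("quarantined content does not match its recorded MD5")
        dest = Path(meta["original_path"])
        dest.write_bytes(data)
        self._drop(digest)
        return dest

    def age_off(self) -> list:
        """Delete entries older than the configured number of days; return their MD5s."""
        removed = []
        for meta_file in list(self.root.glob("*.json")):
            meta = json.loads(meta_file.read_text())
            if self.now() - meta["quarantined_at"] >= self.age_off_seconds:
                self._drop(meta["md5"])
                removed.append(meta["md5"])
        return removed

    def _drop(self, digest):
        for suffix in (".bin", ".json"):
            self._entry(digest, suffix).unlink(missing_ok=True)


def run_demo() -> dict:
    """Walk one constructed file through quarantine, restore, allowlist and age-off."""
    tmp = Path(tempfile.mkdtemp())
    sample = tmp / "sample.exe"
    payload = b"MZ" + bytes(range(256))  # constructed stand-in for an executable
    sample.write_bytes(payload)
    clock = [1_000_000.0]
    store = QuarantineStore(tmp / "quarantine", age_off_days=7, now=lambda: clock[0])
    digest = md5_hex(payload)
    result = {"md5": digest}
    result["first"] = store.quarantine(sample)
    scrambled = store._entry(digest, ".bin").read_bytes()
    result["scrambled_is_mz"] = scrambled.startswith(b"MZ")  # header is gone once scrambled
    result["roundtrip_ok"] = xor_transform(scrambled) == payload
    result["restored_ok"] = store.restore(digest).read_bytes() == payload
    store.allowlist.add(digest)
    result["allowlisted"] = store.quarantine(sample)  # skipped: signature override matches
    store.allowlist.discard(digest)
    result["second"] = store.quarantine(sample)
    result["aged_early"] = store.age_off()             # nothing yet: entry is 0 days old
    clock[0] += 8 * 86400                              # advance past the 7-day age-off
    result["aged_late"] = store.age_off()
    result["missing"] = store.quarantine(tmp / "missing.exe")
    return result


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the script prints a summary of the walk-through: the first quarantine succeeds and the scrambled copy no longer carries the executable header, the restore reproduces the original bytes after an MD5 check, a file whose MD5 is on the allowlist is left in place, and the entry is only deleted once the injected clock has moved past the age-off period.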
Sandbox File
Select this action to make the Host Sensor upload the suspicious file to the sandbox for analysis. For more information, go to TDR Sandbox Analysis by APT Blocker.
The Kill Process, Quarantine File, Delete Registry Value, and Sandbox File actions are the same actions you can configure in a policy. When you select these actions on the Indicators or Hosts pages, these actions are categorized as manual actions.
File Search
Select this action to make the Host Sensor identify files associated with this network indicator.
Process Search
Select this action to make the Host Sensor identify the process that generated the network connection associated with this indicator.
TDR Outcomes
The Outcome column indicates the status of the action listed in the Action Requested column. These are the available outcomes:
No Policy
Indicates that there is no policy to take action on this threat.
Successful
Indicates the action was successful and the threat was remediated.
Failure
Indicates that the action failed due to a permissions issue or because the threat was remediated by another action.
In Progress
Indicates that the requested action is currently in progress.
Blocked by Policy
Indicates a remediation policy blocked the requested remediation action.
Failed
Indicates that the action failed due to a permissions issue or because the threat was remediated by another action.
Throttled
Indicates that the requested action has been delayed due to a high volume of requests.
Pending
Indicates that the requested action has been completed and that the Host Sensor is waiting for the results.