TDR Remediation Actions and Threat Scores

The end-of-life date for TDR is 30 September 2023. On this date, the TDR UI in WatchGuard Cloud will no longer be available. Host Sensors will continue to function, but remediation and report generation will be disabled. To upgrade your Host Sensors to Endpoint Security, go to the Host Sensor upgrade to Endpoint Security Knowledge Base article.

When a TDR Host Sensor identifies a threat, the TDR analytics engine assigns a Threat Score. To reduce the Threat Score, you can allow a Host Sensor to execute a remediation action. Or, if the indicator is for a file or process you consider safe, you can add it to the Allowlist.

  • If you add an indicator to the Allowlist, the indicator score changes to 0 (Known Good).
  • If a Host Sensor completes the action required to remediate an indicator, the indicator score changes to 1 (Remediated).

Remediation Actions

To remediate each indicator type, the Host Sensor must complete a specific action.

Indicator type                Possible Actions                                        Action Required to Remediate
File                          Quarantine File, Kill Process                           Quarantine File
Process                       Quarantine File, Kill Process                           Quarantine File
Registry                      Quarantine File, Kill Process, Delete Registry Value    Delete Registry Value
Host Ransomware Prevention    Quarantine File, Kill Process                           Quarantine File

You can also select the Mark as externally remediated action for an indicator if you have taken some other action to remediate the threat. When an indicator is marked as externally remediated, the threat score changes to 1.

You can view remediated indicators on the Remediations page. For more information, go to Monitor TDR Remediations.

The Sandbox File Action

If the Host Sensor detects suspicious files that do not match a known threat, it requests the Sandbox File action. The Sandbox File action allows Host Sensors to upload suspicious files to a secure sandbox for APT Blocker analysis. Based on the result of the analysis, TDR can increase the score of an indicator so that configured Remediation policies can automatically allow the remediation action. For more information, go to TDR Sandbox Analysis by APT Blocker.

We recommend that you configure a combination of Sandbox and Remediation policies. Your TDR account includes default policies that are configured with recommended settings. For more information, go to Recommended TDR Policies.
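The following is an added example that models the score transitions and the per-indicator-type remediation rules described on this page (the Allowlist, the action table, the Mark as externally remediated action, and a Sandbox verdict feeding a Remediation policy). It is constructed for illustration and is not WatchGuard code: the score 0 (Known Good) and 1 (Remediated) values come from the page, but the starting scores, the score a malicious Sandbox verdict raises an indicator to, and the policy threshold are assumptions.

```python
"""Constructed model of the TDR indicator workflow described on this page.
Not WatchGuard code; starting scores, the sandbox-raised score and the
Remediation policy threshold are assumptions chosen for illustration."""
from dataclasses import dataclass, field

KNOWN_GOOD = 0   # score after an indicator is added to the Allowlist (from the page)
REMEDIATED = 1   # score after the required action completes (from the page)

# Actions a Host Sensor may perform per indicator type, and the single action
# that counts as remediation, taken from the page's table.
POSSIBLE_ACTIONS = {
    "File": {"Quarantine File", "Kill Process"},
    "Process": {"Quarantine File", "Kill Process"},
    "Registry": {"Quarantine File", "Kill Process", "Delete Registry Value"},
    "Host Ransomware Prevention": {"Quarantine File", "Kill Process"},
}
REQUIRED_ACTION = {
    "File": "Quarantine File",
    "Process": "Quarantine File",
    "Registry": "Delete Registry Value",
    "Host Ransomware Prevention": "Quarantine File",
}


@dataclass
class Indicator:
    kind: str                      # one of the keys in POSSIBLE_ACTIONS
    score: int                     # current Threat Score (assumed integer scale)
    completed: set = field(default_factory=set)   # actions the Host Sensor completed

    @property
    def remediated(self) -> bool:
        return self.score == REMEDIATED


def allowlist(ind: Indicator) -> int:
    """Adding an indicator to the Allowlist sets its score to 0 (Known Good)."""
    ind.score = KNOWN_GOOD
    return ind.score


def apply_action(ind: Indicator, action: str) -> int:
    """Record a completed Host Sensor action. Only the action required for the
    indicator type changes the score to 1 (Remediated); any other permitted
    action is recorded but leaves the score unchanged."""
    if action not in POSSIBLE_ACTIONS[ind.kind]:
        raise ValueError(f"{action!r} is not a possible action for {ind.kind!r}")
    ind.completed.add(action)
    if action == REQUIRED_ACTION[ind.kind]:
        ind.score = REMEDIATED
    return ind.score


def mark_externally_remediated(ind: Indicator) -> int:
    """The Mark as externally remediated action changes the score to 1."""
    ind.score = REMEDIATED
    return ind.score


def apply_sandbox_verdict(ind: Indicator, malicious: bool, raised_score: int = 9) -> int:
    """A malicious Sandbox (APT Blocker) verdict raises the score; the value it is
    raised to is an assumption. A clean verdict leaves the score as it is."""
    if malicious and ind.score < raised_score:
        ind.score = raised_score
    return ind.score


def auto_remediate(ind: Indicator, threshold: int) -> int:
    """Assumed Remediation policy: when the score reaches the threshold, allow the
    Host Sensor to perform the required action. Allowlisted (0) and already
    remediated (1) indicators never meet a threshold above 1."""
    if threshold <= REMEDIATED:
        raise ValueError("threshold must be above the Remediated score")
    if ind.score >= threshold and not ind.remediated:
        return apply_action(ind, REQUIRED_ACTION[ind.kind])
    return ind.score


if __name__ == "__main__":
    # Constructed walkthrough: a Registry indicator is only remediated by
    # Delete Registry Value, not by Kill Process.
    reg = Indicator("Registry", score=6)
    apply_action(reg, "Kill Process")
    print("after Kill Process:", reg.score)              # still 6
    apply_action(reg, "Delete Registry Value")
    print("after Delete Registry Value:", reg.score)     # 1

    # A suspicious file, raised by a Sandbox verdict and auto-remediated by policy.
    f = Indicator("File", score=5)
    apply_sandbox_verdict(f, malicious=True)
    auto_remediate(f, threshold=8)
    print("file indicator:", f.score, sorted(f.completed))   # 1 ['Quarantine File']
```

The point the model makes explicit is the one the table states: for a Registry indicator, Kill Process is a possible action but does not count as remediation, so the score stays put until Delete Registry Value completes. The threshold check in auto_remediate also shows why an allowlisted indicator (score 0) is never auto-remediated.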

Related Topics

About TDR Threat Scores

Manage TDR Indicators

Monitor TDR Remediations

Configure TDR Policies