File Classification and Reclassification

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EDR Core, WatchGuard EPP

If a known file is classified as malware, PUP, or exploit and the operating mode is Hardening or Lock, then Endpoint Security blocks the file, unless the administrator allows it to run.

For information on Hardening and Lock modes in Advanced Protection settings, go to Advanced Protection – Operating Modes (Windows Computers).

Action diagram for classification of known files and processes

When an unknown file is in the process of classification and the operating mode is Hardening or Lock, then Endpoint Security:

  • Blocks the file if you have not configured the unblocking of files.
    • Allows the file to run if, after classification, the file is determined to be goodware.
    • Prevents the file from running if, after classification, the file is determined to be malware.
  • Allows the file to run while the classification process completes if you have configured the unblocking of files. After the process completes classification:
    • If the file is goodware, Endpoint Security continues to allow the file to run.
    • If the file is malware, Endpoint Security allows or does not allow the file to run based on the reclassification policy.

Unknown file classification diagram

Action diagram for classification of unknown files and processes

File Reclassification

If you unblock an unknown item that was previously blocked by Endpoint Security, the classification process, after some time, catalogs the item as malware or goodware.

  • If it is classified as goodware, then there are no additional steps to continue to allow the item to run.
  • If it is classified as malware, then the reclassification policy is applied. The reclassification policy enables you to define the behavior that Endpoint Security takes for this item.

Change the Reclassification Policy

The reclassification policy defines the actions Endpoint Security takes when an item that was unblocked by the administrator is reclassified. The reclassification policy applies to all devices on the network. The assigned security settings profiles do not impact the reclassification policy.

Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Exclude Threats Temporarily permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.

To change the actions that Endpoint Security takes when a file is reclassified:

  1. Select Status > Security.
  2. In the Programs Allowed by the Administrator tile, select the item type:
    • Malware
    • PUPs
    • Being Classified
    • Exploits
  3. In the Programs Allowed by the Administrator dialog box, click Change Behavior.

Screen shot of Programs Allowed by the Administrator dialog box

  4. Select the action you want to apply:

Screen shot of classification actions

  • Remove It from the List of Programs Allowed by the Administrator — If the unknown file is goodware, then it continues to run normally. If it is malware, the exclusion is removed automatically and the file is blocked, unless the administrator creates an exclusion for the file.
  • Keep It on the List of Programs Allowed by the Administrator — A red warning in the Programs Allowed by the Administrator list indicates that this option could lead to potentially dangerous exposure. Whether the unknown file is classified as goodware or malware, the exclusion is maintained and the file continues to run.

We recommend that you do not use the Keep It on the List of Programs Allowed by the Administrator setting, as it could open a security hole that enables malware to run on network devices.
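As an added illustration, not WatchGuard's own code, the following Python models the decisions in the two action diagrams above together with the reclassification policy. The class and field names, the string values used for the operating modes and the two policy actions, the sample path, and the assumption that Audit mode reports without blocking are all mine.

```python
from dataclasses import dataclass
from enum import Enum

# Hypothetical model of the classification/reclassification flow described on
# this page; it is not WatchGuard code, and all names here are assumptions.

class Verdict(Enum):
    UNKNOWN = "Being Classified"
    GOODWARE = "Goodware"
    MALWARE = "Malware"
    PUP = "PUP"
    EXPLOIT = "Exploit"

BLOCKED_VERDICTS = {Verdict.MALWARE, Verdict.PUP, Verdict.EXPLOIT}

@dataclass
class Policy:
    mode: str              # "Audit", "Hardening" or "Lock"
    unblock_unknown: bool  # let files run while they are still being classified
    reclass: str           # "remove" or "keep" (the two reclassification actions)

@dataclass
class Item:
    path: str
    verdict: Verdict = Verdict.UNKNOWN
    admin_allowed: bool = False  # on the Programs Allowed by the Administrator list

def decide(item: Item, policy: Policy) -> str:
    """Action for one execution attempt: 'run' or 'block'."""
    if policy.mode == "Audit":
        return "run"  # assumption: Audit mode only reports, it never blocks
    if item.admin_allowed:
        return "run"  # an administrator exclusion overrides the verdict
    if item.verdict in BLOCKED_VERDICTS:
        return "block"
    if item.verdict is Verdict.UNKNOWN:
        if not policy.unblock_unknown:
            return "block"
        item.admin_allowed = True  # now listed under "Being Classified"
    return "run"  # goodware, or unknown with unblocking configured

def reclassify(item: Item, verdict: Verdict, policy: Policy) -> str:
    """Apply the final verdict; the reclassification policy decides for allowed items."""
    item.verdict = verdict
    if item.admin_allowed and verdict in BLOCKED_VERDICTS and policy.reclass == "remove":
        item.admin_allowed = False  # exclusion removed automatically, so the file is blocked
    return decide(item, policy)
```

With the "keep" action a file reclassified as malware keeps running, which is exactly the exposure the red warning in the list refers to.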

Reclassification of Unblocked Files

If you selected Keep It on the List of Programs Allowed by the Administrator for an item, you should enable alerts and review the history of allowed programs. You can receive an email alert every time an unknown file gets blocked. We recommend that you configure alerts for when a previously unblocked file is reclassified.

To enable email notifications when an unknown file is blocked:

  1. Select Settings > My Alerts.
  2. Enable the toggles for these alert types:
    • A program that is being classified gets blocked
    • A file allowed by the administrator is finally classified

For more information on alerts, go to Configure Email Alerts.

History of Blocked Programs List

When Endpoint Security blocks a program that is then reclassified as goodware, the program no longer shows as blocked. You can see the reclassified program in the History of Blocked Programs list.

The History of Blocked Programs list includes this information:

Computer

Name of the computer where the program or item was blocked.

Path

The file path and name of the blocked file on the computer.

Action

The last action that Endpoint Security took (for example, Blocked, Reclassified as Goodware, and Malware Blocked Due to Connectivity Failure).

Reclassification Time

The time required to reclassify the blocked item from blocked to goodware in hours, minutes, and seconds, up to 4 hours. If the time required is more than 4 hours, then the value is More than 4 hours.

Data Access

If the blocked file accessed data files, then the circle in this column is red. If the circle is empty, then no data files were accessed.

External Connections

If the blocked file made external connections and exchanged data with other computers, then the circle in this column is red. If the circle is empty, then external connections were not made.

Protection Mode

Advanced protection operating mode when the file was blocked (for example, Audit, Lock, or Hardening).

Excluded

Indicates whether the administrator excluded the blocked file from advanced protection (Yes or No).

Likelihood of Being Malicious

Indicates whether the blocked file could be malicious (for example, Very High, High, Medium, or Low).

Date

The date when Endpoint Security blocked the program.

Reclassification Time for Unknown Files

The time required for Endpoint Security to unblock a file and then reclassify it as goodware shows in the Reclassification Time field of the Blocked Program Details page. The Reclassification start time is when the blocked file is received by the WatchGuard Cloud servers or when the file was blocked on the user device, whichever time is earlier.

To view reclassification time and other information for an unblocked file, from the Security dashboard:

  1. Click Currently blocked programs being classified.

Screen shot of Current Blocked Programs Being Classified list

  2. Click View History of Blocked Items in the upper, right corner.
    The History of Blocked Programs list opens. The Action column shows the events that occurred.
  3. To open the Blocked Program Details for the program, select a row.
    The Blocked Program Details page shows the reclassification time, as well as the classification technique (automatic or manual) and the date and time when Endpoint Security completed the reclassification. To see the reclassification start date and time, click the Information icon.

If Endpoint Security blocked an item that has not been reclassified as goodware, you can allow it to run. For more information, go to Allow Blocked Items to Run.

Related Topics

Configure Email Alerts

File Classification — Strategy for New Software

Monitor Threats in WatchGuard Endpoint Security