Advanced Protection for Devices on Windows, Linux, and macOS Platforms

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

WatchGuard EDR, EPDR, and Advanced EPDR include continuous monitoring of device activity on Windows, macOS, and Linux platforms.

Features included in advanced protection of macOS and Linux computers and devices are:

  • Malware and PUP (potentially unwanted program) detection, with the lifecycle of each detection.
  • Malware activity for macOS and Linux detections. This information helps identify the source of the infection and the actions it has taken.
  • A graphical view of malware activity for macOS and Linux detections, similar to the one for Windows detections.
  • Telemetry and malware alerts show in the Advanced Reporting Tool in the Install, Ops, and Alerts tables.
  • If you have WatchGuard SIEMFeeder, you will receive macOS and Linux telemetry in the SIEM, in addition to Windows telemetry.

The Zero-Trust Application Service and its associated protection modes (Audit, Hardening, and Lock) are only available on Windows. The same is true of Anti-Exploit protection.

On Linux, the ability to detect malicious activity (contextual detection) is included. By default, detected malicious actions are not blocked, to avoid possible issues on some computers. Unless you are sure that the detected malicious activity is a legitimate action, we recommend that you change the setting to Block mode in the Detect malicious activity (Linux only) settings of the advanced protection. Linux protection version 3.00.00.0000 and higher includes this additional protection capability.

The Threat Hunting Investigation Service detects advanced threats and attacks on Windows, macOS, and Linux platforms. With the telemetry received, we can investigate and detect new attacks on Windows, macOS, and Linux.

If an investigation confirms the detection of a new threat, the finding is consolidated and delivered to the endpoints (Windows, macOS, and Linux) of all our clients, by adding detection to the signature files or to Collective Intelligence, and ideally to contextual detection, so that the newly detected attack pattern is stopped.