Configure Anti-Exploit Protection (Windows Computers)
Applies To: Endpoint Security Elite, Endpoint Security 360, Endpoint Security Prime, WatchGuard EDR, and EDR Core
Anti-exploit technology is not available on Windows ARM systems.
Anti-exploit protection prevents malicious programs that exploit known and unknown (zero-day) vulnerabilities in applications to get access to computers on the corporate network. You can enable protection against code injection and protection for vulnerable drivers.
Code Injection is a general term for attacks that insert harmful code into an application that is then interpreted or executed by the application. For more information, go to About Anti-Exploit Protection (Windows Computers).
We recommend that you enable anti-exploit protection gradually on computers with a third-party security solution already installed to make sure it works properly.
When you allocate WatchGuard EDR or EDR Core to a new account, and the account does not have a workstations and servers settings profile assigned, the default profile assigned to the All group has anti-exploit disabled.
Your operator role determines what you can see and do in WatchGuard Cloud. Your role must have the Configure Security for Workstations and Servers permission to view or configure this feature. For more information, go to Manage WatchGuard Cloud Operators and Roles.
To configure anti-exploit protection, from WatchGuard Cloud:
- Select Configure > Endpoint Security.
- From the left pane, select Workstations and Servers.
- Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
The Add Settings or Edit Settings page opens.
- Enter a Name and Description for the profile, if required.
- Select Anti-Exploit.
- Enable the Code Injection toggle.
If you disable Code Injection, it is disabled in all processes. It also disables PowerShell advanced policies. For information on PowerShell advanced policies, go to Configure Advanced Security Policies (Windows Computers). Advanced security policies are only available with Endpoint Security Elite.
- If needed, add the file name in the Excluded Processes text box and press Enter.
Exploit attempts on excluded processes are not detected by anti-exploit protection. We recommend that you only add exclusions for programs that might cause performance issues. When you add an exclusion, Endpoint Security does not scan the specified files and your computers could be at risk of an attack.
To make sure that the Zero-Trust Application Service does not block an unclassified program, add it to the Authorized Software list. For more information, go to Configure Authorized Software Settings (Windows Computers).
- Select an Operating Mode from the list (Windows computers only):
- Audit — Reports exploit detections in the management UI, but does not take action against them or display information to the user.
- Block — Blocks exploit attacks. In some cases, it might be necessary to end the compromised process or restart the computer.
- To notify users when anti-exploit protection blocks a compromised process, enable the Report Blocking to the Computer User toggle.
The user receives a notification and the compromised process is automatically ended if required.
- To prompt users to end a compromised process, enable the Ask the User for Permission to End a Compromised Process toggle.
Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether the toggle is enabled.
- To detect vulnerable drivers that could be exploited, enable the Detect Drivers with Vulnerabilities toggle.
Vulnerable drivers are drivers with known vulnerabilities that attackers have exploited in the wild. This can include outdated drivers that contain security gaps. Drivers supplied by legitimate vendors can contain vulnerabilities that malware could exploit to infect a computer or disable the security software. If the detected driver is part of the Windows boot process, it is reported but not blocked.
- Select an Operating Mode from the list (Windows computers only):
- Audit — Reports vulnerable drivers in the Exploit Activity tile on the Security dashboard and shows an alert on the affected computer. No action is taken.
- Block — Blocks vulnerable drivers from loading and shows an alert on the affected computer. Reports vulnerable drivers in the Exploit Activity tile on the Security dashboard.
To review driver details, select the affected computer in the Exploit Activity list. You can allow the blocked driver to run and stop allowing the driver if it was previously allowed. You can select to not detect the driver again. For more information, go to Allow Blocked Items to Run.
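Because a vulnerable driver that loads during the Windows boot process is reported but not blocked, it helps to know in advance which loaded drivers on a computer are boot-start. The following PowerShell inventory is an added example, not code from WatchGuard or from this product; it uses only the built-in Win32_SystemDriver CIM class and Get-AuthenticodeSignature, and the function name Get-LoadedDriverInventory is our own. Run it in an elevated PowerShell session on the Windows computer you want to check.

```powershell
# Added example (not WatchGuard code). Lists the kernel drivers currently
# loaded on this Windows computer, marks the boot-start ones, and shows who
# signed each driver file. Boot-start drivers are the ones anti-exploit
# protection reports but does not block, so they need a vendor update or a
# manual review rather than relying on Block mode.

function Get-LoadedDriverInventory {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Win32_SystemDriver can return NT-style paths such as \??\C:\... or
            # \SystemRoot\...; normalise them so the file can be opened.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot

            $signer = if (Test-Path -LiteralPath $path) {
                (Get-AuthenticodeSignature -LiteralPath $path).SignerCertificate.Subject
            } else {
                'path not found'
            }

            [pscustomobject]@{
                Name      = $_.Name
                StartMode = $_.StartMode              # Boot, System, Auto, Manual or Disabled
                BootStart = ($_.StartMode -eq 'Boot') # loaded by the boot loader, not blockable
                Path      = $path
                Signer    = $signer
            }
        }
}

$inventory = Get-LoadedDriverInventory

# Boot-start drivers: if one of these is detected as vulnerable it is only reported.
Write-Host "Boot-start drivers (reported, not blocked):"
$inventory | Where-Object BootStart | Sort-Object Name |
    Format-Table Name, Signer, Path -AutoSize

# All other loaded drivers: Block mode can stop these from loading if they are
# detected as vulnerable.
Write-Host "Other loaded drivers (blockable in Block mode):"
$inventory | Where-Object { -not $_.BootStart } | Sort-Object Name |
    Format-Table Name, StartMode, Signer -AutoSize
```

Compare the boot-start list with the drivers that appear in the Exploit Activity tile after you enable Detect Drivers with Vulnerabilities in Audit mode; a vulnerable driver in that list will still load on the next restart, so plan an update from the vendor rather than switching to Block mode and expecting it to be stopped.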
Many exploits continue to run malicious code until the relevant process ends. An exploit does not appear as resolved in the Exploit Activity tile on the Security dashboard until the compromised program terminates.
About Anti-Exploit Protection (Windows Computers)
Zero-Trust Application Service for Windows, Linux, and Mac Devices