Remediation Tools in Endpoint Security
Applies To: Endpoint Security Elite, Endpoint Security 360, Endpoint Security Prime, WatchGuard EDR, WatchGuard EDR Core, Endpoint Security Basic
Endpoint Security provides several remediation tools that help you to resolve issues. Some of these tools are automatic and do not require you to take any action. You can get access to other tools in the Endpoint Security management UI.
| Tool | Platform | Type | Purpose |
|---|---|---|---|
| Automatic computer scanning and disinfection | Windows, macOS, Linux, Android | Automatic | Detects and disinfects malware when Endpoint Security detects movement in the file system (copy, move, run) or in a supported infection vector. |
| On-demand computer scanning and disinfection | Windows, macOS, Linux, Android | Automatic, Schedule, or Manual | Detects and disinfects malware in the file system when required, at specific time intervals, or after you create a remediation task. Scan tasks are not available with EDR Core. |
| On-demand restart | Windows | Manual | Forces a computer restart to apply updates, finish manual disinfection tasks, and fix protection errors. |
| Computer isolation | Windows | Manual | Isolates a computer from the network, to prevent the exfiltration of confidential information and the spread of threats to other computers. |
| Shadow copies | Windows | Automatic | When enabled, creates a shadow copy every 24 hours. Use shadow copies to return a compromised system to a previous state. Shadow copies are not available with EDR Core. |
| Network Attack Protection | Windows | Automatic | When enabled, scans network traffic in real-time to detect and stop threats. Network attack protection is not available with EDR Core or WatchGuard Endpoint Security Basic. |
Automatic Scanning and Disinfection
Endpoint Security automatically detects and disinfects threats found on protected computers and devices. File protection must be enabled in the security settings assigned to the computers and devices.
Endpoint Security automatically detects threats in these security areas:
- Web — Malware downloaded to targeted computers through a web browser.
- Email — Malware that reaches email clients as a message attachment.
- File System — Malware detected when a file in computer storage that contains a known or unknown threat is run, moved, or copied.
- Network — Intrusion attempts from a host on the network or Internet, blocked by the firewall.
The Zero-Trust Application Service in a Workstations and Servers settings profile also blocks the execution of unknown malware. For information on blocking modes and the options available for antivirus scanning, go to Windows Operating Mode Behaviors and Configure Antivirus Scanning.
Remediation Actions
When WatchGuard Endpoint Security detects a known threat, it automatically cleans the affected items when there is a disinfection method available. If not, Endpoint Security quarantines the items.
When antivirus and the Zero-Trust Application Service are enabled, Endpoint Security takes these actions:
| Operating Mode | Antivirus Protection | Action |
|---|---|---|
| Learning | Enabled | Detection, disinfection, and quarantine |
| Learning | Disabled | Detection only |
| Hardening, Lock | Enabled | Detection, block unknown items, disinfection, and quarantine |
| Hardening, Lock | Disabled | Detection, block unknown items |
On-Demand Scanning and Disinfection
There are two ways to scan and disinfect computers on demand:
- Create a scheduled scan task — For more information, go to Create a Scheduled Scan Task.
- Run an immediate scan — For more information, go to Scan Computers and Devices.
On-Demand Restart (Windows computers)
If you have computers that have to restart to fix a protection problem, you can restart the computers remotely. For more information, go to Restart a Computer from Endpoint Security (Windows Computers).
Computer Isolation (Windows computers)
You can isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data. For more information, go to Isolate a Computer in Endpoint Security.
Shadow Copies (Windows computers)
Shadow Copies is a Windows feature that creates a snapshot of files on a computer, even while those files are in use. When enabled in WatchGuard Endpoint Security, Windows creates a shadow copy every 24 hours. You can use shadow copies to return a compromised system to a previous state. For more information, go to Remove Ransomware and Restore the System.
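Because shadow copies are only useful for recovery if they actually exist, the following PowerShell script is an added check (not WatchGuard's code) that lists the shadow copies on a Windows computer and flags any volume whose newest copy is older than the 24-hour cadence described above. It assumes the standard Win32_ShadowCopy and Win32_Volume CIM classes and an elevated session.

```powershell
# Added example, not part of WatchGuard Endpoint Security: report shadow copy
# age per volume and exit non-zero when the 24-hour cadence is not met.
# Assumption: Win32_ShadowCopy and Win32_Volume are available (built-in CIM
# classes on Windows); run from an elevated PowerShell session.
param(
    [int]$MaxAgeHours = 24   # cadence documented above
)

$now    = Get-Date
$copies = Get-CimInstance -ClassName Win32_ShadowCopy

if (-not $copies) {
    Write-Warning "No shadow copies exist on $env:COMPUTERNAME."
    exit 1
}

# Win32_ShadowCopy reports the volume as a \\?\Volume{GUID}\ path; map that
# to a drive letter via Win32_Volume so the report is readable.
$letterByGuid = @{}
Get-CimInstance -ClassName Win32_Volume |
    Where-Object { $_.DriveLetter } |
    ForEach-Object { $letterByGuid[$_.DeviceID] = $_.DriveLetter }

$report = $copies |
    Group-Object -Property VolumeName |
    ForEach-Object {
        $newest = ($_.Group | Sort-Object InstallDate -Descending)[0]
        $age    = $now - $newest.InstallDate
        [pscustomobject]@{
            Volume     = if ($letterByGuid.ContainsKey($_.Name)) { $letterByGuid[$_.Name] } else { $_.Name }
            Copies     = $_.Count
            NewestCopy = $newest.InstallDate
            AgeHours   = [math]::Round($age.TotalHours, 1)
            Stale      = ($age.TotalHours -gt $MaxAgeHours)
        }
    }

$report | Sort-Object Volume | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or monitoring agent alert on stale copies.
if ($report | Where-Object { $_.Stale }) { exit 1 } else { exit 0 }
```

A volume that never appears in the report has no shadow copies at all, which is worth checking separately for any volume you expect to restore from.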
Network Attack Protection (Windows computers)
Network Attack Protection prevents network attacks that try to exploit vulnerabilities in services that are open to the Internet and in the internal network. For more information, go to Configure Network Attack Protection (Windows Computers).