EDR Core (Total Security Suite) Release Notes

New Features

Signals and Incidents

Incidents are now part of WatchGuard EDR Core. When the Endpoint Security software detects a potential threat, it converts detected security events to signals. To make threat identification and resolution easier, Endpoint Security automatically combines related signals into dynamic incidents. Endpoint Security incidents group signals that previously generated multiple alerts and are part of the same attack.

• This release adds two new tiles on the Security dashboard: Incidents that Require Action and Incident Status. To open a filtered list of all incidents detected across the organization, click a tile.
• For each Endpoint Security incident, you can view the list of signals, the incident graph, and high-level details. You can also review the entities of interest related to the incident.
• You can add or remove and show, hide, or exclude signals.
• When you select a signal, you can view a tree that shows the processes that generated it, and the MITRE techniques and tactics used. You can also review the signal details.
• You can review specific details about the processes that generated signals.
• This release includes a new list that shows all incidents detected by Endpoint Security across the organization. You can filter the list and generate scheduled reports.
• The Detections section of Executive Reports now includes information about incidents: Incidents with Actions Required chart, Incident Status chart, and the Last Pending Incidents table.
• The Incidents list includes two export options: Export and Export List and Details.
• Malicious URLs detected are categorized as signals in incidents.
• An alert message shows on the Security dashboard when there are critical incidents that require immediate review.
• Incidents replace Indicators of Attack (IOAs) in the Endpoint Security management UI. IOA detections are now signals in the context of attacks. We have removed the Indicators of Attack dashboard and list, the IOA settings in My Alerts, IOA information in executive reports, and the recent IOA risk from the management UI. The RDP Attacks Settings and the Advanced IOA toggles remain in the management UI. Incidents in Endpoint Security are not the same as those in ThreatSync. Incidents in Endpoint Security are a group of signals generated from events on the endpoint, as well as Indicators of Attack.

Enhancements

• In the Workstations and Servers security settings, Advanced Protection settings were split into separate sections to simplify configuration: Zero-Trust Application Service, Anti-exploit, and Network Attack Protection. Existing settings profiles automatically reflect the new organization.
• We have updated the data retention policy for Endpoint Security products. This policy defines how long Endpoint Security data is retained on the cloud servers and available in the management UI. For more information on the data retention policy, go to this Knowledge Base article: New Data Retention Periods for Endpoint Security Solutions.
• Patch details now include installation status tiles that show the number of successful installations, download errors, and installation errors. These tiles do not include data from before this release and show data from your network and from the broader WatchGuard community.
• In a patch installation task, you can now configure required conditions that must be met for a patch to be installed. These conditions can include: time elapsed since the patch was released, minimum number of successful installations, maximum number of failed installations, and minimum number of days elapsed since the first successful installation. Each computer assigned the task must meet these conditions before the patch is installed.
• This release includes improvements to the update process for Windows endpoints:
• In Windows Pro editions, Endpoint Security updates no longer apply just before the computers restart, but also when you click Update and Restart or after the countdown in the restart message.
• To minimize disruption, Endpoint Security checks whether the endpoint meets the requirements to update the protection software before it shows an update or restart message. If the conditions are not met, the update does not start and the relevant status shows in the management UI.
• This release includes general improvements to protection and detection capabilities.
• Endpoint Security no longer uses temporary files to identify fileless malware detections. It now generates an incident from real data generated by the processes involved in the detection.
• By default, the Report Blocking to the Computer User setting is disabled.
• In a Workstations and Servers settings profile, Advanced Protection settings were renamed to Zero-Trust Application Service.
• In the Zero-Trust Application Service settings, the Audit operating mode for Windows computers is now renamed to Learning.
• In Patch Management lists, Pending status was changed to Available status.

Resolved Issues

• This release resolves an issue that caused unexpected restarts on Linux servers.
• When you restart an endpoint from the management UI, Windows computers no longer restart multiple times.
• This release resolves an issue in Patch Management tasks where the restart option you configured in the maintenance window was not applied.
• When Patch Management installs patches on Mac computers, app ownership is now correctly assigned.
• You can now configure encryption passwords that include the dollar sign ($)for Mac computers.
• This release resolves an issue that occurred when Patch Management showed new third-party patches for Mac computers.
• You can now move more than 10,000 computers to an Active Directory group at one time.
• This release resolves connection issues to knowledge servers.
• This release resolves an issue that caused the Endpoint Security PSANHost.exe service to crash when the computer recovered from Sleep, Suspension, or Hibernation state.
• This release resolves an issue that caused the security software to incorrectly handle detection IDs in certain contextual detections.
• This release resolves an issue that affected security software updates because of the ELAM (Early Launch Anti-Malware) technology.
• This release improves performance for computers with Advanced Indicators of Attack (IOAs) settings enabled.
• This release resolves BSOD errors caused by:

• Network interception drivers on VPN servers
• NNSPRV.sys network interception driver
• NNSHTTP.sys driver
• Firewall errors
• Device Control configured for removable drives in Block or Allow read access mode (not EDR)

• This release resolves compatibility issues for dock stations with certain laptop models.

Enhancements

• The WatchGuard Mobile Security app for Android devices v3.13.4 and higher includes improvements to the progress screen shown when the device is integrated in to the Endpoint Security management UI.
  • The app shows a message that prompts the user to keep the app open while the device is integrated.
  • The app shows a message to prevent the user from enabling the Device Admin app permission before they change the Battery Optimizations and App Hibernation settings on the device. Users cannot modify these settings when the Device Admin permission is enabled.
  • If required during installation, the app shows a message that informs the user that the Device Admin permission was automatically disabled so that they can change the App Hibernation or Battery Optimizations settings on the device. The user must re-enable the Device Admin permission after the user changes the settings.

Resolved Issues

• These issues were resolved in the WatchGuard Mobile Security app for Android devices v3.13.4 and higher:
  • A fix was included to resolve the CVE-2021-0341 vulnerability that affects Android devices.
  • This release resolves an issue that occurred when the user scanned malformed QR codes.
  • This release resolves an issue that could cause an exception when the user closed the Android app before the integration process was complete.

Enhancements

• With the Linux Agent v1.16.01.0000 you can now deploy and manage the WatchGuard MDR Syslog Collector. For information on the Syslog Collector, go to About the Managed Services Portal in Help Center.

Resolved Issues

• This release resolves an issue with the YUM package manager that occurred when the security software was upgraded.

Enhancements

• Linux protection v3.07.00.0001 and higher now supports Linux Rocky v9.7. For more information on supported Linux distributions, go to WatchGuard Endpoint Security Installation Requirements.

Enhancements

Windows Agent v1.24.02.0000 includes these enhancements:

• This release improves memory management for two agent auxiliary processes. This enhancement standardizes security measures for all agent processes.
• The upgrade process now backs up log files. Log files are no longer lost when a reinstallation is required.

Resolved Issues

Windows Agent v1.24.02.0000 includes these resolved issues:

• This release resolves an issue on Windows computers that caused the NDR collector to not install correctly after the latest Windows Subsystem for Linux (WSL) update.
• This release resolves an issue that caused error 1067 when you reinstalled the security software from the management UI.

WatchGuard Agent Plug-in for ConnectWise RMM v1.0

This first release of the WatchGuard Agent Plug-in for ConnectWise RMM enables Service Providers to deploy EDR Core.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Agent Plug-in for ConnectWise RMM.

New Features

Zero-Trust Application Service Report

A new Zero-Trust Application Service Report provides key metrics to evaluate the effectiveness of the service. For more information, go to Zero-Trust Application Service Report in Help Center.

Enhancements

• You can now enable Verbose mode for Linux computers in Audit mode. You can enable this feature for a maximum of 20 computers simultaneously. The feature requires Linux protection v3.06.00.0001 or higher.
• The Endpoint Security window on Windows computers now uses .NET libraries.
• New settings enable you to configure the maintenance windows and time slots when computers restart automatically after software updates or patch installations.
• You can now configure email notification rules for Endpoint Security products in WatchGuard Cloud.
• This release improves detection of malicious .MSI files.
• This release supports Mac endpoints that run macOS 16 Tahoe. Support requires macOS protection v3.07.00.0000 or higher.

• The Endpoint Security window on Mac computers now shows the number of quarantined files instead of scanned files.

Resolved Issues

• This release resolves an issue with how ThreatSync obtained user and domain information.
• This release resolves an issue that caused a memory leak in the AMSI detection technology.
• This release resolves an issue that allowed the PSUA Service to be stopped, even when anti-tamper protection was enabled.
• This release resolves an issue that caused the Windows operating system to start slowly. [KER-1807]
• This release resolves an issue that caused a BSOD error when the security software updated.
• This release resolves an issue that sometimes caused a network slowdown after an update to macOS protection v3.04.
• This release resolves an issue that caused Network Access Enforcement to not work on Mac computers after an update to macOS protection v3.06.00.0001.
• This release resolves an issue that sometimes caused connection problems with WatchGuard servers on Mac computers after an update to macOS protection v3.06.00.0001 or lower.
• This release resolves an issue with logouts intercepted by the firewall to improve stability and compatibility with third-party applications. [WGUA-4277 ]
• This release resolves compatibility issues between the firewall and networks detected automatically through WireGuard/Wintun VPN adapters. [WGUA-5395]
• This release resolves issues that affected immediate and scheduled scans. [WGUA-5422]
• This release resolves an issue that prevented notifications on user computers. [WGUA-5280]

Enhancements

• We have postponed the EOL (End of Life) date for the Windows and macOS protection of our endpoint security products for these OS versions from 30 April 2025 to 30 June 2025:

• Windows: Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. Windows 2008 R2 will continue to be supported.
• macOS: Yosemite, El Capitan, Sierra, High Sierra, and Mojave.

After 30 June 2025, the product license will be automatically removed from all computers that run these OS versions. You will not be able to allocate licenses to affected computers. Computers without a license will have all protections disabled, lose access to Collective Intelligence, stop receiving signature file updates, and cease to run assigned tasks. For more information about our End-of-Life policies, go to https://www.watchguard.com/wgrd-trust-center/end-of-life-policy.

Resolved Issues

• Linux Agent v1.15.02.0000 resolves an issue that occurred when the protection software was updated on Linux computers and some unused processes remained in memory.

Enhancements

• In WatchGuard Cloud, Owner and Administrator operators can now include granular access control over functional areas of the EDR Core management UI. For more information, go to Manage Custom Operator Roles and Default Permissions for Built-In Roles in Help Center.

Enhancements

• Changes made to the Filters and Folders trees on the Computers page now persist if you navigate away from the Computers page.
• Endpoint Security now supports Fedora Linux 41 in Linux protection v3.06.00.0001 or higher.
  • The proxy server configured in the management UI is only used by the Linux protection to communicate with Endpoint Security repositories. It does not affect interaction with the package manager.
  • The Linux protection repository is disabled after you uninstall the security software and is automatically enabled and disabled during the security software update cycles.
• Local alerts now display longer on the endpoint.

Resolved Issues

• This release resolves an issue with Patch Management where, after the security software patched and restarted a computer, it left patch traces in the Patch Management folder.
• This release resolves an issue where the AppMngPatcher.exe patch installation tool stopped working occasionally.
• This release resolves an issue where incomplete tasks prevented new patches from being downloaded.
• This release resolves an issue where patches included in a later patch did not install, and a message appeared that indicated the patch was no longer necessary.
• This release resolves an issue where, if the Endpoint Access Enforcement feature was enabled, it caused high CPU usage by the AgentSVC process.
• This release resolves an issue where signature file traces were left that could not be applied and took up storage space.
• This release resolves an issue where, when the security software sent Active Directory data through Directories and Domain Sync, if any Active Directory item was larger than 125 KB, an error occurred and it was not synchronized.
• This release resolves an issue that prevented installation of the security software from a brand download error.
• This release resolves an issue where you were prompted to restart the computer repeatedly.
• This release resolves an issue where the security software showed the incorrect time in attack graphs.
• This release resolves an issue where users without Total Control permissions could not see applied filters on the Computers page.
• This release resolves an installation issue on computers that run SUSE Linux Enterprise Server 12.1.
• This release resolves an issue that caused high CPU usage by the PSANHost process.
• This release resolves an upgrade issue that caused error 1603.
• This release resolves an issue that caused the security software to show local alerts with no text.
• This release resolves an issue that caused the security software to show incorrect local alerts when it blocked unknown files because of lack of connectivity with the Collective Intelligence servers.
• This release resolves an issue that caused the Network Extension (NEXT] to stop when it encountered HTTP communications with very long URLs.

New Features

• In the Device Control settings, you can now disable AutoPlay on removable storage devices.

Enhancements

• This release includes improvements to the Zero-Trust Application Service.
  • When Endpoint Security blocks an unknown program because the endpoint cannot connect to Collective Intelligence, the History of Blocked Programs list now shows why Endpoint Security blocked the program.
  • When an unknown blocked program is later classified as goodware, the endpoint where the block occurred shows a pop-up notification that prompts the user to try to run the program again.
  • Programs initially blocked and then reclassified as goodware show in the History of Blocked Programs list with the time required for reclassification.
  • When Endpoint Security reclassifies a blocked program, the Blocked Program Details list shows when reclassification occurred, how long it took, and whether it was classified automatically by the WatchGuard Collective Intelligence or manually by WatchGuard.
• Anti-tamper protection now supports Linux computers. When anti-tamper protection is enabled, attackers cannot stop the Endpoint Security software. You can also require a password to uninstall the software from Linux computers.
• Two-factor authentication is now available for Linux computers.
• The Computer Protection Status list now shows the status of the endpoint connection to the Collective Intelligence and URL classification servers for Linux and Mac computers.
• The computer details page for Linux and Mac computers now shows the status of the connection to knowledge servers.
• From the management UI for Linux and Mac computers, you can now remotely uninstall the WatchGuard Agent and the Endpoint Security software installed by the agent.
• When an authorized process loads a library, Endpoint Security does not block the required library, even if it is unknown.
• When an authorized process creates and runs a child process, Endpoint Security allows the child process and does not block it.
• When an authorized .MSI or .EXE installer creates and runs new processes, Endpoint Security considers these child processes authorized and does not block them.

Resolved Issues

• This release resolves an issue that occurred when temporary files created when Microsoft Office files were edited could not be deleted from the server.
• This release resolves a security software self-diagnosis issue that caused an unchecked exception that could lead to service crashes.
• This release resolves an issue that caused Endpoint Security to show multiple blocked page notifications. This prevented the computer screen from being locked and could leave the computer exposed to unauthorized access.
• This release resolves a issue found in protection version 8.00.23, which could allow arbitrary file creation and exposure to a denial-of-service attack.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue with the macOS protection that caused the service to hang for approximately 30 seconds on older computers with limited resources.

New Features

Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA) v1.1

This Endpoint Security Plug-in for Kaseya VSA release updates the steps to install, configure, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA).

Enhancements

• On 26 November 2024, if your firewall or proxy server is not configured to allow connections to and from *.pandasecurity.com, then you must update settings to allow connections from EDR Core to some specific required URLs. For more information, go to this Support blog post: Update to URLs Required by WatchGuard Endpoint Security Products.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.5

This Endpoint Security Plug-in for ConnectWise Automate release updates the steps to install, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Enhancements

• The Endpoint Security software now supports TLS 1.2 protocol natively for Windows 7, Windows Server 2008 R2 (Kernel 6.1), Windows 8, and Windows Server 2012. For more information, review this Support blog post: End of Support for TLS 1.0 and TLS 1.1.

New Features

Endpoint Access Enforcement

With Endpoint Access Enforcement, you can now monitor connections to Windows computers on the network to help reduce potential infections and attacks from unprotected Windows, Mac, or Linux computers. The Endpoint Access Enforcement dashboard includes several graphs: Connection Map, Top 5 Computers Reporting High-Risk Outbound or Inbound Connections, Number of Connections by Condition, and Number of Connections by Monitored Protocol. Executive reports now include an Endpoint Access Enforcement section.

• By default, Endpoint Access Enforcement monitors inbound connections for SMB and RDP traffic.
• On Windows computers, this feature requires Windows protection v8.00.23.0000 or higher and the Windows agent v1.22.01.0000 or higher; on Mac and Linux computers, it requires the macOS or Linux agent v1.14.01.0000 or higher.
• In the Endpoint Access Enforcement settings profile, you can specify risk conditions for computers and add connection rules for protocols other than those monitored by default.

On the Computer details page, there is a new Monitored Connections tab. The Monitored Connections page shows connections that meet the conditions specified in the Endpoint Access Enforcement rules.

Block Vulnerable Drivers

In a Workstations and Servers settings profile, you can now configure Endpoint Security to block vulnerable drivers. This helps prevent exploitation of the driver by malicious actors. You can exclude detected vulnerable drivers so that they are not detected again. This feature requires Windows protection v8.00.23.0000 or higher.

Enhancements

• Code injection uses anti-exploit techniques to detect exploit attempts in running processes. Code injection now inspects every running process. The inspection could cause performance and compatibility issues for some applications. For more information, go to this Knowledge Base article.
• Anti-exploit protection settings are now easier to configure. In the Advanced Protection section of the Workstations and Servers security settings profile, you now enable anti-exploit protection with the Code Injection toggle. You can exclude specific processes from anti-exploit protection. This feature requires Windows protection v8.00.23.0000 or higher.
• You can now enable advanced scanning with AMSI detection. You can enable AMSI detection technology and exclude specific processes. This feature requires Windows protection v8.00.23.0000 or higher.
• When you configure Risk settings, you can now specify which folder, file, and extension exclusions you want to impact the computer risk level assessment.
• You can now isolate Linux computers on your network. Similar to the Windows and Mac feature, isolated Linux computers only allow WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the Linux computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires Linux protection v3.05.00.0000 or higher.
• You can now enable and disable local alerts on Mac computers and customize malware, firewall, and device control alerts.
• Android protection now supports Network Access Enforcement.
• You can now use MD5 and SHA-256 hashes when you configure these features: Advanced Protection, Program Blocking, and Authorized Software.
• You can export recipient email addresses configured in the My Alerts settings for all users in an account.
• You can now cancel or delete all tasks at one time.
• Endpoint Security now supports Windows Server 2025 in Windows protection v8.00.23.0000 or higher.
• Endpoint Security now supports macOS 15 Sequoia in macOS protection v3.05.00.0000 or higher.
• Endpoint Security now supports these Linux distributions: OpenSUSE 15.3, 15.4, 15.5, and 15.6; SUSE 15 SP6; Fedora 39 and 40; Red Hat/Oracle/Rocky/Alma 8.9, 8.10, 9.3, and 9.4; Ubuntu 23.10 and 24.04; and Mint 21.2, 21.3, and 22. This feature requires Linux protection v3.05.00.0000 or higher. For more information on distributions, go to Linux.
• On 30 September 2024, protection for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, as well as macOS Yosemite, El Capitan, Sierra, High Sierra, and Mojave will become End of Sale (EOS). Windows 2008 R2 will continue to be supported. After that date, you will not be able to add devices to the management UI or install the protection software on new computers that run these operating systems versions.
  • On 30 April 2025, our Windows and Mac protection for these OS versions will become End of Life (EOL).
  • After the EOL date, the product license will be automatically removed from all computers that run these OS versions, and you will not be able allocate licenses to affected computers.

Resolved Issues

• This release resolves an issue that caused the security software to send the same alert email notifications repeatedly over several days.
• This release resolves an issue that caused the security software to classify URLs as “unknown category” and block them on some computers.
• This release resolves an issue that prevented user login to a corporate website.
• A fix was made to make sure that security software upgrades after computer shutdown did not take too long. The computer does not wait for the PSANHost process to close.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue that caused the security software decoy files to create temporary files and folders after backup sessions.
• This release resolves an issue where ATC.exe did not run on Server Core because of a dependency.
• This release resolves an issue that caused on-demand scans of PDF files to not finish.
• This release resolves a vulnerability found in the security software decoy files.
• This release resolves an issue with Linux protection signature file permissions after a security software upgrade.
• This release resolves a self-diagnosis issue that caused the security software to sometimes incorrectly report an error.
• This release resolves an issue where uninstallation of the security software from a Mac device prompted you to keep the quarantine folder even though it was empty.
• In environments with proxy communications, fixes were made to the network infrastructure to prevent random BSOD errors. [WGUA-4183]
• The decoy files feature no longer causes false positive detections associated with svchost.exe. [WGUA-4287]
• Resource usage issues caused by the Endpoint Access Enforcement feature were resolved. [AETHER-5510]
• A fix was included to prevent a memory leak issue caused by the firewall infrastructure. [WGUA-4281]

Enhancements

• These enhancements are in Windows protection v8.00.22.0025 and higher:
  • Performance improvements for multi-user environments such as RDS environments. [KER-822]

Resolved Issues

• These issues are resolved in Windows protection v8.00.22.0025 and higher:

  • Isolated computers no longer show alert messages when the Do Not Show Alerts option is selected.
  • This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
  • This release resolves an upgrade issue that stopped protection services.
  • The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
  • This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
  • For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]

Resolved Issues

• This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
• The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
• This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
• Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608 ]
• General high RAM and CPU usage issues are improved. [WGUA-1976]
• Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
• This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
• AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
• Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
• Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
• When the user selects, “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
• When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
• This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
• When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
• Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
• Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]

New Features

• In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
  • You can also configure computers or computer groups to not install patches.
  • When you create a patch installation task, you can select to install patches on only test computers.

Enhancements

• In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
• The default workstations and servers settings profile now has anti-exploit and decoy files disabled. Endpoint Security applies this profile to the All group by default until you create and assign a new profile. This profile helps prevent issues with third-party antivirus and EDR solutions when you activate the Endpoint Risk Assessment. This change does not affect Endpoint Risk Assessments in progress.
• When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
• Subscriber accounts with EDR Core allocated to their endpoints, but not deployed, can now start a trial of WatchGuard EPDR or Advanced EPDR and activate an Endpoint Risk Assessment.
• You can now download signature files over HTTPS.

Resolved Issues

• When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
• Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
• When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
• A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
• When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.

Enhancements

• These enhancements were made in Windows protection v8.00.22.0024 and higher:
  • The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when EDR Core cannot stop a driver.
  • Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.

Resolved Issues

• These issues were resolved in Windows protection v8.00.22.0024 and higher:
  • A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
  • The URL filtering feature prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
  • A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
  • The AMSI detection technology now respects the path exclusions configured in the protection software settings.

Resolved Issues

• Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.

Enhancements

• You can now isolate Mac computers on your network. Similar to the Windows feature, isolated Mac computers allow only WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires macOS protection version 3.04.00.0000 or higher.
• To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
• Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
• In the list of discovered computers, you can now select all unprotected computers.

Resolved Issues

• When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
• When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
• Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue that caused a rare BSOD error when the server generated malformed network packages. This fix requires Windows protection version 8.00.22.0023 or higher.
• The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
• Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.

Resolved Issues

• An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues: 
  • Network access enforcement (VPN enforcement) now works for endpoints with macOS v3.03.00.0003 and higher. [WGUA-1913]
  • The network extension no longer stops working and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
  • When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
  • macOS v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]

New Features

Endpoint Security Integration for NinjaOne

With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.

Enhancements

• EDR Core now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
• If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.

Resolved Issues

• Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
• Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
• Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.3

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

• You can now select an Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
• You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
• You can now search for clients and accounts by name on the Map Clients page.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Resolved Issues

• Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
• Resolved an issue that causes a memory leak in the PSINReg.sys driver that could lead to a BSOD error. This fix requires Windows protection software v8.00.22.0014 or higher.
• Resolved an issue where scheduled reports do not include the details of available patches.
• Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.
• Resolved an issue where, when you excluded network attack performed from certain IP addresses, and then add another exclusion for the same attack from another IP address, the first exclusion was not saved.
• Resolved an issue where executive reports show the incorrect date and time for IOA-related information.

Enhancements

• Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
  • The protection software upgrade process better retains settings defined in a previous version.
  • Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
  • When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
  • Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.

• In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.

Resolved Issues

• In the updated version of the Windows protection software or agent:
  • Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
  • Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
  • The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
  • Resolved an issue with the RDP protection to detect and contain brute-force attacks on RDP. This issue affected customers with Windows protection software v8.00.22.0012 and is resolved in Windows protection software v8.00.22.0014 and higher.
  • WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
• macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.

New Features

Endpoint Security Plug-in for N-able N-sight

With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.

New Features

WatchGuard Advanced EPDR

You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.

Audit Mode

• In a workstations and servers settings profile, you can enable Audit mode to detect and report malware, ransomware, and other types of attacks. In Audit mode, EDR Core does not block or delete detected threats. Audit mode supports Windows, macOS, and Linux workstations and servers.
  • We recommend you use this mode only to evaluate EDR Core or to evaluate the security status of a customer protected with another solution. EDR Core does not protect computers in Audit mode, so they show as at risk in the management UI.

Enhancements

• Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that EDR Core is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
• Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
• You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported by Windows, macOS, and Linux workstations and servers
• Linux protection v3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
• On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.

Resolved Issues

• When the Automatic Deletion of Computers option in Computer Maintenance is enabled, EDR Core deletes the computers from the management UI, but does not uninstall the EDR Core software.
• EDR Core now shows detections made by the decoy files technology in management UI reports.
• EDR Core now shows detections made by the anti-exploit technology in the blocked items tile in the Security dashboard.
• Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
• EDR Core now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
• In rare cases when there is a timeout error due to no network traffic, the firewall technology in EDR Core continues to run.
• A fix was made to cancel the installer when Windows Update updates are in progress.
• A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
• macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
• A fix was made to make sure that local alerts show on macOS computers.
• macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
• When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
• On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
• A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
• On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
• On Linux computers, EDR Core does not send duplicate detection reports when the EDR Core software upgrades.
• When you exclude blocked malware and PUPs in EDR Core, they are now allowed to run.

Enhancements

• Email alerts now include the customer name and the WatchGuard Cloud account ID.

• Initial release. WatchGuard EDR Core is an endpoint security service available with the Total Security Suite subscription for your Firebox. For more information on EDR Core, you can review the PowerPoint presentation, Introduction to WatchGuard EDR Core, or go to About WatchGuard EDR Core in Help Center.