WatchGuard Endpoint Security Basic Enhancements and Resolved Issues

Enhancements

• Version 2.02.05 of the WatchGuard Mobile Security app for iOS includes these enhancements:
  • Improved response time when you access the Anti-Theft feature.
  • You no longer need to grant the app the Local Device Access permission when you install it without an MDM solution.
  • Optimized installation of the app when you do not need to grant permissions to the app.

Resolved Issues

• This release resolved an issue where the WatchGuard Mobile Security app for iOS obtained the device location when you opened it.
• This release resolved an issue where the Issues or Protections sections in the main window of the app did not show correctly.
• This release resolved an issue where customer data was incorrectly sent to Support when customers reported an issue with the iOS protection.

Enhancements

• In Full Encryption, only administrators can configure encryption (PIN and password).
• End users without the required permissions can no longer restart a computer from a protection update or from Patch Management alerts. The user must wait for the predefined timeout to expire or restart the computer on their own.
• End users without the require permissions can no longer retry actions from the initial installation window. Endpoint Security Basic will retry the action automatically after a period of time.

Resolved Issues

• This release resolved an issue where the installer did not request privilege elevation in certain cases, which prevented the application of necessary settings.
• This release resolved the CVE-2026-41286 vulnerability, which could cause the WatchGuard Agent to crash when it received invalid communications.
• This release resolved the CVE-2026-41287 vulnerability, which could cause the WatchGuard Agent to crash when it processed certain messages.
• This release resolved the CVE-2026-41288 vulnerability, which could enable a local user to gain elevated privileges in the system.
• This release resolved the CVE-2026-6787 vulnerability, which could enable the execution of processes with elevated privileges on the system.
• This release resolved the CVE-2026-6788 vulnerability, which could enable unauthorized users to gain elevated privileges on the system.

As part of the WatchGuard Endpoint Security portfolio update, WatchGuard EPP is now called WatchGuard Endpoint Security Basic. This change affects all existing versions of the management UI and shows in the local console after the protection is updated on the endpoint. For more information on the new product names, go to this Knowledge Base article: Updates to WatchGuard Endpoint Security product names on 1 April 2026.

New Features

Signals and Incidents

Incidents are now part of Endpoint Security Basic. When the Endpoint Security software detects a potential threat, it converts detected security events to signals. To make threat identification and resolution easier, Endpoint Security automatically combines related signals into dynamic incidents. Endpoint Security incidents group signals that previously generated multiple alerts and are part of the same attack.

• For each Endpoint Security incident, you can view the list of signals, the incident graph, and high-level details. You can also review the entities of interest related to the incident and exclude signals.
• The Detections section of Executive Reports now includes information about incidents: Incidents with Actions Required chart, Incident Status chart, and the Last Pending Incidents table.
• The Incidents list includes two export options: Export and Export List and Details.
• Malicious URLs detected are categorized as signals in incidents.
• An alert message shows on the Security dashboard when there are critical incidents that require immediate review.

Enhancements

• We have updated the data retention policy for Endpoint Security products. This policy defines how long Endpoint Security data is retained on the cloud servers and available in the management UI. For more information on the data retention policy, go to this Knowledge Base article: New Data Retention Periods for Endpoint Security Solutions.
• Patch details now include installation status tiles that show the number of successful installations, download errors, and installation errors. These tiles do not include data from before this release and show data from your network and from the broader WatchGuard community.
• In a patch installation task, you can now configure required conditions that must be met for a patch to be installed. These conditions can include: time elapsed since the patch was released, minimum number of successful installations, maximum number of failed installations, and minimum number of days elapsed since the first successful installation. Each computer assigned the task must meet these conditions before the patch is installed.
• This release includes improvements to the update process for Windows endpoints:
• In Windows Pro editions, Endpoint Security updates no longer apply just before the computers restart, but also when you click Update and Restart or after the countdown in the restart message.
• To minimize disruption, Endpoint Security checks whether the endpoint meets the requirements to update the protection software before it shows an update or restart message. If the conditions are not met, the update does not start and the relevant status shows in the management UI.
• With the release of the Android Mobile Security app v3.13.6, protection for Android 6 and Android 7 is now End-of-Life (EOL). The minimum required OS to install the Android app on new devices is Android 8.
• The WatchGuard Agent automatically updates devices that run Android 8 and higher to the Android Mobile Security app v3.13.6.
• The WatchGuard Agent does not update devices with Android versions lower than Android 8 to the Android Mobile Security app v3.13.6. The previous version of the Android app continues to work.
• This release includes general improvements to protection and detection capabilities.
• This release optimizes detection of attempts to remotely encrypt decoy files. If the security software detects an attempt to encrypt decoy files from a remote IP address, it generates an incident and blocks communications with that IP address for one hour.
• Endpoint Security no longer uses temporary files to identify fileless malware detections. It now generates an incident from real data generated by the processes involved in the detection.
• In Patch Management lists, Pending status was changed to Available status.

Resolved Issues

• This release resolves an issue that caused unexpected restarts on Linux servers.
• If you uninstall the WatchGuard Agent with the generic uninstaller and then do not restart the endpoint, custom branding can now be successfully applied.
• When you restart an endpoint from the management UI, Windows computers no longer restart multiple times.
• This release resolves an issue in Patch Management tasks where the restart option you configured in the maintenance window was not applied.
• When Patch Management installs patches on Mac computers, app ownership is now correctly assigned.
• You can now configure encryption passwords that include the dollar sign ($)for Mac computers.
• This release resolves an issue that occurred when Patch Management showed new third-party patches for Mac computers.
• You can now move more than 10,000 computers to an Active Directory group at one time.
• This release resolves connection issues to knowledge servers.
• This release resolves an issue that caused the Endpoint Security PSANHost.exe service to crash when the computer recovered from Sleep, Suspension, or Hibernation state.
• This release resolves an issue that caused the security software to incorrectly handle detection IDs in certain contextual detections.
• This release resolves an issue that affected security software updates because of the ELAM (Early Launch Anti-Malware) technology.
• This release improves performance for computers with Advanced Indicators of Attack (IOAs) settings enabled.
• This release resolves BSOD errors caused by:
• Network interception drivers on VPN servers
• NNSPRV.sys network interception driver
• NNSHTTP.sys driver
• Firewall errors
• Device Control configured for removable drives in Block or Allow read access mode (not EDR)
• This release resolves compatibility issues for dock stations with certain laptop models.
• When there is no browsing activity, you no longer receive false positives of malicious or disallowed URLs on DNS servers.
• The Device Control feature no longer interferes with the display settings of devices.

Enhancements

• With the release of the iOS Mobile Security app v2.02.03.0006, protection for iOS 13 and iOS 14 will become End-of-Life (EOL). After the EOL date, the minimum requirement to install the iOS app on new devices will be iOS 15.

Resolved Issues

• iOS Mobile Security app v2.02.03.0006 resolves an issue that occurred on supervised iOS devices when an app that calls external authentication systems ran and the error “about:blank – You cannot browse this page because it is restricted” appeared.

Enhancements

• The WatchGuard Mobile Security app for Android devices v3.13.4 and higher includes improvements to the progress screen shown when the device is integrated in to the Endpoint Security management UI.
  • The app shows a message that prompts the user to keep the app open while the device is integrated.
  • The app shows a message to prevent the user from enabling the Device Admin app permission before they change the Battery Optimizations and App Hibernation settings on the device. Users cannot modify these settings when the Device Admin permission is enabled.
  • If required during installation, the app shows a message that informs the user that the Device Admin permission was automatically disabled so that they can change the App Hibernation or Battery Optimizations settings on the device. The user must re-enable the Device Admin permission after the user changes the settings.

Resolved Issues

• These issues were resolved in the WatchGuard Mobile Security app for Android devices v3.13.4 and higher:
  • A fix was included to resolve the CVE-2021-0341 vulnerability that affects Android devices.
  • This release resolves an issue that occurred when the user scanned malformed QR codes.
  • This release resolves an issue that could cause an exception when the user closed the Android app before the integration process was complete.

Enhancements

• With the Linux Agent v1.16.01.0000 you can now deploy and manage the WatchGuard MDR Syslog Collector. For information on the Syslog Collector, go to About the Managed Services Portal in Help Center.

Resolved Issues

• This release resolves an issue with the YUM package manager that occurred when the security software was upgraded.

Enhancements

• Linux protection v3.07.00.0001 and higher now supports Linux Rocky v9.7. For more information on supported Linux distributions, go to WatchGuard Endpoint Security Installation Requirements.

Enhancements

Windows Agent v1.24.02.0000 includes these enhancements:

• This release improves memory management for two agent auxiliary processes. This enhancement standardizes security measures for all agent processes.
• The upgrade process now backs up log files. Log files are no longer lost when a reinstallation is required.

Resolved Issues

Windows Agent v1.24.02.0000 includes these resolved issues:

• This release resolves an issue on Windows computers that caused the NDR collector to not install correctly after the latest Windows Subsystem for Linux (WSL) update.
• This release resolves an issue that caused error 1067 when you reinstalled the security software from the management UI.

WatchGuard Agent Plug-in for ConnectWise RMM v1.0

This first release of the WatchGuard Agent Plug-in for ConnectWise RMM enables Service Providers to deploy WatchGuard Endpoint Security products.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Agent Plug-in for ConnectWise RMM.

Enhancements

• The Android WatchGuard Mobile Security app (Android v3.13.0 and higher) includes these enhancements:
  • Improved detection of large-screen devices to prevent constant screen rotation.
  • Support for devices with Android 15 natively.
• The iOS WatchGuard Mobile Security app (iOS v2.02.01.003 and higher) includes these enhancements:
  • Improved URL categorization.
  • The app now shows a message when there is an error sending log files to Support.
  • Optimized sending of registration messages to WatchGuard servers.

Enhancements

• Web Access Control now supports the QUIC HTTP3 protocol.
• Web Access Control now supports pages protected by content delivery networks (CDNs). A CDN (for example, Cloudflare or Akamai) acts as an intermediary to conceal the true intended destination of a connection. Endpoint Security can now determine the domains of web pages managed by CDNs so that our web filtering and protection technologies can scan them. [WGUA-5280]
• The Endpoint Security window on Windows computers now uses .NET libraries.
• New settings enable you to configure the maintenance windows and time slots when computers restart automatically after software updates or patch installations.
• You can now configure email notification rules for Endpoint Security products in WatchGuard Cloud.
• This release improves detection of malicious .MSI files.
• This release supports Mac endpoints that run macOS 16 Tahoe. Support requires macOS protection v3.07.00.0000 or higher.

• The Endpoint Security window on Mac computers now shows the number of quarantined files instead of scanned files.

Resolved Issues

• This release resolves an issue with how ThreatSync obtained user and domain information.
• This release resolves an issue that caused a memory leak in the AMSI detection technology.
• This release resolves an issue that allowed the PSUAService to be stopped, even when anti-tamper protection was enabled.
• This release resolves an issue that caused the Windows operating system to start slowly. [KER-1807]
• This release resolves an issue that caused a BSOD error when the security software updated.
• This release resolves an issue that sometimes caused a network slowdown after an update to macOS protection v3.04.
• This release resolves an issue that caused Network Access Enforcement to not work on Mac computers after an update to macOS protection v3.06.00.0001.
• This release resolves an issue that sometimes caused connection problems with WatchGuard servers on Mac computers after an update to macOS protection v3.06.00.0001 or lower.
• This release resolves an issue with logouts intercepted by the firewall to improve stability and compatibility with third-party applications. [WGUA-4277 ]
• This release resolves compatibility issues between the firewall and networks detected automatically through WireGuard/Wintun VPN adapters. [WGUA-5395]
• This release resolves issues that affected immediate and scheduled scans. [WGUA-5422]
• This release resolves an issue that prevented notifications on user computers. [WGUA-5280]

New Features

Aether 18 Friends & Family Release Update

The Friends & Family release includes:

• Maintenance window settings to control endpoint restart for patches
• URL filtering support for QUIC HTTP3 protocol in macOS
• Detection of malicious .MSI installers in Windows endpoints
• Minor updates and bug fixes.

To participate in Friends & Family testing, send an email message to the Friends & Family mailbox. For more information, go to the Endpoint Security Friends & Family test community.

New Features

Endpoint Security Plug-in for N-able N-central v1.4

This release of the Endpoint Security Plug-in for N-able N-central introduces a new version of the onboarding application, new service templates, and service monitoring performance improvements.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-central.

New Features

Endpoint Security Plug-in for N-able N-central v1.3

This release of the Endpoint Security Plug-in for N-able N-central introduces a new version of the onboarding application, new service templates, and the Mark Clean script for Windows computers.

If you have the Endpoint Security Plug-in for N-able N-central v1.2 or lower, remove v1.2 in N-able N-central before you install v1.3. For more information, go to Manage the WatchGuard Endpoint Security Plug-in for N-able N-central.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-central.

Enhancements

• We have postponed the EOL (End of Life) date for the Windows and macOS protection of our endpoint security products for these OS versions from 30 April 2025 to 30 June 2025:

• Windows: Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. Windows 2008 R2 will continue to be supported.
• macOS: Yosemite, El Capitan, Sierra, High Sierra, and Mojave.

After 30 June 2025, the product license will be automatically removed from all computers that run these OS versions. You will not be able to allocate licenses to affected computers. Computers without a license will have all protections disabled, lose access to Collective Intelligence, stop receiving signature file updates, and cease to run assigned tasks. For more information about our End-of-Life policies, go to https://www.watchguard.com/wgrd-trust-center/end-of-life-policy.

Resolved Issues

• Linux Agent v1.15.02.0000 resolves an issue that occurred when the protection software was updated on Linux computers and some unused processes remained in memory.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.6

This release of the Endpoint Security Plug-in for ConnectWise Automate introduces asynchronous API data sync and updates compatibility requirements for the plug-in. The new plug-in and ConnectWise Automate requirements include:

• Endpoint Security Plug-in v1.4 or v1.5. For plug-in v1.3 or lower, you must remove the old plug-in before you install v1.6.
• .NET framework v4.8 or higher
• Windows Server 2019, 2022, or 2025

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Enhancements

• In WatchGuard Cloud, Owner and Administrator operators can now include granular access control over functional areas of the EPP management UI. For more information, go to Manage Custom Operator Roles and Default Permissions for Built-In Roles in Help Center.

Enhancements

• Changes made to the Filters and Folders trees on the Computers page now persist if you navigate away from the Computers page.
• Endpoint Security now supports Fedora Linux 41 in Linux protection v3.06.00.0001 or higher.
  • The proxy server configured in the management UI is only used by the Linux protection to communicate with Endpoint Security repositories. It does not affect interaction with the package manager.
  • The Linux protection repository is disabled after you uninstall the security software and is automatically enabled and disabled during the security software update cycles.
• Local alerts now display longer on the endpoint.
• The Android app now supports Android 14 natively. This feature requires Android protection v3.11.4 or higher. Previous versions of the Android app also work on Android 14 in compatibility mode only.

Resolved Issues

• This release resolves an issue with Patch Management where, after the security software patched and restarted a computer, it left patch traces in the Patch Management folder.
• This release resolves an issue where the AppMngPatcher.exe patch installation tool stopped working occasionally.
• This release resolves an issue where incomplete tasks prevented new patches from being downloaded.
• This release resolves an issue where patches included in a later patch did not install, and a message appeared that indicated the patch was no longer necessary.
• This release resolves an issue where signature file traces were left that could not be applied and took up storage space.
• This release resolves an issue where, when the security software sent Active Directory data through Directories and Domain Sync, if any Active Directory item was larger than 125 KB, an error occurred and it was not synchronized.
• This release resolves an issue that prevented installation of the security software from a brand download error.
• This release resolves an issue where you were prompted to restart the computer repeatedly.
• This release resolves an issue where users without Total Control permissions could not see applied filters on the Computers page.
• This release resolves an installation issue on computers that run SUSE Linux Enterprise Server 12.1.
• This release resolves an upgrade issue that caused error 1603.
• This release resolves an issue that caused the security software to show local alerts with no text.
• This release resolves an issue that caused the Network Extension (NEXT] to stop when it encountered HTTP communications with very long URLs.
• This release resolves an issue that caused constant screen rotation on devices that had an operating system bug.
• This release resolves an issue that caused a memory leak in the Android protection. This issue occurred when you changed the display size with the WatchGuard Mobile Security app in the foreground.

New Features

• In the Device Control settings, you can now disable AutoPlay on removable storage devices.

Enhancements

• Anti-tamper protection now supports Linux computers. When anti-tamper protection is enabled, attackers cannot stop the Endpoint Security software. You can also require a password to uninstall the software from Linux computers.
• Two-factor authentication is now available for Linux computers.
• The Computer Protection Status list now shows the status of the endpoint connection to the Collective Intelligence and URL classification servers for Linux and Mac computers.
• The computer details page for Linux and Mac computers now shows the status of the connection to knowledge servers.
• From the management UI for Linux and Mac computers, you can now remotely uninstall the WatchGuard Agent and the Endpoint Security software installed by the agent.

Resolved Issues

• This release resolves an issue that occurred when temporary files created when Microsoft Office files were edited could not be deleted from the server.
• This release resolves a security software self-diagnosis issue that caused an unchecked exception that could lead to service crashes.
• This release resolves an issue that caused Endpoint Security to show multiple blocked page notifications. This prevented the computer screen from being locked and could leave the computer exposed to unauthorized access.
• This release resolves a issue found in protection version 8.00.23, which could allow arbitrary file creation and exposure to a denial-of-service attack.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue that enabled users to sometimes go to web domains that belong to Web Access Control blocklisted categories.
• This release resolves an issue with detection of certain PUPs by the Endpoint Security protection for macOS.
• This release resolves an issue with the macOS protection that caused the service to hang for approximately 30 seconds on older computers with limited resources.

New Features

Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA) v1.1

This Endpoint Security Plug-in for Kaseya VSA release updates the steps to install, configure, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA).

Enhancements

• On 26 November 2024, if your firewall or proxy server is not configured to allow connections to and from *.pandasecurity.com, then you must update settings to allow connections from EDR Core to some specific required URLs. For more information, go to this Support blog post: Update to URLs Required by WatchGuard Endpoint Security Products.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.5

This Endpoint Security Plug-in for ConnectWise Automate release updates the steps to install, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Enhancements

• The Endpoint Security software now supports TLS 1.2 protocol natively for Windows 7, Windows Server 2008 R2 (Kernel 6.1), Windows 8, and Windows Server 2012. For more information, go to this Support blog post: End of Support for TLS 1.0 and TLS 1.1.

Enhancements

• You can now enable advanced scanning with AMSI detection. You can enable AMSI detection technology and exclude specific processes. This feature requires Windows protection v8.00.23.0000 or higher.
• When you configure Risk settings, you can now specify which folder, file, and extension exclusions you want to impact the computer risk level assessment.
• You can now enable and disable local alerts on Mac computers and customize malware, firewall, and device control alerts.
• You can export recipient email addresses configured in the My Alerts settings for all users in an account.
• You can now cancel or delete all tasks at one time.
• Endpoint Security now supports Windows Server 2025 in Windows protection v8.00.23.0000 or higher.
• Endpoint Security now supports macOS 15 Sequoia in macOS protection v3.05.00.0000 or higher.
• Endpoint Security now supports these Linux distributions: OpenSUSE 15.3, 15.4, 15.5, and 15.6; SUSE 15 SP6; Fedora 39 and 40; Red Hat/Oracle/Rocky/Alma 8.9, 8.10, 9.3, and 9.4; Ubuntu 23.10 and 24.04; and Mint 21.2, 21.3, and 22. This feature requires Linux protection v3.05.00.0000 or higher. For more information on distributions, go to Linux.
• On 30 September 2024, protection for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, as well as macOS Yosemite, El Capitan, Sierra, High Sierra, and Mojave will become End of Sale (EOS). Windows 2008 R2 will continue to be supported. After that date, you will not be able to add devices to the management UI or install the protection software on new computers that run these operating systems versions.
  • On 30 April 2025, our Windows and Mac protection for these OS versions will become End of Life (EOL).
  • After the EOL date, the product license will be automatically removed from all computers that run these OS versions, and you will not be able allocate licenses to affected computers.

Resolved Issues

• This release resolves an issue that caused the security software to send the same alert email notifications repeatedly over several days.
• This release resolves an issue that caused the security software to classify URLs as “unknown category” and block them on some computers.
• This release resolves an issue that prevented user login to a corporate website.
• A fix was made to make sure that security software upgrades after computer shutdown did not take too long. The computer does not wait for the PSANHost process to close.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue that caused the security software decoy files to create temporary files and folders after backup sessions.
• This release resolves an issue where ATC.exe did not run on Server Core because of a dependency.
• This release resolves an issue that caused on-demand scans of PDF files to not finish.
• This release resolves a vulnerability found in the security software decoy files.
• This release resolves an issue with Linux protection signature file permissions after a security software upgrade.
• This release resolves a self-diagnosis issue that caused the security software to sometimes incorrectly report an error.
• This release resolves an issue where uninstallation of the security software from a Mac device prompted you to keep the quarantine folder even though it was empty.
• In environments with proxy communications, fixes were made to the network infrastructure to prevent random BSOD errors. [WGUA-4183]
• The decoy files feature no longer causes false positive detections associated with svchost.exe. [WGUA-4287]

Enhancements

• These enhancements are in Windows protection v8.00.22.0025 and higher:
  • Performance improvements for multi-user environments such as RDS environments. [KER-822]

Resolved Issues

• These issues are resolved in Windows protection v8.00.22.0025 and higher:

  • This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
  • This release resolves an upgrade issue that stopped protection services.
  • The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
  • This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
  • For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]

Resolved Issues

• This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
• The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
• This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
• Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608 ]
• General high RAM and CPU usage issues are improved. [WGUA-1976]
• Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
• This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
• AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
• Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
• Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
• When the user selects, “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
• When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
• This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
• When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
• Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
• Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]

Resolved Issues

• Minor bug fixes and improvements to the onboarding applications for the NinjaOne, N-able N-sight, and N-able N-central plug-ins.

New Features

• In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
  • You can also configure computers or computer groups to not install patches.
  • When you create a patch installation task, you can select to install patches on only test computers.

Enhancements

• In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
• Web Access Control settings now include these new Artificial Intelligence content categories: Generative AI – Conversation, Generative AI – Multimedia, Generative AI – Text & Code, and Other AI ML Applications.
• When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
• You can now download signature files over HTTPS.

Resolved Issues

• When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
• Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
• When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
• A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
• When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.

Enhancements

• These enhancements were made in Windows protection v8.00.22.0024 and higher:
  • The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when WatchGuard EPP cannot stop a driver.
  • Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.

Resolved Issues

• These issues were resolved in macOS protection v3.04.00.0000 and higher:
  • If you close the lid of a MacBook to shut it down and then open the lid to wake it, scans in progress (immediate and scheduled) are no longer affected.
  • A fix was made to make sure that Mac computers with low resources and slow web browsing do not allow access to URLs blocked with the URL filtering feature.
• These issues were resolved in iOS agent v2.01.17.0006 and higher:
  • When you configure time slots in the URL filtering feature, they also apply to the lists of allowed and denied URLs.
  • New URL categories added to the URL filtering feature are now handled correctly and are no longer treated as unknown URLs.
  • WatchGuard EPP on iOS devices now reports the threat type correctly when it detects and blocks phishing URLs.
  • Anti-theft protection for iOS now sounds the correct alarm and can make calls to the phone number specified in the remote alarm feature.
• These issues were resolved in Windows protection v8.00.22.0024 and higher:
  • A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
  • The URL filtering feature prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
  • A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
  • The AMSI detection technology now respects the path exclusions configured in the protection software settings.
  • You can now disable URL filtering local alerts.

Resolved Issues

• Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.

Enhancements

• Full Encryption with FileVault Technology is now available for Mac devices with macOS Catalina 10.15 or higher. The Full Encryption license requires as many endpoints as the total number of endpoints encrypted with Windows BitLocker or macOS FileVault. Encryption runs in the background and there is no impact on performance. You can see the encryption status of both Windows and Mac computers on dashboards and in lists.
• To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
• Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
• In the Patch Management module, you can now filter the list of available patches by patch release date.
• In the Patch Management module, new columns in the extended installation history export file provide information about the tasks that installed the patches.
• The message text that shows on user computers when a reboot is required to install a patch has changed. The updated text indicates that the reboot is required by the patched software, not the WatchGuard Endpoint Security product or Patch Management module.
• In the list of discovered computers, you can now select all unprotected computers.

Resolved Issues

• When you create a list of patches and sort it by computer, an error no longer occurs when you try to view the patch details.
• When a patch description contains the + symbol, information still appears when you view the patch details.
• When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
• When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
• Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue to make sure that URL filtering can classify web pages in IPv6 environments. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue that caused a rare BSOD error when the server generated malformed network packages. This fix requires Windows protection version 8.00.22.0023 or higher.
• The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
• Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.

Resolved Issues

• An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues: 
  • Network access enforcement (VPN enforcement) now works for endpoints with macOS v3.03.00.0003 and higher. [WGUA-1913]
  • The network extension no longer stops working and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
  • When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
  • macOS v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]

Enhancements

• An updated version of the Android app and communication agent is now available. The updated version includes these enhancements:

  • Users are not prompted to Disable App Hibernation when the app is installed on an MDM profile in Device Owner or Work Profile mode. This enhancement requires Android app v3.8.14 or higher.

  • The Android app v 3.9.3 and higher now support Android 13 natively. Previous versions of the Android app also work on Android 13, but in compatibility mode.

  • A new Show Notifications permission was added to show notifications to users on Android 13 or higher. Requires Android app v3.9.3 or higher.

  • A new privacy policy and notification that describe how we collect, use, and share data processed by the app, and how to access it was added. The policy appears the first time you open the Android app in v3.9.3 or higher. You can also review it from the About page.

New Features

Endpoint Security Integration for NinjaOne

With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.

Enhancements

• WatchGuard EPP now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
• If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.

Resolved Issues

• Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
• Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
• Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.3

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

• You can now select an Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
• You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
• You can now search for clients and accounts by name on the Map Clients page.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Resolved Issues

• Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
• Resolved an issue where scheduled reports do not include the details of available patches.
• Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.

Enhancements

• Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
  • The protection software upgrade process better retains settings defined in a previous version.
  • Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
  • When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
  • Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.

• In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.

Resolved Issues

• In the updated version of the Windows protection software or agent:
  • Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
  • Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
  • The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
  • WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
• macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.

New Features

Endpoint Security Plug-in for N-able N-sight

With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.

New Features

WatchGuard Advanced EPDR

You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.

Vulnerability Assessment

• The new Vulnerability Assessment feature automatically discovers operating system and third-party software vulnerabilities on your Windows, macOS, and Linux workstations and servers. You can run search tasks to check whether vulnerabilities that hackers could exploit are present in your network. For a complete list of possible vulnerabilities, review the list of critical patches.
  • The Vulnerability Assessment dashboard shows detected vulnerabilities on computers in your network. It is only available for customers without the Patch Management module.
  • The Available Patches list shows the number of affected computers.
• To view details about affected computers, to patch vulnerabilities on demand, or to create a recurring task to install patches, you can purchase WatchGuard Patch Management, or start a 30-day free trial of the Patch Management module.

Enhancements

• Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that the Endpoint Security software is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
• The Patch Management module now supports macOS and Linux computers.
  • For macOS computers, you can patch both the operating system and third-party applications.Operating system patches for macOS devices with ARM-based processors (M1 and M2) require the computer user password and a forced restart.This updated version of Patch Management also includes automatic patch detection and the ability to patch macOS Catalina, Big Sur, Monterey, and Ventura systems on demand or as scheduled.
    • To optimize bandwidth use and centralize patch downloads, macOS devices can install patches from a Windows cache computer. You can specify these cache computers in the Network Services settings.
  • For Linux computers, you can patch both the operating system and third-party applications. This release adds automatic patch detection and the ability to patch Red Hat 7 and 8, CentOS 7, and SUSE 12 and 15 systems on demand or as scheduled. Future releases will support additional distributions.
    • Linux devices use the caching mechanisms implemented on the system to install patches, not the caching mechanisms configured in Endpoint Security.
  • On the Patch Management dashboard and lists, you can now filter by operating system (Windows, macOS, or Linux). A new Programs with Most Available Patches tile shows programs with patches pending installation. A new Available Patches by Computers list shows patches pending installation on computers on the network.
    • In the Available Patches list, you can filter the list by operating system (Windows, macOS, or Linux). You can also filter by Windows, macOS, and Linux applications that Patch Management can update. By default, recurring patch installation tasks install only Windows patches. To install macOS or Linux patches, you select them manually in the section where you specify the software you want to update. To review a list of the software Patch Management supports, go to the WatchGuard website.
• Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant Endpoint Security management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
• You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported by Windows, macOS, and Linux workstations and servers
• Linux protection version 3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
• On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.

Resolved Issues

• A fix was made to make sure that the Available Patches Trend graph reflects the exact number of available patches.
• When the Patch Management module is overallocated, Endpoint Security does not delete patch installation tasks. Tasks are disabled and then re-enabled when the account is no longer overallocated (within a 30-day grace period).
• When the Automatic Deletion of Computers option in Computer Maintenance is enabled, Endpoint Security deletes the computers from the management UI, but does not uninstall the WatchGuard Endpoint Security software.
• WatchGuard Endpoint Security now shows detections made by the decoy files technology in management UI reports.
• Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
• WatchGuard Endpoint Security now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
• In rare cases when there is a timeout error due to no network traffic, the firewall technology in WatchGuard Endpoint Security continues to run.
• A fix was made to cancel the installer when Windows Update updates are in progress.
• A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
• macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
• A fix was made to make sure that local alerts show on macOS computers.
• macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
• This release resolves an issue on macOS computers when URL Filtering was enabled. When you connect to a macOS computer with AnyDesk, a warning message (URL https://AnyDesk was “Uncategorized”) no longer appears and disconnects the computer. Requires macOS protection v3.03.00.0001 or higher.
• When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
• On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
• A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
• On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
• On Linux computers, WatchGuard Endpoint Security does not send duplicate detection reports when the Endpoint Security software upgrades.
• On devices that run Android 12 or higher, when the security app installs on a managed profile (work profile), the app does not prompt the user to disable the App Hibernation permission.

Enhancements

• The Android app version 3.8.10 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Ability to use Snap the Thief on locked devices.
  • New permission requirements for Ignore Battery Optimizations and Disable App Hibernation.
  • To comply with Google’s security policies, we have removed the feature to automatically install Android apps from unknown sources. These apps are installed after they are scanned.
  • We have improved log generation to speed up incident resolution.
• The iOS app version 2.01.16.0006 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Access to our knowledge base for URL filtering on HTTPS.
  • Logs are more detailed to speed up incident resolution.

Resolved Issues

• In version 3.8.10 of our Android app, we resolved an issue that occurred on certain devices when you scanned the QR code to install and integrate our app for Android.
• These issues were resolved in version 2.01.16.0006 of our iOS app:
  • The app now requests geolocation permissions when required.
  • The app now requests permission to send notifications when required.
  • In the installation wizard for iOS devices, the Installation Complete screen always shows at completion.
  • The Web Access Control feature no longer blocks multiple web pages.

Enhancements

• The Windows protection v8.00.21.0005 includes a fix to prevent temporary disruptions of the protection service from affecting other sessions with logged-in users.
• The Windows protection v8.00.21.0005 now optimizes decoy files to not regenerate in closed remote desktop sessions.

Enhancements

• The Linux agent service now restarts automatically after a crash.
• Core files created by the Linux protection and agent are automatically deleted. The Linux agent service now deletes the oldest core files until there is at least 1 GB of free disk space.

Enhancements

• Email alerts now include the customer name and the WatchGuard Cloud account ID.

Enhancements

• WatchGuard EPP now supports iOS 16 / iPadOS 16.

Enhancements

• The Windows protection version 8.0.0.21.0004 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Performance improvements for Windows servers with multiple users working at the same time, such as RDS environments.
  • Performance improvements to the Decoy Files feature for servers with many concurrent users.
  • Correction of an issue where there was a protection service outage with file paths that exceed the maximum length permitted by the operating system.
  • Correction of an issue with the mv.sig signature file that caused slowdowns on certain servers.
  • Fixes for a new vulnerability that affects most anti-virus and EDR vendors. For more information about the vulnerability, go to https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities.
  • Correction of an issue where the Windows protection stopped working on computers with the FSLogix application installed.
  • Correction of an issue that prevented the creation of firewall rules on servers.
  • Correction of an issue with the VMware VMXNET3 adapter, where files copied over the network were modified (SMB).
• WatchGuard Endpoint Security now includes these categories in the URL filtering feature: Collaboration Office – Apps, Collaboration Office – Documents, Collaboration Office – Drive, and Collaboration Office – Mail.
• The Linux agent version 1.11.04.0001 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Optimization of tasks performed by the Linux agent to prevent performance issues on servers with thousands of active sessions.
  • Correction of an issue where the protection could not be updated.
  • Correction of an issue where there were continuous errors when the event queue became full.

New Features

Risk Assessment

• A new Risk dashboard enables you to monitor risks on managed computers. The dashboard includes tiles that show the risk level for each computer in the organization, the risk trend, the most detected risks, and the top 10 computers at risk.

• Risk settings enable you to specify the risk types you want to detect on computers. You can disable risk types that you do not want to detect. We recommend a risk level for each risk type that you can change, if required.
• WatchGuard Endpoint Security detects these risk types automatically: Computer Protection Status, Inadequate Settings, and Detection of Indicators of Attack (IOA). If you have the Patch Management module, WatchGuard Endpoint Security also detects Critical Patches Pending Installation.
• The computer details page for each endpoint now includes risk information, such as the overall risk level.
• This release adds two new lists: Detected Risks and Risks by Computer.
• You can include risk information in the executive report.

Discovery of Unmanaged Computers through Active Directory

• Discovery computers can use up to three Active Directory servers to find computers registered in Active Directory. Unprotected computers found in Active Directory show in the Unmanaged Computers Discovered list. You can remotely install the endpoint security software on unmanaged computers from the management UI.
• In the Unmanaged Computers Discovered list, the computers you find with Active Directory show the Active Directory path where they are located. The Active Directory path also appears for macOS and Linux computers.
• The installation page for macOS and Linux computers now includes the option to add computers to their Active Directory path.
• The Move to Active Directory Path option is now available for macOS and Linux computers.

Automatic Deletion of Computers

• On the Computer Maintenance page, you can configure VDI environments and now also configure WatchGuard Endpoint Security to automatically delete computers from the management UI based on a filter. Every day, WatchGuard Endpoint Security automatically deletes all computers that meet the criteria in the filter. Deleted computers that reconnect to the platform reappear in the management UI.
• WatchGuard Endpoint Security tracks deletions in System Events.

Patch Management — Available Patches Trend Graph

• On the Patch Management dashboard, an Available Patches Trend graph shows the number of patches that are available for installation on the computers on the network, over time (seven days, one month, one year). This information also shows for individual computers on the Detections tab of the computer details page.
• You can filter the Available Patches Trend tile by computer type (laptop, workstation, and server) and patch type (operating system patches and app patches).
• In the Available Patches list, you can export trend data about patches pending installation to a file for analysis.
• The executive report now includes the Available Patches Trend tile.
• In the Restart options section of an install patches task, you can now specify the maximum time that the system waits before it forces a restart on the computer to complete the installation of the patch (the default time is four hours). You can restart immediately when the task is scheduled or delay the restart up to seven days.

Enhancements

• The WatchGuard EPP management UI now opens in the WatchGuard Cloud user interface, instead of in a new browser tab.
• When a new version becomes available, a notification appears in the management UI that enables users to begin the upgrade on demand.
• On the Security dashboard, the Malware Activity, PUP Activity, and Currently Blocked Programs Being Classified tiles show when a computer visible to you is infected after a file was copied from another computer on the network. The information includes the IP address of the computer where the infection originated.
• You can export tasks in the account to a .CSV file to easily identify tasks in progress, affected computers and groups, and other task information. You can filter the task list by task status (No recipients, In progress, Finished, and Canceled). When you copy a task, you can copy its settings with or without the recipients.
• Secure VPN is now available for computers with macOS. With Secure VPN, all VPN connections must meet specified security requirements before they connect to VPN networks.
• On macOS computers, a progress dialog box now opens during installation.
• The process that communicates with Windows Security Center (WSC) in Windows 11 is protected at all times with ELAM to meet a future requirement of Windows 11 22H2.
• WatchGuard Endpoint Security now supports macOS Ventura 13. macOS Ventura requires macOS protection v3.02.00.0000 or higher.
• WatchGuard Endpoint Security now supports these Linux distributions: CentOS Stream, Alma Linux, and Rocky Linux. These distributions require Linux protection v3.02.00.0000 or higher.
• This release includes performance improvements on Linux servers with high workload. These improvements require Linux protection v3.02.00.0000 or higher.
• You can now export a simplified computer list to a .CSV file that does not include configuration details.
• From the Computers page, on the Filter tab, you can now search filters by name.
• Anti-tamper protection improvements for Windows now prevent the deletion of WatchGuard Endpoint Security files through registry modifications that run when the computer starts. This also prevents changes to WatchGuard Endpoint Security process permissions. These improvements require Windows protection v8.00.21.0000 or higher.
• This release includes updates to third-party libraries to fix vulnerabilities. These improvements require Windows protection v8.00.21.0000 or higher.

Resolved Issues

• To prevent false positives with Office 365 and some backup programs, when a decoy file is opened exclusively, the WatchGuard Endpoint Security does not detect it as a write action.
• To avoid continuous synchronization with OneDrive, decoy files are not identified as Office files
• WatchGuard Endpoint Security does not stop working when you run Sandbox on Windows.
• A fix was made to make sure that WatchGuard Endpoint Security always blocks URLs that belong to a denied category in URL Filtering.
• If there is a data error in a report, WatchGuard Endpoint Security dismisses the error and sends the report.
• The macOS protection continues to respond when Time Machine performs Incremental backups in the background.
• When the macOS protection updates to Catalina, the Endpoint Protection Network driver also updates.
• The macOS protection continues to work when you scan Catalina systems on demand.
• This release resolves an error that canceled the installation of the protection on a Red Hat Enterprise Linux 6.7 (Santiago) server shortly after he installation started.
• You can now change the recipients of a recurrent task (scan or patch installation tasks).
• You can filter the Hardware Inventory list by any supported operating system (Windows, macOS, Linux, Android, and iOS). The exported information contains data from all systems.
• If a machine uses the IPv6 protocol to communicate, the management UI now shows the full IP address.
• Improvements were made for Linux systems to make sure that we do not report malware when we are monitoring suspect behaviors that are not confirmed as malware.
• Fixed issue on Linux systems that caused errors in the psanhost process.

New Features

Endpoint Security Plug-in for N-able N-central

With the new Endpoint Security plug-in for N-able N-central, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, see About the WatchGuard Endpoint Security Plug-in for N-able N-central in Help Center.

Enhancements

• The Linux protection software includes multiple performance improvements that are particularly noticeable on servers with heavy workloads.
• The Linux protection software now supports the latest versions of supported Linux distributions (Fedora 35, Red Hat 8.6, and Ubuntu 22.04). Requires Linux protection version 3.01.00.0003 or higher. For more information, see WatchGuard Endpoint Security Installation Requirements.

Resolved Issues

• For the Linux protection software, we resolved an issue encountered when you update kernel modules in SUSE.

New Features

• You can now centrally manage iOS smart phones and tablets with WatchGuard EPP. The new WatchGuard Mobile Security client app enables:
  • Anti-theft protection for iOS devices with device geolocation, remote wipe, remote lock, and remote alarm in the event of theft or loss of the device.
  • URL filtering for iOS devices in supervised mode. This includes the ability to deny access to pages by category on specified days and at specified times. You can also add URLs to the exceptions list. For more information, see About Supervised Mode on iOS Devices in Help Center.
  • Web protection for iOS devices in supervised mode. This includes the ability to filter malicious URLs and prevent phishing attacks. For more information, see About Supervised Mode on iOS Devices in Help Center.
  • Hardware and software inventory for iOS devices in the web UI.
• A new WatchGuard mobile device management (MDM) solution provides access to all protection features available with the WatchGuard Mobile Security app. For more information, see About the WatchGuard MDM Solution in Help Center.
• The Android client app was rebranded to WatchGuard Mobile Security from version 3.7.0. For Android 11 or higher, the app is customized based on the platform where your solution is integrated.
• In a Per-Computer Settings profile, you can now enable shadow copies. Shadow Copies is a Microsoft Windows feature that enables you to restore previous versions of files. Requires Windows protection version 8.00.20.0001 or higher.
• In the Antivirus settings of a Workstations and Servers Settings profile, you can enable decoy files to use as bait to detect attacks that change files stored on computers. Decoy files require Windows protection version 8.00.20.0001 or higher.
• This release includes new deep learning technology that provides an additional machine learning technique in the protection model. Requires Windows protection version 8.00.20.0001 or higher.
• In Network Services, you can enable secure VPN. With secure VPN, all VPN connections must meet specified security requirements before they connect to VPN networks.
• This release includes new protection (v3.00.00.0000 or higher) for macOS computers that run macOS Catalina 10.15 or higher. The protection includes a new local UI and uses network extension technology to intercept network traffic. This can intercept traffic when connected by VPN, so web protection and URL filtering is available when you use any VPN. The network extension technology replaces SQUID, which was removed in macOS protection v3.00.00.0000 or higher.

Enhancements

• You can now select the type of device to run scan tasks on (laptop, workstation, server, or mobile device).
• You can now select the type of device to run patch installation tasks on (laptop, workstation, server, or mobile device).
• A new column shows the number of antivirus detections of a reported attack.
• If an error occurs during the installation of the Linux and macOS software, detailed information shows in the Protection Status list. The protection status list also shows information about the status of the advanced protection for Linux systems.
• The computer details page now shows the public IP address of the computer (Windows, macOS, Linux) or mobile device
• In the Patch Management dashboard, a new tile shows information on the computers with the most vulnerabilities.
• In the Patch Management dashboard, a new tile shows information on most available patches for computers in the organization.
• The Patch Management dashboard now shows the number of computers that require a restart to finish installation of a patch.
• In the Patch Management Available Patches and Installation History lists, a new filter enables you to filter operating system patches and third-party software patches.
• In the Full Encryption dashboard, you can now use the encrypted device ID to search for recovery keys.
• The process to validate the certificates required to communicate with specific domains safely was improved. Requires Windows protection version 8.00.20.0001 or higher.
• The anti-tamper protection was improved with ELAM (Early Launch Anti-Malware) technology on Windows 10 and Windows Server 2019 or higher operating systems. Requires Windows protection version 8.00.20.0001 or higher.
• To speed up data loading, the list of detections made by the Device Control module is now limited to the last seven days.

Resolved Issues

• In a scheduled scan on Android devices, detections are reported only when the task runs correctly.
• When a user with restricted privileges modifies hardware and detected threats reports, the reports are not sent by email.
• When a user with read-only permissions tries to export the Computers list, all information is now exported.
• In Patch Management, this release improves the reporting of patch installation tasks on computers with an incorrect date and computers where the time was changed.
• In silent installations, the First Installation window no longer appears when a temporary signature update error occurs.
• When you try to install the software with the option to update signature files disabled, the installation does not freeze.
• Exclusions for the permanent protection now apply to Windows AMSI (AntiMalware Scan Interface).
• This release significantly improves performance when you open Microsoft Access files.
• The computer does not stop working on rare occasions when network packets are inconsistent.
• The computer does not stop working if you open Outlook while it is scanning inconsistent network packets.
• This release improves the management of URLs in blocklists.
• This release resolves a POP3 issue to enable connections when the email protection is active.
• IPv6 public IP addresses now show correctly in the web UI.
• When you install patches that require a restart and user consent and several days pass without a user response, and then you try to install new patches that require a restart, the communications agent does not crash.
• If you install the agent on an ARM-based Windows 11 Education computer, the protection now installs.
• When you try to install the software on extremely slow computers, there is no longer a double installation which uninstalled the installed antivirus and caused an unnecessary restart.
• The new macOS protection (version 3.00.00.0000 or higher) for systems that run macOS Catalina 10.15 or higher includes a new network interceptor that optimizes browsing speed and enables you to open URLs which, in TLS 1.3 connections, could not open with the SQUID technology.
• The new macOS protection (version 3.00.00.0000 or higher) for systems that run macOS Catalina 10.15 or higher resolves issues when you log in to online services such as OneDrive or Google Drive.

Enhancements

• When you start a trial of WatchGuard EPP or a module, the license can now be used for up to 250 endpoints.

Resolved Issues

• Patch Management has entered into End of Life (EOL) for these operating systems: Windows XP, Windows Vista, and Windows Server 2003.

New Features

Endpoint Security Modules

With a license of WatchGuard EPP, you can now activate licenses for these endpoint security modules:

• WatchGuard Full Encryption — Encrypts and decrypts disks and USB drives centrally, without impact to end users
• WatchGuard Patch Management — Manages operating system and third-party application vulnerabilities on your workstations and servers

For more information, see WatchGuard Endpoint Security Modules.

Enhancements

• In the Firewall settings of a Workstations and Servers settings profile, you can now add exclusions by IP address or an IP address range to the blocked intrusions list. Requires Windows protection version 8.00.19.0010 or higher.
• When you select Computers > Add Computers, you can now specify when the Windows installer file expires. After the expiration date, if users try to start the installer, a message informs them that the installer is expired, and they should download a new one or contact their administrator.
• A computer with the cache role can now send patches to every computer in the customer network, regardless of the subnet it belongs to. You can also filter the Patch Management Installation History list for Last 7 days and Last month. Partners can send this report to their customers as part of the managed service they offer.
• On Windows Legacy operating systems (Windows Vista, Windows 7, and Windows Server 2008), only SHA-256 signed drivers are allowed. To install a protection version higher than 8.00.19.0001, the Windows Legacy operating system of the target computer must be up to date and compatible with SHA-256 driver signing. For more information, see Update Required to Support SHA-256 Signed Drivers.
• Anti-tamper protection now leverages Early Launch Anti-Malware (ELAM) technology included in Windows 10 and Server 2019 or higher operating systems.

Resolved Issues

• In the web console (for example, Computer Details), Windows 11 devices now show correctly as Windows 11.
• Windows protection v8.00.19.0010 is required for new installations on ARM processors with Windows 11 (used in Surface devices and some specific laptops).
• A BSOD error no longer appears when you install the NeuShield software. Requires Windows protection version 8.00.19.0010 or higher.
• A BSOD error no longer appears when the SSL header of a message fragments into multiple network packets. Requires Windows protection version 8.00.19.0010 or higher.
• When you enable the network discovery feature in the firewall, the defined configuration and Internet connectivity are not lost.
• When you install patches that require a restart, the pending restart notification now disappears after a period of time.
• When you create a weekly report, the dates in the report schedule are correct, not one day before the configured dates.
• The Automatic proxy discovery using Web Proxy Autodiscovery Protocol (WPAD) setting is now applied correctly.

Enhancements

• WatchGuard EPP now includes support for macOS 12 Monterey and Android 12.

New Feature

Endpoint Security Plug-in for Kaseya VSA

With the Endpoint Security plug-in for Kaseya VSA, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, see About the WatchGuard Endpoint Security Plug-in for Kaseya VSA in Help Center.

Endpoint Security Plug-in for ConnectWise Automate v1.1

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

• A new Reports tab enables you to access detected threat details for a customer and filter by threat type and time period
• You can now configure the events and security incidents that generate an alert or a ticket in ConnectWise
• Detected threats now include data on Exploits and Indicators of Attack (IoA)
• The Assign Security Configurations action now supports both Computers and Android devices

For more information, see About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate in Help Center.

Enhancements

• WatchGuard EPP now includes support for Windows 11 and Windows Server 2022.

New Features

Endpoint Security Modules (Beta)

With this beta feature, you can start, extend, upgrade, and cancel trials for these endpoint security modules in WatchGuard Cloud:

• WatchGuard Full Encryption — Encrypts and decrypts disks and USB drives centrally, without impact to end users
• WatchGuard Patch Management — Manages operating system and third-party application vulnerabilities on your workstations and servers

To start a module trial, you must have a WatchGuard EPP license. The number of endpoint devices allocated in a module trial cannot exceed the number of devices in the endpoint security product license. The number of endpoint devices allocated in the trial, however, can be less than the number of devices in the endpoint security product license.

To learn more or to report an issue, go to WatchGuard Endpoint Security Beta test community.

Enhancements

• WatchGuard EPP now includes support for Oracle Linux distributions and kernel versions, including Oracle Linux 6.X, 7.X, and 8.X.

Enhancements

• On the computer details page, a new Detections tab shows detections, unpatched vulnerabilities, indicators of attack, and more. The information available on the tab depends on the WatchGuard Endpoint Security product.
• On the Tasks page, you can now cancel and delete multiple tasks at the same time.
• You can now schedule scans to run on any day of the week or month, at the time you specify.
• On the Computers > My Organization tab, you can now search the list of groups.
• For some reports, you can schedule and send a full or summary version of the exported list (for example, the software inventory list).
• In the Computer Protection Status list, a new Connection to Knowledge column shows the status of computer communications with the Collective Intelligence servers and the servers used for URL classification. This column is available for Windows computers only.
• WatchGuard Endpoint Security now scans programs launched on Windows startup to make sure that all programs loaded in memory are trusted.
• This release includes optimizations to the Web Access Control module cache to reduce cloud queries when URLs are classified.
• The WatchGuard Endpoint Security firewall now includes support for IPv6 traffic filtering for all protocols.
• This release includes support for the latest versions of supported Linux distributions (Fedora, Red Hat, CentOS, etc.).
• This release includes support for SUSE 11 SP2 and later, SUSE 12, and SUSE 15.
• The Linux agent installer now includes a new parameter to specify proxy settings.
• The Linux protection automatically upgrades when necessary after an upgrade of the Linux kernel or installation of the distribution.
• This release includes performance improvements to the Linux protection for specific distributions where management of multiple threads was not optimal.
• In the Web Access lists, when you select a custom range, you are now limited to one month of data.
• Exchange Server protection is now end of life and no longer included in new accounts. Upgraded accounts still see Exchange Server protection settings and tiles, and customers that had the settings prior to July 2021 will continue to receive them.

Resolved Issues

• When you select the All filter in the Currently Blocked Programs Being Classified list, all items now show instead of only items for the last month.
• On the Status > Security dashboard, when you click the Malware activity tile, and then click the VirusTotal link, an information page for the specific malware now opens.
• WatchGuard Endpoint Security continues to work when it encounters inconsistent DNS network packets or when rare errors occur when the Automatically Detect the Network Type setting is enabled.
• When you create a filter that includes hardware and software fields, you can now select multiple computers.
• If you disabled protection upgrades in the Per-Computer Settings, an upgrade error does not display in the computer details page. A message indicates that upgrades are disabled.
• Group names now display correctly on the Computers > My Organization tab when there are multiple subgroups in a group at the top level and one of the subgroups is collapsed.
• Users no longer receive a second prompt to restart the computer after the computer upgrades and restarts.
• WatchGuard Endpoint Security now correctly detects Windows 10 version 21H1.

• Initial release of product. For information on WatchGuard EPP, see WatchGuard Endpoint Security Help.