Control Host Sensor Actions

Threat Detection and Response (TDR) includes several features that work together to control the actions an installed Host Sensor can take on a host.

For recommendations and best practices, see TDR Deployment Best Practices.

Host Sensor Settings

Global Host Sensor settings are configured with recommended values by default. You can also configure Host Sensor settings for a group to override the global Host Sensor settings. The Host Ransomware Prevention Mode applies to Windows Host Sensors. When configured in Prevent mode, Windows Host Sensors take automatic action to prevent ransomware, even if the host is not connected to the Internet or cannot communicate with your TDR account.

For information about Host Ransomware Prevention, see About TDR Host Ransomware Prevention.

For information about how to configure global Host Sensor settings, see Configure TDR Host Sensor Settings

For information about how to configure Host Sensor settings for a group that take precedence over the global settings, see Manage TDR Groups.

Policies

Policies define the actions that a Host Sensor can take automatically based on a CYBERCON threshold and a Threat Score threshold. You can configure policies for individual hosts or groups.

For information about how configure policies for TDR, see Configure TDR Policies

For information about Threat Scores, see About TDR Threat Scores

CYBERCON Level

The CYBERCON level specifies which of the configured policies are active.

For information about CYBERCON levels, see About TDR Cybercon Levels

Exclusions

An exclusion identifies a path that you want all Host Sensors to ignore for file and process events. When you add an exclusion, Host Sensors ignore any events created by a file or process that originate from the specified directory. You can also include all subdirectories in the exclusion.

For more information about Exclusions, see Configure TDR Exclusions

Signature Overrides

You can also configure TDR signature overrides. Signature overrides do not affect which files are scanned by TDR, but they do affect how ThreatSync assigns a score to an event that is reported by a Host Sensor. When you add a signature override, you specify the MD5 values of a file or process and then specify whether to treat the file as safe (on the Whitelist) or malicious.

For more information, see Configure TDR Signature Overrides.

Give Us Feedback  •   Get Support  •   All Product Documentation  •   Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.