WatchGuard EDR Core Features
Applies To: WatchGuard EDR Core
WatchGuard EDR Core is included in the Firebox Total Security Suite license. EDR Core includes a subset of WatchGuard EDR features and supports XDR capabilities through ThreatSync. You can install EDR Core alongside third-party endpoint products to detect and protect against fileless and malwareless attacks, including ransomware and APTs. EDR Core also includes anti-tampering and anti-exploit protection, as well as contextual detections, decoy files, and VPN validation.
For information on ThreatSync, go to About ThreatSync.
EDR Core includes a subset of the features available with WatchGuard EDR and is a replacement for the Threat Detection and Response (TDR) Host Sensor. EDR Core does not include a firewall, antivirus, web access control, device control, shadow copies, Endpoint Access Enforcement, or program blocking. You must upgrade to WatchGuard EPDR or Advanced EPDR to take advantage of these features, the Zero-Trust Application Service, and the endpoint security modules.
When you purchase and activate Passport or an endpoint security subscription license for WatchGuard EPDR, the existing EDR Core license with Total Security Suite automatically upgrades to WatchGuard EPDR. The EDR Core license becomes inactive. For information on how to upgrade your EDR Core license to WatchGuard EPDR, go to Activate Additional Licenses.
EDR Core supports these client platforms:
- Windows (Intel and ARM)
- Linux
- macOS (Intel and ARM)
For more information, go to Installation Requirements (external) in the WatchGuard Endpoint Security Release Notes.
EDR Core Basic Features
You can create security settings profiles in EDR Core similar to the profiles you create in WatchGuard EDR. For more information, go to Manage Settings.
These basic features are available with EDR Core and you can assign them to your endpoints through security settings profiles:
- Anti-tampering protection
- Visibility into the hardware and software on an endpoint
- Remote restart and reinstallation of the endpoint agent and protection software on the endpoint
- Isolation of an endpoint
- Discovery of unprotected endpoints
- Tracking of user actions in the Endpoint Security management UI
If you plan to use EDR Core with third-party antivirus software, add exclusions in both the third-party product and EDR Core so that each product ignores the other's files and processes. Without these exclusions, the two products can scan each other and generate false detections or performance problems. For information on how to create exclusions in EDR Core, go to Create Exclusions in WatchGuard Endpoint Security.
EDR Core Security Features
The security features of EDR Core are similar to those included with WatchGuard EDR. These security features are available with EDR Core:
- Contextual detections, including Host Ransomware Prevention detections
- Decoy files
- Collective intelligence look-up and APT Blocker (programs that run are sent to the cloud and executed in our sandbox to detect unknown threats)
- Anti-exploit protection
- Audit mode only (Hardening and Lock modes require the Zero-Trust Application Service, which is not available in EDR Core.)
- Blocking (EDR Core does not support disinfection.)
- Network access enforcement
These security features are not available with EDR Core:
- Web access control
- Firewall
- Endpoint access enforcement
- Antivirus
- Shadow copies
- Device control
- Zero-Trust Application Service (EDR Core does not classify unknown applications.)
- Scan tasks
- Program blocking
- Authorized software
Feature Comparison
To take advantage of the Zero-Trust Application Service, antivirus, endpoint security modules such as Full Encryption and Patch Management, and the other features listed in this table, we recommend that you upgrade EDR Core to WatchGuard EPDR.
Feature | EDR Core | EDR | EPDR | Advanced EPDR |
---|---|---|---|---|
Network access enforcement | ✓ | ✓ | ✓ | ✓ |
Cross-product detections (ThreatSync) | ✓ | ✓ | ✓ | ✓ |
Response actions: Quarantine, kill, or isolate (ThreatSync) | ✓ | ✓ | ✓ | ✓ |
Contextual detections (fileless malware) | ✓ | ✓ | ✓ | ✓ |
Anti-exploit | ✓ | ✓ | ✓ | ✓ |
Threat Hunting Service and IOA | Partial | ✓ | ✓ | ✓ |
Disinfection after blocked attack | × | ✓ | ✓ | ✓ |
Detect malware when files are copied or downloaded | × | × | ✓ | ✓ |
Endpoint access enforcement | × | ✓ | ✓ | ✓ |
Zero-Trust Application Service | × | ✓ | ✓ | ✓ |
Vulnerability assessment | × | ✓ | ✓ | ✓ |
Network attack protection | × | ✓ | ✓ | ✓ |
Shadow copies | × | ✓ | ✓ | ✓ |
Device control | × | × | ✓ | ✓ |
Firewall including IDS, application rules, and systems rules | × | × | ✓ | ✓ |
URL filtering | × | × | ✓ | ✓ |
Anti-phishing | × | × | ✓ | ✓ |
Web protection | × | × | ✓ | ✓ |
Mobile protection (Android and iOS) | × | × | ✓ | ✓ |
Advanced security policies | × | × | × | ✓ |
IOC and Yara rules | × | × | × | ✓ |
Remote access through command prompt | × | × | × | ✓ |
Detect Advanced IOA (MITRE TTPs) | × | × | × | ✓ |
Optional modules (Patch Management, Full Encryption, and ART) | × | ✓ | ✓ | ✓ |