Configure Antivirus Scanning
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EPP
In the Antivirus settings of a workstations and servers settings profile, you can configure WatchGuard Advanced EPDR, EPDR, and EPP to scan for viruses in files, email messages, and the websites that users visit. You can specify the types of threats to detect and files to scan, as well as enable decoy files.
When WatchGuard Advanced EPDR, EPDR, or EPP detects malware or the WatchGuard anti-malware laboratory identifies a suspicious file, WatchGuard Endpoint Security takes one of these actions:
- Known malware files when disinfection is possible — Replaces the infected file with a clean copy.
- Known malware files when disinfection is not possible — Makes a copy of the infected file and deletes the original file.
To configure antivirus settings:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- From the left pane, select Workstations and Servers.
- Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
The Add Settings or Edit Settings page opens.
- Enter a Name and Description for the profile, if required.
- Select Antivirus.
- To enable virus scanning of the file system, enable the File Antivirus toggle.
- To enable virus scanning for email applications, enable the Email Antivirus toggle.
When you enable Email Antivirus to scan email messages, WatchGuard Endpoint Security detects threats received over the POP3 protocol and encrypted variant. Email Antivirus scans attachments and URLs in the email. When something malicious is detected, WatchGuard Endpoint Security deletes the email or attachment.
- To enable virus scanning on web browsers to detect threats received over HTTP and HTTPS protocols and encrypted variants, enable the Web Browsing Antivirus toggle.
- Configure Threats to Detect, as required.
- To create decoy files, enable the Create Decoy Files to Help Detect Ransomware toggle.
- To enable advanced scanning of programs that use Windows Anti-Malware Scan Interface (AMSI), enable the toggle.
- To exclude scanning of programs that use AMSI and might cause performance issues, in the Programs text box, type the names of the programs, separated by commas. Include the file extension for each program. For example, Chrome.exe.
- Configure File Types to Scan, as required.
- Click Save.
- Select the profile and assign recipients, if required.
For more information, go to Assign a Settings Profile.
Configure Threats to Detect
Configure the types of threats that WatchGuard Endpoint Security searches for and removes from the file system, mail client, and Endpoint Security management UI installed on user computers. To add an extra layer of protection, you can also enable decoy files.
To configure the threats you want to detect, in the Threats to Detect section:
- Enable the threats you want to detect and block:
- Detect Viruses — Detects files that contain patterns classified as dangerous.
- Detect Hacking Tools and PUPs — Detects unwanted programs (such as programs with intrusive ads and browser toolbars) and tools used by hackers to gain access to your system.
- Block Malicious Actions — Enables anti-exploit and heuristic technologies that analyze process behavior locally and detect suspicious activity.
- Detect Phishing — Detects fraudulent emails and websites.
- If you enable Detect Phishing, in the Do Not Detect Threats at the Following Addresses and Domains text box, type IP addresses and domains you want to exclude from phishing scans, separated by commas.
This text box is not case-sensitive. Access is allowed to all addresses that start with the specified IP addresses and domains, even if the full URL is longer.
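Because exclusions match by prefix, an entry can cover more than the host it names. The following added example (not WatchGuard code) models the rule as described above so you can review a planned exclusion list against URLs from your own proxy or DNS logs. Stripping the URL scheme before comparison is an assumption, all function names are hypothetical, and the hosts and addresses are constructed sample data.

```python
SEPARATORS = "/:?#"  # characters that end the host part of a URL

def normalize(address):
    """Lower-case (the text box is not case-sensitive) and drop any scheme."""
    address = address.strip().lower()
    return address.split("://", 1)[1] if "://" in address else address

def parse_exclusions(text_box):
    """Split the comma-separated text box value into normalized entries."""
    return [normalize(item) for item in text_box.split(",") if item.strip()]

def classify(url, entry):
    """Return 'no-match', 'same-host' or 'extends-host' for one URL and entry."""
    target = normalize(url)
    if not target.startswith(entry):
        return "no-match"
    rest = target[len(entry):]
    # The entry already names a path, or the match stops at a host boundary.
    if "/" in entry or rest == "" or rest[0] in SEPARATORS:
        return "same-host"
    # The prefix ends in the middle of a longer host name or IP address.
    return "extends-host"

def audit(text_box, observed_urls):
    """List (url, entry, verdict) for every observed URL an entry would exclude."""
    entries = parse_exclusions(text_box)
    findings = []
    for url in observed_urls:
        for entry in entries:
            verdict = classify(url, entry)
            if verdict != "no-match":
                findings.append((url, entry, verdict))
                break
    return findings

# Constructed sample data (documentation-reserved names and addresses).
EXCLUSIONS = "Intranet.example.org, 192.0.2.1"
OBSERVED = [
    "https://intranet.example.org/login",
    "http://192.0.2.1/admin",
    "http://192.0.2.10/",
    "https://intranet.example.org.example.net/login",
    "https://www.example.org/",
]

if __name__ == "__main__":
    for url, entry, verdict in audit(EXCLUSIONS, OBSERVED):
        print(f"{verdict:13} {entry:22} {url}")
```

Entries reported as `extends-host` are the ones to review before you save the profile, because they exclude hosts other than the one you typed.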
Decoy files are used as bait on computers and help detect ransomware. When there is an attempt to modify a decoy file, WatchGuard Endpoint Security identifies the process as ransomware and ends the process. In the Threats to Detect section, enable Create Decoy Files to Help Detect Ransomware.
Configure File Types to Scan
Specify the types of files to be scanned by WatchGuard Endpoint Security. To configure file types to scan, in the File Types section, enable the file types you want to scan.
Scan compressed files in emails
Decompresses email attachments and scans their contents for malware.
Scan compressed files on disk
Decompresses compressed files and scans their contents for malware. All compressed files are scanned when they are extracted, modified, or run. For the best performance, we recommend that you do not scan all compressed files on disk.
Scan all files regardless of their extension when they are created or modified
Many types of data files do not pose a threat to the security of computer networks. When you enable this option, WatchGuard Endpoint Security scans all files when they are created or modified. For best performance, we recommend that you do not enable this option.