Configure Authorized Software Settings (Windows Computers)
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR
Authorized software settings can only be assigned to Windows servers or workstations. Authorized software exclusions do not exclude any sub-directories within an excluded directory.
In WatchGuard Endpoint Security, three features prevent program blocking:
Excluded Files and Paths
Excludes specific items or areas on the computer from scans. Unknown software will not be prevented from running. Because this can lead to a security hole, we do not recommended this except where there are problems with computer performance. Only the folder in the specified path is excluded. Subfolders are not excluded.
Unblocking Programs in the Process of Classification
Temporarily allows blocked programs to run but with a reactive approach. The administrator cannot unblock a program unless it has first been blocked.
Because software can consist of several components, and you must unblock each component individually, the process to block and unblock can take some time.
Configure Authorized Software
Proactive unblocking of unknown programs in the process of classification. The administrator can assign settings for programs from a known source which can be used provided no risk is detected. This is the recommended method for unblocking programs.
In an authorized software settings profile, you can configure settings to authorize software or a family of software that you want to allow to run before it is classified. For example, when you know the source of the program and the reason why it has been blocked, you can unblock the program. Examples of programs you might want to unblock include:
- Specific niche programs with very few users
- Programs that update automatically from the vendor website without user interaction
- Programs with functions distributed across hundreds of libraries which are loaded in memory and therefore blocked as and when they are used by the user from program menus
- Client-server model programs, where the client side is hosted on a shared network resource
- Polymorphic software which dynamically generates executable files
Caution: Authorized Software settings enable you to approve the execution of executable binary files, excluding script files, standalone DLLs, and other files. If WatchGuard Endpoint Security blocks a program because it downloads an unknown DLL, authorize the executable file specified in the pop-up message shown on the user computer. After the program is authorized, all DLL files and resources that it uses are also allowed.
After a program has been analyzed, Endpoint Security classifies the program as goodware or malware. If the program represents a threat, it is blocked regardless of whether it was authorized in these settings.
Inherited Authorized Software
By default, you cannot edit or delete the authorized software settings inherited from your Service Provider. The Service Provider can configure the list of authorized software to be editable. The settings profile shows a label, Editable Settings. In this case, you can add authorized software but you cannot delete or edit the list of software defined by the Service Provider.
If your Service Provider changes the status of the settings from editable to non-editable, the authorized software you added will no longer apply. Only the software from the Service Provider applies. If the Service Provider changes the configuration again to be editable, then the authorized software you added are restored and applied.
Configure Authorized Software Settings
To configure authorized software settings:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- From the left pane, select Authorized Software.
- Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
The Add Settings or Edit Settings page opens.
- Enter a Name and Description for the profile, if required.
We recommend that you enter a descriptive name such as Exclude MD5, Exclude program version, or Path excluded. - To create a new rule, click Authorize Programs.
The Authorize Programs dialog box opens.
- To specify the program executable with an MD5 hash code, select MD5 or SHA-256.
- In the text box, type MD5 or SHA-256 hashes for the program you want to add.
For example, for MD5, you could enter 938c2cc0dcc05f2b68c4287040cfcf71. For more information, go to Calculate the MD5 or SHA-256 of One or More Files. - To specify the program you want to add via program properties, select Program Properties.
- Signature – SHA-1 digital signature of the file. For more information, go to Get the Thumbprint of a Signed Program.
- Product Name – Product name value from the header of the file you want to unblock. To view the product name, right-click the program file and select Properties > Details.
- File Path – Path of the program on the server or workstation. System environment variables are accepted. Authorized software exclusions do not exclude sub-directories within an excluded directory. You must specify each file path. For example, C:\panda would only include files at that level of the directory.
- File Name – The name of the file you want to unblock. Wildcards * and ? are accepted.
- File Version – Version from the header of the file you want to unblock. To view the version, right-click the program file and select Properties > Details. For example, you could enter 0.1.777.0 exact version.
- Click Authorize.
- Click Save.
- Select the profile and assign recipients, if required.
For more information, go to Assign a Settings Profile.
Calculate the MD5 or SHA-256 of One or More Files
There are many tools available to calculate the MD5 or SHA-256 of a file. This section describes how to use the PowerShell tool in Windows 10.
- In File Explorer, open the folder with the files.
- Select File > Open Windows PowerShell.
A window with the command line opens.
- Enter the following command and replace $files with the file path. Wildcards * and ? are accepted.
- For md5: PS c:\folder> Get-FileHash -Algorithm md5 -path $files
- For SHA-256: PS c:\folder> Get-FileHash -Algorithm SHA256 -path $files
- To copy the hashes to the clipboard, press and hold the Alt key, and select the hashes with the mouse pointer. Press Ctrl + C.
- To paste all hashes from the clipboard to the Endpoint Security management UI, click the MD5 or SHA-256 field of the authorized software rule and press Ctrl + V.
- Click Authorize.
- Click Save.
The authorized software settings update.
Get the Thumbprint of a Signed Program
- Right-click the file and select Properties.
- In the Properties window, select the Digital signatures tab.
- In the Signature list, select the signature.
- Click Details.
The Digital signature window opens. - In the Digital signature details window, select the General tab and click View certificate.
The Certificate window opens. - In the Certificate path, select the Certification path tab and make sure that the final node of the certification path is selected.
- In the Certificate window, select the Details tab and select the field Thumbprint.
- Select the character string from the text box displayed and press Ctrl + C to copy it to the clipboard.
- Click the Signature field of the authorized software rule and press the keys Ctrl + V to paste the thumbprint to the management UI.
- Click Authorize.
- Click Save.
The authorized software settings update.
Exclude Files and File Paths from Scans