About Anti-Exploit Protection (Windows Computers)
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, and WatchGuard EDR Core
Anti-exploit technology is not available on Windows ARM systems. The features available for each platform vary. For more information, go to Endpoint Security Supported Features by Platform.
In the Advanced Protection settings of a workstations and servers settings profile, you enable Code Injection protection. Code Injection is a general term for attacks that insert harmful code into an application that is then interpreted or executed by the application. The malicious code is usually designed to manipulate data flow, which leads to loss of confidentiality and reduced application availability.
If you disable Code Injection protection, protection is also disabled for the processes that support:
- Exploit detection and code injection
- Advanced IOAs
- Advanced security policies used by PowerShell
We recommend that you enable Code Injection protection and add exclusions for processes that might experience performance or compatibility issues. You should also enable the Detect Drivers with Vulnerabilities toggle to detect vulnerable drivers that could be exploited.
Caution: When you allocate WatchGuard EDR or EDR Core to a new account, and the account does not have a workstations and servers settings profile assigned, the default profile assigned to the All group has anti-exploit protection disabled.
Exploit Blocking and Detection
Anti-exploit protection automatically blocks attempts to exploit vulnerabilities found in the active processes on user computers.
Network computers might run trusted processes that include bugs. Although legitimate, these processes are vulnerable because they sometimes do not correctly interpret data received from users or other processes. If a vulnerable process receives malicious input from an attacker, a malfunction can occur that enables the attacker to inject malicious code into areas of memory that the vulnerable process manages. The injected code can cause the compromised process to execute actions it was not programmed for and compromise computer security.
The anti-exploit protection included in Endpoint Security detects attempts to inject malicious code into vulnerable processes run by users, and neutralizes them based on the exploit detected.
Exploit Blocking
Endpoint Security detects the injection attempt while it is still in progress. Because the injection process does not complete, the targeted process is not compromised and there is no risk to the computer. The exploit is neutralized without the need to end the affected process or restart the computer, and there are no data leaks from the affected process. The user of the targeted computer receives a block notification, based on the settings configured by the administrator.
Exploit Detection
Endpoint Security detects the injection after it takes place. Because the vulnerable process already contains malicious code, Endpoint Security must end the process before it performs actions that might put computer security at risk. Regardless of the time between exploit detection and when the compromised process ends, Endpoint Security reports that the computer was at risk. The level of risk depends on the time passed before the process stopped and on the type of malware.
Endpoint Security can either end a compromised process automatically to minimize the negative effects of an attack, or prompt the user to end the process and remove it from memory. This enables the user to save work or critical information before the compromised process stops, or the computer restarts. If it is not possible to end a compromised process, the user is prompted to restart the computer.
Vulnerable Driver Blocking
Vulnerable drivers are drivers with known vulnerabilities that have been exploited in real-world attacks. This can include outdated drivers that contain security gaps.
Drivers supplied by legitimate vendors might contain vulnerabilities that malware could exploit to infect a computer or disable the security software. These drivers are not malicious in themselves and could be installed on computers without posing a security threat. Therefore, they are not initially detected as malware. Anti-exploit protection blocks the use of vulnerable drivers, except when the driver loads at operating system startup.
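As an added example that is not part of this documentation and not WatchGuard code, the PowerShell script below gives an administrator an independent inventory of the kernel drivers currently loaded on a Windows computer, so that the drivers Anti-exploit protection acts on can be reviewed alongside those it does not block because they load at operating system startup (StartMode Boot or System). It uses only standard cmdlets (Get-CimInstance, Get-FileHash, Get-AuthenticodeSignature); the blocklist hash is a constructed placeholder, and the Resolve-DriverPath and Get-LoadedDriverReport function names are this example's own.

```powershell
# Added example (not WatchGuard code): inventory running kernel drivers, hash each
# driver file, and flag any whose SHA256 matches a blocklist or whose Authenticode
# signature is not valid. Run from an elevated PowerShell session.

# Constructed placeholder entry; replace with hashes from a source you trust
# (for example a vendor advisory or a curated vulnerable-driver list).
$Blocklist = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'PLACEHOLDER-vulnerable-driver'
}

function Resolve-DriverPath {
    # Normalise the PathName reported by Win32_SystemDriver into a file-system path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName -replace '^\\\?\?\\', ''             # strip the \??\ NT object prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') {                  # bare relative path, e.g. system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-LoadedDriverReport {
    # Returns one object per running driver with hash, signature status and start mode.
    param([hashtable]$Blocklist)
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $hash = $null
            $sig  = 'FileNotFound'
            if ($path -and (Test-Path -LiteralPath $path)) {
                $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [pscustomobject]@{
                Name         = $_.Name
                Path         = $path
                StartMode    = $_.StartMode            # Boot/System drivers load at OS startup
                LoadsAtBoot  = ($_.StartMode -in @('Boot', 'System'))
                Signature    = $sig
                SHA256       = $hash
                Blocklisted  = [bool]($hash -and $Blocklist.ContainsKey($hash))
                BlocklistTag = if ($hash -and $Blocklist.ContainsKey($hash)) { $Blocklist[$hash] } else { $null }
            }
        }
}

# Usage: list the drivers that deserve a second look, boot-start drivers first,
# because those are the ones Anti-exploit protection does not block at load time.
$report = Get-LoadedDriverReport -Blocklist $Blocklist
$report |
    Where-Object { $_.Blocklisted -or $_.Signature -ne 'Valid' } |
    Sort-Object -Property @{ Expression = 'LoadsAtBoot'; Descending = $true }, Name |
    Format-Table Name, StartMode, Signature, Blocklisted, BlocklistTag, Path -AutoSize
```

The report is an aid for reviewing exclusions and for deciding which boot-start drivers should be updated or removed; it does not change what the endpoint agent blocks. Hashtable keys in PowerShell are case-insensitive, so the uppercase hash returned by Get-FileHash matches a lowercase blocklist entry.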