Configure Advanced Security Policies (Windows Computers)

Applies To: WatchGuard Advanced EPDR

In the Advanced Protection settings of a Workstations and Servers settings profile, you can enable Advanced Security Policies to detect and block suspicious scripts and unknown programs that use advanced infection techniques.

Advanced Security Policies include:

  • PowerShell with Suspicious Parameters — Detects the number of times the PowerShell interpreter received suspicious parameters that could result in the execution of dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.
  • PowerShell Run by the User — Detects the number of attempts to run a monitored PowerShell script by an interactive account capable of executing dangerous operations on the protected computer. This option requires that you enable the anti-exploit protection.
  • Unknown Scripts — Detects attempts to run a script that the WatchGuard security intelligence team has not classified. This policy gives visibility into the scripts run on the network, helps secure servers where program execution is restricted, and helps prevent the spread of malware on the network if an infection is suspected. If an unknown script should be allowed, you can exclude the file from scans. For more information, go to Exclude Files and File Paths from Scans.
  • Locally Compiled Programs — Detects the number of attempts to run a program that is unknown to the WatchGuard security intelligence team because it was compiled on the user computer.
  • Documents with Macros — Detects the number of attempts to open a Microsoft Office document with macros.
  • Registry Modification to Run when Windows Starts — Detects the number of times a program tried to add a Windows registry key to gain persistence on the computer and to load with the operating system on every system start.
  • Program Blocking by Name — Detects the number of times Endpoint Security blocked a program included in the name blocklist.
  • Program Blocking by MD5 or SHA-256 Value — Detects the number of times Endpoint Security blocked a program included in the MD5 or SHA-256 blocklist.

To configure Advanced Security Policies settings:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Workstations and Servers.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
  6. Select Advanced Protection.
  7. Select the Advanced Protection toggle to enable it.
  8. Select the Enable Advanced Policies toggle to enable it.
  9. For each policy, select Audit, Block, or Do Not Detect:
    • Audit — Detects the behavior but does not block it, and reports it to the administrator in lists and dashboard tiles.
    • Block — Detects the behavior and prevents the program or script from running.
    • Do Not Detect — Does not detect the behavior or generate any feedback for users or administrators.
    Audit shows what a policy would block without interrupting users, which makes it a safe first setting for a new profile.
  10. Configure the Block Programs list, if required.
    For more information, go to Block Suspicious Programs.
  11. Click Save.
  12. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.

Block Suspicious Programs

To increase the security of Windows computers on the network, you can prevent the use of programs you consider dangerous or suspicious. These programs include:

  • Programs which, due to the way they run, use too much bandwidth or establish too many connections, and negatively impact company connectivity if run simultaneously by multiple users.
  • Programs that enable users to access contents that might contain security threats.
  • Programs that enable users to access contents not related to company activity and which might affect user performance.

To block unwanted software for productivity or compliance reasons, you can also configure block programs in a Program Blocking settings profile. For more information, go to Configure Program Blocking Security Settings (Windows Computers).

To configure the Block Programs list:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. Select Settings.
  3. From the left pane, select Workstations and Servers.
  4. Select an existing security settings profile to edit, copy an existing profile, or in the upper-right corner of the window, click Add to create a new profile.
    The Add Settings or Edit Settings page opens.
  5. Enter a Name and Description for the profile, if required.
  6. Select Advanced Protection.
  7. Select the Advanced Protection toggle to enable it.
  8. Select the Enable Advanced Policies toggle to enable it.
  9. In the Block Programs section, enter the file names, MD5 hashes, or SHA-256 hashes of the programs you want to block, one per line. You can paste a list of file names or hashes separated by line breaks. A file name entry is matched on the name only, so a renamed copy of the same program is not blocked; a hash identifies the exact contents of a file, so it survives renaming, but a modified or updated build has a different hash and needs its own entry.
  10. To Notify computer users about blocked applications, enable the toggle.
    A pop-up message shows on user computers when they try to run a blocked application.
  11. (Optional) In the text box, enter a custom message to show users when Advanced EPDR blocks a program.
  12. Click Save.
  13. Select the profile and assign recipients, if required.
    For more information, go to Assign a Settings Profile.
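The Block Programs list accepts file names or hashes, one per line. The PowerShell script below is an added example, not WatchGuard's or Advanced EPDR's own code: it produces such a list from a folder of binaries with Get-FileHash, and then reads the list back and checks a host's running processes against it, so you can review what the policy would affect while it is still in Audit before switching it to Block. The folder and output paths, the function names, and the extension filter are assumptions for illustration.

```powershell
# Added example; this is not WatchGuard's or Advanced EPDR's own code.
# New-EpdrBlockList writes the line-separated hash list that the Block Programs
# text box accepts. Test-EpdrBlockList reads such a list back and reports which
# processes running on this host would match it, so the impact can be reviewed
# (for example while the policy is still in Audit) before switching to Block.
# All paths and the extension filter below are assumptions for illustration.

function New-EpdrBlockList {
    param(
        [Parameter(Mandatory)][string]$SourceDir,   # assumed: folder holding the binaries to block
        [Parameter(Mandatory)][string]$OutFile,     # assumed: where the paste-ready list is written
        [ValidateSet('SHA256', 'MD5')][string]$Algorithm = 'SHA256'
    )
    # The extension filter is an assumption; widen it if you need to block other file types.
    $hashes = Get-ChildItem -Path $SourceDir -File -Recurse -Include *.exe, *.dll, *.msi, *.scr |
        ForEach-Object { (Get-FileHash -Path $_.FullName -Algorithm $Algorithm).Hash }
    # One hash per line, no duplicates: the same build copied under several names is one
    # entry, which is also why a hash entry is not defeated by renaming the file.
    $unique = @($hashes | Sort-Object -Unique)
    $unique | Set-Content -Path $OutFile -Encoding ASCII
    return $unique.Count
}

function Test-EpdrBlockList {
    param([Parameter(Mandatory)][string]$BlockListFile)
    # Keep only lines that look like MD5 (32 hex) or SHA-256 (64 hex) digests. Get-FileHash
    # returns uppercase hex, so the list is normalised to uppercase for the lookup.
    $blocked = @{}
    Get-Content -Path $BlockListFile |
        Where-Object { $_.Trim() -match '^[0-9A-Fa-f]{32}$|^[0-9A-Fa-f]{64}$' } |
        ForEach-Object { $blocked[$_.Trim().ToUpper()] = $true }
    $useMd5 = @($blocked.Keys | Where-Object { $_.Length -eq 32 }).Count -gt 0
    $useSha = @($blocked.Keys | Where-Object { $_.Length -eq 64 }).Count -gt 0

    # Processes whose image path is not readable by this account (protected or system
    # processes) have no Path and are skipped; a hash read failure is also skipped.
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        try {
            $hit = $false
            if ($useSha -and $blocked[(Get-FileHash -Path $proc.Path -Algorithm SHA256).Hash]) { $hit = $true }
            if (-not $hit -and $useMd5 -and $blocked[(Get-FileHash -Path $proc.Path -Algorithm MD5).Hash]) { $hit = $true }
            if ($hit) {
                [pscustomobject]@{ Name = $proc.ProcessName; Id = $proc.Id; Path = $proc.Path }
            }
        } catch {
            # Unreadable image file; nothing to report for this process.
        }
    }
}

# Usage with assumed paths: build the list, paste the file's contents into the Block
# Programs box, then check a representative host for processes that would be affected.
$list = "$env:USERPROFILE\Desktop\epdr-blocklist.txt"
$count = New-EpdrBlockList -SourceDir 'C:\BlockSamples' -OutFile $list
"$count unique hash(es) written to $list"
Test-EpdrBlockList -BlockListFile $list | Format-Table -AutoSize
```

Generate the hashes from the exact builds you intend to block: a hash survives renaming but not any change to the file, so an updated build needs a new entry. The script leaves the hex case exactly as Get-FileHash emits it; whether the console treats case as significant is not stated on this page, so paste the values unchanged.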

When a program is blocked, it is counted in the Detections by Advanced Security Policies tile on the Security dashboard. Select the tile to open the Detections by Advanced Security Policies list. From the list, select an item to open the Block by Advanced Security Policy details page. For information on the details page, go to Detections by Advanced Security Policies — Block Details.

Related Topics

Manage Settings Profiles

Copy a Settings Profile

Edit a Settings Profile

Assign a Settings Profile

Configure Workstations and Servers Security Settings