Best Practices — Installation Tips for Groups and Settings

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

When the client software is installed on the computer or device, WatchGuard Endpoint Security applies the group security settings to the computer or device. During installation, you select a target group for the computer with the required network settings. If the network settings for the selected group differ from the settings specified during installation, the installation settings apply.

We recommend that you configure groups and define group settings before you deploy the endpoint software.

  1. Define the group structure for your network, for example, by department or location.
  2. Decide if you want to use an Active Directory tree or if you prefer to have static groups.
  3. Configure these required network and security settings:
  4. Test the settings on a smaller group that includes computers representative of your environment.

Network Settings

On the Network Settings page, you create settings profiles to specify the language of WatchGuard Endpoint Security installed on computers and devices. You can also define the type of connection to WatchGuard Cloud with proxies and add cache computers that act as repositories for signature files and other components.


Create a network settings profile and assign recipient groups to the profile before you deploy the endpoint software. For more information, go to Configure Network Settings.

Per-Computer Settings

On the Per-Computer Settings page, you create settings profiles that specify how often to install protection software updates on workstations and servers. You can also define settings to prevent tampering and unauthorized uninstallation of the protection software.

You cannot modify default settings. You can copy default settings and then modify them as needed.

Automatic Updates

We recommend that you enable automatic updates for WatchGuard Endpoint Security software. Schedule updates for times when they will not interfere with other updates, backups, and similar jobs. Do not schedule Endpoint Security updates at the same time as Windows updates: Windows updates take precedence and could cause the Endpoint Security update to fail.

You can also specify the time interval when the software can update and specify whether to restart devices automatically after an update. The actual time when the restart begins is four hours after the time you specify here. If a Windows update requires a reboot at the same time as the Endpoint Security update, then the WatchGuard Agent will not restart and the upgrade will fail.

For more information, go to Configure Updates.
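
The scheduling guidance above can be checked before a profile is assigned. The following is an added example, not WatchGuard code: it flags an update interval that overlaps a Windows Update or backup window, and a restart that would land inside one. The window names and times are constructed, and applying the four-hour delay to a single configured restart time is an assumption about how the setting is entered.

```python
from dataclasses import dataclass

DAY = 24 * 60
RESTART_DELAY = 4 * 60  # per the page: restart begins four hours after the set time


def to_min(hhmm):
    """Convert 'HH:MM' to minutes after midnight."""
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h < 24 and 0 <= m < 60):
        raise ValueError(f"invalid time {hhmm!r}")
    return h * 60 + m


@dataclass(frozen=True)
class Window:
    name: str
    start: str  # daily start, 'HH:MM'
    end: str    # daily end, 'HH:MM'; an end <= start wraps past midnight

    def segments(self):
        s, e = to_min(self.start), to_min(self.end)
        return [(s, e)] if s < e else [(s, DAY), (0, e)]


def overlaps(a, b):
    return any(s1 < e2 and s2 < e1
               for s1, e1 in a.segments() for s2, e2 in b.segments())


def review_profile(update, restart_at, others):
    """Return findings for one per-computer settings profile (hypothetical model)."""
    restart = (to_min(restart_at) + RESTART_DELAY) % DAY
    stamp = f"{restart // 60:02d}:{restart % 60:02d}"
    findings = []
    for w in others:
        if overlaps(update, w):
            findings.append(f"{update.name}: update interval overlaps {w.name}")
        if any(s <= restart < e for s, e in w.segments()):
            findings.append(f"{update.name}: restart at {stamp} falls inside {w.name}")
    return findings


# Constructed sample schedule, not taken from any real deployment.
OTHERS = [Window("Windows Update", "01:00", "04:00"),
          Window("Backup", "20:00", "21:30")]
NIGHT = Window("Test group", "22:00", "02:00")
NOON = Window("Servers", "12:00", "13:00")

if __name__ == "__main__":
    for profile, restart_at in ((NIGHT, "22:00"), (NOON, "12:00")):
        print(profile.name, review_profile(profile, restart_at, OTHERS) or "no conflicts")
```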

WatchGuard deploys the latest WatchGuard Endpoint Security version available to customers and partners in phases. Contact your WatchGuard Sales Representative to request a version update.

To find out which WatchGuard Endpoint Security version is installed:

  1. In WatchGuard Cloud, select Configure > Endpoints.
  2. In the upper-right corner, click the options icon.
  3. From the menu that appears, select About.
     There are different version numbers: WatchGuard Endpoint Security product version, Protection version by platform, and Agent version by platform.

To find out which version is installed on a computer or device:

  1. On the Computers page, select the computer you want to see the protection version for.
  2. On the Details tab, in the Security section, review the Protection Version.

For information on changes in each release, go to the WatchGuard Endpoint Security Release Notes.

You can also plan and run the update process gradually in your network. Consider these guidelines when you plan an update:

  • Create a new per-computer security settings profile with automatic updates enabled.
  • Assign the new profile to a test group that includes computers representative of your environment.
  • Monitor the computers for one or two weeks to make sure the update process is successful and the applications work as expected.
  • Split the deployment of the endpoint software updates on your network progressively. For example, you could complete the process in two or three phases, based on your network characteristics.

Anti-Tampering

Configure security against tampering to make sure that only authorized users can uninstall or disable WatchGuard Endpoint Security. For more information, go to Configure Security Against Tampering.

Workstations and Servers Settings

Configure these workstation and server settings:

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. Throughout this documentation, WatchGuard Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

Automatic Knowledge Updates

Configure automatic signature file updates. WatchGuard Endpoint Security uses signature files to identify threats. The WatchGuard Agent downloads signature files (knowledge updates) to help identify the newest security threats. For more information, go to Configure Automatic Knowledge (Signature File) Updates.

We recommend that you do not disable automatic updates. A computer with out-of-date signatures becomes more vulnerable to malware and advanced threats over time.

Uninstall Other Security Products

If you want to install WatchGuard Endpoint Security on a computer that already has an antivirus solution from another vendor, you can first remove the current solution and install WatchGuard Endpoint Security. You can also choose to not remove the current solution, so that the WatchGuard and third-party products coexist on the computer. When you uninstall a third-party antivirus product, you might have to restart the computer. For more information, go to Automatic Removal of Security Products.

You do not have to remove any pre-existing third-party solution when you start a WatchGuard Endpoint Security trial. For information on trials, go to Manage Trials – Service Providers.

For a list of the third-party security products that WatchGuard Endpoint Security uninstalls automatically, go to Programs Automatically Uninstalled by WatchGuard Endpoint Security.

Advanced Protection

In the Advanced Protection settings of a workstations and servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs. There are three available operating modes: Audit, Hardening, and Lock.

For maximum security and efficiency, we recommend that you combine Advanced Protection in Lock mode with authorized software rules.

Initially, you can configure the Advanced Protection in Hardening mode to start the Zero-Trust Application Service learning and classification process. After a few weeks, you can change the mode to Lock mode. In Lock mode, WatchGuard Endpoint Security prevents all software that is in the process of classification or is already classified as malware from running.

Authorized Software

Configure Authorized Software settings to allow software or a family of software to run before it is classified. If the program represents a threat, WatchGuard Endpoint Security blocks it regardless of whether it was authorized in these settings. For more information, go to Configure Authorized Software Settings (Windows Computers).

Anti-Exploit Protection

Enable anti-exploit protection to automatically block attempts to exploit vulnerabilities found in the active processes on user computers. For more information, go to About Anti-Exploit Protection (Windows Computers).

Indicators of Attack Settings

In an Indicators of Attack settings profile, you can configure the behavior when WatchGuard Endpoint Security identifies an RDP attack. Configure the Advanced settings to either report and block RDP or report only, based on your needs. For more information, go to Configure RDP Attack Settings.
