Advanced Protection – Operating Modes (Windows Computers)

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR

Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. Throughout this documentation, WatchGuard Endpoint Security refers generally to all products. If you do not have a setting in the Endpoint Security management UI, it is not supported by your product.

In the Advanced Protection settings of a workstations and servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs.

Screen shot of WatchGuard Endpoint Security, Advanced Protection settings

The operating mode defines how the advanced protection responds when it detects an unknown file. There are three modes: Audit, Hardening, and Lock.

Audit

  • WatchGuard EDR — Reports detected threats on dashboards and lists, but does not block or disinfect files.
  • WatchGuard Advanced EPDR and EPDR — Prevents the execution of all programs classified as malware and disinfects or deletes programs classified as malware based on antivirus settings. Unknown programs are allowed to run. For more information on the antivirus settings, go to Configure Antivirus Scanning.

Hardening

  • Allows execution of unknown programs already installed on user computers.
  • Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned.
  • Disinfects or deletes programs classified as malware.

When Endpoint Security blocks a program that is then reclassified as goodware, the program no longer shows as blocked. You can see the program in the History of Blocked Items list.

Lock

  • Prevents execution of all programs classified as malware, as well as all unknown programs pending classification. Deletes or disinfects programs already classified as malware.

Decoy Files

Decoy files help detect ransomware. WatchGuard Endpoint Security creates decoy files as bait on computers. If a process modifies a decoy file, Endpoint Security identifies that process as ransomware, ends it, and reports it as malware.

To create decoy files, enable the Create Decoy Files to Help Detect Ransomware toggle.

This option is available in Advanced Protection for WatchGuard EDR and EDR Core. For WatchGuard Advanced EPDR, EPDR, and EPP, go to Configure Antivirus Scanning.

Report Blocking to Computer Users

To show a message in a pop-up alert on the user computer when advanced protection or anti-exploit features block a file, enable the Report Blocking to Computer Users toggle. Optionally, you can specify a custom message to include in the alert.
