Allow Blocked Items to Run
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
WatchGuard Endpoint Security automatically analyzes and classifies every unknown process within the first 24 hours after it is detected on a workstation or server. The analysis classifies each process as goodware or malware and shares the classification with all customers.
To strengthen the security of the computers on the network, Endpoint Security provides Hardening and Lock modes in the Advanced Protection settings. In both modes, Endpoint Security blocks processes during the classification process to prevent potential risks. Users cannot run a blocked process until the classification process completes. Classification is performed in two ways:
- Automated Analysis — Primary method of classification. Takes place automatically in real time.
- Manual Analysis — If the automated analysis cannot return a classification of the unknown process with 99.999% certainty, then a WatchGuard malware expert manually analyzes a sample of the process. This analysis can take a short period of time to complete.
In circumstances where classification is not immediate, you can allow a blocked item after Endpoint Security detects and blocks it.
We do not recommend that you allow the execution of unclassified items because this could pose a risk to the integrity of company data and IT systems.
When Endpoint Security blocks an attack or program, the count on the corresponding tile of the Security dashboard increases. From each of these tiles, you can allow a blocked item to run:
- Currently Blocked Programs Being Classified — Unblock items that are still in the process of classification.
- Malware Activity — Allow the execution of programs classified as malware.
- PUP Activity — Allow the execution of programs classified as PUPs.
- Exploit Activity — Allow the execution of exploit techniques.
- Threats Detected by the Antivirus — Restore from quarantine items that Endpoint Security removed because they matched a signature in the signature file.
- Network Attacks — Allow traffic classified as dangerous by Network Attack Protection. (Network Attack Protection is not available with EDR Core or WatchGuard EPP.)
If you want to make sure that a new process or program is not blocked, you can proactively authorize the software or program. For information on how to add a program to the authorized software list, go to Configure Authorized Software Settings (Windows Computers).
When Endpoint Security blocks a program that is then reclassified as goodware, the program no longer shows as blocked. You can see the program in the History of Blocked Items list.
Unblock Items Pending Classification
In general, it is not recommended to allow the execution of unclassified items as this could pose a risk to the integrity of the company data and IT systems. If users cannot wait for classification of an item, the administrator can unblock it manually.
To allow the execution of an unknown item in the process of classification:
- Select Status > Security.
- Click the Currently Blocked Programs Being Classified tile.
- Select the item you want to unblock from the list.
- On the Blocked Program Details page, click Unblock.
A dialog box opens to inform you of the risk of unblocking an unknown item and the assessment of its risk level.
- Click Unblock.
Endpoint Security performs these actions:
- Allows the item to run on all managed computers on the IT network.
- Continues to analyze the item until it is classified.
- Allows all libraries and binary files used by the program to run, except those already known and classified as threats.
- Removes the item from the Currently Blocked Programs Being Classified list.
- Adds the item to the Detected Items Allowed by the Administrator list.
Allow the Execution of Items Classified as Malware, PUP, or Exploit
Administrators can allow software and processes that Endpoint Security classified as a threat (for example, a toolbar with extra search capabilities classified as a PUP).
To allow execution of a program classified as malware, PUP, or exploit:
- Select Status > Security.
- Click the Malware Activity, PUP Activity, or Exploit Activity tile.
- From the list, select the threat that you want to allow to run.
- On the details page, click the info icon next to the action.
A pop-up dialog box describes the action taken by Endpoint Security.
- Click Do Not Detect Again.
Endpoint Security performs these actions:
- Allows the item to run on all computers managed by the administrator. With exploits, you allow the execution of the specific exploit technique that was used on the specific vulnerable program.
- Allows all libraries and binary files used by the program to run, except those already known and classified as threats.
- Adds the item to the Detected Items Allowed by the Administrator list.
- Stops generating incidents for the item in the Malware, PUP, and Exploit tiles.
Do Not Detect a Network Attack Again
When Endpoint Security detects traffic behavior that it suspects to be a network attack, Network Attack Protection prevents this traffic from reaching user computers. For information on the type of attacks detected, go to Network Attack Protection — Types of Attacks Detected (Windows Computers).
If you do not consider the traffic behavior a threat, you can create an exclusion for the source IP address and the type of attack. The exclusion applies to all computers managed by Endpoint Security.
To stop blocking an item and create an exclusion for Network Attack activity:
- Select Status > Security.
- Click the Network Attack Activity tile.
- From the list, select the type of network attack you want to allow.
- On the Network Attack Detection page, click the info icon next to the action.
A pop-up dialog box opens explaining the action taken by Endpoint Security.
- Click Do Not Detect Again.
The Do Not Detect Again dialog box opens. It shows the type of attack (for example, Man in the Middle Attack) and the source IP address.
- In the Allow This Type of Network Attack from These IP Addresses text box, enter the source IP addresses from which you want to allow inbound traffic for this attack type.
You can enter individual IP addresses separated by commas or IP address ranges separated by a dash. If you want to allow any IP address to send traffic of the specified attack type, leave the text box empty. Because the exclusion applies to all managed computers, an empty list suppresses detection of that attack type from every source on the whole network, so enter the narrowest list of addresses that covers the traffic you have verified as benign.
- Click Do Not Detect Again.
Endpoint Security performs these actions:
- Allows inbound traffic corresponding to the attack type to enter the network if the source IP address is on the list.
- Stops generating detections for this traffic.
- Includes the attack type in the Detected Items Allowed by the Administrator list.
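The address list typed into the Allow This Type of Network Attack from These IP Addresses text box is the one point in this procedure where a typo or an overbroad entry silently widens the exclusion to every managed computer. The following Python is an added example, not WatchGuard code: it parses that list format as the page describes it (comma-separated addresses, dash-separated ranges, an empty box meaning any source), checks whether a given source address would be covered, and flags entries a reviewer should question before clicking Do Not Detect Again. The 256-host threshold, the sample entries and the source addresses are assumptions constructed for the example.

```python
import ipaddress
from typing import List, Optional, Tuple

AddrRange = Tuple[ipaddress._BaseAddress, ipaddress._BaseAddress]


def parse_allow_list(text: str) -> Optional[List[AddrRange]]:
    """Parse the text box format into (first, last) address pairs.

    Individual addresses are separated by commas, ranges by a dash.
    An empty box means "any source", which is returned as None so the
    caller cannot confuse it with an empty list of ranges.
    """
    text = text.strip()
    if not text:
        return None
    ranges: List[AddrRange] = []
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma
        if "-" in token:
            lo_s, hi_s = (part.strip() for part in token.split("-", 1))
            lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
            if lo.version != hi.version or lo > hi:
                raise ValueError(f"invalid range: {token!r}")
        else:
            lo = hi = ipaddress.ip_address(token)
        ranges.append((lo, hi))
    return ranges


def is_allowed(src: str, ranges: Optional[List[AddrRange]]) -> bool:
    """True if traffic from src would be exempted by this exclusion."""
    if ranges is None:
        return True  # empty box: every source is allowed
    addr = ipaddress.ip_address(src)
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in ranges)


def review_allow_list(text: str, max_hosts: int = 256) -> List[str]:
    """Return reviewer warnings for an exclusion list before it is committed.

    max_hosts is an assumed policy threshold for this example, not a
    product setting.
    """
    warnings: List[str] = []
    ranges = parse_allow_list(text)
    if ranges is None:
        warnings.append(
            "empty list: this attack type will be allowed from ANY source on ALL managed computers"
        )
        return warnings
    for lo, hi in ranges:
        hosts = int(hi) - int(lo) + 1
        if hosts > max_hosts:
            warnings.append(f"{lo}-{hi} covers {hosts} addresses (more than {max_hosts})")
        # Split the range into CIDR blocks so a span that crosses from
        # private into public space is caught, not just its endpoints.
        if any(net.is_global for net in ipaddress.summarize_address_range(lo, hi)):
            warnings.append(f"{lo}-{hi} includes globally routable (Internet) addresses")
    return warnings


if __name__ == "__main__":
    # Constructed examples of what an administrator might enter.
    for entry in ["", "10.0.0.5, 10.0.0.10-10.0.0.20", "10.0.0.0-10.0.255.255", "8.8.8.8"]:
        print(repr(entry), "->", review_allow_list(entry) or ["ok"])
```

Run the review before committing an entry; a range that spans tens of thousands of addresses or reaches into public address space is usually a sign that the source of the detection was never actually identified, which is the case where the page's advice to keep items blocked applies.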
Restore or Stop Detecting Programs Classified as Viruses
If users need features of a program that the antivirus removed because it matched a signature in the signature file, and you determine that the risk to the integrity of the managed IT network is low, you can restore the program and allow it to run.
To restore deleted programs from the quarantine or backup area and not detect them again:
- Select Status > Security.
- Click the Threats Detected by the Antivirus tile.
- From the list, select the item that you want to allow to run.
- On the Threat Details page, click the info icon next to the action.
A pop-up dialog box opens explaining the action taken by Endpoint Security.
- Click Restore and Do Not Detect Again.
Endpoint Security performs these actions:
- Copies the item from quarantine or the backup area to its original location on the computers in the network.
- Allows the item to run and does not generate any detections.
- Adds the item to the Detected Items Allowed by the Administrator list.
Stop Allowing the Execution of Previously Allowed Items
To block a previously allowed item again:
- Select Status > Security.
- In the Detected Items Allowed by the Administrator tile, select the type of item you want to stop allowing (for example, Malware, PUP, Exploit, Being Classified, or Network Attacks).
- In the Detected Items Allowed by the Administrator list, click the icon to the right of the item that you want to stop allowing to run.
Endpoint Security performs these actions:
- Adds an entry to the Detected Items Allowed by the Administrator list. The Action column shows Exclusion Removed by the User.
- If the item is an unknown item in the process of classification, it reappears in the Currently Blocked Programs Being Classified list.
- Adds the item back to the corresponding list (for example, Malware Activity, PUP Activity, Exploit Activity, or Network Attack Activity).
- If the item was detected by the antivirus, it reappears in the Threats Detected by the Antivirus list.
- Resumes generating incidents for the item.