WatchGuard Advanced EPDR Security Dashboard
Applies To: WatchGuard Advanced EPDR
The WatchGuard Advanced EPDR Security dashboard shows an overview of the security status of the network for a specific time period. Several tiles show important information and provide links to more details.
Time Period Selector
The dashboard shows information for the time period you select from the drop-down list at the top of the Status page.
You can select these time periods:
- Last 24 hours
- Last 7 days
- Last month
- Last year
Some tiles do not show information for the last year. If information from the last year is not available for a specific tile, a notification appears.
The Security dashboard includes these tiles:
- Protection Status
- Offline Computers
- Outdated Protection
- Detected Items Allowed by the Administrator
- Programs Blocked by the Administrator
- Classification of All Programs Run and Scanned
- Detections by Advanced Security Policies
- Malware Activity, PUP Activity, Exploit Activity
- Network Attack Activity
- Currently Blocked Programs Being Classified
- Threats Detected by Antivirus
Click a tile to view detailed information.
Status Icons
The icons in the Advanced Protection, Antivirus, Updated Protection, and Knowledge columns indicate their status:
- — Installing
- — Enabled
- — Disabled
- — Error
- — No License
- — Not Available
- — Pending Restart
Protection Status
The Protection Status tile shows:
- Computers where WatchGuard Advanced EPDR works correctly and where it does not.
- Computers with installation errors or problems.
- Computers with audit mode enabled.
The total number of computers and devices at the center of the tile includes iOS devices. The tile includes no other information about iOS devices. iOS devices do not have advanced or antivirus protection. For more information, go to Configure iOS Device Settings.
Click the tile to open the Computer Protection Status list.
Not all columns are available for each type of device.
To filter the Computer Protection Status list:
- Click Filters.
- Select the Computer Type.
- Specify platform, connection, and protection parameters.
- Select the Protection Status.
- Select the Isolation Status.
- Click Filter.
Offline Computers
The Offline Computers tile shows the number of computers that have not connected to the cloud for a number of days.
Click the tile to see details of the computers that might be susceptible to security problems and require attention.
For more information on the icons used in this list, go to Icons.
Outdated Protection
The Outdated Protection tile shows the number of computers with a signature file that is more than three days older than the latest released file. The tile also shows the number of computers with an antivirus engine that is more than seven days older than the latest released engine.
- Protection — The computer has had a version of the antivirus engine older than the latest released engine for at least seven days.
- Knowledge — The computer has not updated its signature file for at least three days.
- Pending Restart — The computer requires a restart to complete the update.
Click the progress bar in the tile to see the list of computers associated with each status:
- Computers with out-of-date protection
- Computers with out-of-date knowledge
- Computers pending restart
Detected Items Allowed by the Administrator
The Detected Items Allowed by the Administrator tile shows the number of programs the administrator allows which WatchGuard Advanced EPDR initially prevented from running. WatchGuard Advanced EPDR classified these programs as a threat (malware, PUP, or exploit) or as unknown files in the process of classification.
Click the tile to show specific information in a list.
To see all events related to threats and unknown files in the process of classification that the administrator allowed to run, click History.
Programs Blocked By the Administrator
The Programs Blocked by the Administrator tile shows the number of programs blocked by the administrator on the computers on the network.
Click the tile to show specific information in a list.
Classification of All Programs Run and Scanned
This tile shows the processes and programs run in your organization for the selected time period and their classification (for example, trusted programs or malware).
The data in this tile is for the entire IT network, not only computers that the administrator has permissions for.
Programs under classification appear in the tile after WatchGuard Advanced EPDR classifies them.
Program Classification
- Trusted Programs — Programs run in the selected period that WatchGuard Advanced EPDR classified as trusted.
- Malware — Programs that tried to run in the selected period, and WatchGuard Advanced EPDR classified as malware, zero-day threats, or targeted attacks.
- Exploits — Exploit attacks that compromised or tried to compromise trusted programs on computers.
- PUPs (Potentially Unwanted Programs) — Programs that tried to run in the selected period, and WatchGuard Advanced EPDR classified as PUPs.
Detections by Advanced Security Policies
This tile shows the total number of blocked suspicious scripts and unknown programs that used advanced infection techniques.
For each computer, Advanced EPDR reports a maximum of one incident every 24 hours for detections caused by the PowerShell with obfuscated parameters rule configured with the Block action. For other rules, Advanced EPDR reports one incident for each computer every 24 hours as long as a maximum of 50 incidents every 24 hours is not exceeded.
If you define program blocking rules, Advanced EPDR reports an incident every 24 hours for each hash detected on each computer.
Click the tile to open a list of items blocked by advanced security policies. When you select an item in the list, the Blocked by Advanced Security Policy page opens. For more information, go to Detections by Advanced Security Policies — Block Details.
Advanced Security Policies
- PowerShell with Suspicious Parameters — Number of times the PowerShell interpreter received suspicious parameters that could result in the execution of dangerous operations on the protected computer.
- PowerShell Run by the User — Number of attempts to run a monitored PowerShell script by an interactive account capable of executing dangerous operations on the protected computer.
- Unknown Script — Number of attempts to run a script that has not yet been classified by the WatchGuard security intelligence team.
- Locally Compiled Program — Number of attempts to run a program that is unknown to the WatchGuard security intelligence team because it has been compiled on the user’s computer.
- Document with Macros — Number of attempts to open an Office document with macros.
- Registry Modification to Run when Windows Starts — Number of times a program tried to add a Windows registry key to gain persistence on the computer and load itself along with the operating system on every system restart.
- Program Blocking by MD5 or SHA-256 Value — Number of times a program was blocked because it was included in the MD5 or SHA-256 blocklist set by the administrator.
- Program Blocking by Name — Number of times a program was blocked because it was included in the name blocklist set by the administrator.
Malware Activity, PUP Activity, and Exploit Activity
These tiles show incidents detected in processes run by the workstations and servers on the network, as well as their file systems. Incidents are reported by real-time scans as well as on-demand scan tasks.
WatchGuard Advanced EPDR shows an incident in the Malware Activity and PUP Activity tiles for each computer or threat pair found on the network. If an incident occurs multiple times in five minutes, WatchGuard Advanced EPDR only registers the first incident. The same incident can register a maximum of two times every 24 hours.
- Run shows the number of malware that successfully ran on the network.
- Accessed Data shows the number of times in which the threat accessed user information on the computer hard disk.
- External Connections shows the number of times there were connections to other computers.
-
The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the corresponding list, click the IP address.
- To open the Malware Activity or PUP Activity list to show a list of the affected computers and malware or PUP incidents, click the tile.
When a computer is in Audit mode and the user allows a blocked malware incident, the action shows in the Malware Activity list as Allowed (Audit mode). To allow a blocked incident, click the Malware Activity tile and select the affected computer from the list. Next to the Action, click and in the pop-up that opens, click Do Not Detect Again.
Exploit Activity
The Exploit Activity tile shows the number of vulnerability exploit attacks against Windows computers on the network, including vulnerable driver detections. WatchGuard Advanced EPDR reports an incident in the Exploit Activity tile for each computer or different exploit attack pair found on the network. If an attack repeats several times, WatchGuard Advanced EPDR reports a maximum of 10 incidents every 24 hours for each computer-exploit pair found.
Click the tile to open the Exploit Activity list to show a list of the affected computers and exploit incidents.
Network Attack Activity
The Network Attack Activity tile shows the number of attempted network attacks against Windows computers on the network. WatchGuard Advanced EPDR creates a single incident per hour for each group of attacks of the same type with the same source IP address.
To open the Network Attack Activity list to show a list of the affected computers and network attack incidents, click the tile.
Currently Blocked Programs Being Classified
The Currently Blocked Programs Being Classified tile shows the number of programs that WatchGuard Advanced EPDR currently blocks.
Blocked applications have one of these colors:
- Orange — Applications with a medium probability of being malware.
- Dark Orange — Applications with a high probability of being malware.
- Red — Applications with a very high probability of being malware.
The threats copied from computers on the network show the IP address of the computer from which an infection originated, as well as the number of times that IP address was the source of a detection (in parentheses). To open the corresponding list, click the IP address.
Click the tile to see a list of files that WatchGuard Advanced EPDR determined to be risky before classification. To remove a program from the list, from the options menu for a computer, select Delete from list.
WatchGuard Endpoint Security continues to consider deleted items as unknown. If they attempt to run again, they reappear in the Currently Blocked Programs Being Classified list.
Threats Detected by Antivirus
This tile shows all intrusion attempts that WatchGuard Advanced EPDR detected in the selected time period. The data covers all infection vectors and all supported platforms. Administrators can get specific data (volume, type, form of attack) related to the malware.
Click the tile to see detailed information about detected threats.
About My Lists in WatchGuard Endpoint Security
Unmanaged Computers Discovered List
Network Attack Protection — Types of Attacks Detected (Windows Computers)