Network Attack Protection — Types of Attacks Detected (Windows Computers)
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR
Network Attack Protection scans network traffic in real time to detect and stop threats. It prevents network attacks that try to exploit vulnerabilities in services exposed to the Internet or to the internal network.
Network Attack Protection detects these attacks and exploits:
DCShadow
Enables a hacker with access to compromised privileged credentials to register a rogue domain controller. The attacker can then push changes through replication, such as changes to give themselves elevated rights and create persistence.
EternalBlue
Exploits the CVE-2017-0144 vulnerability in the Microsoft Server Message Block (SMB) protocol. Windows computers that are not patched against this vulnerability can accept illegitimate data packets that carry malware such as a trojan or ransomware.
BlueKeep
Exploits the CVE-2019-0708 vulnerability, which affects Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows XP. This threat can devastate networks because it spreads from computer to computer as a worm, with no user interaction required.
Zerologon
Exploits the CVE-2020-1472 vulnerability in the cryptography of the Microsoft Netlogon process to enable an attack against Microsoft Active Directory domain controllers. Zerologon makes it possible for a hacker to impersonate any computer, including the root domain controller.
Exclusions
If needed, you can exclude the detection of a specific network attack on all computers in the account. When you exclude a network attack, Endpoint Security still protects your computers from the other network attacks in the list.
To add an exclusion:
- Next to the network attack Action, click the tooltip.
- In the pop-up that opens, click Do not detect again.
- In the dialog box that opens, you can enter IP addresses of the specific devices you want to exclude from detection.