Remediation Tools in WatchGuard Endpoint Security

Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP

WatchGuard Endpoint Security provides several remediation tools that help you to resolve issues. Some of these tools are automatic and do not require you to take any action. You can get access to other tools in the Endpoint Security management UI.

Tool Platform Type Purpose

Automatic computer scanning and disinfection

Windows, macOS, Linux, Android

Automatic

Detects and disinfects malware when WatchGuard Endpoint Security detects movement in the file system (copy, move, run) or in a supported infection vector.

On-demand computer scanning and disinfection

Windows, macOS, Linux, Android

Automatic, Schedule, or Manual

Detects and disinfects malware in the file system when required, at specific time intervals, or after you create a remediation task. Scan tasks are not available with WatchGuard EDR Core.

On-demand restart

Windows

Manual

Forces a computer restart to apply updates, finish manual disinfection tasks, and fix protection errors.

Computer isolation

Windows

Manual

Isolates a computer from the network, to prevent the exfiltration of confidential information and the spread of threats to other computers.

Shadow copies Windows Automatic When enabled, creates a shadow copy every 24 hours. Use shadow copies to return a compromised system to a previous state. Shadow copies are not available with WatchGuard EDR Core.
Network Attack Protection Windows Automatic When enabled, scans network traffic in real-time to detect and stop threats. Network attack protection is not available with WatchGuard EDR Core or WatchGuard EPP.

Automatic Scanning and Disinfection

WatchGuard Endpoint Security automatically detects and disinfects threats found on protected computers and devices. File protection must be enabled in the security settings assigned to the computers and devices.

WatchGuard Endpoint Security automatically detects threats in these security areas:

  • Web — Malware downloaded to targeted computers through a web browser
  • Email — Malware that reaches email clients as a message attachment
  • File System — Malware detected when a file that contains a known or unknown threat in the computer storage system is run, moved, or copied.
  • Network — Intrusion attempts from a host on the network or Internet, blocked by the firewall

Advanced Protection in a Workstation and Servers settings profile also blocks the execution of unknown malware. For information on blocking modes and the options available for antivirus scanning, go to Configure Workstations and Servers Security Settings and Configure Antivirus Scanning.

Remediation Actions

When WatchGuard Endpoint Security detects a known threat, it automatically cleans the affected items when there is a disinfection method available. If not, WatchGuard Endpoint Security quarantines the items.

When antivirus and advanced protection modules are enabled, WatchGuard Endpoint Security takes these actions:

Advanced Protection Mode Antivirus Protection Action
Audit Enabled Detection, disinfection, and quarantine
Disabled Detection only
Hardening, Lock Enabled Detection, block unknown items, disinfection, and quarantine
Disabled Detection, block unknown items

On-Demand Scanning and Disinfection

There are two ways to scan and disinfect computers on demand:

On-Demand Restart (Windows computers)

If you have computers that have to restart to fix a protection problem, you can restart the computers remotely. For more information, go to Restart a Computer (Windows Computers).

Computer Isolation (Windows computers)

You can isolate computers on demand to prevent the spread of threats and to block the exfiltration of confidential data. For more information, go to Isolate a Computer.

Shadow Copies (Windows computers)

Shadow copies is a technology included in Windows computers that can create a snapshot of computer files, even when they are in use. When enabled in WatchGuard Endpoint Security, Windows creates a shadow copy every 24 hours. You can use shadow copies to return a compromised system to a previous state. For more information, go to Remove Ransomware and Restore the System.

Network Attack Protection (Windows computers)

Network Attack Protection prevents network attacks that try to exploit vulnerabilities in services that are open to the Internet and in the internal network. For more information, go to Configure Network Attack Protection (Windows Computers).

Related Topics

Monitor Threats in WatchGuard Endpoint Security

Manage Tasks