Troubleshoot an Endpoint Infection
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EPP
When a WatchGuard Endpoint Security product reports malicious software (malware), you can try to use Operating Mode to remove the malware infestation. You can also collect information and report the malware to Support.
Operating Mode
In the Advanced Protection settings of a workstations and servers settings profile, you can configure WatchGuard Endpoint Security to detect and block malicious programs. The Operating Mode setting specifies how the WatchGuard Endpoint Security responds when it detects an unknown file.
There are three available response modes — Audit, Hardening, and Lock.
Audit
Reports detected threats on dashboards and lists, but does not block or disinfect files.
Hardening
- Allows execution of unknown programs already installed on user computers.
- Blocks unknown programs that originate from an untrusted source (such as the Internet, external storage drives, or other computers on the network) until a classification is returned.
- Disinfects or deletes programs classified as malware.
Lock
Prevents execution of all programs classified as malware, as well as all unknown programs pending classification.
To try to resolve a malware issue, make sure that the Operating Mode setting used by the computer is not set to Audit mode. In Audit mode, the endpoint security product tracks programs on your computer, but does not block or disinfect files.
For more information about Advanced Protection settings, go to Advanced Protection – Operating Modes (Windows Computers).
Collect Information
There might be a scenario where you install the endpoint security product on a computer that already has a malware infection. To confirm this, you can use the installation logs that the PSInfo tool gathers to determine the infection date.
In the case of a ransomware infection, when you contact Support with the installation logs that the PSInfo tool gathers, provide an estimate of the date and time of infection. If possible, collect a copy of the ransomware encrypted file. If you cannot obtain a copy of the encrypted file, inform Support of the file extension of the encrypted file and whether the encrypted files are shared network files or local files.
Before you contact Support, enable Support Access to your WatchGuard Cloud account.