EDR Core (Total Security Suite) Release Notes
For more information about new features, go to the What's New in Endpoint Security PowerPoint presentation.
For information on EDR Core installation requirements, go to Installation Requirements.
| Release Information | Date |
|---|---|
| Latest EDR Core Update | 7 November 2024 |
| Release Notes Revision Date | 14 November 2024 |
Protection and Agent Versions for WatchGuard EDR Core 4.40.00
- Windows protection: 8.00.23.0001 and 8.00.23.0002 for Windows 7, Windows 8, Windows Server 2008 R2, and Windows Server 2012; 8.00.22.0026 for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008
- macOS protection: 2.00.10.1000 and 3.05.0050 for macOS Catalina 10.15, Big Sur 11, Monterey 12, Ventura 13, Sonoma 14, and Sequoia 15
- Linux protection: 3.05.00.0050
- Android agent and protection: 3.10.0
- iOS agent and protection: 2.01.16.0007
- Windows agent: 1.22.02.0000
- macOS agent: 1.14.02.0000
- Linux agent: 1.14.04.0000
WatchGuard periodically updates Endpoint Security products and modules to provide enhancements and resolve reported issues. New versions roll out gradually to accounts. Some features and enhancements listed here might not be available to your account. When a new version is available, upgrade notifications appear as alerts in the upper-right corner of the management UI. If an upgrade is available, we recommend that you upgrade to the most recent version. If there is no alert in the management UI and you need to upgrade to the latest version of the product, contact your WatchGuard representative to request an upgrade. For more information, go to the Knowledge Base article: WatchGuard Endpoint Security Upgrade Schedule.
Latest Release
Release Date: 14 November 2024
Enhancements
- From 26 November 2024, if your firewall or proxy server does not allow connections to and from *.pandasecurity.com, you must update its settings so that EDR Core can reach the specific required URLs. For the list of URLs, go to this Support blog post: Update to URLs Required by WatchGuard Endpoint Security Products.
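A quick way to verify an allow-list before the cutover date is to test each required hostname against the entries your proxy or firewall actually holds. The check below is an added example and is not WatchGuard code. It assumes a common allow-list syntax (exact host, `*.example.com` for subdomains only, and a leading-dot suffix form that also covers the apex); confirm the semantics your product uses. The required hostnames are constructed placeholders, not the real list from the support post. The practitioner caveat it makes visible: a `*.pandasecurity.com` entry does not cover the bare apex domain, and covers nothing outside that domain.

```python
"""Report which required endpoint hostnames an allow-list does not cover.

Added example (not WatchGuard code). Allow-list syntax modelled here is an
assumption; REQUIRED_HOSTS are constructed placeholders.
"""
from urllib.parse import urlsplit

# Constructed sample inputs: one subdomain, the apex, and a host on another domain.
REQUIRED_HOSTS = [
    "https://cache.pandasecurity.com/",        # covered by *.pandasecurity.com
    "https://pandasecurity.com/",              # apex: NOT covered by a *.wildcard
    "https://endpoint-updates.example.net/",   # different domain entirely
]


def host_of(url_or_host: str) -> str:
    """Return the lowercase hostname of a URL or of a bare hostname."""
    if "://" in url_or_host:
        return (urlsplit(url_or_host).hostname or "").lower().rstrip(".")
    return url_or_host.lower().rstrip(".")


def pattern_matches(pattern: str, host: str) -> bool:
    """Match one allow-list entry against a hostname.

    'example.com'    -> exact host only
    '*.example.com'  -> subdomains only, never the apex 'example.com'
    '.example.com'   -> apex and all subdomains (suffix form)
    """
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]                       # '.example.com'
        # require the suffix plus at least one label in front of it
        return host.endswith(suffix) and len(host) > len(suffix)
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def uncovered_hosts(allow_list, required=REQUIRED_HOSTS):
    """Return required hostnames that no allow-list entry matches, in input order."""
    hosts = [host_of(r) for r in required]
    return [h for h in hosts if not any(pattern_matches(p, h) for p in allow_list)]


if __name__ == "__main__":
    current = ["*.pandasecurity.com"]
    for h in uncovered_hosts(current):
        print(f"NOT covered by {current}: {h}")
```

Run it with the entries exported from your proxy and the hostnames from the support post; any line printed is a connection that will be blocked after the change.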
Previous Releases
New Features
Endpoint Security Plug-in for ConnectWise Automate v1.5
This Endpoint Security Plug-in for ConnectWise Automate release updates the steps to install, update, and remove the plug-in.
You can download the plug-in from the Software Downloads page at software.watchguard.com.
For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.
Enhancements
- The Endpoint Security software now supports TLS 1.2 protocol natively for Windows 7, Windows Server 2008 R2 (Kernel 6.1), Windows 8, and Windows Server 2012. For more information, review this Support blog post: End of Support for TLS 1.0 and TLS 1.1.
New Features
Endpoint Access Enforcement
With Endpoint Access Enforcement, you can now monitor connections to Windows computers on the network to help reduce potential infections and attacks from unprotected Windows, Mac, or Linux computers. The Endpoint Access Enforcement dashboard includes several graphs: Connection Map, Top 5 Computers Reporting High-Risk Outbound or Inbound Connections, Number of Connections by Condition, and Number of Connections by Monitored Protocol. Executive reports now include an Endpoint Access Enforcement section.
- By default, Endpoint Access Enforcement monitors inbound connections for SMB and RDP traffic.
- On Windows computers, this feature requires Windows protection v8.00.23.0000 or higher and the Windows agent v1.22.01.0000 or higher; on Mac and Linux computers, it requires the macOS or Linux agent v1.14.01.0000 or higher.
- In the Endpoint Access Enforcement settings profile, you can specify risk conditions for computers and add connection rules for protocols other than those monitored by default.
On the Computer details page, there is a new Monitored Connections tab. The Monitored Connections page shows connections that meet the conditions specified in the Endpoint Access Enforcement rules.
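To make the monitoring model concrete, the following is an added example (not WatchGuard code) that applies rules of the kind described above to a constructed set of inbound connection records. The default rules follow the notes (inbound SMB on 445 and RDP on 3389); an extra SSH rule stands in for an administrator-added protocol. The host inventory, its protection states, and the connection records are all constructed; in the product the risk conditions come from the settings profile, and here they are modelled as a state string per known computer, with unknown sources treated as unmanaged.

```python
"""Flag inbound connections from at-risk or unmanaged computers by monitored protocol.

Added example (not WatchGuard code). Inventory, risk states and connection
records are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Protocols monitored by default per the release notes; admin rules extend this map.
DEFAULT_RULES = {445: "SMB", 3389: "RDP"}
HIGH_RISK_STATES = ("unprotected", "outdated")


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int


# Constructed inventory of managed computers: ip -> (name, protection state)
INVENTORY = {
    "10.0.0.5": ("FS01", "protected"),
    "10.0.0.7": ("WS-ALICE", "protected"),
    "10.0.0.9": ("WS-OLD", "outdated"),
}

# Constructed connection records observed at the monitored computer FS01
CONNECTIONS = [
    Connection("10.0.0.7", "10.0.0.5", 445),    # protected peer -> SMB: not reported
    Connection("10.0.0.9", "10.0.0.5", 445),    # outdated protection -> SMB
    Connection("10.0.0.42", "10.0.0.5", 3389),  # unknown source -> RDP
    Connection("10.0.0.42", "10.0.0.5", 22),    # SSH: only reported if a rule covers 22
    Connection("10.0.0.5", "10.0.0.42", 445),   # outbound from FS01: ignored here
]


def condition_for(ip, inventory=INVENTORY):
    """Risk condition of the remote computer: 'unmanaged' if unknown, 'ok' if protected."""
    if ip not in inventory:
        return "unmanaged"
    state = inventory[ip][1]
    return state if state in HIGH_RISK_STATES else "ok"


def evaluate(connections, monitored_host, rules=DEFAULT_RULES, inventory=INVENTORY):
    """Return (connection, protocol, condition) for inbound monitored connections at risk."""
    findings = []
    for c in connections:
        if c.dst_ip != monitored_host:      # inbound only
            continue
        proto = rules.get(c.dst_port)
        if proto is None:                   # protocol not monitored
            continue
        cond = condition_for(c.src_ip, inventory)
        if cond != "ok":
            findings.append((c, proto, cond))
    return findings


def summarize(findings):
    """Dashboard-style counts: by condition, by protocol, and top 5 reporting sources."""
    return {
        "by_condition": dict(Counter(cond for _, _, cond in findings)),
        "by_protocol": dict(Counter(proto for _, proto, _ in findings)),
        "top_sources": Counter(c.src_ip for c, _, _ in findings).most_common(5),
    }


if __name__ == "__main__":
    rules = {**DEFAULT_RULES, 22: "SSH"}    # admin-added rule for a non-default protocol
    for c, proto, cond in evaluate(CONNECTIONS, "10.0.0.5", rules):
        print(f"{proto:4} from {c.src_ip:12} -> {c.dst_ip}: {cond}")
    print(summarize(evaluate(CONNECTIONS, "10.0.0.5", rules)))
```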
Block Vulnerable Drivers
In a Workstations and Servers settings profile, you can now configure Endpoint Security to block vulnerable drivers. This helps prevent exploitation of the driver by malicious actors. You can exclude detected vulnerable drivers so that they are not detected again. This feature requires Windows protection v8.00.23.0000 or higher.
Enhancements
- Code injection uses anti-exploit techniques to detect exploit attempts in running processes. Code injection now inspects every running process. The inspection could cause performance and compatibility issues for some applications. For more information, go to this Knowledge Base article.
- Anti-exploit protection settings are now easier to configure. In the Advanced Protection section of the Workstations and Servers security settings profile, you now enable anti-exploit protection with the Code Injection toggle. You can exclude specific processes from anti-exploit protection. This feature requires Windows protection v8.00.23.0000 or higher.
- You can now enable advanced scanning with AMSI detection. You can enable AMSI detection technology and exclude specific processes. This feature requires Windows protection v8.00.23.0000 or higher.
- When you configure Risk settings, you can now specify which folder, file, and extension exclusions you want to impact the computer risk level assessment.
- You can now isolate Linux computers on your network. Similar to the Windows and Mac feature, isolated Linux computers only allow WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the Linux computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires Linux protection v3.05.00.0000 or higher.
- You can now enable and disable local alerts on Mac computers and customize malware, firewall, and device control alerts.
- Android protection now supports Network Access Enforcement.
- You can now use MD5 and SHA-256 hashes when you configure these features: Advanced Protection, Program Blocking, and Authorized Software.
- You can export recipient email addresses configured in the My Alerts settings for all users in an account.
- You can now cancel or delete all tasks at one time.
- Endpoint Security now supports Windows Server 2025 in Windows protection v8.00.23.0000 or higher.
- Endpoint Security now supports macOS 15 Sequoia in macOS protection v3.05.00.0000 or higher.
- Endpoint Security now supports these Linux distributions: OpenSUSE 15.3, 15.4, 15.5, and 15.6; SUSE 15 SP6; Fedora 39 and 40; Red Hat/Oracle/Rocky/Alma 8.9, 8.10, 9.3, and 9.4; Ubuntu 23.10 and 24.04; and Mint 21.2, 21.3, and 22. This feature requires Linux protection v3.05.00.0000 or higher. For more information on distributions, go to Linux.
- On 30 September 2024, protection for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, and for macOS Yosemite, El Capitan, Sierra, High Sierra, and Mojave, becomes End of Sale (EOS). Windows Server 2008 R2 continues to be supported. After that date, you cannot add devices that run these operating system versions to the management UI or install the protection software on new computers that run them.
- On 30 April 2025, Windows and Mac protection for these OS versions becomes End of Life (EOL).
- After the EOL date, the product license is automatically removed from all computers that run these OS versions, and you cannot allocate licenses to affected computers.
Resolved Issues
- This release resolves an issue that caused the security software to send the same alert email notifications repeatedly over several days.
- This release resolves an issue that caused the security software to classify URLs as “unknown category” and block them on some computers.
- This release resolves an issue that prevented user login to a corporate website.
- A fix was made to make sure that security software upgrades that run after computer shutdown do not take too long: the computer no longer waits for the PSANHost process to close.
- This release resolves a BSOD error that occurred on computers with NeuShield drivers.
- This release resolves an issue that caused the security software decoy files to create temporary files and folders after backup sessions.
- This release resolves an issue where ATC.exe did not run on Server Core because of a dependency.
- This release resolves an issue that caused on-demand scans of PDF files to not finish.
- This release resolves a vulnerability found in the security software decoy files.
- This release resolves an issue with Linux protection signature file permissions after a security software upgrade.
- This release resolves a self-diagnosis issue that caused the security software to sometimes incorrectly report an error.
- This release resolves an issue where uninstallation of the security software from a Mac device prompted you to keep the quarantine folder even though it was empty.
- In environments with proxy communications, fixes were made to the network infrastructure to prevent random BSOD errors. [WGUA-4183]
- The decoy files feature no longer causes false positive detections associated with svchost.exe. [WGUA-4287]
- Resource usage issues caused by the Endpoint Access Enforcement feature were resolved. [AETHER-5510]
- A fix was included to prevent a memory leak issue caused by the firewall infrastructure. [WGUA-4281]
Enhancements
- These enhancements are in Windows protection v8.00.22.0025 and higher:
- Performance improvements for multi-user environments such as RDS environments. [KER-822]
Resolved Issues
- These issues are resolved in Windows protection v8.00.22.0025 and higher:
- Isolated computers no longer show alert messages when the Do Not Show Alerts option is selected.
- This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
- This release resolves an upgrade issue that stopped protection services.
- The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
- This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
- For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]
Resolved Issues
- This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
- The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
- This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
- Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608]
- General high RAM and CPU usage issues are improved. [WGUA-1976]
- Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
- This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
- AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
- Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
- Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
- When the user selects Do Not Detect Again, the protection software no longer detects Trj/RansomDecoy. [WGUA-2030]
- When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
- This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
- When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
- Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
- Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]
New Features
- In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
- You can also configure computers or computer groups to not install patches.
- When you create a patch installation task, you can select to install patches on only test computers.
Enhancements
- In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
- The default workstations and servers settings profile now has anti-exploit and decoy files disabled. Endpoint Security applies this profile to the All group by default until you create and assign a new profile. This profile helps prevent issues with third-party antivirus and EDR solutions when you activate the Endpoint Risk Assessment. This change does not affect Endpoint Risk Assessments in progress.
- When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
- Subscriber accounts with EDR Core allocated to their endpoints, but not deployed, can now start a trial of WatchGuard EPDR or Advanced EPDR and activate an Endpoint Risk Assessment.
- You can now download signature files over HTTPS.
Resolved Issues
- When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
- Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
- When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
- A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
- When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.
Enhancements
- These enhancements were made in Windows protection v8.00.22.0024 and higher:
- The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when EDR Core cannot stop a driver.
- Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.
Resolved Issues
- These issues were resolved in Windows protection v8.00.22.0024 and higher:
- A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
- The URL filtering feature now prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
- A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
- The AMSI detection technology now respects the path exclusions configured in the protection software settings.
Resolved Issues
- Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.
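Nearly every fix and feature in these notes, including this driver fix, carries a minimum protection or agent version ("requires Windows protection version 8.00.22.0023 or higher"). Checking a fleet inventory against those minimums is easy to get wrong with plain string comparison, because the zero-padded components ("0023") do not sort numerically as text. The script below is an added example, not WatchGuard code: it parses the four-part versions numerically, keeps a table of minimums quoted on this page (the names are the features and fixes as described here, not product identifiers), and reports, per host, which items a constructed inventory still lacks.

```python
"""Compare installed EDR Core component versions against per-fix minimums.

Added example (not WatchGuard code). REQUIREMENTS holds minimums quoted in
these release notes; INVENTORY rows are constructed.
"""


def parse_version(v: str) -> tuple:
    """'v8.00.22.0023' -> (8, 0, 22, 23); numeric so zero padding is irrelevant."""
    return tuple(int(part) for part in v.strip().lstrip("v").split("."))


def meets(installed: str, required: str) -> bool:
    """True if installed >= required, padding shorter tuples with zeros."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


# Minimums quoted in these notes: description -> (inventory field, minimum version)
REQUIREMENTS = {
    "pskmad_64.sys privilege escalation fix": ("windows_protection", "8.00.22.0023"),
    "Safe Mode anti-tamper and 2FA uninstall": ("windows_protection", "8.00.22.0023"),
    "Block Vulnerable Drivers, AMSI, Code Injection toggle": ("windows_protection", "8.00.23.0000"),
    "Endpoint Access Enforcement (Windows agent)": ("windows_agent", "1.22.01.0000"),
    "Linux network isolation": ("linux_protection", "3.05.00.0000"),
}

# Constructed inventory rows; a missing field means the component is not on that host.
INVENTORY = [
    {"host": "WS01", "windows_protection": "8.00.23.0001", "windows_agent": "1.22.02.0000"},
    {"host": "SRV02", "windows_protection": "8.00.22.0022", "windows_agent": "1.21.02.0000"},
    {"host": "LNX03", "linux_protection": "3.03.00.0001"},
]


def missing(row: dict, requirements=REQUIREMENTS) -> list:
    """Names of requirements this host's installed components do not meet."""
    gaps = []
    for name, (field, minimum) in requirements.items():
        installed = row.get(field)
        if installed is not None and not meets(installed, minimum):
            gaps.append(name)
    return gaps


def report(inventory=INVENTORY, requirements=REQUIREMENTS) -> dict:
    """host -> list of unmet requirements."""
    return {row["host"]: missing(row, requirements) for row in inventory}


if __name__ == "__main__":
    for host, gaps in report().items():
        print(host, "OK" if not gaps else "; ".join(gaps))
```

Feed it the versions exported from the management UI (or collected by your RMM) and treat any host that lists the driver fix as one still exposed to the administrator-to-SYSTEM issue described above.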
Enhancements
- You can now isolate Mac computers on your network. Similar to the Windows feature, isolated Mac computers allow only WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires macOS protection version 3.04.00.0000 or higher.
- To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
- Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
- In the list of discovered computers, you can now select all unprotected computers.
Resolved Issues
- When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
- When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
- Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
- Resolved an issue that caused a rare BSOD error when the server generated malformed network packages. This fix requires Windows protection version 8.00.22.0023 or higher.
- The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
- Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.
Resolved Issues
- An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues:
- Network Access Enforcement (VPN enforcement) now works for endpoints with macOS protection v3.03.00.0003 and higher. [WGUA-1913]
- The network extension no longer stops working, and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
- When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
- macOS protection v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]
New Features
Endpoint Security Integration for NinjaOne
With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.
Enhancements
- EDR Core now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
- If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.
Resolved Issues
- Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
- Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
- Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.
New Features
Endpoint Security Plug-in for ConnectWise Automate v1.3
This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:
- You can now select an Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
- You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
- You can now search for clients and accounts by name on the Map Clients page.
For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.
Resolved Issues
- Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
- Resolved an issue that causes a memory leak in the PSINReg.sys driver that could lead to a BSOD error. This fix requires Windows protection software v8.00.22.0014 or higher.
- Resolved an issue where scheduled reports do not include the details of available patches.
- Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.
- Resolved an issue where, when you excluded a network attack from certain IP addresses and then added another exclusion for the same attack from another IP address, the first exclusion was not saved.
- Resolved an issue where executive reports show the incorrect date and time for IOA-related information.
Enhancements
- Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
- The protection software upgrade process better retains settings defined in a previous version.
- Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
- When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
- Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.
- In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.
Resolved Issues
- In the updated version of the Windows protection software or agent:
- Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
- Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
- The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
- Resolved an issue with the RDP protection to detect and contain brute-force attacks on RDP. This issue affected customers with Windows protection software v8.00.22.0012 and is resolved in Windows protection software v8.00.22.0014 and higher.
- WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
- macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.
New Features
Endpoint Security Plug-in for N-able N-sight
With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.
New Features
WatchGuard Advanced EPDR
You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.
Audit Mode
- In a workstations and servers settings profile, you can enable Audit mode to detect and report malware, ransomware, and other types of attacks. In Audit mode, EDR Core does not block or delete detected threats. Audit mode supports Windows, macOS, and Linux workstations and servers.
- We recommend you use this mode only to evaluate EDR Core or to evaluate the security status of a customer protected with another solution. EDR Core does not protect computers in Audit mode, so they show as at risk in the management UI.
Enhancements
- Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that EDR Core is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
- Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
- You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported on Windows, macOS, and Linux workstations and servers.
- Linux protection v3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
- On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.
Resolved Issues
- When the Automatic Deletion of Computers option in Computer Maintenance is enabled, EDR Core deletes the computers from the management UI, but does not uninstall the EDR Core software.
- EDR Core now shows detections made by the decoy files technology in management UI reports.
- EDR Core now shows detections made by the anti-exploit technology in the blocked items tile in the Security dashboard.
- Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
- EDR Core now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
- In rare cases when there is a timeout error due to no network traffic, the firewall technology in EDR Core continues to run.
- A fix was made to cancel the installer when Windows Update updates are in progress.
- A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
- macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
- A fix was made to make sure that local alerts show on macOS computers.
- macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
- When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
- On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
- A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
- On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
- On Linux computers, EDR Core does not send duplicate detection reports when the EDR Core software upgrades.
- When you exclude blocked malware and PUPs in EDR Core, they are now allowed to run.
Enhancements
- Email alerts now include the customer name and the WatchGuard Cloud account ID.
- Initial release. WatchGuard EDR Core is an endpoint security service available with the Total Security Suite subscription for your Firebox. For more information on EDR Core, you can review the PowerPoint presentation, Introduction to WatchGuard EDR Core, or go to About WatchGuard EDR Core in Help Center.