EDR Core (Total Security Suite) Release Notes

For more information about new features, go to the What's New in Endpoint Security PowerPoint presentation.

Latest EDR Core Update 10 June 2024
Release Notes Revision Date

10 June 2024

Protection and Agent Versions for WatchGuard EDR Core 4.30.00

  • Windows protection: 8.00.22.0025
  • macOS protection: 2.00.10.1000 and 3.04.01.0000 for macOS Catalina, Big Sur, Monterey, Ventura, and Sonoma
  • Linux protection: 3.03.00.0001
  • Android agent and protection: 3.9.6
  • iOS agent and protection: 2.01.17.0006
  • Windows agent: 1.21.03.0000
  • macOS agent: 1.13.10.0000
  • Linux agent: 1.13.00.0000

WatchGuard periodically updates Endpoint Security products and modules to provide enhancements and resolve reported issues. New versions roll out gradually to accounts. Some features and enhancements listed here might not be available to your account. When a new version is available, upgrade notifications appear as alerts in the upper-right corner of the management UI. If an upgrade is available, we recommend that you upgrade to the most recent version. If there is no alert in the management UI and you need to upgrade to the latest version of the product, contact your WatchGuard representative to request an upgrade. For more information, go to the Knowledge Base article: WatchGuard Endpoint Security Upgrade Schedule.

Latest Release

Release Date: 10 June 2024

Enhancements

  • These enhancements are in Windows protection v8.00.22.0025 and higher:
    • Performance improvements for multi-user environments such as RDS environments. [KER-822]

Resolved Issues

  • These issues are resolved in Windows protection v8.00.22.0025 and higher:

    • Isolated computers no longer show alert messages when the Do Not Show Alerts option is selected.
    • This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
    • This release resolves an upgrade issue that stopped protection services.
    • The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
    • This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
    • For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]

Previous Releases

Resolved Issues

  • This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
  • The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
  • This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
  • Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608 ]
  • General high RAM and CPU usage issues are improved. [WGUA-1976]
  • Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
  • This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
  • AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
  • Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
  • Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
  • When the user selects, “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
  • When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
  • This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
  • When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
  • Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
  • Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]

New Features

  • In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
    • You can also configure computers or computer groups to not install patches.
    • When you create a patch installation task, you can select to install patches on only test computers.

Enhancements

  • In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
  • The default workstations and servers settings profile now has anti-exploit and decoy files disabled. Endpoint Security applies this profile to the All group by default until you create and assign a new profile. This profile helps prevent issues with third-party antivirus and EDR solutions when you activate the Endpoint Risk Assessment. This change does not affect Endpoint Risk Assessments in progress.
  • When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
  • Subscriber accounts with EDR Core allocated to their endpoints, but not deployed, can now start a trial of WatchGuard EPDR or Advanced EPDR and activate an Endpoint Risk Assessment.
  • You can now download signature files over HTTPS.

Resolved Issues

  • When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
  • Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
  • When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
  • A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
  • When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.

Enhancements

  • These enhancements were made in Windows protection v8.00.22.0024 and higher:
    • The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when EDR Core cannot stop a driver.
    • Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.

Resolved Issues

  • These issues were resolved in Windows protection v8.00.22.0024 and higher:
    • A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
    • The URL filtering feature prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
    • A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
    • The AMSI detection technology now respects the path exclusions configured in the protection software settings.

Resolved Issues

  • Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.

Enhancements

  • You can now isolate Mac computers on your network. Similar to the Windows feature, isolated Mac computers allow only WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires macOS protection version 3.04.00.0000 or higher.
  • To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
  • Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
  • In the list of discovered computers, you can now select all unprotected computers.

Resolved Issues

  • When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
  • When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
  • Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
  • Resolved an issue that caused a rare BSOD error when the server generated malformed network packages. This fix requires Windows protection version 8.00.22.0023 or higher.
  • The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
  • Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.

Resolved Issues

  • An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues: 
    • Network access enforcement (VPN enforcement) now works for endpoints with macOS v3.03.00.0003 and higher. [WGUA-1913]
    • The network extension no longer stops working and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
    • When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
    • macOS v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]

New Features

Endpoint Security Integration for NinjaOne

With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.

Enhancements

  • EDR Core now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
  • If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.

Resolved Issues

  • Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
  • Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
  • Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.3

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

  • You can now select an Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
  • You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
  • You can now search for clients and accounts by name on the Map Clients page.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Resolved Issues

  • Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
  • Resolved an issue that causes a memory leak in the PSINReg.sys driver that could lead to a BSOD error. This fix requires Windows protection software v8.00.22.0014 or higher.
  • Resolved an issue where scheduled reports do not include the details of available patches.
  • Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.
  • Resolved an issue where, when you excluded network attack performed from certain IP addresses, and then add another exclusion for the same attack from another IP address, the first exclusion was not saved.
  • Resolved an issue where executive reports show the incorrect date and time for IOA-related information.

Enhancements

  • Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
    • The protection software upgrade process better retains settings defined in a previous version.
    • Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
    • When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
    • Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.
  • In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.

Resolved Issues

  • In the updated version of the Windows protection software or agent:
    • Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
    • Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
    • The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
    • Resolved an issue with the RDP protection to detect and contain brute-force attacks on RDP. This issue affected customers with Windows protection software v8.00.22.0012 and is resolved in Windows protection software v8.00.22.0014 and higher.
    • WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
  • macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.

New Features

Endpoint Security Plug-in for N-able N-sight

With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.

New Features

WatchGuard Advanced EPDR

You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.

Audit Mode

  • In a workstations and servers settings profile, you can enable Audit mode to detect and report malware, ransomware, and other types of attacks. In Audit mode, EDR Core does not block or delete detected threats. Audit mode supports Windows, macOS, and Linux workstations and servers.
    • We recommend you use this mode only to evaluate EDR Core or to evaluate the security status of a customer protected with another solution. EDR Core does not protect computers in Audit mode, so they show as at risk in the management UI.

Enhancements

  • Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that EDR Core is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
  • Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
  • You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported by Windows, macOS, and Linux workstations and servers
  • Linux protection v3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
  • On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.

Resolved Issues

  • When the Automatic Deletion of Computers option in Computer Maintenance is enabled, EDR Core deletes the computers from the management UI, but does not uninstall the EDR Core software.
  • EDR Core now shows detections made by the decoy files technology in management UI reports.
  • EDR Core now shows detections made by the anti-exploit technology in the blocked items tile in the Security dashboard.
  • Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
  • EDR Core now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
  • In rare cases when there is a timeout error due to no network traffic, the firewall technology in EDR Core continues to run.
  • A fix was made to cancel the installer when Windows Update updates are in progress.
  • A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
  • macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
  • A fix was made to make sure that local alerts show on macOS computers.
  • macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
  • When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
  • On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
  • A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
  • On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
  • On Linux computers, EDR Core does not send duplicate detection reports when the EDR Core software upgrades.
  • When you exclude blocked malware and PUPs in EDR Core, they are now allowed to run.

Enhancements

  • Email alerts now include the customer name and the WatchGuard Cloud account ID.
  • Initial release. WatchGuard EDR Core is an endpoint security service available with the Total Security Suite subscription for your Firebox. For more information on EDR Core, you can review the PowerPoint presentation, Introduction to WatchGuard EDR Core, or go to About WatchGuard EDR Core in Help Center.