WatchGuard Advanced EPDR Enhancements and Resolved Issues
Applies To: WatchGuard Advanced EPDR
For more information about new features, go to the What's New in WatchGuard Endpoint Security PowerPoint.
Protection and Agent Versions for WatchGuard Advanced EPDR 4.40.00
- Windows protection: 8.00.23.0001 and 8.00.23.0002 for Windows 7, Windows 8, Windows 2008 R2, and Windows 2012, and 8.00.22.0026 for Windows XP, Windows Vista, Windows 2003, and Windows 2008
- macOS protection: 2.00.10.1000 and 3.05.0050 for macOS Catalina 10.15, Big Sur 11, Monterey 12, Ventura 13, Sonoma 14, and Sequoia 15
- Linux protection: 3.05.00.0050
- Android agent and protection: 3.10.0
- iOS agent and protection: 2.01.16.0007
- Windows agent: 1.22.02.0000
- macOS agent: 1.14.02.0000
- Linux agent: 1.14.04.0000
WatchGuard periodically updates Endpoint Security products and modules to provide enhancements and resolve reported issues. New versions roll out gradually to accounts. Some features and enhancements listed here might not be available to your account. When a new version is available, upgrade notifications appear as alerts in the upper-right corner of the management UI. If an upgrade is available, we recommend that you upgrade to the most recent version. If there is no alert in the management UI and you need to upgrade to the latest version of the product, contact your WatchGuard representative to request an upgrade. For more information, go to the Knowledge Base article: WatchGuard Endpoint Security Upgrade Schedule.
Latest Release
Release Date: 14 November 2024
Enhancements
- On 26 November 2024, if your firewall or proxy server is not configured to allow connections to and from *.pandasecurity.com, then you must update settings to allow connections from EDR Core to some specific required URLs. For more information, go to this Support blog post: Update to URLs Required by WatchGuard Endpoint Security Products.
Previous Releases
New Features
Endpoint Security Plug-in for ConnectWise Automate v1.5
This Endpoint Security Plug-in for ConnectWise Automate release updates the steps to install, update, and remove the plug-in.
You can download the plug-in from the Software Downloads page at software.watchguard.com.
For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.
Enhancements
- The Endpoint Security software now supports the TLS 1.2 protocol natively for Windows 7, Windows Server 2008 R2 (Kernel 6.1), Windows 8, and Windows Server 2012. For more information, go to this Support blog post: End of Support for TLS 1.0 and TLS 1.1.
Enhancements
- On the Investigation tab of the computer details page, you can now run SQL queries on the telemetry collected over the last seven days.
- On the Indicators of Attack (IOA) details page, a new Investigation tab shows telemetry reported by Windows, Mac, and Linux computers in the days around the date of the event that triggered the IOA. You can run SQL queries on the available telemetry for an IOA.
New Features
Verbose Mode
Verbose mode is now available and enables computers to send extended telemetry to the cloud servers. Verbose mode provides detailed system information for IOA resolution. It is useful for security operators who want to simulate proof-of-concept attacks under the MITRE standard.
- You can enable Verbose mode on up to 20 Windows computers in Audit mode.
- This feature requires Windows protection v8.00.23.0000 or higher.
On the Computer details page, there is a new Investigation tab. The Investigation page shows telemetry reported by Windows, Mac, and Linux computers in the last seven days. On this page, you can run SQL queries on the telemetry collected over the last seven days.
Endpoint Access Enforcement
With Endpoint Access Enforcement, you can now monitor connections to Windows computers on the network to help reduce potential infections and attacks from unprotected Windows, Mac, or Linux computers. The Endpoint Access Enforcement dashboard includes several graphs: Connection Map, Top 5 Computers Reporting High-Risk Outbound or Inbound Connections, Number of Connections by Condition, and Number of Connections by Monitored Protocol. Executive reports now include an Endpoint Access Enforcement section.
- By default, Endpoint Access Enforcement monitors inbound connections for SMB and RDP traffic.
- On Windows computers, this feature requires Windows protection v8.00.23.0000 or higher and the Windows agent v1.22.01.0000 or higher; on Mac and Linux computers, it requires the macOS or Linux agent v1.14.01.0000 or higher.
- Connections are allowed only if the configured conditions are met.
- In the Endpoint Access Enforcement settings profile, you can specify risk conditions for computers and add connection rules for protocols other than those monitored by default. You can also select the action to take on computers at risk (Audit or Block).
On the Computer details page, there is a new Monitored Connections tab. The Monitored Connections page shows connections that meet the conditions specified in the Endpoint Access Enforcement rules.
Block Vulnerable Drivers
In a Workstations and Servers settings profile, you can now configure Endpoint Security to block vulnerable drivers. This helps prevent exploitation of the driver by malicious actors. You can exclude detected vulnerable drivers so that they are not detected again. This feature requires Windows protection v8.00.23.0000 or higher.
Enhancements
- Code injection uses anti-exploit techniques to detect exploit attempts in running processes. Code injection now inspects every running process. The inspection could cause performance and compatibility issues for some applications. For more information, go to this Knowledge Base article.
- Anti-exploit protection settings are now easier to configure. In the Advanced Protection section of the Workstations and Servers security settings profile, you now enable anti-exploit protection with the Code Injection toggle. You can exclude specific processes from anti-exploit protection. This feature requires Windows protection v8.00.23.0000 or higher.
- You can now enable advanced scanning with AMSI detection. You can enable AMSI detection technology and exclude specific processes. This feature requires Windows protection v8.00.23.0000 or higher.
- When you configure Risk settings, you can now specify which folder, file, and extension exclusions you want to impact the computer risk level assessment.
- Remote control now supports Linux and Mac computers. The same Windows remote control features are available for Linux and Mac computers (for example, remote shell, list of running processes, list of computer services, and bidirectional file transfer). This feature requires v1.14.01.0000 or higher of the Linux or Mac agent.
- You can now isolate Linux computers on your network. Similar to the Windows and Mac feature, isolated Linux computers only allow WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the Linux computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires Linux protection v3.05.00.0000 or higher.
- You can now enable and disable local alerts on Mac computers and customize malware, firewall, and device control alerts.
- Android protection now supports Network Access Enforcement.
- You can now use MD5 and SHA-256 hashes when you configure these features: Advanced Protection, Program Blocking, and Authorized Software.
- You can export recipient email addresses configured in the My Alerts settings for all users in an account.
- You can now cancel or delete all tasks at one time.
- Endpoint Security now supports Windows Server 2025 in Windows protection v8.00.23.0000 or higher.
- Endpoint Security now supports macOS 15 Sequoia in macOS protection v3.05.00.0000 or higher.
- Endpoint Security now supports these Linux distributions: OpenSUSE 15.3, 15.4, 15.5, and 15.6; SUSE 15 SP6; Fedora 39 and 40; Red Hat/Oracle/Rocky/Alma 8.9, 8.10, 9.3, and 9.4; Ubuntu 23.10 and 24.04; and Mint 21.2, 21.3, and 22. This feature requires Linux protection v3.05.00.0000 or higher. For more information on distributions, go to Linux.
- On 30 September 2024, protection for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, as well as macOS Yosemite, El Capitan, Sierra, High Sierra, and Mojave will become End of Sale (EOS). Windows 2008 R2 will continue to be supported. After that date, you will not be able to add devices to the management UI or install the protection software on new computers that run these operating systems versions.
- On 30 April 2025, our Windows and Mac protection for these OS versions will become End of Life (EOL).
- After the EOL date, the product license will be automatically removed from all computers that run these OS versions, and you will not be able to allocate licenses to affected computers.
Resolved Issues
- This release resolves an issue that caused the security software to send the same alert email notifications repeatedly over several days.
- This release resolves temporary performance issues on Windows Server 2016.
- This release resolves an issue that caused the security software to classify URLs as “unknown category” and block them on some computers.
- This release resolves an issue that prevented user login to a corporate website.
- A fix was made to make sure that security software upgrades after computer shutdown did not take too long. The computer does not wait for the PSANHost process to close.
- This release resolves a BSOD error that occurred on computers with NeuShield drivers.
- This release resolves an issue that caused the security software decoy files to create temporary files and folders after backup sessions.
- This release resolves an issue where ATC.exe did not run on Server Core because of a dependency.
- This release resolves an issue that caused on-demand scans of PDF files to not finish.
- This release resolves a vulnerability found in the security software decoy files.
- This release resolves an issue with Linux protection signature file permissions after a security software upgrade.
- This release resolves a self-diagnosis issue that caused the security software to sometimes incorrectly report an error.
- This release resolves an issue where uninstallation of the security software from a Mac device prompted you to keep the quarantine folder even though it was empty.
- In environments with proxy communications, fixes were made to the network infrastructure to prevent random BSOD errors. [WGUA-4183]
- The decoy files feature no longer causes false positive detections associated with svchost.exe. [WGUA-4287]
- Resource usage issues caused by the Endpoint Access Enforcement feature were resolved. [AETHER-5510]
- A fix was included to prevent a memory leak issue caused by the firewall infrastructure. [WGUA-4281]
Enhancements
- These enhancements are in Windows protection v8.00.22.0025 and higher:
- Performance improvements for multi-user environments such as RDS environments. [KER-822]
Resolved Issues
- These issues are resolved in Windows protection v8.00.22.0025 and higher:
- Isolated computers no longer show alert messages when the Do Not Show Alerts option is selected.
- This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
- This release resolves an upgrade issue that stopped protection services.
- The Registry Modifications to Run When Windows Starts advanced policy no longer affects the protection software system tray icon.
- The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
- This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
- For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]
Resolved Issues
- This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
- The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
- This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
- Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608]
- General high RAM and CPU usage issues are improved. [WGUA-1976]
- Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
- This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
- AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
- Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
- Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
- When the user selects “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
- When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
- This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
- When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
- Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
- Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]
Resolved Issues
- Minor bug fixes and improvements to the onboarding applications for the NinjaOne, N-able N-sight, and N-able N-central plug-ins.
New Features
- In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
- You can also configure computers or computer groups to not install patches.
- When you create a patch installation task, you can select to install patches on only test computers.
Enhancements
- In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
- Web Access Control settings now include these new Artificial Intelligence content categories: Generative AI – Conversation, Generative AI – Multimedia, Generative AI – Text & Code, and Other AI ML Applications.
- When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
- Subscriber accounts with EDR Core allocated to their endpoints, but not deployed, can now start a trial of WatchGuard EPDR or Advanced EPDR and activate an Endpoint Risk Assessment.
- You can now download signature files over HTTPS.
Resolved Issues
- When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
- Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
- When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
- A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
- When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.
Enhancements
- These enhancements were made in Windows protection v8.00.22.0024 and higher:
- The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when WatchGuard Advanced EPDR cannot stop a driver.
- Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.
Resolved Issues
- These issues were resolved in macOS protection v3.04.00.0000 and higher:
- If you close the lid of a MacBook to shut it down and then open the lid to wake it, scans in progress (immediate and scheduled) are no longer affected.
- A fix was made to make sure that Mac computers with low resources and slow web browsing do not allow access to URLs blocked with the URL filtering feature.
- These issues were resolved in iOS agent v2.01.17.0006 and higher:
- When you configure time slots in the URL filtering feature, they also apply to the lists of allowed and denied URLs.
- New URL categories added to the URL filtering feature are now handled correctly and are no longer treated as unknown URLs.
- WatchGuard EPDR on iOS devices now reports the threat type correctly when it detects and blocks phishing URLs.
- Anti-theft protection for iOS now sounds the correct alarm and can make calls to the phone number specified in the remote alarm feature.
- These issues were resolved in Windows protection v8.00.22.0024 and higher:
- A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
- The URL filtering feature prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
- A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
- The AMSI detection technology now respects the path exclusions configured in the protection software settings.
- You can now disable URL filtering local alerts.
Resolved Issues
- Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.
Enhancements
- Full Encryption with FileVault Technology is now available for Mac devices with macOS Catalina 10.15 or higher. The Full Encryption license requires as many endpoints as the total number of endpoints encrypted with Windows BitLocker or macOS FileVault. Encryption runs in the background and there is no impact on performance. You can see the encryption status of both Windows and Mac computers on dashboards and in lists.
- You can now isolate Mac computers on your network. Similar to the Windows feature, isolated Mac computers allow only WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires macOS protection version 3.04.00.0000 or higher.
- To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
- Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
- You can now send executable files larger than 50 MB to the Collective Intelligence platform for analysis. These files do not contain personal information. This improvement enables the Zero-Trust Application Service to classify large files more accurately.
- In the Patch Management module, you can now filter the list of available patches by patch release date.
- In the Patch Management module, new columns in the extended installation history export file provide information about the tasks that installed the patches.
- The message text that shows on user computers when a reboot is required to install a patch has changed. The updated text indicates that the reboot is required by the patched software, not the WatchGuard Endpoint Security product or Patch Management module.
- In the list of discovered computers, you can now select all unprotected computers.
Resolved Issues
- When you create a list of patches and sort it by computer, an error no longer occurs when you try to view the patch details.
- When a patch description contains a plus sign (+), information still appears when you view the patch details.
- When you disable advanced protection, features that depend on advanced protection, such as Anti-exploit or Network Attack Protection, are now disabled.
- When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
- When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
- Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
- Resolved an issue to make sure that URL filtering can classify web pages in IPv6 environments. This fix requires Windows protection version 8.00.22.0023 or higher.
- Resolved an issue that caused a rare BSOD error when the server generated malformed network packets. This fix requires Windows protection version 8.00.22.0023 or higher.
- The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
- Resolved an issue that caused a memory leak in Data Control and customer-defined filters. This fix requires Windows protection version 8.00.22.0023 or higher.
- Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.
- To prevent issues in specific scenarios with third-party antivirus and EDR solutions, when you start a new Endpoint Risk Assessment, these settings for the All group are now automatically disabled:
- Decoy files
- Anti-exploit technology
This change does not affect existing risk assessments.
Resolved Issues
- An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues:
- Network access enforcement (VPN enforcement) now works for endpoints with macOS v3.03.00.0003 and higher. [WGUA-1913]
- The network extension no longer stops working and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
- When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
- macOS v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]
Enhancements
- An updated version of the Android app and communication agent is now available. The updated version includes these enhancements:
- Users are not prompted to Disable App Hibernation when the app is installed on an MDM profile in Device Owner or Work Profile mode. This enhancement requires Android app v3.8.14 or higher.
- Android app v3.9.3 and higher now supports Android 13 natively. Previous versions of the Android app also work on Android 13, but in compatibility mode.
- A new Show Notifications permission was added to show notifications to users on Android 13 or higher. This enhancement requires Android app v3.9.3 or higher.
- A new privacy policy and notification were added that describe how we collect, use, and share data processed by the app, and how to access it. The policy appears the first time you open the Android app in v3.9.3 or higher. You can also review it from the About page.
New Features
WatchGuard Endpoint Risk Assessment
The WatchGuard Endpoint Risk Assessment is now available for partners and customers with a trial of WatchGuard EPDR or WatchGuard Advanced EPDR. Partners can use the WatchGuard Endpoint Risk Assessment to evaluate the cybersecurity posture of managed accounts that use a third-party endpoint security solution. The assessment enables partners and customers to identify threats, vulnerabilities, and other security risks. It is not available for partners or customers with an existing Endpoint Security product or EDR Core license. For more information, go to WatchGuard Endpoint Risk Assessment.
Enhancements
- Approved partners with an activated WatchGuard MDR license can now enroll customers in WatchGuard MDR from the Endpoint Security management UI (Configure > Endpoints). For more information, go to Configure WatchGuard MDR.
Resolved Issues
- Minor updates and bug fixes.
New Features
Endpoint Security Integration for NinjaOne
With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.
Enhancements
- Advanced EPDR now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
- If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.
Resolved Issues
- Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
- Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
- Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.
New Features
Endpoint Security Plug-in for ConnectWise Automate v1.3
This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:
- You can now select an Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
- You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
- You can now search for clients and accounts by name on the Map Clients page.
For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.
Resolved Issues
- Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
- Resolved an issue that causes a memory leak in the PSINReg.sys driver that could lead to a BSOD error. This fix requires Windows protection software v8.00.22.0014 or higher.
- Resolved an issue where scheduled reports do not include the details of available patches.
- Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.
- Resolved an issue where, when you excluded a network attack performed from certain IP addresses and then added another exclusion for the same attack from another IP address, the first exclusion was not saved.
- Resolved an issue where executive reports show the incorrect date and time for IOA-related information.
Enhancements
- Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
- The protection software upgrade process better retains settings defined in a previous version.
- Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
- When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
- Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.
- In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.
Resolved Issues
- In the updated version of the Windows protection software or agent:
- Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
- Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
- The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
- Resolved an issue with the RDP protection to detect and contain brute-force attacks on RDP. This issue affected customers with Windows protection software v8.00.22.0012 and is resolved in Windows protection software v8.00.22.0014 and higher.
- WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
- macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.
New Features
Endpoint Security Plug-in for N-able N-sight
With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.
New Features
Initial Release — WatchGuard Advanced EPDR
WatchGuard Advanced EPDR is now publicly available. You can manage Advanced EPDR licenses and inventory allocation in WatchGuard Cloud. Start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as:
- Advanced Indicators of Attack (IOAs) and events
- Centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules
- Advanced security policies
- Remote access to detect, contain, and remediate incidents
For more information, go to the presentation, Introduction to Advanced EPDR.
Enhancements
If you are upgrading from another WatchGuard Endpoint Security product to Advanced EPDR, note that Advanced EPDR includes all of the same enhancements in WatchGuard EPDR. For more information on enhancements, go to WatchGuard EPDR Enhancements and Resolved Issues.
Resolved Issues
If you are upgrading from another WatchGuard Endpoint Security product to Advanced EPDR, note that Advanced EPDR includes all of the same resolved issues in WatchGuard EPDR. For more information on resolved issues, go to WatchGuard EPDR Enhancements and Resolved Issues.
New Features
WatchGuard Advanced EPDR (Beta)
WatchGuard Advanced EPDR is now available for beta testing. Advanced EPDR expands the capabilities of WatchGuard EPDR with advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents.
To get started, enable the beta toggle in WatchGuard Cloud and then start a trial of Advanced EPDR. To learn more or to report an issue, go to the WatchGuard Endpoint Security beta test community.