WatchGuard EDR Core Enhancements and Resolved Issues

Resolved Issues

• This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
• The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
• This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320 / WGUA-2152]
• Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608 ]
• General high RAM and CPU usage issues are improved. [WGUA-1976]
• Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
• This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
• AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
• Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
• Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
• When the user selects, “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
• When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
• This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
• When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
• Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
• Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]

Resolved Issues

• Minor bug fixes and improvements to the onboarding applications for the NinjaOne, N-able N-sight, and N-able N-central plug-ins.

New Features

Endpoint Security Plug-in for N-able N-sight

With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.

New Features

WatchGuard Advanced EPDR

You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.

Audit Mode

• In a workstations and servers settings profile, you can enable Audit mode to detect and report malware, ransomware, and other types of attacks. In Audit mode, EDR Core does not block or delete detected threats. Audit mode supports Windows, macOS, and Linux workstations and servers.
  • We recommend you use this mode only to evaluate EDR Core or to evaluate the security status of a customer protected with another solution. EDR Core does not protect computers in Audit mode, so they show as at risk in the management UI.

Enhancements

• Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that EDR Core is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
• Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
• You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported by Windows, macOS, and Linux workstations and servers
• Linux protection v3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
• On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.

Resolved Issues

• When the Automatic Deletion of Computers option in Computer Maintenance is enabled, EDR Core deletes the computers from the management UI, but does not uninstall the EDR Core software.
• EDR Core now shows detections made by the decoy files technology in management UI reports.
• EDR Core now shows detections made by the anti-exploit technology in the blocked items tile in the Security dashboard.
• Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
• EDR Core now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
• In rare cases when there is a timeout error due to no network traffic, the firewall technology in EDR Core continues to run.
• A fix was made to cancel the installer when Windows Update updates are in progress.
• A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
• macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
• A fix was made to make sure that local alerts show on macOS computers.
• macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
• When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
• On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
• A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
• On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
• On Linux computers, EDR Core does not send duplicate detection reports when the EDR Core software upgrades.
• When you exclude blocked malware and PUPs in EDR Core, they are now allowed to run.

Enhancements

• Email alerts now include the customer name and the WatchGuard Cloud account ID.

• Initial release. WatchGuard EDR Core is an endpoint security service available with the Total Security Suite subscription for your Firebox. For more information on EDR Core, you can review the PowerPoint presentation, Introduction to WatchGuard EDR Core, or go to About WatchGuard EDR Core in Help Center.