WatchGuard EDR Enhancements and Resolved Issues

Enhancements

• To support more versions of Linux, Event Importer v3.10.00 for Linux now uses Microsoft .NET 8.0 instead of Microsoft .NET Core 3.10. Although Event Importer is compatible with all Linux platforms that support Microsoft .NET 8.0, it has only been certified for these distributions: Ubuntu 24.04 LTS and Red Hat Enterprise Linux 9.5.

Resolved Issues

• Event Importer v3.10.00 for Windows and Linux include changes to the user interface text to improve understanding.
• Minor updates and bug issues.

Enhancements

• In WatchGuard Cloud, Owner and Administrator operators can now include granular access control over functional areas of the EDR management UI. For more information, go to Manage Custom Operator Roles and Default Permissions for Built-In Roles in Help Center.

Enhancements

• Changes made to the Filters and Folders trees on the Computers page now persist if you navigate away from the Computers page.
• Endpoint Security now supports Fedora Linux 41 in Linux protection v3.06.00.0001 or higher.
  • The proxy server configured in the management UI is only used by the Linux protection to communicate with Endpoint Security repositories. It does not affect interaction with the package manager.
  • The Linux protection repository is disabled after you uninstall the security software and is automatically enabled and disabled during the security software update cycles.
• Local alerts now display longer on the endpoint.

Resolved Issues

• This release resolves an issue with Patch Management where, after the security software patched and restarted a computer, it left patch traces in the Patch Management folder.
• This release resolves an issue where the AppMngPatcher.exe patch installation tool stopped working occasionally.
• This release resolves an issue where incomplete tasks prevented new patches from being downloaded.
• This release resolves an issue where patches included in a later patch did not install, and a message appeared that indicated the patch was no longer necessary.
• This release resolves an issue where, if the Endpoint Access Enforcement feature was enabled, it caused high CPU usage by the AgentSVC process.
• This release resolves an issue where signature file traces were left that could not be applied and took up storage space.
• This release resolves an issue where, when the security software sent Active Directory data through Directories and Domain Sync, if any Active Directory item was larger than 125 KB, an error occurred and it was not synchronized.
• This release resolves an issue that prevented installation of the security software from a brand download error.
• This release resolves an issue where you were prompted to restart the computer repeatedly.
• This release resolves an issue where the security software showed the incorrect time in attack graphs.
• This release resolves an issue where users without Total Control permissions could not see applied filters on the Computers page.
• This release resolves an installation issue on computers that run SUSE Linux Enterprise Server 12.1.
• This release resolves an issue that caused high CPU usage by the PSANHost process.
• This release resolves an upgrade issue that caused error 1603.
• This release resolves an issue that caused the security software to show local alerts with no text.
• This release resolves an issue that caused the security software to show incorrect local alerts when it blocked unknown files because of lack of connectivity with the Collective Intelligence servers.
• This release resolves an issue that caused the Network Extension (NEXT] to stop when it encountered HTTP communications with very long URLs.

New Features

• In the Device Control settings, you can now disable AutoPlay on removable storage devices.

Enhancements

• This release includes improvements to the Zero-Trust Application Service.
  • When Endpoint Security blocks an unknown program because the endpoint cannot connect to Collective Intelligence, the History of Blocked Programs list now shows why Endpoint Security blocked the program.
  • When an unknown blocked program is later classified as goodware, the endpoint where the block occurred shows a pop-up notification that prompts the user to try to run the program again.
  • Programs initially blocked and then reclassified as goodware show in the History of Blocked Programs list with the time required for reclassification.
  • When Endpoint Security reclassifies a blocked program, the Blocked Program Details list shows when reclassification occurred, how long it took, and whether it was classified automatically by the WatchGuard Collective Intelligence or manually by WatchGuard.
• Anti-tamper protection now supports Linux computers. When anti-tamper protection is enabled, attackers cannot stop the Endpoint Security software. You can also require a password to uninstall the software from Linux computers.
• Two-factor authentication is now available for Linux computers.
• The Computer Protection Status list now shows the status of the endpoint connection to the Collective Intelligence and URL classification servers for Linux and Mac computers.
• The computer details page for Linux and Mac computers now shows the status of the connection to knowledge servers.
• From the management UI for Linux and Mac computers, you can now remotely uninstall the WatchGuard Agent and the Endpoint Security software installed by the agent.
• When an authorized process loads a library, Endpoint Security does not block the required library, even if it is unknown.
• When an authorized process creates and runs a child process, Endpoint Security allows the child process and does not block it.
• When an authorized .MSI or .EXE installer creates and runs new processes, Endpoint Security considers these child processes authorized and does not block them.

Resolved Issues

• This release resolves an issue that occurred when temporary files created when Microsoft Office files were edited could not be deleted from the server.
• This release resolves a security software self-diagnosis issue that caused an unchecked exception that could lead to service crashes.
• This release resolves an issue that caused Endpoint Security to show multiple blocked page notifications. This prevented the computer screen from being locked and could leave the computer exposed to unauthorized access.
• This release resolves a issue found in protection version 8.00.23, which could allow arbitrary file creation and exposure to a denial-of-service attack.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue with the macOS protection that caused the service to hang for approximately 30 seconds on older computers with limited resources.

New Features

Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA) v1.1

This Endpoint Security Plug-in for Kaseya VSA release updates the steps to install, configure, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for Kaseya Virtual System Administrator (VSA).

Enhancements

• On 26 November 2024, if your firewall or proxy server is not configured to allow connections to and from *.pandasecurity.com, then you must update settings to allow connections from EDR Core to some specific required URLs. For more information, go to this Support blog post: Update to URLs Required by WatchGuard Endpoint Security Products.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.5

This Endpoint Security Plug-in for ConnectWise Automate release updates the steps to install, update, and remove the plug-in.

You can download the plug-in from the Software Downloads page at software.watchguard.com.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Enhancements

• The Endpoint Security software now supports TLS 1.2 protocol natively for Windows 7, Windows Server 2008 R2 (Kernel 6.1), Windows 8, and Windows Server 2012. For more information, go to this Support blog post: End of Support for TLS 1.0 and TLS 1.1.

New Features

Endpoint Access Enforcement

With Endpoint Access Enforcement, you can now monitor connections to Windows computers on the network to help reduce potential infections and attacks from unprotected Windows, Mac, or Linux computers. The Endpoint Access Enforcement dashboard includes several graphs: Connection Map, Top 5 Computers Reporting High-Risk Outbound or Inbound Connections, Number of Connections by Condition, and Number of Connections by Monitored Protocol. Executive reports now include an Endpoint Access Enforcement section.

• By default, Endpoint Access Enforcement monitors inbound connections for SMB and RDP traffic.
• On Windows computers, this feature requires Windows protection v8.00.23.0000 or higher and the Windows agent v1.22.01.0000 or higher; on Mac and Linux computers, it requires the macOS or Linux agent v1.14.01.0000 or higher.
• In the Endpoint Access Enforcement settings profile, you can specify risk conditions for computers and add connection rules for protocols other than those monitored by default.

On the Computer details page, there is a new Monitored Connections tab. The Monitored Connections page shows connections that meet the conditions specified in the Endpoint Access Enforcement rules.

Block Vulnerable Drivers

In a Workstations and Servers settings profile, you can now configure Endpoint Security to block vulnerable drivers. This helps prevent exploitation of the driver by malicious actors. You can exclude detected vulnerable drivers so that they are not detected again. This feature requires Windows protection v8.00.23.0000 or higher.

Enhancements

• Code injection uses anti-exploit techniques to detect exploit attempts in running processes. Code injection now inspects every running process. The inspection could cause performance and compatibility issues for some applications. For more information, go to this Knowledge Base article.
• Anti-exploit protection settings are now easier to configure. In the Advanced Protection section of the Workstations and Servers security settings profile, you now enable anti-exploit protection with the Code Injection toggle. You can exclude specific processes from anti-exploit protection. This feature requires Windows protection v8.00.23.0000 or higher.
• You can now enable advanced scanning with AMSI detection. You can enable AMSI detection technology and exclude specific processes. This feature requires Windows protection v8.00.23.0000 or higher.
• When you configure Risk settings, you can now specify which folder, file, and extension exclusions you want to impact the computer risk level assessment.
• You can now isolate Linux computers on your network. Similar to the Windows and Mac feature, isolated Linux computers only allow WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the Linux computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires Linux protection v3.05.00.0000 or higher.
• You can now enable and disable local alerts on Mac computers and customize malware, firewall, and device control alerts.
• Android protection now supports Network Access Enforcement.
• You can now use MD5 and SHA-256 hashes when you configure these features: Advanced Protection, Program Blocking, and Authorized Software.
• You can export recipient email addresses configured in the My Alerts settings for all users in an account.
• You can now cancel or delete all tasks at one time.
• Endpoint Security now supports Windows Server 2025 in Windows protection v8.00.23.0000 or higher.
• Endpoint Security now supports macOS 15 Sequoia in macOS protection v3.05.00.0000 or higher.
• Endpoint Security now supports these Linux distributions: OpenSUSE 15.3, 15.4, 15.5, and 15.6; SUSE 15 SP6; Fedora 39 and 40; Red Hat/Oracle/Rocky/Alma 8.9, 8.10, 9.3, and 9.4; Ubuntu 23.10 and 24.04; and Mint 21.2, 21.3, and 22. This feature requires Linux protection v3.05.00.0000 or higher. For more information on distributions, go to Linux.
• On 30 September 2024, protection for Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, as well as macOS Yosemite, El Capitan, Sierra, High Sierra, and Mojave will become End of Sale (EOS). Windows 2008 R2 will continue to be supported. After that date, you will not be able to add devices to the management UI or install the protection software on new computers that run these operating systems versions.
  • On 30 April 2025, our Windows and Mac protection for these OS versions will become End of Life (EOL).
  • After the EOL date, the product license will be automatically removed from all computers that run these OS versions, and you will not be able allocate licenses to affected computers.

Resolved Issues

• This release resolves an issue that caused the security software to send the same alert email notifications repeatedly over several days.
• This release resolves an issue that caused the security software to classify URLs as “unknown category” and block them on some computers.
• This release resolves an issue that prevented user login to a corporate website.
• A fix was made to make sure that security software upgrades after computer shutdown did not take too long. The computer does not wait for the PSANHost process to close.
• This release resolves a BSOD error that occurred on computers with NeuShield drivers.
• This release resolves an issue that caused the security software decoy files to create temporary files and folders after backup sessions.
• This release resolves an issue where ATC.exe did not run on Server Core because of a dependency.
• This release resolves an issue that caused on-demand scans of PDF files to not finish.
• This release resolves a vulnerability found in the security software decoy files.
• This release resolves an issue with Linux protection signature file permissions after a security software upgrade.
• This release resolves a self-diagnosis issue that caused the security software to sometimes incorrectly report an error.
• This release resolves an issue where uninstallation of the security software from a Mac device prompted you to keep the quarantine folder even though it was empty.
• In environments with proxy communications, fixes were made to the network infrastructure to prevent random BSOD errors. [WGUA-4183]
• The decoy files feature no longer causes false positive detections associated with svchost.exe. [WGUA-4287]
• Resource usage issues caused by the Endpoint Access Enforcement feature were resolved. [AETHER-5510]
• A fix was included to prevent a memory leak issue caused by the firewall infrastructure. [WGUA-4281]

Enhancements

• These enhancements are in Windows protection v8.00.22.0025 and higher:
  • Performance improvements for multi-user environments such as RDS environments. [KER-822]

Resolved Issues

• These issues are resolved in Windows protection v8.00.22.0025 and higher:

  • Isolated computers no longer show alert messages when the Do Not Show Alerts option is selected.
  • This release resolves an issue for computers with a protection software error on the Status tab. [WGUA-2680]
  • This release resolves an upgrade issue that stopped protection services.
  • The protection for POP3/SMTP email over IPv6 no longer causes BSOD errors.
  • This release resolves an issue to prevent a rare BSOD error caused by the NNSSTRM.sys driver.
  • For networks detected automatically, this release resolves issues caused by the trusted networks parameters in the Endpoint Security firewall protection settings. [WGUA-2809]

Resolved Issues

• This release resolves an issue that caused immediate and scheduled scans to crash. [WGUA-623]
• The Shadow Copies feature no longer causes the system process to use high CPU after an upgrade. [WGUA-2617]
• This release improves performance issues caused by the firewall infrastructure. These issues sometimes occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-2320, WGUA-2152]
• Performance issues and high CPU usage on Windows servers that are monitored by SysMon are improved. [KER-608 ]
• General high RAM and CPU usage issues are improved. [WGUA-1976]
• Performance issues with Data Control rules-based monitoring of files are improved. [WGUA-991]
• This release resolves an issue that caused third-party antivirus programs to be disabled in Windows Security Center (WSC). [WGUA-2243]
• AMSI detection technology no longer causes issues with WatchGuard Endpoint Security. [WGUA-2246]
• Domain and URL categorization of IPv6 traffic no longer causes issues. [WGUA-1993]
• Firewall infrastructure crashes (BSOD) that reference the NNSDNS.sys driver no longer occur. The BSOD errors occurred when any of these protections were enabled on the affected endpoint: advanced protection, antivirus, firewall protection, or web access control. [WGUA-1881]
• When the user selects, “Do not detect again”, the protection software does not detect Trj/RansomDecoy. [WGUA-2030]
• When the Decoy File feature is enabled, protection software errors on Windows computers with multibyte character sets (MBCS) do not occur. [WGUA-1389]
• This release resolves file transfer errors for Server Message Block (SMB) traffic on domain controller servers. [WGUA-1681]
• When you upgrade the protection software for certain Windows versions, the installed application now appears in Windows Security Center (WSC). [WGUA-1731]
• Connection timeout errors no longer occur for some HTTPS web pages with the protection software installed. [WGUA-1636]
• Self-diagnosis failures in Windows Security Center (WSC) do not cause the PSANHost.exe service to restart. These failures caused the service to restart when it could not get the necessary module configuration information. [WGUA-2746]

Resolved Issues

• Minor bug fixes and improvements to the onboarding applications for the NinjaOne, N-able N-sight, and N-able N-central plug-ins.

New Features

• In WatchGuard Patch Management, you can now configure computers on the network as test computers. Use test computers to verify patches install successfully before you deploy the patches across the network.
  • You can also configure computers or computer groups to not install patches.
  • When you create a patch installation task, you can select to install patches on only test computers.

Enhancements

• In the Patch Management Installation History list, when a patch requires a computer restart, the patch status shows as Pending Restart. The status now changes to Installed when the computer restarts and completes patch installation.
• The default workstations and servers settings profile now has anti-exploit and decoy files disabled. Endpoint Security applies this profile to the All group by default until you create and assign a new profile. This profile helps prevent issues with third-party antivirus and EDR solutions when you activate the Endpoint Risk Assessment. This change does not affect Endpoint Risk Assessments in progress.
• When an Endpoint Risk Assessment is in progress, and you want to schedule a report, the Risk Assessment Report is now selected by default.
• You can now download signature files over HTTPS.

Resolved Issues

• When the user is not logged in to the endpoint, WatchGuard Endpoint Security can now re-install with a restart after the scheduled wait time is exceeded.
• Duplicate computers no longer display when you use Active Directory to discover unmanaged computers.
• When you filter the Unmanaged Computers Discovered list and then select all filtered computers to install WatchGuard Endpoint Security on, the software now installs only on the computers in the filtered list.
• A fix was made to make sure that WatchGuard Endpoint Security sends executive reports and other scheduled daily reports as expected.
• When you disable a feature that uses the NAHSL network driver (for example, Advanced Protection, Web Access Control, or the Firewall), the NAHSL network driver is disabled.

Enhancements

• These enhancements were made in Windows protection v8.00.22.0024 and higher:
  • The software upgrade process was enhanced to make sure that Windows devices do not receive a BSOD error when WatchGuard EDR cannot stop a driver.
  • Improvements were made to prevent high CPU usage during computer startup when the Shadow Copies feature is enabled.

Resolved Issues

• These issues were resolved in Windows protection v8.00.22.0024 and higher:
  • A fix was made to prevent memory leaks on connections over port 8180 of the Java application that could cause the server to run out of memory.
  • The URL filtering feature prevents access to URLs configured as denied (for example, Facebook or YouTube pages).
  • A fix was made to prevent a rare BSOD error caused by the pskmad.sys driver.
  • The AMSI detection technology now respects the path exclusions configured in the protection software settings.

Resolved Issues

• Fixed a vulnerability in the pskmad_64.sys driver that could enable an attacker with Administrator privileges to run code with SYSTEM privileges on the target computer. For more information, review this Security Advisory Detail. This fix requires Windows protection version 8.00.22.0023 or higher.

Enhancements

• Full Encryption with FileVault Technology is now available for Mac devices with macOS Catalina 10.15 or higher. The Full Encryption license requires as many endpoints as the total number of endpoints encrypted with Windows BitLocker or macOS FileVault. Encryption runs in the background and there is no impact on performance. You can see the encryption status of both Windows and Mac computers on dashboards and in lists.
• You can now isolate Mac computers on your network. Similar to the Windows feature, isolated Mac computers allow only WatchGuard Endpoint Security processes to communicate. If an attack occurs, you can isolate the computer from the network to prevent the spread of the threat. If required, you can exclude other processes to allow them to communicate on isolated computers. This feature requires macOS protection version 3.04.00.0000 or higher.
• To improve anti-tamper protection, you can now require two-factor authentication (2FA) when users try to log in to the management UI from their computers or uninstall the WatchGuard Endpoint Security product from their computer. 2FA uses a QR code you can generate for all computers in a customer account or, if you want to have different authenticator factors for different settings profiles, you can generate multiple QR codes. This feature requires Windows protection version 8.00.22.0023 or higher.
• Anti-tampering features now protect Windows computers when they start in Safe Mode. This setting is enabled by default. You can disable it in the management UI or from the Windows computer. This feature requires Windows protection version 8.00.22.0023 or higher.
• You can now send executable files larger than 50 MB to the Collective Intelligence platform for analysis. These files do not contain personal information. This improvement enables the Zero-Trust Application Service to classify large files more accurately.
• In the Patch Management module, you can now filter the list of available patches by patch release date.
• In the Patch Management module, new columns in the extended installation history export file provide information about the tasks that installed the patches.
• The message text that shows on user computers when a reboot is required to install a patch has changed. The updated text indicates that the reboot is required by the patched software, not the WatchGuard Endpoint Security product or Patch Management module.
• In the list of discovered computers, you can now select all unprotected computers.

Resolved Issues

• When you create a list of patches and sort it by computer, an error no longer occurs when you try to view the patch details.
• When a patch description contains a plus sign (+) , information still appears when you view the patch details.
• When you disable advanced protection, features that depend on advanced protection, such as Anti-exploit or Network Attack Protection, are now disabled.
• When a MAC address is not in uppercase letters, the security software can still discover unprotected computers.
• When you search the network for unprotected computers, the search results do not return protected computers that do not match the name in the list.
• Resolved an issue to make sure that antivirus exclusions are applied to decoy files. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue to make sure that URL filtering can classify web pages in IPv6 environments. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue that caused a rare BSOD error when the server generated malformed network packages. This fix requires Windows protection version 8.00.22.0023 or higher.
• The zlib version was updated to resolve vulnerabilities in the previous version. This fix requires Windows protection version 8.00.22.0023 or higher.
• Resolved an issue that caused a memory leak in Data Control and customer-defined filters. This fix requires Windows protection version 8.00.22.0023 or higher.
• Performance improvements on virtual servers. This fix requires Windows protection version 8.00.22.0023 or higher.

Resolved Issues

• An updated version of the macOS protection (v3.03.00.0003) is now available. The updated version includes these resolved issues: 
  • Network access enforcement (VPN enforcement) now works for endpoints with macOS v3.03.00.0003 and higher. [WGUA-1913]
  • The network extension no longer stops working and the message that NeXT privileges had not been accepted no longer appears. [WGUA-2048]
  • When analyzing paths and files that contain special characters or emojis, the local console no longer stops working. [WGUA-2119]
  • macOS v3.03.00.0003 includes performance improvements. Goodware items are now correctly added to the cache to optimize the analysis at the next program execution. [WGUA-1629]

Enhancements

• Approved partners with an activated WatchGuard MDR license can now enroll customers in WatchGuard MDR from the Endpoint Security management UI (Configure > Endpoints). For more information, go to Configure WatchGuard MDR.

Resolved Issues

• Minor updates and bug fixes.

New Features

Endpoint Security Integration for NinjaOne

With the new Endpoint Security integration for NinjaOne, Managed Service Providers can remotely deploy Endpoint Security to client devices in their NinjaOne accounts. For more information, go to About the WatchGuard Endpoint Security Integration for NinjaOne in Help Center.

Enhancements

• WatchGuard EDR now supports macOS Sonoma. Requires macOS protection version 3.03.00.0002 or higher.
• If Audit mode is enabled in the workstations and servers settings profile applied to a computer, the security software does not register as an antivirus with Windows Security Center (WSC) and does not disable the Windows Defender antivirus protection.

Resolved Issues

• Resolved an issue that caused an increase in memory usage by the PSANHost process and led to increased CPU usage by the service.
• Made improvements so that our security software registers correctly with Windows Security Center (WSC) after an operating system upgrade.
• Resolved an issue to improve loading of some specific web pages. This issue affects version 8.00.22.0010 or higher of the Windows protection and is resolved in version 8.00.22.0022 or higher.

New Features

Endpoint Security Plug-in for ConnectWise Automate v1.3

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

• You can now select the Auto Deploy by Timer check box on the Map Clients page to automatically install Endpoint Security products on all computers in a client account. The ConnectWise process that schedules installation tasks runs every 12 hours.
• You can now select the Include in Auto Deploy Searches check box on the Map Clients page to use the search and group features in ConnectWise Automate to customize Endpoint Security product deployment.
• You can now search for clients and accounts by name on the Map Clients page.

For more information, go to About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate.

Resolved Issues

• Resolved an issue where the protection service crashes when Decoy Files is enabled and the computer has directory names in Greek. This fix requires Windows protection software v8.00.22.0014 or higher.
• Resolved an issue that causes a memory leak in the PSINReg.sys driver that could lead to a BSOD error. This fix requires Windows protection software v8.00.22.0014 or higher.
• Resolved an issue where scheduled reports do not include the details of available patches.
• Resolved an issue where, when you installed specific Windows operating system patches, the solution did not show the result of the installation task.
• Resolved an issue where, when you excluded network attack performed from certain IP addresses, and then add another exclusion for the same attack from another IP address, the first exclusion was not saved.
• Resolved an issue where executive reports show the incorrect date and time for IOA-related information.

Enhancements

• Updated versions of the Windows and macOS protection software and communication agents are now available. The updated versions include these enhancements:
  • The protection software upgrade process better retains settings defined in a previous version.
  • Windows protection software v8.00.22.0013 and higher include improvements to minimize the possibility that the protection service stops.
  • When WatchGuard Endpoint Security creates decoy files, Windows Defender no longer detects them as malware on servers. This enhancement requires Windows protection software v8.00.22.0013 or higher.
  • Changes to the communications agent enable it to process corrupt messages. This enhancement requires Windows agent v1.21.02.0000 or higher.

• In Patch Management for macOS, users now receive a prompt to enter a password to install operating system patches for macOS with ARM (M1 and M2). This enhancement requires macOS agent v1.12.01.0000 or higher.

Resolved Issues

• In the updated version of the Windows protection software or agent:
  • Resolved an issue in the PSINProt.sys driver that caused a random BSOD. This fix requires Windows protection software v8.00.22.0013 or higher.
  • Resolved an issue that caused a memory leak in a firewall driver. This fix requires Windows protection software v8.00.22.0013 or higher.
  • The operating system, the backup software, and other applications can now create shadow copies on drives other than system drives. This fix requires Windows protection software v8.00.22.0013 or higher.
  • Resolved an issue with the RDP protection to detect and contain brute-force attacks on RDP. This issue affected customers with Windows protection software v8.00.22.0012 and is resolved in Windows protection software v8.00.22.0014 and higher.
  • WatchGuard Endpoint Security can now retrieve Active Directory paths with computer names longer than 15 characters. This fix requires Windows agent v1.21.02.0000 or higher.
• macOS protection software v3.03.00.0001 resolves a rare issue that caused the solution to not show pop-up notifications for malware detections on macOS computers.

New Features

Endpoint Security Plug-in for N-able N-sight

With the new Endpoint Security plug-in for N-able N-sight, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, go to About the WatchGuard Endpoint Security Plug-in for N-able N-sight in Help Center.

New Features

WatchGuard Advanced EPDR

You can now manage licenses and inventory allocation for the new Endpoint Security product, WatchGuard Advanced EPDR, in WatchGuard Cloud. You can start a trial of Advanced EPDR from the Administration > Trials page. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. For more information, go to the presentation, Introduction to WatchGuard Advanced EPDR.

Vulnerability Assessment

• The new Vulnerability Assessment feature automatically discovers operating system and third-party software vulnerabilities on your Windows, macOS, and Linux workstations and servers. You can run search tasks to check whether vulnerabilities that hackers could exploit are present in your network. For a complete list of possible vulnerabilities, review the list of critical patches.
  • The Vulnerability Assessment dashboard shows detected vulnerabilities on computers in your network. It is only available for customers without the Patch Management module.
  • The Available Patches list shows the number of affected computers.
• To view details about affected computers, to patch vulnerabilities on demand, or to create a recurring task to install patches, you can purchase WatchGuard Patch Management, or start a 30-day free trial of the Patch Management module.

Network Attack Protection (Windows Computers)

• Network Attack Protection scans network traffic in real time to detect and stop threats. It prevents network attacks that attempt to exploit vulnerabilities in services that are open to the Internet and in the internal network. To view a list of the network attacks detected, click here.
• You can configure Network Attack Protection in the Advanced Protection section of a workstations and servers settings profile. By default, Network Attack Protection blocks attacks. If you enable Network Attack Protection in Audit mode, the computer appears as at risk.
  • On the Security dashboard, a new Network Attack Activity tile shows the number of incidents and computers with network attack activity.
  • If needed, you can exclude the detection of a specific network attack on all computers in the organization, as well as network attacks that originate from a specific IP address or IP address range.
  • You can send email alerts when Network Attack Protection detects a network attack.
  • Executive reports include network attack detections.

Audit Mode

• In a workstations and servers settings profile, you can enable Audit mode to detect and report malware, ransomware, and other types of attacks. In Audit mode, Endpoint Security does not block or delete detected threats. Audit mode supports Windows, macOS, and Linux workstations and servers.
  • We recommend you use this mode only to evaluate our Endpoint Security products or to evaluate the security status of a customer protected with another solution. Endpoint Security does not protect computers in Audit mode, so they show as at risk in the management UI.

Enhancements

• Network Access Enforcement (previously Secure VPN) settings now apply to VPN connections through WatchGuard Fireboxes and Wi-Fi connections through WatchGuard access points. Access points can check that the Endpoint Security software is enabled and running on connecting devices. This feature supports Windows and macOS computers and requires a future Wi-Fi firmware release.
• The Patch Management module now supports macOS and Linux computers.
  • For macOS computers, you can patch both the operating system and third-party applications.Operating system patches for macOS devices with ARM-based processors (M1 and M2) require the computer user password and a forced restart.This updated version of Patch Management also includes automatic patch detection and the ability to patch macOS Catalina, Big Sur, Monterey, and Ventura systems on demand or as scheduled.
    • To optimize bandwidth use and centralize patch downloads, macOS devices can install patches from a Windows cache computer. You can specify these cache computers in the Network Services settings.
  • For Linux computers, you can patch both the operating system and third-party applications. This release adds automatic patch detection and the ability to patch Red Hat 7 and 8, CentOS 7, and SUSE 12 and 15 systems on demand or as scheduled. Future releases will support additional distributions.
    • Linux devices use the caching mechanisms implemented on the system to install patches, not the caching mechanisms configured in Endpoint Security.
  • On the Patch Management dashboard and lists, you can now filter by operating system (Windows, macOS, or Linux). A new Programs with Most Available Patches tile shows programs with patches pending installation. A new Available Patches by Computers list shows patches pending installation on computers on the network.
    • In the Available Patches list, you can filter the list by operating system (Windows, macOS, or Linux). You can also filter by Windows, macOS, and Linux applications that Patch Management can update. By default, recurring patch installation tasks install only Windows patches. To install macOS or Linux patches, you select them manually in the section where you specify the software you want to update. To review a list of the software Patch Management supports, go to the WatchGuard website.
• WatchGuard SIEMFeeder now receives more detailed events. The updated version provides information about Indicators of Attack (IOAs), as well as the MITRE tactic and technique associated with each IOA.
• On the IOA dashboard, the Indicators of Attack (IOAs) Mapped to the MITRE Matrix tile now includes the MITRE sub-technique, as well as the tactic and technique (TTP). The tactic, technique, and sub-technique enable you to identify the phase of an attack so that you can take timely containment and remediation actions.
• Partners and Service Providers can define whether the settings profiles they assign to tenant accounts from the multi-tenant Endpoint Security management UI can be edited by the tenant. Tenant accounts can then add exclusions and authorized software to the settings, but cannot delete or edit the list of exclusions or authorized software defined by the Service Provider.
• You can now configure multiple proxies so that computers on the network connect to the Internet through the first proxy computer that works. This feature is supported by Windows, macOS, and Linux workstations and servers
• Linux protection version 3.03.00.0001 and higher now supports these Linux distributions: Ubuntu 22.10 and 23.04, Linux Mint 21.1, Fedora 36, 37, and 38, Oracle Linux 8 UEK R7, 9.0, 9.1, and 9.2, Red Hat Enterprise 8.8 and 9.2, AlmaLinux 8.8 and 9.2, and Rocky Linux 8.8 and 9.2. For more information, go to Linux.
• On computers that run macOS Ventura, you must enable a new permission for the protection to work correctly after a restart. If you do not grant permission, the details page for the macOS computer shows an error.
• This release includesupdates to the Advanced Reporting Tool and Data Control user interfaces to improve usability and accessibility, such as new colors and less visual noise.Some sections have changed to tabbed pages and some items are now responsive to the screen size.

Resolved Issues

• A fix was made to make sure that the Available Patches Trend graph reflects the exact number of available patches.
• When the Patch Management module is overallocated, Endpoint Security does not delete patch installation tasks. Tasks are disabled and then re-enabled when the account is no longer overallocated (within a 30-day grace period).
• When the Automatic Deletion of Computers option in Computer Maintenance is enabled, Endpoint Security deletes the computers from the management UI, but does not uninstall the WatchGuard Endpoint Security software.
• A fix was made in risk monitoring to make sure that when Advanced Protection is set to Lock mode, it does not show the risk, “Advanced protection for Windows in Hardening mode”.
• Executive reports for the last 7 days provide the correct information on Indicators of Attack (IOAs).
• WatchGuard Endpoint Security now shows detections made by the decoy files technology in management UI reports.
• WatchGuard Endpoint Security now shows detections made by the anti-exploit technology in the blocked items tile in the Security dashboard.
• Windows protection v8.00.22.0010 or higher includes fixes for vulnerabilities.
• WatchGuard Endpoint Security now identifies the operating system correctly when installed on a server in a Virtual Desktop Infrastructure (VDI) environment.
• In rare cases when there is a timeout error due to no network traffic, the firewall technology in WatchGuard Endpoint Security continues to run.
• A fix was made to cancel the installer when Windows Update updates are in progress.
• A fix was made to make sure that the computer restart message shows the correct number of days left to restart.
• macOS protection v3.03.00.0001 or higher now accepts file path exclusions that include special characters.
• A fix was made to make sure that local alerts show on macOS computers.
• macOS protection v3.03.00.0001 or higher can use the Network Extension (NEXT). This version also includes a fix for macOS Catalina to make sure that the Network Extension (NEXT) enabled by a user is now enabled for other users on the computer.
• When a macOS computer is in Sleep mode, scheduled tasks can now run on the configured dates. Requires macOS protection v3.03.00.0001 or higher.
• On Linux computers with version 9 of CentOS, Red Hat, Rocky Linux, or AlmaLinux running SELinux in Enforcing mode, the scan engine successfully loads. Requires Linux protection v3.03.00.0001 or higher.
• A fix was made to make sure you can connect a Linux computer through Blue Coat ProxySG or FortiProxy devices to the collective intelligence. Requires Linux protection v3.03.00.0001 or higher.
• On Linux computers, the communications agent does not stop due to a memory error, continues to process changes received from the management UI, and can send reports.
• On Linux computers, WatchGuard Endpoint Security does not send duplicate detection reports when the Endpoint Security software upgrades.

Enhancements

• The Windows protection v8.00.21.0005 includes a fix to prevent temporary disruptions of the protection service from affecting other sessions with logged-in users.
• The Windows protection v8.00.21.0005 now optimizes decoy files to not regenerate in closed remote desktop sessions.

Enhancements

• The Linux agent service now restarts automatically after a crash.
• Core files created by the Linux protection and agent are automatically deleted. The Linux agent service now deletes the oldest core files until there is at least 1 GB of free disk space.

Enhancements

• Email alerts now include the customer name and the WatchGuard Cloud account ID.

Enhancements

• WatchGuard EDR now supports iOS 16 / iPadOS 16.

Enhancements

• The Windows protection version 8.0.0.21.0004 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Performance improvements for Windows servers with multiple users working at the same time, such as RDS environments.
  • Performance improvements to the Decoy Files feature for servers with many concurrent users.
  • Correction of an issue where there was a protection service outage with file paths that exceed the maximum length permitted by the operating system.
  • Correction of an issue with the mv.sig signature file that caused slowdowns on certain servers.
  • Fixes for a new vulnerability that affects most anti-virus and EDR vendors. For more information about the vulnerability, go to https://www.safebreach.com/resources/blog/safebreach-labs-researcher-discovers-multiple-zero-day-vulnerabilities.
  • Correction of an issue where the Windows protection stopped working on computers with the FSLogix application installed.
  • Correction of an issue with the VMware VMXNET3 adapter, where files copied over the network were modified (SMB).
• WatchGuard Endpoint Security now includes these categories in the URL filtering feature: Collaboration Office – Apps, Collaboration Office – Documents, Collaboration Office – Drive, and Collaboration Office – Mail.
• The Linux agent version 1.11.04.0001 is now available. We recommend that you upgrade to the latest version. This version includes:
  • Optimization of tasks performed by the Linux agent to prevent performance issues on servers with thousands of active sessions.
  • Correction of an issue where the protection could not be updated.
  • Correction of an issue where there were continuous errors when the event queue became full.

New Features

Risk Assessment

• A new Risk dashboard enables you to monitor risks on managed computers. The dashboard includes tiles that show the risk level for each computer in the organization, the risk trend, the most detected risks, and the top 10 computers at risk.

• Risk settings enable you to specify the risk types you want to detect on computers. You can disable risk types that you do not want to detect. We recommend a risk level for each risk type that you can change, if required.
• WatchGuard Endpoint Security detects these risk types automatically: Computer Protection Status, Inadequate Settings, and Detection of Indicators of Attack (IOA). If you have the Patch Management module, WatchGuard Endpoint Security also detects Critical Patches Pending Installation.
• The computer details page for each endpoint now includes risk information, such as the overall risk level.
• This release adds two new lists: Detected Risks and Risks by Computer.
• You can include risk information in the executive report.

Discovery of Unmanaged Computers through Active Directory

• Discovery computers can use up to three Active Directory servers to find computers registered in Active Directory. Unprotected computers found in Active Directory show in the Unmanaged Computers Discovered list. You can remotely install the endpoint security software on unmanaged computers from the management UI.
• In the Unmanaged Computers Discovered list, the computers you find with Active Directory show the Active Directory path where they are located. The Active Directory path also appears for macOS and Linux computers.
• The installation page for macOS and Linux computers now includes the option to add computers to their Active Directory path.
• The Move to Active Directory Path option is now available for macOS and Linux computers.

Automatic Deletion of Computers

• On the Computer Maintenance page, you can configure VDI environments and now also configure WatchGuard Endpoint Security to automatically delete computers from the management UI based on a filter. Every day, WatchGuard Endpoint Security automatically deletes all computers that meet the criteria in the filter. Deleted computers that reconnect to the platform reappear in the management UI.
• WatchGuard Endpoint Security tracks deletions in System Events.

Patch Management — Available Patches Trend Graph

• On the Patch Management dashboard, an Available Patches Trend graph shows the number of patches that are available for installation on the computers on the network, over time (seven days, one month, one year). This information also shows for individual computers on the Detections tab of the computer details page.
• You can filter the Available Patches Trend tile by computer type (laptop, workstation, and server) and patch type (operating system patches and app patches).
• In the Available Patches list, you can export trend data about patches pending installation to a file for analysis.
• The executive report now includes the Available Patches Trend tile.
• In the Restart options section of an install patches task, you can now specify the maximum time that the system waits before it forces a restart on the computer to complete the installation of the patch (the default time is four hours). You can restart immediately when the task is scheduled or delay the restart up to seven days.

Enhancements

• The WatchGuard EDR management UI now opens in the WatchGuard Cloud user interface, instead of in a new browser tab.
• When a new version becomes available, a notification appears in the management UI that enables users to begin the upgrade on demand.
• You can export tasks in the account to a .CSV file to easily identify tasks in progress, affected computers and groups, and other task information. You can filter the task list by task status (No recipients, In progress, Finished, and Canceled). When you copy a task, you can copy its settings with or without the recipients.
• Secure VPN is now available for computers with macOS. With Secure VPN, all VPN connections must meet specified security requirements before they connect to VPN networks.
• On macOS computers, a progress dialog box now opens during installation.
• The process that communicates with Windows Security Center (WSC) in Windows 11 is protected at all times with ELAM to meet a future requirement of Windows 11 22H2.
• WatchGuard Endpoint Security now supports macOS Ventura 13. macOS Ventura requires macOS protection v3.02.00.0000 or higher.
• WatchGuard Endpoint Security now supports these Linux distributions: CentOS Stream, Alma Linux, and Rocky Linux. These distributions require Linux protection v3.02.00.0000 or higher.
• This release includes performance improvements on Linux servers with high workload. These improvements require Linux protection v3.02.00.0000 or higher.
• You can now export a simplified computer list to a .CSV file that does not include configuration details.
• From the Computers page, on the Filter tab, you can now search filters by name.
• Anti-tamper protection improvements for Windows now prevent the deletion of WatchGuard Endpoint Security files through registry modifications that run when the computer starts. This also prevents changes to WatchGuard Endpoint Security process permissions. These improvements require Windows protection v8.00.21.0000 or higher.
• This release includes updates to third-party libraries to fix vulnerabilities. These improvements require Windows protection v8.00.21.0000 or higher.

Resolved Issues

• To prevent false positives with Office 365 and some backup programs, when a decoy file is opened exclusively, the WatchGuard Endpoint Security does not detect it as a write action.
• To avoid continuous synchronization with OneDrive, decoy files are not identified as Office files
• WatchGuard Endpoint Security does not stop working when you run Sandbox on Windows.
• A fix was made to make sure that WatchGuard Endpoint Security can always communicate in real time with isolated computers.
• If there is a data error in a report, WatchGuard Endpoint Security dismisses the error and sends the report.
• The macOS protection continues to respond when Time Machine performs Incremental backups in the background.
• When the macOS protection updates to Catalina, the Endpoint Protection Network driver also updates.
• The macOS protection continues to work when you scan Catalina systems on demand.
• This release resolves an error that canceled the installation of the protection on a Red Hat Enterprise Linux 6.7 (Santiago) server shortly after he installation started.
• You can now change the recipients of a recurrent task (scan or patch installation tasks).
• You can filter the Hardware Inventory list by any supported operating system (Windows, macOS, Linux, Android, and iOS). The exported information contains data from all systems.
• If a machine uses the IPv6 protocol to communicate, the management UI now shows the full IP address.
• Improvements were made for Linux systems to make sure that we do not report malware when we are monitoring suspect behaviors that are not confirmed as malware.
• Fixed issue on Linux systems that caused errors in the psanhost process.

New Features

Endpoint Security Plug-in for N-able N-central

With the new Endpoint Security plug-in for N-able N-central, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, see About the WatchGuard Endpoint Security Plug-in for N-able N-central in Help Center.

Enhancements

• The Linux protection software includes multiple performance improvements that are particularly noticeable on servers with heavy workloads.
• The Linux protection software now supports the latest versions of supported Linux distributions (Fedora 35, Red Hat 8.6, and Ubuntu 22.04). Requires Linux protection version 3.01.00.0003 or higher. For more information, see Installation Requirements.

Resolved Issues

• For the Linux protection software, we resolved an issue encountered when you update kernel modules in SUSE.

New Features

• In a Per-Computer Settings profile, you can now enable shadow copies. Shadow Copies is a Microsoft Windows feature that enables you to restore previous versions of files. Requires Windows protection version 8.00.20.0001 or higher.
• In the Antivirus settings of a Workstations and Servers Settings profile, you can enable decoy files to use as bait to detect attacks that change files stored on computers. Decoy files require Windows protection version 8.00.20.0001 or higher.
• This release includes new deep learning technology that provides an additional machine learning technique in the protection model. Requires Windows protection version 8.00.20.0001 or higher.
• In Network Services, you can enable secure VPN. With secure VPN, all VPN connections must meet specified security requirements before they connect to VPN networks.
• This release includes new protection (v3.00.00.0000 or higher) for macOS computers that run macOS Catalina 10.15 or higher. The protection includes a new local UI and uses network extension technology to intercept network traffic. This can intercept traffic when connected by VPN, so web protection and URL filtering is available when you use any VPN. The network extension technology replaces SQUID, which was removed in macOS protection v3.00.00.0000 or higher.

Enhancements

• You can now select the type of device to run patch installation tasks on (laptop, workstation, server, or mobile device).
• If an error occurs during the installation of the Linux and macOS software, detailed information shows in the Protection Status list. The protection status list also shows information about the status of the advanced protection for Linux systems.
• The computer details page now shows the public IP address of the computer (Windows, macOS, Linux) or mobile device.
• In the Patch Management dashboard, a new tile shows information on the computers with the most vulnerabilities.
• In the Patch Management dashboard, a new tile shows information on most available patches for computers in the organization.
• The Patch Management dashboard now shows the number of computers that require a restart to finish installation of a patch.
• In the Patch Management Available Patches and Installation History lists, a new filter enables you to filter operating system patches and third-party software patches.
• In the Full Encryption dashboard, you can now use the encrypted device ID to search for recovery keys.
• The process to validate the certificates required to communicate with specific domains safely was improved. Requires Windows protection version 8.00.20.0001 or higher.
• The anti-tamper protection was improved with ELAM (Early Launch Anti-Malware) technology on Windows 10 and Windows Server 2019 or higher operating systems. Requires Windows protection version 8.00.20.0001 or higher.

Resolved Issues

• When a user with restricted privileges modifies hardware and detected threats reports, the reports are not sent by email.
• When a user with read-only permissions tries to export the Computers list, all information is now exported.
• In Patch Management, this release improves the reporting of patch installation tasks on computers with an incorrect date and computers where the time was changed.
• In silent installations, the First Installation window no longer appears when a temporary signature update error occurs.
• When you try to install the software with the option to update signature files disabled, the installation does not freeze.
• Exclusions for the permanent protection now apply to Windows AMSI (AntiMalware Scan Interface).
• The computer does not stop working on rare occasions when network packets are inconsistent.
• The computer does not stop working if you open Outlook while it is scanning inconsistent network packets.
• This release improves the management of URLs in blocklists.
• This release resolves a POP3 issue to enable connections when the email protection is active.
• IPv6 public IP addresses now show correctly in the web UI.
• When you install patches that require a restart and user consent and several days pass without a user response, and then you try to install new patches that require a restart, the communications agent does not crash.
• If you install the agent on an ARM-based Windows 11 Education computer, the protection now installs.
• When you try to install the software on extremely slow computers, there is no longer a double installation which uninstalled the installed antivirus and caused an unnecessary restart.
• The new macOS protection (version 3.00.00.0000 or higher) for systems that run macOS Catalina 10.15 or higher includes a new network interceptor that optimizes browsing speed and enables you to open URLs which, in TLS 1.3 connections, could not open with the SQUID technology.
• The new macOS protection (version 3.00.00.0000 or higher) for systems that run macOS Catalina 10.15 or higher resolves issues when you log in to online services such as OneDrive or Google Drive.

Enhancements

• When you start a trial of WatchGuard EDR or a module, the license can now be used for up to 250 endpoints.

New Features

WatchGuard SIEMFeeder

WatchGuard SIEMFeeder is now available for use with WatchGuard EPDR and WatchGuard EDR. With SIEMFeeder, you can integrate security intelligence and context of processes executed in your workstations and servers into your corporate SIEM. You can no manage WatchGuard SIEMFeeder licenses in WatchGuard Cloud. For more information, see About SIEMFeeder and Activate an Endpoint Security Product in the WatchGuard Help Center.

Resolved Issues

• Patch Management has entered into End of Life (EOL) for these operating systems: Windows XP, Windows Vista, and Windows Server 2003.

New Features

Endpoint Security Modules

With a license of WatchGuard EDR, you can now activate licenses for these endpoint security modules:

• WatchGuard Full Encryption — Encrypts and decrypts disks and USB drives centrally, without impact to end users
• WatchGuard Patch Management — Manages operating system and third-party application vulnerabilities on your workstations and servers
• WatchGuard Advanced Reporting Tool — Generates security intelligence and IT insights to pinpoint attacks, unusual behavior, and internal misuse
• WatchGuard Data Control — Discovers and monitors personal and sensitive data across endpoints and servers to help you comply with data protection regulations

For more information, see WatchGuard Endpoint Security Modules.

Enhancements

• When you select Computers > Add Computers, you can now specify when the Windows installer file expires. After the expiration date, if users try to start the installer, a message informs them that the installer is expired, and they should download a new one or contact their administrator.
• A computer with the cache role can now send patches to every computer in the customer network, regardless of the subnet it belongs to. You can also filter the Patch Management Installation History list for Last 7 days and Last month. Partners can send this report to their customers as part of the managed service they offer.
• On Windows Legacy operating systems (Windows Vista, Windows 7, and Windows Server 2008), only SHA-256 signed drivers are allowed. To install a protection version higher than 8.00.19.0001, the Windows Legacy operating system of the target computer must be up to date and compatible with SHA-256 driver signing. For more information, see Update Required to Support SHA-256 Signed Drivers.
• Advanced protection now classifies files included in MSI installers signed with a trusted digital signature as trusted files.
• Anti-tamper protection now leverages Early Launch Anti-Malware (ELAM) technology included in Windows 10 and Server 2019 or higher operating systems.

Resolved Issues

• In the web console (for example, Computer Details), Windows 11 devices now show correctly as Windows 11.
• Windows protection v8.00.19.0010 is required for new installations on ARM processors with Windows 11 (used in Surface devices and some specific laptops).
• A BSOD error no longer appears when you install the NeuShield software. Requires Windows protection version 8.00.19.0010 or higher.
• When you install patches that require a restart, the pending restart notification now disappears after a period of time.
• When you create a weekly report, the dates in the report schedule are correct, not one day before the configured dates.
• The Automatic proxy discovery using Web Proxy Autodiscovery Protocol (WPAD) setting is now applied correctly.

Enhancements

• WatchGuard EDR now includes support for macOS 12 Monterey.

New Feature

Endpoint Security Plug-in for Kaseya VSA

With the Endpoint Security plug-in for Kaseya VSA, you can protect devices on your network, review detected security incidents, and develop prevention and remediation plans against unknown and advanced persistent threats. For more information, see About the WatchGuard Endpoint Security Plug-in for Kaseya VSA in Help Center.

Endpoint Security Plug-in for ConnectWise Automate v1.1

This update release for the Endpoint Security plug-in for ConnectWise Automate includes these enhancements:

• A new Reports tab enables you to access detected threat details for a customer and filter by threat type and time period
• You can now configure the events and security incidents that generate an alert or a ticket in ConnectWise
• Detected threats now include data on Exploits and Indicators of Attack (IoA)
• The Assign Security Configurations action now supports both Computers and Android devices

For more information, see About the WatchGuard Endpoint Security Plug-in for ConnectWise Automate in Help Center.

Enhancements

• WatchGuard EDR now includes support for Windows 11 and Windows Server 2022.

New Features

Endpoint Security Modules (Beta)

With this beta feature, you can start, extend, upgrade, and cancel trials for these endpoint security modules in WatchGuard Cloud:

• WatchGuard Full Encryption — Encrypts and decrypts disks and USB drives centrally, without impact to end users
• WatchGuard Patch Management — Manages operating system and third-party application vulnerabilities on your workstations and servers
• WatchGuard Advanced Reporting Tool — Generates security intelligence and IT insights to pinpoint attacks, unusual behavior, and internal misuse
• WatchGuard Data Control — Discovers and monitors personal and sensitive data across endpoints and servers to help you comply with data protection regulations

To start a module trial, you must have a WatchGuard EDR license. The number of endpoint devices allocated in a module trial cannot exceed the number of devices in the endpoint security product license. The number of endpoint devices allocated in the trial, however, can be less than the number of devices in the endpoint security product license.

To learn more or to report an issue, go to WatchGuard Endpoint Security Beta test community.

Enhancements

• WatchGuard EDR now includes support for Oracle Linux distributions and kernel versions, including Oracle Linux 6.X, 7.X, and 8.X.

New Features

Network administrators now have visibility into WatchGuard Threat Hunting Services, the protection layer that enables WatchGuard Endpoint Security to detect compromised machines, early-stage attacks, and suspicious activities. Detection by Threat Hunting Services now show in the web UI as indicators of attack (IOA). For every IOA, advanced investigations, attack graph views, the MITRE ATT&CK tactic and technique, recommendations to stop the attack, and more show in the web UI. For more information, see Indicators of Attack (IOA) in Help Center.

• The Status > Indicators of Attack (IOA) dashboard provides visibility into IOA — anomalous behaviors detected on computers that are highly likely to be an attack. The dashboard includes tiles with the number of events, indicators, and confirmed IOA. Information related to IOA is now available in executive reports and email alerts.

• On the dashboard, each indicator of attack maps to a tactic and technique from the MITRE ATT&CK matrix. The matrix enables you to easily identify the stage of an attack and its characteristics, and provides you with recommended actions.

• From the Indicators of Attack list or an attack details page, you can archive an IOA that you have managed or mark an IOA as pending review.

• On the attack details page, you can open an advanced attack investigation report or attack graph. The report lists compromised users and computers, helps determine the root cause of the attack, provides information such as the URLs and IP addresses involved in the attack, and gives a view of the overall impact of the attack on the entire organization. The attack graph is a graphical display of the events involved in the attack that can help you identify the root cause.

• WatchGuard Endpoint Security can automatically detect and contain brute force attacks on the RDP protocol with RDP Attack Containment mode. On the Settings > Indicators of Attack page, you can create a settings profile to configure IOA and the action to take when WatchGuard Endpoint Security identifies an RDP attack. You can also specify a list of trusted IP addresses and disable any IOA that generates false positives on computers. On the computer details page, you can manually end RDP Attack Containment mode for a computer.

Enhancements

• On the computer details page, a new Detections tab shows detections, unpatched vulnerabilities, indicators of attack, and more. The information available on the tab depends on the WatchGuard Endpoint Security product.
• On the Tasks page, you can now cancel and delete multiple tasks at the same time.
• You can now schedule scans to run on any day of the week or month, at the time you specify.
• You can now delete blocked programs from the Currently Blocked Programs Being Classified list. This is useful when there are blocked files that could not be sent to the cloud because they are too large or are no longer available. The status of the file shows in the list.
• On the Computers > My Organization tab, you can now search the list of groups.
• For some reports, you can schedule and send a full or summary version of the exported list (for example, the software inventory list).
• In the Computer Protection Status list, a new Connection to Knowledge column shows the status of computer communications with the Collective Intelligence servers and the servers used for URL classification. This column is available for Windows computers only.
• When you export the Computer Protection Status list, a new Status column shows the status of advanced protection (Audit, Hardening, or Lock).
• In Workstation and Server settings profiles, anti-exploit protection is enabled in Block mode by default. WatchGuard Endpoint Security does not modify anti-exploit protection settings configured prior to this release. We recommend that you enable anti-exploit protection in all settings profiles.
• In Workstation and Server settings profiles, advanced protection for Linux is now enabled in Block mode by default. This makes sure that all malicious actions detected by the behavior scanner are blocked and provide maximum protection.
• WatchGuard Endpoint Security now has better integration with the Windows 10 AntiMalware Scan Interface (AMSI). AMSI provides WatchGuard Endpoint Security with telemetry and additional information about script and macro execution.
• WatchGuard Endpoint Security now scans programs launched on Windows startup to make sure that all programs loaded in memory are trusted.
• This release includes optimizations to the Web Access Control module cache to reduce cloud queries when URLs are classified.
• The WatchGuard Endpoint Security firewall now includes support for IPv6 traffic filtering for all protocols.
• This release includes support for the latest versions of supported Linux distributions (Fedora, Red Hat, CentOS, etc.).
• This release includes support for SUSE 11 SP2 and later, SUSE 12, and SUSE 15.
• On Linux devices, this release includes improved monitoring of network events. This provides more context information for applications and improves detection.
• On Linux devices, this release includes improved monitoring to enrich telemetry with more process execution data. This provides more context information for applications and improves detection.
• The Linux agent installer now includes a new parameter to specify proxy settings.
• The Linux protection automatically upgrades when necessary after an upgrade of the Linux kernel or installation of the distribution.
• This release includes performance improvements to the Linux protection for specific distributions where management of multiple threads was not optimal.
• In the Web Access lists, when you select a custom range, you are now limited to one month of data.
• Exchange Server protection is now end of life and no longer included in new accounts. Upgraded accounts still see Exchange Server protection settings and tiles, and customers that had the settings prior to July 2021 will continue to receive them.

Resolved Issues

• When you select the All filter in the Currently Blocked Programs Being Classified list, all items now show instead of only items for the last month.
• On the Status > Security dashboard, when you click the Malware activity tile, and then click the VirusTotal link, an information page for the specific malware now opens.
• WatchGuard Endpoint Security continues to work when it encounters inconsistent DNS network packets or when rare errors occur when the Automatically Detect the Network Type setting is enabled.
• When you create a filter that includes hardware and software fields, you can now select multiple computers.
• If you disabled protection upgrades in the Per-Computer Settings, an upgrade error does not display in the computer details page. A message indicates that upgrades are disabled.
• Group names now display correctly on the Computers > My Organization tab when there are multiple subgroups in a group at the top level and one of the subgroups is collapsed.
• Users no longer receive a second prompt to restart the computer after the computer upgrades and restarts.
• WatchGuard Endpoint Security now correctly detects Windows 10 version 21H1.

• Initial release of product. For information on WatchGuard EDR, see WatchGuard Endpoint Security Help.