Endpoint Security Essentials Study Guide PDF

WatchGuard Training Endpoint Security Essentials Study Guide WatchGuard Endpoint Security with Patch Management, Full Encryption, and the Advanced Reporting Tool Revision Date: October 2024 About This Document Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc. Guide revised: 17 October 2024 Copyright, Trademark, and Patent Information Copyright © 2024 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners. About WatchGuard Address 255 S. King St. For 25 years, WatchGuard has pioneered cutting-edge cybersecurity Suite 1100 technology and delivered it as easy-to-deploy and easy-to-manage Seattle, WA 98104 solutions. With industry-leading network and endpoint security, secure Wi-Fi, multi-factor authentication, and network intelligence products and services, WatchGuard enables more than 250,000 small and midsize enterprises from around the globe to protect their Support most important assets including over 10 million endpoints. In a world where the cybersecurity landscape is constantly evolving, and new www.watchguard.com/support threats emerge each day, WatchGuard makes enterprise-grade U.S. and Canada +877.232.3531 cybersecurity technology accessible for every company. All Other Countries +1.206.521.3575 WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. For additional information, follow WatchGuard on social media. Also, Sales visit our InfoSec blog, Secplicity, for real-time information about the U.S. and Canada +1.800.734.9905 latest threats and how to cope with them at www.secplicity.org. All Other Countries +1.206.613.0895 Endpoint Security Essentials Study Guide 2 Contents How to Use This Study Guide 4 Introduction to Endpoint Security 5 Endpoint Security Fundamentals 6 WatchGuard Endpoint Security 9 Get Started with Endpoints 16 Install the WatchGuard Agent 17 Manage Endpoints in WatchGuard Endpoint Security 22 Monitor Threats 29 Endpoint Security Protections and Remediation 40 General Settings 41 Security Settings 53 Endpoint Security Modules 88 WatchGuard Patch Management 89 WatchGuard Full Encryption 104 WatchGuard Advanced Reporting Tool 116 About the Endpoint Security Essentials Exam 130 Sample Exam Questions 134 Additional Resources 139 Endpoint Security Essentials Study Guide 3 How to Use This Study Guide How to Use This Study Guide This guide supports the Endpoint Security Essentials course and is a resource to help you study for the certification exam. Use this guide in conjunction with instructor-led training, online video training and demos, and the online documentation to prepare to take the exam. For a list of recommended documentation and video resources to help you prepare for the exam, go to Additional Resources. For information about the exam content and format, go to About the Endpoint Security Essentials Exam. Document Conventions This document uses these formatting conventions to highlight specific types of information: This is a key point. It highlights or summarizes the key information in a section. This is a note. It highlights important or useful information. This is a best practice. It describes the recommended configuration for a feature. USE CASE: This is a use case. It describes how you could configure the product or feature in a real-world scenario. This is a caution. Read carefully. There is a risk that you could lose data, compromise system integrity, or impact device performance if you do not follow instructions or recommendations. Endpoint Security Essentials Study Guide 4 Introduction to Endpoint Security Introduction to Endpoint Security In this section, you learn about the basics of endpoint security, traditional endpoint protection models, the advantages of the advanced protection model found in WatchGuard Endpoint Security (WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EDR Core, and WatchGuard EPP), and ThreatSync. Advanced features that are only available in WatchGuard Advanced EPDR are not included in this study guide. For information on Advanced EPDR features, go to Supported Features by Endpoint Security Product in Help Center. WatchGuard EDR Core is included in the Firebox Total Security Suite. It includes EDR and adds XDR capabilities via ThreatSync. It includes a subset of the features available with WatchGuard EDR and is a replacement for the Threat Detection and Response (TDR) Host Sensor. For information on the features and limitations of EDR Core, go to About WatchGuard EDR Core in Help Center. WatchGuard provides training and online courseware to help you prepare for the Endpoint Security Essentials exam. In addition to this study guide, the training, and courseware, we strongly recommend that you install and explore the products before you take the exam. For a list of additional resources on these topics, go to Additional Resources. Endpoint Security Essentials Study Guide 5 Introduction to Endpoint Security Endpoint Security Fundamentals To effectively combat current and emerging endpoint security threats, you must deploy a combination of: n Local signature-based technologies. n Context-based behavioral analysis with the power of cloud-based processing. n Effective remediation to stop the threats. An endpoint is any device connected to the network, such as a desktop, laptop, mobile device, or server. Hackers focus on endpoints because they store the most sensitive data and are likely to have vulnerabilities to exploit. These exploits enable malicious users to find a weakness and get access to the endpoint, then move laterally to attack other systems in your network. For these reasons, endpoint users are often considered the weakest security point of a corporate network. Endpoint Security Threats Endpoint security threats continue to evolve and proliferate. These threats include: n Zero-day Attacks and APTs — New threats that have never been seen before. n Fileless Malware — Malicious software that runs in memory instead of as a physical file on the endpoint drive. It is particularly dangerous because it exploits trusted processes in memory in order to remain undetected. n Living off the Land (LotL) Attacks — Attacks where a malicious user gains access to an endpoint and uses legitimately installed software, such as Microsoft Word, Java, Adobe Acrobat Reader, or PowerShell, to perform further attacks. n Exploits — A software tool designed to take advantage of a flaw in a computer system. Malicious users use exploits to attack common productivity tools, software applications, browsers, and OS components. For example, hackers often target Microsoft IIS web server because of its ability to create multiple web server processes. Microsoft Office macros can enable malicious users to log the screen activity and keystrokes of unsuspecting users. n Ransomware — Malicious software that encrypts and locks the contents of files and computers and demands a ransom for the encryption key to unlock the data. Ransomware is a persistent and pervasive threat that can spread quickly to the entire network. Ransomware enters a network most frequently through email and unpatched vulnerabilities on client and server devices, and is often targeted at a specific company, department, or user. Endpoint Security Essentials Study Guide 6 Introduction to Endpoint Security The Protection Cycle WatchGuard Endpoint Security introduces a new security strategy based on the Adaptive Protection Cycle — a set of protection, detection, monitoring, forensic analysis, and remediation services integrated and centralized in a single management UI. This approach aims to prevent or minimize security breaches, and drastically reduce productivity losses and the risk of theft of confidential information. WatchGuard breaks the endpoint security protection cycle into four key steps: Visibility Trace every action taken by running applications. Data visibility enables you to track each endpoint and detect changes, trends, and anomalies that reflect emerging security threats. Detection Monitor active processes and perform real-time blocking of zero-day attacks, targeted attacks, and other advanced threats designed to bypass traditional antivirus and anti-malware solutions. Collect data to support context-based behavioral analysis, predictions, and threat hunting. Remediation and Response Use collected forensic information to complete in-depth analysis of every attempted attack. Prevention Edit the protection model settings and patches for vulnerabilities. Actively change the settings of each protection module and patch any vulnerabilities discovered in installed operating systems and applications on endpoints to prevent future attacks. Traditional Endpoint Security Methods The traditional approach to protect endpoints from security threats uses: n Signature files that match known existing viruses and malware. n Security features that might require manual configuration. n Alerts sent only for events known to be malware. n Minimal monitoring of any process activity after the malware infects the endpoint. Traditional methods for endpoint protection include: n Personal firewalls or managed network firewalls. n Permanent anti-malware software, on-demand and scheduled scans on endpoints. n Managed allowlists and blocklists based on hardware address. n Collective intelligence and pre-execution heuristics. n Web access and content controls. n Anti-spam, anti-phishing, anti-tampering, and email content filters. Endpoint Security Essentials Study Guide 7 Introduction to Endpoint Security The main problem with traditional security methods is that over 300,000 new viruses and malware are created every day. The huge growth in the amount of malware in circulation is in itself a massive brute-force attack on security vendors. Cybercriminals look to increase the window of opportunity for newly-developed threats by saturating the resources employed by security companies to scan malware. This increases the time between the appearance of a new virus and the release of the appropriate antidote by security companies. Each security strategy must minimize malware dwell time. The longer malware exists on the network, the more time it has to complete its objective, such as industrial espionage and data theft. The majority of this malicious code is designed to run in the background on a user computer for a long period of time, which can conceal the presence of malware on compromised systems. This behavior makes the traditional approach to endpoint protection ineffective because it cannot detect and respond effectively to new security threats. Advanced Protection Advanced endpoint protection uses a combination of traditional methods and powerful cloud-based analysis and file classification to actively identify and prevent new threats. Advanced protection models are a stronger defense against the latest cyberthreats, such as LotL, fileless malware, zero-day, and ransomware attacks. Advanced protection provides these benefits: n Based on behavioral intelligence from machine learning and cloud analytics n Comprehensive endpoint activity analysis and visibility n Protection against all known and unknown threat types, such as malware, fileless attacks, and other malicious behavior n Protection for computers in your network when they start up and before third-party drivers initialize with early launch anti-malware (ELAM) n Managed service that continuously monitors and categorizes all running applications and processes n Prevention, detection, and remediation services n Detailed forensic information, security audits, and real-time alerts Endpoint Security Essentials Study Guide 8 Introduction to Endpoint Security WatchGuard Endpoint Security A layered approach is essential to secure an endpoint against the modern threat landscape. WatchGuard Endpoint Security is a managed service in WatchGuard Cloud that helps you protect IT assets. With WatchGuard Endpoint Security, you can review detected security problems and develop prevention and response plans for unknown and advanced persistent threats (APTs). In this study guide, we use the term WatchGuard Endpoint Security generally to refer to all of these products: WatchGuard Endpoint Protection Platform (EPP) WatchGuard EPP protects endpoints from threats and reduces the attack surface. It prevents, detects, and responds to known and unknown malware as well as fileless and malwareless attacks. It includes a full range of endpoint protection features, such as antivirus, firewall, device control, and URL filtering. WatchGuard EPP supports these client platforms: Windows (Intel and ARM), Linux, macOS (Intel and ARM), iOS, and Android. WatchGuard Endpoint Detection and Response (EDR) WatchGuard EDR detects and responds effectively to any type of unknown malware, as well as the fileless and malwareless attacks that traditional solutions cannot detect. It uses the Zero-Trust Application Service to prevent applications and processes from running until they are validated as trusted. WatchGuard EDR can coexist with traditional security solutions and can add XDR capabilities through ThreatSync. WatchGuard EDR supports these client platforms: Windows (Intel and ARM), Linux, and macOS (Intel and ARM). WatchGuard Endpoint Protection Detection and Response (EPDR) WatchGuard EPDR prevents, detects, and responds to any type of known and unknown malware, as well as fileless and malwareless attacks. It uses the Zero-Trust Application Service to prevent applications and processes from running until they are validated as trusted. It expands on the capabilities of WatchGuard EDR with a full range of EPP features, such as antivirus, firewall, device control, URL filtering, and more. Endpoints with WatchGuard EPDR installed can send data to ThreatSync. WatchGuard EPDR supports these client platforms: Windows (Intel and ARM), Linux, macOS (Intel and ARM), iOS, and Android. WatchGuard Advanced EPDR Advanced EPDR extends WatchGuard EPDR functionality with additional capabilities that enable security operations teams to discover undetected threats on their customer endpoints. Advanced EPDR includes advanced detection and response features such as Advanced Indicators of Attack (IOAs) and events, centralized management of Indicators of Compromise (IOCs) compatible with STIX and Yara rules, Advanced Security Policies, and remote access to detect, contain, and remediate incidents. Endpoints with Advanced EPDR installed can send data to ThreatSync. Advanced EPDR supports these client platforms: Windows (Intel and ARM), Linux, and macOS (Intel and ARM). Endpoint Security Essentials Study Guide 9 Introduction to Endpoint Security WatchGuard EDR Core is included in the Firebox Total Security Suite. It includes EDR features and adds XDR capabilities through ThreatSync. EDR Core is available for a limited number of endpoints, based on the Firebox model. With a Total Security Suite subscription license, you will see an EDR Core license in WatchGuard Cloud. You can use WatchGuard Cloud to manage EDR Core endpoint allocation and to access the Endpoint Security management UI. For more information, go to About WatchGuard EDR Core in Help Center. Endpoint Security Modules Optional WatchGuard Endpoint Security modules extend the features of your endpoint security product to create a full portfolio of user-centric security products and services that protect people, devices, and networks from malicious websites, malware, spam, and other targeted attacks. WatchGuard EDR Core does not support modules. With an endpoint security product license, you can activate and allocate these endpoint security modules: WatchGuard Full Encryption Available for use in WatchGuard EPP, WatchGuard EDR, WatchGuard EPDR, and WatchGuard Advanced EPDR. Full Encryption encrypts the contents of disks and USB / removable storage drives connected to computers that WatchGuard Endpoint Security manages. It minimizes exposure of corporate data in the event of data loss or theft, and also when you remove storage drives that still contain data. Full Encryption enables you to monitor the encryption status of network computers and centrally manage the corresponding recovery keys. WatchGuard Patch Management Available for use in WatchGuard EPP, WatchGuard EDR, WatchGuard EPDR, and WatchGuard Advanced EPDR. With Patch Management, you can manage patches for operating system and third-party application vulnerabilities on your workstations and servers. WatchGuard Advanced Reporting Tool Available for use in WatchGuard EDR, WatchGuard EPDR, and WatchGuard Advanced EPDR. With Advanced Reporting Tool (ART), you can generate security intelligence and IT insights to pinpoint attacks, unusual behavior, and internal misuse. Endpoint Security Essentials Study Guide 10 Introduction to Endpoint Security WatchGuard Data Control is an optional module available with WatchGuard Advanced EPDR, EPDR, and EDR. It is only available for select European countries and is not covered in this study guide or included in the Endpoint Security Essentials Exam. Layered Protection WatchGuard Endpoint Security uses a protection model based on these layers of technology: n Signature files and heuristic scanners n Contextual detections n Anti-exploit technology n Zero-Trust Application Service - Advanced Protection n Threat Hunting Services - Indicators of Attack and ThreatSync Endpoint Security Essentials Study Guide 11 Introduction to Endpoint Security Signature File and Heuristic Scanners The antivirus engine uses signature files and information gathered through collective intelligence to form the first line of defense in the layered protection. This antivirus layer: n Detects known attacks through traditional signature files and detects malware behavior with heuristic scan methods. n Uses virus and malware signature files to detect known malicious files. n Uses decoy files to act as bait on computers to detect ransomware. n Performs generic and heuristic detection of malware behavior. n Blocks specific ransomware URLs. Endpoint Security Essentials Study Guide 12 Introduction to Endpoint Security Contextual Detections for Fileless Attacks Contextual detections refers to the many components that run in the background and perform behavioral analysis to automatically detect threats, trigger alerts, and block malicious content. The heuristics that run in the antivirus engine are one example of contextual detections, and many similar technologies work behind the scenes throughout WatchGuard Endpoint Security solutions. Examples of fileless attacks include: n Script-based attacks n Web browser vulnerabilities n Attacks that use existing legitimate software tools, such as Java, Adobe Acrobat Reader, Adobe Flash, and Microsoft Office Anti-Exploit Technology for Fileless Attacks Anti-exploit technology protects running processes on endpoints from compromise. This helps to prevent file- less malware from gaining a foothold on the system. Anti-exploit protection can also feed data about running processes back to contextual detections to make them more effective. Zero-Trust Application Service — Advanced Protection The Zero-Trust Application Service is a combination of security solutions and technologies that operate across the network to analyze endpoints, users, data, applications, and cloud communications. It classifies all processes run on Windows computers without ambiguity, false positives, or false negatives. The service relies on contextual analysis of corporate assets, users, applications, and data utilization patterns to minimize risk to endpoints. These technologies automatically classify 99.98% of all running processes. Malware experts manually classify the other 0.02% of processes. This approach allows classification of 100% of all binaries run on your computers, without the creation of false positives or false negatives. Threat Hunting Service — Indicators of Attack and ThreatSync The Threat Hunting Service detects anomalous use of trusted applications on endpoints. It uses hacker detection to find attackers who use living-off-the-land techniques and lateral movements, as well as behavior modeling to identify malicious use by employees. When the WatchGuard Security Team detects a living-off- the-land attack, they notify you. To combat a LofL attack, you can: n Restrict applications users can access n Remove potentially dangerous applications n Segment networks and restrict network traffic Many of the rules and indicators that this team creates become Indicators of Attack that you can review in your dashboard. Administrators also have several other options available in WatchGuard Endpoint Security to configure firewall and device control rules, or filter web access. These are not enabled by default, and you should consider whether they are appropriate for your environment. Endpoint Security Essentials Study Guide 13 Introduction to Endpoint Security Trials and Licensing In WatchGuard Cloud, you can start a trial of WatchGuard Endpoint Security products and modules. The trials available for an account you manage in WatchGuard Cloud depend on the licenses installed and any trials already in progress or completed. Accounts with an existing license can start these 30-day trials: n If you have WatchGuard EDR Core, you can start a trial of WatchGuard EPP, EDR, EPDR, or Advanced EPDR. n If you have WatchGuard EPP, you can start a trial of WatchGuard EPDR or Advanced EPDR and supported modules. n If you have WatchGuard EDR, you can start a trial of WatchGuard EPDR or Advanced EPDR and supported modules. n If you have WatchGuard EPDR, you can start a trial of Advanced EPDR. n If you have Advanced EPDR, you cannot start a trial of another endpoint security product. After you start the trial, you can install the client software on up to 250 endpoint devices. If the account has an existing Endpoint Security product such as WatchGuard EDR for fewer than 250 endpoints, then the trial includes a maximum of 250 endpoints. If the account has an existing Endpoint Security product such as WatchGuard EDR for more than 250 endpoints, then the trial includes a maximum number of endpoints that matches the product license. When a trial expires, all product trials are unavailable for 90 days. When you have a license for an endpoint security product, you can also start a trial of these modules: n Full Encryption — Available with all endpoint security products n Patch Management — Available with all endpoint security products n Advanced Reporting Tool — Available with Advanced EPDR, WatchGuard EPDR, and WatchGuard EDR n Data Control — Available with Advanced EPDR, WatchGuard EPDR, and WatchGuard EDR, in certain countries only The number of endpoints for a module trial is limited to the number of endpoints you have allocated the endpoint security product to. WatchGuard Endpoint Security products and modules are licensed for each endpoint device. You can convert a trial to a license on the Activate Licenses page at WatchGuard.com. Modules are not available with WatchGuard EDR Core. Licenses work differently for WatchGuard Cloud Subscriber and Service Provider accounts. Subscribers Subscriber accounts can have only one endpoint security product license. When a Subscriber account activates a new license key for an endpoint security product, it modifies the current active endpoint security product license. You can use a new license to add additional endpoints to, or extend the expiration date of, your existing license. Endpoint Security Essentials Study Guide 14 Introduction to Endpoint Security Service Providers Service Providers can have many endpoint security product licenses. When a Service Provider activates a new license key, they can either modify an active license or add a new, separate license. After activation, the endpoint licenses appear in the Service Provider inventory in WatchGuard Cloud. Licensing options for WatchGuard Endpoint Security products and modules include 1- or 3-year term licenses, monthly MSSP points, and monthly subscription licensing. If your license expires, there is a one-week grace period before protections turn off. Endpoint Security Essentials Study Guide 15 Get Started with Endpoints Get Started with Endpoints Each WatchGuard Endpoint Security product includes client software that runs on endpoint devices and a management UI to manage security for the devices and your IT network. In this section, you learn about: n How to deploy the WatchGuard Agent on your computers and devices. n How to use filters and groups to manage your computers and devices. n Settings you can apply to computers and devices. n ThreatSync incidents, risk levels and scoring, actions, and automation policies and templates ThreatSync is a WatchGuard Cloud service that provides eXtended Detection and Response (XDR) technology for WatchGuard Endpoint Security products. For a list of additional resources on these topics, go to Additional Resources. Endpoint Security Essentials Study Guide 16 Get Started with Endpoints Install the WatchGuard Agent The WatchGuard Agent handles communication between managed computers on the same network and the WatchGuard server. The WatchGuard Agent is installed on each endpoint device or computer. It has low CPU, memory, and bandwidth usage and uses less than 2 MB of data each day. To install the client software locally, you download the WatchGuard Agent installer and run the installation wizard on the computer or device. The WatchGuard Agent installs the endpoint security product. There is a single WatchGuard Agent for all Endpoint Security products (Advanced EPDR, WatchGuard EPDR, WatchGuard EDR, WatchGuard EDR Core, and WatchGuard EPP) and modules. You can also create a download link for the installer and send the link to computers and devices on the network. Before you download the installer or create the download link, you select a group. Any computers or devices that you run the installer on are automatically added to the group you select. The security policies assigned to a computer or device depend on the group it belongs to. For more information on settings, go to General Settings and Security Settings. Installation Requirements The WatchGuard Agent supports these client platforms: Windows (Intel & ARM), macOS (Intel & ARM), Linux, Android, and iOS. For detailed information on installation requirements, go to the Endpoint Security Release Notes. Endpoint Security Essentials Study Guide 17 Get Started with Endpoints WatchGuard Endpoint Security requires access to multiple Internet-hosted resources. It requires access to ports 80 and 443. Make sure that the required URLs and ports are open to communication before you install the agent. For more information, go to the Knowledge Base article, URLS Used by Panda and WatchGuard Endpoint Security Products. Installation Options The deployment strategy depends on the number of computers you want to protect, the workstations and servers with a WatchGuard Agent already installed, and your network architecture. Local Installation To install the client software locally, you download the WatchGuard Agent installer and run the installation wizard on the computer or device. The WatchGuard Agent installs the endpoint security product. For Windows computers, you can add computers to a specific group, create groups with IP address assignments, or use the Active Directory path if they are in a domain. You then choose the network settings to apply to these computers by default. The network settings are how you configure the agent to use Endpoint Security network services. Plan how you want to organize an account and add computers before you create the WatchGuard Agent install file. If you have computers in the environment with different requirements, you might have to create multiple files. The install file is an MSI file, so you can easily deploy it with Group Policy or other third-party software deployment solutions. Endpoint Security Essentials Study Guide 18 Get Started with Endpoints You can also create a download link for the installer and send the link to computers and devices on the network. With this Send URL by Email option, you create a download link and send it to users. Users click the link to download the installer to their computers. After the agent installs, the computer appears in the Computers list in the management UI. If it does not show in the list, then the installation might have encountered a problem, or there could be a communication issue between the computer and the WatchGuard server. Remote Installation (Windows Computers) Discovery computers can identify Windows computers and servers that are unmanaged. The Unmanaged Computers Discovered list shows computers discovered on the network that do not have an Endpoint Security product installed, as well as computers where theproduct does not work correctly. Use the Unmanaged Computers Discovered list to identify which computers you need to install the client software on. You can remotely install the WatchGuard Agent and software on computers and servers that meet these requirements: n UDP ports 21226 and 137 must be accessible. n TCP port 445 must be accessible. n NetBIOS over TCP must be enabled. n DNS queries must be allowed. n Access to the Admin$ administrative share must be allowed. You must explicitly enable this feature on Windows Home editions. n You must have domain administrator credentials or credentials for the local administrator account that was created by default when the operating system was installed. n Windows Remote Management must be enabled. You can two methods to deploy the agent to many computers. The first method is to download the MSI installation file and distribute it through a centralized tool, such as Active Directory GPO. On medium-sized and large networks we recommend that you use centralized tools, such as Active Directory Group Policy Object (GPO) to install the client software for Windows computers. The second method is through Discovery computers. A Discovery computer finds devices on the network within its subnet and defined discovery scope, then installs the agent to that computer remotely. For more information on Discovery computers, go to Network Services. Endpoint Security Essentials Study Guide 19 Get Started with Endpoints Remote uninstallation of the WatchGuard Agent is only available for Windows platforms. Installation from a Gold Image In large networks with many similar computers, you can automate the process to install the operating system and other software with a gold image. This is sometimes referred to as a disk image, base image, or clone image. You then deploy the image to all computers on the network, which eliminates most of the manual work required to set up a new computer. Every computer with Endpoint Security installed has a unique ID assigned. WatchGuard uses this ID to identify the computer in the management UI. If you generate an image from a computer and then copy it to other systems, every computer that receives it inherits the same Endpoint Security ID and the management UI only shows one computer. To avoid this, you can use the Endpoint Agent Tool to delete the ID. WatchGuard Client Software When you run the WatchGuard Agent, it installs the client software on the computer. You can open the client software to verify the installation. On Android and iOS devices, the WatchGuard Agent installs the WatchGuard Mobile Security app. To open the agent on a Windows computer, in the system tray, click the WatchGuard EPDR icon. Endpoint Security Essentials Study Guide 20 Get Started with Endpoints The features available in the client software depend on the settings configured by the administrator. The agent dashboard shows if the agent is working and what it has blocked. From the Start menu on the dashboard, you can: n Specify options for antivirus and advanced protection. n Run a manual scan from the client. n See a history of the agent and any actions it performed on this computer since it was installed. n Sync the agent. The Administrator password is required to open the Administrator panel. In the Administrator panel, you can temporarily enable and disable security settings. Troubleshoot with PSInfo PSInfo is a tool available with the WatchGuard Agent. You can use the PSInfo tool to create a case with WatchGuard Support, who will contact you at the email address you provide and assist with the issue you describe. PSInfo includes some built-in tools such as URL Checker and the AD Sample Test File that you can use to troubleshoot issues. URL Checker tests the communication of the client to various cloud resources. This is useful for installation issues or synchronization problems. When URL Checker runs, you can read a report of which URL addresses worked or failed. When a URL fails, it might be unrelated to the cause of the issue you want to investigate. AD Sample Test File executes a sample process that the agent detects as unknown and blocks. This helps troubleshoot issues because it verifies whether the advanced protection is functional. Endpoint Security Essentials Study Guide 21 Get Started with Endpoints Manage Endpoints in WatchGuard Endpoint Security Use the Computers page to add, group, and manage all the devices managed by WatchGuard Endpoint Security. The Computers page includes a pane to filter and organize computers and devices. Select a computer in the list of computers to open the Computer Details page. To download and deploy the WatchGuard Agent, in the upper-right corner of the page, click Add Computers. Computers List On the Computers page, when you select a filter or group, the list of computers updates. When you select multiple computers in the list, the Computers toolbar appears in the upper-right corner of the page. The Computers toolbar includes buttons for each action you can take on managed computers. Based on the size of the window and the number of actions, some of the actions are available from an options menu. To view the options menu, click. The actions in the toolbar include these remediation tools: n Scan Now — Scans the computer immediately. n Schedule Scan — Schedules a future scan of the computer or device. Endpoint Security Essentials Study Guide 22 Get Started with Endpoints n Restart — Restarts the computer. n Isolate Computer — Blocks all communications established from and to an at-risk Windows computer, except for those required to connect to Endpoint Security. You can isolate a single computer, multiple computers, or groups of computers. n End RDP Attack Containment Mode — Turns off RDP attack containment mode for the computer. External RDP connections are no longer blocked. n View Available Patches — Opens the Available Patches list. This option is only available with the WatchGuard Patch Management module. n Schedule Patch Installation— Opens the Edit Task page, where you can create a task to install a patch. (Only available with the Patch Management module) n Verbose Mode — Generates extended telemetry for the computer. This option is available only on Windows computers in Audit mode. n Reinstall Protection — Opens the Reinstall Protection dialog box, where you can select to reinstall protection immediately or schedule re-installation within the next 8 hours. n Reinstall Agent — Opens the Reinstall Agent dialog box, where you select the discovery computer from which to reinstall the client software on selected computers. Computer Details Page To see detailed information about a computer in the Computer Details page, in the Computers list, select a computer. This section of the page includes information to help you identify the computer, information on the computer risk level, and notifications that might indicate potential problems. Endpoint Security Essentials Study Guide 23 Get Started with Endpoints For Android and iOS devices, the upper half of the details page includes an anti-theft dashboard from which you can start remote actions on a managed device, including: n Locate — With private mode disabled, the WatchGuard server gets the device coordinates and shows the device location on the map. n Snap the Thief (Android only) — Takes a photo of the device user and sends it to a specified email address. n Remote alarm — Sends an audible alarm and message to the device. n Lock — Locks the device and requires the user to enter a code to open the device. n Wipe data — Deletes all content and applications from the device. The lower half of the details page includes these tabs: n Details — Lists a summary of the hardware, software, and security settings of the computer. n Detections — Lists the number of malware, potentially unwanted programs (PUPs), exploits detected, network attack incidents, antivirus and end of life vulnerabilities, available patches and trends, and indicators of attack (IOAs) for a computer or server, filtered by date. n Investigations — Lists the telemetry collected for the computer. (Advanced EPDR only) n Monitored Connections — Lists the inbound connection attempts from remote computers. (Advanced EPDR only) n Hardware — Lists hardware installed on the computer, its components and peripherals, as well as resource consumption and use. n Software — Lists software packages installed on the computer, as well as versions and changes. To show a history of all software changes made to the computer, click the Installations and Uninstallations link. n Settings — Lists security settings and other settings assigned to the computer. To select a different security profile and specify inheritance, click Change. To edit the security profile, click Go to Settings. Isolate Computers You can isolate an at-risk computer to block communication to and from the computer. When you isolate a computer, WatchGuard Endpoint Security blocks all communications, except for those it requires. This feature is available for Windows and Linux workstations and servers. It is not supported on Mac or Android devices. With automation policies, ThreatSync can automate the steps to isolate computers. When a computer is isolated, its communications are restricted except for access to the computer from the Endpoint Security management UI. This enables you to analyze and resolve any detected problems with the tools in WatchGuard Endpoint Security. Filter and Group Computers After you deploy WatchGuard Endpoint Security to the computers on your network, use filters and groups on the Computers page to organize and access your devices. Endpoint Security Essentials Study Guide 24 Get Started with Endpoints In the left pane of the Computers page, you use filters to refine the list of your computers and devices. To create a filter, you specify different computer properties. To find a specific computer, you can add multiple properties to a single filter. Use groups to organize your computers in a custom hierarchy. Use the Search box to search for a filter or group. Filters On the Computers page, use the Filters tab to create dynamic groups to refine the list of computers and devices. When you define a filter, any computers that meet the criteria appear in the list. Endpoint Security Essentials Study Guide 25 Get Started with Endpoints When you create filters with more than one condition, we recommend that you configure a single condition at a time, save the filter to verify it works, and then add the next condition. WatchGuard Endpoint Security can filter a computer into more than one group. When the status of a computer changes and it no longer meets the conditions of the filter, Endpoint Security automatically removes the computer or device from the group defined by the filter. To organize filters in a hierarchical structure, you can create folders. A folder can contain subfolders, which can contain filters. You can copy or move your filters or folders to other folders in the structure. Endpoint Security includes common predefined filters that you can use to organize and locate network computers. You can edit or delete these predefined filters. You cannot recover a predefined filter after you delete it. Predefined filters vary with each Endpoint Security product. If you do not see a predefined filter in the management UI, it is not supported by your product. Groups Use the My Organization tab to create and manage static groups of computers and devices on your network. A computer can only belong to a single group. You might create groups to: n Find computers that meet specific criteria for hardware, software, or security. n Quickly assign security settings profiles. n Take remediation actions on a subset of computers. You can create groups within groups, and you can manually move computers from one group to another. A computer can only belong to a single group. To delete a group, it must be empty. You assign computers to a group. On the My Organization tab, you can create a hierarchy that includes groups, subgroups, and computers. The maximum number of levels in the hierarchy is 10. Before you deploy Endpoint Security to computers, we recommend that you consider the different options for groups, decide how you want to organize the account, and create groups ahead of time as needed. You can create these types of groups: Primary Group This is the root group under which all other groups reside. Endpoint Security Essentials Study Guide 26 Get Started with Endpoints Local Groups These are WatchGuard Endpoint Security groups, some of which are predefined. These groups support all operations (such as move, rename, or delete) and can contain other groups and computers. Active Directory Groups These groups replicate your Active Directory structure. These groups do not support some operations. They can contain other Active Directory groups and computers. Active Directory Root Group This group contains all Active Directory domains configured on your network. It contains Active Directory domain groups. Active Directory Domain Group These groups are Active Directory branches that represent domains. They contain other Active Directory domain groups, Active Directory groups, and computers. You cannot rename the default All group or Active Directory groups. Active Directory Groups For organizations with an Active Directory server, Endpoint Security can automatically replicate the Active Directory structure on the My Organization tab. You cannot create an Active Directory group on the My Organization tab. The tree replicates the groups and organizational units that already exist on your Active Directory server. To make sure the structure is consistent between Active Directory and the My Organization tab, you cannot modify Active Directory groups in Endpoint Security. When you make changes to your Active Directory structure, Endpoint Security automatically updates Active Directory groups within one hour. In Endpoint Security, if you move a computer from an Active Directory group to a group you created in the management UI or to the All group, the synchronization with Active Directory breaks. Any changes you make to Active Directory groups that affect the moved computer are not reflected in Endpoint Security. If you move a computer in Active Directory, it might take up to one hour for Endpoint Security to synchronize the change. Endpoint Security Essentials Study Guide 27 Get Started with Endpoints Apply Settings to Groups You can use groups to apply settings to computers. Groups inherit settings from the higher-level group they belong to. To see the settings for a group: n On the My Organization tab, next to a group name, click > Settings. You can override the settings applied to a group. The computers inside the group inherit the new group settings. Filter Results by Groups You can also use groups to highlight data on a page in the management UI. For example, on a dashboard page, if you select the All folder, you can select the groups you want to see information for on the dashboard. This filter affects the view of the page you are on, as well as any lists you open. Some computer specific settings and tasks only appear based on the group filter you select. When you filter the page, it does not affect task visibility, email alerts, or scheduled executive reports you send. Endpoint Security Essentials Study Guide 28 Monitor Threats Monitor Threats In this section, you learn about the tools available to monitor threats on the Status page. The Status page provides you with an overview of the security status of the network for a specific time period through dashboards and detailed lists. You can use this information to monitor threats to the computers and devices on your network. In this section you learn about the various tools available to monitor threats: n Security Dashboard n Web Access Dashboard n Risks Dashboard n Indicators of Attack Dashboard n Vulnerability Assessment Dashboard n Endpoint Access Enforcement Dashboard n My Lists n Scheduled Reports n Scan Tasks Use dashboards, lists and tasks to monitor threats to the computers and devices on your network. For a list of additional resources on these topics, go to Additional Resources. Security Dashboard The Security dashboard shows an overview of the security status of the network for a specific time period. Several tiles show important information and provide useful links to more detailed information. Click a tile to view detailed information. Endpoint Security Essentials Study Guide 29 Monitor Threats Web Access Dashboard The Web Access dashboard shows information about blocked and filtered Internet content and unsolicited email. It is available in WatchGuard Advanced EPDR, EPDR, and EPP only. Endpoint Security Essentials Study Guide 30 Monitor Threats Tiles on the Web Access dashboard show information about web categories accessed and blocked, including: n Top 10 most accessed categories — This panel displays the number of visits and the number of computers that have accessed the 10 most visited web page categories. Each category shows the total number of visits in the selected date range, and the number of computers that have accessed it one or more times. n Top 10 most accessed categories by computer — This panel shows the number of web page visits, ordered by category, of the 10 computers that used the web the most. n Top 10 most blocked categories — This panel shows the 10 most frequently blocked web page categories, the number of access attempts blocked, and the number of computers that attempted to access them and were blocked. n Top 10 most blocked categories by computer — This panel shows the computer-category pairs with the most visits blocked, the name of the computer, the web content category, and the number of access attempt denied for each computer-category pair. Click a row in a tile to see detailed information about the computers that accessed the category or were blocked. Click See Full Report to open the full report. Endpoint Security Essentials Study Guide 31 Monitor Threats Risks Dashboard The Risks dashboard shows information about the security risk level assigned to computers on your network. It is available in WatchGuard Advanced EPDR, EPDR and EPP only. The Company Risk tile shows the number of computers in the network with an assigned risk level. The graph shows computers with no risk and computers with different levels of risks. n Red — Critical Risk n Orange — High Risk n Yellow — Medium Risk n Green — No Risk Click an area of the tile to open the Risks by Computer list. Click a color on the graph to open the list filtered by the type of risk. In the Risk Trend tile, you can see the number and types of risks as they occurred over time. Use the time period selector to show information in the tile for these time periods: n Last 7 days n Last month n Last year Click any spot on the graph to open the Risks by Computer list. Point to a date to see a summary of the risks for that date, including the date, risk level and number of affected computers. The Detected Risks tile shows the top risks found and the number of computers where each risk was found. This list shows risks in descending order. In the left column, the color of the circle indicates the type of risk (Critical, High, or Medium). To open the Risks by Computer list filtered to a specific risk, click the number of computers where the risk was found. To open a list of all of the risks detected, click View All. Endpoint Security Essentials Study Guide 32 Monitor Threats The Computers at Risk tile shows the 10 computers with the highest number of risks. This list shows in descending order. For each computer, the bar graph indicates the type of risks found and the total number of risks. A computer global risk level is the highest risk level of the risk factors detected on the computer. Select a computer to open the Risks list for the computer. Indicators of Attack Dashboard The Indicators of Attack (IOA) dashboard provides visibility into Threat Hunting Services. It is available in WatchGuard Advanced EPDR, EPDR, and EDR only. The Threat Hunting Service tile shows a summary of the Events, Indicators, and IOAs for all computers and devices on the network, for a selected time, to help you determine if there are intrusion attempts. n Events — Number of actions carried out by programs installed on protected computers and monitored by WatchGuard Advanced EPDR, EPDR, or EDR. n Indicators — Number of suspicious event patterns detected in the event data flow. n Indicators of Attack — Number of indicators that are highly likely to be an attack. The Evolution of Detections tile includes a line and bar graph that shows the number of Indicators, Pending IOAs, and Archived IOAs over time. n Indicators — Number of suspicious patterns detected in the event flow received. n Pending IOAs — Number of suspicious patterns that are highly likely to indicate an attack. An administrator has not analyzed or resolved the IOA. n Archived IOAs — Number of IOAs that an administrator has analyzed or resolved and marked as Archived. The Y-axis on the left measures detected pending and archived IOA. The Y-axis on the right measures indicators detected. This Indicators of Attack Mapped to the MITRE Matrix section shows a table of the numbers of IOA detected during the selected time period, arranged by MITRE tactic and technique. To view the name and code of the technique or the total number of detections, point to a column or box. Tactics are the columns headings. Techniques display below the tactic. Point to the red circle to see the pending IOA. Endpoint Security Essentials Study Guide 33 Monitor Threats Vulnerability Assessment Dashboard Vulnerability Assessment identifies third-party applications that have available patches or have reached end-of-life (EOL), as well as patches and updates released by Microsoft (for example, operating systems, databases, Office applications). It is available in accounts that do not have the WatchGuard Patch Management module. The Vulnerability Assessment dashboard shows the patch status of Windows, Linux, and macOS computers in your network. Endpoint Access Enforcement Dashboard Endpoint Access Enforcement monitors connections to computers on your network to reduce infections from unprotected devices (Windows, macOS, and Linux). The Endpoint Access Enforcement dashboard shows information about connections between computers on the network that meet conditions you configure in the Endpoint Access Enforcement settings. Endpoint Security Essentials Study Guide 34 Monitor Threats My Lists The My Lists section of the Status page provides quick links to detailed lists that are filtered to show specific information. Most dashboard tiles have an associated list, so you can quickly see information graphically in the tile and then get more detail from the list. Some predefined lists appear by default in the left pane. Click next to a list to open the options menu. From the options menu, you can make a copy of a list, rename it, delete it, export it to a CSV file, and schedule and email a report of the list results. Scheduled Reports You can email a report of security information from the computers protected by Endpoint Security. You can schedule reports to send daily, weekly, or monthly on specific days and at specific times. This option allows you to closely monitor the security status without the need for administrators to access the management UI. Endpoint Security Essentials Study Guide 35 Monitor Threats The Preview Report option is only displayed when the Executive Report is selected. This link opens a new tab in your browser and contains the contents of the report to view before you schedule it to be sent, downloaded, or printed. For lists, the format is CSV and the preview option is not available. For some reports, you can select a Summary Report or Full Report. Endpoint Security Essentials Study Guide 36 Monitor Threats Scan Tasks On the Tasks page, you can create tasks to scan the computers and devices on your network for malicious programs and viruses. You can configure tasks to run immediately or at a later time. Tasks can run once or repeatedly through specified time intervals. You can also start a scan or schedule a scan for a specific device from the Computers list. These are the high-level steps to run a scheduled scan task: 1. Create and configure the task. 2. Publish the task. When the configured conditions are met, Endpoint Security runs the task. Create and Configure a Task Endpoint Security enables you to scan the computers and devices on your network for malicious programs and viruses. You can assign immediate or scheduled scan tasks to all computers in a group and its subgroups. To scan a computer or group now, on the Computers page, next to the computer or group of computers you want to scan, click and then select Scan Now. To scan critical areas for active viruses, such as memory, running processes, and cookies, select Critical areas. To schedule a scan task from the Tasks page, click Add Task > Scheduled Scan, and specify the recipients, schedule, and frequency for the task. In the options in the New Task dialog box, you can also select how long to retain the scan task when the computer is not connected to the WatchGuard Cloud at the selected time. Endpoint Security Essentials Study Guide 37 Monitor Threats In the Scan Options section, you specify these scan engine options: Scan Type Select Entire Computer to run an in-depth scan of the computer that includes all connected storage devices. Select Critical Areas to run a quick scan of these areas: o %WinDir%\system32 o %WinDir%\SysWow64 o Memory o Boot system o Cookies Select Specific Items to run a scan of a selected storage device. WatchGuard Endpoint Security scans the specified path and every folder and file it contains. Detect Viruses Enable this toggle to detect programs that enter computers with malicious purposes. This toggle is always enabled. Detect Hacking Tools and PUPs Enable this toggle to detect potentially unwanted programs, as well as programs that hackers can use to carry out actions that cause problems for the user of the affected computer. Detect Suspicious Files Scheduled scans can scan computer software statically without the need to run the software. This reduces the likelihood that the scan detects some types of threats. Enable this toggle to use heuristic scan algorithms and improve detection rates. Endpoint Security Essentials Study Guide 38 Monitor Threats Scan Compressed Files Enable this toggle to decompress compressed files and scan their contents. Exclude the Following Files from Scans In these text boxes, specify the files and paths you do not want to scan: o Extensions — Enter multiple file extensions separated by commas. o Files — Enter multiple file names separated by commas. o Folders — Enter multiple folders separated by commas. Select the Do not scan files excluded from the permanent protections check box to not scan files that the administrator allowed to execute, as well as any file that is globally excluded in the management UI. Publish the Task After you create and configure a task, it appears in the list of configured tasks. The status shows as Unpublished and it is not yet active. The task cannot run until you publish it and add it to the scheduler queue. To publish a task, on the Tasks page, select the task you created to open it, and then click No Recipients Selected Yet. Add the groups and computers you want to publish the task for and click Publish. Endpoint Security Essentials Study Guide 39 Endpoint Security Protections and Remediation Endpoint Security Protections and Remediation In this section, you learn about the endpoint security protections available with your WatchGuard Endpoint Security product. This includes: n General Settings and Alerts n Workstation and Server Settings n Endpoint Detection and Response n Indicators of Attack n Risks n Antivirus Protection n Device Control n Firewall Protection n Web Access Control n Program Blocking n Authorized Software n Endpoint Access Enforcement n Mobile Devices n Vulnerability Assessment For a list of additional resources on these topics, go to Additional Resources. Endpoint Security Essentials Study Guide 40 Endpoint Security Protections and Remediation General Settings On the Settings page, you can configure security, productivity, and connectivity parameters for the computers and devices you manage. After you create a group and assign computers and devices to the group, you configure security settings and assign them to the group. The final step is to deploy the security settings to the computers and devices in the group. In this section you learn about: n User Audit Logs n Per-Computer Settings n Network Settings n Network Services n Computer Maintenance n Alerts Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. If you do not see a setting in the management UI, it is not supported by your product. Settings Inheritance Each settings profile relates to an area of security protection, such as network services or network settings. You can create as many settings profiles with different settings as necessary to manage network security for different types of computers and devices. We recommend that you create separate settings profiles for groups of computers with similar protection needs. By default, all computers and devices on the Computers > My Organization tab inherit the Endpoint Security default settings assigned to the All group. When you assign new security settings to a subgroup, the new settings replace the default settings for all groups and computers in the subgroup. In large networks, this feature saves you time because the settings automatically apply to many computers and devices. If you do not want to automatically apply settings to a subgroup or if you want to assign different settings to a specific computer or subgroup, you can manually or directly assign settings. Manually assigned settings take precedence over inherited settings. When you manually assign a new settings profile to a group, all computers and devices below that group use the manually assigned settings, not the inherited or default ones. Changes you make to settings in a higher-level group affect the groups, computers, and devices that inherit the settings differently, based on whether they have existing manually assigned or inherited settings. Endpoint Security Essentials Study Guide 41 Endpoint Security Protections and Remediation Subgroups and Computers with No Manually Assigned Settings When you change settings in a group that are inherited by subgroups and computers that have no manual settings applied, the new settings automatically apply to all subgroups, computers, and devices in the group. Subgroups and Computers with Manually Assigned Settings When you change settings in a group that are inherited by subgroups and computers that have manually assigned settings applied, any subgroups or computers with manually assigned settings do not inherit the new settings, regardless of the level. WatchGuard Endpoint Security prompts you to specify whether to keep the manually assigned settings or inherit the settings. Keep All Settings When you select this option, new settings apply only to groups and computers that do not have manually assigned settings. Existing manual settings are retained and the application of new inherited settings stops at the first group or computer with manually configured settings. Make All Inherit These Settings When you select this option, all groups and computers inherit the new settings. Endpoint Security overwrites all manual settings and removes all manually assigned settings below the group. If you move a single computer with manually assigned settings, the settings move with the computer to the new location. If you move a computer with inherited settings, the inherited settings in the new location overwrite the currently inherited settings. Endpoint Security Essentials Study Guide 42 Endpoint Security Protections and Remediation User Audit Logs On the Users > Activity page, you can see log information for user sessions and actions in the management UI, as well as system events. These columns are available for different types of activities. Sessions The Sessions tab shows information on access to the management UI, such as when a user logs in and logs out. Date — The date and time when the activity occurred. User — The name of the user who completed the activity. Activity — The activity completed (for example, log in or log out). IP Address —The IP address of the endpoint device. User Actions The User Actions tab shows user actions, such as when a user creates or edits a security settings profile or task, deletes a computer, or changes the group that a computer belongs to. Date — The date and time when the action occurred. User — The name of the user who completed the action. Action — The user action completed (for example, allow threat). Item Type — The type of device the action was performed on (for example, computer or non-persistent computer). Item — The name of the computer that the action occurred on. System Events The System Events tab shows all events that occur in Endpoint Security that were not initiated by a user, such as when a computer registers with the server for the first time or after computer deletion or reinstallation. Date — The date and time when the system event occurred. Event — The action taken by Endpoint Security. Type — The object that the action was taken on (for example, a computer or non-persistent computer). Item — The name of the computer that the system event occurred on. Endpoint Security Essentials Study Guide 43 Endpoint Security Protections and Remediation You can export activity logs to a comma-separated value (CSV) file that you can use in other applications. Per-Computer Settings On the Per-Computer Settings page, you create settings profiles that specify how often to install software on workstations and servers. You can also define settings to prevent tampering and unauthorized uninstallation of the software and enable shadow copies to create snapshots of computer files. The Per-Computer Settings page includes these sections: Preferences Show or hide the WatchGuard icon in the system tray of computers where Endpoint Security is installed. Updates Configure the time and frequency of updates of the client software. Update options are not configurable for Android and iOS devices. From the If a Restart Is Necessary to Complete the Update Process list, you specify whether and when to restart a computer or server after an upgrade. n Do Not Restart Automatically — A restart dialog box on the target computer prompts the user to restart the computer. The dialog box continues to open until the computer restarts. n Automatically Restart Workstations Only — Computers automatically restart after the update completes. Servers do not restart automatically. n Automatically Restart Servers Only — Servers automatically restart after the update completes. Computers do not restart automatically. Endpoint Security Essentials Study Guide 44 Endpoint Security Protections and Remediation n Automatically Restart Workstations and Servers — Computers and servers automatically restart after the update completes. Anti-Tamper Protection Configure security against tampering to make sure that only authorized users can uninstall, disable, or uninstall Endpoint Security. In a Per-Computer Settings profile, you can specify a password that is required to perform advanced administrative actions locally from protected computers. We recommend that you configure a password if you enable any of these options: Require a password to uninstall the protection locally from the protected computer If you enable this option, users must enter the configured password to uninstall the Endpoint Security or the WatchGuard Agent from any computer that has these settings applied. This prevents unauthorized uninstallations. Allow the protections to be temporarily enabled or disabled from the protected computer If you enable this option, users must enter the configured password to get access to the administrator panel on the protected computer. In the Endpoint Security window, users can temporarily enable and disable Endpoint Security. After the specified time period, the changes revert to the settings specified in the profile applied to the computer. Enable anti-tamper protection If you enable this option, the configured password is required to disable anti-tamper protection locally from the protected computer. Safe Mode Protection Some types of malware force Windows computers to restart in Safe Mode with networking enabled. In this mode, antivirus is automatically disabled and computers are vulnerable. If you enable this option, Endpoint Security protects computers when they start in Safe Mode with networking enabled, so that all configured protections remain active and work normally. Two-Factor Authentication If you enable this option, two-factor authentication is required in AuthPoint or another authenticator app to log in to the local management UI or to uninstall the protection software from a device. Shadow Copies Shadow Copies is a technology included on Windows computers that can create snapshots of computer files, even when they are in use. If you enable this option, Windows creates a shadow copy every 24 hours. Endpoint Security retains up to 7 copies at a given time. To restore a previous version of the file, use the Windows Shadow Copies app on your computer. This feature is available for computers that run Windows Vista or Windows 2003 Server, and higher. Endpoint Security Essentials Study Guide 45 Endpoint Security Protections and Remediation Network Settings On the Network Settings page, you create settings profiles to specify the language of Endpoint Security installed on computers and devices. You can also define the type of connection to the WatchGuard server with proxies and add cache computers that act as repositories for signature files and other components. Proxies List A proxy acts as an intermediary for the communication between two computers — a client on an internal network (an intranet, for example) and a server on an extranet or the Internet. In the network settings profile, you can add Windows computers as proxies and then specify the order in which Windows, Linux, and Mac computers in the subnet use the proxies. When there are multiple computers, the first available computer in the list is the proxy. If it becomes unavailable, your computers try the next proxy computer on the list until they reach the end of the list, then they try the first computer again until they can connect. Proxies cannot download patches or updates through the Patch Management module. Only computers with direct access to the WatchGuard server or with indirect access through a corporate proxy can download patches. You can add three types of proxies: Corporate Proxy Access to the Internet is through a proxy installed on the company network. Automatic Proxy Discovery Using Web Proxy Autodiscovery Protocol (WPAD) Access to the Internet is through a proxy that is discoverable through Web Proxy Auto-Discovery (WPAD) protocol. This method uses DNS or DHCP to query the network and get the discovery URL that points to the proxy auto-configuration (PAC) file. WPAD protocol is primarily used in networks where clients are only allowed to communicate externally through a proxy. WatchGuard Proxy If you select no proxy, access to the Internet is direct, not through a proxy. Endpoint Security uses the computer settings to communicate with the WatchGuard server. Endpoint Security Essentials Study Guide 46 Endpoint Security Protections and Remediation Cache Computer List After you designate a computer as a cache computer, on the Network Settings page, you can change the order of cache computers that other computers and devices in your network will use. The first available computer will be the cache they use. However, if it becomes unavailable, your computers and devices will try the next computer on the list. Network Services On the Network Services page, you specify how Endpoint Security communicates with computers on the network and with WatchGuard Cloud. The Network Services page includes these tabs: WatchGuard Proxy On the WatchGuard Proxy tab, you define computers that act as a WatchGuard proxy that enables the WatchGuard Agent on computers with restricted Internet access to reach WatchGuard Cloud. After you designate a computer as a WatchGuard proxy it can be added to the list of available proxies in a network settings profile. We recommend that you configure a WatchGuard proxy only to enable isolated computers (those without an Internet connection, either direct or through a corporate proxy) to access WatchGuard Cloud. Cache On the Cache tab, you define computers that act as a cache for signature files, security patches, and other components used to update Endpoint Security installed on other computers and devices on the network. If you have more than one cache computer, computers use them based on availability. Access to cache computers can speed up updates and patch downloads. Cache computers save bandwidth because not every computer has to separately download the updates they need. Cache computers download all updates centrally for other computers that require them. A computer designated with the cache role can cache these items: n Signature Files — Cached until they are no longer valid n Installation Packages — Cached until they are no longer valid Endpoint Security Essentials Study Guide 47 Endpoint Security Protections and Remediation n Update Patches for Patch Management — Cached for 30 days The capacity of a cache computer depends on the number of simultaneous connections it can accommodate and the type of traffic it manages (such as signature file downloads or installer downloads). A cache computer can serve approximately 1,000 computers simultaneously. Discovery On the Discovery tab, you define computers that discover unprotected computers on the network. The first Windows computer that you add to Endpoint Security is automatically designated as the discovery computer. Discovery not only identifies computers without an agent installed, but you can also enter Active Directory credentials and the discovery computer will install the WatchGuard Agent on the other computer for you remotely. You can configure the discovery computer to run at regular intervals or you can run a discovery task on demand. In the Discovery Scope section, you can select an option to limit where the discovery computer searches: Search across the entire network The discovery computer uses the network mask configured on the interface to scan its subnet for unmanaged computers. Search only the following IP addresses Enter an IP address or IP address range, separated by commas. IP ranges must include dash or hyphen in the middle (for example, 192.168.1.1-192.168.1.254). You can only specify private IP address ranges. Search for computers in the following domains Enter the Windows domains for the discovery computer to search, separated by commas. Discovery computers can only scan their own subnet even if you set this to the entire network. To search for unmanaged devices across all subnets on the network, add at least one discovery computer from each subnet. If you limit the discovery computer to specific IP addresses then it is further restricted. Network Access Enforcement Configure settings for Network Access Enforcement on your Firebox. All VPN connections must meet specified security requirements before they connect to the network. Your system must meet these requirements before you enable Network Access Enforcement: n Endpoint enforcement on the Firebox is enabled. (Enter a unique identifier (UUID) and authentication key.) Endpoint Security Essentials Study Guide 48 Endpoint Security Protections and Remediation n Computers you want to enable Network Access Enforcement for must run one of these operating systems: o Windows 8.1 or higher o macOS High Sierra 10.13 or higher o Android 6 or higher n Computers you want to enable Network Access Enforcement for must have Endpoint Security installed and running with a Workstations and Servers settings profile with Advanced Protection in hardening or lock mode or antivirus enabled and running. (EDR Core must have antivirus enabled and running.) Network Access Enforcement is not compatible with Linux. Computer Maintenance On the Computer Maintenance page, you can configure Endpoint Security to automatically delete endpoints from the management UI based on a filter. To delete endpoints from the management UI, you create a filter to identify computers and devices you want to delete and then enable computer maintenance. When you define a filter, any endpoints that match the criteria appear in the filter group. Endpoint Security automatically deletes endpoints that meet the criteria in the filter daily between 01:00 AM and 03:00 AM UTC. When you delete computers: Endpoint Security Essentials Study Guide 49 Endpoint Security Protections and Remediation n You no longer see deleted computers or related information in the management UI. n The computers are unprotected. n The endpoint security software and WatchGuard Agent remain on the computer. n Encrypted computers remain encrypted but you cannot get the recovery keys. n Deleted computers show as deleted in system events. We recommend that you turn off a computer after Endpoint Security deletes it. If you do not turn off the computer, it will appear in the Endpoint Security management UI when it reconnects to the WatchGuard Cloud servers. Information generated by the device is not permanently deleted from the WatchGuard Cloud servers. If you reassign a license to the device, the information shows in the management UI when the device reconnects. Alerts On the My Alerts page, you configure alerts to send to the network administrator by email. My Alerts are user specific, so each administrator in the account can choose which emails they want to receive. The content of an alert email varies based on the managed computers that the recipient can see. You can select or send alerts when these events occur: n Endpoint Security detects a malware specimen, PUP, or exploit n Endpoint Security detects a network attack n There is an attempt to use an unauthorized external device n Endpoint Security reclassifies an unknown item (malware or PUP) n Endpoint Security detects and blocks an unknown process during classification n Endpoint Security detects Indicators of Attack n Endpoint Security detects network attack activity n There is a license status change n There are installation errors or a computer is unprotected Endpoint Security Essentials Study Guide 50 Endpoint Security Protections and Remediation If an email recipient wants to opt out of the notifications, but does not have access to the Endpoint Security management UI, or appropriate permissions, the recipient can unsubscribe from a link in the email message. Alert Types Malware Detections (Windows Computers) Sends an alert for each malware detected in real time on a computer. Endpoint Security sends a maximum of two messages for each computer each day. Exploit Detections (Windows Computers) Sends an alert for each exploit attempt detected. Endpoint Security sends a maximum of 10 alerts for each computer-exploit each day. PUP Detections (Windows Computers) Sends an alert for each PUP detected in real time on a computer. Endpoint Security sends a maximum of two alerts for each computer-PUP each day. A Program that is Being Classified Gets Blocked (Windows Computers) Sends an alert for each unknown program detected in real time on the file system. Programs Blocked by the Administrator (Windows Computers) Sends an alert every time Endpoint Security blocks a program. A File Allowed by the Administrator is Finally Classified Sends an alert when Endpoint Security classifies a file that the administrator previously allowed. Administrator-allowed files are files which the administrator allowed to run although Endpoint Security blocked them. As soon as Endpoint Security completes the classification, it informs the administrator of the verdict so that the file can be allowed or blocked, based on the reclassification policy. A Malware URL is Blocked Sends an alert when Endpoint Security detects a URL that points to malware. Endpoint Security sends a message every 15 minutes with a summary of all detected threats. Phishing Detections Sends an alert when Endpoint Security detects a phishing attack. Endpoint Security sends a message every 15 minutes with a summary of all detected threats. An Intrusion Attempt Gets Blocked (Windows Computers) Sends an alert when the IDS module blocks an intrusion attempt. Endpoint Security sends a message every 15 minutes with a summary of all detected threats. Endpoint Security Essentials Study Guide 51 Endpoint Security Protections and Remediation Blocked Devices Sends an alert when a user tries to access a device or peripheral that the administrator blocked. Endpoint Security sends a message every 15 minutes with a summary of all detected threats. Compatible with Windows, Linux, Mac, iOS, and Android devices. Network Attack Detections Sends an alert when Endpoint Security detects a network attack. Indicators of Attack Sends an alert when Endpoint Security detects an Indicator of Attack. Computers with Protection Errors Sends an alert every time Endpoint Security finds an unprotected computer on the network or a computer with a protection or installation error. Computers without a License Sends an alert every time Endpoint Security fails to assign a license to a computer when there is no free license. Install Errors Sends an alert when an event occurs that causes computer status to change from protected to unprotected. If Endpoint Security detects several events at the same time that could cause a computer status to change from protected to unprotected, it generates only one alert with a summary of all the events. Discovery of an Unmanaged Computer Sends an alert every time a discovery computer finishes a discovery task or a discovery task finds a never- seen-before computer on the network. Status Change Alerts These computer statuses trigger an alert: n Protection with Errors — The status of the antivirus or advanced protection installed on a computer shows an error. This only applies to computers with an operating system that supports antivirus or advanced protection. n Installation Error — An installation error occurs that requires user intervention, such as insufficient disk space. Transient errors that can be resolved autonomously after a number of retries do not generate an alert. n No License — A computer does not receive a license after registration because there are no free licenses. Endpoint Security Essentials Study Guide 52 Endpoint Security Protections and Remediation Security Settings On the Settings page, you can configure security settings profiles to specify how Endpoint Security protects the computers on your network against threats and malware. In this section you learn about: n Endpoint Detection and Response n Workstation and Server Settings n Antivirus Protection n Device Control n Firewall Protection n Web Access Control n Indicators of Attack n Risks n Program Blocking n Authorized Software n Endpoint Access Enforcement n Mobile Devices n Vulnerability Assessment Settings vary for WatchGuard Advanced EPDR, EPDR, EDR, EDR Core, and EPP. If you do not see a setting in the management UI, it is not supported by your product. Endpoint Security Essentials Study Guide 53 Endpoint Security Protections and Remediation About Endpoint Detection and Response Endpoint Detection and Response (EDR) combines traditional preventive methods with advanced technologies to prevent, detect, and automatically respond to advanced threats, as well as investigation capabilities. Endpoint secu

Endpoint Security Essentials Study Guide PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue