EDR Core Blocking RDP

Recently we upgraded all our servers from TDR to EDR Core; I created new settings and removed the network usage limitation.

For a couple of days we had zero issues, but then, one by one, each server stopped us from remoting onto it. We couldn't even log on locally on the devices and had to manually power cycle them to regain access.

We've now had to remove EDR Core from all devices as the issue reoccurred.

Is there potentially a setting that I've missed that could cause this issue?

Comments

  • I did the following to allow an app to run which was being blocked by EDR Core. Not sure if there is a better way...

    Create Exclusions in WatchGuard Endpoint Security
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Endpoint-Security/_kb-articles/create-exclusions.html

  • james.carson Moderator, WatchGuard Representative

    Hi @ColB
    I'd suggest opening a technical support case (use the link at the top right of this page to do so). One of our techs can take a look at your configuration with you.

    -James Carson
    WatchGuard Customer Support

  • Thanks, I'll open a support case

  • David_ WatchGuard Representative

    Hello,

    EDR Core should not block files at all. It is designed to only send notifications when an unknown file is trying to execute.
    By creating exclusions, you ignore those excluded files or folders; they will not be noted, and no notification will be sent for those files/folders.
    But in no case should EDR Core block executions.
    So I think in these cases the advice James gave is the best we can offer, as it needs to be studied in depth to avoid blockages.

    Kind regards,

    David

  • edited July 2023

    In my case:

    Threat: PUP (potentially unwanted program)
    Action: Blocked

    And I can select "Do not detect again" to allow it on all computers - OR - add an exclusion for selected computers.

    Support case opened....

  • David_ WatchGuard Representative

    Hello, @Bruce_Briggs
    That sounds like EDR or EPDR, but not EDR Core.
    Thank you for opening a case, we will get back to you through that path, with data requests in order to study this more in depth.

  • From my now closed case:

    "Please note that EDR Core has the ability to block known malware, including the PUP family"
    and
    "Blocking (EDR Core does not support disinfection). So all known malware will be blocked."

  • David_ WatchGuard Representative

    Yes, I am afraid my explanation was not complete:
    EDR Core will not block any unknown file. Of course, known malware or PUPs will be blocked. Yes.
    In summary, EDR Core will send a notification when an unknown file is being executed, but in no case will this unknown file be blocked.
    But if the file being executed is well-known malware or a PUP, then it will be blocked for safety reasons.

    Sorry for the misunderstanding...

    David

  • LHD
    edited September 2023

    Did you ever get this resolved? I just switched from TDR and the same thing is happening.

  • David_Carro WatchGuard Representative

    Hello, LHD,

    Please open a case with support@watchguard.com so we can study your specific case, but if the detection is due to malware or PUPs, you will have to create exclusions for those detected files.

    Regards,

    David


    David Carro | Technical support
    WatchGuard Technologies, Inc. | www.watchguard.com
