John_Norton

About

Display Name: John_Norton
Visits: 6
Roles: WatchGuard Representative
Points: 9
Badges: 1

Comments

  • Hi Gregg, The Firebox provides for two things in TDR: first, event correlation with network activity, and second, the TDR licenses. The sensors are tied to the account, so you can remove the T50 and add the T35 without any interruption if they are…
  • Hi Brian, APT Blocker is not Cylance, it is LastLine. You may be thinking of Intelligent Antivirus, which is powered by Cylance. Otherwise, you are correct that TDR can complement Cylance AV, and while they do overlap in many ways the detection met…
  • Hi Barry, InterceptX and TDR share many of the same features, so if you do want to use both simultaneously you will need to add exclusions in both products to avoid adverse interactions. WatchGuard has tested TDR with a variety of products and pro…
  • Look under Settings: General. Try turning off "Generate Uncorrelated Firebox Indicators" and see if that reduces the noise for you. That will suppress display of Firebox actions that do not have an associated actionable process.
  • @Stewy @BrianSteingraber That's essentially what will happen with network indicators-- since they have actually already been resolved by the Firebox, they'll be marked externally remediated for display purposes. The underlying data will still factor…
  • Brian, I'm guessing those 7 indicators you have to manually resolve were from network events. TDR is getting updates to better display network events and reduce the noise they generate in the dashboard.
  • Wildcards work. You could do "c:\windows\temp\WRupdate.exe" or "c:\windows\temp\WRupdate". You can't do just the filename though, you need a path. "WRupdate*.exe" alone will not match. For WebRoot, there's a guide at ht…
  • Hi Stewy, I typed up a long reply and accidentally deleted it when editing to add links. I’ll try to recreate my answer here… It may help to remember that TDR is not a traditional AV type product with Good-Bad signatures. Everything that happens on…
  • I missed the second question re: wildcards. FYI you can add wildcards to path names, e.g. C:\users*\mytempfiles. You can also use variables like %username%, but those can have unexpected results depending on when the OS decides to assign the variabl…
  • I've deployed on both. Hyper-V hosts have never been a problem for me, but I would suggest creating a group for the hypervisor hosts in case you want to override the general policies and host sensor settings (best practices in general). Backup serv…
  • Greg-- That's why defense in depth is so important! If a password protected zip file can't be scanned by GAV, malware can still be detected by TDR when the file is unzipped on the destination machine. Layered protection is one of the core benefit…
  • AD Helper does not have to be installed on a server or even a domain member. It can be installed on any Windows machine that has Java 8 installed, can contact one or more domain controllers via LDAP (TCP/389) or LDAP/s (636), and can reach the targe…
  • These folders are part of TDR’s Host Ransomware Prevention detection service and are normally hidden. If the Host Sensor detects changes to these files, the Host Sensor reports the event back to TDR as possible ransomware activity. Change the Hidden…
  • Environment variables will often produce unexpected results when used in exclusions. This is because the exclusion is loaded at host sensor startup and reloaded when a change is made to the exclusion list, but environment variables can change or be…
  • The most common cause of excess resource usage by TDR is conflicts with 3rd party antivirus services. These conflicts can be resolved by adding the appropriate exclusions for your antivirus within TDR and within the AV software for TDR to avoid “do…
  • 1) Stop the helper service 2) As an administrator, open C:\Program Files (x86)\WatchGuard\Active Directory Helper\helper.xml 3) Edit the element (around line 42) and add --httpListenAddress=127.0.0.1 before --httpPort=8080. It should look like th…