Comments

  • Short answer, no-- you do not need to run TDR and EPDR side by side anymore. Over the last year, we have added all of TDR's relevant features and detection methods to EPDR, including things like Secure VPN to a Firebox, decoy files, and more. In the next few months, TDR will soon be renamed to EDR Core, and have a new…
  • Check out our Secplicity post about the recent Kaseya attack here: https://www.secplicity.org/2021/07/02/breaking-alert-ongoing-msp-targeted-ransomware-attack-kaseya/ Regarding the TDR Agent auto-updating, you can turn that off if you are concerned.…
  • Hi Patrick, EPDR is not a direct replacement for TDR. EPDR is the evolution of Panda AD360 into the WatchGuard Cloud ecosystem, and will be licensed as a separate product, like AD360 is today. You can run the two concurrently, like with TDR+AD360, but bear in mind that EPDR is still technically in the beta phase-- while…
  • Hi Phil, The **best** protection would be with AD360. It combines the endpoint protection of EPP+ with zero-trust anti-ransomware functionality along with deep endpoint telemetry for Windows, macOS, Linux and Android. You can still utilize DNSWatch for phishing protection and education while behind the firewall-- you can…
  • You can change the account ID using a command line option in a batch script: ON EVERY DEPLOYED HOST SENSOR, there are two ways to go about this: a. Uninstall every host, delete the TDR folder and reinstall b. Use the following commands: net stop TDRSensorService64 cd c:\Program Files (x86)\WatchGuard\Threat Detection and…
  • Kalos-- that isn't a common problem, but is typically seen when there is another AV/anti-malware application installed like McAfee or Symantec. Be sure to add exclusions in TDR for any AV software and exclude TDR in your AV. If the problem persists, support can help you pull detailed triage logs to identify the conflict.
  • Hi Gregg, The Firebox provides for two things in TDR: first, event correlation with network activity, and second, the TDR licenses. The sensors are tied to the account, so you can remove the T50 and add the T35 without any interruption if they are registered to the same partner/customer. This second point is one area that…
  • Hi Brian, APT Blocker is not Cylance, it is LastLine. You may be thinking of Intelligent Antivirus, which is powered by Cylance. Otherwise, you are correct that TDR can complement Cylance AV, and while they do overlap in many ways the detection methodologies are different. RobMSP: There was an older NSS Labs report, but it…
  • Hi Barry, InterceptX and TDR share many of the same features, so if you do want to use both simultaneously you will need to add exclusions in both products to avoid adverse interactions. WatchGuard has tested TDR with a variety of products and produced integration guides. This is one for Sophos AV; InterceptX may have…
  • Look under Settings: General. Try turning off "Generate Uncorrelated Firebox Indicators" and see if that reduces the noise for you. That will suppress display of Firebox actions that do not have an associated actionable process.
  • @Stewy @BrianSteingraber That's essentially what will happen with network indicators-- since they have actually already been resolved by the Firebox, they'll be marked externally remediated for display purposes. The underlying data will still factor into correlated events, but the extra 7's will be hidden.
  • Brian, I'm guessing those 7 indicators you have to manually resolve were from network events. TDR is getting updates to better display network events and reduce the noise they generate in the dashboard.
  • Wildcards work. You could do "c:\windows\temp\WRupdate.exe" or "c:\windows\temp\WRupdate". You can't do just the filename though, you need a path. "WRupdate*.exe" alone will not match. For WebRoot, there's a guide at https://watchguard.com/help/docs/help-center/en-US/Content/Integration-Guides/TDR/webroot_tdr.html. Usually…
  • Hi Stewy, I typed up a long reply and accidentally deleted it when editing to add links. I’ll try to recreate my answer here… It may help to remember that TDR is not a traditional AV type product with Good-Bad signatures. Everything that happens on a host is observed and assigned a score from 0 (whitelist) to 10…
  • I missed the second question re: wildcards. FYI you can add wildcards to path names, e.g. C:\users*\mytempfiles. You can also use variables like %username%, but those can have unexpected results depending on when the OS decides to assign the variable value and when TDR observes an object, so wildcards are safer. One of the…
  • I've deployed on both. Hyper-V hosts have never been a problem for me, but I would suggest creating a group for the hypervisor hosts in case you want to override the general policies and host sensor settings (best practices in general). Backup servers may require more care-- on one hand, it's useful to protect the backup…
  • Greg-- That's why defense in depth is so important! If a password protected zip file can't be scanned by GAV, malware can still be detected by TDR when the file is unzipped on the destination machine. Layered protection is one of the core benefits of Total Security Suite.
  • AD Helper does not have to be installed on a server or even a domain member. It can be installed on any Windows machine that has Java 8 installed, can contact one or more domain controllers via LDAP (TCP/389) or LDAP/s (636), and can reach the target host machines via File and Print Sharing (TCP/445 and TCP/139).…
  • These folders are part of TDR’s Host Ransomware Prevention detection service and are normally hidden. If the Host Sensor detects changes to these files, the Host Sensor reports the event back to TDR as possible ransomware activity. Change the Hidden Files Setting in Windows If you have previously configured Windows to show…
  • Environment variables will often produce unexpected results when used in exclusions. This is because the exclusion is loaded at host sensor startup and reloaded when a change is made to the exclusion list, but environment variables can change or be reset when a new user logs on to the system or makes a manual change to a…
  • The most common cause of excess resource usage by TDR is conflicts with 3rd party antivirus services. These conflicts can be resolved by adding the appropriate exclusions for your antivirus within TDR and within the AV software for TDR to avoid “double scanning” of files and processes. WatchGuard has tested TDR with a…
  • 1) Stop the helper service 2) As an administrator, open C:\Program Files (x86)\WatchGuard\Active Directory Helper\helper.xml 3) Edit the element (around line 42) and add --httpListenAddress=127.0.0.1 before --httpPort=8080. It should look like this: <arguments>-Xrs -Xmx256m -jar "%BASE%\helper.war"…