Comments

  • I apologize for the confusion and your frustration. I was talking about capabilities that span the portfolio, as ThreatSync is a portfolio-wide product. ;-) Just because an XDR solution has access to the logs to interpret this as an attack does not make it the best place to protect against this specific use case. Detection…
  • WatchGuard Endpoint Security has an IOA called "Brute-force attack against RDP." If the IOA is detected by WatchGuard EDR/EPDR/Advanced EPDR, it will appear as an Incident in ThreatSync. The AuthPoint Indicators still need to be sent to ThreatSync, so there are no AuthPoint-based Incidents yet. Our integration with…
  • Good day Kimmo! The PMs here at WatchGuard have decided that Brute Force Protection belongs in each product line. In our eyes, brute force protection is considered essential protection that our products should offer regardless of their use of ThreatSync. ThreatSync will ingest these brute force detections by each product…
  • Greetings @Watch_This. The plan for the future is to take ThreatSync out of TDR and evolve it into a WGC platform level service. The New ThreatSync will continue to utilize the Firebox for Network data, but will utilize WatchGuard Endpoint Security for Endpoint data. (We recently integrated Panda products into WatchGuard…
  • I have successfully run it on Ubuntu as long as all of the dependencies are met. The main issue is getting it to start on computer start-up. The start-up scripts included in the RPM are meant for a RedHat installation. If you can create your own start-up scripts based on the command listed in the RedHat start-up scripts,…
  • Good morning Greg. We recommend keeping the Cybercon level at 3 when using the default policies. If you add custom policies, then the cybercon is your choice.
  • Good morning hfwu! First, thank you for the feedback. I will do some research to see if those reporting methods you suggest are viable. For a bit of background, I will explain our scoring system in the hopes of helping clear things up. TDR has a scoring scale to show items that are Suspicious, Potentially Malicious, and…
  • Good morning RVilhelmsen. I am sorry to hear you are having issues with TDR. TDR has 2 operating methodologies at play here, what I like to call Pure Detection and Response. In this operating mode file and process events are sent to the cloud and the cloud responds with actions. Because of the periodic heartbeat the host…
  • Good afternoon lwochos. I am curious to know, other than the auto-update, are you having any other connectivity issues between the Host Sensor (Client) and ThreatSync (Cloud)? Specifically, when you browse to the TDR Dashboard from the Portal, do your Hosts behind the third party proxy show as available (Green up arrow) in the…
  • Good morning @Sean! WatchGuard is planning on making TDR much more integrated with WatchGuard Cloud (WGC), therefore inheriting many of the features already provided by WGC and described here. Keep a look out for announcements around the midpoint of this year. Enjoy!
  • Good morning! Is the goal here just to reduce the amount of Email, or are you also dissatisfied with the number of Indicators that are showing up in your TDR Dashboard?
  • Good morning kmstrube81. Both Dimension and WatchGuard Cloud Visibility have a "DHCP Lease Activity" report you can generate on a Scheduled basis.
  • The Action "Externally Remediated" means the Indicator was remediated by Administrators outside of TDR. Since APT Blocker is not allowed to submit it for Sandbox File action, we effectively remove the Indicator from the Dashboard by rescoring it to a 1 without actually performing any real remediation actions on the file.…
  • Currently the firebox blocks malicious URLs with one of two services: * WebBlocker * Reputation Enabled Defense After looking through the WebBlocker Configuration on my T70 I noticed you can set a WebBlocker Exception with a disposition of Block. This likely means anything in the exception list is evaluated before querying…
  • The Proxy Exclusions should be FQDNs, not URL patterns. You should get rid of the trailing slash (/) and trailing asterisks (*) and it should work.
  • @BrianSteingraber Please put in a Support Case and attach the MD5s. If they are indeed false positives, we need to evaluate them. In the meantime you can whitelist that one so it no longer triggers an indicator. In all honesty though, if I were in your shoes I would not trust those files without doing more research on…
  • Good morning all. If the files that are causing issues here were marked as Heuristics: Suspicious and Threat Feed: Not Matched, then it is not on our Threat Feed, which is why it was not Quarantined. If these files are an annoyance you can add an exclusion for the directory. Also, these files are eligible for submission to…
  • Good morning oncfirebox! When TDR was released as WatchGuard's first native cloud solution, the idea of account delegation as a use case had not materialized yet. Once AuthPoint was released as the first WatchGuard Cloud application it came with account delegation. Instead of re-implementing that feature in TDR it was…
  • Good morning. I just wanted to let you know, we heard you and are looking into solutions to address your needs. In addition, we've initiated a review of the items listed in the HTTPS Content Inspection Exception List. If there is any functionality or behavior that should change, please feel free to provide feedback. For…
  • Good morning Ross. We recommend you submit a Portal Case and work with Support to remediate this potential False Positive.
  • This is fantastic feedback everyone! Since the Icon itself is hidden by Windows by default, it seems what everyone is asking for is the ability to show/hide notifications. If we were to allow the cloud configurations of Icon Notifications, how granular do you want the configurations? 1. Baseline Notifications 2.…
  • Thank you for the feedback Bruce. The System -> Network Events Page is intended to be used as a troubleshooting page to ensure the Log generated by your Firebox made it to TDR. That is the reason why we don't provide any advanced sorting and filtering functionality. It was never intended to be a page to be used to take…
  • I will anxiously await your feedback :smile:
  • Hello Gregg! I can add it to the backlog. How would you like the option to be available? Would a simple checkbox to include Network Graphs suffice?
  • Good afternoon @JellyKid. That is fantastic feedback! I'll address each individually. * Support for TDR - I have escalated this comment to Support and will work with them to make sure we provide better support. * Best Practices - Does this documentation address your needs? If not how so? * Trusting items signed by…
  • Good afternoon everyone. As we continue down the path towards merging the experiences of our end host agents we have decided to merge the capabilities of both DNSWatchGO and TDR in that neither system can turn off the System Tray application. This is a common feature for all Endpoint Software like Antivirus and VPN…
  • Good morning Doug. TDR does not use the Cyren engine in any of its functionality. TDR's Cloud signature list is a combination of various Threat Intelligence sources. Cyren powers our spamBlocker feature in the Firebox SMTP proxy. Would it be possible to post the MD5 of the offending File so we can test it internally? If…
  • @Bruce_Briggs I can confirm that the Logging you are seeing to :4115 is for TDR.
  • Good morning @BrianSteingraber. Please submit this to support immediately. If this is indeed a false positive we want to make sure we remedy this quickly. Please include the MD5 and full path of the problem file. In the meantime you can add it as a whitelist item to your signature overrides. You can accomplish this using…
  • * It should as long as you add it to the list of Allowed Query Types * Not sure what you mean by "policies in the list." If you ever create a Proxy policy and decide the settings defined in any of the default proxy actions are insufficient and need to be changed, you always have to clone an existing action and make…