Threat Detection and Response Release Notes

Latest TDR Update: 14 March 2018
Release Notes Revision Date: 14 March 2018

TDR Cloud: 5.3.2
Host Sensor for Windows: 5.3.2
Host Sensor for Linux: 5.3.2
Host Sensor for Mac: 5.3.2
AD Helper: 5.3.2

Introduction

Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox. TDR is included in the Total Security subscription or is available as a separate subscription service for your Firebox. TDR minimizes the consequences of data breaches and penetrations through early detection and automated remediation of security threats. TDR collects and analyzes forensic data from the Firebox, and from endpoints on your network, to proactively detect and respond to security threats. For a full description of TDR features and functionality, see Fireware Help.

WatchGuard periodically updates the Threat Detection and Response service to provide additional functionality and resolve reported issues. For information on the enhancements and resolved issues in each update, see the Enhancements and section.

This release supports these features, which are currently in beta:
- Mac Host Sensor
- Email Notification Rules

For information about how to participate in the TDR beta, join our Beta test community.

This release includes a new version of the Windows, Mac, and Linux Host Sensors and a new version of AD Helper. AD Helper and the Windows and Mac Host Sensors automatically upgrade to the latest version when an upgrade is available. The Linux Host Sensor does not automatically upgrade. For information about how to manually update the Host Sensor for Linux, see Upgrade Notes.

Enhancements and

Latest Version

Version 5.3.2: 14 March 2018

Improvements and Usability Enhancements
- Email notifications now include the TDR Account Name the Host belongs to.
- Email notifications now include the Host Group, if the Host is a member of a group.
- You can now send a test email to the recipients in a saved Notification Rule. To send a test notification, on the Notification Rules page click the Gear icon on the right and select "Sent Test Email".
- Automatic updates to the Host Sensor no longer fail for Host Sensors deployed through Group Policy Objects.
- When you click the Manual Remediations count in the TDR Dashboard, the Remediations page now shows all manually remediated indicators.

Previous Versions

Version 5.3.1: 15 February 2018

Improvements and Usability Enhancements
- Remediation policies are now applied on a per Indicator basis instead of a per Incident basis. This means that a policy applies to all new indicators that match the policy rules, but does not apply to other indicators that are part of the same incident.
- On the TDR Dashboard, you can now click items in the Remediations widget to see a filtered view of the Remediations page.
- The mouseover text for the Host Sensor status icons has been updated to match the documentation.
- The Linux Host Sensor has been tested on and is now supported on CentOS 7.

Performance and Security Enhancements
- Reallocated cloud resources to improve the performance of event analytics.
- APT Blocker results now appear in the Additional Details for indicators on the Remediations page.
- The action Mark as externally remediated now succeeds when more than one indicator is selected.

Version 5.3.0: 24 January 2018

Usability Enhancements
- You can now clear the unique identifier of a Host Sensor to prepare it for use in an IT OS image. You can use a new Host Sensor command line option to clear the unique identifier that
  identifies each Host Sensor in the cloud before you create your master image. The Host Sensor automatically generates a new unique identifier the next time it launches.
- Japanese text is now rendered correctly in graphs exported from the top of the Indicators and Remediations pages.

Version 5.2.2: 3 January 2018

Performance and Security Enhancements
- Improved performance of MD5 calculations on Mac and Linux Host Sensors.
- Reduced memory utilization for the Windows, Mac, and Linux Host Sensors.
- Reduced CPU utilization for the Host Sensor.

Usability Enhancements
- A new page, Threatsync > Remediations, shows information about remediated threats.
- On the Resolved Indicator Timeline, you can now click a bubble to go to the Remediations page.
- You can now uninstall the Mac Host Sensor from the desktop. On the Mac, select Applications > WatchGuard > TDR > TDRHostSensorUninstall.
- Fixed an issue that caused on-demand reports to remain in a pending state.
- Fixed an issue that caused scheduled reports not to be generated.
- Fixed an issue that caused scheduled reports to be generated on disabled accounts.

Version 5.2.1: 6 December 2017

Performance and Security Enhancements
- New indicators with an APT Blocker threat level of Clean will now be rescored to 0.
- Added support for UTF8mb4 for improved performance for Asian languages.
- Host Sensor performance improvement: network connection polling code was optimized to reduce CPU utilization.
- All Host Sensors performance improvement: implemented file scan caching to reduce the volume of files scanned during a baseline scan. Once a file has been scanned for heuristics, if the same file is identified by MD5, the file is not scanned.

Usability Enhancements
- Improved management of Host Groups:
  - The Hosts page now has a Host Group column that shows the Host Group a host is a member of.
  - On the Hosts page, you can select the Change Host Group action to change the Host Group for selected hosts.
  - On the Groups page, when you expand a Host Group, Active Directory Group or IP Subnet group, you can select the Change Host Group action to change the Host Group for selected hosts.
- The Sandbox Analysis by APT Blocker feature is now called APT Blocker and is labeled consistently throughout the UI.
- The Indicators page has a new Previous Score column which shows the previous threat score for a remediated indicator. The column is not enabled by default. Click Choose Columns to see and enable it.
- On the Hosts page, you can now select the action to remove a Mac Host Sensor, just as you can for a Windows Host Sensor.
- Service Provider Administrators and Operators now stay on the same page when they switch between managed accounts.
- The Quarantine File action no longer fails if the path contains double-byte characters.

Version 5.2.0: 25 October 2017

Performance and Security Enhancements
- Updates to support the Mac Host Sensor beta.
- Email for scheduled reports in Japanese now uses the correct encoding.

Known Issues and Limitations

Known issues for Threat Detection and Response, the TDR Host Sensor client, and AD Helper, including workarounds where available, can be found on the Technical Search > Knowledge Base tab. To see known issues for TDR, from the Product & Version filters select TDR.

Host Sensor and AD Helper Operating System Compatibility

Last revised: 11 Nov 2017

TDR Component:
- AD Helper*
- Host Sensor for Windows
- Host Sensor for Linux
- Host Sensor for Mac

Operating systems:
- Microsoft Windows 7, 8, 10
- Microsoft Windows 2008 and 2012
- Microsoft Windows Terminal Server 2012
- Microsoft Windows Server 2016
- CentOS 6, 7
- Mac OS X 10.10, 10.11
- macOS 10.12, 10.13

* AD Helper requires Java 8, which is compatible with these operating systems:
- Windows 10 (8u51 and above)
- Windows 8.x (Desktop)
- Windows 7 SP1
- Windows Server 2008 R2 SP1 (64-bit)
- Windows Server 2012 and 2012 R2 (64-bit)

You must log in to your TDR account to install these components. This software is not available from the WatchGuard Software Downloads page.

Upgrade Notes

Threat Detection and Response includes two installable components, Host Sensor and AD Helper. AD Helper and the Host Sensor for Windows automatically upgrade to the latest version when an upgrade is available. The Host Sensor for Linux does not automatically upgrade to the latest version.

Upgrade the Linux Host Sensor

The Host Sensor for Linux does not automatically upgrade to the latest version. To upgrade the Host Sensor, you must manually update the Host Sensor for Linux.

To update an existing installation of the Linux Host Sensor:
1. Download the .rpm installation file from your TDR account to the Linux computer.
2. Start a Command Prompt as a user with root credentials.
3. To update the Host Sensor, type this command:
   yum update [SENSOR_RPM_PATH]
   Replace [SENSOR_RPM_PATH] with the name and path of the .rpm file you downloaded.

Reinstall AD Helper for Another TDR Account or Region

You must remove the AD Helper files before you reinstall AD Helper for another TDR account or region.

To uninstall AD Helper:
1. On the computer where AD Helper is installed, select Control Panel > Programs and Features.
2. Find the WatchGuard Active Directory Helper application.
3. Right-click the application and select Uninstall.

AD Helper is uninstalled.

To manually remove the local files created by AD Helper, delete this folder:
   c:\\system32\config\systemprofile\helperapp\

Technical Assistance

For technical assistance, contact WatchGuard Technical Support by telephone or log in to the WatchGuard Portal on the Web at https://www.watchguard.com/wgrd-support/overview. When you contact Technical Support, you must supply your registered Product Serial Number or Partner ID.

Phone Number
- U.S. End Users: 877.232.3531
- International End Users: +1 206.613.0456
- Authorized WatchGuard Resellers: 206.521.8375