TDR and Symantec Integration Guide
WatchGuard Technologies, Inc.

TDR and Symantec Deployment Overview

Threat Detection and Response (TDR) is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats. As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection.

In some cases, the TDR Host Sensor might have conflicts with the antivirus software installed on your endpoints. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.

This document includes information about the integration of a TDR Host Sensor with a host that runs Symantec. It does not describe the procedure to set up Threat Detection and Response. For information about how to set up your TDR account, how to enable TDR on a Firebox, and how to install a Host Sensor, see Quick Start Set Up Threat Detection and Response.

Integration Summary

To avoid conflicts between the TDR Host Sensor and Symantec, add these exclusions:

Exclusions in TDR for Symantec For Windows:
- C:\Program Files (x86)\watchguard\threat Detection and Response\

Exclusions in Symantec for the TDR Host Sensor For Windows:
- 64-bit Windows: C:\Program Files (x86)\watchguard\threat Detection and Response\
- 32-bit Windows: C:\Program Files\WatchGuard\Threat Detection and Response\

Exclusions in TDR for Symantec For Mac:
- /Library/Application Support/Symantec/
- /private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/c/pkinstallsandboxmanager/*.activesandbox/root/applications/symantec Solutions/

Exclusions in Symantec for the TDR Host Sensor For Mac:
- /Applications/WatchGuard

If the Host Sensor and Symantec detect and respond to a threat at the same time, this can cause high utilization of system resources such as CPU, memory, and disk I/O.

Configuration Details

To complete the tested deployment, you must have:
- An active Threat Detection and Response subscription with Host Sensor licenses.
- Windows 7, 8 or Windows 10.
- Firebox with Fireware v12.0 or higher.
- TDR Host Sensor 5.2.1.8015.
- Symantec Endpoint Protection 14.0.2415.0.200, for both Windows and Mac.

The Windows test environment for this deployment included:

Windows 7, 8, 10 Enterprise 64-bit Operating System
  Memory (RAM): 8 GB
  Processor: 4 CPU Cores

The Mac test environment for this deployment included:

macOS 10.13
  Memory (RAM): 8 GB
  Processor: Intel Core i5

Configure Exclusions in TDR

In your TDR account, add the exclusions to manually identify paths for files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have Symantec installed, add exclusions for the Symantec file paths as TDR Exclusions in your TDR account.

To exclude Symantec directories, add exclusions with these paths in your TDR account. Folders specified in an exclusion must end with a backslash.

Exclusions for Windows:
- C:\ProgramData\Symantec\
- C:\Program Files (x86)\symantec\symantec Endpoint Protection\
- C:\Program Files (x86)\symantec\symantec Endpoint Protection Manager\

Exclusions for Mac:
- /Library/Application Support/Symantec/
- /private/var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/c/pkinstallsandboxmanager/*.activesandbox/root/applications/symantec Solutions/

To add an exclusion in TDR:
1. Log in to your TDR account or managed account as a user with Operator privileges.
2. Select Configuration > Exclusion.
3. Click Add Exclusion. The Add Exclusion dialog box appears.
4. In the Path text box, type the path to exclude.
5. Click Save.

Repeat these steps to add each exclusion.
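
Every exclusion is a location the Host Sensor no longer monitors, so an entry typed wider than the documented path enlarges that blind spot. The following is an added example, not WatchGuard code: a pre-flight check that compares proposed entries with the Windows exclusion paths listed above and applies the trailing-backslash rule. The function names and finding texts are this example's own.

```python
# Added example: lint proposed TDR exclusions against the Windows paths in this guide.
import ntpath

# Copied from the guide's "Exclusions for Windows" list for the TDR account.
DOCUMENTED = [
    "C:\\ProgramData\\Symantec\\",
    "C:\\Program Files (x86)\\symantec\\symantec Endpoint Protection\\",
    "C:\\Program Files (x86)\\symantec\\symantec Endpoint Protection Manager\\",
]

# Finding texts (wording is this example's own, not TDR output).
NO_BACKSLASH = "folder path does not end with a backslash"
BROADER = "broader than a documented path: extra folders go unmonitored"
NARROWER = "subfolder of a documented path: covers less than the guide lists"
UNKNOWN = "not one of the paths this guide documents"


def canonical(path):
    """Resolve '..', unify separators and case, and end with one backslash."""
    key = ntpath.normcase(ntpath.normpath(path.strip()))
    return key if key.endswith("\\") else key + "\\"


def lint_exclusion(path, documented=DOCUMENTED):
    """Return the findings for one proposed exclusion; an empty list means OK."""
    findings = []
    if not path.strip().endswith("\\"):
        findings.append(NO_BACKSLASH)
    key = canonical(path)
    doc_keys = [canonical(d) for d in documented]
    if key in doc_keys:
        return findings
    if any(d.startswith(key) for d in doc_keys):
        findings.append(BROADER)
    elif any(key.startswith(d) for d in doc_keys):
        findings.append(NARROWER)
    else:
        findings.append(UNKNOWN)
    return findings


if __name__ == "__main__":
    # Constructed candidate entries, as an operator might paste them.
    for candidate in [
        "C:\\ProgramData\\Symantec\\",
        "c:\\programdata\\symantec",
        "C:\\Program Files (x86)\\",
        "C:\\ProgramData\\Symantec\\..\\",
        "C:\\Users\\Public\\",
    ]:
        print(candidate, "->", lint_exclusion(candidate) or "OK")
```

Paths are compared case-insensitively and with `..` resolved, so an entry such as `C:\ProgramData\Symantec\..\` is reported as broader than the documented folder.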

Configure Exclusions in Symantec

In Symantec, add exclusions to identify the paths for files and locations to exclude. To prevent conflicts between the Host Sensor and Symantec, we recommend you add exclusions in Symantec for the paths used by the TDR Host Sensor.

To exclude TDR Host Sensor files on 64-bit Windows, add an exclusion for:
- C:\Program Files (x86)\watchguard\threat Detection and Response\

To add an exclusion in Symantec For Windows:
1. Open Symantec Endpoint Protection.
2. Click Change Settings.
3. Click Configure Settings in Exceptions.
4. Click Add - Security Risk Exceptions - Folder to add the exclusions.

To exclude TDR Host Sensor files on macOS, add an exclusion for:
- /Applications/WatchGuard

To add an exclusion in Symantec For Mac:
1. Click Finder > Applications > Symantec Solutions > Symantec Endpoint Protection.
2. Click Settings.
3. Click Configure under Scan Zone Settings.
4. Enable Don't Scan.
5. Click Add to add the exclusions.

For information about the integration testing methodology, see TDR Testing Methodology.

About This Guide

Guide Type

Documented Integration: WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 1/18/2018

Copyright, Trademark, and Patent Information

Copyright 1998-2018 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at http://www.watchguard.com/wgrd-help/documentation/overview.

About WatchGuard

WatchGuard Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.

For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895