TDR and Windows Defender Integration Guide
WatchGuard Technologies, Inc.
TDR and Windows Defender Deployment Overview

Threat Detection and Response (TDR) is a collection of advanced malware defense tools that correlate threat indicators from Fireboxes and Host Sensors to enable real-time, automated response to stop known, unknown, and evasive threats. As part of the TDR solution, you install TDR Host Sensors to provide endpoint protection.

In some cases, the TDR Host Sensor might have conflicts with the antivirus software installed on your endpoints. To resolve this issue, you can configure exclusions in the antivirus software and in TDR.

This document includes information about the integration of a TDR Host Sensor with a host that runs Windows Defender. It does not describe the procedure to set up Threat Detection and Response. For information about how to set up your TDR account, how to enable TDR on a Firebox, and how to install a Host Sensor, see Quick Start Set Up Threat Detection and Response.

Integration Summary

To avoid conflicts between the TDR Host Sensor and Windows Defender, add these exclusions:

- Exclusions in TDR for Windows Defender:
  o C:\Program Files (x86)\watchguard\threat Detection and Response\
- Exclusions in Windows Defender for the TDR Host Sensor:
  o 64-bit Windows: C:\Program Files (x86)\watchguard\threat Detection and Response\
  o 32-bit Windows: C:\Program Files\WatchGuard\Threat Detection and Response\

If the Host Sensor and Windows Defender detect and respond to a threat at the same time, this can cause high utilization of system resources such as CPU, memory, and disk I/O.
Configuration Details

To complete this deployment, you must have:

- An active Threat Detection and Response subscription with Host Sensor licenses
- Windows 8 or 10
- Firebox with Fireware v12.0 or higher
- TDR Host Sensor 5.2.1.8015
- Windows Defender
  o Antivirus version 1.257.406.0
  o Anti-spyware version 1.257.406.0
  o Antimalware Client version 4.11.15063.447
  o Engine version 1.1.14306.0
  o Network Realtime Inspection System Engine version 2.1.14202.0
  o Network Realtime Inspection System version 118.1.0.0

The Windows test environment for this deployment included:

- Windows 8, 10 Enterprise 64-bit Operating System
- Memory (RAM) 8 GB
- Processor 4 cores CPU

Configure Exclusions in TDR

In your TDR account, you can add exclusions to manually identify paths for files and processes that you do not want Host Sensors to monitor. Before you deploy a Host Sensor on computers that have Windows Defender installed, add exclusions for the Windows Defender file paths as TDR Exclusions in your TDR account.

To exclude Windows Defender directories, add exclusions with these paths in your TDR account. Folders specified in an exclusion must end with a backslash.

C:\ProgramData\Microsoft\Windows Defender\

To add an exclusion in TDR:

1. Log in to your TDR account or managed account as a user with Operator privileges.
2. Select Configuration > Exclusion.
3. Click Add Exclusion.
4. In the Path text box, type the path to exclude.
5. Click Save.
Configure Exclusions in Windows Defender

In Windows Defender, you add exclusions to identify the paths for files and locations to exclude. To prevent conflicts between the Host Sensor and Windows Defender, we recommend you add exclusions in Windows Defender for the paths used by the TDR Host Sensor.

To exclude TDR Host Sensor files on 64-bit Windows, add an exclusion for:

C:\Program Files (x86)\watchguard\threat Detection and Response\

To add an exclusion in Windows Defender:

1. Open Windows Defender Security Center.
2. Select Virus & threat protection.
3. Click Virus & threat protection settings.
4. In the Exclusions section, select Add or remove exclusions.
   The Exclusions page appears.
5. Click Add an exclusion.

For information about the integration testing methodology, see TDR Testing Methodology.
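The same exclusion applied and verified from PowerShell instead of the Security Center UI, as an added example that is not part of the WatchGuard guide. It assumes an elevated session and that the Defender cmdlets Get-MpPreference and Add-MpPreference are available on the endpoint; Get-PathKey and Get-DefenderExclusionPaths are helper names defined only for this example.

```powershell
# Added example (not WatchGuard code). Run in an elevated PowerShell session.
# Assumes the Defender module (Get-MpPreference / Add-MpPreference) is present.

# Exclusion paths exactly as listed in this guide.
$path64 = 'C:\Program Files (x86)\watchguard\threat Detection and Response\'
$path32 = 'C:\Program Files\WatchGuard\Threat Detection and Response\'
$target = if ([Environment]::Is64BitOperatingSystem) { $path64 } else { $path32 }

# Non-elevated sessions cannot reliably read or change Defender preferences.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Hypothetical helper: compare paths case-insensitively, ignoring a trailing backslash.
function Get-PathKey([string]$Path) { $Path.TrimEnd('\').ToLowerInvariant() }

# Hypothetical helper: current path exclusions, with empty entries dropped.
function Get-DefenderExclusionPaths {
    # ExclusionPath is $null when no path exclusions are configured.
    @((Get-MpPreference).ExclusionPath | Where-Object { $_ })
}

# Warn if the Host Sensor folder is absent (sensor not installed, or a different path).
if (-not (Test-Path -LiteralPath $target -PathType Container)) {
    Write-Warning "Host Sensor folder not found: $target"
}

# Add the exclusion only if an equivalent entry is not already configured.
$targetKey = Get-PathKey $target
$existing  = Get-DefenderExclusionPaths | Where-Object { (Get-PathKey $_) -eq $targetKey }
if ($existing) {
    Write-Output "Exclusion already present: $existing"
} else {
    Add-MpPreference -ExclusionPath $target
    Write-Output "Added exclusion: $target"
}

# Verify the change, then list every other path exclusion so it can be reviewed.
$after = @(Get-DefenderExclusionPaths)
if (-not ($after | Where-Object { (Get-PathKey $_) -eq $targetKey })) {
    throw "Exclusion for '$target' is missing after Add-MpPreference."
}
$others = $after | Where-Object { (Get-PathKey $_) -ne $targetKey }
foreach ($p in $others) { Write-Output "Other path exclusion to review: $p" }
```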
About This Guide

Guide Type

Documented Integration: WatchGuard or a Technology Partner has provided documentation demonstrating integration.

Guide Details

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.

Guide revised: 1/17/2018

Copyright, Trademark, and Patent Information

Copyright 1998-2018 WatchGuard Technologies, Inc. All rights reserved. All trademarks or trade names mentioned herein, if any, are the property of their respective owners.

Complete copyright, trademark, patent, and licensing information can be found in the Copyright and Licensing Guide, available online at http://www.watchguard.com/wgrd-help/documentation/overview.

About WatchGuard

WatchGuard Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.

Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104

Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575

Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895