
Watchguard TDR and F-Secure Deepguard issue

Denis_TD-Group W/ Alumni Posts: 2 Security Scout

Hello All,

We are F-Secure & Watchguard partners.

We are encountering an "issue" between Watchguard TDR (Threat Detection and Response) and F-Secure Deepguard inside F-Secure Client Security (AFAIK this is still the case with the latest 13.00 version).

Watchguard TDR is a cloud-based behavior detection specifically against advanced threats such as crypto-viruses or crypto-worms (more info here). Basically it is divided into a local host sensor (host_sensor.exe) and a cloud platform which it communicates with. According to Watchguard, TDR is designed to work alongside "classic" antivirus/antimalware products (even advanced ones such as F-Secure Business Product). Stricto sensu, TDR is NOT an antimalware and does not replace this kind of product.

The "issue" we are encountering is that F-Secure Deepguard is doing its job :) What I mean is simply that it detects TDR ("host_sensor.exe") as a potential risk due to its behavior (exactly what they are both supposed to do). If the user allows TDR inside Deepguard, everything works without any trouble.

The Watchguard best practices suggest excluding the antimalware folder from TDR (done), and the F-Secure TDR folder (or host_sensor.exe process) from the antimalware solution. What is annoying is that TDR updates itself on a regular basis. Each update is detected each time as a new risk by Deepguard because - I guess - the exe signature is changing. So regularly the F-Secure Client Security user gets a popup from Deepguard asking what to do with "host_sensor.exe".

Unless I am wrong, there is currently no way for an F-Secure Policy Manager admin like me to exclude the host_sensor.exe process from Deepguard.

Any solution/workaround?

Maybe it could be very useful for F-Secure to have bidirectional communication with Watchguard to make your products work better together (e.g. including TDR signatures inside Deepguard database updates).

Thanks.

Denis

Comments

  • Denis_TD-Group
    Denis_TD-Group W/ Alumni Posts: 2 Security Scout

    Thanks for replying.

    The fact is, it is my first post here (I wasn't aware that supplying a sample was so easy :)).

    Moreover, the sample will be effective for the current TDR version, but what about updates (signature remains the same but hash will be different)?

    Thanks for clarifications :)

    Denis

This discussion has been closed.
