Watchguard TDR and F-Secure Deepguard issue
We are F-Secure & Watchguard partners.
We are encountering an "issue" between Watchguard TDR (Threat Detection and Response) and F-Secure Deepguard inside F-Secure Client Security (AFAIK this is still the case with latest 13.00 version).
Watchguard TDR is a cloud based behavior detection against specificaly Advanced threat such as crypto-virus or cryto-worms (more info here). Basically it is divided in a local host sensor (host_sensor.exe) and a Cloud Plateform which is communicating whith. As from Watchguard, TDR is designed to work alongside with "classic" Antivirus/Antimalware products (even advanced one such as F-Secure Business Product). Stricto senso, TDR is NOT an antimalware and is not replacing this kind of products.
The "issue" we are encountering is that F-Secure Deepguard is doing its job What I meen is simply that it detects TDR ("host_sensor.exe") as a potentiel risk due to its behavior (exactly what they are both supposed to do). If the user allows TDR inside Deepguard, all is working without any trouble.
The watchguard best practices are suggesting to exclude Antimalware folder from TDR (done), and the F-Secure TDR folder (or host_sensor.exe process) from Antimalware solution. What is annoying is that TDR is updating itself on a regular basis. Each update is detected each time as a new risk by Deepguard because - I guess - the exe signature is changing. So regulary the F-Secure Client Security user has a popup from Deepguard asking what to do with "host_sensor.exe".
Except if I am wrong, basically there is currently no way for an F-Secure Policy Manager Admin like me to exclude host_sensor.exe process from Deepguard.
Any solution/workaround ?
Maybe it could be very useful for F-Secure to have a bidirectionnal communication with Watchguard to make your products working better together (e.g. including TDR signatures inside Deepguard database updates).
etomcat Posts: 1,319 Superuser
The advice is alway the same: submit file sample here, so that F-Secure's Virus Lab can make a whitelist entry centrally, based on digital signature:
You will struggle for ever and ever if you try to solve these kind of issues locally.
Best regards: Tamas Feher, Hungary.7 2Like
Thanks for replying.
The fact is it is my first post here (wasn't aware of supplying a sample was so easy ).
Moreover the sample will be effective for the current TDR version, but what about updates (signature remains the same but hash will be different) ?
Thanks for clarifications