Watchguard TDR and F-Secure Deepguard issue

Hello All,

We are F-Secure & Watchguard partners.

We are encountering an "issue" between Watchguard TDR (Threat Detection and Response) and F-Secure Deepguard inside F-Secure Client Security (AFAIK this is still the case with latest 13.00 version).

Watchguard TDR is a cloud-based behavior detection product aimed specifically at advanced threats such as crypto-viruses or crypto-worms (more info here). Basically it is divided into a local host sensor (host_sensor.exe) and a cloud platform which it communicates with. According to Watchguard, TDR is designed to work alongside "classic" antivirus/antimalware products (even advanced ones such as F-Secure Business Product). Stricto sensu, TDR is NOT an antimalware and does not replace this kind of product.

The "issue" we are encountering is that F-Secure Deepguard is doing its job. What I mean is simply that it detects TDR ("host_sensor.exe") as a potential risk due to its behavior (exactly what they are both supposed to do). If the user allows TDR inside Deepguard, everything works without any trouble.

The Watchguard best practices suggest excluding the antimalware folder from TDR (done), and the F-Secure TDR folder (or host_sensor.exe process) from the antimalware solution. What is annoying is that TDR updates itself on a regular basis. Each update is detected as a new risk by Deepguard because - I guess - the exe signature is changing. So the F-Secure Client Security user regularly gets a popup from Deepguard asking what to do with "host_sensor.exe".

Unless I am wrong, there is currently no way for an F-Secure Policy Manager admin like me to exclude the host_sensor.exe process from Deepguard.

Any solution/workaround?

Maybe it could be very useful for F-Secure to have bidirectional communication with Watchguard to make your products work better together (e.g. including TDR signatures inside Deepguard database updates).

Thanks.

Denis

Re: Watchguard TDR and F-Secure Deepguard issue

Dear Denis,

The advice is always the same: submit a file sample here, so that F-Secure's Virus Lab can make a whitelist entry centrally, based on digital signature:

https://www.f-secure.com/en/web/labs_global/submit-a-sample

You will struggle for ever and ever if you try to solve these kinds of issues locally.

Best regards: Tamas Feher, Hungary.

Re: Watchguard TDR and F-Secure Deepguard issue

Thanks for replying.

The fact is it is my first post here (wasn't aware that supplying a sample was so easy).

Moreover the sample will be effective for the current TDR version, but what about updates (signature remains the same but hash will be different)?

Thanks for clarifications.

Denis
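
The thread turns on the difference between a whitelist entry keyed to the digital signature and one keyed to the file hash. The following is an added example, not part of the original posts and not F-Secure or Watchguard tooling: it compares the SHA-256 and the Authenticode signer of several saved builds of host_sensor.exe. The sample folder and the file name pattern are assumptions.

```powershell
# Added example (not from the thread). $SampleDir is a hypothetical folder
# holding copies of successive host_sensor.exe builds collected by the admin.
param(
    [string]$SampleDir = 'C:\Temp\tdr-samples'
)

$report = Get-ChildItem -Path $SampleDir -Filter 'host_sensor*.exe' -File |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.Name
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus  = $sig.Status
            Signer     = if ($cert) { $cert.Subject } else { $null }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter } else { $null }
        }
    }

if (-not $report) {
    Write-Warning "No matching files found in $SampleDir"
    return
}

$report | Format-List

# A build that is unsigned or fails verification cannot be covered by a
# signature-based entry and deserves a closer look before it is allowed.
$notValid = @($report | Where-Object { $_.SigStatus -ne 'Valid' })
foreach ($r in $notValid) {
    Write-Warning ("{0}: signature status is {1}" -f $r.File, $r.SigStatus)
}

# Each update yields a new hash, so a hash-based entry must be redone per
# build. The signer subject normally stays constant across builds; the
# thumbprint changes when the vendor renews its signing certificate.
$hashCount   = @($report.SHA256 | Sort-Object -Unique).Count
$signerCount = @($report.Signer | Where-Object { $_ } | Sort-Object -Unique).Count

"{0} file(s), {1} distinct hash(es), {2} distinct signer subject(s), {3} not validly signed" -f `
    @($report).Count, $hashCount, $signerCount, $notValid.Count
```

Several distinct hashes under a single valid signer subject is the situation in which an entry based on the digital signature keeps applying across updates.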