Apt blocker
Author: h | 2025-04-25
APT Blocker is part of the same scan process as Gateway AntiVirus. When you enable APT Blocker in a proxy action, APT Blocker scans content only when content matches a proxy action rule configured with the AV Scan action. For more information about APT Blocker, go to About APT Blocker.
To configure APT Blocker in the IMAP proxy, from Fireware
To enable or disable APT Blocker in a proxy action, from Fireware Web UI:
1. Select Firewall > Firewall Policies.
2. Double-click a proxy policy.
3. Add or edit a proxy action for the policy.
4. Select the APT Blocker tab.
5. To enable APT Blocker, select the Enable APT Blocker check box. To disable APT Blocker, clear the Enable APT Blocker check box.
6. Click Save.
WatchGuard APT Blocker - GuardSite.com
APT Blocker detects advanced malware that uses zero-day exploits, and combines with the other security services on your Firebox to provide another layer of defense against network threats. To use APT Blocker, you must have a feature key that enables APT Blocker and Gateway AntiVirus.
APT Blocker and Gateway AntiVirus
APT Blocker uses the same scan process as Gateway AntiVirus. You must have Gateway AntiVirus enabled on your Firebox to enable APT Blocker on the device. Then, if a proxy policy is configured to enable Gateway AntiVirus to scan the traffic through the policy, and you enable APT Blocker for the policy, the traffic is also scanned by APT Blocker. Only files that have been scanned and processed as clean by Gateway AntiVirus are scanned by APT Blocker. APT Blocker scans compatible file types if they are enabled in the Gateway AntiVirus configuration.
APT Blocker and Reputation Enabled Defense (RED)
WatchGuard RED uses a cloud-based WatchGuard reputation server that assigns a reputation score between 1 and 100 to every URL source. When APT Blocker detects a threat, this information is shared with the WatchGuard Reputation server as virus statistics for the source. For more information on RED, go to Configure Reputation Enabled Defense.
APT Blocker and WebBlocker
An important defense against advanced malware is to detect botnet activity and any command and control traffic from inside your network to external servers. WebBlocker uses a database of website addresses (identified by content categories) to allow or block website traffic.
WatchGuard recommends that you configure the WebBlocker service to block traffic for these security URL categories to detect and prevent this type of activity:
Security
Malicious Websites
Spyware
Phishing and Other Frauds
Keyloggers
Potentially Unwanted Software
Bot Networks
Malicious Embedded Link
Malicious Embedded iFrame
Suspicious Embedded Link
Mobile Malware
Advanced Malware Command and Control
Elevated Exposure
Emerging Exploits
Potentially Damaging Content
Dynamic DNS
For more information, go to About WebBlocker.
See Also: About Gateway AntiVirus, About Reputation Enabled Defense
Incoming files are processed by security services in this order: Gateway AntiVirus > APT Blocker > Data Loss Prevention. APT Blocker checks only occur when the file is allowed by Gateway AntiVirus scanning. To use APT Blocker, you must have a feature key that enables APT Blocker and Gateway AntiVirus. Data Loss Prevention actions are only applied if Gateway AntiVirus or APT Blocker allowed the file.
Troubleshoot APT Blocker File Submission
When first examined, an MD5 hash check of the file occurs. If there is no match to any previously analyzed files, the file must be submitted to the data center for analysis.
When the file is submitted successfully, it is assigned a task uuid as a reference and included in the log message:
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
When the file is submitted to the data center and the file is identified as a threat, this event log is generated to inform you that the APT Blocker notification has been sent:
APT threat notified. Details='Policy Name: HTTPS-proxy-00 Reason: high APT threat detected Task_UUID: d09445005c3f4a9a9bb78c8cb34edc2a Source IP: 10.0.1.2 Source Port: 43130 Destination IP: 67.228.175.200 Destination Port: 443 Proxy Type: HTTP Proxy Host: analysis.lastline.com Path: /docs/apt_sample.exe'
This type of log message appears when APT Blocker detects a threat. The log message specifies the threat level, threat name, threat class, malicious activities, destination hostname, and URI path:
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
This type of log message appears when a file is scanned and determined as clean and free of malware by the hash file check or upload to the data center:
Allow 2-Internal 0-External tcp 172.16.182.27 172.16.180.32 52816 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.Standard.1" host="172.16.180.32" path="/VOD/5k_end.zip" md5="221f11af6a29be878ad54f164304f1f2" task_uuid="d1eb81f2519c466e93db4827167dd935" (HTTP-proxy-00)
See Also: About APT Blocker, Configure APT Blocker
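The three proxy log lines above share one layout: eight positional header fields, then key="value" pairs, then an optional policy name in parentheses (absent on the Deny line). The parser below, an added example and not WatchGuard code, reads that layout and summarizes each file's APT Blocker verdict by md5, which is what you would want when reconciling a "submitted" message with its later "detected" or "safe" outcome. The sample input is copied from the lines on this page; the field names are assumptions chosen here.

```python
import re

# Sample lines copied from the troubleshooting section of this page.
SAMPLE_LOG = """\
Allow 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 34063 80 msg="ProxyAllow: HTTP File submitted to APT analysis server" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/test/sample.exe" md5="dd0af53fec2267757cd90d633acd549a" task_uuid="35c8ac1aaeee4e5186d584318deb397b" (HTTP-proxy-00)
Deny 2-Internal-traffic 4-External-traffic tcp 192.168.2.20 192.168.3.30 48120 80 msg="ProxyDrop: HTTP APT Detected" proxy_act="HTTP-Client.1" host="192.168.3.30" path="/apt_sample.exe" md5="2e77cadb722944a3979571b444ed5183"
Allow 2-Internal 0-External tcp 172.16.182.27 172.16.180.32 52816 80 msg="ProxyAllow: HTTP File reported safe from APT hash check" proxy_act="HTTP-Client.Standard.1" host="172.16.180.32" path="/VOD/5k_end.zip" md5="221f11af6a29be878ad54f164304f1f2" task_uuid="d1eb81f2519c466e93db4827167dd935" (HTTP-proxy-00)
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Positional header fields, in the order the Firebox writes them (names assumed here).
HEADER_FIELDS = ("action", "src_iface", "dst_iface", "proto",
                 "src_ip", "dst_ip", "src_port", "dst_port")


def parse_line(line):
    """Split one proxy log line into header fields, key="value" pairs and policy name."""
    head = line.split(" msg=", 1)[0].split()
    if len(head) != len(HEADER_FIELDS):
        return None                      # not a proxy traffic line in this layout
    rec = dict(zip(HEADER_FIELDS, head))
    rec.update(KV_RE.findall(line))      # msg, proxy_act, host, path, md5, task_uuid
    m = re.search(r'\((\S+)\)\s*$', line)
    rec["policy"] = m.group(1) if m else None   # Deny line carries no "(policy)" suffix
    return rec


def classify(rec):
    """Map the msg text to the APT Blocker outcome the page describes."""
    msg = rec.get("msg", "")
    if "APT Detected" in msg:
        return "detected"
    if "submitted to APT analysis server" in msg:
        return "submitted"
    if "reported safe from APT" in msg:
        return "safe"
    return "other"


def summarize(text):
    """Return {md5: {...}} with verdict, client, URL, task_uuid and policy per file."""
    out = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or "md5" not in rec:
            continue
        out[rec["md5"]] = {
            "verdict": classify(rec),
            "blocked": rec["action"] == "Deny",
            "client": rec["src_ip"],
            "url": f'http://{rec.get("host")}{rec.get("path")}',
            "task_uuid": rec.get("task_uuid"),   # None when the log line has no uuid
            "policy": rec["policy"],
        }
    return out
```

The md5 key is the join field between a "submitted" line and the later verdict for the same file; the task_uuid is what you quote when asking WatchGuard about a specific submission.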
2025-04-04
Above the dashboard, click the PDF icon. The file downloads or a confirmation message opens. If the report does not download automatically, select to open or save the file.
Enable Logging for this Dashboard
Logging for cloud-managed Fireboxes is automatically enabled. For locally-managed Fireboxes, you must manually enable logging in Fireware Web UI or Policy Manager. For more information, see Set Logging and Notification Preferences.
To collect the data required for this report for locally-managed Fireboxes, in Fireware Web UI or Policy Manager:
1. In the Logging and Notification settings for all packet filters, select Send a log message for reports. For more information, see Set Logging and Notification Preferences.
2. In the General Settings for all proxy actions, select Enable logging for reports.
3. In all APT Blocker actions, select the Log check boxes for threat levels. For more information, see Configure APT Blocker.
4. In all WebBlocker actions, select the Log check box for all categories and select the When a URL is uncategorized, Log this action check box. For more information, see Configure WebBlocker Categories.
2025-04-09
Threat actors are patient. In an advanced persistent threat (APT), an adversary – often a nation-state or state-sponsored group – invests significant time and resources into establishing a long-term presence in your network, often with the aim of exfiltrating sensitive data. Emsisoft's APT Protection combines multiple protection technologies – including Behavior Blocker, Application Hardening and Advanced Heuristics – to detect and terminate APTs before damage can be inflicted.
Fileless malware protection
Fileless malware is a type of malware that executes directly from a computer's memory. No malicious content is ever written to disk, which helps it elude some security solutions and obstruct investigation attempts. Emsisoft solutions use a combination of technologies to detect and neutralize this evasive threat, including Behavior Blocker, Application Hardening, Registry scanning and script monitoring.
Anti-Ransomware
Ransomware is one of the most serious and most costly cyber threats facing organizations today. Emsisoft solutions feature a range of anti-ransomware technologies that work together to intercept ransomware before it can encrypt any files. Our Behavior Blocker features a dedicated Anti-Ransomware layer that looks for ransomware-specific actions, while our intelligence-gathering networks mean that we're often among the first in the industry to provide signature-based detection for new ransomware variants.
Endpoint Detection and Response
Gain total visibility of your Emsisoft-protected endpoints. Emsisoft EDR continuously monitors your IT environment and collects valuable telemetry that can be used to triage and investigate incidents. Emsisoft EDR comprises multiple protection layers that work together to identify suspicious behavior, automatically block attacks and provide security personnel with critical information about potential threats.
Behavior AI (cloud)
Emsisoft harnesses the power of AI to give Business and Enterprise users a holistic view of every endpoint across their entire workspace – including the ability to track a threat's lateral movement. Our centralized incident management provides a deep view of potential threats, along with key intel about suspicious files. Unlock the tools you need to investigate an incident, including process execution trees, workspace-wide attack timelines and a raw data browser that you can use to perform a root cause analysis post breach.
MITRE ATT&CK patterns (cloud)
Emsisoft solutions leverage the MITRE ATT&CK framework, a globally accessible knowledge base