What’s the Managed AV & Device Posture about?
A device threat can compromise the security of an electronic device and lead to negative consequences such as data breaches, financial losses, or identity theft.
Guardz ensures that company-managed laptops and desktops are fully protected and monitored from malicious threats.
Device Agent Operational mode & Device Posture Capabilities
The Guardz device agent works in two modes, depending on the existing AV setup and the operating system:
Device Agent capabilities:
Device Posture: Guardz identifies gaps in security settings, OS updates, AV tool versions, AV signature freshness, firewall status, disk encryption, etc. Any identified issues generate an actionable playbook for administrators to remediate.
File Integrity Check: The agent will install and monitor a "bait" file on the device. Any edit or modification to this file, including encryption, will signal the existence of ransomware or other malware and an issue will be triggered. In the Detection & Response area, the device can be isolated. This will disable all network connections on the endpoint and actively prevent the flow of packets to and from the device early in the attack. The isolated device can later be released.
Active Mode: Managed AV: Windows Defender Policy Settings: Working hand-in-hand with the free Microsoft Defender that comes pre-installed on every Windows device. Guardz monitors & enforces the proper configuration of Windows Defender security settings on each device based on admin preferences. Any discrepancies generate an issue, and if enforcement is enabled, it will automatically adjust the device's settings.
While it will be on by default, the Windows Defender Policy Settings can be turned on and off with the flip of a switch. From the All Customers view, the change will be global. The change can be overridden for specific tenants in the Single Customer view. Switching it off will resolve all of the related issues and the device will stop applying the policies.
Active Mode: Managed AV: Windows Defender Threats: Guardz integrates deeply with Windows Defender to identify antivirus threats and respond in real-time across managed devices. It works with Windows Defender to handle virus and malware threats and to record automated resolutions. If a threat is identified but not handled, administrators can manually remediate it or instruct the Defender to remove the threat automatically.
Device Isolation: Devices with ransomware, other malware, or other suspicious activity can be isolated in the Detection & Response area. This will disable all network connections on the endpoint and actively prevent the flow of packets to and from the device. The isolated device can later be released.
Investigation & Research: Guardz provides snapshots of processes and autoruns per device for security & threat research. Administrators can download a CSV file to see what is actively running on any device at any time.
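The File Integrity Check and the Investigation & Research capabilities above can be reproduced in miniature with standard PowerShell. The script below is an added example, not the Guardz agent's code: it plants a "bait" file with a known SHA-256 baseline, reports whether the file is intact, modified (which is what encryption looks like to a hash check) or missing, and on any change exports a process and autorun snapshot to CSV for investigation. The directory under ProgramData, the bait file name and the CSV layout are assumptions.

```powershell
# Added example, not Guardz code: bait-file integrity check plus a process/autorun
# snapshot. Paths and file names are assumptions.
$BaitPath  = Join-Path $env:ProgramData 'PostureDemo\invoice-archive.docx'   # assumed bait location
$StatePath = Join-Path $env:ProgramData 'PostureDemo\bait.sha256'            # assumed baseline store

function Initialize-BaitFile {
    # Write fixed, harmless content and record its SHA-256 as the baseline.
    $dir = Split-Path $BaitPath
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    Set-Content -Path $BaitPath -Value 'canary document - do not edit' -Encoding UTF8
    (Get-FileHash -Path $BaitPath -Algorithm SHA256).Hash | Set-Content -Path $StatePath
}

function Test-BaitFile {
    # Compare the bait file with its baseline; any difference is a signal worth an issue.
    $baseline = (Get-Content -Path $StatePath -ErrorAction Stop).Trim()
    if (-not (Test-Path $BaitPath)) {
        return [pscustomobject]@{ Status = 'Missing'; Detail = 'bait file deleted or renamed (ransomware often renames on encrypt)' }
    }
    $current = (Get-FileHash -Path $BaitPath -Algorithm SHA256).Hash
    if ($current -ne $baseline) {
        return [pscustomobject]@{ Status = 'Modified'; Detail = "hash changed: expected $baseline, got $current" }
    }
    [pscustomobject]@{ Status = 'Intact'; Detail = 'bait file unchanged' }
}

function Export-DeviceSnapshot {
    # Running processes and Run-key/Startup-folder autoruns, one CSV each.
    # Win32_StartupCommand covers only those autorun locations, not services or scheduled tasks.
    param([string]$OutDir = (Join-Path $env:ProgramData 'PostureDemo'))
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "processes-$stamp.csv")
    Get-CimInstance Win32_StartupCommand |
        Select-Object Name, Command, Location, User |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "autoruns-$stamp.csv")
}

# Usage: create the baseline once, then check on every run.
if (-not (Test-Path $StatePath)) { Initialize-BaitFile }
$result = Test-BaitFile
if ($result.Status -ne 'Intact') {
    Write-Warning "Bait file $($result.Status): $($result.Detail)"
    Export-DeviceSnapshot   # capture what is running while the evidence is fresh
}
$result
```

Run it in a scheduled task at a short interval; a hash mismatch or a missing file is the trigger for the isolation step described above, and the two CSVs give the investigator the same view the console's snapshot download offers.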
Device Agent Settings
As part of the initial setup of the Managed AV, you can configure the Microsoft Defender Policies: Security Controls > Endpoint Security > Microsoft Defender Policy Settings.
You can choose to set the policies to a 'Monitor' mode, use the 'Enforce' mode, or adjust the additional settings.
Monitor - If a device is not aligned with the policy you chose and it's set to 'monitor' mode, it'll create an issue alerting on the mismatch.
Enforce - If the device is not aligned with the policy you chose and it's set to 'enforce' mode, the agent will try to enforce the policy on the device. If the agent is not able to enforce the policy, it'll open a new issue. If the agent is able to change the policy successfully, an issue will be created but will be set as closed.
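The Monitor and Enforce behaviour described above maps directly onto the Defender PowerShell module. The script below is an added example, not the Guardz agent's implementation: it compares the live Get-MpPreference values with a desired policy, reports each mismatch as an open issue in Monitor mode, and in Enforce mode applies the value and records the issue as closed only when a re-read confirms the change stuck. The policy values are assumptions (Get-MpPreference returns the numeric codes shown in the comments).

```powershell
# Added example, not the Guardz agent's code: reconcile Microsoft Defender
# preferences against a desired policy in Monitor or Enforce mode.
# Needs an elevated session on a device with the Defender PowerShell module.
$DesiredPolicy = @{                       # assumed policy; values are Get-MpPreference's numeric codes
    DisableRealtimeMonitoring = $false    # real-time protection must stay on
    PUAProtection             = 1         # 1 = Enabled (block potentially unwanted apps)
    MAPSReporting             = 2         # 2 = Advanced (cloud-delivered protection)
    SubmitSamplesConsent      = 1         # 1 = SendSafeSamples
}

function Get-PolicyMismatches {
    # Compare the live preferences with the desired policy; emit one object per gap.
    $current = Get-MpPreference
    foreach ($name in $DesiredPolicy.Keys) {
        $have = $current.$name
        $want = $DesiredPolicy[$name]
        if ("$have" -ne "$want") {
            [pscustomobject]@{ Setting = $name; Current = $have; Desired = $want }
        }
    }
}

function Invoke-DefenderPolicy {
    # Monitor: report each mismatch as an open issue and change nothing.
    # Enforce: apply the desired value; the issue is closed if the change sticks,
    # otherwise it stays open (Tamper Protection or a GPO can block the change).
    param([ValidateSet('Monitor', 'Enforce')][string]$Mode = 'Monitor')
    foreach ($gap in Get-PolicyMismatches) {
        $issue = [ordered]@{ Setting = $gap.Setting; Current = $gap.Current; Desired = $gap.Desired; State = 'Open'; Note = '' }
        if ($Mode -eq 'Monitor') {
            $issue.Note = 'mismatch reported; device not changed'
        } else {
            try {
                $change = @{ $gap.Setting = $gap.Desired }
                Set-MpPreference @change -ErrorAction Stop
                $after = (Get-MpPreference).($gap.Setting)
                if ("$after" -eq "$($gap.Desired)") {
                    $issue.State = 'Closed'; $issue.Note = 'auto-remediated by agent'
                } else {
                    $issue.Note = "setting still $after after enforcement attempt"
                }
            } catch {
                $issue.Note = "enforcement failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$issue
    }
}

# Usage: dry run first, then enforce.
Invoke-DefenderPolicy -Mode Monitor | Format-Table -AutoSize
# Invoke-DefenderPolicy -Mode Enforce | Format-Table -AutoSize
```

The re-read after Set-MpPreference is the important part: a silently ignored change (for example when Tamper Protection is on) would otherwise be recorded as remediated, which is exactly the false sense of safety the open/closed issue distinction is meant to avoid.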
💎 Tip: We recommend adjusting the Windows Defender policies in Guardz prior to distributing the Guardz Device Agent.
Device Agent Deployment
The Guardz device agent is managed at the organization level and applies to all of the organization's devices. It's available for:
macOS
Windows
Windows Server (supported versions: 2016, 2019, and 2022)
The agent is distributed through:
Script (RMM)
Installer (MSI/PKG)
Each organization is assigned an Org Key that is used as part of the deployment process and should always be kept secret.
Both the Org Key and the manual installation script can be found in the Control Center > Managed AV & Device Posture > Deploy.
See more information on the Device Agent Installation Instructions, including how to install and execute the agent remotely.
Update to the Device Agent
When a new device agent version is released by Guardz, the agent updates automatically as long as the installed version is 0.0.87 or above.
Otherwise, you’ll need to redeploy the agent script through RMM or manually.
To deploy the Mac PowerShell script, copy the organization key from Guardz Security Control -> End Protection deploy for the client you wish to deploy, and paste it between the brackets in place of the word "value". Make sure there are no spaces before or after the key.
Device Management for Device Protection
The Device Management table will help you monitor all the devices in your organization using the Guardz agent. It can be a laptop, PC, etc.
Using the filters at the top, you can focus on the devices that require your attention and use the export/print button to continue the issue handling.
Each device holds the fields below:
Hostname - The name of the device
Status - 'Risky' if the device has critical or high issues; 'Medium' if its highest issue is medium or low; 'Safe' if it has no issues.
Serial Number - The unique identifier of each device
Users - The device's user. If this field isn't manually updated, it will say "N/A" by default. Select the user related to the device by clicking the edit button.
OS - Apple / Microsoft
OS version
Agent version - The Guardz agent version installed on the device
First seen - The first date the device agent started sending data to Guardz.
Last seen - The most recent time the device agent sent data to Guardz.
Link to Issues page - When hovering over a specific device or row in the table, an action button allows admins to link directly to the issues page filtered by the particular device.
When linking to the issue page, the “Device View” is applied, adding device serial numbers to the table to filter and quickly identify relevant issues per device.
Remove Device: The device will be removed from the devices page, but this will not uninstall the Guardz agent from the actual device (follow the steps in the Guardz Device Uninstallation Instructions article to remove the agent from the device).
If the device agent connects to Guardz after deletion, it will be added back to this page.
Defender Exclusions
MSPs can configure specific exclusions in Microsoft Defender's antivirus scanning process, thereby preventing trusted files, directories, and processes from becoming false positives and triggering unnecessary security alerts. MSPs can define paths, processes, and extensions across their customers that should be excluded from antivirus scans within the device settings.
Key Features:
Global or Per-Customer Configuration Options: MSPs can choose whether to apply exclusions globally or customize them by company.
Configure and Manage Scan Exclusions: The ability to fine-tune Windows Defender by specifying paths, processes, and extensions to exclude from scans.
Simplify Management & Review: View and manage exclusions in one place, sorted by type, name, and the date they were added.
How to Configure:
Security Controls -> Endpoint Security -> Microsoft Defender Exclusions
Prerequisites:
To use this feature, the agent must be updated to version 1.3.0. Your Customer Success Manager can assist you with this update.
Note: All exclusions set up with third-party tools will be removed to ensure no conflicts occur. If necessary, you can disable these settings to maintain compatibility with other tools.
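Exclusions are a trust decision, and an over-broad one (a whole drive, a user-writable folder, an executable extension, or a process excluded by bare name) quietly removes files from scanning. The script below is an added example, not Guardz code: it lists the path, extension and process exclusions the device currently carries with a risk label, and wraps Add-MpPreference so that a path the audit rules rate High is refused. The risk rules and thresholds are assumptions; the trusted application directory in the usage line is a placeholder.

```powershell
# Added example, not Guardz code: audit the Defender exclusions on a device and
# flag entries broad enough to blind the scanner. The risk rules are assumptions.
$BroadLocations  = @('C:\Windows', 'C:\Users', 'C:\ProgramData', 'C:\Program Files')
$RiskyExtensions = @('exe', 'dll', 'ps1', 'bat', 'cmd', 'js', 'vbs', 'scr', 'msi')

function Get-PathRisk {
    param([string]$Path)
    $norm = $Path.TrimEnd('\').ToLowerInvariant()
    if ($norm -match '^[a-z]:$' -or $norm -eq '*') { return 'High: whole drive excluded' }
    foreach ($loc in $BroadLocations) {
        if ($norm -eq $loc.TrimEnd('\').ToLowerInvariant()) { return 'High: broad system or user location' }
    }
    if ($norm -like '*\temp' -or $norm -like '*\temp\*' -or $norm -like '*\downloads') {
        return 'Medium: user-writable drop location'
    }
    'Low'
}

function Get-ExclusionReport {
    # One row per exclusion with a risk label, sorted by type and value.
    $pref = Get-MpPreference
    $rows = @()
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p) { $rows += [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = (Get-PathRisk $p) } }
    }
    foreach ($e in @($pref.ExclusionExtension)) {
        if ($e) {
            $risk = if ($e.TrimStart('.').ToLowerInvariant() -in $RiskyExtensions) { 'High: executable or script type' } else { 'Low' }
            $rows += [pscustomobject]@{ Type = 'Extension'; Value = $e; Risk = $risk }
        }
    }
    foreach ($proc in @($pref.ExclusionProcess)) {
        if ($proc) {
            # A bare name matches any process with that name, wherever it was launched from.
            $risk = if ($proc -notmatch '[\\/]') { 'High: process excluded by name only' }
                    else { 'Medium: files opened by this process are not scanned' }
            $rows += [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = $risk }
        }
    }
    $rows | Sort-Object Type, Value
}

function Add-ReviewedExclusion {
    # Refuse a path exclusion the audit rules rate High; otherwise add it.
    param([Parameter(Mandatory)][string]$Path)
    $risk = Get-PathRisk $Path
    if ($risk -like 'High*') { throw "Refusing exclusion '$Path': $risk" }
    Add-MpPreference -ExclusionPath $Path
    Write-Host "Added exclusion $Path ($risk)"
}

# Usage
Get-ExclusionReport | Format-Table -AutoSize
# Add-ReviewedExclusion -Path 'C:\Apps\LineOfBusiness\data'      # placeholder trusted app directory
# Remove-MpPreference -ExclusionPath 'C:\Apps\LineOfBusiness\data'
```

Running the report before and after the agent update mentioned under Prerequisites also shows concretely which third-party exclusions were removed, so any that are genuinely needed can be re-added through the console rather than rediscovered from a false positive.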
FAQ Managed AV & Device Posture
Question: How can I install the agent on Windows Server?
📍Answer: To install the Windows Server agent, go to the Security Controls page, open the Endpoint Security control, and click "Deploy." For more information, go to the Device Agent Installation Instructions.
Question: How does Guardz decide which device agent will operate on the device?
📍Answer: Guardz's operational mode depends on the existing AV setup and the device OS:
1. When Windows Defender is the sole AV on a device, Guardz will manage the AV functionalities.
2. If another AV tool is present alongside Defender, Guardz manages Defender, while the other AV tool may work as the primary one.
Guardz's smart agent adjusts itself automatically: if another AV exists, it goes into passive mode. The Guardz agent will work side by side with the third-party AV and will report whether the device is protected or not; it does not do the job of the third-party AV, but reports, for example, if the third-party signatures are out of date or deactivated.
3. In the absence of Defender, Guardz switches to a passive mode, only monitoring device posture, processes and autoruns.
4. If Defender is the only AV on a device but is disabled, Guardz will attempt to enable Defender. If unsuccessful, it reverts to the passive mode as in #3.
5. On Mac devices, Guardz functions in tandem with the native XProtect, monitoring device posture, processes and autoruns.
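The decision tree in this answer can be checked from the device side. The script below is an added example, not Guardz code: it reads the antivirus products registered with Windows Security Center, then walks the same cases (Defender alone, Defender beside a third-party AV, no Defender, Defender present but disabled) to pick a Managed or Passive mode. The mode names follow the answer above; the productState bit decoding is a commonly used heuristic and is an assumption here, as are the constructed product lists in the usage section. root/SecurityCenter2 exists only on client Windows, so on Windows Server the function returns nothing and Get-MpComputerStatus should be consulted instead.

```powershell
# Added example, not Guardz code: pick an agent operating mode from the antivirus
# products registered with Windows Security Center.
function Get-RegisteredAntivirus {
    # root/SecurityCenter2 exists on client Windows only; Windows Server has no Security Center.
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            ForEach-Object {
                [pscustomobject]@{
                    Name     = $_.displayName
                    Enabled  = (($_.productState -band 0x1000) -ne 0)   # assumed: bit set = real-time protection on
                    UpToDate = (($_.productState -band 0x10) -eq 0)     # assumed: bit set = definitions out of date
                }
            }
    } catch { @() }
}

function Select-AgentMode {
    # $Products lets the decision be exercised with constructed input (see usage).
    param(
        [array]$Products = @(Get-RegisteredAntivirus),
        [scriptblock]$TryEnableDefender = {
            try {
                Set-MpPreference -DisableRealtimeMonitoring $false -ErrorAction Stop
                (Get-MpComputerStatus).RealTimeProtectionEnabled
            } catch { $false }
        }
    )
    $defender = @($Products | Where-Object { $_.Name -like '*Defender*' })
    $others   = @($Products | Where-Object { $_.Name -notlike '*Defender*' })

    if ($defender.Count -eq 0) {
        return [pscustomobject]@{ Mode = 'Passive'; Reason = 'no Defender registered; monitor posture, processes and autoruns only' }
    }
    if ($others.Count -gt 0) {
        # Third-party AV: report whether it is protecting the device, do not take over.
        $state = $others | ForEach-Object { "$($_.Name): enabled=$($_.Enabled), upToDate=$($_.UpToDate)" }
        return [pscustomobject]@{ Mode = 'Passive'; Reason = "third-party AV present; reporting its state only ($($state -join '; '))" }
    }
    if (-not $defender[0].Enabled) {
        if (& $TryEnableDefender) {
            return [pscustomobject]@{ Mode = 'Managed'; Reason = 'Defender was disabled and has been re-enabled' }
        }
        return [pscustomobject]@{ Mode = 'Passive'; Reason = 'Defender disabled and could not be enabled' }
    }
    [pscustomobject]@{ Mode = 'Managed'; Reason = 'Defender is the only AV and is enabled' }
}

# Usage on the live device:
Select-AgentMode

# Constructed inputs to walk each branch without touching the device:
Select-AgentMode -Products @([pscustomobject]@{ Name = 'Windows Defender'; Enabled = $true; UpToDate = $true })
Select-AgentMode -Products @(
    [pscustomobject]@{ Name = 'Windows Defender'; Enabled = $true; UpToDate = $true },
    [pscustomobject]@{ Name = 'ExampleAV';        Enabled = $true; UpToDate = $false }   # constructed third-party product
)
Select-AgentMode -Products @([pscustomobject]@{ Name = 'Windows Defender'; Enabled = $false; UpToDate = $true }) -TryEnableDefender { $false }
```

The constructed calls return, in order, Managed, Passive with the third-party state (including its stale signatures), and Passive because the enable attempt was stubbed to fail; the last case is the one that deserves an issue, since the device ends up with no managed protection at all.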
Question: Why do I still see the device in the Devices List after I removed the device using the 'Remove Device' option?
📍Answer: The 'Remove Device' option will remove the device from the device list but will not delete the agent from the device.
In the 'Device management page', click on 'Remove device' to disconnect it from the org.
Question: Which devices can be protected with Guardz device agent?
📍Answer: At the moment, we support only Apple and Windows computers and Windows Servers. Mobile phones are not supported today.
Question: When will SentinelOne be included with the Guardz device agent?
📍Answer: SentinelOne is slated to be released in September of 2024
Question: Can I manually activate an endpoint scan?
📍Answer: There is not a way to trigger a manual scan. Scans happen automatically and continuously. If an automated scan detects any discrepancies or vulnerabilities, it will generate an issue with an actionable playbook for manual remediation.
Question: Can I export a list of all protected devices?
📍Answer: Yes, you can export a CSV list of all devices by following these steps:
After logging in, navigate to the left sidebar and click on "Detection & Response."
Use the filter to select "Security Control," then choose "Device Protection."
On the right side of the screen, click the export button and select "Export to CSV."