Endpoint Security Essentials Study Guide-Panda
Information in this guide is subject to change without notice. Companies, names, and data used in examples herein are
fictitious unless otherwise noted. No part of this guide may be reproduced or transmitted in any form or by any means,
electronic or mechanical, for any purpose, without the express written permission of WatchGuard Technologies, Inc.
About WatchGuard
WatchGuard® Technologies, Inc. is a global leader in network security, providing best-in-class Unified Threat Management, Next Generation Firewall, secure Wi-Fi, and network intelligence products and services to more than 75,000 customers worldwide. The company's mission is to make enterprise-grade security accessible to companies of all types and sizes through simplicity, making WatchGuard an ideal solution for Distributed Enterprises and SMBs. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. To learn more, visit WatchGuard.com.
For additional information, promotions and updates, follow WatchGuard on Twitter, @WatchGuard on Facebook, or on the LinkedIn Company page. Also, visit our InfoSec blog, Secplicity, for real-time information about the latest threats and how to cope with them at www.secplicity.org.
Address
505 Fifth Avenue South
Suite 500
Seattle, WA 98104
Support
www.watchguard.com/support
U.S. and Canada +877.232.3531
All Other Countries +1.206.521.3575
Sales
U.S. and Canada +1.800.734.9905
All Other Countries +1.206.613.0895
Use this guide in conjunction with instructor-led training, online video training and demos, and the online documentation
to prepare to take the exam.
For a list of recommended documentation and video resources to help you prepare for the exam, see Additional
Resources.
For information about the exam content and format, see About the Endpoint Security Essentials Exam.
Document Conventions
This document uses these formatting conventions to highlight specific types of information:
USE CASE: This is a use case. It describes how you could configure the product or feature in a real-world scenario.
CAUTION: This is a caution. Read carefully. There is a risk that you could lose data, compromise system integrity, or impact device performance if you do not follow instructions or recommendations.
This includes:
Hackers focus on endpoints because they store the most sensitive data and have a high potential of vulnerabilities to
exploit. These exploits enable malicious users to find a weakness and get access to the endpoint, then move laterally to
attack other systems in your network.
- The primary focus of hackers is the endpoint because of the high potential of vulnerabilities to exploit to get access to the network and attack other endpoints and resources.
- The traditional approach to endpoint protection does not detect and respond effectively to new security threats.
- Advanced endpoint protection uses a combination of traditional methods and powerful cloud-based analysis and file classification to actively identify and prevent new threats.
- Zero-day attacks — New threats that have never been seen before. Traditional protection systems cannot detect or defend against zero-day threats because they have an isolated view of only known malware activity and have limited local resources. Traditional models do not have signatures or evidence of behavior to detect zero-day threats.
- Fileless malware — Malicious software that runs in memory instead of as a physical file on the endpoint's hard drive.
- Living-Off-The-Land (LOTL) attacks — Attacks where a malicious user gains access to an endpoint and uses legitimate installed software, such as Microsoft Word, Java, Adobe Acrobat Reader, or PowerShell, to perform further attacks.
- Exploits — Common productivity tools, software applications, browsers, and OS components that malicious users can exploit. For example, hackers often attack Microsoft IIS web server because of its ability to create multiple web server processes. Microsoft Office macros can enable malicious users to perform screen and key logging on unsuspecting users.
- Ransomware — Malicious software that encrypts and locks the contents of a computer and demands a ransom for the encryption key to unlock the data. Ransomware is a persistent and pervasive threat that can spread quickly to the entire network. Ransomware enters a network most frequently through email and unpatched vulnerabilities on clients and servers, and is often targeted at a specific company, department, or user.
The best EDR systems enable you to classify not only executables, but also their behavior. Continuous real-time monitoring enables the analysis and categorization of all executables, and the ability to take immediate action in response to new threats.
Endpoint detection and response provides the contextual information to recognize and classify a vast array of
potentially anomalous activities on endpoints. It also provides remedial actions or triggers alerts for the
administrator.
- Signature files that only match known existing viruses and malware
- Security features that might require manual configuration
- Alerts sent only about events known to be malware
- Minimal monitoring of any process activity after the malware infects the endpoint
The main issue with traditional security methods is that over 300,000 new viruses and malware are created every day.
The huge growth in the amount of malware in circulation is in itself a massive brute-force attack on security vendors.
Cybercriminals look to increase the window of opportunity for newly developed threats by saturating the resources
employed by security companies to scan malware. This increases the time between the appearance of a new virus and
the release of the appropriate antidote by security companies. Every security strategy must be based on minimizing
malware dwell time. The longer malware exists on the network, the more time it has to complete its objective, such as
industrial espionage and data theft.
A majority of this malicious code is designed to run in the background on a user's computer for a long period of time,
which can conceal the presence of malware on compromised systems. This behavior renders the traditional approach to
endpoint protection gradually ineffective because it cannot detect and respond effectively to new security threats.
Advanced Protection
For the best effectiveness against current and emerging endpoint security threats, you must deploy a combination of
local signature-based technologies, context-based behavioral analysis with the power of cloud-based processing, and
effective remediation to stop the threats.
- Adaptive Defense 360 uses a multi-layer model that combines traditional signature and heuristic scans with advanced cloud-based analysis, process monitoring and classification, and threat remediation.
- 100% Attestation Service (also known as the Zero-Trust application service) makes sure that no applications or processes are trusted until they are analyzed and correctly classified.
The Panda Adaptive Defense 360 protection model comprises multiple layers of endpoint security technology, including
a unique 100% Attestation Service (Zero-Trust application service), all delivered by powerful cloud-based analytics
servers and a single lightweight software agent that runs on the endpoint.
Adaptive Defense 360 can defend against and perform active remediation of attacks, and allow only software classified
as trusted to run on your network endpoints.
Adaptive Defense 360 provides both an Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR) to deliver:
- Visibility — Data visibility enables you to see what happens on each endpoint and to detect changes, trends, and anomalies that reflect emerging security threats.
- Detection — Adaptive Defense 360 monitors running processes and performs real-time blocking of zero-day attacks, targeted attacks, and other advanced threats designed to bypass traditional antivirus and anti-malware solutions. It collects a large amount of data to support the artificial intelligence that performs context-based behavioral analysis, predictions, and threat hunting.
- Response — Adaptive Defense 360 uses the collected forensic data to complete in-depth analysis of every attempted attack. A variety of advanced tools remediate attacks.
- Prevention — To prevent future attacks, Adaptive Defense 360 actively changes the settings of each protection module and patches any vulnerabilities discovered in installed operating systems and applications on the endpoint.
Adaptive Defense 360 uses machine learning and other technology to automate real-time inspection of the telemetry
sent by every endpoint. 99.98% of samples are classified automatically, and the rest are classified by a malware
specialist.
The analysis is done in real environments to avoid anti-scan techniques frequently used by malware.
The protection module installed on each endpoint receives the classification and performs the actions required to protect
the endpoint.
Cloud data analysis is much more advanced than the methodology used by traditional solutions that can only detect
known viruses and malware and send any unknown files to the antivirus vendor for manual analysis.
Adaptive Defense 360 analyzes every process that runs on protected endpoints, including legitimate software
processes. Continuously monitoring every process makes sure that malware that masquerades as legitimate software
is correctly classified. Many targeted attacks and other advanced threats operate in stealth mode to evade detection by
traditional protection servers.
- The service relies on contextual analysis of corporate assets, users, applications, and data utilization patterns to minimize risk to endpoints.
- The service denies any execution of a program until it is confirmed as trusted. This enables you to shift away from unconditional trust (or some level of confidence in network, users, and application activity) to a secure zero-trust methodology.
- The service uses a combination of an agent installed on the user's computer and cloud-hosted technologies to automatically classify most running processes. Malware experts analyze and manually classify the remaining small percentage of unknown files. This approach enables the service to classify 100% of executable files that run on endpoints, with no false positives or false negatives.
Adaptive Defense 360 can detect anomalies and threats in these system components:
In addition, threat hunting services use artificial intelligence to monitor application behavior to detect fileless attacks and
other advanced threats. These techniques actively process the data gathered by endpoint detection and response
services to discover new threats.
- Uses virus and malware signature files to detect known malicious files
- Performs generic and heuristic detection of malware behavior
- Blocks specific ransomware URLs
Contextual Detections
Detects fileless attacks that do not use physical malware. This includes:
- Script-based attacks
- Web browser vulnerabilities
- Attacks that use existing legitimate software tools
- Common targeted applications, such as Java, Adobe Reader, Adobe Flash, and Microsoft Office
Anti-exploit Technology
Complements contextual detection and patch management through the detection of fileless attacks that exploit
existing vulnerabilities. This detection is based on the anomalous behavior of exploited processes.
All executable files found on user computers that are unknown to Adaptive Defense 360 are sent to our big data
analytics infrastructure for analysis.
For a list of additional resources on these topics, see Adaptive Defense 360 Additional Resources.
Overview
Adaptive Defense 360 protects the security of all workstations and servers in an organization,
without intervention from network administrators. The Aether platform is the ecosystem where
Adaptive Defense 360 runs.
Panda Adaptive Defense 360 is a managed service that enables organizations to:
- Protect IT assets
- Review any security problems detected
- Develop prevention and response plans against unknown and advanced persistent threats (APTs)
Supported Platforms
Adaptive Defense 360 on the Aether platform is compatible with Windows, Linux, Android, and macOS.
To start the activation process, select My WatchGuard > Activate Products, type or paste your activation key, and
then follow the activation steps.
If this is the first time you activate a Panda product, the activation process prompts you to link your Panda account and
your WatchGuard account. If you do not have a Panda account, you create one as part of the activation process.
- If you have a WatchGuard Partner account, you must link your Panda account and your WatchGuard account. If you do not have a Panda account, you create one as part of the activation process.
- If you have a Panda Partner account, you must create a WatchGuard Partner account before you activate your license. To get started, go to https://secure.watchguard.com/BecomeAPartner.
- Your license is activated immediately as a pool license. For pool licenses, the expiration date is determined when you assign the license.
For more information, see this Knowledge Base article, WatchGuard Partners: How do I activate licenses for a Panda
product from the WatchGuard website?
It can take up to 48 hours for an end-user license to become active. The expiration date for this
license is based on the activation date.
To access your product's web console, from Panda Cloud, select the Products on Aether platform tile.
For more information, see this Knowledge Base article, WatchGuard Customers: How do I activate licenses for a
Panda product from the WatchGuard website?
To open the Adaptive Defense 360 management console, select the Adaptive Defense 360 tile.
Multiple Groups
To filter information in the window and only show information collected from computers in the groups you select,
in the upper-right corner, click Multiple groups.
This enables you to focus on a specific group or groups of computers (for example, a group of servers or
computers at a specific location).
General Settings
The General Settings menu is available to the right of Multiple groups.
From the General settings menu, you can select these options:
- Online Help
- Administration Guide
- Technical Support
- Suggestion Box
- License Agreement
- Adaptive Defense 360 Release Notes
- Language
- About
To change the language of the console, from the General settings menu, select Language.
To view the version of Adaptive Defense 360, as well as the version of the protection agents for different
platforms, from the General settings menu, select About.
User Account
The User Account menu is available to the right of the General settings menu.
From the User Account menu, you can select these options:
Device Management
Use the Computers page to view, group, and manage your devices.
You use the management console to organize and display managed computers in order to quickly find a device. Before
you deploy, we recommend that you:
After you deploy, verify URLs that must be opened with URL Checking in the PSInfo tool.
To manage a network device through the management console, the device must have the Aether agent installed.
Adaptive Defense 360 delivers the Aether agent in the installation package for all compatible platforms.
Devices that do not have an Adaptive Defense 360 license but do have the Aether agent installed appear in the
management console. For these devices, protection is either disabled (if a license has been released) or not installed (if
a license has never been assigned before). Scan tasks and other Adaptive Defense 360 resources will not run.
Adaptive Defense 360 does scan computers with expired licenses for threats, but does not update the signature file and
does not apply advanced protection. In this condition, Adaptive Defense 360 is not an effective solution to combat
threats.
To keep the network protected, we strongly recommend that you renew contracted services.
The Computers page has two panes. The left pane includes the Filters and My Organization tabs and the right pane
displays the details page.
Left Pane
Use the Filters tab and My Organization tab to view and organize managed computers.
Filters Tab
On the Filters tab, you can dynamically group computers on the network based on settings and conditions that describe
the characteristics of devices.
You can use logical operators to produce complex filters. For example, you can organize your computers by operating
system, software, or by custom filter with specific rules for settings, protection status, hardware, software, range of IP
addresses, groups, or latest proxies used by the agent.
My Organization Tab
An administrator can manually assign computers to a group. Use the My Organization tab to create a multi-level
structure of groups, subgroups, and computers. The organizational tree can be a custom tree, the company Active
Directory tree, or a combination of the two.
The Active Directory tree is generated automatically. To integrate a computer into a custom
group or into an Active Directory path, you must install an agent on the computer. You can
move computers from one path to another as required.
Right Pane
When you select a computer from the list of computers, the right pane displays details of the hardware and software
installed, as well as the security settings assigned to it.
- Hardware — Hardware installed on the computer, its components and peripherals, as well as resource consumption and use.
- Software — Software packages installed on the computer, as well as versions and changes.
- Settings — Security settings and other settings assigned to the computer.
- Toolbar — Operations available for the managed computer.
Installation requirements for Adaptive Defense 360 differ for different platforms.
Before you install Adaptive Defense 360, make sure you meet these requirements:
System Requirements
For a list of system requirements, see the appropriate Knowledge Base article:
- Windows — Installation requirements of products based on Aether Platform for Windows
- Linux — Installation requirements of products based on Aether Platform for Linux platforms
- macOS — Installation requirements of products based on Aether Platform for macOS platforms
- Android — Installation requirements of products based on Aether Platform for Android platforms
Communications Requirements
If you have a firewall, proxy server, or other network restrictions, to install and operate Adaptive Defense 360,
you must allow access for communications from the server or console to these servers:
For more information about the requirements for discovery and remote installation, see this Knowledge Base
article: Requirements for the discovery of computers and remote installation in products based on Aether
Platform.
Installation Methods
You can use these methods to install Adaptive Defense 360:
When you uninstall Adaptive Defense 360, the associated counters, such as malware detected, blocked URLs, filtered
mails, and blocked devices, are removed from the management console. When you reinstall the software, the counters
are restored.
View Status
Use the Status page to select dashboards and lists to quickly view information about the
computers you manage.
Dashboards
Adaptive Defense 360 collects information and presents it graphically in dashboards in the management console. You
can open dashboards from the left pane menu. Click the data on a dashboard to view more details.
amount of time.
  - Outdated Protection: Shows computers whose signature file is more than three days older than the latest one released by Panda Security. It also displays the computers whose antivirus engine is more than seven days older than the latest one released by Panda Security.
  - Protection Status: Shows computers where Adaptive Defense 360 is working properly and those where there are errors or problems with installation or the protection module.
  - Programs Blocked by the Administrator: Shows the number of execution attempts recorded across the IT network and blocked by Adaptive Defense 360 based on the settings defined by the network administrator.
  - Programs Allowed by the Administrator: Shows programs that the administrator allows when a user cannot wait for an unknown item that is classified as a threat to run.
  - Classification of All Programs Run and Scanned: Shows the percentage of goodware and malware items seen and classified on the customer network during the time period specified by the administrator.
  - EDR Activity: Shows the details of malware, PUP, and exploit detections, plus the currently blocked programs being classified.
  - Exploit Activity: Shows the number of vulnerability exploit attacks suffered by the Windows computers on the network.
  - Exclusions: Shows exclusions, such as Allow blocked items being classified, processes classified as threats, and detection of malware, PUPs, etc.
- Web access and spam — Shows information about blocked and filtered Internet content and unsolicited email.
- Patch management — Shows updates for the operating system and third-party software installed on your computers.
- Full encryption — Shows the encryption status of the computer's internal storage.
- Licenses — Shows the status of your licenses. This includes Computer with a license, Computer without a license, and Excluded.
Licenses Dashboard
When you install the software on a computer on the network, if there are unused licenses, the system assigns a free
license to the computer automatically. You can also assign licenses manually. To view details of contracted licenses,
on the Licenses dashboard, click Assigned.
When you uninstall a product from one of your computers, or when a license expires, the system automatically recovers
the license and returns it to the license pool. You can release licenses manually from the Licenses dashboard when you
remove the product license from the Details tab for a computer.
My Lists
More detailed information is available from the My Lists section in the left pane.
Each list displays information in a table. Most dashboard sections have an associated list, so you can quickly see the
information graphically and then get more in-depth data from the lists.
You can add lists to the left pane for quick access.
Scheduled Reports
Adaptive Defense 360 can send reports, by email, that include security information from the computers it protects. This
makes it easy to share information with other people and departments in your organization, and to keep a history of
events beyond the data storage capacity limits of the management console. These reports can help you to monitor
security status closely without the involvement of administrators.
Automated email reports provide stakeholders with information about all security events. You can create reports based
on a previously created list, directly generate an executive report, or create a report for an existing list of filtered devices.
To add scheduled reports and lists, on the Status page, select Scheduled reports from the left pane.
Settings Management
Use the Settings page to manage general settings and security settings.
General Settings
In the General section, you can manage settings such as users, preferences, network settings and services, and
alerts.
Users
On the Users page, you manage users, roles, and permissions.
- Create users
- Define roles for users
- View the activity logged for a user
- Require users to use two-factor authentication
To force users to enable and use two-factor authentication, the user account that enforces two-factor authentication must have the Manage users and roles permission and access to all computers on the network.
Per-computer Settings
On the Per-computer Settings page, you set preferences and enable automatic updates.
For more information, see the interactive video, How to Configure a Group of Computers of the
Network Not to Upgrade Automatically.
- Allow the protections to be temporarily enabled or disabled from the computer's local console (password required)
- Enable anti-tamper protection (prevents users and certain types of malware from stopping the protections)
Network Settings
On the Network Settings page, you can configure settings templates or configuration profiles.
- Set the language of the Panda agent for one or more computers. You must first create a network settings profile.
- Add the proxy computers you want your computers to use or disable the use of a proxy.
- Enable or disable the real-time communication feature.
- Designate one or more computers on the network with the cache role to automatically download and store all files required for updates. This enables computers with Adaptive Defense 360 to update the signature file, agent, and the protection engine without Internet access.
Proxy Types
Adaptive Defense 360 supports various Internet access methods which you can configure to connect to the Panda
Security cloud. When an access method is no longer accessible, Adaptive Defense 360 tries the next method in the list
until it finds one that is valid. If Adaptive Defense 360 gets to the end of the list, it returns to the start and continues until
it has tried all connection methods at least once.
- Do not use proxy: Direct access to the Internet. Computers access the Panda Security cloud directly to download updates and send status reports. If you select this option, the Adaptive Defense 360 software uses the computer settings to communicate with the Internet.
- Corporate proxy: Access the Internet through a proxy installed on the company network.
- Automatic proxy discovery using Web Proxy Autodiscovery Protocol (WPAD): Use DNS or DHCP to query the network to get the discovery URL that points to the PAC configuration file. If needed, you can specify the HTTP or HTTPS resource that hosts the PAC configuration file.
- Panda Adaptive Defense 360 proxy: Access the Internet through the Adaptive Defense 360 agent installed on a computer on the network. This option enables you to centralize all network communications through a computer with the Panda agent installed.
To configure the network settings for proxy and cache, you must first add the proxy or cache
computers on the Network Services page. For more information, see the interactive video,
How to Add and Configure a Cache Computer.
Network Services
On the Network Services page, you can set a Panda proxy server.
The Panda agent installed on Windows computers on your network can have three different roles:
- Proxy — Enables computers without direct Internet access to use the proxy installed on your network. If no proxy is accessible, you can assign the proxy role to a computer with Panda Adaptive Defense 360 installed.
- Discovery — Installs and deploys Panda Adaptive Defense 360 across your network through the discovery feature.
- Cache — Automatically downloads and stores all files required by other computers with Panda Adaptive Defense 360 installed. This saves bandwidth, because each computer does not have to download updates separately.
VDI Environments
To facilitate license assignment, on the VDI Environments page, you can specify the maximum number of computers
that can be simultaneously active in a non-persistent virtualization environment.
Virtual Desktop Infrastructure (VDI) is a desktop virtualization solution that hosts virtual machines in a data center
accessed by users from a remote terminal with the aim to centralize and simplify management and reduce maintenance
costs.
- Persistent VDIs — Storage space assigned to each user persists between restarts, including the installed software, data, and operating system updates.
- Non-persistent VDIs — Storage space assigned to each user is deleted when the VDI instance is restarted, returning to its initial state and undoing all changes made.
With a non-persistent VDI, storage space assigned to each user is deleted when the VDI
instance restarts. The VDI instance returns to its initial state and all changes are undone.
My Alerts
Email alerts are messages that Adaptive Defense 360 sends to a specified recipient email address when an event
occurs.
On the My Alerts page, you can select which alerts to receive and specify the email address to receive them.
Security Settings
In the Security section, you can also manage security settings for:
General Settings
In the General sub-section, you specify alerts, update options, uninstalled security products, and exclusions.
Local Alerts
Enable malware, firewall, and device control alerts. The administrator can enter text to display in local alerts for
computer isolation, detections (antivirus), detections (by behavior), advanced security policies, and program
blocking.
Updates
Configure options related to product updates.
Exclusions
Configure these types of exclusions:
- File exclusions — Exclude files stored on the hard disk by extension, file name, or directory. Separate exclusions with commas (,). For more information, see the Knowledge Base articles on general exclusions and Panda and TDR Host Sensor exclusions.
- Email exclusions — Make exclusions recommended by Microsoft to improve the performance of Exchange Server. You can also exclude email attachments by file extension.
Advanced Protection
In the Advanced Protection sub-section, you can enable advanced protection to track the activity of every program on
your computers, and immediately detect and block malicious programs. Advanced protection includes direct monitoring
by Panda lab technicians.
Hardening — Removes malicious and potentially malicious programs. Blocks unknown programs from the
Internet, from other computers on the network, or from external storage drives until the Panda lab determines
whether they are malware. Allows any other unknown program to run while it is analyzed by the lab.
Lock — Prevents all unknown programs from running until they are classified.
You can also report blocking to computer users and add a custom message to alerts.
Unless you know that the detected malicious activity is a legitimate action, we recommend that you
set the mode to Block.
Anti-exploit
Anti-exploit protection prevents access to computers on the corporate network by malicious programs. There are
two modes: Audit and Block.
Audit
Reports detected exploits in the administrative console. Does not take action against the detected programs
or display any information to the user of the computer.
Block
Blocks exploit attacks. This might force the compromised process to end.
Report blocking to the computer user — Notifies the user and automatically ends the compromised
process, if required.
Ask the user for permission to end a compromised process — Prompts the user to end the
compromised process, if necessary.
Every time a compromised computer needs to restart, the user must provide confirmation, regardless of whether the Ask the user for permission to end a compromised process option is selected.
To make sure that anti-exploit protection works correctly with third-party security solutions
installed, we recommend that you enable it gradually on your computers.
Privacy
Adaptive Defense 360 can include the full name and path of files sent to the cloud for analysis in reports and
forensic analysis tools. If you do not want to send this information to the Panda Security cloud, you can disable
this option.
Adaptive Defense 360 can also show the user who was logged in to the computer on which a detection occurred.
If you do not want to send this information to the Panda Security cloud, disable this option.
Network Usage
Adaptive Defense 360 sends every unknown executable file found on user computers to the Panda Security
cloud for analysis.
This has no impact on the performance of the network. By default, each agent can transfer a maximum of 50 MB
of files in an hour.
Adaptive Defense 360 sends unknown files to the cloud only once for all users. Bandwidth management
mechanisms minimize the impact on the network.
Antivirus
In the Antivirus sub-section, you can configure these settings:
- Antivirus – Enable or disable antivirus protection for files, email, and web browsing.
- Threats to detect – Detect viruses, detect hacking tools and PUPs, block malicious actions, and detect phishing.
- File types – Scan compressed files in emails, on disk, and all files regardless of their extension when they are
created or modified.
System Rules
Rules that allow or deny data traffic that has specific communication characteristics, such as ports, IP
addresses, or protocols.
Program Rules
Rules that allow or prevent communication from programs installed on user computers to other computers.
- Let computer users configure the firewall – Enable end users to manage the firewall protection from their
local console.
- Network type – Laptops and mobile devices can connect to networks with different security levels, from public
Wi-Fi networks, such as those in Internet cafés, to managed and limited-access networks, such as the one in
your office. Set the default behavior of the firewall to:
  - Manually select the type of network that the computers in the configured profile usually connect to.
  - Enable Panda Adaptive Defense 360 to select the most appropriate network type.
- Program rules – Specify which programs can communicate with the local network and Internet.
- Connection rules – Define TCP/IP traffic filtering rules. Adaptive Defense 360 extracts the values of some
fields in the headers of each packet that protected computers send and receive, and checks them against the
rules you define. If the traffic matches a rule, Panda Adaptive Defense 360 takes the specified action.
To configure exceptions, select the allowed device and click the Exception icon.
Mailbox Protection
This protection applies to Exchange servers with the Mailbox role, and scans folders and mailboxes in the
background or when the server receives messages and stores them in user folders.
Mailbox protection can manipulate items contained in the body of scanned messages. It can replace any
dangerous item it finds with a clean one and move dangerous items to quarantine.
Mailbox protection scans the Exchange server user folders in the background. This protection uses smart scans
to avoid a rescan of scanned items. Every time a new signature file is published, the protection scans all
mailboxes and the quarantine folder in the background.
Transport Protection
This protection applies to Exchange servers with the Client Access, Edge Transport, and Mailbox roles, and
scans the traffic that goes through the Exchange server.
This protection cannot manipulate items contained in the body of scanned messages. The body of dangerous
messages is treated as a single component. Every action Adaptive Defense 360 takes — delete the message,
quarantine it, let it through without any action, etc. — affects the entire message.
You can specify the action to perform on spam messages, such as let the message through, delete the message, or flag
with SCL (Spam Confidence Level). You can also configure lists of email addresses and domains that you always want
to allow or delete.
Program Blocking
On the Program Blocking page, you can prevent the execution of programs that are dangerous or that you do not want
your users to run. For example, you might decide to block programs that use too much bandwidth, pose a security
threat, or affect user or computer performance. You can identify programs to block by name or MD5 hash.
Android Devices
On the Android Devices page, you can specify security settings for Android devices.
Updates
In the Updates sub-section, you can enable Aether updates over Wi-Fi only.
Antivirus
In the Antivirus sub-section, you can enable always-on protection and specify whether to scan applications from
unknown sources before you install them. To add an exclusion, you can enter the name of the Android executable
(com.example.myapp).
Anti-Theft
In the Anti-Theft sub-section, you can enable features that prevent data loss and help users to locate devices in the
event of loss or theft.
For information on the Patch Management page and Data Protection section, see the Panda
Patch Management and Panda Full Encryption learning modules.
Troubleshooting Tools
Troubleshooting tools for Adaptive Defense 360 include remediation tools, the Troubleshooting
Guide, PSInfo, the Knowledge Base, and other documentation.
Remediation Tools
Access remediation tools from the menu in the upper-right corner of the Computers tab. Remediation tools are also
available from the menu beside each computer or device.
To view remediation tools that require action in the management console, on the Computers page, select a computer
and select the more options icon. Available options show in the menu that appears.
Restart
Enables the administrator to restart computers remotely.
Automatic disinfection
Performed by real-time advanced protection and antivirus protection products. When malware is detected, the
products clean the affected items with an appropriate disinfection method. When no method exists, the malware
is quarantined.
Isolate computer
Enables administrators to isolate computers on demand to prevent the spread of threats and the extraction of
confidential data.
Report a problem
Contacts the support team through the management console and automatically sends all the information required
for diagnosis.
Troubleshooting Guide
This online guide provides technicians with information to support customer and partner Adaptive Defense queries.
https://www.pandasecurity.com/enterprise/downloads/docs/product/Webhelp/#t=000.htm
When you submit a case, make sure that you provide the diagnostic output generated by the PSInfo tool.
https://www.pandasecurity.com/psinfo
From the Aether console, select the specific computer and click Report a problem.
URL Checker
Inspects URLs required to communicate with Panda servers. Use for installation, update and upgrade
issues.
Force Sync
Use to check connectivity between the endpoint and the console.
Repair Protection
Use to solve protection errors.
Generic Uninstaller
Removes any trace of the protection.
Additional Tools
PSErrorTrace: Use for installation, scan, or third-party issues.
WatchGuard partners and customers can also review the Administration Guide and find information in the Panda
Support Center:
https://www.pandasecurity.com/en/support/watchguard-customers/
This table lists available features and the platforms that support them.
General
Web console
Information in dashboards
Frequency of sending detections to the server: 15 min / 15 min / 15 min / Immediately after scan completes
List of detections
Executive reports
Protections
Anti-Tamper protection
Anti-Exploit protection
Firewall
Device control
URL filtering
Settings
Real-Time actions
On-Demand scans
Scheduled scans
Computer restart
Computer isolation
Signature updates
Protection upgrades
Patch Management
Patch Management is a built-in module on the Aether platform that finds computers on the network with known software
vulnerabilities and updates them automatically. It minimizes the attack surface and protects your workstations and
servers from malware that exploits software flaws.
To manage the Patch Management module correctly, in Patch Management settings, select
Disable Windows Update on Computers.
- Requirements
- How to configure settings
- Status dashboard
Patch Management detects third-party applications with uninstalled patches or in the EOL (end-of-life) stage, as well as
all patches and updates published by Microsoft for its products (operating systems, databases, Office applications,
etc.).
- Disable Windows Update on Computers — To manage updates exclusively without interference from local
Windows Update settings, enable the Disable Windows Update on Computers toggle.
- Automatically Search for Patches — To enable patch search functionality, enable the Automatically Search
for Patches toggle. If the toggle is not enabled, the lists in the module do not display uninstalled patches.
- Search Frequency — To specify how frequently Patch Management searches the database for uninstalled
patches, from the drop-down menu, select a frequency.
- Patch Criticality — To specify which patches Patch Management searches for, enable the toggles under Patch
criticality.
  - No information
  - Error installing
  - Error
  - No license
- Time Since Last Check
  - > days
  - > 7 days
  - > 30 days
- End-of-Life Programs
  - Currently in EOL
- Available Patches
  - Security Patches — Critical, Important, Moderate, Unspecified
  - Other Patches (non-security-related)
  - Service Pack
- Last Patch Installation Tasks
Available Patches
In the Available Patches section of the dashboard, below the three types of patches, you can select View All
Available Patches to open the Available Patches page.
To view recent high and critical vulnerabilities for which exploits are available, select Currently Exploited
Vulnerabilities at the top of the page.
To show filter options for available patches, on the Available Patches page, click Filters.
Below the filters, select a computer from the list, then click at the end of the row to see options.
- Install — Creates a quick task to immediately install the patch on the computer.
- Schedule Installation — Creates a scheduled task to install the patch on the computer.
- Isolate Computer — Isolates the computer from the network.
- View all Available Patches for the Computer — Shows all available patches for the computer that have not
been installed.
- View which Computers have the Patch Available — Shows all computers that have the patch available for
installation.
Below Available Patches on the Patch Management dashboard, you can select View Installation History to view
your patch installation history.
Full Encryption
This section describes how to use Full Encryption to manage encryption on network computers protected by Adaptive
Defense 360.
Full Encryption uses BitLocker software installed on some versions of Windows 7 and higher to encrypt and decrypt the
data stored on the computer drives. Full Encryption installs BitLocker automatically on compatible server versions.
- Encryption concepts
- Supported authentication types
- Supported storage devices
- Requirements
- How to configure settings
- Dashboard
Encryption Concepts
The following concepts are key for proper use of Full Encryption.
TPM
TPM (Trusted Platform Module) is a chip included in the motherboards of some desktops, laptops, and servers.
TPM chips protect sensitive data, stored passwords, and other information used to log in.
Passphrase
A passphrase is an 8- to 255-character alphanumeric password, equivalent to an extended PIN.
USB Key
A USB key enables you to store an encryption key on a USB device formatted with NTFS, FAT, or FAT32.
When connected to a computer, the USB key bypasses the entry of a password to start up the computer.
Recovery Key
When Full Encryption detects an irregular situation on a computer it protects, or if you forget the password, the
computer asks you for a 48-digit recovery key. The recovery key is a managed password — a network
administrator can obtain the recovery key and send it to the user.
System Partition
A system partition is a small, unencrypted portion of the hard disk in a computer that is required for the computer
to correctly complete the startup process. Full Encryption automatically creates a system partition if it does not
already exist.
Encryption Algorithm
The encryption algorithm in Full Encryption is AES-256. Computers with drives that users encrypted with other
algorithms are also compatible.
- TPM + PIN — Compatible with all supported versions of Windows. The TPM chip must be enabled in the BIOS
and a PIN must exist.
- Only TPM — Compatible with all supported versions of Windows. The TPM chip must be enabled in the BIOS
(automatically enabled in Windows 10).
- USB Key — Requires a USB device and that the computer can access USB drives during start up.
The USB Key authentication method is required on Windows 7 computers without a TPM chip.
Hardware Requirements
- TPM v1.2 (and higher when using TPM authentication method)
- USB key and a computer that can read USB devices from the BIOS in Windows 7
- If the computer is encrypted with Full Encryption and Encrypt all Hard Disks on Computers is disabled, all
encrypted drives are decrypted.
- If the computer is encrypted but not with Full Encryption, and Encrypt all Hard Disks on Computers is
disabled, there is no change.
- If the computer is encrypted but not with Full Encryption, and Encrypt all Hard Disks on Computers is
enabled, the internal encryption settings change to coincide with the encryption methods supported by Full
Encryption.
This setting enables password authentication when the computer starts. Based on the operating system and whether
the computer has TPM hardware, the user must provide these types of passwords:
If this option is set to No and the computer does not have access to a compatible TPM security
processor, the disks will not be encrypted.
This setting prevents the use of USB devices supported by Full Encryption for authentication.
To minimize the encryption time, you can restrict encryption to the sectors of the hard disk that are in use. Sectors
released after a user deletes a file remain encrypted, but the space that was free before the encryption of the hard disk
remains unencrypted and accessible to third parties that use tools to recover deleted files.
Opens a window that prompts the user to encrypt the external mass storage devices and USB keys connected to the
computer.
The Full Encryption dashboard shows the encryption status for all computers, which computers support encryption,
which computers are encrypted, and which authentication methods are applied:
- Status
  - Enabled
  - No information
  - Error
  - Disabled
  - Error installing
  - No license
- Computers Supporting Encryption
  - Workstation
  - Laptop
  - Server
- Encrypted Computers
  - Encrypted Disks
Overview
For network administrators, it can be difficult to monitor the vast amount of data, logs, alarms, and notifications from
different systems and respond to immediate security threats from zero-day malware.
The Advanced Reporting Tool is a real-time monitor service that uses the information collected from your endpoints by
Adaptive Defense 360. It automatically generates security intelligence data and provides tools to detect and analyze
security threats. The Advanced Reporting Tool can also determine what network users do with their computers, such as
application installation and execution, and bandwidth usage.
Key Benefits
The key benefits of the Advanced Reporting Tool include:
Search
- Quickly perform advanced searches of the data generated by Adaptive Defense 360 to maximize visibility of
all events that occur on your network
- Access historical data to analyze resource security and usage indicators
- Get in-depth information to identify security risks and insider misuse of the network infrastructure
Diagnose
- Reduce the number of tools and data sources required to understand security issues on endpoint devices
and the use of corporate assets
- Extract resource usage and user behavior patterns to help shape your organization's usage and security
policies
Alert
- Send real-time alerts and notifications about security events on your endpoints and network
- Detect security issues and behavior or internal misuse of your networks as they happen
- Define custom alerts based on your own criteria
Report
- Generate detailed customized reports to help you analyze your company’s security infrastructure
- Identify misuse of corporate assets and find behavioral anomalies
- Show the status of key security indicators and track their evolution over time as you apply corrective actions
- Security Incidents — Shows malware detected across the network and related information about specific
infected endpoints.
- Application Control — Offers detailed information about the applications installed and run on your users'
computers.
- Data Access Control — Displays information about data that leaves your network so you can detect data leaks
and theft.
Alerts
You can configure alerts based on events that indicate a security breach or an infringement of your corporate data
management policy. The alert features include:
- Default alerts that indicate high-risk situations, and the ability to create custom alerts based on your own specific
criteria.
- Several delivery methods available to send alerts to recipients, such as email, HTTP-JSON, Service Desk, Jira,
Pushover, PagerDuty, and Slack.
- Anti-flooding settings to prevent alert floods.
Web Console
The Advanced Reporting Tool web console helps you to visualize the security status of your network, based on the data
gathered by Adaptive Defense 360.
Customized data panels and widgets enable you to view and analyze your security data based on your own
requirements and criteria.
Search Data
The search capabilities of the Advanced Reporting Tool enable you to:
Use the filters and data operations to quickly search for specific incidents, vulnerabilities,
applications, and computers. You can create alerts based on your data search query.
Adaptive Defense 360 organizes all the information it collects into knowledge tables. This page shows the knowledge
tables available for you to search.
Table                 Description
alert                 Shows the incidents displayed in the Activity panel of the Adaptive Defense dashboard.
install               Logs all the information generated when the Adaptive Defense 360 agent installs on users' computers.
monitoredopen         Logs the data files accessed by applications on users' computers, and the processes that accessed user data.
monitoredregistry     Logs every attempt to modify the registry, and includes registry access related to permissions, passwords, certificate stores, and other areas.
notblocked            Logs items that Adaptive Defense 360 did not scan because of exceptional situations, such as service timeout on start, configuration changes, and so on.
registry              Logs all operations performed on registry entries typically used by malicious programs to persist after a computer restarts.
socket                Logs all network connections established by the processes seen on the network.
toastblocked          Contains a record for each process blocked because Adaptive Defense 360 has not yet returned a relevant classification.
urldownload           Contains information on HTTP downloads performed by processes seen on the network.
vulnerableappsfound   Logs every vulnerable application found on each computer on the network.
Each row in the table is a monitored event. A set of fields provides the details of each event, such as when the event
occurred, the computer where it was detected, IP address information, and more.
Use the operations toolbar to filter the results or perform other data operations.
For example, based on the criteria you specify, you can create a new column, filter the data, and group data together.
You can also create alerts directly from your search query. For more information, see Configure Alerts.
This example filters the data to show only Windows computers, based on the endpoint machine name.
- Security Incidents
- Application Control
- Data Access Control
Security Incidents
The Security Incidents application dashboard enables you to analyze malware activity on your users' computers, and
generate baseline data for forensic analysis of malware incidents.
You can use security incident data to monitor malware detections and execution, and update your
organization’s security policies as required.
- Malware, exploits, potentially unwanted programs (PUPs), and anomalous processes detected and their
execution status.
- Endpoints with most infection attempts and detected malware.
- Endpoints with vulnerable applications.
This dashboard also provides visibility into the executed applications that are not authorized by your organization's IT
policies:
- Most and least frequently executed applications, such as script-based applications (PowerShell, Linux shell,
Windows cmd shell)
- Remote access applications, such as TeamViewer and VNC
- Unwanted freeware applications, such as Emule and torrent
Detailed Information
Provides detailed information about the security incidents caused by malware on your endpoints.
Application Control
The Application Control dashboard offers detailed information about the applications installed and executed on your
users' computers.
Use Application Control data to identify applications that are unwanted, unauthorized, unlicensed,
have known vulnerabilities, consume a high amount of bandwidth, or are scripting, remote
access, or system tools.
You can track the resource usage patterns of your users to enforce and enhance your organization's security policies:
IT Applications
Shows which applications have executed on your users' computers, and provides basic control of Microsoft
Office licenses in use on your network.
Vulnerable Applications
Indicates the vulnerable applications installed or executed on your users' computers. Use this chart to prioritize
these computers when you update software with known vulnerabilities.
Data Access Control provides information that enables you to track bandwidth usage, identify
data leaks, and monitor file access and execution activity.
User Activity
Displays information about network activity by authenticated users.
Bandwidth Consumers
Displays the application processes and users that used the most inbound and outbound network bandwidth.
Configure Alerts
With the Advanced Reporting Tool, you can configure alerts based on events that indicate a security risk or the
infringement of your corporate data management policy. Alerts help you to react quickly to immediate security risks,
without the need to continuously monitor Adaptive Defense 360 from the management console.
You can define the events that generate an alert, the delivery methods, the frequency of alerts (to
avoid notification floods), and powerful filters to modify alerts before they are sent. This helps you
identify the most critical security events you want the Advanced Reporting Tool to notify you
about.
You can customize the alerts system to configure the conditions that generate an alert, the frequency of alerts, and the
delivery method to alert recipients.
Create an Alert
Define the type of event from the knowledge table that generates an alert.
- Anti-flooding policy
- Delivery schedule and method
Create an Alert
Alerts are tasks that monitor active queries to find and report on specific events or conditions.
The system provides several default alerts that are generated by malware detection, bandwidth consumption, and
outbound data detection.
Default Alerts
You can manage the default alerts and the custom alerts you create. To manage alerts, select Administration > Alert
Configuration.
Custom Alerts
To create custom alerts, you can use the Data Search page to search for data and then apply a query filter based on
your specified criteria.
Open the required data table, then query the data with the operations and filters necessary to identify the alert condition.
For more information, see Search Data.
Click , then select New Alert Definition from the settings drop-down list.
Configure the alert parameters, such as the alert notification message summary, description, category tag, priority, and
the frequency (period and threshold) settings.
For example, if you configure the frequency with a period of 5 minutes and a threshold of 30, the
Advanced Reporting Tool does not send an alert until 30 events occur in the 5 minute period. If
60 events occur in that 5 minute period, a second alert is generated. When the period is
complete, the event counter resets.
You can send alerts in various ways, such as email, HTTP-JSON, Service Desk, Jira, Pushover, PagerDuty, and
Slack.
To configure delivery methods, select Administration > Alert Configuration, then select the Delivery Methods tab.
The default anti-flooding policy sends a single alert to a recipient up to five times in a period of one hour. If the event
persists, the recipient receives a reminder after another hour.
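The period/threshold frequency rule described under Custom Alerts and the default anti-flooding policy above, modelled as a small simulation. This is an added example, not Panda Security or WatchGuard code: the sample timestamps are constructed, and it assumes that a counting period opens at the first event after a reset and that the one-hour anti-flooding window starts at the first delivery to a recipient.

```python
"""Simulation of threshold-per-period alert generation and anti-flooding delivery.

Added example (not product code). Models the documented behaviour:
  * frequency: period of 5 minutes, threshold of 30 -> an alert every 30 events
    within the period; the counter resets when the period completes.
  * anti-flooding: a given alert goes to a recipient at most five times in one
    hour; if it persists, the recipient gets a reminder after another hour.
Window alignment and reminder timing are assumptions, marked below.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed base time for the sample events used in the demo and tests.
SAMPLE_START = datetime(2024, 1, 1, 9, 0, 0)


def sample_events(count: int, step_seconds: int, offset_seconds: int = 0) -> List[datetime]:
    """Constructed sample: `count` events `step_seconds` apart, starting offset_seconds after SAMPLE_START."""
    return [SAMPLE_START + timedelta(seconds=offset_seconds + i * step_seconds) for i in range(count)]


def minutes_after(minutes: int) -> datetime:
    """Constructed timestamp `minutes` after SAMPLE_START."""
    return SAMPLE_START + timedelta(minutes=minutes)


def generate_alerts(event_times: List[datetime], period_minutes: int, threshold: int) -> List[datetime]:
    """Return the timestamps at which the frequency rule generates an alert.

    Assumption: a period opens at the first event seen after a reset and closes
    period_minutes later; events arriving after the close start a fresh period
    with the counter at zero. An alert fires each time the count within the
    current period reaches a multiple of `threshold` (30 events -> 1 alert,
    60 events -> 2 alerts).
    """
    period = timedelta(minutes=period_minutes)
    alerts: List[datetime] = []
    window_start: Optional[datetime] = None
    count = 0
    for t in sorted(event_times):
        if window_start is None or t >= window_start + period:
            window_start = t  # period complete (or first event): counter resets
            count = 0
        count += 1
        if count % threshold == 0:
            alerts.append(t)
    return alerts


class AntiFlooding:
    """Default anti-flooding policy applied per (alert name, recipient) pair.

    Deliver at most `max_deliveries` copies of the same alert to a recipient
    within `window`; further occurrences in that window are suppressed.
    Assumption: the window starts at the first delivery, and if the alert is
    still occurring once a second `window` has elapsed, a reminder is delivered
    and a new window begins.
    """

    def __init__(self, max_deliveries: int = 5, window: timedelta = timedelta(hours=1)) -> None:
        self.max_deliveries = max_deliveries
        self.window = window
        # (alert_name, recipient) -> (window_start, deliveries_so_far)
        self._state: Dict[Tuple[str, str], Tuple[datetime, int]] = {}

    def should_deliver(self, alert_name: str, recipient: str, now: datetime) -> bool:
        key = (alert_name, recipient)
        start, sent = self._state.get(key, (None, 0))
        if start is None or now >= start + 2 * self.window:
            # First delivery, or the reminder after the suppressed hour.
            self._state[key] = (now, 1)
            return True
        if now < start + self.window and sent < self.max_deliveries:
            self._state[key] = (start, sent + 1)
            return True
        return False  # limit reached for this window, or inside the quiet hour


if __name__ == "__main__":
    # 60 events inside one 5-minute period -> two alerts, as the guide describes.
    fired = generate_alerts(sample_events(60, 5), period_minutes=5, threshold=30)
    print(f"alerts generated: {len(fired)} at {[t.strftime('%H:%M:%S') for t in fired]}")

    # Same alert raised every 5 minutes for an hour: only the first five are delivered.
    policy = AntiFlooding()
    delivered = [policy.should_deliver("malware", "soc@example.test", minutes_after(m)) for m in range(0, 60, 5)]
    print(f"deliveries in first hour: {delivered.count(True)} of {len(delivered)} occurrences")
    print(f"reminder at +2h delivered: {policy.should_deliver('malware', 'soc@example.test', minutes_after(120))}")
```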
To configure the anti-flooding policy, select Administration > Alert Configuration, select the Alert Policies tab, then
select Anti-Flooding Policy.
To configure the sending policy, select Administration > Alert Configuration, select the Alert Policies tab, then
select Sending Policy.
For example, you can change the priority of an alert to High if the event is a high priority security event that you want to
be quickly notified about, such as a high number of port scans in a specific period of time. A single alert can have one or
several post filters.
To configure post filters, select Alerts from the menu, then click the Post Filters tab.
Find an occurrence of the alert you want to create the post filter for. From the Actions column, open the menu, then
select New Filter.
These are the actions you can perform when the alert meets your specified criteria:
Alert Management
To view and manage your generated alerts, select Alerts from the menu.
Click the Alerts Dashboard tab to see the Alerts Overview widget that displays informative charts about generated
alerts, and the Alerts History widget that shows a list of generated alerts.
Click a filter or time range to filter the alerts. You can also click on a column to sort the alerts.
Data Control
Data Control is only supported in certain European countries. Although Data Control is included
in Endpoint Security Essentials technical training, there are no questions about Data Control on
the Endpoint Security Essentials technical certification exam.
If Data Control is not supported in your country, you do not need to complete this section.
This section describes how to use Data Control to collect detailed information about files that include PII (Personally
Identifiable Information). The Threat Intelligence Platform receives information from Data Control, processes and
enriches it, then sends it to the Advanced Visualization Tool for advanced visualization and presentation.
Features
Data Control includes these features:
Data Discovery
- Creates an inventory of unstructured files that includes personally identifiable information, along with the number
of times that each information type appears in order to assess its relevance
Data Monitoring
- Monitors actions carried out on PII files (data in use)
- Provides up-to-date inventory of the PII files found on each computer on the network (data at rest)
- Shows the history of attempts to copy or transfer files between computers (data in motion) as well as the means
used in the operation (email client, Web browser, FTP, etc.)
Data Visualization
- Real-time synchronization to the Data Control server to show the results of the discovery and continuous
monitoring of files
Supported Countries
- Germany
- Austria
- Belgium
- Denmark
- Spain
- Finland
- France
- Hungary
- Ireland
- Italy
- Norway
- Netherlands
- Portugal
- Sweden
- Switzerland
- United Kingdom
Network Administrator
The computer the network administrator uses to manage Data Control.
Dashboards/Applications
Relevant information for the IT team appears on the dashboard accessible from the web management console:
- PII file inventory — Provides a daily snapshot of files discovered on workstations and servers on the
network and compares their evolution over time.
- Files and machines with PII — Identifies PII files on the network, and shows the computers they are on
and the actions taken.
- User operations on PII files — Shows the operations that users take on PII files, and provides details of
the physical device they are on (hard disk, USB drive, etc.)
- Risk of PII extraction — Shows actions that could represent a leak of personal data.
- Raw data storage — Data Control monitors workstations and servers, along with security intelligence
information generated by the Adaptive Defense 360 server.
- Continuous storage — All processes are continuously monitored and the information sent for storage.
- Real-time storage — Data Control uses real time storage in the PII Knowledge Table as the base to
generate applications and charts in the Adaptive Visualization Tool, and enables you to filter and transform
that data into groups, organization, searches, etc.
Supported Platforms
Data Control supports these Microsoft Windows operating systems:
Key Concepts
Indexing Process
The indexing process inspects and stores the contents of files supported by Data Control, and generates an
inventory of PII files to enable content-based searches of files. Indexing processes have a low impact on
computer performance but might take considerable time. For this reason, you can schedule the start of the
indexing task or limit its scope to expedite the process and improve the results returned by searches.
File Searches
Data Control finds files by name, extension, or content on the indexed storage drives of computers on the
network. Searches run in real time — as soon as you launch a search task, it deploys to the target computers
and starts to send results before the task completes.
- Allow data searches on computers — Enables you to search for files by name or contents, if they are
previously indexed. When you select this option, Data Control starts to index the files stored on user
computers.
- Monitor personal data in email — Monitors the actions executed on personal data stored in email.
- Index text only — Only text is indexed unless it is part of an entity recognized by Data Control. With this option
selected, searches by content will be more limited. Index text only is recommended if you only want to generate
an inventory of PII files across the network.
- Index all content — Text and alphanumeric characters are indexed. Index all content is recommended if you
want to perform accurate content searches and generate an inventory of PII files across the network.
- Deployment Status — Shows computers where Data Control runs correctly and computers with errors. The
colored circles and associated counters show the status of the computer. The Deployment Status panel shows
computer status in graphical and percent form.
- Offline Computers
  - > 3 days
  - > 7 days
  - > 30 days
- Update Status
  - Updated
  - Pending restart
- Indexing Status
  - Indexed
  - Indexing
  - Not indexed
- Features Enabled on Computers
  - Searches
  - Monitoring
  - Inventory
- Files Deleted by the Administrator
  - Pending Deletion
  - Deleted
  - Pending Restore
  - Passport Numbers
  - Credit Card Numbers
  - Bank Account Numbers
  - Driver's License Numbers
  - Social Security Numbers
  - Email Addresses
  - IPs
  - First and Last Names
  - Addresses
  - Phone Numbers
Key Concepts
To successfully complete the Endpoint Security Essentials exam, you must understand these key concepts:
Exam Description
Content
50 multiple choice (select one option), multiple selection (select more than one option), true/false, and matching questions
Passing score
75% correct
Time limit
Two hours
Reference material
You cannot look at printed or online materials during the exam.
Test environment
This exam is proctored through Kryterion, with two testing options:
Prerequisites
The Endpoint Security Essentials technical exam focuses heavily on applied knowledge and troubleshooting of
the product. We strongly recommend you take available courses and practice with the product before you take
the exam.
Instructor-Led Training
To get hands-on experience, we recommend that you attend an instructor-led training class. Classes are often held in-
region, sponsored by sales or a local WatchGuard distributor. We also offer complimentary VILT technology-based
training classes for partners. WatchGuard end-users can register for a class with our network of WatchGuard Certified
Training Partners (WCTPs).
Self-Study Course
WatchGuard offers online and video-based courseware that you can study to help you prepare for the exam. To prepare
for this exam, complete the Endpoint Security Essentials course.
The Endpoint Security Essentials courseware is available on the WatchGuard Portal (login required). To see the
content:
n Partners — Log in to the Learning Center and go to Technical Training > Endpoint Security > Endpoint Security
Essentials.
n End users — Go to the Courseware page in WatchGuard Support Center.
Assessment Objectives
The Endpoint Security Essentials Exam evaluates your knowledge of the categories in the list below. For each
category, the Weight column indicates the approximate percentage of exam questions from that category.
Some exam questions require skills or knowledge from more than one category. The weight
does not correspond exactly to the percentage of exam questions.
Endpoint Security Technology Basics (weight 15%)
Understand the cyberthreat context and the evolution in Endpoint Security technologies that define our protection
model.
n Threats
n Protection models
n Multi-layered detection technologies
Adaptive Defense 360 (weight 45%)
Understand the Adaptive Defense 360 protection cycle, learn how to install, deploy, and configure the protection, and
manage the security of your network from the web console.
Advanced Reporting Tool Basics (weight 15%)
Interpret the Advanced Reporting Tool dashboards and the specific information they provide about your network.
n Web console data panels and widgets to view and analyze security data
n Advanced searches of the data generated by Adaptive Defense 360 and other events
n Preconfigured application dashboards to analyze security incidents and to control IT applications, vulnerable
applications, bandwidth-consuming applications, and special applications or tools
Patch Management Basics (weight 20%)
Understand how to use Patch Management to find and update computers on the network with known software
vulnerabilities.
n Requirements
n Dashboards, lists, end-of-life programs, available patches, filters, and actions menus
n Download, install, and uninstall patches
n Settings (Windows updates, automatic search, frequency, criticality, etc.)
Full Encryption Basics (weight 20%)
Understand how to use Full Encryption to manage encryption on network computers protected with Adaptive Defense
360.
n Encryption concepts (TPM, PIN, passphrase, USB, key, recovery key, etc.)
n Supported authentication types
n Supported storage devices
n Requirements (operating system versions and hardware)
n Settings
n Dashboards and lists
Questions
1. Which of the following statements about Full Encryption are false? (Select four.)
a. The recovery keys are 32 characters long.
b. All encrypted volumes have the same recovery key.
c. The console does not display the recovery keys for computers encrypted by users.
d. The computer asks you for the recovery keys if you forgot the password.
e. The recovery keys are stored locally on each computer.
f. The recovery keys can be reset by booting into Safe Mode.
2. To install Adaptive Defense 360, you must make sure your network computers have required ports open.
a. True
b. False
3. With Adaptive Defense 360, you can schedule reports but not run reports on demand.
a. True
b. False
4. You activate new Adaptive Defense 360 licenses from WatchGuard Support Center.
a. True
b. False
5. Adaptive Defense 360 includes several remediation actions for a computer or group of selected computers. From
this list, select the valid remediation options. (Select five.)
a. Scan computer
b. Reinstall protection
c. Send to quarantine
d. Restart computer
e. Isolate
f. Reinstall agent
g. Disinfect
h. Log off user
6. With Patch Management, what AD360 configuration option can you use to prevent the installation of a patch on a
specific computer?
a. Isolate computer
b. Uninstall patch
c. Quarantine computer
d. Exclude computer
e. Schedule installation
7. In Advanced Reporting Tool, which of these settings do you configure in a sending policy for alerts? (Select
three.)
a. Anti-flooding policy
b. Post filter
c. Delivery schedule
d. Delivery method
8. You can install Adaptive Defense 360 and Patch Management on the same computer.
a. True
b. False
9. Fileless malware is extremely dangerous because it encrypts the user drive.
a. True
b. False
10. A customer in your organization reported that they see a Protection Error when they open Adaptive Defense 360
on their local computer. What PSInfo tools can you use to try to resolve the error? (Select two.)
a. Force Sync
b. Repair Protection
c. Enable/Disable Advanced Logs
d. Panda URL Checker
e. PSErrorTrace
f. Advanced Firewall Technology
Answers
1. a, b, e, and f
2. True
3. False
4. True
5. a, b, d, e, and f
6. d
7. a, c, and d
8. True
9. False
10. a and b
Additional Resources
This guide provides a summary of the basic information covered in training classes, videos, and product documentation.
To increase your skills and knowledge, we recommend that you get hands-on practice with the products and review
other technical resources. This appendix provides a list of additional resources but you should explore the product
documentation for additional details beyond the suggested topics.
n Partners — Log in to the Learning Center and go to Technical Training > Endpoint Security > Endpoint
Security Essentials.
n End users — Go to the Courseware page in WatchGuard Support Center.
For a list of additional resources for each section of this guide, see:
n Overview chapter
https://www.pandasecurity.com/rfiles/enterprise/solutions/adaptivedefense/latest/ADAPTIVEDEFENSE360oAP-guide-EN.pdf
Online Help:
To interpret the information in the management console accurately and draw conclusions that help to bolster
corporate security, certain technical knowledge of the Windows environment is required with respect to processes,
the file system, and the registry, as well as an understanding of the most commonly used network protocols. The
primary audience for the guide is network administrators who manage corporate IT security.
http://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm
Knowledge Base
https://www.pandasecurity.com/en/support/busqueda_completa_enterprise?idIdioma=2&idSolucion=212&idProducto=196&idArea=1
Overview
Administration Guide:
n Overview chapter
https://www.pandasecurity.com/rfiles/enterprise/solutions/adaptivedefense/latest/ADAPTIVEDEFENSE360oAP-guide-EN.pdf
Online Help:
n http://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm
Knowledge Base:
n Information regarding non-validated accounts for Panda Cloud products and services
n How to enable and configure Two Factor Authentication in Panda Adaptive Defense and Endpoint Protection
products?
n Frequently Asked Questions regarding the Panda Account in Panda Cloud products
n How can I access the Web console of Adaptive Defense and Endpoint Protection products?
Online Help:
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/v10/en/index.htm#t=033.htm
Knowledge Base:
n How to create an image for Windows persistent and non-persistent environments (VDI) with products based on
Aether Platform
n How to uninstall products based on Aether platform in Windows, Linux, macOS and Android
n Can I install Adaptive Defense 360 on Aether on computers with Adaptive Defense and Endpoint Protection
products?
n How does the automatic discovery of computers work in Aether-based products?
n How to fix errors in the protection and agent of products based on Aether Platform?
n How to install the agent of products based on Aether Platform in Windows, Linux, MacOS and Android?
n Which programs are automatically uninstalled by Adaptive Defense and Endpoint Protection products?
Requirements
n List of compatible browsers to access the console of products based on Aether Platform
n Installation requirements of products based on Aether Platform for macOS platforms
n URLs and ports required for products based on Aether Platform to communicate with server
n Requirements for the discovery of computers and remote installation in products based on Aether Platform
n Requirements for the proxy and language settings in products based on Aether Platform
n Installation requirements of products based on Aether Platform for Android platforms
View Status
Online Help:
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=126.htm
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=130.htm
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=178.htm
View Computers
Online Help:
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=047.htm
Knowledge Base:
n How can you manage the computers and devices of your organization? Filters, My organization and Active
Directory
n How do manual and automatic assignment of settings work in products based on Aether Platform?
n How does the automatic assignment to groups by IP work in Aether?
n What is the RAM unit to be entered when you create a filter in Aether Platform?
Settings
Online Help:
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=074.htm
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=207.htm
Remediation Tools
Online Help:
n https://www.pandasecurity.com/enterprise/downloads/docs/product/help/adaptivedefense360/latest/en/index.htm#t=205.htm
Troubleshooting
Knowledge Base:
Installation Errors
n Error messages during the installation or upgrade of products based on Aether Platform
n Communication error when installing a product based on Aether
n Error messages upon discovering computers and installing remotely in Aether-based products
n Error 12175 during the installation of the protection of products based on Aether Platform
n Information regarding non-validated accounts for Panda Cloud products and services
n How to report issues related to products based on Aether Platform from the console?
Windows
n How to integrate a TDR Host Sensor with a host running Panda Security
n Creating exclusions for products based on Aether Platform
n List of Adaptive Defense/Endpoint Protection details to exclude from system or computer restore software
n How to set up a password against unauthorized protection tampering?
Android
n How to report an issue in Android devices protected with products based on Aether Platform?
n How to install the protection from an EMM compatible with the Android Enterprise features in products based on
Aether
Knowledge Base
https://www.pandasecurity.com/en/support/busqueda_completa_enterprise?idIdioma=2&idSolucion=219&idProducto=203&idArea=1
Administration Guide
https://www.pandasecurity.com/rfiles/enterprise/solutions/adaptivedefense/latest/ADAPTIVEDEFENSE360oAP-guide-EN.pdf
Knowledge Base
https://www.pandasecurity.com/en/support/busqueda_completa_enterprise?idIdioma=2&idSolucion=220&idProducto=204&idArea=1
Administration Guide
https://www.pandasecurity.com/rfiles/enterprise/solutions/adaptivedefense/latest/ADAPTIVEDEFENSE360oAP-guide-EN.pdf
Knowledge Base
https://www.pandasecurity.com/en/support/busqueda_completa_homeusers?idIdioma=2&idSolucion=218&idProducto=202&idArea=1
Knowledge Base
https://www.pandasecurity.com/en-us/support/advanced-reporting-tool.htm
Videos
https://www.youtube.com/watch?v=knHOKAijof8
Data Search
Online Help:
n Search data
n Building a query
n Working in the search window
Knowledge Base:
n How to get updated information about a file's classification in Advanced Reporting Tool
Advanced Reporting
Alerts
Administration Guide:
n Chapter 6: Alerts
http://resources.pandasecurity.com/enterprise/solutions/adaptivedefense/ADVANCEDREPORTINGTOOL-Guide-EN.pdf
Knowledge Base:
n How to modify and disable the Advanced Reporting Tool predefined alerts
Online Help
http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm
Overview
Administration Guide:
n Part 1: Introduction to Panda Partner Center and Access and Authorization in Panda Partner Center chapter
http://documents.managedprotection.pandasecurity.com/AdvancedGuide/PARTNERCENTER-Manual-EN.pdf
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=001.htm
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=015.htm
License Management
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=029.htm
Status
Administration Guide:
n Part 2: The Management Console and Client Management chapter > Monitoring Clients section
http://documents.managedprotection.pandasecurity.com/AdvancedGuide/PARTNERCENTER-Manual-EN.pdf
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=007.htm
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=027.htm
Clients
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=023.htm
Settings
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=059.htm
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=066.htm
Reports
Administration Guide:
n Reports chapter
http://documents.managedprotection.pandasecurity.com/AdvancedGuide/PARTNERCENTER-Manual-EN.pdf
Online Help:
n http://documents.managedprotection.pandasecurity.com/Help/v77000//Partners/en-us/index.htm#t=077.htm