WatchGuard Support Center

Knowledge Base - Article

 How to prevent ransomware and other malicious malware with your Firebox

How do I prevent ransomware such as CryptoWall and CryptoLocker and other types of similar malicious malware?
Ransomware is a type of malware that spreads through phishing emails containing malicious attachments or download links. If ransomware infects your computer, it can encrypt your files making them inaccessible, then display a message that you must pay to obtain the encryption key to decrypt your files.

To protect your network and computers from ransomware and other similar types of malicious malware, you must use a layered defense strategy and enable several of the services available on your Firebox.

In addition to using the services on your Firebox, you should also perform these basic security tasks:
  • Make sure you have an aggressive backup and recovery strategy to recover infected or lost files.
  • If you allow users to bring their own devices to your network environment, make sure they are segmented into a separate area of the network and you only allow the specific protocols and ports needed for them to perform their jobs.
  • Run antivirus software on all your client endpoints.

For more information, see:

Use Your Firebox to Prevent Malicious Malware

Use these security subscription services together on your Firebox to help prevent ransomware and other malicious malware from entering your network.

Signature Updates

  • Make sure the signatures or updates for Gateway AntiVirus, IntelligentAV, Botnet Detection, IPS, and Application Control are up to date.
  • Enable automatic updates for all your security services.
For more information, see Subscription Service Update Server.


Intrusion Prevention Service (IPS)

IPS uses signatures to provide real-time protection against network attacks.
  • Enable IPS on all outbound policies, especially the default Outgoing policy if your configuration includes it.
  • Make sure your IPS signatures are up to date. IPS signatures are always changing to keep up with new threats, and you can enable automatic signature updates so that you always have the latest version of signatures. You can search and view the current WatchGuard threat database at
  • In some high security environments you might want to use a more aggressive action for Critical and High threat levels, and set them to Block. The Block action adds the source of the IPS intrusion to the Blocked Sites List for 20 minutes.
  • Select the Alarm and Log check boxes for each threat level so that you receive email notifications when a malware threat is detected.
You can choose from two different scan modes:
  • Full Scan — Scan all packets for policies that have IPS enabled.
  • Fast Scan — Scan fewer packets to improve performance. This option greatly improves the throughput for scanned traffic, but does not provide the comprehensive coverage of Full Scan mode. This is the default setting.
In Fireware OS v11.8 and higher, Fast Scan is the default scan mode for IPS. In environments with high value data, you can switch to Full Scan mode. Performance will be affected when you use the Full Scan option. 

For more information, see Configure Intrusion Prevention.

Application Control

Application Control enables you to monitor and control the use of applications on your network.
  • Enable Application Control on all outgoing policies including the default Outgoing policy if your configuration includes it. 
  • The Crypto Admin application in the Network Protocols (2) category detects CryptoWall, CryptoLocker, and their variants. Make sure you set the action for this application to Drop.
  • We recommend that you also block access to these applications that can spread malicious malware:
      • BitComet
      • BitLord
      • BitTorrent Series
      • aMule
      • easyMule
      • eMule
      • eMule Plus
For more information, see Configure Application Control.


WebBlocker

WebBlocker enables you to restrict the websites that are available to your users. WebBlocker uses the WebBlocker Cloud service that contains 130 website categories.
  • To protect your web traffic, enable WebBlocker on your HTTP and HTTPS proxy policies.
  • To block access to malware sites, make sure that you select the Deny action for all subcategories in these two WebBlocker categories:
      • Extended Protection
      • Security
For more information, see Configure WebBlocker.

Gateway AntiVirus

Gateway AntiVirus prevents viruses from entering your network through an email message, web, or FTP traffic.
  • Enable Gateway AntiVirus on your HTTP, FTP, SMTP, POP3, IMAP, and TCP-UDP proxy policies.
  • Make sure your Gateway AntiVirus signatures are up to date. Enable automatic signature updates so that you always have the latest version of signatures.
  • In the HTTP Response > Content Types proxy action settings for Gateway AntiVirus, make sure you set the action to AV Scan for pdf, javascript, and shockwave-flash content types. 
  • In the HTTP Response > Body Content Types proxy action settings for Gateway AntiVirus, make sure you set the action to Deny or AV Scan for .exe files.
  • For each proxy, we recommend you add similar file types that can contain malware such as scripts, Windows system files, and office application macros.
For more information, see Configure the Gateway Antivirus Service.


IntelligentAV

IntelligentAV uses artificial intelligence and machine learning to identify and block known and unknown malware.
  • If your Firebox supports IntelligentAV, enable it in the IntelligentAV settings.
  • Make sure you have the latest IntelligentAV updates. Enable automatic updates so that you always have the latest version.
For more information, see Enable IntelligentAV.

Reputation Enabled Defense

Use Reputation Enabled Defense on your HTTP-proxy policies to block access to URLs with poor reputations.

In an HTTP proxy action, in the Reputation Enabled Defense category:
  • Select the Immediately block URLs that have a bad reputation check box.
  • Select the Alarm and Log check boxes to enable notifications and logging for reports.
For more information, see Configure Reputation Enabled Defense.

APT Blocker 

APT Blocker uses cloud-based scanning of files to detect zero-day malware. The APT Blocker subscription service is included in the Total Security Suite.
  • Enable APT Blocker on your HTTP, FTP, SMTP, and POP3 proxy policies.
  • Make sure that the High, Medium, and Low threat levels use the default action of Drop.
  • To receive a notification by email when APT malware is detected and to log the event for reports, select the Alarm and Log check boxes.
For more information, see Configure APT Blocker.


spamBlocker

spamBlocker uses a combination of rules, pattern matching, and sender reputation to accurately identify and block spam messages.

  • Enable spamBlocker on your SMTP, IMAP, and POP3 proxies.

For more information, see Configure spamBlocker.
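
The per-policy recommendations above (IPS through spamBlocker) can be checked against a policy inventory. This is an added example, not WatchGuard code: the inventory is a hand-built list, not a Firebox export format, and the field names (`proxy`, `direction`, `services`, `crypto_admin_action`, `apt_actions`) are assumptions.

```python
# Services this article says to enable, per proxy policy type.
RECOMMENDED = {
    "HTTP": {"WebBlocker", "Gateway AntiVirus", "Reputation Enabled Defense", "APT Blocker"},
    "HTTPS": {"WebBlocker"},
    "FTP": {"Gateway AntiVirus", "APT Blocker"},
    "SMTP": {"Gateway AntiVirus", "APT Blocker", "spamBlocker"},
    "POP3": {"Gateway AntiVirus", "APT Blocker", "spamBlocker"},
    "IMAP": {"Gateway AntiVirus", "spamBlocker"},
    "TCP-UDP": {"Gateway AntiVirus"},
}
# IPS and Application Control: every outbound policy, proxy or packet filter.
ALL_OUTBOUND = {"IPS", "Application Control"}

def audit(policies):
    """Return {policy name: [findings]} for policies that miss a recommendation."""
    findings = {}
    for p in policies:
        enabled = set(p.get("services", ()))
        required = set(RECOMMENDED.get(p.get("proxy"), ()))  # copy, never mutate the table
        if p.get("direction") == "outbound":
            required |= ALL_OUTBOUND
        gaps = [f"enable {s}" for s in sorted(required - enabled)]
        if "Application Control" in enabled and p.get("crypto_admin_action") != "Drop":
            gaps.append("set Application Control action for Crypto Admin to Drop")
        if "APT Blocker" in enabled:
            for level in ("High", "Medium", "Low"):
                if p.get("apt_actions", {}).get(level) != "Drop":
                    gaps.append(f"set APT Blocker {level} action to Drop")
        if gaps:
            findings[p["name"]] = gaps
    return findings

SAMPLE = [  # constructed inventory for illustration
    {"name": "Outgoing", "proxy": None, "direction": "outbound",
     "services": ["IPS"]},
    {"name": "HTTP-proxy", "proxy": "HTTP", "direction": "outbound",
     "services": ["IPS", "Application Control", "WebBlocker", "Gateway AntiVirus",
                  "APT Blocker", "Reputation Enabled Defense"],
     "crypto_admin_action": "Drop",
     "apt_actions": {"High": "Drop", "Medium": "Drop", "Low": "Allow"}},
    {"name": "SMTP-proxy-in", "proxy": "SMTP", "direction": "inbound",
     "services": ["Gateway AntiVirus", "spamBlocker", "APT Blocker"],
     "apt_actions": {"High": "Drop", "Medium": "Drop", "Low": "Drop"}},
]

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE).items():
        print(f"{name}: " + "; ".join(gaps))
```

Global settings such as Botnet Detection, TDR, and DNSWatch are not per-policy and are outside this check.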


Botnet Detection

With Botnet Detection, your Firebox automatically blocks connections to known IP addresses used by botnets to control infected workstations.

  • Enable Botnet Detection in your configuration.
  • Make sure your Botnet Detection database is up to date. Enable automatic updates so that you always have the latest version.
To learn more, see About Botnet Detection.

Threat Detection and Response (TDR)

TDR Host Sensors for Windows include Host Ransomware Prevention (HRP), which can identify and automatically quarantine files and stop processes with malicious behavior that is characteristic of ransomware.  

  • Enable TDR on the Firebox and install the TDR Host Sensor on hosts.
  • In the TDR Host Sensor Settings, configure the Host Ransomware Protection Mode on Host Servers setting to Prevent.
For more information, see About Host Ransomware Protection.



DNSWatch

DNSWatch monitors DNS requests through the Firebox to prevent connections to known malicious domains.

Before you enable DNSWatch, it is important to understand how it works with other DNS settings in your Firebox configuration, and to plan how it will integrate into your network. For more information, see About DNSWatch.


WatchGuard Cloud and Dimension

Use the WatchGuard Cloud or Dimension dashboards, logs, and reports to monitor for malware activity. The Security Dashboard provides an overview of blocked malware.
