WatchGuard Panda Adaptive Defense 360

Although it was recently rebranded when its parent company, Panda, was acquired by WatchGuard Technologies, Adaptive Defense 360 remains a great endpoint protection solution. It's fully cloud-managed and supports Windows, macOS, Linux, and Android devices. While Apple’s iOS is left out, that's a forgivable sin, since Apple offers third-party developers very little support here.

A defining characteristic of Adaptive Defense 360 is its "Zero-Trust" protection model. While traditional endpoint protection products will generally let a normal-looking program launch unless it matches a known malware signature and will only quarantine it once it starts doing unsavory things, Watchguard assumes every program is suspect by default. It will only allow a program to run after it has fully analyzed it (up to and possibly including detonating it in a sandbox to see what it does) and given it the green light). 

However, Adaptive Defense 360's strength can also be its Achilles heel. Because of its Zero-Trust policy, it also produces the most false positives when compared to similar products. It's also a little on the pricey side, all of which combines to keep it just inches behind our Editors' Choice winners in this space, Bitdefender GravityZone Ultra, F-Secure Elements, and Sophos Intercept X.

WatchGuard Panda Adaptive Defense 360 Pricing and Plans

WatchGuard Adaptive Defense 360 starts at $69 per user per year. However, this is only for its baseline endpoint feature set. There's a wide variety of other add-ons or pricing tiers, and unfortunately, WatchGuard doesn't disclose most of them on its website. For example, patch management is available as an add-on for $24 per license, and you can have full encryption for another $18 per license. Additionally, WatchGuard also mixes various features in different packages, which also have different pricing. So while you can get Panda Patch Management for the price above, you can also get it as part of Panda Fusion 360 along with several other IT security tools. Your price will differ depending on how you buy it.

Compared to other competitors in this roundup, this a la carte pricing style can make WatchGuard an expensive choice. With its base price already hitting almost $70 per endpoint per year, making necessary add-ons into extra-cost options—especially patch management, encryption, and advanced reporting—doesn't do WatchGuard any favors in the value department. Especially when you compare it to our Editors' Choice winners, like Bitdefender, which boasts a comprehensive feature set including encryption and reporting for $57 per user per year. Similarly, Sophos Intercept X offers comparable features but sells for between $20 and $40 per user per year.

Getting Started

The first thing you see when you log in is the WatchGuard Cloud dashboard. From here, you can manage all your WatchGuard services, activate licenses, and navigate between products. When you click through to Endpoint Protection, it begins with the Security tab and displays a dashboard detailing the most important items about your protection status. Graphs of infection frequency are grouped into the categories of Viruses and Spyware, Hacking Tools, Phishing Attempts, Suspicious Items, and Other. There is also a handy set of indicators at the top that show which computers have not connected to the cloud recently and are potentially running with outdated protection. With the added drill-down capabilities of the graphs, we found Adaptive Defense 360 struck the right balance of aesthetics and functionality.

The next option down on the left-hand side is Web Access. This is a section that details the kinds of websites your users are visiting and whether those sites were blocked. For a company that's only just starting to manage web access control, this is a handy way to get a feel for what categories need focus when setting policies.

Next down is the Indicators of Attack page. This is a new feature that goes beyond simple virus and malware scanning. It uses data from your endpoints to attempt to determine whether a person or program is engaging in behavior that could indicate an attack. While the system doesn't deal with these potential threats automatically, it’s good to keep an eye on this page to monitor suspicious activity and decide whether further investigation is required. Each indicator is broken down into a MITRE Matrix, which lays out the full process of attack from initial access to final impact.

It's not included in the core product, but it's worth noting that patch management is extremely easy to use. The UI shows a chart of Windows computers that are being tracked, as well as the number of available patches. By clicking on Available Patches, you can check the ones to apply for each system and either install them immediately or schedule them for later. In addition, you can get a better idea of the attack surface that your unpatched software is providing by clicking View for currently exploited vulnerabilities. Although it's unfortunate that patch management is an additional cost, this is not unusual. Avast Business Pro Plus’ patch management is similarly an add-on, but it's also cheaper.

The Computers tab reveals a group-based device management UI. You can easily add devices by downloading the client or emailing a link to a new user. You can also track licenses from here, so if the number of systems added exceeds the current license allotment, you can take action. Systems can be collected together into groups and subgroups. You can then apply policies to those groups, rather than to individual systems. This is very similar to how F-Secure and Bitdefender both operate.

The Settings tab lets you add and edit policies that apply to groups of devices. Each policy contains a well-thought-out series of options. Basic settings such as scheduled scans, updates, and alerts can all be configured from the corresponding operating system option. Windows, Linux, macOS, and Android each have their own individual controls. The Antivirus section offers the option of enabling or disabling various file, mail, and web protection settings. The firewall, likewise, has most of the options you would expect. You can configure it to allow specific apps, or to block or allow network activity based on custom rules. There are also many smart intrusion prevention settings that you can enable or disable, depending on your needs.

Device control is also easy to configure. It’s divided into six categories: Removable storage, mobile devices, CD/DVD/Blu-ray drives, image capture, Bluetooth, and modems. You can explicitly allow or block each category, but you can also allow specific devices without restrictions if blocking an entire category is too overbearing. It would have been nice to see a denylist here as well, but overall, this configuration works.

Multiple Levels of Security

Worthy of note are the three modes that WatchGuard can run in:

• Audit mode just watches and takes notes, without taking any protective action. It's really only useful for testing performance, so we were glad to see that it's no longer the default.
• Hardening mode treats any executable originating outside the network as suspicious. The executable will remain blocked until it is flagged as goodware by WatchGuard’s Zero-Trust Service in the cloud.
• Locked mode goes one step beyond Hardening. Any executable at all that is not known and trusted will be blocked until proven good. Using this mode puts WatchGuard in its most battle-hardened state.

You can set these operating modes by applying policies to servers and workstations. As of this version, Hardening mode is the default.

While WatchGuard claims that its approach makes malware attacks a thing of the past, it also rather narrowly defines malware as binary executables. These days, malware can take many forms, including scripts for various scripting engines. The problem here is that a scripting engine may have been classified as goodware, but the scripts it executes could still be malicious. Fortunately, Watchdog has begun to roll protection from script-based attacks into its detection engine, as evidenced by our tests.

A few other features are also worth mentioning. Like most solutions, Adaptive Defense 360 allows you to isolate infected machines from the rest of the network, which is helpful to keep an infection from spreading. More notable is its Data Protection module, which scans files for personally identifiable information—such as names, bank and credit card numbers, IP addresses, passport numbers, and so on—so that you can control how that data is transmitted and stored via policy. This can be a huge aid in complying with data privacy laws, such as the EU's General Data Protection Regulation (GDPR).

And then there's reporting. Adaptive Defense 360's reporting capabilities are a bit odd. You have the ability to run and schedule reports, but there are only two types. The first is a list of devices based on a filter, which could be a specific OS, a certain piece of software, or a specific system type. The other is an "Executive Report," which is a conglomeration of every dashboard and indicator in Watchguard. While neither report lacks for detail, there's no way to drill down to specific details that you might care about. We'd have liked to see much more attention given to reporting.

Threat Performance Testing

To measure Adaptive Defense 360's performance, we used a standard set of tests for endpoint security products.

First is a simulated phishing attack. For this, we tested 10 verified phishing links from PhishTank. No additional setup was required aside from ensuring the policy had web access control enabled, since Adaptive Defense 360 doesn’t require a browser plugin. All 10 websites were blocked by Watchguard.

We next launched browser-based attacks using Metasploit’s Autopwn 2 feature and a known vulnerable version of Chrome with the Java 1.7 runtime installed. The goal of these attacks was to gain a remote shell, one of the most serious exploits. Fortunately, none succeeded.

Our third attack involved a compromised binary of Windows Calculator with a standard Meterpreter binary smuggled inside of it. Our plan was to try to execute it, but Adaptive Defense 360's aggressive Zero-Trust policy wouldn't even let us copy it to the desktop. The same was true of a collection of Veil 3.0-encoded Meterpreter binaries that included PowerShell, Auto-IT, Python, and Ruby, among others. Our attempts to execute them were thwarted before we could even load them onto the test system.

For our last test, we disabled network connectivity on our VM, extracted a set of known malware executables called TheZoo, and tried to run them. While WatchGuard quarantined all of them before they could run, we did have to extract each compressed zip file before WatchGuard would recognize the malware. As part of this test, we also isolated the machine and tried to run several versions of the CryptoLocker ransomware. We were pleased to see that all of the variants were blocked on or before execution.

Among third-party research, AV-Comparatives tested Panda in its September of 2021 Malware Protection Test and the results were acceptable but a little unnerving. Panda only had a 50.3% offline detection rate, paired with an 83.5% overall detection rate, which suggests it's not the best at spotting threats before they become active. That said, it did score a 99.93% overall protection rate. That's because Adaptive Defense 360 is actually very good at blocking malicious behaviors and eliminating malware after it launches, so it never has a chance to do actual harm. You'll have to gauge your own comfort level with this approach.

The system also took a knock because of an unusually large number of false positives. To be fair, erring on the side of caution is fully in keeping with the Zero-Trust concept, but it might mean you spend more time manually authorizing programs than you would with another product.

Great Protection But Pricey

WatchGuard Panda Adaptive Defense 360 is a unique product that is trying to promote a new philosophy of endpoint protection. While it does a good job of blocking the damaging effects of malware, its approach might make you nervous if you'd prefer to have malware recognized before it runs. You also run the risk of false positives because of the Zero-Trust environment. That said, if Adaptive Defense 360 has been on your radar for a while, the latest version brings many improvements to its ability to detect script-based attacks and an easy UI for authorizing applications. If you demand the strictest possible security levels, it may well be the product for you. If you'd prefer a more traditional approach to endpoint security, on the other hand, you should look to our three Editors' Choice winners.