In this article, you will learn everything you need to know about the Next-Gen Antivirus with XTP module.
Next-Gen Antivirus with XTP is a two-part change: the default engine of the Heimdal Next-Gen Antivirus switches from Avira to Microsoft Windows Defender, and the new Heimdal XTP engine is added as an extra layer of protection. The engine switch was made to leverage more native Windows OS capabilities. The XTP engine adds Extended Threat Protection (XTP) capabilities to the current Next-Gen Antivirus: evidence-based information about sophisticated cybersecurity risks, a holistic view of weaknesses categorized by MITRE ATT&CK tactics and techniques and, ultimately, state-of-the-art protection. Some settings from the previous Avira engine, such as heuristics and real-time protection data, are removed with the switch to Windows Defender, which does not provide them. The base detection engine enhancements depend on the operating system version your machines run: they are available on Windows 10 and Windows 11 for endpoints, and on Windows Server 2016, Windows Server 2019 and Windows Server 2022 for servers. The XTP component is compatible with all operating system versions. The new base engine and the XTP component integrate with the NGAV product, and with the Heimdal unified product suite as a whole, the same way as before; NGAV remains complementary to Threat Prevention, Privileged Access Management and all other Heimdal services.
HOW DOES THE NEW NEXT-GEN ANTIVIRUS WITH XTP WORK?
Next-Gen Antivirus with XTP includes real-time malware protection, which runs in the background on a system, searching for threats downloaded from the internet. It detects threats when they reach the point of infection and it also includes on-demand scanning, which searches for offline threats introduced via USB or network drive and malware that already exists on the system. Next-Gen Antivirus uses various methods to detect and prevent malware from infecting your device, such as these:
- Signature-based detection: Signature-based detection is one of the oldest forms of antivirus protection. It compares files coming into devices to known malware, looking for signature matches. For the software to be effective, the antivirus database must stay up to date with the latest malware.
- Heuristic-based detection: Heuristic-based detection is similar to signature-based detection in that it scans incoming files and programs for matches to known malware. However, while signature detection looks for exact matches, heuristic detection looks for similar tendencies or patterns in a file’s code. As a result, it catches malware that signature detection may have missed.
- Behavior-based detection: This form of detection examines how files and programs act, looking for anything out of the ordinary.
On top of that, Extended Threat Protection (XTP) collects events according to the system's audit policies. The XTP engine analyzes these events and can tell when a suspicious event occurred. The product gathers this information from every computer in your environment through the Heimdal XTP service and compares it against the 1400+ Sigma rules mapped to the MITRE ATT&CK knowledge base. For each rule the endpoint does not comply with, it gives you a description of the rule and a short mitigation for the issue. XTP uses the Sysmon Windows add-on to log events, which may conflict with other applications that also rely on Sysmon.
If you use Next-Gen Antivirus with XTP alongside incompatible applications, those applications may not work properly and operating system errors may occur. We recommend removing such applications before turning on Next-Gen Antivirus with XTP. The known incompatibilities are listed below:
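To show how a Sigma rule is evaluated against Sysmon-style events and mapped to an ATT&CK technique, here is an added, self-contained example; it is not Heimdal XTP code, and the rule, the field names and the event records are constructed for illustration (the real engine applies 1400+ such rules, with a much richer condition language).

```python
# Added illustration, not Heimdal XTP code: constructed rule in Sigma layout (named selections, condition, ATT&CK tags).
RULE = {
    "tags": ["attack.execution", "attack.t1059.001"],
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe", "CommandLine|contains": "-enc"},
        "filter": {"ParentImage|endswith": "\\approved_deploy.exe"},
        "condition": "selection and not filter",
    },
}
# Constructed Sysmon Event ID 1 (process creation) records, already parsed into dicts.
EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA", "ParentImage": "C:\\Tools\\approved_deploy.exe"},
    {"id": 3, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
]
MODIFIERS = {"contains": lambda v, e: e in v, "endswith": str.endswith,
             "startswith": str.startswith, "": str.__eq__}

def field_matches(event, key, expected):
    """Check one 'Field|modifier': value pair of a selection against the event (case-insensitive)."""
    field, _, modifier = key.partition("|")
    return MODIFIERS[modifier](str(event.get(field, "")).lower(), str(expected).lower())

def evaluate_condition(condition, truth):
    """Evaluate 'a', 'a and b', 'a and not b', 'a or b' left to right (no parentheses)."""
    result, op, negate = None, "and", False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            val = truth[tok] != negate  # apply a pending 'not'
            negate = False
            result = val if result is None else (result and val if op == "and" else result or val)
    return bool(result)

def rule_matches(rule, event):
    det = rule["detection"]
    truth = {name: all(field_matches(event, k, v) for k, v in sel.items())
             for name, sel in det.items() if name != "condition"}
    return evaluate_condition(det["condition"], truth)

def scan_events(rule, events):
    """IDs of events the rule fires on, each with the ATT&CK technique IDs taken from its tags."""
    techniques = [t.split(".", 1)[1].upper() for t in rule["tags"] if t.startswith("attack.t")]
    return [(e["id"], techniques) for e in events if rule_matches(rule, e)]
```

Event 1 fires (encoded PowerShell from an unexpected parent), event 2 is suppressed by the filter selection, and event 3 never matches the selection.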
- Microsoft Defender for Endpoint / Windows Defender ATP - Next-Gen Antivirus with XTP cannot run at the same time as Microsoft Defender for Endpoint / Windows Defender ATP, because they use the same baseline engine. To resolve this, disable Microsoft Defender for Endpoint / Windows Defender ATP;
- Palo Alto's Global Protect - although Global Protect is a VPN product, it includes an anti-malware check that prevents the VPN client from connecting to the server if the endpoint's real-time protection is disabled. With the new Next-Gen Antivirus with XTP, make sure the older Heimdal Thor Agent anti-malware check is disabled so that Global Protect does not block the user from connecting to the VPN:
This is done in the Global Protect configuration, under HIP Object -> Malware, where only the Windows Defender product needs to be listed.
- Cisco AnyConnect Secure Mobility Client - similar to Global Protect, the Cisco client can assess an endpoint's compliance for the antivirus, antispyware and firewall software installed on the host, and network access can be restricted until the endpoint meets these requirements. To prevent an endpoint from having its access restricted, adjust the configuration so that the Cisco client checks the status of Windows Defender instead of the old Heimdal Thor Agent engine.
HOW DO NEXT-GEN ANTIVIRUS SCANS WORK?
You can set up regular, scheduled antivirus scans on devices. These scheduled scans are in addition to always-on, real-time protection and on-demand antivirus scans. When you schedule a scan, you can specify the type of scan, and when the scan should occur. You can also set up special scans to complete remediation actions if needed.
The scan types you can choose are described below:
- Quick Scan - A quick scan checks the processes, memory, profiles and certain locations on the device. Together with always-on real-time protection, a quick scan provides strong coverage both for malware that starts with the system and for kernel-level malware. Real-time protection reviews files when they are opened and closed, and whenever a user navigates to a folder;
- Active Processes Scan - The active processes scan looks at the processes currently running on the endpoint;
- Full Scan - A full scan starts by running a quick scan and then continues with a sequential file scan of all mounted fixed disks and removable/network drives. A full scan can take a few hours or days to complete, depending on the amount and type of data to be scanned. When a full scan begins, it uses the security intelligence definitions installed at the time the scan starts; if new security intelligence updates become available during the full scan, another full scan is required to detect the new threats contained in the latest update. Because of the time and resources involved, we generally do not recommend scheduling full scans. Keep in mind that the CPU usage shown in Task Manager may sporadically exceed the limit set in the Heimdal Dashboard. This is expected: the limit is not a hard limit but a guide for the scanning engine not to exceed that maximum on average;
- Hard Drive Scan - A hard drive scan looks at all the files on the hard drive and ignores files on all external media types;
- Local Drive Scan - Scans all local disks, including hard drives, optical drives and external storage;
- Removable Drive Scan - Scans files stored on flash, optical or external drives;
- System Scan - A system scan looks at all the locations where malware could be registered to start with the system, such as registry keys and known Windows startup folders, and scans the system directory;
- Network Drive Scan - Scans files on mapped network drives. It detects the infection(s), but NO action is performed, because Next-Gen Antivirus cannot remove an item from a network location to place it in the local Quarantine folder.
1. Items skipped during scan
While a scan is running, you might notice the following warning: "Items skipped during scan. The Microsoft Defender Antivirus scan skipped an item due to exclusion or network scanning settings."
This happens when the scan reaches files or folders that are already excluded from scanning. It can also occur even when the Exclusion list is empty, because the HEIMDAL Agent's own files and folders are hard-coded as scan exclusions.
The warning can be suppressed by enabling Hide Windows Defender Interface under Endpoint Settings -> Your GP -> Endpoint Detection -> Next-Gen Antivirus; the warnings are then no longer displayed.
2. No progress is seen on the Files Scanned or the progress bar
During a scan, you might notice that no progress is displayed in the Active Scan window: the progress bar stays at 0% and no Files Scanned count is shown.
This is caused by a limitation of Windows Defender that prevents the HEIMDAL Agent from reading live scan data from the antivirus engine.
3. The virus definition files fail to get updated
This can happen because of restrictions or limitations on Windows Update, which then fails to download the latest Security Intelligence updates available for Windows Defender.