In this article, you will learn everything you need to know about the Next-Gen Antivirus with XTP module.
Next-Gen Antivirus with XTP is a two-part change: the default engine of the Heimdal Next-Gen Antivirus switches from Avira to Microsoft Windows Defender, and the new Heimdal XTP engine is added as a boosted layer of protection. The engine switch was made to leverage more of the Windows OS native capabilities. The XTP engine supercharges the current Next-Gen Antivirus with Extended Threat Protection (XTP) capabilities, supplying you with evidence-based information about sophisticated cybersecurity risks, offering a holistic view of weaknesses categorized by MITRE ATT&CK tactics and techniques and, ultimately, providing state-of-the-art protection.

The new version of Heimdal’s Next-Gen Antivirus therefore offers more Windows OS native capabilities, together with the XTP engine and the benefits described above. Some settings from the previous Avira engine, such as heuristics and real-time protection data, will be removed with the switch to Windows Defender, which does not expose them. However, these features were more marketing points than actual functional advantages.

The base detection engine enhancements depend on the operating system version your machines run: they are available for Windows 10 and later on endpoints, and for Windows Server 2016 and later on servers. Please note that Windows Server 2016 will not be available in the initial phase of the launch. The XTP offering is compatible with all operating system versions.

The new base engine and the supercharged XTP component integrate with the NGAV product, and with the Heimdal unified product suite as a whole, exactly as before. NGAV remains complementary to Threat Prevention and Privileged Access Management, as well as to all other Heimdal services.
HOW DOES THE NEW NEXT-GEN ANTIVIRUS WITH XTP WORK?
Next-Gen Antivirus with XTP includes real-time malware protection, which runs in the background on a system and inspects threats downloaded from the internet, detecting them at the point of infection. It also includes on-demand scanning, which searches for offline threats introduced via USB or network drives and for malware that already exists on the system. Next-Gen Antivirus uses several methods to detect and prevent malware from infecting your device, including:
- Signature-based detection: Signature-based detection is one of the oldest forms of antivirus protection. It compares files coming into devices to known malware, looking for signature matches. For the software to be effective, the antivirus database must stay up to date with the latest malware.
- Heuristic-based detection: Heuristic-based detection is similar to signature-based detection in that it scans incoming files and programs for matches to known malware. However, while signature detection looks for exact matches, heuristic detection looks for similar tendencies or patterns in a file’s code. As a result, it catches malware that signature detection may have missed.
- Behavior-based detection: This form of detection examines how files and programs act, looking for anything out of the ordinary.
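The three detection methods above can be illustrated side by side. The following is an added example written for this article, not Heimdal or Windows Defender code: a hash table stands in for the signature database, a weighted pattern score for heuristic detection, and a rule over a process's file activity for behavior-based detection. Every hash, pattern, file and event below is constructed for the example and is not a real signature or indicator.

```python
import hashlib
import re
from collections import Counter

# Signature database: exact SHA-256 of known malware -> family name (constructed).
KNOWN_MALWARE_HASHES = {
    hashlib.sha256(b"MZ\x90\x00 constructed-sample-A").hexdigest(): "Trojan.Constructed.A",
}

# Heuristic indicators: patterns that often appear in droppers but are not proof
# on their own, so each carries a weight and a verdict needs a score threshold.
HEURISTIC_PATTERNS = [
    (re.compile(rb"powershell(\.exe)?\s+-(enc|encodedcommand)\b", re.I), 3),
    (re.compile(rb"vssadmin(\.exe)?\s+delete\s+shadows", re.I), 4),
    (re.compile(rb"CurrentVersion\\Run\b", re.I), 2),
    (re.compile(rb"IsDebuggerPresent"), 1),
]
HEURISTIC_THRESHOLD = 4

def signature_scan(data: bytes):
    """Exact match: hash the file and look it up in the known-malware table."""
    return KNOWN_MALWARE_HASHES.get(hashlib.sha256(data).hexdigest())

def heuristic_scan(data: bytes):
    """Similarity match: add up the weights of suspicious patterns found in the bytes."""
    found = [(p, w) for p, w in HEURISTIC_PATTERNS if p.search(data)]
    return sum(w for _, w in found), [p.pattern.decode() for p, _ in found]

def scan_file(data: bytes) -> dict:
    """Combine the static layers: a signature hit is conclusive, heuristics need the threshold."""
    sig = signature_scan(data)
    score, hits = heuristic_scan(data)
    return {
        "signature": sig,
        "heuristic_score": score,
        "heuristic_hits": hits,
        "verdict": "malicious" if sig or score >= HEURISTIC_THRESHOLD else "clean",
    }

# Behaviour rule: one process renaming many files to the same new extension within
# a few seconds looks like bulk encryption rather than normal document use.
RENAME_BURST_COUNT = 10
RENAME_BURST_SECONDS = 5

def behavior_scan(events):
    """events: (timestamp_seconds, pid, action, src_path, dst_path) tuples.
    Returns the set of pids whose rename activity matches the burst pattern."""
    by_pid = {}
    for ts, pid, action, _src, dst in events:
        if action == "rename":
            by_pid.setdefault(pid, []).append((ts, dst.rsplit(".", 1)[-1].lower()))
    flagged = set()
    for pid, renames in by_pid.items():
        renames.sort()
        for i, (start, _) in enumerate(renames):
            window = [ext for ts, ext in renames[i:] if ts - start <= RENAME_BURST_SECONDS]
            _ext, count = Counter(window).most_common(1)[0]
            if count >= RENAME_BURST_COUNT:
                flagged.add(pid)
                break
    return flagged

# Constructed inputs for the example.
SAMPLE_KNOWN = b"MZ\x90\x00 constructed-sample-A"          # exact signature hit
SAMPLE_VARIANT = (b"MZ\x90\x00 constructed-sample-B "        # unknown hash, suspicious content
                  b"powershell.exe -EncodedCommand SQBFAFgA "
                  b"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run ")
SAMPLE_CLEAN = b"MZ\x90\x00 hello world"
SAMPLE_EVENTS = (
    [(1000.0 + i * 0.1, 4242, "rename",
      f"C:\\Users\\u\\Documents\\f{i}.docx", f"C:\\Users\\u\\Documents\\f{i}.docx.locked")
     for i in range(12)]
    + [(1000.0, 100, "rename", "C:\\tmp\\a.tmp", "C:\\tmp\\a.txt"),
       (1003.0, 100, "create", "", "C:\\tmp\\b.txt")]
)

if __name__ == "__main__":
    for name, sample in [("known", SAMPLE_KNOWN), ("variant", SAMPLE_VARIANT), ("clean", SAMPLE_CLEAN)]:
        print(name, scan_file(sample))
    print("behaviour-flagged pids:", behavior_scan(SAMPLE_EVENTS))
```

Note how the variant sample evades the signature layer (its hash is unknown) but is still caught by the heuristic layer, and how the behavior layer never looks at file contents at all; that is why the three methods are layered rather than chosen between.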
On top of that, Extended Threat Protection (XTP) stores information based on the system's audit policies. These events are analyzed by the XTP engine, which can tell when a suspicious event occurred. The product collects information from every computer in your environment through the Heimdal XTP service and compares it against the 1400+ Sigma rules that are defined in the MITRE ATT&CK knowledge base. It gives you a description of each rule that the endpoint is not complying with and offers a short solution on how to mitigate the issue. XTP uses the Sysmon (System Monitor) Windows add-on to log information, which might conflict with other applications that also use Sysmon.
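To make the rule-matching step concrete, here is an added example, written for this article and not taken from the Heimdal XTP engine, of evaluating Sigma-style rules against Sysmon process-creation events. The two rules, the event records, the host names and the `remediation` field are all constructed for the example; standard Sigma has no `remediation` key, so that field is an assumption standing in for the short fix text the article says XTP attaches to each failing rule. Only the Sigma modifiers used by these rules (`contains`, `endswith`, `startswith`, `all`) and the two condition shapes `selection` and `selection and not filter` are implemented.

```python
# Constructed Sigma-style rules, written as dicts so no YAML library is needed.
RULES = [
    {
        "title": "Shadow Copies Deletion Using vssadmin",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {
                "Image|endswith": "\\vssadmin.exe",
                "CommandLine|contains|all": ["delete", "shadows"],
            },
            "condition": "selection",
        },
        "tags": ["attack.impact", "attack.t1490"],
        "remediation": "Restrict vssadmin to backup operators and alert on shadow copy deletion.",
    },
    {
        "title": "Encoded PowerShell Command Line",
        "logsource": {"product": "windows", "category": "process_creation"},
        "detection": {
            "selection": {
                "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
                "CommandLine|contains": ["-enc ", "-encodedcommand "],
            },
            # Assumed internal deployment tool, used to show how a filter suppresses a hit.
            "filter": {"ParentImage|endswith": "\\trusted-deploy.exe"},
            "condition": "selection and not filter",
        },
        "tags": ["attack.execution", "attack.t1059.001"],
        "remediation": "Enable PowerShell script block logging and constrained language mode.",
    },
]

def _match_value(field_value: str, modifiers, patterns) -> bool:
    """Apply Sigma string modifiers; Sigma string matching is case-insensitive."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    value = field_value.lower()
    mode = next((m for m in modifiers if m in ("contains", "endswith", "startswith")), "equals")
    checks = {
        "contains": lambda p: p in value,
        "endswith": value.endswith,
        "startswith": value.startswith,
        "equals": lambda p: p == value,
    }
    results = [checks[mode](str(p).lower()) for p in patterns]
    # A list is OR by default; the "all" modifier turns it into AND.
    return all(results) if "all" in modifiers else any(results)

def _match_selection(selection: dict, event: dict) -> bool:
    """Every field in a selection map must match (AND across keys)."""
    for key, patterns in selection.items():
        field, *modifiers = key.split("|")
        if field not in event or not _match_value(str(event[field]), modifiers, patterns):
            return False
    return True

def evaluate_rule(rule: dict, event: dict) -> bool:
    if event.get("_category") != rule["logsource"]["category"]:
        return False
    detection = rule["detection"]
    named = {name: _match_selection(sel, event)
             for name, sel in detection.items() if name != "condition"}
    condition = detection["condition"]
    if " and not " in condition:
        keep, drop = condition.split(" and not ")
        return named[keep] and not named[drop]
    return named[condition]

def run_rules(events, rules=RULES):
    """Return one finding per (event, rule) match, carrying the ATT&CK technique IDs."""
    findings = []
    for event in events:
        for rule in rules:
            if evaluate_rule(rule, event):
                techniques = [t[len("attack."):].upper() for t in rule["tags"] if t.startswith("attack.t")]
                findings.append({"host": event["Computer"], "rule": rule["title"],
                                 "techniques": techniques, "remediation": rule["remediation"]})
    return findings

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the fields used.
SAMPLE_EVENTS = [
    {"_category": "process_creation", "EventID": 1, "Computer": "WS-042",
     "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"_category": "process_creation", "EventID": 1, "Computer": "WS-042",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"_category": "process_creation", "EventID": 1, "Computer": "SRV-01",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgAIAAoAE4A",
     "ParentImage": "C:\\Program Files\\Deploy\\trusted-deploy.exe"},
    {"_category": "process_creation", "EventID": 1, "Computer": "WS-042",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Run as written, the script reports two findings on WS-042 (T1490 and T1059.001) and none on SRV-01, because the third event is suppressed by the rule's filter. The point for a practitioner is that the rule itself carries both the ATT&CK mapping and the fix text, so a report like the one the article describes is a projection of the matching rules, not a separate lookup.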
If you use Next-Gen Antivirus with XTP alongside incompatible applications, those applications may not work properly and operating system errors may occur. We recommend removing these applications before turning on Next-Gen Antivirus with XTP. The known incompatibilities are listed below:
- Microsoft Defender for Endpoint / Windows Defender ATP - Next-Gen Antivirus with XTP cannot run at the same time as Microsoft Defender for Endpoint / Windows Defender ATP, because they use the same baseline engine. To resolve this, disable Microsoft Defender for Endpoint / Windows Defender ATP;
- Palo Alto's Global Protect - although Global Protect is a VPN product, it includes an anti-malware check that prevents the VPN client from connecting to the server if the endpoint's real-time protection is disabled. With the new Next-Gen Antivirus with XTP, make sure the check for the older Heimdal Thor Agent anti-malware engine is disabled, so that Global Protect does not block the user from connecting to the VPN.
This is done in the Global Protect configuration, under HIP Object -> Malware, where only the Windows Defender product needs to be listed.
- Cisco AnyConnect Secure Mobility Client - similar to Global Protect, the Cisco client can assess an endpoint's compliance for the antivirus, antispyware and firewall software installed on the host, and network access can be restricted until the endpoint becomes compliant. To prevent an endpoint from having its access restricted, adjust the configuration so that the Cisco client checks the status of Windows Defender instead of the old Heimdal Thor Agent engine.