Dear Heimdal Customer,
Version 3.9.2 of the Heimdal Production dashboard is now live, featuring massive upgrades.
Additionally, a new Heimdal Release Candidate agent version, 3.9.3 RC, will be available for download from the Heimdal dashboard starting Friday, January 19th 2024. This new RC version contains a Privileged Access Management fix (also available in the 3.9.2 Prod agent version) for a corner-case issue related to the newly implemented “Disable Windows consent” functionality.
Below is a list of the big features and improvements rolling in with the new 3.9.2 Prod:
|
● Introducing Heimdal® Dashboard Homepage v3
|
In August 2023, we embarked on a journey to create a visually stunning and highly actionable dashboard homepage, and we're thrilled to unveil the result - The Heimdal Dashboard v3.
While it still provides you with the most essential insights and swift action options, we've taken it up a notch, delivering a design that's not only more visually appealing but also robust in functionality.
Discover, interact with, and immerse yourself in all that Dashboard Homepage v3 has to offer. We're confident it's a game-changer, and we can't wait for you to experience it firsthand.
|
● Heimdal® Agent – New Languages Available
|
Starting with the 3.9.2 Prod release, our agent will also be available in Finnish and Swedish.
|
● Heimdal® - ConnectWise integration
|
Automation and efficiency are two important goals that Heimdal has in mind each time we’re developing a new functionality. That’s why, starting with this new Heimdal version, customers and partners using the ConnectWise RMM platform will be able to use a nifty integration that allows users to automate the management of tickets in the ConnectWise platform.
The ConnectWise integration can be enabled by checking the ConnectWise Integration checkbox in the Guide > Customer settings > Integrations > ConnectWise RMM section of the Heimdal dashboard.
|
After the ConnectWise Integration product is enabled, the user must complete the Integration Settings.
In order to do so, the user must fill in the info corresponding to the existing ConnectWise account: Company Identifier (Company ID), Base API URL (ConnectWise URL), Public Key (available in ConnectWise > System > Members > API Keys) and Private Key (available only when a new member is created in ConnectWise).
After the information is filled in, the Configure Operations Board and Configure Cyber Alerts buttons become active. Once pressed, they open modal windows in which the pre-filled ConnectWise service board information related to location, department and team lead needs to be selected.
|
The “Configure Operations Service Board” includes the settings used to create the board Heimdal Operations in ConnectWise, while “Configure Cyber Alerts Service Board” includes the settings used to create the board Heimdal Cyber Alerts in ConnectWise.
|
Heimdal® Operations service board
|
The ConnectWise Heimdal Operations board displays all the tickets related to the notifications coming from the Notifications modal window (Active Clients > Standard View of the Heimdal dashboard), which are related to CPU, Memory, Disk, Microsoft updates, Next-Gen AV, DNS poisoning and Firewall notifications, based on the selection made in the Heimdal dashboard, Guide > Customer settings > Integrations > ConnectWise RMM section.
|
Each time the Heimdal agent generates a notification in “Client Info Notifications”, a new ticket is created in ConnectWise.
In order to visualize the tickets in the ConnectWise RMM, go to Service Desk > Service Board and filter the data from the grid by Service Board: Heimdal Operations.
|
All newly created tickets will have the status “New” and one of the types: CPU, Disk, DNS Poisoning, Firewall, Memory, Microsoft Updates or Next-Gen Antivirus.
If a notification is no longer present in the Heimdal dashboard, the ticket status will automatically change to “Closed”.
|
Heimdal® Cyber Alerts service board
|
The ConnectWise Heimdal Cyber Alerts service board displays all the tickets related to the email alerts coming from the Accounts section of the Heimdal dashboard, except for the ones related to GP changes and Microsoft Updates, based on the selection made in the Heimdal dashboard, Guide > Customer settings > Integrations > ConnectWise RMM section.
|
Note: in order for the tickets to be automatically created/closed in the ConnectWise RMM, the above-mentioned alerts need to be enabled in the Heimdal dashboard.
|
In order to visualize the tickets in the ConnectWise RMM, go to Service Desk > Service Board and filter the data from the grid by Service Board: Heimdal Cyber Alerts.
|
All newly created tickets will have the status “New” and one of the types: Privileged Access Management, Ransomware Encryption, Next-Gen Antivirus, VectorN Detection or Zero - Trust.
|
Heimdal® Threat Prevention Endpoint and Network
|
● Tailor-made custom block page and availability for the HTTPS protocol
|
We've revamped our custom block page feature for both TPE and TPN, allowing you to tailor it even more to your needs. Moreover, it's now compatible with web pages running on the HTTPS protocol.
|
Block page fully customizable .html template
|
Dashboard users can fully customize the .html template of the custom block page by navigating to the Endpoint Settings > Threat Prevention > DarkLayer Guard™ tab. Here, you can set your organization's name, craft a personalized message to be displayed on the block page, and incorporate your logo.
Don't forget to preview your Custom Block Page by clicking the "Preview HTML" button.
|
A similar enhancement is available for TPN too (Network Settings > Threat Prevention).
|
Block Page Now Available for HTTPS Web Pages
|
We're pleased to announce that we've resolved a technical limitation that previously prevented users from accessing the block page on HTTPS websites.
To enable the block page for HTTPS websites in TPE, you have two options:
- Automatic Installation: Simply check the new "Install Block Page Certificate" option in the Endpoint Settings > Threat Prevention > DarkLayer Guard™ tab. This will automatically install the required certificate on all machines associated with the respective GP.
- Manual Installation: Alternatively, you can download and install the certificate manually. Go to the "Guide" > "Download and Install" tab in the Heimdal dashboard and follow the steps outlined in the dedicated article.
|
Please note that manual installation of the certificate is required if you intend to use the HTTPS block page for TPN.
|
● Optimization of TPN Latest Threats View
|
To enhance dashboard performance, we've optimized the Threat Prevention > Network > Latest Threats view. Specifically:
- for the "DNS Query Blocked" and "All" filter options, the dashboard now displays data for the last 24 hours only.
Don't worry: if you need data from a different timeframe, you can easily access it:
- simply click the "click here" option in the dedicated toaster message. This will lead you to a dedicated download page where you can obtain hourly .csv files with the corresponding data for your preferred timeframe.
|
The tooltip next to the Latest Threats .csv download page contains a “click here” link which, when clicked, downloads a guide containing instructions on how to interpret the data in the .csv files.
|
Heimdal® Patch & Asset Management
|
● Network Windows OS Deployment (iPXE)
|
We're very excited to introduce Network Windows OS Deployment (iPXE) as the latest addition to the Heimdal Patch & Asset Management module. This feature enables our dashboard users to effortlessly deploy operating systems within their network.
The latest Heimdal Patch & Assets addition includes the following key functionalities:
- Repository Management: Easily manage your OS image repository through Network Settings.
- Image Management: Upload and manage images of different operating system instances.
- iPXE Server Promotion: Promote and manage a hostname to function as an iPXE server.
- Inheritance Feature: Inherit repository settings from your reseller.
In order to use the Network OS Deployment feature, you need to have the Infinity Management licensing option enabled and then enable the new submodule in the Network Settings > Network OS Deployment tab by checking the corresponding tick box.
Additionally, we're offering an opt-in "Inherit Reseller Repository" functionality. Corporate customers will find this option grayed out unless their reseller has enabled the “Repository distribution” functionality from their Network Settings.
|
When activated, corporate customers gain access to all ISO files uploaded by the reseller (Source: Inherited) as well as those they upload themselves (Source: Owner). However, they can only edit and delete the OS images that they have uploaded themselves.
|
The ability to use the Network OS Deployment feature is strictly tied to having a repository of optical disc images of OS instances. You can build the repository by uploading valid ISO files. After you press the "Upload OS Image" button, a modal window is displayed in which you can select an ISO file from your machine, upload it and add a description (“friendly name”).
|
Once the upload button is pressed, the selected .iso file starts uploading to the cloud. It's important to keep the browser page open until the upload is finished, otherwise the upload will be stopped.
|
As soon as you have built your OS Images Repository, you can choose one machine from the Active Clients > Standard View and designate it as an iPXE deployment server (“Select what action to take” drop-down list > “Add iPXE Server”). You can also edit (“Config iPXE Server”) or delete (“Remove iPXE Server”) machines that have already been designated as iPXE servers.
Note: The device designated as an iPXE server will continue to function as an iPXE server despite hostname changes (unless the “Remove iPXE Server” command is applied to the hostname).
|
Configuring the iPXE Server
|
After clicking "Add iPXE Server" or when editing a previously selected iPXE server, a modal window will appear. In this window, you can configure the iPXE server.
- Check time interval - sets the time in minutes to check for changes
- Enforce User Authentication - the end user will have to use the set credentials (username and password) in order to have access to the OS image repository
- Download Path - sets the default location for downloading ISO files. Make sure that the drive of the selected path has enough free space to accommodate the number of ISO files that are set to be downloaded
By pressing the "Add OS Image" button, the user can select from the ISO images currently available in the OS image repository. All the ISO images available for download are displayed in a grid (there are also options to edit and delete already downloaded ISO images).
|
After you hit the “Confirm” button and sync the GP (“Sync GP” button in the agent), two new services will become active on the end users’ endpoints: Heimdal IPXE and Heimdal IPXE Checker.
|
The "Heimdal IPXE" directory is downloaded at the Heimdal installation path.
|
Client Endpoints Connection to the Server:
- Set the Correct Boot Order: on the client (end user) endpoints, set the boot priority in the BIOS to Network first;
- Initiate Connection: make sure that the iPXE Server is turned on and visible within the network. Start the client endpoint;
- Authentication: on the (end user) client side, enter the username and password if asked;
- Load Windows PE (WinPE): the system will load the Windows Preinstallation Environment;
- Select OS Image: choose the desired OS instance for installation;
- Start Windows Setup: proceed with normal Windows setup.
|
● Enhancement: Windows OS -> 3rd Party Patch Management Install Delay Pop-up
|
As part of our ongoing commitment to improving the Heimdal user experience, we've enhanced the 3rd party patch management "Install delay pop-up" feature. This enhancement makes the feature available at the "standard applications" level (software that is monitored and patched by Heimdal Patch & Assets).
To access this feature, go to the Endpoint Settings > Windows GP > Patch & Assets > 3rd Party Patch Management tab, where you'll find a new column titled "Install delay pop-up" in the "standard applications" list.
|
Note: The applications without the “install delay” option enabled will be installed first, with no prompt to the user, followed by the applications that were marked with the “install delay” option enabled. The settings for the “Install delay pop-up” option (minutes of delay and number of delays) remain unchanged.
The end user pop-up window message was also improved and now displays the top 5 applications (having the “Install delay pop-up” enabled) that are going to be installed on the machine.
|
● Operating System Updates, Windows OS – Assets View
|
The functionality announced and described in the 3.7.0 Release Note was postponed, deployment-wise, due to its magnitude and because we wanted to make sure that the Quality Assurance standards were fully met. It is now available in the new 3.9.0 RC version, so do make sure you check it out, as it comes with some pivotal benefits like keeping your IT estate safe and compliant.
|
Heimdal® Privileges & App. Control
|
● Privileged Access Management - Bypass Windows UAC and File Elevation Enhancement
|
We're also thrilled to announce a significant enhancement in our PAM module. With the introduction of the Kernel mini-filter driver, you can now perform PAM & Application Control elevations using the logged-in user's context instead of the system user's context. Starting from the 3.9.2 Prod release, you can initiate single file elevations for applications that require elevation with a simple double-click, eliminating the need for the right-click context menu.
In order to achieve this, we added a new setting in the Endpoint Settings > Privileges & App Control > Privileged Access Management, Run as administrator section of the PAM GP, named “Disable Windows consent”:
|
Note: This checkbox is alterable (enable/disable) only if the “User token elevation” functionality is enabled.
When enabled, this feature will stop (except for rare, specific cases) the Windows consent flow and replace it with a custom window, which will trigger the single file elevation mechanism.
Note that when this feature is enabled, the existing “Run with Admin Privileges” setting in the right-click context menu will no longer be displayed and the “Run as administrator” Windows entry will be replaced by the custom Heimdal one.
|
The Heimdal PAM icon will be displayed on the Run as Administrator context item (in Windows 11, it will only be displayed after clicking “Show more options”).
When “Disable Windows consent” is enabled and Heimdal PAM detects the need for elevation, the following end user UAC window will be shown and the user won’t have to enter their Microsoft Windows login credentials anymore:
|
This brand new custom UAC displays more information about the application which is about to be elevated and prompts the end user for action, making sure that the end user actually intended to elevate that app. The user can opt out of elevation by clicking “Cancel”.
When you click "Elevate," the existing elevation workflow will be initiated based on the configuration set in the PAM GP. For instance, if approval via the dashboard is enabled, the elevation request will be sent to the dashboard and will await approval. Similarly, if "require reason" is enabled, a popup will prompt you to provide a reason.
Note: there are exceptions to this workflow. One such exception is in the “Programs and Features” section of “Control Panel”. When trying to uninstall an application from this section, the standard Windows consent window will still be shown, prompting for elevation.
|
● Application Control - "Allow Auto Elevation" licensing update
|
Beginning with the 3.9.0 RC release, the "Allow auto elevation" functionality will require a Privileged Access Management (PAM) module license. Moving forward, this feature will only be accessible to customers with a valid PAM license, allowing them to create App Control rules with "Allow auto elevation" without any restrictions.
Note: If a customer has at least one group policy on which the functionality is already enabled, we will continue to allow the “auto elevation” feature to work and the creation of new App Control rules with the “auto elevation” option, even if the PAM module is not licensed.
|
Heimdal® Email Security Suite
|
● Email Security - ESEC Homepage and Outliers Detection
|
We're excited to announce improvements to our Email Security product, enhancing both user experience (UX) and detection capabilities. With the 3.9.2 Prod release, you now have the flexibility to switch between two views:
- Homepage View: This high-level view showcases relevant data from the ESEC module.
- Details View: The familiar "Details" view allows for in-depth data analysis.
These enhancements provide you with greater control and insights into your email security.
|
Note: The data displayed on the ESEC homepage is not dependent on the dashboard timeframe (upper section of the page).
The new homepage displays several stats and graphs that provide a streamlined understanding of the usage and activity of the email addresses and domains:
- Summary Report tile - brief info about the total no. of malicious, inbound and outbound emails, over the last 90 days. These are further broken down by “Status” and expressed in percentiles;
- User Anomalies tile – shows, sorted in descending order, the top 8 email addresses on which outliers have been detected (SPAM, Virus and ATP); each entry (email address) will have 3 bars, displaying the no. of emails from this category over the last month, 2 and 3 months ago (from the current date). For more details regarding a certain email address, the dashboard user can click on the bar chart section and a detailed linear graph is displayed below;
- Domain status tile - lists all the email domains, with their corresponding TAC risk score and their MX, SPF and DMARC authentication methods’ statuses;
- The bottom row tiles display a month to month comparison of Quarantined, Rejected, Spam, Virus and ATP emails. The stats are computed by comparing the past 30 days from the current date vs. the previous 30 days. Each tile displays the increase/ decrease, in the number of emails (both as number and as percentage) and a chart presenting the activity for each interval.
|
● Email Security – End user console and option to Release and add emails to personal Allow and Blocklists
|
With this brand new functionality our Email Security end users will have a dedicated ESEC console and a few options to manage their emails and mailbox settings (Release, Allowlist and Blocklist), even without having a Heimdal dashboard account.
In order for the end users to be able to access the dedicated ESEC console, a new checkbox called “End user console”, found in the Network Settings > Email Protection > Email Security, Quarantine Settings tab, needs to be enabled.
|
Note: In order for the “End user console” functionality to be alterable (enabled/ disabled) the “User Quarantine Report by Email” checkbox needs to be enabled.
The access authorization in the end user portal is made using a secure token. In order to generate a token, the end user must receive at least one Quarantine report after the “End user console” option was enabled (the report can be either sent automatically or using the Get Report option).
Upon enabling the GP option, the choice to access the end user portal is available in the Quarantine report:
|
Note: The safe access token is valid for 24 hours (from the moment it was generated). If the token expires before the end user accesses the end user console, then upon clicking the expired URL they will receive an email message from which they’ll be able to regenerate the access token.
|
Another option for accessing the ESEC end user console is through an admin user. This user (with access to the Heimdal dashboard and the access control enabling them to access the ESEC group policy area) can also provide a link generation URL by using the “click here” option available in the corresponding info bubble:
|
When clicking the link from the info bubble, the admin user is directed to an ESEC webpage where a new end user console access URL can be generated. The admin user must input the end user’s email address and, if the email is valid, an email with an access link to the end user console is sent to that address.
|
If a token is generated for the end user’s mailbox, the URL will redirect the end user to the end user portal, where the end user will see all the inbound/outbound emails related to their email address. On this dedicated webpage, the end user can view information using the timeframe selection, the search and the advanced filter search, and download the data in .csv format (similar to the Heimdal dashboard). The actions that the end user can take on this page are “Release” (available only for emails with the “Quarantine” status) and “Show details” (with the same “Release” option available if the email is quarantined).
|
From the “Show Details” modal window, the end user can also add items to the Allowlist and/or Blocklist. The blocklisted items are added with the default action from the Heimdal dashboard (Reject), and the end user cannot select a different action (for security reasons).
Once the items are added to the end user’s allow/blocklist, they are displayed in the corresponding view (Allowlist/Blocklist). The only action that the end user can perform in the Allow/Blocklist views is the “Delete” action (deleting the entry/entries from the table).
|
In the Heimdal dashboard, the emails that were allowed or blocked from the end user console will display a specific message when hovering over the status column, as shown in the screenshot below:
|
Note: the settings are applied only for the mailbox of the end user and have priority over the general domain settings set up in the Heimdal dashboard.
E.g.: the email address test@domain.com is blocklisted in the domain settings but added to the end user’s personal allowlist in the end user console. That end user will receive emails from the allowlisted address, while all the other users will not (unless they performed allowlist actions, on the same mailbox, in their end user console), as the email will be blocklisted by the Heimdal dashboard domain settings.
|
● Email Security – Action on detection for filtering by file extension
|
The option to select specific actions on detection, for different file extensions, is now available in the Network Settings > Email Protection > Email Security > Attachment Settings tab, Filtering by extension section of the ESEC GP.
|
When adding new extensions, a new dropdown menu, “Action on Detection”, can be used, allowing the dashboard user to select one of four different actions: None, Quarantine, TagSubject or Reject. A new column was also added to the existing table in order to display the selected action.
Note: For the already existing extensions (old entries), the default action on detection will be set by using the value from the existing “Action on Detection” option, present in the “Filtering by Type” section. The user may delete “old” entries and add new entries with the new desired action.
|
● Email Security – Option to “Copy settings” to all domains at once
|
This enhancement to the “Copy settings” ESEC feature makes it possible to select “All domains” from the corresponding dropdown, instead of marking each domain one at a time, and to apply the desired settings to all the domains from ESEC in one click of a button.
|
Note: The new option is available only when there are at least 3 domains created in ESEC.
|
● Email Security – SPF Soft fail and Allowlist enhancements
|
The Network Settings > Email Protection > Email Security, Additional Domain Settings tab, “SPF” checkbox has been enhanced with an additional verification (checkbox called “SPF SoftFail”) that can be performed on emails that have the SPF SoftFail status result.
|
Note: The setting is available as a sub-option of “SPF” and can be altered only when the main setting is enabled.
We’ve also enhanced the allowlisting functionality, in the sense that two new options are available when the “Details” command (corresponding to each email) is pressed and the Main tab is accessed: “Add Header Sender to Allowlist” and “Add Header Domain to Allowlist”.
|
When adding items to the Allowlist using one of the above-mentioned options, the entries are added with the Check Header option enabled by default.
|
In order to be able to use these functionalities, you need to have the Network Settings > Email Protection > Email Security > Quarantine Settings, General Quarantine Report Settings section of the ESEC GP, “Allowlist based on header from” checkbox enabled.
|
Note: This is an Admin Setting, not visible in the dashboard; in order for it to be enabled/ disabled please reach out to Customer Support or to your account manager.
|
Other improvements & fixes:
|
● Heimdal® Threat-hunting & Action Center (TAC) - Homepage infinity scroll
|
The TAC homepage, available to both reseller and corporate customers, now features an infinity scroll functionality. This enhancement enables users to visualize not just the TOP 5 CUSTOMERS/ENDPOINTS by RISK SCORE but ALL CUSTOMERS/ENDPOINTS within their estate.
|
● Endpoint Detection, Next-Gen AV + XTP and MDM – Improved basic detection engine available for Windows Server 2016 OS
|
As previously announced in the 3.5.0 Release Notes, the enhanced detection engine of our Next-Gen AV + XTP & MDM is now available for Windows Server 2016. This empowers you to enhance and complement the native capabilities of the Microsoft OS.
Note: in order for the Next-Gen AV + XTP and MDM engine to work on the Windows Server 2016 operating system, you need to make sure that your machine has the latest OS updates installed.
|
● Patch & Asset management -> 3rd Party Patch Management -> Windows OS – New applications added to the Heimdal standard patching list
|
The following software has been added to the Heimdal “standard” patching list (monitored and patched by Heimdal):
- Power Automate for desktop
- Power BI Report Builder
- WinZip x64
- Dell Display Manager
- Airtame
Also, we’d like to inform you that the NemID Nøglefilsprogram software has reached end-of-life, being replaced with the mobile-only MitID app.
|
● Reintroduction of the Firewall, Brute Force Attacks info. in the Accounts -> Next-Gen Antivirus email alerts
|
We’re delighted to inform you that the Brute Force Attacks information was reincluded in the Next-Gen Antivirus email alerts starting with this new production version.
|
● Patch & Assets module -> 3rd Party Patch Management -> Windows OS – Data Visualization Enhancements
|
Starting with this new version, you’ll be able to enjoy more versatile methods of visualizing the Patch & Assets related data; it is now available not only in the grid/table format, but also in pie chart and matrix visualization formats in the 3rd party patch management > Assets view.
|
● Privileges & App Control -> Privileged Access Management - Addition of the elevation ID in the PAM elevation request email subject
|
We've made a small yet valuable enhancement in Privileged Access Management. Starting now, the elevation ID is included in the PAM elevation request email subject. This improvement benefits users who require efficient reporting in their own BI and reporting tools.
|
If you need help with anything, don’t hesitate to contact corpsupport@Heimdalsecurity.com.
Best regards,
The Heimdal team.
|
In order to ensure the correct functioning of the new features, please clear the browser’s cookies and other site data, as well as the cached images and files, prior to accessing the Heimdal dashboard.