In this article, you will learn how the DarkLayer Guard - Endpoint module works.
How does Traffic Filtering work?
When the DarkLayer Guard - Endpoint module is enabled, it creates a local DNS server that acts as a filtering engine: every DNS query performed by the user is checked before it is resolved. The DarkLayer Guard DNS server hijacks the DNS IP address on the active network adapter(s) to scan for infected websites and other web locations (servers, online ads, etc.) that can potentially install malware or be used as gateways for cyber-attacks.
The DarkLayer Guard - Endpoint module will change the DNS (Domain Name System) IP Addresses on IPv4 and IPv6.
- On IPv4, it will change your DNS IP address from "Obtain DNS server addresses automatically" (set by DHCP) or from an already set static DNS IP address to 127.7.7.x (the DarkLayer Guard DNS IP address). Your initial DNS IP address is backed up in the Windows Registry and is used to resolve DNS queries once they have been allowed;
- On IPv6, it will change your DNS IP address from "Obtain DNS server addresses automatically" (set by DHCP) or from an already set static DNS IP address to fe80::b49a:9bef:4249:ac2e (the DarkLayer Guard DNS IP address). Your initial DNS IP address is backed up in the Windows Registry and is used to resolve DNS queries once they have been allowed.
Once the DNS IP address is set, every web location you access via the Internet is checked against a database stored locally in the HEIMDAL Agent installation path. This database is about 15 MB in size, and 95% of the blocked websites are located here.
If the website is identified as being infected, DarkLayer Guard - Endpoint will block it and you will see the block page in the browser.
Additionally, if you run nslookup on a malicious domain, the resolving IP address will be 52.166.12.23 (our HEIMDAL Security block page).
If the website is not blocked by the local database, it passes on to a second step: it is checked again against another database in the cloud (about 6 GB in size). If it is found to be malicious, DarkLayer Guard - Endpoint will block it. If it is safe, you will be able to access the website normally.
IMPORTANT
The entire filtering process takes place in milliseconds and will not affect your internet connection speed.
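To confirm on an endpoint that DNS is actually passing through the filter, the following added example (not HEIMDAL code) compares each active adapter's DNS servers with the addresses given in this article and checks whether a domain resolves to the block page IP. The function names are hypothetical, and the test domain in the last comment is a placeholder you replace with one your policy blocks.

```powershell
# Added example: audit DNS settings against the addresses stated in this article.
# Function names are hypothetical; this is not HEIMDAL code.
$DlgIPv4Pattern = '^127\.7\.7\.\d{1,3}$'          # 127.7.7.x
$DlgIPv6Address = 'fe80::b49a:9bef:4249:ac2e'
$BlockPageIP    = '52.166.12.23'

function Test-DlgServerAddress {
    param([string]$Address)
    $bare = ($Address -split '%')[0]               # drop an IPv6 zone index, if any
    return ($bare -match $DlgIPv4Pattern) -or ($bare -ieq $DlgIPv6Address)
}

function Get-DlgAdapterStatus {
    # One row per active adapter and address family (2 = IPv4, 23 = IPv6).
    foreach ($nic in (Get-NetAdapter | Where-Object Status -eq 'Up')) {
        foreach ($entry in (Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex)) {
            $servers = @($entry.ServerAddresses)
            $other   = @($servers | Where-Object { -not (Test-DlgServerAddress $_) })
            if ($servers.Count -eq 0) {
                $status = 'NoDnsServers'           # nothing configured for this family
            } elseif ($other.Count -eq 0) {
                $status = 'Filtered'               # every server is a DarkLayer Guard address
            } else {
                $status = 'Unfiltered'             # at least one resolver bypasses the filter
            }
            [pscustomobject]@{
                Adapter      = $nic.Name
                Family       = if ($entry.AddressFamily -eq 2) { 'IPv4' } else { 'IPv6' }
                Status       = $status
                Servers      = $servers -join ', '
                OtherServers = $other -join ', '
            }
        }
    }
}

function Test-DlgBlocked {
    # True when the system resolver answers with the block page address.
    param([Parameter(Mandatory)][string]$Domain)
    $records = Resolve-DnsName -Name $Domain -Type A -ErrorAction SilentlyContinue
    return @($records.IPAddress) -contains $BlockPageIP
}

Get-DlgAdapterStatus | Format-Table -AutoSize
# Test-DlgBlocked -Domain 'blocked-test.example'   # placeholder domain
```

An adapter reported as Unfiltered (for example a VPN or a newly added interface) is one whose queries can reach a resolver without passing through the local filtering engine.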