What is traffic scanning?
This Heimdal engine provides two options: Traffic Filtering and Automatically disable Traffic Filtering
By turning this engine ON or OFF you will ENABLE or DISABLED both Traffic Filtering and Automatically disable Traffic Filtering
How does Traffic Filtering work?
When this engine is enabled, the Heimdal™ Threat Prevention - Endpoint module will apply a filter on the network adapter that will scan for infected websites and other web locations (servers, online ads, etc) that can potentially install malware or be used as gateways for cyber-attacks.
How it works:
1. Heimdal will change the DNS (Domain Name System) for IPv4 and IPv6.
- For the IPv4 it will change it from „Obtain DNS server addresses automatically” or from an already set DNS (that will be backed up in a registry) to 127.7.7.x
- For the IPv6 it will change it to: fe80::b49a:9bef:4249:ac2e
2. Once the DNS is set, then every web location you access via the Internet will be processed through a database that is set locally on the Heimdal Thor Agent install path. This database is about 15 MB in size and 95% of the websites blocked are located here.
3. If the website is identified as being infected, Thor will block it and you will see this message:
4. If the website is not blocked after being processed through the local database it will pass but there is a second step. The website will be parsed through another database, in the cloud (about 6GB in size) where it will be checked again. If it’s found to be malicious, Threat Prevention Endpoint will block it. If it’s safe, you’ll just be able to see the website/banner normally.
All this filtering process takes place in milliseconds and will not affect your internet connection speed.
What is 'High Compatibility mode'?
If this option is enabled Heimdal Thor Agent will run in the network filtering mode, that gives the highest compatibility to any computing environment. This reduces the risk of compatibility issues on older network hardware or software, but slightly reduces the protections. Can be combined with VectorN detection lockdown, to increase security when infections occur.
This is how the view will look: