This article sets the guidelines for navigating the Group Policy interface.
The article will be structured into 3 segments, which illustrate and explain each feature:
- Thor Foresight
- Thor Vigilance
This feature allows the user to add this GP to a specific AD Global Security Group.
The AD Computer Group is the AD Global Security Group where all the machines are. This way, whenever that machine comes online only the policy will be applied.
The AD User Group is the AD Global Security Group where the all the users are. This way, whenever that user logs onto a computer, the policy begins to be applied.
Policy check interval and Licensing check interval - These features also checks if the policy is applied correctly on the machines. The option is designed to push the policy on all the computers at a specified set interval of time. This way, the policy will also be applied to the machines that were offline when a change was made in the dashboard.
Enable proxy settings – This feature is designed to install Thor Enterprise if the user uses a specific proxy server by adding the needed information in the fields displayed. For more information on how to set it up please read here: How Do I Install Thor Enterprise If I'm Behind A Proxy Server?.
Include in Release Candidate Program - This feature, once enabled, it will update the current version of Thor Enterprise to BETA (Release Candidate) version. This will happen only on the machines that are using the Group Policy where this option was checked.
Do not show GUI - This feature is designed to offer the possibility to deploy Thor Enterprise without GUI (Graphical User Interface) or to deploy the Beta version/RC of Thor Enterprise.
Note: We recommend everyone running Thor Foresight on Terminal Servers or Citrix servers to make sure that "Do not show GUI" is checked before the entire policy (Thor Foresight Enterprise installation included) is set to be deployed.
Enforce uninstall password – This feature allows to set up a password that will be required when uninstalling Thor Enterprise from one of the machines related to this Group Policy.
Synchronize with time server – This feature will run two silent commands that will keep the time on the server up to date. These commands will run in the background every time Thor Enterprise Scans the machine. The commands are:
net time /set /y
In order for all the changes made to take effect, remember to click on the Update button on the bottom left side.
This engine is structured into 3 features:
- DarkLayer Guard
- VectorN Detection
- X-ploit Resilience
This section of the Group Policy is designed to administrate the Thor Foresight engine embedded in Thor Enterprise.
By enabling the DarkLayer Guard, Thor Foresight will add the DNS 127.7.7.x to the network adapter’s IPv4. This is basically the network filter that will protect the computer from getting infected.
1. Enable High Compatibility Mode – The option is by default enabled for all accounts. This incurs a 15 ms of delay in applying the Dark Layer Guard filter over the network card (NIC) which currently has internet access, in order to allow all relevant Microsoft Windows OS services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc. This option enhances functionality in large corporate environments, but it can be disabled if desired.
2. Enable VectorN detection lockdown - this option is recommended to be enabled only if you also have enabled High Compatibility Mode. If enabled, this option will override the High Compatibility Mode option and 127.7.7.x will never be removed from the NIC Card. This option was introduced for users that have the High Compatibility Mode enabled, but Thor Foresight detects a malware pattern on the machine and locks down any gate for this malware, including at reboot or shut down when the user is exposed if he has the High Compatibility Mode option on.
3. Cisco Anyconnect IPv6 compatibility mode - Enabling this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect IPv6 filtering.
4. Force DHCP DNS usage - If enabled, this feature will make sure you will always have the NIC Card set to automatic DNS in case Thor Foresight fails to add 127.7.7.x on the NIC Card. This option is recommended to be enabled if:
a. You are using VPN connections in your organization
b. Nobody from your organization uses Static IP.
(We recommend you to contact Support at email@example.com before enabling this option)
5. Use default loopback address: Once checked, DarkLayer GUARD will set your DNS to 127.0.0.1 instead of 127.7.7.x. It will also set ::1 as your loopback address for IPv6. This will enforce DarkLayer GUARD to intercept traffic from a single adapter. This setting helps ensure compatibility between Thor Foresight and certain VPN products, as well as other software you may use, such as virtualization products.
6. Check Interval - by using this feature, you can adjust the time for Thor Foresight to initiate a network scan.
7. Enable domains whitelist – This feature allows the user to whitelist a domain that Thor Foresight blocks the access to due to being suspicious. The domain can be typed in the field that is displayed once the option is ticked and click ADD to whitelist it.
You also can upload a CVS file with multiple domains (divided by "," comma).
facebook.com, youtube.com, amazon.com. That way these domains will be accessible by all machines that are part of the Group Policy.
The domain can be removed from the whitelist by clicking on the red X next to it, it will automatically become blacklisted again once the policy is updated.
8. Enable domains blacklist - This feature allows the user to blacklist a domain that Thor Foresight does not consider a threat. Perhaps you want to prohibit access to a specific domain in your environment. You can use this option to block it. You can add the domain to the field that appears once you tick the feature. Just click on “add” to blacklist it.
You also have the possibility to upload a CVS file with multiple domains (divided by "," comma).
facebook.com, youtube.com, amazon.com. That way these domains will be not accessible by all machines that are part of the Group Policy.
You can remove the domain from the blacklist by clicking on the red X next to it, it will automatically become whitelisted again once this is done.
9. Enabled custom block pages – This feature allows you to add a custom HTML page that will be displayed when Thor Foresight blocks a domain instead of the one shown by Thor Foresight.
This feature is designed to periodically scan the system for malware. For more information regarding this feature and what it does, please download and read the latest whitepaper that can be found here: Announcements or in the Dashboard > Guide > Download and install section.
It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated and scanned for threats either manually or automatically.
By enabling the X-Ploit Resilience - 3rd Party Applications module, it will allow the user to install or update a specific software from the list of all the applications that are added to the Group Policy.
In this section, you can also enable Infinity management and Assets View.
To read more about Infinity Management, please access the Guide section in the dashboard then Download and install where you can find a document with details and usage instructions: Infinity Management Guide
When you enable the Assets View option you will have the possibility to track and manage all the software installed on the devices in your organization, even if we do not offer patches for them. After you activate the feature you can administer the applications from Thor Foresight - X-ploit Resilience section.
In order for all the changes made to take effect, you have to click the Update button on the bottom left side.
1. The Manage Applications offers the following actions:
- The user can select to install and update a specific software on the computers from the GPO
- The user can select to monitor the software without letting Thor Foresight patch them automatically. This can be done just by marking the checkbox called "Enable 3rd Party Applications module"
- The user can select to install a specific version of the software if it's required by the system.
- The user can select to only update a specific software on the computers from the GPO. This implies that the software selected is already installed on the machines.
- The user can select to only install specific software on the computers from the GPO. This will only install the latest version of the selected software but will not update it if a new version of it will be released.
- The user can select to update all the pieces of software by checking the option Keep all applications up to date. This option will select all the pieces of software and will update them if they are found on the machines that use the Group Policy. Also, it will gray out and will not allow any modifications or exclusions.
- The user can use the option ALLOW INSTALL – This feature will allow the end-user to install by himself a piece of software that has this option checked in the Group Policy.
Note! Even if no option to Install or Update is selected, Thor Foresight will monitor the found applications from the machines that are also present in our application list. The number of monitored applications can be seen here:
- The user can select one or more days in a Week when Thor Foresight can install the updates
- The user can select one or more days in a month when Thor Foresight can install the updates
- The user can select a certain period of the day or exclude a certain period of the day when the patches to be applied.
Note: If Install All is enabled, when we add new software in Thor Foresight, they will be automatically installed on your machines.
2. Lockdown a certain software version
The Group Policy also allows you to select a certain version of a software and lock it down. That means Thor Foresight will not update it anymore.
Note: If you have a higher version installed and you lock down a lower version, Thor Foresight will not downgrade it, but if you have a lower version of the software and you lock down a higher version, Thor Foresight will update that software to the version you selected.
3. Delay a Patch
This option offers you the possibility to delay a patch with 1, 3, 7, 15 or 30 days. That means the patch will be applied to your machine after the selected days since we added in Thor Foresight's X-Ploit Resilience.
In order to improve the performance of computers, you can delay the patching after the machine has started.
4. Uninstall Applications
Another feature that the patching system offers is the Uninstall Applications.
This feature allows the user to:
- Uninstall a specific application by writing its name in the field and pressing Add or Enter.
For example, maybe you need to remove Adobe Acrobat Reader DC from all the machines.
In this case, you need to add the full name of the application in the field and press Add or Enter.
- If the “Starts with” option is selected before pressing Add, Thor Foresight will uninstall everything from the computer that begins with the word “Adobe”. That is why you should know exactly what software needs removing. An example will be Adobe Acrobat Reader DC. That way, you can ensure that Thor Foresight will only remove the software Adobe Acrobat Reader DC.
- If you need to remove a software app from the Managed Application list from all the computers, then you need to make sure that the option to ”Install” or “Update” is not selected in order for it to work.
Then that happens because, in the Managed Application list, Adobe Reader is still selected to perform one of the following actions: Install or Update. Removing these actions will allow the software to be uninstalled.
2. This feature allows uninstalling software that is not on the Managed Application list. It can be any other software from the computer. As mentioned previously, you have to write the full name of the software (as it appears in Control panel) before pressing Add.
For more information about this feature please click here: UNINSTALL APPLICATION Feature Explained.
In order for all the changes made to take effect, remember to click on the Update button on the bottom left side.
With Thor Enterprise you can now apply Microsoft updates to the Windows computers in your company’s environment.
With X-ploit Resilience you can now apply Microsoft updates to the Windows computers in your company’s environment.
Thor Foresight allows the management of these patches, select which ones to deploy on the computers under the respective GP, to delete or hide them and select to suppress the reboot of the machines after the installation is complete as well as schedule when the computers to be restarted if required.
When Microsoft Vulnerability reporting only is enabled this section will only display the updates available but without applying them to the machines.
The updates will be removed from the list once they have been installed on the computers in the Group Policy.
The Install no restart required updates only will push automatically all the patches that do not require a restart after completion.
Suppress and install everything will install all Windows updates, no matter if they require a reboot and without restarting the computer automatically unless the reboot scheduler is activated.
If Enable Agent notifications for reboot is activated a message will be displayed by the Thor agent on the end user's computer that a restart is necessary to finish the installation.
Server Source allows Heimdal Security to download the updates from the servers you chose. If Default is selected the updates will be downloaded from the source configured on the machine and if Windows Updates is selected any other 3rd party or WSUS will be bypassed so that the updates are fetched from Microsoft servers.
The Enable Delaying Windows Updates option allows postponing the updates for a number of days after their release, selecting from 1 to 31 days. This setting will override the customisation of the scheduler.
For the Microsoft updates the user has control when they should be deployed, being allowed to set a schedule.
This schedule allows the selection of a timeframe when devices will be restarted after each update that requires a reboot was installed.
Force reboot during time selection will restart the computer no more than once in the selected timeframe even if there were no updates installed requiring a reboot.
After everything has been selected and adjusted, the user must Update Policy for the changes to take effect.
Windows Updates Check Interval - this option will allow you to control how often should Heimdal check for available Windows Updates. The minimum is 720 min.
Force Reboot Delay - When a force reboot is detected the agent will display a popup notification with the remaining minutes until rebooting. This reboot cannot be canceled.
This option will allow you to control how fast the computer will be rebooted after an update that requires a reboot has been installed.
The interval is between 5 and 60 min.
By enabling this feature, the antivirus will turn ON.
Enable Real-Time Protection – The endpoints will be scanned in real-time to catch both known and unknown threats. This feature will scan all actions performed on any file, such as read, write or execute so that malicious activities can be detected immediately.
Allow Manual Scan - provides the option to start any scan by the user directly from the agent.
- The default scan action on infected – This allows you to set up the action that you want the antivirus to take upon detecting a threat: Deny, Quarantine or Allow.
- The default scan action on suspicious - This allows you to set up the action that you want the antivirus to take upon detecting a suspicious file: Deny, Quarantine or Allow
Be advised that the Deny option is available only if Enable Real-Time Protection is activated in the Group Policy.
Update virus definitions interval [min] – The default time interval is 120 min but can be modified up to 360 min. This feature is designed to check whether there are new virus definitions files (VDF’s) within the Thor Enterprise cloud. If a new VDF is available, this gets automatically downloaded to the local agent database. It is recommended to have the limit set to 120 min in order to update the database as soon as possible.
As the name states, this section allows you to schedule a scan that suites your needs. You can start creating a schedule by pressing ADD NEW SCAN button on the right side.
Scan Profile Name – In this section you can add the name for the profile you want to create.
Scan Type – This allows you to chose what type of scan you wish Thor Vigilance to run in the profile created.
- Full scan – profile will scan all the local files on the endpoints that have the policy applied
- Quick scan – profile will scan critical OS locations and the most usual target folders which are known for virus activity:
C:\Program Files\Common Files
C:\Program Files (x86)\Common Files
- Hard Drive scan – profile will scan all files on the hard drive while ignoring the files on all external media types
- Local Drive scan – the profile will scan all local disks including the hard drives, optical drives and external storage
- System scan – profile will scan system directory
- Removable Drive scan – profile will only scan for files that become accessible from flash, optical or external drives
- Network Drive Scan – will scan the network mapped folders
- Active Processes Scan – profile will only scan for processes currently running on the target machine
- Custom Scan - available only on the user's computer from the agent, allows the scan of any file by using the right-click context menu then selecting Scan with Thor Vigilance which will open a new window with the result
Once the Scan Profile Name and Scan type have been chosen, Heimdal Dashboard allows you to set the timeframe when Thor Vigilance antivirus will start to run.
You can choose which days of the week you want the antivirus to run on.
You can also choose which days of the month you want the antivirus to run on. Usually, this option is used in corporations that have a very strict maintenance policy.
Choose time interval - This allows you to set up a timeframe for when Thor Vigilance should run the created scan profile.
- The scan profile does not apply automatically in the policy after clicking the “set scan” button. The administrator needs to confirm this by clicking the “update-policy” button. If the update is not clicked, the defined scan profile will be lost if the current page is left before updating the policy.
- Multiple scan profiles can be created inside a single Thor Vigilance policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. Example: no 2 scan profiles can be defined to perform full scans in the same policy.
This feature allows you to add exclusions that Thor Vigilance will ignore during scanning.
There are 3 types of exclusions that are allowed:
- Filename – This option is used if you want Thor Vigilance to ignore a specific suspicious file from being scanned or from any actions being taken upon it by our antivirus.
- File Path - This option is used if you want Thor Vigilance to ignore a specific File Path from being scanned or from any actions being taken upon it by our antivirus.
- Directory - This option is used if you want Thor Vigilance to ignore a specific Directory from being scanned or from any actions being taken upon it by our antivirus.
Real Time Exclusion List - the items added here will be excluded directly from the realtime driver. Only use this when the regular exclusion doesn't work. Adding too many items here may affect performance.
It is recommended to use this feature for applications, external drives to avoid having their files/folders blocked instantly by the AV scanning but to have them in the normal Exclusion List if they are used regularly and for longer periods of time.
General Quarantine List
This feature allows you to add a specific file or path to quarantine. It is used to define a certain AV behaviour when a certain file with a distinct file name is created on the hard drive. Also, it can be tweaked to only apply to files in a certain physical location.
Basically, the administrator is telling the agent that whenever a suspicious file is found on the hard drive, the file gets automatically quarantined. As already stated, this is also valid for file paths: whenever a file is detected on a certain path, that file gets quarantined immediately.
See how to apply a certain Grop Policy to your machines here: https://support.heimdalsecurity.com/hc/en-us/articles/360001861477