In this article, you will learn everything you need to know about the settings you can configure for the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To go to the Endpoint Settings, log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
1. Endpoint Settings
2. General
3. Threat Prevention
4. Patch & Assets
5. Endpoint Detection
6. Privileges & App Control
7. Email Protection
8. Remote Desktop
ENDPOINT SETTINGS
In the Endpoint Settings, you have a section dedicated to Windows endpoints where you can create and manage Group Policies that are applied to the endpoints inside your organization. In the Windows GP tab, you can change their priorities according to your needs (by using drag & drop), you can duplicate/enable/disable a Group Policy or you can use the Group Policy Inheritance mode feature and the Opt-in Reseller Master GP feature (if activated by your reseller).
Group Policy Inheritance
Group Policy Inheritance works only for the 3rd Party Patch Management product and merges the settings for the 3rd Party Application list (automatic install/automatic update/manual install) across multiple Group Policies (it does NOT merge Delay, Version, Scheduler, or Application Blocklist settings). This feature does NOT apply to endpoints that are manually applying a Group Policy (specific Group Policy). Thus, the inheritance will only work on endpoints that are automatically applying a Group Policy. Group Policy Inheritance also considers the AD Groups membership of an endpoint if the HEIMDAL Dashboard Group Policies are linked to AD Groups (AD Computer Group/AD User Group, but not Azure AD Groups) to achieve a more granular customization of the Group Policy settings that will apply to an endpoint or multiple endpoints.
When Group Policy Inheritance is enabled, an endpoint will apply the 3rd Party Application settings (automatic install/automatic update/manual install) specified in the Group Policy that is applying to it, but it will also apply the 3rd Party Application settings (automatic install/automatic update/manual install) from the rest of the Group Policies that match the endpoint (from the highest priority to the lowest priority). The criteria that will merge from other Group Policies are the Install, Update, Allow Install checkboxes, and the Infinity Management checkbox.
In case the same application is managed by 2 Group Policies, the settings from the Group Policy with the highest priority win. In the case below, if Group Policy A (Google Chrome x64 is set to install the Latest Version) has a priority of 5 and Group Policy B (Google Chrome x64 is set to stay on Version 112.0.5615.50) has a priority of 6, the HEIMDAL Agent will keep Google Chrome x64 on version 112.0.5615.50 because Group Policy B is the Group Policy with the highest priority.
SCENARIO 1 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON PRIORITIES
a. An endpoint that is applying Group Policy A (priority 6, the highest) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
b. An endpoint that is applying Group Policy B (priority 5) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
c. An endpoint that is applying Group Policy C (priority 4) will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Group Policy B, Group Policy C, Custom 2, Custom 1.
SCENARIO 2 - AN ENVIRONMENT WHERE THE GROUP POLICIES ARE APPLIED BASED ON AD COMPUTER/USER GROUPS
a. An endpoint that is applying Group Policy A (priority 6) because it is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 2, Custom 1 (Group Policy A is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
b. An endpoint that is applying Group Policy B (priority 5) because it is a member of the Marketing AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy B, Custom 2, Custom 1 (Group Policy B is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
c. An endpoint that is applying Group Policy C (priority 4) because it is a member of the Support AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy C, Custom 2, Custom 1 (Group Policy C is automatically applied to the endpoint, while Custom 2 and Custom 1 are also merged because they are not linked to any AD Computer/User Groups).
d. In the snippet below, an endpoint that is applying Group Policy A (priority 3) because it is a member of the Development AD Computer Group will apply the 3rd Party Application settings (automatic install/automatic update/manual install) from Group Policy A, Custom 1 and Custom 2 (Group Policy A is automatically applied to the endpoint, while Custom 1 and Custom 2 are also merged because they are not linked to any AD Computer/User Groups).
e. In case the endpoint is applying a Group Policy where Applications Blocklist is targeting (for uninstall) a 3rd Party Application that is managed/merged from another inherited Group Policy, that 3rd Party Application will be disregarded if enabled for install/update.
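The merge rules from both scenarios, as an added example written for this article (not HEIMDAL's own code): which Group Policies inherit into an endpoint's applied GP, how the highest priority wins a conflict on the same application, and how the applied GP's Applications Blocklist overrides a merged entry. Policy names, priorities and AD group names mirror the scenarios above; the application lists are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppSettings:
    """The per-application checkboxes that Group Policy Inheritance merges."""
    install: bool = False        # Install checkbox
    update: bool = False         # Update checkbox
    allow_install: bool = False  # Allow Install checkbox
    infinity: bool = False       # Infinity Management checkbox
    version: str = "Latest"      # targeted version ("Latest" or a fixed version)


@dataclass
class GroupPolicy:
    name: str
    priority: int                                # higher number = higher priority
    apps: dict = field(default_factory=dict)     # app name -> AppSettings
    ad_groups: frozenset = frozenset()           # linked AD Computer/User Groups (empty = not linked)
    blocklist: frozenset = frozenset()           # Applications Blocklist (apps targeted for uninstall)


def matching_policies(applied, policies, endpoint_ad_groups):
    """GPs that inherit into `applied`: the applied GP itself, every GP that is
    not linked to an AD group, and every GP linked to a group the endpoint is in.
    Returned highest priority first so that it wins every conflict in the merge."""
    chosen = [gp for gp in policies
              if gp is applied or not gp.ad_groups or gp.ad_groups & endpoint_ad_groups]
    return sorted(chosen, key=lambda gp: gp.priority, reverse=True)


def merge_inherited(applied, policies, endpoint_ad_groups=frozenset()):
    """Return (merged app settings, GP that supplied each app, contributing GP names)."""
    merged, source = {}, {}
    contributors = matching_policies(applied, policies, endpoint_ad_groups)
    for gp in contributors:
        for app, settings in gp.apps.items():
            # first writer wins: the highest-priority GP that manages this app
            merged.setdefault(app, settings)
            source.setdefault(app, gp.name)
    # Rule e. above: an app targeted by the applied GP's Applications Blocklist
    # is disregarded for install/update even when merged from another GP.
    for app in applied.blocklist:
        merged.pop(app, None)
        source.pop(app, None)
    return merged, source, [gp.name for gp in contributors]


def scenario_policies(linked):
    """Five constructed GPs; `linked=True` ties A/B/C to the AD Computer Groups of Scenario 2."""
    group = lambda name: frozenset({name}) if linked else frozenset()
    return [
        GroupPolicy("Group Policy A", 6, {"Google Chrome x64": AppSettings(install=True, update=True)},
                    group("Development")),
        GroupPolicy("Group Policy B", 5, {"WhatsApp": AppSettings(update=True)}, group("Marketing")),
        GroupPolicy("Group Policy C", 4, {"Spotify": AppSettings(install=True)}, group("Support")),
        GroupPolicy("Custom 2", 2, {"Google Chrome x64": AppSettings(allow_install=True)}),
        GroupPolicy("Custom 1", 1, {"Spotify": AppSettings(update=True)}),
    ]


def chrome_version_example():
    """The version conflict described above: A (priority 5) wants Latest,
    B (priority 6) pins 112.0.5615.50; B wins because it has the highest priority."""
    gp_a = GroupPolicy("Group Policy A", 5, {"Google Chrome x64": AppSettings(install=True)})
    gp_b = GroupPolicy("Group Policy B", 6,
                       {"Google Chrome x64": AppSettings(install=True, version="112.0.5615.50")})
    merged, _, _ = merge_inherited(gp_a, [gp_a, gp_b])
    return merged["Google Chrome x64"].version


if __name__ == "__main__":
    # Scenario 1: priorities only, every GP merges into the endpoint applying B
    pols = scenario_policies(linked=False)
    _, src, names = merge_inherited(pols[1], pols)
    print("Scenario 1 contributors:", names, "| sources:", src)
    # Scenario 2: endpoint in Development applying A merges A, Custom 2, Custom 1
    pols = scenario_policies(linked=True)
    _, src, names = merge_inherited(pols[0], pols, frozenset({"Development"}))
    print("Scenario 2 contributors:", names, "| sources:", src)
    print("Chrome version kept:", chrome_version_example())
```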
Reseller Master GP Distribution
Reseller Master GP Distribution is a feature that allows resellers to deploy a Reseller Group Policy to all the customers that have selected to opt-in to the Reseller Master GP. The Reseller Master GP Distribution feature can be activated only from the Reseller account and enables the Opt-in Reseller Master GP functionality on the reseller's customers. A reseller can create one or multiple Reseller GPs.
Opt-in Reseller Master GP allows the customer (or the reseller) to apply the Group Policy settings configured by the Reseller in the Reseller Master GP. This GP cannot be edited or disabled by an Enterprise customer, but its priority can be changed in the Group Policy list.
The Download button allows you to download an Excel file with all the Group Policies and the settings in each Group Policy.
GENERAL
In the General tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints;
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list;
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
AD User Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
External IPs - this option allows you to assign the Group Policy based on one or more External IPs. Adding multiple IPs is done by separating them with a comma, but you can also add an IP range (1.1.1.1 - 1.1.1.254):
Specific Azure Groups - allows you to bind the assignment of the current GP to one or multiple Azure Active Directory Groups (Microsoft 365 Groups, Distribution Groups, Mail-enabled Security Groups, Security Groups). The users that are members of the specified Azure Active Directory Group(s) will get the current Heimdal Group Policy;
Policy check interval - sets the Group Policy check interval that is automatically performed by the HEIMDAL Agent to communicate with the HEIMDAL Dashboard and servers. The default time for the Policy check interval is 180 min;
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent;
CPU Threshold - allows you to set the CPU Threshold for the warning notifications displayed in the Status column of each endpoint (in the Active Clients view). The default setting for CPU Threshold is 50%;
Memory Threshold - allows you to set the Memory Threshold for the warning notifications displayed in the Status column of each endpoint (in the Active Clients view);
- Example: The memory is running at 65 % | The CPU is running at 55 %
Proxy Settings
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Use system default - the HEIMDAL Agent will automatically pick up the Proxy settings from the computer's Internet Settings. If this option is enabled, the HEIMDAL Agent will impersonate the user that is currently logged in on the computer to pick up the Proxy configuration. If no user is logged in, the HEIMDAL Agent will not be able to collect the Proxy information;
No proxy - the user does not use a Proxy;
Manual proxy - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Additional Settings
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
Do not show GUI - run the HEIMDAL Agent without the GUI. This feature is recommended for File Servers, Citrix Servers, Terminal Servers, or RDP Servers where multiple users are connecting at the same time;
Realtime communication - allows the HEIMDAL Agent to communicate with the HEIMDAL Dashboard (with a delay of under 1 minute) and apply GP updates, Next-Gen Antivirus on-demand scans, Logs requests, Wake-on-Lan requests;
Skip prompting the client when requesting logs - allows you to request the HeimdalLogs or the Event Viewer Logs from any endpoint without the explicit approval of the user. If this option is disabled, the HEIMDAL Agent will display a pop-up on the end-user endpoint each time the HEIMDAL Dashboard Administrator tries to collect the HeimdalLogs or the Event Viewer Logs from the endpoint, asking the user to confirm that they allow the Administrator to collect the Logs. The HEIMDAL Support Team also has access to this feature. If the option is enabled, the HEIMDAL Support Team can collect the info without the confirmation of the user;
Only merge with AD groups specific policies - allows you to merge the current GP with other GPs that match the endpoint's AD Computer Group or AD User Group (available only if Inheritance Mode is ON). If this option is enabled, you will be able to apply multiple Group Policies to machines that are part of different AD groups;
Enforce uninstall password - allows you to set up an uninstall password that will be required when uninstalling the HEIMDAL Agent from any endpoint that is applying the current Group Policy. It prevents unauthorized users from uninstalling the HEIMDAL Agent or performing other changes;
Synchronize with time server – this feature syncs the endpoint's time with the Windows Time to ensure correct communication between the HEIMDAL Agent and the HEIMDAL servers. The HEIMDAL Agent will run w32tm /resync and net time /set /y in the background every time a Group Policy check is performed;
Wake on LAN - enables/disables the Wake-on-LAN functionality. Wake-on-LAN is not supported if:
- the endpoint is in an IPv6 network;
- the endpoint is connected through Wi-Fi;
- the endpoint uses a logical adapter for VPN (logical adapters don't have MAC Addresses);
- the endpoint uses a docking station;
Allow network scan - allows you to select an endpoint (from the Active Clients view) and scan the network for devices/endpoints that are not running the HEIMDAL Agent;
Collect Telemetry data - enhances the data/log collection by installing Sysmon (Microsoft System Monitor) to get more data for incident resolution in the Event Viewer Logs. The Sysmon logs come with a retention time of 30 days. If you are already using the Microsoft System Monitor (Sysmon), we will overwrite your existing configuration, but if Sysmon is not installed on your endpoint(s), enabling this feature will install it;
Auto-collect logs on isolation - collects the Heimdal Agent logs, the Event Viewer Logs and the Remote Desktop logs once an endpoint is isolated (this option is greyed out if Firewall is turned OFF and the isolation functionality is also turned OFF);
Use Priority update servers - allows you to set a Priority Update Server and prioritize 3rd Party Applications deployment over an active Internet connection. Once enabled, any computer that is applying the current Group Policy can be marked down as Priority Update Server (from the Active Clients view, by selecting the endpoint and by marking it as Priority Update Server from the dropdown menu), thus, overwriting the Default Update Server. All 3rd Party Application patches/HEIMDAL Agent versions downloaded on the Priority Update Server can be distributed to other endpoints in the environment via P2P instead;
Keep cached files indefinitely - the cached files (3rd Party Applications or HEIMDAL Agent versions) will be stored indefinitely on the Priority Update Server until they are manually deleted. If you disable the option, the disk will not be cleared;
Additional check interval for normal computers - allows you to set the interval of minutes used by the endpoints to communicate with the Priority Update Server.
THREAT PREVENTION
Threat Prevention is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL Threat Prevention engine embedded in the HEIMDAL Agent.
DARKLAYER GUARD
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from getting infected.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to Automatic DNS (set automatically by the DHCP). This option is recommended to be enabled if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes DarkLayer Guard set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between HEIMDAL Threat Prevention and certain VPN products, as well as other software you may use, such as virtualization products;
Force NCSI fix - this feature fixes the Network Connectivity Status Indicator issue that causes the globe icon in the Tray menu when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value 1 (default is 0) on the following path Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing, and adds a Microsoft IP Address in the hosts file (C:\Windows\System32\drivers\etc);
Improve TTPC accuracy - installs and updates the Sysmon service (if not installed already) to improve the interception of processes that perform malicious DNS requests;
- You can find the Sysmon logs in Event Viewer Logs -> Application and Service Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22;
- When the DarkLayer Guard - Endpoint engine gets the process ID from Sysmon and queries the Windows processes, there is a risk that the process has already been killed or stopped. If this happens, DarkLayer Guard - Endpoint will not be able to get the process information, so a generic "-" will be displayed in the HEIMDAL Dashboard;
- There is a 2-minute wait time when the same domain is accessed, which results in only one entry being displayed for that specific domain even if it was accessed several times in that time interval. In the Event Viewer Logs, an entry will show up every time a domain is accessed.
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment);
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6;
DoH Compatibility Mode - this feature prevents your active browser (Google Chrome or Mozilla Firefox) from using DNS over HTTPS, which would bypass the more comprehensive DNS traffic filtering provided by HEIMDAL™ Threat Prevention;
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering;
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint;
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature will pause the DarkLayer Guard engine while the endpoint is connected to Cisco Anyconnect/Fortigate. The DNS filtering will automatically re-enable after disconnecting from Cisco Anyconnect/Fortigate;
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again);
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database;
Domains allowlist – this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by the Heimdal™ Threat Prevention. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Block by Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat or block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Custom block pages – this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blocklisted domain):
VECTORN DETECTION
The VectorN Detection engine is a feature that searches for patterns within the blocks of HEIMDAL's DarkLayer Guard records, detecting malware in ways that no other endpoint protection can. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated, and scanned for threats either manually or automatically.
VectorN Detection - turn ON/OFF the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);
PATCH & ASSETS
Patch & Assets is structured into 2 modules: 3rd Party Patch Management and Microsoft Updates. This Group Policy section is designed to manage the HEIMDAL Patch & Assets components embedded in the HEIMDAL Agent.
3RD PARTY PATCH MANAGEMENT
The Patch & Asset Management - 3rd Party Patch Management module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
3rd Party Patch Management - turn ON/OFF the 3rd Party Software module;
General Settings
Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches (.msi, .exe, .bat files) from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Patch Management list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
Software Asset Management - allows you to manage the software license details for an application that is installed in your environment in a dedicated view found under Patch & Asset Management -> 3rd Party Patch Management. You can input the Software Name, Version, Publisher, License Type, Quantity, Price, Expiration Date, etc.
Manage Applications
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if it is not already installed. If the 3rd Party Application is already installed, it will not do anything;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Patch Management list:
Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or to an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore;
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Patch install delay pop-up - notifies the end-user when a 3rd Party Application is being installed (when it is performed from the Active Clients view). The install delay allows you to configure the installation delay between 5 and 60 minutes and the number of times the end user is allowed to postpone the installation;
Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module;
- You can select one or more days in a week when HEIMDAL Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when HEIMDAL Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
Applications Blocklist
This feature allows you to uninstall a specific 3rd Party Application(s) to restrict the usage of unwanted applications or to get applications removed from all machines that are applying the current Group Policy. This feature removes most of the applications that Patch & Asset Management is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoints but not managed by Patch & Asset Management module. To uninstall a 3rd Party Application you need to specify the name of the application and a version option (exact version, lower versions, or higher versions).
- the example below targets any Spotify application and versions 2.23.7.10 and higher of WhatsApp;
- using the Starts with option will remove any package named Spotify or WhatsApp with the specified version or higher.
Example:
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Software list, you need to make sure that the tickboxes for Install or Update are unticked in order to be able to add the 3rd Party Application to the Application Blocklist.
OPERATING SYSTEM UPDATES
The Patch & Asset Management - Operating System Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download and deploy available Operating System Updates that are specific to any endpoint in your environment. HEIMDAL Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them and select to suppress the reboot of the endpoints after completing the Operating System Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Operating System Update).
Operating System Updates - turn ON/OFF the Operating System Updates product;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints (in the Microsoft Updates view) in your environment without applying them.
General Settings
Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do NOT require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and installation of all the available Windows Updates (those that require a reboot to complete the installation process and also those that do not require a reboot) when they are released by Microsoft on the Microsoft API. The computer will not reboot automatically even if an installed update requires a reboot in order to complete. The reboot will be carried out manually by the user/administrator;
Installation of optional updates - allows you to enable/disable the automatic download and installation of optional updates (like Microsoft Feature Updates);
Prevent Windows 11 auto-upgrade - allows you to prevent the computers from installing the Upgrade to Windows 11;
Enhanced reboot detection - the HEIMDAL Agent will perform another check to see if a reboot is required to complete the installation of a Windows Update. This feature may put the endpoint(s) in a continuous reboot state;
Installation by category - allows you to enable/disable the automatic download and installation of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:
Installation of other Microsoft products - allows you to enable/disable the automatic download and installation of Microsoft Updates for other Microsoft products like Microsoft 365, Microsoft Office, Microsoft Teams, OneDrive, OneNote, Microsoft Edge;
OS Updates Exclusions - allows you to exclude Windows Updates from being installed by KB or Title. Exclusions will have priority over the installed Windows Updates selected for installation in the Group Policy. The Exclusions section allows you to import a CSV file in case you have multiple KBs or Titles that need to be excluded;
Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the server source you choose.
- Default - searches for updates on the intranet Microsoft update service location (if specified) configured in the Local Group Policy Editor -> Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update, or on the Microsoft Default source (if nothing is specified);
- Windows Updates - searches for updates directly on the Microsoft Update servers (bypassing any specified intranet location).
The section below allows you to hide or delete specific Windows Updates that are manually set for installation:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
Delayed OS Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
OS Schedule - allows you to configure the interval(s) when the deployment of available Windows Updates takes place. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will run the OS Updates on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will run the OS Updates on the selected days, in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First week starts on the 1st of September and this means that the First week includes only 4 days, while the Fifth week includes 5 days. Choosing a combination of Thursday and First Week means that the OS Updates will run on the 1st of September. Choosing a combination of Monday and First Week means that OS Updates will run on the 5th of September (the first day from the second week) because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, which means that the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Update scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when the download and installation of Windows Updates take place to minimize the impact on the workflow in your environment;
OS Reboot Scheduler - allows you to configure the interval(s) when an endpoint can reboot in order to complete the installation of available Windows Updates that require a reboot. You can select a day or multiple days during the week or during the month (and a timeframe that applies to the selected day/s). Choosing a day or multiple days (without selecting the weeks) will allow the reboot on the selected days of every week. Choosing a day or multiple days (by selecting the First Week and the Second Week) will allow the reboot on the selected days, in the First Week and the Second Week only. The scheduler considers the way the days are distributed within the calendar.
In the example below, the month of September 2022 spans a period of 5 weeks. The First week starts on the 1st of September and this means that the First week includes only 4 days, while the Fifth week includes 5 days. Choosing a combination of Thursday and the First Week means that the reboot will occur on the 1st of September. Choosing a combination of Monday and the First Week means that the reboot will be on the 5th of September (the first day from the second week) because the first Monday of the month happens then. This happens in order to prevent skipping a month if the selected day is out of scope. The other case refers to a combination of Sunday and the Fifth Week, which means that the last Sunday is out of the scope of the Fifth Week. Because the algorithm is adjusted in such a way as not to skip any month, the OS Reboot scheduler will run on the 25th of September (which is the actual last Sunday of the month).
The scheduler can be made Active during the time selection or Inactive during the time selection. This feature is designed to allow you to schedule when an endpoint can reboot in order to complete the installation of Windows Updates that require a reboot to minimize the impact on the workflow in your environment;
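The week/day fallback described for both the OS Schedule and the OS Reboot Scheduler, as an added worked example (this is not HEIMDAL code): the month is split into Monday-to-Sunday calendar weeks, and a selected weekday that is missing from a partial first or last week falls back to the first or last occurrence of that weekday in the month, so no month is skipped. How a week number beyond the month's last week is handled is not stated on the page; the code treats it as the last week and marks that as an assumption.

```python
import calendar

MON, TUE, WED, THU, FRI, SAT, SUN = range(7)   # same numbering as date.weekday()


def month_weeks(year, month):
    """Split a month into calendar weeks that run Monday to Sunday.

    Only days that belong to the month are kept, so the first and the last
    week can be partial (September 2022: 4 days and 5 days respectively).
    """
    cal = calendar.Calendar(firstweekday=calendar.MONDAY)
    return [[d for d in week if d.month == month]
            for week in cal.monthdatescalendar(year, month)]


def schedule_dates(year, month, weekdays, weeks=None):
    """Dates on which a scheduler with this day/week selection fires.

    weekdays: set of MON..SUN values.
    weeks:    set of 1-based week numbers (First Week = 1), or None/empty,
              which means "the selected days of every week".
    A selected day missing from a partial first (last) week falls back to
    the first (last) occurrence of that weekday in the month.
    """
    all_weeks = month_weeks(year, month)
    days = [d for week in all_weeks for d in week]
    if not weeks:
        return [d for d in days if d.weekday() in weekdays]
    hits = set()
    for week_no in weeks:
        # Assumption (the page does not say): a week number past the month's
        # last week is treated as the last week.
        idx = min(week_no, len(all_weeks)) - 1
        for wd in weekdays:
            in_week = [d for d in all_weeks[idx] if d.weekday() == wd]
            if in_week:
                hits.add(in_week[0])
            elif idx == 0:
                # partial first week: the day falls before the 1st, use the first occurrence
                hits.add(next(d for d in days if d.weekday() == wd))
            else:
                # partial last week: the day falls in the next month, use the last occurrence
                hits.add(next(d for d in reversed(days) if d.weekday() == wd))
    return sorted(hits)
```

For September 2022 this reproduces the page's cases: Thursday + First Week gives the 1st, Monday + First Week gives the 5th, and Sunday + Fifth Week gives the 25th.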
OS Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:
OS Reboot Delay can allow the user to postpone the reboot event outside the scheduled interval. The reboot delay postpone notifications are displayed even if the Agent notifications for the reboot functionality are disabled.
IMPORTANT
OS Updates is not designed to support the installation of Windows Updates that are approved via WSUS. Although an endpoint can be pointed to look for updates on a WSUS location, the HEIMDAL Agent is not able to discover the updates approved in WSUS and install them. The recommendation is to allow HEIMDAL's OS Updates to manage them by searching and installing them right from the Microsoft Update servers.
ENDPOINT DETECTION
Endpoint Detection is structured into 3 modules: Next-Gen Antivirus, Firewall Management, and Ransomware Encryption Protection. This Group Policy section is designed to manage the HEIMDAL Endpoint Detection components embedded in the HEIMDAL Agent.
NEXT-GEN ANTIVIRUS
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
General Settings
AutoScan USB Ports - turn on/off the automatic scan of any USB Removable Device (like flash drives, storage devices, HDDs) that is plugged into a computer. For Enterprise users, the option automatically launches a popup with the running Scan window;
USB Silent Mode Scan - do not display a Scan window on the end-user computer. This option works only for USB Removable Devices (it does not work with other plug-and-play devices like headphones, cameras, mice, or keyboards). This feature can be turned on only if AutoScan USB Ports is turned on. The endpoints will be scanned in real-time to catch both known and unknown threats. This feature will scan all actions performed on any file, such as read, write or execute, so that malicious activities can be detected immediately;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required in order to activate/deactivate this function. Enabling the Disable USB Ports will allow you to add a storage device to an allowlist (based on either Class or Hardware ID), thus, allowing it to run;
Agent Balloon Notifications - allow the HEIMDAL Agent to display a balloon notification on detected files;
Hide Windows Defender interface - allows you to hide the Windows Defender interface (within Windows Security Center). Hiding the interface will make it so that the Virus & Threat protection section in Windows Security Center gets hidden also.
While hidden, the Security providers section will display No providers in the Antivirus field.
Antivirus Settings
Isolate on Tamper Detection - isolates a computer from the Internet if the HEIMDAL Security services are tampered with. The Firewall product will be enabled if it is disabled;
Allow users to stop AV Service - allows the end-users to stop the Heimdal Antivirus service on the endpoint based on a password set by the IT Administrator. Once enabled, you can set the password and the Auto-Restart interval for the Antivirus service (between 2 and 60 minutes). Password must be greater than 6 characters, and the Pause interval is in the range of 2-60 minutes:
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Zero-Trust Execution Protection
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Privileges & App Control -> Privileged Access Management module and from the Privileges & App Control -> Application Control module). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - scans and logs all the processes with Zero-Trust Execution Protection to the HEIMDAL Dashboard without taking any action (allow or block);
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature is designed to check whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it will get automatically downloaded to the local agent database. It is recommended to keep the interval set to 120 min in order to update the database as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity: C:\Program Files\Common Files, C:\Program Files (x86)\Common Files, C:\Windows, C:\Windows\system32, C:\Windows\SysWOW64;
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical or external drives;
- Network Drive Scan - scans files on Mapped Network Drives, it detects the infection(s), but NO action will be performed because the Next-Gen Antivirus cannot remove something from a network location to place it in the local Quarantine folder. This scan type works with Mapped Network Drives but does NOT work with Network locations:
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent, allows the scan of any file by using the right-click context menu and then selecting Scan with HEIMDAL Next-Gen Antivirus & MDM which will open a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or during the month and the time interval when to run the selected Scan Type.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions that Next-Gen Antivirus & MDM will ignore after scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Priorities
Low (former Normal Exclusions) - scans the object first and excludes it after;
Medium (former Real-Time Exclusions) - excludes the object directly from the real-time driver and pre-scans it. Only use this when the Low priority doesn't work. It is recommended to use this priority for applications and external drives that are used regularly and for longer periods of time, to avoid having their files/folders blocked instantly by the Antivirus scanning.
High - excludes the object without performing any scan. This priority type allows up to 5 High priority exclusions. A toaster warning is displayed if a user tries to add more than five High priority exclusions.
Types
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi). We don’t recommend using filename exclusions as malware might have the same name as that of a file that you trust. Therefore, in order to avoid excluding potential malware from being scanned, use a fully qualified path to the file that you want to exclude. If you still want to use the filename exclusions, please be aware that due to the changes in the improved basic detection engine made in the 3.5.0 Release, files that have been excluded based on filename might not run from the first attempt. If this happens, please allow a few seconds to pass from the first try and then launch the file again (this slight delay is caused due to the fact that when the first execution attempt happens, the file could be detected and quarantined and, behind the scenes, we will remove it from quarantine and make it available for execution);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. C:\Users\Username\Desktop\test.exe, C:\test.exe);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. C:\Users\Username\Desktop, C:\Downloads);
Pattern - allows you to specify a pattern that should be excluded from scanning (e.g. C:\test\*.*, *.bat). This option does not work with System Variables.
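To make the difference between the four exclusion types concrete, here is an added example (not HEIMDAL's engine code) that decides whether a given file is covered by an exclusion list. The sample list, the first-match order and the case-insensitive path comparison are constructed for the example. It shows why the page recommends fully qualified paths: a Filename exclusion covers a file of that name in any directory, while a File Path exclusion covers exactly one file. The Pattern branch is plain wildcard matching, so it also handles the *\Folder\* style wildcard forms used elsewhere on this page.

```python
import fnmatch
import ntpath


def _norm(p):
    """Lower-case and backslash-normalise a Windows path (matching is case-insensitive)."""
    return ntpath.normcase(ntpath.normpath(p))


def is_excluded(path, exclusions):
    """Return the (type, value) of the first exclusion that covers `path`, or None.

    exclusions: list of (type, value) with type one of
      'Filename'  - matches the file's base name in any directory
      'File Path' - matches exactly one fully qualified file
      'Directory' - matches everything below the directory, sub-directories included
      'Pattern'   - wildcard glob (* and ?), e.g. C:\\test\\*.* or *.bat
    """
    target = _norm(path)
    for kind, value in exclusions:
        if kind == "Filename":
            if ntpath.basename(target) == _norm(value):
                return kind, value
        elif kind == "File Path":
            if target == _norm(value):
                return kind, value
        elif kind == "Directory":
            directory = _norm(value).rstrip("\\")
            # the separator check keeps C:\Desktop from covering C:\DesktopX
            if target == directory or target.startswith(directory + "\\"):
                return kind, value
        elif kind == "Pattern":
            if fnmatch.fnmatchcase(target, _norm(value)):
                return kind, value
        else:
            raise ValueError(f"unknown exclusion type: {kind}")
    return None


# Constructed sample list (hypothetical paths, not from the page's environment).
SAMPLE_EXCLUSIONS = [
    ("File Path", r"C:\Users\Username\Desktop\test.exe"),
    ("Directory", r"C:\Users\Username\Desktop\Tools"),
    ("Pattern", r"C:\test\*.*"),
    ("Filename", "setup.exe"),   # the broad form the page advises against
]
```

The Low/Medium/High priority does not change whether an object matches, only whether it is scanned before being excluded, so priority is not part of the match decision here.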
Profiles
The Profiles allow you to exclude known paths for specific server roles:
- Domain Controller
- Exchange Server
- File and Storage Server
- Microsoft SQL Server
- MySQL Server
- Print Server
- RDP Server
These profiles come with predefined exclusions for folders/files associated with the server.
This section allows you to import a CSV list of exclusions, but you can also download an existing exclusion list in CSV format.
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added to the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.
OS-specific settings
Real-Time Protection - the endpoints will be scanned in real-time to catch both known and unknown threats;
Real-Time Archive Scan - enables the scan of archives and their contents. After enabling this option you can also set the Maximum Recursion depth (scans the parent archive and the child archives included in the parent archive, up to the 10th level) and Maximum archive files (scans the selected number of files included in an archive, up to 100 files). Enabling this feature will impact the CPU performance as it requires more processing power;
False Positive Control - allows the Next-Gen Antivirus to identify exceptional false positives detections in real-time and prevent them from impacting the performance of antimalware scanning;
Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Real-Time Scan Network Files - enables the Next-Gen Antivirus to do a real-time scan each time a change is performed on your network drives;
Heuristic Settings - turn ON/OFF the detection of unknown viruses by analyzing affected code and scanning for virus-specific functions. Based on the selected Heuristic Detection Level (Low, Medium, High) the appropriate number of detection rules are activated, increasing or decreasing the aggressiveness level of detection (please be aware that a Heuristic Level High can increase the number of false positives and that for desktop environments Heuristic Level Low and Medium are recommended);
Scan Mode - allows you to select the way the real-time engine performs system scans:
- SMART - the real-time engine will scan all files based on the file type and file content by sophisticated algorithms. This option will speed up a system scan and provide the same level of protection;
- ALL - the real-time engine will scan all files (but it will take considerably more time to finish).
Default Scan Action on Infected - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting an infected file: Deny, Quarantine, Allow, or Delete. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy;
Default Scan Action on Suspicious - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting a suspicious file: Deny, Quarantine, or Allow. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy.
FIREWALL
This module allows you to control the Windows Firewall from the HEIMDAL Dashboard.
Firewall Management - turn ON/OFF the management of the Windows Firewall. Turning the Firewall Management ON will enable the Windows Firewall on the endpoints if it is disabled, but turning it OFF will not disable the Windows Firewall on the endpoints;
General Settings
Block RDP port on brute force detection - automatically blocks the default RDP Port (3389) on the endpoint where an audit breach is detected for both TCP and UDP. Once the RDP Port is blocked on an endpoint, you'll see a Blocked RDP icon in the Status column (in the Active Clients' view). To unblock the RDP Port, you have to select the endpoint in question and click on Unblock RDP Port from the dropdown menu;
RDP Port - this field allows you to change the default RDP Port (3389) to another port number (in case of another RDP Port usage);
Enforce manual added rules when computer is isolated - keep the manually added firewall rules in the Group Policy even when the computer is isolated;
Allow ICMP Echo Requests - creates a rule that allows PING requests inside your network;
Use automatic rules - allows you to select any of the profiles to enable/disable the Inbound/Outbound connections;
Allow isolation - allows you to isolate an endpoint in your network from the rest of the endpoints. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems. Once the option is enabled, the endpoint can be isolated from the Active Clients view, by selecting the endpoint you want to isolate and by pressing the Isolate button:
Isolate on Tamper Detection - allows you to automatically isolate an endpoint when the end-user is trying to stop/pause the HEIMDAL services (when the end-user is trying to break the Anti-Tamper Protection);
Isolation rules - allows you to add specific predefined rules in the Windows Firewall if the computer is isolated. The rules come as a group (more specifically as a profile that adds some rules for a certain application, e.g. TeamViewer, ISL Online). The rules will be deleted when the endpoint is unisolated. Please note the fact that any HEIMDAL process/application is allowed by default.
Firewall Rules - this option allows you to add/edit/remove Firewall rules in the Windows Defender Firewall. In order to create a Firewall Rule you need to follow the required conditions:
- Name - allows you to set the rule name (the name of the rule needs to be unique). Each rule will include a suffix (corresponding to the protocol type) in the rule name (e.g. Block SQL Server port-TCP or Block SQL Server Port-UDP);
- Application - specify the application path or * for any application;
- Remote IP - specify an IP Address or * for any IP Address;
- Port - specify the port value or * for any Port (values can be set only for TCP or UDP protocols);
- Direction - specify the direction of the flow (In, Out, Both directions);
- Protocol - specify the protocol type (TCP, UDP, or Any);
- Permission - specify whether to block or allow;
- Profile Types - specify on what profile the rule applies (Domain, Private, Public).
Additional Settings
- Local AD Computer Groups - allows you to apply the rule to the computer(s) that are part of the specified Local Active Directory Computer groups;
- Remote AD Computer Groups - allows you to apply the rule to any remote IP Address belonging to computers that are part of the specified AD Computer Groups (this setting will take into consideration the selected IP type: public/private/both);
- Local IP - allows you to apply the rule to a computer that uses the specified IP Address(es). Multiple IP Addresses can be specified, separating them by a comma;
- IP Type - allows you to select between Public, Private or Both.
Firewall Predefined Rules - allows you to enable/disable predefined rules based on a list of groups. These firewall groups are mapped in order to provide network connectivity for Windows programs and services and the user cannot alter them.
- Permission - specify whether to block or allow;
The Show details button allows you to see additional details regarding the predefined rules (that are not present in the grid).
Allowlist Brute Force IP - allows you to add an IP Address that is detected as Brute Force Attack and is considered a false positive;
RANSOMWARE ENCRYPTION PROTECTION
The Ransomware Encryption Protection module detects processes that perform encryption operations on files on the endpoint with malicious intent. The module processes kernel events for IO reads, writes, directory enumeration, and file execution. Patterns learned from the behavior of actual ransomware are matched against the collected events. The engine allows 3 files to be encrypted before it gives the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal servers.
Ransomware Encryption Protection - turn ON/OFF the Ransomware Encryption Protection module;
General Settings
Reporting mode - enabling it will report the processes detected by Ransomware Encryption Protection without blocking them;
Agent Balloon Notifications - allows you to turn ON/OFF the Agent balloon notifications when encryption is detected;
Isolate on Tamper Detection - allows you to turn ON/OFF the isolation feature when a Tamper Detection is being made. When enabled, it will ensure the Firewall product/service is enabled and that the endpoint where this behavior is being observed will be isolated from the network (thus, preventing lateral movement). For the functionality to work, you need to have the Next-Gen Antivirus & MDM and Firewall products/services licensed, and, even if the Firewall product is disabled, we will automatically activate it (otherwise the corresponding tick box will be grayed out/non-functional);
Exclusions - allows you to exclude a filename, file path, directory path, MD5, or wildcard (*\MyFolder\*, *\MyFolder\*.exe, D:\*\MyFolder\*, D:\*\MyFolder\*.exe, *\Folder\app.exe, C:\Folder\*, C:\Folder\*\folder2\app.exe) from being blocked by the REP module. The Exclusions section has a Download button that will download a CSV Report with the exclusions list.
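As an added illustration of the threshold behaviour described for this module (not the module's own code, and not its real detection patterns): a per-process counter that issues the verdict on the write that brings a process to its third encrypted file. The events, paths and PIDs are constructed, and the byte-entropy test that stands in for the engine's pattern matching is an assumption made for the example.

```python
import hashlib
import math
from collections import defaultdict

FILES_ENCRYPTED_BEFORE_VERDICT = 3   # from the page: 3 files may get encrypted before the verdict

# Constructed sample content: deterministic pseudo-random bytes stand in for
# ciphertext, a repeated sentence stands in for an ordinary document.
HIGH_ENTROPY = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TEXT = b"Minutes of the planning meeting, item 1: budget review. " * 64


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encrypted(event, threshold=7.0):
    """Assumption standing in for the engine's undisclosed patterns: a write whose
    new content is near-maximum entropy is treated as an encryption-like write."""
    return event["op"] == "write" and shannon_entropy(event["data"]) >= threshold


class EncryptionWatch:
    """Per-process counter. The verdict 'suspicious' is issued on the write that
    brings a process to FILES_ENCRYPTED_BEFORE_VERDICT distinct encrypted files."""

    def __init__(self, limit=FILES_ENCRYPTED_BEFORE_VERDICT):
        self.limit = limit
        self.encrypted = defaultdict(set)   # pid -> paths overwritten with high-entropy data
        self.flagged = {}                   # pid -> path of the write that triggered the verdict

    def observe(self, event):
        """Feed one kernel IO event; returns the pid when a verdict is issued, else None."""
        pid = event["pid"]
        if pid in self.flagged or not looks_encrypted(event):
            return None
        self.encrypted[pid].add(event["path"])
        if len(self.encrypted[pid]) >= self.limit:
            self.flagged[pid] = event["path"]
            return pid
        return None


# Constructed event stream: pid 1001 edits a text file, pid 2002 writes one
# archive, pid 4242 overwrites four documents with high-entropy content.
SAMPLE_EVENTS = [
    {"pid": 1001, "op": "write", "path": r"C:\Users\Alice\Documents\notes.txt", "data": TEXT},
    {"pid": 4242, "op": "read",  "path": r"C:\Users\Alice\Documents\q1.xlsx", "data": b""},
    {"pid": 4242, "op": "write", "path": r"C:\Users\Alice\Documents\q1.xlsx", "data": HIGH_ENTROPY},
    {"pid": 2002, "op": "write", "path": r"C:\Users\Alice\Downloads\photos.zip", "data": HIGH_ENTROPY},
    {"pid": 4242, "op": "write", "path": r"C:\Users\Alice\Documents\q2.xlsx", "data": HIGH_ENTROPY},
    {"pid": 1001, "op": "write", "path": r"C:\Users\Alice\Documents\notes.txt", "data": TEXT},
    {"pid": 4242, "op": "write", "path": r"C:\Users\Alice\Documents\q3.xlsx", "data": HIGH_ENTROPY},
    {"pid": 4242, "op": "write", "path": r"C:\Users\Alice\Documents\q4.xlsx", "data": HIGH_ENTROPY},
]


def run_sample(events=SAMPLE_EVENTS):
    """Replay the events and return {pid: triggering path} for every flagged process."""
    watch = EncryptionWatch()
    for event in events:
        watch.observe(event)
    return dict(watch.flagged)
```

The single high-entropy write by pid 2002 (a legitimate archive) never reaches the threshold, which is the point of allowing a few files before the verdict; in Reporting mode the flagged pid would only be reported, otherwise the process would be blocked.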
PRIVILEGES & APP CONTROL
Privileges & App Control allows you to control user permissions in your organization and enables you to manage elevations and special permissions for applications that are used on each endpoint. Privileges & App Control is structured into 2 modules: Privileged Access Management and Application Control.
PRIVILEGED ACCESS MANAGEMENT
The Privileged Access Management module will allow you to give users the ability to install software they need for a period of time you select using the Administrator Session or the Run with Privileged Access Management option for single file elevation. Rights granted can be revoked at any time and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over his machine by sending a request to the Heimdal Dashboard System Administrator who can deny or accept his request.
Privileged Access Management - turn ON/OFF the Privileged Access Management module;
Deny elevation of system files - allows you to deny elevation of system files (e.g. cmd.exe, powershell.exe, services.msc);
Forbid elevation if CVSS >= 7 - denies elevation requests made from endpoints where a 3rd Party Application (managed by the HEIMDAL Agent through the 3rd Party Patch Management) is detected as vulnerable (with a CVSS score of 7 or higher) if the elevation approval mode is set to Auto-mode. This applies to endpoints where 3rd Party Patch Management is enabled;
User token elevation - installs a kernel mini-driver that allows the user to elevate a file under the User context (Run with Admin Privilege under the User context, instead of the System context);
De-elevate and block elevation for users with risk of infections - automatically removes the Administrator privileges and blocks elevation requests for a user if there were any malware detections found on the endpoint by the Heimdal Agent's Next-Gen Antivirus (statuses: None, QuarantinePending, ExcludePending, RepairPending, DeletePending, ErrorRepair, ErrorDelete, ErrorQuarantine) or VectorN detections in the past 7 days;
Enable PAM Compliance data retrieval - allows the HEIMDAL Agent to retrieve information about the administrators found on the endpoints where the HEIMDAL Agent is installed;
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with AdminPrivilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation:
Prevent spawning other processes - any process that is spawned by an application started with the Run with AdminPrivilege will be terminated;
Auto-mode - all single-file elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all single-file elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Local token elevation - requires the requesting user to enter a local token (no matter if the endpoint is online or offline) provided by the HEIMDAL Dashboard Administrator (a local token can be generated by the HEIMDAL Dashboard Administrator from each client specifics in the Privileges & App Control tab -> Privileged Access Management);
Approval via Dashboard when online - the elevation request is approved via the HEIMDAL Dashboard only (if the endpoint is online), without requiring a local token. If the endpoint is offline, the elevation request can be approved via the local token provided by the HEIMDAL Dashboard Administrator;
Administrator Session
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Elevation although the user has Administrator rights;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation:
Automatically close all processes started during an elevation when the session ends - all processes that were started during an Administrator session will be terminated once the elevation session ends;
Allow user to end elevation - allows the elevated user to stop/revoke the Administrator session;
Auto-mode - all Administrator Session elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all Administrator Session elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Local token elevation - requires the requesting user to enter a local token (no matter if the endpoint is online or offline) provided by the HEIMDAL Dashboard Administrator (a local token can be generated by the HEIMDAL Dashboard Administrator from each client specifics in the Privileges & App Control tab -> Privileged Access Management);
Approval via Dashboard when online - the elevation request is approved via the HEIMDAL Dashboard only (if the endpoint is online), without requiring a local token. If the endpoint is offline, the elevation request can be approved via the local token provided by the HEIMDAL Dashboard Administrator;
Azure login - allows the member of an Azure AD group (the group can be specified in the Azure Group Name field that is displayed after enabling the option) to log in with the Azure AD credentials to be able to request elevation on an endpoint. This feature is meant for Administrators who remote into the endpoints of standard users to get elevated with their own credentials. In Azure, you will need to allow the Heimdal Security PAM Sign-in action so that the function will allow you to sign in. This functionality is supported in hybrid environments. Azure AD-only environments are NOT supported;
Do not allow Run with AP when session elevated - prevents the user from running with Admin Privileges while the system is already running an Administrator session;
SESSION LENGTH (2-120 MIN) - allows you to set the interval for a single-file elevation or a full administrator session;
Group Settings
Allow only a specific user to request elevation rights - allows only a specific user to initiate elevation requests from a specific workstation. Their name has to be the same as, or included in, the hostname of the workstation from which the elevation is requested, and the username must be separated from the rest of the workstation name by the '-' character (e.g. MyLaptop-Username1 or Username1-MyLaptop);
Map users to group - allows you to specify a single local group name to allow the users that are members of the local group to request elevations (this field is case sensitive). The group must be present locally in the Local Users and Groups and only the members of that group will be allowed to request elevation;
Additional Settings
Accepted requests availability time - allows you to specify the time interval until an approved elevation can be started. If the approved elevation session is not started in the specified timeframe, it will be automatically revoked after 24 hours. When this feature is turned OFF, the approved elevation session is revoked after 24 hours if it is not started by the user that requested it;
Time to live (1-24 hours) - allows you to set the time interval for the above-mentioned option;
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can also be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Application Control module). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - scans and logs the applications with Zero-Trust Execution Protection without taking any action (allow or block);
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
Revoke existing local admin rights - allows you to downgrade the Administrator users (both Local and Domain users) to Standard users. Basically, the HEIMDAL Agent takes a snapshot of the local Administrators' Group on each endpoint and removes all the members (except the default Administrator user) from that group, thus downgrading them to Standard permissions. Once enabled, the users that are logged in will preserve the Administrator permissions until the first logoff/reboot. On domain-joined computers, the downgrading of the members of the local Administrators' Group will be performed only if the endpoint is communicating with the domain (domain controller). If the computer is not able to communicate with the domain (domain controller), the members of the local Administrators' Group will NOT be removed from the group. The members of the local Administrators group are cached on service start (preserved users are not cached because they will not be removed) in our local storage. The members of the local Administrators Group are added back on service stop or when the Revoke existing local admin rights feature is disabled;
Preserved Users - allows you to preserve the Administrator permissions of the specified users/domain groups on a specific computer/group of computers (or all computers). If the user/domain group is preserved, the HEIMDAL Agent will not remove it from the local Administrators Group. Preserving a hostname without specifying a username (or a domain group) means that all users on that endpoint will remain members of the local Administrators Group. Preserving a username (or a domain group) without specifying the hostname means that all users with this username will remain members of the local Administrators group on all the computers that are applying this Group Policy. The Username field allows you to select from the local Administrators that are detected on the endpoints. If the username that you are looking for is not among the ones present in the dropdown selector, you can manually type the username you want to preserve;
Enforce token refresh - this option works only if the above-mentioned option (Revoke existing local admin rights) is enabled. It forces a log off of the user that is logged in (if they are part of the local Administrators group) in order to revoke their membership of the local Administrators group. A popup appears in the right-side corner of the screen to inform the user that they will be automatically logged off in 5 minutes, in order to completely remove their Administrator privileges. The popup has a button that allows the user to log off right away;
Disable interactive logon - allows you to disable interactive logon, forcing the users that are logging in to enter both the username and the password. Enabling/disabling this option will modify the following registry value: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\dontdisplaylastusername.
When Interactive Logon is disabled, we read the current value of that registry value and override it with 1. The previous value is saved in our repository in the Windows Registry, under the key CachedDontDisplayLastUsername. When Interactive logon is re-enabled, we update the dontdisplaylastusername value with the one we cached and then delete our cached value. This improvement was made because we used to set dontdisplaylastusername to 0 by default if Revoke existing local admin rights was disabled (which it was, by default), even though some of our users needed to set that value to 1.
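As an added example (not the HEIMDAL Agent's own code), the cache-and-restore behaviour described above can be modelled in PowerShell. The cache location under ExampleVendor is a placeholder, since the page does not give the agent's repository path; the example also handles the case where the value did not exist before, so re-enabling removes it instead of writing a 0.

```powershell
# Added example, not HEIMDAL code: cache the administrator's existing
# DontDisplayLastUserName setting, force the hardened value 1, and restore
# the cached setting on re-enable (never a hard-coded 0).
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$CacheKey  = 'HKLM:\SOFTWARE\ExampleVendor\Cache'   # placeholder path, assumption
$ValueName = 'DontDisplayLastUserName'
$CacheName = 'CachedDontDisplayLastUsername'

function Get-RegistryValueOrNull ($Path, $Name) {
    # Returns $null when the value (or key) does not exist instead of throwing.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Disable-InteractiveLogonUsername {
    # Remember what was configured before overriding it with 1.
    $current = Get-RegistryValueOrNull $PolicyKey $ValueName
    if (-not (Test-Path $CacheKey)) { New-Item -Path $CacheKey -Force | Out-Null }
    # Store the cache as a string so that "absent" can be represented unambiguously.
    $toCache = if ($null -eq $current) { 'absent' } else { [string][int]$current }
    Set-ItemProperty -Path $CacheKey -Name $CacheName -Value $toCache -Type String
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
}

function Enable-InteractiveLogonUsername {
    $cached = Get-RegistryValueOrNull $CacheKey $CacheName
    if ($null -eq $cached) { return }   # nothing cached: leave the policy untouched
    if ($cached -eq 'absent') {
        # The value did not exist before we touched it, so remove it again.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value ([int]$cached) -Type DWord
    }
    Remove-ItemProperty -Path $CacheKey -Name $CacheName
}
```

Both functions need an elevated session, since they write under HKLM.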
APPLICATION CONTROL
The Application Control module allows you to control how processes (and applications) are executed on endpoints inside your organization. You can define a set of rules that describe which processes are allowed or blocked on your machines (in your environment) using details like Software Name, Paths, Publisher, MD5, Signature, or Wildcard Paths. Application Control can also control how a matched process runs (it can get automatic elevation from the HEIMDAL Privileged Access Management module, if so configured) and how its child processes run (it can allow or block all processes spawned by the process defined by the rule).
Application Control - turn ON/OFF the Application Control module;
Privileged Access Management to bypass the ruleset - allows the Privileged Access Management module to bypass any defined rules during the elevation session;
General Settings
Full Logging Mode - allows the HEIMDAL Agent to intercept any process(es) running on the endpoints that are applying this Group Policy;
User token elevation - installs a kernel mini-driver that allows the user to elevate a file under the User context (Run with Admin Privilege under the User context, instead of the System context);
Internal port for AppControl - allows you to edit the internal port used by the Application Control module. 8001 is the default port number used by Application Control;
App. Control driver interception - installs and uses the Application Control kernel mini-filter driver that enhances the speed of the HEIMDAL Agent when intercepting and blocking a process;
Ruleset Mode - allows you to turn on/off the ruleset or to report the processes matched by the defined rules and to take action on them;
- Disable - disables the rules set in the ruleset;
- Enable - enables the rules set in the ruleset;
- Reporting only - intercepts and reports (in the Application Control view) the processes matched by the rules in the ruleset;
Default file action - this dropdown allows you to select the default action that will be performed (allow or block) if the processes that are executed are not matching any rules set in the Ruleset. System Files will be allowed to run unless they are matched on the Ruleset list;
If the Ruleset Mode is set to Enable and the Default file action is set to Block, the Apply default action to script tickbox becomes available to be enabled or not. This means that you can allow the script extensions selected in the dropdown field to run regardless of the Default file action.
Application Control Rules
You can add a rule to match a process based on several conditions:
- Priority - the higher the priority value, the higher the priority is;
- Subject - depending on the rule type, you can specify a Software name (Microsoft Edge), Path (C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe), MD5 (eaa5674047232d4a08e3f5a80ae41847), Publisher (Microsoft Corporation), Signature (c774204049d25d30af9ac2f116b3c1fb88ee00a4), Wildcard path (%SystemRoot%, %SystemDrive%, %SystemDirectory%, %ProgramFiles%, %ProgramFiles(x86)%, %ProgramData%, %AppData%, %TEMP%, %SystemDrive%\Test\*\download.exe, C:\test\*\download.exe, C:\test\*), Command Line (C:\Documents\test.pdf, *.pdf, C:\*\My Folder\*.pdf), Certificate subject (CN=Google*C=US*) - the rule will match the first part of the process certificate subject up to the first *;
- Friendly name - a friendly name that can be used to search between rules;
- Allow Auto Elevation - specify whether the matched process will run under Administrator elevation or not. For Rule Types other than Path/Wildcard Path, you need to enable App. Control driver interception in order for the Auto Elevation functionality to work;
- Spawns - specify whether the matched process will allow the spawns of other child processes or not;
- Rule type - define the rule by Software Name, Path, MD5, Publisher, Signature, Wildcard path, Command Line Arguments, Certificate subject;
- Action Type - allows you to select between Allow and Block;
- Action - allows you to allow or block the defined process;
In the Ruleset table, you can enable Allow auto elevation for the selected rule to allow the matched process to run with Administrator permissions (requires the Application Control driver to be enabled; otherwise, Allow auto elevation will be available only for Path and Wildcard path-type rules). The Spawns tickbox allows the process to spawn other processes. The Deny file permissions tickbox will deny user permissions (Full Control, Read, Write, etc.) when the user tries to access a file matching a rule that is set to Block. You also have the possibility of searching through the rules and using the Download button to download a .csv file with all the rules in the Ruleset.
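As an added example that is not HEIMDAL's code, the following PowerShell models how a priority-ordered ruleset with a Default file action of Block could be evaluated against a process, using the rule types and sample subjects listed above: %VAR% tokens are expanded before wildcard matching, the Certificate subject is compared only up to the first *, and the highest Priority value is checked first. The process attributes and the two placeholder MD5 values are constructed.

```powershell
# Added example, not HEIMDAL code: a simplified ruleset evaluator.
$DefaultFileAction = 'Block'   # applies when no rule matches
$Rules = @(
    @{ Priority = 100; RuleType = 'Path';         Subject = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; Action = 'Allow' }
    @{ Priority = 90;  RuleType = 'WildcardPath'; Subject = '%SystemDrive%\Test\*\download.exe';                          Action = 'Block' }
    @{ Priority = 80;  RuleType = 'Publisher';    Subject = 'Microsoft Corporation';                                        Action = 'Allow' }
    @{ Priority = 70;  RuleType = 'CertSubject';  Subject = 'CN=Google*C=US*';                                              Action = 'Allow' }
    @{ Priority = 60;  RuleType = 'MD5';          Subject = 'eaa5674047232d4a08e3f5a80ae41847';                             Action = 'Allow' }
)

function Test-RuleMatch ($Rule, $Process) {
    switch ($Rule.RuleType) {
        'Path'         { return $Process.Path -ieq $Rule.Subject }
        'WildcardPath' {
            # %VAR% tokens are expanded on the endpoint, then matched as a wildcard pattern
            $pattern = [Environment]::ExpandEnvironmentVariables($Rule.Subject)
            return $Process.Path -ilike $pattern
        }
        'Publisher'    { return $Process.Publisher -ieq $Rule.Subject }
        'MD5'          { return $Process.MD5 -ieq $Rule.Subject }
        'CertSubject'  {
            # only the text before the first '*' is compared, as a prefix of the certificate subject
            $prefix = ($Rule.Subject -split '\*', 2)[0]
            return ([string]$Process.CertSubject).StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)
        }
        default        { return $false }
    }
}

function Resolve-ProcessAction ($Process) {
    # Higher Priority value wins; the first matching rule decides, otherwise the default applies.
    foreach ($rule in ($Rules | Sort-Object { $_.Priority } -Descending)) {
        if (Test-RuleMatch $rule $Process) {
            return [pscustomobject]@{ Action = $rule.Action; MatchedBy = "$($rule.RuleType): $($rule.Subject)" }
        }
    }
    [pscustomobject]@{ Action = $DefaultFileAction; MatchedBy = 'Default file action' }
}

# Constructed sample processes (MD5 values and subjects are illustrative, not real measurements)
$samples = @(
    @{ Path = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; Publisher = 'Microsoft Corporation'; MD5 = '00000000000000000000000000000000'; CertSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, C=US' }
    @{ Path = 'C:\Test\build42\download.exe';                                 Publisher = 'Unknown';               MD5 = '11111111111111111111111111111111'; CertSubject = '' }
    @{ Path = 'C:\Users\alice\AppData\Local\Temp\tool.exe';                   Publisher = 'Example Co';            MD5 = '22222222222222222222222222222222'; CertSubject = 'CN=Example Co, O=Example Co, C=GB' }
)
foreach ($p in $samples) { Resolve-ProcessAction $p | Format-Table -AutoSize }
```

On a Windows endpoint the three samples resolve to Allow (Path rule), Block (Wildcard path rule after %SystemDrive% expands to C:) and Block (Default file action).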
Due to possible performance issues, we recommend you keep the number of rules as low as you can (at least when it comes to MD5-type rules). This scenario is also impacted by the size of the files that are matched by rules. The performance issue is not caused by the HEIMDAL Agent itself, but by the fact that the MD5 needs to be computed every time the process is launched (especially with big executable files).
Zero-Trust Execution Protection - enables the protection against zero-hour threats compromising your environment (it can be enabled/disabled from the Endpoint Detection -> Next-Gen Antivirus module and from the Privileges & App Control -> Privileged Access Management module as well). Zero-Trust Execution Protection checks the unsigned executable files and blocks their execution if deemed untrusted;
Reporting mode - allows the scanning and logging of applications by Zero-Trust Execution Protection without taking any action (allow or block);
Exclusions - the exclusion area allows you to exclude a process from the Zero-Trust Execution Protection by File Name, File Path, Directory, or MD5;
EMAIL PROTECTION
Email Fraud Prevention scans and prevents email fraud by intercepting Inbound and Outbound communications, comparing them with pre-registered signatures, and detecting whether changes have been made or not. This helps flag BEC (Business Email Compromise) attacks before they have a chance of convincing you to hand over sensitive information.
Email Fraud Prevention - turn ON/OFF the Email Fraud Prevention module;
General Settings
Agent Balloon Notifications - displays a pop-up notification each time a file is moved inside/outside the Email Fraud Prevention folder;
- display the pop-up notifications until they are closed;
- disable/enable the Outlook suspicious activity warnings;
REMOTE DESKTOP
By enabling the Remote Desktop, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
Remote Desktop - turn ON/OFF the Remote Desktop and allow Supporters from your organization to connect remotely to other computers;
Unattended Remote Desktop session - allows the Supporter to automatically connect remotely to any endpoint in your organization without needing the end user's approval. When connecting to an attended remote session, the end-user will get a pop-up to Accept or Reject the incoming connection;
Automatically record Remote Desktop sessions - allows the remote computer (applying this Group Policy) to record the remote session and makes it available to be downloaded from the HEIMDAL Dashboard.
The Supporters section allows you to see a list of all devices & usernames that are assigned the Supporter role and are therefore able to perform an unattended remote session on the computers applying the specified Group Policy/Group Policies. The bin button allows you to remove any Supporter from the Supporter list.
Copy changes to other policies
Pressing the Update GP button displays a pop-up message that allows you to save the changes to the current Group Policy, specific Group Policies or all Group Policies.
Current Group Policy - saves the changes to the current Group Policy;
Specific Group Policies - allows you to select the Group Policies to which the new settings should be applied;
All Group Policies - allows you to apply the new settings to all of the Group Policies.
Corner cases
- Schedulers - changing an existing scheduler in the Group Policy and copying the changes to another Group Policy or multiple Group Policies will not work if the module is disabled (if the change doesn't also enable the module).
Example: GP1 has the 3rd Party Software enabled and you change the time interval in the Patching Scheduler. In this case, copying the new Patching Scheduler settings to GP2 will not be possible if 3rd Party Software is disabled in GP2;
- Schedulers - changing an existing scheduler and copying the changes to another Group Policy or multiple Group Policies that don't use a scheduler will not work/apply;
- Regular lists - copying the Domains Allowlist / Domains Blocklist to a Group Policy that does not have Domains Allowlist / Domains Blocklist enabled will not enable the options but the lists are copied and they become available once the Domains Allowlist / Domains Blocklist are enabled;
- Custom Block Page - changing the custom block page file/filename will not be copied to the Group Policy or Group Policies you are copying to if the Custom Block Page option is not enabled there;
- Patch & Assets -> 3rd Party Software - copying changes for regular 3rd Party Applications works; however, the changes that affect 3rd Party Applications that are added to Infinity Management are NOT copied if the Infinity Management option is disabled (and it does not enable Infinity Management);
- Pre-determined Category lists - copying a Category List to a Group Policy where the feature is disabled will not enable the feature but it will carry the copied Category List and the user can see it by enabling the feature;
- Remote Desktop Supporters - the list of supporters cannot be copied from one Group Policy to another as this data is handled from the Products -> Remote Desktop -> Remote Desktop view.