This article sets the guidelines for navigating the Group Policy interface.
The article will be structured into 5 segments, which illustrate and explain each feature:
- Heimdal™ Threat Prevention - Endpoint
- Heimdal™ Next-Gen Antivirus & MDM
- Heimdal™ Privileged Access Management
- Heimdal™ Email Security
In this section, the user can add this GP to a specific AD Global Security Group.
The AD Computer Group is the AD Global Security Group where all the machines are. This way, whenever a machine in that group comes online, the policy will be applied to it.
The AD User Group is the AD Global Security Group where all the users are. This way, whenever that user logs onto a computer, the policy begins to be applied.
External IPs - this feature allows you to assign a group policy based on an External IP and more. If you decide to add more than one, you need to separate them with commas.
The priority for GP will be the following:
- Specific GP
- External IP
- Computer Groups
- User Groups
- All (by the priority set in GP list)
Policy check interval and Licensing check interval - These options also check whether the policy is applied correctly on the machines. They are designed to push the policy to all the computers at a set interval of time. This way, the policy is also applied to machines that were offline when a change was made in the dashboard.
The default time for the Policy check interval is 180 min, but it can be decreased up to 15 min or increased to a maximum of 1440 min.
CPU Threshold and Memory Threshold allow you to increase the value at which Thor will send an alert in the Active Client like the ones below:
"The memory is running at 65 %"
"The CPU is running at 55 %"
The minimum and the default setting is 50% for CPU and 60% for the Memory.
Enable proxy settings – This feature is designed to install Thor Enterprise if the user uses a specific proxy server by adding the needed information in the fields displayed. For more information on how to set it up please read here: How Do I Install Thor Enterprise If I'm Behind A Proxy Server?.
Include in Release Candidate Program - Once enabled, this feature updates the current version of Thor Enterprise to the BETA (Release Candidate) version. This will happen only on the machines that are using the Group Policy where this option was checked.
Do not show GUI - This feature is designed to offer the possibility to deploy Thor Enterprise without GUI (Graphical User Interface) or to deploy the Beta version/RC of Thor Enterprise.
Note: We recommend everyone running Heimdal™ Threat Prevention - Endpoint on Terminal Servers or Citrix servers to make sure that "Do not show GUI" is checked before the entire policy (Heimdal™ Threat Prevention - Endpoint Enterprise installation included) is set to be deployed.
Skip prompting the client when requesting logs - this option, if disabled, will display a pop-up on the end-user machine each time the Administrator of the account tries to collect the HeimdalLogs from the machine. The user needs to confirm that he allows the Administrator to collect the Logs. If enabled, the Administrator can collect the Logs without the confirmation of the user.
*The Heimdal Support Team also has access to this feature. If the option is enabled the Heimdal Support team can collect the info without the confirmation of the user.
Only merge with AD groups specific policies - this option will be available only if Inheritance mode is ON. If Inheritance mode is OFF, then this option will be grayed out.
If this option is enabled, you will be able to apply multiple Group Policies to machines that are part of different AD groups.
Use Priority update servers - Check this box to prioritize 3rd party application deployment over an active Internet connection. If this option is enabled, any computer marked as "Server" will henceforth fulfill the role of a Priority Update Server, overriding the default update server. Any downloaded applications, software, and updates can be deployed from the Update Server.
You can set a machine as a Priority Update Server from the Active Client view. Search for the machine that you would like to set as a Priority Update Server, select it and click the "Priority Update Server" button.
Keep cached files indefinitely - If this option is enabled, the cached files are stored indefinitely on the Priority Update Server, until they are manually deleted. If you disable the option, the disk will not be cleared.
Enforce uninstall password – This feature allows you to set up a password that will be required when uninstalling Thor Enterprise from one of the machines related to this Group Policy.
Synchronize with time server – This feature will run two silent commands that will keep the time on the server up to date. These commands will run in the background every time Thor Enterprise Scans the machine. The commands are:
net time /set /y
In order for all the changes made to take effect, remember to click on the Update button on the bottom left side.
Communication between Backend and Agent
The communication between Backend and Agent concerning server messages (event viewer/heimdal logs/file requests, antivirus scans, RDP port unblock, retarget license) and group policy updates can now be done in under a minute.
This is achieved by posting the message initially to an Azure function, specifying all the clients that the message is intended for; that function then forwards the message to the queues corresponding to those clients. Each client has an Azure storage queue that is created on the first message intended for that client. The queue name is the client info id prefixed with "mq-".
For server messages, only one client is notified. For group policy updates, all the clients associated with that customer, are notified in order to retrieve the updated group policy. When selecting a specific group policy for an active client, only that client will be notified to retrieve the new group policy.
In order to connect to the queue, the agent needs the queue URL, which includes a SAS. This connection string is retrieved when the Client Host service starts. If the retrieval process fails, the service will retry every 5 minutes until it gets the queue URL. After the URL is successfully obtained, the agent connects to the queue every minute and checks whether there are new messages.
This communication currently supports only 2 topics: ServerMessages and GroupPolicy. In code these have values of 100 and 200 respectively. If viewing the messages in the queue from the azure portal, these values will be shown inside the message.
On the Dashboard -> Settings -> Click on a policy -> General tab, a new checkbox has been added, "Enable realtime communication", which is unchecked by default. If checked, it enables the rapid communication between backend and agent when the agent fetches the group policy. When unchecked, it disables the rapid communication (if enabled) in under a minute, because the agent will receive a message on the queue with a GroupPolicy topic.
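As an added illustration (not Heimdal's code), the following Python model reproduces the fan-out and the agent polling described above: per-client queues named "mq-" plus the client info id, topic values 100 and 200, the 5-minute retry for the SAS queue URL and the 1-minute poll once connected. The message JSON shape, the class and function names and the placeholder queue URL are assumptions.

```python
import json
from typing import Dict, List, Optional

TOPIC_SERVER_MESSAGES = 100   # event viewer / logs / file requests, AV scans, ...
TOPIC_GROUP_POLICY = 200      # "fetch the updated group policy"


def queue_name(client_info_id: str) -> str:
    """Per-client storage queue: the client info id prefixed with 'mq-'."""
    return f"mq-{client_info_id}"


class Backend:
    """Stands in for the Azure function that fans one message out to the
    queues of all clients it is intended for."""

    def __init__(self) -> None:
        self.queues: Dict[str, List[str]] = {}   # queue name -> pending messages

    def post(self, topic: int, client_ids: List[str], payload: dict) -> List[str]:
        body = json.dumps({"topic": topic, "payload": payload})  # assumed JSON shape
        targets = []
        for cid in client_ids:
            name = queue_name(cid)
            # The queue is created on the first message intended for that client.
            self.queues.setdefault(name, []).append(body)
            targets.append(name)
        return targets

    def group_policy_updated(self, customer_clients: List[str],
                             specific_client: Optional[str] = None) -> List[str]:
        """GP update: every client of the customer, unless the policy was set
        for one specific active client, in which case only that client."""
        targets = [specific_client] if specific_client else customer_clients
        return self.post(TOPIC_GROUP_POLICY, targets, {})

    def server_message(self, client_id: str, request: str) -> List[str]:
        """Server messages are addressed to exactly one client."""
        return self.post(TOPIC_SERVER_MESSAGES, [client_id], {"request": request})


class Agent:
    SAS_RETRY_MINUTES = 5   # retry queue URL (with SAS) retrieval every 5 minutes
    POLL_MINUTES = 1        # once connected, check the queue every minute

    def __init__(self, client_id: str, backend: Backend, url_failures: int) -> None:
        self.client_id = client_id
        self.backend = backend
        self.url_failures = url_failures   # simulated failed retrievals before success
        self.queue_url: Optional[str] = None
        self.connected_at: Optional[int] = None
        self.handled: List[int] = []       # topics processed, in order

    def fetch_queue_url(self) -> Optional[str]:
        """Simulated Client Host start-up call that returns the SAS queue URL."""
        if self.url_failures > 0:
            self.url_failures -= 1
            return None
        # Placeholder URL: storage account and SAS token are not in the article.
        return (f"https://<storage-account>.queue.core.windows.net/"
                f"{queue_name(self.client_id)}?<sas-token>")

    def tick(self, minute: int) -> None:
        """One minute of agent life."""
        if self.queue_url is None:
            if minute % self.SAS_RETRY_MINUTES == 0:
                self.queue_url = self.fetch_queue_url()
                if self.queue_url:
                    self.connected_at = minute
            return
        if minute % self.POLL_MINUTES == 0:
            pending = self.backend.queues.get(queue_name(self.client_id), [])
            while pending:
                msg = json.loads(pending.pop(0))
                self.handled.append(msg["topic"])


def simulate():
    """Constructed scenario: three clients of one customer; the agent for c2
    needs two retries before it obtains its queue URL."""
    backend = Backend()
    clients = ["c1", "c2", "c3"]
    agent = Agent("c2", backend, url_failures=2)
    backend.group_policy_updated(clients)                        # 200 -> c1, c2, c3
    backend.server_message("c2", "collect-heimdal-logs")         # 100 -> c2 only
    backend.group_policy_updated(clients, specific_client="c1")  # 200 -> c1 only
    for minute in range(16):
        agent.tick(minute)
    return backend, agent
```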
Heimdal™ Threat Prevention - Endpoint
This section is structured into 3 modules:
- DarkLayer Guard
- VectorN Detection
- Vulnerability Mgmt
This section of the Group Policy is designed to administrate the Heimdal™ Threat Prevention - Endpoint engine embedded in Thor Enterprise.
By enabling the DarkLayer Guard, Heimdal™ Patch & Asset Management will add the DNS 127.7.7.x to the network adapter’s IPv4. This is basically the network filter that will protect the computer from getting infected.
1. Enable High Compatibility Mode – This option is enabled by default for all accounts. It introduces a 15 ms delay in applying the DarkLayer Guard filter over the network card (NIC) that currently has internet access, in order to allow all relevant Microsoft Windows OS services to start up normally. The services that are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drive authentication, etc. This option enhances functionality in large corporate environments, but it can be disabled if desired.
2. Enable VectorN detection lockdown - this option is recommended only if you also have High Compatibility Mode enabled. If enabled, this option overrides the High Compatibility Mode option and 127.7.7.x will never be removed from the NIC. It was introduced for users that have High Compatibility Mode enabled, so that when Heimdal™ Patch & Asset Management detects a malware pattern on the machine it locks down every gate for that malware, including at reboot or shutdown, when the user would otherwise be exposed with the High Compatibility Mode option on.
3. Cisco Anyconnect IPv6 compatibility mode - Enabling this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect IPv6 filtering.
4. DoH Compatibility Mode - If this option is enabled, Thor prevents your active browser from using DNS over HTTPS, which would otherwise replace the more comprehensive DNS traffic filtering provided by Heimdal™ Patch & Asset Management.
We strongly encourage you to enable this option.
Read more about it here: https://heimdalsecurity.com/blog/dns-over-https-doh-best-practices/
5. Force DHCP DNS usage - If enabled, this feature will make sure you will always have the NIC Card set to automatic DNS in case Heimdal™ Patch & Asset Management fails to add 127.7.7.x on the NIC Card. This option is recommended to be enabled if:
a. You are using VPN connections in your organization
b. Nobody from your organization uses Static IP.
(We recommend you to contact Support at firstname.lastname@example.org before enabling this option)
6. Force NCSI fix - if enabled, this functionality fixes the Network Connectivity Status Indicator issue that causes the connected globe icon in the tray menu when running alongside DarkLayer Guard.
When this is checked, a Windows registry value is modified and a whitelisted IP with a domain is added to the Windows hosts file under system32. Once this option is unchecked, both the registry value and the file are restored to their original state on the client.
The registry value that is modified is: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing
This registry value is set to 1 if Force NCSI fix is enabled, but it is set back to 0 on uninstall or uncheck ONLY if the client had that setting before it was changed to 1.
The hosts file can be found at the following path:
Check the 2 paths specified above to see the changes:
7. Use default loopback address: Once checked, DarkLayer GUARD will set your DNS to 127.0.0.1 instead of 127.7.7.x. It will also set ::1 as your loopback address for IPv6. This will enforce DarkLayer GUARD to intercept traffic from a single adapter. This setting helps ensure compatibility between Heimdal™ Patch & Asset Management and certain VPN products, as well as other software you may use, such as virtualization products.
8. Check Interval - by using this feature, you can adjust the time for Heimdal™ Patch & Asset Management to initiate a network scan.
9. Enable domains whitelist – This feature allows the user to whitelist a domain that Heimdal™ Patch & Asset Management blocks the access to due to being suspicious. The domain can be typed in the field that is displayed once the option is ticked and click ADD to whitelist it.
You can also upload a CSV file with multiple domains (separated by "," comma), for example:
facebook.com, youtube.com, amazon.com. That way these domains will be accessible by all machines that are part of the Group Policy.
The domain can be removed from the whitelist by clicking on the red X next to it; it will automatically become blacklisted again once the policy is updated.
10. Enable domains blacklist - This feature allows the user to blacklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat. Perhaps you want to prohibit access to a specific domain in your environment. You can use this option to block it. You can add the domain to the field that appears once you tick the feature. Just click on “add” to blacklist it.
You also have the possibility to upload a CSV file with multiple domains (separated by "," comma), for example:
facebook.com, youtube.com, amazon.com. That way these domains will not be accessible by any machine that is part of the Group Policy.
You can remove the domain from the blacklist by clicking on the red X next to it; it will automatically become whitelisted again once this is done.
11. Top level domains
This feature allows you to whitelist or blacklist top level domains. Ex: “.com, .co.uk, .uk, etc.”
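As an added example (not Heimdal's code), the Python below parses the comma-separated domain lists and top-level-domain lists described in items 9 to 11 and reports which configured TLD a requested name falls under. How the product itself normalises CSV entries is not documented, so the trimming, lower-casing, de-duplication and longest-suffix rules here are assumptions.

```python
import re
from typing import List, Optional, Set, Tuple

# One DNS label: 1-63 chars of letters, digits or hyphen, not starting/ending with "-".
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def parse_domain_list(text: str) -> Tuple[List[str], List[str]]:
    """Split 'facebook.com, youtube.com, amazon.com' into (accepted, rejected).

    Entries are trimmed, lower-cased, stripped of a trailing dot and
    de-duplicated; anything that is not a plausible hostname is rejected
    so a typo does not silently become a whitelist or blacklist entry."""
    accepted, rejected, seen = [], [], set()
    for raw in text.split(","):
        name = raw.strip().lower().rstrip(".")
        if not name:
            continue                       # tolerate a trailing comma
        labels = name.split(".")
        if len(labels) < 2 or not all(_LABEL.match(lbl) for lbl in labels):
            rejected.append(raw.strip())
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected


def parse_tld_list(text: str) -> Set[str]:
    """'.com, .co.uk, .uk' -> {'com', 'co.uk', 'uk'}; multi-label suffixes are kept."""
    return {t.strip().lower().lstrip(".") for t in text.split(",") if t.strip()}


def tld_of(domain: str, tlds: Set[str]) -> Optional[str]:
    """Longest configured suffix that matches `domain`, so shop.example.co.uk
    is reported under 'co.uk' and not under 'uk' when both are configured."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):        # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in tlds:
            return suffix
    return None


def listed(domain: str, entries: List[str]) -> bool:
    """Exact match or subdomain of a listed entry (subdomain coverage is an assumption)."""
    d = domain.lower().rstrip(".")
    return any(d == e or d.endswith("." + e) for e in entries)
```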
12. Enabled custom block pages – This feature allows you to add a custom HTML page that will be displayed when Heimdal™ Threat Prevention - Endpoint blocks a domain, instead of the page shown by default by Heimdal™ Threat Prevention - Endpoint.
13. Enabled Block By Category - This feature allows you to block high-level groupings of ads — such as Social, Apparel, Finance, and Health — from appearing on your network or specified inventory.
14. Enabled Block By Category Schedule - The block by category can now be scheduled to certain time periods. The user can select either weekdays or days in a month and block domains from the selected categories within the selected time interval. “Enable Block by Category” needs to be enabled for this feature.
- By selecting one or more days in a week on which Heimdal™ Threat Prevention - Endpoint blocks the domains:
- By selecting one or more days in a month on which Heimdal™ Threat Prevention - Endpoint blocks the domains:
This feature is designed to periodically scan the system for malware. For more information regarding this feature and what it does, please download and read the latest whitepaper that can be found here: Announcements or in the Dashboard > Guide > Download and install section.
It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated and scanned for threats either manually or automatically.
Heimdal™ Patch & Asset Management - 3rd Party Applications
Enabling the Heimdal™ Patch & Asset Management - 3rd Party Applications module allows the user to install or update a specific software from the list of all the applications that are added to the Group Policy.
In this section, you can also enable Asset Management and Assets View.
To read more about Asset Management, please access the Guide section in the dashboard then Download and install where you can find a document with details and usage instructions: Infinity Management Guide
When you enable the Assets View option you will have the possibility to track and manage all the software installed on the devices in your organization, even if we do not offer patches for them. After you activate the feature you can manage the applications from Heimdal™ Threat Prevention - Vulnerability Mgmt section.
The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
In order for all the changes made to take effect, you have to click the Update button on the bottom left side.
1. Manage Applications offers the following actions:
- The user can select to install and update a specific software on the computers from the GPO
- The user can select to monitor the software without letting Heimdal™ Threat Prevention - Endpoint patch them automatically. This can be done just by marking the checkbox called "Enable 3rd Party Applications module"
- The user can select to install a specific version of the software if it's required by the system.
- The user can select to only update a specific software on the computers from the GPO. This implies that the software selected is already installed on the machines.
- The user can select to only install specific software on the computers from the GPO. This will only install the latest version of the selected software but will not update it if a new version is released.
- The user can select to update all the pieces of software by checking the option Keep all applications up to date. This option will select all the pieces of software and will update them if they are found on the machines that use the Group Policy. Also, it will gray out and will not allow any modifications or exclusions.
- The user can use the option ALLOW INSTALL – This feature allows the end-user to install, on their own, a piece of software that has this option checked in the Group Policy.
Note! Even if no option to Install or Update is selected, Heimdal™ Threat Prevention - Endpoint will monitor the applications found on the machines that are also present in our application list. The number of monitored applications can be seen here:
- The user can select one or more days in a Week when Heimdal™ Threat Prevention - Endpoint can install the updates
- The user can select one or more days in a month when Heimdal™ Threat Prevention - Endpoint can install the updates
- The user can select a certain period of the day, or exclude a certain period of the day, in which the patches are to be applied.
Note: If Install All is enabled, when we add new software to Heimdal™ Threat Prevention - Endpoint, it will be automatically installed on your machines.
2. Lockdown a certain software version
The Group Policy also allows you to select a certain version of the software and lock it down. That means Heimdal™ Threat Prevention - Endpoint will not update it anymore.
Note: If you have a higher version installed and you lock down a lower version, Heimdal™ Threat Prevention - Endpoint will not downgrade it, but if you have a lower version of the software and you lock down a higher version, Heimdal™ Threat Prevention - Endpoint will update that software to the version you selected.
3. Delay a Patch
This option offers you the possibility to delay a patch by 1, 3, 7, 15 or 30 days. That means the patch will be applied to your machine that many days after we added it to Heimdal™ Threat Prevention - Endpoint's Heimdal™ Patch & Asset Management.
In order to improve the performance of computers, you can delay the patching after the machine has started.
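The lockdown rule (section 2: never downgrade, but update up to the locked version) and the delay rule (section 3) combine into one decision per application. The following Python is an added example, not the product's patching code; the function name, the install/update flags and the dotted-integer version format are assumptions.

```python
from datetime import date, timedelta
from typing import Optional, Tuple

ALLOWED_DELAYS = (0, 1, 3, 7, 15, 30)   # 0 = no delay; the others are the dashboard choices


def parse_version(v: str) -> Tuple[int, ...]:
    """'21.5.20060' -> (21, 5, 20060); dotted integers are an assumption."""
    return tuple(int(part) for part in v.strip().split("."))


def patch_decision(installed: Optional[str], available: str, added_on: date, today: date,
                   lockdown: Optional[str] = None, delay_days: int = 0,
                   install: bool = False, update: bool = False) -> Tuple[str, Optional[str]]:
    """Return (action, version) for one application on one machine.

    installed  - version found on the machine, or None if absent
    available  - newest version in the application list
    added_on   - day that version was added to Heimdal Patch & Asset Management
    lockdown   - version locked in the policy, if any
    install    - 'Install' ticked: install if absent, never update an existing copy
    update     - 'Update' ticked: update only if already installed
    """
    if delay_days not in ALLOWED_DELAYS:
        raise ValueError("delay must be 1, 3, 7, 15 or 30 days")
    # Delay a Patch: nothing happens until the delay has elapsed since we added it.
    if today < added_on + timedelta(days=delay_days):
        return ("delayed", None)
    target = lockdown or available          # a lockdown caps what we will deploy
    if installed is None:
        return ("install", target) if install else ("skip", None)
    if not update:
        return ("keep", installed)          # install-only: no updates once present
    if parse_version(installed) >= parse_version(target):
        return ("keep", installed)          # never downgrade to a lower locked version
    return ("update", target)
```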
4. Uninstall Applications
Another feature that the patching system offers is the Uninstall Applications.
This feature allows the user to:
- Uninstall a specific application by writing its name in the field and pressing Add or Enter.
For example, maybe you need to remove Adobe Acrobat Reader DC from all the machines.
In this case, you need to add the full name of the application in the field and press Add or Enter.
- If the “Starts with” option is selected before pressing Add, Heimdal™ Threat Prevention - Endpoint will uninstall everything from the computer that begins with the word “Adobe”. That is why you should know exactly what software needs removing. An example will be Adobe Acrobat Reader DC. That way, you can ensure that Heimdal™ Threat Prevention - Endpoint will only remove the software Adobe Acrobat Reader DC.
- If you need to remove a software app that is on the Managed Application list from all the computers, make sure that the "Install" and "Update" options are not selected for it; otherwise the removal will not work.
That happens because, in the Managed Application list, Adobe Reader is still selected to perform one of the following actions: Install or Update. Removing these actions will allow the software to be uninstalled.
2. This feature also allows uninstalling software that is not on the Managed Application list. It can be any other software on the computer. As mentioned previously, you have to write the full name of the software (as it appears in Control Panel) before pressing Add.
For more information about this feature please click here: UNINSTALL APPLICATION Feature Explained.
In order for all the changes made to take effect, remember to click on the Update button on the bottom left side.
With Thor Enterprise you can now apply Microsoft updates to the Windows computers in your company’s environment.
A search field for group policies and a new filter option that shows only asset management applications in the managed application grid for third party apps have been implemented.
- Settings – Select a group policy
- Heimdal™ Threat Prevention - Endpoint – Vulnerability Mgmt – Third Party Apps
- Managed Applications Grid
- Heimdal™ Threat Prevention - Endpoint – Vulnerability Mgmt – Third Party Apps
- Settings – Select a group policy
Vulnerability Mgmt - Microsoft Updates
With Vulnerability Mgmt you can now apply Microsoft updates to the Windows computers in your company’s environment.
Heimdal™ Threat Prevention - Endpoint allows the management of these patches: select which ones to deploy on the computers under the respective GP, delete or hide them, choose to suppress the reboot of the machines after the installation is complete, and schedule when the computers are to be restarted if required.
When Microsoft Vulnerability reporting only is enabled, the Patch & Asset Management -> Microsoft Updates view will only display the updates available for the endpoints in your environment without applying them. The updates are removed from the list once they have been installed.
The Install no restart required updates only option automatically pushes all the patches that do not require a restart after completion.
Suppress and install everything will install all Windows updates, no matter if they require a reboot and without restarting the computer automatically unless the reboot scheduler is activated.
If Enable Agent notifications for reboot is activated a message will be displayed by the Thor agent on the end user's computer that a restart is necessary to finish the installation.
Enable installation by category - by enabling this option you will be able to customize your Microsoft Updates and deploy the categories that are most important for you. Categories can be manually selected from the drop-down menu.
Server Source allows Heimdal Security to download the updates from the servers you choose. If Default is selected, the updates are downloaded from the source configured on the machine; if Windows Updates is selected, any other 3rd party source or WSUS is bypassed so that the updates are fetched from Microsoft servers.
The Enable Delaying Windows Updates option allows postponing the updates for a number of days after their release, selecting from 1 to 31 days. This setting will override the customization of the scheduler.
For the Microsoft updates the user has control when they should be deployed, being allowed to set a schedule.
Now the Microsoft Update Scheduler will have an additional dropdown that allows you to select on which week of the month you prefer to schedule the update scheduler to work, but only if the scheduler is set to Choose week day and has at least 1 day selected.
By choosing a week of month, it will apply the same functionality for all selected days of week.
This schedule allows the selection of a timeframe when devices will be restarted after each update that requires a reboot was installed.
Force reboot during time selection will restart the computer no more than once in the selected timeframe even if there were no updates installed requiring a reboot.
After everything has been selected and adjusted, the user must Update Policy for the changes to take effect.
Windows Updates Check Interval - this option allows you to control how often Heimdal should check for available Windows Updates. The minimum is 720 min.
Force Reboot Delay - When a force reboot is detected the agent will display a popup notification with the remaining minutes until rebooting. This reboot cannot be canceled.
This option will allow you to control how fast the computer will be rebooted after an update that requires a reboot has been installed.
The interval is between 5 and 60 min.
Enable Microsoft Updates Reboot Delay - if this option is enabled you will be able to give your users the permission to delay a reboot of their machines.
The two sliders will let you set the number of minutes the user can delay a reboot and how many times a reboot can be delayed.
In the screenshot below, the user is able to delay the reboot by 60 minutes, at most 3 times.
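To make the scheduling rules above concrete, here is an added Python example (not the product's scheduler) covering the week-day plus week-of-month selection, the 1 to 31 day delay that overrides the scheduler, and the reboot-delay budget from the two sliders. "Week of month" is modelled as the Nth occurrence of the selected weekday, which is an assumption, as are the function names and the 0 = Monday numbering.

```python
from datetime import date, timedelta
from typing import Optional, Set


def weekday_occurrence(d: date) -> int:
    """1 for the first Monday (or Tuesday, ...) of the month, 2 for the second, up to 5."""
    return (d.day - 1) // 7 + 1


def deploy_allowed(d: date, release: date, delay_days: int = 0,
                   weekdays: Set[int] = frozenset(),
                   week_of_month: Optional[int] = None) -> bool:
    """May the update released on `release` be deployed on day `d`?

    A delay of 1..31 days overrides the scheduler customisation. The
    week-of-month choice only applies when at least one weekday is selected."""
    if delay_days:
        if not 1 <= delay_days <= 31:
            raise ValueError("delay must be between 1 and 31 days")
        return d >= release + timedelta(days=delay_days)
    if not weekdays:
        return True            # assumption: no day selected means no restriction
    if d.weekday() not in weekdays:
        return False
    if week_of_month is None:
        return True
    return weekday_occurrence(d) == week_of_month


class RebootDelay:
    """Reboot-delay budget: the user may postpone a pending reboot by
    `delay_minutes` at a time, at most `max_delays` times; after that the
    forced reboot countdown (5..60 min) runs and cannot be cancelled."""

    def __init__(self, delay_minutes: int, max_delays: int, force_delay_minutes: int) -> None:
        if not 5 <= force_delay_minutes <= 60:
            raise ValueError("force reboot delay must be between 5 and 60 minutes")
        self.delay_minutes = delay_minutes
        self.max_delays = max_delays
        self.force_delay_minutes = force_delay_minutes
        self.delays_used = 0

    def postpone(self) -> bool:
        """The user clicked 'delay'; False once the budget is exhausted."""
        if self.delays_used >= self.max_delays:
            return False
        self.delays_used += 1
        return True

    def minutes_until_reboot(self) -> int:
        """Worst-case time from the first prompt to the reboot if the user keeps
        postponing: every delay used plus the final, uncancellable countdown."""
        return self.delays_used * self.delay_minutes + self.force_delay_minutes
```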
Heimdal™ Next-Gen Antivirus & MDM
This section includes 2 modules:
- Next-Gen Antivirus Management
- Firewall Management
Next-Gen Antivirus Management
By enabling this feature, the antivirus will turn ON.
Enable Real-Time Protection – The endpoints will be scanned in real-time to catch both known and unknown threats. This feature will scan all actions performed on any file, such as read, write or execute so that malicious activities can be detected immediately.
Allow Manual Scan - provides the option to start any scan by the user directly from the agent.
Allow Cancel Scan - if enabled, the end-user will be able to cancel a scheduled scan.
Enable Prescan Cache - The prescan cache caches the already scanned files, thus optimizing a server's performance.
Scan Mode does not change the behavior of real-time scan and will only apply to a system scan. It has two options:
a) SMART - The files are scanned based on the file type and file content by sophisticated algorithms. Using this will speed up a system scan and provide the same level of protection.
b) ALL - In this mode, the AV will scan all files the same but it will take considerably more time to finish a system scan.
Disable USB Ports - disables USB ports for removable devices (memory sticks, for example) so that any plugged-in removable device will not be recognized.
AutoScan USB Ports - allows an automatic scan of any USB removable device that is plugged into the computer.
For CORP users, this option automatically opens a popup with the running scan window; for HOME users, a prompt asks the user whether or not to scan the newly plugged-in device.
Enable Real-Time Scan Network Files will scan all network files, but it might reduce the performance of the computer.
Enable Real-Time Scan Network Files (READ INFO) - if this option is enabled, Thor performs a real-time scan each time a change is made on your network drives.
- The default scan action on infected – This allows you to set up the action that you want the antivirus to take upon detecting a threat: Deny, Quarantine or Allow.
- The default scan action on suspicious - This allows you to set up the action that you want the antivirus to take upon detecting a suspicious file: Deny, Quarantine or Allow.
Be advised that the Deny option is available only if Enable Real-Time Protection is activated in the Group Policy.
Update virus definitions interval [min] – The default time interval is 120 min but can be modified up to 360 min. This feature is designed to check whether there are new virus definitions files (VDF’s) within the Thor Enterprise cloud. If a new VDF is available, this gets automatically downloaded to the local agent database. It is recommended to have the limit set to 120 min in order to update the database as soon as possible.
As the name states, this section allows you to schedule a scan that suits your needs. You can start creating a schedule by pressing the ADD NEW SCAN button on the right side.
Scan Profile Name – In this section you can add the name for the profile you want to create.
Scan Type – This allows you to choose what type of scan you wish Heimdal™ Next-Gen Antivirus & MDM to run in the profile created.
- Full scan – profile will scan all the local files on the endpoints that have the policy applied
- Quick scan – profile will scan critical OS locations and the most usual target folders which are known for virus activity:
C:\Program Files\Common Files
C:\Program Files (x86)\Common Files
- Hard Drive scan – profile will scan all files on the hard drive while ignoring the files on all external media types
- Local Drive scan – the profile will scan all local disks including the hard drives, optical drives, and external storage
- System scan – profile will scan system directory
- Removable Drive scan – profile will only scan for files that become accessible from flash, optical or external drives
- Network Drive Scan – will scan the network mapped folders
- Active Processes Scan – profile will only scan for processes currently running on the target machine
- Custom Scan - available only on the user's computer from the agent, allows the scan of any file by using the right-click context menu then selecting Scan with Heimdal™ Next-Gen Antivirus & MDM which will open a new window with the result
Once the Scan Profile Name and Scan type have been chosen, Heimdal Dashboard allows you to set the timeframe when Heimdal™ Next-Gen Antivirus & MDM antivirus will start to run.
You can choose which days of the week you want the antivirus to run on.
You can also choose which days of the month you want the antivirus to run on. Usually, this option is used in corporations that have a very strict maintenance policy.
Choose time interval - This allows you to set up a timeframe for when Heimdal™ Next-Gen Antivirus & MDM should run the created scan profile.
- The scan profile does not apply automatically in the policy after clicking the “set scan” button. The administrator needs to confirm this by clicking the “update-policy” button. If the update is not clicked, the defined scan profile will be lost if the current page is left before updating the policy.
- Multiple scan profiles can be created inside a single Heimdal™ Next-Gen Antivirus & MDM policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. Example: no 2 scan profiles can be defined to perform full scans in the same policy.
This feature allows you to add exclusions that Heimdal™ Next-Gen Antivirus & MDM will ignore after scanning.
You can add multiple sets of exclusions for some specific Windows products (Ex: SQL Server, Windows Server 2012). In the dashboard, a drop-down has been added to Normal and Real-time exclusions where those specific Windows products appear, each with a checkbox. By selecting one of these checkboxes, a list of exclusions is added to the customer's current exclusion list. A checkbox will be marked only if all exclusions from its set are on the customer's list.
Multiple elements can be added in the exclusion list like file names, file paths and whole directories and also patterns:
- Filename – the specific name of a document or file on your computer. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific suspicious file, so that it is neither scanned nor acted upon by our antivirus:
- File Path – a path, the general form of the name of a file or directory, specifies a unique location in a file system. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific file path, so that it is neither scanned nor acted upon by our antivirus:
- Directory – a file system cataloging structure which contains references to other files and possibly other directories; on many computers, directories are known as folders or drawers. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific directory, so that it is neither scanned nor acted upon by our antivirus:
- Pattern – a pattern is the formalization of a problem/solution pair, used to make an object-oriented design decision. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific pattern, so that matching items are neither scanned nor acted upon by our antivirus:
Real Time Exclusion List - the items added here are excluded directly in the real-time driver, before scanning. Only use this when the regular exclusion doesn't work; adding too many items here may affect performance.
It is recommended to use this feature for applications and external drives, to avoid having their files/folders blocked instantly by the AV scanning, and to put them in the normal Exclusion List instead if they are used regularly and for longer periods of time.
General Quarantine List
This feature allows you to add a specific file or path to quarantine. It is used to define a certain AV behavior when a file with a distinct file name is created on the hard drive. It can also be restricted so that it only applies to files in a certain physical location.
In other words, the administrator is telling the agent that whenever such a file is found on the hard drive, it gets quarantined automatically. As already stated, this is also valid for file paths: whenever a file is detected on a certain path, that file is quarantined immediately.
A new flow was implemented that handles files in the "General Quarantine List" that were added by file path but are not detected by Avira as Suspicious/Infected. "Default scan action on suspicious" determines what action is taken when scanning a file in the "General Quarantine List".
These are the steps to take for testing it:
- Add a file path to the General Quarantine List. (Some extensions, such as “.txt”, don't work with real-time scanning.)
- Test both manual scanning and real-time scanning:
- Manual scanning: right-click on a file in the “General Quarantine List” and select “Scan with Heimdal™ Next-Gen Antivirus”
- Real-time scanning: try to open a file in the “General Quarantine List”
- Note: a restart is required for the AV to work after installation.
This is the module that allows you to control the Windows Firewall from the Heimdal Management Portal.
Enable Firewall Management - this option enables management of the Windows Firewall. If this option is turned OFF, the Windows Firewall remains ON: we do not enable or disable the Windows Firewall itself.
Use automatic rules - if this option is enabled, you can select the profile you want to enable and the Incoming/Outgoing connections. The Incoming/Outgoing connections can only be selected once the corresponding profile is enabled.
Allow isolation - when this option is enabled, the user can choose to isolate an endpoint. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems.
Once the option is enabled, a machine can be isolated from the Active Clients view by selecting the machine you want to isolate and pressing the ISOLATE button.
Isolation rules - this feature adds specific firewall rules only while the computer is isolated. The rules come as a group (more precisely, a profile that adds the rules a certain program needs, e.g. TeamViewer, ISL Online). The rules are deleted when the PC is un-isolated.
- To add more profiles, they must be added manually in the database table.
- After the specific profile is added and the GP settings are saved, these isolation rules are added as normal rules with an additional field that marks them as isolation rules, so in the database they can be found in the same table as the other normal rules.
Block RDP port on brute force detection - when this option is enabled and an audit breach is detected, the RDP port (3389) is blocked for both TCP and UDP. In the Active Clients view, an icon is displayed in the status column if the RDP port is blocked while the workstation is not isolated. Selecting one or more workstations displays the Unblock RDP port action, which unblocks the RDP port for those clients.
Add new rule - this option allows you to add/edit/remove rules. The changes take effect after you click Save / Update policy. The name of the rule needs to be unique. Each rule gets the protocol it was created for appended to its name. Example: in the dashboard we add a rule “Block sql server port”; on the client machine the rule is named “Block sql server port-TCP” for the TCP protocol and “Block sql server port-UDP” for the UDP protocol. This is needed to keep the naming clear, since a single rule can't contain both protocols, so the BOTH option in the dashboard adds two rules.
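As an added example (not Heimdal's own code), the following PowerShell audit lists the per-protocol rules the agent creates under the naming convention above and checks whether inbound RDP (port 3389) is actually blocked for both TCP and UDP, as described for brute-force detection. The dashboard rule name “Block sql server port” is the one used in the text; run it on an endpoint where the policy has been applied.

```powershell
# Added example, not Heimdal's own code: audit agent-created firewall rules.
# Assumes the naming convention "<dashboard name>-TCP" / "<dashboard name>-UDP".

function Get-AgentProtocolRules {
    param([string]$DashboardName)   # name as entered in the dashboard
    foreach ($proto in 'TCP', 'UDP') {
        $name = "$DashboardName-$proto"
        $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($null -eq $rule) {
            # Missing rule: either the policy was not applied yet or the name differs
            [pscustomobject]@{ Name = $name; Present = $false; Protocol = $proto; Port = $null; Action = $null; Enabled = $null }
            continue
        }
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name     = $name
            Present  = $true
            Protocol = $port.Protocol
            Port     = ($port.LocalPort -join ',')
            Action   = $rule.Action
            Enabled  = $rule.Enabled
        }
    }
}

function Test-RdpBlocked {
    # True only if an enabled inbound Block rule for local port 3389 exists for BOTH TCP and UDP
    $blocked = @{}
    foreach ($proto in 'TCP', 'UDP') {
        $rules = Get-NetFirewallPortFilter -Protocol $proto |
            Where-Object { $_.LocalPort -contains '3389' } |
            Get-NetFirewallRule |
            Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Block' -and $_.Enabled -eq 'True' }
        $blocked[$proto] = (@($rules).Count -gt 0)
    }
    [pscustomobject]@{
        TcpBlocked   = $blocked['TCP']
        UdpBlocked   = $blocked['UDP']
        FullyBlocked = ($blocked['TCP'] -and $blocked['UDP'])
    }
}

Get-AgentProtocolRules -DashboardName 'Block sql server port' | Format-Table -AutoSize
Test-RdpBlocked
```

A workstation that shows the RDP-blocked icon in the Active Clients view should report FullyBlocked = True; a half-blocked result (one protocol only) is worth investigating before clicking Unblock RDP port.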
- Get infection SHA256 from agent to dashboard -
An additional field was added for infections/quarantines that are sent to the dashboard. The field stores the hash of the infected file and is shown in the dashboard, next to the "add to storage" icon, as an additional icon that redirects to VirusTotal to auto-scan the selected hash.
Heimdal™ Privileged Access Management
This feature enables the user to request an elevation and use it only once it has been accepted by an administrator through the Dashboard.
Enable Admin Privilege - this option enables or disables the Heimdal™ Privileged Access Management module.
De-elevate and block elevation for users with risk of infections - when enabled, this option automatically removes the admin privileges of a user if Thor detected any malware or malicious links for that user in the past 7 days.
RUN AS ADMINISTRATOR
This privilege adds new functionality to the Heimdal™ Privileged Access Management suite: the ability to get elevated for running a single file, without a UAC prompt.
In order to make this feature available, you will need to activate the “Allow run as administrator” setting inside the Admin Privilege group policy.
Require reason - when enabled, Thor asks the user for a reason for the rights-escalation request.
Auto-mode - when enabled, all session requests are sent directly to the sysadmin.
Approval via Dashboard - when enabled, all session requests and responses go exclusively through the Dashboard. Approved or rejected requests can be reviewed in the dashboard.
If you activated the Run as Administrator feature, the following item appears in the Windows right-click menu for .msi and .exe files:
When clicking on the item, if the “Require reason” setting is set in the group policy, the following popup appears:
After clicking Elevate, depending on the setting in the group policy, either a request is sent to the server and the following popup appears:
or the file is run automatically and the following popup appears:
Revoke existing local admin rights
When enabled, all existing local administrators (users from the Administrators group) on the machines are de-escalated (removed from the Administrators group). If the module detects any local administrators, it automatically downgrades them to standard rights (except the default Administrator user).
The feature allows you to whitelist a hostname or a username (or a domain group*). If a hostname is whitelisted, the admin rights are not removed on that machine.
You can select any hostname under your Heimdal license (you can't insert a hostname that is not saved in the Active Clients view, nor hard-code one) or any username (here we don't perform any checks: we only save the user that last logged in on each hostname, so we trust our agent to whitelist a user that exists in the network).
If you whitelist a hostname and leave the username field empty, all users on that hostname are whitelisted. If you specify only a username (or a domain group), without a hostname, all users with that username on all PCs under this group policy are whitelisted. To inform the user of these two behaviours, the grid shows a placeholder message for any row where the hostname or the username is empty.
If there is any data in the grid, you can search it by hostname or username (the data is paginated).
On service start, we get all members of the local Administrators group. If the hostname is whitelisted, we skip caching users, because none of them needs to be removed. Otherwise, we remove all users that were not marked as whitelisted in the GP and save them in our local storage.
On service stop, all users from local storage are added back to the local Administrators group. The same operation is performed on policy update: if the “De-elevate administrator users” option is unchecked, all users from local storage that were members of the local Administrators group when the service was started are added back to the local Administrators group.
* The Username (or Domain Group) field is case sensitive.
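The whitelist semantics described above (hostname only, username only, exact pair, case-sensitive username, built-in Administrator excluded) can be checked before the policy is applied. The following PowerShell report is an added example, not Heimdal's own code; it only reports which current members of the local Administrators group would be de-escalated and changes nothing. The whitelist rows, hostnames and usernames in it are constructed samples.

```powershell
# Added example, not Heimdal's own code: report-only audit of local Administrators
# against a whitelist using the semantics from the text. Hostname only = every user
# on that host; username only = that user on every host; both = that exact pair.
# Usernames are compared case-sensitively (-ceq), hostnames are not; the built-in
# Administrator (RID 500) is never revoked.

# Constructed sample rows (stand-ins for the GP grid); adjust to your environment.
$Whitelist = @(
    @{ Hostname = 'WS-FINANCE-01'; Username = '' }                # all users on this host
    @{ Hostname = '';              Username = 'CORP\svc_backup' } # this user on every host
    @{ Hostname = 'WS-DEV-07';     Username = 'CORP\alice' }      # only alice, only on WS-DEV-07
)

function Test-Whitelisted {
    param([string]$Hostname, [string]$Username, [array]$Rows)
    foreach ($row in $Rows) {
        $hostMatch = [string]::IsNullOrEmpty($row.Hostname) -or ($row.Hostname -eq $Hostname)
        $userMatch = [string]::IsNullOrEmpty($row.Username) -or ($row.Username -ceq $Username)
        if ($hostMatch -and $userMatch) { return $true }
    }
    return $false
}

function Get-LocalAdminRevocationReport {
    param([string]$Hostname = $env:COMPUTERNAME, [array]$Rows = $Whitelist)
    # Domain groups in the whitelist are not expanded here; only direct user members are checked.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            $builtIn     = $_.SID.Value -like 'S-1-5-21-*-500'
            $whitelisted = Test-Whitelisted -Hostname $Hostname -Username $_.Name -Rows $Rows
            [pscustomobject]@{
                Member      = $_.Name            # must match the username format stored in the GP grid
                Source      = $_.PrincipalSource
                BuiltIn     = $builtIn
                Whitelisted = $whitelisted
                WouldRevoke = (-not $builtIn) -and (-not $whitelisted)
            }
        }
}

Get-LocalAdminRevocationReport | Format-Table -AutoSize
```

Because the username comparison is case sensitive, a row entered as `corp\alice` will not protect `CORP\alice`; the report makes such mismatches visible before any rights are removed.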
Auto-mode - when enabled, all Allow administration session requests are sent directly to the sysadmin.
Approval via Dashboard - when enabled, all Allow administration session requests and responses go exclusively through the Dashboard. Approved or rejected requests can be reviewed in the dashboard.
SESSION LENGTH (2-60 MIN) - allows you to set the time interval for which the end-user can have admin rights.
Heimdal™ Email Protection
This section includes 2 modules:
- Heimdal™ Email Security
- Heimdal™ Email Fraud Prevention
This is a perimeter-based product - you will find it in your Perimeter settings.
Heimdal™ Email Fraud Prevention allows you to scan for and prevent email fraud.
Heimdal™ Email Security is an independent module, like the Next-Gen Antivirus or DarkLayerGuard. This module intercepts all Outlook emails from the Inbox and Sent folders. The module starts when Heimdal is installed or the group policy is refreshed, provided Heimdal™ Email Security is ON in the group policy and Outlook is open. If no Outlook instance is open at that moment, the module checks every 5 minutes whether Outlook has been opened and tries to start the Heimdal™ Email Security module.
For intercepting emails, we created a secondary app named Heimdal™ Email SecurityMonitor. If this app is closed, the module tries to start it, checking its connection every 10 minutes. Also, if the Heimdal™ Email Security service is stopped, this secondary app is closed as well.
Heimdal™ Email Security intercepts every mail from the Inbox and Sent folders and sends it for validation. A partial response is received within 10 minutes and a final result within 24 hours. If the final/partial status is Infected, the mail is moved to the Heimdal™ Email Security subfolder of the Inbox. If the mail was initially flagged as infected (moved to HeimdalInfectedMails) and the final result then considers it uninfected, the mail is moved back to its original folder.
Enable Heimdal™ Email Security - by enabling this option Heimdal™ Email Security becomes active.
LAST DAYS TO SCAN - this slider allows you to increase or decrease the number of days you want Thor to scan your inbox for. The first time Heimdal™ Email Security is activated (and only once), we scan the inbox for the last X days (7 by default).
Enable Agent Balloon Notifications - by enabling this option you receive a pop-up notification each time a file is moved into or out of the Heimdal™ Email Security folder.
- by enabling this option, notifications stay visible until you close them.
Whenever Heimdal™ Email Security moves a mail to the infected folder, we show a popup on the agent side, warning the user with the following text: “We detected a malicious email and we have moved it away from the inbox”. If Heimdal™ Email Security later detects that an email moved to the In assessment folder is not infected, the client popup shows the following text: “False positive detected, we have restored an email to your inbox” and the mail is moved back to its original folder.
See how to apply a certain Group Policy to your machines here: https://support.heimdalsecurity.com/hc/en-us/articles/360001861477
A new checkbox on the Heimdal™ Email Security tab disables/enables the Outlook suspicious activity warnings.
On the agent, a registry key is modified for this with the values 2 -> disable, 0 -> enable. The registry key can be found in regedit at the following path: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Outlook\Security
You will also find multiple tools under your Settings section, in the Perimeter view, by editing your domain:
Below you will find a list of all of them, accompanied by instructions:
2. Additional Domain Settings
3. Anti Spam Settings
4. Security Settings
5. Blacklist and Whitelist
6. Attachment Settings
7. Quarantine Settings
9. SMTP Auth Users
You can find more details about this chapter in the following article: https://support.heimdalsecurity.com/hc/en-us/articles/360007381137-MailSentry-E-Mail-Security-and-Spamfilter-Configuration-
Enable Agent Balloon Notifications Quarantine
Automate the customer email flow to Mailchimp
Backend integration for Mailchimp was implemented. Distributor, Reseller and Corp customer and Account emails are sent to Mailchimp on creation and update, and archived on deletion.
- Adding a new account adds its email to the Mailchimp audience
- Updating an account adds the email to the Mailchimp audience if it does not exist, or updates the existing contact
- The tags correspond to the licensing options of the selected customer
- Deleting an account archives the corresponding contact in the Mailchimp audience
- Adding a new customer adds its email to the Mailchimp audience
- Updating a customer adds the email to the Mailchimp audience if it does not exist, or updates the existing contact
- The tags correspond to the selected licensing options
- Deleting a customer archives the corresponding contact in the Mailchimp audience