In this article, you will learn everything you need to know about the settings you can configure for the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To open the Endpoint Settings, log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
In the General tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints;
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list;
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
AD User Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint whose user is a member of the specified AD Global Security Group will apply this GP;
External IPs - this option allows you to assign the Group Policy based on an External IP or more External IPs. Adding multiple IPs is done by separating them by using a comma:
Specific Azure Groups - allows you to bind the current GPs assigning to an Azure Active Directory Group or multiple Azure Active Directory Groups (Microsoft 365 Groups, Distribution Groups, Mail-enabled Security Groups, Security Groups). The users that are members of the specified Azure Active Directory Group(s), will get the current Heimdal Group Policy;
Policy check interval - sets the interval at which the HEIMDAL Agent automatically checks the Group Policy by communicating with the HEIMDAL Dashboard and servers. The default Policy check interval is 180 min;
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent;
CPU Threshold - allows you to set the CPU Threshold for the warning notifications displayed in the Status column of each endpoint (in the Active Clients view). The default setting for CPU Threshold is 50%;
Memory Threshold - allows you to set the Memory Threshold for the warning notifications displayed in the Status column of each endpoint (in the Active Clients view);
Example of the warnings shown in the Status column: The memory is running at 65 % | The CPU is running at 55 %
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Use system default - the HEIMDAL Agent will automatically pick up the Proxy settings from the computer's Internet Settings. If this option is enabled, the HEIMDAL Agent will impersonate the user that is currently logged in on the computer to pick up the Proxy configuration. If no user is logged in, the HEIMDAL Agent will not be able to collect the Proxy information;
No proxy - the user does not use a Proxy;
Manual proxy - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
Do not show GUI - run the HEIMDAL Agent without the GUI. This feature is recommended for File Servers, Citrix Servers, Terminal Servers, or RDP Servers where multiple users are connecting at the same time;
Enable realtime communication - allows the HEIMDAL Agent to communicate with the HEIMDAL Dashboard (with a delay of under 1 minute) and apply GP updates, Next-Gen Antivirus on-demand scans, Logs requests, Wake-on-Lan requests;
Skip prompting the client when requesting logs - allows you to request the HeimdalLogs or the Event Viewer Logs from any endpoint without the explicit approval of the user. If this option is disabled, the HEIMDAL Agent will display a pop-up on the end-user endpoint each time the HEIMDAL Dashboard Administrator tries to collect the HeimdalLogs or the Event Viewer Logs from the endpoint, asking the user to confirm that they allow the Administrator to collect the Logs. The HEIMDAL Support Team also has access to this feature. If the option is enabled, the HEIMDAL Support Team can collect the info without the confirmation of the user;
Only merge with AD groups specific policies - allows you to merge the current GP with other GPs that match the endpoint's AD Computer Group or AD User Group (available only if Inheritance Mode is ON). If this option is enabled, you will be able to apply multiple Group Policies to machines that are part of different AD groups;
Enforce uninstall password - allows you to set up an uninstall password that will be required when uninstalling the HEIMDAL Agent from any endpoint that is applying the current Group Policy. It prevents unauthorized users from uninstalling the HEIMDAL Agent or making other changes;
Synchronize with time server – this feature syncs the endpoint's time with the Windows Time to ensure correct communication between the HEIMDAL Agent and the HEIMDAL servers. The HEIMDAL Agent will run w32tm /resync and net time /set /y in the background every time a Group Policy check is performed;
Enable Wake on LAN - enables/disables the Wake-on-LAN functionality. Wake-on-LAN is not supported if:
- the endpoint is in an IPv6 network;
- the endpoint is connected through Wi-Fi;
- the endpoint uses a logical adapter for VPN (logical adapters don't have MAC Addresses);
- the endpoint uses a docking station;
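The conditions listed above can be checked on an endpoint before relying on Wake-on-LAN. The PowerShell below is an added example, not Heimdal's code: it uses the standard Get-NetAdapter and Get-NetIPAddress cmdlets and maps three of the listed conditions to adapter properties (the docking-station case cannot be detected from adapter properties and is not checked). The function name Get-WakeOnLanReadiness and the interpretation of a virtual adapter or an empty MAC address as a logical VPN adapter are assumptions made in this example.

```powershell
# Added example (not Heimdal's code): report, per network adapter, which of the
# Wake-on-LAN limitations listed in the article apply to it.
function Get-WakeOnLanReadiness {
    foreach ($nic in Get-NetAdapter) {
        # Routable IPv4 addresses only; APIPA (169.254.x.x) does not count as an IPv4 network.
        $ipv4 = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
                  Where-Object { $_.IPAddress -notlike '169.254.*' })
        $reasons = @()
        # No IPv4 address: the article says IPv6 networks are unsupported.
        if ($ipv4.Count -eq 0) { $reasons += 'no IPv4 address (IPv6-only network)' }
        # Wi-Fi adapters report a "Native 802.11" physical medium.
        if ($nic.PhysicalMediaType -like '*802.11*') { $reasons += 'Wi-Fi adapter' }
        # Assumption: a virtual adapter or one without a MAC address is a logical (VPN) adapter.
        if ($nic.Virtual -or [string]::IsNullOrEmpty($nic.MacAddress)) { $reasons += 'logical/virtual adapter (VPN), no usable MAC address' }
        [pscustomobject]@{
            Interface  = $nic.Name
            Status     = $nic.Status
            MacAddress = $nic.MacAddress
            IPv4       = ($ipv4.IPAddress -join ', ')
            WolCapable = ($reasons.Count -eq 0)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Show capable adapters first; the docking-station case still needs a manual check.
Get-WakeOnLanReadiness | Sort-Object WolCapable -Descending | Format-Table -AutoSize
```

Run it in a normal (non-elevated) PowerShell session on the endpoint; an adapter with WolCapable set to True and a physical MAC address is the one whose address the Wake-on-LAN request should target.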
Use Priority update servers - allows you to set a Priority Update Server and prioritize 3rd Party Applications deployment over an active Internet connection. Once enabled, any computer that is applying the current Group Policy can be marked down as Priority Update Server (from the Active Clients view, by selecting the endpoint and by marking it as Priority Update Server from the dropdown menu), thus, overwriting the Default Update Server. All 3rd Party Application patches/HEIMDAL Agent versions downloaded on the Priority Update Server can be distributed to other endpoints in the environment via P2P instead;
Keep cached files indefinitely - the cached files (3rd Party Applications or HEIMDAL Agent versions) will be stored indefinitely on the Priority Update Server until they are manually deleted. If you disable the option, the disk will not be cleared;
Additional check interval for normal computers - allows you to set the interval of minutes used by the endpoints to communicate with the Priority Update Server.
Threat Prevention is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL™ Threat Prevention engine embedded in the HEIMDAL Agent.
By enabling the DarkLayer Guard module, the HEIMDAL Agent will enable the network filter that will protect the computer from getting infected.
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s), it will revert to Automatic DNS (set automatically by the DHCP). Enabling this option is recommended if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes DarkLayer Guard set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between Heimdal™ Threat Prevention and certain VPN products, as well as other software you may use, such as virtualization products;
Force NCSI fix - this feature fixes the Network Connectivity Status Indicator issue that shows the globe icon in the tray when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value 1 (default is 0) on the following path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing, and adds an entry for a Microsoft IP Address to the hosts file (C:\Windows\System32\drivers\etc);
DoH Compatibility Mode - this feature prevents your active browser (Google Chrome or Mozilla Firefox) from using DNS over HTTPS, which would otherwise bypass the more comprehensive DNS traffic filtering provided by HEIMDAL™ Threat Prevention;
Cisco AnyConnect/Fortinet compatibility mode - this feature reroutes traffic from IPv6 to IPv4 on a Cisco AnyConnect adapter, to work around a known bug in Cisco AnyConnect/Fortinet IPv6 filtering;
Enable High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco AnyConnect or Fortinet is detected - this feature pauses the DarkLayer Guard engine while the endpoint is connected through Cisco AnyConnect/FortiGate. The DNS filtering will automatically re-enable after disconnecting from Cisco AnyConnect/FortiGate;
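To confirm on an endpoint what the options above should have produced, the following PowerShell (an added example, not Heimdal's code) lists the DNS server addresses configured on each adapter, labels the ones that match the DarkLayer Guard addresses the article names (127.7.7.x, 127.0.0.1, ::1 and fe80::...), and reads the EnableActiveProbing value plus the non-comment hosts file entries that Force NCSI fix changes. The registry key and the addresses come from the article; the function names are this example's own.

```powershell
# Added example (not Heimdal's code): show what DarkLayer Guard should have left on
# the endpoint: the DNS server addresses on each adapter and the NCSI probe value.
function Get-DlgAddressKind {
    param([string]$Address)
    # Addresses the article says DarkLayer Guard installs on the NIC(s).
    if ($Address -match '^127\.7\.7\.\d{1,3}$') { return 'DLG IPv4 (127.7.7.x)' }
    if ($Address -eq '127.0.0.1')               { return 'DLG IPv4 default loopback' }
    if ($Address -eq '::1')                     { return 'DLG IPv6 default loopback' }
    if ($Address -like 'fe80:*')                { return 'DLG IPv6 link-local' }
    return 'not a DarkLayer Guard address'
}

function Get-DlgDnsReport {
    # One row per configured DNS server per adapter; adapters without DNS servers are skipped.
    Get-DnsClientServerAddress | Where-Object { $_.ServerAddresses.Count -gt 0 } | ForEach-Object {
        foreach ($addr in $_.ServerAddresses) {
            [pscustomobject]@{
                Interface = $_.InterfaceAlias
                Family    = if ($addr -match ':') { 'IPv6' } else { 'IPv4' }
                DnsServer = $addr
                Kind      = Get-DlgAddressKind -Address $addr
            }
        }
    }
}

function Get-NcsiFixState {
    # Force NCSI fix sets EnableActiveProbing to 1 (default 0) under this key, per the article.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet'
    $value = (Get-ItemProperty -Path $key -Name EnableActiveProbing -ErrorAction SilentlyContinue).EnableActiveProbing
    # The article says the fix also adds a Microsoft address to the hosts file; list the live entries.
    $hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue |
             Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
    [pscustomobject]@{
        EnableActiveProbing = $value
        NcsiFixApplied      = ($value -eq 1)
        HostsEntries        = ($hosts -join '; ')
    }
}

Get-DlgDnsReport | Format-Table -AutoSize
Get-NcsiFixState | Format-List
```

An adapter whose DNS server is reported as "not a DarkLayer Guard address" is one the filter is not intercepting; with Use default loopback address enabled, only a single adapter is expected to show the 127.0.0.1 / ::1 pair.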
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates of the filtering database;
Enable domains whitelist – this feature allows the HEIMDAL Dashboard Administrator to whitelist a domain that is blocked by Heimdal™ Threat Prevention. You can whitelist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be separated by commas):
Enable Block By Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Enable Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Enable domains blacklist - this feature allows the HEIMDAL Dashboard Administrator to blacklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat, or to block access to a specific domain. You can blacklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be separated by commas);
Enable custom block pages – this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Heimdal™ Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blacklisted domain):
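Before uploading a whitelist or blacklist CSV, it helps to validate the comma-separated entries. The PowerShell below is an added example, not Heimdal's code: it normalizes each entry, classifies it as a domain, subdomain or top-level domain suffix (leading dot, as in .co.uk), flags malformed entries such as URLs or names with illegal characters, marks duplicates, and emits the clean comma-separated string. The sample input is constructed, and the classification rules are this example's assumptions about what the dashboard accepts, not the product's documented validation.

```powershell
# Added example (not Heimdal's code): validate and normalize a comma-separated
# domain list before uploading it as a whitelist/blacklist CSV.
function ConvertTo-DomainListReport {
    param([string]$CsvText)
    # A DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
    $labelRegex = '^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'
    $seen = @{}
    foreach ($raw in ($CsvText -split ',')) {
        $entry = $raw.Trim().ToLowerInvariant().TrimEnd('.')
        if ($entry -eq '') { continue }
        # A leading dot marks a top-level domain suffix such as .com or .co.uk (assumption).
        $isSuffix = $entry.StartsWith('.')
        $labels   = @($entry.TrimStart('.') -split '\.')
        $allValid = ($labels | ForEach-Object { $_ -match $labelRegex }) -notcontains $false
        $kind = 'invalid'
        if ($allValid) {
            if ($isSuffix)               { $kind = 'tld-suffix' }
            elseif ($labels.Count -eq 2) { $kind = 'domain' }
            elseif ($labels.Count -gt 2) { $kind = 'subdomain' }
            # A single bare label (e.g. "com") stays invalid: write it as ".com".
        }
        $duplicate = $seen.ContainsKey($entry)
        $seen[$entry] = $true
        [pscustomobject]@{ Entry = $entry; Kind = $kind; Duplicate = $duplicate }
    }
}

# Constructed sample input, as an administrator might paste it before uploading the CSV.
$sample = 'Example.com, mail.example.com, .co.uk, https://bad.example.org, example.com, bad_domain.com'
$report = ConvertTo-DomainListReport -CsvText $sample
$report | Format-Table -AutoSize

# Emit only the clean, deduplicated entries in the comma-separated form the dashboard expects.
$clean = $report | Where-Object { $_.Kind -ne 'invalid' -and -not $_.Duplicate } |
         Select-Object -ExpandProperty Entry
$clean -join ','
```

For the constructed sample, the URL and the entry containing an underscore are reported as invalid, the second example.com is marked as a duplicate, and the final line is example.com,mail.example.com,.co.uk. Wildcard entries such as *.example.com are also rejected by the label check, because the article does not say the dashboard accepts them.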
The VectorN Detection engine is a feature that searches for patterns within the blocks of Heimdal™'s DarkLayer Guard records, detecting malware in ways that no other endpoint protection can. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated, and scanned for threats either manually or automatically.
Enable VectorN Detection - enables the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);
Patch & Assets
Patch & Assets is structured into 2 modules: 3rd Party Software and Microsoft Updates. This Group Policy section is designed to manage the HEIMDAL™ Patch & Assets components embedded in the HEIMDAL Agent.
3rd Party Software
The Heimdal™ Patch & Asset Management - 3rd Party Software module allows the user(s) to install or update a specific 3rd Party Application from the list of applications managed by HEIMDAL Security.
Enable 3rd Party Software - turn on/off the 3rd Party Software module;
Enable Infinity Management - turn on/off the Infinity Management module to deploy your own 3rd Party Applications/Patches (.msi, .exe, .bat files) from the stand-alone patch management system. The patches can be configured in the Infinity Management module and applied to any Group Policy;
Keep all applications up-to-date - all current and future 3rd Party Applications that are included in our 3rd Party Software list will be added to automatic update;
Assets View - allows you to track down and manage all the 3rd Party Applications installed on the devices in your organization, even if we do not offer patches for them (supports applications that are installed in the All Users context). The Assets View updates the list of applications every 24 hours, but it can be manually updated by restarting the computer (this one takes the Delay Patching on Start-up option into consideration).
Show only Infinity Management applications - displays the 3rd Party Applications added in Infinity Management only;
Install - enable the selected 3rd Party Application(s) to be installed on the endpoint(s) if not already installed. If the 3rd Party Application is already installed, nothing happens;
Update - enable the automatic update of the selected 3rd Party Application(s);
Allow Install - make the selected 3rd Party Application(s) available for manual installation by displaying it in the HEIMDAL Agent - 3rd Party Software list:
Delay - allows you to delay the automatic deployment of the selected 3rd Party Application(s) by 1 to 30 days;
Version - allows you to target the selected 3rd Party Application(s) to the Latest Version or to an older version (available in the Patching System). Targeting a version that is older than the Latest Version will downgrade the higher version to the targeted version. This means that Heimdal™ Patch & Assets will not update it anymore;
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for newly available patches;
Delay patching on startup - allows you to set the delay time interval applied on computer startup until the HEIMDAL Agent starts the patching operation;
Enable Patching Schedule - allows you to set a scheduler for the 3rd Party Application patching module;
- You can select one or more days in a week when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can select one or more days in a month when Heimdal™ Patch & Assets can install the 3rd Party Application(s)/Patches;
- You can also select a specific interval of any day to exclude the 3rd Party Application patching.
This feature allows you to uninstall a specific 3rd Party Application to restrict the usage of unwanted applications or to get applications removed from all machines that are part of the current Group Policy. This tool removes most of the applications that HEIMDAL™ Patch & Assets is monitoring and also uninstalls other 3rd Party Applications that are present on the endpoint(s) and are outside of the HEIMDAL™ Patch & Assets environment.
To uninstall a 3rd Party Application you need to specify the name of the application. You can also specify only the first word of the name (in case the 3rd Party Application has a name composed of more than 1 word) to target multiple 3rd Party Applications whose names start with the same word; tick the Starts with tickbox to be able to add the entry.
- The example below targets all Adobe applications that are installed on the endpoint(s) (Adobe Acrobat DC, Adobe Acrobat Reader DC, Adobe Audition 2019, and others);
- If you target a specific application you have to add the exact application name (as it is displayed in the Control Panel - Programs and Features list) to be uninstalled (like in the example below: Java 8 Update 291 (64-bit));
- If you want to uninstall a 3rd Party Application that is in the 3rd Party Software list, you need to make sure that the tickboxes for Install or Update are unticked in order to be able to add the 3rd Party Application in the Application Blacklist.
The HEIMDAL™ Patch & Asset Management - Microsoft Updates module allows the HEIMDAL Dashboard Administrator(s) to view, download and deploy available Windows Updates that are specific to any endpoint in your environment. HEIMDAL™ Patch & Assets allows you to select which ones to deploy on the computers that are applying the current Group Policy, to delete or hide them and select to suppress the reboot of the endpoints after completing the Windows Updates installation or to schedule when the endpoints will reboot (to complete the installation of the Windows Update).
Enable Microsoft Updates - turn on/off the Microsoft Updates Software module;
Microsoft Vulnerability reporting only - will only display the Windows Updates available for the endpoints in your environment (in the Microsoft Updates view) without applying them. Available Windows Updates will move to the Installed view once they have been installed;
Install no restart required updates only - allows you to enable/disable the automatic download and install of all the available Windows Updates that do not require a reboot to complete the installation process;
Suppress and install everything - allows you to enable/disable the automatic download and install of all the available Windows Updates (both those that require a reboot to complete the installation process and those that do not). The reboot is performed according to the Microsoft Updates Reboot Schedule or when the user chooses so (if the Microsoft Updates Reboot Schedule is disabled) after receiving the Reboot Required warning;
Enable installation of optional updates - allows you to enable/disable the automatic download and install of optional updates (like Microsoft Feature Updates);
Enable installation by category - allows you to enable/disable the automatic download and install of specified Microsoft Updates categories. Categories can be selected from the drop-down menu:
Enable installation of other Microsoft products - allows you to enable/disable the automatic download and install of Microsoft Updates for other Microsoft products like Microsoft 365, Microsoft Office, Microsoft Teams, OneDrive, OneNote, Microsoft Edge;
Enable Agent notifications for reboot - allows you to enable/disable the Reboot Required notification that is displayed by the HEIMDAL Agent on the end-user computer when a reboot is necessary to finish the installation of a Windows Update;
Server Source - allows the HEIMDAL Agent to download the available Windows Updates from the servers you choose. If Default is selected, the Windows Updates will be downloaded from the source configured on the machine (WSUS or any other 3rd Party Server), while if Windows Updates is selected, WSUS or any other 3rd Party Server will be bypassed so that the Windows Updates are fetched from Microsoft Servers;
The section below allows you to hide or delete specific Windows Updates:
Check interval - allows you to set the time interval when the HEIMDAL Agent checks for new Available Windows Updates:
Delayed Microsoft Updates Interval (days) - allows you to postpone the installation of the Windows Updates for a number of days after their release. This setting will override the customization of the scheduler:
Enable Microsoft Updates Schedule - allows you to configure the deployment of the available Windows Updates by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)). Choosing a week of the month will make the HEIMDAL Agent apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:
Enable Microsoft Updates Reboot Scheduler - allows you to configure the restart interval for the endpoints that are installing Windows Updates that require a reboot by selecting a day/multiple days during the week or during the month (and a timeframe that applies to the selected day(s)). Choosing a week of the month will make the HEIMDAL Agent apply the same functionality for all selected days of the week. The scheduler can be made Active during the time selection or Inactive during the time selection:
Enable Microsoft Updates Reboot Delay - allows you to configure a reboot delay interval and a number of postpones to grant the end-user the possibility of preparing for a scheduled reboot required to complete the installation of a Windows Update. The two sliders will allow you to set the number of minutes the user can delay a reboot and how many times a reboot can be delayed:
Endpoint Detection is structured into 3 modules: Next-Gen Antivirus, Firewall Management, and Ransomware Encryption Protection. This Group Policy section is designed to manage the HEIMDAL™ Endpoint Detection components embedded in the HEIMDAL Agent.
The Heimdal™ Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Enable Next-Gen Antivirus - turn on/off the Next-Gen Antivirus module;
Allow users to stop AV Service - this functionality will allow end users to stop the AV service from the Heimdal Agent.
! This new option is available only for 'CORP' customers.
Once enabled, a GP tick box will appear allowing this (based on a password, set by the IT admin) and a slider for setting the auto restart time (also set by the IT admin).
The password must be longer than 6 characters, and the Pause interval is in the range of 2-60 minutes.
AutoScan USB Ports - turn on/off the automatic scan of any USB Removable Device (like flash drives, storage devices, HDDs) that is plugged into a computer. For Enterprise users, the option will automatically launch a popup with the running Scan Window, while for Home users, a prompt will ask the user whether they want to scan the newly plugged device or not;
USB Silent Mode Scan - do not display a Scan Window on the end-user computer. This option works only for USB Removable Devices (it does not work with other plug and play devices like headphones, cameras, mice or keyboards). This feature can be turned on only if AutoScan USB Ports is turned on;
Disable USB Ports - allows you to disable Removable Media Devices from being connected to a computer. A computer reboot is required in order to activate/deactivate this function;
Enable Agent Balloon Notifications - allows the HEIMDAL Agent to display a balloon notification on detected files;
Enable Real-Time Protection – the endpoints will be scanned in real-time to catch both known and unknown threats. This feature scans all actions performed on any file, such as read, write or execute, so that malicious activities can be detected immediately;
Allow Manual Scan - provides the option to start any scan by the user directly from the agent;
Allow Cancel Scan - if enabled, end-user will be able to cancel a scheduled scan;
Scan Mode does not change the behaviour of real-time scan and will only apply to a system scan. It has two options:
a) SMART - The files are scanned based on the file type and file content by sophisticated algorithms. Using this will speed up a system scan and provide the same level of protection.
b) ALL - In this mode, the AV will scan all files the same but it will take considerably more time to finish a system scan.
Disable USB Ports - disables USB ports for removable devices (memory sticks, for example) so that any plugged-in removable device will not be recognized;
False Positive Control - identifies exceptional false positive detections in real time and prevents them from impacting the performance of antimalware scanning;
Enable Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Enable Real-Time Scan Network Files (READ INFO) - if this option is enabled, Thor will perform a real-time scan each time a change is made on your network drives.
- The default scan action on infected – This allows you to set up the action that you want the antivirus to take upon detecting a threat: Deny, Quarantine, Allow or Delete.
- The default scan action on suspicious - This allows you to set up the action that you want the antivirus to take upon detecting a suspicious file: Deny, Quarantine, or Allow
Be advised that the Deny option is available only if Enable Real-Time Protection is activated in the Group Policy.
Update virus definitions interval [min] – The default time interval is 120 min but can be modified up to 360 min. This feature is designed to check whether there are new virus definition files (VDFs) within the Thor Enterprise cloud. If a new VDF is available, it is automatically downloaded to the local agent database. It is recommended to keep the limit set to 120 min in order to update the database as soon as possible.
As the name states, this section allows you to schedule a scan that suits your needs. You can start creating a schedule by pressing the ADD NEW SCAN button on the right side.
Scan Profile Name – In this section you can add the name for the profile you want to create.
Scan Type – This allows you to choose what type of scan you wish Heimdal™ Next-Gen Antivirus & MDM to run in the profile created.
- Full scan – profile will scan all the local files on the endpoints that have the policy applied
- Quick scan – profile will scan critical OS locations and the most usual target folders which are known for virus activity:
C:\Program Files\Common Files
C:\Program Files (x86)\Common Files
- Hard Drive scan – profile will scan all files on the hard drive while ignoring the files on all external media types
- Local Drive scan – the profile will scan all local disks including the hard drives, optical drives, and external storage
- System scan – profile will scan system directory
- Removable Drive scan – profile will only scan for files that become accessible from flash, optical or external drives
- Network Drive Scan – this option is working only with Mapped network drives (see below screenshot):
Important! It will NOT work with Network location. It will scan and detect the infections, BUT NO action (quarantine, delete, etc.) will be performed (we cannot remove something from the drive and put it in a local PC quarantine folder).
- Active Processes Scan – profile will only scan for processes currently running on the target machine
- Custom Scan - available only on the user's computer from the agent, allows the scan of any file by using the right-click context menu then selecting Scan with Heimdal™ Next-Gen Antivirus & MDM which will open a new window with the result
Once the Scan Profile Name and Scan Type have been chosen, the Heimdal Dashboard allows you to set the timeframe in which Heimdal™ Next-Gen Antivirus, Firewall & MDM will run the scan.
You can choose which days of the week you want the antivirus to run on.
You can also choose which days of the month you want the antivirus to run on. Usually, this option is used in corporations that have a very strict maintenance policy.
Choose time interval - This allows you to set up a timeframe for when Heimdal™ Next-Gen Antivirus & MDM should run the created scan profile.
- The scan profile does not apply automatically in the policy after clicking the “set scan” button. The administrator needs to confirm this by clicking the “update-policy” button. If the update is not clicked, the defined scan profile will be lost if the current page is left before updating the policy.
- Multiple scan profiles can be created inside a single Heimdal™ Next-Gen Antivirus & MDM policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example: no 2 scan profiles can be defined to perform full scans in the same policy.
This feature allows you to add exclusions that Heimdal™ Next-Gen Antivirus & MDM will ignore after scanning.
You can add multiple sets of exclusions for some specific Windows products (e.g. SQL Server, Windows Server 2012). In the dashboard, the Normal and Realtime Exclusions grids have been merged into the “Next-Gen AV Exclusion List” grid.
- The exclusions previously under the “Normal Exclusions” grid are now the “Low” priority exclusions under the new grid.
- The exclusions previously under the “Realtime Exclusions” grid are now the “Medium” priority exclusions under the new grid.
- The “High” priority exclusions are the one previously found in “GroupPolicyAntivirus_AVRealtimeScanOptions_ExplicitEngineExcludedPaths” under “GroupPolicyWrappers”. A user can add up to five “High” priority exclusions. A toaster warning will be displayed if a user tries to add more than five.
- Filename – This option is referring to a specific name that you give to a document or to a file on your computer: it is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific suspicious file from being scanned or from any actions being taken upon it by our antivirus:
- File Path - A path, the general form of the name of a file or directory, specifies a unique location in a file system: it is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific File Path from being scanned or from any actions being taken upon it by our antivirus:
- Directory - A file system cataloging structure that contains references to other computer files, and possibly other directories. On many computers, directories are known as folders or drawers. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore a specific Directory from being scanned or from any actions being taken upon it by our antivirus:
- Pattern - A pattern is a file name or path expression that matches more than one item. This option is used if you want Heimdal™ Next-Gen Antivirus & MDM to ignore every file matching a specific Pattern from being scanned or from any actions being taken upon it by our antivirus:
Real Time Exclusion List - the items added here will be excluded directly from the real-time driver before scanning. Only use this when the regular exclusion doesn't work.
It is recommended to use this feature for applications and external drives, to avoid having their files/folders blocked instantly by the AV scanning, but to keep them in the normal Exclusion List if they are used regularly and for longer periods of time.
Global Quarantine List
This feature allows you to add a specific file or path to quarantine. It is used to define a certain AV behavior when a certain file with a distinct file name is created on the hard drive. Also, it can be tweaked to only apply to files in a certain physical location.
Basically, the administrator is telling the agent that whenever a suspicious file is found on the hard drive, the file gets automatically quarantined. As already stated, this is also valid for file paths: whenever a file is detected on a certain path, that file gets quarantined immediately.
This is the module that allows you to control the Windows Firewall from the Heimdal Management Portal.
Enable Firewall Management - this option allows you to enable the management of the Windows Firewall. If this option is turned OFF, the Windows Firewall will remain ON; HEIMDAL does not enable or disable the Windows Firewall itself.
Use automatic rules - if this option is enabled, you can select the profile you want to enable and the Incoming/Outgoing connections. You can select the Incoming/Outgoing connections only if you enable the corresponding profile.
Allow isolation - when this option is enabled, the user is able to isolate an endpoint. If the endpoint is isolated, all its external connections are rerouted through the Heimdal Security systems.
Once the option is enabled the machine can be isolated from the active client view, by selecting the machine you want to isolate and press the ISOLATE button.
Isolation rules - this feature adds specific firewall rules only while the computer is isolated. The rules come as a group (more precisely, a profile that adds a set of rules for a certain program, e.g. TeamViewer or ISL Online). These rules are deleted when the PC is unisolated.
- To add more profiles, they have to be added manually in the database table.
- After the specific profile is added and the GP settings are saved, the isolation rules are stored as normal rules with an additional field marking them as isolation rules, so in the database they can be found in the same table as the other normal rules.
Block RDP port on brute force detection - when this option is enabled and an audit breach is detected, the RDP port (3389) is blocked for both TCP and UDP. In the Active Clients view, an icon is displayed in the Status column if the RDP port is blocked and the workstation is not isolated. Selecting one or more workstations displays the Unblock RDP port action, which unblocks the RDP port for those clients.
Add new rule - this option allows you to add, edit or remove rules. The changes take effect after you click Save / Update policy. The name of each rule needs to be unique, and the protocol on which the rule was created is appended to its name. Example: if you add a rule named “Block sql server port” in the dashboard, on the client machine the rule is named “Block sql server port-TCP” for the TCP protocol and “Block sql server port-UDP” for the UDP protocol. This is needed to keep the naming clear, because a single Windows Firewall rule can't cover both protocols, so the BOTH option in the dashboard creates two rules.
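As an added example (not Heimdal's own code), the following PowerShell check verifies on an endpoint that a rule added from the dashboard was created under the “<name>-TCP” / “<name>-UDP” naming described above, and that port 3389 is blocked for both TCP and UDP once the RDP brute-force block has triggered. It assumes the suffixed name is stored as the Windows Firewall rule's DisplayName (an assumption, since the article does not say which name field is used), and it has to run in an elevated PowerShell session on the endpoint.

```powershell
# Added example: verify dashboard-pushed Windows Firewall rules on an endpoint.
# Assumption: the "<name>-TCP" / "<name>-UDP" name is the rule's DisplayName.

function Test-DashboardRule {
    param(
        [Parameter(Mandatory)] [string] $BaseName,
        [ValidateSet('TCP', 'UDP', 'BOTH')] [string] $Protocol = 'BOTH'
    )
    $protocols = if ($Protocol -eq 'BOTH') { @('TCP', 'UDP') } else { @($Protocol) }
    foreach ($p in $protocols) {
        $displayName = "$BaseName-$p"
        $rule = Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue
        if (-not $rule) {
            # Rule missing: the policy was not applied (yet), or the name differs.
            [pscustomobject]@{ Rule = $displayName; Present = $false; Protocol = $p
                               Port = $null; Direction = $null; Action = $null; Enabled = $null }
            continue
        }
        $filter = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $displayName
            Present   = $true
            Protocol  = $filter.Protocol      # should match the name suffix
            Port      = $filter.LocalPort
            Direction = $rule.Direction
            Action    = $rule.Action
            Enabled   = $rule.Enabled
        }
    }
}

function Test-RdpBlocked {
    # $true only when an enabled inbound Block rule covers local port 3389 for TCP AND UDP.
    $blocked = @{ TCP = $false; UDP = $false }
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_ | Get-NetFirewallPortFilter
            $proto = [string]$f.Protocol
            $covers3389 = ($f.LocalPort -contains '3389') -or ($f.LocalPort -contains 'Any')
            if ($covers3389 -and $blocked.ContainsKey($proto)) { $blocked[$proto] = $true }
        }
    return [bool]($blocked.TCP -and $blocked.UDP)
}

# Usage on the endpoint (rule name exactly as typed in the dashboard, without the suffix):
Test-DashboardRule -BaseName 'Block sql server port' | Format-Table -AutoSize
"RDP (3389) blocked for TCP and UDP: $(Test-RdpBlocked)"
```

Test-RdpBlocked deliberately requires both protocols, mirroring the option's description; a rule that blocks only TCP/3389 would report $false, which is the case you want to notice after a policy update.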
- Get infection Sha256 from agent to dashboard -
An additional field was added for infections/quarantines that are sent to the dashboard. The field stores the hash of the infected file and is shown in the dashboard next to the "add to storage" icon as an additional icon that redirects to VirusTotal, where the selected hash is scanned automatically.
- Add to storage -
By clicking this button, the file is uploaded to the dashboard at the next Group Policy check, from where it can be extracted.
How to extract the files and check the upload status:
1) In the Management section, go to Active Clients
2) Click on the desired Hostname
3) Select the tab General
4) Navigate to Logs - click on Files
5) Select the preferred option from the dropdown:
Files View - shows the uploaded files.
Files Status View - shows the status of the upload process.
Privileges & App Control
This feature enables the user to request an elevation and use it only once it has been approved by an administrator through the Dashboard.
Enable Admin Privileged Access Management - this option allows you to enable or disable the Heimdal™ Privileged Access Management module.
De-elevate and block elevation for users with risk of infections - when enabled, this option automatically removes the admin privileges of a user if any malware or malicious links were detected by Thor in the past 7 days.
RUN AS ADMINISTRATOR
This privilege adds new functionality to the Heimdal™ Privileged Access Management suite by offering the ability to get elevated rights for running a single file, without a UAC prompt.
In order to make this feature available, you will need to activate the “Allow run as administrator” setting inside the Admin Privilege group policy.
Require reason - when enabled, Thor asks the user for a reason for the rights escalation request.
Auto-mode - when enabled, all session requests are sent directly to the sysadmin.
Approval via Dashboard - when enabled, all session requests and responses go exclusively through the Dashboard. Approved or rejected requests can be reviewed in the dashboard.
If you activated the Run as Administrator feature, the following item appears in the Windows right-click menu for .msi and .exe files:
When clicking on the item, if the “Require reason” setting is set in the group policy, the following popup appears:
After clicking Elevate, depending on the setting in the group policy, either a request is sent to the server and the following popup appears:
Or the file is run automatically and the following popup appears:
Auto-mode - when enabled, all Allow administration session requests are sent directly to the sysadmin.
Approval via Dashboard - when enabled, all Allow administration session requests and responses go exclusively through the Dashboard. Approved or rejected requests can be reviewed in the dashboard.
SESSION LENGTH (2-60 MIN) - allows you to set the time interval for which the end-user has admin rights.
- Allow only a specific user to request elevation rights - only a specific user is allowed to initiate an elevation request from a specific workstation: the user must not already have admin status, and the username must be included in the name of the workstation from which elevation is requested. For example: MyLaptop-Username1 or Username1-MyLaptop. The username must be separated from the rest of the workstation name by the '-' character.
- Accepted requests availability time - when enabled, this feature allows you to pre-define how long an approved elevation lasts before it is automatically revoked. When disabled, the elevation is automatically revoked after 24 hours.
- Time to live (1-24 hours) - allows you to set the time interval for the above-mentioned option.
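The hostname/username rule above, evaluated locally as an added example (not Heimdal's code; the function name, the case-insensitive comparison and the returned object are this example's own assumptions). It splits the workstation name on '-' exactly as the setting requires, and it also checks the "not already an administrator" condition against the local Administrators group, so a practitioner can see in advance whether a given user on a given machine would be eligible:

```powershell
# Added example: evaluate the "Allow only a specific user to request elevation rights"
# rule for a hostname/username pair. Not Heimdal's code.

function Test-ElevationRequester {
    param(
        [string] $Hostname = $env:COMPUTERNAME,
        [string] $Username = $env:USERNAME
    )
    # The username must be one of the '-'-separated parts of the workstation name,
    # e.g. MyLaptop-Username1 or Username1-MyLaptop. A name merely embedded in a part
    # (MyLaptopUsername1) does not qualify, because there is no '-' separator.
    $parts = $Hostname -split '-'
    $nameMatches = [bool]($parts -contains $Username)   # -contains is case-insensitive (assumption)

    # The rule only applies to users who are not already local administrators.
    $alreadyAdmin = $false
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        if ($m.Name.Split('\')[-1] -eq $Username) { $alreadyAdmin = $true; break }
    }

    [pscustomobject]@{
        Hostname     = $Hostname
        Username     = $Username
        NameMatches  = $nameMatches
        AlreadyAdmin = $alreadyAdmin
        MayRequest   = ($nameMatches -and -not $alreadyAdmin)
    }
}

# Constructed inputs: one hostname in the expected format, one without the '-' separator.
Test-ElevationRequester -Hostname 'MyLaptop-Username1' -Username 'Username1'   # NameMatches: True
Test-ElevationRequester -Hostname 'MyLaptopUsername1'  -Username 'Username1'   # NameMatches: False
# Evaluate the current session on this machine:
Test-ElevationRequester
```

Get-LocalGroupMember needs the LocalAccounts module (Windows 10 / Server 2016 and later); on localized systems where the group is not literally named Administrators, pass the well-known SID S-1-5-32-544 to -SID instead of the name.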
- Revoke existing local admin rights
When enabled, all the existing local administrators (users from the Administrators group) on the machines are de-escalated (removed from the Administrators group). If the module detects any local administrators, it automatically downgrades them to standard rights (except the default Administrator user).
The feature allows you to whitelist a hostname or a username (or a domain group*). If a hostname is whitelisted, the admin rights are not removed on that machine.
You can select any hostname under your Heimdal license (you can't insert a hostname that is not saved in the Active Clients view, nor hardcode one) or any username (here we don't perform any checks: we only save the user that last logged in on each hostname, so we trust the agent to whitelist a user that exists in the network).
If you whitelist a hostname and leave the username field empty, all users on that hostname are whitelisted. If you specify just a username (or a domain group) without a hostname, all users with this username on all PCs under this group policy are whitelisted. To make the user aware of these two cases, the grid shows a placeholder message for any combination where the hostname OR the username is empty.
If there is any data in the grid, you can search through it by hostname or username (the data is paginated).
On service start, we get all members of the local Administrators group. If the hostname is whitelisted, we skip caching users, because none of them needs to be removed. Otherwise, we remove all users that were not marked as whitelisted in the GP and save them in our local storage.
On service stop, all users from local storage are added back to the local Administrators group. The same operation is performed on policy updates: if the option to “De-elevate administrator users” is unchecked, all users from local storage that were members of the local admin group when the service was started are added back to the local admin group.
* - The Username (or Domain Group) field is case-sensitive.
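The service-start and service-stop behaviour described above, written out as an added PowerShell example (not Heimdal's code). The cache file location, the parameter names and the JSON cache format are this example's own placeholders; the whitelist comparison is case-sensitive, as the footnote states, and the built-in Administrator account is recognised by its well-known RID 500 rather than by name, so a renamed built-in account is still kept:

```powershell
# Added example: de-elevate non-whitelisted local admins on start, restore them on stop.
# Not Heimdal's code. Cache path and whitelist parameters are placeholders.
$CacheFile = Join-Path $env:ProgramData 'EXAMPLE-PLACEHOLDER\cached-local-admins.json'

function Invoke-LocalAdminRevocation {
    param(
        [string[]] $WhitelistedHostnames = @(),
        [string[]] $WhitelistedUsernames = @(),   # usernames or domain groups; case-sensitive
        [switch]   $WhatIf                         # dry run: report, but remove nothing
    )
    # Whitelisted hostname: nothing is removed, so nothing needs to be cached.
    if ($WhitelistedHostnames -contains $env:COMPUTERNAME) { return @() }

    $removed = @()
    foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
        $account = $m.Name                                   # HOST\user or DOMAIN\user
        $short   = $account.Split('\')[-1]
        if ($m.SID.Value -like '*-500') { continue }         # built-in Administrator is kept
        if ($WhitelistedUsernames -ccontains $short) { continue }  # -ccontains: case-sensitive
        Remove-LocalGroupMember -Group 'Administrators' -Member $account -WhatIf:$WhatIf
        $removed += $account
    }
    # Persist the removed accounts so they can be restored on stop / policy change.
    New-Item -ItemType Directory -Path (Split-Path $CacheFile) -Force | Out-Null
    ConvertTo-Json -InputObject @($removed) | Set-Content -Path $CacheFile
    return $removed
}

function Restore-CachedLocalAdmins {
    # Service stop, or the option unchecked: put every cached account back, then clear the cache.
    if (-not (Test-Path $CacheFile)) { return @() }
    $cached = @(Get-Content -Path $CacheFile -Raw | ConvertFrom-Json)
    foreach ($account in $cached) {
        Add-LocalGroupMember -Group 'Administrators' -Member $account -ErrorAction SilentlyContinue
    }
    Remove-Item -Path $CacheFile
    return $cached
}

# Dry run first: the returned list shows which accounts a real run would remove.
Invoke-LocalAdminRevocation -WhitelistedUsernames @('helpdesk') -WhatIf
```

Run the dry run before enabling the option on a new Group Policy: the returned list is exactly the set of accounts that would lose local admin rights, and any name that appears there unexpectedly usually means a whitelist entry with the wrong letter case.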
- Enforce token refresh
This option only works if the above-mentioned option (Revoke existing local admin rights) is enabled.
After this option is enabled, on policy update in the agent, if the currently logged-in user (either a local user or an AD user) was part of the local Administrators group and was removed due to the Group Policy options, a popup appears in the left corner of the screen informing the user that they will be logged off automatically in 5 minutes, in order to completely remove their administrator privileges. The popup has a button that allows the user to log off right away.
- Disable interactive logon
When enabled, this feature disables interactive logon, so each user that tries to log in has to enter both username and password.
Enabling/disabling this option modifies the following registry value:
When the option is enabled, we read the current value of that registry entry and overwrite it with “1”. The current value is saved in our repository in the registry, under the key “CachedDontDisplayLastUsername”.
When the option is deactivated from the Group Policy, we update the “dontdisplaylastusername” value with the one we cached and then delete our cached value. In this way, our clients remain free to set “dontdisplaylastusername” as they wish.
This improvement was made because we used to set “dontdisplaylastusername” to 0 by default if “Revoke existing local admin rights” was disabled (which it was, by default), even though some of our users needed to set that value to 1.
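The cache-then-override behaviour described above, and its reversal, as an added PowerShell example (not Heimdal's code). DontDisplayLastUserName lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System; the cache key path and the function names are this example's own placeholders, not Heimdal's repository key. An absent value is treated as the Windows default of 0, which is the only case the article's description leaves implicit:

```powershell
# Added example: cache the customer's DontDisplayLastUserName, force it to 1, and restore it later.
# Not Heimdal's code. $CacheKey is a placeholder, not Heimdal's actual registry repository.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName = 'DontDisplayLastUserName'
$CacheKey  = 'HKLM:\SOFTWARE\EXAMPLE-PLACEHOLDER\Cache'
$CacheName = 'CachedDontDisplayLastUsername'

function Enable-InteractiveLogonRestriction {
    # Read the current value (absent = Windows default 0), cache it, then override with 1.
    $current = (Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { $current = 0 }
    if (-not (Test-Path $CacheKey)) { New-Item -Path $CacheKey -Force | Out-Null }
    New-ItemProperty -Path $CacheKey -Name $CacheName -Value $current -PropertyType DWord -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value 1 -Type DWord
    return $current      # the value that will be restored on disable
}

function Disable-InteractiveLogonRestriction {
    # Restore the cached value and drop the cache, so the customer's own setting wins again.
    $cached = (Get-ItemProperty -Path $CacheKey -Name $CacheName -ErrorAction SilentlyContinue).$CacheName
    if ($null -eq $cached) { return $null }   # option was never enabled here: touch nothing
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $cached -Type DWord
    Remove-ItemProperty -Path $CacheKey -Name $CacheName
    return $cached
}

# Usage (elevated session): enable, inspect, disable.
Enable-InteractiveLogonRestriction
(Get-ItemProperty -Path $PolicyKey -Name $ValueName).$ValueName    # 1 while enabled
Disable-InteractiveLogonRestriction
```

The early return in Disable-InteractiveLogonRestriction is the point of the design: if nothing was cached, the value was never overridden by this mechanism, so it is left untouched instead of being reset to 0.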
Email Fraud Prevention - the settings of this module are documented in a separate article.