In this article, you will learn everything you need to know about the Next-Gen Antivirus & MDM module.
1. Description
2. How does Next-Gen Antivirus & MDM work?
3. HEIMDAL Agent - Next-Gen Antivirus & MDM
4. Next-Gen Antivirus & MDM view
5. Next-Gen Antivirus & MDM settings
DESCRIPTION
Next-Gen Antivirus & MDM is the reactive protection side of our product suite. The Next-Gen Antivirus solution reacts to infected files found on the system. Next-Gen Antivirus combines the techniques known by both traditional and Next-Gen Antivirus to detect and remediate viruses, APTs, financial fraud, ransomware, and data leaks. It complements the Threat Prevention - Endpoint product module, to offer all-around protection. It offers a centralized management interface across all devices for easy corporate client management. It is flexible and easy to use and it offers a wide variety of scanning profiles to fit your corporate needs.
HOW DOES NEXT-GEN ANTIVIRUS & MDM WORK?
As a standalone antivirus product, Next-Gen Antivirus & MDM features a threat scan module that is capable of detecting viruses, trojans, riskware, heuristic threats, adware, backdoors, constructors, dialers, exploits, trash, and APCs. Besides the scan module, which is included in every HEIMDAL Agent installation, the Antivirus as a whole also comprises a reporting and control dashboard, the Protection Cloud, a local quarantine location, and VDFs (Virus Definition Files).
HEIMDAL AGENT - NEXT-GEN ANTIVIRUS & MDM
Endpoint Detection - Next-Gen Antivirus (inside the HEIMDAL Agent) allows the end-user to run a scan or to stop a scan operation (if allowed in the Group Policy settings) and it also displays information about the detected Infections and the Quarantined files.
The end-user who is allowed to start a scan operation can click on the Go To Scan button where he can select a scan type from the following:
- Quick Scan - scans critical OS locations and the most usual target folders that are known for virus activity: /System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents;
- Active Processes Scan - scans all the processes currently running on the machine;
- Full Scan - scans all the local files on the computer;
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - the profile will scan all local disks including the hard drives, optical drives, and external storage;
- Removable Drive Scan - scans for the files that are on flash, optical, or external drives;
- System Scan - scans the system directory;
- Network Drive Scan - scans the mapped network drives (does not work with network locations). The HEIMDAL Agent detects infected files, but no action will be performed (Quarantine/Delete) because a file located on a network share cannot be moved to the local quarantine folder.
The Infected/Quarantined view displays a list of intercepted files with their File name, Threat type, Infection Name, Status, and Date.
NEXT-GEN ANTIVIRUS & MDM view
The Endpoint Detection - Next-Gen Antivirus view displays all the information collected by the HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the detected/quarantined files intercepted by the HEIMDAL Agent's Next-Gen Antivirus engine. On the top, you see a statistic regarding the number of Infected Files, the number of Suspicious Files, and the number of Quarantined Files.
The collected information is placed in the following views: Latest Infections, Infections Type, Hostname/Infections, Quarantine, Exclude, Scan History, and Zero-Trust Execution Protection.
- Latest Infections
This view displays a table with the latest detected infections and the following details: Hostname, Username, File, MD5, Threat Category, Infection name, Status, Resolution, and Timestamp. This view allows you to select one or multiple infected files and add them to quarantine, delete them, or add them to storage.
- Infections Type
This view displays a table with the infection types and the following details: Threat Category, Number of Matches, Most Targeted Hostname, Username, and Last match.
- Hostname/Infections
This view displays a table with the infections per hostname and the following details: Hostname, Username, Highest Threat Category, Number of Matches, and Last match.
- Quarantine
This view displays a table with all quarantined files and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp. This view allows you to select one or multiple quarantined files and remove them from quarantine or add them to storage.
Quarantined files are kept for 90 days (this is the default value).
- Exclude
This view displays a table of all exclusions and the following details: Hostname, Username, File, MD5, Threat Category, Infection Name, Status, Resolution, and Timestamp.
- Scan History
This view displays a table with each computer that has performed scan operations (only the latest scan is displayed) and the following details: Hostname, Username, Group Policy, Timestamp, New Infections Found, and Resolution. This view allows you to select one or multiple endpoints and select a scan type (Quick Scan, Full Scan, Active Processes Scan, Hard Drive Scan, Local Drive Scan, Removable Drive Scan, System Scan, Network Drive Scan). The selected scan will start on the first Group Policy check performed by the HEIMDAL Agent on the selected endpoint.
- Zero-Trust Execution Protection
This view displays a table with the processes (non-signed executable files) intercepted by the Zero-Trust Execution Protection engine and the following details: Hostname, Username, Process Name, MD5 Hash, Timestamp, and Status. Clicking the 3-dot button gives you the option to search the file hash on VirusTotal or to copy the file path to the clipboard. The detection status can be: Unknown (intercepted by ZTEP and not found in our database; files that are whitelisted globally by the Heimdal Support Team propagate to the endpoints 3 days after being whitelisted) or Allowed (intercepted by ZTEP, but whitelisted in our database). The data in this view is updated in real time.
Selecting a file from the list allows you to add it to the exclusion list or upload it to the storage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
The files listed in the Latest Infections view, Quarantine view, and Exclude view can get one of the following Resolution statuses:
None - no action is taken on the file;
Deleted - the file is deleted;
DeletePending - the file has been selected for deletion and it will be deleted when the HEIMDAL Agent performs a GP check;
ErrorDelete - the file has been selected for deletion but an error occurred (the file could be in use);
ErrorQuarantine - the file has been marked to be quarantined but an error occurred (the file could be in use);
FNOEXIST - the file has been marked to be deleted or quarantined but does not exist at the path (it has been removed manually or was not allowed to be written to the disk drive). A file that is copied/extracted/downloaded (that is, written to disk) is intercepted in memory before being written and is NOT allowed to be written. Next-Gen Antivirus displays an infection event, and the file is not quarantined because it has been blocked in memory;
Quarantined - the file has been quarantined. A file that has been quarantined will be automatically deleted after 30 days, if it has not been restored;
QuarantinePending - the file has been marked to be quarantined and this operation will take place on the next HEIMDAL Agent GP check;
DeleteQuarantinePending - the file has been selected for deletion and this operation will be performed on the next HEIMDAL Agent GP check;
Excluded - the file has been excluded;
ExcludePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ExcludeQuarantinePending - the file has been marked to be excluded and the operation will take place on the next HEIMDAL Agent GP check;
ErrorExcludeQuarantine - the file has been marked to be excluded and an error occurred;
ErrorRemoveQuarantine - the file has been marked to be removed from the Quarantine list and an error occurred (the file could have been deleted manually);
RemoveExclusionPending - the file has been marked to be excluded and the operation will be performed on the next HEIMDAL Agent GP check;
RemoveQuarantinePending - the file has been marked to be removed from the Quarantine list and the operation will be performed on the next HEIMDAL Agent GP check;
NEXT-GEN ANTIVIRUS & MDM settings
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
General Settings
Protection Cloud - enables/disables the ability to send the file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Default Action on detected of Infected files - can be set to Quarantine or Allow;
Default Action on detected of Suspicious files - can be set to Quarantine or Allow;
Update virus definitions interval [min] - allows you to set the update interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature checks whether any new virus definition files (VDFs) are available on the HEIMDAL servers. When a new VDF file is available, it is automatically downloaded to the local agent database. It is recommended to keep the interval at 120 min so that the database is updated as soon as possible.
Schedule Scan
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity (/System/Library/Extensions/, /System/Library/LaunchAgents, /System/Library/LaunchDaemons, /System/Library/StartupItems, /Library/Extensions, /Library/Internet Plug-Ins, /Library/LaunchAgents, /Library/LaunchDaemons, /Library/StartupItems, /Library/PrivilegedHelperTools, /Library/Preferences/loginwindow.plist, /Library/Preference/loginitems.plist, /Library/Preference/loginwindows.plist, /Users/*/Library/Internet Plug-Ins, /Users/*/Library/LaunchAgents);
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical or external drives;
- Network Drive Scan - scans files on Mapped Network Drives; it detects the infection(s), but NO action will be performed because Next-Gen Antivirus cannot move a file from a network location into the local Quarantine folder;
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent; allows any file to be scanned by using the right-click context menu and selecting Scan with HEIMDAL Next-Gen Antivirus & MDM, which opens a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or the month and the time interval when to run the selected Scan Type.
The scheduler also allows users to opt for recurring schedules at the weekly level.
IMPORTANT
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions that Next-Gen Antivirus & MDM will ignore when scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Types
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. /Users/test/Downloads/test.pkg);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. /Users/test/Downloads/);
Pattern - allows you to specify a pattern that should be excluded from scanning.
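To see how the four exclusion types differ in reach, and to catch exclusions that are broader than intended before they are pushed to a Group Policy, here is an added example (not code from Heimdal or this page). The product's exact matching rules are not documented here, so the semantics in the comments are assumptions made for the illustration; the sample rule list is constructed from the page's own examples.

```python
import fnmatch
import os
from dataclasses import dataclass

# The four exclusion types named on the page. How the product itself evaluates
# them is not specified there; the semantics below are assumptions for this
# example: Filename matches the basename anywhere on disk, File Path matches
# one exact path, Directory matches the directory and everything under it,
# Pattern is a shell-style wildcard applied to the whole path.
@dataclass(frozen=True)
class Exclusion:
    kind: str   # "Filename", "File Path", "Directory" or "Pattern"
    value: str

def matches(rule: Exclusion, path: str) -> bool:
    """True if `path` would be skipped by `rule` under the assumed semantics."""
    norm = os.path.normpath(path)
    if rule.kind == "Filename":
        return os.path.basename(norm) == rule.value
    if rule.kind == "File Path":
        return norm == os.path.normpath(rule.value)
    if rule.kind == "Directory":
        base = os.path.normpath(rule.value)
        return norm == base or norm.startswith(base + os.sep)
    if rule.kind == "Pattern":
        return fnmatch.fnmatchcase(norm, rule.value)
    raise ValueError(f"unknown exclusion type: {rule.kind}")

def excluded_by(rules, path):
    """All rules that would exclude `path` (an empty list means it is scanned)."""
    return [r for r in rules if matches(r, path)]

def overly_broad(rules):
    """Rules that silence far more than one file: a Directory at or just below
    the filesystem root, or a Pattern made almost entirely of wildcards."""
    flagged = []
    for r in rules:
        literal = r.value.replace("*", "").replace("?", "").strip(os.sep)
        if r.kind == "Directory" and os.path.normpath(r.value).count(os.sep) <= 1:
            flagged.append(r)
        elif r.kind == "Pattern" and len(literal) < 4:
            flagged.append(r)
    return flagged

# Constructed sample list, modelled on the page's own examples.
SAMPLE_RULES = [
    Exclusion("Filename", "test.exe"),
    Exclusion("File Path", "/Users/test/Downloads/test.pkg"),
    Exclusion("Directory", "/Users/test/Downloads/"),
    Exclusion("Pattern", "/Users/*/Library/Caches/*"),
    Exclusion("Directory", "/Users"),   # too broad: every user's home folder
]
```

Running `overly_broad(SAMPLE_RULES)` before applying a list is a cheap review step: a single wide Directory or Pattern rule removes whole user trees from scanning, and the Exclude view will never show what was skipped.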
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added to the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added to the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.