Our latest release aligns with our product strategy: it is a cross-platform release that includes a new macOS Release Candidate agent, version 3.3.4 RC.
You can now download both from the Guide -> Download and Install tab in the Heimdal dashboard. We will deploy the latest Heimdal macOS RC version through our self-update mechanism in stages over the coming weeks.
Heimdal Endpoint Detection
● Ransomware Encryption Protection Endpoint for macOS
The latest macOS agent build includes a new product module, Ransomware Encryption Protection Endpoint for macOS, which reinforces Heimdal's "One Platform. Total Security" vision and our unified, cross-platform product strategy, all while keeping your environment safe.
The new module is part of Heimdal's Endpoint Detection cluster of products, which includes REP Endpoint, a security solution that protects endpoint systems from ransomware attacks.
REP Endpoint monitors file system activities and process behavior in real time, proactively identifying and blocking malicious encryption attempts to prevent damage and reduce recovery time and costs.
This solution is tailored to corporate environments where minimal user interaction and maximum automation are pivotal.
The real-time protection feature is particularly effective against zero-day ransomware threats: new, previously unknown malware variants that may bypass traditional security solutions, including Next-Gen Antivirus (NGAV). Zero-day ransomware exploits unknown vulnerabilities in the system, making it undetectable by traditional signature-based or even heuristic-based antivirus products.
How it works
1. Behavioral Analysis
Unlike NGAV, which relies on predefined patterns or signatures, REP monitors disk changes and detects ransomware regardless of its file hash (MD5) or previously catalogued behavior.
It monitors processes for suspicious activities, such as:
- High-frequency file creation or modification.
- The use of specific file extensions commonly associated with ransomware.
- Attempts to overwrite or delete existing files.
2. Immediate Blocking
As soon as a process exhibits ransomware-like behavior, the REP module terminates it and prevents further damage, shutting down any lateral movement attempts.
This includes monitoring processes that encrypt files in bulk or leave ransomware notes across directories.
3. Advantages Over NGAV
REP does not require prior knowledge of the ransomware.
It adapts to new threats by focusing on malicious behaviors rather than known signatures or patterns.
This makes it an essential layer of defense in corporate environments.
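The following is an added example, not Heimdal's code, that shows the kind of behavioral logic described above running over a constructed file-system event stream. It scores each process on the three indicators listed (write rate inside a sliding window, ransomware-style extensions, overwrite/delete of existing files) plus notes dropped across directories, and contrasts blocking mode (the process is stopped at the first indicator) with Reporting mode (only logged, indicators keep accumulating). The thresholds, extension set, note file names and event format are assumptions chosen for the example.

```python
import os
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Illustrative thresholds and indicator sets. These are assumptions for the
# example, not Heimdal's actual tuning.
WINDOW_SECONDS = 5.0        # sliding window for the write-rate heuristic
RATE_THRESHOLD = 20         # writes inside the window that count as high-frequency
EXTENSION_THRESHOLD = 5     # files created/renamed with a ransomware-style extension
DESTROY_THRESHOLD = 10      # overwrites or deletes of existing files
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
NOTE_FILENAMES = {"readme_decrypt.txt", "how_to_recover_files.txt"}


@dataclass
class ProcessState:
    """Per-process counters derived from the file-system event stream."""
    writes: deque = field(default_factory=deque)   # timestamps of create/modify/overwrite
    suspicious_ext: int = 0
    destructive: int = 0
    note_dirs: set = field(default_factory=set)    # directories where a note was dropped


def reasons_for(state, now):
    """Return the behavioral indicators that currently apply to one process."""
    while state.writes and now - state.writes[0] > WINDOW_SECONDS:
        state.writes.popleft()                     # drop writes outside the window
    reasons = []
    if len(state.writes) >= RATE_THRESHOLD:
        reasons.append("high-frequency file modification")
    if state.suspicious_ext >= EXTENSION_THRESHOLD:
        reasons.append("ransomware-style file extensions")
    if state.destructive >= DESTROY_THRESHOLD:
        reasons.append("bulk overwrite/delete of existing files")
    if len(state.note_dirs) >= 2:
        reasons.append("ransom note dropped in multiple directories")
    return reasons


def analyze(events, reporting_mode=False):
    """Consume (timestamp, pid, operation, path) events in time order.

    Returns {pid: (action, reasons)} for every flagged process. In blocking
    mode the process is "blocked" at the first indicator and its later events
    are ignored (a terminated process emits no more); in Reporting mode it is
    only "detected" and the reasons keep accumulating.
    """
    states = defaultdict(ProcessState)
    verdicts = {}
    for ts, pid, op, path in events:
        if pid in verdicts and verdicts[pid][0] == "blocked":
            continue
        st = states[pid]
        if op in ("create", "modify", "overwrite"):
            st.writes.append(ts)
        if op in ("overwrite", "delete"):
            st.destructive += 1
        ext = os.path.splitext(path)[1].lower()
        if op in ("create", "rename") and ext in SUSPICIOUS_EXTENSIONS:
            st.suspicious_ext += 1
        if op == "create" and os.path.basename(path).lower() in NOTE_FILENAMES:
            st.note_dirs.add(os.path.dirname(path))
        reasons = reasons_for(st, ts)
        if reasons and (reporting_mode or pid not in verdicts):
            verdicts[pid] = ("detected" if reporting_mode else "blocked", reasons)
    return verdicts


def sample_events():
    """Constructed event stream: a benign editor (pid 100) saving a few files
    over minutes, and a process (pid 4242) that overwrites and renames dozens
    of documents within seconds and drops notes in two directories."""
    events = [(60.0 * i, 100, "modify", f"/Users/alice/Documents/notes{i}.txt") for i in range(5)]
    for i in range(30):
        t = 10.0 + i * 0.1
        src = f"/Users/alice/Documents/report{i}.docx"
        events.append((t, 4242, "overwrite", src))
        events.append((t + 0.01, 4242, "rename", src + ".locked"))
    events.append((13.5, 4242, "create", "/Users/alice/Documents/README_DECRYPT.txt"))
    events.append((13.6, 4242, "create", "/Users/alice/Desktop/README_DECRYPT.txt"))
    return sorted(events)


if __name__ == "__main__":
    for mode in (False, True):
        print("reporting_mode=%s -> %s" % (mode, analyze(sample_events(), reporting_mode=mode)))
```

In blocking mode the sample process is stopped as soon as the fifth renamed file carries a ransomware-style extension, so only one reason is recorded; in Reporting mode the same stream yields all four indicators, which is why running in that mode for a while gives a fuller picture of what legitimate processes in an environment trigger before blocking is switched on.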
The new module can be enabled from the Endpoint Settings -> MacOS GP tab -> click on a GP -> Endpoint Detection -> Ransomware Encryption Protection.
The settings area is very similar to the Windows OS version and gives Heimdal dashboard users the following options:
- “Reporting mode”: active monitoring of processes without actual blocking. We recommend using this when initially setting up the product and keeping it on for at least a couple of weeks, to monitor the behavior and implications on the processes run in your organization and to tune the setup with the Exclusions option.
- “Agent Balloon Notifications”: end users get pop-up notifications in the Heimdal agent whenever a malicious process is detected and blocked.
- “Agent Balloon Notifications Persistence”: when this check box is enabled, those pop-ups remain on screen (persistent).
The dedicated GP tab also offers an “Exclusions” section, which allows IT admins to exclude processes that they deem safe and that should not be blocked by REP.
Exclusions can be bulk imported from a .csv file or entered manually, based on: file name, file path, directory, or wildcard. IT admins can also exclude all apps that are already notarized by enabling the “Exclude applications that are already notarized” functionality. The exclusions grid offers a Search option (based on value or friendly name), and the data from this grid can also be exported in .csv format.
Exclusion Management
Allows users to define exclusions for specific files, folders, or applications.
Use Cases
1. False Positive Mitigation
Some legitimate software may mimic ransomware behavior, such as bulk file encryption or compression tools.
Admins can exclude these tools from monitoring to avoid disruptions.
2. Custom Business Applications
Many organizations use proprietary software that may trigger REP due to its unique behavior.
By adding these applications to the exclusion list, admins ensure smooth operation without compromising security.
3. Compliance with Internal Policies
Exclusions can be configured to align with organizational policies or workflows that require specific files or folders to remain unmonitored.
Security Considerations
Exclusions reduce false positives, but configure them with care: an overly broad exclusion creates blind spots in the system.
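As an added example (not Heimdal's code), the block below models the exclusion types named above (file name, file path, directory, wildcard, plus the notarized-application switch), applies them to a process that has already shown ransomware-like behavior, and includes a small audit that flags the kind of entry the Security Considerations warn about: one that would also shield an executable launched from a user-writable location. The CSV column layout, the exclusion kind names, the notarized flag on the process record and the probe paths are assumptions made for the example.

```python
import csv
import fnmatch
import io
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Exclusion:
    kind: str            # "file_name", "file_path", "directory" or "wildcard" (assumed names)
    value: str
    friendly_name: str = ""


@dataclass(frozen=True)
class ProcessInfo:
    pid: int
    exe_path: str        # path of the executable behind the flagged process
    notarized: bool      # assumed to be supplied by the agent's code-signature check


def load_exclusions_csv(text):
    """Parse a CSV export with the assumed columns kind,value,friendly_name."""
    rows = csv.DictReader(io.StringIO(text))
    return [Exclusion(r["kind"].strip(), r["value"].strip(), (r.get("friendly_name") or "").strip())
            for r in rows]


def matches(excl, proc):
    """Does one exclusion entry cover this process's executable?"""
    path = os.path.normpath(proc.exe_path)
    if excl.kind == "file_name":
        return os.path.basename(path) == excl.value
    if excl.kind == "file_path":
        return path == os.path.normpath(excl.value)
    if excl.kind == "directory":
        d = os.path.normpath(excl.value)
        return path == d or path.startswith(d + os.sep)
    if excl.kind == "wildcard":
        return fnmatch.fnmatchcase(path, excl.value)   # '*' also spans '/' here
    raise ValueError("unknown exclusion kind: %r" % excl.kind)


def decide(proc, exclusions, reporting_mode=False, exclude_notarized=False):
    """Action for a process that has already shown ransomware-like behavior:
    'allow' (excluded), 'detect' (Reporting mode) or 'block'."""
    if exclude_notarized and proc.notarized:
        return ("allow", "notarized application")
    for e in exclusions:
        if matches(e, proc):
            label = e.friendly_name or e.value
            return ("allow", "exclusion %s: %s" % (e.kind, label))
    if reporting_mode:
        return ("detect", "reporting mode: logged, not terminated")
    return ("block", "ransomware-like behavior")


# Constructed probe paths standing in for a binary launched from a location an
# unprivileged user or a downloaded payload can write to.
USER_WRITABLE_PROBES = (
    "/Users/someone/Downloads/x",
    "/Users/Shared/x",
    "/tmp/x",
    "/private/var/folders/ab/T/x",
)


def audit(exclusions):
    """Return (exclusion, why) pairs for entries that would also shield an
    executable in a user-writable location, i.e. a blind spot."""
    findings = []
    for e in exclusions:
        if e.kind == "file_name":
            findings.append((e, "name-only rule matches a copy of that name anywhere"))
            continue
        for probe in USER_WRITABLE_PROBES:
            if matches(e, ProcessInfo(0, probe, False)):
                findings.append((e, "covers %s" % probe))
                break
    return findings


# Constructed exclusion list in the assumed CSV layout.
SAMPLE_CSV = """kind,value,friendly_name
file_path,/Applications/Backup Pro.app/Contents/MacOS/Backup Pro,Backup Pro
directory,/Applications/Acme ERP.app,Acme ERP client
file_name,archive-tool,Compression CLI
wildcard,/Users/*,all user apps
"""

if __name__ == "__main__":
    ex = load_exclusions_csv(SAMPLE_CSV)
    dropper = ProcessInfo(4, "/Users/alice/Downloads/updater", False)
    print(decide(dropper, ex))                      # allowed by the broad wildcard
    print(decide(dropper, [e for e in ex if e.kind != "wildcard"]))
    for e, why in audit(ex):
        print("blind spot:", e.kind, e.value, "-", why)
```

The full-path and directory entries cover exactly the backup and ERP binaries they were written for, whereas the `/Users/*` wildcard also lets through a binary in a Downloads folder and the name-only entry matches any file called `archive-tool` wherever it sits; those are the two entries the audit reports.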
You can find the REP Endpoint info for the macOS module in the Heimdal Dashboard. Go to Products -> Endpoint Detection -> Ransomware Encryption Protection -> macOS tab, Endpoint Detections & Hostname/Detection views.
The two views above, like the Windows OS product grids, provide information on Blocked or Detected (Reporting mode) processes. They list hostnames, usernames, process names, blocking reasons, PIDs, owners, statuses, and timestamps; the data is organized differently depending on the selected view.
Clicking a Hostname leads the dashboard user to a Client Specifics view, where entries are listed at machine/hostname level.
Clicking a process name redirects the dashboard user to a Process Specifics/Details view, where detailed information (including a process tree visualization) about the blocked or detected process is available.
On the Heimdal agent side, end users can view REP Endpoint related information in the agent's dedicated view and, depending on the state of the “Agent Balloon Notifications” GP setting, receive minimal but crucial information, ensuring transparency with almost no disruption at all.