Heimdal Assistance and Support Help Center home page

Articles in this section

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.

HEIMDAL Dashboard device information

Last updated

In this article, you will learn everything you need to know about the device information view of each particular endpoint. This view can be accessed by logging into the HEIMDAL Dashboard, clicking on Management -> Active clients on the left sidebar, and then clicking on any device in the list.

1. General
2. Threat Prevention
3. Patch & Asset Management
4. Endpoint Detection
5. Privileges & App Control 
6. Remote Desktop
7. TAC

GENERAL

MACHINE INFO

In the General tab, you see 2 sub-tabs: Machine info, Logs, and Memory usage. The Machine Info view displays basic information related to endpoint identification (hostname, username, last seen, IP Address, external IP Address), hardware (bios version, manufacturer, motherboard serial, motherboard manufacturer, model, CPU, Memory, Disk serial, Disk capacity, and Disk usage), operating system (version, full version, build version, service pack, original install state, and Last reboot) and HEIMDAL product status. 

device_information.PNG

The data is being updated on each data set as follows:

  • Username, Last seen, IP Address, Memory usage (every hour);
  • Disk usage (it's an arhythmetic mean of the I/O operations of the last 24 hours);
  • Disk capacity (the size of the System drive);
  • VDF Version and Timestamp (every hour);
  • DNS Information (every hour);
  • Enabled modules (every hour).

LOGS

The Logs view allows you to see the Status History and request the Heimdal Logs, the Event Viewer Logs, the Remote Desktop Logs (for those with Remote Desktop on their license) and quarantined or intercepted files from the endpoint. The log files or the detected files are usually uploaded to the HEIMDAL Dashboard on the first Group Policy check (according to the Group Policy check interval configured in the applying Group Policy) after being requested.

logs_status_history.PNG

Status notifications

In order to have a better overview of the status of your endpoints/devices, track their usage, or see what situations require manual intervention, we've come up with a list of warnings and notifications that should give you an understanding of each scenario:

  • The processor is running at 50 % - the CPU usage exceeds the limit configured in the applying Group Policy on CPU Threshold. To solve it, reduce the CPU usage on the endpoint/device itself or increase the CPU Threshold limit in the Group Policy;
  • The memory is running at 60 % - the Memory usage exceeds the limit configured in the applying Group Policy on Memory Threshold. To solve it, reduce the Memory usage on the endpoint/device itself or increase the Memory Threshold limit in the Group Policy;
  • The disk is running at 90 % - the disk usage (I/O operations) exceeds 90% (default limit). To solve it, close some of the processes that cause high disk usage;
  • An update has started! - the HEIMDAL Agent has initiated a self-update operation to update itself to a newer version;
  • DarkLayerGuard was disabled by the Uptime Checker. - the DarkLayer Guard engine is trying to 'hijack' the DNS IP Addresses configured on the NICs (to replace it/them with our loopback address), but for some reason, it is not completing the operation. This can happen due to an incompatibility between our product and another (security) product (like a VPN) that alters or changes the DNS IP Addresses on the NICs;
  • DLL hijacking detected and stopped (...). - as they start, the DarkLayerapplications or services, are looking for DLL (Dynamic Link Libraries) files in order to function correctly. When these DLLs are not found or they are implemented insecurely it is possible for the application to be forced to load and execute malicious Dynamic Link Libraries. For this kind of situation, HEIMDAL Security will detect and block any changes made in the locations where DLLs are stored; 
  • A reboot is in progress on this machine to install one or more Microsoft Updates. - when at least one Windows Update that requires a reboot has been installed and the system was shut down afterward, the notification message will be displayed if the endpoint/device does not return actively within 7 days. This warning also triggers an email alert to the HEIMDAL Dashboard Administrator (with Alerts enable) to inform about the endpoint that has not come back online;
  • The machine needs a reboot to complete the Microsoft Update. - whenever a Windows Update that requires a reboot is installed, the notification is displayed until the computer is rebooted and communicates with our HEIMDAL servers;
  • There was an error when fetching available Windows Updates. HRESULT: 0x80072EFD. - the HEIMDAL Agent tried to install a Windows Update but failed due to the displayed error: HRESULT 0xYYYYZZZZ. Running the Windows Update troubleshooter on the endpoint itself should solve the issue or give more information;
  • Action required: for Heimdal™ Next-Gen Antivirus & MDM to work, please uninstall the following antivirus product(s): ... - another Antivirus product is being detected on the endpoint/device and it conflicts with the HEIMDAL Next-Gen Antivirus & MDM. Two antivirus products cannot work correctly on the same endpoint/device and that is why we recommend having only one. When it comes to Windows Defender, our product will automatically disable it and take over to Security Center to offer a true Next-Gen security solution. Although the detected antivirus product has been uninstalled, it might still be detected due to the registry leftovers in the WMI. To solve it, you need to reset the WMI (HEIMDAL Security Support can assist with this process);
  • Could not update antivirus definition files. - the Antivirus definition files failed to update on the endpoint. To solve the issue, reboot the endpoint and check the VDF Version and Timestamp to see if it got updated. If not, please reach out to HEIMDAL Security Support Team;
  • Could not detect a functional firewall on this device. It is recommended to install one. - the HEIMDAL Agent is checking for a firewall solution (Windows Firewall), but is unable to find it and activate it; 
  • Please restart your computer to finish the installation. - the HEIMDAL Next-Gen Antivirus & MDM requires a reboot to complete the installation of the Antivirus drivers.

THREAT PREVENTION

DARKLAYER GUARD ENDPOINT

The DarkLayer Guard™ Endpoint view will log any threat detected by this module. Here you will find the user under which the detection happened, and the source of the threat (under which you can also click for more forensic informationInformation – click here for more forensic data, check VirusTotal's databaseVirusTotal, or find the IPs, URLs, and domains considered a threat in that particular case). The view supports categories so you can filter based on prevented attacks, allowed domains/processes, or all detections regardless of status. 

DLG_add_to_allowlist.PNG

DARKLAYER GUARD NETWORK

The DarkLayer Guard™ Network view will log any threat detected by this module. Here you will find the IP address and domain associated with the respective attack, the type and also the timestamp of each threat. The view can also be filtered to show more relevant results depending on the case needed. 

DLG_network.PNG

DLG_network_filters.PNG

VECTORN DETECTION 

The VectorN Detection™ view shows you all of the detections made by this product. Here you will be shown the malware pattern detected, the probability of further infection, how many times the detection occurred, the process bearing the malware infection, and the last time it was detected. Upon selecting one or more detections, you can choose to quarantine the files or hide the detection altogether from the action menu.

VectorN.PNG

VECTORN TPN DETECTION

The VectorN TPN Detection™ view shows you all of the detections made by this product. Here you will be shown the malware pattern detected, the probability of further infection, how many times the detection occurred, and the last time it was detected.

DLG_TPN_VectorN.PNG

PATCH & ASSET MANAGEMENT

3ʳᵈ PARTY PATCH MANAGEMENT

The 3ʳᵈ Party Patch Management tab shows information about the software on the endpoint that is monitored and patched. Apps can also be hidden if they do not present an interest. Here you can see the view based on a chronological log of the status/patches (Latest Status/Latest Patch). Presented information includes the name and version of each application logged, any CVE and CVSS information if available, the last update date, and whether the update was successful or not.

3rd_party_endpoint_latest_status.PNG

The Currently and Historically considered vulnerable software are categories that show which software is and was considered vulnerable, based on the latest version compared to the currently installed one, CVE/CVSS information, and the date of the check.

3rd_party_currently_vulnerable_endpoint.PNG

The Up-to-date view is a filter of the Latest Status view, in the way that it shows all the software that has the latest version installed, along with the version, CVE/CVSS information, and the timestamp.

3rd_party_up_to_date_endpoint.PNG

The Uninstalled view shows software that was uninstalled recently on the respective machine.

OPERATING SYSTEM UPDATES

The Operating System Updates category parses information about patches to the Windows OS. Here, you can sort to see Installed, Pending, or Available updates, as well as hide them from any of the views. These views show the KB from Microsoft, the severity rating, CVE/CVSS information if available, products for which the updates apply, and whether a reboot is necessary for available and pending updates.

OS_update_installed_endpoint.PNG

The Compliance View will show you if the endpoint is compliant or non-compliant at the date of the check. 

OS_update_compliance_endpoint.PNG

ASSET MANAGEMENT

The Asset Management category shows all the software found on the computer and offers information on whether each specific is supported and/or uninstallable by the HEIMDAL Agent, as well as actions to add that software to a Group Policy or uninstall it, along with the version information for each entry. The view can be further filtered for monitored-only (or not) software.

Asset_management_endpoint.PNG

ENDPOINT DETECTION

DETECTED THREATS

The Detected Threats category under Endpoint Detection offers respective information regarding infections on the machine. Here, detected files can be quarantined, deleted, excluded, or uploaded to the Dashboard for the support teams to review if needed (by checking the files and clicking Upload for analysis in the actions menu). The parsed information includes the file name and its MD5 hash, the threat name and its type, the status of the infection, and the timestamp of the detection.

Endpoint_detected_threats_view.PNG

QUARANTINE

The Quarantine category covers the contained infections. Here, quarantined files can also be deleted, excluded, or uploaded to the Dashboard for the support teams to review if needed (by checking the files and clicking Upload for analysis in the actions menu). The parsed information includes the file name and its MD5 hash, the threat name and its type, the status of the infection, any resolution taken, if available, and the timestamp of the detection.

endpoint_quarantine_view.PNG

SCAN HISTORY

The Scan History view will show logs of each scan that was performed on the machine, with details such as scan type, elapsed time and if any infections were found, and the resolution for each.

Scan_history_endpoint.PNG

FIREWALL RULES

The Firewall Rules tab shows what rules are currently enforced on the machine, by the current Group Policy, which can further be filtered by allowed or blocked applications. Here you can also see for each entry, the ports and protocols of the rule, and whether the rule specifies the communication as inbound or outbound.

firewall_rules_endpoint.PNG

FIREWALL ALERTS

The Firewall Alerts tab will log any detections made by the Firewall and will show the count of attempts per username and per IP Address.

firewall_alerts_endpoint.PNG

RANSOMWARE ENCRYPTION PROTECTION 

The Ransomware Encryption Protection views will log activity in this respect. Here you can see the process and its ID, the username, and the reason for blocking. If you select one or more entries, you can also exclude them or upload them for analysis.

rep_endpoint.PNG

Moreover, each entry contains links to VirusTotal's database, but also a Forensics analysis that will tell you more about the specific detection's patterns, relations, and behavior.

process_details_endpoint.PNG

ZERO-TRUST EXECUTION PROTECTION

The Zero-Trust Execution Protection views will log the activity of this product. Here you can see the process and its MD5 hash, the username it ran from, and the timestamp. If you select one or more entries, you can also exclude them or upload them for analysis.

zero_trust_protection_endpoint.PNG

PRIVILEGES & APP CONTROL

PRIVILEGE ACCESS MANAGEMENT

The Privilege Access Management tab shows you the current pending Administrator requests (which you can approve or deny), as well as a history of previous requests. If provided, the reason can also be seen for each request, as well as the time, type, and username of the requester. The Generate local token button allows you to generate a 60-second token that can be used by the user to be allowed to request an Administrator elevation. 

PAM_pending_approvals_endpoint.PNG

PAM_approves_deny_endpoint.PNG

APPLICATION CONTROL

The Application Control tab lets you filter and manage the processes that are allowed to run. Here you can manually allow or block any detected processes.

  • Full Logging
    This view shows all the processes that are intercepted on the endpoint with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp. full_logging.PNG
    A process that has been intercepted by Application Control will be displayed 24 hours after the initial interception. An already-intercepted process will have its status refreshed in real-time. 
  • Matching Allowed Rules
    This view shows all the processes that are intercepted and allowed on the endpoint with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
    matching_allowed_rules.PNG
  • Matching Blocked Rules
    This view shows all the processes that are intercepted and blocked on the endpoint with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
  • Matching Allowed with Auto Elevation
    This view shows all the processes that are intercepted and allowed with Auto Elevation on the endpoint with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.matching_with_auto_elevation.PNG
  • Raw data
    This view shows all the processes that are intercepted in real-time on the endpoint with the following details: Process Name, Number of Executions, Publisher, Software Name, Version, MD5, Status, and Timestamp.
    raw-data.PNG

The Search field allows you to search among the processes by Process Name, Publisher, Software Name, and MD5. The Hide Microsoft Application allows you to display or hide Microsoft processes. 

COMPLIANCE VIEW

The Compliance View tab lets you view active users on the machine, together with the domain and groups they belong to, as well as whether they are or not Administrators.

PAM_compliance_view_endpoint.PNG

ZERO-TRUST EXECUTION PROTECTION

The Zero-Trust Execution Protection views will log the activity of this product. Here you can see the process and its MD5 hash, the username it ran from, and the timestamp. If you select one or more entries, you can also exclude them or upload them for analysis.

PAM_zero_trust_endpoint.PNG

REMOTE DESKTOP

HISTORY

The Remote Desktop category allows you to view a history of remote sessions performed on a specific machine. The information included shows the hostname the connection was done between, the duration, and the type of the session.

RD_history_endpoint.PNG

RECORDINGS

The Recordings view will show all the recordings of remote sessions performed if those were chosen to be saved. Here you can view the hostname of the machine the recording was saved on, the filename of the recording, its timestamp, and password.

RD_recordings_endpoint.PNG

TAC

The TAC tab provides us with information about events for every endpoint happening in your organization, collecting and displaying them here.

In the TAC view, you have the Device Info which displays the (agent version, IP, external IP, location), Hardware Info (CPU, no. of cores, memory, disk capacity), Operating System Info (description, version, build version, service pack, last reboot), Antivirus Info (VDF version, VDF timestamp).

RISK CHART

The Risk Chart tab provides the user a spider diagram with score details per product like risk score and top detection. Below you can see two examples with different information if those small dots are clicked on:

Haven't Tried Heimdal Yet?

Start Free Trial 30-day Free Trial. Offer valid only for companies.