In this article, you will learn everything you need to know about the device information view of each particular endpoint. This view can be accessed by logging into the HEIMDAL Dashboard, clicking on Management -> Active clients on the left sidebar, and then clicking on any device in the list.
In the General tab, you see 2 sub-tabs: Machine info and Logs. The Machine Info view displays basic information related to endpoint identification (hostname, username, last seen, IP Address, external IP Address), hardware (BIOS version, manufacturer, motherboard serial, motherboard manufacturer, model, CPU, memory, disk serial and usage), operating system (version, build version, last reboot) and HEIMDAL product status.
The data is updated for each data set as follows:
- Username, Last seen, IP Address, Memory usage (every hour);
- Disk usage (an arithmetic mean of the I/O operations over the last 24 hours);
- Disk capacity (the size of the System drive);
- VDF Version and Timestamp (every hour);
- DNS Information (every hour);
- Enabled modules (every hour).
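As an added illustration (not the HEIMDAL Agent's own code), the block below models how the readings listed above feed the CPU, memory and disk warnings described further down in the article: disk usage is the arithmetic mean of the I/O samples taken in the last 24 hours (older samples are dropped), the CPU and memory limits come from the applying Group Policy, and the disk limit defaults to 90 %. The sample data, the `GroupPolicy` and `DiskSample` types and the `evaluate` function are constructed for the example.

```python
"""Threshold evaluation for the CPU/memory/disk warnings (added illustration, not the HEIMDAL Agent's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean


@dataclass(frozen=True)
class GroupPolicy:
    cpu_threshold: int        # CPU Threshold from the applying Group Policy, in percent
    memory_threshold: int     # Memory Threshold from the applying Group Policy, in percent
    disk_threshold: int = 90  # disk I/O default limit named in the article


@dataclass(frozen=True)
class DiskSample:
    taken_at: datetime
    io_pct: float             # disk I/O busy time for the sampled hour, in percent


def disk_usage(samples, now, window=timedelta(hours=24)):
    """Arithmetic mean of the I/O samples taken within the last 24 hours; None if there are none."""
    recent = [s.io_pct for s in samples if timedelta(0) <= now - s.taken_at <= window]
    return mean(recent) if recent else None


def evaluate(cpu_pct, mem_pct, samples, now, policy):
    """Return the warning strings that would be raised for the given readings."""
    warnings = []
    if cpu_pct > policy.cpu_threshold:
        warnings.append(f"The processor is running at {cpu_pct:.0f} %")
    if mem_pct > policy.memory_threshold:
        warnings.append(f"The memory is running at {mem_pct:.0f} %")
    disk = disk_usage(samples, now)
    if disk is not None and disk > policy.disk_threshold:
        warnings.append(f"The disk is running at {disk:.0f} %")
    return warnings


# Constructed data for a hypothetical endpoint: 24 hourly samples at 92 % plus one stale
# 25-hour-old sample at 10 % that must not be counted towards the 24-hour mean.
NOW = datetime(2024, 1, 2, 0, 0, tzinfo=timezone.utc)
SAMPLES = [DiskSample(NOW - timedelta(hours=h), 92.0) for h in range(24)] + [
    DiskSample(NOW - timedelta(hours=25), 10.0)
]
POLICY = GroupPolicy(cpu_threshold=40, memory_threshold=70)


def demo():
    # CPU 50 % exceeds the 40 % policy limit, memory 60 % stays under 70 %, disk mean 92 % exceeds 90 %.
    return evaluate(cpu_pct=50, mem_pct=60, samples=SAMPLES, now=NOW, policy=POLICY)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The stale sample matters: if it were averaged in, the disk mean would drop to about 88.7 % and the disk warning would not fire, which is why the window check is applied before the mean is taken.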
The Logs view allows you to see the Status History and request the Heimdal Logs, the Event Viewer Logs, the Remote Desktop Logs (for those with Remote Desktop on their license) and quarantined or intercepted files from the endpoint. The log files or the detected files are usually uploaded to the HEIMDAL Dashboard on the first Group Policy check (according to the Group Policy check interval configured in the applying Group Policy) after being requested.
In order to have a better overview of the status of your endpoints/devices, track their usage, or see what situations require manual intervention, we've come up with a list of warnings and notifications that should give you an understanding of each scenario:
- The processor is running at 50 % - the CPU usage exceeds the limit configured in the applying Group Policy on CPU Threshold. To solve it, reduce the CPU usage on the endpoint/device itself or increase the CPU Threshold limit in the Group Policy;
- The memory is running at 60 % - the Memory usage exceeds the limit configured in the applying Group Policy on Memory Threshold. To solve it, reduce the Memory usage on the endpoint/device itself or increase the Memory Threshold limit in the Group Policy;
- The disk is running at 90 % - the disk usage (I/O operations) exceeds 90% (default limit). To solve it, close some of the processes that cause high disk usage;
- An update has started! - the HEIMDAL Agent has initiated a self-update operation to update itself to a newer version;
- DarkLayerGuard was disabled by the Uptime Checker. - the DarkLayer Guard engine tries to 'hijack' (take over) the DNS IP addresses configured on the NICs, replacing them with our loopback address, but for some reason the operation does not complete. This can happen because of an incompatibility between our product and another (security) product, such as a VPN client, that alters the DNS IP addresses on the NICs;
- DLL hijacking detected and stopped (...). - as they start, applications and services look for DLL (Dynamic Link Library) files in order to function correctly. When these DLLs are not found, or are loaded insecurely, the application can be forced to load and execute a malicious Dynamic Link Library. For this kind of situation, HEIMDAL Security detects and blocks any changes made in the locations where DLLs are stored;
- A reboot is in progress on this machine to install one or more Microsoft Updates. - when at least one Windows Update that requires a reboot has been installed and the system was shut down afterwards, this notification is displayed if the endpoint/device does not come back online within 7 days. The warning also triggers an email alert to the HEIMDAL Dashboard Administrator (with Alerts enabled) about the endpoint that has not come back online;
- The machine needs a reboot to complete the Microsoft Update. - whenever a Windows Update that requires a reboot is installed, the notification is displayed until the computer is rebooted and communicates with our HEIMDAL servers;
- There was an error when fetching available Windows Updates. HRESULT: 0x80072EFD. - the HEIMDAL Agent tried to install a Windows Update but failed with the displayed error code (HRESULT 0xYYYYZZZZ). Running the Windows Update troubleshooter on the endpoint itself should solve the issue or give more information;
- Action required: for Heimdal™ Next-Gen Antivirus & MDM to work, please uninstall the following antivirus product(s): ... - another antivirus product has been detected on the endpoint/device and it conflicts with HEIMDAL Next-Gen Antivirus & MDM. Two antivirus products cannot work correctly on the same endpoint/device, which is why we recommend having only one. In the case of Windows Defender, our product automatically disables it and registers itself with the Security Center to offer a true Next-Gen security solution. Even after the detected antivirus product has been uninstalled, it may still be reported because of leftover entries in the WMI repository. To solve it, you need to reset the WMI (HEIMDAL Security Support can assist with this process);
- Could not update antivirus definition files. - the Antivirus definition files failed to update on the endpoint. To solve the issue, reboot the endpoint and check the VDF Version and Timestamp to see if it got updated. If not, please reach out to HEIMDAL Security Support Team;
- Could not detect a functional firewall on this device. It is recommended to install one. - the HEIMDAL Agent checks for a firewall solution (Windows Firewall) but is unable to find and activate it;
- Please restart your computer to finish the installation. - the HEIMDAL Next-Gen Antivirus & MDM requires a reboot to complete the installation of the Antivirus drivers.
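The Windows Update warning above carries a raw HRESULT, and the first triage step is to read it: bit 31 says whether the call failed, bits 16-28 name the facility (7 is FACILITY_WIN32, meaning the low 16 bits are an ordinary Win32 error code), and the low 16 bits carry the code itself. The following added example (not HEIMDAL code) extracts the HRESULT from the warning text and decodes it; the facility and Win32 error tables are deliberately partial, and the `decode_warning` helper and its regular expression are assumptions made for the example.

```python
"""Decode the HRESULT shown in a Windows Update warning (added example, not the HEIMDAL Agent's code)."""
import re

# Standard HRESULT layout: bit 31 = severity (1 = failure), bits 16-28 = facility, bits 0-15 = code.
FACILITY_NAMES = {
    0: "FACILITY_NULL",
    1: "FACILITY_RPC",
    2: "FACILITY_DISPATCH",
    3: "FACILITY_STORAGE",
    4: "FACILITY_ITF",
    7: "FACILITY_WIN32",
    8: "FACILITY_WINDOWS",
    12: "FACILITY_INTERNET",
}

# Partial table of Win32 error codes that commonly surface in update download failures.
WIN32_ERROR_NAMES = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1460: "ERROR_TIMEOUT",
    12002: "ERROR_INTERNET_TIMEOUT",
    12007: "ERROR_INTERNET_NAME_NOT_RESOLVED",
    12029: "ERROR_INTERNET_CANNOT_CONNECT",
}

# Matches the "HRESULT: 0xXXXXXXXX" fragment as it appears in the Dashboard warning text.
HRESULT_RE = re.compile(r"HRESULT:\s*0x([0-9A-Fa-f]{8})")


def decode_hresult(value: int) -> dict:
    """Split an HRESULT into severity, facility and code, naming them where the tables allow."""
    failed = bool(value & 0x80000000)
    facility = (value >> 16) & 0x1FFF
    code = value & 0xFFFF
    info = {
        "hresult": f"0x{value:08X}",
        "failed": failed,
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "code": code,
        "code_name": None,
    }
    if facility == 7:  # FACILITY_WIN32: the code is a plain Win32 error number
        info["code_name"] = WIN32_ERROR_NAMES.get(code)
    return info


def decode_warning(message: str):
    """Find the HRESULT in a warning line and decode it; None when the line has no HRESULT."""
    m = HRESULT_RE.search(message)
    if not m:
        return None
    return decode_hresult(int(m.group(1), 16))


if __name__ == "__main__":
    # The code from the article's own warning text: a Win32 error 12029, i.e. the endpoint
    # could not open a connection to the update source (proxy, firewall or DNS problem).
    print(decode_warning("There was an error when fetching available Windows Updates. HRESULT: 0x80072EFD."))
```

For 0x80072EFD the decoder reports a failure in FACILITY_WIN32 with code 12029, ERROR_INTERNET_CANNOT_CONNECT, which points at the endpoint's network path to the update source rather than at the update itself; that is the kind of detail worth having before running the troubleshooter.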
DARKLAYER GUARD™ ENDPOINT and DARKLAYER GUARD™ NETWORK
The DarkLayer Guard™ Endpoint view will log any threat detected by this module. Here you will find the user under which the detection happened, and the source of the threat (under which you can also click for more forensic information, check VirusTotal's database, or find the IPs, URLs, and domains considered a threat in that particular case). The view supports categories so you can filter based on prevented attacks, allowed domains/processes, or all detections regardless of status. The same view is set up for the DarkLayer Guard™ Network as well.
VECTORN DETECTION and VECTORN TPN DETECTION
The VectorN Detection™ and VectorN TPN Detection™ views show you all of the detections made by these products. Here you will be shown the malware pattern detected, the probability of further infection, how many times the detection occurred, the process bearing the malware infection, and the last time it was detected. Upon selecting one or more detections, you can choose to quarantine the files or hide the detection altogether from the action menu.
PATCH & ASSET MANAGEMENT
3ʳᵈ PARTY PATCH MANAGEMENT
The 3ʳᵈ Party Patch Management tab shows information about the software on the endpoint that is monitored and patched. Apps can also be hidden if they do not present an interest. Here you can see the view based on a chronological log of the status/patches (Latest Status/Latest Patch). Presented information includes the name and version of each application logged, any CVE and CVSS information if available, the last update date, and whether the update was successful or not.
The Currently and Historically considered vulnerable software categories show which software is, or was, considered vulnerable, based on the latest available version compared with the installed one, CVE/CVSS information, and the date of the check.
The Up-to-date view is a filter of the Latest Status view: it shows all the software that has the latest version installed, along with the version, CVE/CVSS information, and the timestamp.
The Uninstalled view shows software that was uninstalled recently on the respective machine.
OPERATING SYSTEM UPDATES
The Operating System Updates category parses information about patches to the Windows OS. Here, you can sort to see Installed, Pending, or Available updates, as well as hide them from any of the views. These views show the KB from Microsoft, the severity rating, CVE/CVSS information if available, products for which the updates apply, and whether a reboot is necessary for available and pending updates.
The Compliance View will show you if the endpoint is compliant or non-compliant at the date of the check.
The Asset Management category shows all the software found on the computer and offers information on whether each specific application is supported and/or uninstallable by the HEIMDAL Agent, as well as actions to add that software to a Group Policy or uninstall it, along with the version information for each entry. The view can be further filtered for monitored only (or not) software.
DETECTED THREATS and QUARANTINE
The Detected Threats and Quarantine categories under Endpoint Detection offer information regarding infections found on the machine. Here, Quarantined files can also be deleted, excluded, or uploaded to the Dashboard for the support teams to review if needed (by checking the files and clicking Upload for analysis in the actions menu). The parsed information includes the file name and its MD5 hash, the threat name and its type, the status of the infection, any resolution taken, if available, and the timestamp of the detection.
The Scan History view will show logs of each scan that was performed on the machine, with details such as scan type, elapsed time and if any infections were found, and the resolution for each.
The Firewall Rules tab shows which rules are currently enforced on the machine by the applied Group Policy; the list can be filtered by allowed or blocked applications. For each entry you can also see the ports and protocols of the rule, and whether the rule applies to inbound or outbound communication.
The Firewall Alerts tab will log any detections made by the Firewall and will show the count of attempts per username and per IP Address.
RANSOMWARE ENCRYPTION PROTECTION and ZERO-TRUST EXECUTION PROTECTION
The Ransomware Encryption Protection and Zero-Trust Execution Protection views log the activity of these modules. Here you can see the process and its ID, the username, and the reason for blocking. If you select one or more entries, you can also exclude them or upload them for analysis.
Moreover, each entry contains links to VirusTotal's database, but also a Forensics analysis that will tell you more about the specific detection's patterns, relations, and behavior.
The Forensics category offers a categorized view of any alerts regarding unusual behavior and memory usage present on the machine at the moment and over the timeframe selected in the Dashboard. Here you will find the process name and its ID, the IP addresses used, and the source of the detection. Upon selecting entries, you can block the process with App Control.
PRIVILEGES & APP CONTROL
PRIVILEGE ACCESS MANAGEMENT
The Privilege Access Management tab shows you the currently pending Administrator requests (which you can approve or deny), as well as a history of previous requests. If provided, the reason for each request can also be seen, together with the time, type, and username of the requester. The Generate local token button lets you generate a 60-second token that the user can use to be allowed to request an Administrator elevation.
The Application Control tab lets you filter and manage what software is allowed to run. Here you can manually Allow or Block any detected executables or processes. The full logging view shows all the software on the endpoint, details about the name, publisher, and processes, as well as the number of executions, the MD5 hash of the executable, and the version used.
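The article only states that the local token is valid for 60 seconds; it does not document its format, so the following is an added example of how a short-lived, single-use elevation token can be issued and checked, not HEIMDAL's own mechanism. The token layout (`expiry.nonce.hmac`), the shared secret, the hostname binding and the `issue_token`/`verify_token` functions are all assumptions made for the example; the points it demonstrates are binding the token to one endpoint and one expiry, verifying the MAC in constant time before trusting the expiry, and rejecting reuse.

```python
"""Short-lived elevation-request token (added example; the real HEIMDAL token format is not documented here)."""
import hashlib
import hmac
import secrets
from typing import Optional

TOKEN_TTL_SECONDS = 60  # the article states the local token is valid for 60 seconds


def _mac(secret: bytes, hostname: str, exp: int, nonce: str) -> str:
    # Bind the token to the endpoint, its expiry and a nonce so it cannot be moved to
    # another machine, have its expiry edited, or be reused after it has been consumed.
    msg = f"{hostname}|{exp}|{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def issue_token(secret: bytes, hostname: str, now: int) -> str:
    """Issue a token for `hostname` that expires TOKEN_TTL_SECONDS after `now` (Unix seconds)."""
    exp = now + TOKEN_TTL_SECONDS
    nonce = secrets.token_hex(8)  # makes every token unique so single use can be enforced
    return f"{exp}.{nonce}.{_mac(secret, hostname, exp, nonce)}"


def verify_token(secret: bytes, hostname: str, token: str, now: int,
                 used: Optional[set] = None) -> str:
    """Return 'ok', 'invalid', 'expired' or 'replayed' for a token presented at time `now`."""
    try:
        exp_s, nonce, mac = token.split(".")
        exp = int(exp_s)
    except ValueError:
        return "invalid"
    # Check the MAC first, in constant time, so a tampered expiry or nonce is never trusted.
    if not hmac.compare_digest(mac, _mac(secret, hostname, exp, nonce)):
        return "invalid"
    if now > exp:
        return "expired"
    if used is not None:
        if nonce in used:
            return "replayed"
        used.add(nonce)  # consume the token: a second presentation is rejected
    return "ok"


if __name__ == "__main__":
    # Constructed demonstration values; a real deployment would hold the secret server-side.
    demo_secret = b"constructed-test-secret"
    tok = issue_token(demo_secret, "host-01", 1_700_000_000)
    consumed = set()
    print(verify_token(demo_secret, "host-01", tok, 1_700_000_030, consumed))  # ok
    print(verify_token(demo_secret, "host-01", tok, 1_700_000_031, consumed))  # replayed
    print(verify_token(demo_secret, "host-01", tok, 1_700_000_061))            # expired
```

Passing `now` explicitly keeps the functions testable and avoids clock surprises; in service code the verifier would read its own clock and never trust a timestamp supplied by the endpoint except through the MAC.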
The Matching Allowed Rules and Matching Blocked Rules views show you Firewall rules that match detected applications present on the endpoint.
The Remote Desktop category allows you to view a history of remote sessions performed to the specific machine, as well as access any recordings (if made) via the Recordings view. The information shown includes the hostnames between which the connection was made, the duration, and the type of the session.