In this article, you will learn everything you need to know about the Threat Prevention - Endpoint module. Threat Prevention - Endpoint is based on the DarkLayer Guard engine, the world’s most advanced endpoint DNS threat hunting tool and boasts our Threat to Process Correlation technology allowing you to spot processes, users, URLs, and attacker origins used to infiltrate your network. Threat Prevention - Endpoint makes the DarkLayer Guard - Endpoint work in tandem with our VectorN Detection AI-based traffic pattern recognition engine to also give you HIPS/HIDS and IOA/IOC capabilities and spot hidden malware, complete autonomous of code and signatures.
1. Description
2. How does DarkLayer Guard - Endpoint work?
3. HEIMDAL Agent - DarkLayer Guard
4. Threat Prevention - Endpoint view
5. Threat Prevention - Endpoint settings
DESCRIPTION
Threat Prevention - Endpoint is responsible for filtering all network packages based on DNS request origin and destination. It replaces the manual or DHCP set DNS values with IP Addresses from the Client Host IP Address range, thus, effectively telling the computers to resolve the DNS requests themselves. The original DNS values from the network card settings are not lost but are saved under GUIDs in the Windows Registry and used when DNS requests are made towards internal resources (print servers, local file servers, or anything that has a private IP Address assigned) or external resources. The traffic filtering engine blocks malicious packages from communicating across the network prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
- Here is an example of how DarkLayer Guard's multi-layered protection works against malware, social engineering scams, and drive-by attacks:
Threat Prevention - Endpoint blocks malicious websites by making sure that users do not establish untrusted connections. If a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcodes. The module also makes sure that data is not automatically filled into online forms, belonging to fraudulent websites.
- An example of how DarkLayer Guard - Endpoint protects users from financially exploiting malware (banking trojans) can be seen below:
The DarkLayer Guard - Endpoint filter receives more than 800.000 new weekly updates to keep up with cybercriminals’ threats. A filter update is provided every 2 hours. The update is based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis. This insight into cybercrime enables Heimdal to block data from a PC or network from being sent to a hacker-controlled server, therefore protecting corporate or personal data from exfiltration.
HOW DOES DARKLAYER GUARD WORK?
Windows
On Windows, when Threat Prevention - Endpoint is enabled, DarkLayer Guard - Endpoint engine creates a local DNS Server that will work as a filtering engine before resolving the DNS Query performed by the user. The DarkLayer Guard DNS Server highjacks the DNS IP Address on the active Network Adapter(s) to scan for malicious websites and other web locations (servers, online ads, etc) that can potentially install malware or be used as gateways for cyber-attacks.
The DarkLayer Guard - Endpoint engine will change the DNS (Domain Name System) IP Addresses on IPv4 and IPv6.
- On IPv4, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to 127.7.7.x (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed;
- On IPv6, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to fe80::xxxx:yyyy:xxxx:zzzz (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed.
Once the DNS IP Address is set, every web location you access via the Internet will be processed through a database that is set locally in the HEIMDAL Agent installation path. This database is about 15 MB in size and 95% of the websites blocked are located here.
If the website is identified as being infected, the DarkLayer Guard - Endpoint engine will block it and you will see this block page (in the browser):
Additionally, if you perform nslookup on a malicious domain, the resolving IP Address will be 52.166.12.23 (our HEIMDAL Security block page):
If the website is not blocked after being processed through the local database it will pass but there is a second step. The website will be parsed through another database, in the cloud (about 6GB in size) where it will be checked again. If it’s found to be malicious, DarkLayer Guard - Endpoint will block it. If it’s safe, you’ll just be able to access the website normally.
macOS
On macOS, when Threat Prevention - Endpoint is enabled, the Heimdal Agent creates DNS Proxy a that will take filter the traffic just like the DarkLayer Guard engine.
In order for the DNS Proxy to be installed, the Heimdal Agent will require permission to install a System Extension Profile:
IMPORTANT
All this filtering process takes place in milliseconds and will not affect your internet connection speed.
HEIMDAL Agent - DarkLayer Guard
The HEIMDAL Agent displays information about the Prevented Attacks, the Targeted Processes, and the VectorN Detections.
When enabled, whenever a malicious domain is queried, a pop-up window will be shown to the user. Engaging the Click for the full details will redirect the user to the HEIMDAL Agent in the Threat Prevention -> DarkLayer Guard view.
The information displayed on the HEIMDAL Agent - Threat Prevention section is reported to the HEIMDAL Dashboard -> Threat Prevention - Endpoint view.
THREAT PREVENTION - ENDPOINT view
The Threat Prevention - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks.
The collected information is placed in the following views: Standard, Threat Type, Hostname/Latest Threats, TTPC, Category Blocks, and Full Logging.
- Standard
This view displays a table with the following details: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level. - Threat Type
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username. - Hostname/Threats
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches. - Latest Threats
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Type, Threat Source, TTPC, and Date. - TTPC
This view displays a table with the following details: TTPC Detections, the Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match. - Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. - Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and the Total Hits. - Investigate
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 3 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the TPE matches (the number of times, in the selected timeframe, the domain has been intercepted via TPE), the Global TPE matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN), the Global TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of the domain (in question) on the Threat Prevention Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue
the line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question). - App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
THREAT PREVENTION - ENDPOINT settings
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to Automatic DNS (set automatically by the DHCP). This option is recommended to be enabled if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes the DarkLayer Guard will set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This will enforce the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between Heimdal™ Threat Prevention and certain VPN products, as well as other software you may use, such as virtualization products;
Improve TTPC accuracy - installs and updates the sysmon Windows addon (if not installed already) to improve the interception of processes that perform malicious DNS requests (if the endpoint is running another application that uses sysmon, this might cause a conflict for this functionality);
- You can find the Sysmon logs in Event Viewer Logs -> Application and Service Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22;
- When the DarkLayer Guard - Endpoint ending gets the process ID from Sysmon and it queries the Window processes, there is a risk that the process was already killed or stopped. If this happens, DarkLayer Guard - Endpoint will not be able to get the process information so a generic “-” will be displayed in the HEIMDAL Dashboard;
- There is a 2-minute wait time when the same domain it’s accessed and this will result in displaying only one entry for that specific domain even if it was accessed several times in that time interval. In the Event Viewer Logs, an entry will show up every time a domain is accessed.
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment);
Compatibility Settings
DoH Compatibility Mode - this feature will prevent your active browser (Google Chrome or Mozilla Firefox) from employing DNS over HTTPS packages, replacing the more comprehensive DNS traffic filtering provided by HEIMDAL™ Threat Prevention;
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering;
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint;
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature will pause the DarkLayer Guard engine while the endpoint is connected to Cisco Anyconnect/Fortigate. The DNS filtering with automatically re-enable after disconnecting from Cisco Anyconnect/Fortigate;
Force NCSI fix - this feature will fix the Network Connectivity Status Indicator that causes the connected globe in the Tray menu when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value 1 (default is 0) on the following path Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActive Probing, and adds a Microsoft IP Address in the hosts file (C:\Windows\System32\drivers\etc);
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again);
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6;
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database;
DNS over HTTPS Server - allows you to specify a DoH domain or an IP Address to be used by the DarkLayer Guard engine as DNS Server. DNS over HTTPS Server is filtering traffic only when the computer is outside of the organization's network/environment. When a computer is locally connected to the domain or via VPN, DNS over HTTPS Server will not filter the traffic, but resolve the traffic with the internal DNS IP Address. Usually, DoH Servers are using different IP Addresses depending on the location, but the common practice is that DoH Server can be identified by DNS Name (which is the same);
Domains allowlist – this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by the Heimdal™ Threat Prevention. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Block by Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat or block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Custom block pages – this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blocklisted domain):
IMPORTANT
Do not use the DarkLayer Guard - Endpoint engine in combination with another DNS traffic scanning application because they might conflict with each other and none of them will work correctly. We recommend you disable other traffic scanning applications installed locally before you enable Heimdal's DarkLayer Guard engine.