In this article, you will learn everything you need to know about the Threat Prevention - Endpoint module. Threat Prevention - Endpoint is based on the DarkLayer Guard engine, the world’s most advanced endpoint DNS threat hunting tool and boasts our Threat to Process Correlation technology allowing you to spot processes, users, URLs, and attacker origins used to infiltrate your network. Threat Prevention - Endpoint makes the DarkLayer Guard - Endpoint work in tandem with our VectorN Detection AI-based traffic pattern recognition engine to also give you HIPS/HIDS and IOA/IOC capabilities and spot hidden malware, complete autonomous of code and signatures.
Threat Prevention - Endpoint is responsible for filtering all network packages based on DNS request origin and destination. It replaces the manual or DHCP set DNS values with IP Addresses from the Client Host IP Address range, thus, effectively telling the computers to resolve the DNS requests themselves. The original DNS values from the network card settings are not lost but are saved under GUIDs in the Windows Registry and used when DNS requests are made towards internal resources (print servers, local file servers, or anything that has a private IP Address assigned) or external resources. The traffic filtering engine blocks malicious packages from communicating across the network prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
- Here is an example of how DarkLayer Guard's multi-layered protection works against malware, social engineering scams, and drive-by attacks:
Threat Prevention - Endpoint blocks malicious websites by making sure that users do not establish untrusted connections. If a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcodes. The module also makes sure that data is not automatically filled into online forms, belonging to fraudulent websites.
- An example of how DarkLayer Guard - Endpoint protects users from financially exploiting malware (banking trojans) can be seen below:
The DarkLayer Guard - Endpoint filter receives more than 800.000 new weekly updates to keep up with cybercriminals’ threats. A filter update is provided every 2 hours. The update is based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis. This insight into cybercrime enables Heimdal to block data from a PC or network from being sent to a hacker-controlled server, therefore protecting corporate or personal data from exfiltration.
HOW DOES DARKLAYER GUARD WORK?
On Windows, when Threat Prevention - Endpoint is enabled, DarkLayer Guard - Endpoint engine creates a local DNS Server that will work as a filtering engine before resolving the DNS Query performed by the user. The DarkLayer Guard DNS Server highjacks the DNS IP Address on the active Network Adapter(s) to scan for malicious websites and other web locations (servers, online ads, etc) that can potentially install malware or be used as gateways for cyber-attacks.
The DarkLayer Guard - Endpoint engine will change the DNS (Domain Name System) IP Addresses on IPv4 and IPv6.
- On IPv4, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to 127.7.7.x (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed;
- On IPv6, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to fe80::xxxx:yyyy:xxxx:zzzz (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed.
Once the DNS IP Address is set, every web location you access via the Internet will be processed through a database that is set locally in the HEIMDAL Agent installation path. This database is about 15 MB in size and 95% of the websites blocked are located here.
If the website is identified as being infected, the DarkLayer Guard - Endpoint engine will block it and you will see this block page (in the browser):
Additionally, if you perform nslookup on a malicious domain, the resolving IP Address will be 220.127.116.11 (our HEIMDAL Security block page):
If the website is not blocked after being processed through the local database it will pass but there is a second step. The website will be parsed through another database, in the cloud (about 6GB in size) where it will be checked again. If it’s found to be malicious, DarkLayer Guard - Endpoint will block it. If it’s safe, you’ll just be able to access the website normally.
On macOS, when Threat Prevention - Endpoint is enabled, the Heimdal Agent creates DNS Proxy a that will take filter the traffic just like the DarkLayer Guard engine.
In order for the DNS Proxy to be installed, the Heimdal Agent will require permission to install a System Extension Profile:
All this filtering process takes place in milliseconds and will not affect your internet connection speed.
HEIMDAL Agent - DarkLayer Guard
The HEIMDAL Agent displays information about the Prevented Attacks, the Targeted Processes, and the VectorN Detections.
When enabled, whenever a malicious domain is queried, a pop-up window will be shown to the user. Engaging the Click for the full details will redirect the user to the HEIMDAL Agent in the Threat Prevention -> DarkLayer Guard view.
The information displayed on the HEIMDAL Agent - Threat Prevention section is reported to the HEIMDAL Dashboard -> Threat Prevention - Endpoint view.
THREAT PREVENTION - ENDPOINT view
The Threat Prevention - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks. You can navigate between multiple pre-filtered views to quickly and easily access the information that you need to process to analyze and remediate potential vulnerabilities.
The collected information is placed in the following views: Standard, Threat Type, Hostname/Latest Threats, TTPC, Category Blocks, and Full Logging.
The details displayed in the Standard view table are the following: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level. The Standard view is a complete overview of the total analyzed requests and prevented attacks, as well as a pre-calculated risk level for your device. All entries are identified by hostname username and IP address. The calculated risk score is based on the time frame selected in the HEIMDAL Dashboard and offers a great way to visualize and measure the impact of your awareness training and security procedures that you facilitate in your organization, as you can track the changes in your high-risk users' behavior over time.
- Threat Type
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username. The Threat Type view has all entries sorted into types of threats and the number of times the specific threat type is seen in your environment. You also get quick visibility over the host and user that has been targeted the most by the mentioned threat type. This can be used to gain a quick overview of the severity of threats currently encountered and will greatly help a security team prioritize their high-level remediation efforts.
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches. The Hostname/Threats view is broken down into individual threats on specific hosts, including the associated Domain Name and the number of times that DarkLayer Guard has blocked the threat on that Host and User. This can be used to gain a detailed visualization of which devices are currently the most targeted and offer a security team direct insights into what devices they need to focus on protecting first.
- Latest Threats
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Type, Threat Source, TTPC, and Date. The Latest Threats view, offers detailed information about each individual block that has been performed by DarkLayer guard, including Threat Type, associated Domain name, and Process correlation captured on the affected host. This information is prefiltered on time and date and is the place to get a real-time view of what is currently happening in the environment as the latest attacks are inserted at the top of the page.
This view displays a table with the following details: TTPC Detections, the Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match. The TTPC or Threat To Process Correlation view brings forth the specific potentially infected process used in the blocked attack, complete with the affected user and host, the implicated Domain Name, the timestamp for the attack, and the total file path to quickly locate the potentially infected file responsible for the process. If you are using Heimdal’s Next-Gen antivirus, you are able to quarantine the process file remotely with just a few clicks, straight from the TTPC view. You are also able to upload the process file to the cloud for malware analysis or to exclude a file that has been deemed to be legitimate. To assist a security team with further threat hunting, they will also find easy access to additional intelligence about the implicated domains, through quick toggle shortcuts. Additional information like IP addresses, full URLs, and additional resolved domains connected, can be viewed straight on the page. It is also possible to navigate directly to Heimdal’s investigation view or utilize Virus Total's third-party threat intelligence.
- Category Blocks
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. The Category Blocks view presents a consolidated overview of all hits to the preset Category Filters. This view makes it easy to manage chosen Categories, get a visualization of their impact, and identify users with online behavior that does not match the organization.
- Full Logging
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and the Total Hits.
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 3 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the TPE matches (the number of times, in the selected timeframe, the domain has been intercepted via TPE), the Global TPE matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN), the Global TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of the domain (in question) on the Threat Prevention Endpoint blocklist (blocklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue
the line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question).
- App Discovery
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints. App Discovery can be used as a cloud access security broker (CASB) that provides a comprehensive set of capabilities to help you manage and control the use of cloud apps across your organization - including visibility into inappropriate cloud app usage.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
THREAT PREVENTION - ENDPOINT settings
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to automatic DNS (served by the DHCP). By default, this option is disabled and DarkLayer Guard should work just fine on any type of computer. It is recommended only if you use a VPN product/service that resets the DNS IP Address (after disconnecting) and sets the DNS on Obtain DNS server address automatically on the NIC.
This option is NOT recommended if:
- You use a static DNS IP Address(es) on your NIC;
- You are applying it to a Domain Controller/DNS Server.
Use default loopback address - this feature tells the DarkLayer Guard to set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This will enforce the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between Threat Prevention Endpoint and certain VPN products, as well as other software you may use, such as virtualization products;
Improve TTPC accuracy - installs and updates the sysmon Windows addon (if not installed already) to improve the interception of processes that perform malicious DNS requests (if the endpoint is running another application that uses sysmon, this might cause a conflict for this functionality);
- You can find the Sysmon logs in Event Viewer Logs -> Application and Service Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22;
- When the DarkLayer Guard - Endpoint ending gets the process ID from Sysmon and it queries the Window processes, there is a risk that the process was already killed or stopped. If this happens, DarkLayer Guard - Endpoint will not be able to get the process information so a generic “-” will be displayed in the HEIMDAL Dashboard;
- There is a 2-minute wait time when the same domain it’s accessed and this will result in displaying only one entry for that specific domain even if it was accessed several times in that time interval. In the Event Viewer Logs, an entry will show up every time a domain is accessed.
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment);
DoH Compatibility Mode - this feature will prevent your active browser (Google Chrome or Mozilla Firefox) from employing DNS over HTTPS packages, replacing the more comprehensive DNS traffic filtering provided by HEIMDAL™ Threat Prevention;
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering;
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint;
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature will pause the DarkLayer Guard engine while the endpoint is connected to Cisco Anyconnect/Fortinet. The DNS filtering with automatically re-enable after disconnecting from Cisco Anyconnect/Fortigate;
Force NCSI fix - this feature will fix the Network Connectivity Status Indicator that causes the connected globe in the Tray menu when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value 1 (default is 0) on the following path Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActive Probing, and adds a Microsoft IP Address in the hosts file (C:\Windows\System32\drivers\etc);
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again);
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6;
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates to the filtering database;
DNS over HTTPS Server - allows you to specify a DoH domain or an IP Address to be used by the DarkLayer Guard engine as DNS Server. DNS over HTTPS Server is filtering traffic only when the computer is outside of the organization's network/environment. When a computer is locally connected to the domain or via VPN, DNS over HTTPS Server will not filter the traffic, but resolve the traffic with the internal DNS IP Address. Usually, DoH Servers are using different IP Addresses depending on the location, but the common practice is that DoH Server can be identified by DNS Name (which is the same);
Domains allowlist – this feature allows the HEIMDAL Dashboard Administrator to allowlist a domain that is blocked by the Heimdal™ Threat Prevention. You can allowlist domains, subdomains, top-level domains (.com, .co.uk, etc.), or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Block by Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Domains blocklist - this feature allows the HEIMDAL Dashboard Administrator to blocklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat or block access to a specific domain. You can blocklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (when saving an Excel workbook/sheet as a CSV file, the domains/subdomains are automatically delimited by a comma [,] and they need to be listed on one and the same row; you can download a sample CSV file from here):
Custom block pages - this feature allows you to set your organization's name, craft a personalized message to be displayed on the block page, and incorporate your logo that will replace the default Heimdal block page when Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blocklisted domain). The maximum allowed size for the logo is 1 MB. Exceeding this size will prompt you with an error;
Install Block Page Certificate – this feature allows DarkLayer Guard to display the Heimdal or Custom block page for HTTPS websites. This will automatically install the required certificate on all machines associated with the respective GP.
Do not use the DarkLayer Guard - Endpoint engine in combination with another DNS traffic scanning application because they might conflict with each other and none of them will work correctly. We recommend you disable other traffic scanning applications installed locally before you enable Heimdal's DarkLayer Guard engine.