Heimdal™ Threat Prevention - Endpoint embeds everything a system needs to prevent an infection before it happens. It filters malicious traffic, updates 3rd party apps thus minimizing exploitation risks and it identifies the computers that may have been compromised by attackers, also reporting this to the centralized management system. The protection is proactive, reliable, scalable, and consists of three active modules: DarkLayer Guard, VectorN Detection, and Vulnerability Management.
Dark Layer Guard
This module is responsible for filtering all network packages based on DNS request origin and destination. It replaces the manual or DHCP set DNS values with IPs from the Client Host IP range thus effectively telling the computers to resolve the DNS requests themselves. The original DNS values from the network card settings are not lost, they are saved under GUIDs in the Windows Registry and they are used when requests are made towards internal resources like print servers, local file servers, or anything that has a private IP assigned.
The traffic filtering engine, which blocks malicious packages from communicating across the network prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
Here is an example of how Heimdal™ Threat Prevention - Endpoint’s multi-layered protection works against malware, social engineering scams and drive-by attacks:
The module blocks malicious websites by making sure that users do not establish untrusted connections. If a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcodes. Heimdal™ Threat Prevention - Endpoint also makes sure that data is not automatically filled into online forms, belonging to fraudulent websites.
DLG can shield a PC from a man-in-the-browser attack, it can hide it from an attacker’s domain or it can prevent ransomware - such as Crypto locker - from downloading its encryption keys even if the PC has already been infected.
An example of how Dark Layer Guard protects users from financially exploiting malware (banking trojans) can be seen below:
The Dark Layer Guard filter receives more than 800.000 new weekly updates to keep up with cybercriminals’ threats. A filter update is provided every 2 hours. The update is based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis.
This insight into cybercrime enables Heimdal to block data from a PC or network from being sent to a hacker-controlled server, therefore protecting corporate or personal data from exfiltration.
Filter devices on Dark Layer Guard grid views (except CATEGORY BLOCKS VIEW)
Selecting one device from the device list would filter the entire grid (no need for accessing other values)
- Click here for more details regarding Dark Layer Guard
- Click here to navigate The User Interface in Thor Home
- Click here to configure your Heimdal™
This module identifies the computers that are most prone to have been infected by malicious scripts and malware. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectornN as potentially infected are to be ultimately treated as threats by the system administrator, investigated, and scanned for threats either manually or automatically.
In 2017 data-stealing malware or data usage attacks were responsible for more than 55% of the cases where corporations lost valuable information. Approximately 19% of data theft malware is detected by traditional antivirus software. Low detection rates are caused by polymorphism, which means that malware can constantly change behavior and attack methods. The problem of data theft is furthermore increasing because informational theft is no longer happening on the PC itself but is spreading over the entire network. VectorN Detection employs traffic and usage algorithms, rather than rely just on signature and access detection.
Filter devices on VectorN grid views
Selecting one device from the device list would filter the entire grid (no need for accessing other values)
- Click here for more details regarding VectorN Detection
- Click here for more details regarding VectorN Detection Engine
- Click here for MODERATE POSSIBILITY of infection
- Click here for HIGH AND VERY HIGH POSSIBILITY of infection
- Click here for VectorN Detection LOW RISK Users
- Click here for VectorN Detection MEDIUM RISK Users
- Click here for VectorN Detection HIGH RISK Users
Heimdal™ Patch & Asset Management (3rd Party Applications)
More than 80% of all attacks happen by using exploits in 3rd Party Software. The module identifies and automatically updates 3rd Party Software on any computer it is installed upon so that cybercriminals can’t take advantage of any potential vulnerability arisen due to outdated software.
Heimdal™ Patch & Asset Management is designed to have low resource consumption, using as few system resources as possible and works without interrupting the user. Heimdal™ Patch & Asset Management works with our own CDN so pushing new software and updates is fast and reliable.
Features of Heimdal™ Threat Prevention - Endpoint
1. Patch Management
Heimdal™ Threat Prevention - Endpoint monitors and automatically updates a range of software applications. The patches are downloaded directly from our servers and we only add special code switches to deploy the patches silently and at the correct time. Heimdal™ Threat Prevention - Endpoint will never close a running application or automatically reboot the PC after the updates have been installed. Also, Heimdal™ Threat Prevention - Endpoint will never request user/ admin permissions or show UAC pop-ups, even if the UAC is enabled.
Applications included and monitored in the Patch Management system are selected on the following criteria:
- One or more versions contain vulnerabilities, which are corrected in updated versions
- Vulnerabilities pose a security risk and are therefore actively used by IT criminals
1.1. The list of supported software
Here you can find the full list of the applications that can be installed or patched by Heimdal™ Threat Prevention - Endpoint: https://support.heimdalsecurity.com/hc/en-us/articles/206845959-Which-software-does-Heimdal-patch-
1.2. Technical implementation
Thor receives its information from monitoring the Registry Editor application. Firstly, it looks for the DisplayName property of an app. If this property is not found, the Install button/option is displayed. Secondly, if the DisplayName is found, then it looks to the DisplayVersion properties and it decides if the installed version is older than the latest one. Depending on the comparison result, Thor then applies the patch.
Heimdal™ Threat Prevention - Endpoint scans the PC every 2 hours by default to find new applications or apply patches to the existing ones. The list of detected software, their version, and update status can be seen in the “Patching System” tab from the main user interface as well as in the online management portal.
If an update is available, then the patching process will begin as soon as possible, when the PC is idle and is not using the specific software. If several pieces of software require patching, then these will be managed one at a time. If the agent is unable to patch specific software like a browser plug-in because it may be in use, Heimdal™ Threat Prevention - Endpoint will notify the user via a red exclamation mark inside the interface and the relevant information will be added in the dashboard.
1.3. Software that already has auto-update enabled
Please note that some of the software apps that Heimdal™ Threat Prevention - Endpoint monitors and updates automatically and silently may already have auto-update enabled in their default settings. This means that updates delivered into the software directly by the software manufacturer (via the auto-update feature built into the application) may be faster than patches applied by Heimdal™ Threat Prevention - Endpoint.
The following applications already have auto-update enabled by default by the software manufacturer and consequently, may be updated faster than Heimdal™ Threat Prevention - Endpoint can deliver the necessary patches: Google Chrome, Google Drive, Skype, Mozilla Firefox, Mozilla Thunderbird.
If you “select all” for the “install” option in the group policy, when new software is added to the Heimdal™ Threat Prevention - Endpoint, the newly added software will be automatically installed in your environment.
1.4. Patches deployment method – Bulk or Staged?
If you are about to deploy Heimdal™ Threat Prevention - Endpoint in your organization and your Group Policy is set to deploy new applications or to patch existing ones, you must know that the patches will be downloaded as the clients check towards the Dashboard, they never check at the same time.
This way, we ensure that you'll avoid any traffic load in your organization. If a higher version is already installed on your PC, Heimdal™ Threat Prevention - Endpoint will display the following warning:
1.5. Uninstall Application Feature - CORP clients only
Please read more about this on our article from FAQ: https://support.heimdalsecurity.com/hc/en-us/articles/214423645-UNINSTALL-APPLICATION-feature-explained
2. Traffic check – Malicious websites, zero-day exploits, and data ex-filtration
Internet traffic checking in Heimdal™ Threat Prevention - Endpoint is based on a database and a filtering engine. It blocks websites with malicious content or blocks access to servers that are controlled and operated by IT Criminals.
Heimdal™ Threat Prevention - Endpoint also incorporates heuristic traffic checking and statistical analysis to discover new and yet unknown threats. By doing so it protects a corporate network or private user from opening backdoors, uploading data into the hands of hackers, or from having data ex-filtrated from PCs or Networks.
As the filter is based on a CDN it works just as quickly anywhere in the world and it adds no delay (4 ms on average) compared to normal web browsing.
2.1. Technical Implementation
The feature runs as a service on the local PC and checks all DNS lookups that are made on the PC. When a lookup is made, Heimdal™ Threat Prevention - Endpoint will send the DNS lookup onto the DNS Servers defined in the client DHCP settings and check whether any of them are found in the list of malicious servers or websites.
The list is compiled as a space-optimized probabilistic data structure and only takes up 15 MB of disk space. Through this data structure Heimdal™ Threat Prevention - Endpoint can decide if the DNS name is either:
a. With 100% certainty not on the list of malicious sites
b. With 98% certainty on the list of malicious sites
If the address is not on the list of malicious servers, Heimdal™ Threat Prevention - Endpoint will approve the request from the used DNS servers.
If the address is with a 98% certainty on the list, Heimdal™ Threat Prevention - Endpoint will perform an extra check towards our servers to verify whether the address is harmful or not.
a. If it does show up as harmful, the site or traffic is blocked and a notice will be displayed.
b. If the domain address is not harmful the traffic will be allowed.
The advantage of using a probabilistic data structure is that the speed of the service is much higher and the size of the database is only roughly 0,5% of the total list.
The traffic check works for all services on the PC and on VPN. It also works on internal as well as private networks.
- Click here for more details regarding Heimdal™ Patch & Asset Management
- Click here for more details regarding Microsoft Updates Overview in Heimdal™ Patch & Asset Management.
- Click here to see what 3rd Party Applications cannot be added to the Heimdal™ Patch & Asset Management
Here is the Heimdal™ Threat Prevention - Endpoint product overview presentation: