Thor Foresight bundles the components a system needs to prevent an infection before it happens. It filters malicious traffic, updates third-party applications to shrink the window in which known vulnerabilities can be exploited, and identifies computers that may already have been compromised, reporting them to the centralized management system. The protection is proactive, reliable and scalable, and consists of three active modules: DarkLayer Guard, VectorN Detection and X-Ploit Resilience.
Dark Layer Guard
This module is responsible for filtering network traffic at the DNS level, based on the origin and destination of each DNS request. It replaces the manually configured or DHCP-assigned DNS servers on the network adapter with addresses from the client host's own IP range, so that the computer's DNS queries are handled by the local agent instead of going straight to the network's resolvers. The original DNS values from the network card settings are not lost: they are saved in the registry under the adapter's GUID keys, and the agent still uses them to resolve requests for internal resources such as print servers, local file servers or anything else with a private IP address.
The traffic filtering engine blocks malicious packets from communicating across the network; in doing so it prevents man-in-the-browser attacks, detects zero-hour exploits, protects against data or financial exfiltration, and prevents data loss and network infections.
Here is an example of how Thor Foresight's multi-layered protection works against malspam, social engineering scams and drive-by attacks:
The module blocks malicious websites by ensuring that users do not establish untrusted connections. Once such a connection is made, an attacker can open a backdoor into the PC with a zero-day exploit or by executing remote shellcode. Thor Foresight also ensures that data is not automatically filled into online forms belonging to fraudulent websites.
DLG can shield a PC from a man-in-the-browser attack, hide it from an attacker's domain, or prevent ransomware such as CryptoLocker from downloading its encryption keys even if the PC has already been infected.
The DLG filter receives more than 800,000 new entries every week to keep up with cyber criminals' activity; a filter update is delivered every 2 hours. The updates are based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes and data gathered during e-crime analysis.
This insight into cybercrime enables Heimdal to block data on a PC or network from being sent to an attacker-controlled server, protecting corporate or personal data from exfiltration.
- Click here for more details regarding Dark Layer Guard
- Click here to navigate The User Interface in Thor Home
- Click here to configure your Thor
VectorN Detection
This module identifies the computers most likely to have been infected by malicious scripts and malware. It identifies patterns of malicious domain requests and filters them accordingly. Computers flagged by VectorN as potentially infected should be treated as threats by the system administrator, investigated and scanned either manually or automatically.
In 2017, data-stealing malware and data-usage attacks were responsible for more than 55% of the cases in which corporations lost valuable information. Only about 19% of data-theft malware is detected by traditional antivirus software. The low detection rate is caused by polymorphism: the malware constantly changes its form and attack methods, so static signatures go stale quickly. The data theft problem keeps growing because theft no longer happens on a single PC but spreads across the entire network. VectorN Detection therefore employs traffic and usage algorithms rather than relying on signature and access detection alone.
- Click here for more details regarding VectorN Detection
- Click here for more details regarding VectorN Detection Engine
- Click here for MODERATE POSSIBILITY of infection
- Click here for HIGH AND VERY HIGH POSSIBILITY of infection
- Click here for VectorN Detection LOW RISK Users
- Click here for VectorN Detection MEDIUM RISK Users
- Click here for VectorN Detection HIGH RISK Users
X-Ploit Resilience
More than 80% of all attacks make use of exploits in third-party software. The module identifies and automatically updates third-party software on any computer it is installed on, so that cyber criminals cannot take advantage of vulnerabilities arising from outdated software.
X-Ploit Resilience is designed for low resource consumption, using as few system resources as possible, and works without interrupting the user. It delivers software and updates through our own CDN, so pushing new software and updates is fast and reliable.
- Click here for more details regarding X-Ploit Resilience
- Click here for more details regarding Microsoft Updates Overview in X-Ploit Resilience.
- Click here to see what 3rd Party Applications cannot be added to the X-Ploit Resilience Patching System
- Click here to see the minimum requirements for adding new software to the X-Ploit Resilience Patching System
Features of Thor Foresight
1. Patch Management
Thor Foresight monitors and automatically updates a range of software applications. The patches are downloaded directly from our servers; the only modification we make is to add the command-line switches needed to deploy each patch silently and at the correct time. Thor Foresight will never close a running application or automatically reboot the PC after updates have been installed. Thor Foresight will also never request user or admin permissions or show UAC prompts, even if UAC is enabled.
Applications included and monitored in the Patch Management system are selected on the following criteria:
- One or more versions contain vulnerabilities, which are corrected in updated versions
- The vulnerabilities pose a security risk and are therefore actively exploited by IT criminals
1.1. The list of supported software
Here you can find the full list of applications that can be installed or patched by Thor Foresight: https://support.heimdalsecurity.com/hc/en-us/articles/206845959-Which-software-does-Heimdal-patch-
1.2. Technical implementation
Thor obtains its information from the Windows registry, specifically from the uninstall information that installed applications register there (the DisplayName and DisplayVersion values). First, it looks for the DisplayName value of an application. If that value is not found, the application is treated as not installed and the Install button/option is displayed. If DisplayName is found, Thor reads the DisplayVersion value and compares it with the latest version it knows of. Depending on the result of the comparison, Thor then applies the patch.
Thor Foresight scans the PC every 2 hours by default to find new applications or apply patches to the existing ones. The list of detected software, their version and update status can be seen in the “Patching System” tab from the main user interface as well as in the online management portal.
If an update is available, the patching process begins as soon as possible, once the PC is idle and the specific software is not in use. If several applications require patching, they are handled one at a time. If the agent is unable to patch a specific piece of software, such as a browser plug-in, because it is in use, Thor Foresight notifies the user with a red exclamation mark in the interface and the relevant information is added to the dashboard.
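The following Python script is added here as an illustration of the decision procedure in sections 1.2 and 1.3; it is not Heimdal's code. It reads DisplayName and DisplayVersion from the Uninstall keys of the registry (on Windows; elsewhere it falls back to a constructed set of entries), compares the installed version with the latest known one, offers Install when DisplayName is absent, warns when a higher version is already present, and defers a patch whose executable is currently running. The catalogue, the sample registry entries, the process list and the executable names are assumptions made for the example.

```python
"""Install / patch / defer decision for third-party software, modelled on
the registry-based procedure in sections 1.2 and 1.3.

Added example, not Heimdal's code.  The catalogue, the sample uninstall
entries, the running-process list and the executable names are constructed.
"""
import sys

# Standard locations where Windows installers register DisplayName /
# DisplayVersion (64-bit and 32-bit views of HKLM).
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# Constructed catalogue: DisplayName -> (latest known version, main executable).
CATALOGUE = {
    "Mozilla Firefox": ("115.0", "firefox.exe"),
    "7-Zip": ("23.01", "7zFM.exe"),
    "VLC media player": ("3.0.20", "vlc.exe"),
    "Google Chrome": ("120.0.6099.130", "chrome.exe"),
    "Notepad++": ("8.6", "notepad++.exe"),
}

# Constructed stand-in for the registry on a non-Windows host.
SAMPLE_INSTALLED = {
    "Mozilla Firefox": "114.0.2",      # older -> patch
    "7-Zip": "23.01",                  # equal -> nothing to do
    "VLC media player": "3.0.18",      # older but running -> defer
    "Google Chrome": "121.0.6167.85",  # newer than catalogue -> warning
    # Notepad++ has no DisplayName -> offer Install
}
SAMPLE_RUNNING = {"vlc.exe", "explorer.exe"}  # constructed process list


def parse_version(text):
    """'7.0.1' -> (7, 0, 1).  Non-numeric fragments count as 0 and trailing
    zeros are dropped, so '7.0' == '7.0.0' and '7.0.1 beta' does not crash."""
    parts = []
    for piece in text.replace("-", ".").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def read_uninstall_entries():
    """Read DisplayName -> DisplayVersion from the live registry (Windows only)."""
    import winreg  # importable only on Windows
    entries = {}
    for path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue
        index = 0
        while True:
            try:
                sub = winreg.EnumKey(root, index)
            except OSError:  # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, sub) as key:
                try:
                    name = winreg.QueryValueEx(key, "DisplayName")[0]
                    version = winreg.QueryValueEx(key, "DisplayVersion")[0]
                except OSError:  # entry without both values: ignore
                    continue
            entries[name] = version
    return entries


def decide(catalogue, installed, running):
    """Return {DisplayName: action} for every catalogue entry."""
    actions = {}
    for app, (latest, exe) in catalogue.items():
        current = installed.get(app)
        if current is None:
            actions[app] = "install"          # DisplayName missing: show Install option
            continue
        cur, new = parse_version(current), parse_version(latest)
        if cur > new:
            actions[app] = "newer-installed"  # higher version present: warn, never downgrade
        elif cur == new:
            actions[app] = "up-to-date"
        elif exe in running:
            actions[app] = "deferred"         # in use: red exclamation mark, retry on next scan
        else:
            actions[app] = "patch"
    return actions


def patch_queue(actions):
    """Applications to patch now, in order: the agent handles them one at a time."""
    return [app for app, action in actions.items() if action == "patch"]


if __name__ == "__main__":
    installed = read_uninstall_entries() if sys.platform == "win32" else SAMPLE_INSTALLED
    # A real agent would enumerate running processes; the set here is constructed.
    result = decide(CATALOGUE, installed, SAMPLE_RUNNING)
    for app, action in result.items():
        print(f"{app:20} {action}")
    print("patch queue:", patch_queue(result))
```

Run it on a Windows host to see the real uninstall entries compared against the constructed catalogue; anywhere else it uses the constructed entries. The version parser deliberately tolerates vendor strings such as "7.0.1 beta", because a crash in the comparison would silently leave an application unpatched.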
1.3. Software that already has autoupdate enabled
Please note that some of the applications Thor Foresight monitors and updates automatically and silently may already have auto-update enabled in their default settings. Updates delivered directly by the software manufacturer (via the auto-update feature built into the application) may therefore arrive faster than the patches applied by Thor Foresight.
The following applications have auto-update enabled by default by the manufacturer and may consequently be updated before Thor Foresight delivers the corresponding patch: Google Chrome, Google Drive, Skype, Mozilla Firefox, Mozilla Thunderbird.
If you "select all" for the "install" option in the group policy, any software added to Thor Foresight later will also be installed automatically in your environment.
1.4. Patches deployment method – Bulk or Staged?
If you are about to deploy Thor Foresight in your organization and your Group Policy is set to deploy new applications or to patch existing ones, note that patches are downloaded as each client checks in with the Dashboard, and the clients never check in at the same time.
This staggering avoids a traffic spike in your organization. If a higher version is already installed on a PC, Thor Foresight will display a warning instead of patching it.
1.5. Uninstall Application Feature - CORP clients only
Please read more about this in our FAQ article: https://support.heimdalsecurity.com/hc/en-us/articles/214423645-UNINSTALL-APPLICATION-feature-explained
2. Traffic check – Malicious websites, zero-day exploits and data exfiltration
Internet traffic checking in Thor Foresight is based on a database and a filtering engine. It blocks websites with malicious content and blocks access to servers that are controlled and operated by IT criminals.
Thor Foresight also incorporates heuristic traffic checking and statistical analysis to discover new and as yet unknown threats. In doing so it protects a corporate network or private user from opening backdoors, uploading data into the hands of attackers, or having data exfiltrated from PCs or networks.
As the filter is backed by a CDN it works just as quickly anywhere in the world, and it adds negligible delay (4 ms on average) compared with normal web browsing.
2.1. Technical Implementation
The feature runs as a service on the local PC and checks every DNS lookup made on the PC. When a lookup is made, Thor Foresight checks the requested name against its list of malicious servers and websites before forwarding the lookup to the DNS servers defined in the client's DHCP (or manual) settings, i.e. the original resolvers saved when the module took over the adapter's DNS configuration.
The list is compiled into a space-optimised probabilistic data structure (a Bloom filter) that takes up only 15 MB of disk space. With this structure Thor Foresight can decide whether a DNS name is:
a. with 100% certainty not on the list of malicious sites, or
b. with 98% certainty on the list of malicious sites.
If the address is not on the list of malicious servers, Thor Foresight lets the request go through to the configured DNS servers.
If the address is on the list with 98% certainty, Thor Foresight performs an extra check against our servers to verify whether the address is actually harmful:
a. If it does show up as harmful, the site or traffic is blocked and a notice is displayed.
b. If the domain address is not harmful, the traffic is allowed.
The advantage of the probabilistic data structure is speed, and the fact that the local database is only roughly 0.5% of the size of the full list. The structure never misses a listed domain; the 2% of lookups it flags wrongly only cost an extra check against our servers, never a missed block.
The traffic check covers all services on the PC and works over VPN. It also works on internal and private networks.
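As an added example that is not Heimdal's code, the following Python script implements the two-stage lookup described in section 2.1 with a Bloom filter: the endpoint-side filter answers either "certainly not listed" or "probably listed", and only the probable hits are verified against the authoritative list (a local set here, where the product asks Heimdal's servers). The blocklist (reserved .test names), the benign names, the 2% target false-positive rate and the matching of parent domains are assumptions made for the example.

```python
"""Two-stage DNS blocklist check as described in section 2.1: a small
Bloom filter on the endpoint, an authoritative list behind it.

Added example, not Heimdal's code.  The blocklist, the benign names, the
target false-positive rate and the parent-domain matching are constructed
assumptions.
"""
import hashlib
import math


class BloomFilter:
    """Bit array + k hash positions: no false negatives, tunable false positives."""

    def __init__(self, expected_items, false_positive_rate):
        # Standard sizing: m bits and k hashes for n items at target rate p.
        self.m = max(8, math.ceil(-expected_items * math.log(false_positive_rate)
                                  / (math.log(2) ** 2)))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        # Double hashing: k indices from two 64-bit halves of one SHA-256.
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


def normalise(name):
    return name.strip().rstrip(".").lower()


def candidates(name):
    """The name and its parent domains, so a listed zone also catches subdomains."""
    labels = normalise(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


# Constructed blocklist (reserved .test names, not real hosts).
BLOCKLIST = {"c2.evil.test", "update-payload.test", "bank-login.phish.test"}
FILTER = BloomFilter(len(BLOCKLIST), 0.02)   # 2% target false-positive rate
for _domain in BLOCKLIST:
    FILTER.add(_domain)
VERIFY = BLOCKLIST.__contains__   # stands in for the round trip to the vendor's servers


def check_domain(name, bloom=FILTER, verify=VERIFY):
    """Return (verdict, verified_remotely)."""
    suspects = [c for c in candidates(name) if bloom.might_contain(c)]
    if not suspects:
        return "allow", False          # stage 1: certainly not listed, forward to real DNS
    harmful = any(verify(c) for c in suspects)
    return ("block" if harmful else "allow"), True   # stage 2: authoritative answer


def false_positive_rate(bloom, clean_names):
    """Fraction of names known not to be listed that stage 1 still flags."""
    hits = sum(1 for n in clean_names if bloom.might_contain(normalise(n)))
    return hits / len(clean_names)


if __name__ == "__main__":
    for q in ["c2.evil.test", "cdn.c2.evil.test", "www.example.com", "intranet.corp.example"]:
        print(f"{q:25} -> {check_domain(q)}")
    sample = [f"host{i}.benign.test" for i in range(2000)]
    print(f"filter: {FILTER.m} bits, {FILTER.k} hashes, "
          f"measured false positives on clean names: {false_positive_rate(FILTER, sample):.3f}")
```

The design point worth noting is the asymmetry: a false positive only costs one extra query to the authoritative list, whereas a false negative would let a command-and-control name resolve, so the filter is sized for a few percent of false positives and zero false negatives, which is exactly the 100%/98% split the section describes.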