We want to inform you that we will be releasing 2 new Heimdal™ versions soon, 2.5.330 RC and 2.5.322 PROD.
Both of them are scheduled to go live on Wednesday, the 3rd of February, in the Dashboard, with the Agent following over the next week, on a roll-out basis.
Here are the new features and improvements rolling in with the new 2.5.330 RC:
Heimdal™ Threat Prevention - Network:
- Improved and robust new infrastructure
A new infrastructure was implemented for Threat Prevention – Network to replace the old CSIS Secure DNS infrastructure; it will be faster and able to scale to infinite user connections in the future, without the risk of delayed response times.
Those using the new infrastructure will now be able to see data in the dashboard, and CSIS customers will be contacted by Heimdal Customer Satisfaction Managers to migrate their platform.
Heimdal™ Patch & Asset Management:
- WU - Option to schedule WU in a specific week of the month
WU Update Scheduler will have an additional dropdown that allows the customer to schedule Microsoft Updates on a recurring basis, by selecting the week(s) of the month in which to schedule the updates. The option is available only if the scheduler is set to “Choose week day” and has at least 1 day selected.
Heimdal™ Privileged Access Management:
- Display file name requested for elevation
For file elevations, the name of the elevated file is now displayed in the Privileged Access Management Pending Approval view. A new column was added in order to accommodate the new information.
Endpoint Detection:
- Ransomware Encryption Protection
A new module is now available under Endpoint Detection, Ransomware Encryption Protection.
The new module is built with the sole purpose of eliminating ransomware encryption threats.
The module processes kernel events for IO reads, writes, directory enumeration and file executions. The engine will currently allow a maximum of 3 files to get encrypted before it gives the verdict that the process is suspicious. Once flagged, details about the suspicious process are gathered and sent to the Heimdal™ servers. Details include: the process command line arguments, the network connections (IP and port), the read/write operation count at the moment of detection, as well as the process tree from the suspicious process tracing back to the root process.
Once a suspicious process event occurs, there will be an option to automatically terminate the process.
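The detection flow described above, modelled as an added example (this is not Heimdal's code): per-process IO events are counted, a process is flagged once a fourth distinct file receives an encrypted-looking write (the three-file allowance from the notes), and the report gathers the details listed. The "looks encrypted" test is an assumed Shannon-entropy heuristic, and the process table, command lines and connections are constructed inputs.

```python
import math
from collections import defaultdict

MAX_ENCRYPTED_FILES = 3  # files the engine tolerates before giving a verdict (from the notes)

def looks_encrypted(data: bytes) -> bool:
    """Assumed heuristic (not from the notes): a write whose bytes are close to
    8 bits/byte of Shannon entropy is treated as ciphertext. Short writes are
    ignored because their entropy estimate is unreliable."""
    if len(data) < 64:
        return False
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values())
    return entropy >= 7.5

class EncryptionMonitor:
    """Tracks per-process IO events and flags a process once more than
    MAX_ENCRYPTED_FILES distinct files have received encrypted-looking writes."""

    def __init__(self, process_table):
        self.procs = process_table                # pid -> {ppid, cmdline, connections} (constructed)
        self.encrypted_files = defaultdict(set)   # pid -> paths written with ciphertext-like data
        self.io_counts = defaultdict(lambda: {"read": 0, "write": 0})
        self.verdicts = {}                        # pid -> gathered report, once flagged

    def on_event(self, pid, op, path, data=b""):
        """Feed one kernel event; returns the report the first time pid is flagged."""
        if pid in self.verdicts:                  # already reported; nothing more to do
            return None
        if op in ("read", "write"):
            self.io_counts[pid][op] += 1
        if op == "write" and looks_encrypted(data):
            self.encrypted_files[pid].add(path)   # a rewrite of the same file does not add
            if len(self.encrypted_files[pid]) > MAX_ENCRYPTED_FILES:
                self.verdicts[pid] = self._gather(pid)
                return self.verdicts[pid]
        return None

    def _gather(self, pid):
        """Collect the details the notes list: command line, connections,
        IO counts at detection time, and the process tree back to the root."""
        tree, cur = [], pid
        while cur in self.procs:                  # follow ppid links until the root
            tree.append(cur)
            cur = self.procs[cur]["ppid"]
        p = self.procs.get(pid, {})
        return {"pid": pid, "cmdline": p.get("cmdline"), "connections": p.get("connections", []),
                "io": dict(self.io_counts[pid]), "process_tree": tree}
```

A real engine would act on the returned report (for example terminating the process, as the notes mention) rather than only returning it.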
Heimdal™ Dashboard:
- Domain Grey listing is a new feature which can be found under the BLACK & WHITE & GREYLIST sub section of the Email Security Settings. It comprises two functionalities:
Tag Grey listed emails:
On top of the storage, the Domain Grey listing feature has a functionality related to tagging the emails which are coming from new domains.
In order to better monitor potentially suspicious activity, the new domains from which e-mails are received will be visually differentiated, at Inbox level, by the addition of a dedicated tag "E-Mail from new domain" in the e-mail’s subject. These e-mails won’t be blocked directly; they will be tagged and scanned in the background until a final verdict on maliciousness is reached.
Advanced Threat Protection - Force ATP scanning if email is released:
- A new option, meant to enhance security, was added in the Email Security Settings section, Security Settings subsection.
This new feature enables an additional scan by the ATP Email Security engines after the e-mail has been released from Quarantine (having been deemed malicious by the Antivirus, Anti-Malware and AntiSpam engines).
- Rename email details headers
Small name changes were made to some of the headers from the email Details modal. “HEADER” and “BODY” remain the same, but “PROPERTIES” was changed to “MAIN” and “HISTORY” was changed to “ADVANCED”.
- Source & destination IP black & whitelisting
The option to blacklist or whitelist destination and source IP is now available in the Advanced tab from the email Details modal.
"Select a domain” lists all individual domains for that perimeter GP, as well as an option (first in the list) called “All domains”. The domain which the email was received from is displayed by default.
When one of the “BLACKLIST SENDER”, “WHITELIST SENDER”, “BLACKLIST DOMAIN”, “WHITELIST DOMAIN” (Main tab) or “BLACKLIST SOURCE IP”, “WHITELIST SOURCE IP”, “BLACKLIST DESTINATION IP”, “WHITELIST DESTINATION IP” (Advanced tab) buttons is pressed, the desired command is applied either to the individual domain or to all the domains in the perimeter (as per the option set in the “Select a domain” window).
- Enhance SPAM LEVEL search (for range selection)
The user is now able to search emails in the ADVANCED SEARCH area, by using a SPAM score interval.
A maximum spam score box was also added, allowing the user to select a SPAM interval based on which emails will be searched and displayed. This option will be available in both Inbound and Outbound views.
- "Response from Server" column added to the Verbose file
The column "Response from Server" and its corresponding info was added to the Verbose CSV file from Email Security.
- Blacklist emails from external domains without TLS
A new option was added in Perimeter, Email Security settings under the Additional Domain Settings section: Block emails without TLS.
If activated, the functionality will block all emails, coming from external domains, which were not delivered encrypted through the Transport Layer Security protocol. The feature contains two functionalities:
1. A checkbox to enable/disable the feature. If the functionality is enabled, the dashboard user will be able to select, from a dropdown list, the action to take (default) in such instances.
2. A “WHITELIST ALL INTERNAL DOMAINS” button, which becomes active when the feature is enabled, and which allows the dashboard user to easily whitelist all the internal domains in one go.
For easier tracking and identification, when the feature is enabled and non-TLS-encrypted emails are received, the “NON-TLS BLOCK” type will be displayed in the logs.
Application control:
- Small flow improvements
Some small changes that should improve the overall user experience were performed. The changes are not visible to the end user.
- Download CSV file
The option to export the Application Control entries is now available.
Other improvements:
- Files clean up
Performed small changes to better clean up the Heimdal™ files stored on the machines for Heimdal™ Email Fraud Prevention and bloom filter files from the Darklayer Guard™ Engine.
Changes in the new 2.5.322 PROD:
Here are also the changes coming in the new 2.5.322 PROD version, on the basis of the previous 2.5.320 RC and 2.5.321 RC:
Dashboard:
- Granular filter for the dashboard time frame
The timeframe selector now has 2 additional fields for selecting the hour and minutes of the specific timeframe. Once a custom time is selected, the dashboard results will be filtered accordingly.
A default time is applied for each selector: 00:00 for the start date and 23:59 for the end date.
- Device filter available in DarkLayer GUARD / VectorN Detection / Next-Gen Antivirus / Privileged Access Management views
Depending on the availability of the module on each OS, a device filter was added in Threat Prevention Network, VectorN, Next-Gen Antivirus, and Privileged Access Management views. The filters are Android, Mac OS, and Windows devices.
- DNSInfo added to the Active Clients verbose CSV
- Microsoft Updates per Group Policy information added in API
- Added the MD5 column for Next-Gen Antivirus
Agent:
- Agent info logged in fixed registry key
This feature is meant to allow the user (Enterprise users only) to see which modules of the Heimdal product suite are installed and running on the customers' endpoints, which version of the agent is installed on the endpoints and which group policy (GP) it belongs to.
The registry keys are found here:
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\HeimdalSecurity\Info or
HKEY_LOCAL_MACHINE\SOFTWARE\HeimdalSecurity\Info (depending on whether the Windows version is 64-bit or 32-bit)
DarkLayer GUARD™:
- Added “Force NCSI fix” option
A new checkbox was added in group policy > Threat Prevention Network module, “Force NCSI fix”.
When enabled, this functionality will fix the Network Connectivity Status Indicator issue that causes the “not connected” globe icon in the tray menu when running alongside DarkLayer GUARD.
Patch & Asset Management:
- Improvement for Windows Updates
A small change was made so that the reboot popup message is displayed on top of all open windows.
Firewall:
- Added isolation exclusions profiles
This feature adds the ability to apply some specific firewall rules only while the computer is isolated. Those rules come as a specific profile that adds rules for a certain program (e.g. TeamViewer, ISL Online). Those rules are deleted when the PC is no longer isolated.
New isolation profiles can be added; please send such requests to the Support team.
Heimdal™ Privileged Access Management:
- Elevation request availability period
A new option was added in the Privileged Access Management Group policy, “Accepted requests availability time”. When enabled, the user is able to select a custom time to live for elevation requests, between 1 and 24 hours. If the option is disabled, all elevation requests will expire after the default 24-hour period.
Application Control – A new Privileged Access Management module:
- Application Control is a module created to better control which applications can be executed on client machines and how they are executed
You can define rules which describe what is allowed or blocked on machines using application details like paths, publisher and executable MD5, as well as how the application should run (it can automatically elevate the application if so configured) and how we handle child processes (we can allow all processes spawned by the application defined by the rule).
The Privileged Access Management group policy tab has been split into 2 subsections. The “Privileged Access Management” tab will include the previous options for Privileged Access Management, and the second tab, “Application Control”, will include the new settings for the Application Control module.
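An added example (not Heimdal's code) of how rules of the kind described above can be evaluated: each rule matches on path, publisher and/or executable MD5, carries an allow/block action, an auto-elevate flag and an allow-children flag, and child processes inherit an allow from a parent whose rule allows its children. First-match-wins ordering, inherited allows not elevating, and the rule and process values are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    action: str                        # "allow" or "block"
    path: Optional[str] = None         # full executable path to match
    publisher: Optional[str] = None    # signing publisher name to match
    md5: Optional[str] = None          # MD5 of the executable image to match
    elevate: bool = False              # auto-elevate an allowed application
    allow_children: bool = False       # allow every process this application spawns

@dataclass
class Process:
    path: str
    publisher: Optional[str]
    image: bytes                       # executable bytes (constructed in the example)
    parent: Optional["Process"] = None

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def rule_matches(rule: Rule, proc: Process) -> bool:
    """Every attribute set on the rule must match; a rule with no attributes matches nothing."""
    checks = []
    if rule.path is not None:
        checks.append(proc.path.lower() == rule.path.lower())
    if rule.publisher is not None:
        checks.append(proc.publisher == rule.publisher)
    if rule.md5 is not None:
        checks.append(md5_hex(proc.image) == rule.md5.lower())
    return bool(checks) and all(checks)

def evaluate(rules: List[Rule], proc: Process, default: str = "block") -> dict:
    """First matching rule wins (assumed ordering). If nothing matches, the process
    inherits an allow from a parent whose decision carries allow_children (so the
    whole descendant tree is covered); inherited allows never elevate."""
    for rule in rules:
        if rule_matches(rule, proc):
            return {"action": rule.action, "rule": rule.name,
                    "elevate": rule.action == "allow" and rule.elevate,
                    "allow_children": rule.action == "allow" and rule.allow_children}
    if proc.parent is not None:
        parent_decision = evaluate(rules, proc.parent, default)
        if parent_decision["action"] == "allow" and parent_decision["allow_children"]:
            return {"action": "allow", "rule": parent_decision["rule"],
                    "elevate": False, "allow_children": True}
    return {"action": default, "rule": None, "elevate": False, "allow_children": False}
```

Note that an explicit block rule on a child still wins over inheritance, because rule matching runs before the parent lookup.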
Heimdal™ Email Fraud Prevention:
- New and updated engine
The module now has a new and updated engine. No change should be visible to the end user, but the overall functionality should be improved. The new engine has been developed in-house and is far more flexible than the old one. This engine transition will allow Heimdal Security far more development freedom in the future.
- Group policy option to disable Outlook suspicious activity warnings
A new checkbox on the Email Fraud Prevention tab has been added to the Dashboard Group Policy settings, that will disable/enable the Outlook suspicious activity warnings.
In the Heimdal™ Agent a registry key will be modified for this with the values (2 -> disable, 0 -> enable). This registry key value can be found at the following path in regedit:
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Outlook\Security
On this path a new key called “ObjectModelGuard” will be created if it does not exist, and it will be set to one of the 2 values presented above.
Heimdal™ Email Security and Spamfilter:
- Added minute and daily limits for sent emails
A default minute limit of 300 emails and a daily limit of 10,000 emails was added. The limit can be lowered from the Perimeter settings, in the Limits section.
- Option to customize the header and footer of the Quarantine Report
In Perimeter, Quarantine settings options, a new button is available: “View and Edit Template”. When clicking this button, a modal that allows the user to edit the header and footer of the Quarantine Report is displayed.
Heimdal™ Next-gen Antivirus & MDM:
- VDF files update
Some improvements were made to the update VDF files flow to cover some cases where the files were updated with a small delay.
- Antivirus not registered in Action Center
Fixed the issue where Heimdal™ Next-Gen Antivirus was not registered as the default antivirus when updating from older to newer versions.
Firewall:
- Isolation flow improvements
We made some small improvements to the isolation functionality for a smoother user experience.
- Unblock RDP flow improvements
Some small changes were made to the unblock RDP functionality to address some corner cases where the port was not always unblocked in due time.