We want to inform you about the release of 2 new Heimdal™ versions, 2.5.336 Production and 2.5.341 Release Candidate.
The 2.5.336 Production version is scheduled to go live on Wednesday, April 7th 2021, in the Heimdal™ Dashboard, with the Heimdal™ Agent following over the next week on a roll-out basis, while the 2.5.341 RC version is already available for download in the Heimdal™ RC Dashboard.
Here are the new features and improvements rolling in with the new 2.5.336 Production:
Changes in the new 2.5.336 Production:
Heimdal™ Threat Prevention - Network:
- Improved and robust new infrastructure
A new infrastructure was implemented for Threat Prevention – Network to replace the old CSIS Secure DNS infrastructure. The new infrastructure will be faster and able to scale to infinite user connections in the future, without the risk of delayed response times.
Those using the new infrastructure will now be able to see data in the dashboard and CSIS customers will be contacted by Heimdal Customer Satisfaction Managers to migrate their platform.
Heimdal™ Patch & Asset Management:
- WU - Option to schedule WU in a specific week of the month
WU Update Scheduler will have an additional dropdown that allows the customer to schedule Microsoft Updates on a recurring basis, by selecting the week(s) of the month in which to schedule the updates. The option is available only if the scheduler is set to “Choose week day” and has at least 1 day selected.
Heimdal™ Privileged Access Management:
- Display file name requested for elevation
For file elevations, the name of the elevated file is now displayed in the Privileged Access Management Pending Approval view. A new column was added in order to accommodate the new information.
Endpoint Detection:
- Ransomware Encryption Protection
A new module is now available under Endpoint Detection, Ransomware Encryption Protection.
The new module is built with the sole purpose of eliminating ransomware encryption threats.
The module processes kernel events for IO reads, writes, directory enumeration and file executions. The engine currently allows a maximum of 3 files to be encrypted before it gives the verdict that the process is suspicious. Once a process is flagged, details about it are gathered and sent to the Heimdal™ servers. Details include: the process command line arguments, the network connections (IP and port), the read/write operation count at the moment of detection, and the process tree traced from the suspicious process back to the root process.
As soon as a suspicious process event occurs, there will be an option to automatically terminate the process.
Heimdal™ Email Security:
- Domain Grey listing
This is a new feature which can be found under the BLACK & WHITE & GREYLIST subsection of the Email Security Settings. It comprises two functionalities:
1. E-Mail filter threshold (Domain Greylist threshold)
A new option was added in Perimeter, Email Security settings under the Additional Domain Settings section: E-Mail filter threshold.
When enabled, the option stores, per mailbox, in Heimdal™'s database, the domains from which the customer is receiving emails. The storage period is set with the dedicated threshold slider (up to 90 days). Be aware that a domain is saved only if all of the following conditions are met: the recipient domain is not equal to the sender domain, the sender domain is not in the list of common domains, and the sender domain was not whitelisted.
2. Tag Grey listed emails
On top of the storage, the Domain Grey listing feature has a functionality related to tagging the emails which are coming from new domains.
In order to better monitor potentially suspicious activity, e-mails received from new domains will be visually differentiated, at Inbox level, by the addition of a dedicated tag "E-Mail from new domain" in the e-mail’s subject. These e-mails won’t be blocked directly; they will be tagged and scanned in the background until a final verdict on maliciousness is reached.
- Advanced Threat Protection - Force ATP scanning if email is released
A new option, meant to enhance security, was added in the Email Security Settings section, Security Settings subsection.
This new feature enables an additional scan by the ATP Email Security engines after an e-mail has been released from Quarantine (deemed as malicious by the Antivirus, Anti Malware and AntiSpam engines).
- Rename email details headers
Small name changes were performed to some of the headers from the email Details modal. “HEADER” and “BODY” remain the same but “PROPERTIES” was changed to “MAIN” and “HISTORY” was changed to “ADVANCED”.
- Source & destination IP black & whitelisting
The option to blacklist or whitelist destination and source IP is now available in the Advanced tab from the email Details modal.
“Select a domain” lists all individual domains for that perimeter GP, as well as an option (first in the list) called “All domains”. The domain from which the email was received is displayed by default.
When one of the “BLACKLIST SENDER”, “WHITELIST SENDER”, “BLACKLIST DOMAIN”, “WHITELIST DOMAIN” (Main tab) or “BLACKLIST SOURCE IP”, “WHITELIST SOURCE IP”, “BLACKLIST DESTINATION IP”, “WHITELIST DESTINATION IP” (Advanced tab) buttons is pressed, the desired command is applied either to individual domains or to all the domains in the perimeter (as per the option set from the “Select a domain” window).
- Enhance SPAM LEVEL search (for range selection)
The user is now able to search emails in the ADVANCED SEARCH area, by using a SPAM score interval.
A maximum spam score box was also added, allowing the user to select a SPAM interval based on which emails will be searched and displayed. This option will be available in both Inbound and Outbound views.
- "Response from Server" column added to the Verbose file
The column "Response from Server" and its corresponding info were added to the Verbose CSV file from Email Security.
- Blacklist emails from external domains without TLS
A new option was added in Perimeter, Email Security settings under the Additional Domain Settings section: Block emails without TLS.
If activated, the functionality will block all emails, coming from external domains, which were not delivered encrypted through the Transport Layer Security protocol. The feature contains two functionalities:
- A checkbox to enable/disable the feature. If the functionality is enabled, the dashboard user will be able to select, from a dropdown list, the action to take (default) in such instances.
- A “WHITELIST ALL INTERNAL DOMAINS” button, which becomes active when the feature is enabled, and which allows the dashboard user to easily whitelist all the internal domains in one go.
For easier tracking and identification, when the feature is enabled and non-TLS-encrypted emails are received, the “NON-TLS BLOCK” type will be displayed in the logs.
Application Control:
- Small flow improvements
Some small changes that should improve the overall user experience were performed. The changes are not visible to the end user.
- Download CSV file
The option to export the Application Control entries is now available.
Other improvements:
- Files clean up
Performed small changes to better clean up the Heimdal™ files stored on the machines for Heimdal™ Email Fraud Prevention and bloom filter files from the DarkLayer Guard™ Engine.
- Agent Reboot Notification
After installing Microsoft Windows Updates with the Patch & Asset Management module, the pop-up window containing the reboot notifications is now displayed correctly for the end users.
- Microsoft Windows Updates on Windows Server 2012 R2
The fix enables you to push install Microsoft Windows Updates on Windows Server 2012 R2 correctly.
- Next-Gen Antivirus enhancements (updated engine drivers)
The updated drivers contain improvements meant to avoid memory corruption when performing an asynchronous scan, if the target is no longer available (unmounted). These adaptations have been applied based on the full memory dump and provided Driver Verifier information and will prevent unexpected crashes.
Changes in the new 2.5.341 Release Candidate:
Here are also the fixes available in the 2.5.341 RC version of the Heimdal™ Agent (available for download in the “GUIDE” section, “Download and Install” tab, of the Heimdal™ RC Dashboard):
- Agent Reboot Notification
After installing Microsoft Windows Updates with the Patch & Asset Management module, the pop-up window containing the reboot notifications is now displayed correctly for the end users.
- Microsoft Windows Updates on Windows Server 2012 R2
The fix enables you to push install Microsoft Windows Updates on Windows Server 2012 R2 correctly.
- Next-Gen Antivirus enhancements (updated engine drivers)
The updated drivers contain improvements meant to avoid memory corruption when performing an asynchronous scan, if the target is no longer available (unmounted). These adaptations have been applied based on the full memory dump and provided Driver Verifier information and will prevent unexpected crashes.
If you need help with anything, don’t hesitate to contact corpsupport@heimdalsecurity.com.