We want to inform you about the release of a new Heimdal™ Release Candidate version, 2.5.350 RC, which is now live in the RC dashboard. The Heimdal™ Agent will be deployed on a rolling basis during the coming week.
This new Release Candidate brings to fruition our long-standing efforts to improve our award-winning suite even further, to a game-changing level of performance and UX. We hope you will be just as excited as we are to explore every novelty the new dashboard and agent are packing!
Here are the new features and improvements rolling in with the new 2.5.350 RC:
- Simplified and Revitalized – the new Heimdal™ Dashboard V3
Our visualization and reporting within the Heimdal™ Dashboard have a completely new look and feel, bringing them even closer to the smooth and unified data science portal we are aiming for.
Detailed reporting and intuitive action buttons have never looked better! The unified user experience within the Heimdal™ dashboard blends your feedback with current design principles to give you the easiest and friendliest way to explore advanced intelligence and control your cybersecurity layers.
Here is a screenshot of the brand-new, intuitive design that awaits you once you start exploring:
- Data visibility based on Customer approval
A new checkbox, "Allow Heimdal Security to view your dashboard data", has been added in the "Guide" section of the dashboard, "Customer Settings" tab. When ON (activated), it allows Heimdal Security staff to view the customer's dashboard data. Please note that when it is deactivated, the Heimdal Support team's ability to assist you is significantly reduced.
- Forensics module
The good news continues: we have also launched a brand-new module for advanced forensics data reporting, for now available only to selected customers for testing. We expect a full customer release in Q3. Within the dashboard you can explore a wealth of data and enhanced forensics and analysis capabilities.
This new Forensics module can be found in the left menu, under the Products section:
This new module collects statistics from the other agent-based Heimdal™ products/modules (Threat Prevention Endpoint, Next-gen AV, PAM, App Control), as well as data on memory usage, and compiles all of this into a "one stop shop" view that will ease the life of IT administrators.
In the Endpoint Settings area, under the General tab, Admin Settings, there are two checkboxes (Enable Forensics and Enable Memory Management) that must be activated for the module to work (note: please contact our Support department to enable or disable these two checkboxes).
In the dedicated Forensics module page, the Heimdal™ Dashboard user can search the data (displayed in a table) by process name, process ID, hostname or remote IP. Data can also be ordered by process name, hostname, source and score. "Download CSV" exports a CSV report with all data available for the specified timeframe.
If the customer has the App Control licensing option enabled, they will be able to create rules for one alert at a time.
For some processes (those for which we could compute the MD5 hash), a VirusTotal link is shown in the grid. Please note that not all alerts have a valid VirusTotal link, since VirusTotal data is missing for some of them. Treat a VirusTotal verdict as supporting evidence rather than proof: MD5 is adequate as a lookup key but is not collision-resistant, and a file VirusTotal has never seen returns no verdict at all.
For processes with a process ID other than zero, clicking the process name takes the Dashboard user to a new page with more details about the selected process, as in the screenshot below:
On this page, the main details are shown in the upper-left. Below them, a graph displays the hierarchy of processes that spawned the current process.
For each process in the graph, the details on the right side of the page are updated with data for the selected node. In the screenshot above, "vlc-cache-gen.EXE" was selected. After switching to "explorer.exe", the content changed to:
For each process we monitor the network activity it performs and display all requests in the "Network Activity" grid in the lower-right. The other details presented are: the owner of the process, session ID, full path of the process, command-line arguments, thread count, total read operations and total write operations.
In the "Active Clients" details view, a new tab dedicated to the Forensics module was added. The new structure looks like this:
The Forensics tab contains two sub-tabs: one for the alert view for the specified client/hostname, and one for memory usage statistics.
The first sub-tab lists all alerts gathered from the other agent-based Heimdal modules/products for the current client/hostname. In this sub-tab the user cannot search the data, but can filter it, just as in the main view described above.
The second sub-tab contains the list of all processes that were running in the selected timeframe.
If multiple processes are spawned under the same parent, as in the screenshot below, we take all processes with the same name and save only one record in the database:
For each process we save the owner, number of handles, number of threads, working set (in KB), peak working set (also in KB), total read operations and total write operations. In a situation like the screenshot above, we save only one instance of Chrome in the local database; for each saved property we sum the values of the child processes, except for the peak working set, where we take the maximum value.
Every 6 hours we take all the data saved in the local database and create an average snapshot that is sent to our servers. The snapshot contains average values for all saved properties, except the peak working set, where again we take the maximum value.
After sending the snapshot to the server, the local database is deleted.
We store average snapshots on our servers for only 7 days!
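The two aggregation steps described above (same-named children of one parent collapsed into a single record, then a periodic snapshot over the collected records), as an added worked example. This is illustration code, not Heimdal's agent code: the ProcSample record, the field names, the "instances" count (an addition not mentioned in the notes) and the sample process data are all assumptions; only the rules (sum counters across siblings, maximum for the peak working set, averages in the snapshot except the peak) come from the release notes.

```python
"""Forensics memory-statistics aggregation, as described in the release notes.

Added illustration, not Heimdal's code. Record layout and sample data are
assumptions; the rules are the ones stated in the notes.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class ProcSample:
    name: str
    parent_pid: int
    owner: str
    handles: int
    threads: int
    working_set_kb: int
    peak_working_set_kb: int
    read_ops: int
    write_ops: int


# Properties that are summed across siblings and averaged across snapshots.
SUMMED = ("handles", "threads", "working_set_kb", "read_ops", "write_ops")
PEAK = "peak_working_set_kb"


def aggregate_siblings(samples):
    """Collapse same-named children of one parent into a single record."""
    groups = defaultdict(list)
    for s in samples:
        groups[(s.parent_pid, s.name)].append(s)
    records = {}
    for (ppid, name), procs in groups.items():
        rec = {
            "name": name,
            "parent_pid": ppid,
            # Assumption: the owner of the first child is kept for the record.
            "owner": procs[0].owner,
            # Not in the notes, but cheap to keep: how many processes this
            # one record actually stands for.
            "instances": len(procs),
        }
        for field in SUMMED:
            rec[field] = sum(getattr(p, field) for p in procs)
        rec[PEAK] = max(getattr(p, PEAK) for p in procs)
        records[(ppid, name)] = rec
    return records


def snapshot(records):
    """Build the periodic snapshot for one process from the records collected
    in the window (the notes use a 6-hour window): averages for every saved
    property except the peak working set, which is the maximum seen."""
    if not records:
        raise ValueError("no records collected in the window")
    snap = {
        "name": records[0]["name"],
        "parent_pid": records[0]["parent_pid"],
        "owner": records[0]["owner"],
        "samples": len(records),
    }
    for field in SUMMED:
        snap[field] = mean(r[field] for r in records)
    snap[PEAK] = max(r[PEAK] for r in records)
    return snap


# Constructed sample data: three chrome.exe children of one parent plus an
# unrelated explorer.exe, then a later poll where one child has exited and
# memory usage spiked. All values are made up.
POLL_1 = [
    ProcSample("chrome.exe", 1000, "CORP\\alice", 100, 10, 50_000, 60_000, 5, 1),
    ProcSample("chrome.exe", 1000, "CORP\\alice", 200, 20, 70_000, 80_000, 10, 2),
    ProcSample("chrome.exe", 1000, "CORP\\alice", 300, 30, 90_000, 95_000, 15, 3),
    ProcSample("explorer.exe", 4, "CORP\\alice", 40, 8, 30_000, 35_000, 7, 4),
]
POLL_2 = [
    ProcSample("chrome.exe", 1000, "CORP\\alice", 150, 12, 60_000, 120_000, 8, 2),
    ProcSample("chrome.exe", 1000, "CORP\\alice", 250, 18, 80_000, 90_000, 12, 4),
]


def chrome_snapshot():
    """Run both polls through the pipeline and return the chrome.exe snapshot."""
    key = (1000, "chrome.exe")
    window = [aggregate_siblings(POLL_1)[key], aggregate_siblings(POLL_2)[key]]
    return snapshot(window)


if __name__ == "__main__":
    print(chrome_snapshot())
```

The point to keep in mind when reading the dashboard: because siblings are collapsed, one row can stand for many processes, so a handle or thread count is a total across all of them, and the averaged snapshot hides short spikes in everything except the peak working set.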
The dashboard view displays, for each unique process, the last snapshot saved in the database, as in the screenshot below:
The user can search by process name or username and filter by any field.
A detailed view is also available for each process, by clicking the process name.
In the detailed view, the user can see all average snapshots from the last 7 days (those calculated by the agent every 6 hours).
- Azure AD integration to retrieve the GP groups
This new functionality enables matching of group policies based on the AD groups the currently logged-in user belongs to.
- SAML 2.0 Dashboard Login
The SAML 2.0 Dashboard login functionality is now stabilized and available again in the new 2.5.350 RC version.
- Wake on LAN
The Wake on LAN (WOL) protocol allows devices to be woken from a sleep or hibernate state. WOL is not officially supported from soft off (full shutdown without a hibernation file), but the BIOS on some systems may support arming NICs for wake even though Windows is not involved in the process (this requires changes in the BIOS settings and differs from board to board).
In terms of functionality, a new checkbox was added in the Endpoint Settings, General tab, Additional Settings (see the screenshot below):
We also added two new options to the "Select what action to take" dropdown in the Active Clients section of the Heimdal Dashboard, which, when selected, will wake the selected client/hostname (or cancel the wake, if the machine has already been selected for WOL).
Wake on LAN DOES NOT work if the client:
- is on an IPv6 network (router changes are required to allow multicasting)
- is connected to the network through Wi-Fi
- uses a logical adapter for VPN (logical adapters have no MAC address)
- uses a docking station
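What the "wake" action actually has to put on the wire, as an added example (illustration code, not Heimdal's agent or dashboard code). It builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated 16 times), shows it being sent as an IPv4 UDP broadcast, and includes a small detector a network monitor can use to spot wake requests. UDP port 9 and the 255.255.255.255 broadcast address are conventional defaults assumed here; the MAC in the sample is made up.

```python
"""Wake-on-LAN magic packet: build, send, and detect.

Added illustration, not Heimdal's code. Port 9 and the limited broadcast
address are assumed defaults; the sample MAC is constructed.
"""
import re
import socket


def parse_mac(mac: str) -> bytes:
    """Accept AA:BB:CC:DD:EE:FF, AA-BB-CC-DD-EE-FF or AABBCCDDEEFF."""
    digits = re.sub(r"[:\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """6 x 0xFF synchronisation stream, then the MAC repeated 16 times (102 bytes)."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def is_magic_packet(payload: bytes):
    """Return the target MAC (bytes) if payload contains a well-formed magic
    packet, else None. The magic sequence may sit anywhere in the payload, so
    search for the sync stream and check for 16 identical MAC copies after it."""
    sync = b"\xff" * 6
    idx = payload.find(sync)
    while idx != -1:
        body = payload[idx + 6: idx + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6]
        idx = payload.find(sync, idx + 1)
    return None


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as an IPv4 UDP broadcast; returns the number of bytes sent.
    This touches the network, so it is deliberately not exercised by the test."""
    packet = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(packet, (broadcast, port))


# Constructed sample target; not a real device.
SAMPLE_MAC = "AA:BB:CC:DD:EE:FF"

if __name__ == "__main__":
    pkt = build_magic_packet(SAMPLE_MAC)
    print(len(pkt), pkt[:12].hex(), is_magic_packet(pkt).hex())
```

Two things follow from the packet format. The target is identified only by the MAC of a physical NIC, which is why a VPN logical adapter with no MAC address cannot be woken, and the packet goes out as an IPv4 broadcast, which is why an IPv6 segment needs router changes for multicast delivery. The packet also carries no authentication: anyone who can place a frame on the broadcast domain can wake the host, so treat wake traffic on a segment as something worth logging, which is what `is_magic_packet` is for.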
Heimdal™ Threat Prevention - Network:
A new Heimdal™ Threat Prevention – Network report is now available to the Dashboard user. The report contains statistics about blocked domains, the most infected categories, etc., and its delivery recurrence is customizable. It can be found under the Accounts section of the Heimdal Dashboard (as shown in the screenshot below).
Heimdal™ Threat Prevention Endpoint:
- Re-grouping of DarkLayer Guard™ Settings
A new section, called Compatibility Settings, has been created in the Endpoint Settings area, Threat Prevention, DarkLayer Guard™ tab. The new section contains the following (already existing) functionalities:
- Enable High compatibility mode
- Cisco Anyconnect/Fortinet compatibility mode
- DoH Compatibility mode
- Pause DarkLayer GUARD when Cisco Anyconnect or Fortinet is detected
Heimdal™ Privileged Access Management:
- Instant Dashboard to Agent communication
With this new functionality, the end user receives "instant" status pop-ups on the Agent, telling them whether the IT Admin has approved or denied their elevation request in the Dashboard. A prerequisite for this to work is activating the "Enable real time communication" feature (note: to activate it you need to contact our Support department).
- Allow end users to revoke the elevation
A new checkbox option was added in the Endpoint Settings area, Privileges & App Control, Privileged Access Management tab (visible only to IT Administrators). It gives the elevated end user the ability to revoke an existing session elevation.
There is also a new button in the Heimdal™ Agent that allows the end user to revoke (immediately de-escalate) the current session elevation. Once a user has started using their administrator session, the "ELEVATE" button in the Heimdal™ Privileged Access Management (PAM) tab (formerly Thor AdminPrivilege) of the agent's interface is replaced by a "REVOKE" button, as shown in the screenshot below.
The option is also available in the Heimdal™ Agent's modal menu, as displayed below.
Heimdal™ Endpoint Detection:
- Next-gen AV
1. Detect and disable Windows Defender ATP on Windows Server
If Heimdal™ Next-gen AV is installed on a Windows Server machine on which Windows Defender is also installed, the Windows Defender feature is automatically uninstalled and a restart is required (a Restart Required notification is shown in the Antivirus module of the client application) in order to stop the running Windows Defender service.
If Heimdal™ Next-gen AV is uninstalled, the Windows Defender feature is re-installed (only if it was installed prior to the Heimdal installation), but a restart is required for the Defender service to start (a Dashboard / Active Clients notification is generated; see the screenshot below). Until that restart the server runs without either engine's real-time protection, so schedule the reboot immediately after removal.
2. Add False Positive Control option to the Next-gen AV Settings
A new checkbox was introduced in the Next-gen Antivirus Settings, enabling the dashboard user to control the "False Positive Control" feature of the antivirus engine.
If enabled, this feature protects "clean" files that the antivirus engine might otherwise treat as malware: before a detection is quarantined, a request is made to the cloud to determine whether the file is actually malware or merely looks like malware but is in fact safe. If that additional check deems the file safe, it is not quarantined.
If this option is disabled and a scanned file is detected as malware, it is quarantined without any additional checks. Please note that the real-time engine does not pick up this option automatically when the GP is updated; it continues to work with its current settings until it is restarted. Also, since this feature makes a request to the cloud, an active internet connection is needed; check with Support how detections are handled when the cloud cannot be reached before enabling it on endpoints with intermittent connectivity.
3. Updated list of predefined profiles for Next-gen AV Exclusions
We updated the "Pre-defined Profiles" exclusion (from AV scanning) drop-down list, found in the Endpoint Settings, Endpoint Detection, Next-gen Antivirus tab, Exclusion List section, with the 7 profiles recommended by Microsoft: Domain Controller, Exchange Server, File and Storage Services, Microsoft SQL Server, MySQL Server, Print Server, RDP Server. As with any exclusion, apply a profile only to servers that actually run that role; every excluded path is a location that will not be scanned.
4. Re-grouping of Next-gen AV Settings
The General Settings area in the Endpoint Settings, Endpoint Detection, Next-gen Antivirus tab of the Heimdal Dashboard was split into two areas, General Settings and Antivirus Settings, as per the screenshot below:
Heimdal™ Email Security:
- Whitelist & blacklist based on E-mail Subject
In the Group Policy/Settings section of the Heimdal™ Email Security product, "Blacklist & Whitelist" sub-section, we added a dropdown called "TYPE" with two options:
- addition to the Blacklist or Whitelist based on Email Address, Domain or IP, or
- addition to the Blacklist or Whitelist based on E-mail Subject
Also, in the "Show Details" view of Email Security, Main tab, two new buttons are available: "Blacklist email based on subject" and "Whitelist email based on subject".
The "Select a domain" dropdown lists all individual domains for that Network GP, plus an option (first in the list) called "All domains", so that when one of the "BLACKLIST EMAIL BASED ON SUBJECT" or "WHITELIST EMAIL BASED ON SUBJECT" buttons is pressed, the command is applied either to an individual domain or to all domains in the network. Bear in mind that a subject line is chosen by the sender: a subject-based whitelist entry lets through any message carrying that subject, so keep such entries specific and prefer a single domain over "All domains".
- Updated Heimdal™ Next-gen AV engine
The Heimdal™ Next-gen Antivirus engine has been updated to the latest version, enhancing the detection capabilities and improving the previous functionalities.
- Optional Microsoft Updates are now received via Microsoft API
This change enables Dashboard users to deploy optional Windows Updates by activating the "Enable optional updates" checkbox, found in the Endpoint Settings, Patch & Assets, Microsoft Updates tab.
- Predictive DNS in Threat Prevention Endpoint (TPE) and Threat Prevention Network (TPN)
We've enriched the detection capabilities of our TPE & TPN products by adding a Predictive DNS functionality. Predictive DNS allows you to foresee a threat before you encounter it. By using Heimdal™'s neural-network AI capabilities, we protect you against domains that traditional DNS solutions would not see for another 2-3 weeks.
Heimdal™'s Predictive DNS allows you to proactively block malicious servers while they still look benign and before they are misused, with a success rate of more than 96%.
If you need help with anything, don’t hesitate to contact firstname.lastname@example.org