In this article, you will learn everything you need to know about the way to configure perimeter products: Threat Prevention Network and Email Security.
In order to set up Threat Prevention - Network in the Heimdal Dashboard, you have to access the Network Settings section -> Threat Prevention tab.
DarkLayer Guard - turn on/off the Threat Prevention - Network module;
Log Agent logging - turn ON/OFF intercepted logs reporting within the HEIMDAL Dashboard;
Hybrid DNS - turn ON/OFF the HEIMDAL DNS Server that runs locally on the DNS Server to filter the DNS queries;
Domains Allowlist - allows you to allowlist a domain/sub-domain for the users in your network;
Domains Blocklist - allows you to blocklist a domain/sub-domain for the users in your network;
Block By Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Custom block pages - this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Threat Prevention - Network intercepts and blocks access to a malicious domain (or blocklisted domain):
Note: If you are using TPE and TPN, when it comes to allowlisting/blocklisting TPN will have priority. For example, if you blocklist a domain in TPN, but not in TPE, even if the endpoint has that domain allowlisted in the Group Policy, the user will get the block banner since TPN is the first to filter that domain.
Access Rule* - add your Public IP Address(es) to filter traffic through our DNS Servers. Here you can specify a Public IP Address or a Subnet;
FILL CURRENT IP - automatically add your current Public IP Address in the Subnet field, getting it ready for being added as an Access Rule.
- You can add an Access Rule only if you are logged in to the HEIMDAL Dashboard from the Public IP Address that you are trying to add as an Access Rule;
- You can only add /32, /31, and /30 subnets;
- If you need a wider range, please write to email@example.com;
- Once a new Access Rule is added for a Public IP Address or Subnet, it will be allowlisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Threat Prevention - Network.
*WARNING: Once a new Access Rule is added for a Public IP Address or Subnet, it will be allowlisted in our database. Removing it from the Access Rules will stop the filtering through our DNS Servers and could cause connectivity issues on your DNS Server if you are still forwarding traffic through the Threat Prevention - Network.
Log unknown hostnames - logs and displays unknown (N/A) hostnames in the Threat Prevention Network views (Standard view and Latest Threats view);
Log local domains - logs and displays intercepted local domains;
Policy check interval - sets the check interval of the Threat Prevention Log Agent;
Update Network Settings - updates all the configurations performed in the Threat Prevention Network module.
In order to set up Email Protection - Email Security in the HEIMDAL Dashboard, you have to log in and access the Network Settings section:
Email Security - enables the Email Security module;
Add Domain - allows you to add the domain that will be filtered by the Email Security engine;
Domain name - allow you to add a domain name (eg. heimdalsecurity.com);
Inbound Host - allows you to set your Inbound Mail Server Domain/Public IP, your Port and to choose a TLS option (eg. heimdalsecurity-com.mail.protection.outlook.com:25);
Outbound IP/Provider - allows you to set the Outbound SMTP Server by selecting one from the dropdown or adding the Public IP Address or domain name of the SMTP Server in the Public IP/Domain field;
Outbound Relay Region Redirection - allows you to configure a domain to redirect the outbound flow through a regional Email Security relay server (USA available at the moment). This is an option that helps when the domain(s) you are sending emails to is/are applying Geo-Location restrictions. (This feature is visible and can be configured only by the Support Team).
Additional Domain Settings
Put inbound delivery on pause - allows you to pause the inbound email delivery (the system will check every 15 minutes for any changes);
Recipient verification - this option allows the Email Security servers to verify if a recipient's email address exists before sending them an email. If a user does not exist, it will block the email before reaching the mail server. Recipient verification helps improve the spam block rate by using resources more efficiently. Usually, Exchange uses port 2525 for recipient (receipt) validation. (This feature is visible and can be configured only by the Support Team);
Block outbound Danish CPR number if no TLS transmission - this option will block outbound emails when a Danish CPR number is detected, even if the Force TLS (encrypted) transmission is enabled for any domains;
Always block outbound Danish CPR Number - scans the email for any Danish CPR number and blocks them if they include any Danish CPR Number;
DMARC** - checks if the incoming email comes from a sender that is authorized to send emails on behalf of the sending domain and that the email has not been modified in the delivery process;
SPF** - checks if the incoming email comes from a host that is authorized by the domain's administrators to send on behalf of the domain;
Sender Rewriting Scheme (SRS) - allows the Email Security engine to rewrite the Envelope From the address for all Inbound emails). The Header From field will remain unchanged. This feature bypasses the requirement to allowlist the HEIMDAL Email Security IP Addresses on your organization's Mail Server. This feature is recommended only in case of not being able to allowlist the HEIMDAL Email Security IP Addresses;
Block emails without TLS - allows you to tag, quarantine, and reject emails that are not transmitted through TLS. the quarantine will store the emails for 90 days, while the reject will not store them in any way;
Force TLS - encrypts the email message from Heimdal Security to the recipient's email server;
Force TLS transmission to any domain - encrypts the email message from Heimdal Security to the next-hop email server;
DKIM** Signing - allows you to generate and configure a DKIM Signature that will be included in the outbound email header; after generating it, the DKIM Signature needs to be validated through the Check DNS button with the DKIM Record specified on the domain DNS Settings; after validation, the configured selector can be enabled;
SEPO In - allows you to use the SEPO encryption service and delivers the email to the SEPO Inbound Scan Server;
SEPO Out - allows you to use the SEPO encryption service and checks CPR, Abnormal and Forced TLS delivery;
Block emails without TLS - allows you to intercept emails without TLS and choose whether to tag/block/quarantine them;
Anti Spam Settings
The Antispam Settings allow you to change the aggressiveness of the spam filter and to choose what actions to take on emails based on five different classification levels and scores between -0.1 and 100.
Enable Anti Spam Filtering - enables or disables the antispam filtering engine on the selected domain;
CLASSIFICATION - each email that is being filtered by the HEIMDAL Email Security module gets a classification from one of the Anti Spam engines. The emails can be classified as Confirmed Spam, High Possible Spam, Possible Spam, Suspected Spam, All other Emails;
SCORE LEVEL - allows you to customize a value between 0-100 that will serve as a limit for the action that will be taken on each email; a lower number/score will make the Anti Spam engine detect emails that are less likely to be spam, and a higher number will make the Anti Spam engine detect emails are likely to be spam;
ACTION - allows you to choose an action for every type of classification (Reject, Quarantine, Tag Subject, No Action).
- Reject will reject the email without storing it on the HEIMDAL Servers;
- Quarantine will quarantine the emails and will store them for 90 days on the HEIMDAL Servers;
- Tag will add a tag to the email’s existing subject: # Warning: Possible Spam or Fraud! #;
- No Action will make the emails pass unaltered through the Email Security engine.
- if the Score level is set to >= 3, emails that get a score level of 2 will not be flagged (they will be DELIVERED), while emails that get a score level of 3 or higher will be flagged as SPAM (they will be Tagged, Quarantined, Rejected or No Action, depending on the set Action);
- if the classification for Possible SPAMs has a set Score Level of 2 and an action of Quarantine, all emails that are tagged as "Possible SPAM" and have a Score Level equal or higher than 2 will be quarantined and flagged as SPAM in the Email Security view (within the HEIMDAL Dashboard).
In the Security Settings section, you can change the different Security Settings for Email Security.
Antivirus & Anti-Malware - allows you to activate or deactivate the malware & virus detection engines. This can be used to diagnose against false positives, in the event that Email Security detects legitimate emails and/or attachments as harmful, or containing malware;
Advanced Threat Protection (this feature is included in the Email Security Advanced licensing option) - allows you to activate or deactivate the detection systems against advanced threats. This can be used to diagnose false positives, in the event that detects legitimate emails and/or attachments as harmful or contain advanced threats.
Enable Email Security Advanced Threat Protection - enable/disable the Advanced Threat Protection, which detects new threats through Machine Learning and Dynamically developed detection mechanisms;
Enable Email Security Macro Analyzer -allows you to execute macros and scripts within emails in a sandboxed environment for analysis & detection;
Enable Email Security SHA256 Analyzer - this feature quickly checks the email blocked by Email Security Advanced Threat Protection against online malware analyst services Virustotal and Payload Security. This can be of use in gaining more information on a specific malware sample. Email Security generates a SHA256 hash checksum for each file detected as suspicious/bad/harmful/malicious. You can run the search or even download email parts through the Messaging Logs interface. To search & locate any email blocked by Email Security Advanced Threat Protection in Messaging Logs, you have to left-click the email and select Attachments. Here you will have the option to check the attachments checksum directly at VirusTotal or Hybrid Sandbox. You can download the full attachment for further investigation and analysis, but please be aware that downloading the full attachment can be a security risk (which also will be communicated via a dialogue box before potential download);
Email Security PDF Analyzer - executes PDF files and other container files within emails in a sandboxed environment for analysis & detection;
Enable Email Security Phishing Protection - enable or disable the detection systems against phishing emails. This can be used to diagnose against false positives, in the event that Email Security detects legitimate emails as phishing emails;
Force ATP scanning if released - allow the email to be scanned by the ATP Email Security engines, after being released from quarantine (due to previously having been detected by the Antivirus, Anti-Malware, and Anti Spam engines). An email that is not confirmed malicious by Advanced Threat Protection will be delivered but it will be flagged as Released to ATP. If Advanced Threat Protection confirms that the email is malicious, the email will be quarantined and the type will be changed from Released to ATP into ATP;
Action on Detection - allows you to configure the actions that will be taken by Email Security on emails containing threats, categorized by malware, ATP, and Phishing (None, Quarantine, Tag Subject, Reject);
Blocklist, Allowlist & Greylist
These functionalities will allow you to add email addresses, domains, IP Addresses, or Email Subjects to the Blocklist or to the Allowlist, thus regulating specific email senders your organization needs to always block or allow.
Blocklist - allows you to blocklist an email address, a domain, a sender IP Address that is sending emails to your domain or to blocklist an email based on the email subject and take action against them (Quarantined, Reject, Delete). If you want to edit an existing blocklisting rule, you can click the Pencil button:
In the Blocklist editor, you can edit the action that will be performed on the email matching the blocklist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (firstname.lastname@example.org) and blocklist the sender's domain (example.com), the email should be received by the recipient. Allowlisting an email based on the subject will NOT bypass the SPF/DMARC check even if it's disabled in the allowlist.
Allowlist - allows you to allowlist an email address, a domain, a sender IP Address that is sending emails to your domain or to allowlist an email based on the email subject and can be customized to bypass different scanning methods. Under normal circumstances, it is not advisable to allowlist sender IP Addresses, as this can provide open access for threats and spam in the event the sender's network or endpoints are compromised. If you want to edit an existing blocklisting rule, you can click the Pencil button:
In the Allowlist editor, you can edit the allowlisting settings performed on the email matching the allowlist rule and you can leave a note for any HEIMDAL Dashboard Administrator that will go through these settings.
- SPF/DMARC scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for SPF/DMARC scanning;
- Spam scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for Spam scanning;
- Virus scanning - while unticked, the specified email address/domain/IP Address will be allowlisted for Virus scanning;
- Attachment detection - while unticked, the specified email address/domain/IP Address will be allowlisted for attachment scanning;
- Advanced Threat Protection - while unticked, the specified email address/domain/IP Address will be allowlisted for Advanced Threat Protection scanning;
- Non-TLS block - while unticked, the specified email address/domain/IP Address will allow emails that are not sent with TLS;
- Check Header - while enabled, the header sender information will be checked. The SPF/DMARC scanning engine will not be allowlisted for security reasons.
The Allowlist takes precedence over the Blocklist, so, if you allowlist the sender's email address (email@example.com) and blocklist the sender's domain (example.com), the email should be received by the recipient.
Domain greylist threshold - allows you to enable and set the domain greylisting interval from 1 to 90 days. Domain Greylisting will collect and store data on sending domain names for the number of days set on the threshold slider. This feature works in conjunction with the Tag greylisted emails, which adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). We recommend having the Domain greylist threshold activated for at least 30 days prior to enabling the Tag greylisted emails option for better data collection. Also, know that the data collection on sending domain names will be done if all the above conditions are met:
- recipient's domain is not the same as the sender's domain;
- sender's domain is not in the list of the common domains;
- sender's domain was not allowlisted.
Tag greylisted emails - adds a tag (# Unknown domain: Possible spam/phishing mail #) in the Subject field of each email that is coming from a sender's domain name that has not been sending emails to your organization in the last 1 to 90 days (according to the value set on the Domain greylist threshold). Each email will be scanned in the background.
This feature will allow you to change the different settings for an email with attachments. The attachment filters can be enabled for specific file extensions. As an increasing number of threats are trying to bypass email filters by filename and/or file parser manipulation, Email Security also provides an advanced attachment filter, based on inspection and analysis of each attached file. The advanced attachment filter will also safeguard against users renaming or manipulating their files to bypass policies your organization has set up for allowable file types for email transmission.
- Executables - allows you to intercept and take action on emails with attached executable files (EXE files);
- Dangeours files - allows you to intercept and take action on emails with attached files with the following file extensions: .ac .air .apk .app .applescript .awk .bas .bat .cgi .chm .cmd .com .cpl .crt .csh .dld .dll .drv .elf .exe ._exe .fxp .hlp .hta .inf .ins .inx .isu .iqy .jar .js .jse .jsp .kix .ksh .lib .lnk .mcr .mem .mht .mpkg .mrc .ms .msc .msi .msp .mst .ocx .pas .pcd .pif .pkg .pl .prc .prg .py .pyc .pyo .reg .scpt .scr .sct .seed .sh .shb .shs .spr .sys .thm .tlb .udf .url .uue .vb .vbe .vbs .vdo .wcm .ws .wsc .wsf .wsh .xap .zlq;
- Password Protected Files - allows you to intercept and take action on emails with attached files that are password protected (usually archives);
- Multiple file extensions - all the emails having attachments made of more than one extension will be handled based on the selected Action on Detection;
- Filtering by Extension - allows you to define your own file extensions to be filtered by the Email Security engine. Please note that threats in attachments are masked by false file extensions when compared to the real content of the attachment. This feature works only for the Inbound mail flow and will block emails including external attachments;
- Add Extension - allows you to add a file extension (E.g. exe, without the dot [.] in front of the file extension);
This feature allows you to change the notification settings for emails that have been sent to quarantine by Email Security. Depending on the configuration, Email Security sends email notifications to the users that receive emails that are quarantined, but also allows Administrators to receive email notifications about the emails that are quarantined in your organization. You can select what types of quarantined emails to add to the report, and also define if it’s possible to preview and release the emails directly from the Quarantine Report.
General Quarantine Report Settings - allows you to set a sending schedule for the Quarantine Report. It can be configured for daily sending, weekly sending, or hourly sending;
View & Edit Quarantine Report - allows you to set the limits of the classification to be included in the Quarantine Report;
- View & Edit Template - allows you to customize the way the Quarantine Report header and footer look like;
- Spam limits - allows you to define the Score Level interval for each Spam Classification to be included in the Quarantine Report;
- Test report - this feature allows you to send a test Quarantine Report to an email address that you specify;
Admin Quarantine Report by Email - allows you to enable the Quarantine Report for Administrators only. This report includes all quarantined emails from within your organization in one complete Quarantine Report. You can add one or more recipients using the Receivers field (comma-separated list). To avoid spam-releasing conflicts, enabling this feature will disable the User Quarantine Report;
User Quarantine Report by Email - allows you to enable the User Quarantine Report to be sent to recipients of quarantined emails. The users who do not receive any quarantined emails will not receive a User Quarantine Report. To avoid spam-releasing conflicts, enabling this feature will disable the Admin Quarantine Report;
Advanced Threat Protection - allows you to define what type of quarantined emails should be included in the Quarantine Report (Spam, Malware, ATP, Attachment, SPF, Non-TLS) and to enable whether to Preview, Release, or Allow the Sender right from the quarantined email right from the Quarantine Report notification.
This feature allows you to set a limit for the Outgoing email flow in terms of minute rate and daily rate:
Outbound minute rate - allows you set an outbound minute rate of 10 to 200 minutes;
Outbound daily rate - allows you to set an outbound daily rate of 500 to 10,000 emails per day;
All the emails that exceed the limit will be rejected.
SMTP AUTH USERS
This feature allows you to add an SMTP Authenticated User for a Printer or a Copy-Machine to send out emails through Email Security. To use this feature you need to specify a username, a password, and the IP Address:
- Username: smtp (or any other username)
- Password: <your-password>
- Confirm Password: <confirm-your-password>
- IP Address: <your-IP-Address>
Press Add, then Save changes and Update Nework Settings.
To test the SMTP Auth feature, you can open a PowerShell window and run the following command:
Send-MailMessage -From 'firstname.lastname@example.org' -To 'email@example.com' -Subject 'Test Email' -Body 'Testing the SMTP Relay Service' -SmtpServer 'eu-esec-outbound.heimdalsecurity.com' -Usessl -Port 587 -Credential (Get-Credential)
You will be prompted to insert the credentials (firstname.lastname@example.org* and password) you added in the HEIMDAL Dashboard.
* - Although in the Heimdal Dashboard, the username does not include the domain, in the authentication popup you are required to specify the domain.
This feature consists of a popping modal that will allow you to copy the settings from the domain that is being edited to another domain (or multiple domains) configured in the Email Security module. It is important to know that the domain that is being edited will include the changes you already applied on each tab.