We want to inform you about the release of a new Heimdal™ Release Candidate Dashboard version, 2.5.370, which is now live. The Heimdal™ Release Candidate Agent will be available for download in the dashboard (“Guide” section, “Download and install” tab) starting Monday, August 9th 2021, and will be deployed on a roll-out basis during the upcoming week.
Here are the main features and improvements rolling in with the new 2.5.370 RC:
Flagship Feature
Heimdal™ App. Control, Privileged Access Management, Next Gen AV
- Zero-Trust Execution Protection
This new submodule will ensure protection against zero-hour threats compromising your environment.
The submodule can be activated from the Endpoint Settings section of the Heimdal™ Dashboard in three different places: the Privileges & App Control -> Application Control tab, the Privileges & App Control -> Privileged Access Management tab, and the Endpoint Detection -> Next-Gen Antivirus tab. Please note that enabling or disabling the submodule in any one of these three Settings areas takes effect in all three modules.
The following is a high-level description of how the new submodule enhances Heimdal™’s detection capabilities. As soon as a new process is started, if the corresponding file does not have a known/trusted signature, the Zero-Trust Protection module checks a bloom filter (data sets containing historical “intel” collected from the Heimdal™ Agent-based products/modules) to determine whether that application is benign, and either lets it run or “kills” it, based on the result of that check.
All processes intercepted by the Zero-Trust Protection submodule are displayed in the Heimdal™ Dashboard as a list/grid with the structure shown below (screenshot taken from the Endpoint Detection, Next Gen Antivirus & MDM module; the grid has the same structure and contains the same data in the other two modules, found under the Privileges & App Control product cluster).
The Status column shows the diagnosis returned by the bloom filter. There are three possible values: Allowed, Blocked, and Unknown. While the first two are self-explanatory, the “Unknown” status corresponds to processes that are not found in the bloom filter data sets. These processes are blocked and sent for further investigation to the Heimdal™ Security Support team. After review by our Support team, the processes receive a final status (Allowed or Blocked), which is reflected in the next bloom filter update (the update happens daily at 00:00 UTC).
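The bloom filter lookup and the three-way verdict described above, as an added illustration that is not Heimdal’s code: two filters (hashes of known-malicious and known-benign files) stand in for the intel data sets; a file whose hash is in neither is reported as Unknown, blocked and queued for review; and a reviewed verdict is folded back into the filters the way the daily update would publish it. The filter sizes, the check order, the signature-check parameter and all sample binaries are assumptions constructed for the example. It also shows the property a practitioner relies on here: a bloom filter never returns a false negative, so an Unknown verdict means the hash is definitely absent from the data set, whereas a hit can (rarely) be a false positive, which is why the malicious filter is consulted first.

```python
import hashlib


class BloomFilter:
    """Minimal bloom filter: k bit positions per key derived from one SHA-256 (double hashing)."""

    def __init__(self, size_bits: int = 1 << 16, n_hashes: int = 5):
        self.size = size_bits
        self.n_hashes = n_hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, key: str):
        digest = hashlib.sha256(key.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so the k positions differ
        for i in range(self.n_hashes):
            yield (h1 + i * h2) % self.size

    def add(self, key: str) -> None:
        for pos in self._positions(key):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, key: str) -> bool:
        # "Probably present": a set bit may belong to another key (false positive),
        # but a key that was added always has all its bits set (no false negatives).
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(key))


def file_sha256(data: bytes) -> str:
    """Hash of the executable's bytes: the key looked up in the intel data sets."""
    return hashlib.sha256(data).hexdigest()


def build_intel(benign_hashes, malicious_hashes):
    """Build the two filters from reviewed verdicts (stands in for the daily data-set update)."""
    benign, malicious = BloomFilter(), BloomFilter()
    for h in benign_hashes:
        benign.add(h)
    for h in malicious_hashes:
        malicious.add(h)
    return benign, malicious


def classify(file_hash: str, intel) -> str:
    """Three-way verdict. The malicious filter is consulted first so that a hash found in
    both filters (one hit being a false positive) fails closed."""
    benign, malicious = intel
    if file_hash in malicious:
        return "Blocked"
    if file_hash in benign:
        return "Allowed"
    return "Unknown"


def on_process_start(file_data: bytes, has_trusted_signature: bool, intel, review_queue: list):
    """Decision at process start. Returns (status, may_run).

    `has_trusted_signature` is an assumed input standing in for the signature check the
    text says precedes the filter lookup; signed binaries skip the lookup entirely.
    Unknown binaries are blocked and their hash is queued for analyst review.
    """
    if has_trusted_signature:
        return "Allowed", True
    file_hash = file_sha256(file_data)
    status = classify(file_hash, intel)
    if status == "Unknown":
        review_queue.append(file_hash)
    return status, status == "Allowed"


def apply_review(intel, file_hash: str, verdict: str) -> None:
    """Fold a reviewed verdict into the filters (what the 00:00 UTC update would publish)."""
    benign, malicious = intel
    (benign if verdict == "Allowed" else malicious).add(file_hash)


if __name__ == "__main__":
    # Constructed sample binaries; real data sets hold hashes of real files.
    intel = build_intel([file_sha256(b"constructed benign binary")],
                        [file_sha256(b"constructed malicious binary")])
    queue = []
    for blob in (b"constructed benign binary", b"constructed malicious binary", b"never seen before"):
        print(blob.decode(), "->", on_process_start(blob, False, intel, queue))
    # Analyst reviews the unknown hash; after the update it is no longer Unknown.
    apply_review(intel, queue.pop(), "Blocked")
    print("after review ->", on_process_start(b"never seen before", False, intel, queue))
```

Sizing note: with 65,536 bits and 5 hash functions the false-positive rate stays negligible for the handful of keys used here; a production data set would pick the bit array size from the expected number of hashes and the tolerated false-positive rate.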
If an application is blocked by the Zero-Trust Protection submodule, the Heimdal Agent displays a pop-up window notifying the end-user.
Heimdal™ Dashboard:
- Animated Dashboard homepage graphs
There is new functionality on our Dashboard homepage, meant to enhance the dashboard user experience and surface the most relevant data: if the dashboard user does not interact with any of the homepage graphs for at least 15 seconds, the graphs corresponding to the products’ submodules automatically cycle from submodule to submodule.
- Access Control List for Corp. Customer, Resellers, and Distributors
Given the greater granularity required for distinct and segregated control over Heimdal™ Dashboard functionality, we’ve implemented a dedicated set of claims (permissions) that allows our Corp. Customers and Partners (Resellers and Distributors) to achieve just that. The ACLs are part of the Accounts section of the Dashboard. A new tab called “Access Control” contains a table with the claims (permissions) that can be awarded to, or revoked from, user accounts in your organization. In order to award/revoke permissions (on their own and other accounts), the dashboard user needs to have the “Ability to edit (award/ revoke) user account permissions” claim enabled.
For existing Corp. Customers and Partners, accounts keep the same Heimdal™ Dashboard privileges (claims) as per their current roles and have the “Ability to edit (award/ revoke) user account permissions” claim enabled by default. For newly created Corp. Customers and Partners, the first account created (belonging to the IT admin of the Customer/Partner) has this claim enabled by the Heimdal™ staff member who created the account, and can subsequently edit account permissions for the other accounts in their organization.
Heimdal™ Threat Prevention Endpoint:
- Improved Threat to Process Correlation accuracy
When enabled, this functionality (a check box found in the Endpoint Settings, Threat Prevention, DarkLayer Guard™ tab) improves the accuracy of our TTPC (Threat to Process Correlation) in identifying the process(es) that triggered a malicious DNS query blocked by DarkLayer Guard™.
To do so, we leveraged an established Microsoft technology, Sysmon, a system monitoring tool that intercepts each call made to the network board driver and logs it to the Windows event log (viewable in “Event Viewer”). Each time DLG blocks a domain, we “ask” Sysmon for the process ID that made the request and display the information in the DarkLayer Guard™ Endpoint “Latest Threats” & “TTPC” views.
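The correlation step described above, as an added example that is not Heimdal’s code: it parses exported Sysmon Event ID 22 (DnsQuery) records and matches a DarkLayer Guard style block record to the process that issued the query for that domain closest in time. The field names (UtcTime, ProcessId, QueryName, Image, User) are the ones Sysmon writes for this event; the XML records, the block record, the PIDs, paths, users, domains and the 5-second matching window are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SYSMON_DNS_QUERY = "22"  # Sysmon Event ID 22: DnsQuery

# Constructed sample: three Sysmon DNS events in the shape of an export from the
# Sysmon operational log. Field names are Sysmon's; all values are made up.
SAMPLE_EVENTS_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
 <EventData>
  <Data Name="UtcTime">2021-08-09 09:40:00.000</Data>
  <Data Name="ProcessId">2002</Data>
  <Data Name="QueryName">bad-domain.example</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="User">CORP\bob</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
 <EventData>
  <Data Name="UtcTime">2021-08-09 10:15:02.118</Data>
  <Data Name="ProcessId">4321</Data>
  <Data Name="QueryName">bad-domain.example</Data>
  <Data Name="Image">C:\Users\alice\AppData\Local\Temp\updater.exe</Data>
  <Data Name="User">CORP\alice</Data>
 </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
 <EventData>
  <Data Name="UtcTime">2021-08-09 10:15:02.500</Data>
  <Data Name="ProcessId">1188</Data>
  <Data Name="QueryName">www.example.com</Data>
  <Data Name="Image">C:\Program Files\Browser\browser.exe</Data>
  <Data Name="User">CORP\alice</Data>
 </EventData>
</Event>
</Events>"""

# Constructed block record in the spirit of a DarkLayer Guard block: the domain and when.
SAMPLE_BLOCK = {"domain": "BAD-DOMAIN.example", "utc_time": "2021-08-09 10:15:02.300"}


def parse_utc(text: str) -> datetime:
    """Sysmon's UtcTime format: 'YYYY-MM-DD HH:MM:SS.mmm'."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def parse_sysmon_dns_events(xml_text: str) -> list:
    """Return the Event ID 22 records as dicts; other event IDs are skipped."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != SYSMON_DNS_QUERY:
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        events.append({
            "time": parse_utc(data["UtcTime"]),
            "pid": int(data["ProcessId"]),
            "image": data["Image"],
            "user": data.get("User", ""),
            "query": data["QueryName"].rstrip(".").lower(),  # DNS names are case-insensitive
        })
    return events


def correlate_block(block: dict, events: list, window_seconds: float = 5.0):
    """Find the DNS query event for the blocked domain closest in time to the block.

    Returns the event dict, or None when no query for that domain fell inside the window
    (for instance Sysmon was not running, or the query came from another host).
    """
    when = parse_utc(block["utc_time"])
    window = timedelta(seconds=window_seconds)
    wanted = block["domain"].rstrip(".").lower()
    candidates = [e for e in events
                  if e["query"] == wanted and abs(e["time"] - when) <= window]
    if not candidates:
        return None
    return min(candidates, key=lambda e: abs(e["time"] - when))


if __name__ == "__main__":
    hit = correlate_block(SAMPLE_BLOCK, parse_sysmon_dns_events(SAMPLE_EVENTS_XML))
    print(f"{SAMPLE_BLOCK['domain']} blocked; query issued by PID {hit['pid']} "
          f"({hit['image']}) as {hit['user']}")
```

The time window matters: the same domain was also queried 35 minutes earlier by a different process, and without the window that older event would be a plausible but wrong attribution.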
- VectorN™ Detection engine rework
A complete reimplementation of the codebase of our AI/ML-driven DNS pattern recognition detection engine has been performed, leading to improved efficiency and more persistent data. Enhancements were also applied to the processing patterns and to the mailing and export jobs.
Heimdal™ Endpoint Detection, NextGen Antivirus & MDM:
- Addition of Heuristic settings in the Next-Gen AV product
In the Endpoint Settings, Endpoint Detection, NextGen Antivirus tab, Antivirus Settings area, we added a new check box which, if enabled, improves the AV’s ability to detect unknown viruses: we analyze the affected code and scan for virus-specific functions/behavior.
Once the functionality is enabled, a drop-down list appears, allowing the dashboard user to set the “aggressiveness” of the Heuristic Detection Level (default: “Medium”).
- Option to apply Global AV exclusions by Directory name/path
In the Endpoint Detection, NextGen Antivirus & MDM, “Latest Infections” and “Quarantine” views, when a machine is selected, we added the possibility, in the “Select what action to take” drop-down list, to perform file exclusions by directory name/path (in addition to the existing “by filename” and “by file path” Global Exclusions options).
- Option to apply Global process exclusions by Directory name/path
In the Endpoint Detection, Ransomware Encryption Protection, “Latest Detections” view, when a machine is selected, we added the possibility, in the “Select what action to take” drop-down list, to perform process exclusions by directory name/path (in addition to the existing “by filename” and “by file path” Global Exclusions options).
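Directory-based exclusions, as offered by the two options above (AV file exclusions and Ransomware Encryption Protection process exclusions), are only as safe as the path comparison behind them. The following added example (not Heimdal’s code; the exclusion list and every path are constructed) contrasts a naive string-prefix match with a component-wise match on normalised Windows paths, and shows the two classic failure modes of the naive form: `C:\...\Vendor` silently matching the sibling `C:\...\Vendor2`, and a `..` segment escaping the excluded directory while still passing the prefix test.

```python
import ntpath


def _normalise(path: str) -> str:
    """Canonical Windows form: backslashes, lower case, '.'/'..' resolved, no trailing separator.
    ntpath is available on every platform, so this also runs on a Linux analysis box."""
    return ntpath.normcase(ntpath.normpath(path)).rstrip("\\")


def naive_is_excluded(path: str, excluded_dirs) -> bool:
    """How NOT to do it: a plain prefix test ignores directory boundaries and path spelling."""
    return any(path.lower().startswith(d.lower()) for d in excluded_dirs)


def is_excluded_by_directory(path: str, excluded_dirs) -> bool:
    """True only if `path` lies inside one of `excluded_dirs`, respecting directory boundaries."""
    parts = _normalise(path).split("\\")
    for directory in excluded_dirs:
        dir_parts = _normalise(directory).split("\\")
        # Strict prefix in path components: the file must sit below the directory,
        # so 'c:\vendor' never matches 'c:\vendor2\...' and never matches itself.
        if len(dir_parts) < len(parts) and parts[:len(dir_parts)] == dir_parts:
            return True
    return False


def compare(path: str, excluded_dirs) -> dict:
    """Both verdicts side by side, for the demonstration below."""
    return {"naive": naive_is_excluded(path, excluded_dirs),
            "strict": is_excluded_by_directory(path, excluded_dirs)}


if __name__ == "__main__":
    EXCLUDED = [r"C:\Program Files\Vendor"]  # constructed exclusion list
    samples = [
        r"C:\Program Files\Vendor\tool.exe",                  # inside: both say excluded
        r"c:/program files/vendor/sub/tool.exe",              # same dir, different spelling
        r"C:\Program Files\Vendor2\dropper.exe",              # sibling dir: naive wrongly excludes
        r"C:\Program Files\Vendor\..\Vendor2\dropper.exe",    # traversal: naive wrongly excludes
    ]
    for p in samples:
        print(f"{p:55} {compare(p, EXCLUDED)}")
```

The wider the excluded directory (a user-writable temp folder, say), the more scanning coverage is given up, so exclusions are best kept to the narrowest directory that resolves the false positive.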
Heimdal™ Privileged Access Management:
- PAM Compliance View
This feature consists of a brand-new tab in the PAM area of the Heimdal™ Dashboard, which provides PUBA (Privileged User Behavior Analytics) data to dashboard users. It adds even more compliance flavor to the module, showing information about users that had session or file escalations during the selected time frame, the local and/or AD groups they are part of, the domain the users belong to, and whether the users are Admins (if so, we also display the reasons why).
- Restrict elevation for users not pertaining to a pre-defined local group
This feature prevents end-users that are not part of a specified local group from using PAM elevations. It can be enabled from the Endpoint Settings, Privileges & App Control, Privileged Access Management tab, Group Settings section by checking the dedicated tick box, “Map users to group”. Once enabled, the text field “Group Name” appears and the dashboard user can enter a local group; only end-users who are members of that group may request elevations.
If the end-user is not part of the defined local group when trying to elevate, the Heimdal™ Agent displays the pop-up notification shown below:
Heimdal™ Email Security:
- Outbound Domain Relay Region Redirection
A new option was added to the Network Settings, Email Protection, Email Security, Add/edit domain section of the Heimdal™ Dashboard. The option is called “Outbound Relay Region Redirection” and, if enabled, allows the dashboard user to select which outbound domain to relay through which email server, based on geographic region (for the moment, the option is only applicable to the US region).
- Sender Rewriting Scheme (SRS) Email Security option
This new functionality, a check box found in the Network Settings, Email Protection, Email Security, Additional Domain Settings area of the Heimdal™ Dashboard, if enabled, rewrites the “From” address (“Envelope From”) of all inbound emails (please note that the “From” header/“Display From” address shown by email clients remains unchanged). The feature removes the need for Customers to whitelist the Heimdal™ Security MX Record IP in their organization’s email server (this feature can be enabled/disabled only by our Support department).
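For readers who want to see what an “Envelope From” rewrite of this kind looks like, the following is an added example of the Sender Rewriting Scheme in its SRS0 form, written in Python; it is not Heimdal’s implementation, and the secret, relay domain, day counter and addresses are constructed. The rewritten return path lives in the relaying domain, so the receiving server’s SPF check evaluates the relay’s own domain rather than the original sender’s (whose SPF record would not list the relay); bounces sent to the rewritten address are validated (HMAC and timestamp) and unwrapped back to the original sender, and anything forged or stale is dropped.

```python
import base64
import hashlib
import hmac

SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # alphabet used by SRS timestamps
HASH_CHARS = 4                                      # common SRS default hash length
MAX_AGE_DAYS = 21                                   # bounces older than this are rejected


def srs_timestamp(day_number: int) -> str:
    """Two base32 characters encoding the day counter modulo 1024 (about 2.8 years)."""
    d = day_number % 1024
    return SRS_BASE32[(d >> 5) & 31] + SRS_BASE32[d & 31]


def srs_hash(secret: bytes, timestamp: str, domain: str, local: str) -> str:
    """HMAC-SHA1 over the case-folded timestamp, original domain and local part, truncated."""
    msg = (timestamp + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:HASH_CHARS]


def srs_forward(envelope_from: str, relay_domain: str, secret: bytes, day_number: int) -> str:
    """Rewrite user@sender.example to SRS0=HHHH=TT=sender.example=user@relay.example."""
    local, _, domain = envelope_from.rpartition("@")
    ts = srs_timestamp(day_number)
    return f"SRS0={srs_hash(secret, ts, domain, local)}={ts}={domain}={local}@{relay_domain}"


def srs_reverse(address: str, secret: bytes, day_number: int):
    """Unwrap an SRS0 address (e.g. from a bounce) to the original envelope sender.

    Returns None if the address is not SRS0, the timestamp is malformed or older than
    MAX_AGE_DAYS, or the hash does not verify (forged or tampered bounce).
    """
    local, _, _relay = address.rpartition("@")
    fields = local.split("=", 4)   # maxsplit keeps any '=' inside the original local part
    if len(fields) != 5 or fields[0] != "SRS0":
        return None
    _, given_hash, ts, domain, orig_local = fields
    if len(ts) != 2:
        return None
    try:
        ts_value = SRS_BASE32.index(ts[0]) * 32 + SRS_BASE32.index(ts[1])
    except ValueError:
        return None
    if (day_number % 1024 - ts_value) % 1024 > MAX_AGE_DAYS:
        return None
    expected = srs_hash(secret, ts, domain, orig_local)
    if not hmac.compare_digest(given_hash.encode(), expected.encode()):
        return None
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    SECRET, RELAY, TODAY = b"constructed-secret", "relay.example", 18848  # constructed values
    rewritten = srs_forward("alice@sender.example", RELAY, SECRET, TODAY)
    print("rewritten :", rewritten)
    print("unwrapped :", srs_reverse(rewritten, SECRET, TODAY))
    print("bad secret:", srs_reverse(rewritten, b"other-secret", TODAY))
    print("too old   :", srs_reverse(rewritten, SECRET, TODAY + 30))
```

Only the envelope sender is touched, which matches the note above that the “From” header shown by mail clients is left alone; the HMAC is what stops a third party from minting SRS0 addresses that the relay would happily unwrap and forward.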
Other improvements & fixes:
- Enhanced Reseller Master Group Policy
Changes to the Reseller Master Group Policy have been introduced (at Customer level only): the Customer can add new Group Policies (besides the Master GP) and can edit existing Group Policies (except the Master GP); Customer Group Policies are now “active” and the Customer can change the GP priorities (policies are applied on the endpoints according to the established priorities).
- “DNS server response validation” check box in DarkLayer Guard™ Settings
We introduced a new check box in the Endpoint Settings, Threat Prevention, DarkLayer Guard™, Compatibility Settings area which, if enabled, allows DarkLayer Guard™ to test your DNS resolvers and rotate them if any of them fails.
- Proxy fallback system implementation
We implemented a fallback system for the manual proxy. If a manual proxy is set but not reachable, the fallback makes the call through the system proxy, and then with no proxy, to ensure that the Heimdal™ Agent can communicate with our core services.
- Fix related to the Application Control .csv file
The issue where the App. Control .csv file was empty when downloaded from the App. Control views has been fixed.
- Threat Prevention Network sorting and search issues have been fixed
In the various views of the Threat Prevention Network module there were some filtering issues (sort by Hits and Total Hits, search by Threat Type, search by Client IP, etc.). All of these have been identified and fixed.
If you need help with anything, don’t hesitate to contact corpsupport@heimdalsecurity.com.