We want to inform you about the release of a new Heimdal™ Production Dashboard version, 2.5.373, that is now live. The Heimdal™ Production Agent will be available for download in the dashboard (“Guide” section, “Download and install” tab) starting Monday, September 20th, 2021, and will be deployed on a roll-out basis during the following week.
Here are the main features and improvements rolling in with the new 2.5.374 PROD:
Flagship Feature
Heimdal™ App. Control, Privileged Access Management, Next-Gen AV:
- Zero-Trust Execution Protection
This new submodule protects against zero-hour threats compromising your environment. It can be activated from the Endpoint Settings section of the Heimdal™ Dashboard in three places: the Privileges & App Control -> Application Control, Privileges & App Control -> Privileged Access Management, and Endpoint Detection -> Next-Gen Antivirus tabs (note that enabling or disabling the submodule in any one of these three Settings areas takes effect in all three modules).
In short, the new submodule extends Heimdal™’s detection as follows: as soon as a new process starts, if the backing file does not carry a known, trusted signature, the Zero-Trust Protection module looks it up in a bloom filter (data sets built from historical “intel” collected by the Heimdal™ Agent-based products and modules) to decide whether the application is benign, and either lets it run or kills it based on the result of that check. Since a bloom filter is a probabilistic set-membership structure, a “not present” answer is exact while a “present” answer can be a false positive; the quality of the verdict therefore rests on the curated data sets and their update cadence rather than on the filter itself.
All the processes that are intercepted by the Zero – Trust Protection submodule will be displayed, in the Heimdal™ Dashboard, as a list/ grid having the below structure (screenshot taken from the Endpoint Detection, Next-Gen Antivirus & MDM module; nevertheless, the grid has the same structure and contains the same data in the other two modules, found under Privileges & App Control product cluster).
In the status column we display the verdict returned by the bloom filter lookup. There are three possibilities: Allowed, Blocked, and Unknown. The first two are self-explanatory; the “Unknown” status corresponds to processes that are not found in the bloom filter data sets. These processes are blocked and sent to the Heimdal™ Security Support team for further investigation. Once reviewed by Support, the processes receive a final status (Allowed or Blocked), and that final status is reflected in the next bloom filter update (updates happen daily at 00:00 UTC).
In case an application is blocked by the Zero – Trust Protection submodule, the Heimdal Agent will display a pop–up window notifying the end-user of this aspect.
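The following is an added illustration of how the three verdicts above can fall out of bloom filter lookups; it is not Heimdal's code and the page does not describe the real filter's layout. It assumes, for the sake of the example, that lookups are keyed on the SHA-256 of the executable and that one filter holds known-benign hashes and one holds known-malicious hashes. The sample "files", filter sizes and error rate are constructed for the demo.

```python
"""Added example, not Heimdal's code: two Bloom filters producing the
Allowed / Blocked / Unknown verdicts for a file hash.

Assumptions (not stated on the page): lookups are keyed on the SHA-256 of the
executable, one filter holds known-benign hashes and one holds known-malicious
hashes. Sizes, hash counts and the sample files are constructed for this demo.
"""
import hashlib
import math


class BloomFilter:
    """Minimal Bloom filter: 'in' never gives a false negative, may give a false positive."""

    def __init__(self, expected_items: int, false_positive_rate: float) -> None:
        # Standard sizing: m bits and k hash functions for the target error rate.
        self.m = max(8, int(-expected_items * math.log(false_positive_rate) / math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item: bytes):
        # Kirsch-Mitzenmacher double hashing: k positions from one SHA-256 digest.
        digest = hashlib.sha256(item).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        for i in range(self.k):
            yield (h1 + i * h2) % self.m

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item: bytes) -> bool:
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def file_sha256(contents: bytes) -> bytes:
    return hashlib.sha256(contents).digest()


def verdict(file_hash: bytes, allowed: BloomFilter, blocked: BloomFilter) -> str:
    """Map two membership answers onto the three dashboard statuses.

    The blocked set is consulted first so that a false positive there fails
    closed. 'Unknown' (in neither set) is also blocked per the release notes
    and escalated for review; it is only distinguished here for reporting.
    """
    if file_hash in blocked:
        return "Blocked"
    if file_hash in allowed:
        return "Allowed"
    return "Unknown"


def demo_verdicts() -> dict:
    # Constructed sample "files": the bytes stand in for real PE images.
    samples = {
        "known_good.exe": b"MZ...constructed benign sample...",
        "known_bad.exe": b"MZ...constructed malicious sample...",
        "never_seen.exe": b"MZ...constructed unseen sample...",
    }
    allowed, blocked = BloomFilter(100, 0.001), BloomFilter(100, 0.001)
    allowed.add(file_sha256(samples["known_good.exe"]))  # from the daily intel set
    blocked.add(file_sha256(samples["known_bad.exe"]))
    return {name: verdict(file_sha256(data), allowed, blocked) for name, data in samples.items()}


if __name__ == "__main__":
    for name, status in demo_verdicts().items():
        print(f"{name}: {status}")
```

The order of the two lookups matters: checking the blocked set first means a false positive costs a benign file an unnecessary block and review, whereas the opposite order could let a listed-malicious file run on a false positive in the allowed set.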
Heimdal™ Threat Prevention Network:
- Threat Prevention Network LogAgent
The newly released version includes the long-awaited Threat Prevention Network LogAgent feature, whose characteristics are described over the next few pages. The Threat Prevention Network LogAgent allows you to associate the IP addresses of the Allowed Requests and Prevented Attacks to the Hostnames on which the network filtering took place.
The Threat Prevention Network LogAgent is available for download and install in three ways:
- included in the Heimdal™ Agent .msi package (available for Windows Server versions);
- as a stand-alone downloadable archive and, then, using an install script (available for Linux Ubuntu equipped machines);
- as a stand-alone .msi package (available for Windows Server versions).
! Prerequisites for all download and install manners:
- Uninstall CSIS LogAgent
Installation via the Heimdal™ Dashboard – available only for Windows Server:
In the “Management” -> “Active Clients” section of the Heimdal™ dashboard, if an endpoint is running a Windows Server operating system, the “Enable DNS server” option is available, in the “Select what action to take” drop-down list.
By clicking on this command, the Threat Prevention Network LogAgent will be installed on that specific endpoint.
In case of installation via the Heimdal™ Dashboard, the LogAgent will be updated automatically, whenever a new version is available.
Manual install on Windows Server using a stand-alone .msi Installer – working only for Windows Server:
The Threat Prevention Network LogAgent can be manually installed by downloading the stand-alone .msi from the Heimdal™ Dashboard, Guide section -> Download and install tab and then, click “Install”. In case of manual install, through the stand-alone .msi, the LogAgent will be updated automatically, whenever a new version is available.
Manual install on Linux Ubuntu using an install script – working only for Ubuntu:
On Linux Ubuntu, the Threat Prevention Network LogAgent can be installed manually by downloading the .zip archive from the Heimdal™ Dashboard, Guide section -> Download and install tab, extracting it to a location of your choice and running “install-ubuntu.sh” from the extracted archive with sudo (root) privileges. When installed this way, the LogAgent is updated automatically whenever a new version is available.
Heimdal™ Dashboard:
- Animated Dashboard homepage graphs
There is new functionality on our Dashboard homepage, meant to enhance the dashboard user experience and provide the most relevant data. In case the dashboard user does not interact with any of the dashboard homepage graphs for at least 15 seconds, the graphs corresponding to the products’ submodules will automatically shift from submodule to submodule.
- Access Control List for Corp. Customer, Resellers, and Distributors
To provide the finer-grained, segregated control over Heimdal™ Dashboard functionality that Corp. Customers and Partners (Resellers and Distributors) require, we’ve implemented a dedicated set of claims (permissions). The ACLs are part of the Accounts section of the Dashboard: a new tab called “Access Control” contains a table of claims (permissions) that can be awarded to or revoked from user accounts in your organization. To award or revoke permissions (on their own and other accounts), the dashboard user needs the “Ability to edit (award/ revoke) user account permissions” claim. Because a holder of that claim can change their own permissions as well, it is effectively an administrative claim and should be granted sparingly.
In the case of the existing Corp. Customers and Partners, the accounts will keep the same Heimdal™ Dashboard privileges (claims) as per their current roles and will have the “Ability to edit (award/ revoke) user account permissions” claim default enabled. In the case of newly created Corp. Customers and Partners, the first created account (of the IT admin of the Customer/ Partner) will have the “Ability to edit (award/ revoke) user account permissions” claim enabled by the Heimdal™ staff who created the account and, subsequently, will be able to edit account permissions for the other accounts in their organization.
Heimdal™ Threat Prevention Endpoint:
- Improve Threat to Process Correlation accuracy
If enabled, this functionality (a check box in the Endpoint Settings, Threat Prevention, DarkLayer Guard™ tab) improves the accuracy with which TTPC (Threat to Process Correlation) identifies the process(es) that triggered a malicious DNS request blocked by DarkLayer Guard™. It is enabled by default for new Group Policies.
To do so, we leverage an established Microsoft technology, Sysmon (System Monitor), a Sysinternals system service and device driver that records process creation, network connections, DNS queries and other activity to the Windows event log (the Microsoft-Windows-Sysmon/Operational channel shown in “Event Viewer”). Each time DLG blocks a domain, the agent “asks” Sysmon which process issued the DNS request, using the DNS query event (Event ID 22) Sysmon records for that name, and displays the process information in the DarkLayer Guard™ Endpoint “Latest Threats” & “TTPC” views. Note that Sysmon only records DNS queries when its configuration includes a DnsQuery rule; without such events the correlation has nothing to match against.
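The correlation described above, as an added example that is not Heimdal's code: it parses exported Sysmon records, keeps the Event ID 22 (DnsQuery) ones, and matches a blocked domain to the query closest in time to the block. The field names (UtcTime, ProcessId, Image, QueryName, QueryStatus, QueryResults) are the ones Sysmon writes for Event ID 22; the event records, domains, paths, timestamps and the block time are constructed sample data.

```python
"""Added example, not Heimdal's code: correlating a DarkLayer Guard block of a
domain with the process that issued the DNS query, from Sysmon Event ID 22
(DnsQuery) records.

The Data Name fields are the ones Sysmon writes for Event ID 22. The records,
domains, paths, timestamps and the block time are constructed sample data.
"""
from datetime import datetime, timedelta
from typing import Optional
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed records in the XML shape Get-WinEvent exposes via .ToXml().
SAMPLE_EVENTS = [
    # Event ID 1 (process create) for the same pid: not a DNS event, ignored.
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-09-20 10:15:01.001</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\dropper.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-09-20 10:15:02.123</Data>
    <Data Name="ProcessId">4321</Data>
    <Data Name="QueryName">evil-c2.test</Data>
    <Data Name="QueryStatus">9003</Data>
    <Data Name="QueryResults">-</Data>
    <Data Name="Image">C:\Users\alice\AppData\Local\Temp\dropper.exe</Data>
  </EventData>
</Event>""",
    r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>22</EventID></System>
  <EventData>
    <Data Name="UtcTime">2021-09-20 10:15:02.400</Data>
    <Data Name="ProcessId">1200</Data>
    <Data Name="QueryName">www.vendor.test</Data>
    <Data Name="QueryStatus">0</Data>
    <Data Name="QueryResults">::ffff:203.0.113.10;</Data>
    <Data Name="Image">C:\Program Files\Browser\browser.exe</Data>
  </EventData>
</Event>""",
]

# Hypothetical timestamp at which the DLG driver reported the block.
BLOCK_TIME = datetime(2021, 9, 20, 10, 15, 2, 523000)


def parse_event(xml_text: str):
    """Return (event_id, {Data Name: value}) for one exported Sysmon event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=EVENT_NS))
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    return event_id, data


def dns_queries(xml_records):
    """Keep only Event ID 22 records, normalised for matching."""
    queries = []
    for record in xml_records:
        event_id, data = parse_event(record)
        if event_id != 22:
            continue
        queries.append({
            "time": datetime.strptime(data["UtcTime"], "%Y-%m-%d %H:%M:%S.%f"),
            "pid": int(data["ProcessId"]),
            "image": data["Image"],
            "query": data["QueryName"].lower().rstrip("."),
        })
    return queries


def correlate(blocked_domain: str, blocked_at: datetime, queries,
              window: timedelta = timedelta(seconds=5)) -> Optional[tuple]:
    """Pick the DNS query for blocked_domain closest in time to the block.

    The window matters because several processes may resolve the same name;
    without it the correlation would report whichever query came first.
    """
    wanted = blocked_domain.lower().rstrip(".")
    candidates = [q for q in queries
                  if q["query"] == wanted and abs(q["time"] - blocked_at) <= window]
    if not candidates:
        return None  # no Event 22 in range: Sysmon absent, or DnsQuery not configured
    best = min(candidates, key=lambda q: abs(q["time"] - blocked_at))
    return best["pid"], best["image"]


def demo(blocked_domain: str = "evil-c2.test", blocked_at: datetime = BLOCK_TIME):
    return correlate(blocked_domain, blocked_at, dns_queries(SAMPLE_EVENTS))


if __name__ == "__main__":
    print(demo())
```

A missing match is itself a signal worth surfacing: if every block comes back with no process, check that Sysmon is running and that its configuration actually emits DnsQuery events.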
- VectorN™ Detection engine rework
A complete codebase reimplementation of our AI/ML-driven DNS pattern recognition detection engine has been performed, leading to improved efficiency and more persistent data. Enhancements were applied to the processing patterns, mailing and export jobs.
- Threat Prevention Endpoint Full logging
The feature, part of the Threat Prevention Endpoint module, is meant to allow the dashboard user to view DNS data on both blocked DNS (Prevented Attacks), as well as on Allowed DNS Requests. The feature can be activated from the Endpoint Settings -> Threat Prevention -> DarkLayer Guard tab (see below screenshot).
In the Heimdal Dashboard, there is a dedicated Full Logging view (Threat Prevention Endpoint), containing 2 subviews:
- Hostname view displaying info categorized on: Hostname, Allowed Requests, Prevented Attacks, and Risk Level
- Domain View displaying info categorized on: Domain and Total Hits
The Domain view allows the dashboard user to filter the data on All queries, Prevented Attacks, Allowed Requests.
Raw data is displayed in the Active Clients -> Threat Prevention -> Full Logging tab. The data grid contains the following columns: Active Username, Domain, Threat Type, TTPC, Protocol, Date, and Status. This “Client Specifics” view, which is also reached by clicking the Hostname, Prevented Attacks or Allowed Requests info in the Hostname view, allows filtering on Prevented Attacks (default filter value) or Allowed Requests (please see below screenshot).
When the dashboard user clicks on the Total Hits info, from the Domain View, they are taken to a detailed view (see below screenshot) where they can white/ blacklist the domain and apply commands at workstation level (Quarantine, Add to storage), in case a malicious process (prevented attack) triggered the block.
Heimdal™ Endpoint Detection, Next-Gen Antivirus & MDM:
- Addition of Heuristic settings in the Next-Gen AV product
In the Endpoint Settings, Endpoint Detection, Next-Gen Antivirus tab, Antivirus Settings area, we added a new check box which, if enabled, extends detection to unknown viruses: rather than relying on known signatures alone, the engine analyses the code of scanned files for virus-specific functions and behaviour.
Post enabling the functionality, a drop-down list will appear, allowing the dashboard user to set the “aggressiveness” level of the Heuristic Detection Level (default set to “Medium”).
- Option to apply Global AV exclusions by Directory name/ path
In the Endpoint detection, Next-Gen Antivirus & MDM, “Latest Infections” and “Quarantine” views, when a machine is selected, we added the possibility, on the “Select what action to take” drop-down list, to perform file exclusions by Directory name/ path (besides the currently existing “by filename” and “by file path”, Global Exclusions options).
- Option to apply Global processes exclusions by Directory name/ path
In the Endpoint detection, Ransomware Encryption Protection, “Latest Detections” view, when a machine is selected, we added the possibility, on the “Select what action to take” drop-down list, to perform process exclusions by Directory name/ path (besides the currently existing “by filename” and “by file path”, Global Exclusions options).
Heimdal™ Privileged Access Management:
- PAM Compliance View
This feature consists of a brand-new tab in the PAM area of the Heimdal™ Dashboard that provides PUBA (Privileged User Behavior Analytics) data to dashboard users. It adds a further compliance dimension to the module, showing the users that had session or file escalations during the selected time frame, the local and/ or AD groups they belong to, the domain they belong to, and whether they are Admins (and, if so, the reasons why).
- Restrict elevation for users not pertaining to a pre-defined local group
This feature prevents end-users who are not members of a specified local group from using PAM elevations. It can be enabled from the Endpoint Settings, Privileges & App Control, Privileged Access Management tab, Group Settings section by ticking the dedicated box, called “Map users to group”. Once enabled, a “Group Name” text field appears in which the dashboard user enters a local group; only end-users that are members of that group can then request elevations.
In case the end-user is not part of the defined local group when trying to elevate, the Heimdal™ Agent will display the below pop–up notification:
Heimdal™ Email Security:
- Outbound Domain Relay Region Redirection
A new option was added to the Network Settings, Email Protection, Email Security, Add/ edit domain section of the Heimdal™ Dashboard. The option is called “Outbound Relay Region Redirection” and, if enabled, it will allow the dashboard user to select which outbound domain to relay through which email server, based on geographic regions (for the moment, the option is only applicable for the US region).
- Sender Rewriting Scheme (SRS) Email Security option
This new functionality, a check box in the Network Settings, Email Protection, Email Security, Additional Domain Settings area of the Heimdal™ Dashboard, when enabled rewrites the envelope sender (“Envelope From”, the SMTP MAIL FROM / Return-Path address) of all inbound emails relayed to your mail server; the “From” header (“Display From”) shown by email clients remains unchanged. SPF is evaluated against the envelope sender’s domain, so without SRS a message relayed by Heimdal™ reaches your server from a Heimdal™ IP that the original sender’s SPF record does not authorize; rewriting the envelope sender to a Heimdal™ domain makes that check pass and removes the need for Customers to whitelist the Heimdal™ Security MX Record IP in their organization’s email server. This feature can be enabled/ disabled only by our Support department.
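As an added illustration of what the rewrite does (not Heimdal's code, and not necessarily the parameters Heimdal's relay uses), the block below applies the SRS0 layout, SRS0=HHHH=TT=original-domain=original-local@relay-domain, to an envelope sender and reverses it on a bounce. The HMAC choice, hash length and bounce-age window are illustrative; the addresses, secret and day numbers are constructed.

```python
"""Added example, not Heimdal's code: Sender Rewriting Scheme (SRS0) on the
envelope sender of a relayed message, plus the reverse mapping the relay
applies to bounces so they reach the original sender.

The layout follows the SRS0 convention; HMAC algorithm, hash length and the
age window are illustrative, and all addresses, secrets and day numbers are
constructed.
"""
import base64
import hashlib
import hmac

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
MAX_AGE_DAYS = 21  # bounces carrying an older timestamp are rejected on reversal


def _timestamp(day: int) -> str:
    # Two base32 chars encode (day mod 1024): enough to bound bounce age.
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _hash(secret: bytes, timestamp: str, domain: str, local: str) -> str:
    # Keyed hash over the rewritten fields stops forged SRS addresses from
    # being reversed into arbitrary bounce targets.
    msg = (timestamp + domain + local).lower().encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest())[:4].decode()


def srs_forward(envelope_from: str, relay_domain: str, secret: bytes, day: int) -> str:
    """Rewrite local@domain to SRS0=HHHH=TT=domain=local@relay_domain."""
    local, domain = envelope_from.rsplit("@", 1)
    if local.startswith("SRS0="):
        raise ValueError("already rewritten; SRS1 chaining is out of scope here")
    ts = _timestamp(day)
    return f"SRS0={_hash(secret, ts, domain, local)}={ts}={domain}={local}@{relay_domain}"


def srs_reverse(address: str, secret: bytes, today: int) -> str:
    """Validate hash and age, then recover the original envelope sender."""
    local, _relay = address.rsplit("@", 1)
    tag, h, ts, domain, orig_local = local.split("=", 4)  # local part may contain '='
    if tag != "SRS0":
        raise ValueError("not an SRS0 address")
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad SRS hash")
    age = (today - ((B32.index(ts[0]) << 5) | B32.index(ts[1]))) % 1024
    if age > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-relay-secret"
    rewritten = srs_forward("alice@sender.test", "srs.relay.test", secret, day=18890)
    print(rewritten)
    print(srs_reverse(rewritten, secret, today=18895))
```

The relay domain's SPF record must list the relay's sending IPs, since after the rewrite that is the domain the receiving server evaluates; the receiving server's SPF check no longer involves the original sender's domain at all.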
Other improvements & fixes:
- Enhanced Reseller Master Group Policy
Changes to the Reseller Master Group Policy have been introduced (only at Customer level), namely: The Customer can add new Group Policies (besides the Master GP one) and can edit existing Group Policies (except for the Master GP one); the Customer Group Policies are now “active” and the Customer can change the GP priorities (these will be applied on the endpoints, based on the established priorities).
- “DNS server response validation” check box in DarkLayer Guard™ Settings
We introduced a new check box in the Endpoint Settings, Threat Prevention, DarkLayer Guard™, Compatibility Settings, which, if enabled, will allow DarkLayer Guard™ to test your DNS resolvers and rotate them if any of them fails.
- Proxy fallback system implementation
We implemented a fallback system for the manual proxy setting. If a manual proxy is configured but not reachable, the agent falls back to the system proxy and, failing that, to a direct (no-proxy) connection, to ensure that the Heimdal™ Agent can still communicate with our core services. Note that the last step means the agent will attempt direct connections when both proxies are unreachable, so environments that force all egress through a proxy should expect those attempts to be stopped at the perimeter.
- Fix related to the Application Control .csv file
The issue related to the App. Control .csv file being empty (when downloaded from the App. Control views) has been sorted.
- Threat Prevention Network sorting and search issues have been fixed
In the different views of the Threat Prevention Network module, there were some filtering issues (sort by Hits and Total Hits, search by Threat Type, search by Client IP, etc.). All these issues have been identified and fixed.
- Fix related to Next-Gen Antivirus
In certain scenarios, detections triggered by our Next-Gen AV module were not reported to the dashboard. The root cause was identified and the issue is now fixed.
- WakeOnLan - SensitiveData module active for all types of customers
Fixed an issue where non-CORP data was sent by the WakeOnLan feature.