We want to inform you about the release of a new Heimdal™ Production Dashboard version, 2.5.383, that is now live. The Heimdal™ Production Agent will be available, for download, in the dashboard (“Guide” section, “Download and install” tab), starting Monday, November 8th, 2021 and, deployed, on a roll-out basis, over the coming weeks.
Here are the main features and improvements rolling in with the new 2.5.383 Prod. release:
Flagship Feature
Heimdal™ Remote Desktop:
This brand - new product launched by Heimdal™ Security, greatly improves your flexibility in terms of connecting remotely to your end-users and being able to provide support at a click of a button. A very helpful, easy-to-use, and secure product, meant to complete your cybersecurity environment.
More info about the recently launched Heimdal™ RD product is available in the dedicated “Remote Desktop Product Sheet” and “Remote Desktop Technical Paper” documents and the Remote Desktop Video Guides (all of them available in the Guide -> Download and install tab of the dashboard). You can also find the video guides on the Heimdal™ Security Youtube channel.
Heimdal™ App. Control, Privileged Access Management, NextGen AV:
- Zero – Trust Execution Protection Exclusions list and Reporting mode
As you probably already know from our previous Release, 2.5.370, Heimdal™ Security launched a very sought-after module, which protects zero-hour threats. In these new iterations of the Heimdal™ prod. dashboard and agent, the Zero – Trust Execution Protection module was further enhanced, allowing the dashboard user the option to white list processes, at GP level, based on the file name, file path, directory, and hash value (MD5). This functionality also offers the possibility to import a .csv list of processes that are to be excluded from the Zero – Trust Execution Protection detection mechanism.
Besides the above–described enhancement, we also implemented a Reporting mode. The functionality consists of a check box, found in the:
- Endpoint Settings -> Endpoint Detection -> Next-Gen Antivirus
- Endpoint Settings -> Privileges & App Control -> Privileged Access Management and
- Endpoint Settings -> Privileges & App Control -> Application Control
Zero – Trust Execution Protection areas, which, when enabled, will scan and log the applications, with Zero – Trust Execution Protection, but won’t take any action, like allowing or blocking.
In the Zero – Trust Execution Protection grids from the dashboard, these processes will be marked in a particular way, for easier identification (having an icon next to the Process Name).
Heimdal™ Threat Prevention Endpoint:
- DarkLayer Guard™ forensic enhancements
In the Threat Prevention Endpoint module, we enriched the available forensic data, thus providing even more intelligence to the dashboard users. This data is obtained by collating domain and threat to process correlation inputs coming from both our Threat Prevention Endpoint, as well as Threat Prevention Network products.
When accessing the Hostname/ Threats and Latest Threats views of our Threat Prevention Endpoint product you will observe the presence of a new icon
which, when clicked on, will provide more information about the found threat (domain, full URL, connecting process, resolved IPs, popularity score – total number of hits in the Heimdal™ database, malware score awarded by IT admins, through votes, deeming the domain as benign or Malicious).
There will also be a new view available, called Investigate view, which will provide DNS – related statistics. For the Investigate view data to be available, the search field should contain a domain name.
The Investigate view will be split into 3 main subsections:
- Predictive DNS score: shows a maliciousness score based on an Artificial Intelligence algorithm (range from 0 – 100) corroborated with the presence of that particular domain on the Threat Prevention Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the given domain is infected. We will also showcase a Risk Level (None, Low, Medium, High, Critical), based on the above-mentioned score.
- DNS statistics: a graphical representation of the daily number of hits for the chosen domain (blue line – the queried domain was found clean at the time of the query; red line – the queried domain was found infected at the time of the query).
- Requester distribution: shows statics and a map, of the top public IPs that called (from where the request was made to) the chosen domain.
A new tab called App. Discovery view was added in Threat Prevention Network and Threat Prevention Endpoint and this new view allows you to monitor the apps. from your environment by providing the total number of endpoints which the apps. are installed on and, a more crucial risk assessment, based on the DNS requests made by the applications. Post analysis, the apps. are rated based on risk levels (None, Medium, and High).
Heimdal™ Patch and Asset Management:
- Software Asset Management view
In the Patch & Asset Management -> 3rd Party Software dashboard section we have created a new view, called “SAM view” which allows the dashboard user to manage their software license–related info (Application Name, Publisher, Type, Quantity, Price, License Key, Expiration Date, etc.).
When clicking on the Application Name, the user will be redirected to the editor page (SAM Details page), being able to edit the license information.
If a SAM item has more than one detail, then, only the first detail is shown, with the rest being collapsed. An expand/ collapse button is present for these items allowing the expansion of all the details of a particular item.
The view also shows the number of discovered endpoints/ servers for that particular item (the number of machines on which that software is installed). If this number is higher than the maximum number of endpoint/ server licenses (for multiple details, the sum of the maximum values is taken), then it will be displayed in red font. The Discovered Endpoints and Discovered Servers columns are also clickable and if the number in the columns is clicked it opens the editor (Software Asset Management Details page) for that SAM item, the Discovered Assets tab being default selected.
In the Patch & Asset Management -> 3rd Party Software -> Assets view, there is also the possibility to create a SAM item from an asset, by selecting a single entry and then, using the “Create software license command” from the “Select what action to take drop-down” list. This command will open the SAM editor with the Application Name and the Alias already filled in.
Details tab
The primary properties of a SAM item are the Application Name and the Alias. The Alias property represents a list of expressions used for automatically discovering assets by their name. Since multiple assets may be part of the same license (only having different versions), multiple assets may match the same Software Assets Management item. Since the same software can be bought from multiple publishers in multiple ways, in the editor (SAM Details page) there is a “Details” tab granting the possibility to input multiple license details concerning multiple publishers. The properties of the details are:
- Publisher – The name of the publisher
- Type – Monthly, Over the Counter, or Lifetime
- Maximum Number of Endpoint Licenses
- Maximum Number of Server Licenses
- Unit Price per Endpoint
- Unit Price per Server
- Currency
- Expiration Date
- Renewal Date
Discovered Assets tab
The actual linking between a SAM item and assets occurs when inventory applications are reported from the Heimdal™ agent to the Heimdal™ dashboard. The linking is done by matching the alias expressions to the name of the application. This linking only occurs if the License Manager checkbox is checked in the current Group Policy (Endpoint Settings -> Patch & Assets -> Patch Management).
The Discovered Assets tab shows the Non-stacked Assets view, filtering only those assets that correspond to the currently selected SAM item.
Heimdal™ Endpoint Detection, Ransomware Encryption Protection:
- Ransomware Encryption Protection dashboard improvements
This feature consists of:
- an enhanced grid for displaying the Ransomware Encryption Protection information, which will now include a column containing the Blocking Reason:
- Default: in the case of blocks that occurred before the feature was implemented
- Encrypted files: for blocks triggered by files being encrypted
- Delete VSS: for cases in which the block occurred due to altered Volume Shadow Copy Service (e.g.: deleted partitions)
- Self-grant permission: for blocks of processes that granted self-permissions
2. the TOP 3 files affected by a process that triggered a Ransomware Encryption Protection alert
3. an email alert is sent to the “logged in” account (if eligible to receive email alerts), both for Corporate Customers, as well as for Resellers (REP detections happening in the case of one of their customers).
- Ability to add processes to the Ransomware Encryption Protection Exclusions list based on hash (MD5)
We’ve added the possibility to add processes to the Ransomware Encryption Protection Exclusions list (Endpoint Settings -> Endpoint Detection -> Ransomware Encryption Protection tab) based on the process hash (MD5).
Heimdal™ Endpoint Detection, NextGen Antivirus & MDM:
- Anti-tamper protection and Isolate on Tamper Detection
To further increase the cybersecurity of your organization, Heimdal™ Security introduced a new feature, called Anti-tamper protection, which does not allow your end-users to stop/ pause the protection services (even if they have Admin rights).
Furthermore, in the very unlikely case in which something force stops one of the Heimdal™ Services, the machine in which this behavior is seen will be isolated from the network. To enable this functionality, the dashboard user needs to access the Endpoint Settings -> Endpoint Detection -> Firewall tab and tick the “Isolate on Tamper Detection” check box.
Heimdal™ Privileged Access Management:
- New statuses when an elevation is blocked by a Next-Gen Antivirus detection
In the Privileges & App. Control -> Privileged Access Mgmt. -> History View, two new statuses were added in the “Action” column, namely:
- “Elevation denied due to detection”, pertaining to a scenario in which malware is already present in the system and its presence has not been resolved yet is the Next-Gen Antivirus product (the end-user is not allowed to elevate)
- “De – elevated due to detection”, pertaining to a scenario in which, live, during the elevation, a malware attack is detected by the Next-Gen Antivirus product and the end-user is de – elevated instantly (this functionality works only if the Endpoint Settings -> Privileges & App Control -> Privileged Access Management, “De-elevate and block elevation for users with risk or infections” setting is enabled)
In the agent, the end-user will receive a pop–up, depending on the two above-mentioned scenarios, with either the “You are not able to elevate due to a Next-Gen AV detection” or the “You’ve been de elevated due to a Next-Gen AV detection” messages.
The new statuses are formatted as hyperlinks and when clicked on, they will lead the dashboard user to the Next-Gen AV module, where all the details related to the detection can be found (Detected Threats tab).
The action “Retry Elevation” will be available in the “Select what action to take” drop-down list and:
- if used and the Next-Gen AV detection was sorted (Quarantine, Exclude, Delete actions) then the elevation will automatically be transferred into the “Pending Approvals” view with either the “Awaiting elevation” or the “Awaiting file elevation” statuses;
- if used and the Next-Gen AV detection was not resolved, the dashboard user will get a toaster message (“Elevation can’t be retried because there still is an active detection on the machine”) and the elevation won’t be transferred into the “Pending Approvals” view (until the detection is resolved)
Other improvements & fixes:
- Ransomware Encryption Protection enhancement related to lower CPU usage
Changes in the Ransomware Encryption Protection mechanism have been made to make the REP module lighter in terms of CPU usage (e.g.: we won’t analyze processes that are whitelisted/ excluded anymore).
- Ransomware Encryption Protection not starting fix
We fixed some issues related to the Ransomware Encryption Protection module not starting, although being enabled in the Endpoint Settings -> Endpoint Detection -> Ransomware Encryption Protection area of the Heimdal™ Dashboard.
- Email Security live refresh function
The Email Security grids showcasing the Inbound and Outbound views are going to be refreshed real-time, showcasing new incoming and/ or outgoing emails on the spot.
- Email Security ATP scanning engine enhancement
The Email Security Advanced Threat Protection scanning engine has been integrated with the DarkLayer Guard™ DNS filter, greatly enhancing the Email Security product detection capabilities.
- Next-Gen Antivirus fix
The issue related to infected files extracted from an archive on the local machine that was not reported back to the dashboard was fixed.
- Application Control small fixes and improvements
- Windows 11 Heimdal™ dashboard compatibility
This improvement allows Windows 11 OS-based devices to have their Operating System Info displayed correctly in the Heimdal™ Dashboard
- Fix related to Email Fraud Prevention – Outlook compatibility
In certain scenarios (Outlook versions different than the Windows bit versions), the “Disable Outlook Suspicious activity warnings” check box did not work, although enabled; we implemented a fix for this issue and now everything is back to normal.
- Email Fraud Prevention “black screen” fix on Outlook startup
This fix ensures that the “black screen” pop-up that appeared, for a short time, when Email Fraud Prevention launched (when Microsoft Outlook started), is not displayed anymore.