In this article, you will learn everything you need to know about the settings you can configure for the HEIMDAL client-side products from the HEIMDAL Dashboard -> Endpoint Settings. To go to the Endpoint Settings, you have to log in to the HEIMDAL Dashboard, click the Endpoint Settings button (top-right corner), and select a Group Policy.
In the Endpoint Settings, you have a section dedicated to macOS endpoints where you can create and manage Group Policies that are applied to the endpoints inside your organization. In the Linux GP tab, you can see all the Group Policies, edit their priorities according to your needs (by using drag & drop), enable/disable them, or duplicate them. The Download button allows you to download an Excel file with all the Group Policies and the settings in each Group Policy.
In the General tab, you can configure Group Policy settings that refer to GP assigning, check intervals, thresholds, and other additional settings.
Policy Name - set the name of the Group Policy;
Language - allows you to select the language of the HEIMDAL Agent to be enforced on the endpoints;
Priority - shows you the priority of the Group Policy in the Group Policy list. It can be set by using Drag and Drop in the GP list;
AD Computer Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
AD User Group - this option is used to bind an AD Global Security Group to the current GP. This way, the endpoint that is a member of the specified AD Global Security Group will apply this GP;
External IPs - this option allows you to assign the Group Policy based on one or more External IPs. Adding multiple IPs is done by separating them with a comma:
Policy check interval - sets the Group Policy check interval that is automatically performed by the HEIMDAL Agent to communicate with the HEIMDAL Dashboard and servers. The default time for the Policy check interval is 180 min;
Licensing check interval - sets the HEIMDAL license check interval that is automatically performed by the HEIMDAL Agent;
This feature is designed to allow the HEIMDAL Agent to communicate with the HEIMDAL Dashboard if the endpoint(s) is/are placed behind a Proxy Server. It allows you to specify the proxy settings by adding the needed information in the displayed fields.
Proxy Settings - the user needs to manually add the Proxy information for the Host, Port, Domain, Username, and Password;
Include in Release Candidate Program - enforces the update of the HEIMDAL Agent to the latest HEIMDAL Release Candidate (Beta) version available on the HEIMDAL Servers;
Threat Prevention is structured into 2 modules: DarkLayer Guard and VectorN Detection. This Group Policy section is designed to manage the HEIMDAL Threat Prevention engine embedded in the HEIMDAL Agent.
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from getting infected.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s), it will revert to Automatic DNS (set automatically by the DHCP). This option is recommended to be enabled if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes the DarkLayer Guard set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This forces the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between HEIMDAL Threat Prevention and certain VPN products, as well as other software you may use, such as virtualization products;
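The two DNS settings above only protect an endpoint while the filter listener is actually the resolver in use. The following check, which is an added example and not part of the HEIMDAL product or this page, reads resolv.conf-style text and reports whether the configured nameservers are the DarkLayer Guard addresses the page names (127.7.7.x, 127.0.0.1, ::1, or an fe80:: link-local address) or an external resolver. The sample configuration is constructed; the label names and the `audit_resolv_conf` function are this example's own.

```python
import ipaddress

# Constructed sample resolver configuration (not captured from a real endpoint).
SAMPLE_RESOLV_CONF = """\
# generated by the network manager (constructed example)
search corp.example
nameserver 127.7.7.1
nameserver fe80::1a2b:3c4d:5e6f:7a8b
nameserver 10.0.0.53
"""

DLG_V4_NET = ipaddress.ip_network("127.7.7.0/24")        # the 127.7.7.x range named on the page
DEFAULT_LOOPBACK = {ipaddress.ip_address("127.0.0.1"),    # "Use default loopback address" targets
                    ipaddress.ip_address("::1")}


def classify_resolver(text):
    """Label one nameserver address by whether the DarkLayer Guard listener is expected there."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "invalid"
    if addr.version == 4 and addr in DLG_V4_NET:
        return "dlg-filter"
    if addr in DEFAULT_LOOPBACK:
        return "dlg-loopback"
    if addr.version == 6 and addr.is_link_local:
        # The page says the IPv6 listener sits on fe80::...; routers advertise
        # link-local resolvers too, so this deserves a second look, not a verdict.
        return "link-local-v6"
    return "external"


def audit_resolv_conf(text):
    """Parse resolv.conf-style text and report whether the filter is in the resolution path."""
    report = {"dlg-filter": [], "dlg-loopback": [], "link-local-v6": [],
              "external": [], "invalid": []}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()        # drop comments, tokenise
        if len(parts) >= 2 and parts[0] == "nameserver":
            report[classify_resolver(parts[1])].append(parts[1])
    report["filtered"] = bool(report["dlg-filter"] or report["dlg-loopback"])
    # An external resolver listed beside the filter is a fallback the stub resolver
    # uses when the local listener stops answering, i.e. lookups that are not filtered.
    report["fallback_bypass"] = report["filtered"] and bool(report["external"])
    return report


if __name__ == "__main__":
    print(audit_resolv_conf(SAMPLE_RESOLV_CONF))
```

If "Force DHCP DNS usage" has kicked in, the report shows only DHCP-assigned resolvers and `filtered` is false, which is exactly the state worth alerting on. The systemd-resolved stub (127.0.0.53) is classified as external by this check; adapt the classification if that stub forwards to the filter in your setup.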
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates of the filtering database;
Domains whitelist – this feature allows the HEIMDAL Dashboard Administrator to whitelist a domain that is blocked by the HEIMDAL Threat Prevention. You can whitelist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be divided by "," comma):
Domains blacklist - this feature allows the HEIMDAL Dashboard Administrator to blacklist a domain that HEIMDAL Threat Prevention - Endpoint does not consider a threat or to block the access to a specific domain. You can blacklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or even multiple domains at once by uploading a CSV file (the domains need to be divided by "," comma);
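A malformed row in a whitelist upload silently widens or narrows what the filter allows, so it pays to validate the comma-separated list before uploading it. The validator below is an added example, not HEIMDAL code, and it assumes the page's conventions: entries are separated by commas, a leading dot marks a top-level domain or suffix entry (".co.uk"), and everything else is a bare domain or subdomain. The classification by label count and the sample list are this example's own constructions (no public-suffix list is consulted).

```python
import re

# One DNS label: 1-63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed sample upload with deliberate mistakes (not taken from the product).
SAMPLE_CSV = ("Example.com, .co.uk,mail.example.com ,https://bad.example/path, "
              "example.com, -x.test, , localhost")


def classify_entry(entry):
    """Return (kind, reason) with kind in {'tld', 'domain', 'subdomain', 'invalid'}."""
    if "://" in entry or "/" in entry or " " in entry:
        return "invalid", "looks like a URL or contains spaces; the list takes bare domains"
    if len(entry) > 253:
        return "invalid", "name longer than 253 characters"
    is_suffix = entry.startswith(".")           # ".com", ".co.uk": matches every name below it
    labels = entry.lstrip(".").split(".")
    if not all(LABEL_RE.match(label) for label in labels):
        return "invalid", "malformed label"
    if is_suffix:
        return "tld", "matches every name under this suffix"
    if len(labels) == 1:
        return "invalid", "single label; use a full domain or a leading dot for a suffix"
    if len(labels) == 2:
        return "domain", ""
    return "subdomain", ""


def validate_domain_list(text):
    """Split the comma-separated upload, normalise case and trailing dots,
    drop duplicates, and return (accepted, rejected) lists."""
    seen, accepted, rejected = set(), [], []
    for raw in text.split(","):
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue                            # empty cell, e.g. a trailing comma
        kind, reason = classify_entry(entry)
        if kind == "invalid":
            rejected.append((raw.strip(), reason))
        elif entry not in seen:
            seen.add(entry)
            accepted.append((entry, kind))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = validate_domain_list(SAMPLE_CSV)
    for entry, kind in ok:
        print("accept", kind, entry)
    for entry, reason in bad:
        print("reject", entry, "-", reason)
```

Run it over the CSV you intend to upload and fix every rejected row first; the suffix entries (`tld`) deserve a deliberate review because one of them on a whitelist exempts an entire top-level domain from filtering.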
Custom block pages – this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when HEIMDAL Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blacklisted domain):
The VectorN Detection engine is a feature that searches for patterns within the blocks of HEIMDAL's DarkLayer Guard records, detecting malware in ways that no other endpoint protection can. It will identify patterns of malicious domain requests and filter these accordingly. The computers identified by VectorN as potentially infected are to be ultimately treated as threats by the system administrator, investigated, and scanned for threats either manually or automatically.
VectorN Detection - turn ON/OFF the VectorN Detection engine (this requires the DarkLayer Guard module to be enabled as well);
Endpoint Detection currently includes the Next-Gen Antivirus. This Group Policy section is designed to manage the HEIMDAL Endpoint Detection components embedded in the HEIMDAL Agent.
The Endpoint Detection - Next-Gen Antivirus will allow you or the users to perform scan operations on the endpoints in your environment to keep viruses and other threats away.
Next-Gen Antivirus - turns ON/OFF the Next-Gen Antivirus module;
Protection Cloud - sends a suspicious file's digital fingerprint to our real-time protection cloud for further analysis and returns a fast response on whether the file is infected or safe;
Allow Manual Scan - enables/disables the ability of the end-user to start any scan directly from the HEIMDAL Agent;
Allow Cancel Scan - enables/disables the ability of the end-user to cancel any running or scheduled scan operation directly from the HEIMDAL Agent;
Default Scan Action on Infected - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting an infected file: Deny, Quarantine, Allow or Delete. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy;
Default Scan Action on Suspicious - allows you to select the action that you want the Next-Gen Antivirus to take upon detecting a suspicious file: Deny, Quarantine, or Allow. Be advised that the Deny option is available only if Real-Time Protection is turned ON in the Group Policy.
Update virus definitions interval [min] - allows you to set the update time interval for the virus definition files. The default value is 120 minutes and it can be extended to 360 minutes. This feature is designed to check whether there are any new virus definition files (VDFs) available on the HEIMDAL servers. When a new VDF file is available, it will get automatically downloaded to the local agent database. It is recommended to have the limit set to 120 min in order to update the database as soon as possible.
This section allows you to schedule a scan according to your preferences. You can start creating a schedule by pressing the Add New Scan button.
Scan Profile Name - specify the name for the profile you want to create;
Scan Type - select the type of scan you wish HEIMDAL Next-Gen Antivirus to run in the created profile;
- Full Scan - scans all the files on the endpoint;
- Quick Scan - scans critical OS locations and the most usual target folders which are known for virus activity: C:\Program Files\Common Files, C:\Program Files (x86)\Common Files, C:\Windows, C:\Windows\system32, C:\Windows\SysWOW64;
- Hard Drive Scan - scans all files on the hard drive while ignoring the files on all external media types;
- Local Drive Scan - scans all local disks including the hard drives, optical drives, and external storage;
- System Scan - scans the system directory;
- Removable Drive Scan - scans files stored on flash, optical or external drives;
- Network Drive Scan - scans files on Mapped Network Drives; it detects the infection(s), but NO action will be performed because the Next-Gen Antivirus cannot remove something from a network location to place it in the local Quarantine folder. This scan type works with Mapped Network Drives but does NOT work with Network locations:
- Active Processes Scan - scans the processes that are currently running on the endpoint;
- Custom Scan - available only on the end user's computer in the HEIMDAL Agent; allows the scan of any file by using the right-click context menu and then selecting Scan with HEIMDAL Next-Gen Antivirus & MDM, which will open a new window with the result;
You can set up a scheduler to run the selected Scan Type in the specified timeframe. The scheduler enables you to choose a day or multiple days during the week or during the month and the time interval when to run the selected Scan Type.
The scan profile does not apply automatically in the policy after clicking the Set Scan button. The configured scheduler needs to be confirmed by updating the policy. If the Update GP button is not clicked, the defined scan profile will be lost if the current page is left before updating the policy. Multiple scan profiles can be created inside a Group Policy. However, the scan type is exclusive. This means that it is not possible to create multiple profiles with the same scan type. For example, there cannot be 2 scan profiles to perform full scans in the same Group Policy.
Next-Gen Antivirus Exclusion List
This feature allows you to add exclusions that Next-Gen Antivirus & MDM will ignore after scanning. The Exclusion List comes with different Priorities and enables you to exclude file names, file paths, directories, or patterns (wildcards).
Filename - allows you to specify the filename that you want to exclude (e.g. test.exe, file.doc, file.txt, example.msi);
File Path - allows you to specify the file path where the file is located on the hard drive (e.g. C:\Users\Username\Desktop\test.exe, C:\test.exe);
Directory - allows you to specify a directory path to be excluded (sub-directories are automatically excluded) from scanning (e.g. C:\Users\Username\Desktop, C:\Downloads);
Pattern - allows you to specify a pattern that should be excluded from scanning. This option does not work with System Variables (e.g. C:\test\*.*, *.bat).
Global Quarantine List
The Global Quarantine List allows you to add a file to quarantine if it is detected by the Antivirus engine (the file will be marked as Suspicious or Infected).
- A file that is added in the Global Quarantine List based on File Name can be quarantined ONLY if the Antivirus engine detects the file as Suspicious/Infected;
- A file that is added in the Global Quarantine List based on File Path can be quarantined no matter if the Antivirus engine detects it as Suspicious/Infected or not;
- Files added by File Path will be marked as Suspicious;
- .txt files added by File Path will not work with Real-Time Scanning.
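The Exclusion List and the Global Quarantine List interact with the default scan actions, and it is easy to misjudge which rule wins for a given file. The evaluator below is an added example (not the Next-Gen Antivirus engine or any HEIMDAL code) that models the rules as the page states them: Filename matches on the base name, File Path on the full path, Directory covers sub-directories, Pattern uses wildcards and never expands System Variables; a Global Quarantine List entry by File Path quarantines regardless of the verdict and marks the file Suspicious (except .txt files under Real-Time Scanning), an entry by File Name quarantines only on a Suspicious/Infected verdict, and Deny requires Real-Time Protection. It assumes exclusions are evaluated before the quarantine list and in list order, since the page does not spell out the priority semantics; the policy and paths are constructed.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Constructed policy; the page gives Windows-style paths in its examples, so these do too.
POLICY = {
    "realtime_protection": True,
    "on_infected": "Quarantine",          # Default Scan Action on Infected
    "on_suspicious": "Deny",              # Default Scan Action on Suspicious (needs Real-Time Protection)
    "exclusions": [                       # (kind, value): filename | filepath | directory | pattern
        ("filename", "installer.msi"),
        ("directory", r"C:\Users\Username\Desktop"),
        ("pattern", r"C:\build\*.obj"),
        ("pattern", r"%TEMP%\*.log"),     # never matches: System Variables are not supported in patterns
    ],
    "quarantine_by_name": ["dropper.exe"],
    "quarantine_by_path": [r"C:\Temp\notes.txt", r"C:\Temp\tool.exe"],
}


def _norm(path):
    """Case-insensitive, separator-normalised form of a Windows path."""
    return str(PureWindowsPath(path)).lower()


def match_exclusion(path, exclusions):
    """Return the first exclusion entry covering `path`, or None (assumption: list order wins)."""
    p = PureWindowsPath(path)
    for kind, value in exclusions:
        if kind == "filename" and p.name.lower() == value.lower():
            return kind, value
        if kind == "filepath" and _norm(path) == _norm(value):
            return kind, value
        if kind == "directory":
            prefix = _norm(value).rstrip("\\") + "\\"      # anything below the directory
            if _norm(path).startswith(prefix):
                return kind, value
        if kind == "pattern":
            if "%" in value:
                continue                                   # System Variables are not expanded
            if fnmatchcase(_norm(path), _norm(value)):
                return kind, value
    return None


def validate_policy(policy):
    """Return configuration problems the Dashboard would reject or silently ignore."""
    issues = []
    if not policy["realtime_protection"] and "Deny" in (policy["on_infected"], policy["on_suspicious"]):
        issues.append("Deny requires Real-Time Protection to be ON")
    for kind, value in policy["exclusions"]:
        if kind == "pattern" and "%" in value:
            issues.append("pattern %r uses a System Variable and will never match" % value)
    return issues


def decide_action(path, detection, policy, realtime=False):
    """detection is 'Clean', 'Suspicious' or 'Infected'; returns (action, why)."""
    hit = match_exclusion(path, policy["exclusions"])
    if hit:
        return "Ignore", "excluded by %s=%s" % hit
    p = PureWindowsPath(path)
    if _norm(path) in {_norm(v) for v in policy["quarantine_by_path"]}:
        if realtime and p.suffix.lower() == ".txt":
            return "NoAction", ".txt entries by File Path are not applied by Real-Time Scanning"
        return "Quarantine", "Global Quarantine List by File Path (marked Suspicious)"
    if p.name.lower() in {v.lower() for v in policy["quarantine_by_name"]} \
            and detection in ("Suspicious", "Infected"):
        return "Quarantine", "Global Quarantine List by File Name (%s)" % detection
    if detection == "Infected":
        return policy["on_infected"], "Default Scan Action on Infected"
    if detection == "Suspicious":
        return policy["on_suspicious"], "Default Scan Action on Suspicious"
    return "Allow", "clean"


if __name__ == "__main__":
    print(validate_policy(POLICY))
    print(decide_action(r"C:\Temp\tool.exe", "Clean", POLICY))
    print(decide_action(r"C:\Downloads\dropper.exe", "Clean", POLICY))
```

The two cases worth noticing in the output are the clean `tool.exe` that is quarantined anyway because it is listed by File Path, and the clean `dropper.exe` that is not, because a File Name entry only acts on a detection.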
PRIVILEGES & APP CONTROL
Privileges & App Control allows you to control user permissions in your organization and enables you to manage elevations and special permissions to applications that are used on each endpoint.
PRIVILEGED ACCESS MANAGEMENT
The Privileged Access Management module will allow you to give users the ability to install the software they need themselves, for a period of time you select, using the Administrator Session or the Run with Privileged Access Management option for single-file elevation. Rights granted can be revoked at any time and actions are logged for a full audit trail. This is the feature that allows an end-user to request admin privileges over their machine by sending a request to the Heimdal Dashboard System Administrator, who can deny or accept the request.
Privileged Access Management - turn ON/OFF the Privileged Access Management module;
Run as Administrator
Allow run as administrator - turn ON/OFF the single-file elevation request (Run with AdminPrivilege) feature;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation:
Auto-mode - all single-file elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all single-file elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
Allow administrator session - turn ON/OFF the full administrator elevation request feature. Note that some changes cannot be committed during an Administrator Elevation although the user has Administrator rights;
Require reason - when requesting an elevation, the Heimdal Agent will display a pop-up to request a reason for the elevation:
Auto-mode - all Administrator Session elevation requests (Run with AdminPrivilege) will be automatically approved and queried in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> History filter);
Approval via Dashboard - all Administrator Session elevation requests and responses will require the approval of the HEIMDAL Dashboard Administrator. The pending elevations will be displayed in the Heimdal Dashboard (under Products -> Privileges & App Control -> Privileged Access Management -> Pending Approvals filter). Once approved, the requesting user will be able to start the session after receiving a Start elevation pop-up (this is automatically displayed in 1-5 minutes);
SESSION LENGTH (2-120 minutes) - allows you to set the interval for a single-file elevation or a full administrator session;
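To make the elevation settings above concrete, here is a small model of the request workflow as the page describes it: the two elevation kinds can each be switched off, a reason can be required, Auto-mode approves immediately while Approval via Dashboard leaves the request pending for the administrator, the session length is bounded to 2-120 minutes, rights can be revoked at any time, and every step lands in an audit trail. This is an added example with hypothetical names (`ElevationPolicy`, `request`, `approve`, `revoke`), not HEIMDAL code; the reference time `T0` is constructed.

```python
from datetime import datetime, timedelta

SESSION_MIN, SESSION_MAX = 2, 120          # SESSION LENGTH bounds given on the page (minutes)
T0 = datetime(2024, 1, 1, 9, 0)            # constructed reference time for the demo


def at(minutes):
    """Point in time `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


class ElevationPolicy:
    """Hypothetical model of the Privileged Access Management settings described above."""

    def __init__(self, allow_run_as_admin=True, allow_admin_session=True,
                 require_reason=True, mode="approval", session_minutes=30):
        if not SESSION_MIN <= session_minutes <= SESSION_MAX:
            raise ValueError("SESSION LENGTH must be between 2 and 120 minutes")
        if mode not in ("auto", "approval"):
            raise ValueError("mode must be 'auto' (Auto-mode) or 'approval' (Approval via Dashboard)")
        self.allow_run_as_admin = allow_run_as_admin    # "Allow run as administrator"
        self.allow_admin_session = allow_admin_session  # "Allow administrator session"
        self.require_reason = require_reason            # "Require reason"
        self.mode = mode
        self.session = timedelta(minutes=session_minutes)
        self.audit = []                                 # every action logged: the audit trail
        self._next_id = 1

    def _log(self, req, event, actor, when):
        self.audit.append({"id": req["id"], "event": event, "actor": actor, "at": when})

    def request(self, user, kind, reason, now):
        """kind is 'file' (Run with AdminPrivilege) or 'session' (Administrator Session)."""
        req = {"id": self._next_id, "user": user, "kind": kind, "reason": reason.strip(),
               "status": "refused", "start": None, "end": None, "note": ""}
        self._next_id += 1
        enabled = self.allow_run_as_admin if kind == "file" else self.allow_admin_session
        if not enabled:
            req["note"] = "feature disabled in the Group Policy"
        elif self.require_reason and not req["reason"]:
            req["note"] = "a reason is required"
        elif self.mode == "auto":
            self._start(req, now)                        # approved immediately, still logged
        else:
            req["status"] = "pending"                    # waits for the Dashboard Administrator
        self._log(req, "request:" + req["status"], user, now)
        return req

    def _start(self, req, now):
        req["status"], req["start"], req["end"] = "approved", now, now + self.session

    def approve(self, req, admin, now):
        if req["status"] != "pending":
            raise ValueError("only pending requests can be approved")
        self._start(req, now)
        self._log(req, "approved", admin, now)

    def deny(self, req, admin, now):
        if req["status"] != "pending":
            raise ValueError("only pending requests can be denied")
        req["status"] = "denied"
        self._log(req, "denied", admin, now)

    def revoke(self, req, admin, now):
        """Rights can be revoked at any time: the session ends now instead of at its deadline."""
        if req["status"] == "approved":
            req["status"], req["end"] = "revoked", now
            self._log(req, "revoked", admin, now)

    def is_active(self, req, when):
        return req["status"] == "approved" and req["start"] <= when < req["end"]


if __name__ == "__main__":
    policy = ElevationPolicy(mode="approval", session_minutes=15)
    r = policy.request("alice", "file", "install VPN client", at(0))
    policy.approve(r, "admin", at(3))
    print(r["status"], policy.is_active(r, at(10)), policy.is_active(r, at(20)))
    for entry in policy.audit:
        print(entry)
```

Note that the session clock starts when the administrator approves (after the Start elevation pop-up), not when the user asked, which matters when you reconcile the audit trail against the session length configured in the policy.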