White Paper - Watchman IT Security
Source: watchmanitsecurity.com/wp-content/uploads/2017/05/Whitepaper-V2-2...

Unrestricted document

© Copyright 2016 – Heimdal Security A/S. All rights reserved

Heimdal Security

White Paper: Technical whitepaper and implementation guide for corporate environments


Technical Whitepaper

Page 2 of 61

1. Table of contents

1. Table of contents ........ 2
1. Prelude ........ 4
2. Who is Heimdal Security ........ 4
3. What is Heimdal Corporate ........ 4
   3.1. Automatic patching of 3rd party software ........ 4
   3.2. Traffic scanning - Malicious site blocking, Zero-hour protection, Data protection ........ 4
   3.3. Detection of data stealing malware and financial malware ........ 6
4. System Requirements ........ 7
   4.1. PC rights ........ 7
   4.2. Resource usage ........ 8
   4.3. Software compliance ........ 8
   4.4. Web based administration module ........ 9
5. Function description ........ 10
   5.1. Heimdal software client ........ 10
      5.1.1. Installation Process and usage environments ........ 10
      5.1.2. Creating adapted MSI installation files ........ 12
      5.1.3. Distribution of Heimdal through Active Directory Group Policy Management ........ 16
      5.1.4. Heimdal’s Group policies without AD groups ........ 24
      5.1.5. Heimdal’s Group policies with AD groups ........ 25
      5.1.6. Heimdal combined with Authentication Proxy ........ 27
      5.1.7. Internet WebServers ........ 28
      5.1.8. Static IP / DNS Environments Settings ........ 28
      5.1.9. Virtualization environments ........ 30
      5.1.10. Using Heimdal with Cisco Anyconnect VPN ........ 31
      5.1.11. Other environments ........ 31
      5.1.12. Heimdal VPN compatibility table ........ 31
      5.1.13. Usage on Terminal servers or Citrix servers ........ 31
      5.1.14. Internet Protocol Version ........ 32
      5.1.15. Uninstall Process ........ 33
6. Features ........ 34
   6.1.1. Patch Management ........ 34
   6.1.2. Traffic check – Malicious websites, zero-day exploits and data ex-filtration ........ 37
   6.1.3. Detection of data stealing or financial malware ........ 38
   6.2. Web based management interface ........ 38
      6.2.1. Account activation and install ........ 39
      6.2.2. Malware Overview ........ 41
      6.2.3. Vulnerability Overview ........ 42
      6.2.4. Traffic Overview ........ 43
      6.2.5. Active clients ........ 46
      6.2.6. Group policy Overview ........ 47
      6.2.7. ROI Report ........ 47
      6.2.8. How can I activate my Dashboard account? ........ 48
      6.2.9. Dashboard Login FAQ ........ 48
      6.2.10. How To Use Google Authenticator On Google Chrome Browser ........ 48
      6.2.11. What is Heimdal RC? ........ 50
7. User interface ........ 53
   7.1.1. The Overview tab ........ 53
   7.1.2. TRAFFIC SCANNING TAB ........ 53
   7.1.3. MALWARE ENGINE TAB ........ 55
   7.1.4. PATCHING SYSTEM TAB ........ 56
   7.1.5. VIEW LOG SECTION ........ 58
   7.1.6. SETTINGS TAB ........ 60


1. Prelude

This document contains an in-depth technical walkthrough of Heimdal Corporate. It describes the software units, communication, system requirements, implementation recommendations and administration processes.

2. Who is Heimdal Security

Heimdal is a security product launched in 2011 by the Denmark-based company CSIS Security Group. In early 2014, Heimdal Security spun off from CSIS Security Group and became a separate entity. Today Heimdal Security works with major corporations, public entities and banks across the world in fighting e-Crime.

Since its inception in 2011, Heimdal set new standards in financial malware detection by continuously following IT criminals’ footsteps and providing the best security solution for organizations as well as private individuals.


3. What is Heimdal Corporate

Information theft and data leakage increased by more than 50% over the last two years and continue to create new security challenges for corporations across continents. Heimdal protects a corporation’s private information and data by combining different safety measures:

3.1. Automatic patching of 3rd party software

More than 80% of all attacks happen by using exploits in 3rd party software. Heimdal identifies and automatically updates 3rd party software on any computer it is installed on, so that cyber criminals are not able to take advantage of such vulnerabilities. Heimdal is designed for low resource consumption, using as few system resources as possible (only 35 MB of memory), and works without interrupting the user.

3.2. Traffic scanning - Malicious site blocking, Zero-hour protection, Data protection

Both work-related and private Internet usage create challenges for corporations, as it becomes difficult for the average user to defend themselves against the advanced malware techniques employed by cyber criminals. Since malicious code can be executed even from legitimate websites, through drive-by attacks or through phishing links, checking the traffic of applications that use web technologies is a must for all company endpoints.


Heimdal integrates a built-in traffic filtering engine, which blocks malicious websites, prevents man-in-the-browser attacks, detects zero-hour exploits, protects against data or financial ex-filtration and prevents data loss or network infections. Here are some examples of how Heimdal protects a network from software exploits and banking Trojans.

Heimdal blocks malicious websites by making sure that users do not establish untrusted connections. If such a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcode. Heimdal also makes sure that data is not automatically filled into online forms belonging to fraudulent websites. Heimdal can shield a PC from a man-in-the-browser attack, hide it from an attacker’s domain, or prevent malware such as Cryptolocker from downloading its encryption keys even if the PC has already been infected. Heimdal offers another layer of security that normal antivirus products cannot provide.


An example of how Heimdal protects users from financially motivated malware, such as Cryptolocker, can be seen below.

The Heimdal filter receives more than 800,000 new updates weekly to keep up with cyber criminals’ threats. A filter update is provided every 2 hours. The updates are based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes and data gathered during e-crime analysis.

This insight into cybercrime enables Heimdal to block data on a PC or network from being sent to a hacker-controlled server, thereby protecting corporate or personal data from ex-filtration.

3.3. Detection of data stealing malware and financial malware

In 2013, data stealing malware or data usage attacks were responsible for more than 55% of the cases in which corporations lost valuable information. Approximately 19% of data theft malware is detected by traditional antivirus software. Low detection rates are caused by polymorphism, which means that malware is able to constantly change its behavior and attack methods. The problem of data theft is increasing further because information theft no longer happens on the PC itself, but spreads over the entire network. Heimdal protects information at the point where data is being accessed, whether on the PC or in a web browser, by making sure that no backdoors are opened in the process. Heimdal deploys an innovative protection technology against data and financial malware to keep hackers at bay.


Employing traffic and usage algorithms, rather than relying just on signature and access detection, Heimdal offers a more comprehensive level of protection than traditional antivirus products.

4. System Requirements

You may install Heimdal on computers running the following operating systems:

- Windows 7 (32 and 64 bit)
- Windows 8 (32 and 64 bit)
- Windows 8.1 (32 and 64 bit)
- Windows 10 (32 and 64 bit)
- Windows Server 2008 R2
- Windows Server 2012/2012 R2

Heimdal has the following system requirements:

- Microsoft .NET Framework 4.6.1
- 100 MB disk space
- 250 MB RAM
- 3% CPU usage
- Local administrator or domain administrator (if in a domain) rights during installation
- User rights during execution
- Internet access

If .NET Framework 4.6.1 is not already installed, Heimdal will automatically download and install it.

* If Heimdal is used on a server, the .NET Framework version should be locked. We do not recommend having the .NET Framework set to auto-update.

For the best experience, we recommend you to use the latest version of any operating system.

4.1. PC rights

To install, close or restart Heimdal, you must have administrative rights on that computer.

If you have local user rights, you can still run the user interface or update the product.

Action                                          Required user rights
Installation of Heimdal                         Local administrator
Automatic update of Heimdal*                    Local user
Patching 3rd party software*                    Local user
Traffic filtering and Malware engine            Local user
Reboot or restart of Heimdal                    Local administrator
Manual starting of Heimdal                      Local administrator
Changing locked settings locally for Heimdal    Not possible

* If the group policy in use allows the action to be performed locally.


4.2. Resource usage

Heimdal consists of one application and 2 Windows services:

Component            Component type
HeimdalAgent.exe     Application
HeimdalService       Service
HeimdalSecureDNS     Service

In a normal state, Heimdal memory usage is between 3 and 35 MB across the 3 components above. During short periods of the update process, the agent may use up to 85 MB of RAM. During software updates, more than the required 23 MB of disk space may also be used.

4.3. Software compliance

Heimdal is designed to co-exist with antivirus and patch management tools. This means that Heimdal can work alongside any security software on the market without causing unstable system behavior.

If a firewall or a proxy is installed on the client, you must make sure it is not set to block traffic to and from Heimdal. If you want to create a rule in your firewall, Heimdal needs these settings:

- http://heimdalprodstorage.blob.core.windows.net with local port 80
- https://cloudservice.heimdalsecurity.com with local port 443
- 8.8.8.8 with local port 1

Examples of firewalls and proxies in which you need to add these exclusions: Websense, Fortigate, SonicWALL, Windows Firewall, Watchguard, Zscaler, Cisco ASA firewalls, Sophos UTM, Untangle, Barracuda, Webtitan, TRITON AP-WEB, Symantec, Trend Micro, Netgear. For Software Center Endpoint Protection 2012 you need to exclude Heimdal’s processes (Heimdal.Agent.exe, Heimdal.AgentLoader.exe, HeimdalClientHost.exe, HeimdalSecureDNS.exe) as shown in the pictures:
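As an added example (not part of the whitepaper), a PowerShell pre-flight check for the requirements in sections 4, 4.1 and 4.3: administrator rights, presence of .NET Framework 4.6.1, and TCP reachability of the two Heimdal endpoints through whatever firewall or proxy sits in between. The 8.8.8.8 entry is left out because its listed port is not a TCP service port; the .NET release numbers are Microsoft's documented values for 4.6.1.

```powershell
# Added example, not from the Heimdal document: pre-deployment check for the
# requirements in sections 4 / 4.1 / 4.3. Hostnames and ports are the ones the
# whitepaper names; nothing here changes the machine.

function Test-DotNet461 {
    # .NET 4.6.1 (or later) sets Release >= 394254 under the v4\Full key
    # (394254 on Windows 10 November Update, 394271 on all other OS versions).
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction SilentlyContinue).Release
    return ($null -ne $release -and [int]$release -ge 394254)
}

function Test-IsLocalAdmin {
    # Installation needs local or domain administrator rights (section 4.1).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal $id
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HeimdalEndpoints {
    # The two cloud endpoints a firewall/proxy must allow (section 4.3).
    $targets = @(
        @{ Host = 'heimdalprodstorage.blob.core.windows.net'; Port = 80  },
        @{ Host = 'cloudservice.heimdalsecurity.com';         Port = 443 }
    )
    foreach ($t in $targets) {
        $ok = $false
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a silently dropped packet fails after 5 s
            # instead of hanging on the default TCP timeout.
            $async = $client.BeginConnect($t.Host, $t.Port, $null, $null)
            $ok = $async.AsyncWaitHandle.WaitOne(5000) -and $client.Connected
        } catch {
            $ok = $false   # DNS failure or connection refused by a proxy/firewall
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $t.Host; Port = $t.Port; Reachable = [bool]$ok }
    }
}

# Report
"Local administrator : $(Test-IsLocalAdmin)"
".NET 4.6.1 present  : $(Test-DotNet461)"
Test-HeimdalEndpoints | Format-Table -AutoSize
```

A Reachable = False row while a browser on the same host can open the URL usually means the proxy requires authentication, which is the case section 5.1.6 covers.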


4.4. Web based administration module

Heimdal Corporate includes an online management tool, which can be accessed at https://dashboard.heimdalsecurity.com. The site is compatible with all major browser versions.


5. Function description

Heimdal Corporate consists of 3 elements: a software client, a content delivery network (CDN) and a web based statistics module.

5.1. Heimdal software client

Heimdal is installed via an installation file and can be deployed automatically in corporate environments using different installation triggers.

5.1.1. Installation Process and usage environments

Heimdal can be installed via an MSI based installer.

5.1.1.1. Installation via MSI file

Heimdal can also be installed via MSI. The newest version, including detailed documentation, can be downloaded from: http://heimdalprodstorage.blob.core.windows.net/setup/Heimdal.msi

In order to install Heimdal Corporate, please verify that you have Microsoft .NET Framework 4.6.1 full profile with all the appropriate updates. If Microsoft .NET Framework 4.6.1 is not installed on your computer, please download it from here: https://www.microsoft.com/en-us/download/details.aspx?id=49982

Each time a new version of Heimdal is released, we also release a Beta version that contains fixes, improvements or other changes that will appear in the next official launch. This is the download link for the beta version: https://heimdalprodstorage.blob.core.windows.net/setup/Heimdal-beta.msi

If you want to install or test the Beta version of Heimdal, we do not recommend doing so on more than 1 or 2 machines, because this version can be unstable and cause problems.

An example of an installation string that installs Heimdal automatically is:

    msiexec /qn /i Heimdal.msi heimdalkey="key here"


* The silent deployment of Heimdal does not support changing the installation path, i.e.: set PATH...
* If you install Heimdal Corp, we recommend rebooting the machine after the installation is performed.

5.1.1.2. Install Heimdal via GUI-less build

Heimdal also has a GUI-less version. That means you can choose to deploy only the services offered by Heimdal, and the user interface of the Agent will not be displayed.

Here is how you do this:

1. Install Heimdal on your machines (see 5.1.1.1).
2. After the installation is done, open your Web based administration panel (UNIFIED THREAT DASHBOARD).
3. Select and create a new policy (if you already have a policy set, you can edit that one if you don’t want to create a new one).
4. In the policy you have just created or want to edit, check the option "Do not show GUI", in the bottom-right corner.
5. Press the green "Update" button and save your changes.


The changes will be applied once all the machines on which Heimdal is installed have been rebooted. It is very important to reboot the machines, otherwise the GUI-less version will not be activated.

5.1.2. Creating adapted MSI installation files

It is possible to install Heimdal in environments that do not accept command-line parameters, such as Active Directory Group Policy Management and similar systems.

The activation key can be inserted directly into the MSI, as a row with the Property "HEIMDALKEY" and the Value "[activationkey/serialkey]". The following section shows the approach to use when inserting the activation key with Orca version 5.0.9600.0.

Before creating the adapted MSI file, check the following settings in Orca:

a. Open Orca
b. Click on Tools
c. Choose Options
d. Go to the Database tab
e. Check the first two options
f. Hit Apply


1. Install Orca and open Heimdal.msi


2. Find and mark the table "Property", select "Tables" and click "Add Row…".

3. In the Property field, write HEIMDALKEY and in the Value field paste your activation key as shown in the examples below:


4. To save as a standalone MSI with the activation key built in, click ”File” and ”Save As”.


Remember that MSI files contain your organisation’s license/serial key and should only be used on the computers for which you have purchased licenses. Abuse will be monitored.
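As an added example (not part of the whitepaper), the same Property-table edit that section 5.1.2 performs in Orca, scripted with the Windows Installer COM automation object (WindowsInstaller.Installer) that ships with Windows, so that keyed packages can be produced repeatably. The function is the editor's; the file paths and the key value are placeholders, and Heimdal.msi is the download from section 5.1.1.1.

```powershell
# Added example, not from the Heimdal document: insert a Property-table row into an
# MSI with the Windows Installer COM API, equivalent to Orca's "Add Row" + "Save As".

function Set-MsiProperty {
    param(
        [Parameter(Mandatory)] [string] $MsiPath,
        [Parameter(Mandatory)] [string] $Property,
        [Parameter(Mandatory)] [string] $Value
    )
    # Property names are plain identifiers; refuse anything that could alter the query.
    if ($Property -notmatch '^[A-Za-z_][A-Za-z0-9_.]*$') { throw "Invalid property name: $Property" }
    $fullPath = (Resolve-Path -LiteralPath $MsiPath).ProviderPath   # COM needs an absolute path
    $escaped  = $Value -replace "'", "''"                            # MSI SQL uses '' inside '...'

    # Windows Installer SQL: drop any existing row, then add ours. Property is the
    # table's primary key, so a plain INSERT over an existing row would fail.
    $queries = @(
        ('DELETE FROM `Property` WHERE `Property` = ''{0}''' -f $Property),
        ('INSERT INTO `Property` (`Property`, `Value`) VALUES (''{0}'', ''{1}'')' -f $Property, $escaped)
    )

    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 1 = msiOpenDatabaseModeTransact: edits are written to this file on Commit().
    $db = $installer.GetType().InvokeMember('OpenDatabase', 'InvokeMethod', $null,
                                            $installer, @($fullPath, 1))
    try {
        foreach ($sql in $queries) {
            $view = $db.GetType().InvokeMember('OpenView', 'InvokeMethod', $null, $db, @($sql))
            $view.GetType().InvokeMember('Execute', 'InvokeMethod', $null, $view, $null)
            $view.GetType().InvokeMember('Close',   'InvokeMethod', $null, $view, $null)
        }
        $db.GetType().InvokeMember('Commit', 'InvokeMethod', $null, $db, $null)
    }
    finally {
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($db)
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($installer)
    }
}

# Work on a copy so the downloaded Heimdal.msi stays pristine (Orca's "Save As" step).
Copy-Item -LiteralPath 'C:\Deploy\Heimdal.msi' -Destination 'C:\Deploy\Heimdal-keyed.msi' -Force
Set-MsiProperty -MsiPath 'C:\Deploy\Heimdal-keyed.msi' -Property 'HEIMDALKEY' -Value 'XXXXX-XXXXX-XXXXXX-XXXXXX'

# The key now travels inside the package, so the silent install from section 5.1.1.1
# needs no heimdalkey= argument and a GPO assignment (section 5.1.3) can use it as-is:
#   msiexec /qn /i C:\Deploy\Heimdal-keyed.msi
```

Open the saved package in Orca afterwards and confirm the HEIMDALKEY row in the Property table before placing it on the network share used for GPO distribution.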

5.1.3. Distribution of Heimdal through Active Directory Group Policy Management

Microsoft Active Directory Group Policy Management is an integrated part of Microsoft Active Directory which helps you apply configurations across all or parts of your organization’s computers.

To configure an automatic distribution of the Heimdal agent through Group Policy Management you need to have:

- The Heimdal MSI installation package. You can find the download path in the section "Installation" under the main section "Functional description" in this document.
- An adjusted MSI file with your organization’s activation key included.
- Access and rights to change the Active Directory group policy for the domain.
- A network path where the Heimdal MSI installation file can be placed. All computers which are to have the agent installed must have read access to this network path.
- Microsoft .NET 4.6.1 Full Profile installed on all computers.


Step 1: Create the folder where you want to share Heimdal.msi from:

Step 2: Choose the people in your network you want to share this folder with and establish their permission level.


Step 3: On the Domain Controller, click on Administrative Tools and then open Group Policy Management. Under the domain for which you want to create a GPO:

- select Group Policy Objects
- right click
- choose New GPO and then enter the name ("Heimdal" in our case).

See the example below for clarifications:


Step 4: Open the Group Policy Management Editor and select the following:

User Configuration > Policies > Software Settings > Software Installation, then right click and select New > Package.


Step 5: For "Deploy Software", choose the "Assigned" option. This means the installation will run without user interaction:

Step 6: Select package “Heimdal”, right click, select Properties and then Deploy Software.


Step 7: Next, go to “Deployment” tab, where you can see deployment types and options. To install Heimdal CORP (v2), please choose the “Install this application at logon” option and then hit “Apply”.

Step 8: To install Heimdal CORP (v2) from the user’s computer, do the following:

Open Command Prompt as Administrator and type:

    gpupdate /force /boot /logoff


The user’s computer will restart and install the software, as shown below:


This is a silent installation. You can check the results in the Control Panel/Programs to verify if Heimdal CORP (v2) was installed successfully.

* If you install Heimdal Corp, we recommend rebooting the machine after the installation is performed.

5.1.4. Heimdal’s Group policies without AD groups

First, you need to create a new policy other than the default one. After you have created the new policy, just apply and enable it.

A Heimdal user can use only one policy. If more than one policy is suited for the user, Heimdal will apply only the one with the highest priority value (in our case the "Skype" policy has the highest value, 4). Therefore, Heimdal will apply this policy, the one with the highest priority value.


5.1.5. Heimdal’s Group policies with AD groups

With this feature you can distribute your own policy to all or some users. Also, if you have AD groups, you can distribute your policy through AD groups.

5.1.5.1. How can I distribute Heimdal’s policy to AD Computer groups?

If you want to distribute a policy to an AD computer group, you just need to create a new policy and put the name of the computer group ("Servers", in our case) in the AD Local Security Group field.

After you create this policy, you only need to enable it.

5.1.5.2. How can I distribute a policy to AD User groups?

If you want to distribute a policy to an AD user group, you just need to create a new policy, put the name of the group ("Marketing" in our case) in the AD User Group field and, after this step, enable the policy from the Group policies menu.


Please keep in mind that each user can have only one policy, and if there are two policies for the same AD group, Heimdal will use only the policy with the higher priority value.

If you want to see which AD groups Heimdal has detected on your machine, open the Licensing.log file at this location: C:\programdata\heimdalsecurity\logs\licensing.log


5.1.5.3. How do I change the priority of a group policy?

The priority value of a group policy is assigned automatically in increasing order. The next policy created will receive priority number 6. If you want to change the priority of the policy "All test" (in the picture) from 7 to 6, hover over the policy "All Test", then drag and drop it onto the position you want, in this case 6.

5.1.6. Heimdal combined with Authentication Proxy

Heimdal can be used in combination with IT security proxies or authentication proxies. The steps below must be followed to use Heimdal with a proxy:

1. Log in at https://dashboard.heimdalsecurity.com and navigate to Group Policies.
2. If you do not already have policies defined, click "Create new policy". If more than one policy is being used, the proxy information must be entered into all of them.
3. Check the "Enable Policy setting" checkbox and fill in, as a minimum, Host, Port, Username and Password.


Once you have entered your proxy settings, deploy Heimdal using this command:

    msiexec /qn /i Heimdal.msi heimdalkey="xxxxx-xxxxx-xxxxxx-xxxxxx" proxy="Address=x.x.x.x Port=xy Username=cgt Password=1 Domain=heimdalsecurity.com"

* If you install Heimdal Corp, we recommend rebooting the machine after the installation is performed.

5.1.7. Internet WebServers

Using Heimdal with internal webservers is fully supported as long as they use DNS based naming. For example, http://heimdal.local is supported, whereas http://heimdal is not. You can also use IP addresses without a problem, e.g. http://192.168.0.1. This only affects web based services, not file sharing services or drive share mapping such as \\heimdal.

5.1.8. Static IP / DNS Environments Settings

For the full use of Heimdal, we recommend a DHCP-assigned DNS environment. You can use Heimdal in a statically configured DNS environment, but the static DNS server must be set before installation. If you want to use DHCP-assigned DNS together with static IP addresses, the static IPs must be configured as reservations on your DHCP server or network router. Using reservations also avoids IP address collisions on the network.


Set up a DHCP reservation for a computer
*The example was made on Windows Server 2008 R2.

To set up a DHCP reservation in Windows Server 2008 R2 for a DHCP client computer on the network, administrators must follow the steps below:

1. Go to the target DHCP client computer and fetch its physical (MAC) address by typing the IPCONFIG /ALL command in the command line interface and pressing Enter.

2. Log on to the Windows Server 2008 R2 computer on which the DHCP server role is installed, using domain admin or enterprise admin account credentials.

3. From the desktop screen, click the Start button. From the displayed menu, go to Administrative Tools > DHCP.

4. In the DHCP snap-in, from the console tree in the left pane, double-click to expand the DHCP server name. From the expanded list, go to IPv4 > <DHCP scope name>. From the displayed list, right-click Reservations.

5. In the context menu that appears, click New Reservation. In the New Reservation box, in the Reservation name field, specify a name for the new reservation. In the IP address field, type the IP address from the DHCP address pool that will be reserved for the target DHCP client computer.

6. In the MAC address field, specify the physical address of the target DHCP client computer that was retrieved in step 1.

7. Click Add to add the new reservation to the selected DHCP scope. Once added, click Close. Close the DHCP snap-in when done.

Before deploying Heimdal in your environment, make sure that all machines are set to obtain the DNS server address automatically.
*For the Heimdal Traffic Filtering option to work properly, Heimdal must be able to set its own DNS address (127.0.0.1); that is why the client should have the DNS address set to automatic.

5.1.9. Virtualization environments

For virtual computers:

1. When you install the Windows operating system (tested with Win8 Pro) from the same ISO on 2 different virtual computers, they get different SIDs. The motherboard and hard disk serial numbers are different, so Heimdal can be installed on both of them and both will work normally.

2. When you install the Windows operating system (tested with Win8 Pro) from the same cloned image on 2 different virtual computers, they get the same SID and the same motherboard and hard disk serial numbers. Heimdal can be successfully installed with the same CORP license on both machines, but you will see only one client at a time in the Dashboard.

For Citrix: the following Citrix environment versions are a minimum requirement, as is the Heimdal agent version: XenServer 6.5; XenApp & XenDesktop 7.6


5.1.10. Using Heimdal with Cisco AnyConnect VPN

Heimdal can be used with Cisco AnyConnect VPN. You only need to set a split exclude for 104.46.51.121 (the IP address of our cloud services). For the Cisco ASA 5585-X model, you can change the setting as shown in the next image:

5.1.11. Other environments

Exchange, KMS or Domain Controllers are not supported.

5.1.12. Heimdal VPN compatibility table

VPN solution      | Standard            | With Certificate    | Split Tunnel                | Tunnel all
------------------|---------------------|---------------------|-----------------------------|------------------------
Windows VPN       | x                   | x                   | x                           | (Not offered by vendor)
F5 Big VPN        | x                   | x                   | x                           | (Not offered by vendor)
Cisco AnyConnect  | x                   | x                   | x (if split exclude is set) | Not supported
Direct Access     | If IPv6 is disabled | If IPv6 is disabled | If IPv6 is disabled         | Not supported

5.1.13. Usage on Terminal servers or Citrix servers

In order to run Heimdal on Terminal Servers or Citrix servers, we suggest that you use the GUI-less version of our product.

To do so, please follow these steps:

1. Connect to the online Heimdal Dashboard by going to dashboard.heimdalsecurity.com and logging in with the credentials provided by your Heimdal CORP partner.
2. Click the GROUP POLICY tab.
3. If you already have a policy, click on it; if not, press the "Create a new policy" button.
4. In the bottom right corner of the policy, enable the option named "Do not show GUI".
5. Deploy Heimdal on your server (see points 5.1.1.1 and 5.1.1.2).
6. If you already have Heimdal installed, you will need to reboot the machine. Only after the reboot will the changes you made in the policy be applied.
7. After you create an RDP (Remote Desktop Protocol) session to the Terminal Server, you can verify whether Heimdal was installed successfully.
8. Locate the Heimdal installation path: C:\Program Files (x86)\Heimdal\

5.1.14. Internet Protocol Version

Heimdal can filter your traffic on both IPv4 and IPv6. Below are the DNS settings made by Heimdal when Traffic Filtering is activated.

On IPv4, the DNS address set by Heimdal is 127.0.0.1

On IPv6, the DNS address set by Heimdal is ::1


*If traffic filtering is disabled, the 127.0.0.1 entry will be removed when the adapter becomes active.
*Traffic filtering can cause issues if the client uses SAP, because SSO requires the KDC (Kerberos Domain Controller) to be present as the primary DNS.

5.1.15. Uninstall Process

If you have a Heimdal.msi based installation, please use the uninstall script below. It applies to both x64 and x86 systems and removes Heimdal silently.

REM Uninstall the MSI package silently; the GUID is the product code of the installed agent version
MsiExec.exe /X{8DC81212-50FB-48F6-9835-0A73CDE314B5} /qn
REM Stop any agent processes that are still running
taskkill /F /IM Heimdal.Agent.exe
taskkill /F /IM Heimdal.AgentLoader.exe
REM Remove leftover program files (rd removes directories; the loader executable is a single file, so it is removed with del)
rd /s /q "C:\Program Files (x86)\Heimdal\"
del /F /Q "C:\Program Files\Heimdal\Heimdal.AgentLoader.exe"
rd /s /q "C:\Program Files\Heimdal\"
REM Remove leftover registry keys, including the 32-bit (Wow6432Node) view on x64 systems
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\HeimdalSecurity" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\HeimdalSecureDNS" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HeimdalSecurity" /f
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\HeimdalSecureDNS" /f

*You must run the commands in the same order they are written above.

In this case {8DC81212-50FB-48F6-9835-0A73CDE314B5} is the GUID pertaining to Heimdal agent v2.2.0. If you are using an older version of Heimdal or the BETA version, you can use this command to find the Heimdal agent GUID and change the entry in the script above:

wmic product get name,version,identifyingnumber

The uninstall script must be run with administrative privileges!

6. Features

6.1.1. Patch Management

Heimdal monitors and automatically updates a range of software applications. The patches are downloaded directly from our servers, and we only add special Heimdal code to install the patches silently and at the correct time. Heimdal will never close a running application or automatically reboot the PC after the updates have been installed. Also, Heimdal will never request permissions or show UAC pop-ups, even if UAC is enabled.

Applications included and monitored in the Patch Management system are selected on the following criteria:

- One or more versions contain vulnerabilities, which are corrected in updated versions
- The vulnerabilities pose a security risk and are therefore actively used by IT criminals

6.1.1.1. The list of supported software is below:

- Heimdal Security, Heimdal Client
- Java 7 (32bit)
- Java 7 (64bit)
- Java 8 (32bit)
- Java 8 (64bit)
- Adobe Shockwave
- Adobe Flash Plugin
- Adobe Flash Player
- Adobe Acrobat Reader XI
- Adobe Acrobat Reader DC
- Adobe Air
- VLC Player (32bit)
- VLC Player (64bit)
- Apple Quicktime
- Google Chrome x32
- Google Drive
- Mozilla Firefox (32bit) - patched only in English
- Mozilla Firefox (64bit) - patched only in English
- Mozilla Thunderbird - patched only in English
- Ccleaner (32bit) - patched only in English
- Ccleaner (64bit) - patched only in English
- 7-Zip (32bit)
- 7-Zip (64bit)
- WinRAR
- Microsoft Silverlight
- iTunes (32bit)
- iTunes (64bit)
- Foxit Reader
- Skype
- Notepad++
- GIMP (32bit)
- GIMP (64bit)
- LibreOffice
- Pidgin
- Jitsi (32bit)
- Jitsi (64bit)
- FileZilla (32bit)
- FileZilla (64bit)
- Teamviewer

6.1.1.2. Technical implementation

Heimdal receives its information by monitoring the Windows Registry.

First, it looks for the DisplayName property of an application; if this property is not found, the Install button/option is displayed.

Second, if DisplayName is found, it looks at the DisplayVersion property, and if the installed version is older than the latest one, Heimdal applies the patch.

Heimdal scans the PC once per hour to find new applications or apply patches to existing ones. The list of detected software, their versions and update status can be seen in the "Patching System" tab of the main user interface as well as in the online management portal.

If an update is available, the patching process will begin as soon as possible, when the PC is idle and not using the specific software. If several applications require patching, they are handled one at a time. If the agent is unable to patch a specific application, such as a browser plug-in, because it may be in use, Heimdal will notify the user via a red exclamation mark.

6.1.1.3. Software that already has autoupdate enabled

Please note that some of the software apps that Heimdal monitors and updates automatically and silently may already have autoupdate enabled in their default settings. This means that updates delivered into the software directly by the software maker (via the autoupdate feature built into the application) may arrive faster than patches applied by Heimdal. The following applications already have autoupdate enabled by default by the software maker and, consequently, may be updated faster than Heimdal can deliver the necessary patches: Google Chrome, Google Drive, Skype, Mozilla Firefox, Mozilla Thunderbird.

6.1.1.4. Patches deployment method – Bulk or Staged?

If you are about to deploy Heimdal in your organization and your Group Policy is set to deploy new applications or to patch existing ones, you should know that the patches are downloaded as the clients check in with the Dashboard; the clients never all check in at the same time. This way, we ensure that you avoid any traffic load peaks in your organization.

If a higher version is already installed on your PC, Heimdal will display the following warning:


6.1.1.5. Uninstall Application Feature - CORP clients only Please read more about this on our article from FAQ: https://support.heimdalsecurity.com/hc/en-us/articles/214423645-UNINSTALL-APPLICATION-feature-explained

6.1.2. Traffic check – Malicious websites, zero-day exploits and data exfiltration

Internet traffic checking in Heimdal is based on a database and a filtering engine. It blocks websites with malicious content and blocks access to servers which are controlled and operated by IT criminals. Heimdal also incorporates heuristic traffic checking and statistical analysis to discover new and yet unknown threats. By doing so it protects a corporate network or private user from opening backdoors, uploading data into the hands of hackers or having data exfiltrated from PCs or networks. As the filter is based on a CDN, it works just as quickly anywhere in the world and it adds a negligible delay (4 ms on average) compared to normal web browsing.

6.1.2.1. Technical Implementation

The feature runs as a service on the local PC and checks all DNS lookups that are made on the PC. When a lookup is made, Heimdal forwards the DNS lookup to the DNS servers defined in the client's DHCP settings and checks whether the name being looked up is contained in the list of malicious servers or websites.

The list is compiled into a space-optimized probabilistic data structure and only takes up 2 MB of disk space. Through this data structure Heimdal is able to decide whether the DNS name is either:

a) With 100% certainty not on the list of malicious sites
b) With 98% certainty on the list of malicious sites

If the address is not on the list of malicious servers, Heimdal will approve the request using the configured DNS servers.

If the address is with 98% certainty on the list, Heimdal will perform an extra check towards our servers to verify whether the address is harmful or not.

a) If it does show up as harmful, the site or traffic is blocked and a notice will be displayed.
b) If the domain address is not harmful, the traffic will be allowed.

The advantage of using a probabilistic data structure is that the speed of the service is much higher and the size of the database is only roughly 0.5% of the total list.

The traffic check works for all services on the PC and on VPN. It also works on internal as well as private networks.

6.1.3. Detection of data stealing or financial malware

The built-in detection module for advanced malware cannot be compared to traditional antivirus products, as it works in an entirely different way. It should not serve as a replacement for antivirus, but as a supplement.

6.1.3.1. Technical implementation

Heimdal's detection of malware is based on configuration files, computer events and Internet traffic, as opposed to a classic antivirus product, which is based on signatures and file access. Heimdal is therefore very effective against data-stealing or financial malware, which relies on these approaches to penetrate computers, but for the same reason it is not effective against traditional viruses.

Heimdal also incorporates a heuristic traffic detection engine for malware, combined with a detection engine based on statistical analysis.

If data-stealing or financial malware is detected, a red smiley will be displayed in the client and on the process bar. Heimdal will also provide a link to a suggested removal tool, but will not attempt to remove the malware itself; it only blocks it from transmitting data from the system to the malicious servers.

6.2. Web based management interface

You can find all the details of Heimdal users (number of software monitored, number of vulnerabilities, total DNS requests, blocked traffic requests, geographical location of your users, number and details of active clients - Operating System and IP, number of licenses) by logging in to our dashboard at the address: https://dashboard.heimdalsecurity.com/home

The IP address of our Dashboard is: 40.113.122.223

6.2.1. Account activation and install

Step 1 - Confirmation

You will receive 2 emails:
- The first email will be from your Account Manager, containing your Username and Password.
- The second email will come from the Heimdal dashboard and will contain a link – please see below.


Step 2 - Logging into the Management Portal

When you have clicked the Confirm Account link, you will be taken to a page where you will be able to log into the Management Portal – please see the screenshot below.

Please download the Google Authenticator app on your phone (it's free and can be found on Google Play, iTunes and the Windows Store).

Scan the QR code with Google Authenticator; it will then generate a 6-digit code roughly every 30 seconds. You will need to get a code from Google Authenticator every time you log into Heimdal's Management Portal!

Enter the password given in the email you received from your Account Manager and then create a new password.

Enter the generated code from Google Authenticator and press the Submit button.

If you are an admin and you need access to your account, need to reset your password or add a new IP to your account, please contact your Account Manager.

Step 3 – MSI file and your License Key

With everything set up you can now download Heimdal onto as many endpoints and servers as you like.

- Click "Guide" at the top of the screen.
- Here you will find the MSI file to download and install Heimdal.
- You will also find your licence key here.
- For the customer you select under "Management for Resellers", it will bring up their licence key.
- See the diagram to the right.

6.2.2. Malware Overview

The Malware Overview tab offers a list of the malware strains detected by Heimdal Corporate, providing key intelligence so you can manage risks in your environment. Here you can see the Hostname, IP Address, Date (which is the last malware scan timestamp) and the status of the host (whether it is safe or not). You can also search the list by Hostname or IP address.

You can see details about traffic for each host, with details about Operating System, IP address and URLs blocked by Heimdal.

6.2.3. Vulnerability Overview

The Vulnerability Overview tab provides a centralized view of the vulnerabilities in your environment, enabling you to manage them and prevent security incidents. Heimdal is able to install and update the following software:

FileZilla x64, 7-zip x64, 7-zip x86, CCleaner x64, CCleaner x86, Firefox, FileZilla, Skype, Adobe Shockwave, Chrome, VLC x86, VLC x64, WinRar x86, WinRar x64, Adobe Flash, Adobe Reader, Foxit Reader, Gimp x86, Gimp x64, Libre Office, Thunderbird, Notepad++, Pidgin, Jitsi x86, Google Drive, Java x86, Adobe Acrobat Reader DC, Microsoft Silverlight, Microsoft Silverlight x64, Adobe Flash Plugin, Adobe Air, QuickTime.

You can choose which software to install or update using policies from the Group Policies tab. More details about this are in chapter 5.1.5.

6.2.4. Traffic Overview

Heimdal CORP V2 uses Bloom filter technology (the same as that used by the Google search engine). This ensures it is as fast and as accurate as possible. The Bloom filter sits locally on the machine and only asks the cloud when there is a partial or full match in the local filter. If there is no match, the request passes clean through.

With the size of the filter we use, we get 99.5% accuracy on the local PC. Consequently, we only have to ask the cloud about the remaining 0.5% of lookups during the DNS interrogation, because for most of the data we check the local DB has already given a definitive answer. Out of the 0.5% that we check in the cloud, about 1-3% are typically malicious, depending on your user profiles.

The benefits of this system are:
- High accuracy
- High performance
- No false positive blocks

The downside is that about 0.47-0.49% of what we check will be a false positive check (but not a block). We have to do it this way in order not to have a 2 GB database on the local PC, and the cloud servers run on 128 cores to make sure there is 0.0 ms lag and turnaround time on requests. In short, the dashboard will show entries that are not malicious, because there was a match in the local database for some of them.
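The two-stage lookup described in 6.1.2.1 and in the Traffic Overview above, as an added Python example that is not Heimdal's code: a local Bloom filter answers "definitely not listed" with no cloud round trip, and only filter hits are verified against a constructed stand-in for the cloud list. The hash scheme, filter sizing, sample domains and the cloud_lookup stand-in are assumptions of this example.

```python
"""Two-stage DNS verdict backed by a local Bloom filter, modelled on the flow
described in sections 6.1.2.1 and 6.2.4.  Added example, not Heimdal's code:
hash scheme, sizing, sample names and the cloud stand-in are constructed."""
import hashlib
import math
from typing import Iterable, List, Tuple


class BloomFilter:
    """Space-optimised probabilistic set: never a false negative, tunable false positives."""

    def __init__(self, expected_items: int, fp_rate: float) -> None:
        # Standard sizing: m bits and k hash functions for a target false-positive rate.
        self.m = math.ceil(-expected_items * math.log(fp_rate) / (math.log(2) ** 2))
        self.k = max(1, round(self.m / expected_items * math.log(2)))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, name: str) -> List[int]:
        # Kirsch-Mitzenmacher double hashing: k positions from two halves of one SHA-256.
        # DNS names are case-insensitive, so normalise before hashing.
        digest = hashlib.sha256(name.lower().rstrip(".").encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, name: str) -> None:
        for pos in self._positions(name):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, name: str) -> bool:
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(name))

    def size_bytes(self) -> int:
        return len(self.bits)


# Constructed sample of the full server-side blocklist (not real indicators).
CLOUD_BLOCKLIST = {"malware-c2.example", "phish-login.example", "exfil-drop.example"}


def cloud_lookup(name: str) -> bool:
    """Stand-in for the 'extra check towards our servers' (constructed)."""
    return name.lower().rstrip(".") in CLOUD_BLOCKLIST


def build_local_filter(blocklist: Iterable[str], expected_items: int, fp_rate: float) -> BloomFilter:
    """Compile the blocklist into the compact local structure shipped to the endpoint."""
    bf = BloomFilter(expected_items, fp_rate)
    for name in blocklist:
        bf.add(name)
    return bf


def dns_verdict(bf: BloomFilter, name: str) -> Tuple[str, bool]:
    """Return (verdict, cloud_queried) for one DNS lookup.

    A filter miss is a certain 'not listed': the lookup is allowed without any
    cloud round trip.  A filter hit only means 'probably listed', so the cloud
    is asked and the name is blocked only when the cloud confirms it; a hit the
    cloud does not confirm is the 'false positive check (but not a block)' that
    still shows up in the dashboard."""
    if not bf.might_contain(name):
        return ("allow", False)
    if cloud_lookup(name):
        return ("block", True)
    return ("allow", True)


def cloud_query_rate(bf: BloomFilter, benign_names: Iterable[str]) -> float:
    """Fraction of benign lookups that still reach the cloud (observed false-positive rate)."""
    names = list(benign_names)
    hits = sum(1 for n in names if bf.might_contain(n))
    return hits / len(names) if names else 0.0


if __name__ == "__main__":
    local = build_local_filter(CLOUD_BLOCKLIST, expected_items=1000, fp_rate=0.005)
    for host in ("www.notblockedbyheimdalsecurity.com", "MALWARE-C2.example", "update.example"):
        print(host, dns_verdict(local, host))
    print("local filter size:", local.size_bytes(), "bytes")
```

Sizing the filter for 1000 expected entries at a 0.5% target rate keeps it at about 1.4 KB; the same formulas scale to the multi-megabyte filter the page describes.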


Traffic Filtering option protects your users by blocking access to malicious websites. This feature is updated regularly and does not require any administration or maintenance on your part.

You can activate this option from your Dashboard account and check if it’s working using the address: http://www.notblockedbyheimdalsecurity.com/


If it’s working, you will see the following page in your browser:

If it’s not working or you don’t have the Traffic Filtering option enabled, you will see the following page:


6.2.5. Active clients

The Active Clients tab shows a list of the active workstations protected by Heimdal Corporate using your activation key. This module lets you check which clients are active. You can list them and search by Hostname, IP Address and the last time a host was seen in the Dashboard.

6.2.5.1. Revoke License Button

This option can be found in the Dashboard, on the Active Clients list.

This option allows the Account Administrator to revoke the Heimdal usage rights on a certain host/machine. This means that, once the REVOKE LICENSE button is clicked, Heimdal on that machine will no longer receive the information from the policies set in the Dashboard (you will still be able to install Heimdal on that machine, but a policy will never again be applied to it).

That's why we recommend you use this option ONLY when a machine/computer leaves your organization.

If you decide to revoke the license for specific clients, click the green checkbox and you will be prompted to confirm this:

Once you have pressed "Yes", the machine for which you revoked the license will stop receiving information from the Group Policy and it will not be updated correctly. If you pressed the Revoke button by mistake or you want to revert the action, you can always press the Unrevoke License button.

By pressing this button, you give all the rights back to the machine that was removed from your organization, and after a reboot the machine should again receive the Group Policy you have set in the Dashboard.

6.2.6. Group policy Overview In order to have a better overview over this, please visit our FAQ and read about the Group Policy feature.

This is the address: https://support.heimdalsecurity.com/hc/en-us/articles/213634049-Dashboard-Features-Group-Policy-Overview

6.2.7. ROI Report The ROI Report tab depicts an estimated return on investment provided by Heimdal Corporate in terms of financial resources saved by protecting the users and data in your network.


6.2.8. How can I activate my Dashboard account? You can ask your account manager about it. All we need is your email address and your IP. Please bear in mind that you can access your account only from the IP provided. In case you need to access your account from a different location, just ask your account manager to add this new IP in your Dashboard account.

6.2.9. Dashboard Login FAQ

On Android phones, when trying to download the app, you get the following error: "Google Play authentication is required".
Try following this guide: https://www.androidpit.com/how-to-fix-google-play-authentication-is-required-error

"Codes generated by the Authenticator do not work."
This is most likely because the time is not synced correctly. You can try the following: go to the main menu of the Google Authenticator app, click Settings, click Time correction for codes, click Sync now.

How can I synchronize the time on iPhone?
You can synchronize the time by following these steps: Settings -> General -> Date & Time -> Set Automatically

6.2.10. How To Use Google Authenticator On Google Chrome Browser

This guide will show you the steps you need to follow in order to add Google Authenticator to the Chrome browser.

Step 1

Click on: Download and add the GAuth Authenticator extension to the browser if asked to do so, or click on the Add to Chrome button > Add extension.

Step 2

1. Now that the extension is added to the browser, open it and start configuring it. Click on the Heimdal Security Dashboard link: https://dashboard.heimdalsecurity.com/
2. Log in using the credentials sent by the account manager.
3. After logging in, you will need to change your password.

- While on this page, click on the GAuth Authenticator extension and click on the Pencil icon to begin adding the account.
- Next, click on + Add and insert the email address; the Secret Code is the one from the dashboard login page.
- After the Secret Code is inserted, press Add.
- At this point, the Authenticator is set up in the browser.
- The Dashboard login page must not be closed or logged into yet.

6.2.11. What is Heimdal RC?

Heimdal RC is the release candidate (beta version) that is in pre-production. We recommend you install this version only if someone from the Heimdal team recommends that you do so. Otherwise, this version might cause issues in your organization because of its relative instability.

How can I upgrade to Heimdal RC? – PRO users

1. Open Heimdal.
2. Click on the settings wheel.
3. Click on Settings.
4. Scroll down and turn on Update to Beta.

How can I upgrade to Heimdal RC? – CORP users

1. Open dashboard.heimdalsecurity.com.
2. Log in to your account.
3. Select Group Policies.
4. Open the policy in which you want to activate and install Heimdal RC.
5. Enable "Include in the Beta Program".

Does Heimdal upgrade automatically when a new version appears? And what happens if I already have Heimdal RC installed?

Yes, Heimdal updates itself automatically in one of the following scenarios:
A. If you have Heimdal 2.2.8 installed and version 2.2.9 is released, Heimdal will automatically update to version 2.2.9.
B. If you have Heimdal 2.2.8 RC and version 2.2.9 is released, Heimdal will automatically update to version 2.2.9.

Heimdal will NOT update itself automatically in the following circumstance: if you have Heimdal 2.2.9 RC and version 2.2.9 is released, Heimdal will not automatically update to version 2.2.9.

Heimdal's upgrade is based on the version number. If Heimdal detects a lower version on the system, it upgrades automatically. But if it detects a version that is equal to or higher than the latest version released (2.2.9 in this example), Heimdal will not upgrade itself automatically to the latest version.

!!! The official update will always have a lower version number than the RC version (release candidate). Example: if we launch the Heimdal 2.2.9 official release, we launch Heimdal 2.2.10 RC at the same time. Consequently, the next official release version will be 2.2.10. So if you decide to use Heimdal 2.2.10 RC, when version 2.2.10 is officially released, Heimdal 2.2.10 RC will not be automatically updated.

If the current version installed on the endpoint is equal to the RC version, the automatic update will not happen: 2.2.10 RC will NOT update to the 2.2.10 official release. If the current version installed on the endpoint is lower than the RC version, the automatic update will happen: 2.2.9 RC will update to the 2.2.10 official release.
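The version-number rule above, and the DisplayName/DisplayVersion check of 6.1.1.2 (with the "higher version already installed" warning of 6.1.1.4), as one added Python example that is not Heimdal's code: versions are compared component by component as integers and the RC tag is ignored, so 2.2.9 RC updates to 2.2.10 but 2.2.10 RC does not. The registry is simulated by a dict of constructed values, and the function names are assumptions of this example.

```python
"""Version-number based update decisions, modelled on 6.1.1.2 (DisplayVersion
compared with the latest patch, plus the 'higher version already installed'
warning of 6.1.1.4) and 6.2.11 (RC versus official release).  Added example,
not Heimdal's code; the registry is simulated by a dict of constructed values."""
import re
from typing import Dict, Tuple

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(RC)?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], bool]:
    """'2.2.10 RC' -> ((2, 2, 10), True); '2.2.9' -> ((2, 2, 9), False)."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) is not None


def compare_versions(a: str, b: str) -> int:
    """Three-way compare (-1, 0, 1) on the numeric components only.

    Components are compared as integers and the shorter tuple is padded with
    zeros, so 2.2.9 < 2.2.10 and 2.2 == 2.2.0.  A plain string compare would
    get the first case wrong ('2.2.9' > '2.2.10' lexicographically).  The RC
    tag is deliberately ignored: per the page, 2.2.10 RC counts as equal to
    the 2.2.10 official release and therefore does not update."""
    va, _ = parse_version(a)
    vb, _ = parse_version(b)
    width = max(len(va), len(vb))
    va = va + (0,) * (width - len(va))
    vb = vb + (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def should_update(installed: str, released: str) -> bool:
    """Upgrade only when the installed number is strictly lower than the release."""
    return compare_versions(installed, released) < 0


def patch_decision(registry: Dict[str, Dict[str, str]], app_key: str, latest: str) -> str:
    """Registry walk from 6.1.1.2: no DisplayName -> offer install; older
    DisplayVersion -> patch; equal -> up-to-date; newer than the latest known
    patch -> warning (6.1.1.4)."""
    entry = registry.get(app_key)
    if entry is None or "DisplayName" not in entry:
        return "install"
    order = compare_versions(entry.get("DisplayVersion", "0"), latest)
    if order < 0:
        return "patch"
    if order == 0:
        return "up-to-date"
    return "warning"


# Constructed stand-in for the uninstall registry entries Heimdal would read.
SAMPLE_REGISTRY = {
    "VLC media player": {"DisplayName": "VLC media player", "DisplayVersion": "2.2.4"},
    "7-Zip": {"DisplayName": "7-Zip 16.04", "DisplayVersion": "16.04"},
    "Broken entry": {"DisplayVersion": "1.0"},  # no DisplayName: treated as not installed
}

if __name__ == "__main__":
    for inst, rel in (("2.2.8", "2.2.9"), ("2.2.9 RC", "2.2.9"), ("2.2.9 RC", "2.2.10")):
        print(f"{inst:>10} vs {rel}: update={should_update(inst, rel)}")
    for app, latest in (("VLC media player", "2.2.6"), ("7-Zip", "16.04"), ("Notepad++", "7.2")):
        print(f"{app}: {patch_decision(SAMPLE_REGISTRY, app, latest)}")
```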


*Having a set of endpoints that constantly run the RC (Release Candidate) version of Heimdal can greatly help you anticipate potential issues that Heimdal might cause organization-wide, before releasing a new version to all your endpoints. As a result, we recommend that you enroll 1-2% of your active endpoints into a separate Active Directory group. You can set a specific group policy to that set of endpoints, in order for them to always run the RC version of Heimdal. Our support team will always be within reach, so we can work out the potential issues and ensure that your organization is making the most of what Heimdal Security products have to offer!

7. User interface

7.1.1. The Overview tab

The Overview tab is the home screen of your Heimdal product. It lets you know right away what the overall status of your system is. It can display 3 types of messages and colors:

- Green + "Your computer is healthy" – when your system is safe
- Yellow + "Your computer must be updated" – when there are outdated applications that Heimdal detected and is currently patching
- Red + "Your computer is at risk!" – when your credentials have been compromised

You can initiate a Heimdal scan by clicking on the hexagonal button in the Overview tab. In the bottom left corner of your Heimdal dashboard you will always see how many days you have left of your subscription.

7.1.2. TRAFFIC SCANNING TAB

In the Traffic Scanning tab, you can choose to turn off active traffic scanning or traffic filtering. However, we do not recommend doing so, because it will substantially decrease your protection level.


If you want to find out more about these options, just click on the information balloon next to them.

Auto-disable traffic filtering feature - If Heimdal can’t connect to the cloud servers from your location, Traffic Filtering won’t work properly. This may disconnect your PC from the Internet. To avoid this, you can choose to automatically disable Traffic Filtering. Heimdal will re-enable the feature when it can reconnect to the cloud servers.

If you use Heimdal CORP and you want to activate this option (auto-disable), you can find it in your Group Policy, under Traffic Scanning.

Additionally, by clicking on the Use Proxy button, you can set up your own proxy to create an additional protection layer for your system.


On the right hand side, you will see how many web traffic scans Heimdal has performed on your system in the last 7 days. You can also see how many of the web addresses you accessed were blocked, if any.

7.1.3. MALWARE ENGINE TAB

In the Malware Engine tab, you can choose to turn off active malware scanning. However, we do not recommend doing it, because it will substantially decrease your protection level.

If you want to find out more about this Heimdal PRO capability, just click on the information balloon next to this option for details.

On the right hand side, you will see how many malware scans Heimdal PRO has performed on your system in the last 7 days. You can also see how many malware strains Heimdal has cleaned from your system in the same time frame.


7.1.4. PATCHING SYSTEM TAB

In the Patching System tab, you can choose to turn off the active patching system. However, we do not recommend doing it, because it will substantially decrease your protection level by depriving your software of automatic updates. If you want to find out more about this Heimdal PRO capability, just click on the information balloon next to this option for details.

In this tab you will also see a list of over 20 software applications that Heimdal can patch for you automatically and silently. You can see the latest version available for each of them and check their status:

A green tick = the application is up to date


A line of 2 dynamic dots = the application is being updated

A red exclamation mark = the software couldn’t be patched

A yellow exclamation mark = the application couldn’t be patched because a newer version is already installed

You can also install new software applications with one click. Just click the Install button next to the application you want. The latest version of the application will be installed in your system securely and directly, without having to download an installer and run it. No adware, no additional bundles – just the app you need.

You can also select which applications Heimdal should not patch for you automatically, if you want to. You can do this by deselecting the applications from the “Autoupdate” column. Please keep in mind that this will decrease your security level.


On the right hand side, you can see how many applications Heimdal is monitoring at the moment. You can also see how many updates (patches) Heimdal has applied to your apps in the last 7 days.

7.1.5. VIEW LOG SECTION

In the View Log section you get a bird’s eye view of your system’s security, in the General tab. You can see how the Traffic Filter, Malware Engine and Patching System are working to keep you protected.


If you choose the Software Patches tab in the left hand side menu, you will see which updates have been installed, for which application, which version and on which date.

If you choose the Infections Detected tab, you will see which infections have been found and blocked by Heimdal. You can see when these infections were detected, the malware strain’s name and their status. If no infection has been detected, the tab will be empty.

If you choose the Websites blocked page, you will see a list of infected or potentially dangerous websites that Heimdal has blocked to protect your system. You can see the web address that has been blocked and the date when it was blocked.


7.1.6. SETTINGS TAB

If you want to access the Settings section, click the gear icon on the top right corner.

The first tab you will see is the Settings tab, where you can perform several actions:

Turn the Malware Scanning capability off and on

Increase the interval which determines how often Heimdal will scan your system for malware. The minimum interval is 60 minutes. Increasing this interval may leave you exposed to cyber threats. We recommend you use the default setting.

Turn the Traffic Scanning capability off and on

Configure proxy settings to provide an additional protection layer for your system

Turn the Patching System off and on

Increase the interval which determines how often Heimdal will scan for updates for your software applications. The minimum interval is 120 minutes. Increasing this interval may leave you exposed to cyber threats. We recommend you use the default setting.

Choose to update to beta – this provides you with the option to be among the first to have beta versions of Heimdal installed on your system, which come with enhancements. Not choosing to become part of the beta program means your Heimdal product will be updated to the latest stable release.


From this screen, you can also choose the License tab.

Here, you will be able to perform several actions, depending on your product type.