GravityZone policy best practices for MDR customers
This page offers recommendations for configuring a GravityZone policy for MDR customers, whether they are Customers or Partners with monthly or yearly licensing plans.
Each section of the article corresponds to a specific policy section, outlining the settings within it and the recommended configuration for each. Settings that are not mentioned do not have specific recommendations, so you may configure them as needed.
Important
The recommendations provided reflect best practices. However, they do not guarantee full protection from security incidents for you or your customers.
All recommendations should be tested in your environment before deploying them to production, to ensure the changes do not negatively affect business processes.
Agent
Settings
It is recommended to configure an uninstall password to prevent unauthorized removal of BEST.
For details on how to set the uninstall password, refer to Settings > Uninstall password configuration.
Update
| Setting | Recommended value |
|---|---|
| Product update | Enabled |
| Scheduler > Recurrence | Hourly |
| Scheduler > Check for updates every | 1 |
| Endpoint reboot scheduler > Postpone reboot | Selected |
| Security content update | Enabled |
| Scheduler > Recurrence | Hourly |
| Scheduler > Check for updates every | 1 |
Note
For guidance on configuring the Agent > Update policy section, refer to Update.
Tip
For non-persistent VDIs, disable product updates to avoid frequent reinstalls.
Antimalware
On-Access
| Setting | Recommended value |
|---|---|
| On-access Scanning | Enabled |
| Scan options | Custom |
| File location | |
| Scan local files | Selected |
| File types | All files |
| Scan network files | Selected |
| File types | All files |
| Maximum size | Unselected |
| Scan | |
| New or changed files only | Selected |
| Boot sectors | Selected |
| Process memory | Selected |
| For keyloggers | Selected |
| For potentially unwanted applications (PUA) | Selected |
| Archives | Selected |
| Archive maximum size | At least 10 MB |
| Archive maximum depth (levels) | 2 |
| Deferred scanning | Selected |
| Scan actions | |
| Action for infected objects | Remediate |
| Linux directory scanning | |
| Scan Linux directories | Selected on Linux endpoints. On workstations it has no effect and does not impact system behavior. |
Note
For guidance on configuring the Antimalware > On-Access policy section, refer to On-access.
On-Execute
| Setting | Recommended value |
|---|---|
| Cloud-based Threat Detection | Enabled |
| Advanced Threat Control | Enabled |
| Action for infected applications | Remediate |
| Security level | Normal or Aggressive for workstations, Aggressive for servers |
| Sensitive Registry Protection | Selected |
| Sensitive Registry Protection action | Kill process |
| Kernel-API Monitoring | Selected |
| Fileless Attack Protection | Enabled |
| Command-line Scanner | Selected |
| Antimalware Scan Interface Security Provider | Selected |
| Report analysis results to Antimalware Scan Interface | Selected |
| Ransomware Mitigation | Enabled |
| EFS Protection | Selected |
| Monitoring > Locally | Selected |
| Monitoring > Remotely | Selected |
| Recovery | Automatically |
Note
For guidance on configuring the Antimalware > On-Execute policy section, refer to On-execute.
On-Demand
A daily scan task and a weekly scan task are added, with the following recommended settings:
| Setting | Recommended value for the daily scan task | Recommended value for the weekly scan task |
|---|---|---|
| Scan type | Quick scan | Full scan |
| General | | |
| Scheduler > Start date and time | The day when the task is added, your preferred time (hour and minute) | The day when the task is added, your preferred time (hour and minute) |
| Scheduler > Recurrence | Schedule task to run once every: 1 days | Run task every: your preferred day of the week |
| Options > File types | | |
| Scan | All files | All files |
| Options > Archives | | |
| Scan inside archives | Selected | Selected |
| Limit archive size | At least 100 MB | At least 100 MB |
| Maximum archive depth (levels) | 2 | 2 |
| Options > Miscellaneous | | |
| Scan boot sectors | Selected | Selected |
| Scan UEFI | Selected | Selected |
| Scan registry | Selected | Selected |
| Scan for rootkits | Selected | Selected |
| Scan for keyloggers | Selected | Selected |
| Scan network shares | Selected | Selected |
| Scan memory | Selected | Selected |
| Scan cookies | Selected | Selected |
| Scan only new and changed files | Selected | Selected |
| Scan for potentially unwanted applications (PUA) | Selected | Selected |
| Resume scan after product update | Selected | Selected |
| Preserve last access time | Selected | Selected |
| Options > Actions | | |
| Default action for infected objects | Remediate | Remediate |
| Default action for rootkits | Remediate | Remediate |
Note
For details on adding scan tasks, refer to Configuring scan tasks.
Anti-Tampering
| Setting | Recommended value |
|---|---|
| Anti-Tampering | Enabled |
| Pre-tampering > Vulnerable drivers | Selected |
| Remediation action for vulnerable drivers | Deny access |
| Post-tampering > Callback evasion | Selected |
| Remediation action for callback evasion | Isolate endpoint |
Note
For guidance on configuring the Antimalware > Anti-Tampering policy section, refer to Anti-tampering.
Hyper Detect
| Setting | Recommended value |
|---|---|
| Hyper Detect | Enabled |
| Protection level | |
| All | Selected |
| Targeted attack | For workstations: Normal; for servers: Aggressive |
| Suspicious files and network traffic | For workstations: Normal; for servers: Aggressive |
| Exploits | For workstations: Normal; for servers: Aggressive |
| Ransomware | Aggressive |
| Grayware | For workstations: Normal; for servers: Aggressive |
| Actions | |
| Files | Remediate |
| Extend reporting on higher levels | Selected for workstations, no recommendation for servers |
| Network traffic | Block |
| Extend reporting on higher levels | Selected for workstations, no recommendation for servers |
Note
For guidance on configuring the Antimalware > Hyper Detect policy section, refer to HyperDetect.
Advanced Anti-Exploit
| Setting | Recommended value |
|---|---|
| Advanced Anti-Exploit | Enabled |
| System-wide detections > Windows detections | |
| All | Selected |
| Process introspection | Kill process |
| Privilege escalation | Kill process |
| LSASS protection | Block only |
| System-wide detections > Linux detections | |
| All | Selected on Linux endpoints; not available for workstations |
| Credentials monitoring | Report only or Kill process on Linux endpoints; not available for workstations |
| Ptrace monitoring | Report only or Kill process on Linux endpoints; not available for workstations |
| Namespace monitoring | Report only or Kill process on Linux endpoints; not available for workstations |
| Corruption monitoring | Report only or Kill process on Linux endpoints; not available for workstations |
| SUID monitoring | Report only or Kill process on Linux endpoints; not available for workstations |
Note
For guidance on configuring the Antimalware > Advanced Anti-Exploit policy section, refer to Advanced Anti-Exploit.
Settings
| Setting | Recommended value |
|---|---|
| Quarantine | |
| Delete files older than (days) | 30 |
| Submit quarantined files to Bitdefender Labs every (hours) | Selected, 1 |
| Rescan quarantine after malware security content updates | Selected |
| Copy files to quarantine before applying the remediation action | Selected |
Note
For guidance on configuring the Antimalware > Settings policy section, refer to Settings.
Exclusions
| Setting | Recommended value |
|---|---|
| Exclusions from configuration profiles | Enabled |
| Vendor and product exclusions | Enabled |
| All vendor and product exclusions | Selected |
Note
For guidance on configuring the Antimalware > Exclusions policy section, refer to Exclusions.
Sandbox Analyzer
Endpoint Sensor
| Setting | Recommended value |
|---|---|
| Connection settings > Use Cloud Sandbox Analyzer | Selected |
| Automatic sample submission from managed endpoints | Enabled |
| Analysis mode | Monitoring |
| Remediation actions | |
| Default action | Remediate |
| Content prefiltering | |
| All | Selected |
| Applications | Normal |
| Documents | Normal |
| Scripts | Normal |
| Archives | Normal |
| Emails | Normal |
Note
For guidance on configuring the Sandbox Analyzer > Endpoint Sensor policy section, refer to Sandbox Analyzer.
Firewall
Important
The Firewall module must be configured only for Windows endpoints.
When installed, this module stops the existing Firewall service, but will not remove any existing firewall rules.
To allow MDR to take the Block IP and Block port response actions, this module needs to be enabled.
General
| Setting | Recommended value |
|---|---|
| Firewall | Enabled |
| Log verbosity level | Selected, Low |
| Block port scans | Selected |
| Exclusions | Selected |
| Duplicate to Network Protection | Selected |
Note
For guidance on configuring the Firewall > General policy section, refer to General.
Settings
| Setting | Recommended value |
|---|---|
| Adapters > Wired, Wireless, and Virtual | |
| Network profile | Public |
| Network discovery | Yes |
Note
For guidance on configuring the Firewall > Settings policy section, refer to Settings.
Rules
| Setting | Recommended value |
|---|---|
| Settings | |
| Protection level | Ruleset, known files and allow |
| Create rules for applications blocked by IDS | Selected |
| Monitor process changes | Selected |
| Ignore signed processes | Selected |
Note
For guidance on configuring the Firewall > Rules policy section, refer to Rules.
Network Protection
General
| Setting | Recommended value |
|---|---|
| Network Protection | Enabled |
| General settings | |
| Intercept Encrypted Traffic | Selected |
| Scan HTTPS | Selected |
| Scan POP3S | Selected |
| Exclude finance domains | Selected |
| Scan IMAPS | Selected for workstations, not available for servers |
| Scan MAPI | Selected for workstations, not available for servers |
| Scan SMTPS | Selected for workstations, not available for servers |
| Intercept TLS handshake | Selected |
| Respond with an Access Denied page | Selected |
| Exclusions | Enabled |
Note
For guidance on configuring the Network Protection > General policy section, refer to General.
Web Protection
| Setting | Recommended value |
|---|---|
| Antiphishing | Enabled |
| Default action for suspicious webpages | Block |
| Protection against fraud | Selected |
| Protection against phishing | Selected |
| Web Traffic Scan | Enabled |
| Email Traffic Scan | Enabled |
| Incoming emails (POP3) | Selected |
| Incoming emails (IMAP) | Selected for workstations, not available for servers |
| Outgoing emails (SMTP) | Selected |
Note
For guidance on configuring the Network Protection > Web Protection policy section, refer to Web Protection.
Network Attacks
| Setting | Recommended value |
|---|---|
| Network Attack Defense | Enabled |
| Server traffic scan | Enabled for servers, not available for workstations |
| Inspect encrypted domain controller traffic | Selected for servers, not available for workstations |
| Inspect RDP traffic | Enabled |
| Attack techniques | |
| All | Selected |
| Initial Access | Block |
| Credential Access | Block |
| Discovery | Block |
| Lateral Movement | Block |
| Crimeware | Block |
Note
For guidance on configuring the Network Protection > Network Attacks policy section, refer to Network Attacks.
Incidents Sensor
General
| Setting | Recommended value |
|---|---|
| Incidents Sensor | Enabled |
| EDR response actions | Selected |
| Prevent process execution | Selected |
| Terminate the running process | Selected |
Note
For guidance on configuring the Incidents Sensor > General policy section, refer to Incidents Sensor.
Risk Management
General
| Setting | Recommended value |
|---|---|
| ERA | Enabled |
| Scheduler | |
| Recurrence > Schedule task to run once every | 1 days |
| If scheduled run time is missed, run task as soon as possible | Selected |
| Exclude NSVA IPs from scanning | Selected |
Note
For guidance on configuring the Risk Management > General policy section, refer to Risk Management.
Blocklist
| Setting | Recommended value |
|---|---|
| Blocklist | Enabled |
| Application hash | Selected |
| Application path | Selected |
| Network connection | Selected |
Note
For guidance on configuring the Blocklist policy section, refer to Blocklist.
Additional policy configuration recommendations
The modules listed below are also recommended for activation:
Patch Management
Device Control
Live Search
Encryption