GravityZone policy best practices for MDR customers
This page offers recommendations for configuring a GravityZone policy for MDR customers, whether they are Customers or Partners with monthly or yearly licensing plans.
Each section of the article corresponds to a specific policy section, outlining the settings within it and the recommended configuration for each. Settings that are not mentioned do not have specific recommendations, so you may configure them as needed.
Important
The recommendations provided reflect best practices. However, they do not guarantee full protection from security incidents for you or your customers.
All recommendations should be tested in your environment before deploying them to production, to ensure the changes do not negatively affect business processes.
Agent
Settings
| Page section | Setting | Recommended value |
|---|---|---|
| Uninstall password configuration | Set uninstall password | Selected and configured |
Important
It is recommended to configure an uninstall password to prevent unauthorized removal of BEST.
For details on how to set the uninstall password, refer to Settings > Uninstall password configuration.
Update
| Page section | Setting | Recommended value |
|---|---|---|
| Product update | Product update | Enabled |
| | Scheduler > Recurrence | Hourly |
| | Scheduler > Check for updates every | 1 hour |
| | Endpoint reboot scheduler > Postpone reboot | Selected |
| Security content update | Security content update | Enabled |
| | Scheduler > Recurrence | Hourly |
| | Scheduler > Check for updates every | 1 hour |
Note
For guidance on configuring the Agent > Update policy section, refer to Update.
Tip
For non-persistent VDIs, disable product updates to avoid frequent reinstalls.
Antimalware
On-Access
| Page section | Setting | Recommended value |
|---|---|---|
| On-access Scanning | On-access Scanning | Enabled |
| | Scan options | Custom |
| File location | Scan local files | Selected; All files |
| | Scan network files | Selected; All files |
| | Maximum size | Unselected |
| Scan | New or changed files only | Selected |
| | Boot sectors | Selected |
| | Process memory | Selected |
| | For keyloggers | Selected |
| | For potentially unwanted applications (PUA) | Selected |
| | Archives | Selected |
| | Archive maximum size | At least 10 MB |
| | Archive maximum depth (levels) | 2 |
| | Deferred scanning | Selected |
| Scan actions | Action for infected objects | Remediate |
| Linux directory scanning | Scan Linux directories | Selected (this setting applies only to Linux endpoints and has no effect on other operating systems) |
Note
For guidance on configuring the Antimalware > On-Access policy section, refer to On-access.
On-Execute
| Page section | Setting | Recommended value |
|---|---|---|
| Cloud-based Threat Detection | Cloud-based Threat Detection | Enabled |
| Advanced Threat Control | Advanced Threat Control | Enabled |
| | Action for infected applications | Remediate |
| | Security level | Workstations: Normal or Aggressive; Servers: Aggressive |
| | Sensitive Registry Protection | Selected; Kill process |
| | Kernel-API Monitoring | Selected |
| Fileless Attack Protection | Fileless Attack Protection | Enabled |
| | Command-line Scanner | Selected |
| | Antimalware Scan Interface Security Provider | Selected |
| | Report analysis results to Antimalware Scan Interface | Selected |
| Ransomware Mitigation | Ransomware Mitigation | Enabled |
| | EFS Protection | Selected |
| | Monitoring > Locally | Selected |
| | Monitoring > Remotely | Selected |
| | Recovery | Automatically |
Note
For guidance on configuring the Antimalware > On-Execute policy section, refer to On-execute.
On-Demand
Add a Quick scan task and a Full scan task with the following recommended settings:
| Page section | Setting | Recommended value (Quick scan) | Recommended value (Full scan) |
|---|---|---|---|
| General > Scheduler | Start date and time | As soon as possible | As soon as possible |
| | Recurrence > Schedule task to run once every | 1 days | n/a |
| | Recurrence > Run task every | n/a | Your preferred day of the week |
| Options > File types | Scan | All files | All files |
| Options > Archives | Scan inside archives | Selected | Selected |
| | Limit archive size | At least 100 MB | At least 100 MB |
| | Maximum archive depth (levels) | 2 | 2 |
| Options > Miscellaneous | All settings | Selected | Selected |
| Options > Actions | Default action for infected objects | Remediate | Remediate |
| | Default action for rootkits | Remediate | Remediate |
Note
For details on adding scan tasks, refer to Configuring scan tasks.
Anti-Tampering
| Page section | Setting | Recommended value |
|---|---|---|
| Anti-Tampering | Anti-Tampering | Enabled |
| | Vulnerable drivers | Selected |
| | Remediation action for vulnerable drivers | Deny access |
| | Callback evasion | Selected |
| | Remediation action for callback evasion | Isolate endpoint |
Note
For guidance on configuring the Antimalware > Anti-Tampering policy section, refer to Anti-tampering.
Hyper Detect
| Page section | Setting | Recommended value |
|---|---|---|
| Hyper Detect | Hyper Detect | Enabled |
| Protection level | All | Selected |
| | Targeted attack | Workstations: Normal; Servers: Aggressive |
| | Suspicious files and network traffic | Workstations: Normal; Servers: Aggressive |
| | Exploits | Workstations: Normal; Servers: Aggressive |
| | Ransomware | Aggressive |
| | Grayware | Workstations: Normal; Servers: Aggressive |
| Actions | Files | Remediate |
| | Files > Extend reporting on higher levels | Workstations: Selected; Servers: No recommendation |
| | Network traffic | Block |
| | Network traffic > Extend reporting on higher levels | Workstations: Selected; Servers: No recommendation |
Note
For guidance on configuring the Antimalware > Hyper Detect policy section, refer to HyperDetect.
Advanced Anti-Exploit
| Page section | Setting | Recommended value |
|---|---|---|
| Advanced Anti-exploit | Advanced Anti-exploit | Enabled |
| System-wide detections > Windows | All | Selected |
| | Process introspection | Kill process |
| | Privilege escalation | Kill process |
| | LSASS protection | Block only |
| System-wide detections > Linux | All | Selected; Report only or Kill process |
Note
For guidance on configuring the Antimalware > Advanced Anti-Exploit policy section, refer to Advanced Anti-Exploit.
Settings
| Page section | Setting | Recommended value |
|---|---|---|
| Quarantine | Delete files older than (days) | 30 |
| | Submit quarantined files to Bitdefender Labs every (hours) | Selected; 1 |
| | Rescan quarantine after malware security content updates | Selected |
| | Copy files to quarantine before applying the remediation action | Selected |
Note
For guidance on configuring the Antimalware > Settings policy section, refer to Settings.
Exclusions
| Setting | Recommended value |
|---|---|
| Exclusions from configuration profiles | Enabled |
| Vendor and product exclusions | Enabled |
| All vendor and product exclusions | Selected |
Note
For guidance on configuring the Antimalware > Exclusions policy section, refer to Exclusions.
Sandbox Analyzer
Endpoint Sensor
| Page section | Setting | Recommended value |
|---|---|---|
| Connection settings | Use Cloud Sandbox Analyzer | Selected |
| Automatic sample submission from managed endpoints | Automatic sample submission from managed endpoints | Enabled |
| | Analysis mode > Monitoring | Selected |
| | Remediation actions > Default action | Remediate |
| Content prefiltering | All | Selected; Normal |
Note
For guidance on configuring the Sandbox Analyzer > Endpoint Sensor policy section, refer to Sandbox Analyzer.
Firewall
Important
The Firewall module must be configured only for Windows endpoints.
When installed, this module stops the existing Firewall service, but will not remove any existing firewall rules.
To allow MDR to take the Block IP and Block port response actions, this module needs to be enabled.
General
| Page section | Setting | Recommended value |
|---|---|---|
| Firewall | Firewall | Enabled |
| | Log verbosity level | Selected; Low |
| | Block port scans | Selected |
| | Exclusions | Selected |
| | Duplicate to Network Protection | Selected |
Note
For guidance on configuring the Firewall > General policy section, refer to General.
Settings
| Page section | Setting | Recommended value |
|---|---|---|
| Adapters | Network profile | Public (for all adapter types) |
| | Network discovery | Yes (for all adapter types) |
Note
For guidance on configuring the Firewall > Settings policy section, refer to Settings.
Rules
| Page section | Setting | Recommended value |
|---|---|---|
| Settings | Protection level | Ruleset, known files and allow |
| | Create rules for applications blocked by IDS | Selected |
| | Monitor process changes | Selected |
| | Ignore signed processes | Selected |
Note
For guidance on configuring the Firewall > Rules policy section, refer to Rules.
Network Protection
General
| Page section | Setting | Recommended value |
|---|---|---|
| Network Protection | Network Protection | Enabled |
| General settings | Intercept Encrypted Traffic | Selected |
| | Scan HTTPS | Selected |
| | Scan POP3S | Selected |
| | Exclude finance domains | Selected |
| | Scan IMAPS | Workstations: Selected; Servers: Not available |
| | Scan MAPI | Workstations: Selected; Servers: Not available |
| | Scan SMTPS | Workstations: Selected; Servers: Not available |
| | Intercept TLS handshake | Selected |
| | Respond with an Access Denied page | Selected |
| Exclusions | Exclusions | Enabled |
Note
For guidance on configuring the Network Protection > General policy section, refer to General.
Web Protection
| Page section | Setting | Recommended value |
|---|---|---|
| Antiphishing | Antiphishing | Enabled |
| | Default action for suspicious webpages | Block |
| | Protection against fraud | Selected |
| | Protection against phishing | Selected |
| Web Traffic Scan | Web Traffic Scan | Enabled |
| Email Traffic Scan | Email Traffic Scan | Enabled |
| | Incoming emails (POP3) | Selected |
| | Incoming emails (IMAP) | Workstations: Selected; Servers: Not available |
| | Outgoing emails (SMTP) | Selected |
Note
For guidance on configuring the Network Protection > Web Protection policy section, refer to Web Protection.
Network Attacks
| Page section | Setting | Recommended value |
|---|---|---|
| Network Attack Defense | Network Attack Defense | Enabled |
| Server traffic scan | Server traffic scan | Servers: Enabled; Workstations: Not available |
| | Inspect encrypted domain controller traffic | Selected |
| Inspect RDP traffic | Inspect RDP traffic | Enabled |
| Attack techniques | All | Selected; Block |
Note
For guidance on configuring the Network Protection > Network Attacks policy section, refer to Network Attacks.
Incidents Sensor
General
| Page section | Setting | Recommended value |
|---|---|---|
| Incidents Sensor | Incidents Sensor | Enabled |
| | EDR response actions | Selected |
| | Prevent process execution | Selected |
| | Terminate the running process | Selected |
Note
For guidance on configuring the Incidents Sensor > General policy section, refer to Incidents Sensor.
Risk Management
General
| Page section | Setting | Recommended value |
|---|---|---|
| Risk Management | Risk Management | Enabled |
| Scheduler | Recurrence > Schedule task to run once every | 1 days |
| | If scheduled run time is missed, run task as soon as possible | Selected |
| | Exclude NSVA IPs from scanning | Selected |
Note
For guidance on configuring the Risk Management > General policy section, refer to Risk Management.
Blocklist
| Page section | Setting | Recommended value |
|---|---|---|
| Blocklist | Blocklist | Enabled |
| | Application hash | Selected |
| | Application path | Selected |
| | Network connection | Selected |
Note
For guidance on configuring the Blocklist policy section, refer to Blocklist.
Additional policy configuration recommendations
The modules listed below are also recommended for activation: