Configuration
On-Access
In this section you can configure the antimalware protection components:
Important
This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode.
On-access Scanning
On-access scanning prevents new malware threats from entering the system by scanning local and network files when they are accessed (opened, moved, copied or executed), boot sectors and potentially unwanted applications (PUA).
Note
This feature has certain limitations on Linux-based systems. For details, see to the requirements for GravityZone.
To configure on-access scanning:
Use the check box to turn on-access scanning on or off.
Warning
If you turn off on-access scanning, endpoints will be vulnerable to malware.
For a quick configuration, select the security level that best suits your needs (Aggressive, Normal or Permissive).
Use the description on the right side of the scale to guide your choice.
You can configure the scan settings in detail by selecting the Custom protection level and clicking the Settings link.
This will display the On-access scanning settings window, containing several options organized under the General and Advanced tabs.
The Advanced tab addresses the on-access scanning for Linux machines. Use the checkbox to turn it on or off.
In the table below, you can configure the Linux directories you want to scan. By default, there are five entries, each one corresponding to a specific location on endpoints:
/home,/bin,/sbin,/usr,/etc.To add more entries:
Write down any custom location name in the search field, at the upper side of the table.
Select the predefined directories from the list displayed when clicking the arrow at the right-end of the search field.
Click the
Add button to save a location to the table and the 
Delete button to remove it.
General tab options:
File location - Use these options to specify which types of files you want to be scanned. Scanning preferences can be configured separately for local files (stored on the local endpoint) or network files (stored on network shares).
If antimalware protection is installed on all computers in the network, you may disable the network files scan to allow a faster network access.
You can set the security agent to scan all accessed files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.
Scanning all accessed files provides the best protection, while scanning applications only can increase the system's performance.
Note
Application files are considerably more vulnerable to malware attacks than other types of files. For more information, refer to Application file types.
If you want only specific extensions to be scanned, choose User defined extensions from the menu and then enter the extensions in the edit field, pressing
Enterafter each extension.Note
On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example,
file.txtis different fromfile.TXT.For system performance reasons, you can also exclude large files from scanning.
Select Maximum size (MB) checkbox and specify the size limit of the files which will be scanned. Use this option wisely because malware can affect larger files too.
Scan - Select the corresponding check boxes to enable the desired scan options:
Only new or changed files
By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.
Boot sectors
Scans the system’s boot sector.
This sector of the hard disk contains the necessary code to start the boot process.
When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.
Process memory
Scans the memory of a process to detect in-memory malicious behavior.
For keyloggers
Keyloggers record what you type on your keyboard and send reports over the Internet to a malicious person (hacker).
The hacker can find out sensitive information from the stolen data, such as bank account numbers and passwords, and use it to gain personal benefits.
For Potentially Unwanted Applications (PUA)
A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down the PC performance.
Archives
Select this option if you want to enable on-access scanning of archived files. Scanning inside archives is a slow and resource-intensive process, which is therefore not recommended for real-time protection. Archives containing infected files are not an immediate threat to system security. The malware can affect the system only if the infected file is extracted from the archive and executed without having on-access scanning enabled.
If you decide on using this option, you can configure the following optimization options:
Archive maximum size (MB)
You can set a maximum accepted size limit of archives to be scanned on-access.
Select the corresponding check box and type the maximum archive size (in MB).
Archive maximum depth (levels)
Select the corresponding check box and choose the maximum archive depth from the menu.
For best performance choose the lowest value, for maximum protection choose the highest value.
Deferred scanning
Deferred scanning improves system performance when performing file access operations. For example, system resources are not affected when large files are copied. This option is enabled by default.
Scan actions - Depending on the type of detected file, the following actions are taken automatically:
Default action for infected files
Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.
Bitdefender security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.
By default, if an infected file is detected, Bitdefender security agent will automatically attempt to disinfect it.
If disinfection fails, the file is moved to quarantine to contain the infection.
You can change this recommended flow according to your needs.
Important
For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.
Default action for suspect files
Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.
These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.
Suspect files cannot be disinfected, because no disinfection routine is available.
When a suspect file is detected, users will be denied access to that file to prevent a potential infection.
Though not recommended, you can change the default actions. You can define two actions for each type of file. The following actions are available:
Deny access
Deny access to detected files.
Important
For MAC endpoints, Move to quarantine action is taken instead of Deny access.
Disinfect
Remove the malware code from infected files. It is recommended to always keep this as the first action to be taken on infected files.
Delete
Delete detected files from the disk, without any warning. It is advisable to avoid using this action.
Move to quarantine
Move detected files from their current location to the quarantine folder. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page of the console.
Take no action
Only report the infected files detected by Bitdefender.
Ransomware Vaccine
Ransomware vaccine immunizes your machines against known ransomware blocking the encryption process even if the computer is infected. Use the check box to turn Ransomware vaccine on or off.
The Ransomware vaccine feature is deactivated by default. Bitdefender Labs analyze the behavior of widespread ransomware, and new signatures are delivered with each security content update, to address the latest threats.
Warning
To further increase protection against ransomware infections, be cautious about unsolicited or suspicious attachments and make sure security content is updated.
Note
Ransomware vaccine is available only if machines are protected by Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).
DazukoFS third-party kernel module
DazukoFS third-party kernel module enables Bitdefender Endpoint Security Tools to perform on-access scanning on Linux. For information on enabling on-access scanning and specifying the directories to be scanned on Linux, refer to the Antimalware On-access scanning section.
The Linux version of Bitdefender Endpoint Security Tools includes an on-access scanning module that, for specific Linux distributions and kernel versions, requires the third-party DazukoFS loadable kernel module. DazukoFS is a stackable file system that enables third-party applications to control file access on Linux systems.
The Bitdefender Endpoint Security Tools installation package includes and automatically installs DazukoFS for select supported Linux kernel versions. The DazukoFS package shipped with Bitdefender Endpoint Security Tools is compiled for the kernel versions listed in the table below. To use on-access scanning on supported Linux distributions with lower or kernel versions unsupported by DazukoFS, you must compile the DazukoFS package for the corresponding kernel. contact Bitdefender Enterprise Support and enquire about the availability of a solution.
Linux Distribution | Kernel version |
Debian 5.0, 6.0 | 2.6.18 - 2.6.37 |
Ubuntu 10.04 LTS | |
CentOS 6.x | |
Red Hat Enterprise Linux 6.x |
Important
DazukoFS is a legacy solution. To perform on-access scanning on Linux systems with kernel versions 2.6.38 and higher, you need to enable Fanotify. For the on-access scanning requirements on Linux, including the list of kernels supporting DazukoFS and Fanotify, refer to this topic.
To learn more about possible issues with on-access scanning on Linux, refer to On-access scanning in Bitdefender Endpoint Security Tools for Linux.
Other useful topics:
DazukoFS limitations
For DazukoFS and on-access scanning module to work together, a series of conditions must be met. Please check if any of the statements below apply to your Linux system and follow the guidelines to avoid issues:
DazukoFS supports kernels up to version 2.6.37.
The SELinux policy must be either disabled or set to permissive. To check and adjust the SELinux policy setting, edit the /etc/selinux/config file.
Bitdefender Endpoint Security Tools is exclusively compatible with the DazukoFS version included in the installation package. If DazukoFS is already installed on the system, remove it prior to installing Bitdefender Endpoint Security Tools .
If the DazukoFS package shipped with Bitdefender Endpoint Security Tools is not compatible with the system's kernel version, the module will fail to load. In such case, you can either update the kernel to the supported version or contact Bitdefender Enterprise Support and enquire about the availability of a solution.
When sharing files using dedicated servers such as NFS, UNFSv3 or Samba, you have to start the services in the following order:
Enable on-access scanning from Control Center. For more information, refer to On-Access policy settings.
Start the network sharing service.
For NFS:
# service nfs startFor UNFSv3:
# service unfs3 startFor Samba:
# service smbd startImportant
For the NFS service, DazukoFS is compatible only with NFS User Server.
On-Execute
In this section you can configure protection against malicious processes, when they are executed. It covers the following protection layers:
Note
The range of actions you can take may vary depending on the license included in your current plan.
Cloud-based threat detection
Cloud-based threat detection technology identifies advanced threats running cloud-based machine learning algorithms, while ensuring on-the-fly updates. This technology improves the efficiency of your environment by lowering the required local disk footprint and resources consumption.
Important
This cloud scanning technology is used only when the security agent installed on endpoints is set to operate in EDR (Report only) mode in Bitdefender EDR standalone for MSP.
This technology comprises to major components:
The Content Extractor - It extracts metadata from your environment and sends it to the cloud for processing.
The Threat Detector - It receives metadata packs from the Content Extractor, analyzes the information using stat-of-the-art machine learning and heuristic algorithms, and based on the results it generates a detection.
This component does not have the need to directly access files, buffers, memory, or operating system files. It requires a small disk footprint and can be updated on-the-fly.
Use the check box to turn Cloud-based threat detection on or off.
Advanced Threat Control
Bitdefender Advanced Threat Control is a proactive detection technology which uses advanced heuristic methods to detect new potential threats in real time.
Note
This module is available for:
Windows for workstations (modern and legacy versions)
Windows for servers (modern and legacy versions)
macOS starting with OS X El Capitan (10.11)
Advanced Threat Control continuously monitors the applications running on the endpoint, looking for malware-like actions. Each of these actions is scored and an overall score is computed for each process. When the overall score for a process reaches a given threshold, the process is considered to be harmful. Advanced Threat Control will automatically try to disinfect the detected file. If the disinfection routine fails, Advanced Threat Control will delete the file.
Note
Before applying the disinfect action, a copy of the file is sent to quarantine so as you can restore the file later, in the case of a false positive. This action can be configured using the Copy files to quarantine before applying the disinfect action option available in the Antimalware > Settings tab of the policy settings. This option is enabled by default in the policy templates.
To configure Advanced Threat Control:
Use the check box to turn Advanced Threat Control on or off.
Warning
If you turn off Advanced Threat Control, computers will be vulnerable to unknown malware.
The default action for infected applications detected by Advanced Threat Control is disinfect. You can set another default action, using the available menu:
Block - to deny access to the infected application.
Take no action - to only report the infected applications detected by Bitdefender.
Click the security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.
As you set the protection level higher, Advanced Threat Control will require fewer signs of malware-like behavior to report a process. This will lead to a higher number of applications being reported and, at the same time, to an increased likelihood of false positives (clean applications detected as malicious).
Note
It is highly recommended to create exclusion rules for commonly used or known applications to prevent false positives (incorrect detection of legitimate applications).
Go to the Antimalware > Settings tab and configure the ATC/IDS process exclusion rules for trusted applications.
Fileless Attack Protection
Fileless Attack Protection is set by default to detect and block fileless malware at pre-execution, including terminating PowerShell running malicious command line, blocking malicious traffic, analyzing memory buffer prior to code injection, and blocking the code injection process.
You can configure it as follows:
Command-Line Scanner detects fileless attacks at pre-execution stage.
Antimalware Scan Interface Security Provider scans content at a deeper level using Windows Antimalware Scan Interface (AMSI) integration. Scripts, files, URLs, and others are sent by different services that require a security analysis before accessing, running, or writing them to the disk. Additionally, you can control whether to report the outcome of the Antimalware module analysis further to the AMSI services or not.
Note
This module is available for:
Windows for workstations (modern versions)
Windows for servers (modern versions)
Ransomware Mitigation
Ransomware Mitigation uses detection and remediation technologies to keep your data safe from ransomware attacks. Whether the ransomware is known or new, GravityZone detects abnormal encryption attempts and blocks the process. Afterwards, it recovers the files from backup copies and restores them to their original location.
Requirements
Important
Ransomware Mitigation requires Advanced Threat Control and On-access Scanning, available when the security agent installed on endpoints is set to run in Detection and prevention mode.
For information about supported OS and disk space requirements, refer to Ransomware Mitigation.
Behavior
File monitoring. The entire system is monitored, except for the user’s temporary folder, c:\Users\{name}\AppData\Local\Temp\. For information about what file types are being monitored, refer to Ransomware Mitigation.
The backup process. The backup process is triggered whenever a suspicious process tries to modify a file. The retention period for backup files is 30 days. After a file is restored successfully, its backup is deleted from storage.
Note
Backups are available for files which are 15 MB in size, or smaller.
Naming convention for restored files. The files are restored in their original location, next to their encrypted version. The naming convention for a restored file follows this pattern: OriginalName - Restored.OriginalExtension. If that name already exists within the target directory, the naming convention changes to OriginalName – Restored(2).OriginalExtension.
IP block for remote attacks. In case of a remote attack, an IP block is instituted for two hours, or until there is a system restart.
Configuration
To configure Ransomware Mitigation:
Select the Ransomware Mitigation check box under the Antimalware > On-Execute policy section to enable the feature.
Select the monitoring modes you want to use:
Locally - GravityZone monitors the processes and detects ransomware attacks initiated locally on the endpoint. It is recommended for workstations. Use with caution on servers due to performance impact.
Remote - GravityZone monitors access to network share paths and detects ransomware attacks that are initiated from another machine. Use this option if the endpoint is a file server or has network shares enabled.
Select the recovery method:
On-demand - You manually choose the attacks from which to recover the files. You can do this from the Reports > Ransomware Activity page at any time of your convenience, but no later than 30 days from the attack. After this time, recovery will no longer be possible.
Automatic - GravityZone automatically recovers the files right after a ransomware detection.
For the recovery to be successful, endpoints need to be available.
Monitoring
Once enabled, you have multiple options to check if your network is under a ransomware attack:
Check notifications and look for Ransomware Detection.
For more information on this notification, refer to Notification Types.
Check the Reports section.
The Security Audit report displays information about remote ransomware attacks.
The Ransomware Activity report lays out data related to both local and remote attacks. Inside this page you can also launch recovery tasks, if needed.
In case you notice a detection that is a legitimate encryption process, have certain paths where you allow file encryption, or allow remote access from certain machines, add exclusions to the Antimalware > Custom Exclusions policy section. Ransomware Mitigation allows exclusions on folder, process, and IP/mask.
On-Demand
In this section, you can add and configure antimalware scan tasks that will run regularly on the target computers, according to the defined schedule.
Important
This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode.
The scanning is performed silently in the background, regardless the user is logged in the system or not.
Though not mandatory, it is recommended to schedule a comprehensive system scan to run weekly on all endpoints. Scanning endpoints regularly is a proactive security measure that can help detect and block malware that might evade real-time protection features.
Besides regular scans, you can also configure the automatic detection and scanning of external storage media.
Managing scan tasks
The Scan Tasks table informs you of the existing scan tasks, providing important information on each of them:
Task name and type.
Schedule based on which the task runs regularly (recurrence).
Time when the task was first run.
You can add and configure the following types of scan tasks:
Quick Scan uses in-the-cloud scanning to detect malware running in the system. Running a Quick Scan usually takes less than a minute and uses a fraction of the system resources needed by a regular virus scan.
When malware or rootkits are found, Bitdefender automatically proceeds with disinfection. If, for any reason, the file cannot be disinfected, then it is moved to quarantine. This type of scanning ignores suspicious files.
The Quick Scan is a default scan task with preconfigured options that cannot be changed. You can add only one quick scan task for the same policy.
Full Scan checks the entire endpoint for all types of malware threatening its security, such as viruses, spyware, adware, rootkits and others.
Bitdefender automatically tries to disinfect files detected with malware. In case malware cannot be removed, it is contained in quarantine, where it cannot do any harm. Suspicious files are being ignored. If you want to take action on suspicious files as well, or if you want other default actions for infected files, then choose to run a Custom Scan.
The Full Scan is a default scan task with preconfigured options that cannot be changed. You can add only one full scan task for the same policy.
Custom Scan allows you to choose the specific locations to be scanned and to configure the scan options.
Network Scan is a type of custom scan, which allows assigning one single managed endpoint to scan network drives, then configuring the scan options and the specific locations to be scanned. For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.
The recurrent network scan task will be sent only to the selected scanner endpoint. If the selected endpoint is unavailable, the local scanning settings will apply.
Note
You can create network scan tasks only within a policy that is already applied to an endpoint which can be used as a scanner.
Besides the default scan tasks (which you cannot delete or duplicate), you can create as many custom and network scan tasks as you want.
To create and configure a new custom or network scan task, click the 
Add button at the right side of the table.
To change the settings of an existing scan task, click the name of that task.
To remove a task from the list, select the task and click the 
Delete button at the right side of the table.
Configuring scan tasks
The scan task settings are organized under three tabs:
General - set task name and execution schedule.
Options - choose a scan profile for quick configuration of the scan settings and define scan settings for a custom scan.
Target - select the files and folders to be scanned and define scan exclusions.
Options are described hereinafter from the first tab to the last:
Details
Choose a suggestive name for the task to help easily identify what it is about. When choosing a name, consider the scan task target and possibly the scan settings.
By default, scan tasks run with decreased priority. This way, Bitdefender allows other programs to run faster, but increases the time needed for the scan process to finish. Use the Run the task with low priority check box to disable or re-enable this feature.
Note
This option applies only to Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).
Select the Shut down computer when scan is finished check box to turn off your machine if you do not intend to use it for a while.
Note
This option applies to Bitdefender Endpoint Security Tools, Endpoint Security (legacy agent) and Bitdefender Endpoint Security Tools.
Scheduler
Use the scheduling options to configure the scan schedule.
You can set the scan to run every few hours, days or weeks, starting with a specified date and time.
Endpoints must be powered-on when the schedule is due. A scheduled scan will not run when due if the machine is turned off, hibernating or in sleep mode. In such situations, the scan will be postponed until next time.
Note
The scheduled scan will run at the target endpoint local time. For example, if the scheduled scan is set to start at 6:00 PM and the endpoint is in a different timezone than Control Center, the scanning will start at 6:00 PM (endpoint time).
Optionally, you can specify what happens when the scan task could not start at the scheduled time (endpoint was offline or shutdown). Use the option If scheduled run time is missed, run task as soon as possible according to your needs:
When you leave the option unchecked, the scan task will attempt to run again at the next scheduled time.
When you select the option, you force the scan to run as soon as possible. To fine-tune the best timing for the scan runtime and avoid disturbing the user during the work hours, select Skip if next scheduled scan is due to start in less than, then specify the interval that you want.
Scan Options
Click the security level that best suits your needs (Aggressive, Normal or Permissive).
Use the description on the right side of the scale to guide your choice.
Based on the selected profile, the scan options in the Settings section are automatically configured. However, if you want to, you can configure them in detail.
To do that, select the Custom check box and then go to the Settings section.
File Types
Use these options to specify which types of files you want to be scanned.
You can set the security agent to scan all files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.
Scanning all files provides best protection, while scanning applications only can be used to perform a quicker scan.
Note
Application files are far more vulnerable to malware attacks than other types of files.
For more information, refer to Application file types.
If you want only specific extensions to be scanned, choose User Defined Extensions from the menu and then enter the extensions in the edit field, pressing
Enterafter each extension.Archives
Archives containing infected files are not an immediate threat to system security.
The malware can affect the system only if the infected file is extracted from the archive and executed without having real-time protection enabled.
However, it is recommended to use this option in order to detect and remove any potential threat, even if it is not an immediate threat.
Note
Scanning archived files increases the overall scanning time and requires more system resources.
Scan inside archives
Select this option if you want to check archived files for malware.
If you decide on using this option, you can configure the following optimization options:
Limit archive size to (MB)
You can set a maximum accepted size limit of archives to be scanned.
Select the corresponding check box and type the maximum archive size (in MB).
Maximum archive depth (levels)
Select the corresponding check box and choose the maximum archive depth from the menu.
For best performance choose the lowest value, for maximum protection choose the highest value.
Scan email archives
Select this option if you want to enable scanning of email message files and email databases, including file formats such as .eml, .msg, .pst, .dbx, .mbx, .tbb and others.
Note
Email archive scanning is resource intensive and can impact system performance.
Miscellaneous
Select the corresponding check boxes to enable the desired scan options.
Scan boot sectors
Scans the system’s boot sector.
This sector of the hard disk contains the necessary code to start the boot process.
When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.
Scan registry
Select this option to scan registry keys.
Windows Registry is a database that stores configuration settings and options for the Windows operating system components, as well as for installed applications.
Scan for rootkits
Select this option to scan for rootkits and objects hidden using such software.
Scan for keyloggers
Select this option to scan for keylogger software.
Scan network shares
This option scans mounted network drives.
For quick scans, this option is deactivated by default. For full scans, it is activated by default. For custom scans, if you set the security level to Aggressive/Normal, the Scan network shares option is automatically enabled. If you set the security level to Permissive, the Scan network shares option is automatically disabled.
Scan memory
Select this option to scan programs running in the system's memory.
Scan cookies
Select this option to scan the cookies stored by browsers on the endpoint.
Scan only new and changed files
By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.
Scan for Potentially Unwanted Applications (PUA)
A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down the PC performance.
Resume Scan after Product Update
Select this option to automatically resume on-demand scan tasks after being interrupted.
Actions
Depending on the type of detected file, the following actions are taken automatically:
Default action for infected files
Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.
The security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.
If an infected file is detected, the security agent will automatically attempt to disinfect it.
If disinfection fails, the file is moved to quarantine in order to contain the infection.
Important
For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.
Default action for suspect files
Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.
These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.
Suspect files cannot be disinfected, because no disinfection routine is available.
Scan tasks are configured by default to ignore suspect files.
You may want to change the default action in order to move suspect files to quarantine.
Quarantined files are sent for analysis to Bitdefender Labs on a regular basis.
If malware presence is confirmed, a signature is released to allow removing the malware.
Default action for rootkits
Rootkits represent specialized software used to hide files from the operating system.
Though not malicious in nature, rootkits are often used to hide malware or to conceal the presence of an intruder into the system.
Detected rootkits and hidden files are ignored by default.
Though not recommended, you can change the default actions.
You can specify a second action to be taken if the first one fails and different actions for each category.
Choose from the corresponding menus the first and the second action to be taken on each type of detected file.
The following actions are available:
Take no action
No action will be taken on detected files. These files will only appear in the scan log.
Disinfect
Remove the malware code from infected files.
It is recommended to always keep this as the first action to be taken on infected files.
Delete
Delete detected files from the disk, without any warning.
It is advisable to avoid using this action.
Move to quarantine
Move detected files from their current location to the quarantine folder.
Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears.
You can manage quarantine files from the quarantine Quarantine page of the console.
Scan Target
Add to the list all the locations you want to be scanned on the target computers.
To add a new file or folder to be scanned:
Choose a predefined location from the drop-down menu or enter the Specific paths you want to scan.
Specify the path to the object to be scanned in the edit field.
If you have chosen a predefined location, complete the path as needed.
For example, to scan the entire
Program Filesfolder, it suffices to select the corresponding predefined location from the drop-down menu.To scan a specific folder from
Program Files, you must complete the path by adding a backslash (\) and the folder name.If you have chosen Specific paths, enter the full path to the object to be scanned.
It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
Click the corresponding
Add button.
To edit an existing location, click it.
To remove a location from the list, move the cursor over it and click the corresponding
Delete button.For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.
Exclusions
You can either use the exclusions defined in the Antimalware > Exclusions section of the current policy, or you can define custom exclusions for the current scan task.
For more details, refer to Exclusions.
Scan settings
These settings allow you to change the default behavior of two scan types: Contextual scan and External devices scan.
Contextual scan
Right-click on local files or folders to start a scan directly from the Windows Explorer contextual menu.
The Contextual scan policy settings allow you to change the default behavior of this type of scan.
External devices scan
These settings allow you to customize the scans performed on external devices.
For both scan types, you can set how aggressive or permissive the scans are, what is being scanned, the type of threats the scans are searching for, and what actions BEST should take once suspicious activity is detected.
Device scanning
You can configure the security agent to automatically detect and scan external storage devices when they are connected to a Windows endpoint.
Detected devices fall into one of these categories:
CDs/DVDs
USB storage devices, such as flash pens and external hard-drives
Devices with more than a specified amount of stored data.
Device scans automatically attempt to disinfect files detected as infected or to move them to quarantine if disinfection is not possible.
Important
some devices such as CDs/DVDs are read-only. No action can be taken on infected files contained on such storage support.
Note
During a device scan, the user can access any data from the device.
If alert pop-ups are enabled in the General > Notifications section, the user is prompted whether or not to scan the detected device instead of the scan starting automatically.
When a device scan is started:
A notification pop-up informs the user about the device scan, provided that notification pop-ups are enabled in the General > Notifications section.
Once the scan is completed, the user must check detected threats, if any.
Select Device Scanning option to enable the automatic detection and scanning of storage devices. To configure device scanning individually for each type of device, use the following options:
CD/DVD media
USB storage devices
Do not scan devices with stored data more than (MB). Use this option to automatically skip scanning of a detected device if the amount of stored data exceeds the specified size. Type the size limit (in megabytes) in the corresponding field. Zero means that no size restriction is imposed.
HyperDetect
HyperDetect adds an extra layer of security over the existing scanning technologies (On-Access, On-Demand and Traffic Scan), to fight against the new generation of cyber-attacks, including advanced persistent threats. HyperDetect enhances the Antimalware and Content Control protection modules with its powerful heuristics based on artificial intelligence and machine learning.
Note
This module is available for:
Windows for workstations (modern versions)
Windows for servers (modern versions)
Linux
With its ability to predict targeted attacks and detect most sophisticated malware in the pre-execution stage, HyperDetect exposes threats much faster than the signature-based or behavioral scanning technologies.
To configure HyperDetect:
Use the HyperDetect check box to turn the module on or off.
Select which type of threats you want to protect your network from. By default, protection is enabled for all types of threats: targeted attacks, suspicious files and network traffic, exploits, ransomware, or grayware.
Note
The heuristics for network traffic require Content Control > Traffic Scan to be enabled.
Customize the protection level against threats of the selected types.
Use the master switch at the top of the threats list to choose a unique level of protection for all types of threats, or select individual levels to fine tune protection.
Setting the module at a certain level will result in actions being taken up to that level. For example, if set to Normal, the module detects and contains threats that trigger the Permissive and Normal thresholds, but not the Aggressive one.
Protection increases from Permissive to Aggressive.
Keep in mind that an aggressive detection may conduct to false positives, while a permissive one can expose your network to some threats. It is recommended to first set protection level to the maximum and then lower it in case of many false positives, until you achieve the optimal balance.
Note
Whenever you enable protection for a type of threats, detection is automatically set to the default value (Normal level).
Under the Actions section, configure how HyperDetect should react to detections. Use the drop-down menu options to set the action to be taken on threats:
For files: deny access, disinfect, delete, quarantine, or just report the file.
For network traffic: block or just report the suspicious traffic.
Select the check box Extend reporting on higher levels next to the drop-down menu, if you want to view the threats detected at higher protection levels than the one set.
If you are uncertain of the current configuration, you can easily restore the initial settings by clicking the Reset to default button at the lower side of the page.
Settings
In this section you can configure the quarantine settings and the scan exclusion rules.
Quarantine
You can configure the following options for the quarantined files from the target endpoints:
Delete files older than (days) - By default, quarantined files older than 30 days are automatically deleted. If you want to change this interval, choose a different option from the menu.
Submit quarantined files to Bitdefender Labs every (hours) - By default, quarantined files are automatically sent to Bitdefender Labs every hour.
You can edit the time interval between quarantined files are being sent (one hour by default). The sample files will be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.
Rescan quarantine after security content updates - Keep this option selected to automatically scan locally quarantined files after each security content update. Cleaned files are automatically moved back to their original location.
Copy files to quarantine before applying the disinfect action - Select this option to prevent data loss in case of false positives and copy each file detected as infected to quarantine before applying the disinfect action. You can afterwards restore legitimate files from the Quarantine page.
Allow users to take actions on local quarantine - This option is controlling the actions that endpoint users can take on local quarantined files via the Bitdefender Endpoint Security Tools interface.
By default, local users can restore or delete quarantined files from their computer using the options available in Bitdefender Endpoint Security Tools.
By disabling this option, users will not have access anymore to the quarantined files action buttons from the Bitdefender Endpoint Security Tools interface.
Note
Availability and functioning of this feature may differ depending on the license included in your current plan.
Exclusions
Bitdefender security agent can exclude from scanning certain object types. Antimalware exclusions are to be used in special circumstances, or following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this web article.
In this section, you can configure the use of different types of exclusions available with the Bitdefender security agent.
You can define In-policy exclusions for in-house developed applications or customized tools, according to your specific needs. In-policy exclusions are available only to the policy where the have been defined.
You can add one or multiple lists of exclusions to the policy from the Configuration Profiles section. The same exclusion lists are available to multiple policies through options in the Configuration Profiles section.
You can customize the list of enabled recommended vendor and product exclusions.
In-policy exclusions
In-policy antimalware exclusions apply to one or more of the following scanning methods:
On-access scanning
On-execute scanning
On-demand scanning
Advanced Threat Control (ATC/IDS)
Ransomware Mitigation
Important
If you have an EICAR test file that you use periodically to test antimalware protection, you should exclude it from on-access scanning.
If using VMware Horizon View 7 and App Volumes AppStacks, refer to this VMware document.
To exclude specific items from scanning, select the In-policy exclusions option and then add the rules into the table underneath.
To add an exclusion rule:
Select the exclusion type from the menu:
File: only the specified file.
Folder: all files and processes inside the specified folder and from all of its subfolders.
Extension: all items having the specified extension.
Process: any object accessed by the excluded process.
File Hash: the file with the specified hash. GravityZone supports the SHA-256 hash algorithm.
Note
Adding File Hash type exclusions could result in high CPU usage due to the checksum calculations performed.
Certificate Hash: all the applications under the specified certificate hash (thumbprint).
Threat Name: any item having the detection name (not available for Linux operating systems).
Command Line: the specified command line (available only for Windows operating systems).
Warning
In agentless VMware environments integrated with NSX, you can exclude only folders and extensions.
Provide the details specific to the selected exclusion type:
File, Folder or Process
Enter the path to the item to be excluded from scanning. You have several helpful options to write the path:
Declare the path explicitly:
For example:
C:\tempTo add exclusions for UNC paths, use any of the following syntaxes:
\\hostName\shareName\filePath\\IPaddress\shareName\filePathNote
To accommodate Linux requirements, GravityZone supports up to 4096 characters when defining paths. To apply this limit on Windows, make sure MAX_PATH is set to support this value on the target machines. Learn more in Microsoft documentation.
Use the system variables available in the drop-down menu:
For process exclusions, you must also add the name of the application's executable file.
For example:
%ProgramFiles%- excludes the Program Files folder%WINDIR%\system32– excludes folder system32 within Windows folder%SystemDrive%- excludes the drive where the Windows folder was placed, usually driveC:Note
It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
Use wildcards:
The asterisk (*) substitutes for zero or more characters excepting path delimiters. Double asterisk (**) substitutes for zero or more characters including path delimiters. The question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.
For example:
C:\Test\*.*– excludes all files from Test folderC:\Test\*.png– excludes all PNG files, from the Test folderC:\Test\*- excludes all folders and subfolders from Test**\file.txt- excludes all folders and subfolders that containfile.txt**\my_folder\*\file.txt- excludes all the folders on all levels abovemy_folderand all subfolders on a single level undermy_folderthat containfile.txt**\application*.exe- excludes all the files that have the nameapplicationand variations of this name followed by one or more characters, regardless where the files are located.C:\Program Files\WindowsApps\Microsoft.Not??.exe– excludes the Microsoft Notes processes.
Note
Double asterisk can lead to undesired exclusions when misused, therefore we recommend caution.
Double asterisk is not available on macOS.
Process exclusions do not support wildcards on Linux operating systems.
Extension
Enter one or more file extensions to be excluded from scanning, separating them with a semicolon ";". You can enter extensions with or without the preceding dot. For example, enter txt to exclude text files.
Note
On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example,
file.txtis different fromfile.TXT.File hash, Certificate hash, Threat name, or Command line
Enter the file hash, certificate thumbprint (hash), the exact name of the threat or the command line depending on the exclusion rule. You can use one item per exclusion.
Select the scanning methods to which the rule applies. Some exclusions may be relevant for just one of the scanning modules (On-access scanning, On-demand scanning, ATC/IDS, Ransomware Mitigation), while others may be recommended for all of the modules.
Optionally, click the Show remarks button to add a note in the Remarks column about the rule.
Click the
Add button.The new rule will be added to the policy.
To remove a rule from the policy, click the corresponding Delete button.
Important
On-demand scanning exclusions do NOT apply to contextual scanning. Contextual scanning is initiated by right-clicking a file or folder and selecting Scan with Bitdefender Endpoint Security Tools.
You can reuse the exclusion rules in more policies by importing them.
To import custom exclusions:
Click Import. The Import Policy Exclusions window opens.
Click Add and then select the CSV file.
Click Save.
The table is populated with the valid rules.
Note
If the CSV file contains invalid rules, a warning informs you of the corresponding row numbers.
Each row in the CSV file corresponds to a single rule, having the fields in the following order:
<exclusion type>, <object to be excluded>, <modules>
These are the available values for the CSV fields:
Exclusion type:
1, for file exclusions2, for folder exclusions3, for extension exclusions4, for process exclusions5, for file hash exclusions6, for certificate hash exclusions7, for threat name exclusions8, for command line exclusionsObject to be excluded:
A path or a file extension
Modules:
1, for on-demand scanning2, for on-access scanning3, for all modules4, for ATC/IDS6, for Ransomware Mitigation
For example, a CSV file containing antimalware exclusions may look like this:
1,"d:\\temp",1 2,%WinDir%,3 4,"%WINDIR%\\system32",4
Note
The Windows paths must have the backslash (\) character doubled. For example, %WinDir%\\System32\\LogFiles.
Vendor and product exclusions
Vendor and product exclusions refer to all recommended exclusions included in Bitdefender security agent. This option is enabled by default.
Caution
You can choose to disable vendor and product exclusions, if you want to scan all types of objects, but this option will considerably impact the machine performance and will increase the scan time.
With the vendor and product exclusions option enabled:
If you disable the Custom button, all the recommended vendor and product exclusions are added by default to the policy.
If you enable the Custom button, from the drop-down menu you can select which vendor and product exclusions to apply to the policy.
Adding exclusion lists from configuration profiles to policy
To add exclusion lists from configuration profiles to the policy:
From the drop-down menu, select the lists you want to add to the policy.
Each list selected from the drop-down will populate the grid area, where you can see how many endpoints will be impacted by the added exclusion list.
After assessing which lists to include, click Save to complete the process.
Note
For more details on how to create and manage exclusion lists, refer to Configuration profiles .
Overriding exclusions
You can run scan tasks with another set of exclusions than the general ones in the Antimalware > Settings policy section. These exclusions apply only to on-demand scanning.
Open the custom scan task configuration window:
For instant scan tasks (runs once)
Go to the Network page.
Select the target endpoints.
Click the Tasks button in the Action Toolbar and select Scan.
In the General tab, select Custom scan.
For scheduled scan tasks
Go to the Policies page.
Open the policy template assigned to your target endpoint.
Go to the Antimalware > On-demand section.
Click Add, and then select Custom. If you already have a task created, select the task from the list.
Configure the other available settings. For details, refer to Managing Network Objects > Computers > Running Tasks > Scan section of the GravityZone Administrator's Guide.
In the Target tab > Exclusions section, choose the option Define custom exclusions for this scan.
Add the exclusion rules. For more info, refer to In-policy exclusions.
Click Save to add the exclusion rule.
Click Save once more to save the policy.
Adding process exclusions for Mac
As GravityZone administrator, you can configure process exclusions for Mac in the Antimalware and Network Protection sections of the security policy.
In macOS, the entities listed in the Applications folder are in fact containers that include all binary files, libraries, and dependencies for those apps.
Therefore, when adding antimalware exclusions, you must enter the entire path to the executable file from the application’s container. When adding exclusions in Network Protection, you only need to enter the name of the executable file.
To browse one container and obtain the name of the executable file, right-click that container and select Show Package Contents.
Usually, the path to the executable file is /Application.app/Contents/MacOS/binary, where Application.app is the name of the container and binary is the name of the executable file.
For example, the complete path for the Calendar application in macOS is /Applications/Calendar.app/Contents/MacOS/Calendar
Note
Some applications have different names for the executable files. For example, Visual Studio Code has the executable file with the name Electron. Therefore, the complete path is /Applications/Visual Studio Code.app/Contents/MacOS/Electron.
To exclude a process from scanning for malware in the Antimalware section of the policy settings, follow these steps:
Log in to GravityZone Control Center.
Go to the Policies page.
Create or edit a custom policy.
Go to Antimalware and click Settings.
Select the Custom Exclusions check box.
From the menu, select Process as exclusion type.
Enter the complete path to the executable file of the application. For example, the complete path for the Time Machine application is
/Applications/Time Machine.app/Contents/MacOS/Time Machine.Select the scanning modules to which the rule applies:
On-Access
ATC/IDS
Ransomware Mitigation
All the above modules
Optionally, click Show remarks to add a note about this exclusion in the Remarks field.
Click the
Add button.Click Save.
To remove a rule from the list, click the corresponding Delete button.
To exclude a process from traffic scanning in the Network Protection section of the policy settings, follow these steps:
Log in to GravityZone Control Center.
Go to the Policies page.
Create or edit a custom policy.
Go to Network Protection > General and select the Global Exclusions check box.
From the menu, select Application as exclusion type.
Enter the name of the executable file of the application to be excluded.
For example, enter
calendarto exclude the Calendar application,firefoxto exclude the Mozilla Firefox browser, orelectronto exclude the Visual Studio Code application.Use wildcards to specify any applications matching a certain name pattern.
For example:
c*.exematches all applications starting with "c" (chrome.exe).??????.exematches all applications with a name that contains six characters (chrome.exe, safari.exe, etc.).[^c]*.exematches all application except for those starting with "c".[^ci]*.exematches all application except for those starting with "c" or "i".
Note
You do not need to enter a path and the executable file does not have an extension.
Optionally, add a note about the exclusion in the Remarks field.
Click the
Add button.Click Save.
To remove a rule from the list, click the corresponding
Delete button.
Configure Faronics Deep Freeze to work with Bitdefender Endpoint Security Tools
This section explains how to configure Faronics Deep Freeze Enterprise to allow installation of Bitdefender Endpoint Security Tools.
Faronics Deep Freeze helps eliminate computer damage and downtime by making computer configurations indestructible. Once Deep Freeze is installed on a computer, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—inevitable configuration drift, accidental system misconfiguration, malicious software activity, and incidental system degradation.
Having Faronics Deep Freeze Enterprise installed on a computer will cause the signature updates installed by BEST to be deleted at every system reboot.
This section is meant to help you understand how to configure Faronics Deep Freeze Enterprise to work along with BEST without blocking:
Signatures updates after a system reboot
Policy assignment from Control Center
BEST product updates
You have two options to install BEST: manually or using a script.
Install Faronics Deep Freeze Enterprise version 8 or higher on a server in your network.
Use the Deep Freeze Configuration Administrator utility to configure a password and a new partition (for instance, T:\) with minimum of 1.5 GB capacity as thawspace. The thawspace includes the files that will be kept after a system is rebooted with Deep Freeze active.
In Deep Freeze Configuration Administrator utility tool, go to File > Create Workstation Install Program and create an installation package for the systems protected by Deep Freeze.
Install the newly created package on the target machine.
Open Deep Freeze Enterprise and select the Boot Thawed check box in Boot Control tab. This option will disable Deep Freeze on the next reboot, allowing you to install Faronics Data Igloo and BEST.
Reboot the target machine.
Install Faronics Data Igloo.
Open the regedit utility on the target machine and create the registry key
HKEY_LOCAL_MACHINE\Software\Bitdefender.Using Faronics Data Igloo, change the target of the
HKEY_LOCAL_MACHINE\Software\Bitdefenderkey to a folder located on the T:\ partition.On the partition containing the operating system, create the following folders:
%ProgramFiles%\Bitdefender\Endpoint Security\Signatures%ProgramFiles%\Bitdefender\Endpoint Security\ThreatScanner%ProgramFiles%\Bitdefender\Endpoint Security\settings%ProgramFiles%\Bitdefender\Endpoint Security\epagng
Using the Folder Redirection tab from Faronics Data Igloo, redirect these three folders to a folder from T:\ partition.
Install BEST on the target machine.
Install Faronics Deep Freeze Enterprise version 8 or higher on a server in your network.
Use the Deep Freeze Configuration Administrator utility to configure a password and a new partition (for instance, T:\) with minimum of 1.5 GB capacity as thawspace. The thawspace includes the files that will be kept after a system is rebooted with Deep Freeze active.
In Deep Freeze Configuration Administrator utility tool, go to File > Create Workstation Install Program and create an installation package for the systems protected by Deep Freeze.
Install the newly created package on the target machine. The machine will automatically reboot.
Open Deep Freeze Enterprise and select the Boot Thawed check box in Boot Control tab. This option will disable Deep Freeze on the next reboot, allowing you to install Faronics Data Igloo and BEST.
Reboot the target machine.
Install Faronics Data Igloo.
Download the Bitdefender redirection script from here.
Extract the VBS script file from the archive and run it.
Note
On operating systems with User Account Control enabled, launch Command Prompt (cmd.exe) as Administrator and run the script from the command line.
Install BEST on the target machine.
Important
During this process, the target system will reboot two times.
To successfully run a BEST product update:
Switch the target machine to Boot Thawed mode. Deep Freeze will require a reboot in order to boot into Boot Thawed mode.
Run the Update task from the Control Center. Additionally, you can run the update from the local console.
Note
In some situations, BEST may require a reboot of the target machine.
Log in to Control Center to confirm the product update has been installed successfully by generating an Update Status report.
Switch the target machine to Boot Frozen mode. Deep Freeze will require a reboot in order to boot into Boot Frozen mode.
Security Servers
In this section you can assign Security Servers to endpoints in your environment, to streamline the distribution of scanning tasks, and customize Security Server specific settings.
Note
Availability and functioning of this feature may differ depending on the license included in your current plan.
Security Server assignment
You can assign one or several Security Servers to the target endpoints, and set the priority with which endpoints will elect a Security Server to send scanning requests.
Note
It is recommended to use Security Servers for scanning virtual machines or computers with low resources.
To assign a Security Server to the target endpoints, add the Security Servers you want to use, in the Security Server Assignment table, as follows:
Click the Security Server drop-down list and then select a Security Server.
If the Security Server is in DMZ or behind a NAT server, enter the FQDN or IP of the NAT server in the Custom Server Name/IP field.
Important
Make sure that port forwarding is correctly configured on the NAT server so that the traffic from endpoints can reach the Security Server. For details regarding ports, refer to GravityZone (cloud) communication ports.
Click the
Add button in the Actions column.The Security Server is added to the list.
Repeat the previous steps to add other Security Servers, if available or needed.
To set the priority of the Security Servers:
Use the up and down arrows available in the Actions column to increase or decrease each Security Server's priority.
When assigning more Security Servers, the one on top of the list has the highest priority and will be selected first.
If this Security Server is unavailable or overloaded, the next Security Server is selected.
Scan traffic is redirected to the first Security Server that is available and has a convenient load.
To remove a Security Server from the list, click the corresponding Delete button in the Actions column.
Note
The antimalware and security server policies for Bitdefender must be updated by removing the reference to any deleted security servers.
Failing to update the policy could result in configuration issues and potential security vulnerabilities.
You can also assign Security Servers when you create or edit an installation package. For more information, refer to the Security server assignment step in Install security agents - standard procedure.
Security Server Load Balancing
You can customize how scanning tasks are being distributed among available Security Servers by choosing one of these Security Server operating modes:
Redundancy mode - choose this mode to send scanning requests to the first available Security Server.
Equal distribution mode - choose this mode to distribute the scanning load equally between Security Servers.
Communication between Security Servers and endpoints
Enable the Use an SSL encrypted connection option if you want to encrypt the connection between the target endpoints and the specified Security Server appliances.
By default, GravityZone uses self-signed security certificates. You can change them with your own certificates in the Configuration > Certificates page of Control Center.
Communication between Security Servers and GravityZone
Choose one of the available options to define your proxy preferences for the communication between the selected Security Server machines and GravityZone:
Keep installation settings - to use the same proxy settings defined with the installation package.
Use proxy defined in the General section - to use the proxy settings defined in the current policy, under General > Settings section.
Do not use proxy - when the target endpoints do not communicate with the specific Bitdefender components via proxy.
Security Server Configuration
Running multiple on-demand scan tasks on virtual machines sharing the same datastore can create antimalware scanning storms. To prevent this and to allow only a certain number of scan tasks to run at the same time:
Select the Limit the number of concurrent on-demand scans option.
Select the level of allowed concurrent scan tasks from the drop-down menu. You can choose a predefined level or enter a custom value.
The formula to find the maximum limit of scan tasks for each predefined level is:
N = a x MAX(b ; vCPUs - 1), where:N= maximum limit of scan tasksa= multiplying coefficient, having the following values:1- for Low;2- for Medium;4- for HighMAX(b;vCPU-1)= a function that returns the maximum number of scan slots available on the Security Server.b= the default number of on-demand scan slots, which currently is set to four.vCPUs= number of virtual CPUs assigned to the Security Server
For example:
For a Security Server with 12 CPUs and a High level of concurrent scans, we have a limit of:
N = 4 x MAX(4 ; 12-1) = 4 x 11 = 44concurrent on-demand scan tasks.
Enable affinity rules for Security Server Multi-Platform
Choose which behavior the Security Server should have when its host enters in maintenance mode:
If enabled, the Security Server remains tied to the host and GravityZone shuts it down. When maintenance is over, GravityZone automatically restarts the Security Server.
This is the default behavior.
If disabled, the Security Server is moved to another host and continues to run. In this case, the Security Server name changes in Control Center to point the former host. The name change persists until the Security Server is moved back to its native host.
If the resources are sufficient, the Security Server can land on a host where another Security Server is installed.