
Troubleshooting

Using the Bdsyslog scanning tool

This section explains how to use the Bdsyslog tool to submit suspicious files for malware analysis.

If your computer appears to be infected but Bitdefender does not detect any malware, please follow the steps below. Be sure to provide us with the following information, so that we can fully understand the cause and provide you with a quick solution:

Note

  • Forensic information as well as all suspected files are sent to our Bitdefender Cloud Services. In addition, the forensic information is also added in the local archive file. If you do not have a network connection, all information is added in the local archive file.

  • This information will be used for malware analysis only and will be treated accordingly.

  1. Download the BDSysLog tool on the computer with issues.

  2. Run the BDSysLog_i.exe file.

  3. Click the Create log button to generate the log.

    A progress bar indicates the status. When complete, a prompt informs you that the log was saved as bdsyslog.zip on the Desktop of the computer.

  4. Take a screenshot displaying the malware or the effects of the malware (if applicable).

  5. Update the security agent.

  6. Run a Full scan task and save the scan log.

  7. Create an archive with the logs and the screenshot.

  8. Go to the Help & Support page of Control Center and submit a Support ticket.

  9. Fill in the requested information. Describe the suspicious behavior that led you to believe that your computer is infected.

  10. If the previously created archive is smaller than 10 MB, click the Upload button and attach it. Otherwise, mention that the logs exceed the upload size limit; you will receive a link that you can use to upload your files.

  11. Click Submit. A Bitdefender Support Engineer will contact you shortly.

Bitdefender detects legitimate applications as a threat

This section explains what to do when Bitdefender reports a legitimate file as being infected (false positive).

Bitdefender strives to reduce false-positive reports to a minimum. However, these reports are commonly due to bad programming practices (e.g. applications that change the Master Boot Record, add run registry entries, change system files without the user’s confirmation or execute custom macros in office applications, etc.).

When an application is wrongfully detected, try adding exclusions as explained in In-policy exclusions.

Should the exclusions fail, you need to send us the detected file(s) as described below:

Note

These files are used only for malware analysis and are treated accordingly.

  1. Disable Bitdefender real-time protection and/or any other security software you are using.

  2. Locate the file(s) on your drive.

  3. Add the detected file(s) to a ZIP file using file compression software of your choice (WinZip, WinRAR, etc.).

  4. Password-protect the ZIP file with the password infected.

  5. Complete the Enterprise Support Online Form and provide us with the following:

    • The ZIP file (upload via “Attach a file” field)

    • The message body must contain the words FALSE POSITIVE.

  6. Click the Submit button.

  7. Enable the Bitdefender real-time protection and/or any other security software you might use.

Bitdefender does not detect malware

Some files may not be detected by Bitdefender even if they are malicious. This is called a false negative and usually occurs when the malware uses new (unexplored) techniques.

In order to promptly resolve this issue, we kindly ask that you send us the malware file(s) as described below:

Note

These files will be used for malware analysis only and will be treated accordingly.

  1. Locate the file(s) on your drive.

  2. Add the malware file(s) to a zip file using file compression software of your choice (WinZip, WinRAR, etc.).

    Note

    If you cannot access the file, you will need to temporarily disable the Bitdefender On-access antivirus protection and/or any other security software that might be in use.

  3. Password protect the zip file with the password "infected".

  4. Complete the CUSTOMER CARE ONLINE FORM and provide us with the following:

    • The zip file (upload via “Attach a file” field)

    • The words “FALSE NEGATIVE” typed in the message body

  5. Click the SUBMIT button.

  6. Enable the Bitdefender real-time protection and/or any other security software you might use if you had to disable them during step 2.

Note

False negative reports are corrected as soon as possible once we receive the samples.

If you suspect that your computer is infected but Bitdefender does not detect any threats, please read this article.
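
The two submission procedures above (false positive and false negative) both end with a ZIP archive protected by the password "infected". The following script is an added example, not Bitdefender's own tooling, that builds such an archive together with a SHA-256 manifest, so the ticket can state exactly which files were sent, and then re-extracts it to confirm the upload candidate is intact. It assumes a POSIX shell with the Info-ZIP zip/unzip utilities and GNU sha256sum; the archive path and the sample files are passed as arguments.

```shell
#!/bin/sh
# Added example, not Bitdefender's own tooling: package sample files for a
# support submission the way the false-positive and false-negative procedures
# above describe (ZIP archive, password "infected"), plus a SHA-256 manifest so
# the ticket can state exactly which files were sent. Assumes POSIX sh with the
# Info-ZIP `zip`/`unzip` utilities and GNU `sha256sum`; all paths are arguments.

# Write one "hash  basename" line per file. Names are stored without their
# directories because the archive is built with `zip -j` below, so the same
# manifest can be checked with `sha256sum -c` after extraction.
sample_manifest() {
    for f in "$@"; do
        ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" ) || return 1
    done
}

# Create <out>.zip holding the samples and their manifest. The password
# "infected" is the one the submission forms expect; it keeps the archive from
# being unpacked and scanned along the way, it is not meant to be secret.
package_samples() {
    out=$1; shift
    [ $# -gt 0 ] || { echo "usage: package_samples out.zip file..." >&2; return 1; }
    manifest="${out%.zip}.manifest.txt"
    sample_manifest "$@" > "$manifest" || return 1
    # -q quiet, -j junk directory names, -P non-interactive password
    zip -q -j -P infected "$out" "$@" "$manifest"
}

# Extract the archive into a scratch directory and re-check every hash, so a
# failed or truncated archive can be spotted before the ticket is opened.
verify_package() {
    dir=$(mktemp -d) || return 1
    unzip -q -o -P infected "$1" -d "$dir" || return 1
    ( cd "$dir" && sha256sum -c --quiet ./*.manifest.txt )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Typical use is `package_samples /tmp/samples.zip /path/to/suspect1 /path/to/suspect2` followed by `verify_package /tmp/samples.zip`; the generated samples.manifest.txt is also a convenient thing to paste into the ticket body next to the words FALSE POSITIVE or FALSE NEGATIVE.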

Making SELinux compatible with On-Access scanning in BEST Linux

Issue

Security-Enhanced Linux (SELinux) is a kernel feature that provides a mechanism for supporting access control security policies. When the SELinux policies are set to Enforcing, this mechanism interferes with the Antimalware module in specific situations:

  • when using BEST for Linux v7 with CentOS 6 and where DazukoFS is present.

  • when using auditd to support EDR.

  • when deploying Bitdefender Security for Container on virtual machines.

Solution

To overcome this issue, you need to change the SELinux policies to Permissive or Disabled (recommended). This is how you make SELinux compatible with On-Access Scanning:

  1. Check the status of SELinux on the endpoint, by running the following command:

    sudo sestatus

    If the SELinux Current mode is set to Enforcing, you need to change it to Permissive or Disabled (recommended).

  2. To change the SELinux policy status:

    1. Edit the configuration file with the text editor of your choice (such as vim or nano)

    2. On Red Hat based systems (RHEL, CentOS, Fedora, SuSE), the configuration file is /etc/sysconfig/selinux.

    3. On Ubuntu / Debian based systems, the configuration file is /etc/selinux/config.

      Note

      If you cannot find the SELinux configuration file on your system, please consult the documentation of your Linux distribution.

      Example:

      # nano /etc/sysconfig/selinux

    4. Edit the line starting with SELINUX= as follows:

      • For Permissive mode:

        SELINUX=permissive

      • For Disabled mode:

        SELINUX=disabled

    5. Save the file.

      If you use nano to edit the configuration, to save the file and exit, use the following sequence: Ctrl+O, Enter, Ctrl+X.

    6. Reboot the endpoint.

    7. After reboot, check the SELinux status by running the command again:

      sudo sestatus

      The output should be permissive or disabled.

    8. Check the Antimalware module status with the following command:

      # /opt/bitdefender-security-tools/bin/bduitool get ps | grep Antimalware

      The Antimalware module status should be On (active).

      If the Antimalware module is Off although SELinux is properly configured, refer to On-access scanning in Bitdefender Endpoint Security Tools for Linux for troubleshooting Bitdefender Endpoint Security Tools for Linux.
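
The check-and-edit steps above, as an added example written for this page rather than code from Bitdefender: three shell functions that read the configured mode from the config file, read the running mode from sestatus output, and rewrite the SELINUX= line while leaving SELINUXTYPE= and comments untouched. It assumes a POSIX shell with awk and sed; the config file path is a parameter because it is /etc/sysconfig/selinux on Red Hat-style systems and /etc/selinux/config on Debian/Ubuntu, as the steps note.

```shell
#!/bin/sh
# Added example, not Bitdefender's own code: the check-and-edit steps above as
# reusable shell functions, so the SELinux mode can be read and changed
# consistently across many endpoints. Assumes POSIX sh with awk and sed; the
# config file path is passed in, because it is /etc/sysconfig/selinux on
# Red Hat-style systems and /etc/selinux/config on Debian/Ubuntu.

# Print the mode configured in a config file (enforcing, permissive or
# disabled). Commented-out lines are ignored; only the first live SELINUX= counts.
selinux_config_mode() {
    awk -F= '/^[[:space:]]*SELINUX[[:space:]]*=/ {
        gsub(/[[:space:]]/, "", $2); print tolower($2); exit
    }' "$1"
}

# Print the running mode from `sestatus` output supplied on stdin
# ("Current mode: enforcing" line), so it can be tested on captured text.
# Prints nothing when SELinux is disabled, since sestatus then has no such line.
sestatus_current_mode() {
    awk -F: '/^Current mode:/ { gsub(/[[:space:]]/, "", $2); print tolower($2); exit }'
}

# Rewrite the SELINUX= line to the requested mode, keeping every other line
# (SELINUXTYPE= and comments) intact and leaving a .bak copy beside the file.
# Only the three valid values are accepted so a typo cannot be written out.
selinux_set_mode() {
    file=$1
    mode=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$mode" in
        enforcing|permissive|disabled) ;;
        *) echo "selinux_set_mode: invalid mode '$2'" >&2; return 1 ;;
    esac
    grep -q '^[[:space:]]*SELINUX[[:space:]]*=' "$file" || {
        echo "selinux_set_mode: no SELINUX= line in $file" >&2; return 1
    }
    cp "$file" "$file.bak" || return 1
    tmp="$file.tmp.$$"
    sed "s/^[[:space:]]*SELINUX[[:space:]]*=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file"
}

# Live check mirroring step 1: report the running mode and whether a change
# (followed by a reboot) is still needed. Not exercised by the tests.
selinux_needs_change() {
    current=$(sestatus 2>/dev/null | sestatus_current_mode)
    case "$current" in
        enforcing) echo "SELinux is enforcing: set SELINUX= to permissive or disabled and reboot"; return 1 ;;
        permissive|disabled) echo "SELinux is $current: no change needed"; return 0 ;;
        *) echo "sestatus reports no current mode (SELinux disabled or not installed)"; return 0 ;;
    esac
}
```

A change written with selinux_set_mode only takes effect after the reboot in step 6, which is why selinux_needs_change reads sestatus rather than the file. Permissive mode keeps logging AVC denials to the audit log, which is useful if you want to see what SELinux would have blocked before deciding on Disabled.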

Submitting sample files and websites for analysis

In this section you will learn how to submit sample files and websites for analysis, using the online submission form.

Issue

You may notice false positives or false negatives while using Bitdefender Endpoint Security Tools. A false positive occurs when a Bitdefender module detects a legitimate file or website as infected, whereas a false negative occurs when a Bitdefender module fails to detect an infection.

Solution

To rule out any potential false positive or false negative, use the online submission form to send a sample file or a website for analysis. To submit a sample file or website for analysis, using the online submission form:

  1. Go to Automatic sample submission uploader.

  2. Complete the submission form with your contact details and sample information.

  3. Click Submit.

    Note

    Samples provided through the online submission form are automatically archived and protected with the following password: infected.

This will open an email ticket that will be forwarded to the Antimalware Laboratory. The Antimalware Laboratory will provide you with an answer after analysis.

On-access scanning in Bitdefender Endpoint Security Tools for Linux

This section describes how to troubleshoot On-access scanning on Bitdefender Endpoint Security Tools for Linux.

Issue

In some situations, On-access scanning from Bitdefender Endpoint Security Tools may not properly work on the Linux endpoint. There are two main possible causes:

  • On-access scanning is disabled from the policy settings regarding the Antimalware module.

  • On-access scanning is incompatible with certain security policies applied on that endpoint. This usually happens because of missing dependencies on the endpoint operating system.

Solution

To find out why On-Access scanning is not working, you have to verify:

  1. The status of the Antimalware module

  2. The conditions required by Bitdefender Endpoint Security Tools for Linux

The status of the Antimalware module

To verify that On-access scanning of the Antimalware module is enabled on the security agent, run the following command:

sudo /opt/BitDefender/bin/bduitool get ps

Command output

Product version: 6.2.20.63
Last succeeded update: 2018-05-07 at 19:05:28
New product update available: no
Signatures version: 7.75906
New signatures update available: yes
Installed scan type: Full
Installed scan type fallback: None
Currently used scan type: Full
Features:- 
Antimalware status: Off

In this output, the Antimalware module status is Off. This refers only to the On-access scanning feature of the Antimalware module.

The On-demand scanning feature of the Antimalware module is always enabled.

Conditions required by Bitdefender Endpoint Security Tools for Linux

To make sure that the Antimalware module is working properly, check the following conditions:

  • The endpoint has a security policy active that does not disable On-access scanning. Also, check in the GravityZone console that On-access scanning for Linux option is enabled in the policy and has target paths defined in the list.

  • The endpoint is correctly communicating with the GravityZone console or with the assigned relay endpoint.

  • The endpoint is licensed correctly. Go to the Network page, in GravityZone Control Center, and make sure that the endpoint does not have Pending or Expired status under Protection Layers section.

  • The endpoint can successfully connect to its allocated Security Server through ports 7081 and 7083, if the Scan Type is set to Remote. This information is displayed by running the bduitool get ps command.

    If Remote scan is used, no fallback engine is configured, and the endpoint cannot communicate with the Security Server, the Antimalware module will not work at all. For example, run the following command:

    sudo /opt/BitDefender/bin/bduitool get ps

    In this case, the output will look like this:

    Product version: 6.2.20.87
    Last succeeded update: 2018-10-31 at 16:48:55
    New product update available: no
    Signatures version: 7.77462
    New signatures update available: yes
    Installed scan type: Remote
    Installed scan type fallback: None
    Currently used scan type: None
    Features:- 
    Antimalware status: Off

  • The security agent is using a newer kernel than 2.6.37 and the Fanotify feature is active in the kernel. To learn how to configure Fanotify in Debian 8, refer to Bitdefender Endpoint Security Tools compatibility with Debian 8.

  • SELinux is disabled or set to Permissive on the endpoint. If SELinux is active with Enforcing setting, On-access scanning will not function correctly. For details about managing SELinux on systems running BEST, refer to Making SELinux compatible with On-Access scanning in BEST Linux.

  • For endpoints using kernels with version 2.6.36 or below, the DazukoFS kernel module is installed and loaded for supported kernel versions. To check if the DazukoFS module is loaded, run the following command:

    lsmod | grep dazuko

If all the above conditions are met, but the Antimalware module is still disabled, contact the Bitdefender Business Support Team.
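
The checklist above, as an added preflight script that is not Bitdefender's own code: it parses `bduitool get ps` output into fields, turns the Off cases described above (including the Remote-with-no-fallback case) into a diagnosis, decides from the kernel release whether the fanotify or DazukoFS path applies, and checks lsmod output for the DazukoFS module. Each probe takes its input as text so the logic can be exercised on the captured output shown on this page; preflight_live() feeds in the real system. It assumes a POSIX shell with awk, that bduitool lives at one of the two paths shown on this page, and, since the page names only "newer than 2.6.37" and "2.6.36 or below", treats release 2.6.37 itself as fanotify-capable.

```shell
#!/bin/sh
# Added example, not Bitdefender's own code: the checklist above turned into a
# read-only preflight script. Each probe takes its input as text (bduitool
# output, a kernel release string, lsmod output) so the logic can be exercised
# on captured samples; preflight_live() feeds in the real system. Assumes POSIX
# sh with awk, and that bduitool lives at one of the two paths shown on this page.

# Print the value of one "Key: value" line from `bduitool get ps` output on stdin.
bduitool_field() {
    awk -F': ' -v key="$1" '$1 == key { sub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# Explain an Antimalware status from a bduitool report on stdin: "ok", or the
# most likely reason it is Off, following the cases described above.
antimalware_diagnosis() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | bduitool_field 'Antimalware status')
    installed=$(printf '%s\n' "$report" | bduitool_field 'Installed scan type')
    fallback=$(printf '%s\n' "$report" | bduitool_field 'Installed scan type fallback')
    used=$(printf '%s\n' "$report" | bduitool_field 'Currently used scan type')
    case "$status" in
        On*) echo ok ;;
        *)
            if [ "$installed" = Remote ] && [ "$fallback" = None ] && [ "$used" = None ]; then
                echo "remote scan with no fallback engine and no engine in use: check connectivity to the Security Server on ports 7081 and 7083"
            else
                echo "on-access scanning off: check the policy, licensing, console connectivity and the kernel prerequisites"
            fi ;;
    esac
}

# Return 0 when the kernel release (as printed by `uname -r`) is 2.6.37 or
# newer, i.e. the fanotify path; 1 for the older kernels that need DazukoFS.
# Treating 2.6.37 itself as fanotify-capable is an assumption (see lead-in).
kernel_has_fanotify() {
    printf '%s\n' "$1" | awk -F'[.-]' '{
        v = ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
        if (v >= 2006037) exit 0
        exit 1
    }'
}

# Name the on-access backend a given kernel release needs.
onaccess_backend() {
    if kernel_has_fanotify "$1"; then echo fanotify; else echo dazukofs; fi
}

# Return 0 if lsmod output on stdin lists a dazuko module (same test as
# `lsmod | grep dazuko` above, but anchored to the module-name column).
dazuko_loaded() {
    awk '$1 ~ /^dazuko/ { found = 1 } END { if (found) exit 0; exit 1 }'
}

# Live run against this endpoint; bduitool needs root, hence sudo as on the page.
preflight_live() {
    release=$(uname -r)
    backend=$(onaccess_backend "$release")
    echo "kernel $release: expected backend $backend"
    if [ "$backend" = dazukofs ]; then
        if lsmod | dazuko_loaded; then echo "dazukofs module: loaded"; else echo "dazukofs module: NOT loaded"; fi
    fi
    for tool in /opt/BitDefender/bin/bduitool /opt/bitdefender-security-tools/bin/bduitool; do
        if [ -x "$tool" ]; then
            echo "antimalware: $(sudo "$tool" get ps | antimalware_diagnosis)"
            return 0
        fi
    done
    echo "bduitool not found at either known path"
    return 1
}

# Run the live check only when asked (./preflight.sh live), so sourcing the
# file for its functions has no side effects.
if [ "${1:-}" = live ]; then preflight_live; fi
```

The script deliberately stops short of the policy, licensing and SELinux checks, which are console-side or covered by the SELinux section above; its value is in giving a consistent, scriptable reading of the endpoint-side conditions before a ticket is opened with Business Support.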

Addressing Google Drive issues with Bitdefender Endpoint Security Tools on Windows and macOS

The interaction between Bitdefender Endpoint Security Tools (BEST) and Google Drive may result in performance issues on endpoints during scheduled scans. To avoid these issues, you need to add exclusions or make certain configurations in GravityZone Control Center.

This article discusses several scenarios and the possible solutions on Windows and macOS endpoints.

BEST for Windows and Google Drive

On Windows, you may encounter different scenarios while using Google Drive.

Scenario 1. BEST scans the G: drive every time a full scan runs on endpoint

Issue

Bitdefender Endpoint Security Tools (BEST) scans the same files, multiple times, over the internet. This action results in downloading files offline and consuming disk space.

Solution

To exclude the G: drive from scanning, you must add a folder exclusion with the following details:

  • Path: G:\

  • Modules: On-demand

The On-access module still provides full protection for that location.

When adding the exclusion, pay attention to Google virtual drive naming behavior:

  • If drive letter G: is available, Google Drive uses it to map the virtual drive

  • If G: is not available (already in use), Google Drive uses the first available drive letter.

If Google Drive uses a different drive letter, make sure you also add that letter as an exclusion.

To learn how Google Drive assigns mount letters to the virtual drive, refer to this article from Google.

Scenario 2. BEST scans the local Google Drive cache

Issue

Scanning the cache makes the files keep resyncing or being downloaded for offline use, which takes up space on the endpoint.

Solution

Create folder and process exclusions as described below.

Folder exclusion

  • Path: %LOCALAPPDATA%\Google\DriveFS

  • Modules: On-demand, On-access, ATC/IDS

Process exclusion

  • The path from your system configuration for GoogleDriveFS.exe

  • Modules: On-access, ATC/IDS

Scenario 3. BEST scans the Google Drive drive every time the application is started and the drive is mounted

Issue

This action causes resource consumption and it happens because the Device Scanning option is active in the policy (for details, refer to Antimalware On-Demand).


Possible solutions

  • Disable the Device Scanning option in the policy. As long as On-access scanning is functional on the endpoint, this action does not affect security.

  • Disable USB storage devices scan in Device Scanning. As long as On-access scanning is functional on the endpoint, this action does not affect security.

  • Set a size limit for the Do not scan devices with stored data more than (MB) option (for example, 100 MB).

  • Enable the Display alert pop-ups option in the General > Notifications settings of the policy. This action allows the user to choose whether to scan the attached drive or not.


Scenario 4. I want to block Google Drive when using the Device Control module

Issue

Google Drive causes resource consumption when having the Device Control module active on endpoint. This happens because GravityZone matches the Google virtual drive to the External Storage > Other category.

Solution

To block Google Drive, you can choose one of these options:

  • Block the entire External Storage category. To do this, open the External Storage category and, for Permission, select Blocked.

  • Block only the Other category in External Storage. Follow these steps:

    1. Open the External Storage category.

    2. For Permission, select Custom.

    3. Under Custom Permissions, go to Other and select Blocked.

BEST for Mac and Google Drive

On macOS, Bitdefender Endpoint Security Tools (BEST) is constantly scanning the local Google Drive cache and mount point.

This behavior makes the files keep resyncing or getting downloaded offline, which takes space on the endpoint. In addition, the endpoint may experience high CPU usage due to constant scanning activity.

To avoid these issues, configure folder and process exclusions as follows:

Folder exclusions

  • Path: /Volumes/GoogleDrive/

  • Modules: On-demand, On-Access, ATC/IDS

  • Path: ~/Library/Application Support/Google/DriveFS/

  • Modules: On-demand, On-Access, ATC/IDS

Process exclusion

Path: /Applications/Google Drive File Stream.app/Contents/MacOS/Google Drive File Stream

Modules: On-Access, ATC/IDS

The On-access scanning module will still offer full protection for the location.

Using exclusions in GravityZone

To add exclusions in GravityZone Control Center, go to the Policies page, open a policy and use the options in the Antimalware > Settings section. You can configure in-policy exclusions (only applicable to that policy) or assign an exclusion list from configuration profiles (applicable to multiple policies).

For details on how exclusions work in policies, refer to Exclusions.

For details on adding exclusions in configuration profiles, refer to Configuration profiles.

For details on process exclusions for macOS, refer to Adding process exclusions for Mac.