Antimalware
The Antimalware protection layer is based on security content scanning and heuristic analysis (B-HAVE, ATC) against: viruses, worms, Trojans, spyware, adware, keyloggers, rootkits and other types of malicious software.
Bitdefender's antimalware scanning technology relies on the following technologies:
First, a traditional scanning method is employed where scanned content is matched against the security content database. The security content database contains byte patterns specific to known threats and is regularly updated by Bitdefender. This scanning method is effective against confirmed threats that have been researched and documented. However, no matter how promptly the security content database is updated, there is always a vulnerability window between the time when a new threat is discovered and when a fix is released.
Against brand-new, undocumented threats, a second layer of protection is provided by B-HAVE, Bitdefender's heuristic engine. Heuristic algorithms detect malware based on behavioral characteristics. B-HAVE runs suspicious files in a virtual environment to test their impact on the system and ensure they pose no threat. If a threat is detected, the program is prevented from running.
Scanning engines
BitdefenderGravityZone is able to automatically set the scanning engines when creating security agent packages, according to the endpoint's configuration.
The administrator can also customize the scan engines, being able to choose between several scanning technologies:
Local Scan, when the scanning is performed on the local endpoint. The local scanning mode is suited for powerful machines, having security content stored locally.
Hybrid Scan with Light Engines (Public Cloud), with a medium footprint, using in-the-cloud scanning and, partially, the local security content. This scanning mode brings the benefit of better resources consumption, while involving off-premise scanning.
Central Scan in Public or Private Cloud, with a small footprint requiring a Security Server for scanning. In this case, no security content set is stored locally, and the scanning is offloaded on the Security Server.
Note
There is a minimum set of engines stored locally, needed to unpack the compressed files.
Central Scan (Public or Private Cloud scanning with Security Server) with fallback* on Local Scan (Full Engines)
Central Scan (Public or Private Cloud scanning with Security Server) with fallback* on Hybrid Scan (Public Cloud with Light Engines)
* When using a dual engines scanning, if the first engine is unavailable, the fallback engine will be used. Resource consumption and network utilization will depend on the used engines.
Components
Antimalware uses the following components:
GravityZone Control Center
Security agent (Bitdefender Endpoint Security Tools installed on Windows, Linux, & Mac endpoints)
Security Server Multi-Platform
Install and configure Antimalware
To start using this feature, follow the steps below:
Note
The Antimalware module is included by default in all installation packages. If you already have the BEST agent installed on your endpoints, no further deployment is required.
Log in to GravityZone Control Center.
Go to the Installation Packages page from the left side menu.
Click the Create button in the upper right side of the screen.
Type in the Name and Description for the new installation package.
Select the modules you want to deploy.
Note
Make sure you include the Antimalware module.
Click Save.
Select the newly created package from the list of packages and click Send download links.
Enter the email addresses of the recipients and click Send.
Policies are used to enable and configure features both on endpoints and in terms of general functionality.
GravityZone comes with a default set of policy settings, that are custom tailored to meet the most common customer needs. These policies are applied, by default, to endpoints, after the BEST agent is installed. You cannot modify or delete the default GravityZone policy.
You can use these default policy settings and leave the configuration of the policy for a later date, or customize the feature using the steps below:
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu.
You can either:
Under Antimalware > On-access, configure the settings.
Move to the On-demand page, and configure the settings.
Go to the Settings page, and configure the settings.
Go to the Security servers page, and configure the settings.
Save your policy.
If you created a new policy, apply it on the endpoints where the feature is deployed:
Go to the Network page from the left side menu.
Select the endpoints you want to apply the policy to.
Click the
Assign Policy button at the upper side of the table.Select the policy you want to apply.
Click Finish.
Note
For more information, refer to Assigning device policies
If you have edited an existing policy, make sure it is applied to all endpoints where the feature is deployed.
This will ensure that the feature is enabled and configured to best suit your company's needs.
Test out the Antimalware feature
The protection is divided in these categories:
On-access scanning: prevents new malware threats from entering the system.
On-demand scanning: allows detecting and removing malware already residing in the system.
The Antimalware module behaves differently depending on how the security agent installed on endpoints is set up to run:
Detection and prevention mode: This operation mode sets the Antimalware module to detect and block threats. When it detects a virus or other malware, the Bitdefender security agent will automatically attempt to remove the malware code from the infected file and reconstruct the original file. This operation is referred to as disinfection.
Files that cannot be disinfected are moved to quarantine in order to isolate the infection. When a virus is in quarantine, it cannot do any harm because it cannot be executed or read.
Advanced users can configure scan exclusions if they do not want specific files or file types to be scanned.
EDR (Report only) mode: This operation mode exclusively enables On-execute scanning, set to only report threats, and not blocking them.
This mode of operation is available for users that want to install a lightweight EDR solution in their environments, that can run alongside other prevention solutions. For blocking capabilities, you are required to add a full product license.
Contact your sales representative or visit the Bitdefender website for more information.