CLOUD SOLUTIONS

Configuration

On-access

In this section you can configure the antimalware protection components.


Important

This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode.

On-access scanning

On-access scanning prevents new malware threats from entering the system by scanning local and network files when they are accessed (opened, moved, copied or executed), as well as boot sectors and potentially unwanted applications (PUA).

Note

This feature has certain limitations on Linux-based systems. For details, see the GravityZone requirements.

To configure on-access scanning:

  1. Use the check box to turn on-access scanning on or off.

    Warning

    If you turn off on-access scanning, endpoints will be vulnerable to malware.

  2. For a quick configuration, select the security level that best suits your needs (Aggressive, Normal or Permissive).

    Use the description on the right side of the scale to guide your choice.

  3. You can configure the scan settings in detail by selecting the Custom protection level and clicking the Settings link.

    This will display the On-access scanning settings window, containing several options organized under the General and Advanced tabs.

    The Advanced tab addresses the on-access scanning for Linux machines. Use the checkbox to turn it on or off.

    In the table below, you can configure the Linux directories you want to scan. By default, there are five entries, each one corresponding to a specific location on endpoints: /home, /bin, /sbin, /usr, /etc.

    To add more entries:

    • Type a custom location path in the search field at the top of the table.

    • Select predefined directories from the list displayed when you click the arrow at the right end of the search field.

    Click the Add button to save a location to the table and the Delete button to remove it.

General tab options:

  • File location - Use these options to specify which types of files you want to be scanned. Scanning preferences can be configured separately for local files (stored on the local endpoint) or network files (stored on network shares).

    • If antimalware protection is installed on all computers in the network, you may disable the network files scan to allow faster network access.

      You can set the security agent to scan all accessed files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.

    • Scanning all accessed files provides the best protection, while scanning applications only can increase the system's performance.

      Note

      Application files are considerably more vulnerable to malware attacks than other types of files. For more information, refer to Application File Types.

    • If you want only specific extensions to be scanned, choose User defined extensions from the menu and then enter the extensions in the edit field, pressing Enter after each extension.

      Note

      On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example, file.txt is different from file.TXT.

    • For system performance reasons, you can also exclude large files from scanning.

      Select the Maximum size (MB) check box and specify the size limit of the files to be scanned. Use this option wisely, because malware can affect larger files too.

  • Scan - Select the corresponding check boxes to enable the desired scan options:

    • Only new or changed files

      By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.

    • Boot sectors

      Scans the system’s boot sector.

      This sector of the hard disk contains the necessary code to start the boot process.

      When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.

    • For keyloggers

      Keyloggers record what you type on your keyboard and send reports over the Internet to a malicious person (hacker).

      The hacker can find out sensitive information from the stolen data, such as bank account numbers and passwords, and use it to gain personal benefits.

    • For Potentially Unwanted Applications (PUA)

      A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down the PC performance.

    • Archives

      Select this option if you want to enable on-access scanning of archived files. Scanning inside archives is a slow and resource-intensive process, which is therefore not recommended for real-time protection. Archives containing infected files are not an immediate threat to system security. The malware can affect the system only if the infected file is extracted from the archive and executed without having on-access scanning enabled.

      If you decide on using this option, you can configure the following optimization options:

      • Archive maximum size (MB)

        You can set a maximum accepted size limit of archives to be scanned on-access.

        Select the corresponding check box and type the maximum archive size (in MB).

      • Archive maximum depth (levels)

        Select the corresponding check box and choose the maximum archive depth from the menu.

        For best performance choose the lowest value, for maximum protection choose the highest value.

    • Deferred scanning

      Deferred scanning improves system performance when performing file access operations. For example, system resources are not affected when large files are copied. This option is enabled by default.

  • Scan actions - Depending on the type of detected file, the following actions are taken automatically:

    • Default action for infected files

      Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

      Bitdefender security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.

      By default, if an infected file is detected, Bitdefender security agent will automatically attempt to disinfect it.

      If disinfection fails, the file is moved to quarantine to contain the infection.

      You can change this recommended flow according to your needs.

      Important

      For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.

    • Default action for suspect files

      Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.

      These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

      Suspect files cannot be disinfected, because no disinfection routine is available.

      When a suspect file is detected, users will be denied access to that file to prevent a potential infection.

    Though not recommended, you can change the default actions. You can define two actions for each type of file. The following actions are available:

    • Deny access

      Deny access to detected files.

      Important

      For Mac endpoints, the Move to quarantine action is taken instead of Deny access.

    • Disinfect

      Remove the malware code from infected files. It is recommended to always keep this as the first action to be taken on infected files.

    • Delete

      Delete detected files from the disk, without any warning. It is advisable to avoid using this action.

    • Move to quarantine

      Move detected files from their current location to the quarantine folder. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantined files from the Quarantine page of the console.

    • Take no action

      Only report the infected files detected by Bitdefender.

Ransomware vaccine

Ransomware vaccine immunizes your machines against known ransomware by blocking the encryption process even if the computer is infected. Use the check box to turn Ransomware vaccine on or off.

The Ransomware vaccine feature is deactivated by default. Bitdefender Labs analyze the behavior of widespread ransomware, and new signatures are delivered with each security content update, to address the latest threats.

Warning

To further increase protection against ransomware infections, be cautious about unsolicited or suspicious attachments and make sure security content is updated.

Note

Ransomware vaccine is available only if machines are protected by Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).

Compiling the DazukoFS module for an unsupported kernel version

DazukoFS enables Bitdefender Tools to perform on-access scanning on Linux. For information on enabling on-access scanning and specifying the directories to be scanned, refer to the Administrator's Guide.

This section describes how to compile the DazukoFS module shipped with Bitdefender Tools for an unsupported kernel version.

Security for Virtualized Environments (SVE) is the first comprehensive security solution for virtualized datacenters. The solution protects virtualized Windows, Linux, and Solaris systems, both servers and desktops. While integrated with VMware vShield, the unique architecture of the solution allows it to be leveraged when using any system virtualization offering.

Introduction

The Linux version of Bitdefender Tools includes an on-access scanning module that, for specific Linux distributions and kernel versions, requires the DazukoFS loadable kernel module. DazukoFS is a stackable file system that enables third-party applications to control file access on Linux systems.

The Bitdefender Tools installation package includes and automatically installs DazukoFS. The DazukoFS package shipped with Bitdefender Tools is compiled for the kernel versions listed in the table below. To use on-access scanning on supported Linux distributions with lower kernel versions, you must compile the DazukoFS package for the corresponding kernel.

Linux Distribution              Kernel version
Debian 5.0, 6.0                 2.6.18 - 2.6.37
Ubuntu 10.04 LTS
CentOS 6.x
Red Hat Enterprise Linux 6.x

DazukoFS limitations

For DazukoFS and the on-access scanning module to work together, a series of conditions must be met. Check whether any of the statements below apply to your Linux system and follow the guidelines to avoid issues.

  • DazukoFS supports kernels up to version 2.6.37.

  • The SELinux policy must be either disabled or set to permissive. To check and adjust the SELinux policy setting, edit the /etc/selinux/config file.

  • Bitdefender Tools is exclusively compatible with the DazukoFS version included in the installation package. If DazukoFS is already installed on the system, remove it prior to installing Bitdefender Tools.

  • If the DazukoFS package shipped with Bitdefender Tools is not compatible with the system's kernel version, the module will fail to load. In such a case, you can either update the kernel to a supported version or recompile the DazukoFS module for your kernel version. You can find the latest DazukoFS package here.

  • When sharing files using dedicated servers such as NFS, UNFSv3 or Samba, you have to start the services in the following order:

    1. Enable on-access scanning from Control Center. For more information, refer to On-Access policy settings.

    2. Start the network sharing service.

      For NFS:

      # service nfs start

      For UNFSv3:

      # service unfs3 start

      For Samba:

      # service smbd start

      Important

      For the NFS service, DazukoFS is compatible only with NFS User Server.

Compiling and loading DazukoFS for other kernel versions

After installing Bitdefender Tools, follow the steps below to compile DazukoFS for the system's kernel version and then load the module.

  1. Download the proper kernel headers.

    • On Ubuntu systems, run this command:

      # sudo apt-get install linux-headers-`uname -r`

    • On RHEL/CentOS systems, run this command:

      # sudo yum install kernel-devel kernel-headers-`uname -r`

  2. On Ubuntu systems, you need build-essential:

    # sudo apt-get install build-essential

  3. Copy and extract the DazukoFS source code in a preferred directory:

    # mkdir temp
    # cd temp
    # cp /opt/BitDefender/share/src/dazukofs-source.tar.gz .
    # tar -xzvf dazukofs-source.tar.gz
    # cd dazukofs-3.1.4

  4. Compile the module:

    # make

  5. Install and load the module:

    # make dazukofs_install
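The limitations list and the compile steps above, as an added example that is not Bitdefender's own tooling: a POSIX shell script (hypothetical name dazukofs-build.sh) that checks the documented preconditions (kernel at or below 2.6.37, SELinux disabled or permissive, no DazukoFS module already loaded, source archive present) and then runs the documented header install, extract, make and make dazukofs_install steps. It assumes the source archive path and dazukofs-3.1.4 directory from the steps above, and only builds when invoked with the `build` argument.

```shell
#!/bin/sh
# Added example (not Bitdefender tooling): preflight checks for the DazukoFS
# limitations listed above, followed by the documented build and load steps.
# Assumes the source archive path and the dazukofs-3.1.4 directory from the
# steps above. Usage:  sh dazukofs-build.sh check   |   sh dazukofs-build.sh build
set -eu

DAZUKOFS_MAX_KERNEL="2.6.37"   # DazukoFS supports kernels up to this version
DAZUKOFS_SRC="/opt/BitDefender/share/src/dazukofs-source.tar.gz"
DAZUKOFS_DIR="dazukofs-3.1.4"

# version_le A B: return 0 if kernel version A is at most B. Distribution
# suffixes such as "-431.el6.x86_64" are ignored and only the first three
# dotted components are compared numerically.
version_le() {
    a=$(printf '%s' "${1%%-*}" | tr '.' ' ')
    b=$(printf '%s' "${2%%-*}" | tr '.' ' ')
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -le "$b3" ]
}

# selinux_mode [FILE]: print the SELINUX= value (enforcing, permissive or
# disabled) from an /etc/selinux/config style file. A missing file means
# SELinux is not configured, reported as "disabled". The file holds the
# boot-time mode; `getenforce` shows the mode currently in effect.
selinux_mode() {
    f="${1:-/etc/selinux/config}"
    if [ ! -r "$f" ]; then
        echo disabled
        return 0
    fi
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$f" \
           | tail -n 1 | tr 'A-Z' 'a-z')
    echo "${mode:-disabled}"
}

# preflight: verify the documented conditions; report the first unmet one.
preflight() {
    k=$(uname -r)
    if ! version_le "$k" "$DAZUKOFS_MAX_KERNEL"; then
        echo "kernel $k is newer than $DAZUKOFS_MAX_KERNEL; DazukoFS cannot be built for it" >&2
        return 1
    fi
    m=$(selinux_mode /etc/selinux/config)
    case "$m" in
        disabled|permissive) ;;
        *) echo "SELinux mode is '$m'; set SELINUX=permissive or disabled in /etc/selinux/config" >&2
           return 1 ;;
    esac
    # Only the DazukoFS shipped with Bitdefender Tools is supported; an
    # already installed module must be removed first.
    if lsmod 2>/dev/null | grep -q '^dazukofs'; then
        echo "a dazukofs module is already loaded; remove the existing DazukoFS first" >&2
        return 1
    fi
    [ -r "$DAZUKOFS_SRC" ] || { echo "$DAZUKOFS_SRC not found; install Bitdefender Tools first" >&2; return 1; }
}

# install_build_deps: steps 1 and 2 above, chosen by the package manager present.
install_build_deps() {
    if command -v apt-get >/dev/null 2>&1; then          # Ubuntu
        sudo apt-get install -y build-essential "linux-headers-$(uname -r)"
    elif command -v yum >/dev/null 2>&1; then            # RHEL / CentOS
        sudo yum install -y kernel-devel "kernel-headers-$(uname -r)"
    else
        echo "neither apt-get nor yum found; install the kernel headers manually" >&2
        return 1
    fi
}

# build_and_load: steps 3 to 5 above, in a fresh temporary directory.
build_and_load() {
    work=$(mktemp -d)
    cp "$DAZUKOFS_SRC" "$work/"
    cd "$work"
    tar -xzf "$(basename "$DAZUKOFS_SRC")"
    cd "$DAZUKOFS_DIR"
    make
    sudo make dazukofs_install
    # Next: enable on-access scanning from Control Center, and only then
    # start NFS/UNFSv3/Samba, in the order the limitations list requires.
}

case "${1:-}" in
    check) preflight && echo "preflight OK" ;;
    build) preflight; install_build_deps; build_and_load ;;
esac
```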

On-execute

In this section you can configure protection against malicious processes at the time they are executed. It covers the protection layers described below.


Note

The range of actions you can take may vary depending on the license included in your current plan.

Cloud-based threat detection

Cloud-based threat detection technology identifies advanced threats by running cloud-based machine learning algorithms, while ensuring on-the-fly updates. This technology improves the efficiency of your environment by lowering the required local disk footprint and resource consumption.

Important

This cloud scanning technology is used only when the security agent installed on endpoints is set to operate in EDR (Report only) mode.

This technology comprises two major components:

  • The Content Extractor - It extracts metadata from your environment and sends it to the cloud for processing.

  • The Threat Detector - It receives metadata packs from the Content Extractor, analyzes the information using state-of-the-art machine learning and heuristic algorithms, and based on the results it generates a detection.

    This component does not need to directly access files, buffers, memory, or operating system files. It requires a small disk footprint and can be updated on-the-fly.

Use the check box to turn Cloud-based threat detection on or off.

Advanced Threat Control

Bitdefender Advanced Threat Control is a proactive detection technology which uses advanced heuristic methods to detect new potential threats in real time.

Note

This module is available for:

  • Windows for workstations (modern and legacy versions)

  • Windows for servers (modern and legacy versions)

  • macOS starting with OS X El Capitan (10.11)

Advanced Threat Control continuously monitors the applications running on the endpoint, looking for malware-like actions. Each of these actions is scored and an overall score is computed for each process. When the overall score for a process reaches a given threshold, the process is considered to be harmful. Advanced Threat Control will automatically try to disinfect the detected file. If the disinfection routine fails, Advanced Threat Control will delete the file.

Note

Before applying the disinfect action, a copy of the file is sent to quarantine so that you can restore the file later, in the case of a false positive. This action can be configured using the Copy files to quarantine before applying the disinfect action option available in the Antimalware > Settings tab of the policy settings. This option is enabled by default in the policy templates.

To configure Advanced Threat Control:

  1. Use the check box to turn Advanced Threat Control on or off.

    Warning

    If you turn off Advanced Threat Control, computers will be vulnerable to unknown malware.

  2. The default action for infected applications detected by Advanced Threat Control is disinfect. You can set another default action, using the available menu:

    • Block - to deny access to the infected application.

    • Take no action - to only report the infected applications detected by Bitdefender.

  3. Click the security level that best suits your needs (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice.

    As you set the protection level higher, Advanced Threat Control will require fewer signs of malware-like behavior to report a process. This will lead to a higher number of applications being reported and, at the same time, to an increased likelihood of false positives (clean applications detected as malicious).

    Note

    It is highly recommended to create exclusion rules for commonly used or known applications to prevent false positives (incorrect detection of legitimate applications).

    Go to the Antimalware > Settings tab and configure the ATC/IDS process exclusion rules for trusted applications.

Fileless Attack Protection

Fileless Attack Protection is set by default to detect and block fileless malware at pre-execution. This includes terminating PowerShell instances running malicious command lines, blocking malicious traffic, analyzing the memory buffer prior to code injection and blocking the code injection process.

Note

This module is available for:

  • Windows for workstations (modern versions)

  • Windows for servers (modern versions)

Ransomware Mitigation

Ransomware Mitigation uses detection and remediation technologies to keep your data safe from ransomware attacks. Whether the ransomware is known or new, GravityZone detects abnormal encryption attempts and blocks the process. Afterwards, it recovers the files from backup copies to their original location.

Important

Ransomware Mitigation requires Active Threat Control and On-access Scanning, available when the security agent installed on endpoints is set to run in Detection and prevention mode.

Note

This module is available for:

  • Windows for workstations

  • Windows for servers

To configure Ransomware Mitigation:

  1. Select the Ransomware Mitigation check box under the Antimalware > On-Execute policy section to enable the feature.

  2. Select the monitoring modes you want to use:

    • Locally - GravityZone monitors the processes and detects ransomware attacks initiated locally on the endpoint. It is recommended for workstations. Use with caution on servers due to performance impact.

    • Remote - GravityZone monitors access to network share paths and detects ransomware attacks that are initiated from another machine. Use this option if the endpoint is a file server or has network shares enabled.

  3. Select the recovery method:

    • On-demand - You manually choose the attacks from which to recover the files. You can do this from the Reports > Ransomware Activity page at any time of your convenience, but no later than 30 days from the attack. After this time, recovery will no longer be possible.

    • Automatic - GravityZone automatically recovers the files right after a ransomware detection.

    For the recovery to be successful, endpoints need to be available.

Once enabled, you have multiple options to check if your network is under a ransomware attack:

  • Check notifications and look for Ransomware Detection.

    For more information on this notification, refer to Notification Types.

  • Check the Security Audit report.

  • Check the Ransomware Activity page.

    Inside this page you can also launch recovery tasks, if needed. For more information, refer to Ransomware Reports.

If a detection turns out to be a legitimate encryption process, if you have certain paths where file encryption is allowed, or if you allow remote access from certain machines, add exclusions in the Antimalware > Custom Exclusions policy section. Ransomware Mitigation allows exclusions by folder, process, and IP/mask.

On-demand

In this section, you can add and configure antimalware scan tasks that will run regularly on the target computers, according to the defined schedule.


Important

This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode.

The scanning is performed silently in the background, regardless of whether a user is logged in to the system or not.

Though not mandatory, it is recommended to schedule a comprehensive system scan to run weekly on all endpoints. Scanning endpoints regularly is a proactive security measure that can help detect and block malware that might evade real-time protection features.

Besides regular scans, you can also configure the automatic detection and scanning of external storage media.

Managing scan tasks

The Scan Tasks table informs you of the existing scan tasks, providing important information on each of them:

  • Task name and type.

  • Schedule based on which the task runs regularly (recurrence).

  • Time when the task was first run.

You can add and configure the following types of scan tasks:

  • Quick Scan uses in-the-cloud scanning to detect malware running in the system. Running a Quick Scan usually takes less than a minute and uses a fraction of the system resources needed by a regular virus scan.

    When malware or rootkits are found, Bitdefender automatically proceeds with disinfection. If, for any reason, the file cannot be disinfected, then it is moved to quarantine. This type of scanning ignores suspicious files.

    The Quick Scan is a default scan task with preconfigured options that cannot be changed. You can add only one quick scan task for the same policy.

  • Full Scan checks the entire endpoint for all types of malware threatening its security, such as viruses, spyware, adware, rootkits and others.

    Bitdefender automatically tries to disinfect files detected with malware. In case malware cannot be removed, it is contained in quarantine, where it cannot do any harm. Suspicious files are ignored. If you want to take action on suspicious files as well, or if you want other default actions for infected files, then choose to run a Custom Scan.

    The Full Scan is a default scan task with preconfigured options that cannot be changed. You can add only one full scan task for the same policy.

  • Custom Scan allows you to choose the specific locations to be scanned and to configure the scan options.

  • Network Scan is a type of custom scan, which allows assigning one single managed endpoint to scan network drives, then configuring the scan options and the specific locations to be scanned. For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.

    The recurrent network scan task will be sent only to the selected scanner endpoint. If the selected endpoint is unavailable, the local scanning settings will apply.

    Note

    You can create network scan tasks only within a policy that is already applied to an endpoint which can be used as a scanner.

Besides the default scan tasks (which you cannot delete or duplicate), you can create as many custom and network scan tasks as you want.

To create and configure a new custom or network scan task, click the Add button at the right side of the table.

To change the settings of an existing scan task, click the name of that task.

To remove a task from the list, select the task and click the Delete button at the right side of the table.

Configuring scan tasks

The scan task settings are organized under three tabs:

  • General - set task name and execution schedule.

  • Options - choose a scan profile for quick configuration of the scan settings and define scan settings for a custom scan.

  • Target - select the files and folders to be scanned and define scan exclusions.

Options are described hereinafter from the first tab to the last:

  • Details

    Choose a descriptive name for the task so that its purpose is easy to identify. When choosing a name, consider the scan task target and possibly the scan settings.

    By default, scan tasks run with decreased priority. This way, Bitdefender allows other programs to run faster, but increases the time needed for the scan process to finish. Use the Run the task with low priority check box to disable or re-enable this feature.

    Note

    This option applies only to Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).

    Select the Shut down computer when scan is finished check box to turn off your machine if you do not intend to use it for a while.

    Note

    This option applies to Bitdefender Endpoint Security Tools, Endpoint Security (legacy agent) and Endpoint Security for Mac.

  • Scheduler

    Use the scheduling options to configure the scan schedule.

    You can set the scan to run every few hours, days or weeks, starting with a specified date and time.

    Endpoints must be powered-on when the schedule is due. A scheduled scan will not run when due if the machine is turned off, hibernating or in sleep mode. In such situations, the scan will be postponed until next time.

    Note

    The scheduled scan will run at the target endpoint local time. For example, if the scheduled scan is set to start at 6:00 PM and the endpoint is in a different timezone than Control Center, the scanning will start at 6:00 PM (endpoint time).

    Optionally, you can specify what happens when the scan task could not start at the scheduled time (for example, the endpoint was offline or shut down). Use the option If scheduled run time is missed, run task as soon as possible according to your needs:

    • When you leave the option unchecked, the scan task will attempt to run again at the next scheduled time.

    • When you select the option, you force the scan to run as soon as possible. To fine-tune the best timing for the scan runtime and avoid disturbing the user during the work hours, select Skip if next scheduled scan is due to start in less than, then specify the interval that you want.

  • Scan Options

    Click the security level that best suits your needs (Aggressive, Normal or Permissive).

    Use the description on the right side of the scale to guide your choice.

    Based on the selected profile, the scan options in the Settings section are automatically configured. However, if you want to, you can configure them in detail.

    To do that, select the Custom check box and then go to the Settings section.

  • File Types

    Use these options to specify which types of files you want to be scanned.

    You can set the security agent to scan all files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.

    Scanning all files provides best protection, while scanning applications only can be used to perform a quicker scan.

    Note

    Application files are far more vulnerable to malware attacks than other types of files.

    For more information, refer to Application File Types.

    If you want only specific extensions to be scanned, choose User Defined Extensions from the menu and then enter the extensions in the edit field, pressing Enter after each extension.

  • Archives

    Archives containing infected files are not an immediate threat to system security.

    The malware can affect the system only if the infected file is extracted from the archive and executed without having real-time protection enabled.

    However, it is recommended to use this option in order to detect and remove any potential threat, even if it is not an immediate threat.

    Note

    Scanning archived files increases the overall scanning time and requires more system resources.

    • Scan inside archives

      Select this option if you want to check archived files for malware.

      If you decide on using this option, you can configure the following optimization options:

      • Limit archive size to (MB)

        You can set a maximum accepted size limit of archives to be scanned.

        Select the corresponding check box and type the maximum archive size (in MB).

      • Maximum archive depth (levels)

        Select the corresponding check box and choose the maximum archive depth from the menu.

        For best performance choose the lowest value, for maximum protection choose the highest value.

    • Scan email archives

      Select this option if you want to enable scanning of email message files and email databases, including file formats such as .eml, .msg, .pst, .dbx, .mbx, .tbb and others.

      Note

      Email archive scanning is resource intensive and can impact system performance.

  • Miscellaneous

    Select the corresponding check boxes to enable the desired scan options.

    • Scan boot sectors

      Scans the system’s boot sector.

      This sector of the hard disk contains the necessary code to start the boot process.

      When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.

    • Scan registry

      Select this option to scan registry keys.

      Windows Registry is a database that stores configuration settings and options for the Windows operating system components, as well as for installed applications.

    • Scan for rootkits

      Select this option to scan for rootkits and objects hidden using such software.

    • Scan for keyloggers

      Select this option to scan for keylogger software.

    • Scan network shares

      This option scans mounted network drives.

      For quick scans, this option is deactivated by default. For full scans, it is activated by default. For custom scans, if you set the security level to Aggressive/Normal, the Scan network shares option is automatically enabled. If you set the security level to Permissive, the Scan network shares option is automatically disabled.

    • Scan memory

      Select this option to scan programs running in the system's memory.

    • Scan cookies

      Select this option to scan the cookies stored by browsers on the endpoint.

    • Scan only new and changed files

      By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.

    • Scan for Potentially Unwanted Applications (PUA)

      A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down the PC performance.

    • Resume Scan after Product Update

      Select this option to automatically resume on-demand scan tasks that were interrupted by a product update.

  • Actions

    Depending on the type of detected file, the following actions are taken automatically:

    • Default action for infected files

      Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

      The security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.

      If an infected file is detected, the security agent will automatically attempt to disinfect it.

      If disinfection fails, the file is moved to quarantine in order to contain the infection.

      Important

      For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.

    • Default action for suspect files

      Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.

      These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

      Suspect files cannot be disinfected, because no disinfection routine is available.

      Scan tasks are configured by default to ignore suspect files.

      You may want to change the default action in order to move suspect files to quarantine.

      Quarantined files are sent for analysis to Bitdefender Labs on a regular basis.

      If malware presence is confirmed, a signature is released to allow removing the malware.

    • Default action for rootkits

      Rootkits represent specialized software used to hide files from the operating system.

      Though not malicious in nature, rootkits are often used to hide malware or to conceal the presence of an intruder into the system.

      Detected rootkits and hidden files are ignored by default.

    Though not recommended, you can change the default actions.

    You can specify a second action to be taken if the first one fails and different actions for each category.

    Choose from the corresponding menus the first and the second action to be taken on each type of detected file.

    The following actions are available:

    • Take no action

      No action will be taken on detected files. These files will only appear in the scan log.

    • Disinfect

      Remove the malware code from infected files.

      It is recommended to always keep this as the first action to be taken on infected files.

    • Delete

      Delete detected files from the disk, without any warning.

      It is advisable to avoid using this action.

    • Move to quarantine

      Move detected files from their current location to the quarantine folder.

      Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears.

      You can manage quarantined files from the Quarantine page of the console.

  • Scan Target

    Add to the list all the locations you want to be scanned on the target computers.

    To add a new file or folder to be scanned:

    1. Choose a predefined location from the drop-down menu or enter the Specific paths you want to scan.

    2. Specify the path to the object to be scanned in the edit field.

      • If you have chosen a predefined location, complete the path as needed.

        For example, to scan the entire Program Files folder, it suffices to select the corresponding predefined location from the drop-down menu.

        To scan a specific folder from Program Files, you must complete the path by adding a backslash (\) and the folder name.

      • If you have chosen Specific paths, enter the full path to the object to be scanned.

        It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.

    3. Click the corresponding add_inline.png Add button.

    To edit an existing location, click it.

    To remove a location from the list, move the cursor over it and click the corresponding delete.png Delete button.

  • For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.

  • Exclusions

    You can either use the exclusions defined in the Antimalware > Exclusions section of the current policy, or you can define custom exclusions for the current scan task.

    For more details regarding exclusions, refer to Adding antimalware exclusions.

Device scanning

You can configure the security agent to automatically detect and scan external storage devices when they are connected to the endpoint.

Detected devices fall into one of these categories:

  • CDs/DVDs

  • USB storage devices, such as flash pens and external hard-drives

  • Devices with more than a specified amount of stored data.

Device scans automatically attempt to disinfect files detected as infected or to move them to quarantine if disinfection is not possible.

Important

Some devices, such as CDs/DVDs, are read-only. No action can be taken on infected files contained on such storage media.

Note

During a device scan, the user can access any data from the device.

If alert pop-ups are enabled in the General > Notifications section, the user is prompted whether or not to scan the detected device instead of the scan starting automatically.

When a device scan is started:

  • A notification pop-up informs the user about the device scan, provided that notification pop-ups are enabled in the General > Notifications section.

Once the scan is completed, the user must check detected threats, if any.

Select the Device Scanning option to enable the automatic detection and scanning of storage devices. To configure device scanning individually for each type of device, use the following options:

  • CD/DVD media

  • USB storage devices

  • Do not scan devices with stored data more than (MB). Use this option to automatically skip scanning of a detected device if the amount of stored data exceeds the specified size. Type the size limit (in megabytes) in the corresponding field. Zero means that no size restriction is imposed.

HyperDetect

HyperDetect adds an extra layer of security over the existing scanning technologies (On-Access, On-Demand and Traffic Scan), to fight against the new generation of cyber-attacks, including advanced persistent threats. HyperDetect enhances the Antimalware and Content Control protection modules with its powerful heuristics based on artificial intelligence and machine learning.

Note

This module is available for:

  • Windows for workstations (modern versions)

  • Windows for servers (modern versions)

  • Linux

With its ability to predict targeted attacks and detect most sophisticated malware in the pre-execution stage, HyperDetect exposes threats much faster than the signature-based or behavioral scanning technologies.

To configure HyperDetect:

  1. Use the HyperDetect check box to turn the module on or off.

  2. Select which type of threats you want to protect your network from. By default, protection is enabled for all types of threats: targeted attacks, suspicious files and network traffic, exploits, ransomware, or grayware.

    Note

    The heuristics for network traffic require Content Control > Traffic Scan to be enabled.

  3. Customize the protection level against threats of the selected types.

    Use the master switch at the top of the threats list to choose a unique level of protection for all types of threats, or select individual levels to fine tune protection.

    Setting the module at a certain level will result in actions being taken up to that level. For example, if set to Normal, the module detects and contains threats that trigger the Permissive and Normal thresholds, but not the Aggressive one.

    Protection increases from Permissive to Aggressive.

    Keep in mind that aggressive detection may lead to false positives, while permissive detection can expose your network to some threats. It is recommended to first set the protection level to the maximum and then lower it if many false positives occur, until you achieve the optimal balance.

    Note

    Whenever you enable protection for a type of threats, detection is automatically set to the default value (Normal level).

  4. Under the Actions section, configure how HyperDetect should react to detections. Use the drop-down menu options to set the action to be taken on threats:

    • For files: deny access, disinfect, delete, quarantine, or just report the file.

    • For network traffic: block or just report the suspicious traffic.

  5. Select the check box Extend reporting on higher levels next to the drop-down menu, if you want to view the threats detected at higher protection levels than the one set.

If you are uncertain of the current configuration, you can easily restore the initial settings by clicking the Reset to default button at the lower side of the page.

Settings

In this section you can configure the quarantine settings and the scan exclusion rules.

Quarantine

You can configure the following options for the quarantined files from the target endpoints:

  • Delete files older than (days) - By default, quarantined files older than 30 days are automatically deleted. If you want to change this interval, choose a different option from the menu.

  • Submit quarantined files to Bitdefender Labs every (hours) - By default, quarantined files are automatically sent to Bitdefender Labs every hour.

    You can edit the time interval at which quarantined files are sent (one hour by default). The sample files will be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.

  • Rescan quarantine after security content updates - Keep this option selected to automatically scan quarantined files after each security content update. Cleaned files are automatically moved back to their original location.

  • Copy files to quarantine before applying the disinfect action - Select this option to prevent data loss in case of false positives and copy each file detected as infected to quarantine before applying the disinfect action. You can afterwards restore legitimate files from the Quarantine page.

  • Allow users to take actions on local quarantine - This option controls the actions that endpoint users can take on locally quarantined files via the Bitdefender Endpoint Security Tools interface.

    By default, local users can restore or delete quarantined files from their computer using the options available in Bitdefender Endpoint Security Tools.

    By disabling this option, users will no longer have access to the quarantined files action buttons in the Bitdefender Endpoint Security Tools interface.

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

Exclusions

The Bitdefender security agent can exclude certain object types from scanning. Antimalware exclusions are to be used in special circumstances, or following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this web article.

In this section, you can configure the use of different types of exclusions available with the Bitdefender security agent.

AMSettingsExclusions.png

  1. You can define Custom Exclusions for in-house developed applications or customized tools, according to your specific needs.

  2. You can customize the list of enabled recommended product vendor exclusions.

  3. You can add one or multiple lists of exclusions to the policy.

Custom exclusions

Custom antimalware exclusions apply to one or more of the following scanning methods:

  • On-access scanning

  • On-execute scanning

  • On-demand scanning

  • Advanced Threat Control (ATC/IDS)

  • Ransomware Mitigation

Important

  • If you have an EICAR test file that you use periodically to test antimalware protection, you should exclude it from on-access scanning.

  • If using VMware Horizon View 7 and App Volumes AppStacks, refer to this VMware document.

To exclude specific items from scanning, select the Custom Exclusions option and then add the rules into the table underneath.

policy-eps-2_3-exclusions_2.png

To add a custom exclusion rule:

  1. Select the exclusion type from the menu:

    • File: only the specified file

    • Folder: all files and processes inside the specified folder and from all of its subfolders

    • Extension: all items having the specified extension

    • Process: any object accessed by the excluded process

    • File Hash: the file with the specified hash

    • Certificate Hash: all the applications under the specified certificate hash (thumbprint)

    • Threat Name: any item having the detection name (not available for Linux operating systems)

    • Command Line: the specified command line (available only for Windows operating systems)

    Warning

    In agentless VMware environments integrated with vShield, you can exclude only folders and extensions. By installing Bitdefender Tools on the virtual machines, you can also exclude files and processes.

    During the installation process, when configuring the package, you must select the check box Deploy endpoint with vShield when a VMware environment integrated with vShield is detected.

  2. Provide the details specific to the selected exclusion type:

    File, Folder or Process

    Enter the path to the item to be excluded from scanning. You have several helpful options to write the path:

    • Declare the path explicitly:

      For example: C:\temp

      To add exclusions for UNC paths, use any of the following syntaxes:

      \\hostName\shareName\filePath

      \\IPaddress\shareName\filePath

    • Use the system variables available in the drop-down menu:

      For process exclusions, you must also add the name of the application's executable file.

      For example:

      %ProgramFiles% - excludes the Program Files folder

      %WINDIR%\system32 - excludes the system32 folder within the Windows folder

      Note

      It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.

    • Use wildcards:

      The asterisk (*) substitutes for zero or more characters. The question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.

      For example:

      C:\Test\*.* - excludes all files from the Test folder

      C:\Test\*.png - excludes all PNG files from the Test folder

      C:\Test\* - excludes all folders and subfolders from Test

      C:\Program Files\WindowsApps\Microsoft.Not??.exe - excludes the Microsoft Notes processes.

    Note

    Process exclusions do not support wildcards on Linux operating systems.
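    The following matcher, added here as an illustration and not part of Bitdefender's product or documentation, applies the wildcard rules above (* for zero or more characters, ? for exactly one) to a few constructed Windows paths, including the page's C:\Test and Microsoft.Not??.exe examples. It assumes case-insensitive matching and that * may span subfolders, as the C:\Test\* example implies.

```python
"""Matcher for the wildcard syntax of GravityZone path exclusions.

Added example, not Bitdefender code. Assumptions: Windows path semantics
(case-insensitive) and '*' spanning subfolders. Sample paths are constructed.
"""
import re


def exclusion_to_regex(pattern):
    """Translate an exclusion pattern into an anchored, case-insensitive regex.

    '*' becomes '.*' (zero or more characters), '?' becomes '.' (exactly one),
    everything else is matched literally.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_excluded(path, patterns):
    """True if any pattern matches the whole path."""
    return any(exclusion_to_regex(p).match(path) for p in patterns)


# Constructed sample paths a scan might encounter.
SAMPLE_PATHS = [
    r"C:\Test\report.png",
    r"C:\Test\Sub\notes.txt",
    r"C:\Test\noext",
    r"C:\Program Files\WindowsApps\Microsoft.Notes.exe",
    r"C:\Program Files\WindowsApps\Microsoft.Note.exe",
    r"C:\Other\report.png",
]


def excluded_by(pattern):
    """Return the sample paths that a single pattern would exclude, in order."""
    return [p for p in SAMPLE_PATHS if is_excluded(p, [pattern])]


if __name__ == "__main__":
    for pat in (r"C:\Test\*.*", r"C:\Test\*.png", r"C:\Test\*",
                r"C:\Program Files\WindowsApps\Microsoft.Not??.exe"):
        print(pat, "->", excluded_by(pat))
```

Note that C:\Test\*.* leaves a file with no extension unmatched, while C:\Test\* covers it, and that Microsoft.Not??.exe requires exactly two characters after "Not".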

    Extension

    Enter one or more file extensions to be excluded from scanning, separating them with a semicolon ";". You can enter extensions with or without the preceding dot. For example, enter txt to exclude text files.

    Note

    On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example, file.txt is different from file.TXT.

    File hash, Certificate hash, Threat name, or Command line

    Enter the file hash, certificate thumbprint (hash), the exact name of the threat or the command line depending on the exclusion rule. You can use one item per exclusion.

  3. Select the scanning methods to which the rule applies. Some exclusions may be relevant for just one of the scanning modules (On-access scanning, On-demand scanning, ATC/IDS, Ransomware Mitigation), while others may be recommended for all of the modules.

  4. Optionally, click the Show remarks button to add a note in the Remarks column about the rule.

  5. Click the add_inline.png Add button.

    The new rule will be added to the policy.

To remove a rule from the policy, click the corresponding delete_inline.png Delete button.

Important

On-demand scanning exclusions will NOT apply to contextual scanning. Contextual scanning is initiated by right-clicking a file or folder and selecting Scan with Bitdefender Endpoint Security Tools.

Importing exclusions

You can reuse the exclusion rules in more policies by importing them.

To import custom exclusions:

  1. Click Import. The Import Policy Exclusions window opens.

  2. Click Add and then select the CSV file.

  3. Click Save.

    The table is populated with the valid rules.

    Note

    If the CSV file contains invalid rules, a warning informs you of the corresponding row numbers.

Each row in the CSV file corresponds to a single rule, having the fields in the following order:

<exclusion type>, <object to be excluded>, <modules>

These are the available values for the CSV fields:

  • Exclusion type:

    1, for file exclusions

    2, for folder exclusions

    3, for extension exclusions

    4, for process exclusions

    5, for file hash exclusions

    6, for certificate hash exclusions

    7, for threat name exclusions

    8, for command line exclusions

  • Object to be excluded:

    A path or a file extension

  • Modules:

    1, for on-demand scanning

    2, for on-access scanning

    3, for all modules

    4, for ATC/IDS

    6, for Ransomware Mitigation

For example, a CSV file containing antimalware exclusions may look like this:

1,"d:\\temp",1
1,%WinDir%,3
4,"%WINDIR%\\system32",4

Note

The Windows paths must have the backslash (\) character doubled. For example, %WinDir%\\System32\\LogFiles.
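A pre-import check for the CSV format described above, added here as an example and not part of GravityZone: it applies the documented field rules (exclusion type 1-8, a non-empty object, module code 1/2/3/4/6, doubled backslashes in Windows paths) and reports the 1-based row numbers of invalid rules, in the spirit of the warning the import dialog shows. The function and constant names are this example's own, and the sample CSV is constructed from the page's three rows plus three deliberately bad ones.

```python
"""Validator for the GravityZone exclusion-import CSV format (added example)."""
import csv
import io

# Exclusion type codes documented for the first CSV field.
EXCLUSION_TYPES = {
    1: "file", 2: "folder", 3: "extension", 4: "process",
    5: "file hash", 6: "certificate hash", 7: "threat name", 8: "command line",
}
# Module codes documented for the third CSV field (5 is not a documented value).
MODULE_CODES = {1: "on-demand", 2: "on-access", 3: "all modules",
                4: "ATC/IDS", 6: "Ransomware Mitigation"}
# Path-type exclusions whose Windows paths must use doubled backslashes.
PATH_TYPES = {1, 2, 4}


def has_lone_backslash(value):
    """True if the value contains a backslash that is not part of a '\\\\' pair."""
    return "\\" in value.replace("\\\\", "")


def validate_exclusion_rows(csv_text):
    """Return (valid_rules, errors).

    valid_rules: list of dicts with 'type', 'object' and 'module' names.
    errors: list of (row_number, message), row numbers counted from 1.
    """
    valid, errors = [], []
    reader = csv.reader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line, nothing to import
        if len(row) != 3:
            errors.append((row_no, "expected 3 fields, got %d" % len(row)))
            continue
        type_raw, obj, module_raw = (cell.strip() for cell in row)
        try:
            ex_type, module = int(type_raw), int(module_raw)
        except ValueError:
            errors.append((row_no, "exclusion type and module must be integers"))
            continue
        if ex_type not in EXCLUSION_TYPES:
            errors.append((row_no, "unknown exclusion type %d" % ex_type))
            continue
        if module not in MODULE_CODES:
            errors.append((row_no, "unknown module code %d" % module))
            continue
        if not obj:
            errors.append((row_no, "empty object"))
            continue
        if ex_type in PATH_TYPES and has_lone_backslash(obj):
            errors.append((row_no, "Windows path must have backslashes doubled"))
            continue
        valid.append({"type": EXCLUSION_TYPES[ex_type], "object": obj,
                      "module": MODULE_CODES[module]})
    return valid, errors


# Constructed sample: the page's three example rows followed by three bad rows.
SAMPLE_CSV = (
    '1,"d:\\\\temp",1\n'
    '1,%WinDir%,3\n'
    '4,"%WINDIR%\\\\system32",4\n'
    '2,C:\\Temp\\Logs,1\n'   # row 4: backslashes not doubled
    '9,something,1\n'        # row 5: unknown exclusion type
    '3,txt,5\n'              # row 6: 5 is not a documented module code
)

if __name__ == "__main__":
    rules, problems = validate_exclusion_rows(SAMPLE_CSV)
    for rule in rules:
        print("OK  ", rule)
    for row_no, message in problems:
        print("ROW %d: %s" % (row_no, message))
```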

Recommended product vendor exclusions

The recommended product vendor exclusions are by default enabled and included in Bitdefender security agent.

VendorExclusions.png

Caution

You can choose to disable vendor exclusions, if you want to scan all types of objects, but this option will considerably impact the machine performance and will increase the scan time.

With the recommended product vendor exclusions option enabled:

  • If you disable the Custom button, all the recommended vendor exclusions will be added by default to the policy.

  • If you enable the Custom button, from the drop-down menu you can select which vendor exclusions to apply to the policy.

    customVendorExclusions.png

Adding exclusion lists to policy

To add exclusion lists to the policy:

  1. From the drop-down menu, select the lists you want to add to the policy.

    addListsToPolicy.png

    Each list selected from the drop-down will populate the grid area, where you can see how many endpoints will be impacted by the added exclusion list.

    multipleListsInPolicy.png

  2. After assessing which lists to include, click Save to complete the process.

Note

See Configuring profiles for more details on how to create and manage exclusion lists.

Overriding exclusions

You can run scan tasks with a different set of exclusions from the general ones defined in the Antimalware > Settings policy section. These exclusions apply only to on-demand scanning.

  1. Open the custom scan task configuration window:

    • For instant scan tasks (runs once)

      1. Go to the Network page.

      2. Select the target endpoints.

      3. Click the Tasks button in the Action Toolbar and select Scan.

      4. In the General tab, select Custom scan.

    • For scheduled scan tasks

      1. Go to the Policies page.

      2. Open the policy template assigned to your target endpoint.

      3. Go to the Antimalware > On-demand section.

      4. Click Add, and then select Custom. If you already have a task created, select the task from the list.

  2. Configure the other available settings. For details, refer to Managing Network Objects > Computers > Running Tasks > Scan section of the GravityZone Administrator's Guide.

  3. In the Target tab > Exclusions section, choose the option Define custom exclusions for this scan.

  4. Add the exclusion rules. For more info, refer to Configuring custom exclusions.

  5. Click Save to add the exclusion rule.

  6. Click Save once more to save the policy.

Adding process exclusions for Mac

As GravityZone administrator, you can configure process exclusions for Mac in the Antimalware and Network Protection sections of the security policy.

Overview

In macOS, the entities listed in the Applications folder are in fact containers that include all binary files, libraries, and dependencies for those apps.

Therefore, when adding antimalware exclusions, you must enter the entire path to the executable file from the application’s container. When adding exclusions in Network Protection, you only need to enter the name of the executable file.

To browse one container and obtain the name of the executable file, right-click that container and select Show Package Contents.

69763_1.png

Usually, the path to the executable file is /Application.app/Contents/MacOS/binary, where Application.app is the name of the container and binary is the name of the executable file.

For example, the complete path for the Calendar application in macOS is /Applications/Calendar.app/Contents/MacOS/Calendar.

69763_2.png

Note

Some applications have different names for the executable files. For example, Visual Studio Code has the executable file with the name Electron. Therefore, the complete path is /Applications/Visual Studio Code.app/Contents/MacOS/Electron.
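Rather than browsing each container by hand, the executable name can be read from the bundle's Contents/Info.plist (its CFBundleExecutable key), which is exactly why Visual Studio Code.app resolves to Contents/MacOS/Electron. The script below is an added example, not Bitdefender code; it builds two constructed stand-in bundles under a temporary directory so it runs on any system, and returns both values the policy asks for: the full path for the Antimalware process exclusion and the bare executable name for Network Protection.

```python
"""Resolve the executable path for a macOS process exclusion (added example)."""
import os
import plistlib
import tempfile


def bundle_executable_path(app_path):
    """Return the full path to the bundle's main executable.

    Reads CFBundleExecutable from Contents/Info.plist; falls back to the
    bundle's own name if the key is missing.
    """
    info_plist = os.path.join(app_path, "Contents", "Info.plist")
    with open(info_plist, "rb") as fh:
        info = plistlib.load(fh)
    name = info.get("CFBundleExecutable") or \
        os.path.splitext(os.path.basename(app_path))[0]
    return os.path.join(app_path, "Contents", "MacOS", name)


def exclusion_values(app_path):
    """(full path for the Antimalware rule, bare name for Network Protection)."""
    full = bundle_executable_path(app_path)
    return full, os.path.basename(full)


def make_fake_bundle(root, app_name, executable):
    """Constructed stand-in for an installed app; only Info.plist matters here."""
    app_path = os.path.join(root, app_name)
    os.makedirs(os.path.join(app_path, "Contents", "MacOS"), exist_ok=True)
    with open(os.path.join(app_path, "Contents", "Info.plist"), "wb") as fh:
        plistlib.dump({"CFBundleExecutable": executable,
                       "CFBundleName": app_name}, fh)
    return app_path


def demo():
    """Resolve two constructed bundles; returns {app: (policy path, name)}.

    The temporary root is rewritten to /Applications so the results read like
    the paths an administrator would enter in the policy.
    """
    results = {}
    with tempfile.TemporaryDirectory() as root:
        bundles = [make_fake_bundle(root, "Calendar.app", "Calendar"),
                   make_fake_bundle(root, "Visual Studio Code.app", "Electron")]
        for app in bundles:
            full, name = exclusion_values(app)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            results[os.path.basename(app)] = ("/Applications/" + rel, name)
    return results


if __name__ == "__main__":
    for app, (path, name) in demo().items():
        print("%s -> Antimalware: %s | Network Protection: %s" % (app, path, name))
```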

Adding process exclusions in the Antimalware section

To exclude a process from scanning for malware in the Antimalware section of the policy settings, follow these steps:

  1. Log in to GravityZone Control Center.

  2. Go to the Policies page.

  3. Create or edit a custom policy.

  4. Go to Antimalware and click Settings.

  5. Select the Custom Exclusions check box.

  6. From the menu, select Process as exclusion type.

    69763_3.png

  7. Enter the complete path to the executable file of the application. For example, the complete path for the Time Machine application is /Applications/Time Machine.app/Contents/MacOS/Time Machine.

  8. Select the scanning modules to which the rule applies:

    • On-Access

    • ATC/IDS

    • Both On-Access and ATC/IDS modules

  9. Optionally, click Show remarks to add a note about this exclusion in the Remarks field.

  10. Click the add_inline.png Add button.

  11. Click Save.

To remove a rule from the list, click the corresponding delete_inline.png Delete button.

Adding process exclusions in Network Protection

To exclude a process from traffic scanning in the Network Protection section of the policy settings, follow these steps:

  1. Log in to GravityZone Control Center.

  2. Go to the Policies page.

  3. Create or edit a custom policy.

  4. Go to Network Protection > General and select the Global Exclusions check box.

  5. From the menu, select Application as exclusion type.

    69763_4.png

  6. Enter the name of the executable file of the application to be excluded.

    For example, enter Calendar to exclude the Calendar application, or Electron to exclude the Visual Studio Code application.

    Note

    You do not need to enter a path and the executable file does not have an extension.

  7. Click the add_inline.png Add button.

  8. Click Save.

To remove a rule from the list, click the corresponding delete_inline.png Delete button.

Configure Faronics Deep Freeze to work with Bitdefender Endpoint Security Tools

This section explains how to configure Faronics Deep Freeze Enterprise to allow installation of Bitdefender Endpoint Security Tools.

Bitdefender Endpoint Security Tools (BEST) is a fully-automated computer security program, managed remotely by your network administrator. Once installed, it protects you against all kinds of malware (such as viruses, spyware and trojans), network attacks, phishing and data theft. It can also be used to enforce your organization's computer and Internet usage policies.

Faronics Deep Freeze helps eliminate computer damage and downtime by making computer configurations indestructible. Once Deep Freeze is installed on a computer, any changes made to the computer—regardless of whether they are accidental or malicious—are never permanent. Deep Freeze provides immediate immunity from many of the problems that plague computers today—inevitable configuration drift, accidental system misconfiguration, malicious software activity, and incidental system degradation.

Overview

Having Faronics Deep Freeze Enterprise installed on a computer will cause the signature updates installed by BEST to be deleted at every system reboot.

This section is meant to help you understand how to configure Faronics Deep Freeze Enterprise to work along with BEST without blocking:

  • Signatures updates after a system reboot

  • Policy assignment from Control Center

  • BEST product updates

Install BEST with Faronics Deep Freeze Enterprise

You have two options to install BEST: manually or using a script.

Configure manually

  1. Install Faronics Deep Freeze Enterprise version 8 or higher on a server in your network.

  2. Use the Deep Freeze Configuration Administrator utility to configure a password and a new partition (for instance, T:\) with a minimum of 1.5 GB capacity as thawspace. The thawspace holds the files that are kept after a system is rebooted with Deep Freeze active.

  3. In Deep Freeze Configuration Administrator utility tool, go to File > Create Workstation Install Program and create an installation package for the systems protected by Deep Freeze.

  4. Install the newly created package on the target machine.

  5. Open Deep Freeze Enterprise and select the Boot Thawed check box in Boot Control tab. This option will disable Deep Freeze on the next reboot, allowing you to install Faronics Data Igloo and BEST.

  6. Reboot the target machine.

  7. Install Faronics Data Igloo.

  8. Open the regedit utility on the target machine and create the registry key HKEY_LOCAL_MACHINE\Software\Bitdefender.

  9. Using Faronics Data Igloo, change the target of the HKEY_LOCAL_MACHINE\Software\Bitdefender key to a folder located on the T:\ partition.

  10. On the partition containing the operating system, create the following folders:

    • %ProgramFiles%\Bitdefender\Endpoint Security\Signatures

    • %ProgramFiles%\Bitdefender\Endpoint Security\ThreatScanner

    • %ProgramFiles%\Bitdefender\Endpoint Security\settings

    • %ProgramFiles%\Bitdefender\Endpoint Security\epagng

  11. Using the Folder Redirection tab from Faronics Data Igloo, redirect the folders created in the previous step to a folder on the T:\ partition.

  12. Install BEST on the target machine.

Configure using scripting functionality

  1. Install Faronics Deep Freeze Enterprise version 8 or higher on a server in your network.

  2. Use the Deep Freeze Configuration Administrator utility to configure a password and a new partition (for instance, T:\) with a minimum of 1.5 GB capacity as thawspace. The thawspace holds the files that are kept after a system is rebooted with Deep Freeze active.

  3. In Deep Freeze Configuration Administrator utility tool, go to File > Create Workstation Install Program and create an installation package for the systems protected by Deep Freeze.

  4. Install the newly created package on the target machine. The machine will automatically reboot.

  5. Open Deep Freeze Enterprise and select the Boot Thawed check box in Boot Control tab. This option will disable Deep Freeze on the next reboot, allowing you to install Faronics Data Igloo and BEST.

  6. Reboot the target machine.

  7. Install Faronics Data Igloo.

  8. Download the Bitdefender redirection script from here.

  9. Extract the VBS script file from the archive and run it.

    Note

    On operating systems with User Account Control enabled, launch Command Prompt (cmd.exe) as Administrator and run the script from the command line.

  10. Install BEST on the target machine.

Running a BEST product update

Important

During this process, the target system will reboot two times.

To successfully run a BEST product update:

  1. Switch the target machine to Boot Thawed mode. Deep Freeze will require a reboot in order to boot into Boot Thawed mode.

  2. Run the Update task from the Control Center. Additionally, you can run the update from the local console.

    Note

    In some situations, BEST may require a reboot of the target machine.

  3. Log in to Control Center to confirm the product update has been installed successfully by generating an Update Status report.

  4. Switch the target machine to Boot Frozen mode. Deep Freeze will require a reboot in order to boot into Boot Frozen mode.

Security Servers

In this section you can assign Security Servers to endpoints in your environment, to streamline the distribution of scanning tasks, and customize Security Server specific settings.

policy-eps-2_4-sva.png

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

Security Server Assignment

You can assign one or several Security Servers to the target endpoints, and set the priority with which endpoints will elect a Security Server to send scanning requests.

Note

It is recommended to use Security Servers for scanning virtual machines or computers with low resources.

To assign a Security Server to the target endpoints, add the Security Servers you want to use, in the Security Server Assignment table, as follows:

  1. Click the Security Server drop-down list and then select a Security Server.

  2. If the Security Server is in DMZ or behind a NAT server, enter the FQDN or IP of the NAT server in the Custom Server Name/IP field.

    Important

    Make sure that port forwarding is correctly configured on the NAT server so that the traffic from endpoints can reach the Security Server. For details regarding ports, refer to GravityZone (cloud) communication ports.

  3. Click the add_inline.png Add button in the Actions column.

    The Security Server is added to the list.

  4. Repeat the previous steps to add other Security Servers, if available or needed.

To set the priority of the Security Servers:

  • Use the up and down arrows available in the Actions column to increase or decrease each Security Server's priority.

    When assigning more Security Servers, the one on top of the list has the highest priority and will be selected first.

    If this Security Server is unavailable or overloaded, the next Security Server is selected.

    Scan traffic is redirected to the first Security Server that is available and has an acceptable load.

To remove a Security Server from the list, click the corresponding delete_inline.png Delete button in the Actions column.

Security Server Load Balancing

You can customize how scanning tasks are distributed among the available Security Servers by choosing one of these Security Server operating modes:

  • Redundancy mode - choose this mode to send scanning requests to the first available Security Server.

  • Equal distribution mode - choose this mode to distribute the scanning load equally between Security Servers.

Communication between Security Servers and endpoints

Enable the Use an SSL encrypted connection option if you want to encrypt the connection between the target endpoints and the specified Security Server appliances.

By default, GravityZone uses self-signed security certificates. You can change them with your own certificates in the Configuration > Certificates page of Control Center.

Communication between Security Servers and GravityZone

Choose one of the available options to define your proxy preferences for the communication between the selected Security Server machines and GravityZone:

  • Keep installation settings - to use the same proxy settings defined with the installation package.

  • Use proxy defined in the General section - to use the proxy settings defined in the current policy, under General > Settings section.

  • Do not use proxy - when the target endpoints do not communicate with the specific Bitdefender components via proxy.

Security Server Configuration

Running multiple on-demand scan tasks on virtual machines sharing the same datastore can create antimalware scanning storms. To prevent this and to allow only a certain number of scan tasks to run at the same time:

  1. Select the Limit the number of concurrent on-demand scans option.

  2. Select the level of allowed concurrent scan tasks from the drop-down menu. You can choose a predefined level or enter a custom value.

    The formula to find the maximum limit of scan tasks for each predefined level is: N = a x MAX(b ; vCPUs - 1), where:

    • N = maximum limit of scan tasks

    • a = multiplying coefficient, having the following values: 1 - for Low; 2 - for Medium; 4 - for High

    • MAX(b ; vCPUs - 1) = a function that returns the maximum number of scan slots available on the Security Server.

    • b = the default number of on-demand scan slots, which currently is set to four.

    • vCPUs = number of virtual CPUs assigned to the Security Server

    For example:

    For a Security Server with 12 CPUs and a High level of concurrent scans, we have a limit of:

    N = 4 x MAX(4 ; 12-1) = 4 x 11 = 44 concurrent on-demand scan tasks.