CLOUD SOLUTIONS

Troubleshooting

Using the Bdsyslog scanning tool

This section explains how to use the Bdsyslog tool to submit suspicious files for malware analysis.

If your computer appears to be infected but Bitdefender does not detect any malware, please follow the steps below. Be sure to provide us with the following information, so that we can fully understand the cause and provide you with a quick solution:

Note

This information will be used for malware analysis only and will be treated accordingly.

  1. Download the BDSysLog tool on the computer with issues.

  2. Extract the archive and then run the BDSysLog_i.exe file.

  3. Click the Create log button to generate the log.

    A progress bar will indicate the status. When complete, you will receive a prompt to inform you that the log was saved in bdsyslog.zip on the Desktop of the computer.

  4. Take a screenshot displaying the malware or the effects of the malware (if applicable).

  5. Update the security agent.

  6. Run a Full scan task and save the scan log.

  7. Create an archive with the logs and the screenshot.

  8. Go to the Help & Support page of Control Center and submit a Support ticket.

  9. Fill in the requested information. Describe the suspicious behavior that led you to believe that your computer is infected.

  10. If the previously created archive is smaller than 10 MB, click the Upload button and attach it. Otherwise, mention that the logs are exceeding the upload size limit. You will receive a link which you can use to upload your files.

  11. Click Submit. A Bitdefender Support Engineer will contact you shortly.

Bitdefender detects legitimate applications as a threat

This section explains what to do when Bitdefender reports a legitimate file as being infected (false positive).

Bitdefender strives to reduce false-positive reports to a minimum. However, these reports are commonly due to bad programming practices (e.g. applications that change the Master Boot Record, add run registry entries, change system files without the user’s confirmation or execute custom macros in office applications, etc.).

When an application is wrongfully detected, try adding exclusions as explained in Adding antimalware exclusions.

Should the exclusions fail, you need to send us the detected file(s) as described below:

Note

These files are used only for malware analysis and are treated accordingly.

  1. Disable Bitdefender real-time protection and/or any other security software you are using.

  2. Locate the file(s) on your drive.

  3. Add the detected file(s) to a ZIP file using file compression software of your choice (WinZip, WinRAR, etc.).

  4. Password-protect the ZIP file with the password infected.

  5. Complete the Enterprise Support Online Form and provide us with the following:

    • The ZIP file (upload via “Attach a file” field)

    • The message body must contain the words FALSE POSITIVE.

  6. Click the Submit button.

  7. Enable the Bitdefender real-time protection and/or any other security software you might use.

Bitdefender does not detect malware

Some files may not be detected by Bitdefender even if they are malicious. This is called a false negative and usually occurs when the malware uses new (unexplored) techniques.

In order to promptly resolve this issue, we kindly ask that you send us the malware file(s) as described below:

Note

These files will be used for malware analysis only and will be treated accordingly.

  1. Disable Bitdefender's real-time protection and/or any other security software that might be in use.

  2. Locate the file(s) on your drive.

  3. Add the malware file(s) to a ZIP file using file compression software of your choice (WinZip, WinRAR, etc.).

  4. Password-protect the ZIP file with the password "infected".

  5. Complete the CUSTOMER CARE ONLINE FORM and provide us with the following:

    • The ZIP file (upload via “Attach a file” field)

    • The words “FALSE NEGATIVE” typed in the message body

  6. Click the SUBMIT button.

  7. Enable the Bitdefender real-time protection and/or any other security software you might use.

Note

False negative reports are corrected as soon as possible once we receive the samples.

If you suspect that your computer is infected but Bitdefender does not detect any threats, please read this article.

Making SELinux module compatible with On-Access scanning in BEST Linux

This section describes how to make the SELinux module compatible with On-Access scanning in Bitdefender Endpoint Security Tools (BEST) for Linux.

Should you require more information on configuring SELinux than provided, please refer to your Linux distribution documentation.

Issue

Security-Enhanced Linux (SELinux) is a kernel security module that enforces access control security policies. When the SELinux policies are set to Enforcing, this mechanism interferes with the Antimalware module of BEST for Linux, so that On-Access Scanning does not function properly.

Solution

To overcome this issue, you need to change the SELinux policies to Permissive or Disabled (recommended). This is how you make SELinux compatible with On-Access Scanning:

  1. Check the status of SELinux on the endpoint, by running the following command:

    sudo sestatus

    If the SELinux Current mode is set to Enforcing, you need to change it to Permissive or Disabled (recommended).

  2. To change the SELinux policy status:

    1. Edit the configuration file with the text editor of your choice (such as vi, vim or nano).

    2. On Red Hat-based systems (RHEL, CentOS, Fedora, SuSE), the configuration file is /etc/sysconfig/selinux.

    3. On Ubuntu / Debian-based systems, the configuration file is /etc/selinux/config.

      Note

      If you cannot find the SELinux configuration file on your system, please consult the documentation of your Linux distribution.

      Example:

      # nano /etc/sysconfig/selinux
    4. Edit the line starting with SELINUX= as follows:

      • For Permissive mode:

        SELINUX=permissive
      • For Disabled mode:

        SELINUX=disabled
    5. Save the file.

      If you use nano to edit the configuration, to save the file and exit, use the following sequence: Ctrl+O, Enter, Ctrl+X.

    6. Reboot the endpoint.

    7. After reboot, check the SELinux status by running the command again:

      sudo sestatus

      The output should be permissive or disabled.

    8. Check the Antimalware module status with the following command:

      # /opt/BitDefender/bin/bduitool get ps | grep Antimalware

      The Antimalware module status should be On (active).


      If the Antimalware module is Off although SELinux is properly configured, refer to On-access scanning in Bitdefender Endpoint Security Tools for Linux for further troubleshooting.
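The edit in steps 2.1 to 2.5 as a small POSIX shell helper, added here as an example and not part of the Bitdefender article. It assumes only the two configuration paths the article names and the two accepted modes; the reboot and the sestatus check afterwards are still done by hand.

```shell
#!/bin/sh
# Added example, not part of the Bitdefender article: rewrite the SELINUX=
# line of an SELinux config file to permissive or disabled, the two modes the
# article accepts. A reboot is still required afterwards, as the article says.

# find_selinux_config prints the first config path from the article that
# exists: /etc/sysconfig/selinux (Red Hat based) or /etc/selinux/config
# (Ubuntu/Debian based). Returns 1 when neither is present.
find_selinux_config() {
    for f in /etc/sysconfig/selinux /etc/selinux/config; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# current_config_mode FILE prints the value of the uncommented SELINUX= line.
current_config_mode() {
    sed -n 's/^SELINUX=//p' "$1" | head -n 1
}

# set_selinux_mode MODE FILE replaces only the SELINUX= line, keeps every
# other line (comments, SELINUXTYPE=) intact and leaves a FILE.bak copy.
set_selinux_mode() {
    mode=$1
    file=$2
    case "$mode" in
        permissive|disabled) ;;
        *) echo "unsupported mode: $mode (use permissive or disabled)" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "config file not found: $file" >&2; return 1; }
    grep -q '^SELINUX=' "$file" || { echo "no SELINUX= line in $file" >&2; return 1; }
    cp "$file" "$file.bak" || return 1
    # Write to a temp file and move it into place (portable, unlike sed -i).
    tmp="$file.tmp.$$"
    sed "s/^SELINUX=.*/SELINUX=$mode/" "$file" > "$tmp" && mv "$tmp" "$file" || return 1
    echo "SELINUX=$(current_config_mode "$file")"
}

# Usage on the endpoint (as root), followed by a reboot and "sudo sestatus":
#   cfg=$(find_selinux_config) && set_selinux_mode permissive "$cfg"
```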

Submitting sample files and websites for analysis

In this section you will learn how to submit sample files and websites for analysis, using the online submission form.

Issue

You may notice false positives or false negatives while using Bitdefender Endpoint Security Tools. A false positive occurs when a Bitdefender module detects a legitimate file or website as infected, whereas a false negative occurs when a Bitdefender module fails to detect an infection.

Solution

To rule out a potential false positive or false negative, use the online submission form to send the sample file or website for analysis:

  1. Go to Automatic sample submission uploader.

  2. Complete the submission form with your contact details and sample information.

  3. Click Submit.

    Note

    Samples provided through the online submission form are automatically archived and protected with the following password: infected.

This will open an email ticket that will be forwarded to the Antimalware Laboratory. The Antimalware Laboratory will provide you with an answer after analysis.

On-access scanning in Bitdefender Endpoint Security Tools for Linux

This section describes how to troubleshoot On-access scanning on Bitdefender Endpoint Security Tools for Linux.

Issue

In some situations, On-access scanning from Bitdefender Endpoint Security Tools may not properly work on the Linux endpoint. There are two main possible causes:

  • On-access scanning is disabled from the policy settings regarding the Antimalware module.

  • On-access scanning is incompatible with certain security policies applied on that endpoint. This usually happens because of missing dependencies on the endpoint operating system.

Solution

To find out why On-Access scanning is not working, you have to verify:

  1. The status of the Antimalware module

  2. The conditions required by Bitdefender Endpoint Security Tools for Linux

The status of the Antimalware module

To verify that On-access scanning of the Antimalware module is enabled on the security agent, run the following command:

sudo /opt/BitDefender/bin/bduitool get ps

Example

Product version: 6.2.20.63
Last succeeded update: 2018-05-07 at 19:05:28
New product update available: no
Signatures version: 7.75906
New signatures update available: yes
Installed scan type: Full
Installed scan type fallback: None
Currently used scan type: Full
Features:
- Antimalware status: Off

In this example, the Antimalware module status is Off. This status refers only to the On-access scanning feature of the Antimalware module.

The On-demand scanning feature of the Antimalware module is always enabled.

Conditions required by Bitdefender Endpoint Security Tools for Linux

To make sure that the Antimalware module is working properly, check the following conditions:

  • The endpoint has a security policy active that does not disable On-access scanning. Also, check in the GravityZone console that On-access scanning for Linux option is enabled in the policy and has target paths defined in the list.

  • The endpoint is correctly communicating with the GravityZone console or with the assigned relay endpoint.

  • The endpoint is licensed correctly. Go to the Network page, in GravityZone Control Center, and make sure that the endpoint does not have Pending or Expired status under Protection Layers section.

  • The endpoint can successfully connect to its allocated Security Server through ports 7081 and 7083, if the Scan Type is set to Remote. This information is displayed by running the bduitool get ps command.

    If remote scan is used, no fallback engine is configured, and the endpoint cannot communicate with the Security Server, the Antimalware module will not work at all. For example, run the following command:

    sudo /opt/BitDefender/bin/bduitool get ps

    In this case, the output will look like this:

    Product version: 6.2.20.87
    Last succeeded update: 2018-10-31 at 16:48:55
    New product update available: no
    Signatures version: 7.77462
    New signatures update available: yes
    Installed scan type: Remote
    Installed scan type fallback: None
    Currently used scan type: None
    Features:
    - Antimalware status: Off

  • The endpoint is using a kernel newer than 2.6.37 and the Fanotify feature is active in the kernel. To learn how to configure Fanotify in Debian 8, refer to Bitdefender Endpoint Security Tools compatibility with Debian 8.

  • SELinux is disabled or set to Permissive on the endpoint. If SELinux is active with Enforcing setting, On-access scanning will not function correctly. For details about managing SELinux on systems running BEST, refer to Making SELinux module compatible with On-Access scanning in BEST Linux.

  • For endpoints using kernels with version 2.6.36 or below, the DazukoFS kernel module is installed and loaded (on the kernel versions that support it). To check whether the DazukoFS module is loaded, run the following command:

    lsmod | grep dazuko

If all the above conditions are met, but the Antimalware module is still disabled, contact the Bitdefender Business Support Team.
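The checks above, condensed into a small diagnostic shell script. This is an added example, not a Bitdefender tool: it reads the bduitool get ps output shown in this section, tells apart an unreachable Security Server (Remote scan type, no fallback, no engine in use) from an engine that is present but has On-access scanning off, and compares the kernel version against the 2.6.37 Fanotify threshold (2.6.37 itself is treated as supported). The label strings and the sample output are constructed for the example; the field names are taken from the output above.

```shell
#!/bin/sh
# Added example, not from the Bitdefender article: interpret "bduitool get
# ps" output and the kernel version to name the likely reason On-access
# scanning is off. Field names match the article's sample; labels are ours.

# ps_field FIELD prints the value of "FIELD: value" read from stdin; the
# "- " prefix used in the Features block is optional.
ps_field() {
    sed -n "s/^- *$1: *//p; s/^$1: *//p" | head -n 1
}

# fanotify_kernel VERSION succeeds for 2.6.37 or newer (fanotify range);
# older kernels fall under the article's DazukoFS condition.
fanotify_kernel() {
    printf '%s\n' "$1" | awk -F'[.-]' \
      '{ exit !($1 > 2 || ($1 == 2 && $2 > 6) || ($1 == 2 && $2 == 6 && $3 >= 37)) }'
}

# diagnose_onaccess reads bduitool output from stdin and prints one label:
# ok, security-server-unreachable or policy-or-platform.
diagnose_onaccess() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | ps_field 'Antimalware status')
    installed=$(printf '%s\n' "$out" | ps_field 'Installed scan type')
    fallback=$(printf '%s\n' "$out" | ps_field 'Installed scan type fallback')
    current=$(printf '%s\n' "$out" | ps_field 'Currently used scan type')
    if [ "$status" = "On" ]; then
        echo ok
    elif [ "$installed" = "Remote" ] && [ "$fallback" = "None" ] && [ "$current" = "None" ]; then
        # Remote scan, no fallback, no engine in use: Security Server
        # (ports 7081/7083) is unreachable.
        echo security-server-unreachable
    else
        # Engine present but On-access off: check policy, SELinux mode
        # (sestatus) and the kernel/fanotify or DazukoFS condition.
        echo policy-or-platform
    fi
}

# Constructed sample, modelled on the article's Remote scan output.
SAMPLE_REMOTE='Product version: 6.2.20.87
Signatures version: 7.77462
Installed scan type: Remote
Installed scan type fallback: None
Currently used scan type: None
Features:
- Antimalware status: Off'

# Live use:  sudo /opt/BitDefender/bin/bduitool get ps | diagnose_onaccess
```

On an endpoint, follow it with fanotify_kernel "$(uname -r)" to decide whether the Fanotify or the DazukoFS condition applies.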