Configuring profiles

The Configuration Profiles section allows you to create and manage collections of settings that you can assign to one or more policies in a fast and efficient manner.

Configuration profiles include:

Exclusions

The Exclusions page enhances your control over the content of policies by creating and managing exclusion lists that can be tailored to the profile of every segment in your environment.

This single-source exclusion management system bypasses the need to inherit the settings from one policy to another in order to reuse exclusions, by allowing you to create and manage exclusions and exclusion lists outside the policy.

You can reuse an exclusion in one or multiple lists, and then assign these lists to one or multiple policies, thus allowing you complete freedom to customize the content that will be excluded from scanning. Furthermore, when you assign a list of exclusions to a policy, you will be able to view how many endpoints will be impacted by the change.

This will result in having and using leaner and more targeted policies, which will increase the overall performance and stability of your environment, and reduce the workload of your SOC team by lowering the amount of false-positive events.

Important

Bitdefender security agent can exclude from scanning certain object types. Antimalware exclusions are to be used in special circumstances, or following Microsoft or Bitdefender recommendations. For an updated list of exclusions recommended by Microsoft, please refer to this web article.

The Exclusions page includes two major areas:

The Exclusions lists panel, where you can create and manage exclusion lists.
The Exclusions grid, where you can create new exclusions, or manage exclusions already assigned to exclusion lists.

The Exclusion lists panel

In the Exclusion lists panel you can create new lists and manage them, and also have access to all the available lists created in your company by other users with manage network rights.

The My lists section includes only the lists of exclusions you have created.
The Other lists section includes all the lists of exclusions available in your company created by all the users with manage network rights.

You can create a new list by clicking the NEW LIST button.

The Exclusions grid

In the Exclusions grid area you can create new exclusion rules from scratch, edit and delete them, use the extensive filtering options to manage existing exclusions and assign them to lists.

If you click the All Exclusions bar at the top of the lists section the grid area will populate with all the exclusion rules created so far in your environment, regardless if they are assigned to a list or not.
Exclusions may be displayed on multiple pages. To navigate them, use the control buttons at the bottom.
If you select any of the exclusion lists the grid area will populate with the exclusion rules assigned to that list only.

To customize the grid area you can take the following actions:

Click the Show/Hide Filters button to show or hide the filters bar.
Click the Show/Hide Columns button to add or remove filter columns.
Click the Refresh button to refresh the list.
Click the Clear button to reset all filters.

Searching, filtering, and sorting exclusions

The grid area offers you multiple searching, filtering, and sorting options.

You can filter/search by:

Object type - select the desired object type from the drop-down and click APPLY to display the available exclusion rules.
Excluded items - type in the name of an excluded item to search and display all the rules that may contain it.
Modules - select the desired scanning technology to display all the exclusion rules applied to that module.
Remarks - search for exclusion rules with a specific keyword added to the Remarks field.

For excluded items and remarks, you can use the asterisk (*) as wildcard in searches to match zero, one or more characters. For example, use *text to find all items that contain text.

To sort exclusions, click the header of each of column, including In lists and Added on.

Creating and assigning exclusions to lists

In GravityZone, you can create exclusions individually, then assign them individually or collectively to one or more lists.

To create a new exclusion rule from scratch and assign it to a list:

Click the Add Exclusions button and start defining the new exclusion rule.
Select the exclusion object type from the menu:
- File: only the specified file
- Folder: all files and processes inside the specified folder and from all of its subfolders
- Extension: all items having the specified extension
- Process: any object accessed by the excluded process
- File Hash: the file with the specified hash (in SHA-256 format)
- Certificate Hash: all the applications under the specified certificate hash (thumbprint, in SHA-1 and SHA-2 format)
- Threat Name: any item having the detection name (not available for Linux operating systems)
- Command Line: the specified command line (available only for Windows operating systems)
- IP/Mask: The IP address or IP mask (0-255 format) for which inbound and outbound traffic will be excluded from scanning.
Provide the details specific to the selected exclusion type:
File, Folder or Process
Enter the path to the item to be excluded from scanning. You have several helpful options to write the path:
- Declare the path explicitly:
  For example: C:\temp
  To add exclusions for UNC paths, use any of the following syntaxes:
  \\hostName\shareName\filePath
  \\IPaddress\shareName\filePath
- Use the system variables available in the drop-down menu:
  For process exclusions, you must also add the name of the application's executable file.
  For example:
  %ProgramFiles% - excludes the Program Files folder
  %WINDIR%\system32 – excludes folder system32 within Windows folder
  Note
  It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
- Use wildcards:
  The asterisk (*) substitutes for zero or more characters excepting path delimiters. Double asterisk (**) substitutes for zero or more characters including path delimiters. The question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.
  For example:
  C:\Test\*.* – excludes all files from Test folder
  C:\Test\*.png – excludes all PNG files from the Test folder
  C:\Test\* - excludes all files from Test
  **\file.txt - excludes all folders and subfolders that contain file.txt
  **\my_folder\*\file.txt - excludes all the folders on all levels above my_folder and all subfolders on a single level under my_folder that contain file.txt
  **\application*.exe - excludes all the files that have the name application and variations of this name followed by one or more characters, regardless where the files are located.
  C:\MyApp\** - excludes all files and folders in MyApp folder, regardless of the depth level.
  C:\Program Files\WindowsApps\Microsoft.Not??.exe – excludes the Microsoft Notes processes.
Note
- Double asterisk can lead to undesired exclusions when misused, therefore we recommend caution.
- Double asterisk is not available on macOS.
- Process exclusions do not support wildcards on Linux operating systems.
Extension
Enter one or more file extensions to be excluded from scanning, separating them with a semicolon ";". You can enter extensions with or without the preceding dot. For example, enter txt to exclude text files.
Note
On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example, file.txt is different from file.TXT.
File hash, Certificate hash, Threat name, or Command line
Enter the file hash, certificate thumbprint (hash), the exact name of the threat or the command line depending on the exclusion rule. You can use one item per exclusion.
Command line examples:
```
npm install
npx nx format
tester.exe acceptance --run-all-tests      
```
Select the scanning methods to which the rule applies. Some exclusions may be relevant for just one of the scanning modules (On-access scanning, On-demand scanning, ATC/IDS, Ransomware Mitigation, LSASS Protection), while others may be recommended for all of the modules.
Optionally, click the Show remarks button to add a note in the Remarks column about the rule.
Click the Add button.
The new rule will be added to the list.
To remove a rule from the list, click the corresponding Delete button.
Important
On-demand scanning exclusions will NOT apply to contextual scanning. Contextual scanning is initiated by right-clicking a file or folder and selecting Scan with Bitdefender Endpoint Security Tools.

To assign an exclusion rule to one or multiple lists:

In the grid area, click the More and Edit list assignment buttons.
In the configuration page, from the drop-down menu, select the lists that will add the exclusion rule to their content and click Apply.
In the Lists Preview area you can see the exclusion lists you are about to update, and how many endpoints will be impacted by the exclusion list.
Click Assign to complete the process.

To assign multiple exclusion rules to multiple lists:

In the grid area, select one or more exclusions.
Click the Assign to lists button.
In the configuration page, from the drop-down menu, select the lists that will add the exclusion rules to their content and click Apply.
In the Lists Preview area you can see the exclusion lists you are about to update.
Click Assign to complete the process.

Editing exclusions inline

To edit an exclusion rule inline:

Go to the desired exclusion, click the More button and Edit exclusion.
Make changes in the following columns:
- Excluded items
- Modules
- Remarks
Click the confirmation icon to save the changes.

Exporting exclusions

To export one or more exclusions in CSV format:

Select the corresponding check boxes in the grid.
Click the Actions button at the upper side of the grid and Export selection.
In the confirmation page, check the listed exclusions. Only the first five selected items are displayed. The CSV file will include the entire selection.
Confirm the action.

To export all exclusions displayed on all pages at a certain moment, click the Export view button in the upper-right corner of the grid.

Deleting exclusions

To delete a specific exclusion:

Go to the desired exclusion, click the More and Delete buttons.
In the confirmation window, review the lists and the policies affected by your action.
Confirm the action.

To delete multiple exclusions:

Select the corresponding check boxes in the grid.
Click the Actions button at the upper side of the grid and select Delete.
In the confirmation window, review the number of exclusions, lists and policies affected by your action.
Confirm the action.

Creating a new exclusion list

To create a new exclusion list:

Click the NEW LIST button to open the window where you can define your new list.
Name your new list by filling out the Title field.
Note
This field is mandatory.
Add relevant details about the list in the Description field.
After naming and describing your list you can start defining the exclusion rules.
Select the excluded object type from the menu:
- File: only the specified file.
- Folder: all files and processes inside the specified folder and from all of its subfolders.
- Extension: all items having the specified extension.
- Process: any object accessed by the excluded process.
- File Hash: the file with the specified hash. GravityZone supports the SHA-256 hash algorithm.
- Certificate Hash: all the applications under the specified certificate hash (thumbprint).
- Threat Name: any item having the detection name (not available for Linux operating systems).
- Command Line: the specified command line (available only for Windows operating systems).
- IP/Mask: The IP address or IP mask (0-255 format) for which inbound and outbound traffic will be excluded from scanning.
Warning
In agentless VMware environments integrated with vShield, you can exclude only folders and extensions. By installing Bitdefender Tools on the virtual machines, you can also exclude files and processes.
During the installation process, when configuring the package, you must select the check box Deploy endpoint with vShield when a VMware environment integrated with vShield is detected.
Provide the details specific to the selected exclusion type:
File, Folder or Process
Enter the path to the item to be excluded from scanning. You have several helpful options to write the path:
- Declare the path explicitly:
  For example: C:\temp
  To add exclusions for UNC paths, use any of the following syntaxes:
  \\hostName\shareName\filePath
  \\IPaddress\shareName\filePath
  Note
  To accommodate Linux requirements, GravityZone supports up to 4096 characters when defining paths. To apply this limit on Windows, make sure MAX_PATH is set to support this value on the target machines. Learn more in Microsoft documentation.
- Use the system variables available in the drop-down menu:
  For process exclusions, you must also add the name of the application's executable file.
  For example:
  %ProgramFiles% - excludes the Program Files folder
  %WINDIR%\system32 – excludes folder system32 within Windows folder
  %SystemDrive% - excludes the drive where the Windows folder was placed, usually drive C:
  Note
  It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
- Use wildcards:
  The asterisk (*) substitutes for zero or more characters excepting path delimiters. Double asterisk (**) substitutes for zero or more characters including path delimiters. The question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example, ??? substitutes for any combination of exactly three characters.
  For example:
  C:\Test\*.* – excludes all files from Test folder
  C:\Test\*.png – excludes all PNG files from the Test folder
  C:\Test\* - excludes all files from Test
  **\file.txt - excludes all folders and subfolders that contain file.txt
  **\my_folder\*\file.txt - excludes all the folders on all levels above my_folder and all subfolders on a single level under my_folder that contain file.txt
  C:\Program Files\WindowsApps\Microsoft.Not??.exe – excludes the Microsoft Notes processes.
Note
- Double asterisk can lead to undesired exclusions when misused, therefore we recommend caution.
- Double asterisk is not available on macOS.
- Process exclusions do not support wildcards on Linux operating systems.
Extension
Enter one or more file extensions to be excluded from scanning, separating them with a semicolon ";". You can enter extensions with or without the preceding dot. For example, enter txt to exclude text files.
Note
On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example, file.txt is different from file.TXT.
File hash, Certificate hash, Threat name, or Command line
Enter the file hash, certificate thumbprint (hash), the exact name of the threat or the command line depending on the exclusion rule. You can use one item per exclusion.
Select the scanning methods to which the rule applies. Some exclusions may be relevant for just one of the scanning modules (On-access scanning, On-demand scanning, ATC/IDS, Ransomware Mitigation), while others may be recommended for all of the modules.
Note
The Modules field will pre-select by default all the modules relevant for the selected Object type.
Click the Add button to add it to the list.
Optionally, you can import already defined rules from a CSV file.
1. Click Import and browse for the CSV file you want to add.
2. Select the CSV file and click Open.
  The list will be populated with the valid rules.
  Note
  If the CSV file contains invalid rules, you will be prompted an error message.
Each row in the CSV file corresponds to a single rule, having the fields in the following order:
```
<exclusion type>, <object to be excluded>, <modules>
```
These are the available values for the CSV fields:
Exclusion type:
- 1 - for file exclusions
  2 - for folder exclusions
  3 - for extension exclusions
  4 - for process exclusions
  5 - for file hash exclusions
  6 - for certificate hash exclusions
  7 - for threat name exclusions
  8 - for command line exclusions
  9 - for IP/mask exclusions
- Object to be excluded:
  A path or a file extension
- Modules:
  1 - for on-demand scanning
  2 - for on-access scanning
  3 - for all modules
  4 - for ATC/IDS
  6 - for Ransomware Mitigation
For example, a CSV file containing antimalware exclusions may look like this:
```
"1","d:\\temp","1"
"1",%WinDir%,"3"
"4","%WINDIR%\\system32","4"
```
Important
The Windows paths must have the backslash (\) character doubled. For example, %WinDir%\\System32\\LogFiles.
To remove any of the created exclusions from the list just click the Remove icon.
After defining all the exclusion rules you want in the list click Save.
The newly created list will be available in the My lists section. See Assigning exclusion lists to policies for details on how to assign an exclusion list to one or multiple policies.

Assigning exclusion lists to policies

To assign an exclusion list to one or multiple policies:

Select the desired exclusion list from the Exclusion lists panel.
The grid area will be populated with all the exclusion rules assigned to the selected list.
Here you can add new exclusions, delete existing ones, or filter them by multiple criteria. See The Exclusions grid for more details on how to configure the grid area and filter exclusions.
Click the list name to open its side details panel.
The details panel includes general information about the lists origins, relevant details, and actions you can take.
Click the Edit assignment to assign the exclusion list to one or multiple policies.
From the drop-down menu, select the policies that will add the exclusion list to their content and click Apply.
In the Policies Preview area you can see the policies you are about to update.
Click Save to complete the process.

Editing an exclusion list

To edit an exclusion list:

Click the list name in the left-side panel.
In the grid area, click the Edit list buton.
In the configuration page, you can make these changes:
- Edit title
- Edit description
- Add new exclusions manually or by importing them from a CSV file.
For details on configuring an exclusion list, refer to Creating a new exclusion list.
Click the Update button to confirm the changes.

Add exclusions from the Blocked Applications report

To add exclusions to the Configuration Profiles section directly from the Blocked Applications report, follow these steps:

Go to the Reports section of Control Center and create a Blocked Applications report.
For generic details on report configuration, refer to Create reports.
After creating the report, go to the details area and select the processes blocked by the Antimalware and Advanced Anti-Exploit modules.
Click the Add exclusion option and select To profiles.
GravityZone redirects you to the Configuration Profiles section.
In the exclusions grid, one or two entries are automatically created for each selected process, depending on the module that has blocked it:
- One entry as a process exclusion when blocked by the ATC/IDS module. The exclusion rule displays the path in the Excluded items column and mention the ATC/IDS module.
- Two entries, one as a process exclusion and another as a file exclusion, when blocked by the Antimalware module. The process exclusion displays the path in the Excluded items column and mentions the On-Access and ATC/IDS modules. The file exclusion displays the path in the Excluded items column and mentions all modules corresponding to the file object type.
Click the More icon and Edit list assignment to add these exclusions to any list.
Click the Back button at the top-left corner of the Configuration Profiles section to return to the Blocked Applications report.

Deleting an exclusion list

To delete an exclusion list:

Expand the exclusion list's detail's panel and click DELETE.
You will be prompted a confirmation message, displaying the policies that will have the list removed, and how many endpoints you will impact if you decide to delete the exclusion list.
Click DELETE to go through with the deletion, or CANCEL to exit the operation.

Monitoring changes in User Activity

You can monitor the changes made to exclusion rules and exclusion lists in the User Activity section.

When creating, editing, deleting or assigning an exclusion rule to a list, an entry for the Exclusions Rules area indicates each of these changes. If the exclusion rule is assigned to multiple lists, GravityZone Control Center displays an entry for each affected list for the Exclusions Lists area. If the list is assigned to a policy, then an entry for the Policies area indicates this change as well.

For example, editing an exclusion rule that is assigned to three lists, of which one is assigned to four policies, generates eight entries in User Activity:

One entry for the exclusion rule.
Three entries for the affected exclusion lists.
Four entries for the affected policies.

All these entries have the same creation date and time, so you can easily monitor them.

GravityZone records the following edited elements of an exclusion: object type, excluded items, modules and list assignments. However, the section does not record changes for remarks.

Maintenance Windows

The Maintenance Windows page includes settings that allow you create configuration profiles to control maintenance operations on endpoints. Being independent from the policy, you can generate multiple maintenance windows suited for every scenario that might arise within your environment.

This approach simplifies the process of configuring policies and, at the same time, helps you create and apply more targeted policies.

You can share permissions for maintenance windows, so the other GravityZone users from your company will be able to view and use them.

As a partner, you can create and modify maintenance windows for managed companies. You cannot share maintenance windows across companies. Specifically, you can use maintenance windows only in the company for which they have been created.

You can create and apply maintenance windows with Patch Management settings.

The Patch Management module releases you from the burden of keeping the endpoints updated with the latest software patches, by automatically distributing and installing patches for a vast variety of products. You can check the list of supported vendors and products in this article.

Note

The Patch Management module is available for:

Windows for workstations
Windows for servers
The following Linux distributions: CentOS, RHEL, and SLE. See requirements and limitations here.

In the Maintenance Windows page, you can view, filter, search for, create, edit, and delete windows. To use a maintenance window, you must assign it to a policy in the Policies section. Creating, editing and deleting maintenance windows are recorded in User activity log.

Note

Bitdefender installs only digitally-signed patches. If a vendor provides patches that are not signed, Bitdefender does not consider them. In this case, you can manually download and install those patches.

Note

To manage patches manually, use the options available in the Patch Inventory section.

Viewing maintenance windows

The Maintenance Windows page includes two major areas:

The selection panel, which contains the list of available maintenance windows ordered by type.
The details grid, where you create new maintenance windows or manage the existing ones.

You can view maintenance windows only for one company at a time. To change the company, click the name of the current company in the upper-right corner of the page and make another selection in the drop-down list.

Filtering and searching for maintenance windows

In the Maintenance Windows page you can easily filter and searching for maintenance windows by using the options available in the selection panel and in the details grid.

Under PATCH MANAGEMENT category, you can select one of these types:

All patches
Security patches
Non-security patches

The details grid will display the maintenance windows accordingly. Details include:

Window name.
Status - indicates whether the maintenance window is being used in policies or not.
Schedule details - indicates the number of schedules configured within the maintenance window. For example, a maintenance window with three schedules indicates one schedule for patch scanning and two for applying security and non-security patches, respectively.
Last modified - displays date and time when the maintenance window was modified.
Last edited by - indicates the last user who modified the maintenance window.
Permissions - indicates whether other users have shared permissions to modify the displayed maintenance windows.
In policies – displays the number of policies to which the maintenance windows are assigned.

You can sort the maintenance windows by clicking the header of the following columns: Window name, Status, Last modified, Last edited by, Permissions, In policies.

You can search/filter by:

Window name - type in one or more characters and click the magnifying glass (or press Enter) to display matching maintenance window names.
Status - select the one of the items from the drop-down list and click APPLY to display used, unused, or all maintenance windows.
Last modified - click to display a calendar where you can specify precise intervals.
Select one of the predefined options in the left-side panel (Last 24 hours, Last 7 days, Last 30 days) or customize the interval by using the calendar in the right-side panel. Use the left and right arrows on the sides of the panel to navigate through the calendar.
Click CONFIRM to apply the selection.
Last edited by - type in one or more characters from the user names and click the magnifying glass (or press Enter) to display maintenance windows created or modified by certain GravityZone users.
In the More filtering box, select Permissions and click APPLY to display maintenance windows with shared or not shared permissions.

Additional options are available in the upper-right corner of the grid:

Creating and editing a maintenance window

With maintenance windows, you control automatic patch deployment. First you will configure how patches are downloaded to the endpoints, and then which patches to install and when.

GravityZone performs patch deployment in two independent phases:

Assessment - When requested via the management console, endpoints scan for missing patches and report them back.
Installation - The GravityZone console sends the endpoint agents a list of patches you want to install. The agents downloads the patches and then installs them.

The maintenance window provides the settings to automate these processes, partly or entirely, so that they run periodically based on the preferred schedule.

Important

For the assessment and installation to be successful on Windows endpoints, you must ensure the following requirements are met:

Trusted Root Certification Authorities stores the DigiCert Assured ID Root CA certificate.
Intermediate Certification Authorities includes the DigiCert SHA2 Assured ID Code Signing CA.
Endpoints have installed the patches mentioned in these Microsoft articles:
- For Windows 7 and Windows Server 2008 R2: Microsoft Security Advisory 3033929
- For Windows Vista and Windows Server 2008: You cannot run an application that is signed with a SHA-256 certificate on a computer that is running Windows Vista SP2 or Windows Server 2008 SP2

To create a maintenance window:

In the Maintenance Windows page, click the ADD WINDOW button.
Enter a window name. This field is mandatory.
Enable the option Allow others to make changes to this maintenance window if you want shared permissions.
For targeted operations, select one or both these options:
- Scan for patches - the security agent scans the endpoint for missing patches and it reports them back to GravityZone console.
- Apply patches - the GravityZone console sends the agent a list of patches you want to install. The endpoint downloads the patches from the Patch Caching Server and then installs them. Further, choose what type of patches to be installed on the endpoints:
  - Security patches - include fixes for vulnerabilities / CVEs.
  - Non-security patches - include bug fixes and new features for third-party applications.
  Once you have selected Scan for patches and Apply patches, additional options will appear on the page, as described below.
Configure scheduling options:
- Smart scan for patches when new applications are installed. When a new application is installed on the endpoint, the security agent automatically installs all discovered OS and application updates, regardless of any planned scan and installation tasks.
  Note
  Patch Management does not support smart scan on Linux endpoints.
- Use the same schedule for all targeted operations. The security agent scans for patches and then, as soon as possible, it installs them on the endpoint.
- Use fallback schedule compatible with Bitdefender Endpoint Security Tools for Windows version 7.3.2.x or older. This option ensures compatibility with the previous generation of the security agent which provided only limited scheduling capabilities. For the best experience with the Patch Management module, we recommend updating Bitdefender Endpoint Security Tools for Windows to version 7.4.1.111 or later.
  Important
  If you apply the maintenance window with this option disabled to non-compatible endpoints, the security agent will not perform patch scanning and patch installation on them.
Depending on the options you have enabled, the following scheduling forms will appear on the page:
- Schedule for patch scanning, where you configure when the patch scanning operation takes place.
- Schedule for applying patches - security, where you configure when the security patches are installed on the endpoints.
- Schedule for applying patches - non-security, where you configure when the non-security patches are installed on the endpoints.
Note
If you have selected Use the same schedule for all targeted operations, a single schedule form replaces the individual schedules.
In a schedule form, you can configure with great flexibility when the desired action (patch scanning or patch installation) to take place:
- Immediately (only for patch installation) - the security agent will install patches as soon as possible after finishing a patch scanning.
- Weekly - the security agent scans for patches and installs them during the week as follows:
  - On certain weeks of the month (every one, two, three, or four weeks).
  - On specific days (any selection from Monday to Sunday).
  - Starting with a specific date.
  - Between certain hours (any selection from 00:00 to 23:59).
- Monthly - the security agent scans for patches and installs them during the month as follows:
  - On certain months of the year (every one, two, three and so on, up to every twelve months).
  - On specific days (any selection from the first to the last day of the month or during specific days of the week)
  - Starting with a specific date.
  - Between certain hours (any selection from 00:00 to 23:59).
Examples:
- For weekly schedule, you can set a patch scan task to take place every three weeks, on Monday, Wednesday and Friday, starting 12 December 2021, between 18:00 and 19:30.
- For monthly schedule, you can set a patch scan task to take place every two months, on the third Wednesday of the month, starting 12 December 2021, between 10:00 and 10:59.
  Note
  If you have chosen the scan to take place on the 31st day of the month, the task will be skipped in months with 30 days or less.
For various reasons, an endpoint may be offline when patch installation is scheduled to run. Select the option If missed, run as soon as possible to install the patches immediately after the endpoint comes back online.
Configure reboot preferences:
- Users postpone the system restart until a more convenient time. Select this option to allow endpoint users to restart the system whenever they want, without enforcing a time limit.
  On the endpoint, the security agent will display a dialog window where users can restart the system immediately, postpone the restart alert, or pick a more convenient time.
- Users postpone the system restart only within a specific interval. Select this option to enforce a time limit within endpoint users can restart their systems. Further, you can specify:
  - An additional number of minutes if the interval is missed.
  - A customized message for endpoint to display before the restart.
  On the endpoint, the security agent will display a dialog window where users can restart the system immediately, postpone the restart alert, or pick a more convenient time. An interface message will inform them when the restart is schedule to take place, according to the configuration made in GravityZoneControl Center. The customized message will appear before the restart as a Windows message.
  Example:
  If you have set the interval between 16:30 and 17:30, with additional 10 minutes for missed interval, users can postpone the restart within that hour. Starting at 17:30, they will have only 10 minutes left until the automatic restart of the system, regardless of their actions.
- System restarts automatically after a specific number of minutes. Select this option to enforce automatic restart on the endpoints, after a specific time. In this case, endpoint users cannot postpone or pick a time for restart. For this option you can also customize a message to be displayed before the restart.
Important
For endpoint users to be prompted to take actions, make sure you have enabled Endpoint restart notification, Display alert pop-ups and Display notifications pop-ups options in the General > Notifications section of the policy settings. If these options are disabled and the automatic restart not selected, you need to manually restart the endpoint after patch installation.
Note
Patch Management currently does not support reboot on Linux endpoints.
Configure additional patch settings:
- Select Relays with Patch Caching Server role.
  The patch dissemination process is using Patch Caching Servers to optimize the network traffic. Windows endpoints connect to these servers and download patches through the local network. For high availability of patches, it is recommended to use more than one server.
  To add relay servers:
  - Make a selection in the drop-down list.
  - Enter one or more custom names or IP addresses and separate them by semicolon (;). The field length limit is 256 characters.
  Click the button to confirm your selection. Click the X icon to delete a relay from the list.
  If the list is empty, then you need to install the Patch Caching Server role on Relays in your network. For details on installation, refer to Install security agents - standard procedure.
  Note
  Relays can be Windows or Linux machines that will download and store updates from Microsoft and other vendors only for Windows endpoints. Once a patch required, Windows endpoints will download it from the caching server, preventing bandwidth clogging.
  Linux endpoints download patches directly from vendors’ websites.
  For each selected relay, you can configure priority. An endpoint requests a patch from the assigned servers in order of priority. The endpoint downloads the patch from the server where it finds it first. A server that lacks a requested patch will automatically download it from the vendor, to make it available for future requests.
  Note
  Relays with Patch Caching Server role and the policy where the maintenance window is being used must belong to the same company. You cannot use Patch Caching Servers from other companies.
  Select the option Use vendors websites as fallback location for downloading the patches to make sure your endpoints receive software patches in case Patch Caching Servers are unavailable. In case you disable this option, you risk to leave your network outdated if Patch Caching Servers are unavailable and, at the same time, the internet connection is interrupted.
- Under Vendors and products to include or exclude from being patched, create a list with applications you want to be updated or not.
  A list with Included will contain the applications will be updated. All the rest will be ignored.
  A list with Excluded will contain the applications ignored from updating. All the rest found on the endpoint will be updated.
  If you make no selection, the security agent will update all applications installed on the endpoint.
  To create a list of vendors and products:
  1. Select Included or Excluded. The selected option applies to the entire list you are creating.
  2. From the drop-down list, select vendors and applications, and click Select products.
    Note
    The list displays separate products for Windows and Linux.
  3. Click the button to add your selection to the list. To delete a vendor or product, click the X icon.
  4. To edit the selection, click the product name in the list to open up a contextual menu where you can make changes.
Click Save to confirm the configuration and create the maintenance window.

To edit a maintenance window, click the name in the grid to open it. After making changes, click Save.

Deleting a maintenance window

To delete a maintenance window:

In the details grid from the Maintenance Windows page, select the check box corresponding to the maintenance window.
Click the Delete button and confirm action.
Important
When deleting an assigned maintenance window, the Patch Management module will be disabled in that policy. To re-enable it, you have to assign a new maintenance window.

Assigning a maintenance window to a policy

To apply Patch Management settings into your network, you need to assign the maintenance window to a policy.

Note

To assign a maintenance window created for other company, you have to log in

to GravityZone as an administrator of that company.

This is how you assign the maintenance window to a policy:

Go to Policies and click Add to create a new policy, or open an existing one to edit it.
In the Patch Management section, click the field next to Maintenance windows and make a selection from the drop-down list.
The list includes all the maintenance windows created by you and other users, if they have shared permissions.
Click Save to confirm the action.

Once the maintenance window assigned to the policy, the Patch Management section will display a summary that includes:

Maintenance window name
Targeted operations (Scan for patches / Apply patches)
Patch scope (Security / Non-security)
Recurrence
Reboot details

You can assign only one maintenance window per policy. To assign the same maintenance window to multiple policies, you must edit each policy one by one.

To remove a maintenance window from a policy, choose No maintenance window selected from the drop-down list next to Maintenance windows. After you confirm your choice and click Save, the Patch Management module becomes inactive.

In this section:

PARTNERS