Advanced Anti-Exploit
Powered by machine learning, Advanced Anti-Exploit is a proactive technology that stops zero-day attacks carried out through evasive exploits.
Advanced Anti-Exploit catches the latest exploits in real-time and mitigates memory corruption vulnerabilities that can evade other security solutions. It protects the most commonly used applications, such as browsers, Microsoft Office or Adobe Reader, as well as others that you may think of. It watches over system processes and protects against security breaches and hijacking existing processes.
Components
Advanced Anti-Exploit uses the following components:
GravityZone Control Center
Security agent (Bitdefender Endpoint Security Tools installed on Windows & Linux endpoints)
Prerequisites
For the Advanced Anti-Exploit feature to operate on an endpoint, the following prerequisites need to be met:
The BEST agent needs to be deployed on the endpoint using an installation package that has the Advanced Anti-Exploit module included.
A policy that has Advanced Anti-Exploit enabled needs to be applied to the endpoint.
Your company needs to have a license that includes the Advanced Anti-Exploit feature.
Install and configure Advanced Anti-Exploit
There are three possible scenarios for installing this feature on your endpoints:
An endpoint does not have the BEST agent installed. In this case, use the Create an installation package procedure.
An endpoint has the BEST agent installed, but Advanced Anti-Exploit is not included in the modules list. In this case, use the Add Advanced Anti-Exploit using a Reconfigure agent task procedure.
An endpoint has the BEST agent installed, and the Advanced Anti-Exploit module is included. In this case, go directly to the Configure and enable the Advanced Anti-Exploit feature section.
Create an installation package:
Log in to GravityZone Control Center.
Go to the Installation Packages page from the left side menu.
Click the Create button in the upper-right side of the screen.
Type in the Name and Description for the new installation package.
Select the modules you want to include.
Note
Make sure you include the Advanced Anti-Exploit module.
Click Save.
Select the newly created package from the list of packages and click Send download links.
Enter the email addresses of the recipients and click Send.
Policies are used to enable and configure features both on endpoints and in terms of general functionality.
GravityZone comes with a default set of policy settings, that are custom tailored to meet the most common customer needs. These policies are applied, by default, to endpoints, after the BEST agent is installed. You cannot modify or delete the default GravityZone policy.
You can use these default policy settings and leave the configuration of the policy for a later date, or customize the feature using the steps below:
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu.
You can either:
Under Antimalware > Advanced Anti-Exploit, enable and configure the module.
Save your policy.
If you created a new policy, apply it on the endpoints where the feature is installed.
Go to the Network page from the left side menu.
Select the endpoints you want to apply the policy to.
Click the
Assign Policy button at the upper side of the table.Select the policy you want to apply.
Click Finish.
Note
For more information, refer to Assigning device policies
If you have edited an existing policy, make sure it is applied to all endpoints where the feature is installed.
This will ensure that the feature is enabled and configured to best suit your company's needs.
Verify Advanced Anti-Exploit activity
Depending on how you configured your policy, the module will take one of the following actions when suspicious activity is detected from an application:
Kill process: ends immediately the exploited process.
Block only: prevents the malicious process from accessing unauthorized resources without GravityZone reporting the event.
Report only: GravityZone reports the event without taking any mitigation action. You can view the event details in the Advanced Anti-Exploit notification, and in Blocked Applications and Security Audit reports.
Block and report: prevents the malicious process from accessing unauthorized resources and GravityZone reports the event. You can view the event details in the Advanced Anti-Exploit notification, and in Blocked Applications and Security Audit reports.