Skip to main content


The Antimalware protection layer is based on security content scanning and heuristic analysis (B-HAVE, ATC) against: viruses, worms, Trojans, spyware, adware, keyloggers, rootkits and other types of malicious software.

Bitdefender's antimalware scanning technology relies on the following technologies:

  • First, a traditional scanning method is employed where scanned content is matched against the security content database. The security content database contains byte patterns specific to known threats and is regularly updated by Bitdefender. This scanning method is effective against confirmed threats that have been researched and documented. However, no matter how promptly the security content database is updated, there is always a vulnerability window between the time when a new threat is discovered and when a fix is released.

  • Against brand-new, undocumented threats, a second layer of protection is provided by B-HAVE, Bitdefender's heuristic engine. Heuristic algorithms detect malware based on behavioral characteristics. B-HAVE runs suspicious files in a virtual environment to test their impact on the system and ensure they pose no threat. If a threat is detected, the program is prevented from running.

Scanning engines

BitdefenderGravityZone is able to automatically set the scanning engines when creating security agent packages, according to the endpoint's configuration.

The administrator can also customize the scan engines, being able to choose between several scanning technologies:

  1. Local Scan, when the scanning is performed on the local endpoint. The local scanning mode is suited for powerful machines, having security content stored locally.

  2. Hybrid Scan with Light Engines (Public Cloud), with a medium footprint, using in-the-cloud scanning and, partially, the local security content. This scanning mode brings the benefit of better resources consumption, while involving off-premise scanning.

  3. Central Scan in Public or Private Cloud, with a small footprint requiring a Security Server for scanning. In this case, no security content set is stored locally, and the scanning is offloaded on the Security Server.


    There is a minimum set of engines stored locally, needed to unpack the compressed files.

  4. Central Scan (Public or Private Cloud scanning with Security Server) with fallback* on Local Scan (Full Engines)

  5. Central Scan (Public or Private Cloud scanning with Security Server) with fallback* on Hybrid Scan (Public Cloud with Light Engines)

* When using a dual engines scanning, if the first engine is unavailable, the fallback engine will be used. Resource consumption and network utilization will depend on the used engines.


Antimalware uses the following components:

  • GravityZone Control Center

  • Security agent (Bitdefender Endpoint Security Tools installed on Windows, Linux, & Mac endpoints)

  • Security Server Multi-Platform

Install and configure Antimalware

To start using this feature, follow the steps below:


The Antimalware module is included by default in all installation packages. If you already have the BEST agent installed on your endpoints, no further deployment is required.

Test out the Antimalware feature

The protection is divided in these categories:

  • On-access scanning: prevents new malware threats from entering the system.

  • On-demand scanning: allows detecting and removing malware already residing in the system.

The Antimalware module behaves differently depending on how the security agent installed on endpoints is set up to run:

  • Detection and prevention mode: This operation mode sets the Antimalware module to detect and block threats. When it detects a virus or other malware, the Bitdefender security agent will automatically attempt to remove the malware code from the infected file and reconstruct the original file. This operation is referred to as disinfection.

    Files that cannot be disinfected are moved to quarantine in order to isolate the infection. When a virus is in quarantine, it cannot do any harm because it cannot be executed or read.

    Advanced users can configure scan exclusions if they do not want specific files or file types to be scanned.

  • EDR (Report only) mode: This operation mode exclusively enables On-execute scanning, set to only report threats, and not blocking them.

    This mode of operation is available for users that want to install a lightweight EDR solution in their environments, that can run alongside other prevention solutions. For blocking capabilities, you are required to add a full product license.

    Contact your sales representative or visit the Bitdefender website for more information.