Skip to main content

Security agents

To protect your network with BitdefenderGravityZone, you must install Bitdefender Endpoint Security Tools on Windows, Linux and macOS endpoints.

Bitdefender Endpoint Security Tools

GravityZone ensures Windows, Linux, and macOS physical and virtual machines protection with Bitdefender Endpoint Security Tools, an intelligent environment-aware security agent which adapts to the endpoint type. Bitdefender Endpoint Security Tools can be deployed on any machine, either virtual or physical.

On Windows and Linux, the security agent provides a flexible scanning system, being an ideal choice for mixed environments (physical, virtual and cloud). On Mac, the scanning technology available is Local Scan, with security content stored locally.

In addition to file system protection, Bitdefender Endpoint Security Tools also includes mail server protection for Microsoft Exchange Servers.

Bitdefender Endpoint Security Tools uses one single policy template for physical and virtual machines, and one installation kit source for any environment (physical or virtual) running Windows, Linux, or macOS.


The following protection features are available with Bitdefender Endpoint Security Tools:



Some features and roles are only available with certain GravityZone commercial packages. For details, refer to this comparison page.

Power User

Control Center administrators can grant Power User rights to endpoint users via policy settings. The Power User module enables administration rights at user level, allowing the endpoint user to access and modify security settings via a local console. Control Center is being notified when an endpoint is in Power User mode and the Control Center administrator can always overwrite local security settings.


This module is available only for supported Windows desktop and server operating systems.


Endpoint agents using the Bitdefender Endpoint Security Tools Relay role serve as a communication proxy and update servers for other endpoints in the network. Endpoint agents with relay role are especially required in organizations with isolated networks, where all traffic is made through a single access point.

In companies with distributed networks, the relay agents help lowering the bandwidth usage, by preventing protected endpoints to connect directly to GravityZone.

Once a Bitdefender Endpoint Security Tools Relay agent is installed in the network, other endpoints can be configured via policy to communicate with the Control Center through the relay agent.

Bitdefender Endpoint Security Tools Relay agents serve for the following purposes:

  • Discovering all unprotected endpoints in the network.

    This functionality is essential for the security agent deployment in a cloud GravityZone environment.

  • Deploying the endpoint agent inside the local network.

  • Updating protected endpoints in the network.

  • Ensuring the communication between Control Center and connected endpoints.

  • Acting as proxy server for protected endpoints.

  • Optimizing the network traffic during updates, deployments, scanning and other resource-consuming tasks.

Patch Caching Server

Endpoints with the Relay role may also act as a Patch Caching Server. With this role enabled, Relays servers store software patches downloaded from the vendor's websites, and distributes them to target endpoints in your network. Whenever a connected endpoint has software with missing patches, it takes them from the server and not from the vendor's website, optimizing the traffic generated and the network bandwidth load.


This additional role is available with a registered Patch Management add-on.

Exchange Protection

Bitdefender Endpoint Security Tools with an Exchange role can be installed on Microsoft Exchange Servers with the purpose of protecting the Exchange users from email-borne threats.

Bitdefender Endpoint Security Tools with an Exchange role protects both the server machine and the Microsoft Exchange solution.