
GravityZone Control Center 

July 2024 (Version 6.52.0-1)

Early Access

External Attack Surface Management

External Attack Surface Management (EASM) is now available for Early Access. It is currently in controlled availability.

EASM solutions help organizations gain a comprehensive view of their external attack surface. These solutions automatically discover and organize all assets, services and potential vulnerabilities that are accessible from the internet. Bitdefender EASM helps companies reduce their attack surface by identifying internal and external assets exposed to the internet, thus enhancing existing GravityZone capabilities.

You can access External Attack Surface Management from the EASM dashboard and EASM inventory pages, under Risk Management.

New features


The Antimalware module capabilities are now enriched with a new feature that enables Unified Extensible Firmware Interface (UEFI) scanning. The new Scan UEFI option ensures the security and integrity of the system's boot process and protects against sophisticated threats that can persist at the firmware level.

The feature is available for on-demand scheduled tasks in the policy and malware scan tasks from the Network page. The option is located under the Miscellaneous section of each Full, Quick, and Custom scan type and is enabled by default when the security level is set to Aggressive.

You can find and further analyze this type of detection event using Threats Xplorer, or by generating a Security Audit report.


Company administrators can now make the following changes to their existing yearly licenses:

  • Increase the number of seats of your license up to 100. If you want to extend your license further, you need to purchase an additional license key.

  • Extend the expiration date by a period equal to or shorter than the original license duration.

The changes can be made from the Plans and purchase tab, in the Edit company window.


This feature is only available for licenses with fewer than 100 seats that were purchased online, directly from Bitdefender.


GravityZone platform

Security for Amazon Web Services now supports the Asia Pacific (Osaka) mandatory region.


  • This update comes with a new design and improved interface texts for the following policy sections:

    • Patch Management

    • Integrity Monitoring

    • Encryption

    • Incidents Sensor

    • Storage Protection

    • Risk Management

    The remaining sections will gradually migrate to the new design in future GravityZone releases.

  • All pages with new design now include a link to related GravityZone documentation under Get help from Support Center.

  • As a Partner, when you access the Policies page, your company's policies are automatically displayed. To view policies from other companies, select a different option in the Company column.

  • You can now create a maintenance window directly in the Patch Management section of the policy settings if none is available for selection. This maintenance window includes patch scanning settings only. To install patches, go to the main menu and edit the window in the Configuration profiles section.

  • You now receive relevant messages when trying to import exclusions files with errors in the Storage Protection section.

  • When disabling Use Bitdefender Global Protective Network to enhance protection in the policy settings, the confirmation message now informs you that you must switch to Local Scan engines if you are using Hybrid Scan engines.

Patch Management

Manually approved patches, including Microsoft Windows Feature Updates and security tools, are now available for Windows endpoints. These updates cannot be installed automatically.

Some highlights:

  • GravityZone sections such as Dashboard, Network, Tasks, Patch Inventory, Maintenance Windows, and User Activity have been updated to support Manually approved patches.

  • The Network Patch Status report now includes information related to Manually approved patches.

Network protection

  • The Time Limiter tab, which allowed you to configure time-based access restrictions, has been removed from Network Protection > Content Control > Web Access Control > Settings.

  • The Block/Schedule/Allow selector, previously used for auto-selecting intervals in the Time Limiter feature, has also been removed from the Web Access Control section, simplifying the user interface and reducing complexity.

  • You can now define schedulers in Configuration Profiles > Web Access Control Scheduler without needing to select a category, thus making the Categories field optional.

    You must still indicate the required time and day. This modification enables schedulers to accurately represent time-limiter intervals, offering more flexibility in scheduling without being limited by pre-established categories.

  • You can now add a maximum of 20 schedulers for each Schedule created in Configuration Profiles > Web Access Control Scheduler.


The Delete button on the Tasks page now also removes pending subtasks of tasks that are in progress. The confirmation window and the User activity page have been updated to reflect the changes.

Public API

  • Maintenance windows API

    • The manuallyApprovedPatchesSettings setting is now available for the updateType parameter when making requests using the createPatchManagementMaintenanceWindow and updatePatchManagementMaintenanceWindow methods.

    • The response for the getMaintenanceWindowDetails method now includes the manuallyApprovedPatchesSettings setting.

    • A new method is available: getManuallyApprovedPatches.

  • Network API

    • The new deleteTask method now removes pending subtasks of tasks that are in progress.

XDR Sensors

When displaying a network sensor in Sensors management, you can now find the complete details of the NSVA, including all the networks it is monitoring and their user-provided details.

Resolved issues

Device Control

Some users faced challenges adding exclusions for wireless headphones in Device Control.


Tasks performed on endpoints removed from the GravityZone database showed the computer name as obfuscated.


In some cases, users were unable to save policies containing entries under Exchange Protection > General > Domain IP Check (Antispoofing).

GravityZone platform

Security fixes.

June 2024 (Version 6.51-01)

New features

MSP Product Trials

The EDR Trial report feature offers a summary of the EDR-related activity observed during the trial. The report offers MSPs a comprehensive view of the client's current cybersecurity landscape, highlighting connections to EDR data to emphasize the potential risks of security events and the effectiveness of EDR in addressing them.

Partners can download this summary as a PDF file from the Product Trials Hub tab in the Edit company window. The downloaded document is available for each company that has been, or is, enrolled in an EDR Trial, and contains information specific to that company.

Public API

  • A new method is now available for the Network API: deleteTask. The method allows users to delete a specific task, identifying it using its task ID.



  • The GravityZone CSPM+ license now also provides access to cloud detection and response features, as follows:


    Only incidents created from cloud sensors will be made available.

    For access to XDR endpoint incidents or other XDR sensors you still require the appropriate license.

Resolved issues

Health Dashboard

  • Fixed an issue that caused inconsistencies between the number of non-compliant endpoints in the Endpoints policy status widget and the number reported in the Policy Compliance report.


  • Fixed an issue causing endpoints to incorrectly appear as isolated in GravityZone.

  • Due to an internal issue, scheduled Reconfigure agent tasks were running immediately on endpoints.

  • In some cases, users were forcefully logged out of GravityZone after attempting to delete multiple endpoints from the Network grid.

  • In some cases, the endpoints were not displayed in GravityZone despite BEST being successfully installed.

  • In some cases, importing a CSV with Content Control exclusions in Policy > Content Control > Web Access Control > Exclusions resulted in uppercase URLs being converted to lowercase, causing exclusions to fail.


  • Resolved an issue that caused the Incident Graph to fail loading due to an unexpected error.

Public API

  • Using the updateCompanyDetails method to update a company no longer incorrectly activates its subscription end date by adding a value to the company's endSubscription attribute.


  • Fixed an issue causing an error message to appear when trying to save changes to a GravityZone company. This would occur due to an inconsistency in the company's recorded subscription end date.

GravityZone platform

  • Security fixes.

April 2024 (Version 6.50.0-1)

New features


Anti-Tampering enables you to view when vulnerable drivers are detected on endpoints, and when advanced attack attempts are made to disable the security agent, leading to compromised product integrity.

The feature capabilities are divided into two main categories with distinct targets:

  • Vulnerable drivers

    This pre-tampering technology detects vulnerable drivers on endpoints that can be exploited by attackers, posing threats to the integrity of the product. The technology is compatible with Windows and Linux operating systems.

  • Callback evasion

    This post-tampering technology can detect when the security agent callback functions have been maliciously removed or disabled. New threats or unintentional human error could be engineered to potentially allow unauthorized access to the kernel, leading to compromised product integrity. The technology is compatible with Windows operating systems.

You can enable or disable the feature and configure different actions in the policy under the Antimalware > Anti-Tampering section.

To view more information about detection events you can generate a Security Audit or Blocked Applications report or use portlets. Additionally, you can be notified whenever the security agent callbacks are maliciously removed or disabled, or vulnerable drivers are detected on endpoints by using the new Anti-Tampering event notification.

Control Center

  • Customer type companies without a monthly subscription will now have an improved experience when accessing the Control Center landing page. The page will feature user-friendly content that simplifies basic tasks and provides access to the latest news from Bitdefender.



  • You can now submit quarantined files to Bitdefender Labs directly from Quarantine. The new option Submit to Bitdefender Labs enables you to submit previously retrieved files for an in-depth analysis that can rule out possible false positive detections. You will receive the analysis results on the email address provided when submitting the file.

  • You can now remotely retrieve and download quarantined files from endpoints with Linux operating systems.


  • GravityZone email notifications now have a fresh design, revised email subjects and notification titles. Additionally, some notifications in GravityZone Control Center have been renamed. You can find more information in Changes to GravityZone email notifications.

  • The New incident notification has been improved: all configuration options have been merged into one. Existing users with any of the three settings activated prior to the update now have the New incident notification enabled by default.


  • The Actions button from Configuration Profiles > Exclusions has been removed.

  • The Export Selection and Delete options, previously located under Configuration Profiles > Exclusions > Actions, have been added to the interface for better accessibility and ease of use.

Cloud Security

  • GravityZone user account permissions now apply to existing roles from the Cloud Security console. Depending on the user rights assigned to your GravityZone account, you will have access only to specific features, actions or sections of the Cloud Security console.


The Response tab is now also available for EDR incidents.

  • On demand endpoint actions executed from an incident graph are now displayed in the response grid of that incident.

  • The status of tasks resulting from EDR response actions is now changed to Failed after being unresponsive for two days.

  • The Remediation button and the associated section have been removed from the Endpoint Incidents tab and are now available in the new EDR Response tab.

  • You can now manually mark endpoint response actions as done or dismissed from the Response grid.


The requirements for Partners, and the procedure for licensing, provisioning, and activating the Bitdefender MDR Service for companies using monthly licenses have changed. To facilitate these changes, there have also been some changes made in the GravityZone console.

  • The Contact Details section under the My company page is now called Contact details for GravityZone.

  • A new section is now available under the My company page: Contact details for Bitdefender MDR. This section contains mandatory information required to onboard a partner Company that is new to the MDR console. When saving the information, validation is required, and can be done by sending a code to the email address assigned to the contact.

    The information in this section is mandatory for Partner companies that haven't enabled the MDR service and haven't initiated onboarding prior to this release. Until the information is filled in, they will not be able to enable the MDR service for their client companies' own use.

    Once the information has been saved, an Emergency Contact is automatically created in the Bitdefender MDR console. You cannot change this information at a later date from GravityZone.

  • The requirements for activating the MDR service for reselling for client Partner companies are:

    • The company must have the The company's Partner can assist with the security management setting enabled.

  • The requirements for the onboarding process to begin for a Partner company are:

    • The company must have the Managed Detection and Response Foundations service enabled for resell.

    • All the information under the direct Partner's Contact details for Bitdefender MDR section is filled in with valid data.

    Once all requirements are met, an automatic activation email is sent to the contact listed under Contact details for Bitdefender MDR.

  • The requirements for activating the MDR service for the own use of client Customer companies are:

    • The Client company's direct partner has the Bitdefender MDR service enabled for reselling.

    • Both the Partner and the Client companies must have the The company's Partner can assist with the security management setting enabled.

    • At least one of these requirements must be met:

      • All the information under the direct Partner's Contact details for Bitdefender MDR section is filled in with valid data.

      • The Bitdefender MDR service has already been enabled and the onboarding process started prior to this release.

Public API

  • Accounts API

    • The phoneNumber parameter is now available for the createAccount and updateAccount methods.

  • Companies API

    • The mdrContactInformation attribute is now returned by the getCompanyDetails method.

    • The mdrContactInformation parameter is now available for the updateCompanyDetails method.

  • General API

    • A new method is available: generateEmailVerificationCode. This will allow you to send an email verification code to the email address specified in the MDR contact person section.

  • Incidents API

    • Version 1.1 is now available for the updateIncidentNote method.

  • Network API

    • The getTaskStatus method now also includes information for each endpoint the task ran on. The information is organized into subtasks.


      These changes only apply to version 1.1 of the method.

Resolved issues


  • In some cases, restoring the Docker host resulted in container duplication and the container inventory failing to load in the Network page.

GravityZone platform

  • Security fixes.

Known issues


  • GravityZone users from companies using Business Security Premium license are not receiving New incident notifications.

March 2024 (Version 6.49.0-1)

Early Access

YARA detection rules

  • YARA rules are now available on macOS endpoints starting with the following BEST version:

New features

MSP Product Trials

  • MSP Product Trials enables partners to enroll client companies in trials, allowing them to test out features, add-ons, and services that are not included in their subscription. The feature is being released in stages, in a controlled availability manner.


Threats Xplorer

  • You can now filter detection events based on endpoint tags. Using automatic or custom tags helps you view events from specific endpoint groups and efficiently analyze and correlate detections.

Executive Summary

The Incidents status widget was renamed to Incidents breakdown by action taken. For a more granular view, the widget categories are now available as:

  • Reported: includes Endpoint and Organization incidents on which no action was taken and which require further investigation.

  • Partially blocked: includes Organization incidents in which the automatic actions defined in the policies have been taken only on some entities.

  • Blocked: includes Endpoint incidents that were detected and blocked by GravityZone prevention modules.

Help & Support

The Help & Support page has a new design that is easier to navigate. Topics are displayed on cards organized in two tabs:

  • Basics - covers GravityZone general use, technical assistance, legal aspects, and more.

  • Advanced Configuration - provides information on specific GravityZone features.

As with the previous Help & Support page, the content depends on the company type and the license you are using.

Public API

  • Packages API

    • A new method is now available: updatePackage. You can use it to update installation packages.

  • Companies API

    • The getCompanyDetails method now returns the ParentCompanyId attribute.

  • API Event Push Service

    • Events sent through the Event Push Service API that fail to deliver are now saved in a buffer, which can hold up to 1000 messages. Once the counter exceeds 1000 messages, Event Push Service will automatically stop sending events, and it will reset the serviceSettings.status field used in the getPushEventsSettings method to 0.

    • The getPushEventStats method now returns the max attribute, which is an object that contains the messageQueueBytes and messageQueueLength attributes.

User Activity

  • Entries related to creating or editing a policy now include the list of changed settings in the Details area. The settings are grouped by sections.


The Sensors Management feature now provides integration with two new sensors:

  • CSPM+. This new sensor collects telemetry about cloud platforms security posture from Cloud Security to enrich GravityZone XDR incidents and risk information.

  • Security for Mobile. This new sensor processes mobile device events collected from GravityZone Security for Mobile.

  • The Associated risks widget is now available in the Overview tab of the Incidents view window. The widget provides a graph detailing a breakdown of all known risks per entity type and links to related entities.


Custom rules

Custom detection rules and Custom exclusion rules features will only work if your endpoints have the following version of BEST or newer, as announced in GravityZone banner in January:

  • (Windows)

  • (Linux)

  • (macOS)

Resolved issues

Security for AWS

  • The Amazon EC2 integration experienced synchronization issues, which resulted in previously removed secured instances being displayed in the Network Inventory.

Network protection

  • Some users experienced an issue where exclusions were still being applied, even when the Use Exclusions option was disabled in the Web access control settings section.

Power User

  • The Network section and the Policy Compliance report did not reflect changes made by Power User to the policy.

GravityZone platform

  • Security fixes.

February 2024 (Version 6.48.0-1)

Early Access

Health Dashboard

  • The export functionality is now available in Health Dashboard. You can use this new option to access and manage the centralized data outside GravityZone Control Center, according to your needs. All events are exported in the widely available CSV format, making it easier to import into other software programs tailored for your business.

  • A new entry is now available in the Endpoint patch management widget. Patches available, not installed provides you with the number of endpoints in your network that have patches available but for which no patch installation task was initiated.

New features

Security Telemetry

  • You can now enable sending telemetry data from your BEST protected endpoints to integrated platforms in syslog format. The option can be accessed by editing a policy, going to General > Security Telemetry and selecting Syslog (JSON) from the SIEM solution field under the SIEM Connection Settings section.

XDR demo incident

  • A new demo function is now available on the Incidents page. This feature simulates a scenario from multiple sensors and showcases the capabilities of the XDR feature.

    You can access this new capability from the Show demo incident button, on the upper right side of the Incidents page.

GravityZone platform

  • A new GravityZone Cloud instance hosted in Singapore is now available.


Security for AWS

Security for AWS now includes the following improvements:

  • Licensing compatibility extends to all GravityZone standard products with the exception of Free Risk Assessment Tool and GravityZone EDR Cloud.

  • It supports multiple Amazon EC2 inventories per company.

  • Users can now set names for Amazon EC2 integrations.

  • The Amazon EC2 integration aligns on the same level with Computers and Groups in Network Inventory.

  • The Integration tags tab now also displays AWS tags. They are available in the Information window of Amazon EC2 instances. You can use tags in Policies > Assignment Rules.

  • The Tasks Details panel now includes information about the Amazon EC2 integration name.

  • The new Amazon EC2 subscription type has changed notification informs you whenever your subscription type changes from Marketplace to Partner.

  • The User Activity page has been updated.

  • Amazon EC2 Subscription Status report is now available for any company using or managing Amazon EC2 integrations.

  • Partners can now suspend or reactivate integrations directly from the Amazon EC2 Subscription Status report.

  • The Amazon EC2 Monthly Usage report now contains two new columns: Integration Name and AWS Account ID.

  • The Integrations page now includes multiple new columns: Name, Status, Subscription type and Subscription status.


  • You can now submit quarantined files to Sandbox Analyzer directly from Quarantine. The new option Submit to Sandbox Analyzer enables you to submit previously retrieved files for an in-depth behavioral analysis.

  • Filtering quarantined files based on the technology that performed the detection is now available. The new Detecting technology filter and column helps you view manually quarantined files and files detected by multiple Antimalware and Integrity Monitoring technologies.

  • You can now remotely retrieve and download quarantined files from endpoints with macOS operating systems.

Public API

  • A new version (1.1) is now available for the following APIs and methods, providing various quality of life improvements:

    Version 1.0 for these methods is still available for use.

    Existing methods remain unchanged and the same parameters and attributes apply.

    • Network API

      • getEndpointsList

      • getNetworkInventoryItems

      • createReconfigureClientTask

      • getTaskStatus

    • Incidents API

      • createIsolateEndpointTask

      • createRestoreEndpointFromIsolationTask

    • Quarantine API

      • createAddFileToQuarantineTask

      • createRestoreQuarantineExchangeItemTask

      • createRestoreQuarantineItemTask

      • createEmptyQuarantineTask

      • createRemoveQuarantineItemTask


    To switch to using version 1.1, you will have to change the API URL.

  • The following changes have been performed for the Integrations API as a result of the changes done to AWS integrations:

    • The configureAmazonEC2Integration method is no longer available.

    • The integrationName parameter is now available for the configureAmazonEC2IntegrationUsingCrossAccountRole method.

    • The procedure and requirements for generating external IDs have changed, impacting requests using the generateAmazonEC2ExternalIdForCrossAccountRole method, and the information returned by the getAmazonEC2ExternalIdForCrossAccountRole and configureAmazonEC2IntegrationUsingCrossAccountRole methods.

    • The integrationName parameter is now available for the disableAmazonEC2Integration method.

  • The licensedServices parameter is now also returned by the getLicenseInfo method for companies using yearly licenses.

  • The possible values of the maxResults parameter have changed for the findCompaniesByName method.


  • A new option is available when creating a Monthly License Usage report: Only new customer companies. Enabling this option allows you to display monthly usage reports only for companies created between two specific dates.

Advanced Anti-Exploit

  • Added Google Chrome to the Predefined Windows Applications list that you can find in the Antimalware > Advanced Anti-Exploit policy settings. Now you have the flexibility to customize browser protection based on your preferences.

Control Center

  • Customers with CSPM+ licenses will now have an improved experience when accessing the Control Center landing page. The page will feature user-friendly content that simplifies basic tasks and provides access to the latest news from Bitdefender.

Product Trials

  • Companies using GravityZone Small Business Security can now enroll in Product Trials and explore new features and products.


  • The settings in the Risk Management section have been changed: scheduled scans can now be set to run only daily or weekly.


The Node Details panel was improved and now includes:

  • MAC information for the following nodes:

    • Endpoint

    • Server

    • IP

    If Endpoint or Server nodes have multiple IPs, the MAC information may contain multiple values.

  • One or multiple IP addresses for the following nodes:

    • Domain nodes

    • Endpoint

    • Server

  • One or multiple domain names for the IP node.

The Advanced search panel now includes a new field: network.domain_name. You can use this field in your search query.

Removed features


  • The Update Linux EDR modules using product update option has been removed from the General > Update page in the policy settings.

Resolved issues

Threats Xplorer

  • Fixed an issue that caused inconsistencies between detection events reported in Threats Xplorer and information displayed in HyperDetect Activity report.


  • Sometimes, endpoints under Active Directory integrations could not be used as network scanners for on-demand tasks.


  • Fixed an issue that was affecting the EC2 Monthly Usage report. Data was being returned for the month previous to the one requested in the report.


  • Fixed an issue where disabling EDR for own use on a partner company would incorrectly disable the Live Search feature for all their customers.


  • Scanned streams summary in the Scan Logs tab of endpoint details had some information duplicated.

GravityZone platform

  • Security fixes.

Known issues

GravityZone platform

  • Remotely submitting logs using the Troubleshooting tab to Bitdefender Cloud fails for endpoints that communicate with the GravityZone console using a Relay. This issue affects only the new GravityZone Cloud instance introduced with this release.

  • Setting up a Security Server requires you to manually configure the communication server address using the option GZ Cloud Custom Address. This issue affects only the new GravityZone Cloud instance introduced with this release.

January 2024 (Version 6.47.0-1)

Early Access

Health Dashboard

  • The feedback form is now enriched with more details to streamline the way you share your thoughts with us. Your insights, suggestions, and experiences with Health Dashboard play an important role in helping us enhance and refine the feature.

GravityZone Cloud Security

  • The Asset Inventory page is now available in the GravityZone Cloud Security console.

    You can use the feature to access an overview of your inventory list across your cloud resources, different cloud providers and accounts that you have onboarded.

    The page consists of two sections:

    • Resources - provides an overview of all existing resources detected across all your integrated cloud accounts.

    • Identities - provides an overview of different identity types.

  • API Integration is now available for GravityZone Cloud Security. You can set up the new feature from the Integrations page in the GravityZone Cloud Security console.

  • A new remediation option is now available for supported findings detected on AWS cloud resources. This is available in the Posture Management > Rules page: One-click Remediate. The option is represented by a new icon in the rules table.

    To allow GravityZone Cloud Security to make changes to your selected AWS cloud account, an additional setup is required for this capability.



GravityZone introduces a new capability that enables you to remotely download quarantined files directly from Quarantine. The new functionality is available in Quarantine > Computers and Virtual Machines.

To get the file of interest, you need to first retrieve it from the endpoint using the new Retrieve button. Once the file is retrieved, you can proceed to download it as a password-protected archive using the Download option.

  • The new functionality is available for all license and company types and for endpoints with Windows operating systems.

  • You require Manage Networks and Manage Company rights to use the feature.

  • Child companies can allow their direct partner to retrieve and download files by enabling the option Your Bitdefender partner can download your quarantined files from the My company section. The Partner download permission changed notification is sent whenever this option is enabled or disabled.

  • The retrieved file is available for download within 24 hours, after which it is automatically deleted and requires a new retrieve action.

  • The File size column was added to provide details about the size of the quarantined files.

Assignment rules

  • New descriptions are available for locations and exclusions when defining negative conditions for location rules.

GravityZone platform

  • Bitdefender enforces in GravityZone the use of the HTTPS protocol for Bitdefender Endpoint Security Tools updates to enhance security. For more information, refer to this article.

  • New values are now available for the Field of activity option when creating or editing a company.

Resolved issues

Threats Xplorer

  • The detections calendar failed to display weekdays in the proper order after changing the language from the My account section.

Health Dashboard

  • Fixed an issue that caused inconsistencies in the count of unmanaged endpoints between Health Dashboard and the Network Protection Status report.


  • Fixed an issue that caused inconsistencies between the number of open incidents shown in the EDR - Incidents Status portlet and the Incidents view.


  • In some cases, expired Reconfigure agent tasks ran on endpoints after they came back online.


  • In some cases, users were unable to view scan logs from the Network inventory > Endpoint details > Scan Logs tab.

Risk Management

  • Fixed an issue causing incorrect search results to be returned in the name filter in the Risk Management > Security Risks > Misconfigurations page.

December 2023 (Version 6.46.0-1)

Early Access

Health Dashboard

  • Security Server status is now enriched with new information and a structure that improves readability. The widget includes the total number of Security Servers in your company and a new category for underloaded Security Servers.

    The new structure emphasizes three main categories: Total, Underloaded, Overloaded.

  • Endpoint update status is now available as two separate widgets to enhance flexibility and ease of use:

    • Product update status

    • Security content update status

  • The Endpoint patch management widget now includes the total number of endpoints that have the Patch Management module installed.


Sandbox Analyzer

The Sandbox Analyzer page now displays more specific messages for failed detonations.

Product Trials

You can now access even more products through the Product Trials feature:

  • Advanced Threat Intelligence

  • Managed Detection & Response

  • Cloud Security Posture Management

  • XDR


  • The name of the sensor is now displayed in the title setup window during integration.


For a better visualization, you can now expand the following panels further:

  • Node details panel

  • Alert details panel opened from a node

  • Alert details panel opened from the Alerts/Events section


There is now consistent behavior between the delete button and the drag-and-drop action within the deleted folder.

Any endpoint that is moved to the deletion folder, either through the delete button or drag-and-drop, will be uninstalled immediately via the uninstall task or later when it reconnects online and communicates. For more details, visit the Deleting endpoints page.

Resolved issues


The sorting settings in Network did not accurately reflect the specified sorting settings for the Last Seen filter.

GravityZone platform

  • Security fixes.

December 2023 (Version 6.45.0-1)


GravityZone platform

  • Implemented internal optimizations for enhanced performance and stability of GravityZone.

November 2023 (Version 6.45.0-1)

Early Access

GravityZone Cloud Security

  • Early Access enrollment is now available for GravityZone Cloud Security.

  • With this feature, you can quickly onboard your cloud inventory, identify risky misconfigurations, and report on your adherence to renowned compliance frameworks.

Health Dashboard

  • You can now enroll your company in the Early Access program and use Health Dashboard regardless of the number of seats covered by your license.

  • You can now access and use Health Dashboard without any restrictions based on the network groups assigned to your account. You need to have visibility over at least one endpoint in your company.

New features

Unified Incidents

The Incidents page is improved with multiple new features including a new grid that unifies the Extended Incidents, Endpoint Incidents, and Detected Threats tabs. It offers an improved overall user experience and the possibility to create customized views based on your needs.

This feature correlates host-based EDR incidents with broader attacks detected by XDR, bringing both types of incidents in one place: the Incidents grid.

The new unified grid combines Endpoint and Company incidents in a single view, correlating EDR and XDR child incidents under a parent incident that contains the complete description of an attack. Correlated incidents are displayed in their own column in the grid, in line with the parent incident. They are not listed as separate entries in the grid.

The release comes with a more flexible and improved Smart View, along with new filters and options that allow you to create customized views based on your needs.


Unified Incidents

  • Incidents generated by the EDR or Prevention Modules now display the name of the endpoint in the Entities column.

  • You can now click on the number of alerts in the Incident details panel to display the Alerts tab.

  • The new Smart views filtering feature allows you to customize the information that is displayed by the feature, including switching between Organizational and Endpoint incidents Smart views.

  • You can now use the Change Status button from the top of the Incidents grid to change the status of multiple incidents.

  • You can now perform bulk actions on all incident types.

  • New columns and filters are available in the Incidents page:

    • Entities: it indicates the number and types of incidents involved in an event.

    • Resources: it allows users to see and filter for resources involved in Organization incidents.


  • You can now suspend a user account from an integrated Google Workspace tenant.

  • You can now delete an email resource from a Google Workspace tenant user mailbox.

  • The Sensor Setup page now displays what license each type of sensor requires.

  • Changed the requirements for Azure AD sensor integration: You now require User Administrator and Global Administrator roles for your O365 application.

  • You can now save up to 50 queries in the Advanced search panel.

Patch Management for Mac

GravityZone extends support for Patch Management to macOS endpoints. Using the same settings in Control Center as for Windows and Linux, you can now keep macOS applications and the operating system up to date in a simple, efficient and unified manner.

Some highlights:

  • GravityZone sections such as Dashboard, Installation Packages, Network, Tasks, Patch Inventory, Maintenance Windows, and User Activity have been updated to support Patch Management for Mac.

  • When configuring a maintenance window, macOS applications are displayed separately from the Windows and Linux versions in the Vendors and Products section.

  • Reports such as Network Patch Status and Network Protection Status and notifications such as Missing patch issue now include information related to Patch Management on macOS endpoints.

  • Patch Management for Mac is available with existing GravityZone keys and it is licensed per managed endpoint, the same as for Windows and Linux.

  • This feature is available for macOS Big Sur (11.0) and later and requires Full Disk Access for the Bitdefender agent on endpoints.

To use Patch Management on macOS endpoints, you must reconfigure the security agent installed on them.


GravityZone applies operating system patches only for minor versions, for example from version 13.5 (Ventura) to 13.6 (Ventura), but not from 13.9 (Ventura) to 14.0 (Sonoma).

Executive Summary

The Executive Summary report now includes the custom logo image that you have selected for your company. For the default company settings, the report reflects the general Bitdefender GravityZone logo.

Exchange Protection

  • There are now two methods of restoring emails from Quarantine:

    • Release as attachment: the email is sent using a notification email as an attachment to a custom list of mailboxes. Files attached to the original email are not included.


      This is the option previously called Restore.

    • Release to intended recipient: releases the email to reach its intended recipient's mailbox, along with all attached files.

  • The following secondary actions are now available when configuring Content filtering rules in GravityZone policies:

    • Notify recipients: Send a notification to the intended recipients when an action is taken on an email. Emails are only sent to mailboxes that belong to a domain accepted by the company email server.

    • Notify the sender: Send a notification to the sender when an action is taken on an email. Emails are only sent to mailboxes that belong to a domain accepted by the company email server.

    • Notify users: Send notifications to the specified mailboxes when an action is taken on an email.


Firewall is now available for Windows Servers. This update focuses on simplifying rule management, ensuring essential network traffic, and providing more flexibility.

  • Users can now edit and delete all existing predefined rules in the policy.

  • The Firewall can be enabled on the Windows Server operating systems by performing the Reconfigure Task. The activation of the Firewall module is not automatic, even if Firewall is enabled in the policy.

  • Before enabling the module on their systems, it is important for users to assess and design their Firewall rules for servers. This is necessary to avoid potential service disruptions caused by the configuration of the ruleset, which may block traffic.

  • The Firewall icon from Installation Packages was updated, and now includes both Windows servers and workstations.

  • To find the supported Windows Server operating systems, refer to this KB article.


All on-demand scan tasks now include the setting Preserve last access time. Using this new option you can control whether to preserve the last access time for a file during a scan or to allow the scanning process to modify the timestamp of that file. The option is available in the Options tab of each type of scan task, under Settings > Miscellaneous, and is enabled by default.

Network protection

  • Multiple schedules are now available in Configuration Profiles > Web Access Control Scheduler. This allows users to have more flexibility in setting up different time windows for Web Access Control. The Web rules list found in Content Control > Web Access Control Settings > Web Categories Filter has been moved under Policies > Configuration Profiles > Web Access Control Scheduler > Category Scheduler.

    Users can now create new schedules with multiple time window settings and assign categories to each schedule. The categories will be removed from the policy and the new schedule will be mapped to a policy.

  • You can now exclude from scanning any financial domains from Network Protection > General > Network Protection > Intercept Encrypted Traffic > Exclude financial domains.


In the Endpoint details page, the Content Control module now consists of three separate modules: Content Control, Web Traffic Scan, and Antiphishing.

Public API

  • Network API

    • A new method is now available: getTaskStatus. You can use it to retrieve information about the status of a given task.

  • Accounts API

    • The manageInventory, managePoliciesRead, and managePoliciesWrite attributes are now available for the rights parameter. The attributes are available for requests made using the createAccount and updateAccount methods and are returned by requests made with the getAccountsList method.

  • Maintenance Windows API

    • The os attribute is now available under vendorProductsPairs for the specificVendorAndProduct parameter. You can use it to specify the operating system the vendor-products pair is compatible with.

      The attribute is available for requests made using the createPatchManagementMaintenanceWindow and updatePatchManagementMaintenanceWindow methods and is returned by requests made with the getMaintenanceWindowDetails method.

  • Quarantine API

    • A new method is now available: createReleaseQuarantineExchangeItemTask. You can use it to release items from the quarantine to their intended recipients.


  • Password reset links now expire after 24 hours. If the time has passed, you have to repeat the password reset request.

  • The Manage Networks right for GravityZone user accounts has been replaced by the following options:

    • Manage Networks. Create and download installation packages; install security agents; manage tasks and quarantined files. You can choose between two levels of customization:

      • View and Analyze Data

      • Advanced Investigation

    • Manage Endpoint Settings. View or manage policies, configuration profiles, assignment rules and any other endpoint setting from other GravityZone areas. You can choose between two levels of customization:

      • Read only

      • Read and Write

Resolved issues

Health Dashboard

In some cases, the Endpoint issues widget classified and displayed macOS endpoints without major issues as critical.

Installation Packages

In some cases, installation packages created by a partner included all Security Servers from their managed companies.

GravityZone platform

  • Fixed an issue causing Email Security monthly usage to be registered for suspended companies.

  • Security fixes.

November 2023 (Version 6.44.1-1)


GravityZone platform

  • Implemented internal optimizations for enhanced performance and stability of GravityZone.

October 2023 (Version 6.44.1-1)

Early Access

Health Dashboard

Health Dashboard is a brand-new feature designed to provide a comprehensive overview of endpoint issues and status within your network. Different widgets offer important insights into the health and performance of endpoints and highlight critical concerns that require your attention.

You can monitor your network's health with the intuitive visuals and customizable features that Health Dashboard provides in this unified view. Using endpoint tags and company filters enables you to focus on data that is most relevant to your organization. You can add, remove, resize, or move widgets according to your needs and create smart views to ensure that essential information is readily available in a single view.

Health Dashboard includes details about:

  • Managed, active, unmanaged, or offline endpoints

  • Endpoint types in your network inventory

  • Endpoints update status

  • Endpoints issues

  • Endpoints policy status

  • Modules coverage on your endpoints

  • Licensing information for your company

  • Endpoints encryption status

  • Patch status on your endpoints

  • Permission issues present on macOS endpoints

  • Security Server status

Unified Incidents

You can now copy the incident link directly from the Incidents grid by hovering over a grid entry or selecting one, and clicking the Copy to clipboard button. You can copy the links of the correlated incidents from the Incident info panel.


Product Trials

  • The Product Trials feature is now available for all companies that own one of these yearly licenses:

    • GravityZone Business Security

    • GravityZone Advanced Business Security

    • GravityZone Business Security Premium

    • GravityZone Business Security Enterprise

    • GravityZone Security for Workstations

    • GravityZone Security for Servers

  • You can now access even more products through the Product Trials feature:


  • Bitdefender is launching three new MDR products:

    • MDR Foundations

    • MDR Enterprise

    • MDR Premium

  • The Response flavor is no longer available for the Managed Detection and Response service. The remaining flavor, Foundations, is now the default option. As a result, the service is now called Managed Detection and Response Foundations.


    This change only affects companies with monthly subscription licenses.

Container Protection

You can now delete containers from the GravityZone inventory if their host has been offline for more than 24 hours.

Resolved issues

Public API

The following parameters are now returned by API events of the Antimalware type: cleaned, blocked, deleted, quarantined, ignored, and present. The parameters record how many detections originated from the same file or process in the course of a minute.

September 2023 (Version 6.43.1-2)


GravityZone platform

  • Applied new technology optimizations to improve platform performance.

September 2023 (Version 6.43.1-1)


GravityZone platform

  • Implemented internal optimizations for enhanced performance and stability of GravityZone.

September 2023 (Version 6.43.0-1)

Early Access

YARA detection rules

YARA rules are queries you can use to scan endpoints for patterns of malicious behavior. Use the YARA detection rules feature to generate custom alerts and security incidents based on the results of these scans.

This feature is available for Windows and Linux endpoints with the following BEST versions:

  • Windows: or newer

  • Linux: or newer

To create YARA rules, go to Incidents > Custom detection rules, click the Add rule button, and then click YARA. Follow the on-screen instructions.

After you create a YARA detection rule, you cannot convert it into another type of detection rule.

From the Custom detection rules grid, you can enable or disable YARA detection rules, or start on-demand scans by clicking the vertical ellipsis button and then selecting the Scan option.

Clicking a YARA detection rule from the Custom detection rules grid brings up the YARA details panel. From this panel, you can switch to the Search and Incidents sections to view the alerts and incidents generated by the rule.

Unified Incidents

The Parameter filter is now available in the Incidents section. It contains a series of criteria you can use to further filter your grid results and create highly customized smart views.



The Incidents > Custom Rules section has been divided into two sections: Custom detection rules and Custom exclusion rules.

  • The grids and rule configuration pages have a new design.

  • Rule settings now include targets. You can now decide whether to apply the rule to the entire company or to specific groups by endpoint tags.

  • Clicking a grid entry brings up the details panel of the rule. It contains information about the rule, options for navigating rules and for editing the current rule. For custom detection rules, you can use the View alerts and View incidents buttons to switch to the Search and Incidents sections.

  • In the Incidents > Search section, you can now look up both custom detection rules and custom exclusion rules by using the other.rule_id field in your search query. You can still use the other.exclusion_id field to identify existing alerts for the next 90 days, after which the field will be deprecated.

  • The Custom detection rules and the Custom exclusion rules sections are now available to Partners even if they do not have an active EDR license on their account.

  • Partners can now control rules for their managed companies and can use the Company filter in the grid to view the rules created for each company. Customers can also view the rules Partners have applied on their company.

  • When switching to a new Partner, all custom rules created by the former Partner are disabled. The new Partner will not be able to view the rules applied by the former Partner.

GravityZone platform

  • Companies switching from a trial license to a monthly subscription will automatically have the Email redaction setting disabled.

  • New BEST for Linux installation packages are now available for systems with ARM architecture (AArch64).

  • Minor UI changes to the Add company and Edit company windows, including a different order for the Add-ons displayed in the Licensing tab.

Public API

New limits are in place on the number of API requests allowed per second. For more information, refer to this KB article.

Resolved issues

Threats Xplorer

In certain instances, when navigating from an Executive Summary widget to Threats Xplorer, the corresponding data did not load successfully.


  • Fixed an issue that was affecting the Endpoint Encryption Status report, where endpoints were missing even if they had the encryption module installed and active.

  • Fixed an issue that was preventing the On-demand Scanning report from correctly opening scan logs.


On the Notification Settings page, a single icon for sending options was visible, despite all options being enabled. The issue occurred when the browser window was horizontally resized to a smaller scale.

GravityZone platform

Fixed an issue preventing virtual endpoints from NSX environments from taking up a license seat. The issue occurred for companies with a GravityZone Security for Virtual Env per CPU license.

August 2023 (Version 6.42.0-1)

Early Access

Product Trials

You can now access even more products through the Product Trials feature:

New features

Process Introspection

Process Introspection encompasses various types of attacks such as exploits, injections, and evasion. The feature performs an in-depth analysis of the process state when a child process is created, examining potential indicators of compromise. The analysis offers an overview of detected parent processes and the child processes they have spawned. You can find the feature in the policy, under Advanced Anti-Exploit > System Wide Detections.

Protection models for Monthly Subscription

A new level of customization is now available for the Endpoint Security product: Protection models. Monthly subscription users can now select between multiple versions of the product, customized to meet specific security needs:

  • A la carte

  • Secure

  • Secure Plus

  • Secure Extra

Existing subscriptions are considered equivalent to A la carte protection models. The functionality, features, and products included in the subscription will remain the same.

Small Business Security

Bitdefender is launching a new product: Bitdefender Small Business Security. This product is available for online purchase only on the Bitdefender website.


GravityZone platform

  • The Help & Support page has been redesigned and restructured. The page now provides an improved overall user experience.

  • Companies using the Bitdefender MDR service can no longer disable the Your Bitdefender partner can assist you with security management setting.

  • Partners can no longer disable the The company's Partner can assist with the security management setting for managed companies that use the Bitdefender MDR service.

  • You can only enable the Bitdefender MDR service for companies (either for own use, or resell) that have the Your Bitdefender partner can assist you with security management setting enabled.


  • The Remote Shell feature now supports file upload and download options on Linux endpoints, starting with BEST version

  • New Resource types have been added to the XDR Incidents feature.

  • The Reader role is required for the XDR sensor integration with Azure Cloud. For more information on how to adjust your sensor configuration, refer to Azure Cloud sensor prerequisites.

Configuration Profiles

A new exclusion type is now available in Configuration Profiles. You can use the new option Command line with regex to efficiently define exclusions using regular expressions. By leveraging the power of regular expressions, intricate exclusion patterns can be easily constructed, providing greater control and customization.

Public API

  • API keys are visible only at the time of creation. This now also includes the ones created prior to March 2023. Make sure you save all API keys in a safe location and do not share them with anyone.

  • Licensing API

    • The getMonthlyUsage and getMonthlyUsagePerProductType methods now return the aLaCarteMonthlyUsage, mspSecureMonthlyUsage, mspSecurePlusMonthlyUsage, and mspSecureExtraMonthlyUsage attributes.

    • The getLicenseInfo method now returns the assignedProtectionModel and additionalProtectionModels attributes.

    • The getLicenseInfo and getNetworkInventoryItems methods now return the manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings under the ownuse attribute.

    • The getLicenseInfo and getNetworkInventoryItems methods now return the manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings under the resell attribute.

    • The assignedProtectionModel and additionalProtectionModels parameters are now available for the setMonthlySubscription method.

  • Network API

    • The getNetworkInventoryItems method now returns the assignedProtectionModel and additionalProtectionModels attributes under the 1 (company) item type.

    • The getNetworkInventoryItems method now returns the manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings under the ownuse attribute.

    • The getNetworkInventoryItems method now returns the manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings under the resell attribute.

    • The options parameter is now available for the getManagedEndpointDetails method, along with the includeScanLogs option.

    • The includeScanLogs option is now available for the options parameter for the getEndpointsList method.

    • The includeScanLogs option is now available for the options parameter for the getManagedEndpointDetails method.

    • The includeScanLogs setting is now available for the endpoints option under the options parameter for the getNetworkInventoryItems method.

  • Companies API

    • The assignedProtectionModel and additionalProtectionModels parameters are now available for the createCompany method.

    • The email attribute is now mandatory when including the contactPerson parameter in createCompany and updateCompanyDetails methods requests.

    • If any field under the contactPerson attribute is populated, all fields under the attribute will be returned by the getCompanyDetails method (fullName, email, phoneNumber, companyRole), regardless of whether they have a value assigned or not.

    • The manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings are now available under the ownuse parameter for the createCompany and setMonthlySubscription methods.

    • The manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings are now available under the resell parameter for the createCompany and setMonthlySubscription methods.


The Endpoint Risk Analytics feature now has set limits for the number of vulnerabilities it displays: top 100 vulnerabilities per application, and top 500 vulnerabilities per endpoint. The vulnerabilities are ranked by severity. After resolving existing vulnerabilities, you can run a Risk Scan task to discover and display more.

Network Protection

  • The toggle used for reverting to the previous version of the Installation Packages was removed.

  • The Reconfigure client task has undergone a redesign and has a new name: Reconfigure agent. It allows for the customization of settings that were initially configured during the installation of the endpoint protection solution.

    A new Show all modules option has been added to the Remove menu and allows Admins/Partners to view all modules, regardless of license restrictions. The new option enables them to remove modules that were previously installed but are no longer usable/visible due to license changes or downgrades. This only applies to the Remove option in Reconfigure agent task.

    The Scan mode option in Match list becomes available only when the selected endpoints belong to the same company and the Detection and prevention operation mode is chosen. If endpoints from different companies are selected, the Scan Mode section will not be visible.


You can now filter companies by License Type in MDR Service Status reports.

Resolved issues


Fixed an issue that was causing the notifications for Sensor integration status to have misaligned text in the body of the email.

GravityZone platform

  • Deleted virtual machines no longer appear as licensed.

  • Resolved an issue causing the license usage of a company to remain the same after an endpoint had been moved to another company.

Public API

Users that do not have the Manage Companies right enabled now properly receive an error when attempting to use any method included in Accounts API.

June 2023 (Version 6.41.0-1)



  • GravityZone eXtended Detection and Response now supports events from Google Cloud Platform through a new sensor integration. The new sensor collects and processes audit information related to Google Cloud resources. The sensor can be configured through the Sensors Management.

  • A new notification type has been implemented: Sensor integration status. This notification informs you when the status of a sensor integration changes.

Public API

  • Licensing API

    • The manageContainerProtection and manageContainerProtectionResell settings have been added to the ownUse and resell parameters for the setMonthlySubscription method.

  • Company API

    • The manageContainerProtection and manageContainerProtectionResell settings have been added to the ownUse and resell parameters for the createCompany method.

  • Network API

    • The getNetworkInventoryItems method now returns the manageContainerProtection option under the ownUse object and the manageContainerProtectionResell option under the resell object.

  • Packages API

    • You can now use the userControl, antiphishing, and trafficScan settings instead of contentControl under the modules parameter when using the createPackage method. This modification mirrors the changes done to the GravityZone installation packages.

    • The getPackageDetails method now returns the userControl, antiphishing, and trafficScan parameters.


The default interval after which notifications are automatically deleted is now 7 days. This change applies to both existing and newly created accounts. To customize the interval according to your needs, refer to Configuring notification settings.


Starting with this update, users who have not logged in to the GravityZone console at least once will no longer receive the majority of notifications. This applies to both existing and newly created accounts.


The Automatic Network Discovery option can now be enabled in the policy under Relay > Communication > Automatic Discovery of new endpoints.

  • Enabling the option will prompt the Relays to execute the Network Discovery task every 4 hours.

  • New customers have the option disabled by default, while the option remains enabled for any existing custom policies.


  • The Antiphishing and Traffic Scan features are now available as separate options under the Network Protection module when creating an installation package.

  • Renamed Network Protection > Web Protection > Traffic Scan to Web Traffic Scan in both GravityZone new and existing packages.


  • On the Tasks page, the new default value for the Company filter is All recursively, while for Start period it is Last 7 days.

Resolved issues


Fixed an issue that was causing the deployed Network sensors to be counted as unlicensed endpoints, even though the necessary licenses were active on the company.


Load Balancing options were not saved in the policy when configuring the Redundancy mode for the Security Server.


In some cases, attached CSV files were not correctly included in certain reports sent via email. The issue is now fixed.

Threats Xplorer

The company selector in Threats Xplorer now accurately displays all companies using the Bitdefender EDR product.

May 2023 (Version 6.40.0-1)

New features

Mobile Security

Bitdefender GravityZone Security for Mobile is a mobile security solution that protects mobile devices running Android or iOS operating systems against multiple threat vectors. It is designed to protect an employee's corporate-owned or BYOD devices from advanced persistent threats without sacrificing privacy or personal data.

GravityZone Security for Mobile provides the following:

  • Protection of corporate-owned or BYOD devices from advanced persistent threats, which includes implementing endpoint protection software, keeping software and firmware up to date, implementing network segmentation, and using multi-factor authentication.

  • Risk intelligence and forensic data necessary.

  • Detection across all four threat categories — device compromises, network attacks, phishing attempts and malicious apps.

  • Visibility for the Incident Response teams into mobile threats and risks through integrations with leading UEM, SIEM, SOAR, and XDR systems.

  • Application vetting to detect malicious apps (Android and iOS) and out-of-compliance application detection.

  • Network Protection by detecting network-borne threats, recon attempts, weak security connections, and MiTM attacks.

  • Device Protection by detecting OS vulnerabilities, vulnerable devices that cannot be updated, missing encryption, jailbreak/root, and system tampering.



You can now remotely upload and download files using the Remote Shell feature. The Upload and Download options are available after you begin a remote shell session.

  • The files are encrypted throughout the upload and download processes.

  • You can upload no more than 20 files at a time.

  • You can view and cancel file downloads by accessing the Network inventory > endpoint details > Investigation tab. You can also retrieve the downloaded files from this section.

  • If you want to be notified when the files are uploaded or downloaded, configure the New Investigation Files Activity notification type.

Network Protection

  • The Web rules action categories found in Content Control > Web Access Control Settings > Web Categories Filter have been updated with the new Warn action.

  • The new action type aims to enhance the administrator's comprehension of the report's warnings and blocks.

  • In the Security Audit Report, the Event Type column was updated to also filter events by Warned Websites, and Warned & Disregarded Websites.

GravityZone platform

  • A full installation kit is now available for BEST Windows endpoints that use ARM CPUs.

  • Search behavior in the company filter is now consistent across multiple pages such as Threats Xplorer, Quarantine, Tasks, Accounts, Installation Packages, Executive Summary, and Tags Management.

    This is the expected behavior:

    • After typing a sequence of characters, GravityZone displays all entries starting with those characters.

    • When using the asterisk (*) as wildcard, GravityZone displays all entries containing that sequence of characters.

Public API

  • Licensing API

    • The manageRemoteEnginesScanning and manageRemoteEnginesScanningResell settings have been added to the ownUse and resell parameters for the setMonthlySubscription method.

    • The manageMobileSecurity parameter is now available for the setMonthlySubscription method.

    • The getLicenseInfo method now returns the manageRemoteEnginesScanning option under the ownUse object and the manageRemoteEnginesScanningResell option under the resell object.

    • The getLicenseInfo method now returns the manageMobileSecurity setting.

    • The getMonthlyUsage and getMonthlyUsagePerProductType methods now return the mobileSecurityMonthlyUsage object.

  • Company API

    • The manageRemoteEnginesScanning and manageRemoteEnginesScanningResell settings have been added to the ownUse and resell parameters for the createCompany method.

    • The manageMobileSecurity setting has been added under the licenseSubscription for the createCompany method.

  • Network API

    • The getNetworkInventoryItems method now returns the manageRemoteEnginesScanning option under the ownUse object and the manageRemoteEnginesScanningResell option under the resell object.

    • The getNetworkInventoryItems method now returns the manageMobileSecurity object.

  • Reports API

    • A new report type is available under the type parameter for the getReportsList method: 38 - Mobile Security Monthly License Usage.

    • A new report type is available under the type parameter for the createReport method: 38 - Mobile Security Monthly License Usage.

Network Inventory

  • Unmanaged endpoints discovered more than 30 days ago will be subject to a removal process in this release.

  • Unmanaged devices can be discovered by using Relays or on-demand Network Discovery tasks.

Resolved issues


  • Failed tasks displayed the same message that they took more than 48 hours to complete, regardless of the actual reason.

GravityZone platform

  • Security fixes.

April 2023 (Version 6.39.0-1)

Early Access

Product Trials

Product Trials enable you to try out other products directly from the GravityZone console, even if you already have an active license.

Available product trials will be displayed in the Product Trials Hub page, depending on your current license. Enabling a product trial will make new features available to you for a limited period of time. The feature will be released in stages and has limited availability at the moment.

New features

Live Search

Live Search is now available for all GravityZone users that have access to EDR / XDR. With this feature you can search for real-time events and system information from the online endpoints in your network, using osquery, an SQL-compatible query system.



  • The Network > Tasks page has a new look and new options for a better user experience. Some highlights:

    • Filters and search boxes

    • Expandable and sortable columns

    • New details panel for sub-tasks.

  • Tasks in the Network page now have more intuitive and consistent names. For example, Scan has become Malware scan, Install is now Install agent, and Reconfigure client has been renamed to Reconfigure agent.

    The new names are also reflected in the Network > Tasks page, under the Task type category.

    With this update, the User Activity page displays actions on tasks under the new names. Existing records under old names remain unchanged.

    For the complete list of renamed tasks, refer to Changes to task names in GravityZone Cloud Control Center.

  • When you, as a Partner, assign a task to multiple companies in the Network page, GravityZone creates individual tasks for each company in the Network > Tasks page. In such a case, a sub-task includes only endpoints from one company.

  • When accessing the Network > Tasks page as a Partner, you view by default all managed companies recursively.

  • When you, as a Partner, assign a task in the Network page to multiple companies, you can no longer select the parent company, but only its child companies of Customer type.


  • Now you can see the date when a domain controller was last reported to the Active Directory sensor integration. Find the Last reported field in the integration's details panel.

  • Now you can delete individual domain controllers from an Active Directory sensor integration.


  • The Accounts page has been redesigned and restructured. The page now provides an improved overall user account management experience.


  • You can now choose to receive notifications via email in plain text format. The new option is available for all notification types and you can find it on the Notifications Settings page.

  • The notifications email subject is now editable. You can customize the subject according to your needs using the new option Set custom email subject when configuring the notification. The option is available for most notification types.

  • The HyperDetect Activity notification is now enriched with details such as the detection type, user, company, and the command line used.

  • The Login from New Device notification includes the email address of the account used.


  • In the Policies > Assignment Rules page, you can now apply policies via location rules only to targets you manage.

    From now on, the Targets section is always active when you configure a rule. If you do not specify targets, GravityZone automatically selects all the available entities when saving the rule.

    Old rules with no targets specified will continue to function as before until you manually save them again.

  • When you access Policies > Assignment Rules as a Partner, you now view your company rules instead of a blank page with no company selected.

Public API

  • Accounts API

    • The following Notifications Visibility Options are now available:

      • setCustomEmailSubject - if true, it changes the default subject used in GravityZone notification emails.

      • emailSubject - it contains the custom text to be used for GravityZone notification emails if setCustomEmailSubject is set to yes.


      These options are only available for specific notification types.

    • The sendOnlyPlainTextEmail parameter is now available for the configureNotificationsSettings method. Enabling this option sends all notification emails in plain text format.

    • The getNotificationsSettings method now returns an additional option: sendOnlyPlainTextEmail.

    • The passwordLifetime and accountLockdown parameters are now available for the getAccountsList method.

  • Network API

    • The productOutdated parameter is now available for the getEndpointsList method. The parameter indicates if the endpoint is missing one or more agent updates.

    • The createScanTask method now returns all task IDs created as a result of the request instead of the most recent one.

  • Companies API

    • The country, state, industry, and contactPerson parameters are now available for the createCompany and updateCompanyDetails methods.

    • The industry parameter is now available for the getCompanyDetails method.

Patch Management

  • All Partner companies can now use Patch Management for their managed companies, regardless of their own use licensing settings.

  • Patch Management features are no longer applicable to companies that have the associated license expired.

Integrity Monitoring

  • The Integrity Monitoring grid now provides better visibility of the actions within its columns.

Installation Packages

The Network > Packages page has a new design and a new name: Installation Packages.

  • The Add button has become Create.

  • All other buttons except Download have been moved under More actions.

  • The package configuration form also has a new look.

For a limited time, the old design is still accessible via the toggle in the upper right corner of the console.

Network Protection

The Web rules list found in Content Control > Web Access Control Settings > Web Categories Filter has been updated with additional categories. All existing policies are automatically updated to reflect the changes made regarding the updated categories.

  • Newly added categories:

    • Astrology

    • Auto

    • Food

    • Kids

    • Lifestyle

    • Occult

    • Pets

    • Real Estate

    • Society

  • Updated categories:

    • Drugs category was split into the following categories: Alcohol, Tobacco, Pharmacy.

    • Video Online category was replaced by the Videos category.

    • Banks category was replaced by the Financial category.

    • Casual Games, Online Games and Computer Games categories have been merged into the Games category.

GravityZone platform

  • Raw Events now offers support for Linux. The OS type column in the Raw Events grid indicates which fields are available for Linux endpoints.

  • The Gather logs feature from Network > endpoint details > Troubleshooting tab has been enhanced. You can now select between three new types of logs:

    • Product general issues

    • Malware infection

    • Malware infection (no cloud services)

  • The eXtended Detection and Response sensor integration licensing options have been renamed:

    • Identity providers (includes Active Directory, Azure AD, and Microsoft Intune)

    • Productivity apps (includes Microsoft Office 365 and Google Workspace)

    • Network (includes Network sensor)

    • Cloud workloads (includes AWS, Azure Cloud, and GCP)

Exchange protection

  • Policy changes to content filtering rules now properly save when adding lookaround assertions in the rule settings. The issue occurred for rules containing body content filters of expression type.

Resolved issues


  • Exclusions configured in Configuration Profiles did not propagate to inherited policies.


  • Fixed an issue that was preventing the Incident history tab from displaying the analyst's name correctly after changing the incident status.

  • The other.event_id parameter in the Incidents > Search feature of XDR now returns results when using wildcards.


  • In some cases, users could not delete finished tasks created by accounts no longer active.


  • Fixed an issue that caused timezone inconsistencies in the Security Audit Report chart.


  • Fixed an issue that prevented gathering logs from GravityZone using a network share for Linux and macOS endpoints.

GravityZone platform

  • User Activity logs for API key creation are now visible to all users with the necessary rights.

  • Selecting the Download > Security container action in the Packages page no longer causes the Download Security Container window to freeze while loading.

  • Security fixes.

Public API

  • Partners can now properly use the createRemoveQuarantineItemTask method to remove an item from quarantine for a client company. Previously, the request would return an Invalid params / At least one specified target is invalid. message.

March 2023 (Version 6.38.1-2)

Resolved issues

GravityZone platform

  • Fixed compatibility issues between the Active Directory and Security for AWS integrations. Starting with this release, Active Directory is going to be prioritized (for inventory, policy assignments, license flow, etc.).

  • Users who log in with SAML single sign-on can now access the Investigation Package options without any additional steps.


  • In certain situations, incidents could not be deleted from the Incidents grid when they went past their retention period, resulting in incidents with no details. The issue is now fixed.

Integrity Monitoring

  • Integrity Monitoring did not display some events for Linux endpoints. The issue is now fixed.

March 2023 (Version 6.38.0-0)

Early Access

Live Search

  • You can now filter endpoints by their GravityZone tags by using the Tags filter.

  • The Reset filters button is now available in the Live Search page.

  • You can inspect the database schema and search for available tables and fields using the new side panel.

  • Improved the Metadata window:

    • You can now filter endpoints based on Status and Sent rows.

    • A new button is available that allows you to assign tags to endpoints.

  • Multiple graphical elements have been modified to offer a better user experience.


Endpoint tags

This update brings several new options, support for tags management on child companies, and introduces the feature to the GravityZone Cloud Security for MSP users.

  • In the Network page, you can now create custom tags directly in the Assign custom tags window.

  • In the Unassign custom tags window, you can remove all custom tags from endpoints at once.

  • As a Partner, you can control endpoint tags on child companies by using new company columns, filters and selectors in the Network and Tags Management pages.

  • Each tag in the Tags Management page now includes an inline menu to delete it or to easily create copies and apply them in your company or other companies.

  • You can review actions taken on tags in each company in the User Activity page.

  • Non-MSP Partners can now manage endpoint tags on child companies that use a compatible GravityZone product, regardless of their own license. However, Partners need a compatible license to manage tags in their own companies.

    For existing GravityZone products that support endpoint tags, refer to the list included in GravityZone November 2022 (version 6.34.0-1) release notes.

  • For the first time, endpoint tags are available to GravityZone Cloud Security for MSP users, for both Endpoint Security and Bitdefender EDR product types.

    MSP Partners have access to tags in their own companies with either a license key or monthly subscription. They can also manage tags on child companies provided those companies meet the licensing conditions.

    To manage endpoint tags, Customer companies need a compatible license key or, if they use monthly subscription, they also must have the Advanced Threat Security add-on, with at least one of its components (HyperDetect or Sandbox Analyzer) active.


As a Partner, when you go to the Network page after this update, you will see by default your own company tags. To view endpoint tags for a child company, make sure the Company column is enabled and use its filter to select the company you are interested in. Once the child company has been selected, the Tag filter loads all its tags.

Public API

  • API keys are now visible only at the time of creation. Make sure you save all API keys in a safe location and do not share them with anyone.


    Keys generated prior to the release are still visible from the edit window.

  • The productOutdated field has been moved under the Details member for getNetworkInventoryItems API responses.


  • The Company filter now has two new entries: All directly managed and All recursively. You can use them to view quarantined files from all the companies you directly manage or from all companies to which you have access.

  • The Clear button was renamed to Reset filters and you can use it to readjust filters to their default values.

Exchange Protection

  • The Send a Copy To secondary action is now available for the Replace file with text, Delete file, and Reject/Delete email actions. The settings can be found in the Policies > Exchange protection > Content Control page, under the Attachment filtering section.

GravityZone platform

  • Security for Amazon Web Services now supports the following optional regions that can be disabled or enabled from AWS: Cape Town, Hong Kong, Hyderabad, Jakarta, Osaka, Spain, Zurich, United Arab Emirates, Milan.

  • New event types are now available in Configuration > Raw Events grid. Before enabling them, make sure you first check the Requirements column.

Resolved issues

Integrity Monitoring

  • Fixed an issue that prevented the directory path validation from working when users added a custom rule.

  • Fixed an issue that caused Integrity Monitoring to generate empty reports.

Network inventory

  • Folders indicated issues (red exclamation mark) when endpoints inside them had the Encryption module disabled.


  • Fixed an issue causing the GravityZone integration with Microsoft Azure Sentinel to fail.

eXtended Detection and Response

  • A partner is now able to delete a pre-existing Network sensor integration for a customer even if the customer has the EDR feature disabled.

GravityZone platform

  • The GravityZone console displayed a few incorrect translations on French and German interfaces.

February 2023 (Version 6.37.0-2)

Resolved issues


  • In certain situations, connecting through Remote Shell using a single sign-on authentication resulted in a connection timeout. The issue is now fixed.

February 2023 (Version 6.37.0-1)

Early Access

Unified Incidents

  • You can now perform a search from the Incidents grid to view all events and alerts related to an incident. Click the vertical ellipsis button at the right end of the grid entry and then the View events and alerts option. You will be redirected to the Search page, filled with the requested events.

  • You can now trigger a search from the side panel of entities or resources to view all related events and alerts. Click the vertical ellipsis button and then the View events and alerts option. You will be redirected to the Search page, filled with the requested events.

Live Search

  • The OS filter is now available for Live Search. You can use it to perform a query for specific endpoints based on their operating system.

  • Live Search queries will no longer wait for unresponsive endpoints before returning results. This significantly improves query wait time.

  • The Company filter is now only visible to Partner companies.

  • When searching for a query, both the name and the syntax are now checked for matches.

  • Multiple graphical elements have been modified to offer a better user experience.



  • Information about security risks is now available in the incident Overview > Summary > Root cause section. The text includes links to Endpoint Risk Analytics (ERA), where you can view further details.

  • The incidents Search function has two new fields, which you can use in queries: email.sender_address and email.sender_name.

    The field email.sender, which currently contains the same information, will be deprecated in 90 days.

  • Remote Shell now supports single sign-on authentication. Once single sign-on is configured, you will be redirected to your company's login page whenever you start a remote shell session.

GravityZone platform

  • Improved the communication mechanism between the GravityZone console and endpoints in network-restricted environments. This change requires a firewall rule to be created. The rule should whitelist a new set of web addresses that are used to verify the server certificate revocation and enhance security. For more information, refer to GravityZone (cloud) communication ports.

  • The Partner Changed notification now clearly indicates if a client company has joined or left your management.


  • You now receive an explanatory message every time you cannot save a policy due to invalid data in the Sandbox Analyzer > Endpoint Sensor and Integrity Monitoring > Real Time sections.

Public API

Network API
  • The returnTaskId parameter is now available for the createscantask and createscantaskbymac API methods. The parameter allows you to include the newly created task ID in the API response.

  • The productOutdated parameter is now available for the getnetworkinventoryitems API method. This parameter allows you to include information about the update status of all the endpoints of a given company in the API response.

Incidents API
  • The returnRuleId parameter is now available for the createcustomrule API method. The parameter allows you to include the newly created rule ID in the API response.

Push API
  • A new Event Push API alert is now available: partner-changed. This event triggers when a client company joins or leaves your management.

Resolved issues

Integrity Monitoring

  • The License Expires notification now includes the name of the Data Retention Add-on that is soon to expire.


  • XDR trial users who installed Network sensor will no longer encounter the "Not licensed" error message when switching to a full license.

GravityZone platform

  • Security Containers and Security Container hosts no longer incorrectly appear in the Network page as having issues.

  • Security fixes.

January 2023 (Version 6.36.0-1)


GravityZone platform

The way Bitdefender partners view incidents from their companies and child companies has changed:

  • Partners can view their company's incidents and receive incident notifications only if they have manage rights over the company's network.

  • Partners can view the Custom Rules page of their company only if they have manage rights over the company's network.

  • Partners can view incidents and receive incident notifications only from the child companies they have access to.

  • EDR portlets count incidents only from the companies the partners have access to.

Resolved issues


  • In some cases, users could not change the incident Status, Assignee or Priority values. The issue has been fixed, but the fix does not apply retroactively.

December 2022 (Version 6.35.0-1)

Early Access

XDR Live Search

  • The Endpoint name filter is now available for Live Search. You can use it to perform a query on specific endpoints from a company.

  • Multiple graphical elements have been modified to offer a better user experience.

  • Actions taken in the Live Search page are now available in the User Activity records.


Integrity Monitoring

  • You can now create rules using different types of special characters.

  • MITRE IDs have been added for events generated by default rules. They are displayed in the Event details window.

  • When a data retention add-on expires, events are kept for only 7 days, if the Integrity Monitoring license is still active. Events generated before the data retention add-on expired are still available for the previous retention period.

  • Performance improvements.


  • Where applicable, the Deactivate AWS account response action is now also displayed as a recommended action in the incident Overview tab, in the Action needed section.

Network Protection

  • You can now enable outbound traffic monitoring for Network Attack Defense over SFTP and SCP/SSH protocols on Linux machines. The new options are available on the Network Protection > General page in the policy settings. In addition, the Scan SSL option has been renamed to Intercept Encrypted Traffic and Scan HTTP has become Scan HTTPS.

Resolved issues

Integrity Monitoring

  • Fixed an issue that prevented caching mechanisms from working when querying the Bitdefender Global Protective Network to check if a process is trusted.

  • Fixed an issue that prevented service events from being generated on SUSE Linux Enterprise Server (SLES) systems.

  • Fixed an issue that prevented the use of the mv command to trigger folder rename events.


  • Fixed a Splunk integration issue that was causing empty "att_ck_id" fields in "new-incident" events.

GravityZone platform

  • You can now uninstall the Integrity Monitoring, Patch Management, and Full Disk Encryption modules after their corresponding license keys have expired.

  • Fixed an issue that was preventing partners from enabling the Command-Line Scanner and Antimalware Scan Interface Security Provider features for their customers if Fileless Attack Protection was not licensed in their own company.

  • Fixed an issue that was causing EDR raw event submission to fail for endpoints configured to use a proxy.

  • Fixed an issue that was causing endpoints with Patch Management installed to display the module as expired. The issue occurred after replacing the license key for the main product.

November 2022 (Version 6.34.0-1)

Early Access

XDR Live Search

  • The Company filter is now available for Live Search. As an MSP, you can use it to perform a query on endpoints from a specific company.

Unified Incidents

  • This feature correlates host-based EDR incidents with broader attacks detected by XDR, bringing both types of incidents in one place: the Incidents grid.

  • Correlated incidents are displayed in their own column in the grid, in line with the parent incident. They are not listed as separate entries in the grid.

  • A new notification type is now available, Correlated incident, informing you when an incident assigned to you is correlated with another incident.

  • New columns are now available:

    • Actions taken: shows you whether an attack was blocked by other prevention technologies.

    • Resources and Entities: replace the former Organization impact. For more information, click an entity or a resource to open their specific side panel.

  • Filters enhancements include multiple select for the Companies option and a new filter for Correlated incidents.

  • Views offers you the option to save your current filter and column settings for later use. You can also name, rename, delete or add your views to the Favorites category. The default views are All incidents and Assigned to you.

  • The Incident - Suspicious activity status and Incident - Suspicious activity portlets in Monitoring > Dashboard now reflect both EDR and XDR incidents. The dashboards count the parent incidents. Correlated incidents are not represented in the charts. Severity scores are grouped by: High (75 - 100), Medium (40 - 74) and Low (10 - 39).

New features

Integrity Monitoring

Integrity Monitoring reviews and validates changes made on Windows and Linux endpoints to assess the integrity of multiple entities.

Integrity Monitoring operates based on default rules, provided by Bitdefender, and custom rules. These rules are available in the Policies > Integrity Monitoring Rules page of Control Center.

Based on these rules, Integrity Monitoring takes action when events are generated for files, folders, registry entries, users, services and installed software. These events are displayed on the Reports > Integrity Monitoring Events page of Control Center.

You can also create a portlet, as well as two types of reports based on Integrity Monitoring events:

  • Integrity Monitoring activity, which displays events from the events page.

  • Integrity Monitoring configuration changes, which displays Bitdefender Trusted as well as Unapproved events.

Integrity Monitoring also comes with hardcoded restrictors, which automate best practices to reduce alert fatigue and prevent a negative impact on performance.

Integrity Monitoring is available for all standard products, except for GravityZone EDR and Bitdefender FRAT. It is delivered as an add-on for products with a license key, and as a licensing option for monthly subscriptions.

By default, it stores the detected events for 7 days. In addition, it comes with a data retention add-on to store the events. You can choose from three options: 90 days, 180 days and 1 year of data retention.

GravityZone platform

  • Raw Events is a new feature that helps you filter which Windows or macOS events GravityZone processes. This feature becomes available in the Configuration tab if you have the following:

    • GravityZone Business Security Enterprise or Bitdefender EDR license

    • One of the storage add-on licenses: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.

    • EDR or XDR module enabled

    You can only send raw events to one feature at a time: either to a SIEM, to Advanced search, or to Bitdefender MDR.

Endpoint tags

You can now assign security policies to endpoints based on tags, in addition to the existing location and user rules. With this release, you can create, edit, delete, and assign tags manually or automatically. As a partner, you can manage endpoint tags only for your own company.

We updated several areas in GravityZone Control Center to accommodate this feature:

  • Endpoint tags are configurable in the new Network > Tags Management page.

  • Tag rules are configurable under the new category Endpoint Tag Rule in the Policies > Assignment Rules page.

  • The Network page includes a new button to assign and unassign tags to endpoints, and a new column that allows tag filtering.

  • The Accounts > User Activity page records actions such as create, edit, delete, assign and unassign tags.

Endpoint tags are available with the following GravityZone products:

  • GravityZone Business Security Premium

  • GravityZone Business Security Enterprise

  • GravityZone Security for Workstations

  • GravityZone Security for Servers

  • GravityZone EDR

Email Security

Sandbox for Email Security

The feature adds a powerful layer of protection to your users' email accounts by sending attachments in email messages for in-depth analysis and awaiting the results before delivering the message.

Sandbox serves as a safe virtual environment for testing potentially malicious files. A real environment is simulated where threats are triggered and payloads are detonated, in order to analyze their behavior and identify malicious intent.

The technology provides:

  • Advanced threat protection and zero-day exploit detection.

  • Machine learning algorithms, behavior analysis, anti-evasion techniques and memory snapshot comparison to detect threats.

  • The capacity to uncover malicious files, including threats designed for undetectable targeted attacks.

  • Support for a broad range of file types.

  • Dynamic analysis to detect and defeat advanced malware.

Microsoft Outlook Add-in for Email Security

This add-in enables users to report messages as spam or phishing attacks directly from their inbox.

If a message is reported, it will be sent to Bitdefender and analyzed. The information gathered will be used to improve detection and the overall effectiveness of the Email Security product.


GravityZone platform

  • Emails sent to new GravityZone users now contain one-time links instead of temporary passwords. Users can use the links to create a new password and log in.

  • The Incident status portlet in Monitoring > Executive Summary now groups incidents based on whether the attacks were blocked by prevention technologies or not. The new values for this portlet are: Blocked attacks and Requires investigation.

  • The endpoint details in Network now show when the Patch Management and Full Disk Encryption modules are expired and why.

  • GravityZone now generates and sends email notifications when the license limit for Patch Management or Full Disk Encryption is about to be reached, has been reached or exceeded.

  • You can now install the Microsoft Hyper-V Security Server for second generation VM hardware.

  • You now have visibility over tasks created by other users in the same company. You cannot take actions on them, but you can sort and filter them by username in the new Owner column in the Tasks grid.

    Users from child companies can view tasks created by their parent company only for entities within their own companies. They can also view the user from the parent company who has created the task. This scenario applies to both Customer and Partner type companies.

  • Actions taken on your tasks, such as create, restart and delete, are now visible in the Accounts > User Activity page.

  • The default period for trusted browsers with two-factor authentication (2FA) has been set to 7 days.


  • A new response action is now available in the Incidents Graph and Response tabs: Deactivate AWS account. This action creates and applies a policy that deactivates the AWS user account and deletes the associated access keys.

  • The Sensors Management feature now provides integration with Google Workspace. The new sensor collects and pre-processes activity and usage data related to Google Workspace accounts and services.

  • Prerequisites for the Active Directory sensor have changed. With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.

  • The default retention period for alerts has changed to 90 days. Extend retention periods for alerts, incidents or raw events by enabling a different storage add-on: GravityZone EDR 180 days Data Retention Add-on or GravityZone EDR 365 days Data Retention Add-on.

Threats Xplorer

  • The Detection details panel now includes the web address involved in the attack for each event that is based on the Network Attack Defense technology.

  • Improved the exclusions mechanism for LSASS Protection events. Now when you add an exclusion from the Detection details panel, the necessary details are automatically configured in the Configuration Profiles page.

Public API

  • API support is now available for the new Integrity Monitoring feature. The following methods have been updated: getManagedEndpointDetails, getNetworkInventoryItems, createReconfigureClientTask, createPackage, createCompany, setMonthlySubscription, getLicenseInfo, getMonthlyUsage, getMonthlyUsagePerProductType, createReport, getReportsList.

Resolved issues


  • The Patch Management and Full Disk Encryption modules will now be disabled when applied to endpoints after the seat limit on the corresponding license keys has been reached.

Threats Xplorer

  • The Detection details panel displayed the policy directly assigned to endpoints instead of the active policy at the moment of the detection applied through assignment rules.

GravityZone platform

  • The Policy tab in the endpoint details no longer displays the status "Cannot determine". The message appeared due to an issue with the cleanup rules that was fixed.

  • Fixed an issue causing Antiphishing reports to display incorrect data for the current month. This issue occurred when the reporting interval was set for the last 2 or 3 months.

  • Security fixes.

Known issues

Integrity Monitoring


  • Integrity Monitoring events are not generated for monitored entities that are modified by processes excluded from Advanced Threat Control scanning.

  • Integrity Monitoring events are not generated for files that have been modified through Server Message Block (SMB).


  • Integrity Monitoring is not compatible with 32-bit operating systems.

  • Integrity Monitoring is not applicable for Bitdefender Security Container.

  • Service events are not generated on SUSE Linux Enterprise Server (SLES) systems.

  • Using the mv command does not trigger folder rename events.

October 2022 (Version 6.32.0-2)



The following features are generally available to all customers using Bitdefender EDR, GravityZone Endpoint Detection and Response, GravityZone Business Security Premium and GravityZone Business Security Enterprise:

  • Assignee option to assign the incident to an analyst.

  • Priority option to assign the incident a priority.

  • Incident history button shows all actions taken on the incident, including assign and priority.

The above features are in the XDR Incident Overview and EDR Graph View pages as well as in the status bar of the incidents.

September 2022 (Version 6.31.0-2)

Early Access

XDR Live Search

  • Early Access enrollment is now available for Live Search. With this feature you can directly search for events and system information from the online endpoints in your network, using OSquery, an SQL-compatible query system.

New features

Early Access programs

  • Early Access allows you to try out specific products, features or functionalities that are still in development, by enrolling in beta programs. Learn more

Remote troubleshooting

  • Remote troubleshooting is now available for GravityZone Security for Containers.



  • Auto-complete functionality is now available when adding tags in Incidents > Custom Rules.

  • The Sensors Management feature now provides integration with Azure Cloud. The new Azure Cloud sensor can collect and pre-process cloud activity data.

  • A new filter is available for the Status column in the Configuration > Sensor management page.

  • Integrations with Azure AD can now provide Risky user information in Incidents > Graph. Enable this functionality by setting up the Azure AD sensor with the IdentityRiskyUser.Read.All permission.

  • Integrations with O365 now allow you to delete a suspicious email directly from Incidents > Graph.


  • You can now filter and view quarantined items regardless of the time interval. Using the Quarantined on filter you can customize any interval that suits your needs.

GravityZone platform

  • You can now export the data displayed in the Companies page as a CSV file.

  • A new filter is available for the Product Status column in the Companies page: you can select between companies with active, expired, trial or no licenses.

  • Licensing information is now available for the Full Disk Encryption and Patch Management add-ons in the My company, Edit Company and Companies pages.

  • The primary update location for endpoints and relays is now The previous location will still be used as a fallback. You can view the changes in the General and Relay sections of the policy under the Update tab.

  • As a GravityZone administrator, you can take ownership of policies created by users that have been deleted. The new Take Ownership option is now available in the Policies page, and the Created by column has been renamed Owner.

  • For user assignment rules, you can select organizational units (OUs) in Active Directory inventories as targets.

  • The Network Protection Status report now indicates when the Full Disk Encryption and Patch Management modules are expired.

Email Security

  • You can now activate the Email Redaction setting for your Email Security account. This will mask sensitive information when accessing emails through reports. Learn more

Resolved issues


  • getNetworkInventoryItems no longer returns an internal server error when users with no rights granted over their own company use the method for child companies.

August 2022 (Version 6.27.2-3)

New features

GravityZone platform

  • Added the following features to Security for Amazon Web Services:

    • Sandbox Analyzer - companies can submit files, samples and URLs, and check their status.

    • HyperDetect - this module is activated from the policy. It detects advanced attacks and suspicious activities in the pre-execution stage.

    • Fileless Attack Protection - this feature prevents fileless malware attacks. The newly generated event is displayed by BEST. In addition, the event is also visible in the Security Audit Report.

    • Antimalware Central Scan - this feature enables the Security Server in the Packages section.

    • Advanced Anti-Exploit - this feature generates anti-exploit events when the tool is run on a managed endpoint.

    • Network Attack Defense - this feature focuses on detecting network attacks designed to gain access on endpoints through specific techniques. In addition, the event is visible in the Notifications section, if Network incident events are enabled.

    • Incidents - this feature displays all suspicious incidents detected at endpoint level, that require investigation and upon which no action was taken yet.

    • Endpoint Risk Analytics - you can see new information in the Risk Management dashboard and Security Risks after the risk scan task has successfully finished.


    All these features are also available for companies with an existing AWS integration.


GravityZone platform

  • Installation packages are now kept even if the user that created them is deleted.


  • The Sensors Management feature now provides integration with Microsoft Intune. The new Microsoft Intune sensor can be configured to collect and pre-process device-related data.

  • Actions taken on incidents are now visible in Accounts > User Activity.


  • Port scan exclusions are now available. You can create IP-based exclusions to allow port scanning.


This feature brings major changes to the Firewall technology used. We recommend testing this feature before deploying it to your endpoints.

Advanced Anti-Exploit

  • The LSASS process protection option is now more customizable and provides details about possible exploits that may target the Local Security Authority Subsystem Service (LSASS). You can configure block or report actions in the policy, add exclusions for trusted processes in Configuration Profiles and view related user activity. The events are available in the security agent local interface.

Risk Management

  • The Endpoint Score in the Top Devices at Risk widget now takes User Behavior Risks into account.

Resolved issues

GravityZone platform

  • The option The company manages endpoint security is no longer disabled when editing partner companies with clients.

  • Security fixes.

Configuration Profiles

  • Users were unable to export exclusion lists from a GravityZone On-premises instance and import them in GravityZone Cloud.

Patch Management

  • Patches for excluded products were incorrectly displayed in Control Center as failed.

August 2022 (Version 6.27.2-2)

Resolved issues

GravityZone platform

  • Security fixes.

July 2022 (Version 6.27.2-1)



  • Added support for multi-value fields in the Incidents > Search section. This functionality is also present in the Details panel.

  • Alert data is now available in the Incidents > Search section. The raw data is available in the JSON tab of the Details panel.

  • Alerts now display the corresponding incident number.

  • New fields have been added to Incidents > Search. The fields are either related to alert data or to resource information normally displayed in the Graph section of an incident.

  • Added two new columns to the Extended Incidents / Endpoint Incidents tabs in the Incidents page: Assigned to and Priority.

  • For the XDR Incident Overview and EDR Graph View pages, added the following items:

    • Assignee option to assign the incident to an analyst.

    • Priority option to assign the incident a priority.

    • Notes button providing a list of analyst notes.

    • History button providing a history of the incident.

Sensors Management

  • The Sensors Management section now displays the setup steps at the top of the page.

  • Re-designed authentication-related error messages for the O365, Azure AD and AWS sensors.

Risk Management

  • Decommissioned endpoints no longer appear in Risk Management. The corresponding risk data is deleted and it no longer impacts risk-related reports and dashboards.


  • The Restart machine task is now available for all Security Server types in distributed environments.


  • The configuration page for location assignment rules now has the Targets section, where you can define specific folders within the network where you can apply a rule. If you do not enable Targets, the rule applies to the entire network.

  • A new column added in the Assignment Rules grid indicates the status of existing rules:

    • Running – the rule is active and is applicable to the endpoints.

    • No target – the rule is not applied to the endpoints because it is missing targets.

Resolved issues


  • The Restore button is now available again for Exchange Quarantine.

July 2022 (Version 6.26.2-2)

New features


  • You can now integrate GravityZone data into Microsoft Azure Sentinel, allowing automatic transfer of GravityZone events to the Microsoft platform.



  • Added a new response action to the Incidents Graph and Response tabs: Mark user as compromised. This action marks the user as compromised in Azure AD Identity Protection security tool. The Azure AD and Office 365 sensor requirements have been updated to reflect the type of permissions required for this response action.

  • As a Partner, you can now view and deploy sensors for all managed companies under your account.

  • As an MSP, you can collect investigation packages on endpoints from any company under your management.

  • User activity records are now available for actions taken in the Sensors Management page.

Threats Xplorer

Threats Xplorer now provides you with enriched information about each security event and possible actions that you can take, all in a single view. The new Detection details panel is available when selecting any event from the grid and includes the following:

  • Details about the threat such as threat type and name, the action taken, the detecting module, and others.

  • Details about the detected object including the category and object-specific information like process ID, file path, URL, email subject, and others.

  • Endpoint details such as endpoint name, type and risk score, the assigned policy, any existing vulnerabilities or misconfigurations, and others.

  • Several investigation and remediation actions like scanning or isolating the endpoint, adding exclusions for files and processes, or adding detected objects to the Blocklist.

  • The option to view all the security events on a specific endpoint within the last 24 hours.

  • A link to a specific endpoint within the Network Inventory.


  • Bitdefender MDR Foundations is now available as an add-on to the Bitdefender Managed Detection and Response service.

  • XDR is now available as an add-on. Additional licenses need to be enabled for each type of sensor platform. When reselling XDR, all types of sensor platforms will automatically be enabled for client companies.

  • License trials now offer a maximum of 50 seats.

  • New trial keys are now generated with 12 characters.

  • Company Administrators can now enable or disable XDR sensor categories when the XDR add-on is enabled.

  • Monthly Trial licenses now include XDR and all sensor categories.


  • Editing exclusions and list assignments now reflects in more detail in the User Activity section, with separate entries for the affected exclusions, lists, and policies.

  • In Policies > Configuration Profiles, you can assign multiple exclusions to multiple lists by using the new Assign to lists option.

  • Minor name changes to various buttons and options for more consistency.

GravityZone authentication

  • The options and messages related to two-factor authentication (2FA) are now referring to “trusting the browser” rather than “remembering the device”, as the settings actually apply per browser. This addresses the scenario where a user might use a computer with multiple browsers to log in to GravityZone Control Center.

  • Some buttons and options related to 2FA have been redesigned, alongside other minor visual changes.

  • A new message informs you when you cannot log in to GravityZone Control Center because of an ongoing update.

Sandbox Analyzer

  • As a partner, you can now see submissions from other companies in the Sandbox Analyzer section of the Control Center main menu. Use the search box or the new drop-down list on the page to switch from the default view of your company's submissions to those from all direct companies or from a specific company.

  • In the Sandbox Analyzer > Manual Submission section, you can select from the drop-down list a company on whose behalf to submit samples.

  • Starting with this release, you can retrieve detailed Sandbox Analyzer HTML reports via API. The Sandbox Analyzer Results report, which contains only a summary, is no longer deprecated.


The Quarantine page has a new modern design and includes the following changes:

  • The views selector was redesigned into two new subsections that are available in the GravityZone menu under Quarantine.

  • Filters and columns allow more control and customization. You can show or hide filters, add or remove columns and use a compact view.

  • The company selector is available in a new format as a customizable column and filter for partner companies.

  • Added new time intervals for the quarantined items.

  • Renamed a few elements on the page.


  • Multiple graphical elements have been modified to offer a better user experience:

    • For companies that use multiple products, only the total number of products is displayed. You can use the arrow button on the left side of the screen to display all used products.

    • Multiple buttons have been redesigned, moved, or included under the More actions menu.

    • Improved the page navigation.

    • Added the Settings menu, which allows you to customize the information displayed for each company. The menu also provides additional features, including Reset view, Compact View and a search box to find specific columns.

  • Several improvements have been made to the list of companies:

    • Added additional filters.

    • A new Show or hide filters button is available in the upper right side of the page.

    • You can customize the filters displayed on your screen by using the More menu or by removing individual filters using the Remove button.

    • Added a Clear button that allows you to revert all filter settings to default.

    • Added several columns, providing access to additional company, product, and usage information.

    • Renamed License usage to Usage Breakdown and License validity to Expiry date for improved clarity.

  • The information under Company ID has been moved to a new field called Company hash. The Company ID field now shows the company's database ID, which is mainly used for API requests.

  • Companies now have two identifiers in Control Center:

    • Company ID, the company identifier in GravityZone Database. Use this ID when making API requests.

    • Company hash, previously shown in Control Center as Company ID. Use the hash when changing the Bitdefender partner via Control Center.


  • Added two new tasks in the Network > Tasks section: Isolate and Remove from isolation.


  • You can now use the Reports API to download Sandbox Analyzer HTML reports.

  • Several methods under the Companies, Licensing and Network API have been updated to support the addition of the XDR add-on.


  • From now on GravityZone Control Center is available in Japanese.

Resolved issues

GravityZone platform

  • Companies are now suspended when reaching subscription end date.


  • The 201 response status code is no longer handled as an error for the Event Push Service.


  • In some situations, the Security Audit report did not include Advanced Anti-Exploit events.

Risk Management

  • The Devices grid in Security Risks used to count all misconfigurations, regardless of whether they had been marked as Ignore risks.

June 2022 (Version 6.26.2-1)

New features


  • EDR alerts in the Incidents > Search section now display additional information in the JSON tab of the Details panel. The key-value pairs in this tab cannot be used for building queries. However, you can copy the entire data to clipboard for ease of access in your investigations.


  • Early Access Program licenses have been reworked:

    • You can now add the license on top of any other standalone license that includes EDR.

    • The license no longer has usage limitations.


    Previously generated Early Access Program licenses will be invalidated. Companies currently in the program will need to acquire a new license key.



  • Only the first two types of attacks are now visible in the Summary section of the incident Overview tab. You may expand the list to view all types of attacks.

  • The Resources section inside the incident Graph has been redesigned:

    • The resources under the transition panel are now displayed as a list under each associated alert. The list displays groups of resources, organized by type, and includes the number of items for each type. The full resource details can be accessed from each alert panel.

    • The list of resources within the alert's details panel is now collapsible, making the details easier to observe.

    • All details gathered from an email are now grouped under a single resource. Along with the information aggregated from the previously existing resources (subject, URLs, and attachments) additional information will be made available:

      • Resource type: Email

      • Email Subject

      • Email ID

      • Received on

      • Sender

      • Receiver (to / cc / bcc lists)

      • Attachments

      • URLs

  • Remote Shell is now available for Bitdefender XDR. You can find it in the incident Graph tab, in the details panel of endpoints or server nodes.

  • Network Sensor details are now available in Configuration > Sensors Management.


  • The EDR incident page has been redesigned:

    • A floating bar is now displayed above the Critical path of the incident and contains two functionalities: Search entities and Incident trigger.

    • The elements of the Incident status bar have been rearranged and the endpoint name is no longer displayed.


  • You can now add exclusions to Configuration Profiles right from the Blocked Applications report. Use the new Back option at the top-left corner in Configuration Profiles to return to the report if needed.

  • In Configuration Profiles, the menu option Assign to list has been modified to Edit list assignment. The name of the corresponding configuration page also reflects this change.

  • The Exclusions grid area in Configuration Profiles includes a new sortable column named Added on, which by default lists the exclusions in reverse chronological order. Only exclusions added after this GravityZone update will display date and time.

  • Exclusions in Configuration Profiles and in the policy now support the %SystemDrive% variable.

  • You can now use the asterisk (*) as wildcard for searching exclusions in the Configuration Profiles section.

  • To accommodate Linux requirements, exclusions now support up to 4096 characters when defining paths in Configuration Profiles and in the policy. To apply this on Windows systems, make sure MAX_PATH is set to support this value on the target machines.

Maintenance Windows

  • New messages warn you when deleting maintenance windows assigned to policies, and when you remove the last maintenance window from a policy.

  • You can now sort maintenance windows by name, status, modification time, users who last edited the window, permissions, and policies.

  • The grid area in Configuration Profiles now displays the list of maintenance windows on multiple pages instead of a page with infinite scrolling.

  • Minor text changes to the Patch Management section in the policy and in Configuration Profiles.


  • You can now scroll through sections inherited from another policy.

Resolved issues

Device Control

  • Creating a Device Control exclusion rule with multiple device IDs, separated by commas or spaces, now correctly saves all information.

GravityZone platform

  • Security fixes.

May 2022 (Version 6.26.1-2 EFX)


Remote troubleshooting

  • The Debug session now contains a troubleshooting scenario for the Endpoint Detection and Response (EDR) module. Using this new option, you can gather specific logs that target EDR issues such as incidents not generated, false positives, missing incidents data, and others.

  • The Content Control (traffic scan and user control) scenario now also covers Firewall issues and was renamed Content Control and Firewall.


These changes are available for Windows systems.

May 2022 (Version 6.26.1-2)


Threats Xplorer

  • The detection events category and action taken have a new color design necessary for future developments.

Resolved issues

Configuration Profiles

  • The Modules column in the grid area was displaying the Unknown status instead of All modules (value "3") for exclusions coming from imported lists.

May 2022 (Version 6.26.1-1)

New features


  • You can now request a new sensor type by accessing Configuration > Sensors Management > Add new > Need a different sensor?



  • Now you can also access the Remote Shell feature from the Network section Action Toolbar. The option becomes available once you select at least one managed device in the list.

Network Protection

  • The Exclusions table in the General page includes a Remarks column where you can add comments for existing or new rules.

April 2022 (Version 6.24.0-3)


GravityZone platform

  • Two-factor authentication (2FA) becomes mandatory for all GravityZone Cloud accounts on April 12, 2022. From now on, when logging into Control Center, you need to enter a six-digit code from an authenticator app in addition to your GravityZone credentials.

    If you do not use 2FA yet, you will be prompted to set it up in a configuration page. You can skip the configuration page up to 5 times.

    Bitdefender supports any TOTP authenticator compatible with the standard RFC6238, installed on devices such as smartphones and computers. Learn how to configure an authenticator on your smartphone or computer.

    This update comes with the following new options:

    • Remember this device, on the Control Center login screen. Select this option to trust the device used for accessing Control Center and to skip entering the six-digit code. Different browsers on the same computer mean different devices.

    • Allow users to remember their device, in the Authentication tab of the company settings. As an administrator, use this option to configure the time interval for skipping 2FA up to 90 days.

    • Forget all remembered devices and Forget current remembered device, in the account settings, to reset those devices that skip 2FA when signing into GravityZone.

    Two-factor authentication cannot be disabled. In case you forget your credentials or lose your authentication device, ask your administrator to reset 2FA from your account settings.


    Bitdefender does not enforce two-factor authentication (2FA) on GravityZone accounts using single sign-on (SSO).

Learn more about two-factor authentication and how to enable it from this FAQ article.
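The six-digit code check that an RFC 6238 compatible authenticator and a server both perform can be sketched as follows. This is an added example, not Bitdefender's code: the key is the published RFC 4226/6238 test key, and the `window` and `last_counter` parameters are assumptions of this example showing clock-drift tolerance and replay rejection.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # the six-digit code entered at login

# Published RFC 4226 / RFC 6238 test key (not a real secret).
RFC_TEST_KEY = b"12345678901234567890"


def decode_secret(base32_secret: str) -> bytes:
    """Decode the base32 secret an authenticator app is enrolled with."""
    cleaned = base32_secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore stripped padding
    return base64.b32decode(cleaned)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(key, unix_time // step)


def verify(key: bytes, code: str, unix_time: int, window: int = 1,
           last_counter: int = -1, step: int = STEP_SECONDS):
    """Return the matched time-step counter, or None if the code is rejected.

    window       -- time steps of clock drift tolerated on either side
    last_counter -- highest counter already accepted for this account;
                    anything at or below it is refused as a replay
    """
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return None
    current = unix_time // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_counter:
            continue
        # Constant-time comparison; keep looping so timing does not
        # reveal which step matched.
        if hmac.compare_digest(hotp(key, counter), code):
            matched = counter
    return matched


if __name__ == "__main__":
    key = decode_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    code = totp(key, 59)
    print("code at t=59:", code)
    step_used = verify(key, code, 89)             # one step late, accepted
    print("accepted at t=89, step:", step_used)
    print("replayed:", verify(key, code, 89, last_counter=step_used))
    print("two steps late:", verify(key, code, 119))
```

Storing the returned counter per account and passing it back as `last_counter` is what prevents the same code from being accepted twice within its validity window.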

Public API

  • Enforcing two-factor authentication brings the following changes to the public API:

    • The API calls that had the parameter enforce2FA set to false are now automatically set to true for createCompany and updateCompanyDetails methods. This change does not return an error message.

    • The new optional parameter skip2FAPeriod is available for createCompany and updateCompanyDetails methods. This parameter allows you to configure the time interval in days for skipping two-factor authentication by specifying one of the values: 0, 1, 3, 7, 14, 30, 90. 0 (zero) means this option is disabled and the user must enter the six-digit code when logging into GravityZone.

April 2022 (Version 6.23.0-4)

Minimum requirements:

  • Security agents: (Windows), (Linux), (macOS)


Starting April 12, 2022, two-factor authentication becomes mandatory for all GravityZone Cloud accounts. When signing in after this date, GravityZone will automatically prompt you to configure 2FA. If you are already using 2FA or logging in with an Identity Provider, this change will not affect you. Read more.

A dedicated GravityZone update on April 12 will enforce two-factor authentication for existing users. The same update will bring a new option to remember the device used for signing in, which will allow skipping 2FA for a configurable time interval.

New features

XDR in general availability

eXtended Detection and Response (XDR) consolidates security-relevant endpoint detections with telemetry from non-endpoint sources such as network visibility, email security, identity and access management, or cloud security. XDR focuses on optimizing threat detection, investigation, and real-time threat hunting.

XDR provides advanced investigation tools such as:

  • The Overview tab - Here you can evaluate the impact of an incident on your organization, and quickly act to contain threats.

  • The Graph tab - Here you can analyze in detail the Initial access, Exit points, as well as the interactions between the multiple elements of your environment, and affected resources.

    Every graph element provides relevant information in their details panel, as well as specific mitigation actions. The Graph displays data correlated from endpoint, network, productivity, identity, and cloud sensors.

  • The Alerts tab - Here you can see in detail all the security events that make an extended incident, and search for specific events by multiple criteria.

  • The Response tab - Here you can view and take recommended actions to mitigate threats to your organization, and analyze actions already executed from within the incident graph.

XDR also includes new powerful investigation features such as:

  • An advanced Search feature you can use to analyze any element or company resource involved in an incident. It provides:

    • Improved data visualization.

    • Automatic suggestions for field names, values and operators when typing queries.

    • Ability to save and name search queries: they will be displayed in the Smart views panel. You can also edit or delete them.

    • Ability to view more details about an event using the Details panel.

  • An interactive full Remote Shell feature you can use to connect remotely to any endpoint in your environment, and take immediate action to minimize threats or perform advanced forensics.

  • An Investigation Package feature you can use to collect data from any endpoint involved in an incident. You can download and analyze data such as BEST product logs, system info, registry files, Windows, macOS and Linux event logs.

To bring all these together, XDR uses advanced correlation engines to process data from multiple sources, such as:

  • The Incidents sensor

  • The Network sensor

  • Productivity sensors:

    • The O365 Mail and Audit sensors

  • Identity sensors:

    • The Active Directory sensor

    • The Azure AD sensor

  • Cloud sensors:

    • The AWS sensor


The Network, Productivity, Identity, and Cloud sensors, as well as the Remote Shell feature, require a separate license key for activation.

Threats Xplorer

Bitdefender introduces Smart Views, a brand-new GravityZone feature focused on optimizing user experience by adding a new level of personalization in Threats Xplorer. You can now create your own customized views or use predefined ones and quickly switch between them as needed. In a single view, you can customize filters, different time intervals, add or remove columns and scale their size.


GravityZone platform

  • Bitdefender has launched a new product portfolio. We have changed several product names to offer a better representation of our current vision. Learn more.

  • The Edit Company page has been redesigned to match the Add Company and My Company pages, providing an improved overall company management experience.

  • The package configuration page includes new privacy options in the Miscellaneous section.

  • The list of supported internet browsers has been updated. Learn more.

Threats Xplorer

  • The company selector is available in a new format as a customizable column and filter for partner companies. Furthermore, the improved filter now helps partners analyze detection events from multiple companies all at once.

  • Added a new type of detection event for dynamic malware. This uses the integration of Fileless Attack Protection and Windows Antimalware Scan Interface (AMSI) technologies to detect various fileless threats.

Network Protection

  • The Content Control module is now available for Windows servers and Citrix virtual apps and desktops. For existing clients, the module is available through the Reconfigure Client task, while new clients need the installation packages configured accordingly. Learn more. Content Control on Windows servers requires Bitdefender Endpoint Security Tools version or later.

  • The Network Attack Defense module for macOS systems is now supported in GravityZone. The next versions of Bitdefender Endpoint Security Tools will ensure compatibility between endpoints and GravityZone.

  • On Windows servers, the Network Attack Defense module extends its capabilities beyond RDP connections and scans web traffic as well when used with the new Content Control capability.


You can now scan the memory of a process using the new Process memory option available in the On-Access Scanning > Settings section of the policy.

Fileless Attack Protection

The new integration with Windows Antimalware Scan Interface (AMSI) technology provides an additional level of protection against dynamic malware such as script-based attacks.

  • The Command-Line Scanner option allows you to detect fileless attacks at pre-execution stage.

  • The Antimalware Scan Interface Security Provider option allows you to scan content (scripts, files, URLs etc.) sent by other services that require a security vendor to analyze it before accessing, running, or writing it to the disk.

Configuration Profiles

  • Bitdefender introduces a series of improvements to the Exclusions section:

    • The ability to import and export exclusion lists in the CSV format.

    • The ability to edit exclusions inline and delete or export them in bulk. You can also export selected exclusions.

    • The ability to sort exclusions and a new pagination system for easier navigation.

    • A new option in the Blocked Applications report to add exclusions to lists.

    • Improved performance when using filters.

  • In the Patch Management section, you can now add multiple custom hostnames or IP addresses for Patch Caching Servers, separated by semicolons (;). The total limit is 256 characters.

Assignment Rules

For location rules, we increased the maximum number of DNS servers addresses to 30, and the field length to 480 characters.


  • The License Usage Limit Has Been Reached or Exceeded and License Limit Is About To Be Reached notifications now apply to Email Security mailboxes as well.

Security Audit

  • The report now includes an enhanced graphical evolution of all security events that occurred on the selected target. You can view each available module as a single line in the graph and all modules in the graph legend.

  • The exported report in PDF format now includes a new graph that details the evolution of the Antimalware security events.

  • Added a new event type for AMSI detections.


  • The Endpoint details page displays more explicit messages when users have not approved Full Disk Access and Network extension for Bitdefender Endpoint Security Tools components.

Public API

  • A new connector is available for sending events from GravityZone to SIEMs lacking HTTPS listeners. You can use the new DEB package to deploy the connector as a service. This provides easier installation, maintenance, and upgrades. Learn more.


From now on GravityZone Control Center is available in Vietnamese.

Sandbox Analyzer

Security improvements to Cloud Sandbox.

March 2022 (Version 6.22.0-1)




Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.

  • The Sensors Management feature now provides integration with AWS. You can configure the new AWS sensor to collect and process configuration changes and actions taken by users, roles, or AWS services.

  • Extended Incidents now display in the graph the users involved in the interaction between two incident entities as an independent identity node, highlighted with a dotted link. The dotted transition also displays the direction, to make it easy to see if the user affects or is affected by the other elements it interacts with.

  • The Graph offers support for forensic artifacts collected by the AWS sensor from your company's AWS service.

  • When the same alert is spawned in multiple Graph interactions, this information is now shown in its details panel, to make it easier for you to investigate.


  • The License Expires notification comes with the following changes:

    • Recurrence: The notification will now be sent 90, 30, 7, and 1 day before expiration, each time containing specific content.

    • Content: Details include company information, product name, the expired license keys and useful URLs.


    For Partners, these changes apply only to notifications about their own licenses.

Configuration Profiles

  • On the Exclusions page, you can add and remove columns from the grid.

Patch Management

  • The Patch Management module for Linux now installs only on supported distributions.

  • For Linux machines, the endpoint details page now displays explicit error messages for users whenever a Patch Scan or Patch Install task fails.

  • The Patch Inventory page displays the OS type column dynamically depending on the available endpoint types (Windows or Linux).

Assignment Rules

  • For location-based rules, the maximum number of IP addresses you can add in the DNS server address category has been increased to 30. The character limit in the corresponding field has been extended to 480.

Public API

  • The Push API now provides additional information:

    • modules events now inform you if the Network Attack Defense module is disabled or enabled on your endpoints.

    • network-sandboxing events now include the computer identifier and the IDs of your Sandbox Analyzer submissions.

February 2022 (Version 6.21.1-1)


GravityZone platform

  • The User Activity page now includes details about API operations such as editing, creating, and deleting API keys.

  • You can now add descriptions to your API keys from the API keys section under Account Menu > My Account.

  • New endpoint packages no longer have the Device Control module on by default.

  • New privacy options have been added in the following section of the console: Policies > General > Settings > Options.



Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.

  • The Sensors Management feature now provides integration with Active Directory. The new Active Directory sensor can be configured to collect and process user login information.

  • The Graph offers support for forensic artifacts collected by the Active Directory sensor from your company's AD Domain Controllers.

    The alerts resulting from interactions between incident elements offer additional data about involved entities and resources, displayed in their specific side panel.

  • The Security Analytics sensor from the menu in the Alerts tab will be replaced by specific sensors that have triggered alerts.

  • The XDR Search feature now provides automatic suggestions for fields, values and operators, which appear as you type. Syntax highlighting has been added for improved readability.

    The new details panel shows further information about the events in the grid, and its data can be used to further refine your search. Support for Office 365 logs is now available.

January 2022 (Version 6.20.1-2)

Resolved issues

GravityZone platform

  • Endpoint names are no longer clickable in the Endpoint Protection Status report for GravityZone users with Security Analyst role. Previously, clicking endpoint names resulted in Control Center session expiration for such users.

  • Security fixes.

January 2022 (Version 6.20.1-1)

Minimum requirements:

  • Security agents: (Windows); (Linux); (macOS)



We upgraded the visual mechanics of the Extended Incidents Graph to better represent the events that have occurred within the incident you are investigating.

  • Triggered alerts that were displayed on both source and target nodes are now displayed as part of the interaction between them, thus eliminating duplicates.

  • The interaction between nodes is displayed as a separate graph entity that shows all the company resources that were impacted in some way by the triggered alerts.


Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.

GravityZone platform

You can now view the names of Mac users logged into GravityZone via SSH. The new information is available in the Network section (Users tab in computer details) and in the Network Protection Status report.

December 2021 (Version 6.19.1-1)




Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.


We redesigned the Search feature, and now it provides:

  • Enriched data, including raw events to help with investigation efforts

  • An extended number of suggested fields for creating queries. A list of fields with predefined values is available here.

  • Customizable results grid with show/hide columns functionality

  • New predetermined options for the Date field: Last 24 hours, Last 7 days, Last 30 days, and Custom.

Investigation Package

The new Investigation Package functionality enables the collection of forensic data from your environment without requiring a direct interaction with the endpoint involved in an incident.

This feature is designed to improve your SOC team's overall effectiveness by eliminating the time-consuming and labor-intensive task of manually collecting extra incident information from endpoints, allowing your team to mitigate and contain threats faster.

You can gather forensic data by using the Collect Investigation Package action from the Details Panel of any endpoint involved in an incident.

All investigation files are available for download in the Investigation tab of the endpoint's full details page.

Sensors Management

The new Sensors Management dashboard allows you to integrate sensors from all the major cloud service platforms, which enable GravityZone to gather and correlate data into highly-accurate extended incidents.

Currently in its early stages of development and production, this new feature provides integration with the Microsoft Office 365 platform, which will soon be followed by other integrations.

The feature provides integration with the Microsoft Office 365 platform through the Mail and Audit sensors, which boost the detection capabilities by providing metadata about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.

All sensors can be configured and managed as separate sensor integration instances or together as part of the same instance setup.

The Sensors Management dashboard is available as a new tab in the Configuration page.

Extended incidents

The Graph went through a visual update designed to improve the investigation process. It now always indicates the origin of the incident in the Initial Access area, and all exfiltration and command & control activities in the Exit Points area.

The Graph also provides visual representation for new forensic artifacts collected and correlated from Microsoft Office 365 sensors, namely nodes for O365 users and O365 Mail and Audit sensor integration instances.

The new Overview tab displays the most impactful events of an extended incident, condensed in three major areas:

  • Summary - A synopsis of the entire incident, including data on initial access, tactics and techniques used by attackers, and affected organization assets

  • ATT&CK Tactics and Techniques - All the identified MITRE ATT&CK tactics and techniques used in the incident

  • Highlights - The critical alerts from the most impactful steps in the incident kill chain

Patch Management

Maintenance Windows

GravityZone introduces Maintenance Windows in Configuration Profiles, a new and powerful way to configure Patch Management settings outside policies. The Maintenance Windows feature provides you with higher control over patch scanning and patch installation than before, with expanded scheduling options.

In the policy, the old Patch Management module is replaced with a simple interface that allows you to assign the maintenance window you want. You can assign the same maintenance window, created by you or other users, to multiple policies. As a partner, you can create and modify maintenance windows for managed companies.

Upon this release, all Patch Management settings from existing policies will automatically be moved into maintenance windows, and then assigned to each policy accordingly. So, no worries there, your previous hard work is in safe hands.

The Maintenance Windows feature requires a valid license with Patch Management.

Read more about Maintenance Windows


  • Starting with this version, you can no longer configure relays with Patch Caching Server role in the policies of other companies. The Relay and the policy must belong to the same company.

  • The option Auto-restart machine after (hours) for Patch Management has been migrated from the Endpoint Restart Notification section in the policy settings to the new option System restarts automatically after a specific number of minutes in the maintenance window settings. Under the new option, the restart interval has been set to a maximum of 60 minutes, regardless of any previous value.

Linux support

GravityZone extends support for patch scanning and installation to Linux endpoints. For a unified experience, you can use the same maintenance windows and the same policies as for Windows.

Supported Linux distributions for this feature:

  • CentOS

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise (SLE)


Unlike for Windows, Patch Management for Linux endpoints does not require Relay role to use the Patch Caching Server role. Instead, the security agent downloads the updates directly from vendors’ websites.


This feature will be operational with the next release of Bitdefender Endpoint Security Tools for Linux.

Threats Xplorer

The export functionality is now available in Threats Xplorer. You can use this new option to access and manage the centralized data outside GravityZone Control Center, according to your needs. The security events are exported in the widely available CSV format, making them easier to import into other software programs tailored for your business.


Antiphishing Activity report

The Antiphishing Activity report is now capable of organizing Antiphishing detections and affected endpoints based on different criteria. The new features focus on underlining possible security issues in your network while helping you achieve an effortless analysis.

The report now includes:

  • Top 10 domains blocked on endpoints, which details the most frequently detected domains.

  • Top 10 affected endpoints, which informs you about the endpoints that have the most Antiphishing detections.

  • Affected endpoints, which presents the total number of endpoints with at least one detection.

  • Total detections, which provides the total number of phishing detections on all endpoints.


After this update, the last instance of the scheduled report will no longer be available in the View report column. To access the archive containing all instances, select the report, click Download and then select Full archive from the drop-down menu.

Security Audit report

The new improvements simplify the analysis of Antimalware detections in the Security Audit report. The report now classifies the Antimalware detections and affected endpoints based on different criteria as follows:

  • Top 10 malware by number of endpoints, which details the most frequent Antimalware detections.

  • Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detections.

  • Endpoints, which presents the total number of endpoints with at least one Antimalware detection.

  • Detections, which provides the total number of Antimalware detections on all endpoints.


  • GravityZone now supports multiple standard products. Products added to the same company must be compatible.

  • The My Company page has been reworked and restructured. The page now provides an improved overall company management experience.

  • Notifications regarding reaching or exceeding a license limit or a license expiring have been modified. Changes include:

    • Notification recurrence

    • Customized information for companies with multiple licenses


Bitdefender MDR for MSPs

As a Managed Service Provider (MSP) you can now benefit from automatic provisioning and billing for the Managed Detection and Response (Bitdefender MDR) service, offering you and your customers protection through outsourced cybersecurity operations 24 hours a day, every day of the year. The Bitdefender MDR service combines cybersecurity for endpoints, network, and security analytics with the threat-hunting expertise of a SOC fully staffed by security analysts from global intelligence agencies.

This service is available in two flavors:

  • Bitdefender MDR Advice - retain full control over end customer environments, with the MDR team acting as a trusted advisor, providing curated recommendations to equip your team to respond to customer incidents.

  • Bitdefender MDR Response - benefit from a fully-managed threat hunting solution that includes state-of-the-art prevention and expert response. The Bitdefender MDR Customer Success Team (CST) will effect real-time changes in your customers' environments when security incidents are identified, based on a set of pre-approved actions you both agreed upon.

You can activate, deactivate, or switch between service flavors by editing the company details page.


If you are a Bitdefender Partner, the Bitdefender MDR Service needs to be enabled by Bitdefender. If you are an MSP interested in Bitdefender MDR, please contact your Partner.

  • The New Company and Edit Company pages have been improved. Managing and displaying company licenses has been updated to support multiple licenses.

  • The Licensing section within the add / edit company flow for the Monthly Subscription license option now offers you easier activation and management of the products, add-ons, and services provided by Bitdefender.

  • Use the new Own use section to enable add-ons and services for your own company, and the Reselling section to grant other partners the right to resell products, add-ons, and services.

Public API

  • The Incidents API has new methods for managing custom rules: getCustomRulesList, createCustomRule, and deleteCustomRule.

  • Patch Management is now available through API. For the Maintenance Windows API, the following methods have been added:

    • createPatchManagementMaintenanceWindow

    • getMaintenanceWindowList

    • getMaintenanceWindowDetails

    • updatePatchManagementMaintenanceWindow

    • deleteMaintenanceWindow

    • assignMaintenanceWindows

    • unassignMaintenanceWindows

  • The Companies, Network and Licensing APIs have been modified as follows:

    • Functionality for the getNetworkInventoryItems and getLicenseInfo methods has been changed.

    • The addProductKey and removeProductKey methods have been added.

    • The createCompany, setMonthlySubscription, getLicenseKey, getLicenseDetails, and getCompanyDetails methods have been modified to properly display multiple standard and add-on licenses, and include information and settings on Bitdefender MDR for MSPs.

Resolved issues


Fixed an error that in some particular cases was preventing incidents from being generated.


Firewall rules are now being imported from GravityZone if the protocol is set to ICMP.

Configuration Profiles

  • Exclusions imported from larger CSV files no longer go under All exclusions, but in your newly-created list.

  • Exclusion lists created by the current user are now displayed only in the My lists section. They will no longer be added to the Default exclusion lists.


You can now search by company in the Add Company page.

Known issues


The License key, License usage and License validity columns in the Companies page will only display a company's first license key for standard products if the company has multiple base products.

November 2021 (Version 6.18.1-2)


  • Improvements made to back end code in preparation for future updates. Changes will have no direct impact on users.

Known issues

  • Starting with version 6.18.1-1, clicking the License key, License validity, Subscription end date or Auto-renewal column headers in the Companies page no longer reorders the list of companies.

October 2021 (Version 6.18.1-1)

Minimum requirements:

  • Security agents: (Windows); (Linux); (macOS)


    Threats Xplorer

    • Threats Xplorer now automatically retains the column size selection and displays it accordingly when you return to the page. Additionally, we have also made several adjustments to the default column sizes for better visibility.

    • Added the new filter and column SHA256 that helps you easily identify a file hash.


    • The New Company page has been improved and the procedure to create a new company has been changed. For more information, refer to Creating companies.

    • Trial companies now start with a GravityZone Elite license equivalent and several add-ons, providing access to additional GravityZone features. For more information, refer to this page.

    September 2021 (Version 6.16.1-7)



    • A new option, Automatically copy the label of the Relay to connected endpoints, if not specified otherwise, is now available in the Configuration > Network Settings tab. This helps you to manage the labels according to your preferences and choose whether the endpoints connected to a relay should inherit its label or not.

    • Agent package names now include the product version.

    • You can now find the GravityZone Cloud version under the What's new section.


    • You can now automatically resume on-demand scan tasks using the Resume scan after product update option. To enable this, select the option checkbox from the Options > Miscellaneous section when you create or edit a scan task.

    Network Protection

    • You can now enable Scan SSL for RDP protocols.

    September 2021

    Resolved issues

    Executive Summary

    • In some situations, generating an Executive Summary report resulted in crashes for companies with an exceptionally high number of events.

    • In some cases, generating the Executive Summary PDF file led to crashes. The issue is now fixed.

    • The Monitoring section failed to display its subsections when hovering over it while the GravityZone menu was collapsed.


    • The Allow endpoints to send user login data to GravityZone option was not properly inherited from the main policy.

    August 2021

    New features

    Executive Summary report

    • The new report focuses on improving data accessibility while centralizing key security information from the Executive Summary page. You can easily export, schedule, and download the report from both the Reports and Executive Summary sections.


    GravityZone platform

    • To help you monitor, analyze and quickly identify valuable information we are introducing Executive Summary as the new landing page for GravityZone Control Center. You can adjust this setting to your preference at any moment from the My Account section.

    July 2021

    New Features

    Container Protection

    Bitdefender protection is now available for container environments. Container Protection monitors both the operating system on the host and running containers, providing server workload EDR and anti-exploit and antimalware scanning services based on licensing.

    The feature offers visibility into Linux server and container workload malicious activity in real time and a clear understanding of attack risk exposure at each stage of the attack. It detects complex attacks early with Linux native exploit detection technology and performs threat-hunting campaigns using the GravityZone EDR event search. Once licensed, you can deploy Container Protection through two solutions:

    • BEST for Linux v7 deployed directly on a container host.

    • Security Container instance deployed on a separate container that protects both the host and its managed containers.

    This new feature comes with a new report, Security Container Status, which helps you identify any issues that a specific Security Container might have, with the help of various indicators such as Update Status, Upgrade Status and more.

    A new notification is also available, Security Container Status Update, informing you when the product update status changes for a Security Container installed in your network.


    Advanced Anti-Exploit

    • Advanced Anti-Exploit feature is now available for Linux.


    • Virtual Machines view renamed to Cloud Workload.

    • Containers group added under Cloud Workload containing container hosts and container endpoints.

    • Physical and VM container hosts now visible under Computers & Virtual Machines.


    • Monthly License Usage report now contains Container Protection information.

    Configuration Profiles

    The Configuration Profiles section under Policies enables you to create and manage customized exclusion rule lists, and assign them to your company policies, thus enabling you to scale the usage of exclusions across your network more accurately, to lower the rate of false-positive events and improve system performance.

    Every exclusion rule you create can be assigned to one or multiple exclusion lists, and every list can be assigned to one or more policies. Furthermore, you can assign multiple exclusion lists to the same policy, for maximum flexibility.


    We fine-tuned the formula for how we calculate the Severity Score, to make it more accurate, by taking into account a wider range of parameters, and incident escalation. We also added new mechanics that allow us to update the formula on-the-fly with new parameters from our evolving correlation technologies.

    June 2021

    Minimum requirements:

    • Security agents: (Windows)


    GravityZone platform

    • Now you can view the names of all active users logged on endpoints running Windows.

      This feature brings changes in the following sections of Control Center:

      • Network – the Network grid includes a new searchable column named Users and the endpoint details window displays a dedicated tab also named Users.

      • Reports – the Network Protection Status report includes a searchable column named Users.

      • Policies – a new check box in General > Settings > Options allows you to enable data collection. The information sent by endpoints to GravityZone includes usernames, login time and the login method.

      This feature can serve you in multiple ways:

      • As a GravityZone administrator, you can use the provided information to reach out to the endpoint users in case you need their input.

      • As a Security Analyst, you can correlate the information about the username with other events from GravityZone or 3rd party systems.

      • As a partner, the user-related information is helpful in situations such as when you create a Monthly License Usage report for audit purposes.

    • Renamed a few elements from the following sections:

      • Threats Xplorer - the columns Device name and Device type are now Endpoint name and Endpoint type.

      • Network - the column Machine type is now Endpoint type.

      • Executive Summary - the Threats breakdown by machine type widget is now Threats breakdown by endpoint type.

    • The User Activity page now shows whether a user has logged in to GravityZone from a third-party platform with which it is integrated.

    • The cleanup rules for offline machines are now more flexible:

      • Name patterns can contain the question mark (?) as wildcard.

      • Name patterns can have any length and no longer require a letter at the beginning. For example, you can use only the asterisk (*) to disregard the machine name.

      • You can select targets that are offline for less than 24 hours or more than 90 days. The cleanup rules will run hourly for machines offline less than a day, and daily for the other ones.

      • The target selection now covers Active Directory inventory as well.

      You can use name patterns of any length.

      Improved the offline machines cleanup rules so that you can now use the question mark (?) as wildcard and select targets that are offline for less than 24 hours.


    • GravityZone extends the endpoint-based threat detection capabilities of the traditional EDR by incorporating network incidents, to successfully counter advanced threats no matter where they emerge in the infrastructure: on endpoints, network or in the cloud. This new EDR component combines the most advanced prevention capabilities, low overhead cross-technology correlation capabilities and Network Traffic Analytics to boost the cyber resilience of your organization.

      In this new light, the Incidents page has been enriched with the Extended Incidents tab, to display all organization-wide incidents which require further investigation.

      The new graphic representation of extended incidents makes it easy to view and investigate the evolution of a complex attack within your network:

      • It includes a detailed timeline of events, displaying the network point of entry, evolution over time, lateral movement and communication with outside agents.

      • It correlates events gathered by Endpoint Detection and Response and Network Traffic Analysis technologies.

      • It associates extended incidents with any detected endpoint incident that makes a potential staged attack.

    • Concurrently, if you are using a third-party ticketing platform or a PSA solution, you will enjoy an enhanced experience through the new redirect links. Clicking on the embedded links will either:

      • direct you to the Endpoint Details page in GravityZone, when you are working on a security incident.

      • direct you to the Incidents section of that specific incident ID in GravityZone.

    Threats Xplorer

    • The available filters now dynamically adjust to your company's license type. This way, you can quickly use search and filtering criteria relevant to your company and obtain better results.


      The filters and detection events are available up to 90 days after you change the protection layers. Following this period, the events are deleted and the filters automatically reflect the available features according to your license key.


    • The HyperDetect Activity report now includes the exact name of the detected threat and the file hash.


    • The Network > Packages section now includes a macOS downloader, which makes it easier for you to install the security agent on different Mac architectures, whether they are Intel x86 or ARM. The new downloader automatically detects the processor type, then downloads and installs the right kit for that specific architecture.


    • From now on GravityZone is also available in Turkish.

    Product documentation

    • A unified self-service support experience with the new online help center. All GravityZone help content that was included in PDF guides, knowledge base articles and release notes is now under one roof, in a more digestible format. Currently it is available only in English; localizations will follow soon.

    Public API

    • Network API: The result of the GetNetworkInventoryItems method now includes the policyId and moveState fields.

    Resolved issues


    • An overflow of records in the CVEs inventory collection downturned the Indicators of Risk query.

    • The Risk Management data removal step from the Security Risks > Devices section was skipped when BEST uninstall presented errors. The device still appeared to be present in the devices listed with vulnerabilities.

    • Following a Risk Scan, the Risk Management module displayed users as having a high severity score, even if the human risks had been fixed through a previous Risk Scan.

    Patch Management

    • Previously installed patches were not displayed in GravityZone after manually rebooting a Virtual Machine.

    MSP > Partners

    • The Reconfigure Task failed when trying to add the Exchange module to endpoints from two different companies - with the same configuration - and displayed the error message "Task could not be created. Some task settings could not be applied to all selected product types".

    May 2021

    New features

    Threats Xplorer

    Threats Xplorer offers you a highly increased visibility over the detected threats in your network and helps you perform a concise security analysis. The feature centralizes detection events from multiple GravityZone technologies and classifies them by category, threat type, remediation actions, and many others.

    Threats Xplorer makes it easy to identify and analyze threats by providing you with:

    • A wide variety of customizable columns with detailed information

    • Diverse filtering and search criteria

    • Detection events from various modules centralized in a single list

    • Infinite scroll functionality for seamless interaction


    Executive Summary

    Executive Summary now provides you with the possibility to explore multidimensional data, by browsing from a statistical level to a more granular and detailed view.

    The new drill-down capability helps you navigate instantly from widgets to specific sections of the Control Center. Each section displays complex information in a customized way so that you can identify and analyze with ease the aspects you are interested in.

    April 2021


    GravityZone platform

    Control Center leaves the old blue theme behind and comes with a couple of readability and usability improvements such as:

    • Replaced the scroll bar from the main menu with the More button to reveal additional items.

    • Increased the font size for lower screen resolutions.

    • Removed the top blue bar to make room for actual data.

    • Increased the contrast to the top banner for alerts.

    The Update Security Server task has two options now, for each type of update you can run, when available:

    • Feature update, for installing new Bitdefender features, improvements and fixes, and security fixes

    • Run the task with this option to bring the OS of the Security Server to Ubuntu 20.04 LTS, the only supported version until new upgrade.



    The grid in the Network page now includes new columns and several improvements, designed to help you better identify and find endpoints in the inventory:

    • Name. It can now display the MAC address appended to the hostname, to uniquely identify endpoints that may have the same hostname or IP address.

      You need to enable this option in the Configuration > Network Settings > Network Inventory settings page.

    • Machine type. It shows whether the endpoint is a server or a workstation.

    • OS type. It displays the type of operating system installed on the endpoint.

    • OS version. It shows the version of the operating system installed on the endpoint.

    • Last Seen. It now allows you to filter endpoints that were online in the last 24h, 7 days or 30 days.

    When creating an installation package in the Packages page, you now have the option to choose the operation mode of the security agent:

    • Detection and prevention, which allows you to choose the modules to include in the package, and to enable their full capabilities.

    • EDR (Report only), which creates an EDR package with a predefined list of modules, their functionality being limited to report-only actions. The package includes the following modules:

      • Advanced Threat Control (ATC)

      • EDR Sensor

      • Network Protection (Content Control, Network Attack Defense)


      Available only with GravityZone Business Security Enterprise, GravityZone Business Security Enterprise Plus, and GravityZone Cloud Security for MSP.

    Security Telemetry

    New options for configuring Security Telemetry:

    • Bypass validation of the SSL certificate on HTTP collector, in case your HTTP collector uses a self-signed SSL certificate.

    • Granular event type selection, if you are interested in sending to the SIEM only certain types of events.


    • The App Vulnerabilities details panel now allows you to view the devices impacted by a vulnerable application discovered in your environment.

      When you select a vulnerable application and click the View Devices button it will take you to the Devices section and display a list of all impacted devices.

    Email Security

    • You will now know when the GravityZone Security for Email license expires. Just make sure to enable the notifications in the Notifications page.


    • The Incidents page now displays suspicious events in the Endpoint Incidents tab, and events detected by prevention technologies, in the Detected Threats tab.

    Public API

    • Packages and Network APIs: Added the productType parameter to createPackage and createReconfigureClientTask methods. This parameter is optional and states the operation mode of the agent: EDR (Report only), or Detection and prevention.

    • Event Push Service API:

      • The taskType parameter for Troubleshooting activity notification is now a string and can have the following values: Gather Logs and Debug Session.

      • Enforced TLS 1.2 encryption.

      • Enforced the use of an authorization header when selecting JSON-RPC format.

    Resolved issues

    Patch Management

    • Completed Patch install tasks could not be deleted from the Tasks page, returning the error "Items you selected cannot be deleted".

    February 2021

    Minimum requirements:

    • Security agents: (Windows); (Linux); (macOS)

    New features

    Apple M1 support

    Added support for Apple M1 processors. A separate installation package for endpoints, named macOS kit (Apple M1), is available for download in the Network > Packages section. The previous Mac kit has been renamed macOS kit (Intel x86) and is only compatible with Intel-based Macs.

    The following protection modules are supported on M1-based systems:

    • Antimalware

    • Device Control

    • Content Control

    • Full Disk Encryption

    Support for other features will be added in time.


    New kits will not install on OS X El Capitan (10.11). For details about the end of support for this legacy macOS version, refer to this topic.



    Added a new wildcard option when defining custom exclusions for files, folders, and processes. You can now use double asterisks (**) for replacing any character, including path separators (\). For example, with **\example.txt you can match any file named example.txt, regardless of its location on the endpoint.

    The option is available in both Control Center and Power User policy settings, under Antimalware > Settings > Custom Exclusions section.


    The single asterisk (*) substitutes zero or more characters between the path delimiters (\).
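The difference between the two wildcards matters when reviewing exclusions, because a `**` pattern can exclude a file name everywhere on disk, including folders any user can write to. The sketch below is an added example, not Bitdefender code: it models the `*` and `**` semantics as described above and audits patterns against constructed sample paths. Whole-path, case-insensitive matching and the list of user-writable folders are assumptions.

```python
import re

def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion pattern into a compiled regex.

    '**' -> any run of characters, path separators (\\) included
    '*'  -> zero or more characters, none of them a path separator
    Every other character is matched literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Assumption: the pattern must cover the whole path, ignoring case.
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def is_excluded(pattern: str, path: str) -> bool:
    """True when the whole path is covered by the exclusion pattern."""
    return exclusion_to_regex(pattern).fullmatch(path) is not None


# Constructed sample paths, standing in for an endpoint file inventory.
SAMPLE_PATHS = [
    r"C:\Program Files\Acme\bin\example.txt",
    r"C:\Users\alice\Downloads\example.txt",
    r"C:\Users\alice\AppData\Local\Temp\example.txt",
    r"C:\Build\out\example.txt",
    r"C:\Build\out\deep\example.txt",
    r"C:\Build\example.txt.exe",
]

# Assumption: folders treated as user-writable for this review.
USER_WRITABLE_MARKERS = ("\\downloads\\", "\\appdata\\local\\temp\\")


def audit(patterns, paths=SAMPLE_PATHS):
    """Return {pattern: {"matches": [...], "user_writable": [...]}}.

    "user_writable" lists the excluded paths that sit in a folder an
    unprivileged user can write to; those deserve a second look.
    """
    report = {}
    for pattern in patterns:
        hits = [p for p in paths if is_excluded(pattern, p)]
        risky = [p for p in hits
                 if any(m in p.lower() for m in USER_WRITABLE_MARKERS)]
        report[pattern] = {"matches": hits, "user_writable": risky}
    return report


if __name__ == "__main__":
    rules = [r"**\example.txt", r"C:\Build\*\example.txt"]
    for rule, result in audit(rules).items():
        print(rule)
        print("  excluded paths      :", len(result["matches"]))
        print("  in user-writable dir:", len(result["user_writable"]))
```
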

    Network Inventory

    New options to avoid duplicates of cloned endpoints are available in Configuration > Network Settings:

    • Select Applies to cloned physical endpoints that are joined in Active Directory to resolve cloned HDD drives from decommissioned machines.

    • Select Applies to cloned virtual endpoints that are joined in Active Directory to resolve clones created using VMware Instant Clones.

    MSP & Partners

    • Changing the product type in the company configuration page triggers a warning message that recommends users to reconfigure the security agents accordingly before the existing product expires on endpoints.

      The new notification Product type has changed reminds users of the same details and is sent seven, three and one day before the grace period ends.

    • The Monthly License Trial license type now includes Bitdefender EDR feature, so you can enjoy the full GravityZone experience.

    Sandbox Analyzer

    Increased the length limit for detonated URLs from 500 to 1000 characters.


    • The Antiphishing Activity report provides more clarity as it now includes the action taken on each event (Blocked or Detected), when clicking the number in the Detected Websites column. The action is also specified in the Antiphishing event notification.

    • The Security Audit report includes a new event type, Detected Website, which is available in the report details and in the CSV file.

    Resolved issues


    Fixed a minor issue where Customer companies could select another company in the network when creating an installation package.

    MSP & Partners

    Fixed an issue where Partner companies with Monthly License Trial could not create trial child companies because of missing Product Type options.

    September 2020

    New features

    Security Telemetry

    • We now offer you the possibility to obtain raw security data from your endpoints right into a SIEM solution. Use this feature if you need a deeper analysis and correlation of the security events in your network. Because we care about system performance and a low footprint of exported data, we are filtering out redundant information.

    Check out the new General > Security Telemetry section of the security policy to enable and configure this feature, and the endpoint’s Information page to verify the connection status between the endpoint and the SIEM.


    Available only for Windows endpoints and Splunk via HTTPS (TLS 1.2 or higher required).



    • New widgets in the Risk Management dashboard to show you how many users and devices were scanned across your network.

    MSP & Partners

    • As a Bitdefender Partner, you can now disable seat reservation for Partner companies. The option is available unless the company has minimum usage configured.

    • As a Partner with monthly subscription, you will have access to a more detailed view of the GravityZone Security for Email activity in the dashboard of the companies under your direct management (Example: see the sender/receiver/attachments etc).

    • Added an error message when trying to move a company with minimum usage under a Partner with fewer license seats.


    • Forget about redeploying the agent to apply a fix from an update. Just run the new Repair task in the Network page.


    • The new notification Partner Changed informs you when a managed company has moved under a different Partner.

    • License Usage Limit Has Been Reached now includes the list of endpoints left unlicensed within the past 24 hours because the license limit was exceeded.

    Public API

    • EDR events are now available via Push API in JSON, CEF and Splunk formats. For this purpose, we added new-incident to subscribeToEventTypes. For more information, refer to the GravityZone API documentation.

    • getInstallationLinks and downloadPackageZip now provide full installation kits.

    • As Bitdefender Partner, you can now remove slot reservation for all child companies with one API call. For this purpose, set the new parameter removeReservedSlots in setMonthlySubscription.

    March 2020

    New features

    Single sign-on (SSO)

    Added single sign-on (SSO) authentication capability using the SAML 2.0 standard. The SSO options are available as follows:

    • In the new Configuration > Authentication Settings page, for your company.

    • In the Companies page, for companies you manage.

    • In the Accounts page, for GravityZone users.


    The GravityZone Bitdefender Security bundle now includes the Incidents feature, where we provide the Root Cause Analysis of threats detected and blocked by our preventive technologies, with complex incident filtering options and graphic representation of incidents, as well as isolation, blocklisting, and remote connection capabilities.



    EDR introduces the Scan for IOC technology, enabling you to scan your environment for known indicators of compromise in real-time and generate detailed reports.

    The Incidents page went through a significant visual and functional transformation, enhancing your experience when analyzing threats in your environment, as follows:

    • The new Overview bar displays open incidents, top alerts, techniques and affected devices, as well as specific filtering capabilities

    • The incidents list is now a fully customizable filterable grid with add/remove columns, for easier content management.

    • The Change Status menu introduces the option to mark incidents as false-positive and leave bulk notes for later consultation.

    • The detailed information for each incident, and their graphic representation and timeline, are now available in quick view mode.

    • The Graph tab unravels a multi-phase representation of staged attacks, as well as in-graph search capabilities.

    • The Node Details panel is now grouping information into more meaningful categories. Above that, the panel is fully expandable, to improve readability.

    Endpoint Risk Analytics

    • Endpoint Risk Analytics introduces the remediation of Common Vulnerabilities and Exposures (CVEs) of applications currently installed in your environment.

    • The Risk Management dashboard has been completely redesigned to improve visualization and enhance your experience while assessing the overall level of risk your company may be facing.

    • The company risk score is now calculated by taking into account a wide list of indicators of risks and known application vulnerabilities, showing you its evolution in time.

    • The new score breakdown, and top misconfigurations and vulnerable application widgets make it easier to see where your environment is more vulnerable to attacks and which devices are affected the most.

    • The devices by severity widgets show you exactly how impacted the servers and workstations under your management are by risks and vulnerabilities.

    • The new Security Risks page provides complex filtering options for indicators of risk, application vulnerabilities and devices. Risks in each category can be easily mitigated through the recommendations and actions provided in their Details Panel.

    • The Companies View page is a new feature included in Endpoint Risk Analytics for MSP, providing a comprehensive overview of the overall risk faced by every company under your management, making it easy for you to assess and eliminate risks separately for each of your customers.


    You can now configure Security Servers’ cache sharing so that you can enable/disable it or restrict it to Security Servers from the same network. You no longer need to worry about bandwidth consumption between sites. The settings are available in the Configuration > Security Servers Settings page.


    Easily remove installed security solutions from your environment when upgrading to a full product license. The feature is ON by default and will remove any existing security software that creates conflicts when installing the BEST protection modules.

    Network Inventory (MSP only)

    • Partners (Company Administrator and Partner roles) are now able to move endpoints directly between the companies they manage by dragging and dropping endpoints in the Network page.

    • More comprehensive error messages when moving companies under other Partners.


    We eased Firewall configuration with the new option to import and export rules.

    Full Disk Encryption

    You can now set rules to exclude drives from encryption.

    Remote troubleshooting

    • GravityZone introduces Bitdefender Cloud as a new storage option for collected logs.

    • Remote troubleshooting is now available for Security Server Multi-Platform.

    • You can now restart a troubleshooting session while maintaining its previous settings.

    Monthly subscription trials

    Two new trial options: Monthly License Trial (Partners only) and Monthly Subscription Trial. Trial companies have access to all features and add-ons available with GravityZone Cloud Security for MSP. The Monthly License Trial is valid for 45 days and covers 25 endpoints.


    The Monthly License Usage report includes significant enhancements to simplify add-ons billing per usage:

    • Displays usage and status for all add-ons, including the latest ones, such as Patch Management, Security for Virtualized Environments (Virtual Servers and Virtual Desktop Infrastructure), Advanced Threat Security, and Endpoint Detection and Response.

    • Provides more information on each company’s type and monthly subscription and on each endpoint’s installed modules, like Network Attack Defense and Advanced Anti-Exploit.

    • Includes the option to generate the report only for direct companies, ignoring their child companies.

    • The report has some columns renamed. If you use the CSV file to extract usage information into external systems, please see the details here.


    • View portlets in a single scrolling page and update all the information at once using the Refresh Portlets button.

    • Added time filtering for the Endpoint Protection Status, Policy Compliance and Update Status portlets.

    Two-factor authentication (2FA)

    We moved the 2FA settings of your company in the new Configuration > Authentication Settings page.

    What’s New

    Rushing to solve a problem and What’s New gets in the way? No more. We wrapped it gently in a gift box next to the Notifications icon. It will showcase the new features in a compact side panel.

    Amazon EC2 Integration

    Added hourly billing support for the new EC2 instance types.

    Event Push Service API

    • New agent-related events for all supported operating systems are now available via JsonRPC, CEF and Splunk. These events refer to agent installation/removal, endpoint move, and hardware ID changes.

    • Added detection timestamps to antimalware (av) and Advanced Threat Control (atc) events. The field is named BitdefenderGZDetectionTime.

    Removed features


    Removed the Malware Activity report. You can use the Security Audit report instead.


    Removed the Malware Activity portlet.


    Removed support for scanning Mapped Network drives when On-Demand Device Scanning is used.

    Resolved issues

    Content Control

    Policy inheritance did not work for specific web categories.

    January 2020



    Added the following details to the HyperDetect Activity notification:

    • Parent process name

    • Parent process ID

    • Command line (if available)

    Public API

    Bitdefender Partners can now use the Companies API to enforce two-factor authentication. For this purpose, the following methods have been updated: createCompany, updateCompanyDetails and getCompanyDetails.

    Removed features

    Installation kits for Windows Legacy

    We removed all options to download installation kits for Windows legacy versions such as Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

    For more information related to this subject, refer to these KB articles:

    November 2019


    Amazon EC2 integration

    • GravityZone now replicates the instances inventory from region EU Stockholm.

    • The hourly billing engine for AWS Marketplace subscribers now includes all newer EC2 instance types.

    Endpoint Risk Analytics (ERA)

    • Added new Indicators of Risk:

      • Macro settings for Microsoft Office applications

      • Credential storage for several applications including some of the most popular browsers and email management tools out there

    • Added new recommendations to better manage Local Group policies.


    • Updated the Add URL as exception action button to change dynamically into Add IP as exception, when the domain node is an IP instead of a URL.

    Network Inventory

    • A new type of entity in Network Inventory: golden image

      Mark the endpoints you use for creating clones and avoid duplicates in Network Inventory. Keep track of your golden images by using the available filters.


      This feature is disabled by default. To enable it, select Avoid duplicates of cloned endpoints in Configuration > Network Settings.

    • More relevant messages in Control Center when Mac clients have issues. For example, now you know if macOS hasn’t granted the agent permissions such as access to the disk drive.

    Public API

    • You can now check the usage of the following features:

      • Security for Virtualized Environments (Virtual Servers, and VDI)

      • Advanced Threat Security (HyperDetect and Sandbox Analyzer)

      • Patch Management

      • GravityZone Security for Email

      • EDR

      For this purpose, use the getMonthlyUsage method.

    • The getAccountsList method now returns details about 2FA status.

    Resolved issues


    • Incident graph was moving outside the display area when Hide nodes was used.

    • More details button in Navigator menu no longer worked when closing the Node Details panel.

    • Command lines were not displayed properly in the Node Details panel.

    • Adding an exception for a domain node (by clicking the Add URL as exception) would not work when the domain was an IP/Mask instead of a URL.

    • Clicking a notification for a new EDR incident was causing an error.


    • Indicators of Risk lane was not loading in Full-screen mode.

    • Some IOR rules were not being displayed properly in the Device Risk Lane > Details section.

    Email Security

    • Email addresses of previously deleted users were not available to new accounts.

    • GravityZone Security for Email was unavailable to Partners when the Manage Companies rights were missing.

    • Added links to guides in the Help & Support page.

    Device Control

    • Deleting a Device Control exclusion from the policy also deleted the first item in the list.


    • Some texts and images were untranslated.

    Network Inventory

    • Endpoints appeared duplicated in Network Inventory due to system cloning. We introduced a new entity in Network Inventory, called golden image, to avoid such situations. For details, check the Improvements section.


    • Duplicates of some scheduled reports were sent to email.

    October 2019

    Last revised: 2019-10-16

    Minimum agent version:

    Minimum Security Server Multi-Platform version:

    New features

    Email Security

    New GravityZone Security for Email service with complete email flow control and protection against spam, targeted phishing and impersonation attacks. Email administration incorporates management and analytics tools.

    GravityZone Security for Email management provides the following:

    • Deployment through domain MX record redirect.

    • Customizable policy engine to control email delivery and filter messages through a comprehensive rule builder.

    • Company-wide quarantine.

    • Connection rule configuration to monitor connection attempts to or from your mailboxes.

    • Safe and Deny lists configuration for companies or individual users.

    • Mailbox synchronization through Azure Active Directory and manual import.

    • DNS record configuration with support for SPF, DKIM and DMARC.

    The Analytics section delivers:

    • Real-time visibility through email flow charts, rules triggered, and actions taken.

    • Customizable reports for specific events. 

    • Scheduled reports and alerts for specific rules, actions or content

    Network Attack Defense

    A brand-new powerful technology focused on detecting network attack techniques designed to gain access to specific endpoints, such as brute-force attacks, network exploits, password stealers.

    The Network Attack Defense settings are available under the new Network Protection policy section. A specific notification informs you about incidents in your network, while the Network Incidents report will provide more insight about these detections.


    To use the Network Attack Defense module, you need to install it on endpoints. For existing installations, run a Reconfigure Client task with Network Attack Defense selected. For new deployments, edit the installation package to include this module.

    Remote troubleshooting

    The endpoint information page includes a new Troubleshooting tab, from where you can collect basic and advanced logs remotely. You can start a debug session, so that GravityZone collects the logs while the issue is reproducing. This will help our technical support specialists to perform an in-depth analysis of the issue and provide a resolution faster.

    You can save the collected data on a network share, on the target endpoint or on both.


    From now on we speak Chinese!



    Seriously now, you can switch the GravityZone interface to Simplified Chinese, if you please.



    The Incidents page went through a major visual and functional makeover, now providing enhanced investigation capabilities.

    The Graph tab displays the critical path and all side elements in a fit-to-screen vertical tree. Plus:

    • An interactive incident graph behavior with highlight of node and alternate path to endpoint on mouse-over, and same type elements grouped in expandable clusters.

    • The Filters and Navigator floating menus that allow easy customization and navigation of the incident map.

    • New Node Details, Incident Info and Remediation side panels with collapsible sections that provide information for each element, actions and recommendations to mitigate an attack.

    • Suspicious and malicious nodes now display alerts in their details panel, describing what was detected and how it might be exploited, in accordance with MITRE tactics and techniques.

    The Remote Connection tab is now available as an action button on the endpoint node's details panel.

    • Anomaly Detection - a baselining module that spots anomalies in how the system is functioning

    • Network Attack Defense – a new security layer that identifies network-specific breaches

    • Advanced Anti-Exploit – a recently released security layer that detects the most evasive exploits

    • AMSI - detections made by the Windows Antimalware Scan Interface (AMSI)

    Two-factor authentication (2FA)

    With this update, two-factor authentication is enabled by default when creating a company. When disabling 2FA, you will be prompted with a confirmation message before the changes come into effect.

    Company accounts

    MSP partners now have the option to add up to five custom fields in their Monthly License Usage report for storing third party or other custom data and facilitating billing automation.

    A new page is now available under Companies > Custom Fields, with two sections where you can manage and import data for these fields. You can view the custom fields also when creating or editing a company.


    • Integrating new modules to deployed agents is like playing with modeling clay. We have made the reconfiguring process more flexible.

    • You can choose to install Bitdefender security agents without removing the security software from other vendors. This means zero protection gap and faster deployment.

      Just remember, you’re doing this at your own risk. Some security solutions may affect the Bitdefender installation. Once you are protected by Bitdefender, you can manually remove any previously installed security solution.

    Network Inventory

    • Goodbye to unused virtual machines from your network inventory. The new Configuration page offers you the option to schedule automatic cleanup tasks.


    • The new Antimalware > On-Execute section covers Advanced Threat Control and Fileless Attack Protection.

    • Network Protection, another new policy section, exposes the new Network Attack Defense technology and shields the Content Control features.

    • Content Control went through a big transformation as well:

      • The old Traffic, Web, Data Protection, and Applications sections have been re-organized into new General, Content Control, and Web Protection sections.

    • The new Network Attacks section exposes the Network Attack Defense technology and its settings.

    • The new Global Exclusions option, in the General section, replaces the previous separated Traffic Scan and Antiphishing exclusions. During update, the existing policies will be automatically migrated to the new global exclusions.

    • Network Protection replaces the previous Content Control module in the Inheritance Rules settings.

    • The GravityZone reports keep tracking the Content Control features, but also include information on Network Attack Defense.

    • Location-based policies are now aware of the hostname, too. You can define assignment rules based on the endpoint’s hostname.

    • The Indicators of Risk (IOR) have been reclassified into new and more meaningful categories for increased efficiency in risk analysis and management.

    Sandbox Analyzer

    • Results from detonation analysis are available with new information-rich reports in HTML format. These reports contain details such as: malware classification, process-level view, network activity, timeline view, registry keys and mutex objects accessed, file systems modifications, IOC attributes.

    • The Filters area is expanded by default, so it is easier for first-time users to discover all the options available with the submission cards.

    • Under the Submission Type filtering category, the Automatic option has been renamed to Endpoint Sensor.

    Advanced Anti-Exploit

    Three new detection techniques are available: VBScript Generic, Shellcode EAF (Export Address Filtering), and Emerging Exploits. These detections will be present from now on in the Security Audit and Blocked Applications reports. Plus, User Activity now includes logs related to Advanced Anti-Exploit.

    Patch Management

    Added the option to limit reboot postponement to a maximum of 48 hours after new patches are installed. When the set amount of time expires, endpoints will automatically reboot. Endpoint users will receive a notification regarding this action.


    The Endpoint Modules Status report now includes information on Sandbox Analyzer and HyperDetect.


    • MSP partners can enable GravityZone Security for Email and get the usage report via the public API.

    • All GravityZone reports are now available via API as well.

    • We have made some improvements here and there:

      • createReconfigureClientTask is updated with the latest changes

      • getManagedEndpointDetails returns all installed modules on a managed endpoint

      • setMonthlySubscription allows Bitdefender Partners to revoke seat reservation from companies with monthly licensing

      • getQuarantineItemsList has new filtering options

    Resolved issues


    Disabling the Endpoint Issues Visibility option in the Notifications policy section does not disable sub-features as well.


    Some partners were receiving daily License Expires email notifications against their notification settings. We added a new option to filter managed companies that may trigger such notifications.

    March 2019



    • Live Response via Terminal Sessions

      Establish remote sessions with endpoints from GravityZone Control Center and execute commands in real-time on their operating system:

      • Use the Remote Connection tab added to each incident page to establish a terminal session with the involved endpoint.

      • Run commands on the endpoint in the terminal session to remediate the threat immediately (delete files, terminate processes) or collect data for further investigation (list files, processes, registry keys information).

    • Leverage the network isolation action on all Windows operating systems

      The Isolate action for endpoint nodes in incident views is now available for both Windows desktop and server operating systems, whether or not the Firewall module is available on the endpoint.

    • Better visibility on important incidents

      Two new tabs added to the Incidents page help you discriminate between incidents requiring immediate action and the threats already blocked by Bitdefender. All suspicious activity requiring action and investigation appears under the Investigate tab, while the Review tab reveals threats contained by automatic block actions.

    • Select and edit multiple incidents at once

      New option to change the status of multiple incidents at the same time from the Incidents page. You can select multiple incidents while navigating through several entries, and then easily change their status using the Bulk Operations button.

    Full Disk Encryption

    • Encryption on macOS is now performed by FileVault for the boot drive and by the diskutil command-line utility for the non-boot drive.

    • GravityZone now takes ownership of macOS boot drives encrypted with FileVault.

    Sandbox Analyzer

    • You can now submit password-protected archives from the Manual Submission page.

    Windows Defender ATP Integration

    • A new and optimized integration flow based on Microsoft Azure Active Directory, replacing the existing one. If you have an active integration, follow these guidelines.

    • New event types (Process create, User session, and Network connections).

    • Added response actions from Windows Defender Security Center (Trigger remote scan, Isolate machine).


    Future updates related to this integration will be available only for GravityZone Business Security Enterprise. If you want to receive these updates, consider upgrading your GravityZone solution.


    • You can now receive notifications for license usage on servers.

    • Syslog events are now available in Common Event Format (CEF) via Event Push Service API.


    The malware status reported by endpoints is now more accurately calculated and displayed in GravityZone reports and portlets:

    • The Still Infected status has been changed to Unresolved.

    • Removed the reporting interval options containing "last" ("last week" or "last 2 months") from scheduled reports.


      This change affects all existing scheduled reports. You may need to edit your scheduled reports and select another reporting interval option.


    • Improvements in policy assignment and deployment troubleshooting.

    Deprecated features

    • The Malware Activity report has been deprecated. The malware information from this report will be moved to another report in a future update.

    Resolved issues

    • Corrected the error messages displayed when creating the AWS integration with incorrect ARN / external ID.

    • Several minor bug fixes regarding GravityZone Control Center functionalities.

    June 2019

    Last revised: 2019-07-17

    Minimum BEST version:

    Minimum Security Server Multi-Platform version:

    New features

    Endpoint Risk Analytics

    This update brings Endpoint Risk Analytics, a brand-new feature designed for effectively identifying, assessing and remediating endpoint weaknesses. GravityZone exposes this new feature in the following areas:

    • Risk Management policy section, including a risk scan scheduler.

    • New Risk scan task available from the Network page.

    • Risk Management Dashboards, providing several panels with risk information, one-click resolve action per endpoint and recommendations for exposure mitigation.

    Advanced Anti-Exploit

    Powered by machine learning, this new proactive technology stops zero-day attacks carried out through evasive exploits. Advanced Anti-Exploit catches the latest exploits in real-time and mitigates memory corruption vulnerabilities that can evade existing solutions.

    This security layer is pre-configured with the recommended security settings and you can customize it from the Antimalware > Advanced Anti-Exploit policy section.

    You can view Advanced Anti-Exploit events in the Security Audit, Blocked Applications, and Endpoint Module Status reports.


    This security layer addresses Windows-based systems.


    Implemented a new Load Balancing mechanism between Security Servers and the endpoints protected through BEST with Central Scan. You can now choose to distribute the load evenly between the assigned Security Servers.



    • Added full support for incidents detection and response actions, root cause analysis and MITRE events on Linux OS endpoints.

    • Enriched the Search section with several predefined queries, covering the most useful investigation scenarios.

      Improved security event visualization from the Search page:

      • New panel in the Graph area displaying the actions and their states for the selected event node in a single view.

      • New Further Investigation section in the node details area, outlining the additional analysis through Sandbox, Virus Total and Google.

    Sandbox Analyzer

    • Expanded the list of supported file types that can be automatically submitted to Sandbox Analyzer.

    • Added content pre-filtering capabilities for submitting files to the Sandbox Analyzer. This functionality is configurable in a new policy section.

    • Added error messages for failed detonations in the submission card section on the Sandbox Analyzer page.


    • A major increase of the scanning speed in VDI environments due to the new scan cache sharing protocol between Security Servers. To benefit from this feature, allow traffic on port 6379 between Security Servers.

    • Two new statuses for Security Server load: Near overloaded and Near underloaded.

    • New custom exclusion types by file hash, certificate thumbprint, threat name, and command line.

    • Ability to define custom exclusions by using wildcards:

      • Asterisk (*) for one or more characters.

      • Question mark (?) for a single character.

    • New option to add folder exclusions for ATC/IDS. With this release, existing folder exclusions remain configured for On-Access and On-Demand scanning. To add ATC/IDS as well, you need to select the corresponding check box in the Modules column.
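The wildcard semantics listed above, as an added example for reviewing exclusions before they go into a policy (this is not Bitdefender code). It assumes matching is case-insensitive and that a wildcard may span path separators, neither of which is stated on this page; the function names and sample paths are hypothetical.

```python
import re

def exclusion_to_regex(pattern):
    """Compile a wildcard exclusion using the semantics stated in the list above."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")   # asterisk: one or more characters
        elif ch == "?":
            parts.append(".")    # question mark: exactly one character
        else:
            parts.append(re.escape(ch))
    # Assumptions: case-insensitive, and wildcards may span path separators.
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)

def is_excluded(pattern, value):
    """True when the whole value is covered by the exclusion pattern."""
    return exclusion_to_regex(pattern).fullmatch(value) is not None

def audit(patterns, samples):
    """Map each exclusion to the sample values it would cover."""
    return {p: [s for s in samples if is_excluded(p, s)] for p in patterns}

# Constructed sample paths, not taken from any real inventory.
SAMPLES = [
    r"C:\Tools\backup.exe",
    r"C:\Tools\backup1.exe",
    r"C:\Users\alice\AppData\Local\Temp\backup1.exe",
    r"C:\Tools\sub\agent.exe",
]

# Constructed exclusions, from narrow to broad.
PATTERNS = [
    r"C:\Tools\backup?.exe",
    r"C:\Tools\backup*.exe",
    r"C:\*.exe",
]

if __name__ == "__main__":
    for pattern, hits in audit(PATTERNS, SAMPLES).items():
        print(f"{pattern!r} covers {len(hits)} of {len(SAMPLES)} samples")
        for hit in hits:
            print("   ", hit)
```

With "one or more" semantics, `backup*.exe` does not cover `backup.exe`, which differs from shell globbing, and a pattern such as `C:\*.exe` covers every sample, including the copy under a user-writable Temp folder.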

    Security for Storage

    You can now use a secured connection between Security Servers and the protected NAS servers, provided they use SSL over ICAP.


    Optimized the Control Center workspace with the new display modes of the menu: expanded, collapsed (icon view) and hidden.

    Update System

    Replaced the Antimalware signatures with a new method to identify known and unknown malware, called Security Content.

    Resolved issues

    Sandbox Analyzer

    Analysis results from a manual submission could not be retrieved if the proxy was in place.

    Update System

    In Control Center, weekly recurrence for Antimalware updates was resetting upon return, if set only on Sunday. This was only a display issue; the setting was sent correctly to the security agent.


    Removed the ghost folders that appeared on some Partner accounts.


    Security Server Load Balancing – Equal distribution mode had limited functionality. The scan load was not distributed equally between Security Servers.

    Known issues


    • The new custom exclusion types are not available for custom scanning tasks from the Network page.

    • The following exclusion types for ATC/IDS are available only for Windows desktop operating systems:

      • Process with wildcards

      • File hash

      • Detection name

      • Detection name with wildcards

      • Command line

    • Certificate thumbprint exclusions are not available for ATC/IDS.

    View the full list of known issues for GravityZone Cloud platform.

    February 2019


    Sandbox Analyzer

    • New perspective on submissions

      • Advanced reporting interface, in the main menu, offering a single pane of glass view with all samples that were submitted to Sandbox Analyzer.

        The info cards based interface adds detailed information about each submission like:

        • Sample name.

        • Submission time.

        • Submission type – automatic or manual.

        • Source – endpoint name.

        • Analysis result – clean, infected or unsupported.

        • Severity score – shows how dangerous the sample is.

        • Files and processes involved in the sample’s actions.

        Each card includes a link to a submission report, where you get even more data.

      • While displaying all new submissions, the reporting interface shows the old manual submissions made before this update as well.

      • In time, as more functionality is added to it, this reporting interface will replace the Sandbox Analyzer Results report, which from now on has the status deprecated.

      • As an MSP, you see only your own company's submissions in this interface. Submissions of Customer companies are available in the Sandbox Analyzer Results report. Also, with this release, the Sandbox Analyzer Detection notification points to:

        • The new interface for submissions of your company.

        • The Sandbox Analyzer Results report for submissions of Customer companies.

    • New manual submission options

      • You can use these new options when submitting samples:

        • Submit URLs.

        • Define command-line arguments for sample analysis.

        • Set a time limit for analysis execution, the number of reruns and the internet access during analysis.

        • Exclude samples previously analyzed.

      • The Manual Submission page is now accessible from the main menu and from the new reporting interface.

    • User interface improvements for automatic submission in the security policy settings.

    Public API

    • HyperDetect events are now available in Event Push Service API.

    • Improved the mechanism of generating API keys. You will notice significantly longer API keys. The existing API keys continue to work as before this update, but it is recommended to replace them with new ones.

    Resolved issues

    • In some situations, GravityZone administrators could not modify security policies because the Save button was disabled.

    • Improved the error message for AWS integration when using invalid ARN or ExternalID.

    • Addressed a security issue that could affect manual submission to Sandbox Analyzer.

    • Sometimes, Control Center was displaying inconsistent encryption status for the same endpoints.