Bitdefender B2B Help Center

Troubleshooting

Authentication failed when creating first Company Administrator account

Issue

When creating the first Company Administrator account, you may receive the “Authentication failed” error message.

Solution

To solve the issue, check if you are using the latest GravityZone on-premises version. If not, you can download the latest one from here and then try to install it once more.

Should the above steps not resolve the issue, contact the Bitdefender Enterprise Support Team attaching full logs.

GravityZone license validation errors

This section explains how to troubleshoot GravityZone license validation issues.

Issue

Sometimes when you register your Bitdefender license key in GravityZone Control Center, you may encounter the following error messages:

  • No connection to the licensing server.

  • The license is invalid.

Solution

In these situations, ensure that:

  • The connectivity to Bitdefender Licensing Server is working properly.

    Make sure that your border firewall allows the connectivity to the following address and whitelist it if possible: lv2.bitdefender.com

    To check the connectivity:

    1. Open an SSH connection from your GravityZone appliance.

    2. Log in with the username: bdadmin and the password that you have set.

    3. Type the commands below to install telnet and check the connectivity:

      sudo apt install telnet

      telnet lv2.bitdefender.com 443

      If the connection is successful, the result will be similar to:

      9832_1.png

    Note

    If these errors occur when you replace an old license key with a new one, make sure that GravityZone is updated to the latest version.

If the registration process still fails, contact the Bitdefender Enterprise Support team attaching a set of advanced logs to your support ticket.

Black screen in Windows 7 after installing Bitdefender Endpoint Security Tools

This section provides steps on how to resolve the black screen on Windows 7 after installing Bitdefender Endpoint Security Tools (BEST), when using VMware.

Currently there is an incompatibility between BEST and the redirection feature from VMware View agent.

In order to solve the black screen issue, modify the VMware View agent and disable or uninstall PCoIP smart card redirection.

Error 69651. Unable to find a suitable server for domain

This section explains how you can troubleshoot error 69651 received in Control Center.

This error may occur when the agent installation failed.

To fix this issue:

  1. Check the Administrative share and credentials format (when deploying from the Relay: user@domain).

  2. Make sure the appliance can resolve the domain name and domain controller name:

    ping domain_name

    ping dc_name

  3. Make sure the appliance can reach the domain controller on port 389.

    telnet domain_name port

    telnet dc_name port

Verification warnings for Bitdefender Endpoint Security Tools for Windows

This section informs you of the warnings related to Bitdefender's identity, which cannot be verified for a series of GravityZone agents.

After September 17, 2018, when using or trying to install older versions of Bitdefender security agent for Windows, you may receive some errors and warnings about identity trust (see the pictures below), and the operating system may prevent you from installing the kit. This issue occurs because the kit you are trying to use is old and the security certificate used to sign it is no longer valid.

Fig. 1. Warning occurring at local installation, or repair/uninstall via Control Panel

Fig. 2. Warning occurring when trying to fix issues via Windows Security Center (Action Center)

Learn how this issue affects the Bitdefender product versions, and what you can do to address the situation, from the details described herein.

Bitdefender Endpoint Security Tools (BEST)

Version

Lost functionalities

Remediation

6.2.x

Any type of deployment or local installation of these kit versions

For GravityZone on-premises editions

Download and publish the latest kit versions.

For GravityZone cloud editions

The latest kit versions are already available in GravityZone Control Center.

Fix issues via Windows Security Center / Action Center. This means you cannot use this method to update signatures, enable Antimalware or Firewall.

Update the agent to latest version.

Repair or uninstall run via Control Panel or Start Menu.

Note

On Windows 7, they work if you turn off UAC.

6.4.x

The following installation methods:

  • Any type of deployment through a Relay

  • Local installation through Windows Downloader

Note

BEST for Windows Legacy does not support repair and remote deployment.

You can install the agent locally using the full kit.

6.6.1.36 - 6.6.4.68

The following installation methods:

  • Any type of deployment through a Relay

  • Remote deployment through Install task from GravityZone Control Center

  • Installation through Windows Downloader

For GravityZone on-premises editions

Download and publish the latest kit version (6.6.4.71+).

For GravityZone cloud editions

The latest kit version is already available in GravityZone Control Center.

You can install the agent locally using the full kit.

Repair run via Control Panel or Start Menu, if the kit published in GravityZone is one of these versions. This issue persists even if the agent is updated to the latest version (via task or policy).

Endpoint Security by Bitdefender

Important

Endpoint Security by Bitdefender has reached end of life (EOL) as of June 30, 2018. Upgrade to the latest versions of Bitdefender Endpoint Security Tools at your earliest convenience.

Version

Lost functionalities

Remediation

5.1.4.223 - 5.3.36.793

Local installation with full kit or setup downloader.

Upgrade to the latest versions of Bitdefender Endpoint Security Tools.

Repair or uninstall run via Control Panel.

Note

On Windows 7, they work if you turn off UAC.

Fix issues via Windows Security Center / Action Center. This means you cannot use this method to update signatures, enable Antimalware or Firewall.

5.3.36.796 - 5.3.37.798

Repair or uninstall run via Control Panel, only if initially installed using kit version 5.3.36.793 or older.

Note

On Windows 7, they work if you turn off UAC.

Bitdefender Tools for Windows

Version

Lost functionalities

Remediation

All

Remote deployment via GravityZone Control Center.

Install locally using the SYSTEM user.

Installation error codes for Sandbox Analyzer On-Premises

Sandbox Analyzer On-Premises is a powerful antimalware Bitdefender GravityZone solution, designed to analyze suspicious content through different sensors deployed in the enterprise network. Detonation capabilities include file analysis and URL analysis, covering various file formats that are commonly used in advanced attacks.

Although the Sandbox Analyzer On-Premises installation should run smoothly, you may encounter certain errors during the process. This section provides an overview of the most common cases of failed installation and useful tips on how to fix them.

Caution

Before installing the Sandbox Analyzer Virtual Appliance, to prevent errors, make sure that you meet the hardware and software requirements to run such an environment. For details, refer to the Requirements > Sandbox Analyzer On-Premises chapter in the GravityZone Installation Guide.

Error 2001 - An unknown error has occurred during the Sandbox Analyzer installation.

Description

This error may have multiple causes and requires investigation from Bitdefender.

Solution

To identify the cause, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. Learn how to use Sandbox Analyzer LogCollector in Using Sandbox Analyzer LogCollector.

Error 2002 - Could not connect to the Bitdefender Update Server. Make sure the Sandbox Analyzer instance is connected to a network with outgoing internet connectivity.

Description

Installation may fail when the Sandbox Analyzer Virtual Appliance does not communicate with Bitdefender Update Server.

Solution

Verify there is connectivity between Sandbox Analyzer Virtual Appliance and sba-update.bitdefender.net, through port 443.

Error 2003 - Could not find the configuration file /opt/bitdefender/etc/serenity/config/auth_gz.json during installation.

Description

When installing, Sandbox Analyzer Virtual Appliance uses several configuration files. This error indicates that one of these files is missing.

Solution

Deploy the Sandbox Analyzer Virtual Appliance once again. If the issue persists, contact Bitdefender Technical Support.

Error 2004 - Could not find the configuration file /opt/bitdefender/etc/serenity/config/install/serenity.json during installation.

Description

During installation, Sandbox Analyzer Virtual Appliance uses several configuration files. This error indicates that one of these files is missing.

Solution

Deploy the Sandbox Analyzer Virtual Appliance once again.

Error 2005 - Could not validate the license key provided during installation.

Description

This error may have multiple causes and requires investigation from Bitdefender.

Solution

This error may have multiple causes. To identify them, run the Sandbox Analyzer LogCollector and send the logs to Bitdefender Technical Support. Learn how to use Sandbox Analyzer LogCollector in Using Sandbox Analyzer LogCollector.

Error 2006 - Invalid or expired Sandbox Update Server certificate

Description

The error occurs when the certificate used for the Sandbox Update Server has expired or could not be verified.

Solution

Contact Bitdefender Technical Support.

Pending Authentication when trying to license a GravityZone security service

This section explains how to troubleshoot the "Pending Authentication" status occurrence when trying to license a GravityZone security service.

Issue

During the first step of the registration process for Bitdefender GravityZone you can encounter the "Pending Authentication" message.

Solution

For the authentication process to successfully work, you will have to check connectivity to the Bitdefender Licensing Server address: lv2.bitdefender.com

To license Bitdefender GravityZone modules (Security for Endpoints, Security for Virtualized Environments, and Security for Mobile Devices), you have to ensure the following requirements are fulfilled:

  1. You have installed or updated to the latest version of Bitdefender GravityZone. You can check this by logging in to GravityZone Control Center using the root account. Go to the Update tab and check if any newer version is available to update to. If there is one, upgrade the product and retry the authentication procedure.

  2. There is connectivity to Bitdefender Licensing Servers lv2.bitdefender.com. To investigate the connection, open an SSH connection from the GravityZone virtual appliance:

    1. Log in with bdadmin and the password used during the first steps of GravityZone virtual appliance deployment in the virtualization platform.

    2. Type the following commands:

      • sudo su – to have super user privileges

      • apt-get install telnet – to install telnet

      • telnet lv2.bitdefender.com 80 – to check connectivity

        If the connection is successful, you will receive a notification like in the following image:

        32058_2.jpg
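
The telnet checks in this section and in the license validation section only need to show whether a TCP connection can be opened. The following is an added example, not Bitdefender tooling: a bash probe that does the same without installing a package and tells a DNS failure, a refused connection and a silently dropped one apart. It assumes bash and coreutils timeout are present; probe_tcp and check_all are names made up for this sketch.

```shell
#!/usr/bin/env bash
# Added example, not Bitdefender tooling. probe_tcp and check_all are
# hypothetical helper names. Assumes bash and coreutils `timeout`.
#
# Usage: ./gz-probe.sh lv2.bitdefender.com:443 sba-update.bitdefender.net:443

# probe_tcp HOST PORT [SECONDS]  -> prints one word, returns a matching status
#   open    (0)  TCP handshake completed
#   closed  (1)  refused or unreachable (no listener, or a rejecting firewall)
#   timeout (2)  no answer in time (typically a firewall dropping packets)
#   dns     (3)  the name did not resolve, no connection was attempted
#   invalid (4)  host or port contains unexpected characters
probe_tcp() {
  local host=$1 port=$2 secs=${3:-5} rc=0

  # Validate before anything is handed to a child shell.
  case $host in ''|*[!A-Za-z0-9.-]*) echo invalid; return 4 ;; esac
  case $port in ''|*[!0-9]*)         echo invalid; return 4 ;; esac

  # Resolve names first so a DNS problem is not misread as a blocked port.
  # IPv4 literals (digits and dots only) skip this step.
  case $host in
    *[!0-9.]*)
      timeout "$secs" getent ahosts "$host" >/dev/null 2>&1 || { echo dns; return 3; }
      ;;
  esac

  # bash opens a TCP socket when /dev/tcp/HOST/PORT is redirected. Host and
  # port travel as positional parameters, never inside the command string.
  timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null || rc=$?

  case $rc in
    0)   echo open;    return 0 ;;
    124) echo timeout; return 2 ;;  # exit status of timeout(1) when the limit is hit
    *)   echo closed;  return 1 ;;
  esac
}

# check_all "HOST:PORT ..." [SECONDS]
# Prints one result line per endpoint and returns how many were not "open".
check_all() {
  local ep host port state failed=0
  for ep in $1; do
    host=${ep%:*}
    port=${ep##*:}
    state=$(probe_tcp "$host" "$port" "${2:-5}") || failed=$((failed + 1))
    printf '%-8s %s\n' "$state" "$ep"
  done
  return "$failed"
}

# Runs only when endpoints are given on the command line.
if [ "$#" -gt 0 ]; then
  check_all "$*"
fi
```

A result of open shows that the TCP handshake completed, which is the same thing the telnet test shows. A result of timeout rather than closed usually points at a firewall rule that drops the traffic.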

Protection module expired

In this section you will learn how to troubleshoot protection module expiry issues in GravityZone.

If you encounter endpoints with one or more expired protection modules, follow these steps:

Check the total number of available license seats

  1. Navigate to My company from the upper-right corner of Control Center.

  2. Under License check the Expiry date and Available seats for install.

  1. Navigate to License section from the lower left corner of Control Center.

  2. Under License check the Expiry date and Available seats for install. As GravityZone products are available through various licensing options, it is important to know the type of license that you have and to make sure that its specifications meet your network size.

Ensure endpoint communication with the Communication Server

If endpoint communication is configured through a relay, or if it has a Security Server assigned, make sure that the communication channels are not restricted.

You can find a list of all the required ports and addresses in the GravityZone Communication Ports article.

Roles installation issues

This section provides more details about how to troubleshoot roles installation.

Overview

GravityZone appliance can run one, several or all of the following roles:

  • Database Server

  • Update Server

  • Web Console

  • Communication Server

The GravityZone virtual appliance is available for download here.

A GravityZone deployment requires running at least one instance of the above listed roles. Depending on GravityZone roles distribution, you will run one to four GravityZone appliances (or even more when Role Balancers are being used).

You can install multiple instances of the Communication Server role or Web Server role and connect them to other roles via Role Balancers. The built-in Role Balancer cannot be installed together with other roles on the same GravityZone appliance. If you already have third party balancing software or hardware within your network, you can choose to use them instead of the built-in balancers.

GravityZone roles are installed through the CLI using the option 5 Install/Modify roles.

Database Server and Update Server packages are stored by default on the virtual appliance. You can install them without Internet connectivity.

Troubleshooting

If the roles installation fails, check the following:

  1. Internet connectivity to download.bitdefender.com server using ping download.bitdefender.com or wget download.bitdefender.com commands.

  2. Your border firewall allows connectivity to download.bitdefender.com and does not block the .deb files.

  3. Check GravityZone proxy settings configuration (if needed). The connectivity to download.bitdefender.com through a proxy can be checked with the following commands:

    • Proxy with authentication:

      wget http://download.bitdefender.com -e use-proxy=yes -e http-proxy=http://username:password@PROXY-IP:PROXY-port

    • Proxy without authentication:

      wget http://download.bitdefender.com -e use-proxy=yes -e http-proxy=http://PROXY-IP:PROXY-port
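
The authenticated form of the wget command above puts the proxy password on the command line, where it is visible in the process list and ends up in shell history. The following is an added example, not Bitdefender tooling, that runs the same check against download.bitdefender.com with the credentials in a private temporary wgetrc instead. The function names are made up for this sketch, and wget and mktemp are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not Bitdefender tooling. write_proxy_wgetrc and
# check_download_via_proxy are hypothetical helper names.
#
# Usage (the password is typed at a prompt, never passed as an argument):
#   read -rs -p 'Proxy password: ' pw; echo
#   printf '%s\n' "$pw" | check_download_via_proxy http://PROXY-IP:PROXY-port username

# write_proxy_wgetrc PROXY_URL PROXY_USER
# Reads the proxy password from stdin, writes a wgetrc readable only by the
# current user, and prints the path of that file.
write_proxy_wgetrc() {
  local proxy_url=$1 proxy_user=$2 proxy_pass rc_file

  # Accept a final line without a trailing newline, reject an empty password.
  IFS= read -r proxy_pass || [ -n "$proxy_pass" ] || return 1

  # mktemp creates the file with mode 0600; the umask is a second safeguard.
  rc_file=$(umask 077; mktemp) || return 1
  {
    printf 'use_proxy = on\n'
    printf 'http_proxy = %s\n' "$proxy_url"
    printf 'proxy_user = %s\n' "$proxy_user"
    printf 'proxy_password = %s\n' "$proxy_pass"
  } > "$rc_file"
  printf '%s\n' "$rc_file"
}

# check_download_via_proxy PROXY_URL PROXY_USER   (password on stdin)
# Returns wget's exit status; the temporary wgetrc is removed either way.
check_download_via_proxy() {
  local rc_file rc=0
  rc_file=$(write_proxy_wgetrc "$1" "$2") || return 2

  # WGETRC points wget at the private file; --spider requests the page
  # without saving it.
  WGETRC=$rc_file wget --spider --tries=1 --timeout=10 \
    http://download.bitdefender.com || rc=$?

  rm -f -- "$rc_file"
  return "$rc"
}
```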

The troubleshooting log for roles installation is located under: opt/Bitdefender/var/log/installer.log

For further investigations, get the installer.log file from GravityZone machine and send it to Bitdefender Enterprise Support team.

BEST deployments errors on Windows machines

Bitdefender Endpoint Security Tools deployment tasks might encounter different errors while executing. This section provides an overview of the most common cases of unsuccessful deployment tasks and useful tips on how to fix the errors.

In general, deployment tasks fail if the target systems are not compliant with the deployment prerequisites presented in the BEST installation prerequisites KB article. Another common reason for failed deployment tasks is networking-related misconfiguration.

Windows unsuccessful deployment task status messages

The deployment task failed because there is no network connectivity between the GravityZone cluster initiating the deployment task and the target system.

To fix this issue, check the following:

  • The target system is accessible on the network: it has the correct DNS entry, and the assigned IP is not duplicated.

  • The local Firewall on the target system allows File and Printer Sharing traffic (TCP ports 139, 445; UDP ports 137, 138).

  • The target system accepts connections to its admin$ administrative share.

The deployment task failed because the administrator provided the wrong credentials when the deployment task was configured.

To fix this issue:

  • Check that the credentials entered in the deployment task Credentials Manager are the right ones and in the correct format.

  • Check that the provided credentials have administrative privileges on the target system.

The deployment task failed because the target machine could not contact the domain controller to validate the remote administrative share authentication request initiated by the GravityZone deployment processor.

To fix this error, check the target system and make sure it has proper network connectivity with the organization's Domain Controller.

The deployment task failed because the administrative share on the target system is not present.

To fix this issue, on the target system make sure that:

  • File and Printer Sharing protocol is enabled on the network interface.

  • User Account Control is disabled.

  • Server service and its dependencies are running.

The deployment task failed because the installer running on the target system could not contact the GravityZone Web Console role to download the security agent package.

To fix this issue, check the following:

  • The organization’s DNS server can resolve the GravityZone virtual appliance(s) hostname.

  • The target system can contact the DNS server and resolve the GravityZone virtual appliance(s) hostname.

To fix this issue:

  • Disable UAC for Windows 7, 8, 10 and Server 2012.

  • For Windows 8 and above, you must deactivate UAC from the registry as well.

    1. In Command Prompt, type regedit to open the registry editor.

    2. Go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

    3. Set EnableLUA to 0.

Modify failed at update stage because of a connection problem between the client and the update server.

The operation may be retried after the connection is established.

Modify failed at update stage because the downloaded files were corrupted. The operation may be retried after any network problem that might corrupt the files is solved.

Modify failed at update stage because the connection to the update server has timed out. Please try again.

Modify failed at update stage because the update server has not yet synchronized the update locations (the update location hasn't been requested yet by any client; the update server will begin to synchronize it at the first request). Please try again.

Modify failed at update stage because the update server isn't configured to synchronize one of the requested locations. Please try again or contact Bitdefender support.

Modify failed at update stage because of other update errors. Contact Bitdefender support.

Modify failed at stopping services.

The operation may be retried after a reboot. Any other modify attempted before rebooting will return reboot required.

Modify actions failed. Contact Bitdefender support.

Any other modify attempted before rebooting will return reboot required.

Installer.exe was stopped by the update process during a modify, to be able to replace the binary or one of its dependencies without a reboot. A new instance of installer.exe will be automatically started to continue the modify operation when the update finishes.

EpsdkInstaller has had difficulties in getting the modify result from Installer.exe.

Installer.exe returns this error code if the binary file is considered untrusted, blocking installation.

Installer.exe returns this error code if the product installation path contains invalid characters.

Installer.exe returns this error code if any of the installation files is altered, corrupted, or from a different version.

Possible causes:

  • Incorrect function. It can occur when the Firewall is enabled on the Relay and port 7074 is not allowed.

  • Parameter is incorrect. This can occur when the installation kits are not saved on the Relay.

To fix this issue, check the following:

  • DNS entry has been created for the virtual appliance, with the same name as the one entered in the appliance CLI interface (Appliance Options menu). The target Relay can ping the virtual appliance.

  • If internal filters or firewalls are in use, the traffic between the Relay and appliance is excluded.

  • Connection timeouts between the Relay and the GravityZone appliance.

Port 7074 inbound is blocked on the Relay and it must be excluded for internal LAN traffic.

To fix this issue:

  1. Check the Administrative share and credentials format (when deploying from the Relay: user@domain).

  2. Make sure the appliance can resolve the domain name and domain controller name:

    ping domain_name

    ping dc_name

  3. Make sure the appliance can reach the domain controller on port 389.

    telnet domain_name port

    telnet dc_name port

Not enough free space on the selected drive. BEST requires at least 2 GB of free disk space.

This error message usually occurs when another task is in progress. In this case, wait until the task is complete and reboot the server.

The deployment task failed because competitor security software was detected on the target system and the Bitdefender removal routine failed to uninstall it.

This error occurs when the competitor software is password-protected, or when it does not support a silent uninstall function in its uninstall routine.

If the competitor software is password-protected, remove the password protection and retry the deployment task. Otherwise, proceed with manually removing the competitor software.

Error 50: Installation failed! Microsoft .NET Framework 3.5 SP1 or later is required in order to install Exchange Server Protection role.

To fix this issue:

  1. Check if the target machine is online.

  2. Check that the following ports are open:

    • 8443, when deploying from the GravityZone appliance.

    • 7074, when deploying from the Relay.

  3. Check for any filters or firewalls that might block the traffic between the deployer and the target machine.

The provided installation path is a network drive. Installation not allowed on network drives (including mapped drives).

Port 7074 inbound is blocked on the Relay and it must be excluded for internal LAN traffic/file transfer.

The password provided for a maintenance operation does not match the password set at installation.

The installer was started with an invalid command line or no feature was selected to be installed. Valid installer command-line arguments are defined in the Installer parameters section.

Error 112: Installation failed! Not enough space on the disk for the product to be installed.
Error 161: Installation failed! The provided installation path is invalid.
Error 183: Installation failed! Endpoint Security already installed.

Insufficient rights to perform the necessary changes. Make sure the user account that you are using for deployment is a Local/Domain/Network Administrator account that has the ability to perform the requested operation.

Installation process failed to install the Visual C++ 2010 Redistributable dependency for the installer package. To fix this error, manually install the x86 or x64 version of the VC++ 2010 Redistributable package and then try again to deploy BEST.

The product configuration JSON could not be run at the end of the installation.

You can find the supported operating systems in the Endpoint Protection Requirements section of the GravityZone Installation Guide.

The installer cannot load one of its configuration files (install_config.xml, install_x86.xml/install_x64.xml) or cannot find additional.dll.

The installer was run under a user with insufficient privileges.

The installer was run under safe mode.

This error message occurs when there is another task in progress. In such a case, check the other task, wait until it finishes, and then reboot the machine.

If the installation was unsuccessful, you may need to use the uninstall tool to clean up the machine. When uninstallation is complete, reboot and try to deploy one more time.

Installation process fails because the Central Scan option was selected after creating the packages and there is no Security Server selected or installed.

For a successful installation, you must change the scan mode to Local, or add a Security Server.

To fix this issue, run the fix from this Microsoft KB article on the target machine.

Note

You can find the Windows Installer 4.5 redistributable here.

Error 1618: Installation failed! Another installation is in progress.

This error message occurs when there is another task in progress. In such a case, check the other task, wait until it finishes, and then reboot the machine.

If the installation was unsuccessful, you may need to use the uninstall tool to clean up the machine. When uninstallation is complete, reboot and try to deploy one more time.

Installer.exe is not compliant with the operating system architecture.

Error 1638: Another version of this product is already installed. Installation of this version cannot continue. To configure or remove the existing version of this product, use Add/Remove Programs from Control Panel.

Error code returned when the installer runs silent and it needs a reboot to finish its maintenance process.

By default, the reboot will not be performed automatically and the operation will not be resumed automatically.

Cases when installer might ask for a reboot: when removing 3rd party AV products, after scanning before install, after a repair/modify/uninstall operation.

Error 3017: ERROR_FAIL_REBOOT_REQUIRED

A restart action is pending as a result of another maintenance (install, repair, modify, uninstall) operation that required a restart in order to finish correctly. The error code indicates that the current maintenance operation cannot continue until the restart is performed. Another case when this code is returned is when the repair or uninstall fails and will try again after a reboot.

The deployment task failed because:

  • There is another deployment task already running on the target system.

    In this case, let the other deployment task finish executing.

  • A previous deployment task failed due to a crash of a process it depends on, causing the Bitdefender temporary deployment service to remain registered on the target system.

    In this case:

    1. Log in to the target system as administrator.

    2. Open a Command Prompt window and execute the following commands:

      C:\> sc stop bddepsrv

      C:\> sc delete bddepsrv

    3. Reboot the machine and retry the deployment task.

In addition to these scenarios, depending on different anomalies of the operating system on the target machine, the deployment task can return a generic Windows Installer error code. For more details about Windows Installer error codes, refer to this Microsoft KB article.

IPV6_NOT_SUPPORTED - IPv6 not supported. Please use the IPv4 protocol.
INSTALATION_IS_TAKING_MORE_THEN_EXPECTED - Installation is taking more than expected. Configure the installation task by unchecking "Scan before installation" option (if checked) and run the task again.

Check if the package in question exists in the Network > Packages page of the Control Center.

To fix this error, delete and recreate the package.

VM_IS_SVA - The target machine is a Security Server. Cannot deploy the agent on Security Server.
VM_TOOLS_NOT_INSTALLED - VMware Tools are not installed. Install VMware Tools on target machines and run the task again.
VM_TOOLS_NOT_RUNNING - VMware Tools are not running. Please check the VMware Tools status on target machines. VMware Tools is required for security agent deployment to work.
CAN_NOT_DETERMINE_VM_TOOLS_STATUS - Cannot determine the VMware Tools status. Please check the VMware Tools status on target machines. VMware Tools is required for security agent deployment to work.

Check the following information:

  • The username and the password configured in Control Center are correct: Log in to vSphere Client with the same credentials or try using another account.

  • The user provided for VMware integration has vCenter Administrator permissions.

This error occurs when deploying the security agent on virtual machines.

To fix the problem, change the following registry entries:

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > lanmanserver > parameters > size to 3

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > Session Manager > Memory Management > LargeSystemCache to 1

Cause:

  • The full kit is being run from within the archive

  • The installer.xml file is not located right next to the full kit

  • The full kit is unable to read installer.xml when the files are both located on a network drive

Solution:

To resolve this issue, ensure that both the installer.xml and the full kit files are unpacked and set to run from the local drive.

Blue Screen Of Death caused by BEST

The purpose of this section is to assist the Bitdefender customers using GravityZone in solving the Blue Screen Of Death (BSOD) issues after installing Endpoint Security or BEST on one of the following operating systems:

  • Windows Vista with Service Pack 2 (SP2)

  • Windows Server 2008 with Service Pack 2 (SP2)

  • Windows 7

  • Windows 7 with Service Pack 1 (SP1)

  • Windows Server 2008 R2

  • Windows Server 2008 R2 with Service Pack 1 (SP1)

Introduction

Endpoint Security and BEST use the Windows Filtering Platform API in Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista. This issue occurs because the FwpsStreamInjectAsync0 function in the API causes the Interrupt Request Level (IRQL) to leak. The FwpsStreamInjectAsync0 function injects TCP data segments into a TCP data stream.

The BSOD event is mostly random and it involves the Endpoint Security endpointservice.exe / BEST epsecurityservice.exe service that is using Windows Filtering Platform Callout Drivers and calls the FwpsStreamInjectAsync0 function that in its default state is vulnerable to injections.

Resolution

If you have encountered this issue and you have one of the operating systems specified, follow this Microsoft knowledge base article related to this issue: Computer stops responding when you run an application that uses the Windows Filtering Platform API in Windows 7, Windows Server 2008 R2, Windows Server 2008, or Windows Vista.

In this article, Microsoft provides you with a hotfix that helps you solve this issue.

The hotfix does not replace any other hotfixes and does not require manual editing of the registry keys. Still, the hotfix requires a reboot.

After installing the hotfix, make sure to update your operating system.

“Web Installer error!” when installing Bitdefender Endpoint Security Tools for Windows

In this section, you will learn how to troubleshoot “Web Installer error!” in Bitdefender Endpoint Security Tools for Windows.

Context

To install the security agent, you have to create an installation package in Network > Packages page within Control Center, then download it and run it manually, or through remote deployment on the target endpoint. You can choose from two types of installation files, the full kit installation file, or the Windows Downloader. When you choose Windows Downloader, you download a full installation kit from the Bitdefender cloud servers.

Issue

When you run the installation file, you may encounter a Web Installer error, seen in the screenshot below.

16212_1.png

Solution

The following table presents the most common issues in which you receive the Web Installer error and their correspondent solutions. The table contains minimum instructions on how to rename, create, download, and run installation packages, or how to run an installation task. For more information, refer to the Installing Security Agents chapter in the GravityZone Installation Guide.

Issue: The original name of the installation file has been changed.
Solution: Make sure that the installation file name is not changed in any way.

Issue: The installation file was truncated after it was downloaded through Microsoft Edge or Internet Explorer.
Solution: To download the installation file, use another browser of your choice, such as Google Chrome and Mozilla Firefox.

Issue: The package created in Control Center has been deleted, or the company associated with it has been removed. This issue is exclusive to Bitdefender Cloud solutions.
Solution: The installation file is associated with a package and a company in Control Center. You can download an installation file from an existing package, or from a new one.

Issue: The deployer is no longer available, unreachable, it has been decommissioned, or its IP address has been changed. This issue is exclusive to remote deployments of the security agent.
Solution: To resolve this communication issue, create an installation package and run a remote installation task.

Issue: The installation file has been downloaded before an installation package was created. This issue is exclusive to Bitdefender Cloud solutions.
Solution: Create an installation package before you download the installation file.

Bitdefender system extension blocked on macOS High Sierra (10.13) and later

Bitdefender Endpoint Security for Mac uses macOS system extensions (also known as kernel extensions) to ensure protection cannot be tampered with and to provide Content Control and Device Control functionality.

Starting with macOS High Sierra (10.13), user approval is required for loading kernel extensions. Until the user approves the Bitdefender kernel extensions, the Endpoint Security for Mac tamper protection, Content Control and Device Control modules will not work. Also, the Endpoint Security for Mac user interface will show a critical issue.

Note

The kernel extensions do not require approval if they were installed before upgrading to macOS High Sierra or later, or they are replacing previously approved extensions.

Important

In macOS Big Sur, Apple replaced kernel extensions with a new generation of system extensions. To accommodate this change, Endpoint Security for Mac requires additional approvals from users. For details, refer to this topic.

Issue

Immediately after a manual installation or remote deployment of Endpoint Security for Mac on macOS High Sierra (10.13) and later, the operating system shows the System Extension Blocked warning.

Note

You may receive one or several System Extension Blocked warnings, depending on the number of protection modules installed.

If the user does not allow the Bitdefender system extensions to load, the Endpoint Security for Mac user interface shows the You are at risk warning.

Solution

When you receive the System Extension Blocked warning:

  1. Click Open Security Preferences (if available). Alternatively, click OK, go to System Preferences in the Dock or in the Apple menu, then click Security & Privacy.

  2. Click Allow for the blocked system software from Bitdefender.

    Note

    In some situations, the Allow button may be disabled:

    • When you remotely access the computer.

    • When a remote connection is open or was recently open. To enable the Allow button you may need to restart the computer.

    • If you are using a third-party application to emulate mouse or trackpad, such as MagicPrefs, BetterTouchTool, Synergy. Close the application to enable the Allow button.

If you receive the notification You are at risk in the Endpoint Security for Mac user interface:

  1. Click View Issues.

  2. Click Fix now to open the Security & Privacy window.

  3. Click Allow for the blocked system software from Bitdefender.

After allowing kernel extensions from Bitdefender, the Endpoint Security for Mac user interface will inform you that your Mac is safe.

Important

System administrators can use MDM to whitelist specific kernel extensions and thus suppress these warnings. For more details, please refer to these Apple resources:

The GravityZone console does not currently provide information about Mac endpoints with unapproved Bitdefender kernel extensions. It is recommended to disable Silent Mode to make sure users can view the issue if they ignore the system prompt.

Network discovery issues in Bitdefender GravityZone

This section provides instructions for troubleshooting network discovery issues. To learn how network discovery works, refer to How network discovery works.

Bitdefender relies on the Microsoft Computer Browser Service to perform network discovery. Network discovery issues are usually related to the Computer Browser service operation. Occasionally, network discovery might fail due to NetBIOS name resolution issues, communication problems between Bitdefender Endpoint Security Tools (BEST) and Control Center or to internal errors.

Important

Before proceeding to troubleshooting, consider the following:

  • In complex network environments consisting of multiple workgroups and domains, it might take up to a few hours until all computers are detected and displayed in Control Center.

  • When new computers are connected to the network, they do not show up in Control Center immediately. The Computer Browser service requires some time to learn about the new computers (in the worst case, up to about one hour). Additional time is added depending on when BEST queries the service for the new computer list.

Normally, in a few minutes after installing BEST on a computer in your network, most of the computers from the client’s visibility area (workgroup, domain) should be displayed as unmanaged in Control Center, on the Computers page.

To resolve this issue, follow the steps below:

  1. Check that the client is displayed as a managed computer in Control Center and that it is online. Go to the Computers page to view this information. If the client does not appear as a managed computer or if it is offline for some time, you must identify and troubleshoot the condition that prevents communication between BEST and Control Center. After solving the communication problem, you must wait for about an hour until network discovery is performed again.

  2. Run the net view command on the client computer and check the results. This command displays the list of computers from the client’s visibility area (workgroup, domain). The same computer list should be available in Control Center.

    1. Press the Windows and R keys simultaneously to open the Windows Run dialog.

    2. Type cmd and press Enter to open a command prompt window.

    3. Type net view and press Enter.

  3. Proceed as follows:

    • If no computers are displayed, go to the next troubleshooting step. The problem is related to the Computer Browser service.

    • If the net view command does return a list of computers, contact us to further investigate this issue.

  4. Make sure the Computer Browser service is started on the client computer.

    1. Press the Windows and R keys simultaneously to open the Windows Run dialog.

    2. Type services.msc and press Enter to open the Services window.

    3. Locate the service in the list and check its status. If the service is stopped, start it. You must wait for about an hour before computer detection is performed again.

  5. Check if the client computer can reach the WINS server and resolve NetBIOS names.

  6. Make sure the client computer is in a workgroup or domain and connected to an IPv4 local network.

  7. If the computer is in a workgroup, check if there are other network computers in the same workgroup. If the workgroup includes just a few computers, chances are the Computer Browser service is not working properly within the workgroup.

  8. Check that the NetBIOS over TCP/IP protocol is enabled and allowed by the local firewall.

  9. Check that the network computers have a policy assigned to them in the Policies > View Policies section in the Control Center. If a policy is not assigned, create one from the Policies > Create New Policy section.

The previous troubleshooting steps must be performed for each computer with BEST installed. Alternatively, you can check the general requirements for network discovery to work, as described below.

Note

After installing each BEST, you might need to wait for about an hour before network discovery is performed and detected computers show up in Control Center.

If some computers have not been detected, check the following possible causes:

  • Computers directly connected to the Internet, but having no connection to the local network, will never be detected.

  • Computers in a workgroup or domain where BEST has not been installed yet will not be detected.

    • For full network visibility, BEST must be installed on at least one computer in each workgroup or domain in your network.  Ideally, BEST should be installed on at least one computer in each subnetwork.

    • To detect computers in another domain, there must be a trust relationship between domains.

  • On the computers that have not been detected, make sure the following conditions are met:

    • Computer Browser service is started.

    • File sharing is enabled and allowed by the local firewall.

    • Network discovery is turned on (for Windows Vista or later).

    • NetBIOS over TCP/IP is enabled and allowed by the local firewall.

  • The Windows Internet Name Service (WINS) infrastructure must be set up and working properly across the entire network.

  • Computer Browser does not work over IPv6 networks. Computers using IPv6 addresses only will not be detected.

For additional information, refer to this article on the Microsoft Support website.
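The client-side checks from the steps and conditions above (Computer Browser service, workgroup or domain membership, IPv4, NetBIOS over TCP/IP, WINS, net view) can be collected in one pass. The script below is an added example, not Bitdefender tooling; it only reads state and changes nothing.

```powershell
# Added example: checks the network discovery prerequisites on a BEST client.
# Read-only; run in Windows PowerShell on the client computer.

# Computer Browser service (Windows service name: Browser).
$browser = Get-Service -Name Browser -ErrorAction SilentlyContinue
if (-not $browser) {
    Write-Warning 'Computer Browser service is not present on this system.'
} elseif ($browser.Status -ne 'Running') {
    Write-Warning "Computer Browser service is $($browser.Status). Start it, then wait about an hour."
} else {
    Write-Output 'Computer Browser service: Running'
}

# Workgroup or domain membership. Domain holds the workgroup name on non-domain computers.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$kind = if ($cs.PartOfDomain) { 'Domain' } else { 'Workgroup' }
Write-Output "${kind}: $($cs.Domain)"

# Per adapter: IPv4 address, NetBIOS over TCP/IP setting, configured WINS server.
$netbiosText = @{ 0 = 'default (from DHCP)'; 1 = 'enabled'; 2 = 'disabled' }
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
foreach ($nic in $adapters) {
    $ipv4 = @($nic.IPAddress | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
    Write-Output "Adapter: $($nic.Description)"
    if ($ipv4.Count -eq 0) {
        Write-Warning '  No IPv4 address. Computer Browser does not work over IPv6.'
    } else {
        Write-Output "  IPv4: $($ipv4 -join ', ')"
    }
    Write-Output "  NetBIOS over TCP/IP: $($netbiosText[[int]$nic.TcpipNetbiosOptions])"
    if ($nic.TcpipNetbiosOptions -eq 2) {
        Write-Warning '  NetBIOS over TCP/IP is disabled on this adapter.'
    }
    Write-Output "  WINS primary server: $($nic.WINSPrimaryServer)"
}

# net view lists the computers in the client's visibility area; entries start with \\.
$view = & net.exe view 2>&1 | ForEach-Object { "$_" }
$computers = @($view | Where-Object { $_ -match '^\\\\' } | ForEach-Object { ($_ -split '\s+')[0] })
if ($computers.Count -eq 0) {
    Write-Warning 'net view returned no computers. Check the Computer Browser service.'
} else {
    Write-Output "net view returned $($computers.Count) computers; compare with Control Center:"
    $computers
}
```

Local firewall rules for file sharing and NetBIOS are not inspected by this script and still need to be checked separately.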

BEST compatibility issues with PC-Sheriff

To resolve BEST / Endpoint Security compatibility issues with PC-Sheriff, follow the steps below.

  1. If Bitdefender Endpoint is already installed, uninstall it and reboot the computer.

  2. Delete the following folders if they are present:

    • Program Files > Bitdefender

    • Program Files (x86) > Bitdefender

    • Program Files > Common Files > Bitdefender

    • Program Files (x86) > Common Files > Bitdefender

    • Program Data > Bitdefender

    • Program Data > bdlogging

  3. Install PC-Sheriff and create an exclusion partition.

    Note

    If you want to install just Bitdefender Endpoint, you must have at least 1.5GB of free space on the Exclusion Drive. If you want to install Bitdefender Endpoint with the Relay role, you must have at least 12GB of free space on the Exclusion Drive.

    If you already have PC-Sheriff installed with an Exclusion Drive, Bitdefender Endpoint can reside on the same Exclusion Drive if the space requirements are met.

  4. Install Bitdefender Endpoint on the Exclusion Drive. This can be accomplished by modifying the package in the GravityZone console by specifying a custom install location.

  5. In the PC-Sheriff software add the following registry exclusions:

    • HKLM > SOFTWARE > Bitdefender

    • HKLM > System > CurrentControlSet > Services > gzflt

  6. Update Bitdefender Endpoint.

    Note

    Make sure Bitdefender Endpoint is up to date and run any subsequent updates.

    If Bitdefender Endpoint makes a product update during the initial update and requires restart, you MUST Update Baseline from the PC-Sheriff software before restarting and Update Baseline again after restart.

  7. Update Baseline from the PC-Sheriff software.

    Note

    After each Bitdefender product update you must Update Baseline from the PC-Sheriff software.
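Before reinstalling, the folder cleanup from step 2, the free-space requirement from the note in step 3, and the registry keys from step 5 can be verified with a read-only script. This is an added example, not part of the Bitdefender or PC-Sheriff tooling; the drive letter and the Relay switch are assumed values to adjust.

```powershell
# Added example: read-only checks for the PC-Sheriff procedure above.
# Assumed values (not from the page): adjust both before running.
$ExclusionDrive = 'E'      # hypothetical drive letter of the PC-Sheriff Exclusion Drive
$WithRelay      = $false   # $true if BEST will be installed with the Relay role

# Step 2: folders that must be deleted after uninstalling, if they are present.
# The (x86) variables are empty on 32-bit Windows, so empty roots are filtered out.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles,
           ${env:CommonProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
$folders  = @($roots | ForEach-Object { Join-Path $_ 'Bitdefender' })
$folders += Join-Path $env:ProgramData 'bdlogging'
$leftovers = @($folders | Where-Object { Test-Path -LiteralPath $_ })
if ($leftovers.Count -eq 0) {
    Write-Output 'No leftover Bitdefender folders found.'
} else {
    $leftovers | ForEach-Object { Write-Warning "Leftover folder: $_" }
}

# Step 3 note: 1.5 GB free for the endpoint alone, 12 GB with the Relay role.
$requiredGB = if ($WithRelay) { 12 } else { 1.5 }
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID = '${ExclusionDrive}:'"
if (-not $disk) {
    Write-Warning "Drive ${ExclusionDrive}: was not found."
} else {
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    if ($freeGB -lt $requiredGB) {
        Write-Warning "Drive ${ExclusionDrive}: has $freeGB GB free; $requiredGB GB required."
    } else {
        Write-Output "Drive ${ExclusionDrive}: has $freeGB GB free ($requiredGB GB required)."
    }
}

# Step 5: report whether the registry keys to exclude in PC-Sheriff currently exist.
foreach ($key in 'HKLM:\SOFTWARE\Bitdefender', 'HKLM:\SYSTEM\CurrentControlSet\Services\gzflt') {
    $state = if (Test-Path -LiteralPath $key) { 'present' } else { 'absent' }
    Write-Output "$key : $state"
}
```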

Allow full disk access to Bitdefender Endpoint Security for Mac in macOS Mojave (10.14) and later

Starting with macOS Mojave (10.14), Apple has introduced certain privacy protections that by default block applications’ access to specific system application folders and resources, such as Mail, Messages, Safari, Time Machine backups.

In order for Endpoint Security for Mac to scan such protected folders, the user must allow full disk access for the BDLDaemon or BDLDaemon.app, and Endpoint Security for Mac application files. The Endpoint Security for Mac user interface will show a critical issue until access is granted.

Issue

On systems running macOS Mojave (10.14), the Endpoint Security for Mac user interface displays a critical issue prompting the user to add the following application files to the Full Disk Access list in Security & Privacy > Privacy.

On macOS Mojave (10.14) and Catalina (10.15), the following files require full disk access:

  • BDLDaemon

  • EndpointSecurityforMac.app

On macOS Big Sur (11.x), the following files require full disk access:

  • BDLDaemon.app

  • EndpointSecurityforMac.app

Note

In case of a network with various macOS versions, it is recommended to allow all BDLDaemon, BDLDaemon.app, and EndpointSecurityforMac.app files.

The path to these files is /Library/Bitdefender/AVP.

Solution

To allow full disk access to the Endpoint Security for Mac files and fix the issue:

  1. In the View Issues window, click the Open Privacy button to go to the Security & Privacy window > Privacy tab > Full Disk Access folder.

  2. Click the lock to make changes and enter an administrator password.

  3. Click the + button to manually add the EndpointSecurityforMac.app, BDLDaemon and BDLDaemon.app files to the Full Disk Access list.

Note

  • The above steps apply for Endpoint Security for Mac 4.4.85.179550 and later.

  • To be fully functional, Endpoint Security for Mac also requires kernel extension approval in macOS High Sierra (10.13), Mojave (10.14), and Catalina (10.15). For details, refer to this topic.

  • In macOS Big Sur (11.x), Apple replaced kernel extensions with a new generation of system extensions. To accommodate this change, Endpoint Security for Mac requires additional approvals from users. For details, refer to this topic.

  • For details on how to configure Jamf Pro for macOS Big Sur 11.0 and later, including system extensions, traffic proxy and full disk access, refer to this topic.