Endpoint protection

To protect your network with Bitdefender, you must install the GravityZone security agents on network endpoints. For optimized protection, you can also install Security Servers. For this purpose, you need a Control Center user with administrator privileges over the services you need to install and over the network endpoints under your management.

Requirements for the security agent differ depending on whether it has additional server roles, such as Relay, Exchange Protection or Patch Caching Server. For more information on the agent's roles, refer to this section.

Hardware

Security agent without roles

CPU

| Target systems | CPU type | Supported operating systems (OSes) |
|---|---|---|
| Workstations | Intel® Pentium compatible processors, 2 GHz or faster | Microsoft Windows desktop OSes |
| Workstations | Intel® Core 2 Duo, 2 GHz or faster; Apple M1 | macOS |
| Smart devices | Intel® Pentium compatible processors, 800 MHz or faster | Microsoft Windows Embedded OS |
| Servers | Minimum: Intel® Pentium compatible processors, 2.4 GHz. Recommended: Intel® Xeon multi-core CPU, 1.86 GHz or faster | Microsoft Windows Server OSes and Linux OSes |

Free RAM memory

At installation (MB)

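Single Engine:

| OS | Local Scanning: AV Only | Local Scanning: Full Options | Hybrid Scanning: AV Only | Hybrid Scanning: Full Options | Centralized Scanning: AV Only | Centralized Scanning: Full Options |
|---|---|---|---|---|---|---|
| Windows | 1024 | 1200 | 512 | 660 | 256 | 400 |
| Linux | 1024 | 1024 | 512 | 512 | 256 | 256 |
| macOS | 1024 | 1024 | n/a | n/a | n/a | n/a |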

For daily usage (MB)*

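The first three columns are Antimalware (single engine); the remaining columns are Protection modules.

| OS | Local | Hybrid | Centralized | Behavioral Scan | Firewall | Content Control | Power User | Update Server |
|---|---|---|---|---|---|---|---|---|
| Windows | 75 | 55 | 30 | +13 | +17 | +41 | +29 | +80 |
| Linux | 200 | 180 | 90 | - | - | - | - | - |
| macOS | 650 | - | - | +100 | - | +50 | - | - |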

* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.

Free disk space

At installation

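The first six columns are SINGLE ENGINE; the last four columns are DUAL ENGINE.

| OS | Local Scanning: AV Only | Local Scanning: Full Options | Hybrid Scanning: AV Only | Hybrid Scanning: Full Options | Centralized Scanning: AV Only | Centralized Scanning: Full Options | Centralized + Local Scanning: AV Only | Centralized + Local Scanning: Full Options | Centralized + Hybrid Scanning: AV Only | Centralized + Hybrid Scanning: Full Options |
|---|---|---|---|---|---|---|---|---|---|---|
| Windows | 1024 | 1200 | 500 | 700 | 350 | 570 | 1024 | 1200 | 500 | 700 |
| Linux | 1600 | 1600 | 1100 | 1100 | 600 | 600 | 1600 | 1600 | 1100 | 1100 |
| macOS | 1024 | 1024 | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |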

For daily usage (MB)*

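The first three columns are Antivirus (Single Engine); the remaining columns are Protection Modules.

| OS | Local | Hybrid | Centralized | Behavioral Scan | Firewall | Content Control | Power User | Update Server |
|---|---|---|---|---|---|---|---|---|
| Windows | 410 | 190 | 140 | +12 | +5 | +60 | +80 | +10 |
| Linux | 500 | 200 | 110 | - | - | - | - | - |
| macOS | 1700 | - | - | +20 | - | +0 | - | - |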

* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.

Security agent with Relay role

The Relay role needs additional hardware resources on top of the basic security agent's configuration. These requirements are to support the Update Server and installation packages hosted by the endpoint:

| Number of connected endpoints | CPU to support Update Server | RAM | Free disk space for Update Server |
|---|---|---|---|
| 1-300 | minimum Intel® Core™ i3 or equivalent processor, 2 vCPU per core | 1 GB | 10 GB |
| 300-1000 | minimum Intel® Core™ i5 or equivalent processor, 4 vCPU per core | 1 GB | 10 GB |

Warning

  • Relay agents require SSD disks, to support the high amount of read/write operations.

Important

  • If you want to save the installation packages and updates to a partition other than the one where the agent is installed, make sure both partitions have sufficient free disk space (10 GB); otherwise, the agent aborts the installation. This is required only at installation.

  • On Windows endpoints, local to local symbolic links must be enabled.

Security agent with Exchange Protection role

The quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed.

The quarantine size depends on the number of items stored and their size.

By default, the agent is installed on the system partition.

Security agent with Patch Caching Server role

The agent with Patch Caching Server role must meet the following cumulative requirements:

  • All hardware requirements of the simple security agent (without roles)

  • All hardware requirements of the Relay role

  • An additional 100 GB of free disk space to store the downloaded patches

Important

If you want to save the patches to a partition other than the one where the agent is installed, make sure both partitions have sufficient free disk space (100 GB); otherwise, the agent aborts the installation. This is required only at installation.

Requirements for VMware vShield environments

These are Bitdefender Tools requirements and footprint for systems integrated in VMware environments with vShield Endpoint.

| Platform | RAM | Disk space |
|---|---|---|
| Windows | 6-16* MB (~ 10 MB for GUI) | 24 MB |
| Linux | 9-10 MB | 10-11 MB |

* 5 MB when the Silent Mode option is enabled and 10 MB when it is disabled.

When Silent Mode is enabled, Bitdefender Tools graphical user interface (GUI) is not loaded automatically at system startup, freeing up associated resources.

Security Containers

Configure the guest operating systems where you are deploying BEST as follows:

| Resource | Minimum | Recommended |
|---|---|---|
| Processor | 2 vCPUs | 4 vCPUs |
| Memory (RAM) | 2 GB RAM | 4 GB RAM |
| Free Disk Space | 1.5 GB (up to 3 GB disk with debug logs enabled) | 3 GB |

Software requirements

GravityZone requirements

BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.

Additional software requirements

  • On-access scanning is available for supported operating systems as follows:

    • Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.

    • Kernel 2.6.32 - 2.6.37 - CentOS 6.x, Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.

  • You need auditd as a fallback mechanism in case kprobes are not available for your kernel version.

  • You need to disable SELinux before installing BEST for Linux.

Public Cloud Requirements

Select the instance or VM type where you are deploying BEST as follows:

| Cloud Service Provider (CSP) | Minimum (instance type) | Recommended (instance type) |
|---|---|---|
| Amazon Web Services (AWS) | T3 small | Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD |
| Microsoft Azure | Standard B2s | Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD |
| Google Cloud Platform (GCP) | E2 small or custom | Any instance ≥ 4 vCPUs, 4 GB RAM, min 3 GB SSD |

Note

For other CSPs, you should consider the same requirements as described above.

Supported operating systems

Windows desktop
  • Windows 11 (initial release)

  • Windows 10 November 2021 Update (21H2)

  • Windows 10 May 2021 Update (21H1)

  • Windows 10 October 2020 Update (20H2)

  • Windows 10 May 2020 Update (20H1)

  • Windows 10 May 2019 Update (19H1)

  • Windows 10 October 2018 Update (Redstone 5)

  • Windows 10 April 2018 Update (Redstone 4)

  • Windows 10 Fall Creators Update (Redstone 3)

  • Windows 10 Creators Update (Redstone 2)

  • Windows 10 Anniversary Update (Redstone 1)

  • Windows 10 November Update (Threshold 2)

  • Windows 10 (initial release)

  • Windows 8.1

  • Windows 8

  • Windows 7

Warning

Bitdefender does not support Windows Insider Program builds.

Windows tablet and embedded
  • Windows 10 IoT Enterprise

  • Windows Embedded 8.1 Industry

  • Windows Embedded 8 Standard

  • Windows Embedded Standard 7

  • Windows Embedded Compact 7

  • Windows Embedded POS Ready 7

  • Windows Embedded Enterprise 7

Windows Server
  • Windows Server 2022

  • Windows Server 2019 Core

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2016 Core

  • Windows Server 2012 R2

  • Windows Server 2012

  • Windows Small Business Server (SBS) 2011

  • Windows Server 2008 R2

Important

Bitdefender Endpoint Security Tools supports the Windows Server Failover Cluster (WSFC) technology.

Linux

Note

This applies to both BEST for Linux and Security Containers.

Important

Linux endpoints use license seats from the pool of licenses for server operating systems.

Fully Supported Linux Modern Distributions

| Distribution | Kernel versions |
|---|---|
| RHEL 7.x & 8.x | 3.10.0-957 - 4.18.0 |
| Oracle Linux 7.x (UEK + RHCK) | 3.10.0-957 - 4.18.0 |
| Oracle Linux 8.x (UEK + RHCK) | 3.10.0-957 - 4.18.0 |
| CentOS 7.x | 3.10.0-957 - 4.18.0 |
| CentOS 8.x | 3.10.0-957 - 4.18.0 |
| Debian 9 | 4.9.0 |
| Debian 10 | 4.19 |
| Debian 11 | 5.10 |
| Ubuntu 16.04.x | 4.4.x |
| Ubuntu 18.04.x | 5.0/5.3 |
| Ubuntu 20.04.x | 5.4 |
| Ubuntu 21.04.x | 5.11 |
| Ubuntu 21.10.x | 5.13 |
| SLES 12 SP4 | 4.12.14-x |
| SLES 12 SP5 | 4.12.14-x |
| SLES 15 SP1 | 4.12.14-x |
| SLES 15 SP2 | 5.3.18-x |
| SLES 15 SP3 | 5.3.18-x |
| openSUSE Leap 15.2 | 5.3.18 |
| AWS Bottlerocket 2020.03 | 5.4.x, 5.10.x |
| Amazon Linux v2 | 4.14.x / 4.19.x |
| Google COS Milestones 77, 81, 85 | 4.19.112 / 5.4.49 |
| Azure Mariner | 5.4, 5.10 |
| Fedora 31 - 34 | Supported until it expires. |
| AlmaLinux 8.x | 4.18.0 |
| Rocky Linux 8.x | 4.18.0 |
| CloudLinux 8.x | 4.18.0 |
| CloudLinux 7.x | 3.10 |
| Pardus 21 | 5.10 |

Supported Linux Legacy Distributions

| Distribution | Kernel versions |
|---|---|
| RHEL 6.x | 2.6.32-x |
| Oracle Linux 6.x (6.3 or newer) | 2.6.32-x |
| Ubuntu 14.04 LTS | 4.4.x (14.04.5) |
| SLES 11, SP4 | 3.0.x |
| Amazon Linux v1 2018.03 | 4.14.x |

Warning

(1) On Fedora 28, Bitdefender Endpoint Security Tools requires manual installation of the libnsl package, by running the following command:

sudo dnf install libnsl -y

Important

The Beta version of GravityZone does not support Bitdefender Endpoint Security Tools remote installation on Amazon instances with Linux operating systems. Nevertheless, the client can be installed on Linux instances by locally downloading and running a Bitdefender Endpoint Security Tools installation package.

Containers
  • Google COS

Note

This applies only to Security Container deployments.

Active Directory prerequisites

When integrating Linux endpoints with an Active Directory domain via the System Security Services Daemon (SSSD), ensure that the ldbsearch, krb5-user, and krb5-config tools are installed and that Kerberos is configured properly.

/etc/krb5.conf

[logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log

[libdefaults]
        default_realm = DOMAIN.NAME
        dns_lookup_realm = true
        dns_lookup_kdc = true
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        fcc-mit-ticketflags = true
        default_keytab_name = FILE:/etc/krb5.keytab

[realms]
        DOMAIN.NAME = {
                kdc = dc1.domain.name
                kdc = dc2.domain.name
                admin_server = dc.domain.com
                default_domain = domain.com
        }

[domain_realm]
        domain.name = DOMAIN.NAME
        .domain.name = DOMAIN.NAME

[appdefaults]
        pam = {
                debug = false
                ticket_lifetime = 36000
                renew_lifetime = 36000
                forwardable = true
                krb4_convert = false
        }

Note

All entries are case-sensitive.
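Kerberos realm names are compared exactly, so a default_realm that differs only in case from its [realms] stanza does not resolve to that stanza. The check below is an added example, not part of the Bitdefender documentation; the function names and the constructed sample are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): verify that default_realm has an exactly
# matching, case-sensitive stanza in [realms] and a mapping in [domain_realm].

# krb5_realm_check [FILE]: read FILE (or stdin); print "ok REALM" or the
# first mismatch found, returning non-zero on mismatch.
krb5_realm_check() {
    awk '
        /^[ \t]*\[/ { gsub(/[^A-Za-z_]/, ""); section = $0; next }
        { line = $0; gsub(/[ \t]/, "", line); n = split(line, kv, "=") }
        section == "libdefaults" && kv[1] == "default_realm" { realm = kv[2] }
        section == "realms" && n == 2 && kv[2] == "{" { stanza[kv[1]] = 1 }
        section == "domain_realm" && n == 2 { mapped[kv[2]] = 1 }
        END {
            if (realm == "") { print "mismatch: no default_realm"; exit 1 }
            if (!(realm in stanza)) { print "mismatch: no [realms] stanza for " realm; exit 1 }
            if (!(realm in mapped)) { print "mismatch: no [domain_realm] entry maps to " realm; exit 1 }
            print "ok " realm
        }' "$@"
}

# Constructed sample: the realm names used above, with default_realm typed in
# lower case so that it no longer matches the DOMAIN.NAME stanza.
sample_bad_conf() {
    cat <<'EOF'
[libdefaults]
        default_realm = domain.name
[realms]
        DOMAIN.NAME = {
                kdc = dc1.domain.name
        }
[domain_realm]
        .domain.name = DOMAIN.NAME
EOF
}

# Check a real file when a path is given, for example /etc/krb5.conf.
if [ -n "${1:-}" ]; then krb5_realm_check "$1"; fi
```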

On-access scanning support

On-access scanning is available for all supported guest operating systems. On Linux systems, on-access scanning support is provided in the following situations:

| Kernel versions | Linux distributions | On-access requirements |
|---|---|---|
| 2.6.38 or higher* | Red Hat Enterprise Linux / CentOS 6.0 or higher; Ubuntu 14.04 or higher; SUSE Linux Enterprise Server 11 SP4 or higher; OpenSUSE Leap 42.x; Fedora 25 or higher; Debian 9.0 or higher; Oracle Linux 6.3 or higher; Amazon Linux AMI 2016.09 or higher | Fanotify (kernel option) must be enabled. |
| 2.6.38 or higher | Debian 8 | Fanotify must be enabled and set to enforcing mode and then the kernel package must be rebuilt. For details, refer to Bitdefender Endpoint Security Tools compatibility with Debian 8. |
| 2.6.32 - 2.6.37 | CentOS 6.x; Red Hat Enterprise Linux 6.x | Bitdefender provides support via DazukoFS with prebuilt kernel modules. |
| All other kernels | All other supported systems | The DazukoFS module must be manually compiled. For more details, refer to Manually compile the DazukoFS module (Installing security agents). |

* With certain limitations described below.
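The kernel-to-mechanism mapping in the table above, together with the auditd and SELinux prerequisites listed under Additional software requirements, can be checked on a host before deployment. The script below is an added example, not Bitdefender code; the function names, the /boot/config-<release> location and the `--report` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): map a kernel to the on-access mechanism
# from the table above and report the auditd and SELinux prerequisites.

# kver_ge RELEASE VERSION: succeed when RELEASE >= VERSION (first 3 fields).
kver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a)            # "3.10.0-957.el7" -> "3.10.0"
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# fanotify_enabled CONFIG_FILE: print y when the kernel build config enables it.
fanotify_enabled() {
    if [ -r "$1" ] && grep -q '^CONFIG_FANOTIFY=y' "$1"; then echo y; else echo n; fi
}

# on_access_mode RELEASE FANOTIFY(y|n) DISTRO_ID: print the expected mechanism.
on_access_mode() {
    if kver_ge "$1" 2.6.38; then
        if [ "$2" = y ]; then echo fanotify; else echo fanotify-not-enabled; fi
    elif kver_ge "$1" 2.6.32; then
        case "$3" in
            centos|rhel) echo dazukofs-prebuilt ;;      # CentOS 6.x / RHEL 6.x
            *)           echo dazukofs-manual-build ;;
        esac
    else
        echo dazukofs-manual-build                       # all other kernels
    fi
}

# preflight [DISTRO_ID]: report for the running host. Reading the config from
# /boot/config-<release> is an assumption; some distributions store it elsewhere.
preflight() {
    rel=$(uname -r)
    id=${1:-}
    [ -n "$id" ] || id=$( [ -r /etc/os-release ] && . /etc/os-release; echo "${ID:-unknown}" )
    echo "kernel $rel ($id): $(on_access_mode "$rel" "$(fanotify_enabled "/boot/config-$rel")" "$id")"
    if command -v auditctl >/dev/null 2>&1; then echo "auditd: present"
    else echo "auditd: missing (no fallback if kprobes are unavailable)"; fi
    if command -v getenforce >/dev/null 2>&1; then echo "SELinux: $(getenforce)"
    else echo "SELinux: not installed"; fi
}

# Print the report only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--report" ]; then preflight "${2:-}"; fi
```

A result of fanotify-not-enabled can also mean the build config was not found at the assumed path, so confirm the file exists before acting on it.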

On-access scanning limitations

| Kernel versions | Linux distributions | Details |
|---|---|---|
| 2.6.38 or higher | All supported systems | On-access scanning monitors mounted network shares only under these conditions: fanotify is enabled on both remote and local systems; the share is based on the CIFS and NFS filesystems. Note: On-access scanning does not scan network shares mounted using SSH or FTP. |
| All kernels | All supported systems | On-access scanning is not supported on systems with DazukoFS for network shares mounted on paths already protected by the On-access module. |

Note

Fanotify and DazukoFS enable third-party applications to control file access on Linux systems. For more information, refer to:

macOS
  • macOS Monterey (12.x)

  • macOS Big Sur (11.x)

  • macOS Catalina (10.15)

  • macOS Mojave (10.14)

  • macOS High Sierra (10.13)

  • macOS Sierra (10.12)

Supported file systems

Bitdefender installs on and protects the following file systems:

AFS, BTRFS, ext2, ext3, ext4, FAT, FAT16, FAT32, VFAT, exFAT, NTFS, UFS, ISO 9660 / UDF, NFS, CIFS/SMB, VXFS, XFS.

Note

On-access scanning support is not provided for NFS and CIFS/SMB.

Supported browsers

Endpoint browser security is verified to be working with the following browsers:

  • Internet Explorer 8+

  • Mozilla Firefox 30+

  • Google Chrome 34+

  • Safari 4+

  • Microsoft Edge 20+

  • Opera 21+

Security Server

Security Server is a preconfigured virtual machine running on Ubuntu Server 20.04 LTS.

Note

Your product license may not include this feature.

Memory and CPU

The memory and CPU resource allocation for the Security Server depends on the number and type of VMs running on the host. The following table lists the recommended resources to be allocated:

| Consolidation | Number of protected VMs | RAM | CPUs |
|---|---|---|---|
| Low | 1 - 30 | 2 GB | 2 |
| Low | 31 - 50 | 4 GB | 4 |
| Medium | 51-100 | 4 GB | 4 |
| High | 101-200 | 4 GB | 6 |

Security Server for NSX comes with a predefined hardware configuration (CPU and RAM), which you can adjust in VMware vSphere Web Client by turning off the machine, editing its settings and then turning it back on. For detailed information, refer to Installing Security Server for VMware NSX.

HDD Space

| Environment | HDD space provisioning |
|---|---|
| VMware NSX-V / NSX-T | 40 GB |
| VMware with vShield Endpoint | 40 GB |
| Other | 16 GB |

Security Server distribution on hosts

| Environment | Security Server vs. hosts |
|---|---|
| VMware NSX-V / NSX-T | Security Server automatically installs on each ESXi host in the cluster to be protected, at the time of the Bitdefender service deployment. |
| VMware with vShield Endpoint | Security Server must be installed on each ESXi host to be protected. |
| Other | Although not mandatory, Bitdefender recommends installing Security Server on each physical host for improved performance. |

Network latency

The communication latency between Security Server and the protected endpoints must be under 50 ms.

Storage Protection load

The impact of Storage Protection on Security Server when scanning 20 GB is as follows:

| Storage Protection status | Security Server resources | Security Server load | Transfer time (mm:ss) |
|---|---|---|---|
| Disabled (baseline) | N/A | N/A | 10:10 |
| Enabled | 4 vCPU, 4 GB RAM | Normal | 10:30 |
| Enabled | 2 vCPU, 2 GB RAM | Heavy | 11:23 |

Note

These results are obtained with a sample of varied file types (.exe, .txt, .doc, .eml, .pdf, .zip etc.), ranging from 10 KB to 200 MB. The transfer duration corresponds to 20 GB of data contained in 46,500 files.

Traffic usage

  • Product updates traffic between endpoint client and update server

    Each periodical Bitdefender Endpoint Security Tools product update generates the following download traffic on each endpoint client:

    • On Windows OS: ~20 MB

    • On Linux OS: ~26 MB

    • On macOS: ~25 MB

  • Downloaded security content updates traffic between endpoint client and Update Server (MB / day)

    | Update Server Type | Scan engine: Local | Scan engine: Hybrid | Scan engine: Centralized |
    |---|---|---|---|
    | Relay | 65 | 58 | 55 |
    | Bitdefender Public Update Server | 3 | 3.5 | 3 |

  • Central Scan traffic between endpoint client and Security Server

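    | Scanned Objects | Traffic Type | Download (MB) | Upload (MB) |
    |---|---|---|---|
    | Files* | First scan | 27 | 841 |
    | Files* | Cached scan | 13 | 382 |
    | Websites** | First scan, web traffic | 621 | N/A |
    | Websites** | First scan, Security Server | 54 | 1050 |
    | Websites** | Cached scan, web traffic | 654 | N/A |
    | Websites** | Cached scan, Security Server | 0.2 | 0.5 |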

    * The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.

    ** The provided data has been measured for the top-ranked 500 websites.

  • Hybrid scan traffic between endpoint client and Bitdefender Cloud Services

    | Scanned Objects | Traffic Type | Download (MB) | Upload (MB) |
    |---|---|---|---|
    | Files* | First scan | 1.7 | 0.6 |
    | Files* | Cached scan | 0.6 | 0.3 |
    | Web traffic** | Web traffic | 650 | N/A |
    | Web traffic** | Bitdefender Cloud Services | 2.6 | 2.7 |

    * The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.

    ** The provided data has been measured for the top-ranked 500 websites.

    Note

    The network latency between endpoint client and Bitdefender Cloud Server must be under 1 second.

  • Traffic between Bitdefender Endpoint Security Tools Relay clients and update server for downloading security content

    Clients with Bitdefender Endpoint Security Tools Relay role download ~16 MB / day* from update server.

    * Available with Bitdefender Endpoint Security Tools clients starting from 6.2.3.569 version.

  • Traffic between endpoint clients and Control Center web console

    An average traffic of 618 KB / day is generated between endpoint clients and Control Center web console.