Configuration
The Network Protection settings are organized into the following sections:
General
In this page, you can configure options such as enabling or disabling functionalities and configure exclusions.
The settings are organized into the following sections:

General settings
Intercept Encrypted Traffic- Select this option if you want the Secure Sockets Layer (SSL) web traffic to be inspected by the Bitdefender security agent's protection modules.
for HTTP- Select this option if you want to extend SSL scanning to HTTP protocol.
for RDP- Select this option if you want to extend SSL scanning to RDP protocol.
Scan FTPS - Select this option to enable outbound traffic monitoring over FTPS protocol on Linux machines.
Scan SCP/SSH - Select this option to enable outbound traffic monitoring over SCP and SSH protocols on Linux machines.
For details on the authentication procedures using SSH keys, refer to SSH PKI authentication on endpoint outbound connections.
The FTPS protocol defines at least two different ways to start this sequence: explicit (active) security and implicit (passive) security.
Warning
Network Attack Defense only works with implicit (passive) security.
Show browser toolbar (legacy) - The Bitdefender toolbar informs users about the rating of the web pages they are viewing. The Bitdefender toolbar is not your typical browser toolbar. The only thing it ads to the browser is a small dragger
at the top of every web page. Clicking the dragger opens the toolbar.
Depending on how Bitdefender classifies the web page, one of the following ratings is displayed on the left side of the toolbar:
The message "This page is not safe" appears on a red background.
The message "Caution is advised" appears on an orange background.
The message "This page is safe" appears on a green background.
Note
This option is not available for macOS.
This option is removed from Windows starting with new installations of Bitdefender Endpoint Security Tools version 6.6.5.82.
Browser Search Advisor (legacy)
Search Advisor rates the results of Google, Bing and Yahoo! searches, as well as links from Facebook and Twitter, by placing an icon in front of every result.
Icons used and their meaning:
You should not visit this web page.
This web page may contain dangerous content. Exercise caution if you decide to visit it.
This is a safe page to visit.
Note
This option is not available for macOS.
This option is removed from Windows starting with new installations of Bitdefender Endpoint Security Tools version 6.6.5.82.
Exclusions
You can choose to skip certain traffic of being scanned for malware while the Network Protection options are enabled.
Note
These exclusions apply to Traffic Scan and Antiphishing, in the Web Protection section, and to Network Attack Defense, in the Network Attacks section. Data Protection exclusions are configurable separately, in the Content Control section.
On Linux systems, the exclusions are made at the application level, not at the iptables
level.
To define an exclusion:
Select the exclusion type from the menu.
Depending on the exclusion type, define the traffic entity to be excluded from scanning as follows:
IP/mask - Enter the IP address or the IP mask for which you do not want to scan the incoming and outgoing traffic, which includes network attack techniques.
You can also exclude vulnerability scanners by adding their IP addresses in this section or by duplicating exclusions created in the Firewall section. For details on Firewall exclusions, refer to the "Block port scans" in Firewall Configuration.
URL - Excludes from scanning the specified web addresses. Take into account that URL-based scan exclusions apply differently for HTTP versus HTTPS connections, as explained hereinafter.
You can define a URL-based scan exclusion as follows:
Enter a specific URL, such as
www.example.com/example.html
In the case of HTTP connections, only the specific URL is excluded from scanning.
For HTTPS connections, adding a specific URL excludes the entire domain and any of its subdomains. Therefore, in this case, you can specify directly the domain to be excluded from scanning.
Use wildcards to define web address patterns.
You can use the following wildcards:
Asterisk (*) substitutes for zero or more characters.
Question mark (
?
) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters. For example,???
substitutes for any combination of exactly three characters.
In the following table, you can find several syntax samples for specifying web addresses (URLs).
Syntax
Exception Applicability
www.example*
Any URL starting with
www.example
(regardless of the domain extension).The exclusion will not apply to the subdomains of the specified website, such as
subdomain.example.com
.*example.com
Any URL ending in
example.com
, including subdomains thereof.*example.com*
Any URL that contains the specified string.
*.com
Any website having the
.com
domain extension, including subdomains thereof. Use this syntax to exclude from scanning the entire top-level domains.www.example?.com
Any web address starting with
www.example?.com
, where?
can be replaced with any single character.Such websites might include:
www.example1.com
orwww.exampleA.com
.
Note
You can use protocol-relative URLs.
Application - Excludes from scanning the specified process or application. To define an application scan exclusion:
Enter the name of the executable file of the application to be excluded.
For example, enter
calendar
to exclude the Calendar application,firefox
to exclude the Mozilla Firefox browser, orelectron
to exclude the Visual Studio Code application.Use wildcards to specify any applications matching a certain name pattern.
For example:
c*.exe
matches all applications starting with "c" (chrome.exe).??????.exe
matches all applications with a name that contains six characters (chrome.exe, safari.exe, etc.).[^c]*.exe
matches all application except for those starting with "c".[^ci]*.exe
matches all application except for those starting with "c" or "i".
Note
You do not need to enter a path and the executable file does not have an extension. This is different from exclusions in Antimalware, where you need to specify the entire path.
If needed, add a comment in the Remarks field to make it easier to identify the exclusion later.
Click the
Add button at the right side of the table.
To remove an entity from the list, click the corresponding Delete button.
Content Control
The Content Control settings are organized into the following sections:
Note
The Content Control module is available for:
Windows for workstations
Windows for servers
macOS
Important
For macOS, Content Control relies on a kernel or system extension. Installing the extension requires your approval on macOS High Sierra (10.13) and later. The system notifies the user that a system extension from Bitdefender was blocked. You can allow it from Security & Privacy preferences. Until the user approves the Bitdefender system extension, this module will not work and the Bitdefender Endpoint Security Tools user interface will show a critical issue prompting for approval.
To eliminate user intervention, you can pre-approve the Bitdefender extension by whitelisting it using a Mobile Device Management tool. See details about Bitdefender extensions.
Web Access Control
Web Access Control enables you to allow or block web access for users or applications during specified time intervals.
The web pages blocked by Web Access Control are not displayed in the browser. Instead, a default web page is displayed informing the user that the requested web page has been blocked by Web Access Control.

Use the switch to turn Web Access Control on or off.
You have three configuration options:
Select Allow to always grant web access.
Select Block to always deny web access.
Select Schedule to enable time restrictions on web access based on a detailed schedule.
Whether you choose to allow or block the web access, you can define exceptions to these actions for entire web categories or only for specific web addresses.
Click Settings to configure your web access schedule and exceptions as follows:
Scheduler
To restrict the Internet access to certain times of the day on a weekly basis:
Select from the grid the time intervals during which you want Internet access to be blocked.
You can click individual cells, or you can click and drag to cover longer periods. Click again in the cell to reverse the selection.
To start a new selection, click Allow all or Block all, depending on the type of restriction you wish to implement.
Click Save.
Note
Bitdefender security agent will perform updates every hour, no matter if web access is blocked.
Categories
Web Categories Filter dynamically filters access to websites based on their content. You can use the Web Categories Filter for defining exceptions to the selected Web Access Control action (Allow or Block) for entire web categories (such as Games, Mature Content or Online Networks).
To configure Web Categories Filter:
Enable Web Categories Filter.
For a quick configuration, click one of the predefined profiles (Aggressive, Normal or Permissive). Use the description on the right side of the scale to guide your choice. You can view the predefined actions for available web categories by expanding the Web Rules section placed below.
If you are not satisfied with the default settings, you can define a custom filter:
Select Custom.
Click Web Rules to expand the corresponding section.
Find the category that you want in the list and choose the desired action from the menu. For more information about the available website categories, refer to Web Categories in GravityZoneContent Control.
Select the option Treat Web Categories as exceptions for Web Access if you want to ignore the existing Web access settings and apply only the Web Categories Filter.
The default message displayed to the user accessing restricted websites contains also the category that the website's content has matched. Deselect the option Show detailed alerts on client if you want to hide this information from the user.
Note
This option is not available for macOS.
Click Save.
Note
The Allow permission for specific web categories is also taken into account during time intervals when web access is blocked by Web Access Control.
The Allow permissions work only when web access is blocked by Web Access Control, while the Block permissions work only when web access is allowed by Web Access Control.
You can override the category permission for individual web addresses by adding them with opposite permission in Web Access Control > Settings > Exclusions. For example, if a web address is blocked by Web Categories Filter, add a web rule for that address with permission set to Allow.
Exclusions
You can also define web rules to explicitly block or allow certain web addresses, overriding the existing Web Access Control settings. Users will be able, for example, to access a specific webpage also when the web browsing is blocked by Web Access Control.
Note
Exclusions configured in this section only work if the Web Categories Filter option in the Categories section is enabled.
To create a web rule:
Enable the Use Exceptions option.
Enter the address you want to allow or block in the Web Address field.
Select Allow or Block from the Permission menu.
Click the
Add button at the right side of the table to add the address to the exceptions list.
Click Save.
To edit a web rule:
Click the web address you want to edit.
Modify the existing URL.
Click Save.
To remove a web rule, click the corresponding
Delete button.
Application Blacklisting
In this section you can configure Application Blacklisting, which helps you completely block or restrict users' access to applications on their computers. Games, media and messaging software, as well as other categories of software and malware can be blocked in this way.

To configure Application Blacklisting:
Enable the Application Blacklisting option.
Specify the applications you want to restrict access to. To restrict access to an application:
Click the
Add button at the upper side of the table. A configuration window is displayed.
You must specify the path to the application executable file on the target computers. There are two ways to do this:
Choose from the menu a predefined location and complete the path as needed in the edit field. For example, for an application installed in the
Program Files
folder, select%ProgramFiles
and complete the path by adding a backslash (\) and the name of the application folder.Enter the full path in the edit field. It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
Access Scheduler. Schedule the applications access during certain times of day on a weekly basis:
Select from the grid the time intervals during which you want to block access to the application. You can click individual cells, or you can click and drag to cover longer periods. Click again in the cell to reverse the selection.
To start a new selection, click Allow All or Block All, depending on the type of restriction you wish to implement.
Click Save. The new rule will be added to the list.
To remove a rule from the list, select it and click the Delete button at the upper side of the table. To edit an existing rule, click it to open its configuration window.
Data Protection
Data Protection prevents unauthorized disclosure of sensitive data based on administrator-defined rules.
Note
This feature is not available for macOS.

You can create rules to protect any piece of personal or confidential information, such as:
Customer personal information
Names and key details of in-development products and technologies
Contact information of company executives
Protected information might include names, phone numbers, credit card and bank account information, email addresses and so on.
Based on the data protection rules you create, Bitdefender Endpoint Security Tools scans the web and outgoing email traffic for specific character strings (for example, a credit card number). If there is a match, the respective web page or email message is blocked in order to prevent protected data from being sent.
The user is immediately informed about the action taken by Bitdefender Endpoint Security Tools through an alert web page or email.
To configure Data Protection:
Use the checkbox to turn on Data Protection.
Create data protection rules for all of the sensitive data you want to protect.
To create a rule:
Click the
Add button at the upper side of the table.
A configuration window is displayed.
Enter the name under which the rule will be listed in the rules table.
Choose a suggestive name so that you or other administrator can easily identify what the rule is about.
Select the type of data you want to protect.
Enter the data you want to protect (for example, the phone number of a company executive or the internal name of a new product the company is working on).
Any combination of words, numbers or strings consisting of alphanumerical and special characters (such as @, # or $) is accepted.
Make sure to enter at least five characters in order to avoid the mistaken blocking of email messages and web pages.
Important
Provided data is stored in encrypted form on protected endpoints, but it can be seen on your Control Center account.
For extra safety, do not enter all of the data you want to protect.
In this case, you must clear the Match whole words option.
Configure the traffic scan options as needed.
Scan web (HTTP traffic) - scans the HTTP (web) traffic and blocks the outgoing data that matches the rule data.
Scan email (SMTP traffic) - scans the SMTP (mail) traffic and blocks the outgoing email messages that contain the rule data.
You can choose to apply the rule only if the rule data matches whole words or if the rule data and the detected string case match.
Click Save.
The new rule will be added to the list.
Configure exclusions to data protection rules so that users can still send protected data to authorized websites and recipients.
Exclusions can be applied globally (to all rules) or to specific rules only.
To add an exclusion:
Click the
Add button at the upper side of the table.
A configuration window is displayed.
Enter the web or email address that users are authorized to disclose protected data to.
Select the type of exclusion (web or email address).
From the Rules table, select the data protection rules(s) on which this exclusion should be applied.
Click Save. The new exclusion rule will be added to the list.
Note
If an email containing blocked data is addressed to multiple recipients, those for which exclusions have been defined will receive it.
To remove a rule or an exclusion from the list, click the corresponding Delete button at the right side of the table.
Web Protection
In this page, the settings are organized under the following sections:
Antiphishing
Web Traffic Scan
Email Traffic Scan
Note
On endpoints, the Web protection settings are displayed under the Content Control module.

Antiphishing
Antiphishing protection automatically blocks known phishing web pages to prevent users from inadvertently disclosing private or confidential information to online fraudsters. Instead of the phishing web page, a special warning page is displayed in the browser to inform the user that the requested web page is dangerous.
Select Antiphishing to activate antiphishing protection. You can further tune Antiphishing by configuring the following settings:
Protection against fraud - Select this option if you want to extend protection to other types of scams besides phishing.
For example, websites representing fake companies, which do not directly request private information, but instead try to pose as legitimate businesses and make a profit by tricking people into doing business with them.
Protection against phishing - Keep this option selected to protect users against phishing attempts.
If a legitimate web page is incorrectly detected as phishing and blocked, you can add it to the whitelist to allow users to access it. The list should contain only websites you fully trust.
To manage antiphishing exceptions:
Click Exclusions.
Enter the web address and click the Add button.
If you want to exclude an entire website, write the domain name, such as
http://www.website.com
, and if you want to exclude only a webpage, write the exact web address of that page.Note
Wildcards are not accepted for building URLs.
To remove an exception from the list, click the corresponding Delete button.
Click Save.
Web Traffic Scan
Web traffic are scanned in real time to prevent malware from being downloaded to the endpoint. Scanning the web traffic may slow down web browsing a little, but it will block malware coming from the Internet, including drive-by downloads.
If a web page contains or distributes malware, it is automatically blocked. A special warning page is displayed instead to inform the user that the requested web page is dangerous.
Important
Though not recommended, you can disable web traffic scan to increase system performance. This is not a major threat as long as on-access scanning of local files remains enabled.
Email Traffic Scan
Incoming emails (POP3) are scanned in real time to prevent malware from being downloaded to the endpoint. Outgoing emails (SMTP) are scanned to prevent malware from infecting other endpoints.
When an email is found infected, it is replaced automatically with a standard email informing the receiver of the original infected email.
Important
Though not recommended, you can disable email scan to increase system performance. This is not a major threat as long as on-access scanning of local files remains enabled.
Note
The Incoming emails and Outgoing emails options are not available for macOS.
Network Attacks
The Network Attacks page displays Network Attack Defense settings.
Network Attack Defense provides a security layer based on a Bitdefender technology that detects and takes actions against network attacks designed to gain access on endpoints through specific techniques such as: brute-force attacks, network exploits and password stealers.
Note
The Network Attack Defense module is available for:
Windows for workstations
Windows for servers
On Windows servers, Network Attack Defense detects and prevents RDP brute-force attacks by scanning incoming connections on the RDP ports to identify authentication anomalies. Network Attack Defense also scans web traffic when used with Content Control.
macOS
Linux

To configure Network Attack Defense:
Select the Network Attack Defense check box to enable the module.
Select the corresponding check boxes to enable protection against each network attack category. The network attack techniques are grouped according to MITRE's ATT&CK knowledge based as follows:
Initial Access - the attacker gains entry within a network by various means, including vulnerabilities of public-facing web servers. For example: information disclosure exploits, SQL injection exploits, drive-by download injection vectors.
Credential Access - the attacker steals credentials like usernames and passwords to gain access into the systems. For example: brute-force attacks, unauthorized authentication exploits, password stealers.
Discovery - the attacker, once infiltrated, tries to obtain information about the systems and the internal network, before deciding what to do next. For example: directory traversal exploits, HTTP directory traversal exploits.
Lateral Movement - the attacker explores the network, often by moving through multiple systems, to find the main target. The attacker may use specific tools to accomplish the objective. For example: command injection exploits, Shellshock exploits, double extension exploits.
Crimeware - this category comprises techniques designed to automate cybercrime. For example, Crimeware techniques are: nuclear exploits, various malware software such as Trojans and bots.
Select the actions you want to take against each category of network attack techniques from the following options:
Block - Network Attack Defense stops the attack attempt once detected.
Report Only - Network Attack Defense informs you about the detected attack attempt, but it will not try to stop it.
You can easily restore the initial settings by clicking the Reset to Default button at the lower side of the page.
Details about network attack attempts are available in the Network Incidents report and in the Network Incidents event notification.