Skip to main content

On-Access

In this section you can configure the antimalware protection components:

antimalware_on-access_48187_en.png

Important

This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode. To access this setting, go to the Installation packages page and click on the packages you want to use. You can find it as Operation Mode under the Security Modules and Roles section.

On-access Scanning

On-access scanning prevents new malware threats from entering the system by scanning local and network files when they are accessed (opened, moved, copied or executed), boot sectors and potentially unwanted applications (PUA).

Note

This feature has certain limitations on Linux-based systems. For details, see to the requirements for GravityZone.

To configure on-access scanning:

  1. Use the check box to turn on-access scanning on or off.

    Warning

    If you turn off on-access scanning, endpoints will be vulnerable to malware.

  2. For a quick configuration, select the security level that best suits your needs (Aggressive, Normal or Permissive).

    Use the description on the right side of the scale to guide your choice.

  3. You can configure the scan settings in detail by selecting the Custom protection level and clicking the Settings link.

    This will display the On-access scanning settings window, containing several options organized under the General and Advanced tabs.

    The Advanced tab addresses the on-access scanning for Linux machines. Use the checkbox to turn it on or off.

    In the table below, you can configure the Linux directories you want to scan. By default, there are five entries, each one corresponding to a specific location on endpoints: /home, /bin, /sbin, /usr, /etc.

    To add more entries:

    • Write down any custom location name in the search field, at the upper side of the table.

    • Select the predefined directories from the list displayed when clicking the arrow at the right end of the search field.

    Click the add_inline.png Add button to save a location to the table and the delete_inline.png Delete button to remove it.

General tab options:

  • File location - Use these options to specify which types of files you want to be scanned. Scanning preferences can be configured separately for local files (stored on the local endpoint) or network files (stored on network shares).

    • If antimalware protection is installed on all computers in the network, you may disable the network file scan to allow faster network access.

      You can set the security agent to scan all accessed files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.

    • Scanning all accessed files provides the best protection while scanning applications only can increase the system's performance.

      Note

      Application files are considerably more vulnerable to malware attacks than other types of files. For more information, refer to Application file types.

    • If you want only specific extensions to be scanned, choose User defined extensions from the menu and then enter the extensions in the edit field, pressing Enter after each extension.

      Note

      On Linux-based systems, file extensions are case sensitive and the files with the same name but with different extension are considered distinct objects. For example, file.txt is different from file.TXT.

    • For system performance reasons, you can also exclude large files from scanning.

      Select Maximum size (MB) checkbox and specify the size limit of the files which will be scanned. Use this option wisely because malware can affect larger files too.

  • Scan - Select the corresponding check boxes to enable the desired scan options:

    • Only new or changed files

      By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.

    • Boot sectors

      Scans the system’s boot sector.

      This sector of the hard disk contains the necessary code to start the boot process.

      When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.

    • Process memory

       Scans the memory of a process to detect in-memory malicious behavior.

    • For keyloggers

      Keyloggers record what you type on your keyboard and send reports over the Internet to a malicious person (hacker).

      The hacker can find out sensitive information from the stolen data, such as bank account numbers and passwords, and use it to gain personal benefits.

    • For Potentially Unwanted Applications (PUA)

      A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background and slowing down the PC performance.

    • Archives

      Select this option if you want to enable on-access scanning of archived files. Scanning inside archives is a slow and resource-intensive process, which is therefore not recommended for real-time protection. Archives containing infected files are not an immediate threat to system security. The malware can affect the system only if the infected file is extracted from the archive and executed without having on-access scanning enabled.

      If you decide on using this option, you can configure the following optimization options:

      • Archive maximum size (MB)

        You can set a maximum accepted size limit of archives to be scanned on-access.

        Select the corresponding check box and type the maximum archive size (in MB).

      • Archive maximum depth (levels)

        Select the corresponding check box and choose the maximum archive depth from the menu.

        For best performance choose the lowest value, for maximum protection choose the highest value.

    • Deferred scanning

      Deferred scanning improves system performance when performing file access operations. For example, system resources are not affected when large files are copied. This option is enabled by default.

  • Scan actions - Depending on the type of detected file, the following actions are taken automatically:

    • Default action for infected files

      Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning and artificial intelligence (AI) based technologies.

      Bitdefender security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.

      By default, if an infected file is detected, Bitdefender security agent will automatically attempt to disinfect it.

      If disinfection fails, the file is moved to quarantine to contain the infection.

      You can change this recommended flow according to your needs.

      Important

      For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.

    • Default action for suspect files

      Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.

      These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

      Suspect files cannot be disinfected, because no disinfection routine is available.

      When a suspect file is detected, users will be denied access to that file to prevent a potential infection.

    Though not recommended, you can change the default actions. You can define two actions for each type of file. The following actions are available:

    • Deny access

      Deny access to detected files.

      Important

      For MAC endpoints, Move to quarantine action is taken instead of Deny access.

    • Disinfect

      Remove the malware code from infected files. It is recommended to always keep this as the first action to be taken on infected files.

    • Delete

      Delete detected files from the disk, without any warning. It is advisable to avoid using this action.

    • Move to quarantine

      Move detected files from their current location to the quarantine folder. Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears. You can manage quarantine files from the Quarantine page of the console.

    • Take no action

      Only report the infected files detected by Bitdefender.

Ransomware Vaccine

Ransomware vaccine immunizes your machines against known ransomware blocking the encryption process even if the computer is infected. Use the check box to turn Ransomware vaccine on or off.

The Ransomware vaccine feature is deactivated by default. Bitdefender Labs analyze the behavior of widespread ransomware, and new signatures are delivered with each security content update, to address the latest threats.

Warning

To further increase protection against ransomware infections, be cautious about unsolicited or suspicious attachments and make sure security content is updated.

Note

Ransomware vaccine is available only if machines are protected by Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).

DazukoFS third-party kernel module

DazukoFS third-party kernel module enables Bitdefender Endpoint Security Tools to perform on-access scanning on Linux. For information on enabling on-access scanning and specifying the directories to be scanned on Linux, refer to the Antimalware On-access scanning section.

The Linux version of Bitdefender Endpoint Security Tools includes an on-access scanning module that, for specific Linux distributions and kernel versions, requires the third-party DazukoFS loadable kernel module. DazukoFS is a stackable file system that enables third-party applications to control file access on Linux systems.

The Bitdefender Endpoint Security Tools installation package includes and automatically installs DazukoFS for selected supported Linux kernel versions. The DazukoFS package shipped with Bitdefender Endpoint Security Tools is compiled for the kernel versions listed in the table below:

Linux Distribution

Kernel version

CentOS 6.x

2.6.32-754.35.1.el6

Red Hat Enterprise Linux 6.x

To use on-access scanning on supported Linux distributions with lower kernel versions that are unsupported by DazukoFS, you must manually compile and install the DazukoFS package for the corresponding kernel.

Important

DazukoFS is a legacy solution. To perform on-access scanning on Linux systems with kernel versions 2.6.38 and higher, you need to enable Fanotify. For the on-access scanning requirements on Linux, including the list of kernels supporting DazukoFS and Fanotify, refer to this article.

To learn more about possible issues with on-access scanning on Linux, refer to On-access scanning in Bitdefender Endpoint Security Tools for Linux.

Other useful topics:

Manually compile and install the DazukoFS module

In this section, you will learn how to manually compile and install the DazukoFS module. Follow these steps:

  1. Download the proper kernel headers.

    • On Ubuntu systems, run this command:

      $ sudo apt-get install linux-headers-'uname-r'

    • On RHEL/CentOS systems, run this command:

      $ sudo yum install kernel-devel kernel-headers-'uname-r'

    • On Ubuntu systems, you need build-essential:

      $ sudo apt-get install build-essential

    • On RHEL/CentOS systems, you need yum-utils:

      $ yum install -y yum-utils

  3. Copy and extract the DazukoFS source code in a preferred directory:

    # mkdir /tmp/Dazukotemp

    # cd /tmp/Dazukotemp

    # cp /opt/bitdefender-security-tools/share/src/dazukofs-source.tar.gz .

    # tar -xzvf dazukofs-source.tar.gz

    # cd dazukofs-3.1.4

  4. Compile the module:

    # make

  5. Install and load the module:

    # make dazukofs_install

DazukoFS limitations

For DazukoFS and on-access scanning module to work together, a series of conditions must be met. Please check if any of the statements below apply to your Linux system and follow the guidelines to avoid issues:

  • The SELinux policy must be either disabled or set to permissive. To check and adjust the SELinux policy setting, edit the /etc/selinux/config file.

  • Bitdefender Endpoint Security Tools is exclusively compatible with the DazukoFS version included in the installation package. If DazukoFS is already installed on the system, remove it prior to installing Bitdefender Endpoint Security Tools .

  • DazukoFS supports the following kernel versions:

    • 2.6.32-754.35.1.el6.x86_64

    • 2.6.32-754.35.1.el6.centos.plus.x86_64

    • 2.6.32-754.35.1.el6.i686

    • 2.6.32-754.35.1.el6.centos.plus.i686

    If the DazukoFS package shipped with Bitdefender Endpoint Security Tools is not compatible with the system's kernel version, the module will fail to load. In such case, you can either update the kernel to the supported version or recompile the DazukoFS module for your kernel version. You can find the DazukoFS package in the Bitdefender Endpoint Security Tools installation directory:

    /opt/bitdefender-security-tools/share/modules/dazukofs/dazukofs-modules.tar.gz

  • When sharing files using dedicated servers such as NFS, UNFSv3 or Samba, you first need to enable on-access scanning and then mount the network shares, as follows:

    1. Enable on-access scanning via policy from Control Center. For more information, refer to On-Access policy settings.

    2. Start the network sharing service.

      Note

      • For NFS:

        # service nfs start

      • For UNFSv3:

        # service unfs3 start

      • For Samba:

        # service smbd start

      Important

      For the NFS service, DazukoFS is compatible only with NFS User Server.

In this section: