Skip to main content


In this section, you can add and configure antimalware scan tasks that will run regularly on the target computers, according to the defined schedule.



This functionality is enabled only if the security agent installed on endpoints is running in Detection and prevention mode. To access this setting, go to the Installation packages page and click on the packages you want to use. You can find it as Operation Mode under the Security Modules and Roles section.

The scanning is performed silently in the background, regardless the user is logged in the system or not.

Though not mandatory, it is recommended to schedule a comprehensive system scan to run weekly on all endpoints. Scanning endpoints regularly is a proactive security measure that can help detect and block malware that might evade real-time protection features.

Besides regular scans, you can also configure the automatic detection and scanning of external storage media.

Managing scan tasks

The Scan Tasks table informs you of the existing scan tasks, providing important information on each of them:

  • Task name and type.

  • Schedule based on which the task runs regularly (recurrence).

  • Time when the task was first run.

You can add and configure the following types of scan tasks:

  • Quick Scan uses in-the-cloud scanning to detect malware running in the system. Running a Quick Scan usually takes less than a minute and uses a fraction of the system resources needed by a regular virus scan.

    When malware or rootkits are found, Bitdefender automatically proceeds with disinfection. If, for any reason, the file cannot be disinfected, then it is moved to quarantine. This type of scanning ignores suspicious files.

    The Quick Scan is a default scan task with preconfigured options that cannot be changed. You can add only one quick scan task for the same policy.

  • Full Scan checks the entire endpoint for all types of malware threatening its security, such as viruses, spyware, adware, rootkits and others.

    Bitdefender automatically tries to disinfect files detected with malware. In case malware cannot be removed, it is contained in quarantine, where it cannot do any harm. Suspicious files are being ignored. If you want to take action on suspicious files as well, or if you want other default actions for infected files, then choose to run a Custom Scan.

    The Full Scan is a default scan task with preconfigured options that cannot be changed. You can add only one full scan task for the same policy.

  • Custom Scan allows you to choose the specific locations to be scanned and to configure the scan options.

  • Network Scan is a type of custom scan, that allows assigning one single managed endpoint to scan network drives, then configuring the scan options and the specific locations to be scanned. For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.

    The recurrent network scan task will be sent only to the selected scanner endpoint. If the selected endpoint is unavailable, the local scanning settings will apply.


    You can create network scan tasks only within a policy that is already applied to an endpoint that can be used as a scanner.

Besides the default scan tasks (which you cannot delete or duplicate), you can create as many custom and network scan tasks as you want.

To create and configure a new custom or network scan task, click the add.pngAdd button at the right side of the table.

To change the settings of an existing scan task, click the name of that task.

To remove a task from the list, select the task and click the delete.pngDelete button at the right side of the table.

Configuring scan tasks

The scan task settings are organized under three tabs:

  • General - set task name and execution schedule.

  • Options - choose a scan profile for quick configuration of the scan settings and define scan settings for a custom scan.

  • Target - select the files and folders to be scanned and define scan exclusions.

Options are described hereinafter from the first tab to the last:

  • Details

    Choose a suggestive name for the task to help easily identify what it is about. When choosing a name, consider the scan task target and possibly the scan settings.

    By default, scan tasks run with decreased priority. This way, Bitdefender allows other programs to run faster, but increases the time needed for the scan process to finish. Use the Run the task with low priority check box to disable or re-enable this feature.


    This option applies only to Bitdefender Endpoint Security Tools and Endpoint Security (legacy agent).

    Select the Shut down computer when scan is finished check box to turn off your machine if you do not intend to use it for a while.


    This option applies to Bitdefender Endpoint Security Tools, Endpoint Security (legacy agent) and Bitdefender Endpoint Security Tools.

  • Scheduler

    Use the scheduling options to configure the scan schedule.

    You can set the scan to run every few hours, days, or weeks, starting with a specified date and time.

    Endpoints must be powered on when the schedule is due. A scheduled scan will not run when due if the machine is turned off, hibernating, or in sleep mode. In such situations, the scan will be postponed until next time.


    The scheduled scan will run at the target endpoint local time. For example, if the scheduled scan is set to start at 6:00 PM and the endpoint is in a different timezone than Control Center, the scanning will start at 6:00 PM (endpoint time).

    Optionally, you can specify what happens when the scan task could not start at the scheduled time (endpoint was offline or shutdown). Use the option If scheduled run time is missed, run task as soon as possible according to your needs:

    • When you leave the option unchecked, the scan task will attempt to run again at the next scheduled time.

    • When you select the option, you force the scan to run as soon as possible. To fine-tune the best timing for the scan runtime and avoid disturbing the user during work hours, select Skip if next scheduled scan is due to start in less than, then specify the interval that you want.

  • Scan Options

    Click the security level that best suits your needs (Aggressive, Normal, or Permissive).

    Use the description on the right side of the scale to guide your choice.

    Based on the selected profile, the scan options in the Settings section are automatically configured. However, if you want to, you can configure them in detail.

    To do that, select the Custom check box and then go to the Settings section.

  • File Types

    Use these options to specify which types of files you want to be scanned.

    You can set the security agent to scan all files (regardless of their file extension), application files only or specific file extensions you consider to be dangerous.

    Scanning all files provides best protection, while scanning applications only can be used to perform a quicker scan.


    Application files are far more vulnerable to malware attacks than other types of files.

    For more information, refer to Application file types.

    If you want only specific extensions to be scanned, choose User Defined Extensions from the menu and then enter the extensions in the edit field, pressing Enter after each extension.

  • Archives

    Archives containing infected files are not an immediate threat to system security.

    The malware can affect the system only if the infected file is extracted from the archive and executed without having real-time protection enabled.

    However, it is recommended to use this option in order to detect and remove any potential threat, even if it is not an immediate threat.


    Scanning archived files increases the overall scanning time and requires more system resources.

    • Scan inside archives

      Select this option if you want to check archived files for malware.

      If you decide to use this option, you can configure the following optimization options:

      • Limit archive size to (MB)

        You can set a maximum accepted size limit of archives to be scanned.

        Select the corresponding check box and type the maximum archive size (in MB).

      • Maximum archive depth (levels)

        Select the corresponding check box and choose the maximum archive depth from the menu.

        For best performance choose the lowest value, for maximum protection choose the highest value.

    • Scan email archives

      Select this option if you want to enable scanning of email message files and email databases, including file formats such as .eml, .msg, .pst, .dbx, .mbx, .tbb, and others.


      Email archive scanning is resource-intensive and can impact system performance.

  • Miscellaneous

    Select the corresponding checkboxes to enable the desired scan options.

    • Scan boot sectors

      Scans the system’s boot sector.

      This sector of the hard disk contains the necessary code to start the boot process.

      When a virus infects the boot sector, the drive may become inaccessible and you may not be able to start your system and access your data.

    • Scan UEFI

      This option enables Unified Extensible Firmware Interface (UEFI) scanning that ensures the security and integrity of the system's boot process and protects against sophisticated threats that can persist at the firmware level.

      The option is available for FullQuick, and Custom scan types and is enabled by default when the security level is set to Aggressive.

    • Scan registry

      Select this option to scan registry keys.

      Windows Registry is a database that stores configuration settings and options for the Windows operating system components, as well as for installed applications.

    • Scan for rootkits

      Select this option to scan for rootkits and objects hidden using such software.

    • Scan for keyloggers

      Select this option to scan for keylogger software.

    • Scan network shares

      This option scans mounted network drives.

      For quick scans, this option is deactivated by default. For full scans, it is activated by default. For custom scans, if you set the security level to Aggressive/Normal, the Scan network shares option is automatically enabled. If you set the security level to Permissive, the Scan network shares option is automatically disabled.

    • Scan memory

      Select this option to scan programs running in the system's memory.

    • Scan cookies

      Select this option to scan the cookies stored by browsers on the endpoint.

    • Scan only new and changed files

      By scanning only new and changed files, you may greatly improve overall system responsiveness with a minimum trade-off in security.

    • Scan for Potentially Unwanted Applications (PUA)

      A Potentially Unwanted Application (PUA) is a program that may be unwanted on the PC and sometimes comes bundled with freeware software. Such programs can be installed without the user's consent (also called adware) or will be included by default in the express installation kit (ad-supported). Potential effects of these programs include the display of pop-ups, installing unwanted toolbars in the default browser or running several processes in the background, and slowing down the PC performance.

    • Resume Scan after Product Update

      Select this option to automatically resume on-demand scan tasks after being interrupted.

    • Preserve last access time

      This option helps you control whether to preserve the last access time for a file during a scan or to allow the scanning process to modify the timestamp of that file. The option is enabled by default.

  • Actions

    Depending on the type of detected file, the following actions are taken automatically:

    • Default action for infected files

      Bitdefender detects files as infected through various advanced mechanisms, which include malware signatures, machine learning, and artificial intelligence (AI) based technologies.

      The security agent can normally remove the malware code from an infected file and reconstruct the original file. This operation is known as disinfection.

      If an infected file is detected, the security agent will automatically attempt to disinfect it.

      If disinfection fails, the file is moved to quarantine in order to contain the infection.


      For particular types of malware, disinfection is not possible because the detected file is entirely malicious. In such cases, the infected file is deleted from the disk.

    • Default action for suspect files

      Files are detected as suspicious by the heuristic analysis and other Bitdefender technologies.

      These provide a high detection rate, but the users must be aware of certain false positives (clean files detected as suspicious) in some cases.

      Suspect files cannot be disinfected, because no disinfection routine is available.

      Scan tasks are configured by default to ignore suspect files.

      You may want to change the default action in order to move suspect files to quarantine.

      Quarantined files are sent for analysis to Bitdefender Labs on a regular basis.

      If malware presence is confirmed, a signature is released to allow removing the malware.

    • Default action for rootkits

      Rootkits represent specialized software used to hide files from the operating system.

      Though not malicious in nature, rootkits are often used to hide malware or to conceal the presence of an intruder into the system.

      Detected rootkits and hidden files are ignored by default.

    Though not recommended, you can change the default actions.

    You can specify a second action to be taken if the first one fails and different actions for each category.

    Choose from the corresponding menus the first and the second action to be taken on each type of detected file.

    The following actions are available:

    • Ignore

      No action will be taken on detected files. These files will only appear in the scan log.

    • Disinfect

      Remove the malware code from infected files.

      It is recommended to always keep this as the first action to be taken on infected files.

    • Delete

      Delete detected files from the disk, without any warning.

      It is advisable to avoid using this action.

    • Move to quarantine

      Move detected files from their current location to the quarantine folder.

      Quarantined files cannot be executed or opened; therefore, the risk of getting infected disappears.

      You can manage quarantine files from the quarantine Quarantine page of the console.

  • Scan Target

    Add to the list all the locations you want to be scanned on the target computers.

    To add a new file or folder to be scanned:

    1. Choose a predefined location from the drop-down menu or enter the Specific paths you want to scan.

    2. Specify the path to the object to be scanned in the edit field.

      • If you have chosen a predefined location, complete the path as needed.

        For example, to scan the entire Program Files folder, it suffices to select the corresponding predefined location from the drop-down menu.

        To scan a specific folder from Program Files, you must complete the path by adding a backslash (\) and the folder name.

      • If you have chosen Specific paths, enter the full path to the object to be scanned.

        It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.

    3. Click the corresponding add_inline.pngAdd button.

    To edit an existing location, click it.

    To remove a location from the list, move the cursor over it and click the corresponding delete.pngDelete button.

  • For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.

  • Exclusions

    You can either use the exclusions defined in the Antimalware > Exclusions section of the current policy, or you can define custom exclusions for the current scan task.

    For more details, refer to Exclusions.

Scan settings

These settings allow you to change the default behavior of two scan types: Contextual scan and External devices scan.

  • Contextual scan

    Right-click on local files or folders to start a scan directly from the Windows Explorer contextual menu.


    The Contextual scan policy settings allow you to change the default behavior of this type of scan.

  • External devices scan

    These settings allow you to customize the scans performed on external devices.

For both scan types, you can set how aggressive or permissive the scans are, what is being scanned, the type of threats the scans are searching for, and what actions BEST should take once suspicious activity is detected.

Device scanning

You can configure the security agent to automatically detect and scan external storage devices when they are connected to a Windows endpoint.

Detected devices fall into one of these categories:

  • CDs/DVDs

  • USB storage devices, such as flash pens and external hard drives

  • Devices with more than a specified amount of stored data.

Device scans automatically attempt to disinfect files detected as infected or to move them to quarantine if disinfection is not possible.


some devices such as CDs/DVDs are read-only. No action can be taken on infected files contained on such storage support.


During a device scan, the user can access any data from the device.

If alert pop-ups are enabled in the General > Notifications section, the user is prompted whether or not to scan the detected device instead of the scan starting automatically.

When a device scan is started:

  • A notification pop-up informs the user about the device scan, provided that notification pop-ups are enabled in the General > Notifications section.

Once the scan is completed, the user must check detected threats, if any.

Select Device Scanning option to enable the automatic detection and scanning of storage devices. To configure device scanning individually for each type of device, use the following options:

  • CD/DVD media

  • USB storage devices

  • Do not scan devices with stored data more than (MB). Use this option to automatically skip scanning of a detected device if the amount of stored data exceeds the specified size. Type the size limit (in megabytes) in the corresponding field. Zero means that no size restriction is imposed.