
Container protection (deployed through BEST)

The Container Protection feature protects Linux container workloads and their host by extending and augmenting the security layers of the host operating system. It provides server workload Endpoint Detection and Response, Advanced Anti-Exploit, Linux-specific anti-exploit technologies, and Antimalware scanning and threat prevention. You can selectively enable or disable each security module.


This feature can be deployed through two components:

  • A BEST agent with the Container Protection module included that has been installed on the Linux host that has Docker installed.

  • A Security Container deployed under the Linux host endpoint. A Security Container is a dedicated Docker container running an Ubuntu 20.04 base image and the official Debian package of BEST for Linux. It runs as a privileged container on a container host.

This guide provides information on how to deploy the feature using a BEST agent installed on a Linux host.


Container Protection uses the following components:

  • GravityZone Virtual Appliance

  • Security agent (Bitdefender Endpoint Security Tools installed on Linux endpoints)

Install and configure Container Protection


The Network Attack Defense feature is not compatible with endpoints where Container Protection is installed.

Test out the new feature

Create a new container and make sure it is detected and appears in GravityZone inventory

For the purpose of this guide, we have chosen to create the container from the Ubuntu Docker image. You can use any supported Linux distribution when creating containers, as long as the image can be retrieved from the Docker registry. The distribution chosen for the container may differ from the container host's distribution.

  1. Create a new container:

    root@ubuntu23-x64-tcor:~# docker run -dt ubuntu:latest bash
  2. Check that the container is running:

    root@ubuntu23-x64-tcor:~# docker ps
    CONTAINER ID   IMAGE           COMMAND   CREATED          STATUS          PORTS     NAMES
    529ca9f8970c   ubuntu:latest   "bash"    32 seconds ago   Up 17 seconds             xenodochial_hermann
  3. In GravityZone go to the Network page from the left side menu and check if the new container is displayed and has no issues. For more information, refer to Viewing endpoint details.

  4. Check that the container is displayed on the page.

Test out On-Access protection

  1. Log in to GravityZone with an account that has Manage Networks rights.

  2. Go to the Policies page from the left side menu and open the previously created policy.

  3. Go to Antimalware > On-Access and click the Settings button on the upper right side of the On-access Scanning section.

  4. Select the Advanced tab.

  5. Make sure the On-Access Scanning for Linux setting is enabled and add the /test path in the box below.

  6. Click the Add button.

  7. Go to the General tab and under the Scan Actions section, set the Default action for infected files setting to Delete.

  8. Click Save.

  9. Apply the policy on the previously created container. For more information, refer to Assigning policies.

  10. From the endpoint, open a shell in the previously created container:

    root@ubuntu23-x64-tcor:~# docker exec -it 529c bash
  11. Create a test path:

    root@529ca9f8970c:/# mkdir /test
  12. Write an Antimalware test file inside a protected path:

    root@529ca9f8970c:/# echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /test/test1.txt

    The Antimalware On-Access protection feature automatically detects the EICAR test file and applies the action configured in the policy (Delete, as set in step 7; with Move to Quarantine the file is moved to quarantine instead).
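The following script is an added example, not part of the Bitdefender guide: it automates steps 10 to 12 above and then polls the container until the EICAR file has been removed, which is the expected outcome for either the Delete or the Move to Quarantine action. It assumes docker is on PATH, BEST with Container Protection is running on the host, and the policy with /test protected has already been applied to the container; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the Bitdefender guide): create a container, write
# the EICAR test string into the protected /test path and check that the
# on-access scanner removes it. Assumes docker, BEST Container Protection
# and an applied policy with /test protected (Delete or Quarantine action).
set -u

# Standard EICAR test string; harmless, recognised by antimalware engines.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# path_exists PATH [CONTAINER_ID]: true if PATH exists on the host or, when a
# container id is given, inside that container (checked through docker exec).
path_exists() {
  if [ -n "${2:-}" ]; then docker exec "$2" test -e "$1"; else [ -e "$1" ]; fi
}

# wait_until_removed PATH TIMEOUT [CONTAINER_ID]: poll once per second until
# PATH is gone. Returns 0 if it was removed within TIMEOUT seconds (expected
# when the policy deletes or quarantines the file), 1 if it is still present.
wait_until_removed() {
  local path=$1 timeout=$2 cid=${3:-} waited=0
  while path_exists "$path" "$cid"; do
    if [ "$waited" -ge "$timeout" ]; then return 1; fi
    sleep 1
    waited=$((waited + 1))
  done
  return 0
}

# run_eicar_test [TIMEOUT]: steps 10-12 of the guide followed by the check.
run_eicar_test() {
  local timeout=${1:-30} cid
  cid=$(docker run -dt ubuntu:latest bash) || return 2
  docker exec "$cid" mkdir -p /test
  # Pass the string as an argument so no shell ever expands its '$' or '\'.
  docker exec "$cid" sh -c 'printf "%s\n" "$1" > /test/test1.txt' sh "$EICAR"
  if wait_until_removed /test/test1.txt "$timeout" "$cid"; then
    echo "PASS: /test/test1.txt removed from $cid (check the Malware Status report)"
  else
    echo "FAIL: /test/test1.txt still present in $cid after ${timeout}s"
    return 1
  fi
}

# Run the end-to-end test only when invoked with --run, so that sourcing the
# file just defines the functions.
if [ "${1:-}" = "--run" ]; then run_eicar_test; fi
```

A FAIL result usually means the policy was not applied to the container or /test was not added to the On-Access Scanning for Linux paths; re-check steps 5 to 9 before suspecting the agent.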

Check reports for Antimalware activity

Check GravityZone reports for information regarding the deleted file:

  1. Go to the Network page in the left side menu of GravityZone Control Center.

  2. Select the endpoints you want to generate a report for.

  3. Click the Reports button to generate a Malware Status report.

  4. Go to the Reports page and find the request.

  5. Check that the report contains the previously deleted file:

    The file was deleted because the action for infected files in the policy was set to Delete.

    Depending on the action selected in the policy, the file will be marked differently:

    • Take no action - Ignored

    • Deny - Unresolved

    • Move to Quarantine - Quarantined

Check the Incidents Sensor for an event corresponding to the detection of the EICAR file

Check that the Incidents Sensor works for files inside the container:

  1. Log in to GravityZone Control Center.

  2. Go to the Incidents page from the left side menu.

  3. Select the Detected Threats tab.

  4. Locate an incident that mentions the hostname where the EICAR was generated:


Check that multiple containers can be created and protected

  1. Create multiple containers (e.g. 5 more containers), from the endpoint:

    root@ubuntu23-x64-tcor:~# for i in {1..5}; do docker run -dt ubuntu:latest bash; done
  2. In GravityZone go to the Network page from the left side menu and check if the new containers are displayed and have no issues. For more information, refer to Viewing endpoint details.