Bitdefender B2B Help Center

GravityZone Control Center

December 2021 (Version 6.19.1-1)



Join the Early Access Program for the opportunity to access the XEDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.


We redesigned the Search feature, and now it provides:

  • Enriched data, including raw events to help with investigation efforts

  • An extended number of suggested fields for creating queries. A list of fields with predefined values is available here.

  • Customizable results grid with show/hide columns functionality

  • New predetermined options for the Date field: Last 24 hours, Last 7 days, Last 30 days, and Custom.

Investigation Package

The new Investigation Package functionality enables the collection of forensic data from your environment without requiring a direct interaction with the endpoint involved in an incident.

This feature is designed to improve your SOC team's overall effectiveness by eliminating the time-consuming and labor-intensive task of manually collecting extra incident information from endpoints, allowing your team to mitigate and contain threats faster.

  • You can gather forensic data by using the Collect Investigation Package action from the Details Panel of any endpoint involved in an incident.

  • automatically triggers the collection of an investigation package if an endpoint is part of an incident.

All investigation files are available for download in the Investigation tab of the endpoint's full details page.

Sensors Management

The new Sensors Management dashboard allows you to integrate sensors from all the major cloud service platforms, enabling you to gather and correlate data into highly accurate extended incidents.

Currently in its early stages of development and production, this new feature provides integration with the Microsoft Office 365 platform, which will soon be followed by other integrations.

The feature provides integration with the Microsoft Office 365 platform through the Mail and Audit sensors, which boost the detection capabilities by providing metadata about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.

All sensors can be configured and managed as separate sensor integration instances or together as part of the same instance setup.

The Sensors Management dashboard is available as a new tab in the Configuration page.

Extended incidents

The Graph went through a visual update designed to improve the investigation process. It now always indicates the origin of the incident in the Initial Access area, and all exfiltration and command & control activities in the Exit Points area.

The Graph also provides visual representation for new forensic artifacts collected and correlated from Microsoft Office 365 sensors, namely nodes for O365 users and O365 Mail and Audit sensor integration instances.

The new Overview tab displays the most impactful events of an extended incident, condensed in three major areas:

  • Summary - A synopsis of the entire incident, including data on initial access, tactics and techniques used by attackers, and affected organization assets

  • ATT&CK Tactics and Techniques - All the identified MITRE ATT&CK tactics and techniques used in the incident

  • Highlights - The critical alerts from the most impactful steps in the incident kill chain

Patch Management
Maintenance Windows

introduces Maintenance Windows in Configuration Profiles, a new and powerful way to configure Patch Management settings outside policies. The Maintenance Windows feature provides you with higher control over patch scanning and patch installation than before, with expanded scheduling options.

In the policy, the old Patch Management module is replaced with a simple interface that allows you to assign the maintenance window you want. You can assign the same maintenance window, created by you or other users, to multiple policies. As a partner, you can create and modify maintenance windows for managed companies.

Upon this release, all Patch Management settings from existing policies will automatically be moved into maintenance windows, and then assigned to each policy accordingly. So, no worries there, your previous hard work is in safe hands.

The Maintenance Windows feature requires a valid license with Patch Management.


Linux support

GravityZone extends support for patch scanning and installation to Linux endpoints. For a unified experience, you can use the same maintenance windows and the same policies as for Windows.

Supported Linux distributions for this feature:

  • CentOS

  • Red Hat Enterprise Linux (RHEL)

  • SUSE Linux Enterprise (SLE)


Unlike for Windows, Patch Management for Linux endpoints does not use relays with the Patch Caching Server role. Instead, the security agent downloads the updates directly from vendors’ websites.


This feature will be operational with the next release of for Linux.

Threats Xplorer

The export functionality is now available in Threats Xplorer. You can use this new option to access and manage the centralized data outside , according to your needs. The security events are exported in the widely available CSV format, making it easier to import in other software programs tailored for your business.

Antiphishing Activity report

The Antiphishing Activity report is now capable of organizing Antiphishing detections and affected endpoints based on different criteria. The new features focus on underlining possible security issues in your network while helping you achieve an effortless analysis.

The report now includes:

  • Top 10 domains blocked on endpoints, which details the most frequently detected domains.

  • Top 10 affected endpoints, which informs you about the endpoints that have the most Antiphishing detections.

  • Affected endpoints, which presents the total number of endpoints with at least one detection.

  • Total detections, which provides the total number of phishing detections on all endpoints.


After this update, the last instance of the scheduled report will no longer be available in the View report column. To access the archive containing all instances, select the report, click Download and then select Full archive from the dropdown menu.

Security Audit report

The new improvements simplify the analysis of Antimalware detections in the Security Audit report. The report now classifies the Antimalware detections and affected endpoints based on different criteria as follows:

  • Top 10 malware by number of endpoints, which details the most frequent Antimalware detections.

  • Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detections.

  • Endpoints, which presents the total number of endpoints with at least one Antimalware detection.

  • Detections, which provides the total number of Antimalware detections on all endpoints.

  • now supports multiple standard products. Products added to the same company must be compatible.

  • The My Company page has been reworked and restructured. The page now provides an improved overall company management experience.

  • Notifications regarding reaching or exceeding a license limit or a license expiring have been modified. Changes include:

    • Notification recurrence

    • Customized information for companies with multiple licenses

MDR for MSPs

As a Managed Service Provider (MSP), you can now benefit from automatic provisioning and billing for the Managed Detection and Response (MDR) service, offering you and your customers protection through outsourced cybersecurity operations 24 hours a day, every day of the year. The MDR service combines cybersecurity for endpoints, network, and security analytics with the threat-hunting expertise of a SOC fully staffed by security analysts from global intelligence agencies.

This service is available in two flavors:

  • MDR Advice - retain full control over end customer environments, with the MDR team acting as a trusted advisor, providing curated recommendations to equip your team to respond to customer incidents.

  • MDR Response - benefit from a fully managed threat hunting solution that includes state-of-the-art prevention and expert response. The MDR Customer Success Team (CST) will effect real-time changes in your customer’s environments when security incidents are identified, based on a set of pre-approved actions you both agreed upon.

You can activate, deactivate, or switch between service flavors by editing the company details page.


If you are a Partner, the MDR Service needs to be enabled by . If you are an MSP interested in MDR please contact your Partner.

  • The New Company and Edit Company pages have been improved. Managing and displaying company licenses has been updated to support multiple licenses.

  • The Licensing section within the add / edit company flow for the Monthly Subscription license option now offers you easier activation and management of the products, add-ons, and services provided by .

  • Use the new Own use section to enable add-ons and services for your own company, and the Reselling section to grant other partners the right to resell products, add-ons, and services.

Public API
  • The Custom Rules API is now available. For this API, the following methods have been added: getCustomRulesList, createCustomRule, and deleteCustomRule.

  • Patch Management is now available through API. For the Maintenance Windows API, the following methods have been added:

    • createPatchManagementMaintenanceWindow

    • getMaintenanceWindowList

    • getMaintenanceWindowDetails

    • updatePatchManagementMaintenanceWindow

    • deleteMaintenanceWindow

    • assignMaintenanceWindows

    • unassignMaintenanceWindows

  • The Companies, Network and Licensing APIs have been modified as follows:

    • Functionality for the getNetworkInventoryItems and getLicenseInfo methods has been changed.

    • The addProductKey and removeProductKey methods have been added.

    • The createCompany, setMonthlySubscription, getLicenseKey, getLicenseDetails, and getCompanyDetails methods have been modified to properly display multiple standard and add-on licenses, and include information and settings on MDR for MSPs.

Resolved issues

Fixed an error that in some particular cases was preventing incidents from being generated.


Firewall rules are now being imported from if the protocol is set to ICMP.

Configuration Profiles
  • Exclusions imported from larger CSV files no longer go under All exclusions, but in your newly-created list.

  • Exclusion lists created by the current user are now displayed only in the My lists section. They will no longer be added to the Default exclusion lists.


You can now search by company in Add Company page.

Known issues

The License key, License usage and License validity columns in the Companies page will only display a company's first license key for standard products if the company has multiple base products.

November 2021 (Version 6.18.1-2)

  • Improvements made to back end code in preparation for future updates. Changes will have no direct impact on users.

Known issues
  • Starting with version 6.18.1-1, clicking on the License key, License validity, Subscription end date or Auto-renewal column headers in the Companies page no longer reorders the list of companies.

October 2021 (Version 6.18.1-1)

Minimum requirements:

  • Security agents: (Windows); (Linux); (macOS)



  • XEDR now includes a full interactive Remote Shell feature that enhances your SOC experts’ investigation capabilities. It enables access to any endpoint in your environment, to gather forensic data and respond swiftly to mitigate and contain any suspicious activity.

    You can access this full interactive shell from the side details panel of any endpoint involved in an incident.

    This added functionality is compatible with Windows, Linux, macOS.


    For now, the new Remote Shell functionality is available through the Bitdefender Early Access Program, which you may join by contacting our Customer Support team.

    The Bitdefender Early Access Program will provide exclusive access to many of the new feature releases going forward.

Threats Xplorer

  • Threats Xplorer now automatically retains the columns size selection and displays it accordingly when you return to the page. Additionally, we have also made several adjustments to the default columns size for better visibility.

  • Added the new filter and column SHA256 that helps you easily identify a file hash.


  • The New Company page has been improved and the procedure to create a new company has been changed. For more information, refer to Creating companies.

  • Trial companies now start with an Elite license equivalent and several add-ons, providing access to additional features. For more information, refer to this page.

September 2021 (Version 6.16.1-7)



  • A new option, Automatically copy the label of the Relay to connected endpoints, if not specified otherwise, is now available in the Configuration > Network Settings tab. This helps you to manage the labels according to your preferences and choose whether the endpoints connected to a relay should inherit its label or not.

  • Agent packages names now include the product version.

  • You can now find the GravityZone Cloud version under the What's new section.


  • You can now automatically resume on-demand scan tasks using the Resume Scan after Product Update option. To enable this, select the option checkbox from the Options > Miscellaneous section when you create or edit a scan task.

Network Protection

  • You can now enable Scan SSL for RDP protocols.

September 2021

Resolved issues

Executive Summary

  • In some situations, generating an Executive Summary report resulted in crashes for companies with an exceptionally high number of events.

  • In some cases, generating the Executive Summary PDF file led to crashes. The issue is now fixed.

  • The Monitoring section failed to display its subsections when hovering over it while the GravityZone menu was collapsed.


  • The Allow endpoints to send user login data to GravityZone option was not properly inherited from the main policy.

August 2021

New features

Executive Summary report

The new report focuses on improving data accessibility while centralizing key security information from the Executive Summary page. You can easily export, schedule, and download the report from both the Reports and Executive Summary sections.


GravityZone platform

To help you monitor, analyze and quickly identify valuable information we are introducing Executive Summary as the new landing page for GravityZone Control Center. You can adjust this setting to your preference at any moment from the My Account section.

July 2021

New Features

Container protection

Bitdefender protection is now available for container environments. Container protection monitors both the operating system on the host and running containers, providing server workload EDR and anti-exploit and antimalware scanning services based on licensing.

The feature offers visibility into Linux server and container workload malicious activity in real time and a clear understanding of attack risk exposure at each stage of the attack. It detects complex attacks early with Linux native exploit detection technology and performs threat-hunting campaigns using the GravityZone EDR event search. Once licensed, you can deploy Container protection through two solutions:

  • Best for Linux v7 deployed directly on a container host.

  • Security Container instance deployed on a separate container that protects both the host and its managed containers.

This new feature comes with a new report, Security Container Status, which helps you identify any issues that a specific Security Container might have, with the help of various indicators such as Update Status, Upgrade Status and more.

A new notification is also available, Security Container Status Update, informing you when the product update status changes for a Security Container installed in your network.



Advanced Anti-Exploit feature is now available for Linux.


  • Virtual Machines view renamed to Cloud Workload.

  • Containers group added under Cloud Workload containing container hosts and container endpoints.

  • Physical and VM container hosts now visible under Computers and Virtual Machines.


  • Monthly License Usage report now contains Container Protection information.

Configuration Profiles

The Configuration Profiles section under Policies enables you to create and manage customized exclusion rule lists, and assign them to your company policies, thus enabling you to scale the usage of exclusions across your network more accurately, to lower the rate of false-positive events and improve system performance.

Every exclusion rule you create can be assigned to one or multiple exclusion lists, and every list can be assigned to one or more policies. Furthermore, you can assign multiple exclusion lists to the same policy, for maximum flexibility.


We fine-tuned the formula for how we calculate the Severity Score, to make it more accurate, by taking into account a wider range of parameters, and incident escalation. We also added new mechanics that allow us to update the formula on-the-fly with new parameters from our evolving correlation technologies.

June 2021


GravityZone platform

  • Now you can view the names of all active users logged on endpoints running Windows.

    This feature brings changes in the following sections of Control Center:

    • Network – the Network grid includes a new searchable column named Users and the endpoint details window displays a dedicated tab also named Users.

    • Reports – the Network Protection Status report includes a searchable column named Users.

    • Policies – a new check box in General > Settings > Options allows you to enable data collection. The information sent by endpoints to GravityZone includes usernames, login time and the login method.

    This feature can serve you in multiple ways:

    • As a GravityZone administrator, you can use the provided information to reach out to the endpoint users in case you need their input.

    • As a Security Analyst, you can correlate the information about the username with other events from GravityZone or 3rd party systems.

    • As a partner, the user-related information is helpful in situations such as when you create a Monthly License Usage report for audit purposes.

    Minimum version of Bitdefender Endpoint Security Tools:

  • Renamed a few elements from the following sections:

    • Threats Xplorer - the columns Device name and Device type are now Endpoint name and Endpoint type.

    • Network - the column Machine type is now Endpoint type.

    • Executive Summary - the Threats breakdown by machine type widget is now Threats breakdown by endpoint type.

  • The User Activity page now informs you if a user has logged in to GravityZone from a third-party platform with which it is integrated.

  • The cleanup rules for offline machines are now more flexible:

    • Name patterns can contain the question mark (?) as wildcard.

    • Name patterns can have any length and no longer require a letter at the beginning. For example, you can use only the asterisk (*) to disregard the machine name.

    • You can select targets that are offline for less than 24 hours or more than 90 days. The cleanup rules will run hourly for machines offline less than a day, and daily for the other ones.

    • The target selection now covers Active Directory inventory as well.

    You can use name patterns of any length.

    Improved the offline machines cleanup rules so that you can now use the question mark (?) as wildcard and select targets that are offline for less than 24 hours.


  • GravityZone extends the endpoint-based threat detection capabilities of the traditional EDR by incorporating network incidents, to successfully counter advanced threats no matter where they emerge in the infrastructure: on endpoints, network or in the cloud. This new EDR component combines the most advanced prevention capabilities, low overhead cross-technology correlation capabilities and Network Traffic Analytics to boost the cyber resilience of your organization.

    In this new light, the Incidents page has been enriched with the Extended Incidents tab, to display all organization-wide incidents which require further investigation.

    The new graphic representation of extended incidents makes it easy to view and investigate the evolution of a complex attack within your network:

    • It includes a detailed timeline of events, displaying the network point of entry, evolution over time, lateral movement and communication with outside agents.

    • It correlates events gathered by Endpoint Detection and Response and Network Traffic Analysis technologies.

    • It associates extended incidents with any detected endpoint incident that makes a potential staged attack.

  • Concurrently, if you are using a third-party ticketing platform or a PSA solution, you will enjoy an enhanced experience through the new redirect links. Clicking on the embedded links will either:

    • direct you to the Endpoint Details page in GravityZone, when you are working on a security incident.

    • direct you to the Incidents section of that specific incident ID in GravityZone.

Threats Xplorer

  • The available filters now dynamically adjust to your company's license type. This way, you can quickly use search and filtering criteria relevant to your company and obtain better results.


    The filters and detection events are available up to 90 days after you change the protection layers. Following this period, the events are deleted and the filters automatically reflect the available features according to your license key.


  • The HyperDetect Activity report now includes the exact name of the detected threat and the file hash.


  • The Network > Packages section now includes macOS downloader, which will make it easier for you to install the security agent on different Mac architectures, whether they are Intel x86 or ARM. The new downloader automatically detects the processor type and downloads and installs the right kit for that specific architecture.


  • From now on GravityZone is also available in Turkish.

Product documentation

  • A unified self-service support experience with the new online help center. All GravityZone help content that was included in PDF guides, knowledge base articles and release notes is now under one roof, in a more digestible format. Currently it is available only in English; localizations will follow soon.

Public API

  • Network API: The result of the GetNetworkInventoryItems method now includes the policyId and moveState fields.

Resolved issues


  • An overflow of records in the CVEs inventory collection downturned the Indicators of Risk query.

  • The Risk Management data removal step from the Security Risks > Devices section was skipped when BEST uninstall presented errors. The device still appeared to be present in the devices listed with vulnerabilities.

  • Following a Risk Scan, the Risk Management module displayed users as having a high severity score, even if the human risks had been fixed through a previous Risk Scan.

Patch Management

  • Previously installed patches were not displayed in GravityZone after manually rebooting a Virtual Machine.

MSP > Partners

  • The Reconfigure Task failed when trying to add the Exchange module to endpoints from two different companies - with the same configuration - and displayed the error message "Task could not be created. Some task settings could not be applied to all selected product types".

May 2021

New features

Threats Xplorer

Threats Xplorer offers you a highly increased visibility over the detected threats in your network and helps you perform a concise security analysis. The feature centralizes detection events from multiple GravityZone technologies and classifies them by category, threat type, remediation actions, and many others.

Threats Xplorer makes it easy to identify and analyze threats by providing you with:

  • A wide variety of customizable columns with detailed information

  • Diverse filtering and search criteria

  • Detection events from various modules centralized in a single list

  • Infinite scroll functionality for seamless interaction


Executive Summary

Executive Summary now provides you with the possibility to explore multidimensional data, by browsing from a statistical level to a more granular and detailed view.

The new drill-down capability helps you navigate instantly from widgets to specific sections of the Control Center. Each section displays complex information in a customized way so that you can identify and analyze with ease the aspects you are interested in.

April 2021


GravityZone platform

Control Center leaves the old blue theme behind and comes with a couple of readability and usability improvements such as:

  • Replaced the scroll bar from the main menu with the More button to reveal additional items.

  • Increased the font size for lower screen resolutions.

  • Removed the top blue bar to make room for actual data.

  • Increased the contrast to the top banner for alerts.

The Update Security Server task has two options now, for each type of update you can run, when available:

  • Feature update, for installing the Bitdefender new features, improvements and fixes, and security fixes

  • Run the task with this option to bring the OS of the Security Server to Ubuntu 20.04 LTS, the only supported version until new upgrade.



The grid in the Network page now includes new columns and several improvements, designed to help you better identify and find endpoints in the inventory:

  • Name. It can now display the MAC address appended to the hostname, to uniquely identify endpoints that may have the same hostname or IP address.

    You need to enable this option in the Configuration > Network Settings > Network Inventory Settings page.

  • Machine type. It shows whether the endpoint is a server or a workstation.

  • OS type. It displays the type of operating system installed on the endpoint.

  • OS version. It shows the version of the operating system installed on the endpoint.

  • Last seen. It now allows you to filter endpoints that were online in the last 24h, 7 days or 30 days.

When creating an installation package in the Packages page, you now have the option to choose the operation mode of the security agent:

  • Detection and prevention, which allows you to choose the modules to include in the package, and to enable their full capabilities.

  • EDR (Report only), which creates an EDR package with a predefined list of modules, their functionality being limited to report-only actions. The package includes the following modules:

    • Advanced Threat Control (ATC)

    • EDR Sensor

    • Network Protection (Content Control, Network Attack Defense)


    Available only with GravityZone Ultra, GravityZone Ultra Plus, and Cloud Security for MSP.

Security Telemetry

New options for configuring Security Telemetry:

  • Bypass validation of the SSL certificate on HTTP collector, in case your HTTP collector uses a self-signed SSL certificate.

  • Granular event type selection, if you are interested in sending to the SIEM only certain types of events.


  • The App Vulnerabilities details panel now allows you to view the devices impacted by a vulnerable application discovered in your environment.

    When you select a vulnerable application and click the View Devices button it will take you to the Devices section and display a list of all impacted devices.

Email Security

  • You will now know when the Email Security license expires. Just make sure to enable the notifications in the Notifications page.


  • The Incidents page now displays suspicious events in the Endpoint Incidents tab, and events detected by prevention technologies, in the Detected Threats tab.

Public API

  • Packages and Network APIs: Added the productType parameter to createPackage and createReconfigureClientTask methods. This parameter is optional and states the operation mode of the agent: EDR (Report only), or Detection and prevention.

  • Event Push Service API:

    • The taskType parameter for Troubleshooting Activity notification is now a string and can have the following values: Gather Logs and Debug Session.

    • Enforced TLS 1.2 encryption.

    • Enforced the use of an authorization header when selecting JSON-RPC format.

Resolved issues

Patch Management

  • Completed Patch install tasks could not be deleted from the Tasks page, returning the error "Items you selected cannot be deleted".

February 2021

Minimum requirements:

Security agents: (Windows); (Linux); (macOS)

New features

Apple M1 support

Added support for Apple M1 processors. A separate installation package for endpoints, named macOS kit (Apple M1), is available for download in the Network > Packages section. The previous Mac kit has been renamed macOS kit (Intel x86) and is only compatible with Intel-based Macs.

The following protection modules are supported on M1-based systems:

  • Antimalware

  • Device Control

  • Content Control

  • Encryption

Support for other features will be added in time.


New kits will not install on OS X El Capitan (10.11). For details about the end of support for this legacy macOS version, refer to this topic.



Added a new wildcard option when defining custom exclusions for files, folders, and processes. You can now use double asterisks (**) for replacing any character, including path separators (\). For example, with **\example.txt you can match any file named example.txt, regardless of its location on the endpoint.

The option is available in both Control Center and Power User policy settings, under Antimalware > Settings > Custom Exclusions section.


The single asterisk (*) substitutes zero or more characters between the path delimiters (\).
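
The difference in reach between the two wildcards, as an added example (not Bitdefender code): a small Python matcher that translates exclusion patterns into regular expressions using only the two rules stated above, then reports how many directories each pattern covers in a constructed list of paths. The function names, the sample paths and the case-insensitive comparison are assumptions made for illustration.

```python
import re

SEP = "\\"  # path delimiter used in the release note's examples


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate an exclusion pattern into a regex, per the two stated rules.

    '**' -> any characters, including path separators
    '*'  -> zero or more characters between path delimiters (no separator)
    Everything else is matched literally.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # may cross directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")     # stays inside one path component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    # Assumption: Windows-style, case-insensitive path comparison.
    return re.compile("".join(parts), re.IGNORECASE)


def audit(patterns, paths):
    """For each pattern, list the matching paths and count distinct directories.

    A high directory count shows how far an exclusion reaches, which is the
    figure to review before assigning the exclusion to a policy.
    """
    report = {}
    for pattern in patterns:
        rx = exclusion_to_regex(pattern)
        hits = [p for p in paths if rx.fullmatch(p)]
        directories = {p.rsplit(SEP, 1)[0].lower() for p in hits}
        report[pattern] = {"matches": hits, "directories": len(directories)}
    return report


# Constructed sample paths (not taken from any real endpoint).
SAMPLE_PATHS = [
    r"C:\Tools\example.txt",
    r"C:\Tools\sub\example.txt",
    r"C:\Users\alice\AppData\Local\Temp\example.txt",
    r"C:\Tools\example.txt.bak",
    r"C:\Tools\notes.txt",
]

# Constructed patterns: one with '**', two with single '*'.
PATTERNS = [
    r"**\example.txt",
    r"C:\Tools\*.txt",
    r"C:\Tools\*\example.txt",
]

if __name__ == "__main__":
    for pattern, result in audit(PATTERNS, SAMPLE_PATHS).items():
        print(f"{pattern}: {result['directories']} director(y/ies)")
        for path in result["matches"]:
            print(f"    {path}")
```

In this sample the `**` pattern covers three directories, including a per-user temporary folder, while each single-asterisk pattern stays within one directory.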

Network Inventory

New options to avoid duplicates of cloned endpoints are available in Configuration > Network Settings:

  • Select Applies to cloned physical endpoints that are joined in Active Directory to resolve cloned HDD drives from decommissioned machines.

  • Select Applies to cloned virtual endpoints that are joined in Active Directory to resolve clones created using VMware Instant Clones.

MSP & Partners

  • Changing the product type in the company configuration page triggers a warning message that recommends users to reconfigure the security agents accordingly before the existing product expires on endpoints.

    The new notification Product type has changed reminds users of the same details and is sent seven, three and one day before the grace period ends.

  • The Monthly License Trial license type now includes Bitdefender EDR feature, so you can enjoy the full GravityZone experience.

Sandbox Analyzer

Increased the length limit for detonated URLs from 500 to 1000 characters.


  • The Antiphishing Activity report provides more clarity as it now includes the action taken on each event (Blocked or Detected), when clicking the number in the Detected Websites column. The action is also specified in the Antiphishing event notification.

  • The Security Audit report includes a new event type, Detected Website, which is available in the report details and in the CSV file.

Resolved issues


Fixed a minor issue where Customer companies could select another company in the network when creating an installation package.

MSP & Partners

Fixed an issue where Partner companies with Monthly License Trial could not create trial child companies because of missing Product Type options.

September 2020

GravityZone (Cloud-based) Release Notes for September 2020 Update

New features

Security Telemetry

  • We now offer you the possibility to obtain raw security data from your endpoints right into a SIEM solution. Use this feature if you need a deeper analysis and correlation of the security events in your network. Because we care about system performance and a low footprint of exported data, we are filtering out redundant information.

Check out the new General > Security Telemetry section of the security policy to enable and configure this feature, and the endpoint’s Information page to verify the connection status between the endpoint and the SIEM.


Available only for Windows endpoints and Splunk via HTTPS (TLS 1.2 or higher required).



  • New widgets in the Risk Management Dashboard to show you how many users and devices were scanned across your network.

MSP & Partners

  • As a Bitdefender Partner, you can now disable seat reservation for Partner companies. The option is available unless the company has minimum usage configured.

  • As a Partner with a monthly subscription, you will have access to a more detailed view of the Email Security activity in the dashboard of the companies under your direct management (for example, the sender, receiver, and attachments).

  • Added an error message when trying to move a company with minimum usage under a Partner with fewer license seats.


  • Forget about redeploying the agent to apply a fix from an update. Just run the new Repair task in the Network page.


  • The new notification Partner Changed informs you when a managed company has moved under a different Partner.

  • License Usage Limit Has Been Reached now includes the list of endpoints left unlicensed within the past 24 hours because the license limit was exceeded.

Public API

  • EDR events are now available via Push API in JSON, CEF and Splunk formats. For this purpose, we added new-incident to subscribeToEventTypes. For more information, refer to the Push > Event Types section of GravityZone API documentation.

  • getInstallationLinks and downloadPackageZip now provide full installation kits.

  • As a Bitdefender Partner, you can now remove slot reservation for all child companies with one API call. For this purpose, set the new parameter removeReservedSlots in setMonthlySubscription.

March 2020

(Cloud-based) Release Notes for March 2020 Update

This section informs you about the changes delivered with the update in March 2020.

Minimum requirements:
  • Security Agents: [version number] - Windows, [version number] - Linux, [version number] - macOS

  • Security Server: [version number] - Multi-Platform, [version number] - NSX-T, [version number] - NSX-V, [version number] - vShield

New features

Single sign-on (SSO)

Added single sign-on (SSO) authentication capability using the SAML 2.0 standard. The SSO options are available as follows:

  • In the new Configuration > Authentication Settings page, for your company.

  • In the Companies page, for companies you manage.

  • In the Accounts page, for GravityZone users.


The Security bundle now includes the Incidents feature, where we provide the Root Cause Analysis of threats detected and blocked by our preventive technologies, with complex incident filtering options and graphic representation of incidents, as well as isolation, blocklisting, and remote connection capabilities.


introduces the Scan for IOC technology, enabling you to scan your environment for known indicators of compromise in real-time and generate detailed reports.

The Incidents page went through a significant visual and functional transformation, enhancing your experience when analyzing threats in your environment, as follows:

  • The new Overview bar displays open incidents, top alerts, techniques and affected devices, as well as specific filtering capabilities

  • The incidents list is now a fully customizable filterable grid with add/remove columns, for easier content management.

  • The Change Status menu introduces the option to mark incidents as false-positive and leave bulk notes for later consultation.

  • The detailed information for each incident, and their graphic representation and timeline, are now available in quick view mode.

  • The Graph tab unravels a multi-phase representation of staged attacks, as well as in-graph search capabilities.

  • The Node Details panel is now grouping information into more meaningful categories. Above that, the panel is fully expandable, to improve readability.

  • introduces the remediation of Common Vulnerability Exposures of applications currently installed in your environment.

  • The Risk Management Dashboard has been completely redesigned to improve visualization and enhance your experience while assessing the overall level of risk your company may be facing.

  • The company risk score is now calculated by taking into account a wide list of indicators of risks and known application vulnerabilities, showing you its evolution in time.

  • The new score breakdown, and top misconfigurations and vulnerable application widgets make it easier to see where your environment is more vulnerable to attacks and which devices are affected the most.

  • The devices by severity widgets show you exactly how impacted the servers and workstations under your management are by risks and vulnerabilities.

  • The new Security Risk page provides complex filtering options for indicators of risk, application vulnerabilities and devices. Risks in each category can be easily mitigated through the recommendations and actions provided in their Details Panel.

  • The Companies View page is a new feature included in for MSP, providing a comprehensive overview of the overall risk faced by every company under your management, making it easy for you to assess and eliminate risks separately for each of your customers.


You can now configure s’ cache sharing so that you can enable/disable it or restrict it to s from the same network. Not to worry about bandwidth consumption between sites anymore. The settings are available in the Configuration > s Settings page.


Easily remove installed security solutions from your environment when upgrading to a full product license. The feature is ON by default and will remove any existing security software that creates conflicts when installing the protection modules.

Network Inventory (MSP only)

  • Partners (Company Administrator and Partner roles) are now able to move endpoints directly between the companies they manage by dragging and dropping endpoints in the Network page.

  • More comprehensive error messages when moving companies under other Partners.


We eased firewall configuration with the new option to import and export rules.


You can now set rules to exclude drives from encryption.

Remote troubleshooting

  • introduces Cloud as a new storage option for collected logs.

  • Remote troubleshooting is now available for Multi-Platform.

  • You can now restart a troubleshooting session while maintaining its previous settings.

Monthly subscription trials

Two new trial options: Monthly License Trial (Partners only) and Monthly Subscription Trial. Trial companies have access to all features and add-ons available with . The Monthly License Trial is valid for 45 days and covers 25 endpoints.


The Monthly License Usage report includes significant enhancements to simplify add-ons billing per usage:

  • Displays usage and status for all add-ons, including the latest ones, such as Patch Management, (Virtual Servers and Virtual Desktop Infrastructure), Advanced Threat Security, and .

  • Provides more information on each company’s type and monthly subscription and on each endpoint’s installed modules, like Network Attack Defense and Advanced Anti-Exploit.

  • Includes the option to generate the report only for direct companies, ignoring their child companies.

  • The report has some columns renamed. If you use the CSV file to extract usage information into external systems, please see the details here.


  • View portlets in a single scrolling page and update all the information at once using the Refresh Portlets button.

  • Added time filtering for the Endpoint Protection Status, Policy Compliance and Update Status portlets.

Two-factor authentication (2FA)

We moved the 2FA settings of your company in the new Configuration > Authentication Settings page.

What’s New

Rushing to solve a problem and What’s New gets in the way? No more. We wrapped it gently in a gift box next to the Notifications icon. It will showcase the new features in a compact side panel.

Amazon EC2 Integration

Added hourly billing support for the new EC2 instance types.

Event Push Service API

  • New agent-related events for all supported operating systems are now available via JsonRPC, CEF and Splunk. These events refer to agent installation/removal, endpoint move, and hardware ID changes.

  • Added detection timestamps to antimalware (av) and Advanced Threat Control (atc) events. The field is named BitdefenderGZDetectionTime.

Removed features


Removed the Malware Activity report. You can use the Security Audit report instead.


Removed the Malware Activity portlet.


Removed support for scanning Mapped Network drives when On-Demand Device Scanning is used.

Resolved issues

Content Control

Policy inheritance did not work for specific web categories.

January 2020

(Cloud-based) Release Notes for January 2020 Update

This section informs you about the changes delivered with the update in January 2020.



Added the following details to the HyperDetect Activity notification:

  • Parent process name

  • Parent process ID

  • Command line (if available)

Public API

Partners can now use the Companies API to enforce two-factor authentication. For this purpose, the following methods have been updated: createCompany, updateCompanyDetails and getCompanyDetails.

Removed features

Installation kits for Windows Legacy

We removed all options to download installation kits for Windows legacy versions such as Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

For more information related to this subject, refer to these KB articles:

October 2019

Last revised: 2019-10-16

Minimum agent version:

Minimum Security Server Multi-Platform version:

New features

Email Security

New Email Security service with complete email flow control and protection against spam, targeted phishing and impersonation attacks. Email administration incorporates management and analytics tools.

Email Security management provides the following:

  • Deployment through domain MX record redirect.

  • Customizable policy engine to control email delivery and filter messages through a comprehensive rule builder.

  • Company-wide quarantine.

  • Connection rule configuration to monitor connection attempts to or from your mailboxes.

  • Safe and Deny lists configuration for companies or individual users.

  • Mailbox synchronization through Azure Active Directory and manual import.

  • DNS record configuration with support for SPF, DKIM and DMARC.

The Analytics section delivers:

  • Real-time visibility through email flow charts, rules triggered, and actions taken.

  • Customizable reports for specific events. 

  • Scheduled reports and alerts for specific rules, actions or content

Network Attack Defense

A brand-new powerful technology focused on detecting network attack techniques designed to gain access to specific endpoints, such as brute-force attacks, network exploits, and password stealers.

The Network Attack Defense settings are available under the new Network Protection policy section. A specific notification informs you about incidents in your network, while the Network Incidents report will provide more insight about these detections.


To use the Network Attack Defense module, you need to install it on endpoints. For existing installations, run a Reconfigure Client task with Network Attack Defense selected. For new deployments, edit the installation package to include this module.

Remote troubleshooting

The endpoint information page includes a new Troubleshooting tab, from where you can collect basic and advanced logs remotely. You can start a debug session, so that GravityZone collects the logs while the issue is being reproduced. This will help our technical support specialists perform an in-depth analysis of the issue and provide a resolution faster.

You can save the collected data on a network share, on the target endpoint or on both.


From now on we speak Chinese!



Seriously now, you can switch the GravityZone interface to Simplified Chinese, if you please.



The Incidents page went through a major visual and functional makeover, now providing enhanced investigation capabilities.

The Graph tab displays the critical path and all side elements in a fit-to-screen vertical tree. Plus:

  • An interactive incident graph behavior with highlight of node and alternate path to endpoint on mouse-over, and same type elements grouped in expandable clusters.

  • The Filters and Navigator floating menus that allow easy customization and navigation of the incident map.

  • New Node Details, Incident Info and Remediation side panels with collapsible sections that provide information for each element, actions and recommendations to mitigate an attack.

  • Suspicious and malicious nodes now display alerts in their details panel, describing what was detected and how it might be exploited, in accordance with MITRE tactics and techniques.

The Remote Connection tab is now available as an action button on the endpoint node's details panel.

  • Anomaly Detection - a baselining module that spots anomalies in how the system is functioning

  • Network Attack Defense – a new security layer that identifies network-specific breaches

  • Advanced Anti-Exploit – a recently released security layer that detects the most evasive exploits

  • AMSI - detections made by the Windows Antimalware Scan Interface (AMSI)

Two-factor authentication (2FA)

With this update, two-factor authentication is enabled by default when creating a company. When disabling 2FA, you will be prompted with a confirmation message before the changes come into effect.

Company accounts

MSP partners now have the option to add up to five custom fields in their Monthly License Usage report for storing third party or other custom data and facilitating billing automation.

A new page is now available under Companies > Custom Fields, with two sections where you can manage and import data for these fields. You can view the custom fields also when creating or editing a company.


  • Integrating new modules to deployed agents is like playing with modeling clay. We have made the reconfiguring process more flexible.

  • You can choose to install Bitdefender security agents without removing the security software from other vendors. This means zero protection gap and faster deployment.

    Just remember, you’re doing this at your own risk. Some security solutions may affect the Bitdefender installation. Once you are protected by Bitdefender, you can manually remove any previously installed security solution.

Network Inventory

  • Goodbye to unused virtual machines from your network inventory. The new Configuration page offers you the option to schedule automatic cleanup tasks.


  • The new Antimalware > On-Execute section covers Advanced Threat Control and Fileless Attack Protection

  • Network Protection, another new policy section, exposes the new Network Attack Defense technology and shields the Content Control features.

  • Content Control went through a big transformation as well:

    • The old Traffic, Web, Data Protection, and Applications sections have been re-organized into new General, Content Control, and Web Protection sections.

  • The new Network Attacks section exposes the Network Attack Defense technology and its settings.

  • The new Global Exclusions option, in the General section, replaces the previous separated Traffic Scan and Antiphishing exclusions. During update, the existing policies will be automatically migrated to the new global exclusions.

  • Network Protection replaces the previous Content Control module in the Inheritance Rules settings.

  • The GravityZone reports keep tracking the Content Control features, but also include information on Network Attack Defense.

  • Location-based policies are now aware of the hostname too. You can define assignment rules based on the endpoint’s hostname.

  • The Indicators of Risk (IOR) have been reclassified into new and more meaningful categories for increased efficiency in risk analysis and management.

Sandbox Analyzer

  • Results from detonation analysis are available with new information-rich reports in HTML format. These reports contain details such as: malware classification, process-level view, network activity, timeline view, registry keys and mutex objects accessed, file system modifications, IOC attributes.

  • The Filters area is expanded by default, so it is easier for first-time users to discover all the options available with the submission cards.

  • Under the Submission Type filtering category, the Automatic option has been renamed to Endpoint Sensor.

Advanced Anti-Exploit

Three new detection techniques are available: VBScript Generic, Shellcode EAF (Export Address Filtering), and Emerging Exploits. These detections will be present from now on in the Security Audit and Blocked Applications reports. Plus, User Activity now includes logs related to Advanced Anti-Exploit.

Patch Management

Added the option to limit reboot postponement to a maximum of 48 hours after new patches are installed. When the set amount of time expires, endpoints will automatically reboot. Endpoint users will receive a notification regarding this action.


The Endpoint Modules Status report now includes information on Sandbox Analyzer and HyperDetect.


  • MSP partners can enable Email Security and get the usage report via the public API.

  • All GravityZone reports are now available via API as well.

  • We have made some improvements here and there:

    • createReconfigureClientTask is updated with the latest changes

    • getManagedEndpointDetails returns all installed modules on a managed endpoint

    • setMonthlySubscription allows Bitdefender Partners to revoke seat reservation from companies with monthly licensing

    • getQuarantineItemsList has new filtering options

Resolved issues


Disabling the Endpoint Issues Visibility option in the Notifications policy section does not disable sub-features as well.


Some partners were receiving daily License Expires email notifications against their notification settings. We added a new option to filter managed companies that may trigger such notifications.

November 2019

(Cloud-based) Release Notes for November 2019 Update

This section informs you about the changes delivered with the update in November 2019.


Amazon EC2 integration

  • now replicates the instances inventory from region EU Stockholm.

  • The hourly billing engine for AWS Marketplace subscribers now includes all newer EC2 instance types.

Endpoint Risk Analytics (ERA)

  • Added new Indicators of Risk:

    • Macro settings for Microsoft Office applications

    • Credential storage for several applications including some of the most popular browsers and email management tools out there

  • Added new recommendations to better manage Local Group policies.


  • Updated the Add URL as exception action button to change dynamically into Add IP as exception, when the domain node is an IP instead of a URL.

Network Inventory

  • A new type of entity in Network Inventory: golden image

    Mark the endpoints you use for creating clones and avoid duplicates in Network Inventory. Keep track of your golden images by using the available filters.


    This feature is disabled by default. To enable it, select Avoid duplicates of cloned endpoints in Configuration > Network Settings.

  • More relevant messages in when Mac clients have issues. For example, now you know if macOS hasn’t granted the agent permissions such as access to the disk drive.

Public API

  • You can now check the usage of the following features:

    • (Virtual Servers, and VDI)

    • Advanced Threat Security (HyperDetect and Sandbox Analyzer)

    • Patch Management

    • Email Security

    • EDR

    For this purpose, use the getMonthlyUsage method.

  • The getAccountsList method now returns details about 2FA status.

Resolved issues


  • Incident graph was moving outside the display area when Hide nodes was used.

  • More Details button in Navigator menu no longer worked when closing the Node Details panel.

  • Command lines were not displayed properly in the Node Details panel.

  • Adding an exception for a domain node (by clicking the Add URL as exception) would not work when the domain was an IP/Mask instead of a URL.

  • Clicking a notification for a new EDR incident was causing an error.


  • Indicators of Risk lane was not loading in Full-screen mode.

  • Some IOR rules were not being displayed properly in the Device Risk Lane > Details section.

Email Security

  • Email addresses of previously deleted users were not available to new accounts.

  • Email Security was unavailable to Partners when the Manage Companies rights were missing.

  • Added links to guides in the Help & Support page.

Device Control

  • Deleting a Device Control exclusion from the policy also deleted the first item in the list.


  • Some texts and images were untranslated.

Network Inventory

  • Endpoints appeared duplicated in Network Inventory due to system cloning. We introduced a new entity in Network Inventory, called golden image, to avoid such situations. For details, check the Improvements section.


  • Duplicates of some scheduled reports were sent to email.

March 2019



  • Live Response via Terminal Sessions

    Establish remote sessions with endpoints from GravityZone Control Center and execute commands in real-time on their operating system:

    • Use the Remote Connection tab added to each incident page to establish a terminal session with the involved endpoint.

    • Run commands on endpoint in the terminal session to remediate the threat immediately (delete files, terminate processes) or collect data for further investigation (list files, processes, registry keys information).

  • Leverage the network isolation action to all Windows operating systems

    The Isolate action for endpoint nodes in incident views is now available for both Windows desktop and server operating systems, whether or not the Firewall module is available on the endpoint.

  • Better visibility on important incidents

    Two new tabs added to the Incidents page help you discriminate between incidents requiring immediate action and the threats already blocked by Bitdefender. All suspicious activity requiring action and investigation appears under Investigate tab, while the Review tab reveals threats contained by automatic block actions.

  • Select and edit multiple incidents at once

    New option to change the status of multiple incidents at the same time from the Incidents page. You can select multiple incidents while navigating through several entries, and then easily change their status using the Bulk Operations button.

Full Disk Encryption

  • Encryption on macOS is now performed by FileVault for the boot drive and by the diskutil command-line utility for the non-boot drive.

  • GravityZone now takes ownership of macOS boot drives encrypted with FileVault.

Sandbox Analyzer

  • You can now submit password-protected archives from the Manual Submission page.

Windows Defender ATP Integration

  • A new and optimized integration flow based on Microsoft Azure Active Directory, replacing the existing one. If you have an active integration, follow these guidelines.

  • New event types (Process create, User session, and Network connections).

  • Added response actions from Windows Defender Security Center (Trigger remote scan, Isolate machine).


Future updates related to this integration will be available only for GravityZone Ultra Security. If you want to receive these updates, consider upgrading your GravityZone solution.


  • You can now receive notifications for license usage on servers.

  • Syslog events are now available in Common Event Format (CEF) via Event Push Service API.


The malware status reported by endpoints is now more accurately calculated and displayed in GravityZone reports and portlets:

  • The Still Infected status has been changed to Unresolved.

  • Removed the reporting interval options containing "last" ("last week" or "last 2 months") from scheduled reports.


    This change affects all existing scheduled reports. You may need to edit your scheduled reports and select another reporting interval option.


  • Improvements in policy assignment and deployment troubleshooting.

Deprecated features
  • The Malware Activity report has become deprecated. The malware information from this report will be moved to another report in a future update.

Resolved issues
  • Corrected the error messages displayed when creating the AWS integration with incorrect ARN / external ID.

  • Several minor bug fixes regarding GravityZone Control Center functionalities.

June 2019

Last revised: 2019-07-17

Minimum BEST version:

Minimum Security Server Multi-Platform version:

New features

Endpoint Risk Analytics

This update brings Endpoint Risk Analytics, a brand-new feature designed for effectively identifying, assessing and remediating endpoint weaknesses. GravityZone exposes this new feature in the following areas:

  • Risk Management policy section, including a risk scan scheduler.

  • New Risk Scan task available from the Network page.

  • Risk Management Dashboard, providing several panels with risk information, one-click resolve action per endpoint and recommendations for exposure mitigation.

Advanced Anti-Exploit

Powered by machine learning, this new proactive technology stops zero-day attacks carried out through evasive exploits. Advanced Anti-Exploit catches the latest exploits in real-time and mitigates memory corruption vulnerabilities that can evade existing solutions.

This security layer is pre-configured with the recommended security settings and you can customize it from the Antimalware > Advanced Anti-Exploit policy section.

You can view Advanced Anti-Exploit events in the Security Audit, Blocked Application, Endpoint Module Status reports.


This security layer addresses Windows-based systems.


Implemented a new Load Balancing mechanism between endpoints protected through BEST with Central Scan and the Security Servers. You can now choose to distribute the load evenly between the assigned Security Servers.



  • Added full support for incidents detection and response actions, root cause analysis and MITRE events on Linux OS endpoints.

  • Enriched the Search section with several predefined queries, covering the most useful investigation scenarios.

    Improved security event visualization from the Search page:

    • New panel in the graph area displaying the actions and their states for the selected event node in a single view.

    • New Further Investigation section in the node details area, outlining the additional analysis through Sandbox, Virus Total and Google.

Sandbox Analyzer

  • Expanded the list of supported file types that can be automatically submitted to Sandbox Analyzer.

  • Added content pre-filtering capabilities for submitting files to the Sandbox Analyzer. This functionality is configurable in a new policy section.

  • Added error messages for failed detonations in the submission card section on the Sandbox Analyzer page.


  • A major increase of the scanning speed in VDI environments due to the new scan cache sharing protocol between Security Servers. To benefit from this feature, enable port 6379 to allow traffic between Security Servers.

  • Two new statuses for Security Server load: Near overloaded and Near underloaded.

  • New custom exclusion types by file hash, certificate thumbprint, threat name, and command line.

  • Ability to define custom exclusions by using wildcards:

    • Asterisk (*) for one or more characters.

    • Question mark (?) for a single character.

  • New option to add folder exclusions for ATC/IDS. With this release, existing folder exclusions remain configured for on-access and on-demand scanning. To add ATC/IDS as well, you need to select the corresponding check box in the Modules column.

Storage Protection

You can now use a secured connection between Security Servers and the protected NAS servers, provided they use SSL over ICAP.


Optimized the Control Center workspace with the new display modes of the menu: expanded, collapsed (icon view) and hidden.

Update System

Replaced the antimalware signatures with a new method to identify known and unknown malware, called Security Content.

Resolved issues

Sandbox Analyzer

Analysis results from a manual submission could not be retrieved if a proxy was in place.

Update System

In Control Center, weekly recurrence for antimalware updates was resetting upon return, if set only on Sunday. This was only a display issue, the setting being sent correctly to the security agent.


Removed the ghost folders that appeared on some Partner accounts.


Security Server Load Balancing – Equal distribution mode had limited functionality. The scan load was not distributed equally between Security Servers.

Known issues


  • The new custom exclusion types are not available for custom scanning tasks from the Network page.

  • The following exclusion types for ATC/IDS are available only for Windows desktop operating systems:

    • Process with wildcards

    • File hash

    • Detection name

    • Detection name with wildcards

    • Command line

  • Certificate thumbprint exclusions are not available for ATC/IDS.

View the full list of known issues for GravityZone Cloud platform.

February 2019


Sandbox Analyzer

  • New perspective on submissions

    • Advanced reporting interface, in the main menu, offering a single pane of glass view with all samples that were submitted to Sandbox Analyzer.

      The info cards based interface adds detailed information about each submission like:

      • Sample name.

      • Submission time.

      • Submission type – automatic or manual.

      • Source – endpoint name.

      • Analysis result – clean, infected or unsupported.

      • Severity score – shows how dangerous the sample is.

      • Files and processes involved in the sample’s actions.

      Each card includes a link to a submission report, where you get even more data.

    • While displaying all new submissions, the reporting interface shows the old manual submissions made before this update as well.

    • Over time, as more functionality is added to it, this reporting interface will replace the Sandbox Analyzer Results report, which from now on has the status deprecated.

    • As an MSP, you see only your own company's submissions in this interface. Submissions of Customer companies are available in the Sandbox Analyzer Results report. Also, with this release, the Sandbox Analyzer Detection notification points to:

      • The new interface for submissions of your company.

      • The Sandbox Analyzer Results report for submissions of Customer companies.

  • New manual submission options

    • You can use these new options when submitting samples:

      • Submit URLs.

      • Define command-line arguments for sample analysis.

      • Set a time limit for analysis execution, the number of reruns and the internet access during analysis.

      • Exclude samples previously analyzed.

    • The Manual Submission page is now accessible from the main menu and from the new reporting interface.

  • User interface improvements at automatic submission in the security policy settings.

Public API

  • Hyper Detect events are now available in Event Push Service API.

  • Improved the mechanism of generating API keys. You will notice significantly longer API keys. The existing API keys continue to work as before this update, but it is recommended to replace them with new ones.

Resolved issues
  • In some situations, GravityZone administrators could not modify security policies because the Save button was disabled.

  • Improved the error message for AWS integration when using invalid ARN or ExternalID.

  • Addressed a security issue that could affect manual submission to Sandbox Analyzer.

  • Sometimes, Control Center was displaying inconsistent encryption status for the same endpoints.