ON PREMISES SOLUTIONS

Operation

Scan task

Aside from configuring the Antimalware module in the policy settings, you can run scans at any time on any managed endpoints by using the corresponding task in the Network page.

For details about the Scan task, refer to this section.

Scheduling an antimalware scan task in GravityZone

This section describes how to define a scheduled antimalware scan task from GravityZone Control Center via security policies.

With GravityZone Control Center, you can run an antimalware scan at any time on specific endpoints in your network, using the Tasks > Scan command from the Network page.

At the same time, you can configure a recurrent scan task to run automatically on target endpoints at a scheduled interval via the policy applied to these endpoints.

The following procedure explains how to schedule a scan task using the GravityZone policies.

  1. Log in to GravityZone Control Center using an account with Manage Networks rights.

  2. Go to the Policies page.

  3. Click the policy you want to edit (or create a new one). The policy must be applied to the endpoints where you want to run the scheduled scan.

  4. In the policy settings, go to Antimalware > On Demand.

  5. Under Scan Tasks, click Add and select the scan type that you want.


    Note

    You can run the following types of antimalware scan:

    • Quick Scan, which uses in-the-cloud scanning to detect malware running in the system. Running a quick scan usually takes less than a minute and uses a fraction of the system resources needed by a regular virus scan.

    • Full Scan checks the entire endpoint for all types of malware threatening its security, such as viruses, spyware, adware, rootkits and others.

    • Custom Scan allows you to choose the specific locations to be scanned and to configure the scan options.

    • Network Scan is a type of custom scan, which allows assigning one endpoint to scan network drives, then configuring the scan options and the specific locations to be scanned. For network scan tasks, you need to enter the credentials of a user account with read/write permissions on the target network drives, for the security agent to be able to access and take actions on these network drives.

  6. Configure the scan task options as you want. To send the scan task recurrently to target endpoints, go to the General tab > Scheduler section and configure the following settings:

    • Start date and time. Specify the time when the scan task starts.

      Note

      The scheduled scan will run at the target endpoint local time. For example, if the scheduled scan is set to start at 6:00 PM and the endpoint is in a different timezone than Control Center, the scanning will start at 6:00 PM (endpoint time).

    • Define the scan recurrence interval by choosing one of the following options:

      • Specify the recurrence frequency and period (hour, day or week), starting with the specified time and date.

        For example, the task will run every 2 days, starting from October 5 at 00:30.

      • Specify a weekly scan by selecting at least one day of the week when the scan task will run.

    • Optionally, you can specify what happens when the scan task could not start at the scheduled time (the endpoint was offline or shut down). Use the option If scheduled run time is missed, run task as soon as possible according to your needs:

      • When you leave the option unchecked, the scan task will attempt to run again at the next scheduled time.

      • When you select the option, you force the scan to run as soon as possible. To fine-tune the scan timing and avoid disturbing the user during work hours, select Skip if next scheduled scan is due to start in less than, then specify the interval that you want.

  7. Click Save to create the scan task.

  8. Save the policy to apply the settings to target endpoints.

Note

  • Endpoints must be powered on when the schedule is due. A scheduled scan will not run when due if the machine is turned off, hibernating or in sleep mode. In such situations, the scan is postponed until the next scheduled time.

  • The scan is performed silently in the background, regardless of whether a user is logged in to the system.

  • Though not mandatory, it is recommended to schedule a comprehensive system scan to run weekly on all endpoints. Scanning endpoints regularly is a proactive security measure that can help detect and block malware that might evade real-time protection features.
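The Scheduler semantics described in step 6 and the note above, as an added example that is not Bitdefender code: a small Python model of an endpoint-local start time, an hour/day/week or weekday recurrence, and the two missed-run options, run on the page's own "every 2 days, starting from October 5 at 00:30" schedule. The class and function names, the constructed UTC-4 endpoint zone and the six-hour skip threshold are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone, tzinfo
from itertools import takewhile
from typing import FrozenSet, Iterator, List, Optional

PERIODS = {"hour": timedelta(hours=1), "day": timedelta(days=1), "week": timedelta(weeks=1)}


@dataclass(frozen=True)
class ScheduledScan:
    """Scheduler settings as described under General tab > Scheduler (names are this example's own)."""
    start: datetime                  # naive wall-clock value; read in the endpoint's local time zone
    every: int = 1                   # recurrence count: every=2 with period="day" means every 2 days
    period: str = "day"              # "hour", "day" or "week"
    weekdays: FrozenSet[int] = frozenset()   # alternative: weekly scan on these days (0=Mon .. 6=Sun)
    run_if_missed: bool = False      # "If scheduled run time is missed, run task as soon as possible"
    skip_if_next_within: Optional[timedelta] = None  # "Skip if next scheduled scan is due to start in less than"

    def occurrences(self, endpoint_tz: tzinfo) -> Iterator[datetime]:
        """Scheduled run times in endpoint local time, from the start date onward."""
        t = self.start.replace(tzinfo=endpoint_tz)
        if self.weekdays:               # weekly mode: same time of day on each selected weekday
            while True:
                if t.weekday() in self.weekdays:
                    yield t
                t += timedelta(days=1)
        step = PERIODS[self.period] * self.every
        while True:                     # interval mode: fixed step from the start time
            yield t
            t += step

    def next_due(self, after: datetime, endpoint_tz: tzinfo) -> datetime:
        """First scheduled run strictly after `after`. Aware datetimes compare in absolute time,
        so a Control Center clock in UTC and an endpoint clock in another zone line up correctly."""
        return next(t for t in self.occurrences(endpoint_tz) if t > after)

    def missed_between(self, last_seen: datetime, now: datetime, endpoint_tz: tzinfo) -> List[datetime]:
        """Runs that fell due while the endpoint was off (powered down, hibernating or asleep)."""
        return [t for t in takewhile(lambda t: t <= now, self.occurrences(endpoint_tz)) if t > last_seen]

    def on_wake(self, last_seen: datetime, now: datetime, endpoint_tz: tzinfo) -> str:
        """Decision when an endpoint off since `last_seen` comes back at `now`: 'wait' (nothing missed,
        or option unchecked: run at the next scheduled time), 'skip' (missed, but the next run is due
        sooner than the skip threshold) or 'run-now' (missed and the option is checked)."""
        if not self.missed_between(last_seen, now, endpoint_tz) or not self.run_if_missed:
            return "wait"
        until_next = self.next_due(now, endpoint_tz) - now
        if self.skip_if_next_within is not None and until_next < self.skip_if_next_within:
            return "skip"
        return "run-now"


UTC = timezone.utc
ENDPOINT_TZ = timezone(timedelta(hours=-4))   # constructed: endpoint clock four hours behind Control Center


def demo() -> dict:
    """Constructed scenario built on the page's 'every 2 days, starting October 5 at 00:30' example."""
    scan = ScheduledScan(start=datetime(2024, 10, 5, 0, 30), every=2, period="day",
                         run_if_missed=True, skip_if_next_within=timedelta(hours=6))
    off_since = datetime(2024, 10, 4, 12, 0, tzinfo=ENDPOINT_TZ)        # endpoint shut down here
    back_mid = datetime(2024, 10, 7, 12, 0, tzinfo=ENDPOINT_TZ)         # next run 36.5 h away
    back_late = datetime(2024, 10, 8, 22, 0, tzinfo=ENDPOINT_TZ)        # next run only 2.5 h away
    weekly = ScheduledScan(start=datetime(2024, 10, 5, 18, 0), weekdays=frozenset({0, 2}))  # Mon, Wed
    return {
        # 00:30 endpoint time is 04:30 on Control Center's UTC clock
        "first_run_utc": scan.next_due(datetime(2024, 10, 1, tzinfo=UTC), ENDPOINT_TZ).astimezone(UTC).isoformat(),
        "missed_while_off": [t.isoformat() for t in scan.missed_between(off_since, back_mid, ENDPOINT_TZ)],
        "wake_mid_cycle": scan.on_wake(off_since, back_mid, ENDPOINT_TZ),     # missed scan runs now
        "wake_near_next": scan.on_wake(off_since, back_late, ENDPOINT_TZ),    # skipped: next run < 6 h
        "wake_option_off": ScheduledScan(start=scan.start, every=2).on_wake(off_since, back_mid, ENDPOINT_TZ),
        # Oct 5 2024 is a Saturday, so the first Monday/Wednesday run is Monday Oct 7 at 18:00 local
        "weekday_next": weekly.next_due(off_since, ENDPOINT_TZ).isoformat(),
    }
```

Calling `demo()` shows the two runs missed while the endpoint was off and how the same missed run is executed immediately, skipped, or deferred depending on the two options.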

Quarantine

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

The quarantine is an encrypted folder that contains potentially malicious files, such as malware-suspected, malware-infected or other unwanted files. When a virus or other form of malware is in quarantine, it cannot do any harm because it cannot be executed or read.

GravityZone moves files to quarantine according to the policies assigned to endpoints. By default, files that cannot be disinfected are quarantined.

The quarantine is saved locally on each endpoint, except for the VMware vCenter Server integrated with vShield Endpoint and with NSX, where it is saved on the Security Server.

By default, quarantined files are automatically sent to Bitdefender Labs to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware. In addition, quarantined files are scanned after each malware signature update. Cleaned files are automatically moved back to their original location. These features are configured per security policy in the Policies page, and you can choose whether to keep or deactivate them.

Important

Quarantine is not available for mobile devices.

Exploring the quarantine

The Quarantine page provides detailed information regarding the quarantined files from all endpoints you manage.


The Quarantine page consists of two views:

The views selector at the upper side of the page allows switching between these views.

Information about quarantined files is displayed in a table. Depending on the number of managed endpoints and the infection degree, the Quarantine table can include a large number of entries. The table can span several pages (by default, only 20 entries are displayed per page).

To move through the pages, use the navigation buttons at the bottom of the table. To change the number of entries displayed on a page, select an option from the menu next to the navigation buttons.

For better visibility of the data you are interested in, you can use the search boxes in the column headers to filter the displayed data. For example, you can search for a specific threat detected in the network or for a specific network object. You can also click the column headers to sort data by a specific column.

To make sure the latest information is displayed, click the Refresh button at the upper side of the table. This may be needed if you have been on the page for a while.

Computers and virtual machines quarantine

By default, quarantined files are automatically sent to Bitdefender Labs to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware. In addition, quarantined files are scanned after each malware signature update. Cleaned files are automatically moved back to their original location. These features are configured per security policy in the Policies page, and you can choose whether to keep or deactivate them. For more information, refer to Quarantine.

Viewing the quarantine details

The Quarantine table provides you with the following information:

  • The name of the endpoint the threat was detected on.

  • The IP address of the endpoint the threat was detected on.

  • Path to the infected or suspicious file on the endpoint it was detected on.

  • Name given to the malware threat by the Bitdefender security researchers.

  • The date and time when the file was quarantined.

  • The status of the action requested to be taken on the quarantined file.

Managing the quarantined files

The behavior of the quarantine is different for each environment:

  • Security for Endpoints stores the quarantined files on each managed computer. Using Control Center you have the option to either delete or restore specific quarantined files.

  • Bitdefender Endpoint Security Tools Relay (Multi-Platform) stores the quarantined files on each managed virtual machine. Using Control Center you have the option to either delete or restore specific quarantined files.

  • Bitdefender Endpoint Security Tools Relay (integrated with VMware vShield Endpoint or NSX) stores the quarantined files on the Security Server appliance. Using Control Center you have the option to delete quarantined files or download them to a location of your choice.

Restoring quarantined files

On particular occasions, you may need to restore quarantined files, either to their original location or to an alternate location. One such situation is when you want to recover important files stored in an infected archive that has been quarantined.

Note

Restoring quarantined files is only possible in environments protected by Security for Endpoints and Bitdefender Endpoint Security Tools Relay (Multi-Platform).

To restore one or more quarantined files:

  1. Go to the Quarantine page.

  2. Choose Computers and Virtual Machines from the views selector available at the upper side of the page.

  3. Select the check boxes corresponding to the quarantined files you want to restore.

  4. Click the Restore button at the upper side of the table.

  5. Choose the location where you want the selected files to be restored (either the original or a custom location on the target computer).

    If you choose to restore to a custom location, you must enter the absolute path in the corresponding field.

  6. Select Automatically add exclusion in policy to exclude the files to be restored from future scans. The exclusion applies to all policies affecting the selected files, except for the default policy, which cannot be modified.

  7. Click Save to request the file restore action.

    The pending status is shown in the Action column.

  8. The requested action is sent to the target endpoints immediately or as soon as they get back online.

    You can view details regarding the action status in the Tasks page. Once a file is restored, the corresponding entry will disappear from the Quarantine table.

Downloading quarantined files

In VMware virtualized environments integrated with vShield Endpoint or NSX, the quarantine is saved on the Security Server. If you want to examine or recover data from quarantined files, you must download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection.

To open the archive and extract its content, you must use the Quarantine Tool, a Bitdefender standalone application that does not require installation.

Quarantine Tool is available for the following operating systems:

  • Windows XP or newer

  • Most Linux 32-bit distributions with a graphical user interface (GUI).

Note

Quarantine Tool does not have a command line interface.

Warning

Use caution when extracting the quarantined files because they can infect your system. It is recommended to extract and analyze the quarantined files on a test or isolated system, preferably running on Linux. Malware infections are easier to contain on Linux.

To download quarantined files to your computer:

  1. Go to the Quarantine page.

  2. Choose Computers and Virtual Machines from the views selector available at the upper side of the page.

  3. Filter the table data by entering the Security Server hostname or IP address in the corresponding field from the table header.

    If the quarantine is large, to view the files you are interested in, you may need to apply additional filters or increase the number of files listed per page.

  4. Select the check boxes corresponding to the files you want to download.

  5. Click the Download button at the upper side of the table. Depending on your browser settings, you will be asked to save the files to a folder of your choice, or the files will be downloaded automatically to the default download location.

To access the downloaded quarantined files:

  1. Download the appropriate Quarantine Tool for your operating system from the Help & Support page or from the following addresses:

    Note

    Quarantine Tool for Linux is archived in a tar file.

  2. Run the Quarantine Tool executable file.

  3. On the File menu, click Open (CTRL+O) or click the Open button to load the archive into the tool.

    Files in the archive are organized by the virtual machine they were detected on, preserving their original path.

  4. Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.

  5. Select the files you want to extract.

  6. On the File menu, click Extract (CTRL+E) or click the Extract button.

  7. Select the destination folder. The files are extracted at the selected location, preserving the original folder structure.

Automatic deletion of quarantined files

By default, quarantined files older than 30 days are automatically deleted. This setting can be changed by editing the policy assigned to the managed endpoints.

To change the automatic deletion interval for quarantined files:

  1. Go to the Policies page.

  2. Find the policy assigned to the endpoints on which you want to change the setting and click its name.

  3. Go to the Antimalware > Settings page.

  4. In the Quarantine section, select the number of days after which files are deleted.

  5. Click Save to apply changes.

Manual deletion of quarantined files

If you want to manually delete quarantined files, you should first make sure the files you choose to delete are not needed.

A file may actually be the malware itself. If your research leads you to such a situation, you can search the quarantine for the specific threat and delete it from the quarantine.

To delete one or more quarantined files:

  1. Go to the Quarantine page.

  2. Select Computers and Virtual Machines from the views selector available at the upper side of the page.

  3. Select the check boxes corresponding to the quarantined files you want to delete.

  4. Click the Delete button at the upper side of the table. You will have to confirm your action by clicking Yes.

    The pending status is shown in the Action column.

    The requested action is sent to the target network objects immediately or as soon as they get back online. Once a file is deleted, the corresponding entry will disappear from the Quarantine table.

Emptying the Quarantine

To delete all the quarantined objects:

  1. Go to the Quarantine page.

  2. Select Computers and Virtual Machines from the views selector.

  3. Click the Empty Quarantine button.

    You will have to confirm your action by clicking Yes.

All the entries from the Quarantine table are cleared. The requested action is sent to the target network objects immediately or as soon as they get back online.

Accessing and restoring quarantined files in VMware environments integrated with NSX

This document is meant to help you understand the procedure of restoring quarantined files in VMware environments integrated with NSX.

Overview

By default, the GravityZone security services isolate suspicious files and the malware-infected files that cannot be disinfected in a secure area named quarantine. When a virus is in quarantine it cannot do any harm because it cannot be executed or read.

In a virtualized environment protected by Security for Virtualized Environments (Multi-Platform), Bitdefender GravityZone offers the possibility to restore quarantined files to their original location directly from the Control Center interface.

In virtualized environments integrated with NSX, on the other hand, quarantined files are not stored on the virtual machines, but on the Security Server appliance. Consequently, for this type of environment, you cannot restore quarantined files automatically from Control Center.

If you want to examine or recover data from quarantined files, you can download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection.

To open the archive and extract its content, you must use the Quarantine Tool.

Downloading the Quarantine Tool

Quarantine Tool is a standalone application that does not require installation. Two versions are available: one for Windows and the other for Linux.

  • The Windows version runs on Windows XP or later.

  • The Linux version runs on recent versions of most 32-bit Linux distributions with a graphical user interface (GUI). The tool is compatible with any desktop environment. Note that Quarantine Tool for Linux does not have a command line interface.

You can download the appropriate Quarantine Tool for your operating system from the links below:

Downloading quarantined files to your computer

To download quarantined files to your computer:

  1. Log in to Control Center.

  2. Go to the Quarantine page.

  3. Choose Virtual Machines from the service selector.

  4. Select the files you want to download.

  5. Click the Download button at the right side of the Quarantine table.

Depending on your browser settings, the files may be downloaded automatically to a default download location.

Accessing and restoring quarantined files

To access the quarantined files:

  1. Open Quarantine Tool (for example, by double-clicking it).

  2. Open the archive containing the quarantined files in Quarantine Tool by doing any of the following:

    • From the File menu, choose Open.

    • Click the Open icon on the toolbar.

    • Use the Ctrl+O keyboard shortcut.

    Files in the archive are organized by the virtual machine they were detected on, preserving their original path.

  3. Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either completely disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.

  4. Extract the archived files to the location of your choosing by doing any of the following:

    • From the File menu, choose Extract.

    • Click the Extract icon on the toolbar.

    • Use the Ctrl+E keyboard shortcut.

To restore the files to their original location, you need to manually transfer them to the location on the virtual machine they were detected on after you save them on your computer.

Using quarantine in GravityZone

This section describes how GravityZone quarantine works and how to restore, delete and download quarantined files.

Overview

By default, the GravityZone security services isolate suspicious files and the malware-infected files that cannot be disinfected in a secure area named quarantine. When a virus is in quarantine it cannot do any harm because it cannot be executed or read.

Important

Quarantine is only available in Security for Endpoints and Security for Virtualized Environments.

The behavior of the quarantine is different for each component:

  • Security for Endpoints stores the quarantined files on each managed computer. Using Control Center you have the option to either delete or restore specific quarantined files.

  • Security for Virtualized Environments (Multi-Platform) stores the quarantined files on each managed virtual machine. Using Control Center you have the option to either delete or restore specific quarantined files.

  • Security for Virtualized Environments (integrated with VMware vShield Endpoint) stores the quarantined files on the Security Server appliance. Using Control Center you have the option to delete quarantined files or download them to a location of your choice.

By default, quarantined files are automatically sent to Bitdefender Labs in order to be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.

In addition, quarantined files are scanned after each malware signature update. Cleaned files are automatically moved back to their original location.

Control Center provides detailed information on all files moved to quarantine on the network objects managed from your account.

To check and manage quarantined files, go to the Quarantine page and choose the desired network object from the service selector.

Information about quarantined files is displayed in a table. You are provided with the following information:

  • The name of the network object the threat was detected on.

  • The IP address of the network object the threat was detected on.

  • Path to the infected or suspicious file on the network object it was detected on.

  • Name given to the malware threat by the Bitdefender security researchers.

  • Time when the file was quarantined.

  • Pending action requested by administrator to be taken on the quarantined file.

To make sure the latest information is displayed, click the Refresh button at the top of the table. This may be needed if you have been on the page for a while.

Restoring Quarantined Files

On particular occasions, you may need to restore quarantined files, either to their original location or to an alternate location. One such situation is when you want to recover important files stored in an infected archive that has been quarantined.

  1. Go to the Quarantine page.

  2. Choose the desired network object from the service selector.

    Note

    Restoring quarantined files is only possible in environments protected by Security for Endpoints and Security for Virtualized Environments (Multi-Platform).

  3. Select the check boxes corresponding to the quarantined files you want to restore.

  4. Click the Restore button.

  5. Choose the location where you want the selected files to be restored (either the original or a custom location on the target computer).

    Note

    If you choose to restore to a custom location, you must enter the path in the corresponding field. It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.

  6. Click Restore to request the file restore action. You can notice the pending action in the Action status column.

The requested action is sent to the target computers immediately or as soon as they get back online. Once a file is restored, the corresponding entry will disappear from the Quarantine table.

Automatic Deletion of Quarantined Files

By default, quarantined files older than 30 days are automatically deleted. This setting can be changed by editing the policy assigned to the managed network objects.

To change the automatic deletion interval for quarantined files:

  1. Log in to GravityZone web console.

  2. Go to the Policies section.

  3. Find the policy assigned to your target endpoints and click its name to edit it.

  4. Navigate to Antimalware > Settings.

  5. Under Quarantine, specify the number of days after which the quarantine files are to be deleted.

  6. Click Save.

    The option is saved to your policy.

Deleting Quarantined Files

If you want to delete quarantined files manually, you should first make sure the files you choose to delete are not needed. Use these tips when deleting quarantined files:

  • A file may actually be the malware itself. If your research leads you to such a situation, you can search the quarantine for the specific threat and delete it from quarantine.

  • You can safely delete:

    • Unimportant archive files.

    • Infected setup files.

To delete one or more quarantined files:

  1. Log in to GravityZone web console.

  2. Go to the Quarantine page.

  3. Select the files you want to delete.

  4. Click Delete at the upper side of the table.

    To remove all files from the quarantine, click Empty Quarantine.

Downloading Quarantined Files in VMware Environments Integrated with vShield Endpoint

If you want to examine or recover data from quarantined files, you can download them from the Security Server using Control Center. Quarantined files are downloaded as an encrypted, password-protected ZIP archive to prevent accidental malware infection. To open the archive and extract its content, you must use the Quarantine Tool.

Quarantine Tool is a standalone application that does not require installation. Two versions are available: one for Windows and the other for Linux.

  • The Windows version runs on Windows XP or later.

  • The Linux version runs on recent versions of most 32-bit Linux distributions with a graphical user interface (GUI). The tool is compatible with any desktop environment. Note that Quarantine Tool for Linux does not have a command line interface.

Warning

Use caution when extracting the quarantined files because they can infect your system. It is recommended to extract and analyze the quarantined files on a test or isolated system, preferably running on Linux. Malware infections are easier to contain on Linux.

To download quarantined files to your computer:

  1. Go to the Quarantine page.

  2. Choose Virtual Machines from the service selector.

  3. Select the files you want to download.

  4. Click the Download button at the right side of the Quarantine table.

Depending on your browser settings, the files may be downloaded automatically to a default download location.

To access the quarantined files:

  1. Download the appropriate Quarantine Tool for your computer from the following addresses:

  2. Open Quarantine Tool (for example, by double-clicking it).

  3. Open the archive containing the quarantined files in Quarantine Tool by doing any of the following:

    • From the File menu, choose Open.

    • Click the Open icon on the toolbar.

    • Use the Ctrl+O keyboard shortcut.

    Files in the archive are organized by the virtual machine they were detected on, preserving their original path.

  4. Before extracting the archived files, if on-access antimalware scan is enabled on the system, make sure to either completely disable it or configure a scan exclusion for the location where you will extract the files. Otherwise, your antimalware program will detect and take action on extracted files.

  5. Extract the archived files to the location of your choosing by doing any of the following:

    • From the File menu, choose Extract.

    • Click the Extract icon on the toolbar.

    • Use the Ctrl+E keyboard shortcut.