ON PREMISES SOLUTIONS

Install security agents - standard procedure

To protect your physical and virtual endpoints, you must install a security agent on each of them. Besides managing protection on the local endpoint, the security agent also communicates with Control Center to receive the administrator's commands and to send the results of its actions.

To learn about the available security agents, refer to Security agents.

On Windows and Linux machines, the security agent can have two roles and you can install it as follows:

  1. As a simple security agent for your endpoints.

  2. As a Relay, acting as a security agent and also as a communication, proxy and update server for other endpoints in the network.

On macOS machines, the security agent cannot act as a Relay.

You can install the security agents on physical and virtual endpoints by running installation packages locally or by running installation tasks remotely from Control Center.

It is very important to carefully read and follow the instructions to prepare for installation.

In normal mode, the security agents have a minimal user interface. It only allows users to check protection status and run basic security tasks (updates and scans), without providing access to settings.

If enabled by the network administrator via installation package and security policy, the security agent can also run in Power User mode on Windows endpoints, letting the endpoint user view and modify policy settings. Nevertheless, the Control Center administrator can always control which policy settings apply, overriding the Power User mode.

By default, the display language of the user interface on protected Windows endpoints is set at installation time based on the language of your GravityZone account.

On Mac, the display language of the user interface is set at installation time based on the language of the endpoint operating system. On Linux, the security agent does not have a localized user interface.

To install the user interface in another language on certain Windows endpoints, you can create an installation package and set the preferred language in its configuration options. This option is not available for Mac and Linux endpoints. For more information on creating installation packages, refer to Create installation packages.

Preparing for installation

Before installation, follow these preparatory steps to make sure it goes smoothly:

  1. Make sure the target endpoints meet the Endpoint protection minimum system requirements.

    For some endpoints, you may need to install the latest operating system service pack available or free up disk space.

    Compile a list of endpoints that do not meet the necessary requirements so that you can exclude them from management.

  2. Uninstall (not just disable) any existing antimalware or Internet security software from target endpoints.

    Running the security agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

    Many of the incompatible security programs are automatically detected and removed at installation time.

    Note

    • Windows security features (Windows Defender, Windows Firewall) will be automatically turned off before the agent installation is initiated.

    • After the security agent installation, Windows Defender is automatically re-enabled if enforcement methods are in place (for example, GPO), or you can enable it through the available Windows controls. Once enabled, the security agent no longer manages Windows Defender activation due to the lack of Windows Action Center. This behavior may occur on the following workstations and servers:

      • Windows 7, Windows 8, Windows 8.1

      • Windows Server 2016, Windows Server 2019, Windows Server 2022

      On Windows 10 and 11 systems the feature is dynamically controlled by Windows through Action Center.

    To learn more and to check the list of the security software detected by Bitdefender Endpoint Security Tools, refer to Software incompatible with Bitdefender Endpoint Security Tools.

    Important

    If you want to deploy the security agent on a computer with Bitdefender Antivirus for Mac 5.X, you first must remove the latter manually. For the guiding steps, refer to Deploy Endpoint Security for Mac on a machine with Bitdefender Antivirus for Mac 5.X.

  3. The installation requires administrative privileges and Internet access. If the target endpoints are in an Active Directory domain, you should use domain administrator credentials for remote installation. Otherwise, make sure you have the necessary credentials at hand for all endpoints.

  4. Endpoints must have network connectivity to the GravityZone appliance.

  5. It is recommended to use a static IP address for the Relay server. If you do not set a static IP, use the machine's hostname.

  6. When deploying the agent through a Linux Relay, the following additional conditions must be met:

    • The Relay endpoint must have installed the Samba package (smbclient) version 4.1.0 or above and the net binary/command to deploy Windows agents.

      Note

      The net binary/command is usually delivered with the samba-client and / or samba-common packages. On some Linux distributions (such as CentOS 7.4), the net command is only being installed when installing the full Samba suite (Common + Client + Server). Make sure that your Relay endpoint has the net command available.

    • Target Windows endpoints must have Administrative Share and Network Share enabled.

    • Target Linux and Mac endpoints must have SSH enabled.

  7. Starting with macOS High Sierra (10.13), after Endpoint Security for Mac is installed manually or remotely, users are prompted to approve Bitdefender extensions on their computers. Until the users approve the Bitdefender extensions, some Endpoint Security for Mac features will not work. For the necessary procedures, refer to this topic.

    With macOS Big Sur (11.x), Endpoint Security for Mac requires additional user approvals following the changes made by Apple to the operating system. For details, refer to this topic.

    To eliminate user intervention, you can pre-approve the Bitdefender extensions by whitelisting them using a Mobile Device Management tool like Jamf. For details, refer to this topic.

  8. When deploying the agent in an Amazon EC2 inventory, configure the security groups associated with the instances you want to protect in the Amazon EC2 Dashboard > Network & Security as follows:

    • For remote installation, allow SSH* access from the EC2 instance.

    • For local installation, allow SSH* and RDP (Remote Desktop Protocol) access from the computer you connect from.

    * For remote installation on Linux instances you must allow SSH login using username and password.

  9. When deploying the agent in a Microsoft Azure inventory:

    • The target virtual machine must be in the same virtual network with the GravityZone appliance.

    • The target virtual machine must be in the same virtual network with a Relay, which communicates with the GravityZone appliance when the latter is in another network.
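
The Linux Relay prerequisites from step 6 can be verified on the Relay itself before a deployment task is started. The following shell check is an added example, not Bitdefender code; the function names `samba_version_ok` and `relay_preflight` are hypothetical, and it assumes `smbclient --version` prints `Version X.Y.Z`.

```sh
#!/bin/sh
# Added example (not vendor code): preflight for a Linux Relay that will
# deploy Windows agents. Function names are hypothetical; the 4.1.0 threshold
# and the need for the net command come from step 6 above.

# samba_version_ok "Version 4.15.13-Ubuntu"
# Returns 0 when the reported version is 4.1.0 or above, 1 otherwise
# (including output that cannot be parsed).
samba_version_ok() {
    v=${1#Version }
    case $v in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major=${v%%.*}
    minor=${v#*.}
    minor=${minor%%[!0-9]*}          # keep only the leading digits of X.Y.Z-suffix
    case $major in
        *[!0-9]*) return 1 ;;
    esac
    [ -n "$minor" ] || return 1
    # Any 4.1.x or later satisfies "4.1.0 or above".
    [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 1 ]; }
}

# relay_preflight
# Prints one OK/FAIL line per prerequisite and returns 1 if any check failed.
relay_preflight() {
    rc=0

    if command -v smbclient >/dev/null 2>&1; then
        ver=$(smbclient --version 2>/dev/null)
        if samba_version_ok "$ver"; then
            echo "OK    smbclient: $ver"
        else
            echo "FAIL  smbclient: '$ver' is older than 4.1.0 or unreadable"
            rc=1
        fi
    else
        echo "FAIL  smbclient: not installed"
        rc=1
    fi

    # On some distributions the net command is installed only with the
    # full Samba suite, so check for it separately from smbclient.
    if command -v net >/dev/null 2>&1; then
        echo "OK    net: $(command -v net)"
    else
        echo "FAIL  net: command not found (check samba-client / samba-common, or the full Samba suite)"
        rc=1
    fi

    return "$rc"
}

# Run the checks only when asked to, e.g.: sh relay_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    relay_preflight
fi
```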

Local installation

One way to install the security agent on an endpoint is to locally run an installation package.

You can create and manage installation packages in the Network > Packages page.

Once the first client has been installed, it will be used to detect other endpoints in the same network, based on the network discovery mechanism. For detailed information on network discovery, refer to How network discovery works.

To locally install the security agent on an endpoint, follow the next steps:

  1. Create an installation package according to your needs.

    Note

    This step is not mandatory if an installation package has already been created for the network under your account.

  2. Download the installation package on the target endpoint.

    Alternatively, you can send the installation package download links by email to several users in your network.

  3. Run the installation package on the target endpoint.

Create installation packages

To create an installation package:

  1. Connect and log in to Control Center.

  2. Go to the Network > Packages page.

  3. Click the Add button at the upper side of the table. A configuration window will appear.

  4. Enter a suggestive name and description for the installation package you want to create.

  5. From the Language field, select the desired language for the client's interface.

    Note

    This option is available only for Windows operating systems.

  6. Select the operation mode. This will impact the behavior of the security agents installed through the package deployment on your endpoints.

    Note

    This step is required only for licenses that include the EDR module.

    • Detection and prevention - This operation mode allows you to customize what modules to include in the package, and enables the prevention and detection modules with both block and report capabilities.

    • EDR (Report only) - This operation mode pre-configures your package structure to include a specific set of modules, and enables the prevention and detection modules with report capabilities only.

    Note

    The modules included in an EDR (Report only) package are Advanced Threat Control, EDR Sensor, Network Protection with Content Control and Network Attack Defense.

  7. Select the protection modules you want to install.

    Note

    Only the supported modules for each operating system will be installed. On the right side of each module you will find icons indicating what operating systems it is compatible with.

    For more information, refer to Bitdefender Endpoint Security Tools.

  8. Select the target endpoint role:

    • Relay, to create the package for an endpoint with Relay role. For more information, refer to Relay.

      Warning

      Relay role is not supported on legacy operating systems. For more information, refer to Supported Operating Systems.

    • Patch Management Cache Server, to make the Relay an internal server for distributing software patches. This role is displayed when Relay role is selected. For more information, refer to architecture.agents.best.roles.patchserver

    • Exchange Protection, to install the protection modules for Microsoft Exchange Servers, including antimalware, antispam, content and attachment filtering for the Exchange email traffic and on-demand antimalware scanning of the Exchange databases. For more information, refer to Installing Exchange Protection.

  9. Remove Competitors. It is recommended to keep this check box selected to automatically remove any incompatible security software while the Bitdefender agent installs on the endpoint. If you deselect this option, the Bitdefender agent will install next to the existing security solution. You can manually remove the previously installed security solution later, at your own risk.

    Important

    Running the Bitdefender agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

  10. Scan Mode. Choose the scanning technology that best suits your network environment and your endpoints' resources. You can define the scan mode by choosing one of the following types:

    Available scan modes:

    • Local Scan

    • Hybrid Scan with Light Engines (Public Cloud)

    • Hybrid Scan

    • Central Scan in Public or Private Cloud

    • Central Scan (Public or Private Cloud scanning with Security Server) with fallback on Local Scan (Full Engines)

    • Central Scan (Public or Private Cloud scanning with Security Server) with fallback on Hybrid Scan (Public Cloud with Light Engines)

    • Hybrid Scan with fallback on Central Scan

    For more information on scan modes, refer to Antimalware.

    Available scan types:

    • Automatic. In this case, the security agent will automatically detect the endpoint's configuration and will adapt the scanning technology accordingly:

      • Central Scan in Public or Private Cloud (with Security Server) with fallback on Hybrid Scan (Light Engines), for physical computers with low hardware performance and for virtual machines. This case requires at least one Security Server deployed in the network.

      • Local Scan (with Full Engines) for physical computers with high hardware performance.

      • Local scan for EC2 instances and Microsoft Azure virtual machines.

      Note

      Computers are considered low-performance if their CPU frequency is less than 1.5 GHz or their RAM is less than 1 GB.

    • Custom. In this case, you can configure the scan mode by choosing between several scanning technologies for physical and virtual machines:

      • Central Scan in Public or Private Cloud (with Security Server), which can fall back* on Local Scan (with Full Engines) or on Hybrid Scan (with Light Engines)

      • Hybrid Scan (with Light Engines)

      • Local Scan (with Full Engines)

      Default scan modes:

      • The default scan mode for EC2 instances is Local Scan (security content is stored on the installed security agent, and the scan is run locally on the machine). If you want to scan your EC2 instances with a Security Server, you need to configure the security agent’s installation package and the applied policy accordingly.

        Note

        In this case, the Bitdefender Security Server hosted in the AWS region corresponding to the target EC2 instances is automatically assigned.

      • The default scan mode for Microsoft Azure virtual machines is Local Scan (security content is stored on the installed security agent, and the scan is run locally on the machine). If you want to scan your Microsoft Azure virtual machines with a Security Server, you need to configure the security agent’s installation package and the applied policy accordingly.

      • The default scan mode for BEST for Linux v7 when using the Bitdefender for Security Containers add-on is:

        • Hybrid Scan, for physical endpoints (including container hosts) and nodes (in case of Kubernetes).

        • Central Scan with the fallback on Hybrid Scan for endpoints (including container hosts) and nodes (in case of Kubernetes) that are either virtual machines or on a cloud infrastructure (whether IaaS or PaaS) supported by GravityZone integrations.

          Note

          A Security Server needs to be available for this scan to apply. If none is available the scan mode will be set to Hybrid.

      For more information regarding available scanning technologies, refer to Antimalware.

  11. Security Server Assignment.

    When customizing the scan engines using Public or Private Cloud (Security Server) scanning, you are required to select the locally installed Security Servers you want to use and to configure their priority under Security Server Assignment section:

    1. Click the Security Server list in the table header. The list of detected Security Servers is displayed.

    2. Select an entity.

    3. Click the Add button from the Actions column header.

      The Security Server is added to the list.

    4. Follow the same steps to add several security servers, if available. In this case, you can configure their priority using the up and down arrows available at the right side of each entity. When the first Security Server is unavailable, the next one will be used and so on.

    5. To delete one entity from the list, click the corresponding Delete button at the upper side of the table.

    You can choose to encrypt the connection to Security Server by selecting the Use SSL option.

  12. Miscellaneous. You can configure the following options on several types of files from the target endpoints:

    • Submit crash dumps. Select this option so that memory dump files will be sent to Bitdefender Labs for analysis if the security agent crashes. The crash dumps will help our engineers find out what caused the problem and prevent it from occurring again. No personal information will be sent.

    • Submit quarantined files to Bitdefender Labs every (hours). By default, quarantined files are automatically sent to Bitdefender Labs every hour. You can edit the time interval at which quarantined files are sent. The sample files will be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.

    • Submit suspicious executables to Bitdefender. Select this option so that files that seem untrustworthy or with suspicious behavior will be sent to Bitdefender Labs for analysis.

  13. On Windows endpoints, Bitdefender Endpoint Security Tools is installed in the default installation directory. Select Use custom installation path if you want to install Bitdefender Endpoint Security Tools in a different location. In this case, enter the desired path in the corresponding field. Use Windows conventions when entering the path (for example, D:\folder). If the specified folder does not exist, it will be created during the installation.

    On Linux endpoints, Bitdefender Endpoint Security Tools is installed by default in the /opt folder. By selecting Use custom installation path, you can install the agent in a different path, with some limitations. Bitdefender Endpoint Security Tools does not support installation in the following custom paths:

    • Any path that does not begin with slash (/), excepting %PROGRAMFILES%, which is interpreted as /opt.

    • Any path that is in /tmp or /proc.

    • Any path that contains the following special characters: $, !, *, ?, ", ', `, \, (, ), [, ], {, }.

    • The systemd specifier (%).

    Installation on custom path is also not supported on Linux systems with glibc older than 2.21.

    Important

    When using custom path, make sure you have the right installation package for each platform.

  14. If you want to, you can set a password to prevent users from removing protection.

    Select Set uninstall password and enter the desired password in the corresponding fields.

  15. If the target endpoints are in Network Inventory under Custom Groups, you can choose to move them in a specified folder immediately after the security agent deployment finishes.

    Select Use custom folder and choose a folder in the corresponding table.

  16. Under Deployer section, choose the entity to which the target endpoints will connect for installing and updating the client:

    • GravityZone Appliance, when endpoints connect directly to GravityZone Appliance.

      For this case, you can also define:

      • A custom Communication Server by entering its IP or Hostname, if required.

    • Endpoint Security Relay, if you want to connect the endpoints to a Relay client installed in your network. All machines with Relay role detected in your network will show up in the table displayed below. Select the Relay machine that you want. Connected endpoints will communicate with Control Center only via the specified Relay.

      Important

      Port 7074 must be open for the deployment through Bitdefender Endpoint Security Tools Relay to work.

  17. Click Save.

Note

The settings configured within an installation package will apply to endpoints immediately after installation. As soon as a policy is applied to the client, the settings configured within the policy will be enforced, replacing certain installation package settings (such as communication servers or proxy settings).
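
The Linux custom-path restrictions in step 13 can be checked before the path is entered in a package. This is an added example, not Bitdefender code: the function names are hypothetical, the check is purely lexical (symlinks and `..` segments are not resolved), and treating a leading `%PROGRAMFILES%/` component as `/opt/` is an assumption based on the statement that `%PROGRAMFILES%` is interpreted as `/opt`.

```sh
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# check_custom_path PATH
# Prints "accepted: <path>" and returns 0, or prints the reason and returns 1.
check_custom_path() {
    p=$1

    # Documented exception: %PROGRAMFILES% is interpreted as /opt.
    # Assumption: the same holds when it is the leading path component.
    case $p in
        '%PROGRAMFILES%')   p=/opt ;;
        '%PROGRAMFILES%'/*) p=/opt/${p#*/} ;;
    esac

    # Collapse repeated slashes so that //tmp/x is treated like /tmp/x.
    p=$(printf '%s' "$p" | tr -s '/')

    case $p in
        /*) ;;
        *)  echo "rejected: path does not begin with /"; return 1 ;;
    esac

    case $p in
        /tmp|/tmp/*|/proc|/proc/*)
            echo "rejected: path is in /tmp or /proc"; return 1 ;;
    esac

    case $p in
        *%*)
            echo "rejected: path contains the systemd specifier (%)"; return 1 ;;
        *'$'*|*'!'*|*'*'*|*'?'*|*'"'*|*"'"*|*'`'*|*'\'*|*'('*|*')'*|*'['*|*']'*|*'{'*|*'}'*)
            echo "rejected: path contains a special character"; return 1 ;;
    esac

    printf 'accepted: %s\n' "$p"
}

# glibc_supports_custom_path "glibc 2.31"
# The argument is the output of `getconf GNU_LIBC_VERSION`.
# Returns 0 for glibc 2.21 or newer, 1 for older or unparsable versions.
glibc_supports_custom_path() {
    g=${1#glibc }
    case $g in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    gmaj=${g%%.*}
    gmin=${g#*.}
    gmin=${gmin%%[!0-9]*}
    case $gmaj in
        *[!0-9]*) return 1 ;;
    esac
    [ -n "$gmin" ] || return 1
    [ "$gmaj" -gt 2 ] || { [ "$gmaj" -eq 2 ] && [ "$gmin" -ge 21 ]; }
}

# Usage on the target endpoint: sh check_path.sh /opt/security/bitdefender
if [ "$#" -gt 0 ]; then
    check_custom_path "$1"
    glibc_supports_custom_path "$(getconf GNU_LIBC_VERSION 2>/dev/null)" ||
        echo "rejected: glibc is older than 2.21 or could not be determined"
fi
```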

Download installation packages

To download the installation packages of the security agents:

  1. Log in to Control Center from the endpoint on which you want to install protection.

  2. Go to the Network > Packages page.

  3. Select the installation package you want to download.

  4. Click the Download button at the upper side of the table and select the type of installer you want to use. Two types of installation files are available:

    • Downloader. The downloader first downloads the full installation kit from the Bitdefender cloud servers and then starts the installation. It is small in size and it can be run both on 32-bit and 64-bit systems (Windows and Linux) or 64-bit macOS systems (both Intel x86 and Apple M1 architectures), which makes it easy to distribute. On the downside, it requires an active Internet connection.

    • Full Kit. The full installation kits are bigger in size and they have to be run on the specific operating system type.

      The full kit is to be used to install protection on endpoints with slow or no Internet connection. Download this file to an Internet-connected endpoint, then distribute it to other endpoints using external storage media or a network share.

      Note

      Available full kit versions:

      • Windows OS: 32-bit and 64-bit systems

      • Windows OS Legacy: 32-bit and 64-bit systems

      • Linux OS: 32-bit and 64-bit systems

      • macOS: 64-bit Intel and Apple M1 systems

        After downloading the macOS kit (Apple M1), you must publish it in the Update > Components page of GravityZone Control Center, otherwise the security agent installation will fail.

      Make sure to use the correct version for the system you install on.

  5. Save the file to the endpoint.

    Warning

    • The downloader executable must not be renamed, otherwise it will not be able to download the installation files from Bitdefender server.

  6. Additionally, if you have chosen the Downloader, you can create an MSI package for Windows endpoints. For more information, refer to Install Bitdefender Endpoint Security Tools through MSI package.

Send installation packages download links by email

You may need to quickly inform other users that an installation package is available to download. In this case, follow the steps below:

  1. Go to the Network > Packages page.

  2. Select the installation package that you want.

  3. Click the Send download links button at the upper side of the table. A configuration window will appear.

  4. Enter the email of each user you want to receive the installation package download link. Press Enter after each email.

  5. Please make sure that each entered email address is valid.

  6. If you want to view the download links before sending them by email, click the Installation links button.

  7. Click Send. An email containing the installation link is sent to each specified email address.

Run installation packages

For the installation to work, the installation package must be run using administrator privileges.

The package installs differently on each operating system as follows:

  • On Windows and macOS operating systems:

    1. On the target endpoint, download the installation file from Control Center or copy it from a network share.

    2. If you have downloaded the full kit, extract the files from the archive.

    3. Run the executable file.

    4. Follow the on-screen instructions.

    Note

    On macOS, after Endpoint Security for Mac is installed, users are prompted to approve Bitdefender kernel extensions on their computers. Until the users approve the Bitdefender kernel extensions, some features of the security agent will not work. For details, refer to Bitdefender system extension blocked on macOS High Sierra (10.13) and later.

  • On Linux operating systems:

    1. Connect and log in to Control Center.

    2. Download or copy the installation file to the target endpoint.

    3. If you have downloaded the full kit, extract the files from the archive.

    4. Gain root privileges by running the sudo su command.

    5. Change permissions to the installation file so that you can execute it:

      # chmod +x installer

    6. Run the installation file:

      # ./installer

    7. To check that the agent has been installed on the endpoint, run this command:

      $ systemctl status bdsec

Once the security agent has been installed, the endpoint will show up as managed in Control Center (Network page) within a few minutes.

Important

If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

  • bdredline.exe

  • epag.exe

  • epconsole.exe

  • epintegrationservice.exe

  • epprotectedservice.exe

  • epsecurityservice.exe

  • epupdateservice.exe

  • epupdateserver.exe

These exclusions must apply as long as the security agent runs on the endpoint. For details, refer to this VMware Horizon documentation page.

Remote installation

Control Center allows you to remotely install the security agent on endpoints from environments integrated with Control Center and on other endpoints detected in the network by using installation tasks. In VMware environments, remote installation relies on VMware Tools, while in Citrix XenServer and Nutanix Prism Element environments, it relies on Windows administrative shares and SSH.

Once the security agent is installed on an endpoint, it may take a few minutes for the rest of the network endpoints to become visible in Control Center.

Bitdefender Endpoint Security Tools includes an automatic network discovery mechanism that allows detecting endpoints that are not in Active Directory. Detected endpoints are displayed as unmanaged in the Network page, in Computers view, under Custom Groups. Control Center automatically removes Active Directory endpoints from the detected endpoints list.

To enable network discovery, you must have Bitdefender Endpoint Security Tools already installed on at least one endpoint in the network. This endpoint will be used to scan the network and install Bitdefender Endpoint Security Tools on unprotected endpoints.

For detailed information on network discovery, refer to How network discovery works.

Remote installation requirements

For remote installation to work:

  • On Windows:

    • The admin$ administrative share must be enabled. Configure each target workstation not to use advanced file sharing.

    • Configure User Account Control (UAC) depending on the operating system running on the target endpoints. If the endpoints are in an Active Directory domain, you can use a group policy to configure User Account Control. For details, refer to Prepare workstations for Bitdefender Endpoint Security Tools remote deployment.

    • Disable Windows Firewall or configure it to allow traffic through File and Printer Sharing protocol.

    Note

    Remote deployment works only on modern operating systems, starting with Windows 7 / Windows Server 2008 R2, for which Bitdefender provides full support. For more information, refer to Supported operating systems.

  • On Linux: SSH must be enabled.

  • On macOS: remote login and file sharing must be enabled.

Run remote installation tasks

To run a remote installation task:

  1. Connect and log in to Control Center.

  2. Go to the Network page.

  3. Choose Computers and Virtual Machines from the views selector.

  4. Select the desired group from the left-side pane.

    The entities contained in the selected group are displayed in the right-side pane table.

    Note

    Optionally, you can apply filters to display unmanaged endpoints only. Click the Filters menu and select the following options: Unmanaged from the Security tab and All items recursively from the Depth tab.

  5. Select the entities (endpoints or groups of endpoints) on which you want to install protection.

  6. Click the Tasks button at the upper side of the table and choose Install.

    The Install Client wizard is displayed.

  7. Under Options section, configure the installation time:

    • Now, to launch the deployment immediately.

    • Scheduled, to set up the deployment recurrence interval. In this case, select the time interval that you want (hourly, daily or weekly) and configure it according to your needs.

      Note

      For example, when certain operations are required on the target machine before installing the client (such as uninstalling other software and restarting the OS), you can schedule the deployment task to run every 2 hours. The task will start on each target machine every 2 hours until the deployment is successful.

  8. If you want target endpoints to automatically restart for completing the installation, select Automatically reboot (if needed).

  9. Under the Credentials Manager section, specify the administrative credentials required for remote authentication on target endpoints. You can add the credentials by entering the user and password for each target operating system.

    Important

    For Windows 8.1 stations, you need to provide the credentials of the built-in administrator account or a domain administrator account. To learn more, refer to Client software deployment on Windows 8.1/10/2012 and above.

    To add the required OS credentials:

    1. Enter the user name and password of an administrator account in the corresponding fields from the table header.

      If computers are in a domain, it suffices to enter the credentials of the domain administrator.

      Use Windows conventions when entering the name of a user account:

      • For Active Directory machines use these syntaxes: username@domain.com and domain\username. To make sure that entered credentials will work, add them in both forms (username@domain.com and domain\username).

      • For Workgroup machines, it suffices to enter only the user name, without the workgroup name.

      Optionally, you can add a description that will help you identify each account more easily.

    2. Click the Add button. The account is added to the list of credentials.

      Note

      Specified credentials are automatically saved to your Credentials Manager so that you do not have to enter them the next time. To access the Credentials Manager, just point to your username in the upper-right corner of the console.

      Important

      If the provided credentials are invalid, the client deployment will fail on the corresponding endpoints. Make sure to update the entered OS credentials in the Credentials Manager when these are changed on the target endpoints.

  10. Select the check boxes corresponding to the accounts you want to use.

    Note

    A warning message is displayed as long as you have not selected any credentials. This step is mandatory to remotely install the security agent on endpoints.

  11. Under Deployer section, choose the entity to which the target endpoints will connect for installing and updating the client:

    • GravityZone Appliance, when endpoints connect directly to GravityZone Appliance.

      In this case, you can also define:

      • A custom Communication Server by entering its IP or Hostname, if required.

      • Proxy settings, if target endpoints communicate with GravityZone Appliance via proxy. In this case, select Use proxy for communication and enter the required proxy settings in the fields below.

    • Endpoint Security Relay, if you want to connect the endpoints to a Relay client installed in your network. All machines with Relay role detected in your network will show up in the table displayed below. Select the Relay machine that you want. Connected endpoints will communicate with Control Center only via the specified Relay.

      Important

      Port 7074 must be open for the deployment through the Relay agent to work.

  12. Use the Additional targets section if you want to deploy the client to specific machines from your network that are not shown in the network inventory. Expand the section and enter the IP addresses or hostnames of those machines in the dedicated field, separated by a comma. You can add as many IPs as you need.

  13. You need to select one installation package for the current deployment. Click the Use package list and select the installation package that you want. You can find here all the installation packages previously created for your account and also the default installation package available with Control Center.

  14. If needed, you can modify some of the selected installation package's settings by clicking the button Customize next to the Use package field.

    The installation package's settings will appear below and you can make the changes that you need. To learn more about editing installation packages, refer to Create installation packages.

    If you want to save the modifications as a new package, select the Save as package option placed at the bottom of the package settings list, and enter a name for the new installation package.

  15. Click Save.

    A confirmation message will appear.

You can view and manage the task in the Network > Tasks page.

If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

  • bdredline.exe

  • epag.exe

  • epconsole.exe

  • epintegrationservice.exe

  • epprotectedservice.exe

  • epsecurityservice.exe

  • epupdateservice.exe

  • epupdateserver.exe

These exclusions must apply as long as the security agent runs on the endpoint. For details, refer to this VMware Horizon documentation page.

Prepare Linux systems for On-access scanning

Bitdefender Endpoint Security Tools for Linux includes on-access scanning capabilities that work with specific Linux distributions and kernel versions. For more information, refer to Linux system requirements.

Requirements for using on-access scanning with DazukoFS

For DazukoFS and on-access scanning to work together, a series of conditions must be met. Please check if any of the statements below apply to your Linux system and follow the guidelines to avoid issues.

  • The SELinux policy must be either disabled or set to permissive. To check and adjust the SELinux policy setting, edit the /etc/selinux/config file.

  • Bitdefender Endpoint Security Tools is exclusively compatible with the DazukoFS version included in the installation package. If DazukoFS is already installed on the system, remove it prior to installing Bitdefender Endpoint Security Tools.

  • DazukoFS supports certain kernel versions. If the DazukoFS package shipped with Bitdefender Endpoint Security Tools is not compatible with the system's kernel version, the module will fail to load. In such a case, you can either update the kernel to the supported version or recompile the DazukoFS module for your kernel version. You can find the DazukoFS package in the Bitdefender Endpoint Security Tools installation directory:

    /opt/BitDefender/share/modules/dazukofs/dazukofs-modules.tar.gz

  • When sharing files using dedicated servers such as NFS, UNFSv3 or Samba, you have to start the services in the following order:

    1. Enable on-access scanning via policy from Control Center.

    2. Start the network sharing service.

      For NFS:

      # service nfs start

      For UNFSv3:

      # service unfs3 start

      For Samba:

      # service smbd start

    Important

    For the NFS service, DazukoFS is compatible only with NFS User Server.
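
The first two requirements above can be checked before installation with a short script. This is an added example, not part of the Bitdefender documentation or tooling: the function names are hypothetical, and it assumes that a loaded kernel module named dazukofs indicates an existing DazukoFS installation and that a missing SELinux configuration file means no SELinux policy is in force.

```shell
#!/bin/sh
# Added example: pre-install checks for the DazukoFS requirements listed above.
# Function names are hypothetical. File paths are parameters so the checks can
# also be run against copies of the files collected from other hosts.

# Print the SELINUX= mode from a config file (default: /etc/selinux/config).
# Prints "absent" if the file does not exist, "unset" if it has no SELINUX= line.
selinux_config_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -f "$cfg" ] || { echo "absent"; return 0; }
    # Commented lines and SELINUXTYPE= do not match; the last setting wins.
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]')
    echo "${mode:-unset}"
}

# Return 0 if the configured mode meets the requirement (disabled or
# permissive). A missing config file is treated as acceptable (assumption).
selinux_ok_for_dazukofs() {
    case "$(selinux_config_mode "$1")" in
        disabled|permissive|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if a module named dazukofs appears in a /proc/modules-style
# listing (module name is the first field on each line).
dazukofs_loaded() {
    modules="${1:-/proc/modules}"
    [ -r "$modules" ] && awk '$1 == "dazukofs" { found = 1 } END { exit !found }' "$modules"
}

# Run both checks, print one line per finding, return non-zero if any fails.
dazukofs_preflight() {
    cfg="${1:-/etc/selinux/config}"; modules="${2:-/proc/modules}"; rc=0
    if selinux_ok_for_dazukofs "$cfg"; then
        echo "OK   SELinux mode: $(selinux_config_mode "$cfg")"
    else
        echo "FAIL SELinux mode: $(selinux_config_mode "$cfg") (must be disabled or permissive)"
        rc=1
    fi
    if dazukofs_loaded "$modules"; then
        echo "FAIL dazukofs module already loaded; remove the existing DazukoFS first"
        rc=1
    else
        echo "OK   no dazukofs module loaded"
    fi
    return "$rc"
}
```

Call dazukofs_preflight with no arguments to check the local system. The SELinux check reads the configured mode only, which takes effect at the next boot and can differ from the mode currently running.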

How network discovery works

Besides integration with Active Directory, GravityZone also includes an automatic network discovery mechanism intended to detect workgroup computers.

GravityZone relies on the Microsoft Computer Browser service and NBTscan tool to perform network discovery.

The Computer Browser service is a networking technology used by Windows-based computers to maintain updated lists of domains, workgroups, and the computers within them and to supply these lists to client computers upon request. Computers detected in the network by the Computer Browser service can be viewed by running the net view command in a command prompt window.

The NBTscan tool scans computer networks using NetBIOS. It queries each endpoint in the network and retrieves information such as IP address, NetBIOS computer name, and MAC address.

To enable automatic network discovery, you must have Bitdefender Endpoint Security Tools Relay already installed on at least one computer in the network. This computer will be used to scan the network.

Important

Control Center does not use network information from Active Directory or from the network map feature available in Windows Vista and later.

Network map relies on a different network discovery technology: the Link Layer Topology Discovery (LLTD) protocol.

Control Center is not actively involved in the Computer Browser service operation. Bitdefender Endpoint Security Tools only queries the Computer Browser service for the list of workstations and servers currently visible in the network (known as the browse list) and then sends it to Control Center.

Control Center processes the browse list, appending newly detected computers to its Unmanaged Computers list.

Previously detected computers are not deleted after a new network discovery query, so you must manually exclude and delete computers that are no longer on the network.

The initial query for the browse list is carried out by the first Bitdefender Endpoint Security Tools installed in the network.

  • If the Relay is installed on a workgroup computer, only computers from that workgroup will be visible in Control Center.

  • If the Relay is installed on a domain computer, only computers from that domain will be visible in Control Center. Computers from other domains can be detected if there is a trust relationship with the domain where the Relay is installed.

Subsequent network discovery queries are performed regularly every hour. For each new query, Control Center divides the managed computers space into visibility areas and then designates one Relay in each area to perform the task.

A visibility area is a group of computers that detect each other. Usually, a visibility area is defined by a workgroup or domain, but this depends on the network topology and configuration. In some cases, a visibility area might consist of multiple domains and workgroups.

If a selected Relay fails to perform the query, Control Center waits for the next scheduled query, without choosing another Relay to try again.

For full network visibility, the Relay must be installed on at least one computer in each workgroup or domain in your network. Ideally, Bitdefender Endpoint Security Tools should be installed on at least one computer in each subnetwork.

More about the Microsoft Computer Browser service

Quick facts about the Computer Browser service:

  • Works independently of Active Directory.

  • Runs exclusively over IPv4 networks and operates independently within the boundaries of a LAN group (workgroup or domain).

    A browse list is compiled and maintained for each LAN group.

  • Typically uses connectionless server broadcasts to communicate between nodes.

  • Uses NetBIOS over TCP/IP (NetBT).

  • Requires NetBIOS name resolution. It is recommended to have a Windows Internet Name Service (WINS) infrastructure up and running in the network.

  • Is not enabled by default in Windows Server 2008 R2.

For detailed information on the Computer Browser service, check the Computer Browser Service Technical Reference on Microsoft TechNet.

Network discovery requirements

To successfully discover all the computers (servers and workstations) that will be managed from Control Center, the following are required:

  • Computers must be joined in a workgroup or domain and connected via an IPv4 local network.

    Computer Browser service does not work over IPv6 networks.

  • Several computers in each LAN group (workgroup or domain) must be running the Computer Browser service. Primary Domain Controllers must also run the service.

  • NetBIOS over TCP/IP (NetBT) must be enabled on computers.

    Local firewall must allow NetBT traffic.

  • If using a Linux Relay to discover other Linux or Mac endpoints, you must either install Samba on target endpoints, or join them in Active Directory and use DHCP. This way, NetBIOS will be automatically configured on them.

  • File sharing must be enabled on computers.

    Local firewall must allow file sharing.

  • A Windows Internet Name Service (WINS) infrastructure must be set up and working properly.

  • For Windows Vista and later, network discovery must be turned on (Control Panel > Network and Sharing Center > Change Advanced Sharing Settings).

    To be able to turn on this feature, the following services must first be started:

    • DNS Client

    • Function Discovery Resource Publication

    • SSDP Discovery

    • UPnP Device Host

  • In environments with multiple domains, it is recommended to set up trust relationships between domains so that computers can access browse lists from other domains.

Computers from which Bitdefender Endpoint Security Tools queries the Computer Browser service must be able to resolve NetBIOS names.

Note

The network discovery mechanism works for all supported operating systems, including Windows Embedded versions, provided the requirements are met.