ON PREMISES SOLUTIONS

Install security agents - use cases

Prepare workstations for Bitdefender Endpoint Security Tools remote deployment

One of the main features that Bitdefender Endpoint Security Tools provides is the possibility to be installed remotely on endpoints, process called deployment.

For the Bitdefender Endpoint Security Tools deployment task to complete successfully on target systems, you need to comply with the following configuration prerequisites:

  1. OS requirements

    • Make sure the target endpoints meet the minimum system requirements. For some endpoints, you may need to install the latest operating system service pack available or free up disk space. Compile a list of endpoints that do not meet the necessary requirements so that you can exclude them from management.

    • When deploying the agent through a Linux relay, the following additional conditions must be met:

      • The Relay endpoint must have installed the Samba package (smbclient) version 4.1.0 or above, and the net binary/command to deploy Windows agents.

        Note

        The net binary/command is usually delivered with the samba-client and / or samba-common packages. On some Linux distributions (such as CentOS 7.4), the net command is only being installed when installing the full Samba suite (Common + Client + Server). Make sure that your Relay endpoint has the net command available.

      • Target Windows endpoints must have Administrative Share and Network Share enabled.

      • Target Linux and Mac endpoints must have SSH enabled and firewall disabled.

  2. Administrative privileges

    The installation requires administrative privileges. Make sure you have the necessary credentials at hand for all computers.

    You must also define the User Account Control (UAC) settings according to the target endpoint configuration:

    • For Windows 8.1 and 10 systems, you need full administrative privileges (the credentials of the built-in administrator account or a domain user account). For more information on how to successfully deploy BEST to Windows 8.1 and 10 stations, please refer to Client software deployment on Windows 8.1/10/2012 and above.

    • For target systems that are part of a Workgroup, you must disable UAC only if you are using other administrative rights credentials except the built-in domain Administrator account when configuring the deployment task. If the deployment task is configured to authenticate with the built-in domain Administrator account (and default UAC settings on the account were not changed in by group policy), it will run without having to change the UAC settings.

    • For target systems that are part of an Active Directory Domain, in addition to the previous recommendations, if the administrator wants to configure the task and provide the deployment credentials of users that are members of the Domain Admins security group, a GPO can be configured to apply this security group with the following settings:

      [Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options]

      Policy

      Setting

      User Access Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

      Elevate without prompting

      User Access Control: Detect application installations and prompt for elevation

      Disable

      User Access Control: Run all administrators in Admin Approval Mode

      Enable

    1342_1.png

    Note

    As security best practice, after the deployment cycle is finished, revert the settings to their defaults. For the UAC default configurations, refer to this Microsoft article.

    • For Windows 7, 8 and 10 systems, you will need to disable User Account Control (UAC), as follows:

      1. Go to Start > Control Panel > User Accounts

      2. Click Change User Account Control Settings

      3. Set UAC on Never Notify and then click OK

        1342_2.png
  3. Connectivity requirements

    On all workstations and servers that you want to manage, which need to have network connectivity to the GravityZone appliance, you will have to configure the firewall to allow the following communication ports, used by the security components:

    • 8443: the communication port between the GravityZone console and Bitdefender Endpoint Security Tools. This port must be allowed on all network computers

    • 7074: the communication port used for deployment and update via a Relay.

      Note

      These ports must not be used by any other application installed in the network.

    It is recommended to use a static IP address for the relay server. If you do not set a static IP, use the machine's hostname.

    Configure each workstation not to use sharing wizard as follows:

    In Windows 7:

    1. Go to Start > Computer > Organize > Layout and select Menu bar;

    2. Click Tools and go to Folder options... > View;

    3. Clear the Use Sharing Wizard check box in the advanced settings list;

    4. Click OK.

    In Windows 8 and 8.1:

    1. Go to Computer > View > Options;

    2. In the Folder options window, click the View tab;

    3. Clear the Use Sharing Wizard check box in the advanced settings list;

    4. Click OK.

    In Windows 10:

    1. Go to This PC > View > Options;

    2. Click the View tab;

    3. Clear the Use Sharing Wizard check box in the advanced settings list;

    4. Click OK.

      1342_3.png
    • Make sure that the File and Printer Sharing protocol is enabled. This service is using TCP ports 139, 445 and UDP ports 137, 138. To verify if the File and Printer Sharing protocol is enabled:

      1. Go to Start > Control Panel > Network and Sharing Center;

      2. Identify which network connection is established and click it;

      3. Click Properties;

        1342_4.png

    Note

    For the connection to be successful:

    • Disable the Windows Firewall, or configure it to allow traffic through File and Printer Sharing protocol. To disable Windows Firewall, open Control Panel > Windows Firewall and click Off.

    • Allow ICMP traffic (so you can successfully PING the workstation).

    To check that the network stations are correctly configured:

    • Ping the respective network station;

    • Try to log on to the administrative share.

  4. Third-party security software removal

Uninstall (not just disable) any existing antimalware, firewall or Internet security software from computers. Running the security agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

Many of the incompatible security programs are automatically detected and removed at installation time.

To learn more and to check the list of the security software detected by Bitdefender Endpoint Security Tools for Windows operating systems (Windows 7 / Windows Server 2008 R2 and later), refer to Software incompatible with Bitdefender Endpoint Security Tools.

If you want to deploy the security agent on a computer with Bitdefender Antivirus for Mac 5.X, you first must remove the latter manually. For the guiding steps, please access Deploy Endpoint Security for Mac on a machine with Bitdefender Antivirus for Mac 5.X.

Client software deployment on Windows 8.1/10/2012 and above

To remotely install software on Windows 8.1 / 2012 / 2012 R2 stations, you need to have full administrative privileges on them. In this case, you need the credentials of the built-in administrator account or a domain user account.

To successfully deploy the client software from Bitdefender Control Center to Windows 8.1 / 2012 / 2012 R2 stations, please consider one of the following recommendations:

  • Manually enable the built-in administrator account on target stations. When creating the client installation task for the Windows 8.1 / 2012 / 2012 R2 stations, use the credentials of the built-in administrator account.

    To learn how to enable and disable the built-in administrator account in Windows 8.1 / 2012 / 2012 R2, refer to this KB article.

  • Use the credentials of a domain administrator account, if you are managing an Active Directory network.

  • On the target Windows 8.1 / 2012 / 2012 R2 stations, change the value of the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA from 1 to 0.

    You will be prompted to restart your machine.

Remote deployment of BEST for Linux on Oracle - SAP

This section provides steps on how to remotely deploy BEST Linux on Oracle - SAP.

On Linux Oracle remote deployment via SSH is not possible due to the SFTP service. The same issue occurs on Unbreakable Oracle systems.

Resolution:

1. Edit sshd_config

2. Search for the line starting with: Subsystem

3. Comment and add the following line: Subsystem sftp internal-sftp

Create an uninstall password for Bitdefender Endpoint Security Tools

Overview

In some situations users with administrative privileges can uninstall Bitdefender Endpoint Security Tools (BEST), leaving the system unprotected.

You can help prevent such unauthorized actions by setting up an uninstall password from the GravityZone Control Center.

Set up a password

You can set up an uninstall password for:

  • New deploymentsNew deployments

    To protect future endpoints set up the uninstall password before the deployment, from the installation package.

  • Existing installationsExisting installation

    You can protect the existing endpoints in your network through policy. Edit the policy applied on the endpoints to set up the uninstall password.

    To use multiple passwords for groups of endpoints sharing the same policy across your environment, use the uninstall password setting of the installation package.

New deployments

To set the uninstall password for the installation package:

  1. Log in to GravityZone Control Center.

  2. Go to the Network page and click on the Packages section.

  3. Click the package that you want to install or create a new one

  4. Under Settings, select the Set uninstall password check box.

  5. Enter a password considering the complexity requirements.

  6. Click Save

Use this package to install BEST on endpoints. The password will prevent users from uninstalling the agent afterwards.

Existing installation

To configure the uninstall password from the policy:

  1. Log in to GravityZone Control Center.

  2. Go to the Policies page.

  3. Choose the policy that you applied on your systems.

    If the applied policy is the Default one, you must create and assign a new policy.

  4. Go to the General > Settings page.

  5. Under Uninstall Password Configuration select the Set uninstall password check box.

  6. Enter a password considering the complexity requirements.

  7. Click Save.

Ensure that you apply the policy to your target endpoints.

Deploy Endpoint Security for Mac on a machine with Bitdefender Antivirus for Mac 5.X

This section explains how you can deploy the business product Endpoint Security for Mac on a machine that

If you choose to replace Bitdefender Antivirus for Mac 5.X with Endpoint Security for Mac, you must keep in mind that you can deploy the latter only after you manually remove the consumer product.

This is because Bitdefender Antivirus for Mac 5.X has a Tamper protection module, a component that denies any exterior action over the integrity of the product, making impossible the uninstalling process via silent deployment or manual installation.

Thus, to deploy Endpoint Security for Mac on a machine that has Bitdefender Antivirus for Mac 5.X, follow these steps:

  1. Remove manually Bitdefender Antivirus for Mac by using Bitdefender Uninstaller.

    Sometimes, the standard Bitdefender Uninstaller may fail or does not exist at its location. In such a situation, you must use Disk Utility.

  2. Restart your Mac.

  3. Deploy Endpoint Security for Mac as usual, following the instructions described in your GravityZone Installation Guide.

Install Endpoint Security for Mac through Jamf Pro

Jamf Pro (formerly Casper Suite) is a Mac and iOS management software developed exclusively for the Apple platform. It offers a breadth of functionality in package building, inventory, image management, remote imaging, remote updates, iOS mobile device management and a powerful framework for automated support.

Through Jamf Pro 9.x

Bitdefender Endpoint Security for Mac can be installed remotely on your endpoints via Jamf Pro through a Script or from Self Service in User Mode.

Running a Script using a Policy in Jamf Pro
  1. Open Jamf Pro and authenticate.

  2. Go to Computer Management in the left tab.

  3. Add the Bitdefender Endpoint Security for Mac .DMG file as a new payload.

  4. Select the installation .PKG file to be extracted from the .DMG file.

  5. Go to Scripts and type the path as shown below (the downloaded .DMG file location may differ).

    13945_1.png
  6. Configure the policy settings according to your needs.

  7. Click Save.

    The Policy runs on the selected endpoints after the next sync with Jamf Pro.

Installing Bitdefender Endpoint Security for Mac from Self Service
  1. Open Jamf Pro and authenticate.

  2. Go to Computer Management in the left tab.

  3. In the Computer Management – Management Framework section, click Self Service.

  4. Log in, if required.

  5. Select the package from Applications (file name subject to your Administrator’s Application Management).

    13945_2.png
  6. Select one of the following options:

    Click the Install button to deploy the Bitdefender Endpoint Security for Mac installation kit.

    Click the Silent Install button for unattended Bitdefender Endpoint Security for Mac deployment.

Learn more about Jamf Pro from their Administrator's Guide

Through Jamf Pro 10.x

You can use Jamf Pro to remotely deploy Bitdefender Endpoint Security for Mac on your endpoints.

Before you begin

Starting with macOS High Sierra (10.13), after installing Endpoint Security for Mac manually or remotely, the user is prompted to approve the Bitdefender kernel extensions on Mac. Until the user approves the Bitdefender kernel extensions, some Endpoint Security for Mac features will not work. For details, refer to Bitdefender system extension blocked on macOS High Sierra (10.13) and later.

You can pre-approve the Bitdefender kernel extensions and thus eliminate user intervention by whitelisting the Bitdefender extensions using a Mobile Device Management tool such as Jamf Pro. For details, refer to Whitelist Bitdefender Endpoint Security for Mac Kernel Extensions using Jamf Pro 10.x.

Installing Endpoint Security for Mac through Jamf Pro 10.x

Note

  • These steps follow the Jamf Pro version 10.5 interface. The Jamf Pro interface may differ in later versions.

  • Screenshots from this section are indicative and they may be different from your actual experience, based on Jamf Pro version and settings.

  1. Download the Endpoint Security for Mac package from the GravityZone console.

  2. Double-click the Bitdefender_for_MAC.dmg to view the content.

    13945_3.png
  3. Drag both antivirus_for_mac.pkg and installer.xml to a folder (for example: /Users/Shared)

  4. Drag the folder containing the files into Jamf Composer and create an installation file from that folder (for example, a .dmg or a .pkg file).

  5. Log in to Jamf Pro.

  6. In the top-right corner of the console, click Settings. Make sure that the computers have the "User Approved MDM" status.

  7. Click Computer Management, then Packages. In the General tab, you can edit the Display name and Filename.

    13945_4.png
  8. Upload the installation file into Jamf Pro.

  9. In the left-side menu, go to Policies and create a policy for the installation file.

    13945_5.png
  10. Select the installation file in Policies > Packages and set Action to Install.

    13945_6.png
  11. Click Scripts and configure the Files and Processes payload.

  12. Type in the Script tab the following command:

    installer -pkg /Users/Shared/antivirus_for_mac.pkg -target /
    13945_7.png
  13. Scope the policy to computers and click Save.

Endpoint Security for Mac: Configure Jamf Pro for macOS Big Sur 11.0 and later

Bitdefender Endpoint Security for Mac requires a certain configuration in Jamf Pro when using this tool to deploy on machines running macOS Big Sur 11.0 and later. Specifically, you need to create a configuration profile where you pre-approve:

  • Bitdefender system extension

  • Traffic proxy

  • Full disk access

All these approvals are necessary for Endpoint Security for Mac to work properly, without asking endpoint users for interaction.

Bitdefender system extension

First, you have to approve a configuration profile where you pre-approve the Bitdefender system extension.

  1. Log in to Jamf Pro.

  2. Go to Computers > Configuration Profiles and click New.

  3. In the left-side menu of the new profile, scroll down to System Extensions.

  4. Click Configure.

  5. Under Allowed Team IDs and System Extensions, make this configuration:

    • Under Display Name, enter Bitdefender.

    • From the System Extension Types drop-down list, select Allowed System Extensions.

    • Under Team Identifier, enter GUNFMW623Y.

    • Under Allowed System Extensions, enter the following string: com.bitdefender.cst.net.dci.dci-network-extension

    Once complete, the payload should look as in the image below.

    001-system-extensions.png
  6. Click Save.

Traffic proxy

Endpoint Security for Mac uses a tunneling application (like a VPN) to filter the traffic. To pre-approve this application:

  1. In the left-side menu of the profile, go to Content Filter.

  2. Under Filter Name, enter Bitdefender.

  3. Under Identifier, enter com.bitdefender.epsecurity.BDLDaemonApp

  4. Under Network Filter, enter these strings:

    • For Network Filter Bundle Identifier: com.bitdefender.cst.net.dci.dci-network-extension

    • For Network Filter Designated Requirement: anchor apple generic and identifier "com.bitdefender.cst.net.dci.dci-network-extension" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)

    Once complete, the payload should look as in the image below.

    002-content-filter.png
  5. Click Save.

Full disk access

To allow full disk access for Endpoint Security for Mac:

  1. In the left-side menu of the profile, go to Privacy Preferences Policy Control.

  2. You need to allow full access for the following application:

    • BDLDaemon.app

      To do this:

      1. Under Identifier, enter com.bitdefender.epsecurity.BDLDaemonApp

      2. Under Identifier Type, select Bundle ID.

      3. Under Code Requirement, enter anchor apple generic and identifier "com.bitdefender.epsecurity.BDLDaemonApp" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y)

      4. Click + Add on the right side of the screen.

      5. Under App or Service, select SystemPolicyAllFiles from the drop-down list. Next to it, make sure Access is set to Allow.

      6. Click Save.

    • EndpointSecurityforMac.app

      To do this:

      1. Click the + button on the right side of the screen to add another template.

      2. Under Identifier Type, select Bundle ID.

      3. Under Identifier, enter com.bitdefender.EndpointSecurityforMac

      4. Under Code Requirement, enter identifier "com.bitdefender.EndpointSecurityforMac" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = GUNFMW623Y

      5. Click + Add on the right side of the screen.

      6. Under App or Service, select SystemPolicyAllFiles from the drop-down list. Next to it, make sure Access is set to Allow.

      7. Click Save.

        Once complete, the payload should look as in the image below.

        003-disk-access.png
  3. Click Save.

For details on Endpoint Security for Mac approvals required in macOS Big Sur, refer to this topic.Changes to Bitdefender Endpoint Security for Mac in macOS Big Sur

For steps on Endpoint Security for Mac installation through Jamf Pro 10.x, after creating the configuration profile, refer to this topic.

Whitelist Bitdefender Endpoint Security for Mac Kernel Extensions using Jamf Pro 10.x

This section explains how to whitelist Bitdefender Endpoint Security for Mac kernel extensions using Jamf Pro 10.x.

Starting with macOS High Sierra (10.13), after installing Endpoint Security for Mac manually or remotely, the user is prompted to approve the Bitdefender kernel extensions on his Mac. Until the user approves the Bitdefender kernel extensions, some Endpoint Security for Mac features will not work. For details, refer to Bitdefender system extension blocked on macOS High Sierra (10.13) and later.

You can pre-approve the Bitdefender kernel extensions and thus eliminate user intervention by whitelisting the Bitdefender extensions using a Mobile Device Management tool such as Jamf Pro. This feature is supported starting with macOS 10.13.2 and Jamf Pro version 10.3.0.

The procedure implies creating and applying an MDM configuration profile in Jamf Pro 10.x that whitelists the Bitdefender kernel extensions to the target computers.

Note

The computers must have the "User Approved MDM" status.

For details about User Approved MDM, refer to these articles:

How to create the MDM configuration profile in Jamf Pro 10.x
  1. Log in to Jamf Pro.

  2. Go to Computers > Configuration Profiles > New.

  3. Scroll down to Approved Kernel Extensions.

  4. Enter a Display name and the Team ID. The Bitdefender Team ID is GUNFMW623Y.

    15210_1.png

    Note

    Specifying individual kernel extensions to be approved is not required.

  5. Save the changes.

  6. Deploy the profile to the computers.

Install Bitdefender Endpoint Security Tools through MSI package

Bitdefender Endpoint Security Tools (BEST), the GravityZone security agent, uses one installation package for any environment (physical or virtual). On Windows, GravityZone delivers the installation packages as executable kits, only in EXE format. This may be inconvenient if you want to deploy the agent via Windows Group Policy or any other third-party application that supports MSI packages.

The solution implies applying an MSI wrapper over Windows Downloader, the standard lite installer for BEST. This section provides the guidelines for downloading the installer and a few methods on how to deploy the BEST using the MSI package.

Get Windows Downloader

Warning

  • Do not alter the Windows Downloader file name. Otherwise, the installation files will not download from the Bitdefender servers.

  • Because Microsoft Edge may trim long file names such as the one of Windows Downloader, we recommend using another browser.

To download BEST installer:

  1. Log in to GravityZone Control Center.

  2. Navigate to Network > Packages.

  3. Select the installation package you want to download.

    Important: This procedure currently does not support installation packages with proxy settings.

  4. Click Download at the upper side of the table and select Windows Downloader.

    The installation package is saved to your default download location as an EXE file.

Deploy BEST using Microsoft Endpoint Configuration Manager (SCCM)

Important

This procedure does not support installation packages with proxy settings.

To deploy BEST through SCCM follow these steps:

1. Get the installer hash

This can be done through one of these methods:

  1. Log in to GravityZone Control Center.

  2. Navigate to Network > Packages.

  3. Select the installation package you want to deploy.

  4. Click on the Send download links.

  5. Expand the Installation links area.

  6. Extract the installer hash from between the square brackets [ ] and save it.

    sccm2.JPG

Warning

  • Do not alter the Windows Downloader file name. Otherwise, the installation files will not download from the Bitdefender servers.

  • Because Microsoft Edge may trim long file names such as the one of Windows Downloader, we recommend using another browser.

To download BEST installer:

  1. Log in to GravityZone Control Center.

  2. Navigate to Network > Packages.

  3. Select the installation package you want to deploy.

  4. Click Download at the upper side of the table and select Windows Downloader.

  5. Extract the installer hash from between the square brackets [ ] and save it.

    sccm3.JPG
2. Create the installation MSI package
  1. Download the MSI Wrapper.

    BESTmsi.PNG
  2. Copy the MSI file to the Software Library share from your Configuration Manager.

  3. Open Configuration Manager > Software Library > Applications

    sccm1.JPG
  4. Click on the Create Application button.

  5. Locate the MSI wrapper and click Next.

    newsccm4.JPG
  6. Wait for the information to be imported and click Next.

  7. On the General Information page add the following parameters to the Installation program command line:

    msiexec /i "BEST_downloaderWrapper.msi" /qn GZ_PACKAGE_ID=installerhash REBOOT_IF_NEEDED=1

    The edited line should look like this:

    msiexec /i "BEST_downloaderWrapper.msi" /qn GZ_PACKAGE_ID=aHR0cHM6Ly9jbG91ZGd6LWVjcy5ncmF2aXR5em9ucS5iaXRkZWZlbmRlci5jb20vUGFja2FnZXMvQlNUV0lOLzAvcV9Ib0VML2luc3RhbGxlci54bWw-bGFuZz1lbi1VUw== REBOOT_IF_NEEDED=1
    
  8. Select Install for system if resource is device; otherwise install for user as Install behavior.

    newsccm5.JPG
  9. Click Next to apply the settings.

  10. Review the information and click Next to create the application.

  11. Bitdefender Endpoint Security Tools will be displayed in the Applications list.

    sccm6.JPG
3. Deploy the installation package
  1. Right-click the application and select Deploy.

    sccm7.JPG
  2. Click Browse and specify the collection as All Systems. Click Next.

    sccm8.JPG
  3. To add the Distribution Points, click in Add and choose your distribution point.

    sccm9.JPG
  4. Choose Action as Install and Purpose as Required. Click Next.

    sccm10.JPG
  5. Schedule the deployment and click Next.

    sccm11.JPG
  6. Configure User notifications and click Next.

    sccm12.JPG
  7. Specify alert options and click Next.

    sccm13.JPG
  8. Confirm the settings and click Next.

    sccm14.JPG
  9. Wait for the operation to complete and click Close.

    sccm15.JPG

Deployments incremented with the number of devices under SCCM:

sccm16.JPG

On the left-hand side of the console select Monitoring > Deployments. Here, you can see information about the application that was deployed.

sccm17.JPG
Deploy BEST via msiexec.exe command line

This method is suitable for command-line deployment tools that accept instructions with parameters. The method uses the msiexec command, having the MSI wrapper and the installer ID as parameters. The MSI wrapper is digitally signed by Bitdefender.

  1. Download the MSI Wrapper.

  2. Open Command Prompt as Administrator.

  3. Run the following command to deploy BEST:

    msiexec /i full_path\BEST_downloaderWrapper.msi /qn GZ_PACKAGE_ID=[string] REBOOT_IF_NEEDED=1 [parameter]

    Where:

    • full_path is the actual path to the MSI Wrapper

    • string is the actual string between brackets, from the installation package name

    • parameter (optional) that reboots the machine when you deploy BEST over a competitor's product;

      1 = TRUE

      a notification prompts the user with a 10-minute time frame before restarting the machine.

    For example:

    Installation package name:

    setupdownloader_[aHR0cH-bGFuZz1lbi1VUw==].exe

    GZ_PACKAGE_ID value:

    aHR0cH-bGFuZz1lbi1VUw==

    Note

    The string in the example is only for illustration purposes only. The actual string is different and much longer.

Deploy BEST via installer.xml

Use this method when you have a proxy configured into the installation package or when you use a proxy on a target machine.

  1. Log in to GravityZone Control Center

  2. Navigate to Network > Packages.

  3. Click Add at the upper side of the table.

  4. Configure the package and click Save.

  5. Click Download at the upper side of the table and select Windows kit (32-bit or 64-bit).

  6. Extract the installer.xml from the installation package to any location.

  7. Download the MSI Wrapper.

  8. Place the MSI wrapper in the same location with installer.xml.

  9. Rename the MSI Wrapper using the Windows Downloader to embed installer.exe

    For example:

    Installation package name: setupdownloader_[aHR0cH-bGFuZz1lbi1VUw==].exe

    MSI Wrapper name: BEST_downloaderWrapper.msi

    MSI Wrapper embedded with installer.xml: BEST_downloaderWrapper_[aHR0cH-bGFuZz1lbi1VUw==].msi

  10. Run the following command to deploy BEST:

    msiexec /i full_path\BEST_downloaderWrapper_[aHR0cH-bGFuZz1lbi1VUw==].msi

Deploy BEST via Windows Group Policy (GPO)

Follow this method if all you need is to run the MSI file. In this case, you need to customize the wrapper with Orca.exe, to link it to the Windows Downloader. To avoid security warnings when running the resulted MSI file, you need to unblock it.

Warning

This method alters the digital signature of the MSI Wrapper.

  1. Install Orca.exe

    Orca is a tool for creating and editing Windows Installer packages.

    1. Download and run Windows SDK Components for Windows Installer Developers

    2. Select the MSI Tools checkbox when asked to select the features to be installed.

      MSI Tools includes Orca.exe. For more information about Orca.exe, refer to this Microsoft topic

      10359_1.png
    3. Click Install.

  2. Customize the MSI Wrapper

    1. Download the MSI Wrapper.

    2. Right-click the MSI template and select Edit with Orca.

    3. In Orca, navigate to Tables > Property.

      MSI_Orca.PNG
    4. In the right panel, locate GZ_PACKAGE_ID under the Property column.

    5. Under the Value column, click the corresponding cell to enter a new value.

    6. Insert the string between brackets from the installation package EXE file.

      For example:

      Installation package name:

      setupdownloader_[aHR0cH-bGFuZz1lbi1VUw==].exe

      GZ_PACKAGE_ID value:

      aHR0cHbGFuZz1lbi1VUw==

      Note

      The string in the example is only for illustration purposes. The actual string is much longer.

    7. Add the following parameter (including its value) to reboot the machine when you deploy BEST over a competitor's product:

      REBOOT_IF_NEEDED=1

      A notification prompts the user with a 10-minute time frame before restarting the machine.

    8. Click OK to confirm.

    9. Save changes made to the MSI Wrapper.

  3. Unblock MSI Wrapper to avoid security warnings

    Windows may prevent you from running files downloaded from the internet and raise a security warning. To avoid this situation with MSI Wrapper, follow these steps:

    1. Right-click the MSI Wrapper template and select Properties.

    2. In the General tab, select Unblock at the bottom of the window.

      MSI_Properties.PNG
    3. Click OK or Apply.

  4. Deploy the MSI package

    Use the modified MSI Wrapper to deploy the Bitdefender security agent through Windows Group Policy or any other third-party application that supports MSI packages.

    Note

    For silent installations, use the following parameters: /qn or /quiet.

Install Bitdefender Endpoint Security Tools using Casper

In order to remotely install Bitdefender Endpoint Security Tools using Casper, follow these instructions:

Copy the pkg file on the machine and run this command:

/path/to/Installer.app/Contents/MacOS/InstallationDeployer --install installer -pkg /path/to/the_package_to_be_installed.pkg -target /

"Installer.app/Contents/MacOS/InstallationDeployer" is an application from the Casper suite used to install pkg files.

Install Bitdefender Endpoint Security Tools manually on Linux virtual machines

This section describes how to install manually the GravityZone security agent on Linux virtual machines from a GravityZone on-premises environment.

Requirements and prerequisites

Before installation, check the security agent requirements on Linux.

Licensing

Linux endpoints use license seats from the pool of licenses for server operating systems.

Installation

The procedure includes how to download the appropriate installation package to the machine, unpack the archive and manually install it via a terminal session.

  1. In GravityZone Control Center, go to Network > Packages.

  2. Select the installation package from the list.

  3. Click the Download button at the upper side of the page and select the Linux kit (32-bit or 64-bit, according to your virtual machine OS type).

    10359_4.png

    Note

    If the security agent kit is not already available in GravityZone, it will be automatically downloaded to the appliance when downloading the specific installation package. When an installation package is unavailable, go to Configuration > Miscellaneous menu (it requires a GravityZone account with manage solution rights), and review the options for When an unavailable kit is needed.

  4. Transfer the downloaded archive to the target virtual machine using, for example, a SSH client or through a SAMBA share.

  5. Open a terminal session on the Linux virtual machine using an account with administrative privileges.

  6. Run the following commands to unpack and run the installer:

    cd /root

    tar –xvf fullKit_unix64.tar

    chmod +x installer

    ./installer

    Note

    The cd /root command is an example for specifying the virtual machine folder where you have transferred the downloaded installation archive. The package name mentioned above is also an example. You must enter the name of the specific package you have downloaded.

  7. Bitdefender Endpoint Security Tools for Linux will be installed in a few moments. To check that the agent has been installed on the endpoint, run this command:

    $ service bd status

In a few minutes after the security agent has been installed, the endpoint will show up as managed in the GravityZone network inventory.

Install protection on virtual machines in a Microsoft Hyper-V environment

GravityZone does not have integration with Microsoft Hyper-V, therefore the Security Servers installation and configuration in this environment has to be done manually.

Download Security Server (Microsoft Hyper-V)

Once the GravityZone appliance has been imported and properly configured on the Hyper-V host, it is required to download the Security Server component:

  1. Log on to GravityZone Control Center with a Company Administrator account.

  2. Go to Configuration > Update page, Product Update tab.

  3. Under Components section, select Security Server (Microsoft Hyper-V) and click the Download button. This will download the Hyper-V Security Server image to the GravityZone appliance.

    10359_6.png
  4. Click the Refresh button at the upper side of the Components table to check the download status.

Create the Security Server virtual machine

Once the Security Server image has been downloaded to the GravityZone appliance, you will have to download the Security Server's VHD file to a network share or a storage device accessible from the host:

  1. Go to Network > Packages page.

  2. Right click on the Default Security Server Package > Download.

  3. Select Microsoft Hyper-V (VHD). Wait for the download to complete.

    10359_7.png

Next, you need to deploy the Security Server image on the host, by creating a new virtual machine and attaching the downloaded vhd file to it. This procedure is similar with importing the GravityZone appliance into this type of host. For more information on how to import a virtual appliance to Hyper-V, see Installing GravityZone.Installing GravityZone

Configure Security Server

Once the virtual machine has been created, you need to start it and configure it to communicate with the GravityZone components. For this, follow the next steps:

  1. Connect to the appliance via SSH, using the default credentials:

    • username: root

    • password: sve

  2. Run the sva-setup command.

  3. Configure the appliance with DHCP/static network settings.

    If you have created an IP reservation for the appliance on the DHCP server, skip this configuration by pressing Enter. If you configure with static network settings, follow these steps:

    1. Type Y and press Enter to continue.

    2. Enter the network settings: IP address, network mask, gateway, DNS servers.

    3. Type Y and press Enter. to save the changes.

  4. Configure the Security Console IP: enter the Control Center IP address (e.g. 192.168.0.101).

  5. Configure the Communication Server IP address. https://CommServer-IP:8443 (e.g. https://192.168.0.101:8443).

  6. Configure Update Server address: enter the IP address or hostname of the Update Server (e.g. 192.168.0.101).

  7. Configure the Update Server port: 7074.

Note

the above IP address is just an example of a GravityZone appliance with all the roles installed on the same instance.

Once the configuration is finished, the specific services of Bitdefender will start on the virtual machine. The Security Server will be visible in the Network page of the GravityZone Control Center, in Virtual Machines > Custom Groups in no more that 2 or 3 minutes.

10359_8.png
Network discovery mechanism

The installation of BEST needs to be done manually only on the first virtual machine within the network. The rest of the virtual machines will be discovered by BEST and you will be able to deploy the product from GravityZone Control Center.

BEST includes an automatic network discovery mechanism intended to detect other virtual machines. It relies on the Microsoft Computer Browser service to perform network discovery. The Computer Browser service is a networking technology used by Windows-based computers to maintain updated lists of domains, workgroups, and the computers within them and to supply these lists to client computers upon request. Computers detected in the network by the Computer Browser service can be viewed by running the net view command in a Command Prompt window.

10359_13.png

In order to successfully discover other virtual machines, the following are required:

  • Computers must be joined in a workgroup or domain and connected via an IPv4 local network. Computer Browser service does not work over IPv6 networks.

  • Several computers in each LAN group (workgroup or domain) must be running the Computer Browser service. Primary Domain Controllers must also run the service.

  • NetBIOS over TCP/IP (NetBT) must be enabled on computers. Local firewall must allow NetBT traffic.

  • File sharing must be enabled on computers. Local firewall must allow file sharing.

  • A Windows Internet Name Service (WINS) infrastructure must be set up and working properly.

  • For Windows Vista and later, network discovery must be turned on (Control Panel > Network and Sharing Center > Change Advanced Sharing Settings). To be able to turn on this feature, the following services must first be started:

    • DNS Client

    • Function Discovery Resource Publication

    • SSDP Discovery

    • UPnP Device Host

  • In environments with multiple domains, it is recommended to set up trust relationships between domains so that computers can access browse lists from other domains.

  • Computers from which BEST queries the Computer Browser service must be able to resolve NetBIOS names

Note

All virtual machines (protected and unprotected) from a Hyper-V hosts will be displayed in Control Center, in Virtual Machines > Custom Groups. Therefore, you need to make sure that the account you are using to access Control Center has the permissions to see this container.

Install Bitdefender Endpoint Security Tools using the credentials of a non-root user

In environments integrated with Control Center, you can remotely install Bitdefender Endpoint Security Tools on machines by using installation tasks. These tasks require administrative privileges on the target machines. On Linux machines, you can provide the credentials of either the root or a non-root user with administrative access.

To install BEST with a non-root user:

  1. On each target machine:

    1. Run the next command as root to open the /etc/sudoers configuration file for safe editing:

      #visudo

    2. Type I to enable editing.

    3. Ensure that your user can perform packages installations with the sudo command:

      1. Locate the following line:

        root ALL = (ALL) ALL

        A similar line with the one above but with the user name should be present in the next lines.

      2. If you cannot find the line for your user, add it as follows:

        username ALL = (ALL) ALL

        This setting grants the user the right to use sudo for all commands that require root privileges.

    4. Comment the following lines:

      Defaults requiretty

      Defaults targetpw

      Defaults runaspw

      Defaults rootpw

      Defaults !visiblepw

    5. Save the file and exit: press ESC and type :wq .

  2. From Control Center, follow the deployment steps described in GravityZone platform .

    When asked for credentials, provide the authentication details of the non-root user.