Computer and virtual machines policies

Policy settings can be initially configured when creating the policy. Later on, you can change them as needed anytime you want.

To configure the settings of a policy:

  1. Go to the Policies page.

  2. Choose Computers and Virtual Machines from the views selector.

  3. Click the policy name. This will open the policy settings page.

  4. Configure the policy settings as needed.

    Settings are organized under the following sections:

    Navigate through sections using the menu on the left-side of the page.

    Note

    Availability and functioning of this feature may differ depending on the license included in your current plan.

  5. Click Save to save changes and apply them to the target computers.

    To leave the policy page without saving changes, click Cancel.

Note

To learn how to work with policies, refer to Managing policies.

General

General settings help you manage user interface display options, password protection, proxy settings, power user settings, communication options and update preferences for the target endpoints.

The settings are organized into the following sections:

Details

The Details page contains general policy details:

  • Policy name

  • User who created the policy

  • Date and time when the policy was created

  • Date and time when the policy was last modified


You can rename the policy by entering the new name in the corresponding field and clicking the Save button.

Policies should have suggestive names so that you or other administrators can quickly identify them.

Note

By default, only the user who created the policy can modify it. To change that, the policy owner must check the option Allow other users to change this policy from the policy’s Details page.

Inheritance Rules

You can set sections to be inherited from other policies. To do this:

  1. Select the module and the section you want the current policy to inherit. All sections are inheritable, except for General > Details.

  2. Specify the policy you want to inherit the section from.

  3. Click the Add button at the right side of the table.

If a source policy is deleted, the inheritance breaks and the settings of the inherited sections are stored on the child policy.

Inherited sections cannot be further inherited by other policies.

Example 4. Inherited rule mechanics

Policy A inherits the Antimalware > On-Demand section from policy B. Policy C cannot inherit the Antimalware > On-Demand section from policy A.
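The three inheritance rules above (General > Details is never inheritable, an inherited section cannot be inherited again, and deleting the source stores the inherited settings on the child) as an added, constructed Go model; this is illustration code, not GravityZone's implementation, and the section names and opaque setting strings are assumptions:

```go
package main

import (
	"errors"
	"fmt"
)

// Section names a policy section as "Module > Section", e.g. "Antimalware > On-Demand".
type Section string

// Policy keeps its own settings per section (an opaque string stands in for the real settings) and, for inherited sections, the source policy's name.
type Policy struct {
	Settings  map[Section]string
	Inherited map[Section]string
}

// PolicyStore is an in-memory model of the inheritance rules on this page, not the product's implementation.
type PolicyStore struct{ Policies map[string]*Policy }

var ErrDetailsNotInheritable = errors.New("General > Details cannot be inherited")
var ErrChainedInheritance = errors.New("an inherited section cannot be inherited further")

func NewStore() *PolicyStore { return &PolicyStore{Policies: map[string]*Policy{}} }

func (s *PolicyStore) Add(name string, settings map[Section]string) {
	s.Policies[name] = &Policy{Settings: settings, Inherited: map[Section]string{}}
}

// Inherit makes child take sec from source, rejecting General > Details and chained inheritance.
func (s *PolicyStore) Inherit(child string, sec Section, source string) error {
	if sec == "General > Details" {
		return ErrDetailsNotInheritable
	}
	src, ok := s.Policies[source]
	if !ok {
		return fmt.Errorf("unknown source policy %q", source)
	}
	if _, chained := src.Inherited[sec]; chained {
		return ErrChainedInheritance
	}
	s.Policies[child].Inherited[sec] = source
	return nil
}

// Effective returns the settings applied for sec: the source policy's if inherited, otherwise the policy's own.
func (s *PolicyStore) Effective(name string, sec Section) string {
	p := s.Policies[name]
	if src, ok := p.Inherited[sec]; ok {
		return s.Policies[src].Settings[sec]
	}
	return p.Settings[sec]
}

// Delete removes a policy; each section inherited from it is detached and its settings stored on the child.
func (s *PolicyStore) Delete(name string) {
	for child, p := range s.Policies {
		for sec, src := range p.Inherited {
			if src == name {
				p.Settings[sec] = s.Effective(child, sec)
				delete(p.Inherited, sec)
			}
		}
	}
	delete(s.Policies, name)
}

func main() {
	st := NewStore()
	st.Add("B", map[Section]string{"Antimalware > On-Demand": "weekly full scan"})
	st.Add("A", map[Section]string{"Antimalware > On-Demand": "daily quick scan"})
	st.Add("C", map[Section]string{})
	fmt.Println(st.Inherit("A", "Antimalware > On-Demand", "B"), st.Effective("A", "Antimalware > On-Demand"))
	fmt.Println(st.Inherit("C", "Antimalware > On-Demand", "A")) // rejected: A's section is itself inherited
	st.Delete("B")
	fmt.Println(st.Effective("A", "Antimalware > On-Demand"), st.Policies["A"].Inherited) // weekly full scan map[]
}
```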



Technical Support Information

You can customize the technical support and contact information available in the security agent's About window by filling in the corresponding fields.

To configure an email address in the About window so that it opens the default email application on the endpoint, you must add it in the Email field with the "mailto:" prefix. Example: mailto:name@domain.com.

Users can access this information from the security agent console by right-clicking the Bitdefender icon in the system tray and selecting About.

Notifications

In this section you can configure the Bitdefender security agent's user interface display options in a comprehensive and intuitive way.

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

With just one click, you can enable or disable an entire type of notification, keeping only what truly matters to you. The same page also gives you full control over endpoint issues visibility.

Silent Mode

Use the check box to turn Silent Mode on or off.

Silent Mode is designed to help you easily disable user interaction in the security agent.

When turning on Silent Mode, the following changes are made to the policy configuration:

  • The Show icon in notification area, Display notification pop-ups and Display alert pop-ups options in this section will be disabled.

  • If the firewall protection level was set to Ruleset and ask or Ruleset, known files and ask, it will be changed to Ruleset, known files and allow. Otherwise, the protection level setting will remain unchanged.

Show icon in notification area

Select this option to show the Bitdefender icon in the notification area in the taskbar (also known as the system tray).

The icon informs users of their protection status by changing its appearance and displaying a corresponding notification pop-up. Additionally, users can right-click it to quickly open the security agent main window or the About window.

Display alert pop-ups

Users are informed through alert pop-ups about security events that require action. If you choose not to display alert pop-ups, the security agent automatically takes the recommended action.

Alert pop-ups are generated in the following situations:

  • If the firewall is set to prompt the user for action whenever unknown applications request network or Internet access.

  • If Advanced Threat Control / Intrusion Detection System is enabled, whenever a potentially dangerous application is detected.

  • If device scanning is enabled, whenever an external storage device is connected to the computer.

    You can configure this setting in the Antimalware > On-demand section.

Display notification pop-ups

Different from alert pop-ups, the notification pop-ups inform users about diverse security events. The pop-ups disappear automatically within a few seconds without user intervention.

Select Display notification pop-ups, then click the Show Modular Settings link to choose, module by module, which events you want the users to be informed about.

There are three types of notification pop-ups, based on the severity of the events:

  • Info. Users are informed about significant but harmless security events. For example, an application that has connected to the Internet.

  • Low. Users are informed about important security events that may require attention. For example, a threat has been detected and the file has been deleted or quarantined.

  • Critical. These notification pop-ups inform the users about dangerous situations, such as a threat being detected while the default policy action is Take no action, so the malware is still present on the endpoint, or an update process that was unable to complete.

Select the check box associated with the type name to enable that kind of pop-up for all modules at once. Click the check boxes associated with individual modules to enable or disable specific notifications.

For example, after selecting the check boxes associated with Sandbox Analyzer, Bitdefender Endpoint Security Tools informs the user when a file is submitted to behavioral analysis.

The list of modules may vary according to your license.

Endpoint Issues Visibility

Users can determine when their endpoint has security configuration issues or other security risks, based on status alerts. For example, users can see whenever there is a problem related to their antimalware protection, such as the module being disabled or a full system scan being overdue.

Users are informed about their protection status in two ways:

  • Checking the status area of the main window, which displays an appropriate status message and changes its color depending on the severity of the security issues. Users can also view issue details by clicking the available button.

  • Checking the Bitdefender icon in the system tray, which changes its appearance when issues are detected.

Bitdefender security agent uses the following color scheme in the notification area:

  • Green: No issues are detected.

  • Yellow: The endpoint has non-critical issues that affect its security. Users don’t have to interrupt their current work for resolving these issues.

  • Red: The endpoint has critical issues that require the user's immediate action.

  1. Select Endpoint Issues Visibility, then click the Show Modular Settings link to customize the status alerts displayed in the Bitdefender agent's user interface.

  2. For each module, you can choose to show the alert as a warning or a critical issue, or not to display it at all. These options are:

    • General - The status alert is generated whenever a system restart is required during or after product installation, and also when the security agent could not connect to Bitdefender.

    • Antimalware - Status alerts are generated in the following situations:

      • is enabled but many local files are skipped.

      • A certain number of days have passed since the last full system scan has been performed on the machine.

        You may select how to show the alerts and define the number of days from the last full system scan.

      • A restart is required to complete a disinfection process.

    • Firewall - This status alert is generated when the Firewall module is disabled.

    • Application Control - This status alert is generated when the Application Control module is modified.

    • Content Control - This status alert is generated when the Content Control module is disabled.

    • Update - The status alert is generated whenever a system restart is required to complete an update operation.

Endpoint Restart Notification

This option displays a restart alert on the endpoint each time a system reboot is required due to changes made to the endpoint by the GravityZone modules selected under modular settings.

Note

Endpoints requiring a system restart have a specific status icon in the GravityZone inventory.

You can further customize restart alerts by clicking on Show modular settings. The following options are available:

  • Update - Select this option to activate agent update restart notifications.

    You can configure additional options for endpoint users, such as postponing the reboot or reboot at a certain time, in the General > Update page of the policy settings.

  • Patch Management - Select this option to activate patch install restart notifications.

    You can configure additional settings for endpoint users, such as postponing the reboot or reboot at a certain time, in the maintenance windows for Patch Management.

Settings

In this section you can configure the following settings:

Password Configuration

To prevent users with administrative rights from uninstalling protection, you must set a password.

The uninstall password can be configured before installation by customizing the installation package. If you have done so, select Keep installation settings to keep the current password.

  • To set the password, or to change the current password, select Enable password and enter the desired password.

  • To remove password protection, select Disable password.

Proxy Configuration

If your network is behind a proxy server, you need to define the proxy settings that will allow your endpoints to communicate with the GravityZone solution components. In this case, you need to enable the Proxy Configuration option and fill in the required parameters:

  • Server - enter the IP address of the proxy server.

  • Port - enter the port used to connect to the proxy server.

  • Username - enter a user name recognized by the proxy.

  • Password - enter the valid password for the specified user.

Power User

The Power User module enables administration rights at endpoint level, allowing the endpoint user to access and modify policy settings via a local console, through the Bitdefender Endpoint Security Tools interface.

Important

The Power User module is available only for supported Windows desktop and server operating systems.

Note

Availability and functioning of this feature may differ depending on the license included in your current plan.

  1. If you want certain endpoints to have Power User rights, you must first include this module in the security agent installed on the target endpoints.

  2. After that, you need to configure the Power User settings in the policy applied to these endpoints:

    1. Enable the Power User option.

    2. Define a Power User password in the fields below.

      Users accessing the Power User mode from the local endpoint will be prompted to enter the defined password.

  3. To access the Power User module, users must right-click the Bitdefender icon in their system tray and choose Power User from the contextual menu.

  4. After providing the password in the login window, a console containing the currently applied policy settings will show up, where the endpoint user can view and modify the policy settings.

Note

Only certain security features can be accessed locally via the Power User console, concerning the Antimalware, Firewall, Content Control and Device Control modules.

To revert the changes made in Power User mode:

  1. In Control Center, open the policy template assigned to the endpoint with Power User rights and click Save. In this way, the original settings will be reapplied to the target endpoint.

  2. Assign a new policy to the endpoint with Power User rights.

  3. Log in to the local endpoint, open the Power User console and click Resync.

To easily find endpoints with policies modified in Power User mode, in the Network page you can:

  • Click the Filters menu and select the Edited by Power User option from the Policy tab.

  • Click the endpoint you are interested in to display the Information window. If the policy was modified in Power User mode, a notification will be displayed in the General tab > Policy section.

Important

The Power User module is specifically designed for troubleshooting purposes, allowing the network administrator to easily view and change policy settings on local computers.

Assigning Power User rights to other users in the company must be limited to authorized personnel, to ensure that the security policies are being always applied on all endpoints of the company network.

Options

Note

The range of settings can vary depending on the license included in your current plan.

In this section you can define the following settings:

  • Remove events older than (days)

    Bitdefender security agent keeps a detailed log of events concerning its activity on the computer (also including computer activities monitored by Content Control).

    By default, events are deleted from the log after 30 days.

    If you want to change this interval, choose a different option from the menu.

  • Submit crash reports to Bitdefender

    Select this option so that reports will be sent to Bitdefender Labs for analysis if the security agent crashes.

    The reports will help our engineers find out what caused the problem and prevent it from occurring again.

    No personal information will be sent.

  • Submit suspicious files for analysis

    Select this option so that files that seem untrustworthy or with suspicious behavior will be sent to the Global Protection Network for automatic analysis.

    Important

    You must restart the endpoint after enabling or disabling this option.

  • Send feedback regarding the security agents' health

    Select this option to send anonymized telemetry data about the endpoint.

  • Use Bitdefender Global Protective Network (GPN) to enhance protection

    Select this option to submit detections to Bitdefender to improve the efficiency of the Antimalware and Network Protection modules.

    If this option is disabled, you may experience the following:

    • A large number of false positive/negative detections

    • Delays in detecting zero-day attacks

    • Hybrid Scan engines efficiency significantly reduced

    • Web Traffic filtering negatively affected

    • Other modules relying on Antimalware are also affected

    Note

    If you are using Hybrid Scan engines, you must switch to local scan engines, or have them configured as fallback, before disabling this option.

  • Allow endpoints to send user login data to GravityZone

    For each login event, the endpoint sends the user name, login time and login method to GravityZone. The information is displayed in the Network grid, the endpoint details page and the Network Protection Status report.

    Note

    Disabling this option will not remove the information from existing Network Protection Status reports, but will prevent the information from being displayed in Control Center.

  • Submit HVI memory violations to Bitdefender

    By default, HVI sends anonymized information regarding detected violations to Bitdefender Cloud Servers, to be used in statistics and to improve product detection rates. You can clear this check box if you do not want to submit such information from your network.

    Note

    The HVI module may be available for your GravityZone solution with a separate license key.

Communication

In this section, you can assign one or several relay machines to the target endpoints, then configure the proxy preferences for the communication between the target endpoints and GravityZone.

Update

Updates are very important as they allow countering the latest threats. Bitdefender publishes all product and security content updates through the Bitdefender servers on the Internet. All updates are encrypted and digitally signed so that they cannot be tampered with.

Example 5. Update process flow

  1. When a new update is available, the Bitdefender security agent checks the digital signature of the update for authenticity, and the contents of the package for integrity.

  2. Next, each update file is parsed and its version is checked against the installed one.

  3. Newer files are downloaded locally and checked against their MD5 hash to make sure they are not altered.
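The three steps of Example 5 carried out on constructed sample input, as an added Go illustration that is not Bitdefender's code: a manifest listing file versions and MD5 hashes is signed by the publisher, and the agent side refuses the whole update on a bad signature, skips files that are not newer than the installed ones, and rejects any downloaded file whose MD5 differs from the signed value. Ed25519 for the signature and the JSON manifest layout are assumptions; the page states MD5 but names no signature algorithm.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// UpdateFile describes one file in the update: its version and the MD5 of its contents (step 3 of the flow).
type UpdateFile struct {
	Name    string `json:"name"`
	Version int    `json:"version"`
	MD5     string `json:"md5"`
}

// Package is a constructed stand-in for an update: the signed manifest plus the file contents offered for download.
type Package struct {
	Manifest  []byte // JSON array of UpdateFile, the bytes the signature covers
	Signature []byte
	Contents  map[string][]byte
}

var ErrBadSignature = errors.New("manifest signature invalid: update rejected")
var ErrBadHash = errors.New("downloaded file does not match its MD5: update rejected")

// BuildPackage is the publisher side, used here only to construct sample input: hash every file, sign the
// manifest with a fresh key (Ed25519 is assumed; the page names no algorithm) and hand back the public key.
func BuildPackage(files map[string][]byte, versions map[string]int) (Package, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var list []UpdateFile
	for name, data := range files {
		sum := md5.Sum(data)
		list = append(list, UpdateFile{Name: name, Version: versions[name], MD5: hex.EncodeToString(sum[:])})
	}
	mj, _ := json.Marshal(list)
	return Package{Manifest: mj, Signature: ed25519.Sign(priv, mj), Contents: files}, pub
}

// ApplyUpdate is the agent side of the flow: verify the signature, parse the manifest, compare versions,
// then download and hash-check only the newer files. It returns the names of the files accepted for install.
func ApplyUpdate(pub ed25519.PublicKey, pkg Package, installed map[string]int) ([]string, error) {
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) { // step 1: authenticity before trusting the contents
		return nil, ErrBadSignature
	}
	var list []UpdateFile
	if err := json.Unmarshal(pkg.Manifest, &list); err != nil {
		return nil, err
	}
	var accepted []string
	for _, f := range list {
		if f.Version <= installed[f.Name] { // step 2: skip files that are not newer than the installed ones
			continue
		}
		sum := md5.Sum(pkg.Contents[f.Name]) // step 3: integrity of each downloaded file against the signed MD5
		if hex.EncodeToString(sum[:]) != f.MD5 {
			return nil, ErrBadHash
		}
		accepted = append(accepted, f.Name)
	}
	return accepted, nil
}

func main() {
	files := map[string][]byte{"engine.dll": []byte("engine v3"), "sigs.db": []byte("sigs v7")}
	pkg, pub := BuildPackage(files, map[string]int{"engine.dll": 3, "sigs.db": 7})
	fmt.Println(ApplyUpdate(pub, pkg, map[string]int{"engine.dll": 3, "sigs.db": 6})) // [sigs.db] <nil>
	pkg.Contents["sigs.db"] = []byte("tampered") // an altered download fails the MD5 check
	fmt.Println(ApplyUpdate(pub, pkg, map[string]int{"engine.dll": 3}))
}
```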



In this section you can configure the Bitdefender security agent and security content update settings.

Product Update

Bitdefender security agent automatically checks for, downloads and installs updates every hour (default setting).

Automatic updates are performed silently in the background.

  • Recurrence - To change the automatic update recurrence, choose a different option from the menu and configure it according to your needs in the subsequent fields.

  • Postpone reboot - Some updates require a system restart to install and work properly. By default, the product will keep working with the old files until the computer is restarted, after which it will apply the latest updates.

    A notification in the user interface will prompt the user to restart the system whenever an update requires it.

    It is recommended to leave this option enabled; otherwise, the system will automatically reboot after installing an update that requires it.

    Users will be notified to save their work, but the reboot cannot be canceled.

    • If you choose to postpone reboot, you can set a convenient time when computers will reboot automatically if (still) needed. This can be very useful for servers.

      • Select If needed, reboot after installing updates and specify when it is convenient to reboot (daily or weekly on a certain day, at a certain time of day).

    • For more control over configuration changes and the staging process, you can have the BEST agent on your Linux machines deliver EDR kernel module updates through Product Update.

      When the Product Update check box is enabled:

      • If you enable the Update Linux EDR modules using product update check box, GravityZone updates the Linux EDR kernel modules via Product Update.

      • If you leave this option disabled, the kernel versions will be updated via Security Content Update.

      • If you enable the Update Linux EDR modules using product update check box but disable the Product Update option, the Linux EDR modules will not be updated.

Security Content Update

Security content refers to static and dynamic means of detecting threats, such as, but not limited to, scan engines, machine learning models, heuristics, rules, signatures, and blacklists.

Bitdefender security agent automatically checks for security content update every hour (default setting). Automatic updates are performed silently in the background.

To change the automatic update recurrence, choose a different option from the menu and configure it according to your needs in the subsequent fields.

Update Locations

Bitdefender security agent’s default update location is the local GravityZone update server.

  1. Add an update location either by choosing the predefined locations from the drop-down menu or by entering the IP or hostname of one or several update servers in your network.

  2. Configure their priority using the up and down buttons displayed on mouse-over.

    Note

    If the first update location is unavailable, the next one is used.

  3. To set a local update address, enter the address of the update server in the Add location field.

    You can:

    • Choose a predefined location:

      • Relay Servers - The endpoint will automatically connect to its assigned Relay Server.

        Warning

        Relay Servers are not supported on legacy operating systems.

        Note

        You can check the assigned Relay Server in the Information window. For more details refer to Viewing Computer Details.

      • Local Update Server - Enter the IP or hostname of one or several update servers in your network.

        Use one of these syntaxes:

        • update_server_ip:port

        • update_server_name:port

        The default port is 7074.

        The Use Bitdefender Servers as fallback location check box is selected by default. If the update locations are unavailable, the fallback location will be used.

    Warning

    Disabling the fallback location will stop automatic updates, leaving your network vulnerable when the provided locations are unavailable.

  4. If client computers connect to the local update server through a proxy server, select Use Proxy.

  5. Click the add_inline.png Add button.

  6. Use the Up / Down arrows in the Action column to set the priority of the defined update locations.

    Note

    If the first update location is not available, the next one is taken into account.

  7. To remove a location from the list, click the corresponding Delete button. Although you can remove the default update location, this is not recommended.
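The update location handling described above, as an added Go illustration (not GravityZone's code): entries are parsed from the documented update_server_ip:port / update_server_name:port syntaxes with 7074 as the default port, tried in priority order, and the Bitdefender servers are used only when the fallback check box is enabled; with it disabled and every location down, no source is returned, which is the "automatic updates stop" case the warning describes. The reachability probe is a stand-in function and the host names are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// DefaultUpdatePort is the default port the page gives for local update servers.
const DefaultUpdatePort = 7074

// UpdateLocation is one entry of the policy's update location list.
type UpdateLocation struct {
	Host string
	Port int
}

func (l UpdateLocation) String() string { return net.JoinHostPort(l.Host, strconv.Itoa(l.Port)) }

// ParseUpdateLocation accepts the documented syntaxes update_server_ip:port and update_server_name:port;
// an entry without a port gets the default.
func ParseUpdateLocation(s string) (UpdateLocation, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return UpdateLocation{}, errors.New("empty update location")
	}
	host, portStr, err := net.SplitHostPort(s)
	if err != nil { // no port given (or a bare IPv6 address): use the default port
		return UpdateLocation{Host: strings.Trim(s, "[]"), Port: DefaultUpdatePort}, nil
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return UpdateLocation{}, fmt.Errorf("invalid port in update location %q", s)
	}
	return UpdateLocation{Host: host, Port: port}, nil
}

var ErrNoUpdateSource = errors.New("no update location reachable and Bitdefender fallback disabled: automatic updates stop")

// SelectUpdateSource walks the locations in priority order and returns the first one the reachability probe
// accepts. When none answers, the Bitdefender servers are used only if the fallback check box is enabled.
func SelectUpdateSource(locs []UpdateLocation, useFallback bool, reachable func(UpdateLocation) bool) (string, error) {
	for _, l := range locs {
		if reachable(l) {
			return l.String(), nil
		}
	}
	if useFallback {
		return "bitdefender-servers", nil // placeholder name for the vendor's Internet update servers
	}
	return "", ErrNoUpdateSource
}

func main() {
	var locs []UpdateLocation
	for _, s := range []string{"10.0.0.5", "relay.corp.local:8080"} { // constructed entries
		l, err := ParseUpdateLocation(s)
		if err != nil {
			panic(err)
		}
		locs = append(locs, l)
	}
	// Simulated probe: only the second location answers, so priority order falls through to it.
	onlyRelay := func(l UpdateLocation) bool { return l.Host == "relay.corp.local" }
	fmt.Println(SelectUpdateSource(locs, true, onlyRelay))                                       // relay.corp.local:8080 <nil>
	fmt.Println(SelectUpdateSource(locs, false, func(UpdateLocation) bool { return false })) // "" plus error
}
```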

Update Ring

You can roll out product updates in phases, using update rings:

  • Slow Ring. The machines with a slow ring policy will receive updates at a later date, depending on the response received from the fast ring endpoints. It is a precautionary measure in the update process. This is the default setting.

  • Fast Ring. The machines with a fast ring policy will receive the newest available updates. This setting is recommended for the non-critical machines in production.

Important

In the unlikely event that an issue occurs on the fast ring on machines with a particular configuration, it will be fixed before the slow ring update.

BEST for Windows Legacy does not support staging. The legacy endpoints on staging location must be moved to the production location.

Note

For details on how the update rings selection affects staging, refer to the Update GravityZone > Staging chapter from the GravityZone Installation Guide.

Security Telemetry

Important

This feature requires an EDR license and is available only for Windows endpoints.

With Security Telemetry, you have access to underlying data related to security events, so that you can build custom correlations.


To ensure optimal performance and data footprint, the agents send only events relevant for the security of your network.

Such events refer to:

  • Processes: create, terminate

  • Files: create, read, modify, move, delete

  • Registry: create and delete keys, modify and delete value

  • User access: login

  • Network connection

The security agent sends this information in a standard industry format (JSON, CEF), directly to the SIEM solution (Splunk).

To send security events from the target endpoints to the SIEM solution, configure the policy as follows:

  1. Select the Security Telemetry check box to enable the feature.

  2. Select the SIEM solution you are going to connect to.

  3. Provide the URL of the SIEM server.

    Warning

    HTTPS protocol with TLS 1.2 or higher is required. Otherwise event submission will fail.

  4. Select Bypass collector CA validation in Control Center if a security certificate validation error occurs but you still want to use the SIEM server despite it.

    Such an error occurs if GravityZone cannot validate the SSL certificate of the HTTP collector against a Certificate Authority or the server's DNS name, for example when your HTTP collector uses a self-signed certificate.

  5. Enter the authorization token that secures the connection.

  6. Select the types of events you want to send from the endpoint to the SIEM.

    By default, all types of events are sent, except registry key creation.

  7. Under the Communication between endpoints and SIEM, choose whether to use a proxy server.

    For communication with the SIEM, the agent uses the same proxy server as for communication with GravityZone.

    You can check its settings in the General > Settings section.

Once the policy is applied on endpoints, the agent starts sending events as they occur to the configured SIEM server.
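The client-side requirements of this procedure (HTTPS with TLS 1.2 or higher, the CA-validation bypass for a self-signed collector certificate, an authorization token, and the default event selection that excludes registry key creation) as an added Go illustration, not the Bitdefender agent's code. The event JSON layout, the event type names and the Bearer header for the token are assumptions; the main function talks to a self-signed test collector started locally, which is exactly the case in which the bypass option is needed.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TelemetryEvent is a constructed stand-in for one endpoint event; the agent's real JSON/CEF schema is not on this page.
type TelemetryEvent struct {
	Type string `json:"type"`
	Host string `json:"host"`
}

// AllEventTypes covers the event categories the page lists (the type names themselves are constructed).
var AllEventTypes = []string{"process.create", "process.terminate", "file.create", "file.read",
	"file.modify", "file.move", "file.delete", "registry.key.create", "registry.key.delete",
	"registry.value.modify", "registry.value.delete", "user.login", "network.connection"}

// DefaultEventTypes mirrors the policy default: every type is sent except registry key creation.
func DefaultEventTypes() map[string]bool {
	sel := make(map[string]bool, len(AllEventTypes))
	for _, t := range AllEventTypes {
		sel[t] = t != "registry.key.create"
	}
	return sel
}

// CollectorTLSConfig: TLS 1.2 is the floor the page requires; certificate validation is skipped only when
// the "Bypass collector CA validation" option is set (needed, for example, for a self-signed collector cert).
func CollectorTLSConfig(bypassCA bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: bypassCA}
}

func NewCollectorClient(bypassCA bool) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: CollectorTLSConfig(bypassCA)}}
}

// SendEvent drops types not selected in the policy and posts the rest as JSON; it reports whether it was sent.
// Carrying the token in a Bearer header is an assumption; the page only says a token secures the connection.
func SendEvent(c *http.Client, url, token string, ev TelemetryEvent, selected map[string]bool) (bool, error) {
	if !selected[ev.Type] {
		return false, nil
	}
	if !strings.HasPrefix(url, "https://") {
		return false, fmt.Errorf("collector URL must use HTTPS, got %q", url)
	}
	body, _ := json.Marshal(ev)
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return false, err
	}
	resp.Body.Close()
	return resp.StatusCode == http.StatusOK, nil
}

func main() {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})) // self-signed stand-in for the SIEM collector
	defer srv.Close()
	ev := TelemetryEvent{Type: "process.create", Host: "ws01"}
	_, err := SendEvent(NewCollectorClient(false), srv.URL, "secret-token", ev, DefaultEventTypes())
	fmt.Println("strict client:", err) // certificate error: the self-signed cert fails CA validation
	sent, err := SendEvent(NewCollectorClient(true), srv.URL, "secret-token", ev, DefaultEventTypes())
	fmt.Println("bypass client:", sent, err) // true <nil>
}
```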