What’s New in GravityZone April 2025 (v 6.61)

Grzegorz Nocoń

May 07, 2025

Bitdefender recently rolled out new functionality in Bitdefender GravityZone, a comprehensive cybersecurity platform that provides prevention, protection, detection, and response capabilities for organizations of all sizes. The new features, consistent with our multi-layered security strategy, ease the workload of security analysts, administrators, and users.  

What’s New for Security Analysts

In a dynamic cybersecurity landscape, security analysts are responsible for uncovering any signs of potentially sophisticated attacks and for making the invisible visible. This section describes new functionality designed to elevate the capabilities of analysts, offering enhanced tools for threat detection, investigation, and response.

AD Sensor Enhancements 

Sensors in Bitdefender GravityZone actively monitor your IT infrastructure – devices, networks, cloud, identities, and productivity applications – for potential threats, including ransomware attacks. This gives you complete visibility into your network activity, empowering you to stop attacks before they cause damage. 

With the latest update, we've simplified the deployment of the AD Sensor. You can now install it as an add-on to the BEST agent not only on servers with the Domain Controller (DC) role, but also on servers that hold only the Certificate Authority (CA) role. This flexible deployment option streamlines the setup and configuration of your on-premises AD Sensor and enhances monitoring and detection capabilities across hybrid AD environments. When the CA is part of a domain and the AD Sensor is installed, suspicious certificate request events can be detected and forwarded to the correlation engine.

API Enhancements 

Bitdefender Control Center APIs enable developers to automate business workflows. These APIs are exposed via the JSON-RPC 2.0 protocol; usage examples and documentation are available in our Support Center, here.

With the latest release, you have four additional API calls. The UpdateAccount API modifies the user's "Authentication Method" setting. The getNetworkInventoryItems API provides company and endpoint risk scores from Risk Management. With getMissingPatches and getInstalledPatches you can easily retrieve information about missing and installed patches.

To enhance threat hunting capabilities, the Live Search API allows you to retrieve real-time information from active endpoints. Endpoints execute the Live Search task and upload results to an S3 bucket that you specify in the API request. Live Search enables you to identify misconfigurations and software vulnerabilities, and check system compliance with regulations and standards, enabling your organization to remain vigilant in detecting and responding to emerging threats. 

To learn more about the Public API, see our Bitdefender Support Center, here. 
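The JSON-RPC 2.0 envelope the Control Center APIs use, as an added Python example that is not part of the original post or of Bitdefender's own client code: it builds a request with a unique id, attaches HTTP Basic credentials, and validates the response (protocol version, matching `id`, `error` object) before trusting the `result`. The base URL, the `network` service name, the Basic-auth scheme with the API key as user name, the empty `params`, and the fake response body are assumptions or constructed placeholders; the real method parameters and response schema come from the Support Center documentation.

```python
import base64
import json
import urllib.request
import uuid

# Assumed base URL layout; check the Support Center documentation for your console.
API_BASE = "https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc"


class JsonRpcError(Exception):
    """Raised when the response is malformed, answers a different request, or carries an error object."""


def build_request(method, params, request_id=None):
    """Build a JSON-RPC 2.0 request envelope with a unique id so the reply can be matched to it."""
    return {
        "jsonrpc": "2.0",
        "method": method,
        "params": params,
        "id": request_id if request_id is not None else str(uuid.uuid4()),
    }


def auth_header(api_key):
    """HTTP Basic header with the API key as user name and an empty password (assumed scheme)."""
    token = base64.b64encode(f"{api_key}:".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def parse_response(request, raw_body):
    """Validate a JSON-RPC 2.0 response against the request it should answer and return its result."""
    body = json.loads(raw_body)
    if body.get("jsonrpc") != "2.0":
        raise JsonRpcError("not a JSON-RPC 2.0 response")
    if body.get("id") != request["id"]:
        raise JsonRpcError("response id does not match the request id")
    if "error" in body:
        err = body["error"] or {}
        raise JsonRpcError(f"server error {err.get('code')}: {err.get('message')}")
    if "result" not in body:
        raise JsonRpcError("response carries neither result nor error")
    return body["result"]


def call(service, request, api_key, transport=None):
    """POST the envelope to <API_BASE>/<service>; `transport` is injectable so the example runs offline."""
    url = f"{API_BASE}/{service}"
    headers = auth_header(api_key)
    payload = json.dumps(request).encode("utf-8")
    if transport is None:
        http_req = urllib.request.Request(url, data=payload, headers=headers, method="POST")
        with urllib.request.urlopen(http_req, timeout=30) as resp:
            raw = resp.read().decode("utf-8")
    else:
        raw = transport(url, headers, payload)
    return parse_response(request, raw)


def fake_transport(url, headers, payload):
    """Constructed stand-in for the HTTP layer; the result fields are placeholders, not the real schema."""
    request = json.loads(payload)
    if request["method"] == "getMissingPatches":
        result = {"total": 1, "items": [{"patch": "PATCH-ID-PLACEHOLDER", "severity": "Critical"}]}
        return json.dumps({"jsonrpc": "2.0", "id": request["id"], "result": result})
    # Standard JSON-RPC 2.0 "method not found" error for anything else.
    return json.dumps({"jsonrpc": "2.0", "id": request["id"],
                       "error": {"code": -32601, "message": "Method not found"}})


def demo():
    """Retrieve missing patches via the fake transport; params are left empty here (see the docs for the real ones)."""
    request = build_request("getMissingPatches", {}, request_id="req-1")
    # "network" as the service name is an assumption for this illustration.
    return call("network", request, "API-KEY-PLACEHOLDER", transport=fake_transport)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Checking the response `id` against the request `id` matters when calls are issued concurrently or retried: a stale or replayed reply must not be accepted as the answer to a different request, and an `error` object is surfaced as an exception rather than silently yielding an empty result.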

What’s New for Administrators 

With administrators constantly juggling numerous tasks and responsibilities, tools designed to make their daily tasks easier are highly appreciated. This section describes new functionality designed to facilitate the management of features responsible for prevention, protection, and detection in a defense-in-depth security architecture. 

Proactive Hardening and Attack Surface Reduction (PHASR)  

Attackers exploit compromised credentials and unmanaged devices to 'log in,' then use playbooks leveraging 'Living off the Land' (LOTL) tools to blend malicious actions with normal system operations. This highlights the need for security systems that can dynamically adapt beyond static, manually updated rules. 

Bitdefender recently announced the global release of GravityZone PHASR (Proactive Hardening and Attack Surface Reduction), which dynamically hardens endpoints by analyzing user and application behavior, building behavioral profiles, and comparing them against known threat actor playbooks to prevent malicious activities.

Bitdefender GravityZone PHASR Dashboard 

GravityZone PHASR monitors processes within five defined activity types:  

  • Living off the Land Binaries – tools, such as PowerShell.exe, WMIC.exe, and Ftp.exe, are pre-installed within an operating system for administrative and operational purposes. Attackers abuse them to perform malicious activities and blend them with normal system activity.
  • Tampering Tools – tools, such as procexp.exe, vmmap.exe, and LiveKd.exe, are utilities used to modify software applications. They are leveraged for bypassing security controls.
  • Piracy Tools – software piracy tools, such as keygens and cracks, used to bypass software licensing and activation.
  • Miners – tools such as PhoenixMiner, XMRig, and CCMiner, use a computer's processing power to generate cryptocurrency. They are abused for cryptojacking through unauthorized installation on the victim's system.
  • Remote Admin Tools – often used for legitimate systems management, these tools enable remote access and control of computer systems. Attackers use them to gain unauthorized access and deploy malware. 

PHASR provides granular blocking strategies, including standard application blocking, which restricts entire applications such as Process Explorer and CCMiner, and action-level blocking, which targets specific malicious behaviors within an application, such as using PowerShell for downloads. This significantly reduces your attack surface and minimizes the risk of successful LOTL attacks.

PHASR operates in two modes: Autopilot for automated policy enforcement, or Direct Control for manual review, letting you tailor the level of protection. For precise control, you can fine-tune over 300 of PHASR's monitored rules directly within GravityZone, adapting PHASR to your specific environment and security requirements.

Bitdefender GravityZone PHASR Recommendations 

PHASR utilizes a continuous learning cycle, analyzing user actions, adapting to new user behaviors and modifying existing monitored rules – or providing you with new recommendations. For detailed information about GravityZone PHASR, read Introducing Proactive Hardening and Attack Surface Reduction.

Kernel-API Monitoring 

Advanced Threat Control (ATC) actively monitors process behavior in real time to distinguish malicious from benign activity. It employs over 300 heuristics and machine learning models to analyze process actions and API calls, identifying threats like credential theft, process injection, persistence attempts, and ransomware. 

With the latest release, ATC enhanced by Kernel-API Monitoring enables advanced kernel-level monitoring for detecting system integrity exploitation attempts. It can, for example, detect malicious attempts to manipulate kernel APIs for privilege escalation, such as unauthorized modifications to process tokens. This often indicates an attacker's effort to gain elevated system privileges. This module updates automatically, ensuring continuous protection without requiring any administrative actions. The module is disabled by default, and we recommend testing it in a controlled environment first to verify its impact and compatibility with your system. 

GravityZone Network Section 

The new Network section, introduced in the August 2024 edition of our EAP program, has evolved over the past few months to reach its final state. With the latest update release, the new Network section replaces the existing one in the GravityZone cloud console, providing an improved interface and functionality for enhanced network management. 

Two Network settings from the GravityZone configuration section, "save network inventory filters" and "remember last browsed location in network inventory until I log out", are no longer necessary. Instead, GravityZone automatically keeps your grid, filters, sorting, and tree view as you navigate through other sections and between login sessions, resulting in a more streamlined and intuitive navigation experience.

GravityZone Network 

In this update, the Suspend/Resume endpoint protection actions, which manage endpoint security, are now also available for Linux BEST endpoints. Furthermore, the Network section now offers a Guided Tour that leads you through the most important parts of the Network section and is shown the first time you open each of them. You can now also verify the applied policy on folders, making it easier to view and organize your network environment. An inline action menu enables quick actions on selected entities.

The Network section also allows you to create companies and groups, as well as rename, move, or delete entities. Smart views offer a flat, centralized list of predefined and customizable profiles with advanced filtering and sorting options. Clipboard integration allows you to copy entity details directly to the clipboard, streamlining administrative tasks and external reporting. The section also provides flexible layout and filtering, with full column customization (allowing you to show/hide, reorder, and resize columns) to suit your needs. 

Enhanced AWS integration now allows you to perform assigned actions directly on all discovered EC2 instances within the Network section, further expanding the management capabilities of this feature. 

Blocklist Enhancements 

The Blocklist feature allows you to manage and control access to files via hash and path, and to block network connections identified as potential threats during incident investigations. 

With the latest release, the blocklist has been extended to include the following file types: .exe, .bat, .cmd, .js, .vbs, .ps1, .jar, .scr, .dll, .hta, .reg, .lnk, .msi, .cpl, .com, .pif, and .tmp. The Application Hash rule now supports DLL files for Windows, .dylib files for macOS, and .so files for Linux. Script files are supported on Windows, Linux, and macOS platforms.

For more granular control, blocklist rules defined in GravityZone at the company level can now be enabled or disabled within the policy assigned to endpoints.

Policy Configuration Redesign 

With the latest release, we continue a series of updates aimed at redesigning the GravityZone policies section and implementing a user interface based on Web Components. This update introduces a redesigned policy configuration side menu, featuring module grouping under General and Policy Monitoring sections. 

The new Search section allows you to quickly find settings by name across all modules within the policy configuration. Side menu statuses now clearly display the actual status of modules, including information about enabled/disabled configurations and error statuses. 

For ease of use, you'll find we now offer a Clone button directly in the read-only policy. This is an easier way to clone policies that cannot be modified such as default policies and those created by other administrators that must remain unmodifiable. Up until now, this could be done only from the Policies Grid. 

For improved visibility and usability: 

  • The Inheritance Rules Configuration has been moved from the General -> Details section to its own dedicated page, accessible under the Policy section.
  • For more intuitive navigation, we've split the General module into "Policy" and "Agent" modules and brought the "Relay" module next to them. Existing inheritance rules have been updated, so you won't need to take any action to accommodate these changes.
  • All sections within policy configuration, such as Antimalware and Sandbox Analyzer, have been redesigned.
  • Antimalware Exclusions have moved from the Antimalware -> Settings section to their own Antimalware -> Exclusions section. Existing inheritance rules have been updated, so you won't need to take any action to accommodate these changes.

Custom Detection Rule Enhancements for MSP 

Custom detection rules allow you to define custom Indicators of Compromise (IoCs) to identify specific behaviors within your environment and trigger automatic actions. These rules enable actions such as antimalware and risk scanning, host isolation, and investigation package collection. 

With the latest release, the MSP partners will have the ability to assign custom detection rules to multiple companies, streamlining threat response and management across their client base. 

Security Server Enhancements 

The Security Server is used as a caching mechanism to deduplicate antimalware scanning, optimizing this process for Bitdefender GravityZone cloud deployments.

With the latest release, you can also configure Security Server Password Expiration Settings. The expiration period is now configurable, ranging from the default 90 days up to a maximum of 365 days. 

Incident Section Enhancements 

The Incident section displays all suspicious incidents detected at the endpoint level (EDR) and consolidated incidents and detections from sensors for XDR subscriptions.  

We also added the ability to export the incidents grid as a CSV file, a feature highly requested by our users.

Notification Enhancements 

Control Center notifies you of your environment's security status based on network events. With the latest update, the 'New Incident Notification' has been renamed to 'Incident Activity.' By default, when you receive a notification for a new incident, subsequent updates within the next hour will enter a throttling period, and only the latest update will be sent. You can also configure to receive all incident updates. 
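The throttling rule described above, as an added Python example that is not part of the original post or of GravityZone's own notification code: the first notification for an incident goes out immediately, further updates arriving within a one-hour window are coalesced so that only the latest one is released when the window closes, and a `send_all` switch mirrors the option to receive every update. Scoping the window per incident, the timestamps, and the incident summaries are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# One-hour throttling period, as described for the "Incident Activity" notification.
THROTTLE_WINDOW = timedelta(hours=1)


@dataclass(frozen=True)
class IncidentUpdate:
    incident_id: str
    at: datetime
    summary: str


class IncidentNotifier:
    """Per-incident throttle (per-incident scoping is an assumption of this example).

    The first update for an incident is sent at once and opens a window. Updates inside the
    window replace each other, so only the latest is released when the window elapses.
    send_all=True disables throttling and mirrors the option to receive all updates.
    """

    def __init__(self, send_all=False):
        self.send_all = send_all
        self.window_start = {}  # incident_id -> start of the current throttle window
        self.pending = {}       # incident_id -> latest coalesced update, not yet sent
        self.sent = []          # updates actually delivered, in delivery order

    def receive(self, update):
        """Handle one incoming incident update."""
        if self.send_all:
            self.sent.append(update)
            return
        start = self.window_start.get(update.incident_id)
        if start is None or update.at - start >= THROTTLE_WINDOW:
            # No open window (or it has elapsed): release anything still pending,
            # then send this update immediately and open a new window.
            self._flush(update.incident_id)
            self.window_start[update.incident_id] = update.at
            self.sent.append(update)
        else:
            # Inside the window: keep only the most recent update.
            self.pending[update.incident_id] = update

    def tick(self, now):
        """Periodic timer: release coalesced updates whose window has elapsed."""
        for incident_id, start in list(self.window_start.items()):
            if now - start >= THROTTLE_WINDOW:
                self._flush(incident_id)
                del self.window_start[incident_id]

    def _flush(self, incident_id):
        update = self.pending.pop(incident_id, None)
        if update is not None:
            self.sent.append(update)


def demo():
    """Constructed timeline: a new incident, two quick updates, then one after the window."""
    t0 = datetime(2025, 4, 1, 9, 0)
    updates = [
        IncidentUpdate("INC-1", t0, "new incident"),
        IncidentUpdate("INC-1", t0 + timedelta(minutes=10), "update 1"),
        IncidentUpdate("INC-1", t0 + timedelta(minutes=30), "update 2"),
        IncidentUpdate("INC-1", t0 + timedelta(minutes=70), "update 3"),
    ]
    throttled = IncidentNotifier()
    for update in updates[:3]:
        throttled.receive(update)
    throttled.tick(t0 + THROTTLE_WINDOW)  # window closes: only "update 2" is released
    throttled.receive(updates[3])         # outside the window: sent immediately

    unthrottled = IncidentNotifier(send_all=True)
    for update in updates:
        unthrottled.receive(update)

    return ([u.summary for u in throttled.sent], [u.summary for u in unthrottled.sent])


if __name__ == "__main__":
    throttled, unthrottled = demo()
    print("throttled:  ", throttled)
    print("unthrottled:", unthrottled)
```

The `tick` method stands in for whatever scheduler drives the real notification pipeline; without it, a coalesced update would only be released when the next update for the same incident arrives, which is the wrong behaviour for an incident that goes quiet.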

Dark Mode 

Dark mode is now available for GravityZone Control Center, offering an alternative interface that aligns with modern design preferences and allows for personalized customization.

Summary

The Bitdefender GravityZone platform stands out from the crowd, offering a one-stop solution for all your organization's security needs. As the digital landscape evolves, Bitdefender remains proactive, providing prevention, protection, detection, and response capabilities, ensuring the ongoing safety of organizations of all sizes worldwide.  

To learn more about the Bitdefender GravityZone platform, contact us or a Bitdefender partner for more information. You can also start a free trial by requesting a demo here.

Author


Grzegorz Nocoń

Grzegorz Nocon is a graduate of the Faculty of Physics at the University of Silesia. With over 16 years of experience in the IT industry, he currently works as a Technical Marketing Engineer at Bitdefender. A strong supporter of a holistic approach to security and passionate about solving security problems in a comprehensive and integrated way. Outside of work, an avid CrossFit enthusiast and a lover of fantasy literature.
