GravityZone is a business security solution built from ground-up for virtualization and cloud to deliver security services to physical endpoints, mobile devices, virtual machines in private, public cloud and Exchange mail servers.

This article provides information on the changes delivered with the Bitdefender GravityZone version 6.1.29-545, released on January 26th, 2017.

Note: These release notes refer to services that may not be present in your GravityZone solution, such as Security for Exchange.

• New Features and Improvements
• Known Issues
• Limitations

Important: Facing a world with an increasing number of more complex threats, Bitdefender continuously develops advanced and innovative technologies to fight them. Some of these technologies are no longer supported by legacy operating systems. That’s why, starting 30th of January 2017, Bitdefender is limiting protection to Antimalware and Advanced Threat Control for the following legacy Windows operating systems: Windows XP Windows Embedded POSReady 2009 Windows Embedded Standard 2009 Windows XP Embedded with Service Pack 2 Microsoft Windows XP Tablet PC Edition Windows Small Business Server (SBS) 2003 Windows Server 2003 R2 Windows Server 2003 with Service Pack 1 Windows Home Server

New Features and Improvements

Bitdefender and Citrix Join Forces to Root out Deep Threats from Your Infrastructure

In an unprecedented collaboration against targeted attacks, Bitdefender and Citrix put their collective expertize in virtualization and security on the table. The result is Bitdefender Hypervisor Memory Introspection (HVI) - a ground-breaking solution that detects suspicious activities by working directly with raw memory at hypervisor level – a level of insight from which malware cannot hide.

Bitdefender HVI protects virtual machines in datacenters against advanced and sophisticated threats that signature-based engines cannot defeat. HVI enforces strong isolation, ensuring real-time detection of attacks, blocking them as they happen and immediately removing the threats.

Whether the protected machine is a server or a workstation, HVI provides insight at a level that is impossible to achieve from within the guest operating system. By operating at the hypervisor level and leveraging the hypervisor functionalities, HVI overcomes technical challenges of traditional security to reveal malicious activity in datacenters.

By working alongside any endpoint protection (EPP) solution, it provides an unprecedented layer of defense for the most notorious Advanced Persistent Threats (APTs) hitting your organization.

Key Features

• Protects virtual machines running on XenServer 7 Enterprise Edition and above.
• Integrates with Citrix XenServer to import the virtual machines inventory.
• Fast and easy deployment.
• Easy management of the network inventory, using filters and visual elements to quickly identify machines that are protected or that have security issues.
• Security policies that allow you to configure memory protection on two levels:
  • User Space, addressing normal processes of the user applications and attacks, such as code injection, unpacked malicious code, exploits, function detouring.
  • Kernel Space, protecting processes reserved to the core of the operating system.
• Remediation actions to remove or isolate the detected threats.
• Dashboard portlet that contains an easy-to-read chart about HVI activity.
• Detailed report of the incidents detected in your network.
• Notifications to keep you alert when incidents are detected in your network.

HVI at a Glance

Licensing

• HVI protection is licensed separately. Please contact your partner for further commercial details.

Supported Operating Systems

• HVI is a able to protect Windows and Linux virtual machines.

Deployment

• The new Security Server version 6.1.57.4697 coming with this release is providing HVI protection functionality. To enable the introspection functionality, you need to deploy the Security Server and the HVI Supplemental Pack on each Citrix XenServer 7 Enterprise Edition host.

Security Policy

• HVI settings are available in the HVI policy section. You configure which settings to activate on critical VMs in your environment. Protection can be enabled for critical user mode processes and kernel mode structures.
• Policy settings provide the ability to intercept, block or only log attacks from tampering with the memory stack, injecting remediation tools if necessary.
• HVI protection settings can be applied on virtual machines on the fly.

Endpoints Filtering

• You have the option to filter virtual machines protected by HVI, or by HVI and Bitdefender Endpoint Security Tools.

Computer Details

• A newly redesigned window for computer details is able to show at a glance the protection status of your endpoint with all active and licensed modules.

Reports

• A new HVI Activity report that exposes the timeline of the incident, providing timestamp of the attack, global authority details, incident type, and attack source and destination. A corresponding portlet is available as well.
• Information about HVI protection is also present in the next existing reports: Blocked Applications, Endpoint Module Status, Security Audit, Update Status, Virtual Machines Network Protection Status, and Network Status.

Important: Virtual Machines Network Protection Status report has been redesigned to offer more comprehensive information. With this change, existing scheduled reports are no longer displayed in Control Center. Thus, you need to save backup copies of the generated instances and recreate the reports.

Notifications

• HVI sends notifications about its activity via GravityZone Control Center, email and Syslog.

GravityZone APIs

• GravityZone APIs contain information about virtual machines protected by HVI as well.

Known Issues

• Virtual machines deployed and assigned with an HVI policy while the Security Server is suspended do not become managed after resuming the Security Server. In this situation you need to restart the Security Server.
• Initializing HVI on a high amount of virtual machines on a host may lead to machines unresponsiveness up to one minute.
• Linux virtual machines without XenServer tools are displayed in Control Center as Windows OS.
• In some situations the Security Server Status report displays the accurate Power state of the appliance with a few minutes delay.
• Exporting the CSV file of the HVI Activity report with the maximum available reporting interval set might be unsuccessful. Bitdefender recommends lowering the report interval if such situations occur.
• Endpoint Module Status report displays the HVI module status as unavailable instead of disabled for machines where both Bitdefender Endpoint Security Tools and HVI are installed, but HVI is disabled in the policy.
• Protection of processes with names which contains special characters is not supported. HVI protection malfunctions in such cases.
• Some application categories are not localized in the HVI > User Space section of the policy.

Limitations

• To benefit of HVI protection, you have to deploy the Security Server remotely from the Network page of GravityZone Control Center. Do not install locally the Security Server package available in the Packages page.
• HVI is available on the latest Security Server package from the management console. You should redeploy existing Security Server on each Citrix XenServer host if HVI protection is desired.
• In GravityZone environments integrated with Active Directory, virtual machines joined in Active Directory and protected only by HVI appear unmanaged in Computers and Virtual Machines view of the Network page.
• HVI Prerequisites are available in the details window only from the Virtual Machines view of the Network page. The Computers and Virtual Machines view shows only when the Supplemental Pack is outdated.
• SSH sessions or remote desktop connections might time out when changing HVI settings, depending on the tools used. A reconnect is necessary to continue working on the remote machines.
• HVI installs only on standalone Security Server deployments. If you deploy the Security Server as a role of a GravityZone appliance, HVI will not be available.
• Machines protected by HVI become unresponsive for a couple of seconds if the Security Server is overloaded. To avoid such situations, Bitdefender recommends enabling the Overloaded Security Server notification and adding resources when the load is high.
• When forced to shut down, the Security Server does not have the time to update the status of the protected virtual machines and they are still displayed as managed. This situation is resolved as soon as the Security Server is online again.
• Windows Driver Verifier slows down virtual machines with HVI enabled. It is recommended to disable it when using HVI.