Release date: 2019-11-05

These changes require the following minimum product versions:

• BEST: 6.6.14.198
• Security Server Multi-Platform: 6.1.73.9218

New Features

Network Attack Defense

A brand-new powerful technology focused on detecting network attack techniques designed to gain access on specific endpoints, such as brute-force attacks, network exploits, password stealers.

The Network Attack Defense settings are available under the new Network Protection policy section. A specific notification informs you about incidents in your network, while the Network Incidents report will provide more insight about these detections.

Note: To use the Network Attack Defense module, you need to install it on endpoints. For existing installations, run a Reconfigure Client task with Network Attack Defense selected. For new deployments, edit the installation package to include this module.

Sandbox Analyzer On-Premises

Your own Sandbox Analyzer from Bitdefender is here! Born from the Cloud-based version, the new Sandbox Analyzer On-Premises is delivered as a virtual appliance deployable on an ESXi hypervisor. The built-in installer allows easy deployment and configuration while the integration with GravityZone console provides a single interface for management.

The Sandbox Analyzer on-Premises release is packed with the following features and capabilities:

• Virtual appliance packaging with built-in graphical installer
• Out-of-the-box integration with GravityZone console for management, configuration and deployment.
• Support for custom detonation environments (golden images).
• Integration with specific sensors (Endpoint Sensor, Network Sensor and ICAP Sensor) capable of automatic submission of suspicious samples from file system, network streams and ICAP traffic.
• Support for three detonation profiles (Low, Medium and High), that allow balance between analysis throughput in the sandbox environment with the aggressiveness of the analysis executed for each sample. Detonation profiles are available for automatic submission via sensors, manual submission and submission via API.
• Ability to resubmit samples from the reporting interface.
• Detailed detonation reports containing information about malware classification, behavior analysis or timeline view.
• REST-based API for integration with 3rd party security solutions.

For more details, please visit the Sandbox Analyzer section on www.bitdefender.com.

Remote Troubleshooting

The endpoint information page includes a new Troubleshooting tab, from where you can collect basic and advanced logs remotely. You can start a debug session, so that GravityZone collects the logs while the issue is reproducing. This will help our technical support specialists to perform an in-depth analysis of the issue and provide a resolution faster.

You can save the collected data on a network share, on the target endpoint or on both.

Localization

From now on we speak Chinese!

妈妈说：“今天能完成的事，不要留到明天。”

儿子回答：“好吧，把全蛋糕给我，我今天都吃光了吧。”

Seriously now, you can switch the GravityZone interface to Simplified Chinese, if you please.

System Status

Control Center now includes the System Status section, which displays real-time status information for the main metrics of your GravityZone environment.

Improvements

Security

We have added the option to create a VPN cluster for a more secure communication between the services on the GravityZone appliances. You can enable this option from the GravityZone appliance menu.

Deployment

• Integrating new modules to deployed agents is like playing with modeling clay. We have made the reconfiguring process more flexible.
• You can choose to install Bitdefender security agents without removing the security software from other vendors. This means zero protection gap and faster deployment. Just remember, you’re doing this at your own risk. Some security solutions may affect the Bitdefender installation. Once you are protected by Bitdefender, you can manually remove any previously installed security solution.

Network Inventory

Goodbye to unused virtual machines from your network inventory. The Configuration page offers you the option to schedule automatic cleanup tasks.

Policies

• The new Antimalware > On-Execute section covers Advanced Threat Control and Fileless Attack Protection.
• Network Protection, another new policy section, exposes the new Network Attack Defense technology and shields the Content Control features.
• Content Control went through a big transformation as well:
  • The old Traffic, Web, Data Protection, and Applications sections have been re-organized into new General, Content Control, and Web Protection sections.
  • The new Network Attacks section exposes the Network Attack Defense technology and its settings.
  • The new Global Exclusions option, in the General section, replaces the previous separated Traffic Scan and Antiphishing exclusions. During update, the existing policies will be automatically migrated to the new global exclusions.
• Network Protection replaces the previous Content Control module in the Inheritance Rules settings.
• The GravityZone reports keep tracking the Content Control features, but also include information on Network Attack Defense.
• Location-based policies are now aware of the hostname too. You can to define assignment rules based on endpoint’s hostname.

Advanced Anti-Exploit

• Three new detection techniques are available: VBScript Generic, Shellcode EAF (Export Address Filtering), and Emerging Exploits. These detections will be present from now on in the Security Audit and Blocked Applications reports.
• User Activity now includes logs related to Advanced Anti-Exploit.

Patch Management

Added the option to limit reboot postpones at maximum 48 hours from new patches installation. When the set amount of time expires, endpoints will automatically reboot. Endpoint users will receive a notification regarding this action.

You can find this new option in the policy, under the Notifications > Endpoint Restart Notification modular settings.

Sandbox Analyzer Cloud

• Results from detonation analysis are available with new information-rich reports in HTML format. These reports contain details such as: malware classification, process-level view, network activity, timeline view, registry keys and mutex objects accessed, file systems modifications, IOC attributes.
• The Filters area is expanded by default, so it is easier for you to discover all the options available with the submission cards.
• Under the Submission Type filtering category, the Automatic option has been renamed to Endpoint Sensor.

Note: These features are available for Sandbox Analyzer On-Premises too.

HVI

• New User Space policy option for preventing malicious DLL files from being loaded inside a protected process. This option is enabled by default on all monitoring modes (Aggressive, Normal, and Permissive).
• Modified the defaults for protected User Space processes as follows:
  • Added the thunderbird*, Firefox*, chromium* and MicrosoftEdge* processes to Browsers.
  • Added the Explorer process to Operating System.
  • Added the Apache and apache2 processes to Web Services.
  • Removed the Safari process from Browsers.
• HVI Activity report now includes the source and destination IP addresses and TCP ports for active network connections related to the incident.

  For this purpose, enable the option Network connections details in the HVI User Space policy settings.

• Added the following details about HVI events in the Security Audit report: attack source and target, and action status.
• The Detected Memory Violation email notification now groups identical incidents detected within an hour.

  Note: Incidents are considered identical if they share the same attack source, target, violation type, and action taken.

• Virtual machines that require reboot after a remediation action have a specific icon in the Network Inventory.
• More information available in the Security Server details:
  • The HVI Prerequisites section displays the Bitdefender Supplemental Pack version and the Citrix Hypervisor version and licensing status.
  • The Product section displays a warning when the Knowledge Base is outdated.

Notifications

• Added Blocked Devices notification that alerts you whenever a blocked device connects to the endpoint. This notification is configurable from Notification Settings.
• The Antimalware notification is now triggered during the scan, each time a malware event is detected.

Reports

The Endpoint Modules Status report now includes information on Sandbox Analyzer and HyperDetect.

Integrations

Added compatibility with NSX-T 2.5, which includes agentless antimalware scanning for Linux virtual machines.

Public API

• All GravityZone reports are now available via API as well.
• We have made some improvements here and there:
  • createReconfigureClientTask entered the Network API
  • getManagedEndpointDetails returns all installed modules on a managed endpoint
  • getInstallationLinks returns the installation links for a package
  • getQuarantineItemsList has new filtering options.
• Sandbox Analyzer On-Premises provides various API methods for monitoring detonation infrastructure, managing sample submission and downloading analysis reports. For details, refer to the GravityZone API Guide (On-Premises).

Resolved Issues

Policies

Disabling the Endpoint Issues Visibility option in the Notifications policy section does not disable sub-features as well.

Automatic Update

Automatic product updates failed to start when configuring certain time zones and intervals.

Network

The Mobile Devices view failed to display the Active Directory inventory when creating an integration with the option Sync to Custom Groups enabled.