GravityZone Cloud Deployment Guide

This document provides an overview of Bitdefender GravityZone Ultra, which integrates endpoint protection, detection and response, and risk analytics capabilities into a single agent and console. It protects against known and unknown threats using over 30 protection technologies including machine learning, sandbox analysis, and anomaly detection. GravityZone Ultra provides visibility into security events, helps investigate incidents, and can adjust policies and patch vulnerabilities to prevent future attacks. The solution protects physical, virtual, email and cloud environments from one console.

Bitdefender GravityZone

Deployment Guide

On-Cloud Console

Mahmoud El-Masry
Regional Senior Sales Engineer – ME
[email protected]

Page 1 | 43
Table of Contents
1. OVERVIEW ... 3
   BITDEFENDER GRAVITYZONE ULTRA SECURITY ... 3
   1.1 GravityZone Management Console ... 9
   1.2 Bitdefender Endpoint Security Tools (BEST) ... 10
   1.3 Protection Layers ... 11
       Hardening and Control ... 12
       Multi-stage Detection ... 12
   1.4 Add-on Features & Products ... 15
       1.4.1 Patch Management ... 15
       1.4.2 Full Disk Encryption ... 15
       1.4.3 Email Security ... 15
2. DEPLOYMENT PREREQUISITES ... 16
   2.1 Assumptions ... 16
   2.2 System Requirements ... 17
       2.2.1 Bitdefender Endpoint Security Tools (BEST) ... 17
       2.2.2 GravityZone Cloud Console Communication Ports ... 18
3. DEPLOYMENT GUIDE ... 19
   3.1 Console Setup ... 20
   3.2 Agent Deployment ... 23
       3.2.1 Installation Package Preparation ... 23
       3.2.2 Deployment Ways ... 26
   3.3 Configuration ... 30

1. OVERVIEW

BITDEFENDER GRAVITYZONE ULTRA SECURITY


Unified Endpoint Prevention, Detection, Response and Risk Analytics

Unlike other endpoint security solutions whose poor prevention makes them noisy and
complex to operate, Bitdefender has developed over 30 layers of protection for all of your
endpoints, offering the world’s most effective protection integrated with low overhead
EDR and Endpoint Risk Analytics (ERA) in a single agent, single console architecture.
By incorporating advanced protection, Risk Analytics and hardening innovations into our
endpoint portfolio, we help minimize the endpoint attack surface, making it more difficult for
attackers to penetrate.

With GravityZone Ultra, you can reduce the number of vendors while compressing the time it
takes to respond to threats via an integrated security stack.

GravityZone Ultra provides:

▪ The world's most effective Endpoint Protection, which regularly ranks at the top in
independent prevention tests

▪ Low overhead Endpoint Detection and Response, which makes it easy for any IT
organization to adopt EDR, improve response time and lower the personnel cost of EDR

▪ Integrated Endpoint Risk Analytics that constantly scans your endpoints for
misconfigurations and makes recommendations to reduce your attack surface

▪ Single agent, single console for all capabilities including patch management, firewall,
encryption, application control, content control and more

▪ Optional Patch Management, Advanced Email Security and Data Protection add-on
modules streamline security processes and reduce incident response times

▪ The result is seamless threat prevention, accurate incident detection and smart hardening
to minimize exposure to infection and stop breaches

▪ Blocks the majority of attacks at the pre-execution phase, before they affect your system,
via machine learning, real-time process inspection and automated sandbox analysis

▪ A single solution that covers physical, virtual, email, ICAP-based storage and cloud
deployments from one console

▪ Optional Network Threat Analytics solution to provide insights into IoT and potential
network threats

▪ Protection for complex, heterogeneous environments: as an integrated endpoint
protection suite, GravityZone Ultra ensures a consistent level of security across all of
your platforms, from Windows to macOS, Linux, VMware, iOS, Android and AWS.
The result is that attackers can find no gaps in protection to exploit.

GravityZone Ultra relies on a simple, integrated architecture with centralized
management for both endpoints and the datacenter. It lets companies deploy the endpoint
protection solution quickly and requires less administration effort after implementation.

The World’s Most Effective Endpoint Protection

For end-to-end breach defense

Over 30 protection technologies, developed over 18 years by Bitdefender's world-class
researchers, mathematicians and data scientists, result in superior protection that is
currently licensed and used in over 38% of all IT security products.

▪ Local and Cloud-based Machine Learning:
Bitdefender first launched machine learning in 2009, resulting in increased threat detection
with low false positives that can stop unknown threats at pre-execution and on-execution.
▪ HyperDetect:
Contains tunable machine learning models and stealth attack detection technology. It forms
an additional layer of security, specifically designed to detect advanced attacks and suspicious
activities in the pre-execution stage.
▪ Anomaly Defense:
Advanced machine learning technology that baselines system services and monitors for
stealthy attack techniques. Able to protect custom apps from malicious attack.
▪ Cloud-Based Sandbox:
Provides pre-execution detection of advanced attacks by automatically sending files that
require further deep behavioral analysis to the cloud sandbox and taking remediation action
based on the verdict.
▪ Advanced Threat Control "Process Inspector":
Behavior anomaly detection technology that provides protection against never-before-seen
threats in the on-execution stage.
▪ Network Attack Defense:
Detects and blocks new types of network-based attacks earlier in the attack chain, such as brute
force attacks, password stealers, lateral movement and initial access.
▪ Exploit Defense:
With Exploit Defense, the list of exploits blocked is extended to the pre-execution stage in
order to enable protection against known and unknown exploits early in the attack chain.
▪ Fileless Attack Defense:
Detects and blocks script-based, fileless, obfuscated and custom malware with automatic
remediation.
▪ Ransomware Mitigation:
Real-time backup of files before they are modified by suspicious processes, to mitigate the
risk of losing data during advanced ransomware attacks.
▪ Integrated client firewall, application control, device control, web content filtering and
more.
▪ Add-on modules:
Email Security, Full Disk Encryption, Patch Management and Security for Storage.

Low Overhead EDR Made Easy

Full featured investigation tools designed for any size organization


With clear visibility into indicators of compromise (IOCs) and one-click threat investigation and
incident response workflows, GravityZone Ultra reduces resource and skill requirements for security
teams.
The threat analytics module operates in the Management Console and continuously sifts through
behavioral events in system activities, creating a prioritized list of incidents for additional
investigation and response.

Smart response means evolved prevention


Because GravityZone Ultra is an integrated prevent-detect-respond solution, it enables quick response
and restoration of endpoints to a "better-than-before" state. Leveraging threat intelligence gathered
from the endpoints during the investigation process, a single interface provides the tools to immediately
adjust policy and patch vulnerabilities to prevent future incidents, improving the security of your
environment.

The Ultra bundle, besides EPP capabilities, covers EDR requirements such as:
▪ Suspicious activity detection and visualization
▪ Anomaly detection
▪ Root cause analysis
▪ MITRE event tagging
▪ Threat confidence score
▪ Attack indicators
▪ Scan for IOC
▪ Threat hunting and custom behavioral detection
▪ Guided incident investigation & Mitigation
▪ Advanced threat containment options
▪ Sandbox analysis
▪ Incident response “isolation, kill, quarantine, block list, install patch, and remote shell”
▪ Optional Managed Detection and Response service “MDR”.

Endpoint Risk Management and Analytics

Actively reduce your organization's attack surface by continuously assessing, prioritizing,
and addressing endpoint risk coming from misconfigurations and application
vulnerabilities.

The Endpoint Risk Management (ERM) module helps you identify and remediate a large
number of network, browser, and operating system risks at the endpoint level via risk
scan tasks that can be configured in policy to run recurrently on target endpoints.

▪ View your overall Company Risk Score and understand how various
misconfigurations and application vulnerabilities contribute to it.

▪ Assess prioritized misconfigurations, applications and user-prone vulnerabilities
across your organization's endpoint estate.

▪ Get a risk snapshot for servers and end-user devices and review the endpoints and
users exposed the most.

▪ Zero in on misconfigurations, vulnerable applications, user behavior risks, individual
devices and users, and fix misconfigurations or patch vulnerabilities.

1.1 GravityZone Management Console
With proven deployments of over 120,000 endpoints, GravityZone's Management Center is an
integrated and centralized management console that provides a single-pane-of-glass view of all
security management components, including endpoint security, datacenter security, patch
management, risk analytics, reporting and much more. Securely cloud-hosted in AWS highly
secure datacenters, GravityZone's role-based policy management supports multiple nested
roles and policies.

1.2 Bitdefender Endpoint Security Tools (BEST)
A single agent should be installed on each machine managed by Bitdefender. The agent can
include different modules based on the administrator's requirements and the add-ons available.
Administrators can create custom installation packages with the following security modules:
▪ Antimalware
o Signature based detection
o HyperDetect (Tunable Machine Learning)
o Anti Fileless Attack
o Anomaly Detection
o Local & Cloud Machine Learning
o Ransomware Mitigation
o Sandbox Analyzer
▪ Advanced Threat Control (Process Inspector)
▪ Advanced Anti-Exploit
▪ Firewall / IDS
▪ Application Control
▪ Content Control
o Web Access Control
o Application Blacklisting
▪ Network Attack Defense
▪ Device Control
▪ Power User*
▪ EDR Sensor
▪ Risk Management
▪ Full Disk Encryption (add-on)
▪ Patch Management (add-on)
▪ Relay Role*
▪ Exchange Protection*

Power User* is a module designed for troubleshooting purposes and gives you administrative
rights at endpoint level. This way you can access and change policy settings locally, through
the Bitdefender Endpoint Security Tools interface.

Relay Role* can be assigned to any machine (Windows Server/Desktop or Linux Server)
to act as a communication proxy between endpoint clients and the management console, a local
update server that delivers threat intelligence updates, product updates and missing patches, and
a deployer that remotely installs the endpoint client on other endpoints. Using a Relay server
helps minimize bandwidth utilization.

Exchange Protection* is part of the agent assigned to any Microsoft Exchange server.
This agent is assigned a policy to filter connections and emails based on anti-spam,
anti-malware, content, and attachment control.

1.3 Protection Layers
The table below shows the protection layers in terms of Risk Analytics, System Hardening,
Prevention, Detection and Response.

GravityZone Ultra is the Complete solution suite with advanced protection, detection, response
and risk analytics designed to address the entire threat lifecycle. With GravityZone Ultra, you
can reduce the number of vendors while compressing the time it takes to respond to threats via
an integrated security stack.

Hardening and Control

▪ Content Control with web reputation, blocking access to malicious, phishing, and fraud
websites, in addition to web filtering based on categories, schedules and exceptions.
▪ Device Control to allow or block any peripheral connected to any machine, including
USB devices, network adapters, printers, imaging devices, scanners, card readers, etc. The
administrator can also whitelist devices based on Device ID and Product ID.
▪ Host-based firewall with IDS that blocks port scanning, defines rules based on
connections and applications, and blocks DLL injections, installation of malware drivers, etc.
▪ Anti-phishing capabilities, part of the Content Control module.
▪ Application blacklisting, part of Content Control. The administrator can specify the
applications that are blocked.
▪ Patch Management (add-on), fully integrated in GravityZone, keeps operating systems and
software applications up to date and provides a comprehensive view of the patch status for
your managed Windows endpoints. The GravityZone Patch Management module includes
several features, such as on-demand/scheduled patch scanning, automatic/manual
patching and missing patch reporting. It delivers patches for Windows machines from
more than 100 vendors, such as Microsoft OS/Office, Google, Java, Apple, etc.
▪ Full Disk Encryption (add-on), supported on Windows and Mac devices and fully compliant,
as it uses native BitLocker for Windows and FileVault for Mac.

Multi-stage Detection

o Pre-execution:
▪ Signature lookup, with signatures updated on an hourly basis.
▪ Machine learning models with more than seven years of experience, trained
on millions of samples. Bitdefender has a high catch rate and a low false
positive rate because the machine learning models are well trained and experienced.
▪ Behavioral analysis within an emulator, which tests the behavior of any file,
within a couple of milliseconds, before it is opened.
o On-Execution/Post-Execution:
▪ Advanced Anti-Exploit: Powered by machine learning, Advanced Anti-Exploit
is a proactive technology that stops zero-day attacks carried out through evasive
exploits. Advanced Anti-Exploit catches the latest exploits in real time and
mitigates memory corruption vulnerabilities that can evade other security
solutions. It protects the most commonly used applications, such as browsers,
Microsoft Office or Adobe Reader, as well as any custom/in-house application.
It watches over system processes and protects against security breaches and
hijacking of existing processes.
▪ Anti-rootkit for kernel-related malware.
▪ Process Inspector, which works on-execution and post-execution by monitoring
each activity of every process and assigning scores; whenever the score
reaches a certain threshold, the process is considered malicious and is killed
accordingly.
▪ Ransomware Vaccine, which provides an additional layer of protection against
ransomware.
▪ Ransomware Advanced Threat Control, which catches ransomware families at
zero-day based on behavioral analysis and machine learning. Already proven
against ransomware attacks such as WannaCry, Petya, BadRabbit and others,
with 0-day detection.

HyperDetect (HD)
Bitdefender HyperDetect is an additional layer of security specifically designed to detect
advanced attacks and suspicious activities in the pre-execution stage. HyperDetect contains
machine learning models and stealth attack detection technology against threats such as:
zero-day attacks, advanced persistent threats (APT), obfuscated malware, fileless attacks
(misuse of PowerShell, Windows Management Instrumentation etc.), credential stealing,
targeted attacks, custom malware, script-based attacks, exploits, hacking tools, suspicious
network traffic, potentially unwanted applications (PUA), ransomware.

Fileless Attack Defense

Fileless Attack Defense adds additional capabilities to block attacks from any command
interpreter, such as PowerShell, before they can execute.

Advanced Threat Control "Process Inspector"

Bitdefender Process Inspector is part of the GravityZone Endpoint Security platform. It is a
behavior anomaly detection technology that provides protection against never-before-seen
threats in the on-execution stage. It operates on a 'zero-trust' model and monitors processes
running in the OS using filters in user mode and kernel mode. It looks for behavior specific
to malware and assigns a score to each process based on its actions and context. When the
overall score for a process reaches a given threshold, the process is reported as harmful and
appropriate remediation action is taken, including the rollback of changes made by the
malicious process on the endpoint.

Network Attack Defense

Bitdefender Network Attack Defense is a new technology designed to detect
and prevent attacks that use network vulnerabilities. With it, Bitdefender ensures detection of a wide
array of attacks, from lateral movement (brute force, port scanners), web-service attacks
(SQL injection) and traffic-level attacks (botnets, malicious URLs or remote IoT attacks) to
privacy breaches performed via phishing attacks to exfiltrate passwords, credit card or email
addresses.

Anomaly Detection

Anomaly Defense baselines system resources to spotlight unusual behavior based on MITRE
threat techniques and Bitdefender’s own research. Unlike solutions that use cloud-based
machine learning techniques, Bitdefender GravityZone monitors services on the host, in their
local environment, to reduce noise and false positives.

Sandbox Analyzer

Bitdefender Sandbox Analyzer provides a powerful layer of protection against advanced
threats by performing automatic, in-depth analysis of suspicious files for which the
Bitdefender antimalware engines do not yet have a signature.

The sandbox employs an extensive set of Bitdefender technologies to execute payloads in a
contained virtual environment hosted by Bitdefender, analyze their behavior and report any
subtle system changes that are indicative of malicious intent. Sandbox Analyzer automatically
submits suspicious files residing on the managed endpoints that are hidden from signature-based
antimalware services. Dedicated heuristics embedded in the antimalware on-access module
of Bitdefender Endpoint Security Tools trigger the submission process. The Sandbox
Analyzer service is able to prevent unknown threats from executing on the endpoint. It operates
in either monitoring or blocking mode, allowing or denying access to the suspicious file until
a verdict is received.

Sandbox Analyzer automatically resolves discovered threats according to the remediation
actions defined in the security policy for the affected systems. Additionally, Sandbox Analyzer
allows you to manually submit samples directly from Control Center, letting you decide what
to do further with them. Actions that can be taken include blocking access, disinfecting,
quarantining and process termination, including automatic rollback.

Ransomware Mitigation

Real-time backup of files before they are modified by suspicious processes, to mitigate the
risk of losing data during advanced ransomware attacks.
It catches ransomware families at zero-day based on behavioral analysis and machine learning,
and recovers files encrypted by ransomware as soon as the GravityZone protection modules detect
and block the attack.

1.4 Add-on Features & Products
1.4.1 Patch Management
The GravityZone Patch Management module enables organizations to keep OS and applications up to date
across the entire Windows install base: workstations, physical servers and virtual servers. It supports
both automatic and manual patching. It gives organizations greater flexibility and efficiency for patch
management, with the ability to create a patch inventory, schedule patch scanning, limit automatic
patching to admin-preferred applications, vary scheduling for security and non-security patches and
postpone reboots for patching requiring a restart.
GravityZone Patch Management allows verification of patching enterprise-wide to comply with policies
and regulations. The Patch Management module can be added on top of existing Bitdefender GravityZone
Endpoint Security products. The new module is managed from the same GravityZone console that
customers use today.
https://www.bitdefender.com/business/patch-management/

1.4.2 Full Disk Encryption

Bitdefender Full Disk Encryption Management leverages the encryption mechanisms provided by
Windows (BitLocker) and Mac (FileVault), taking advantage of the native device encryption, to ensure
compatibility and performance. There is no additional agent to deploy and no key management
server to install.
By also using the existing endpoint security infrastructure (GravityZone Console) for managing Full
Disk Encryption, the deployment is fast and painless. Once the encryption management module is
activated on the existing console, the deployment of encryption on the endpoints can be centrally
initiated and fully managed.
https://download.bitdefender.com/resources/media/materials/business/en/Bitdefender-2017-NGZ-Encryption-DS-crea1407-A4-en_EN-web.pdf

1.4.3 Email Security

With GravityZone Email Security, organizations benefit from complete business email protection that
goes beyond malware and other traditional threats such as spam, viruses, large-scale phishing attacks
and malicious URLs. It also stops modern, targeted and sophisticated email threats, including
Business Email Compromise (BEC) and CEO fraud.
GravityZone Email Security leverages a multi-stage threat prevention model that blocks highly
redirected threats with more than 10,000 algorithms and world-class reputation engines.
Accommodating virtually any deployment scenario, it features a unique multi-engine platform for
highly accurate message categorization and threat protection.
https://www.bitdefender.com/business/gravityzone-addons/email-security.html

2. DEPLOYMENT PREREQUISITES

2.1 Assumptions
▪ For a successful remote deployment, the following points need to be considered:
✓ A privileged domain user account is available.
✓ The target system is accessible on the network: it has the correct DNS entry, and the
assigned IP is not duplicated.
✓ The local firewall on the target system allows File and Printer Sharing traffic (TCP
ports 139, 445; UDP ports 137, 138).
✓ The target system accepts connections to its admin$ administrative share.
✓ The File and Printer Sharing protocol is enabled on the network interface.
✓ User Account Control is disabled.
✓ The current AV uninstallation password must be removed, so that the Bitdefender
Endpoint Security agent can uninstall it during the installation process.
✓ The Server service and its dependencies are running.
✓ Disable UAC for Windows 7, 8, 10 and Server 2012.
✓ The following ports should be opened:
o 7074, when deploying from the Relay.
✓ Legacy Windows versions (XP and 2003) are not supported for remote deployment.
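As an added example (not part of this guide), a PowerShell function that checks a target against the remote deployment checklist above from the admin workstation or Relay, so that failures are found before the remote installation task is run. The function and parameter names are this example's own; it assumes Windows PowerShell 5.1 (for Get-Service -ComputerName), an account that is an administrator on the target, and the Remote Registry service on the target for the UAC check.

```powershell
# Added example, not Bitdefender code: pre-flight check of a remote-deployment target.
function Test-BestDeployTarget {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$RelayName   # optional: Relay whose TCP 7074 should be reachable
    )
    $r = [ordered]@{ ComputerName = $ComputerName }

    # Correct DNS entry: the name must resolve. More than one A record is worth a look,
    # since the checklist requires the assigned IP not to be duplicated.
    $a = @(Resolve-DnsName -Name $ComputerName -Type A -ErrorAction SilentlyContinue |
           Where-Object { $_.IPAddress })
    $r.DnsResolves = $a.Count -gt 0
    $r.IPv4 = ($a | ForEach-Object { $_.IPAddress }) -join ','

    # File and Printer Sharing: TCP 139 and 445 (UDP 137/138 cannot be probed this way).
    foreach ($p in 139, 445) {
        $r["Tcp$p"] = Test-NetConnection -ComputerName $ComputerName -Port $p `
                          -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    # The admin$ administrative share accepts the current credentials.
    $r.AdminShare = Test-Path -Path "\\$ComputerName\admin`$"

    # Server service (LanmanServer) and the services it depends on are running.
    try {
        $svc = Get-Service -Name LanmanServer -ComputerName $ComputerName -ErrorAction Stop
        $depsStopped = @($svc.ServicesDependedOn | Where-Object { $_.Status -ne 'Running' }).Count
        $r.ServerService = ($svc.Status -eq 'Running') -and ($depsStopped -eq 0)
    } catch { $r.ServerService = $false }

    # UAC disabled means EnableLUA = 0. Read through Remote Registry (assumed running on target).
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
        $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $r.UacDisabled = ([int]$key.GetValue('EnableLUA', 1) -eq 0)
        $hklm.Close()
    } catch { $r.UacDisabled = $null }   # unknown: Remote Registry not reachable

    # Relay port 7074, probed from this machine (the target itself must also reach it).
    if ($RelayName) {
        $r.Relay7074 = Test-NetConnection -ComputerName $RelayName -Port 7074 `
                           -InformationLevel Quiet -WarningAction SilentlyContinue
    }

    $r.Ready = $r.DnsResolves -and $r.Tcp139 -and $r.Tcp445 -and $r.AdminShare -and
               $r.ServerService -and ($r.UacDisabled -eq $true)
    [pscustomobject]$r
}

# Usage: constructed sample names; lists which targets are ready for the remote install task.
'WKS-01', 'WKS-02' |
    ForEach-Object { Test-BestDeployTarget -ComputerName $_ -RelayName 'RELAY-01' } |
    Format-Table -AutoSize
```

A target that shows Ready = False points at the checklist item to fix; a blank UacDisabled column means the registry could not be read remotely and UAC has to be verified on the machine itself.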

2.2 System Requirements
2.2.1 Bitdefender Endpoint Security Tools (BEST)

Target Endpoint Prerequisites

Processor
▪ Minimum: 2.4 GHz single-core CPU
▪ Recommended: 1.86 GHz or faster Intel Xeon multi-core CPU

Memory
▪ 1 GB free RAM

Storage
▪ 1.5 GB free HDD space

Supported Operating systems

▪ Modern Windows Versions 7, 8, 8.1, 10, Server 2008, Server 2008 R2,
Server 2012, Server 2016 and Server 2019.
▪ Linux Ubuntu 14.04 LTS or higher, Red Hat Enterprise Linux/CentOS 6.0
or higher, SUSE Linux Enterprise Server 11 SP4, OpenSUSE Leap 42.x,
Fedora 25 or higher, Debian 8 or higher
▪ macOS versions 10.9.5, 10.10.5, 10.11.x, 10.12.x, 10.13.x, 10.14

2.2.2 GravityZone Cloud Console Communication ports

The following table provides information on the most important ports that GravityZone
components use for communication. You need to have these ports open and to exclude all
addresses mentioned in this table from any gateway security solution or network packet
inspection so that GravityZone functions flawlessly.

Component | Direction | Port | Source / Destination | Description
--- | --- | --- | --- | ---
Security Agent (BEST, Endpoint Security for Mac) | Outbound | 80 | submit.bitdefender.com | Port used for submitting endpoint dumps in case of crashes
| | 80 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository)
| | 80 | update.cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository)
| | 80 | lv2.bitdefender.com | License validation
| | 53 | *.v1.bdnsrt.org | DNS requests for signature update checks
| | 443 | cloud.gravityzone.bitdefender.com, cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader)
| | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between the security agents and Communication Server
| | 443 | nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server
| | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel
| | 443 | nimbus.bitdefender.net | Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network
Relay agent | Inbound | 7074 | Security agent | Communication messages (such as settings and events) received from endpoints linked to the Relay agent
| | 7076 | Security agent | Encrypted communication messages proxied from connected endpoints to Bitdefender Global Protective Network
| Outbound | 80 | submit.bitdefender.com | Port used for submitting endpoint dumps in case of crashes
| | 80 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository)
| | 80 | update.cloud.2d585.cdn.bitdefender.net | Downloading updates from the online Bitdefender Update Servers (the official repository)
| | 80 | lv2.bitdefender.com | License validation
| | 53 | *.v1.bdnsrt.org | DNS requests for signature update checks
| | 443 | cloud.gravityzone.bitdefender.com, cloudgz.gravityzone.bitdefender.com | Downloading installation packages during deployment (Setup Downloader)
| | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between the Relay agent and Communication Server
| | 443 | nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server, a component of Bitdefender Global Protective Network
| | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel
| | 443 | nimbus.bitdefender.net | Antimalware, antiphishing and content control scanning with Bitdefender Global Protective Network
| | 443 | download.bitdefender.com | Downloading installation packages before deployment from the GravityZone Cloud Control Center
Security Server (Multi-Platform) | Inbound | 1344 | Any | Used by the Security for Storage protection layer for communication between ICAP-compliant NAS devices and Security Server
| | 6379 | Security Server | Allows traffic between Security Servers
| | 7081 | Any | Antimalware traffic scanning sent by the Security Agent
| | 7083 | Any | Antimalware traffic scanning sent by the Security Agent over SSL
| Outbound | 443 | nimbus.bitdefender.net | Periodical verification of antimalware detections with Bitdefender Global Protective Network
| | 443 | upgrade.bitdefender.com | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel
| | 443 | *.cdn.bitdefender.net:443 | Downloading updates from the online Bitdefender Update Servers (the official repository) over an encrypted channel
| | 443 | cloud-ecs.gravityzone.bitdefender.com, cloudgz-ecs.gravityzone.bitdefender.com | Link between Security Server and Communication Server
| | 443 | download.bitdefender.com | Downloading updates
| | 80 | upgrade.bitdefender.com | Fallback for downloading updates from the Bitdefender Update Servers (the official repository)
| | 80 | download.bitdefender.com | Downloading installation kits
| | 80 | *.cdn.bitdefender.net:80 | Downloading updates from the online Bitdefender Update Servers (the official repository)
Sandbox Analyzer | Both | 443 | Sandbox Analyzer Portal | Allows communication between the endpoint and the Sandbox Analyzer Portal. Handles file submission to sandbox-portal.gravityzone.bitdefender.com.
More about GravityZone communication ports is available at:

https://www.bitdefender.com/support/bitdefender-gravityzone-(cloud-console)-communication-ports-1256.html

3. DEPLOYMENT GUIDE

Deployment Structure

[Diagram: the GravityZone cloud console at https://gravityzone.bitdefender.com; the HQ site with servers, virtual servers, workstations and Relays; each remote site with its own Relay and workstations.]

3.1 Console Setup
Bitdefender Cloud Console can be accessed from this URL:
https://gravityzone.bitdefender.com/

You need to type your account credential which sent to your email

If the Bitdefender Sales Team has shared a license key with you, follow these steps to apply it (the key can be Elite, Ultra or an add-on feature):
Click on your account name in the top right corner and choose “My Company”.

There, all the details can be edited, including the License key and Add-ons, with visibility of the expiry date and usage.

Make a note of the Company ID, as shown in the screenshot below.

Make sure to click on “Save” to apply the changes.

In your account details, you may also want to change your password, enable Two-Factor Authentication, or change the console Session Timeout.

3.2 Agent Deployment

3.2.1 Installation package preparation

Before deploying Bitdefender Endpoint Security Tools (“BEST”) on clients, you first need to prepare at least two installation packages: one for Relays and one for clients.

Go to Network and choose Packages to add a new installation package.

Relay Installation Package

Click on Add, follow the snapshot below, and click Save when you have finished.

Client Installation Package:

3.2.2 Deployment ways
After preparing the installation packages, you are ready to deploy them to your clients in one of the following ways.

Manually

1- Download the full installation package matching the target machine's OS and CPU architecture (64-bit or 32-bit), copy it to the target machine and install it.

2- Download only the Windows downloader (about 5 MB), copy it to the target machine and run it; it will download the corresponding full package.

3- Send the installation package download links by e-mail to remote recipients, who can then download and install it themselves.

Remotely

Note: Before using the Bitdefender remote installation task, you must have at least one Relay Agent, which performs the following roles:
1- Network discovery
2- Active Directory integration
3- Remote deployment
4- Communication relay agent
5- Update relay agent
6- Remote patch deployment (in case you have a Patch Management license)

Relay Agent preparation

Choose a powerful computer or server (it should be a member of your domain) and install the Bitdefender Relay Agent installation package on it manually.

Active Directory Integration

Once the relay agent is installed, you can set it as the Active Directory Integrator: find it under Network > Computers and Groups, right-click it and choose Set as Active Directory Integrator.

After a few seconds, an Active Directory node appears under Network containing your whole AD structure.

Remote Deployment Task

Note: BEST can uninstall the current AV product if one exists, but you need to remove that product's uninstallation password first so that the BEST agent can uninstall it during deployment.

Locate the target computer(s) under Network > Active Directory, right-click and choose Install from Tasks.

When you click Save, a new task is added under Tasks. Wait until it has finished; the target client then appears as protected and Managed.

3.3 Configuration
Policies are created by clicking on Add Policy and then setting their parameters:

General:

Details: the name of the policy is set here.

Notifications: the agent can run in silent mode, or the administrator can configure which pop-ups and notifications the end user sees.

Settings: a password to protect the agent can be set here, replacing the one defined in the package (by keeping the installation settings). Proxy configuration for communication between agents and the communication server can be set here, as can a Power User password:

Updates: the administrator sets the sources for product and signature updates. The location can be the Relay(s), the Main Console, or Bitdefender Cloud as a fallback for roaming devices.
Update Ring: product upgrades should be set to Slow Ring so that agents only download and upgrade to stable releases.

Antimalware:
The recommended configuration is as follows.

On-Access
On-Access scanning must be enabled, with the default Normal level, and Ransomware Vaccine should also be enabled; it provides an additional layer of protection against some kinds of ransomware.

On-Execute
Advanced Threat Control and Fileless Attack Protection must be enabled to detect advanced threats, fileless attacks and targeted attacks.

On-Access Scanning and On-Execute (Advanced Threat Control) can be set to Aggressive mode when they protect mission-critical devices, or to Permissive, depending on the environment being protected.

On-Demand: scan tasks are defined here; the administrator can schedule Quick, Full or Custom scans. Device Scanning can also be enabled for any inserted USB storage device or CD/DVD media, as well as for mapped network drives.

HyperDetect: can be configured to detect elusive threats such as fileless attacks, script-based attacks, APTs, etc. Each type of detected malware can be tuned by severity level, with separate actions defined for files and for network traffic:

Advanced Anti-Exploit
Advanced Anti-Exploit must be enabled as well.

Settings: the administrator can add exceptions for files, folders, processes and extensions, and define the quarantine retention period.

Security Servers: the administrator assigns which Security Servers each light agent connects to, in order of priority. Security Servers are also detected automatically when they are installed in the virtualized environment.

Sandbox Analyzer:
The administrator can enable Sandbox Analyzer to automatically submit suspicious objects to the Bitdefender cloud. It can run in Monitoring or Blocking mode:
- Monitoring Mode allows the user to access the objects.
- Blocking Mode denies the user access to the objects unless a clean result is returned.
Actions for Blocking mode can be defined as well.

The administrator can also submit a suspicious file manually: click on Sandbox Analyzer at the bottom left of the console, browse to the file and upload it. After some time the result is shown as “Clean” or “Infected”, together with a report.

Firewall:
This part of the policy enables the host-based firewall and IDS, including port-scan blocking.
Under Rules, connection and application rules can be defined based on local/remote IPs, protocols and other details.

Content Control:
Web reputation and web filtering are configured in this part of the policy, together with application blacklisting.

Web filtering allows or blocks access to websites based on categories, schedules and exceptions. By default, when protection against fraud and phishing is enabled, the Content Control module blocks users from accessing malicious websites.

Device Control:
This part of the policy lets the administrator allow or block user access to Bluetooth devices, CD-ROM drives, floppy disks, imaging devices, modems, tape drives, SCSI RAID, printers, wireless network adapters, internal/external storage, etc. The available actions are Read Only, Allow, Block and Custom.
Exceptions can be added manually by Device ID or Product ID, or picked from discovered devices.

Patch Management:

Note: Patch Management is an add-on license and is not part of Ultra; you need to add its license to see it in the console.

If you do not see the Patch Management module in the installation package or in the policy, it means no Patch Management licenses have been added to your console.

To configure Patch Management properly, do the following:

1- Make sure the Patch Management module is added to the client installation package and installed on all clients.

If the Patch Management module was not installed on the clients, or you have just added the Patch Management license and want to add the module to all clients that already have the BEST agent installed, use the Reconfigure Clients task to add only the Patch Management module to all installed BEST clients.

2- You should have a Relay agent (a server is recommended) with the Patch Management Cache Server enabled. The server needs 100 GB of free disk space on drive C: so that it can download all required patches and store them on its disk.
All clients will contact this relay to download the required patches.

3- The policy can be configured as in the following snapshots:

*WINSERVER here is the Relay agent with the Patch Management Cache Server.

Incidents Sensor (EDR)

For Ultra, the EDR sensor must be enabled so that security events are collected and correlated:

Risk Management
For Ultra, Risk Management must be enabled so that security risks are collected:

Exchange Protection:
Security for Exchange comes with highly configurable settings, securing the Microsoft Exchange
Servers against threats such as malware, spam and phishing. With Exchange Protection installed on
your mail server, you can also filter emails containing attachments or content considered dangerous
according to your company's security policies.
To keep the server's performance at normal levels, the email traffic is processed by the Security for
Exchange filters in the following order:
1- Antispam filtering
2- Content Control > Content filtering
3- Content Control > Attachment filtering
4- Antimalware filtering
General
In this section you can create and manage groups of email accounts, define the age of the quarantined items, and ban specific senders.
User Groups. Control Center allows creating user groups to apply different scanning and filtering policies to different user categories. For example, you can create appropriate policies for the IT department, for the sales team or for the managers of your company.

Settings
• Delete quarantined files older than (days). By default, quarantined files older than 30 days are
automatically deleted. If you want to change this interval, enter a different value in the
corresponding field.
• Connection Blacklist. With this option enabled, Exchange Server rejects all emails from the
blacklisted senders.
Domain IP Check (Anti-spoofing)
Use this filter to prevent spammers from spoofing the sender's email address and making the email
appear as being sent by someone trusted. You can specify the IP addresses authorized to send email
for your email domains and, if needed, for other known email domains. If an email appears to be from
a listed domain, but the sender's IP address does not match one of the specified IP addresses, the
email is rejected.

Antimalware
The Antimalware module protects Exchange mail servers against all kinds of malware threats
(viruses, Trojans, spyware, rootkits, adware, etc.), by detecting infected or suspect items and
attempting to disinfect them or isolating the infection, according to the specified actions.

Transport Level Scanning

Bitdefender Endpoint Security Tools integrates with the mail transport agents to scan all email traffic. By default, transport level scanning is enabled. Bitdefender Endpoint Security Tools filters the email traffic and, if required, informs users of the actions taken by adding a text note to the email body. Use the Antimalware filtering check box to disable or re-enable this feature.

Anti-Malware Rules:

Exchange Store Scanning

Exchange Protection uses Exchange Web Services (EWS) from Microsoft to allow scanning the Exchange mailbox and public folder databases. You can configure the antimalware module to run on-demand scan tasks regularly on the target databases, according to the schedule you specify.

Antispam
An email is checked against the antispam filtering rules based on the sender and recipients groups, by
order of priority, until it matches a rule. The email is then processed according to the rule options, and
actions are taken on the detected spam. Certain antispam filters are configurable, and you can control
whether to use them or not. This is the list of the optional filters:
• Charset Filter. Many spam emails are written in Cyrillic or Asian charsets. The Charset Filter
detects these emails and tags them as SPAM.
• Sexually Explicit Tagged Content. Spam that contains sexually oriented material must include
the warning SEXUALLY-EXPLICIT: in the subject line. This filter detects emails marked as
SEXUALLY-EXPLICIT: in the subject line and tags them as spam.
• URL Filter. Almost all spam emails include links to various web locations. Usually, these
locations contain more advertising and offer the possibility to buy things. Sometimes, they are
also used for phishing. Bitdefender maintains a database of such links. The URL filter checks
every URL link in an email against its database. If a match is made, the email is tagged as
spam.
• Realtime Blackhole List (RBL). This is a filter that allows checking the sender’s mail server
against third party RBL servers. The filter uses the DNSBL protocol and RBL servers to filter
spam based on mail servers' reputation as spam senders.
• Heuristic Filter. Developed by Bitdefender, the Heuristic filter detects new and unknown
spam. The filter is automatically trained on large volumes of spam emails inside the
Bitdefender Antispam Lab.
• Bitdefender Cloud Query. Bitdefender maintains a constantly evolving database of spam mail
"fingerprints" in the cloud. A query containing the email fingerprint is sent to the servers in
the cloud to verify on the fly if the email is spam.

Content Filtering
Content Filtering helps you filter email traffic based on the character strings you have previously
defined. These strings are compared with the email subject or with the text content of the email body.
By using Content Filtering, you can achieve the following goals:
• Prevent unwanted email content from entering the Exchange Server mailboxes.
• Block outgoing emails containing confidential data.
• Archive emails that meet specific conditions to a different email account or on the disk. For
example, you can save the emails sent to your company's support email address to a folder on
the local disk.

Attachment Filtering
The Attachment Filtering module provides filtering features for mail attachments. It can detect
attachments with certain name patterns or of a certain type. By using Attachment Filtering, you can:
• Block potentially dangerous attachments, such as .vbs or .exe files, or the emails containing
them.
• Block attachments having offensive names or the emails containing them.
