
Install security agents - standard procedure

To protect your physical and virtual endpoints, you must install a security agent on each of them. Aside from managing protection on the local endpoint, the security agent also communicates with Control Center to receive the administrator's commands and to send the results of its actions.

To learn about the available security agents, refer to Security agents.

On Windows and Linux machines, the security agent can have two roles, and you can install it in either of the following ways:

  1. As a simple security agent for your endpoints.

  2. As a Relay, acting as a security agent and also as a communication, proxy and update server for other endpoints in the network.

On macOS machines, the security agent cannot act as a Relay.

You can install the security agents on physical and virtual endpoints by running installation packages locally or by running installation tasks remotely from Control Center.

It is very important to carefully read and follow the instructions to prepare for installation.

In normal mode, the security agents have a minimal user interface. It only allows users to check protection status and run basic security tasks (updates and scans), without providing access to settings.

If enabled by the network administrator via installation package and security policy, the security agent can also run in Power User mode on Windows endpoints, letting the endpoint user view and modify policy settings. Nevertheless, the Control Center administrator can always control which policy settings apply, overriding the Power User mode.

By default, the display language of the user interface on protected Windows endpoints is set at installation time based on the language of your GravityZone account.

On Mac, the display language of the user interface is set at installation time based on the language of the endpoint operating system. On Linux, the security agent does not have a localized user interface.

To install the user interface in another language on certain Windows endpoints, you can create an installation package and set the preferred language in its configuration options. This option is not available for Mac and Linux endpoints. For more information on creating installation packages, refer to Create installation packages.

Prepare for the installation

Before installation, follow these preparatory steps to make sure it goes smoothly:

  1. Make sure the target endpoints meet the Endpoint protection minimum system requirements.

    For some endpoints, you may need to install the latest operating system service pack available or free up disk space.

    Compile a list of endpoints that do not meet the necessary requirements so that you can exclude them from management.

  2. Uninstall (not just disable) any existing antimalware or Internet security software from target endpoints.

    Running the security agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

    Many of the incompatible security programs are automatically detected and removed during installation.

    Note

    • Windows security features (Windows Defender, Windows Firewall) are automatically turned off before initializing the agent installation.

    • After the security agent installation, Windows Defender is automatically re-enabled if enforcement methods are in place (for example, GPO), or you can enable it through the available Windows controls. Once enabled, the security agent no longer manages the Windows Defender activation due to the lack of Windows Action Center. This behavior may occur on the following workstations and servers:

      • Windows 7, Windows 8, Windows 8.1

      • Windows Server 2016, Windows Server 2019, Windows Server 2022

      On Windows 10 and 11 systems the feature is dynamically controlled by Windows through Action Center.

    To learn more and to check the list of the security software detected by Bitdefender Endpoint Security Tools, refer to Software incompatible with Bitdefender Endpoint Security Tools.

    Important

    If you want to deploy the security agent on an endpoint with Bitdefender Antivirus for Mac 5.X, you must first remove the latter manually. For the guiding steps, refer to Deploying Bitdefender Endpoint Security Tools on a machine with Bitdefender Antivirus for Mac.

  3. The installation requires administrative privileges and internet access. If the target endpoints are in an Active Directory domain, you should use domain administrator credentials for remote installation. Otherwise, make sure you have the necessary credentials at hand for all endpoints.

  4. Endpoints must have network connectivity to the GravityZone appliance.

  5. It is recommended to use a static IP address for the Relay server. If you do not set a static IP, use the machine's hostname.

  6. When deploying the agent through a Linux Relay, the following additional conditions must be met:

    • The Relay endpoint must have installed the Samba package (smbclient) version 4.1.0 or above and the net binary/command to deploy Windows agents.

      Note

      The net binary/command is usually delivered with the samba-client and/or samba-common packages. On some Linux distributions (such as CentOS 7.4), the net command is installed only with the full Samba suite (Common + Client + Server). Make sure that your Relay endpoint has the net command available.

    • Target Windows endpoints must have Administrative Share and Network Share enabled.

    • Target Linux and Mac endpoints must have SSH enabled and the connection must be set up by using a username and password.

  7. On macOS, after installing Bitdefender Endpoint Security Tools manually or remotely, users are prompted to approve Bitdefender extensions on their endpoints. Until the users approve the Bitdefender extensions, some features will not work. For the necessary procedures, refer to Bitdefender system extension blocked in macOS.

    With macOS Big Sur (version 11), BEST requires additional user approvals following the changes made by Apple to the operating system. For details, refer to Changes to Bitdefender Endpoint Security Tools in macOS Big Sur and later: network extension, proxy configurations and SSL certificate.

    To eliminate user intervention, you can pre-approve the Bitdefender extensions by whitelisting them using a Mobile Device Management tool like Jamf. For details, refer to Whitelisting Bitdefender extensions in Jamf Pro 10.x.

  8. When deploying the agent in an Amazon EC2 inventory, configure the security groups associated with the instances you want to protect in the Amazon EC2 Side Menu > Network & Security > Security Groups as follows:

    • For remote installation, allow SSH* access from the EC2 instance.

    • For local installation, allow SSH* and RDP (Remote Desktop Protocol) access from the endpoint you connect from.

    * For remote installation on Linux instances you must allow SSH login using username and password.

  9. When deploying the agent in a Microsoft Azure inventory:

    • The target virtual machine must be in the same virtual network with the GravityZone appliance.

    • The target virtual machine must be in the same virtual network with a Relay, which communicates with the GravityZone appliance when the latter is in another network.
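
A pre-flight check for the Linux Relay conditions in step 6, added here as an example (it is not Bitdefender tooling). It assumes `smbclient --version` prints a line such as `Version 4.15.13-Ubuntu`; the function names and the sample version strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: checks the two Linux Relay requirements stated in step 6:
#   - smbclient version 4.1.0 or above
#   - the `net` command available
# Function names and sample strings are illustrative, not part of any product.

MIN_SMBCLIENT="4.1.0"

# Extract the dotted numeric version from `smbclient --version` output,
# e.g. "Version 4.15.13-Ubuntu" -> "4.15.13". Prints nothing if none is found.
parse_smb_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' |
        head -n 1
}

# Return 0 if version $1 >= version $2. Fields are compared numerically, so
# 4.10 is newer than 4.1 (a plain string comparison would get this wrong).
# Missing fields count as 0, so "4.1" equals "4.1.0".
version_ge() {
    _a=$1
    _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}
        _y=${_b%%.*}
        [ -n "$_x" ] || _x=0
        [ -n "$_y" ] || _y=0
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    done
    return 0
}

# Evaluate a Relay from the raw `smbclient --version` output ($1) and whether
# the `net` command was found ($2: "yes" or "no"). Prints one line per finding
# and returns 0 only when both requirements are met.
check_relay_prereqs() {
    _ver=$(parse_smb_version "$1")
    _rc=0
    if [ -z "$_ver" ]; then
        echo "FAIL smbclient: not installed or version not recognised"
        _rc=1
    elif version_ge "$_ver" "$MIN_SMBCLIENT"; then
        echo "OK   smbclient $_ver (>= $MIN_SMBCLIENT)"
    else
        echo "FAIL smbclient $_ver is older than $MIN_SMBCLIENT"
        _rc=1
    fi
    if [ "$2" = "yes" ]; then
        echo "OK   net command found"
    else
        echo "FAIL net command missing (check samba-client / samba-common, or the full Samba suite)"
        _rc=1
    fi
    return "$_rc"
}

# Probe the machine this script runs on (intended to be run on the Relay).
probe_local_relay() {
    _out=$(smbclient --version 2>/dev/null || true)
    if command -v net >/dev/null 2>&1; then _net=yes; else _net=no; fi
    check_relay_prereqs "$_out" "$_net"
}

case "${1:-}" in
    --probe)
        # Real check: exit status is non-zero if a requirement is not met.
        probe_local_relay
        exit $?
        ;;
    *)
        # Demo on constructed sample outputs (not captured from real systems).
        for _sample in "Version 4.15.13-Ubuntu" "Version 3.6.23-51.el6" ""; do
            echo "--- smbclient output: '${_sample}'"
            check_relay_prereqs "$_sample" yes || true
        done
        ;;
esac
```

Run it with `--probe` on the Relay endpoint before scheduling a deployment through it; without arguments it only prints the result for the constructed samples.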

Local installation

One way to install the security agent on an endpoint is to locally run an installation package.

You can create and manage installation packages on the Network > Installation packages page.

Once the first client has been installed, it is used to detect other endpoints in the same network, based on the network discovery mechanism. For detailed information on network discovery, refer to How network discovery works.

To locally install the security agent on an endpoint, follow these steps:

  1. Create an installation package according to your needs.

    Note

    This step is not mandatory if an installation package has already been created for the network under your account.

  2. Download the installation package on the target endpoint.

    You can alternately send the installation package download links by email to several users in your network.

  3. Run the installation package on the target endpoint.

Create installation packages

To create an installation package:

  1. Connect and log in to Control Center.

  2. Go to the Network > Installation Packages page from the left side menu.

  3. Click the Create button at the upper side of the table. A configuration window is displayed.

  4. Enter a descriptive name and description for the installation package you want to create.

  5. From the Language field, select the desired language for the client's interface.

    Note

    This option is available only for Windows operating systems.

  6. Select the operation mode. This will impact the behavior of the security agents installed through the package deployment on your endpoints.

    Note

    This step is required only for licenses that include the EDR module.

    • Detection and prevention - This operation mode allows you to customize what modules to include in the package, and sets the prevention and detection modules to enable and make use of both block and report capabilities.

    • EDR (Report only) - This operation mode pre-configures your package structure to include a specific set of modules, and sets the prevention and detection modules to enable and make use only of report capabilities.

    Note

    The modules included in an EDR (Report only) package are Advanced Threat Control, EDR Sensor, Network Protection with Content Control and Network Attack Defense.

  7. Select the protection modules you want to install.

    Note

    Only the supported modules for each operating system will be installed. On the right side of each module you will find icons indicating what operating systems it is compatible with.

    The module list includes the following components:

    • Antimalware

    • Advanced Threat Control

    • Advanced Anti-Exploit

    • Firewall

    • Network Protection

      • Content Control

      • Antiphishing

      • Web Traffic Scan

      • Network Attack Defense

    • Device Control

    • Power User

    • Application Control

    • Full Disk Encryption

    • Patch Management

    For more information, refer to Bitdefender Endpoint Security Tools.

  8. Select the target endpoint role:

    • Relay, to create the package for an endpoint with Relay role. For more information, refer to the Relay section related to Bitdefender Endpoint Security Tools.

      Warning

      Relay role is only available for Windows and Linux operating systems, and is not supported on legacy operating systems.

      For more information, refer to Supported Operating Systems.

    • Patch Management Cache Server, to make the Relay an internal server for distributing software patches.

      Note

      This role is displayed only when Relay role is selected. For more information, refer to the Patch Caching Server section related to Bitdefender Endpoint Security Tools.

    • Exchange Protection, to install the protection modules for Microsoft Exchange Servers, including antimalware, antispam, content and attachment filtering for the Exchange email traffic and on-demand antimalware scanning of the Exchange databases.

      For more information, refer to Installing Exchange Protection.

  9. Remove Competitors. It is recommended to keep this check box selected to automatically remove any incompatible security software while the Bitdefender agent installs on the endpoint. If you deselect this option, the Bitdefender agent will install next to the existing security solution. You can manually remove the previously installed security solution later, at your own risk.

    Important

    Running the Bitdefender agent simultaneously with other security software on an endpoint may affect their operation and cause major problems with the system.

  10. Scan Mode. Choose the scanning technology that best suits your network environment and your endpoints' resources. You can define the scan mode by choosing one of the following types:

    Available scan modes:

    • Local Scan

    • Hybrid Scan with Light Engines (Public Cloud)

    • Hybrid Scan

    • Central Scan in Public or Private Cloud

    • Central Scan (Public or Private Cloud scanning with Security Server) with fallback on Local Scan (Full Engines)

    • Central Scan (Public or Private Cloud scanning with Security Server) with fallback on Hybrid Scan (Public Cloud with Light Engines)

    • Hybrid Scan with fallback on Central Scan

    For more information on scan modes, refer to Antimalware.

    Available scan types:

    • Automatic. In this case, the security agent will automatically detect the endpoint's configuration and will adapt the scanning technology accordingly:

      • Central Scan in Public or Private Cloud (with Security Server) with fallback on Hybrid Scan (Light Engines), for physical endpoints with low hardware performance and for virtual machines. This case requires at least one Security Server deployed in the network.

      • Local Scan (with Full Engines) for physical endpoints with high hardware performance.

      • Central Scan with fallback on Hybrid Scan for virtual machines

      • Local scan for EC2 instances and Microsoft Azure virtual machines.

      Note

      For Central Scan, you must first deploy a Security Server. For more information on how to install a Security Server, refer to Security Server.

      Endpoints are considered low-performance if their CPU frequency is less than 1.5 GHz or their RAM is less than 1 GB.

    • Custom. In this case, you can configure the scan mode by choosing between several scanning technologies for physical and virtual machines:

      • Central Scan in Public or Private Cloud (with Security Server), which can fallback* on Local Scan (with Full Engines) or on Hybrid Scan (with Light Engines)

      • Hybrid Scan (with Light Engines)

      • Local Scan (with Full Engines)

      Default scan modes:

      • The default scan mode for EC2 instances is Local Scan (security content is stored on the installed security agent, and the scan is run locally on the machine). If you want to scan your EC2 instances with a Security Server, you need to configure the security agent’s installation package and the applied policy accordingly.

        Note

        In this case, the Bitdefender Security Server hosted in the AWS region corresponding to the target EC2 instances is automatically assigned.

      • The default scan mode for Microsoft Azure virtual machines is Local Scan (security content is stored on the installed security agent, and the scan is run locally on the machine). If you want to scan your Microsoft Azure virtual machines with a Security Server, you need to configure the security agent’s installation package and the applied policy accordingly.

      • The default scan mode for BEST for Linux v7 when using the Bitdefender for Security Containers add-on is:

        • Hybrid Scan, for physical endpoints (including container hosts) and nodes (in case of Kubernetes).

        • Central Scan with the fallback on Hybrid Scan for endpoints (including container hosts) and nodes (in case of Kubernetes) that are either virtual machines or on a cloud infrastructure (whether IaaS or PaaS) supported by GravityZone integrations.

          Note

          A Security Server needs to be available for this scan to apply. If none is available the scan mode will be set to Hybrid.

      For more information regarding available scanning technologies, refer to Antimalware.

  11. Security Server Assignment.

    When customizing the scan engines using Public or Private Cloud (Security Server) scanning, you are required to select the locally installed Security Servers you want to use and to configure their priority under the Security Server Assignment section:

    1. Click the Security Server list in the table header. The list of detected Security Servers is displayed.

    2. Select an entity.

    3. Click the Add button from the Actions column header.

      The Security Server is added to the list.

      In the Security Server Assignment section you can assign a specific name and IP address to the Security Server. After assigning the name, click the inline menu icon to edit it.

    4. Follow the same steps to add several security servers, if available. In this case, you can configure their priority using the up and down arrows available at the right side of each entity. When the first Security Server is unavailable, the next one will be used and so on.

    5. To delete one entity from the list, click the corresponding Delete button at the upper side of the table.

    You can choose to encrypt the connection to Security Server by selecting the Use SSL option.

  12. Miscellaneous.

    You can configure the following options on several types of files from the target endpoints:

    • Submit crash dumps. Select this option so that memory dump files will be sent to Bitdefender Labs for analysis if the security agent crashes. The crash dumps will help our engineers find out what caused the problem and prevent it from occurring again. No personal information will be sent.

    • Submit quarantined files to Bitdefender Labs every (hours). By default, quarantined files are automatically sent to Bitdefender Labs every hour. You can edit the time interval at which quarantined files are sent. The sample files will be analyzed by the Bitdefender malware researchers. If malware presence is confirmed, a signature is released to allow removing the malware.

    • Submit suspicious executables to Bitdefender. Select this option so that files that seem untrustworthy or with suspicious behavior will be sent to Bitdefender Labs for analysis.

    • Send feedback regarding the security agents' health

      Select this option to send anonymized telemetry data about the endpoint.

    • Use Bitdefender Global Protective Network (GPN) to enhance protection

      Select this option to submit detections to Bitdefender to improve the efficiency of the Antimalware and Network Protection modules.

      If this option is disabled, you may experience the following:

      • A large amount of false positive/negative detections

      • Delays in detecting zero-day attacks

      • Hybrid Scan engines efficiency significantly reduced

      • Web Traffic filtering negatively affected

      • Other modules relying on Antimalware are also affected

      Important

      If you are using Hybrid Scan engines, you must switch to or have fallback to local scan engines before disabling this option.

  13. On Windows endpoints, Bitdefender Endpoint Security Tools is installed in the default installation directory. Select Use custom installation path if you want to install Bitdefender Endpoint Security Tools in a different location. In this case, enter the desired path in the corresponding field. Use Windows conventions when entering the path (for example, D:\folder). If the specified folder does not exist, it will be created during the installation.

    On Linux endpoints, Bitdefender Endpoint Security Tools is installed by default in the /opt folder.

  14. We recommend setting up a password to prevent users from removing protection.

    Select Set uninstall password and enter the desired password in the corresponding fields.

  15. If the target endpoints are in Network Inventory under Custom Groups, you can choose to move them in a specified folder immediately after the security agent deployment finishes.

    Select Use custom folder and choose a folder in the corresponding table.

  16. Under the Deployer section, choose the entity the endpoints will connect to for communication. The installation of the endpoint can be made through a relay or a GravityZone Appliance. It's not necessary for the relay to be the same as the one specified in the installation package.

    In the Deployer section, in the Selected relay field, you can see the selected relay from the Relays table.

    • GravityZone Appliance, when endpoints connect directly to the GravityZone appliance.

      In this case, you can also define:

      • A custom communication server appliance by entering its IP or hostname, if required.

      • Proxy settings, if target endpoints communicate with the GravityZone appliance via proxy. In this case, select Use proxy for communication and enter the required proxy settings in the fields below.

    • Endpoint Security Relay, if you want to connect the endpoints to a Relay client installed in your network. All machines with Relay role detected in your network will show up in the table displayed below. Select the Relay machine that you want. Connected endpoints will communicate with Control Center only via the specified Relay.

      Important

      Port 7074 must be open for the deployment through Bitdefender Endpoint Security Tools Relay to work.

      If you have a Relay with multiple network adapters, you can use it to deploy BEST to endpoints isolated from GravityZone. In this case, in the Custom server name/IP column, add the IP address that does not have connection to GravityZone.

      For example, the Relay has two network adapters, 192.168.0.16 and 192.168.12.12. Only the first one communicates with GravityZone. After you add the second IP address as custom IP, the target endpoints will use the Relay as communication server to install the security agent.

      To add the desired IP address, follow these steps:

      1. Click the three dots menu.

      2. Click Edit custom server name/IP.

      3. Enter the IP address in the editable field.

      4. Click the OK icon to confirm the change.

  17. Click Save.

Note

The settings configured within an installation package will apply to endpoints immediately after installation. As soon as a policy is applied to the client, the settings configured within the policy will be enforced, replacing certain installation package settings (such as communication servers or proxy settings).

Download installation packages

To download the installation packages of the security agents:

  1. Log in to Control Center from the endpoint on which you want to install protection.

  2. Go to the Network > Installation packages page in the left side menu.

  3. Select the installation package you want to download.

  4. Click Download at the upper side of the table and select from the drop down list the type of installer you want to use. These types of installation files are available:

    • Downloader. The downloader first downloads the full installation kit from the Bitdefender cloud servers and then starts the installation.

      The downloader is small in size, and it can be run on 32-bit, 64-bit (Windows and Linux) systems, ARM64 systems (Windows only) or 64-bit macOS systems (both Intel x86 and Apple ARM architectures), which makes it easy to distribute. On the downside, it requires an active Internet connection.

    • Full kit. The full installation kits are bigger in size and they have to be run on the specific operating system type.

      The full kit is to be used to install protection on endpoints with slow or no Internet connection. Download this file to an Internet-connected endpoint, then distribute it to other endpoints using external storage media or a network share.

      Note

      Available full kit versions:

      • Windows OS: 32-bit, 64-bit and ARM systems

      • Linux OS: 32-bit and 64-bit systems

      • macOS: Intel x86, macOS Downloader and Apple M-series systems

        After downloading the macOS kit (Apple M-series), you must publish it in the Update > Components page of GravityZone Control Center, otherwise the security agent installation will fail.

      Make sure to use the correct version for the system you install on.

      You cannot download more than one installation kit per minute, therefore you must wait 60 seconds between each download attempt.

  5. Save the file to the endpoint.

    Warning

    • The downloader executable must not be renamed, otherwise it will not be able to download the installation files from Bitdefender server.

  6. Additionally, if you have chosen the Downloader, you can create an MSI package for Windows endpoints. For more information, refer to Install Bitdefender Endpoint Security Tools through an MSI package.

Send installation packages download links by email

You may need to quickly inform other users that an installation package is available to download. In this case, follow these steps:

  1. Go to the Network > Installation packages page in the left side menu.

  2. Select the installation package that you want.

  3. Select the Send download links option. A configuration window will appear.

  4. Enter the email address of each user you want to receive the installation package download link. You can add multiple email addresses separated by commas. Press Enter or click the Add button to create the list of email addresses where the installation package will be sent.

    Note

    Please make sure that each entered email address is valid and unique.

  5. The installation links will also be visible in this window before sending them by email.

  6. Click Send. An email containing the installation link is sent to each specified email address.

Run installation packages

For the installation to work, the installation package must be run using administrator privileges.

The package installs differently on each operating system as follows:

  • On Windows and macOS operating systems:

    1. On the target endpoint, download the installation file from Control Center or copy it from a network share.

    2. If you have downloaded the full kit, extract the files from the archive.

    3. Run the executable file.

    4. Follow the on-screen instructions.

    Note

    On macOS, the installation file is in DMG format. When opened, the file mounts two locations: one on the desktop and the other in Finder (in the left-side menu under Locations).

    The security agent on macOS requires Full Disk Access permissions. You must approve them on the endpoint after the setup is complete, as the agent does not prompt for them during installation. For details, refer to Full Disk Access is not allowed for Bitdefender Endpoint Security Tools in macOS.

    The security agent also requires you to approve Bitdefender system extensions on the endpoint. For details, refer to Bitdefender system extension blocked in macOS.

  • On Linux operating systems:

    1. Connect and log in to Control Center.

    2. Download or copy the installation file to the target endpoint.

    3. If you have downloaded the full kit, extract the files from the archive.

    4. Gain root privileges by running the sudo su command.

    5. Change permissions to the installation file so that you can execute it:

      # chmod +x installer

    6. Run the installation file:

      # ./installer

    7. To check that the agent has been installed on the endpoint, run this command:

      $ systemctl status bdsec*

Once the security agent has been installed, the endpoint will show up as managed in Control Center (Network page) within a few minutes.

Important

If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

  • bdredline.exe

  • epconsole.exe

  • epintegrationservice.exe

  • epprotectedservice.exe

  • epsecurityservice.exe

  • epupdateservice.exe

  • epupdateserver.exe

These exclusions must apply as long as the security agent runs on the endpoint. For details, refer to this VMware Horizon documentation page.

Remote installation

Control Center allows you to remotely install the security agent on endpoints from environments integrated with Control Center and on other endpoints detected in the network by using installation tasks. In VMware environments, remote installation relies on VMware Tools, while in Citrix XenServer and Nutanix Prism Element environments, it relies on Windows administrative shares and SSH.

Once the security agent is installed on an endpoint, it may take a few minutes for the rest of the network endpoints to become visible in the Control Center.

Bitdefender Endpoint Security Tools includes an automatic network discovery mechanism that allows detecting endpoints that are not in Active Directory. Detected endpoints are displayed as unmanaged in the Network page, in endpoints view, under Custom Groups. Control Center automatically removes Active Directory endpoints from the detected endpoints list.

To enable network discovery, you must have Bitdefender Endpoint Security Tools already installed on at least one endpoint in the network. This endpoint is used to scan the network and install Bitdefender Endpoint Security Tools on unprotected endpoints.

For detailed information on network discovery, refer to How network discovery works.

Remote installation requirements

For remote installation to work:

  • On Windows:

    • The admin$ administrative share must be enabled. Configure each target workstation not to use advanced file sharing.

    • Configure User Account Control (UAC) depending on the operating system running on the target endpoints. If the endpoints are in an Active Directory domain, you can use a group policy to configure User Account Control. For details, refer to Preparing workstations for Bitdefender Endpoint Security Tools remote deployment.

    • Disable Windows Firewall or configure it to allow traffic through File and Printer Sharing protocol.

    Note

    Remote deployment works only on modern operating systems, starting with Windows 7 / Windows Server 2008 R2, for which Bitdefender provides full support. For more information, refer to Supported operating systems.

  • On Linux: SSH must be enabled.

  • On macOS: remote login and file sharing must be enabled.

Run remote installation tasks

To run a remote installation task:

  1. Connect and log in to Control Center.

  2. Go to the Network page from the left side menu.

  3. Choose Endpoints and Virtual Machines from the views selector.

  4. Select the desired group from the left-side pane.

    The entities contained in the selected group are displayed in the right-side pane table.

    Note

    Optionally, you can apply filters to display unmanaged endpoints only. Click the Filters menu and select the following options: Unmanaged from the Security tab and All items recursively from the Depth tab.

  5. Select the entities (endpoints or groups of endpoints) on which you want to install protection.

  6. Click the Tasks button at the upper side of the table and choose Install agent.

    The Install agent task wizard is displayed.

  7. Under the Options section, configure the installation time:

    • Now, to launch the deployment immediately.

    • Scheduled, to set up the deployment recurrence interval. In this case, select the time interval that you want (hourly, daily or weekly) and configure it according to your needs.

      Note

      For example, when certain operations are required on the target machine before installing the client (such as uninstalling other software and restarting the OS), you can schedule the deployment task to run every two hours. The task will start on each target machine every two hours until the deployment is successful.

  8. If you want target endpoints to automatically restart for completing the installation, select Automatically reboot (if needed).

  9. Under the Credentials Manager section, specify the administrative credentials required for remote authentication on target endpoints. You can add the credentials by entering the user and password for each target operating system.

    Important

    For Windows 8.1 stations, you need to provide the credentials of the built-in administrator account or a domain administrator account. To learn more, refer to Client software deployment on Windows 8.1/10/2012 and above.

    To add the required OS credentials:

    1. Enter the user name and password of an administrator account in the corresponding fields from the table header.

      If endpoints are in a domain, you only need to enter the credentials of the domain administrator.

      Use Windows conventions when entering the name of a user account:

      • For Active Directory machines use the following syntaxes: username@domain.com and domain\username.

        To make sure that entered credentials will work, add them in both forms (username@domain.com and domain\username).

      • For Workgroup machines, you only need to enter the user name, without the workgroup name.

      Optionally, you can add a description that will help you identify each account more easily.

    2. Click the Add button. The account is added to the list of credentials.

      Note

      Specified credentials are automatically saved to your Credentials Manager so that you do not have to enter them the next time.

      To access the Credentials Manager, hover over your username in the upper-right corner of the console.

      Important

      If the provided credentials are invalid, the client deployment is going to fail on the corresponding endpoints.

      Make sure to update the entered OS credentials in the Credentials Manager when these are changed on the target endpoints.

  10. Select the check boxes corresponding to the accounts you want to use.

    Note

    A warning message is displayed as long as you have not selected any credentials.

    This step is mandatory to remotely install the security agent on endpoints.

  11. Under Deployer, choose the entity to which the target endpoints will connect for installing and updating the agent:

    • GravityZone Appliance, when endpoints connect directly to GravityZone Appliance.

      In this case, you can also define:

      • A custom communication server appliance by entering its IP or Hostname, if required.

      • Proxy settings, if target endpoints communicate with GravityZone Appliance via proxy. In this case, select Use proxy for communication and enter the required proxy settings in the fields below.

    • Endpoint Security Relay, if you want to connect the endpoints to a Relay client installed in your network. All machines with the Relay role detected in your network are displayed in the table below. Select the Relay machine that you want. Connected endpoints will communicate with Control Center only via the specified Relay.

      Important

      Port 7074 must be open for the deployment through the Relay agent to work.

    • If you have a Relay with multiple network adapters, you can use it to deploy BEST to endpoints isolated from GravityZone. In this case, in the Custom Server Name/IP column, click the corresponding field to add the IP address that does not have connection to GravityZone.

      For example, the Relay has two network adapters, 192.168.0.16 and 192.168.12.12. Only the first one communicates with GravityZone. After you add the second IP address as custom IP, the target endpoints will use the Relay as communication server to install the security agent.

  12. Use the Additional targets section if you want to deploy the client to specific machines from your network that are not shown in the network inventory. Expand the section and enter the IP addresses or hostnames of those machines in the dedicated field, separated by a comma. You can add as many IPs as you need.

  13. You need to select one installation package for the current deployment. Click the Use package list and select the installation package that you want. You can find here all the installation packages previously created for your account and also the default installation package available with Control Center.

  14. If needed, you can modify some of the selected installation package's settings by clicking the button Customize next to the Use package field.

    The installation package's settings will appear below and you can make the changes that you need. To learn more about editing installation packages, refer to Create installation packages.

    If you want to save the modifications as a new package, select the Save as package option placed at the bottom of the package settings list, and enter a name for the new installation package.

  15. Click Save.

    A confirmation message will appear.

You can view and manage the task in the Network > Tasks page.

If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

  • bdredline.exe

  • epconsole.exe

  • epintegrationservice.exe

  • epprotectedservice.exe

  • epsecurityservice.exe

  • epupdateservice.exe

  • epupdateserver.exe

These exclusions must apply as long as the security agent runs on the endpoint. For details, refer to this VMware Horizon documentation page.

Prepare Linux systems for On-access scanning

Bitdefender Endpoint Security Tools for Linux includes on-access scanning capabilities that work with specific Linux distributions and kernel versions. For more information, refer to Linux system requirements.

Requirements for using on-access scanning with DazukoFS

For DazukoFS and on-access scanning to work together, a series of conditions must be met. Please check if any of the statements below apply to your Linux system and follow the guidelines to avoid issues.

  • The SELinux policy must be either disabled or set to permissive. To check and adjust the SELinux policy setting, edit the /etc/selinux/config file.

  • Bitdefender Endpoint Security Tools is exclusively compatible with the DazukoFS version included in the installation package. If DazukoFS is already installed on the system, remove it prior to installing Bitdefender Endpoint Security Tools.

  • DazukoFS supports certain kernel versions. If the DazukoFS package shipped with Bitdefender Endpoint Security Tools is not compatible with the system's kernel version, the module will fail to load. In that case, you can either update the kernel to the supported version or recompile the DazukoFS module for your kernel version. You can find the DazukoFS package in the Bitdefender Endpoint Security Tools installation path:

    /opt/bitdefender-security-tools/share/dazukofs-modules.tar.gz
  • When sharing files using dedicated servers such as NFS, UNFSv3 or Samba, you have to start the services in the following order:

    1. Enable on-access scanning via policy from Control Center.

    2. Start the network sharing service.

      For NFS:

      # service nfs start

      For UNFSv3:

      # service unfs3 start

      For Samba:

      # service smbd start

    Important

    For the NFS service, DazukoFS is compatible only with NFS User Server.
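The first two DazukoFS requirements above (SELinux not enforcing, no DazukoFS already present) can be checked before installation with a short script. This is an added example, not part of the Bitdefender documentation; the function names are hypothetical, and the kernel module name dazukofs and the /proc/modules lookup are assumptions.

```shell
#!/bin/sh
# Added example: pre-install check for the first two DazukoFS requirements.
# File paths are parameters so the functions can be pointed at test copies.

# Print the SELINUX= value (lower-cased) from a config file, or "absent" when
# the file or the setting is missing. Takes the last uncommented SELINUX= line.
# Note: this file sets the mode applied at boot; getenforce shows the live mode.
selinux_config_mode() {
    cfg=${1:-/etc/selinux/config}
    [ -r "$cfg" ] || { echo absent; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    [ -n "$mode" ] || { echo absent; return 0; }
    echo "$mode" | tr '[:upper:]' '[:lower:]'
}

# Succeed when the configured mode is permissive, disabled, or not set.
selinux_ok() {
    case $(selinux_config_mode "$1") in
        permissive|disabled|absent) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when a module named dazukofs (assumed name) is listed as loaded.
dazukofs_loaded() {
    grep -q '^dazukofs[[:space:]]' "${1:-/proc/modules}" 2>/dev/null
}

# Run both checks, print one line per finding, return the number of problems.
preflight() {
    problems=0
    if selinux_ok "$1"; then
        echo "OK   SELinux configured as: $(selinux_config_mode "$1")"
    else
        echo "FAIL SELinux configured as: $(selinux_config_mode "$1") (need permissive or disabled)"
        problems=$((problems + 1))
    fi
    if dazukofs_loaded "$2"; then
        echo "FAIL a dazukofs module is already loaded; remove that DazukoFS first"
        problems=$((problems + 1))
    else
        echo "OK   no dazukofs module loaded"
    fi
    return "$problems"
}

# Run against the live system only when invoked as: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then preflight; fi
```
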

How network discovery works

Besides integration with Active Directory, GravityZone also includes an automatic network discovery mechanism intended to detect workgroup endpoints.

GravityZone relies on multiple network scanning techniques to perform network discovery. On Windows systems, information is gathered from multiple sources, such as Function Discovery and Active Directory (when the system is joined to a domain). Therefore, the list of systems identified and reported by network discovery can differ from the list of machines displayed under File Explorer > Network on the machine running network explorer.

On Linux systems, network discovery relies on the ARP protocol to discover entities in a Local Area Network and also on port scanning to reliably identify machines.

To enable automatic network discovery, Bitdefender Endpoint Security Tools Relay should already be installed on at least one endpoint in the network, with a policy applied that has “Automatic discovery of new endpoints” checked. This endpoint will be used to scan the network.

Besides automatic network discovery, you can also run a one-time network discovery by selecting any managed Windows/Linux endpoint and applying a “Run network discovery” task.

Important

On Linux systems that are domain-joined, Active Directory is not used as a source of information.

BEST Relay only queries the network to obtain the list of workstations and servers (known as the browse list), and then sends it to Control Center. Control Center processes the browse list, appending newly detected endpoints to its Unmanaged endpoints list.

Previously detected endpoints are not deleted after a new network discovery query, so you must manually exclude and delete endpoints that are no longer on the network.

Note

BEST Relay performs network discovery and communicates with Control Center via the epintegrationservice for Windows and the epagng service for Linux.

The initial query for the browse list is carried out by the first BEST Relay installed on the network.

  • If the Relay is installed on a workgroup endpoint, its workgroup is used as a source of information.

  • If the Relay is installed on a domain endpoint, its domain is used as a source of information. Only endpoints from that domain and the network the Relay belongs to will be visible in Control Center. Endpoints from other domains can be detected if there is a trust relationship with the domain where the Relay is installed.

Important

Network discovery uses all information sources that are present on an endpoint. For example, if a Windows endpoint has Function Discovery services running and it is domain-joined, network discovery pulls data from both sources.

Subsequent network discovery queries are performed regularly every four hours when Automatic discovery of new endpoints is checked in the applied policy. For each new query, Control Center divides the managed endpoints space into visibility areas and then designates one Relay in each area to perform the task.

A visibility area is a group of endpoints that detect each other. Usually, a visibility area is defined by a workgroup or domain, but this depends on the network topology and configuration. In some cases, a visibility area might consist of multiple domains and workgroups.

If a selected Relay fails to perform the query, Control Center waits for the next scheduled query, without choosing another Relay to try again.

For full network visibility, the Relay should be installed on at least one endpoint in each workgroup or domain in your network, with a policy applied that has “Automatic discovery of new endpoints” checked. Ideally, Bitdefender Endpoint Security Tools should be installed on at least one endpoint in each subnetwork.

Network discovery will report IPv4 addresses of the discovered endpoints.

Network discovery requirements

To successfully discover all the endpoints (servers and workstations) that will be managed from Control Center, the network scanning techniques require the following settings and services:

Windows systems

  • The endpoint is joined to a workgroup or domain and connected via an IPv4 local network.

  • Media streaming is turned on.

  • Network discovery is enabled in the Control Panel > Network and Sharing Center > Change advanced sharing settings section.

  • The following services are running:

    • DNS Client

    • Function Discovery Provider Host

    • Function Discovery Resource Publication

    • SSDP Discovery

    • UPnP Device Host

  • For environments with multiple domains, a trust relationship between domains is set up and endpoints can access browse lists from other domains.

Linux systems

  • A Web Service Discovery host daemon implemented by a custom wsdd service is running (applies to Ubuntu OS).

Mac systems

  • File sharing is enabled.

Note

The best results are achieved, meaning the largest number of endpoints are discovered, when all the above requirements are met.