Settings
In this section you can configure the quarantine settings and the scan exclusion rules.
Quarantine
You can configure the following options for the quarantined files from the target endpoints:
Delete files older than (days) - By default, quarantined files older than 30 days are automatically deleted. If you want to change this interval, choose a different option from the menu.
Submit quarantined files to Bitdefender Labs every (hours) - By default, quarantined files are automatically sent to Bitdefender Labs every hour. You can change the interval at which quarantined files are sent (one hour by default).
The sample files are analyzed by Bitdefender malware researchers. If malware presence is confirmed, a signature is released so that the malware can be removed.
Rescan quarantine after security content updates - Keep this option selected to automatically scan locally quarantined files after each security content update. Clean files are automatically moved back to their original location.
Copy files to quarantine before applying the disinfect action - Select this option to prevent data loss in case of false positives and copy each file detected as infected to quarantine before applying the disinfect action. You can afterwards restore legitimate files from the Quarantine page.
Allow users to take actions on local quarantine - This option controls the actions that endpoint users can take on locally quarantined files through the Bitdefender Endpoint Security Tools interface.
By default, local users can restore or delete quarantined files from their computer using the options available in Bitdefender Endpoint Security Tools.
If you disable this option, the action buttons for quarantined files are no longer available to users in the Bitdefender Endpoint Security Tools interface.
Note
Availability and functioning of this feature may differ depending on the license included in your current plan.
Centralized Quarantine
If you want to keep the quarantined files from your managed endpoints for further analysis, use the Centralized Quarantine option, which sends an archived copy of each local quarantined file to a network share.
Note
Availability and functioning of this feature may differ depending on the license included in your current plan.
After enabling this option, each quarantined file from the managed endpoints is copied and packed in a password-protected ZIP archive to the specified network location. The archive name is the hash of the quarantined file.
Important
The archive size limit is 100 MB. If the archive exceeds 100 MB, it will not be saved on the network shared location.
To configure the centralized quarantine settings, fill in the following fields:
Archive password - enter the password required for the quarantined files archive.
The password must contain at least one upper case character, at least one lower case character and at least one digit or special character.
Confirm the password in the following field.
Share path - enter the network path where you want to store the archives (for example, \\computer\folder).
Username and password - required to connect to the network share. The supported formats for the username are:
username@domain
domain\username
username
For the centralized quarantine to work properly, make sure the following conditions are met:
The shared location is accessible in the network.
The endpoints have connectivity to the network share.
The login credentials are valid and provide write access to the network share.
The network share has enough disk space.
Note
Centralized quarantine does not apply to mail servers quarantine.
If you have a local Sandbox Analyzer instance configured in the Sandbox Analyzer > Endpoint Sensor section, you can select the check box Automatically submit items from quarantine to a Sandbox Analyzer.
Note
Depending on the license included in your current plan, the size of submitted items may be capped at a maximum of 50 MB.
Exclusions
Bitdefender security agent can exclude from scanning certain object types. Antimalware exclusions are to be used in special circumstances, or following Microsoft or Bitdefender recommendations. For Microsoft recommendations, refer to the official documentation.
In this section, you can configure the use of different types of exclusions available with the Bitdefender security agent.
You can define In-policy exclusions for in-house developed applications or customized tools, according to your specific needs. In-policy exclusions are available only to the policy in which they have been defined.
You can also add one or more exclusion lists created in the Configuration Profiles section to the policy. Because such lists are defined outside the policy, the same list can be reused in multiple policies.
You can customize the list of enabled recommended vendor and product exclusions.
In-policy exclusions
In-policy antimalware exclusions apply to one or more of the following scanning methods:
On-access scanning
On-execute scanning
On-demand scanning
Advanced Threat Control (ATC/IDS)
Ransomware Mitigation
Important
If you have an EICAR test file that you use periodically to test antimalware protection, you should exclude it from on-access scanning.
If using VMware Horizon View 7 and App Volumes AppStacks, refer to this VMware document.
To exclude specific items from scanning, select the In-policy exclusions option and then add the rules into the table underneath.
To add an exclusion rule:
Select the exclusion type from the menu:
File: only the specified file.
Folder: all files and processes inside the specified folder and from all of its subfolders.
Extension: all items having the specified extension.
Process: any object accessed by the excluded process.
File Hash: the file with the specified hash. GravityZone supports the SHA-256 hash algorithm.
Note
Adding File Hash type exclusions could result in high CPU usage due to the checksum calculations performed.
Certificate Hash: all the applications and PowerShell scripts (for Windows endpoints) under the specified certificate hash (thumbprint).
Threat Name: any item having the detection name (not available for Linux operating systems).
Command Line: the specified command line (available only for Windows operating systems).
Warning
In agentless VMware environments integrated with NSX, you can exclude only folders and extensions.
Provide the details specific to the selected exclusion type:
File, Folder or Process
Enter the path to the item to be excluded from scanning. You have several helpful options to write the path:
Declare the path explicitly:
For example:
C:\temp
To add exclusions for UNC paths, use any of the following syntaxes:
\\hostName\shareName\filePath
\\IPaddress\shareName\filePath
Use the system variables available in the drop-down menu. For process exclusions, you must also add the name of the application's executable file.
For example:
%ProgramFiles% - excludes the Program Files folder.
%WINDIR%\system32 - excludes the system32 folder within the Windows folder.
Note
It is advisable to use system variables (where appropriate) to make sure the path is valid on all target computers.
Use wildcards:
The asterisk (*) substitutes for zero or more characters, except path delimiters. The double asterisk (**) substitutes for zero or more characters, including path delimiters. The question mark (?) substitutes for exactly one character. You can use several question marks to define any combination of a specific number of characters; for example, ??? substitutes for any combination of exactly three characters.
For example:
C:\Test\*.* - excludes all files in the Test folder.
C:\Test\*.png - excludes all PNG files in the Test folder.
C:\Test\* - excludes all files in the Test folder.
**\file.txt - excludes all files named file.txt, regardless of where they are located.
**\my_folder\*\file.txt - excludes file.txt from every subfolder exactly one level under my_folder, wherever my_folder is located in the folder tree.
**\application*.exe - excludes all .exe files whose name is application followed by zero or more characters, regardless of where they are located.
C:\MyApp\** - excludes all files and folders in the MyApp folder, regardless of the depth level.
C:\Program Files\WindowsApps\Microsoft.Not??.exe - excludes the Microsoft Notes processes.
Note
The double asterisk (**) can lead to undesired exclusions when misused, therefore we recommend caution.
The double asterisk (**) is not available on macOS. On this operating system you can only use the asterisk (*) and the question mark (?) as wildcards.
Process exclusions do not support wildcards on Linux operating systems.
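The following Python script is an added example, not part of the Bitdefender documentation or of the security agent. It models the wildcard rules described above as an anchored regular expression so that you can check which paths a candidate exclusion would cover before adding it to a policy. It assumes that both backslash and slash count as path delimiters, that ? does not match a delimiter, and that matching is case-insensitive as on Windows; the agent's own matching may differ in edge cases, so treat the output as a review aid rather than as a specification.

```python
import re

# Both backslash and slash are treated as path delimiters (assumption).
_DELIMS = r"\\/"


def exclusion_to_regex(pattern: str, allow_double_star: bool = True) -> "re.Pattern[str]":
    """Translate a path exclusion into an anchored, case-insensitive regex.

    Wildcard rules as documented on this page:
      *   zero or more characters, never crossing a path delimiter
      **  zero or more characters, including path delimiters
      ?   exactly one character (assumed not to match a delimiter)
    allow_double_star=False models macOS, where ** is not available and the
    two asterisks are just two single-segment wildcards in a row.
    """
    parts = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            if allow_double_star and pattern.startswith("**", i):
                parts.append(".*")
                i += 2
                continue
            parts.append(f"[^{_DELIMS}]*")
        elif ch == "?":
            parts.append(f"[^{_DELIMS}]")
        elif ch in "\\/":
            parts.append(f"[{_DELIMS}]")
        else:
            parts.append(re.escape(ch))
        i += 1
    # IGNORECASE models Windows path matching (assumption).
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str, allow_double_star: bool = True) -> bool:
    """True when the whole path is covered by the exclusion pattern."""
    return exclusion_to_regex(pattern, allow_double_star).fullmatch(path) is not None


def review_exclusions(patterns, sample_paths, allow_double_star=True):
    """Map each pattern to the sample paths it would exclude."""
    return {pat: [p for p in sample_paths if matches(pat, p, allow_double_star)]
            for pat in patterns}


if __name__ == "__main__":
    # Constructed sample paths; not taken from any real endpoint.
    samples = [
        r"C:\Test\report.png",
        r"C:\Test\sub\report.png",
        r"C:\Users\bob\temp\dropper.exe",
        r"C:\Windows\Temp\svc.dll",
        r"C:\MyApp\bin\x64\core.dll",
    ]
    rules = [r"C:\Test\*.png", r"**\temp\**", r"C:\MyApp\**"]
    for pat, hits in review_exclusions(rules, samples).items():
        print(f"{pat:25} -> {hits}")
```

Running review_exclusions over a handful of paths from your own estate shows how far a double-asterisk rule reaches: in the constructed sample, **\temp\** covers a file in any user's temp directory as well as C:\Windows\Temp, which is exactly the kind of over-broad exclusion the note above warns about. The allow_double_star=False switch reproduces the macOS behaviour, where the same pattern can no longer cross a folder boundary.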
Extension
Enter one or more file extensions to be excluded from scanning, separating them with a semicolon ";". You can enter extensions with or without the preceding dot. For example, enter txt to exclude text files.
Note
On Linux-based systems, file extensions are case sensitive, and files with the same name but a different extension case are considered distinct objects. For example, file.txt is different from file.TXT.
File hash, Certificate hash, Threat name, or Command line
Enter the file hash, certificate thumbprint (hash), the exact name of the threat or the command line depending on the exclusion rule. You can use one item per exclusion.
Select the scanning methods to which the rule applies. Some exclusions may be relevant for just one of the scanning modules (On-access scanning, On-demand scanning, ATC/IDS, Ransomware Mitigation), while others may be recommended for all of the modules.
Optionally, click the Show remarks button to add a note in the Remarks column about the rule.
Click the Add button.
The new rule will be added to the policy.
To remove a rule from the policy, click the corresponding Delete button.
Important
On-demand scanning exclusions do NOT apply to contextual scanning. Contextual scanning is initiated by right-clicking a file or folder and selecting Scan with Bitdefender Endpoint Security Tools.
Importing exclusions
You can reuse the exclusion rules in more policies by importing them.
To import custom exclusions:
Click Import. The Import Policy Exclusions window opens.
Click Add and then select the CSV file.
Click Save.
The table is populated with the valid rules.
Note
If the CSV file contains invalid rules, a warning informs you of the corresponding row numbers.
Each row in the CSV file corresponds to a single rule, having the fields in the following order:
<exclusion type>, <object to be excluded>, <modules>
These are the available values for the CSV fields:
Exclusion type:
1, for file exclusions
2, for folder exclusions
3, for extension exclusions
4, for process exclusions
5, for file hash exclusions
6, for certificate hash exclusions
7, for threat name exclusions
8, for command line exclusions
Object to be excluded:
A path, a file extension, a file hash, a certificate thumbprint, a threat name, or a command line, depending on the exclusion type.
Modules:
1, for on-demand scanning
2, for on-access scanning
3, for all modules
4, for ATC/IDS
6, for Ransomware Mitigation
For example, a CSV file containing antimalware exclusions may look like this:
1,"d:\\temp",1
2,%WinDir%,3
4,"%WINDIR%\\system32",4
Note
The Windows paths must have the backslash (\) character doubled. For example, %WinDir%\\System32\\LogFiles.
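As an added example (not Bitdefender's own code or importer), the following Python helpers build an import CSV from a list of rules, double the backslashes as the format requires, and read such a file back, reporting invalid rows by number the way the import warning does. The validity checks are limited to what this page states: type codes 1 to 8, module codes 1, 2, 3, 4 and 6, and a 64-hex-digit SHA-256 for file hash rules; the additional check that an extension rule contains no path separator is an assumption of this example.

```python
import csv
import io
import re

# Field codes as listed on this page for the Import Policy Exclusions CSV.
EXCLUSION_TYPES = {1: "file", 2: "folder", 3: "extension", 4: "process",
                   5: "file hash", 6: "certificate hash",
                   7: "threat name", 8: "command line"}
MODULES = {1: "on-demand", 2: "on-access", 3: "all modules",
           4: "ATC/IDS", 6: "Ransomware Mitigation"}
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def validate_rule(type_code, obj, module_code):
    """Return a list of problems; empty when the rule is acceptable."""
    problems = []
    if type_code not in EXCLUSION_TYPES:
        problems.append(f"unknown exclusion type {type_code}")
    if module_code not in MODULES:
        problems.append(f"unknown module code {module_code}")
    if not obj.strip():
        problems.append("empty object")
    elif type_code == 5 and not _SHA256.match(obj):
        # GravityZone supports SHA-256 for file hash exclusions.
        problems.append("file hash is not a 64-hex-digit SHA-256")
    elif type_code == 3 and any(ch in obj for ch in "\\/"):
        # Extensions are bare names separated by ';' (assumption: no paths).
        problems.append("extension rule must not contain a path")
    return problems


def format_row(type_code, obj, module_code):
    """One CSV row; Windows backslashes are doubled as the import requires."""
    field = obj.replace("\\", "\\\\")
    if any(ch in field for ch in '\\,"'):   # quote the way the page sample does
        field = '"' + field.replace('"', '""') + '"'
    return f"{type_code},{field},{module_code}"


def build_exclusion_csv(rules):
    """rules: iterable of (type_code, obj, module_code) tuples.

    Raises ValueError naming the offending row, so a bad rule never reaches
    the importer; returns the CSV text otherwise.
    """
    lines = []
    for n, (t, obj, m) in enumerate(rules, start=1):
        problems = validate_rule(t, obj, m)
        if problems:
            raise ValueError(f"row {n}: " + "; ".join(problems))
        lines.append(format_row(t, obj, m))
    return "\n".join(lines) + "\n"


def parse_exclusion_csv(text):
    """Read an import CSV back into (rules, errors).

    errors is a list of (row_number, reason), mirroring the row-number
    warning the Import Policy Exclusions window shows for invalid rules.
    """
    rules, errors = [], []
    for n, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != 3:
            errors.append((n, f"expected 3 fields, got {len(row)}"))
            continue
        try:
            t, m = int(row[0]), int(row[2])
        except ValueError:
            errors.append((n, "type and module must be integers"))
            continue
        obj = row[1].replace("\\\\", "\\")   # undo the backslash doubling
        problems = validate_rule(t, obj, m)
        if problems:
            errors.append((n, "; ".join(problems)))
        else:
            rules.append((t, obj, m))
    return rules, errors


if __name__ == "__main__":
    # Constructed rules reproducing the sample CSV on this page.
    text = build_exclusion_csv([(1, r"d:\temp", 1),
                                (2, "%WinDir%", 3),
                                (4, r"%WINDIR%\system32", 4)])
    print(text, end="")
    print(parse_exclusion_csv("9,x,1\n5,notahash,3\n"))
```

Generating the file from a reviewed list of tuples, rather than hand-editing it, keeps the backslash doubling and the numeric codes consistent across the policies you import it into; parse_exclusion_csv is also handy for auditing a CSV someone else hands you before it touches a production policy.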
Vendor and product exclusions
Vendor and product exclusions refer to all recommended exclusions included in Bitdefender security agent. This option is enabled by default.
Caution
You can choose to disable vendor and product exclusions, if you want to scan all types of objects, but this option will considerably impact the machine performance and will increase the scan time.
With the vendor and product exclusions option enabled:
If the Custom toggle is off, all the recommended vendor and product exclusions are added to the policy by default.
If the Custom toggle is on, you can select from the drop-down menu which vendor and product exclusions to apply to the policy.
Adding exclusion lists from configuration profiles to policy
To add exclusion lists from configuration profiles to the policy:
From the drop-down menu, select the lists you want to add to the policy.
Each list selected from the drop-down will populate the grid area, where you can see how many endpoints will be impacted by the added exclusion list.
After assessing which lists to include, click Save to complete the process.
Note
For more details on how to create and manage exclusion lists, refer to Configuration profiles .
Overriding exclusions
You can run scan tasks with a set of exclusions other than the general ones defined in the Antimalware > Settings policy section. These exclusions apply only to on-demand scanning.
Open the custom scan task configuration window:
For instant scan tasks (runs once)
Log in to GravityZone Control Center.
Go to the Network page from the left side menu.
Select the target endpoints.
Click the Tasks button in the Action Toolbar and select Scan.
In the General tab, select Custom scan.
For scheduled scan tasks
Log in to GravityZone Control Center.
Go to the Policies page from the left side menu.
Open the policy template assigned to your target endpoint.
Go to the Antimalware > On-demand section.
Click Add, and then select Custom. If you already have a task created, select the task from the list.
Configure the other available settings. For details, refer to Managing Network Objects > Computers > Running Tasks > Scan section of the GravityZone Administrator's Guide.
In the Target tab > Exclusions section, choose the option Define custom exclusions for this scan.
Add the exclusion rules. For more info, refer to In-policy exclusions.
Click Save to add the exclusion rule.
Click Save once more to save the policy.