Endpoint protection
To protect your network with Bitdefender, you must install the GravityZone security agents on network endpoints. For optimized protection, you can also install Security Servers. For this purpose, you need a Control Center user with administrator privileges over the services you need to install and over the network endpoints under your management.
Requirements for the security agent are different, based on whether has additional server roles, such as Relay, Exchange Protection or Patch Caching Server. For more information on the agent's roles, refer to this section.
Important
Make sure that the HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy
registry key is set to any value other than 8 = Good only
.
Hardware
Security agent without roles
CPU
Target systems | CPU type | Supported operating systems (OSes) |
---|---|---|
Workstations | Intel® Pentium compatible processors, 2 GHz or faster | Microsoft Windows desktop OSes |
Intel® Core 2 Duo, 2 GHz or faster Apple M-series | macOS | |
Smart devices | Intel® Pentium compatible processors, 800 MHZ or faster | Microsoft Windows Embedded OS |
Servers | Minimum: Intel® Pentium compatible processors, 2.4 GHz | Microsoft Windows Server OSes and Linux OSes |
Recommended: Intel® Xeon multi-core CPU, 1.86 GHz or faster |
Free RAM memory
At installation (MB)
OS | Single Engine | |||||
---|---|---|---|---|---|---|
Local Scanning | Hybrid Scanning | Centralized Scanning | ||||
AV Only | Full Options | AV Only | Full Options | AV Only | Full Options | |
Windows | 1024 | 1200 | 512 | 660 | 256 | 400 |
Linux | 1024 | 1024 | 512 | 512 | 256 | 256 |
macOS | 1024 | 1024 | n/a | n/a | n/a | n/a |
For daily usage (MB)*
OS | Antimalware (single engine) | Protection modules | |||||||
---|---|---|---|---|---|---|---|---|---|
Local | Hybrid | Centralized | Advanced Threat Control | Firewall | Content Control | Power User | Update Server | Advanced Anti-Exploit | |
Windows | 75 | 55 | 30 | +13 | +17 | +41 | +29 | +80 | +13 |
Linux | 200 | 180 | 90 | - | - | - | - | - | +60 |
macOS** | 780 | - | - | +40 | - | +160 | - | - | - |
* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.
** Overall daily usage on macOS is around 1.5 GB of RAM when including other modules such as Full Disk Encryption (~20 MB), Device Control (~50 MB), Network Attack Defense (~160 MB), and Endpoint Detection and Response (~240 MB).
Free disk space
At installation
OS | SINGLE ENGINE | DUAL ENGINE | ||||||||
---|---|---|---|---|---|---|---|---|---|---|
Local Scanning | Hybrid Scanning | Centralized Scanning | Centralized + Local Scanning | Centralized + Hybrid Scanning | ||||||
AV Only | Full Options | AV Only | Full Options | AV Only | Full Options | AV Only | Full Options | AV Only | Full Options | |
Windows | 1024 | 1200 | 500 | 700 | 350 | 570 | 1024 | 1200 | 500 | 700 |
Linux | 2500 | 2500 | 1100 | 1100 | 600 | 600 | 1600 | 1600 | 1100 | 1100 |
macOS | 1024 | 1024 | n/a | n/a | n/a | n/a | n/a | n/a | n/a | n/a |
For daily usage (MB)*
OS | Antivirus (Single Engine) | Protection Modules | |||||||
---|---|---|---|---|---|---|---|---|---|
Local | Hybrid | Centralized | Advanced Threat Control | Firewall | Content Control | Power User | Update Server | Advanced Anti-Exploit | |
Windows | 410 | 190 | 140 | +12 | +5 | +60 | +80 | +10 | +12 |
Linux | 500 | 200 | 110 | - | - | - | - | - | +60 |
macOS | 1700 | - | - | +20 | - | +0 | - | - | - |
* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.
Security agent with Relay role
The Relay role needs hardware additional resources to the basic security agent's configuration. These requirements are to support the Update Server and installation packages hosted by the endpoint:
Number of connected endpoints | CPU to support Update Server | RAM | Free disk space for Update Server |
---|---|---|---|
1 - 300 | minimum Intel® Core™ i3 or equivalent processor, 2 vCPU per core | 1 GB | 10 GB |
300 - 1000 | minimum Intel® Core™ i5 or equivalent processor, 4 vCPU per core | 1 GB | 10 GB |
Warning
Relay agents require SSD disks, to support the high amount of read/write operations.
Important
If you want to save the installation packages and updates to another partition than the one where the agent is installed, make sure both partitions have sufficient free disk space (10 GB), otherwise, the agent aborts the installation. This is required only at installation.
On Windows endpoints, local to local symbolic links must be enabled.
Security agent with Exchange Protection role
The quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed.
The quarantine size depends on the number of items stored and their size.
By default, the agent is installed on the system partition.
Security agent with Patch Caching Server role
The agent with Patch Caching Server role must meet the following cumulative requirements:
All hardware requirements of the simple security agent (without roles)
All hardware requirements of the Relay role
Additionally 100 GB of free disk space to store the downloaded patches
Important
If you want to save the patches to another partition than the one where the agent is installed, make sure both partitions have sufficient free disk space (100 GB), otherwise, the agent aborts the installation. This is required only at installation.
The following table indicates the number of simultaneous connections supported by a machine that has only the Patch Caching Server role installed.
Number of connected endpoints | CPU to support Update Server | RAM | Free disk space for Update Server | Disk type |
---|---|---|---|---|
1 - 500 | minimum Intel® Core™ i3 or equivalent processor, 2 vCPU per core | 2 GB | 100 GB | SSD |
500 - 1500 | minimum Intel® Core™ i5 or equivalent processor, 4 vCPU per core | 4 GB | 100 GB | SSD |
Important
Bitdefender performed the tests using machines running Ubuntu 20.04 LTS and Windows Server 2016.
For machines that have other roles installed in addition to Patch Caching Server, you must consider allocating more hardware resources.
Security Containers
Configure the guest operating systems where you are deploying BEST as follows:
Resource | Minimum | Recommended |
---|---|---|
Processor | 2 vCPUs | 4 vCPUs |
Memory (RAM) | 4 GB RAM | 6 GB RAM |
Free Disk Space | 2.5 GB (up to 4 GB disk with debug logs enabled) | 4 GB |
Software requirements
GravityZone requirements
BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.
Additional software requirements
On-access scanning is available for supported operating systems as follows:
Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.
Kernel 2.6.32 - 2.6.37 - CentOS 6.x Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.
You need auditd as a fallback mechanism in case kProbes are not available for your Kernel version.
Public Cloud Requirements
Select Instance or VM type where you are deploying BEST as follows:
Cloud Service Provider (CSPs) | Minimum (instance type) | Recommended (instance type) |
---|---|---|
Amazon Web Services (AWS) | T2 medium | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Microsoft Azure | Standard B2s | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Google Cloud Platform (GCP) | E2-medium or E2-standard-2 | Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD |
Note
For other CSPs, you should consider the same requirements as described above.
Supported operating systems
GravityZone modules and features are available on all versions of supported operating systems, according to each type of endpoint (Windows, Linux, or macOS). In case of Windows, exceptions are the core versions or systems that lack a graphical user interface. See the features distribution by endpoint type here.
Windows desktop
Windows 11 October 2024 Update (24H2)
Windows 11 October 2023 Update (23h2)
Windows 10 November 2022 Update (22H2)
Windows 11 September 2022 Update (22h2)
Windows 11 (initial release)
Windows 10 November 2021 Update (21H2)
Windows 10 May 2021 Update (21H1)
Windows 10 October 2020 Update (20H2)
Windows 10 May 2020 Update (20H1)
Windows 10 May 2019 Update (19H1)
Windows 10 October 2018 Update (Redstone 5)
Windows 10 April 2018 Update (Redstone 4)
Windows 10 Fall Creators Update (Redstone 3)
Windows 10 Creators Update (Redstone 2)
Windows 10 Anniversary Update (Redstone 1)
Windows 10 November Update (Threshold 2)
Windows 10 (initial release)
Windows 8.1(*)
Windows 8(*)
Windows 8
Windows 7*
Warning
(*) In VMware NSX, the OS version is supported starting with vSphere 5.5 Patch 2.
Warning
Bitdefender does not support Windows Insider Program builds.
Starting with BEST Windows version 7 the following patches must be installed on Windows 7 systems. The minimum requirement for this installation is Windows Service Pack 1:
Windows tablet and embedded
Windows 10 IoT Enterprise
Windows Embedded 8.1 Industry
Windows Embedded 8 Standard
Windows Embedded Standard 7
Windows Embedded Compact 7
Windows Embedded POS Ready 7
Windows Embedded Enterprise 7
Windows Server
Windows Server 2022 Core
Windows Server 2022
Windows Server 2019 Core
Windows Server 2019
Windows Server 2016
Windows Server 2016 Core
Windows Server 2012 R2(1)
Windows Server 2012(2)(3)
Windows Small Business Server (SBS) 2011
Windows Server 2008 R2(3)
*Patch Management is not supported.
Important
Bitdefender Endpoint Security Tools supports the Windows Server Failover Cluster (WSFC) technology.
Warning
(1) In VMware NSX, the OS version is supported starting with vSphere 5.5 Patch 2.
(2) In VMware NSX, the OS version is supported starting with vSphere 5.5.
(3) VMware NSX does not support the 32-bit versions of Windows 2012 and Windows Server 2008 R2.
Certificate prerequisites
The following is a list of prerequisites for installing Bitdefender Endpoint Security Tools for Windows:
Import the DigiCert Global Root G2 certificate. It must be imported as a trusted certificate by following these steps:
Download the DigiCert Global Root G2 certificate.
Press Win + R to open the Run window.
Type
mmc
and click Ok. This will open the Microsoft Management Console (MMC) window.Go to File > Add/Remove snap-in.
Select Certificates and click Add.
Select Computer account and click Next.
Select Local computer and click Finish.
Click Ok.
Go to Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities.
Right click Certificates > All tasks > Import > Next.
Navigate to the folder where the DigiCert Global Root G2 was downloaded and select it.
Click Next until the setup wizard is completed.
Close the MMC window and select No when prompted to save any changes.
Enable SHA256 certificates. Without them, the installer does not work at all. For more information, refer to the Microsoft Security Advisory 3033929.
Make sure your root certificates are up to date:
Bitdefender certificates
Timestamp certificates: we generally use Symantech/ Digicert
If the trusted signature is invalid, make sure Automatic Root Certificate Updates are enabled:
Open the Run command window, type
gpedit.msc
and press EnterSelect Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings
Double click Turn off Automatic Root Certificates Update and select the Disabled option.
Open Command Prompt with administrative right and run the following command:
certutil -setreg chain\ChainCacheResyncFiletime @now
In addition, you can manually add the following Digicert certificates, from the Official DigiCert Trusted Root Authority Certificates page:
DigiCert Global Root CA
DigiCert Assured ID Root CA
DigiCert SHA2 Assured ID Code Signing CA
DigiCert Trusted Root G4
DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
VeriSign Universal Root Certification Authority
Enable the Universal Microsoft C Runtime (UCRT) component. The UCRT is available by using Windows Update on older operating systems that are still in extended support. Alternatively, you can find the updates through the Microsoft Download Center.
If the following error occurs, your system is out of date:
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
Note
This only applies to Windows 7 and Windows Server 2008 R2 machines.
Supported cipher modes
As of October 2022, Bitdefender supports the following cipher modes:
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-DSS-AES128-GCM-SHA256
DHE-DSS-AES256-GCM-SHA384
TLS_AES_128_GCM_SHA256
TLS_AES_256_GCM_SHA384
Linux
Note
This applies to both Bitdefender Endpoint Security Tools for Linux and Security Containers.
Important
Linux endpoints use license seats from the pool of licenses for server operating systems.
Fully Supported Linux Modern Distributions
Distribution | Architecture | Kernel Versions | Cloud Platform Availability |
---|---|---|---|
RPM-based | |||
RHEL 7.x | 64-bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
RHEL 8.x | 64-bit | 4.18.0.x | AWS, AZURE, GCP |
RHEL 9.x | 64-bit | 5.14.0.x | AWS |
Oracle Linux 7.x UEK | 64-bit | 4.18.0.x | AWS, AZURE |
Oracle Linux 7.x RHCK | 64-bit | 3.10.0.x (starting from build 957) | AWS, AZURE |
Oracle Linux 8.x UEK | 64-bit | 5.4.17.x / 5.15.0.x | AWS |
Oracle Linux 8.x RHCK | 64-bit | 4.18.0.x | AWS |
Oracle Linux 9.x UEK | 64-bit | 5.15.0.x | AWS |
Oracle Linux 9.x RHCK | 64-bit | 5.14.0.x | AWS |
CentOS 7.x | 32-bit, 64-bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
CentOS 8 Stream | 64-bit | 4.18.0.x | AWS, AZURE, GCP |
CentOS 9 Stream | 64-bit | 5.14.0.x | AWS, AZURE, GCP |
Fedora 37 - 40 | 64-bit | Supported until it expires. | AWS |
AlmaLinux 8.x | 64-bit | 4.18.0.x | AWS, AZURE, GCP |
AlmaLinux 9.x | 64-bit | 5.14.0.x | AWS |
Rocky Linux 8.x | 64-bit | 4.18.0.x | AWS, AZURE, GCP |
Rocky Linux 9.x | 64-bit | 5.14.0.x | AWS, AZURE, GCP |
CloudLinux 7.x | 64-bit | 3.10.0.x (starting from build 957) | AWS, AZURE, GCP |
CloudLinux 8.x | 64-bit | 4.18.0.x | AWS, AZURE, GCP |
Miracle Linux 8.x | 64-bit | 4.18.0.x | |
Kylin v10 RHEL | 64-bit | 4.19.90.x | |
Debian-based | |||
Debian 9 | 32-bit, 64-bit | 4.9.0.x | AWS, AZURE, GCP |
Debian 10 | 32-bit, 64-bit | 4.19.x | AWS, AZURE, GCP |
Debian 11 | 32-bit, 64-bit | 5.10.x | AWS, AZURE, GCP |
Debian 12 | 64-bit | 6.1.0.x | |
Ubuntu 16.04.x | 32-bit, 64-bit | 4.8.x / 4.10.x / 4.13.x / 4.15.x | AWS, AZURE, GCP |
Ubuntu 18.04.x | 64-bit | 5.0.x / 5.3.x / 5.4.x | AWS, AZURE, GCP |
Ubuntu 20.04.x | 64-bit | 5.4.x / 5.8.x / 5.11.x / 5.13.x / 5.15.x | AWS, AZURE, GCP |
Ubuntu 22.04.x | 64-bit | 5.15.x / 5.19.x | AWS, AZURE, GCP |
Ubuntu 23.04.x | 64-bit | 6.2.0.x | AWS, AZURE, GCP |
Ubuntu 24.04.x | 64-bit | 6.8.0.x | AWS, AZURE, GCP |
PopOS 22.04.x | 64-bit | 6.2.6.x | AWS, AZURE, GCP |
Pardus 21 | 64-bit | 5.10.0.x | |
Mint 20.x | 64-bit | 5.4.0.x | |
Mint 21.x | 64-bit | 5.15.0.x | |
Mint 22.x | 64-bit | 6.8.0.x | |
Zorin OS | 64-bit | 6.5.x | |
Linux Mint Debian Edition 6 | 64-bit | 6.1.x | |
SUSE-based | |||
SLES 12 SP4 | 64-bit | 4.12.14-x | AWS |
SLES 12 SP5 | 64-bit | 4.12.14-x | AWS, AZURE, GCP |
SLES 15 SP1 | 64-bit | 4.12.14-x | AWS, AZURE |
SLES 15 SP2 | 64-bit | 5.3.18-x | AWS, AZURE, GCP |
SLES 15 SP3 | 64-bit | 5.3.18-x | AWS, AZURE, GCP |
SLES 15 SP4 | 64-bit | 5.14.21.x | AWS, AZURE, GCP |
SLES 15 SP5 | 64-bit | 5.14.21.x | AWS, AZURE, GCP |
SLES 15 SP6 | 64-bit | 6.4.x | |
SLED 15 SP4 | 64-bit | 5.14.21.x | |
openSUSE Leap 15.4-15.5 | 64-bit | 5.14.21.x | AWS |
Cloud-based | |||
AWS Bottlerocket 2020.03 | 64-bit | 5.4.x / 5.10.x | AWS |
Amazon Linux v2 | 64-bit | 4.14.x / 4.19.x / 5.10 | AWS |
Amazon Linux 2023 | 64-bit | 6.1.0.x | AWS |
Google COS Milestones 77, 81, 85 | 64-bit | 4.19.112 / 5.4.49 | GCP |
Azure Mariner 2 | 64-bit | 5.15.x | AZURE |
Fully Supported Linux Modern Distributions for ARM architecture
Distribution | Kernel versions | Cloud Platform Availability |
---|---|---|
RPM-based | ||
RHEL 8.x | 4.18.0-x | AZURE |
RHEL 9.x | 5.14.x | GCP, AZURE, AWS |
AlmaLinux 9.x | 5.14.x | AZURE |
Rocky Linux 9.x | 5.14.x | GCP, AZURE, AWS |
Debian-based | ||
Debian 11 | 5.10.x/6.1.x | GCP, AZURE, AWS |
Debian 12 | 6.1.0.x | |
Ubuntu 20.04.x | 5.15.x | GCP, AZURE, AWS |
Ubuntu 22.04.x | 5.15.x/5.19.x | GCP, AZURE, AWS |
Ubuntu 24.04.x | 6.8.0.x | GCP, AZURE, AWS |
SUSE-based | ||
SLES 15 SP4 | 5.14.21-x | GCP, AZURE, AWS |
openSUSE Leap 15.4-15.5 | 5.14.21-x | AZURE |
Cloud-based only | ||
Amazon Linux v2 | 5.10.x | AWS |
Amazon Linux 2023 | 6.1.x | AWS |
Supported Linux Legacy Distributions
Distro | Architecture | Kernel Versions |
---|---|---|
RPM-based | ||
RHEL 6.10 | 32-bit, 64-bit | 2.6.32-754 |
CentOS 6.10 | 32-bit, 64-bit | 2.6.32-754 |
Oracle Linux 6.10 UEK | 64-bit | 4.1.12-124 |
Amazon Linux v1 2018.03 | 64-bit | 4.14.x |
Debian-based | ||
Ubuntu 14.04 LTS | 32-bit, 64-bit | 4.4 |
Ubuntu 16.04.x | 32-bit, 64-bit | 4.15 |
Warning
(1) On Fedora 28, Bitdefender Endpoint Security Tools requires manual installation of the libnsl
package, by running the following command:
sudo dnf install libnsl -y
Containers
Google COS
Note
This applies only to Security Container deployments.
On-access scanning support
On-access scanning is available for all supported guest operating systems. On Linux systems, on-access scanning support is provided in the following situations:
Kernel versions | Linux distributions | On-access requirements |
---|---|---|
2.6.38 or higher* | Red Hat Enterprise Linux /CentOS 6.0 or higher Ubuntu 14.04 or higher SUSE Linux Enterprise Server11 SP4 or higher OpenSUSE Leap 42.x Fedora 25 or higher Debian 9.0 or higher Oracle Linux 6.3 or higher Amazon Linux AMI 2016.09 or higher | Fanotify (kernel option) must be enabled. |
2.6.38 or higher | Debian 8 | Fanotify must be enabled and set to enforcing mode and then the kernel package must be rebuilt. For details, refer to Bitdefender Endpoint Security Tools compatibility with Debian 8 |
2.6.32-754.35.1.el6 | CentOS 6.x Red Hat Enterprise Linux 6.x | Bitdefender provides support via DazukoFS with prebuilt kernel modules. |
All other kernels | All other supported systems | These systems require the DazukoFS third-party kernel module. For more details, refer to this topic. |
* With certain limitations described below.
On-access scanning limitations
Kernel versions | Linux distributions | Details |
---|---|---|
2.6.38 or higher | All supported systems | On-access scanning monitors mounted network shares only under these conditions:
NoteOn-access scanning does not scan network shares mounted using SSH or FTP. |
All kernels | All supported systems | On-access scanning is not supported on systems with DazukoFS for network shares mounted on paths already protected by the On-access module. |
Note
Fanotify and DazukoFS enable third-party applications to control file access on Linux systems. For more information, refer to:
Fanotify man pages: https://man7.org/linux/man-pages/man7/fanotify.7.htmll
Dazuko project website: http://dazuko.dnsalias.org/wiki/index.php/About
macOS
macOS Sequoia (15.x)
macOS Sonoma (14.x)
macOS Ventura (13.x)
macOS Monterey (12.x)
macOS Big Sur (11.x)
Supported file systems
Bitdefender installs on and protects the following file systems:
AFS, APFS, BTRFS, ext2, ext3, ext4, FAT, FAT16, FAT32, VFAT, exFAT, NTFS, UFS, ISO 9660 / UDF, NFS, CIFS/SMB, VXFS, XFS.
Note
On-access scanning support is not provided for NFS and CIFS/SMB.
Supported browsers
Endpoint browser security is verified to be working with the following browsers:
Internet Explorer 8+
Mozilla Firefox 30+
Google Chrome 34+
Safari 4+
Microsoft Edge 20+
Opera 21+
Supported virtualization platforms
Security for Virtualized Environments provides out-of-the-box support for the following virtualization platforms:
VMware vSphere and vCenter Server versions:
version 6.5
version 6.7, including update 1, update 2a and update 3
version 7.0, including update 1, update 2, update 2b, update 2c and update 2d
version 8.0, including update 1, update 2
Note
The Workload Management functionality in vSphere 7.0 is not supported.
VMware Horizon/View 7.8, 7.7, 7.6, 7.5, 7.1, 6.x, 5.x
VMware Workstation 11.x, 10.x, 9.x, 8.0.6
VMware Player 7.x, 6.x, 5.x
Citrix Xen Hypervisor: 7.1 (with the XS71ECU2060 hotfix), 8.2.
Note
Paravirtualized (PV) mode VMs are not supported on Citrix Hypervisor 8.2. The Control Center deployment is working only for Citrix Xen Hypervisor 7.1 and for the OVA import on 8.2.
For more information about the Citrix Product Matrix lifecycle, refer to the official Citrix Product Matrix.
Citrix Virtual Apps and Desktops 7 1808, 7 1811, 7 1903, 7 1906
Citrix XenApp and XenDesktop 7.18, 7.17, 7.16, 7.15 LTSR, 7.6 LTSR
Citrix VDI-in-a-Box 5.x
Microsoft Hyper-V Server 2008 R2, 2012, 2012 R2, 2016, 2019 or Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019 (including Hyper-V Hypervisor)
Red Hat Enterprise Virtualization 3.0 (including KVM Hypervisor)
Oracle VM 3.0
Oracle VM VirtualBox 5.2, 5.1
Nutanix Prism with AOS 5.6, 5.5, 5.20 LTS, 5.18 STS, 5.15 LTS, 5.11, 5.10 (Enterprise Edition)
Nutanix Prism with AHV 20170830.115, 20170830.301, 20170830.395 and 20190916.294 (Community Edition)
Note
Support for other virtualization platforms may be provided on request.
Integration with VMware NSX-V requirements
ESXi 5.5 or later for each server
vCenter Server 5.5 or later
NSX Manager 6.2.4 or later
VMware Tools 9.1.0 or later, with Guest Introspection thin agent.
For Windows Virtual Machines refer to the following VMware Docs article.
For Linux Virtual Machines refer to the following VMware Docs article.
Note
VMware recommends using the following VMware Tools versions:
10.0.8 or later, to resolve slow VMs after upgrading VMware Tools in NSX / vCloud Networking and Security (VMware Knowledge Base article 2144236).
10.0.9 and later for Windows 10 support.
Important
It is recommended that you keep all VMware products updated with the latest patch.
Integration with VMware NSX-T Data Center requirements
VMware NSX-T Manager 2.4, 2.5, 3.0 or 3.1
ESXi compatible with the NSX-T Manager version
vCenter Server & vSphere compatible with the NSX-T Manager version
VMware Tools with Guest Introspection thin agent, compatible with the NSX-T Manager version
For more compatibility details, refer to these VMware webpages:
VMware Compatibility Guide – GravityZone vs. NSX-T Manager
VMware Product Interoperability Matrices - NSX-T Data Center vs. VMware vCenter and VMware Tools
Integration with Nutanix Prism Element requirements
Credentials of a Nutanix Prism Element user with administrative privileges (Cluster Admin or User Admin)
Nutanix Prism with AOS 5.6, 5.5, 5.20 LTS, 5.18 STS, 5.15 LTS, 5.11, 5.10
Nutanix Prism with AHV 20170830.115, 20170830.301, 20170830.395 and 20190916.294 Community Edition
Supported cloud platforms
Along with on premise virtualization environments, GravityZone can also integrate with the following cloud platforms:
Amazon EC2
As an Amazon EC2 customer, you can integrate the inventory of EC2 instances grouped by Regions and Availability Zones with the GravityZone network inventory.
Microsoft Azure
As a Microsoft Azure customer, you can integrate the Microsoft Azure virtual machines grouped by Regions and Availability Zones with the GravityZone network inventory.
Compatibility with desktop and application virtualization technologies
GravityZone is compatible with the following virtualization technologies, starting with Bitdefender Endpoint Security Tools version 6.6.16.226:
VMware
VMware V-App (same version with vCenter Server)
VMware ThinApp 5.2.6
VMware AppVolumes 2.180
Important
It is recommended not to install in Application Stack or Writable Volumes.
Microsoft
Microsoft App-V 5.0, 5.1
Microsoft FSLogix 2.9.7237
Citrix
Citrix App Layering 19.10
Citrix Appdisks 7.12
Important
Assign policies based on user rules so that Device Control would not prevent OS and platform layers creation.
You may need to configure the GravityZone Firewall rules to allow network traffic for each of these applications. For more information, refer to Citrix App Layering Product Documentation.
Compatibility with container infrastructure
The following infrastructure is supported:
Amazon ECS, except serverless deployments
Amazon EKS
Google GKE
Docker
Podman
Kubernetes
Azure AKS
Supported virtualization management tools
Control Center currently integrates with the following virtualization management tools:
VMware vCenter Server
Citrix XenServer
Nutanix Prism Element
To set up the integration, you must provide the username and password of an administrator.
Security Server
Security Server is a preconfigured virtual machine running on an Ubuntu Server with the following versions:
20.04 (VMware NSX and Multi-Platform)
Note
Your product license may not include this feature.
Memory and CPU
The memory and CPU resource allocation for the Security Server depends on the number and type of VMs running on the host. The following table lists the recommended resources to be allocated:
Consolidation | Number of protected VMs | RAM | CPUs |
---|---|---|---|
Low | 1 - 30 | 2 GB | 2 CPUs |
31 - 50 | 4 GB | 2 CPUs | |
Medium | 51-100 | 4 GB | 4 CPUs |
High | 101-200 | 4 GB | 6 CPUs |
Security Server for NSX comes with a predefined hardware configuration (CPU and RAM), which you can adjust in VMware vSphere Web Client by turning off the machine, editing its settings and then turning it back on. For detailed information, refer to Installing Security Server for VMware NSX.
HDD Space
Environment | HDD space provisioning |
---|---|
VMware NSX-V / NSX-T | 40 GB |
Other | 16 GB |
Security Server distribution on hosts
Environment | Security Server vs. hosts |
---|---|
VMware NSX-V / NSX-T | Security Server automatically installs on each ESXi host in the cluster to be protected, at the time of the Bitdefender service deployment. |
Other | Although not mandatory, Bitdefender recommends installing Security Server on each physical host for improved performance. |
Network latency
The communication latency between Security Server and the protected endpoints must be under 50 ms.
Storage Protection load
The impact of Storage Protection on Security Server when scanning 20 GB is as follows:
Storage Protection status | Security Server resources | Security Server load | Transfer time (mm:ss) |
---|---|---|---|
Disabled (baseline) | N/A | N/A | 10:10 |
Enabled | 4 vCPU 4 GB RAM | Normal | 10:30 |
Enabled | 2 vCPU 2 GB RAM | Heavy | 11:23 |
Note
These results are obtained with a sample of varied file types (.exe, .txt, .doc, .eml, .pdf, .zip etc.), ranging from 10 KB to 200 MB. The transfer duration corresponds to 20 GB of data contained in 46,500 files.
Traffic usage
Product updates traffic between endpoint client and update server
Each periodical Bitdefender Endpoint Security Tools product update generates the following download traffic on each endpoint client:
On Windows OS: ~20 MB
On Linux OS: ~26 MB
On macOS: ~25 MB
Downloaded security content updates traffic between endpoint client and Update Server (MB / day)
Update Server type
Scan engine type
Local
Hybrid
Centralized
Relay
65
58
55
Bitdefender Public Update Server
3
3.5
3
Update Server (GravityZone Virtual Appliance)
65
58
55
Central Scan traffic between endpoint client and Security Server
Scanned objects
Traffic type
Download (MB)
Upload (MB)
Files*
First scan
27
841
Cached scan
13
382
Websites**
First scan
Web traffic
621
N/A
Security Server
54
1050
Cached Scan
Web traffic
654
N/A
Security Server
0.2
0.5
* The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.
** The provided data has been measured for the top-ranked 500 websites.
Hybrid scan traffic between endpoint client and Bitdefender Bitdefender Cloud Services
Scanned objects
Traffic type
Download (MB)
Upload (MB)
Files*
First scan
1.7
0.6
Cached scan
0.6
0.3
Web traffic**
Web traffic
650
N/A
Bitdefender Cloud Services
2.6
2.7
* The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.
** The provided data has been measured for the top-ranked 500 websites.
Traffic between Bitdefender Endpoint Security Tools Relay clients and update server for downloading security content
Clients with Bitdefender Endpoint Security Tools Relay role download ~16 MB / day* from update server.
* Available with Bitdefender Endpoint Security Tools clients starting from 6.2.3.569 version.
Traffic between endpoint clients and Control Center web console
An average traffic of 618 KB / day is generated between endpoint clients and Control Center web console.
Recommended virtual machines sizes for GravityZone Business Security Premium deployment in Azure
The size of the virtual machine you are using for deploying GravityZone Business Security Premium in Azure depends on the number of endpoints you are planning to protect, the type of deployment (all-in-one or distributed) and the type of integration.
The following table displays the Azure virtual machine sizes recommended for GravityZone deployments that include the following roles: Update Server, Web Console (Control Center), Communication Server, and Database.
Number of endpoints (up to) | Azure VM size | vCPU | RAM (GB) |
---|---|---|---|
250 | Standard_F8s_v2 | 8 | 16 |
Standard_F8s | 8 | 16 | |
Standard_F16s_v2 | 16 | 32 | |
Standard_F16s | 16 | 32 | |
500 | Standard_F16s_v2 | 16 | 32 |
Standard_F16s | 16 | 32 | |
1,000 | Standard_F16s_v2 | 16 | 32 |
Standard_F16s | 16 | 32 | |
3,000 | Standard_F16s_v2 | 16 | 32 |
Standard_F16s | 16 | 32 | |
5,000 | Standard_F32s_v2 | 32 | 64 |
10,000 | Standard_F32s_v2 | 32 | 64 |
25,000 | Standard_F64s_v2 | 64 | 128 |
50,000 | Standard_F64s_v2 | 64 | 128 |
Important
These VM sizes support GravityZone deployments without the Incidents Server role installed. This role requires the following resources:
2 vCPU and 2 GB RAM for deployments up to 3000 endpoints
4 vCPU and 2 GB RAM for deployments up to 10,000 endpoints
6 vCPU and 4 GB RAM for deployments up to 50,000 endpoints
30 GB of additional disk space for the Database role, regardless of deployment.
For distributed GravityZone deployments, with various configurations and integrations, refer to the GravityZone Virtual Appliance hardware requirements.
For the procedure of deploying GravityZone in Azure, refer to Install GravityZone Business Security Premium BYOL in Microsoft Azure.