Skip to main content

Endpoint protection

To protect your network with Bitdefender, you must install the GravityZone security agents on network endpoints. For optimized protection, you can also install Security Servers. For this purpose, you need a Control Center user with administrator privileges over the services you need to install and over the network endpoints under your management.

Requirements for the security agent are different, based on whether has additional server roles, such as Relay, Exchange Protection or Patch Caching Server. For more information on the agent's roles, refer to this section.

Important

Make sure that the HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy registry key is set to any value other than 8 = Good only.

Hardware

Security agent without roles

CPU

Target systems

CPU type

Supported operating systems (OSes)

Workstations

Intel® Pentium compatible processors, 2 GHz or faster

Microsoft Windows desktop OSes

Intel® Core 2 Duo, 2 GHz or faster

Apple M-series

macOS

Smart devices

Intel® Pentium compatible processors, 800 MHZ or faster

Microsoft Windows Embedded OS

Servers

Minimum: Intel® Pentium compatible processors, 2.4 GHz

Microsoft Windows Server OSes and Linux OSes

Recommended: Intel® Xeon multi-core CPU, 1.86 GHz or faster

Free RAM memory

At installation (MB)

OS

Single Engine

Local Scanning

Hybrid Scanning

Centralized Scanning

AV Only

Full Options

AV Only

Full Options

AV Only

Full Options

Windows

1024

1200

512

660

256

400

Linux

1024

1024

512

512

256

256

macOS

1024

1024

n/a

n/a

n/a

n/a

For daily usage (MB)*

OS

Antimalware (single engine)

Protection modules

Local

Hybrid

Centralized

Advanced Threat Control

Firewall

Content Control

Power User

Advanced Anti-Exploit

Windows

75

55

30

+13

+17

+41

+29

+80

+13

Linux

200

180

90

-

-

-

-

-

+60

macOS**

780

-

-

+40

-

+160

-

-

-

* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.

** Overall daily usage on macOS is around 1.5 GB of RAM when including other modules such as Full Disk Encryption (~20 MB), Device Control (~50 MB), Network Attack Defense (~160 MB), and Endpoint Detection and Response (~240 MB).

Free disk space

At installation

OS

SINGLE ENGINE

DUAL ENGINE

Local Scanning

Hybrid Scanning

Centralized Scanning

Centralized + Local Scanning

Centralized + Hybrid Scanning

AV Only

Full Options

AV Only

Full Options

AV Only

Full Options

AV Only

Full Options

AV Only

Full Options

Windows

1024

1200

500

700

350

570

1024

1200

500

700

Linux

2500

2500

1100

1100

600

600

1600

1600

1100

1100

macOS

1024

1024

n/a

n/a

n/a

n/a

n/a

n/a

n/a

n/a

For daily usage (MB)*

OS

Antivirus (Single Engine)

Protection Modules

Local

Hybrid

Centralized

Advanced Threat Control

Firewall

Content Control

Power User

Advanced Anti-Exploit

Windows

410

190

140

+12

+5

+60

+80

+10

+12

Linux

500

200

110

-

-

-

-

-

+60

macOS

1700

-

-

+20

-

+0

-

-

-

* The measurements cover the daily endpoint client usage, without taking into account additional tasks, such as on-demand scans or product updates.

Security agent with Relay role

The Relay role needs hardware additional resources to the basic security agent's configuration. These requirements are to support the Update Server and installation packages hosted by the endpoint:

Number of connected endpoints

CPU to support Update Server

RAM

Free disk space for Update Server

1 - 300

minimum Intel® Core™ i3 or equivalent processor, 2 vCPU per core

1 GB

10 GB

300 - 1000

minimum Intel® Core™ i5 or equivalent processor, 4 vCPU per core

1 GB

10 GB

Warning

  • Relay agents require SSD disks, to support the high amount of read/write operations.

Important

  • If you want to save the installation packages and updates to another partition than the one where the agent is installed, make sure both partitions have sufficient free disk space (10 GB), otherwise, the agent aborts the installation. This is required only at installation.

  • On Windows endpoints, local to local symbolic links must be enabled.

Security agent with Exchange Protection role

The quarantine for Exchange Servers requires additional hard-disk space on the partition where the security agent is installed.

The quarantine size depends on the number of items stored and their size.

By default, the agent is installed on the system partition.

Security agent with Patch Caching Server role

The agent with Patch Caching Server role must meet the following cumulative requirements:

  • All hardware requirements of the simple security agent (without roles)

  • All hardware requirements of the Relay role

  • Additionally 100 GB of free disk space to store the downloaded patches

Important

If you want to save the patches to another partition than the one where the agent is installed, make sure both partitions have sufficient free disk space (100 GB), otherwise, the agent aborts the installation. This is required only at installation.

The following table indicates the number of simultaneous connections supported by a machine that has only the Patch Caching Server role installed.

Number of connected endpoints

CPU to support Update Server

RAM

Free disk space for Update Server

Disk type

1 - 500

minimum Intel® Core™ i3 or equivalent processor, 2 vCPU per core

2 GB

100 GB

SSD

500 - 1500

minimum Intel® Core™ i5 or equivalent processor, 4 vCPU per core

4 GB

100 GB

SSD

Important

  • Bitdefender performed the tests using machines running Ubuntu 20.04 LTS and Windows Server 2016.

  • For machines that have other roles installed in addition to Patch Caching Server, you must consider allocating more hardware resources.

Security Containers

Configure the guest operating systems where you are deploying BEST as follows:

Resource

Minimum

Recommended

Processor

2 vCPUs

4 vCPUs

Memory (RAM)

4 GB RAM

6 GB RAM

Free Disk Space

2.5 GB (up to 4 GB disk with debug logs enabled)

4 GB

Software requirements

GravityZone requirements

BEST for Linux is compatible with GravityZone Cloud and GravityZone On-Premises versions 6.13.1-1 or newer.

Additional software requirements

  • On-access scanning is available for supported operating systems as follows:

    • Kernel 2.6.38 or higher - Supports all Linux distributions. The fanotify kernel option must be enabled.

    • Kernel 2.6.32 - 2.6.37 - CentOS 6.x Red Hat Enterprise Linux 6.x - Bitdefender provides support via DazukoFS with prebuilt kernel modules.

  • You need auditd as a fallback mechanism in case kProbes are not available for your Kernel version.

Public Cloud Requirements

Select Instance or VM type where you are deploying BEST as follows:

Cloud Service Provider (CSPs)

Minimum (instance type)

Recommended (instance type)

Amazon Web Services (AWS)

T2 medium

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Microsoft Azure

Standard B2s

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Google Cloud Platform (GCP)

E2-medium or E2-standard-2

Any instance ≥ 4 vCPUs, 4 GB RAM, min 4 GB SSD

Note

For other CSPs, you should consider the same requirements as described above.

Supported operating systems

GravityZone modules and features are available on all versions of supported operating systems, according to each type of endpoint (Windows, Linux, or macOS). In case of Windows, exceptions are the core versions or systems that lack a graphical user interface. See the features distribution by endpoint type here.

Windows desktop
  • Windows 11 October 2024 Update (24H2)

  • Windows 11 October 2023 Update (23h2)

  • Windows 10 November 2022 Update (22H2)

  • Windows 11 September 2022 Update (22h2)

  • Windows 11 (initial release)

  • Windows 10 November 2021 Update (21H2)

  • Windows 10 May 2021 Update (21H1)

  • Windows 10 October 2020 Update (20H2)

  • Windows 10 May 2020 Update (20H1)

  • Windows 10 May 2019 Update (19H1)

  • Windows 10 October 2018 Update (Redstone 5)

  • Windows 10 April 2018 Update (Redstone 4)

  • Windows 10 Fall Creators Update (Redstone 3)

  • Windows 10 Creators Update (Redstone 2)

  • Windows 10 Anniversary Update (Redstone 1)

  • Windows 10 November Update (Threshold 2)

  • Windows 10 (initial release)

  • Windows 8.1(*)

  • Windows 8(*)

    Windows 8

  • Windows 7*

Warning

(*) In VMware NSX, the OS version is supported starting with vSphere 5.5 Patch 2.

Warning

Windows tablet and embedded
  • Windows 10 IoT Enterprise

  • Windows Embedded 8.1 Industry

  • Windows Embedded 8 Standard

  • Windows Embedded Standard 7

  • Windows Embedded Compact 7

  • Windows Embedded POS Ready 7

  • Windows Embedded Enterprise 7

Windows Server
  • Windows Server 2022 Core

  • Windows Server 2022

  • Windows Server 2019 Core

  • Windows Server 2019

  • Windows Server 2016

  • Windows Server 2016 Core

  • Windows Server 2012 R2(1)

  • Windows Server 2012(2)(3)

  • Windows Small Business Server (SBS) 2011

  • Windows Server 2008 R2(3)

*Patch Management is not supported.

Important

Bitdefender Endpoint Security Tools supports the Windows Server Failover Cluster (WSFC) technology.

Warning

(1) In VMware NSX, the OS version is supported starting with vSphere 5.5 Patch 2.

(2) In VMware NSX, the OS version is supported starting with vSphere 5.5.

(3) VMware NSX does not support the 32-bit versions of Windows 2012 and Windows Server 2008 R2.

Certificate prerequisites

The following is a list of prerequisites for installing Bitdefender Endpoint Security Tools for Windows:

  • Import the DigiCert Global Root G2 certificate. It must be imported as a trusted certificate by following these steps:

    1. Download the DigiCert Global Root G2 certificate.

    2. Press Win + R to open the Run window.

    3. Type mmc and click Ok. This will open the Microsoft Management Console (MMC) window.

    4. Go to File > Add/Remove snap-in.

    5. Select Certificates and click Add.

    6. Select Computer account and click Next.

    7. Select Local computer and click Finish.

    8. Click Ok.

    9. Go to Console Root > Certificates (Local Computer) > Trusted Root Certification Authorities.

    10. Right click Certificates > All tasks > Import > Next.

    11. Navigate to the folder where the DigiCert Global Root G2 was downloaded and select it.

    12. Click Next until the setup wizard is completed.

    13. Close the MMC window and select No when prompted to save any changes.

  • Enable SHA256 certificates. Without them, the installer does not work at all. For more information, refer to the Microsoft Security Advisory 3033929.

  • Make sure your root certificates are up to date:

    • Bitdefender certificates

    • Timestamp certificates: we generally use Symantech/ Digicert

    If the trusted signature is invalid, make sure Automatic Root Certificate Updates are enabled:

    1. Open the Run command window, type gpedit.msc and press Enter

    2. Select Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication Settings

    3. Double click Turn off Automatic Root Certificates Update and select the Disabled option.

    4. Open Command Prompt with administrative right and run the following command:

      certutil -setreg chain\ChainCacheResyncFiletime @now

    In addition, you can manually add the following Digicert certificates, from the Official DigiCert Trusted Root Authority Certificates page:

    • DigiCert Global Root CA

    • DigiCert Assured ID Root CA

    • DigiCert SHA2 Assured ID Code Signing CA

    • DigiCert Trusted Root G4

    • DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1

    • VeriSign Universal Root Certification Authority

  • Enable the Universal Microsoft C Runtime (UCRT) component. The UCRT is available by using Windows Update on older operating systems that are still in extended support. Alternatively, you can find the updates through the Microsoft Download Center.

  • If the following error occurs, your system is out of date:

    Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

    Note

    This only applies to Windows 7 and Windows Server 2008 R2 machines.

Supported cipher modes

As of October 2022, Bitdefender supports the following cipher modes:

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES256-GCM-SHA384

  • DHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES256-GCM-SHA384

  • DHE-DSS-AES128-GCM-SHA256

  • DHE-DSS-AES256-GCM-SHA384

  • TLS_AES_128_GCM_SHA256

  • TLS_AES_256_GCM_SHA384

Linux

Note

This applies to both Bitdefender Endpoint Security Tools for Linux and Security Containers.

Important

Linux endpoints use license seats from the pool of licenses for server operating systems.

Fully Supported Linux Modern Distributions

Distribution 

Architecture

Kernel Versions

Cloud Platform Availability

RPM-based

RHEL 7.x

64-bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

RHEL 8.x

64-bit

4.18.0.x

AWS, AZURE, GCP

RHEL 9.x

64-bit

5.14.0.x

AWS

Oracle Linux 7.x UEK

64-bit

4.18.0.x

AWS, AZURE

Oracle Linux 7.x RHCK

64-bit

3.10.0.x (starting from build 957)

AWS, AZURE

Oracle Linux 8.x UEK

64-bit

5.4.17.x / 5.15.0.x

AWS

Oracle Linux 8.x RHCK

64-bit

4.18.0.x

AWS

Oracle Linux 9.x UEK

64-bit

5.15.0.x

AWS

Oracle Linux 9.x RHCK

64-bit

5.14.0.x

AWS

CentOS 7.x

32-bit, 64-bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

CentOS 8 Stream

64-bit

4.18.0.x

AWS, AZURE, GCP

CentOS 9 Stream

64-bit

5.14.0.x

AWS, AZURE, GCP

Fedora 37 - 40

64-bit

Supported until it expires.

AWS

AlmaLinux 8.x

64-bit

4.18.0.x

AWS, AZURE, GCP

AlmaLinux 9.x

64-bit

5.14.0.x

AWS

Rocky Linux 8.x

64-bit

4.18.0.x

AWS, AZURE, GCP

Rocky Linux 9.x

64-bit

5.14.0.x

AWS, AZURE, GCP

CloudLinux 7.x

64-bit

3.10.0.x (starting from build 957)

AWS, AZURE, GCP

CloudLinux 8.x

64-bit

4.18.0.x

AWS, AZURE, GCP

Miracle Linux 8.x

64-bit

4.18.0.x

Kylin v10 RHEL

64-bit

4.19.90.x

Debian-based

Debian 9

32-bit, 64-bit

4.9.0.x

AWS, AZURE, GCP

Debian 10

32-bit, 64-bit

4.19.x

AWS, AZURE, GCP

Debian 11

32-bit, 64-bit

5.10.x

AWS, AZURE, GCP

Debian 12

64-bit

6.1.0.x

Ubuntu 16.04.x

32-bit, 64-bit

4.8.x / 4.10.x / 4.13.x / 4.15.x

AWS, AZURE, GCP

Ubuntu 18.04.x

64-bit

5.0.x / 5.3.x / 5.4.x

AWS, AZURE, GCP

Ubuntu 20.04.x

64-bit

5.4.x / 5.8.x / 5.11.x / 5.13.x / 5.15.x

AWS, AZURE, GCP

Ubuntu 22.04.x

64-bit

5.15.x / 5.19.x

AWS, AZURE, GCP

Ubuntu 23.04.x

64-bit

6.2.0.x

AWS, AZURE, GCP

Ubuntu 24.04.x

64-bit

6.8.0.x

AWS, AZURE, GCP

PopOS 22.04.x

64-bit

6.2.6.x

AWS, AZURE, GCP

Pardus 21

64-bit

5.10.0.x

Mint 20.x

64-bit

5.4.0.x

Mint 21.x

64-bit

5.15.0.x

Mint 22.x

64-bit

6.8.0.x

SUSE-based

SLES 12 SP4 

64-bit

4.12.14-x

AWS

SLES 12 SP5

64-bit

4.12.14-x

AWS, AZURE, GCP

SLES 15 SP1 

64-bit

4.12.14-x

AWS, AZURE

SLES 15 SP2

64-bit

5.3.18-x

AWS, AZURE, GCP

SLES 15 SP3

64-bit

5.3.18-x

AWS, AZURE, GCP

SLES 15 SP4

64-bit

5.14.21.x

AWS, AZURE, GCP

SLES 15 SP5

64-bit

5.14.21.x

AWS, AZURE, GCP

SLED 15 SP4

64-bit

5.14.21.x

openSUSE Leap 15.4-15.5

64-bit

5.14.21.x

AWS

Cloud-based

AWS Bottlerocket 2020.03

64-bit

5.4.x / 5.10.x

AWS

Amazon Linux v2

64-bit

4.14.x / 4.19.x / 5.10

AWS

Amazon Linux 2023

64-bit

6.1.0.x

AWS

Google COS Milestones 77, 81, 85

64-bit

4.19.112 / 5.4.49 

GCP

Azure Mariner 2

64-bit

5.15.x

AZURE

Fully Supported Linux Modern Distributions for ARM architecture

Distribution

Kernel versions

Cloud Platform Availability

RPM-based

RHEL 8.x

4.18.0-x

AZURE

RHEL 9.x

5.14.x

GCP, AZURE, AWS

AlmaLinux 9.x

5.14.x

AZURE

Rocky Linux 9.x

5.14.x

GCP, AZURE, AWS

Debian-based

Debian 11

5.10.x/6.1.x

GCP, AZURE, AWS

Debian 12

6.1.0.x

Ubuntu 20.04.x

5.15.x

GCP, AZURE, AWS

Ubuntu 22.04.x

5.15.x/5.19.x

GCP, AZURE, AWS

Ubuntu 24.04.x

6.8.0.x

GCP, AZURE, AWS

SUSE-based

SLES 15 SP4

5.14.21-x

GCP, AZURE, AWS

openSUSE Leap 15.4-15.5

5.14.21-x

AZURE

Cloud-based only

Amazon Linux v2

5.10.x

AWS

Amazon Linux 2023

6.1.x

AWS

Supported Linux Legacy Distributions

Distro 

Architecture

Kernel Versions

RPM-based

RHEL 6.10

32-bit, 64-bit

2.6.32-754

CentOS 6.10

32-bit, 64-bit

2.6.32-754

Oracle Linux 6.10 UEK

64-bit

4.1.12-124

Amazon Linux v1 2018.03

64-bit

4.14.x

Debian-based

Ubuntu 14.04 LTS

32-bit, 64-bit

4.4

Ubuntu 16.04.x

32-bit, 64-bit

4.15

Warning

(1) On Fedora 28, Bitdefender Endpoint Security Tools requires manual installation of the libnsl package, by running the following command:

sudo dnf install libnsl -y
Containers
  • Google COS

Note

This applies only to Security Container deployments.

On-access scanning support

On-access scanning is available for all supported guest operating systems. On Linux systems, on-access scanning support is provided in the following situations:

Kernel versions

Linux distributions

On-access requirements

2.6.38 or higher*

Red Hat Enterprise Linux /CentOS 6.0 or higher

Ubuntu 14.04 or higher

SUSE Linux Enterprise Server11 SP4 or higher

OpenSUSE Leap 42.x

Fedora 25 or higher

Debian 9.0 or higher

Oracle Linux 6.3 or higher

Amazon Linux AMI 2016.09 or higher

Fanotify (kernel option) must be enabled.

2.6.38 or higher

Debian 8

Fanotify must be enabled and set to enforcing mode and then the kernel package must be rebuilt.

For details, refer to Bitdefender Endpoint Security Tools compatibility with Debian 8

2.6.32-754.35.1.el6

CentOS 6.x

Red Hat Enterprise Linux 6.x

Bitdefender provides support via DazukoFS with prebuilt kernel modules.

All other kernels

All other supported systems

These systems require the DazukoFS third-party kernel module. For more details, refer to this topic.

* With certain limitations described below.

On-access scanning limitations

Kernel versions

Linux distributions

Details

2.6.38 or higher

All supported systems

On-access scanning monitors mounted network shares only under these conditions:

  • Fanotify is enabled on both remote and local systems.

  • The share is based on the CIFS and NFS filesystems.

Note

On-access scanning does not scan network shares mounted using SSH or FTP.

All kernels

All supported systems

On-access scanning is not supported on systems with DazukoFS for network shares mounted on paths already protected by the On-access module.

Note

Fanotify and DazukoFS enable third-party applications to control file access on Linux systems. For more information, refer to:

macOS
  • macOS Sequoia (15.x)

  • macOS Sonoma (14.x)

  • macOS Ventura (13.x)

  • macOS Monterey (12.x)

  • macOS Big Sur (11.x)

Supported file systems

Bitdefender installs on and protects the following file systems:

AFS, APFS, BTRFS, ext2, ext3, ext4, FAT, FAT16, FAT32, VFAT, exFAT, NTFS, UFS, ISO 9660 / UDF, NFS, CIFS/SMB, VXFS, XFS.

Note

On-access scanning support is not provided for NFS and CIFS/SMB.

Supported browsers

Endpoint browser security is verified to be working with the following browsers:

  • Internet Explorer 8+

  • Mozilla Firefox 30+

  • Google Chrome 34+

  • Safari 4+

  • Microsoft Edge 20+

  • Opera 21+

Supported virtualization platforms

Security for Virtualized Environments provides out-of-the-box support for the following virtualization platforms:

  • VMware vSphere and vCenter Server versions:

    • version 6.5

    • version 6.7, including update 1, update 2a and update 3

    • version 7.0, including update 1, update 2, update 2b, update 2c and update 2d

    • version 8.0, including update 1, update 2

    Note

    The Workload Management functionality in vSphere 7.0 is not supported.

  • VMware Horizon/View 7.8, 7.7, 7.6, 7.5, 7.1, 6.x, 5.x

  • VMware Workstation 11.x, 10.x, 9.x, 8.0.6

  • VMware Player 7.x, 6.x, 5.x

  • Citrix Xen Hypervisor: 7.1 (with the XS71ECU2060 hotfix), 8.2.

    Note

    • Paravirtualized (PV) mode VMs are not supported on Citrix Hypervisor 8.2. The Control Center deployment is working only for Citrix Xen Hypervisor 7.1 and for the OVA import on 8.2.

    • For more information about the Citrix Product Matrix lifecycle, refer to the official Citrix Product Matrix.

  • Citrix Virtual Apps and Desktops 7 1808, 7 1811, 7 1903, 7 1906

  • Citrix XenApp and XenDesktop 7.18, 7.17, 7.16, 7.15 LTSR, 7.6 LTSR

  • Citrix VDI-in-a-Box 5.x

  • Microsoft Hyper-V Server 2008 R2, 2012, 2012 R2, 2016, 2019 or Windows Server 2008 R2, 2012, 2012 R2, 2016, 2019 (including Hyper-V Hypervisor)

  • Red Hat Enterprise Virtualization 3.0 (including KVM Hypervisor)

  • Oracle VM 3.0

  • Oracle VM VirtualBox 5.2, 5.1

  • Nutanix Prism with AOS 5.6, 5.5, 5.20 LTS, 5.18 STS, 5.15 LTS, 5.11, 5.10 (Enterprise Edition)

  • Nutanix Prism with AHV 20170830.115, 20170830.301, 20170830.395 and 20190916.294 (Community Edition)

Note

Support for other virtualization platforms may be provided on request.

Integration with VMware NSX-V requirements

  • ESXi 5.5 or later for each server

  • vCenter Server 5.5 or later

  • NSX Manager 6.2.4 or later

  • VMware Tools 9.1.0 or later, with Guest Introspection thin agent.

    Note

    VMware recommends using the following VMware Tools versions:

    • 10.0.8 or later, to resolve slow VMs after upgrading VMware Tools in NSX / vCloud Networking and Security (VMware Knowledge Base article 2144236).

    • 10.0.9 and later for Windows 10 support.

Important

It is recommended that you keep all VMware products updated with the latest patch.

Integration with VMware NSX-T Data Center requirements

  • VMware NSX-T Manager 2.4, 2.5, 3.0 or 3.1

  • ESXi compatible with the NSX-T Manager version

  • vCenter Server & vSphere compatible with the NSX-T Manager version

  • VMware Tools with Guest Introspection thin agent, compatible with the NSX-T Manager version

For more compatibility details, refer to these VMware webpages:

Integration with Nutanix Prism Element requirements

  • Credentials of a Nutanix Prism Element user with administrative privileges (Cluster Admin or User Admin)

  • Nutanix Prism with AOS 5.6, 5.5, 5.20 LTS, 5.18 STS, 5.15 LTS, 5.11, 5.10

  • Nutanix Prism with AHV 20170830.115, 20170830.301, 20170830.395 and 20190916.294 Community Edition

Supported cloud platforms

Along with on premise virtualization environments, GravityZone can also integrate with the following cloud platforms:

  • Amazon EC2

    As an Amazon EC2 customer, you can integrate the inventory of EC2 instances grouped by Regions and Availability Zones with the GravityZone network inventory.

  • Microsoft Azure

    As a Microsoft Azure customer, you can integrate the Microsoft Azure virtual machines grouped by Regions and Availability Zones with the GravityZone network inventory.

Compatibility with desktop and application virtualization technologies

GravityZone is compatible with the following virtualization technologies, starting with Bitdefender Endpoint Security Tools version 6.6.16.226:

  • VMware

    VMware V-App (same version with vCenter Server)

    VMware ThinApp 5.2.6

    VMware AppVolumes 2.180

    Important

    It is recommended not to install in Application Stack or Writable Volumes.

  • Microsoft

    Microsoft App-V 5.0, 5.1

    Microsoft FSLogix 2.9.7237

  • Citrix

    Citrix App Layering 19.10

    Citrix Appdisks 7.12

    Important

    Assign policies based on user rules so that Device Control would not prevent OS and platform layers creation.

    You may need to configure the GravityZone Firewall rules to allow network traffic for each of these applications. For more information, refer to Citrix App Layering Product Documentation.

Compatibility with container infrastructure

The following infrastructure is supported:

  • Amazon ECS, except serverless deployments

  • Amazon EKS

  • Google GKE

  • Docker

  • Podman

  • Kubernetes

  • Azure AKS

Supported virtualization management tools

Control Center currently integrates with the following virtualization management tools:

  • VMware vCenter Server

  • Citrix XenServer

  • Nutanix Prism Element

To set up the integration, you must provide the username and password of an administrator.

Security Server

Security Server is a preconfigured virtual machine running on an Ubuntu Server with the following versions:

  • 20.04 (VMware NSX and Multi-Platform)

Note

Your product license may not include this feature.

Memory and CPU

The memory and CPU resource allocation for the Security Server depends on the number and type of VMs running on the host. The following table lists the recommended resources to be allocated:

Consolidation

Number of protected VMs

RAM

CPUs

Low

1 - 30

2 GB

2 CPUs

31 - 50

4 GB

2 CPUs

Medium

51-100

4 GB

4 CPUs

High

101-200

4 GB

6 CPUs

Security Server for NSX comes with a predefined hardware configuration (CPU and RAM), which you can adjust in VMware vSphere Web Client by turning off the machine, editing its settings and then turning it back on. For detailed information, refer to Installing Security Server for VMware NSX.

HDD Space

Environment

HDD space provisioning

VMware NSX-V / NSX-T

40 GB

Other

16 GB

Security Server distribution on hosts

Environment

Security Server vs. hosts

VMware NSX-V / NSX-T

Security Server automatically installs on each ESXi host in the cluster to be protected, at the time of the Bitdefender service deployment.

Other

Although not mandatory, Bitdefender recommends installing Security Server on each physical host for improved performance.

Network latency

The communication latency between Security Server and the protected endpoints must be under 50 ms.

Storage Protection load

The impact of Storage Protection on Security Server when scanning 20 GB is as follows:

Storage Protection status

Security Server resources

Security Server load

Transfer time (mm:ss)

Disabled (baseline)

N/A

N/A

10:10

Enabled

4 vCPU

4 GB RAM

Normal

10:30

Enabled

2 vCPU

2 GB RAM

Heavy

11:23

Note

These results are obtained with a sample of varied file types (.exe, .txt, .doc, .eml, .pdf, .zip etc.), ranging from 10 KB to 200 MB. The transfer duration corresponds to 20 GB of data contained in 46,500 files.

Traffic usage

  • Product updates traffic between endpoint client and update server

    Each periodical Bitdefender Endpoint Security Tools product update generates the following download traffic on each endpoint client:

    • On Windows OS: ~20 MB

    • On Linux OS: ~26 MB

    • On macOS: ~25 MB

  • Downloaded security content updates traffic between endpoint client and Update Server (MB / day)

    Update Server type

    Scan engine type

    Local

    Hybrid

    Centralized

    Relay

    65

    58

    55

    Bitdefender Public Update Server

    3

    3.5

    3

    Update Server (GravityZone Virtual Appliance)

    65

    58

    55

  • Central Scan traffic between endpoint client and Security Server

    Scanned objects

    Traffic type

    Download (MB)

    Upload (MB)

    Files*

    First scan

    27

    841

    Cached scan

    13

    382

    Websites**

    First scan

    Web traffic

    621

    N/A

    Security Server

    54

    1050

    Cached Scan

    Web traffic

    654

    N/A

    Security Server

    0.2

    0.5

    * The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.

    ** The provided data has been measured for the top-ranked 500 websites.

  • Hybrid scan traffic between endpoint client and Bitdefender Bitdefender Cloud Services

    Scanned objects

    Traffic type

    Download (MB)

    Upload (MB)

    Files*

    First scan

    1.7

    0.6

    Cached scan

    0.6

    0.3

    Web traffic**

    Web traffic

    650

    N/A

    Bitdefender Cloud Services

    2.6

    2.7

    * The provided data has been measured for 3.49 GB of files (6,658 files), of which 1.16 GB are Portable Executable (PE) files.

    ** The provided data has been measured for the top-ranked 500 websites.

  • Traffic between Bitdefender Endpoint Security Tools Relay clients and update server for downloading security content

    Clients with Bitdefender Endpoint Security Tools Relay role download ~16 MB / day* from update server.

    * Available with Bitdefender Endpoint Security Tools clients starting from 6.2.3.569 version.

  • Traffic between endpoint clients and Control Center web console

    An average traffic of 618 KB / day is generated between endpoint clients and Control Center web console.

Recommended virtual machines sizes for GravityZone Business Security Premium deployment in Azure

The size of the virtual machine you are using for deploying GravityZone Business Security Premium in Azure depends on the number of endpoints you are planning to protect, the type of deployment (all-in-one or distributed) and the type of integration.

The following table displays the Azure virtual machine sizes recommended for GravityZone deployments that include the following roles: Update Server, Web Console (Control Center), Communication Server, and Database.

Number of endpoints (up to)

Azure VM size

vCPU

RAM (GB)

250

Standard_F8s_v2

8

16

Standard_F8s

8

16

Standard_F16s_v2

16

32

Standard_F16s

16

32

500

Standard_F16s_v2

16

32

Standard_F16s

16

32

1,000

Standard_F16s_v2

16

32

Standard_F16s

16

32

3,000

Standard_F16s_v2

16

32

Standard_F16s

16

32

5,000

Standard_F32s_v2

32

64

10,000

Standard_F32s_v2

32

64

25,000

Standard_F64s_v2

64

128

50,000

Standard_F64s_v2

64

128

Important

These VM sizes support GravityZone deployments without the Incidents Server role installed. This role requires the following resources:

  • 2 vCPU and 2 GB RAM for deployments up to 3000 endpoints

  • 4 vCPU and 2 GB RAM for deployments up to 10,000 endpoints

  • 6 vCPU and 4 GB RAM for deployments up to 50,000 endpoints

  • 30 GB of additional disk space for the Database role, regardless of deployment.

For distributed GravityZone deployments, with various configurations and integrations, refer to the GravityZone Virtual Appliance hardware requirements.

For the procedure of deploying GravityZone in Azure, refer to Install GravityZone Business Security Premium BYOL in Microsoft Azure.