GravityZone Control Center
November 2024 (Version 6.57.0-1)
Early Access
New Network
The new Network section now has more actions and improved functionalities, including:
Resume integrity monitoring
Suspend integrity monitoring
Update agent
Patch scan
Delete
Compliance
The Compliance feature is now available for Early Access.
This new feature provides immediate and continuous visibility into your endpoint compliance posture across numerous widely-adopted industry standards. The Compliance page empowers you to:
Assess compliance posture - View an at-a-glance summary of your organization’s compliance status relative to specific standards.
Review detailed controls - Access a list of individual compliance controls, organized by their respective sections, along with a detailed score for each, helping to pinpoint areas for improvement.
Streamline reporting and auditing - Simplify and accelerate your compliance reporting process with our one-click report generation capability, allowing faster and more effective audit preparations.
This new feature enables you to stay proactive in maintaining regulatory standards and optimizing security efforts with comprehensive insights and convenient reporting options.
New features
Antimalware
Two new options are now available for all on-demand scheduled scan tasks in Policies and for Network Scan, Memory Scan, and Custom Scan in the Network page:
Pause scan when computer is in Battery mode: this option helps you pause the scanning process on endpoints running on battery power and automatically resume it once they are plugged back in.
Enable CPU usage control: this option allows you to adjust the CPU usage allocated for the scanning process and tailor the scan performance to your needs. You can choose from three levels: Low, Medium, and High. The option is available for Linux and macOS systems.
You can now create exclusions for Sensitive Registry Protection using specific IP addresses or a subnet mask. This allows trusted systems to perform necessary registry changes without triggering protection policies. You can add the exclusion in Configuration Profiles using the new option ATC/Sensitive Registry Protection and the IP/mask object type.
XDR
A new sensor integration is available: Atlassian Cloud.
By integrating with Atlassian Cloud apps, your organization gains extensive threat detection, event monitoring, and response capabilities. This integration effectively addresses security risks that may impact your Atlassian ecosystem, covering Confluence, Jira, and Bitbucket.
EDR
YARA detection rules are now generally available. This feature allows you to define queries that are used to scan endpoints for malicious actions. You can generate custom alerts and security incidents based on these scans.
You can manage the YARA rules on the Incidents > Custom detection rules page.
This feature is available for EDR licenses, with the exception of those that offer only deployment in EDR (Report only) mode.
Licensing
The Buy compatible products section is now available in the Purchase tab of the My company page.
The section displays a list of products that are compatible with your current main license which you can purchase directly from GravityZone. You can enter a trial to test out the products, or purchase them directly.
The Usage breakdown column in the Companies page has been improved to offer a clearer view of each company's license usage. The same improvements have been applied to the Licensing tab in the My Company window. The improvements apply only to companies using monthly subscriptions.
On the Product Hub page, products that are eligible for direct purchase from GravityZone are marked with a Buy now tag. Clicking on their cards will take you to their individual hub page, where a purchase option is available.
Integrations
New integrations are available for the following SIEMS:
FortiSIEM
Elastic
LogRhythm
Accounts
A new authentication method is available in the Login Security section, located in the account settings on the Edit account and Add account pages. This method regards the option Login using GravityZone Identity Provider, which enables you to authenticate using the GravityZone identity provider corresponding to your region.
Our identity providers use the existing two-factor authentication, so no new or additional credentials will be required.
Improvements
Network Protection
You can now edit the policy assignment of a specific schedule from Configuration Profiles > Web Access Control Scheduler > Edit schedule assignment.
XDR
You can now create exclusion rules on XDR parameters to prevent specific interactions between entities and resources in your organization from generating incidents.
The Historical search section still contains the alerts that would have triggered incidents. You can use the other.rule_id: <rule_id> query to identify them.
Note
Rules created prior to this update do not apply to XDR technology, even if they use only criteria parameters with no tags. To adapt these rules, go to the Custom exclusion rules page, open each of them for editing, review the existing settings, and save the rule.
New fields are now available for creating custom exclusion rules. The EDR functionality has been enhanced with additional exclusion parameters, allowing you to exclude events and behaviors related to user connections and email activity on your endpoints.
These capabilities are accessible both through the GravityZone console and via the Incidents APIs, specifically the createCustomRule and getCustomRulesList functions.
GravityZone platform
Scan actions were changed throughout the GravityZone console as follows:
Ignore and Take no action were renamed Report only.
Disinfect was renamed Remediate.
Delete was removed entirely, and its functionality has been replaced by Remediate.
Only primary actions are now available for infected objects. The alternative actions were removed.
All actions for suspicious files were removed.
These changes are visible in the policies, tasks, reports, notifications, and other sections such as Threats Xplorer.
Risk Analytics
The Risk Management feature has been redesigned and several pages have been renamed for better cross-feature uniformity:
The Misconfigurations page is now called Findings.
The User behavior risks page is now called Identity risks.
The Devices page is now called Resources.
The Users page is now called Identities.
Subsequently, all the columns and headers corresponding to the new names have been adjusted as well.
Findings associated with Cloud resources are now available in the Risk Management section, providing a better understanding of the security posture and hardening of the organization.
To view these findings you require a CSPM+ license and a GravityZone base license that provides access to the Risk Management feature.
Policies
The following sections now feature a new design and improved interface texts:
Firewall
Network Protection
These sections add up to those previously revised. The remaining sections will gradually migrate to the new design in future GravityZone releases.
Public API
Accounts API
The getAccoutDetails method is now available.
Incidents API
Added additional Detections and exclusion values, criteria, and parameters for the createCustomRule method. You can include them in requests to add exclusions for XDR incidents. For more information on custom exclusion rules, refer to this KB article.
The getCustomRulesList method now returns the filters parameter.
Reports
Made key enhancements to the CSV version of the License Status report for managed service providers (MSPs), including renamed, replaced, and new columns to clarify license allocation and availability details for monthly subscription clients.
If your company is using a monthly subscription and you employ scripts that use the License Status report, we recommend updating them promptly to ensure continued compatibility with these changes.
Container Protection
A new variable has been added to the command that installs a Security Container on a Linux server with Docker installed. The Certificate Signing Request token BSC_CSRTOKEN is available in the installer.xml file.
The same parameter has been added to the command that deploys a Security Container instance on a cluster. You can find the csrtoken value in GravityZone Control Center by selecting your installation package and then clicking Download > Security Container.
Ransomware Mitigation
The new EFS Protection feature has replaced Ransomware Vaccine. You can access EFS Protection under Antimalware > On-Execute > Ransomware Mitigation.
Resolved issues
Risk Analytics
Resolved a minor rounding issue causing lower risk score calculations.
Fixed an issue causing outdated data to be considered in risk score calculation.
Note
These changes may cause an increase in your company's calculated risk score.
GravityZone platform
Company-customized logos are now properly displayed in the GravityZone console.
Security fixes.
Network
Fixed an issue where the endpoint details window incorrectly displayed that the policy was edited by Power User after reinstalling the agent.
October 2024 (Version 6.56.0-1)
Early Access
New Network
More actions have been added to the new Network section.
Install patches
Assign tags
Unassign tags
Mark as Golden Image
Unmark as Golden Image
Isolate endpoint
Remove from isolation
Uninstall agent
Restart endpoint
Repair agent
New features
Control Center
Partner type companies with a monthly subscription now have an improved experience when accessing the Control Center landing page. The page features user-friendly content that simplifies basic tasks and provides access to the latest news from Bitdefender.
Improvements
EDR
Some endpoint operations are now going to use the configuration settings in Policies > General > Communication > Communication between Endpoints and Relays/GravityZone. For more information, refer to the section with the same name in the Communication page.
Policies
The following sections now feature a new design and improved interface texts:
Device Control
Sandbox Analyzer
These sections add up to those previously revised. The remaining sections will gradually migrate to the new design in future GravityZone releases.
Configuration profiles
When cloning a policy, its configuration profiles are duplicated only if they originate from another company. The duplicated configuration profiles include exclusions, maintenance windows, and Web Access Control schedules.
This behavior applies to policies received from partner companies. Learn more.
User activity
Changes to the policy settings are now recorded with greater detail in the User activity section, under the Edited action and the Policies area.
Public API
Incidents API
A new method is now available: createResponseAction. You can use it to take response actions on user nodes generated in GravityZone XDR incidents or in your own SOC-generated incidents. You can make the request based on an XDR incident ID, or based on user data specified in the node. The following actions are available:
Disable the user
Force reset the user credentials
Mark the user as compromised
Delete the user's email
For more information on response actions, refer to this KB article.
The getResponseActionStatus method is now available. You can use it to check the status of a requested response action on an XDR incident.
Resolved issues
Network Protection
Fixed an issue where disabling the Network Protection module wouldn't disable the Application Blacklisting option in the policy sent to the endpoint.
GravityZone platform
Security fixes.
September 2024 (Version 6.55.0-1)
Early Access
New Network
Redesigned actions and improved functionalities were added to the new Network section.
New actions:
Malware scan
IOC scan
Exchange scan
New functionalities:
Go to location (replacing Go to container from the old Network)
Reports
Column sorting
Additional
New feedback form after opting out of the Early Access Program
Some features are not currently included or might not work as expected. We will address these issues and add new functionalities in upcoming releases. Your feedback is highly appreciated and can help us refine and improve the new Network. Learn more
New features
Update staging
You can now test different versions of Bitdefender Endpoint Security Tools on user-controlled update rings before deploying them to your production environment. You have the option to choose between Test ring 1, Test ring 2, and Production ring, in addition to the Bitdefender-controlled fast and slow rings.
The settings are available as follows:
In the GravityZone main menu, under Configuration profiles > Update staging.
In the policy settings, under General > Update > Update rings.
On the Installation packages page, in the Download and Send download links menus.
Products that support update staging:
GravityZone Business Security Enterprise
GravityZone Security for Endpoints Physical Workstations
GravityZone Security for Endpoints Physical Servers
GravityZone Security for Virtualized Environments VDI
GravityZone Security for Virtualized Environments VS
GravityZone Security for Workstations
GravityZone Security for Servers
Bitdefender MDR, including Bitdefender MDR Premium and Bitdefender MDR Plus
Note
Update staging with Relay requires BEST Relay version 7.9.15.437 or later on Windows, and 7.2.1.200164 or later on Linux. These versions use a new update technology, Reverse Proxy with Caching, which is necessary for this process.
BEST for Mac supports update staging in version 7.17.46.200025 and later.
XDR
You can now download XDR NSVA packages from the Network > Installation Packages page.
The Suspected actors widget is now available in the Overview tab of the Incidents view window. The widget provides details for identifying and determining the threat actors involved in the incident.
When integrated with the IntelliZone platform, this feature provides additional context on the actor and allows security analysts to take prevention measures to secure their organization against that actor.
Reports
The Simplified Monthly License Usage report is now available for MSP companies. The report is a lightweight version of the Monthly License Usage report, and contains only the company related usage information, omitting the endpoint related bottom half of the report.
Risk Analytics
Compliance reports are now available in GravityZone. You can access the reports from the Risk Management dashboard page. The feature is currently in controlled availability. To learn more, contact your sales representative.
Compliance reports provide you with a detailed, targeted overview of your company's compliance with corporate governance policies, enterprise risk management, and company regulatory policies. The report gathers data from your company's managed endpoints, groups it into compliance-relevant topics, and creates an easily readable, single source of insight into endpoint compliance.
All checks are made based on CIS V8 compliance standards.
Improvements
Risk Analytics
The Risk Management feature has been completely redesigned and restructured:
The tabs previously available under the Security Risks page have now been redesigned and restructured under separate GravityZone pages.
The Risk Management dashboard has been redesigned to improve visualization and enhance your experience while assessing the overall level of risk your company may be facing:
Hovering over the Company risk score widget now displays a breakdown of the score.
The Industry widget has been renamed to Score breakdown. It displays the company's score breakdown and number of CVEs that apply to it.
The UI and functionality of all new and existing pages have been redesigned to offer a better user experience:
All pages have been enhanced with the Smart views feature.
You can now add any individual misconfiguration, user, or device to a Watchlist. These are available on all pages, as a predefined default view.
You can create a scan task from any of the Risk Management pages, using the Scan button.
You can now pivot between individual widgets in the dashboard and their corresponding pages. When viewing additional risk information, you can pivot directly to the source of the information.
Hovering over the values under the Risk score column displays the breakdown of the score.
Important
The Risk Analytics redesign also comes with a new scoring system, causing old data to no longer be available. Risks previously ignored will be reinstated. To get started with the redesigned feature, start a new scan to gather data.
To ensure optimal results, make sure all your agents are updated to the latest product and security signatures version.
Policies
This update comes with a new design and improved interface texts for the following policy sections:
Live Search
Relay
These sections add up to those revised previously. The remaining sections will gradually migrate to the new design in future GravityZone releases.
Public API
Companies API
Added new values for the industry parameter of the createCompany method. The industry attribute returned by the getCompanyDetails method now returns additional values.
Network API
The createSubmitToSandboxAnalyzerTask method is now available. You can use this method to create a Sandbox Analyzer task and submit up to five files for analysis. The task pulls the files that need to be analyzed from a target endpoint, along with any other files that need to be involved in the process.
The killProcess method is now available. You can use this method to terminate an active process using its process ID, its path, the endpoint where it is running, and, if available, the ID of the incident it generated.
Packages API
The getInstallationLinks method has been updated to match the changes made to installation packages:
Added the ringId parameter.
Adapted the method response to provide the necessary details.
Network Protection
You can now enable the Inspect TLS Handshake feature in Network Protection > General > Network Protection > Intercept TLS handshake.
This feature intercepts malicious domains during TLS Handshake phase, detecting potential threats without decrypting traffic. It scans outbound processes except the ones defined in Network Protection > General > Network Protection > Intercept encrypted traffic > Scan HTTPS, and allows you to respond by denying access to the page or by resetting the connection.
This feature is compatible only with Windows operating systems.
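How a handshake can be inspected without decrypting anything: the host name in the ClientHello's SNI extension travels in clear text, so a domain verdict can be reached before any application data flows and the connection can be denied or reset on that basis. The Python below is an added example for this release note, not Bitdefender's implementation, and it assumes the domain is read from the SNI extension (the note does not say how the feature identifies the domain); the ClientHello bytes, the blocklist and the hostnames are constructed for the demonstration.

```python
"""SNI-based inspection of a TLS ClientHello (added example; not Bitdefender's implementation)."""
import struct
from typing import Iterable, Optional

SNI_EXTENSION = 0x0000  # server_name extension, RFC 6066
HOST_NAME = 0           # the only defined server_name type
# Constructed blocklist for the demonstration; a deployment would feed this from threat intelligence.
BLOCKED_DOMAINS = {"malicious.example", "phish.invalid"}


def build_client_hello(hostname: str, with_sni: bool = True) -> bytes:
    """Build a minimal, well-formed TLS ClientHello record (constructed test vector, not a capture)."""
    name = hostname.encode("idna")
    # An unrelated extension (supported_versions, 0x002b) comes first so the parser has to skip it.
    extensions = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    if with_sni:
        server_name = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(server_name)) + server_name
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"            # client_version (TLS 1.2 wire value)
        + bytes(32)            # random (zeros, constructed)
        + b"\x00"              # session_id length 0
        + b"\x00\x02\x13\x01"  # cipher_suites: one suite
        + b"\x01\x00"          # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def _parse_sni(data: bytes) -> Optional[str]:
    """Walk the server_name_list and return the first host_name entry."""
    (list_len,) = struct.unpack("!H", data[:2])
    pos, end = 2, 2 + list_len
    if end > len(data):
        raise ValueError("truncated server_name_list")
    while pos + 3 <= end:
        name_type = data[pos]
        (name_len,) = struct.unpack("!H", data[pos + 1:pos + 3])
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if len(name) != name_len:
            raise ValueError("truncated host_name")
        if name_type == HOST_NAME:
            return name.decode("ascii")
    return None


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host name of a ClientHello record, or None when the hello carries no SNI.
    Raises ValueError for anything that is not one complete, well-formed ClientHello."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if len(hs) != rec_len or hs[0] != 0x01:
            raise ValueError("not a complete ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello body")
        pos = 2 + 32                      # skip client_version and random
        pos += 1 + body[pos]              # session_id
        (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2 + cs_len                 # cipher_suites
        pos += 1 + body[pos]              # compression_methods
        if pos == len(body):
            return None                   # legacy hello without an extensions block
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        if end != len(body):
            raise ValueError("extensions length mismatch")
        while pos + 4 <= end:
            ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if len(data) != elen:
                raise ValueError("truncated extension")
            if ext_type == SNI_EXTENSION:
                return _parse_sni(data)
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def decide(record: bytes, blocked: Iterable[str] = BLOCKED_DOMAINS) -> str:
    """'deny' for a blocked domain or any of its subdomains, 'allow' otherwise,
    'no-sni' when the hello names no host so no domain verdict is possible."""
    host = extract_sni(record)
    if host is None:
        return "no-sni"
    host = host.lower().rstrip(".")
    for domain in blocked:
        if host == domain or host.endswith("." + domain):
            return "deny"
    return "allow"


if __name__ == "__main__":
    for name in ("login.malicious.example", "docs.example.org"):
        print(name, "->", decide(build_client_hello(name)))
```

The "no-sni" outcome is the practical caveat: a client that omits SNI, or one using Encrypted Client Hello, gives a handshake-only inspector nothing to match, so the verdict for that case has to come from policy rather than from the domain.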
XDR
The Associated risks widget has been improved and now offers a better graphical representation of the distribution of risks.
User activity
Improved information availability for change partner events.
GravityZone platform
You may notice small design changes at the menu in the upper right corner of the console.
Resolved issues
GravityZone platform
Security fixes.
August 2024 (Version 6.54.0-1)
Improvements
GravityZone platform
Implemented internal optimizations for enhanced performance and stability of GravityZone.
August 2024 (Version 6.53.0-1)
Early Access
New Network
The new Network section offers a range of fresh and enhanced features to help you navigate and manage all entities in your network. You are now able to effortlessly monitor the status of endpoints, allocate resources, and resolve any issues that may come up. In addition, the page provides a user-friendly interface to ensure smooth navigation and effective management of network assets.
The functionality of the old Network section remains unaffected by the introduction of the new Network section. The new section can be found in the main GravityZone menu, labeled as EA Network, once you enroll in the Early Access Program.
This is the first iteration of the new Network. Some features are not currently included or might not work as expected. We will address these issues and add new functionalities in upcoming releases. We also expect feedback from you to continue improving the new Network. Learn more
External Attack Surface Management
Performed several minor visual changes to the EASM Inventory page to improve the user experience.
New features
Antimalware
Advanced Threat Control now includes a new capability. The option Sensitive Registry Protection is designed to safeguard critical registry keys including those associated with the Security Account Manager from unauthorized access or exploitation such as malicious registry key dumping. This technology ensures comprehensive protection of user authentication data and system security policies on your systems.
The option is located in the policy under Antimalware > On-Execute > Advanced Threat Control.
You can find and further analyze this type of event by generating a Security Audit or Blocked Applications report.
Tasks
A new task named Submit to Sandbox Analyzer allows you to remotely send samples from any managed endpoint running Windows to Sandbox Analyzer. The new option is available in the Tasks menu on the Network page.
Improvements
Incidents
New Blocklist rules, including application paths and connections, can now be added and configured in the Incidents section. You can also import local CSV files to easily add a large number of rules at once. Blocklist rules serve as guidelines for creating and managing a list of entities that are denied access due to potential threats.
EDR
Automatic response actions for custom detection rules are now available. Once set up, these actions execute on protected endpoints even when disconnected from GravityZone Control Center. This new feature ensures your security measures stay robust and responsive.
All actions are visible in GravityZone for complete oversight.
XDR
You are now able to monitor multiple network subnets using a single Network Sensor Virtual Appliance. For more information, refer to this article.
Notifications
The Password expiration reminder has been enhanced to include the affected account's email address.
Public API
Incidents API
Version 1.2 is now available for the following methods, providing various user experience improvements:
addToBlocklist
getBlocklistItems
removeFromBlocklist
Tip
To use version 1.2, you will have to change the API URL. Version 1.0 for these methods, while deprecated, is still available for use. Existing methods remain unchanged and the same parameters and attributes apply.
The automaticResponse setting is now available for the settings parameter of the createCustomRule method. You can use it to configure the automatic actions for Custom detection rules.
The getCustomRulesList method now returns the enableAutomaticActions and automaticActions settings under the settings object. They provide information regarding automatic actions for Custom detection rules.
Policy API
Version 1.1 is now available for the following method, providing various user experience improvements:
getPolicyDetails
Tip
To use version 1.1, you will have to change the API URL. Version 1.0 for this method, while deprecated, is still available for use. Existing methods remain unchanged and the same parameters and attributes apply.
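The Incidents API and Policy API notes above (createCustomRule, getCustomRulesList, and the versioned API URL) all rely on the same JSON-RPC 2.0 framing the GravityZone public API uses: one POST per call, HTTP Basic authentication with the API key as the user name, and a result or error object in the reply. The Python client below is an added example written for these notes, not Bitdefender's own code or an official SDK. It assumes that the API version selects the URL path (which is what "change the API URL" refers to), assumes the service names incidents and policies and the items list shape of the getCustomRulesList result, and uses a placeholder host and API key; the sample response, rule names and action values are constructed.

```python
"""JSON-RPC 2.0 request framing for the GravityZone public API (added example, not an official SDK)."""
import base64
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Assumption: placeholder console host and key; use your region's GravityZone host and your own API key.
CONSOLE_HOST = "cloud.gravityzone.bitdefender.com"
API_KEY = "<your-api-key>"
# Assumption: the API version is part of the URL path; 1.0 stays reachable while deprecated.
SUPPORTED_VERSIONS = {"1.0", "1.1", "1.2"}


def build_url(version: str, service: str, host: str = CONSOLE_HOST) -> str:
    """Return the JSON-RPC endpoint of one API service at a given version (assumed path layout)."""
    if version not in SUPPORTED_VERSIONS:
        raise ValueError(f"unsupported API version: {version}")
    return f"https://{host}/api/v{version}/jsonrpc/{service}"


def auth_header(api_key: str) -> Dict[str, str]:
    """HTTP Basic authentication: the API key is the user name and the password is empty."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def build_request(method: str, params: Optional[Dict[str, Any]] = None,
                  request_id: str = "1") -> Dict[str, Any]:
    """JSON-RPC 2.0 envelope; params is keyed by the parameter names in the API reference."""
    return {"jsonrpc": "2.0", "method": method, "params": params or {}, "id": request_id}


def parse_response(body: str, request_id: str = "1") -> Any:
    """Validate the JSON-RPC envelope, surface API errors as exceptions, return the result."""
    msg = json.loads(body)
    if msg.get("jsonrpc") != "2.0" or msg.get("id") != request_id:
        raise ValueError("response does not belong to this request")
    if "error" in msg:
        err = msg["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return msg["result"]


def call(version: str, service: str, method: str,
         params: Optional[Dict[str, Any]] = None, api_key: str = API_KEY) -> Any:
    """Perform one call over HTTPS; not exercised offline, shown to tie the pieces together."""
    request_id = "1"
    data = json.dumps(build_request(method, params, request_id)).encode("utf-8")
    req = urllib.request.Request(build_url(version, service), data=data,
                                 headers=auth_header(api_key), method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"), request_id)


def rules_with_automatic_actions(result: Dict[str, Any]) -> List[str]:
    """Names of custom detection rules whose settings enable automatic actions.
    Assumption: the list result carries an "items" array and each rule a "settings" object,
    which per the release note holds enableAutomaticActions and automaticActions."""
    names = []
    for rule in result.get("items", []):
        settings = rule.get("settings", {})
        if settings.get("enableAutomaticActions") and settings.get("automaticActions"):
            names.append(rule["name"])
    return names


# Constructed sample reply to getCustomRulesList; rule names and action values are placeholders.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": "1",
    "result": {
        "total": 2,
        "items": [
            {"id": "rule-a", "name": "Rule A",
             "settings": {"enableAutomaticActions": True, "automaticActions": ["placeholder-action"]}},
            {"id": "rule-b", "name": "Rule B",
             "settings": {"enableAutomaticActions": False, "automaticActions": []}},
        ],
    },
})

if __name__ == "__main__":
    print(build_url("1.2", "incidents"))   # the deprecated 1.0 endpoint differs only in the path
    print(json.dumps(build_request("getCustomRulesList")))
    print(rules_with_automatic_actions(parse_response(SAMPLE_RESPONSE)))
```

Checking the reply's id against the request and treating a JSON-RPC error object as an exception are the two habits that keep automation scripts from silently acting on a failed call; the version string is deliberately the only thing that changes between the 1.0 and 1.2 endpoints, so migrating a script is a configuration change rather than a rewrite.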
Resolved issues
GravityZone platform
Users can save up to 100 offline cleanup rules in Configuration > Network settings > Offline Machines Cleanup.
Security fixes.
Reports
The ATC module is now correctly included in the graph section of the Endpoint Modules Status report.
Risk Management
Fixed an issue causing users to be logged out when trying to load any risk with a large number of affected devices.
July 2024 (Version 6.52.0-1)
Early Access
External Attack Surface Management
External Attack Surface Management (EASM) is now available for Early Access. It is currently in controlled availability.
EASM solutions help organizations gain a comprehensive view of their external attack surface. These solutions automatically discover and organize all assets, services and potential vulnerabilities that are accessible from the internet. Bitdefender EASM helps companies reduce their attack surface by identifying internal and external assets exposed to the internet, thus enhancing existing GravityZone capabilities.
You can access External Attack Surface Management from the EASM dashboard and EASM inventory pages, under Risk Management.
New features
Antimalware
The Antimalware module capabilities are now enriched with a new feature that enables Unified Extensible Firmware Interface (UEFI) scanning. The new Scan UEFI option ensures the security and integrity of the system's boot process and protects against sophisticated threats that can persist at the firmware level.
The feature is available for on-demand scheduled tasks in the policy and malware scan tasks from the Network page. The option is located under the Miscellaneous section of each Full, Quick, and Custom scan type and is enabled by default when the security level is set to Aggressive.
You can find and further analyze this type of detection event using Threats Xplorer, or by generating a Security Audit report.
Licensing
Company administrators can now make the following changes to their existing yearly licenses:
Increase the number of seats of your license up to 100. If you want to extend your license further, you need to purchase an additional license key.
Extend the expiration date by a period equal to or shorter than the original license duration.
The changes can be done from the Plans and purchase tab, in the Edit company window.
Important
This feature is only available for licenses with less than 100 seats and purchased online, directly from Bitdefender.
Improvements
GravityZone platform
Security for Amazon Web Services now supports the Asia Pacific (Osaka) mandatory region.
Policies
This update comes with a new design and improved interface texts for the following policy sections:
Patch Management
Integrity Monitoring
Encryption
Incidents Sensor
Storage Protection
Risk Management
The remaining sections will gradually migrate to the new design in future GravityZone releases.
All pages with new design now include a link to related GravityZone documentation under Get help from Support Center.
As a Partner, when you access the Policies page, your company's policies are automatically displayed. To view policies from other companies, select a different option in the Company column.
You can now create a maintenance window directly in the Patch Management section of the policy settings if none is available for selection. This maintenance window includes patch scanning settings only. To install patches, go to the main menu and edit the window in the Configuration profiles section.
You now receive relevant messages when trying to import exclusions files with errors in the Storage Protection section.
When disabling Use Bitdefender Global Protective Network to enhance protection in the policy settings, the confirmation message now informs you that you must switch to Local Scan engines if you are using Hybrid Scan engines.
Patch Management
Manually approved patches, including Microsoft Windows Feature Updates and security tools, are now available for Windows endpoints. These updates cannot be installed automatically.
Some highlights:
GravityZone sections such as Dashboard, Network, Tasks, Patch Inventory, Maintenance Windows, and User Activity have been updated to support Manually approved patches.
The Network Patch Status report now includes information related to Manually approved patches.
Network protection
The Time Limiter tab, which allowed you to configure time-based access restrictions, has been removed from Network Protection > Content Control > Web Access Control > Settings.
The Block/Schedule/Allow selector, previously used for auto-selecting intervals in the Time Limiter feature, has also been removed from the Web Access Control section, simplifying the user interface and reducing complexity.
You can now define schedulers in Configuration Profiles > Web Access Control Scheduler without needing to select a category, thus making the Categories field optional.
You must still indicate the required time and day. This modification enables schedulers to accurately represent time-limiter intervals, offering more flexibility in scheduling without being limited by pre-established categories.
You can now add a maximum of 20 schedulers for each Schedule created in Configuration Profiles > Web Access Control Scheduler.
Tasks
The Delete button on the Tasks page now also removes pending subtasks of tasks that are in progress. The confirmation window and the User activity page have been updated to reflect the changes.
Public API
Maintenance windows API
The manuallyApprovedPatchesSettings setting is now available for the updateType parameter when making requests using the createPatchManagementMaintenanceWindow and updatePatchManagementMaintenanceWindow methods.
The response for the getMaintenanceWindowDetails method now includes the manuallyApprovedPatchesSettings setting.
A new method is available: getManuallyApprovedPatches.
Network API
The new deleteTask method now removes pending subtasks of tasks that are in progress.
XDR Sensors
When displaying a network sensor in Sensors management, you can now find the complete details of the NSVA, including all the networks it is monitoring and their user provided details.
Resolved issues
Device Control
Some users faced challenges adding exclusions for wireless headphones in Device Control.
Tasks
Tasks performed on endpoints removed from the GravityZone database showed the computer name as obfuscated.
Policies
In some cases, users were unable to save policies containing entries under Exchange Protection > General > Domain IP Check (Antispoofing).
GravityZone platform
Security fixes.
June 2024 (Version 6.51-01)
New features
MSP Product Trials
The EDR Trial report feature offers a summary of the EDR related activity observed during the trial. The report offers MSPs a comprehensive view of the client's current cybersecurity landscape, highlighting connections to EDR data to emphasize the potential risks of security events and the effectiveness of EDR in addressing them.
Partners can download this summary as a PDF file from the Product Trials Hub tab in the Edit company window. The downloaded document is available for each company that has been, or is, enrolled in an EDR Trial, and contains information specific to that company.
Public API
A new method is now available for the Network API: deleteTask. The method allows users to delete a specific task, identifying it using its task ID.
Improvements
Licensing
The GravityZone CSPM+ license now also provides access to cloud detection and response features, as follows:
XDR incidents resulted from cloud sensor detections.
The following XDR sensors: CSPM+, AWS, Azure Cloud, and Google Cloud Platform.
The Incidents page, which lists the abovementioned incidents.
Note
Only incidents created from cloud sensors will be made available.
For access to XDR endpoint incidents or other XDR sensors you still require the appropriate license.
Resolved issues
Health Dashboard
Fixed an issue that caused inconsistencies between the number of non-compliant endpoints in the Endpoints policy status widget and the number reported in the Policy Compliance report.
Network
Fixed an issue causing endpoints to incorrectly appear as isolated in GravityZone.
Due to an internal issue, scheduled Reconfigure agent tasks were running immediately on endpoints.
In some cases, users were forcefully logged out of GravityZone after attempting to delete multiple endpoints from the Network grid.
In some cases, the endpoints were not displayed in GravityZone despite BEST being successfully installed.
In some cases, importing a CSV with Content Control exclusions in Policy > Content Control > Web Access Control > Exclusions resulted in uppercase URLs being converted to lowercase, causing exclusions to fail.
XDR
Resolved an issue that caused the Incident Graph to fail loading due to an unexpected error.
Public API
Using the updateCompanyDetails method to update a company no longer incorrectly activates its subscription end date by adding a value to the company's endSubscription attribute.
Licensing
Fixed an issue causing an error message to appear when trying to save changes to a GravityZone company. This would occur due to an inconsistency in the company's recorded subscription end date.
GravityZone platform
Security fixes.
April 2024 (Version 6.50.0-1)
New features
Anti-tampering
Anti-tampering enables you to view when vulnerable drivers are detected on endpoints, and when advanced attack attempts are made to disable the security agent, leading to compromised product integrity.
The feature capabilities are divided into two main categories with distinct targets:
Vulnerable drivers
This pre-tampering technology detects vulnerable drivers on endpoints that can be exploited by attackers, posing threats to the integrity of the product. The technology is compatible with Windows and Linux operating systems.
Callback evasion
This post-tampering technology can detect when the security agent callback functions have been maliciously removed or disabled. New threats or unintentional human error could be engineered to potentially allow unauthorized access to the kernel, leading to compromised product integrity. The technology is compatible with Windows operating systems.
You can enable or disable the feature and configure different actions in the policy under the Antimalware > Anti-tampering section.
To view more information about detection events you can generate a Security Audit or Blocked Applications report or use portlets. Additionally, you can be notified whenever the security agent callbacks are maliciously removed or disabled, or vulnerable drivers are detected on endpoints by using the new Anti-tampering event notification.
Control Center
Customer type companies without a monthly subscription now have an improved experience when accessing the Control Center landing page. The page features user-friendly content that simplifies basic tasks and provides access to the latest news from Bitdefender.
Improvements
Quarantine
You can now submit quarantined files to Bitdefender Labs directly from Quarantine. The new option Submit to Bitdefender Labs enables you to submit previously retrieved files for an in-depth analysis that can rule out possible false positive detections. You will receive the analysis results on the email address provided when submitting the file.
You can now remotely retrieve and download quarantined files from endpoints with Linux operating systems.
Notifications
GravityZone email notifications now have a fresh design, revised email subjects and notification titles. Additionally, some notifications in GravityZone Control Center have been renamed. You can find more information in Changes to GravityZone email notifications.
The New incident notification has been improved: all configuration options have been merged into one. Existing users with any of the three settings activated prior to the update now have the New incident notification enabled by default.
Policies
The Actions button from Configuration Profiles > Exclusions has been removed.
The Export Selection and Delete options, previously located under Configuration Profiles > Exclusions > Actions, have been added to the interface for better accessibility and ease of use.
Cloud Security
GravityZone user account permissions now apply to existing roles from the Cloud Security console. Depending on the user rights assigned to your GravityZone account, you will have access only to specific features, actions or sections of the Cloud Security console.
EDR
The Response tab is now also available for EDR incidents.
On demand endpoint actions executed from an incident graph are now displayed in the response grid of that incident.
The status of tasks resulting from EDR response actions is now changed to Failed after being unresponsive for two days.
The Remediation button and the associated section have been removed from the Endpoint Incidents tab and are now available in the new EDR Response tab.
You can now manually mark endpoint response actions as done or dismissed from the Response grid.
MSP
The requirements for Partners, and the procedure for licensing, provisioning, and activating the Bitdefender MDR Service for companies using monthly licenses have changed. To facilitate these changes, there have also been some changes made in the GravityZone console.
The Contact Details section under the My company page is now called Contact details for GravityZone.
A new section is now available under the My company page: Contact details for Bitdefender MDR. This section contains mandatory information required to onboard a partner Company that is new to the MDR console. When saving the information, validation is required, and can be done by sending a code to the email address assigned to the contact.
The information in this section is mandatory for Partner companies that haven't enabled the MDR service and haven't initiated onboarding prior to this release. Until the information is filled in, they will not be able to enable the MDR service for their client companies' own use.
Once the information has been saved, an Emergency Contact is automatically created in the Bitdefender MDR console. You cannot change this information at a later date from GravityZone.
The requirements for activating the MDR service for reselling for client Partner companies are:
The company must have the The company's Partner can assist with the security management setting enabled.
The requirements for the onboarding process to begin for a Partner company are:
The company must have the Managed Detection and Response Foundations service enabled for resell.
All the information under the direct Partner's Contact details for Bitdefender MDR section is filled in with valid data.
Once all requirements are met, an automatic activation email is sent to the contact listed under Contact details for Bitdefender MDR.
The requirements for activating the MDR service for the own use of client Customer companies are:
The Client company's direct partner has the Bitdefender MDR service enabled for reselling.
Both the Partner and the Client companies must have the The company's Partner can assist with the security management setting enabled.
At least one of these requirements must be met:
All the information under the direct Partner's Contact details for Bitdefender MDR section is filled in with valid data.
The Bitdefender MDR service has already been enabled and the onboarding process started prior to this release.
Public API
Accounts API
The phoneNumber parameter is now available for the createAccount and updateAccount methods.
Companies API
The mdrContactInformation attribute is now returned by the getCompanyDetails method.
The mdrContactInformation parameter is now available for the updateCompanyDetails method.
General API
A new method is available: generateEmailVerificationCode. This will allow you to send an email verification code to the email address specified in the MDR contact person section.
Incidents API
Version 1.1 is now available for the updateIncidentNote method.
Network API
The getTaskStatus method now also includes information for each endpoint the task ran on. The information is organized into subtasks.
Important
These changes only apply to version 1.1 of the method.
Resolved issues
Network
In some cases, restoring the Docker host resulted in container duplication and the container inventory failing to load in the Network page.
GravityZone platform
Security fixes.
Known issues
Notifications
GravityZone users from companies using Business Security Premium license are not receiving New incident notifications.
March 2024 (Version 6.49.0-1)
Early Access
YARA detection rules
YARA rules are now available on macOS endpoints starting with the following BEST version: 7.16.42.200016.
New features
MSP Product Trials
MSP Product Trials enables partners to enroll client companies in trials, allowing them to test out features, add-ons, and services that are not included in their subscription. The feature is being released in stages, in a controlled availability manner.
Improvements
Threats Xplorer
You can now filter detection events based on endpoint tags. Using automatic or custom tags helps you view events from specific endpoint groups and efficiently analyze and correlate detections.
Executive Summary
The Incidents status widget was renamed to Incidents breakdown by action taken and, for a more granular view, the widget categories are now available as:
Reported: includes Endpoint and Organization incidents upon which no action was taken and require further investigation.
Partially blocked: includes Organization incidents in which the automatic actions defined in the policies have been taken only on some entities.
Blocked: includes Endpoint incidents that were detected and blocked by GravityZone prevention modules.
Help & Support
The Help & Support page has a new design, easier to navigate. Topics are displayed on cards organized in two tabs:
Basics - covers GravityZone general use, technical assistance, legal aspects, and more.
Advanced Configuration - provides information on specific GravityZone features.
As with the previous Help & Support page, the content depends on the company type and the license you are using.
Public API
Packages API
A new method is now available: updatePackage. You can use it to update installation packages.
Companies API
The getCompanyDetails method now returns the ParentCompanyId attribute.
API Event Push Service
Events sent through the Event Push Service API that fail to deliver are now saved in a buffer, which can hold up to 1000 messages. Once the counter exceeds 1000 messages, Event Push Service will automatically stop sending events, and it will reset the serviceSettings.status field used in the getPushEventsSettings method to 0.
The getPushEventStats method now returns the max attribute, which is an object that contains the messageQueueBytes and messageQueueLength attributes.
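A defender relying on the Event Push Service for SIEM forwarding will want to notice when the buffer has overflowed and the service has silently stopped. The following added example (not Bitdefender's code) classifies the service state from the getPushEventsSettings and getPushEventStats results described above; the JSON-RPC envelope, the Basic-auth header, the /api/v<version>/jsonrpc/<api> URL form and the response shapes are assumptions, not taken from the page.

```python
"""
Added example, not Bitdefender's code: an offline health check for the GravityZone
Event Push Service, based on the buffer behaviour described in the release note
(buffer of up to 1000 undelivered messages; once exceeded, the service stops and
serviceSettings.status is reset to 0).

Assumptions, none of which are stated on the page:
  - the Control Center API is JSON-RPC 2.0 over HTTPS, authenticated with an API key
    sent as the user name of an HTTP Basic Authorization header;
  - the endpoint path has the form /api/v<version>/jsonrpc/<api name>;
  - the response shapes of the constructed SAMPLE_* dictionaries below.
"""
import base64
import json
import uuid
from typing import Optional
from urllib import request

PUSH_BUFFER_LIMIT = 1000   # from the release note: the buffer holds up to 1000 messages
NEAR_FULL_RATIO = 0.8      # alert threshold chosen for this example


def api_url(base_url: str, api_name: str, version: str = "1.0") -> str:
    """Build the method-group URL; moving to version 1.1 means changing this URL (assumed form)."""
    return f"{base_url.rstrip('/')}/api/v{version}/jsonrpc/{api_name}"


def build_headers(api_key: str) -> dict:
    """HTTP Basic header with the API key as user name and an empty password (assumed scheme)."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return {"Content-Type": "application/json", "Authorization": f"Basic {token}"}


def build_request(method: str, params: Optional[dict] = None) -> dict:
    """JSON-RPC 2.0 envelope with a fresh id so replies can be matched to calls."""
    return {"jsonrpc": "2.0", "method": method, "params": params or {}, "id": str(uuid.uuid4())}


def call(base_url: str, api_key: str, api_name: str, method: str,
         params: Optional[dict] = None, version: str = "1.0") -> dict:
    """Perform one live call and return the JSON-RPC 'result'; raises on an API error."""
    body = json.dumps(build_request(method, params)).encode("utf-8")
    req = request.Request(api_url(base_url, api_name, version), data=body,
                          headers=build_headers(api_key), method="POST")
    with request.urlopen(req, timeout=30) as resp:
        reply = json.load(resp)
    if "error" in reply:
        raise RuntimeError(f"{method} failed: {reply['error']}")
    return reply["result"]


def assess_push_service(settings_result: dict, stats_result: dict) -> dict:
    """
    Classify the push service from getPushEventsSettings and getPushEventStats results.

    stopped  - serviceSettings.status is 0: the buffer overflowed (or the service was
               disabled) and no events are being forwarded to the SIEM.
    degraded - still running, but the peak queue length is close to the 1000 limit.
    healthy  - running with a comfortable margin.
    """
    status = settings_result.get("serviceSettings", {}).get("status")
    peak = stats_result.get("max", {})
    queue_len = int(peak.get("messageQueueLength", 0))
    queue_bytes = int(peak.get("messageQueueBytes", 0))
    if status == 0:
        state = "stopped"
    elif queue_len >= PUSH_BUFFER_LIMIT * NEAR_FULL_RATIO:
        state = "degraded"
    else:
        state = "healthy"
    return {"state": state, "status": status, "peak_queue_length": queue_len,
            "peak_queue_bytes": queue_bytes,
            "headroom": max(PUSH_BUFFER_LIMIT - queue_len, 0)}


# Constructed sample responses (shape assumed); only the fields named on the page are used.
SAMPLE_SETTINGS_RUNNING = {"serviceSettings": {"status": 1}}
SAMPLE_SETTINGS_STOPPED = {"serviceSettings": {"status": 0}}
SAMPLE_STATS_LOW = {"max": {"messageQueueBytes": 48123, "messageQueueLength": 37}}
SAMPLE_STATS_FULL = {"max": {"messageQueueBytes": 1534000, "messageQueueLength": 1000}}

if __name__ == "__main__":
    # Offline demonstration; a live monitor would feed call(...) results into assess_push_service.
    for label, settings, stats in [("running, low queue", SAMPLE_SETTINGS_RUNNING, SAMPLE_STATS_LOW),
                                   ("running, full queue", SAMPLE_SETTINGS_RUNNING, SAMPLE_STATS_FULL),
                                   ("stopped", SAMPLE_SETTINGS_STOPPED, SAMPLE_STATS_FULL)]:
        print(label, "->", assess_push_service(settings, stats))
```

A "stopped" result is the case to alert on: re-enabling the service restores forwarding, but events dropped while the buffer was over the limit are not replayed by anything shown on this page.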
User Activity
Entries related to creating or editing a policy now include the list of changed settings in the Details area. The settings are grouped by sections.
XDR
The Sensors Management feature now provides integration with two new sensors:
CSPM+. This new sensor collects telemetry about the security posture of cloud platforms from Cloud Security to enrich GravityZone XDR incidents and risk information.
Security for Mobile. This new sensor processes mobile device events collected from GravityZone Security for Mobile.
The Associated risks widget is now available in the Overview tab of the Incidents view window. The widget provides a graph detailing a breakdown of all known risks per entity type and links to related entities.
Limitations
Custom rules
Custom detection rules and Custom exclusion rules features will only work if your endpoints have the following version of BEST or newer, as announced in the GravityZone banner in January:
7.9.5.324 (Windows)
7.0.3.2271 (Linux)
7.14.32.200019 (macOS)
Resolved issues
Security for AWS
The Amazon EC2 integration experienced synchronization issues, which resulted in previously removed secured instances being displayed in the Network Inventory.
Network protection
Some users experienced an issue where exclusions were still being applied, even when the Use Exclusions option was disabled in the Web access control settings section.
Power User
The Network section and the Policy Compliance report did not reflect changes made by Power User to the policy.
GravityZone platform
Security fixes.
February 2024 (Version 6.48.0-1)
Early Access
Health Dashboard
The export functionality is now available in Health Dashboard. You can use this new option to access and manage the centralized data outside GravityZone Control Center, according to your needs. All events are exported in the widely available CSV format, making it easier to import into other software programs tailored for your business.
A new entry is now available in the Endpoint patch management widget. Patches available, not installed provides you with the number of endpoints in your network that have patches available, but no patch installation task was initiated to install them.
New features
Security Telemetry
You can now enable sending telemetry data from your BEST protected endpoints to integrated platforms in syslog format. The option can be accessed by editing a policy, going to General > Security Telemetry and selecting Syslog (JSON) from the SIEM solution field under the SIEM Connection Settings section.
XDR demo incident
A new demo function is now available on the Incidents page. This feature simulates a scenario from multiple sensors and showcases the capabilities of the XDR feature.
You can access this new capability from the Show demo incident button, on the upper right side of the Incidents page.
GravityZone platform
A new GravityZone Cloud instance hosted in Singapore is now available.
Improvements
Security for AWS
Security for AWS now includes the following improvements:
Licensing compatibility extends to all GravityZone standard products with the exception of Free Risk Assessment Tool and GravityZone EDR Cloud.
It supports multiple Amazon EC2 inventories per company.
Users can now set names for Amazon EC2 integrations.
The Amazon EC2 integration aligns on the same level with Computers and Groups in Network Inventory.
The Integration tags tab now also displays AWS tags. They are available in the Information window of Amazon EC2 instances. You can use tags in Policies > Assignment Rules.
The Tasks Details panel now includes information about the Amazon EC2 integration name.
The new Amazon EC2 subscription type has changed notification informs you whenever your subscription type changes from Marketplace to Partner.
The User Activity page has been updated.
Amazon EC2 Subscription Status report is now available for any company using or managing Amazon EC2 integrations.
Partners can now suspend or reactivate integrations directly from the Amazon EC2 Subscription Status report.
The Amazon EC2 Monthly Usage report now contains two new columns: Integration Name and AWS Account ID.
The Integrations page now includes multiple new columns: Name, Status, Subscription type and Subscription status.
Quarantine
You can now submit quarantined files to Sandbox Analyzer directly from Quarantine. The new option Submit to Sandbox Analyzer enables you to submit previously retrieved files for an in-depth behavioral analysis.
Filtering quarantined files based on the technology that performed the detection is now available. The new Detecting technology filter and column helps you view manually quarantined files and files detected by multiple Antimalware and Integrity Monitoring technologies.
You can now remotely retrieve and download quarantined files from endpoints with macOS operating systems.
Public API
A new version (1.1) is now available for the following APIs and methods, providing various quality of life improvements. Version 1.0 for these methods is still available for use. Existing methods remain unchanged and the same parameters and attributes apply.
Network API
getEndpointsList
getNetworkInventoryItems
createReconfigureClientTask
getTaskStatus
Incidents API
createIsolateEndpointTask
createRestoreEndpointFromIsolationTask
Quarantine API
createAddFileToQuarantineTask
createRestoreQuarantineExchangeItemTask
createRestoreQuarantineItemTask
createEmptyQuarantineTask
createRemoveQuarantineItemTask
Tip
To switch to using version 1.1, you will have to change the API URL.
The following changes have been performed for the Integrations API as a result of the changes done to AWS integrations:
The configureAmazonEC2Integration method is no longer available.
The integrationName parameter is now available for the configureAmazonEC2IntegrationUsingCrossAccountRole method.
The procedure and requirements for generating external IDs have changed, impacting requests using the generateAmazonEC2ExternalIdForCrossAccountRole method, and the information returned by the getAmazonEC2ExternalIdForCrossAccountRole and configureAmazonEC2IntegrationUsingCrossAccountRole methods.
The integrationName parameter is now available for the disableAmazonEC2Integration method.
The licensedServices parameter is now also returned by the getLicenseInfo method for companies using yearly licenses.
The possible values of the maxResults parameter have changed for the findCompaniesByName method.
Reports
A new option is available when creating a Monthly License Usage report: Only new customer companies. Enabling this option allows you to display monthly usage reports only for companies created between two specific dates.
Advanced Anti-Exploit
Added Google Chrome to the Predefined Windows Applications list that you can find in the Antimalware > Advanced Anti-Exploit policy settings. Now you have the flexibility to customize browser protection based on your preferences.
Control Center
Customers with CSPM+ licenses will now have an improved experience when accessing the Control Center landing page. The page will feature user-friendly content that simplifies basic tasks and provides access to the latest news from Bitdefender.
Product Trials
Companies using GravityZone Small Business Security can now enroll in Product Trials and explore new features and products.
Policies
The settings in the Risk Management section have been changed: scheduled scans can now be set to run only daily or weekly.
XDR
The Node Details panel was improved and now includes:
MAC information for the following nodes:
Endpoint
Server
IP
If Endpoint or Server nodes have multiple IPs, the MAC information may contain multiple values.
One or multiple IP addresses for the following nodes:
Domain nodes
Endpoint
Server
One or multiple domain names for the IP node.
The Advanced search panel now includes a new field: network.domain_name. You can use this field in your search query.
Removed features
Policies
The Update Linux EDR modules using product update option has been removed from the General > Update page in the policy settings.
Resolved issues
Threats Xplorer
Fixed an issue that caused inconsistencies between detection events reported in Threats Xplorer and information displayed in HyperDetect Activity report.
Antimalware
Sometimes, endpoints under Active Directory integrations could not be used as network scanners for on-demand tasks.
Reports
Fixed an issue that was affecting the EC2 Monthly Usage report. Data was being returned for the month previous to the one requested in the report.
MSP
Fixed an issue where disabling EDR for own use on a partner company would incorrectly disable the Live Search feature for all their customers.
Network
Scanned streams summary in the Scan Logs tab of endpoint details had some information duplicated.
GravityZone platform
Security fixes.
Known issues
GravityZone platform
Remotely submitting logs using the Troubleshooting tab to Bitdefender Cloud fails for endpoints that communicate with the GravityZone console using a Relay. This issue affects only the new GravityZone Cloud instance introduced with this release.
Setting up a Security Server requires you to manually configure the communication server address using the option GZ Cloud Custom Address. This issue affects only the new GravityZone Cloud instance introduced with this release.
January 2024 (Version 6.47.0-1)
Early Access
Health Dashboard
The feedback form is now enriched with more details to streamline the way you share your thoughts with us. Your insights, suggestions, and experiences with Health Dashboard play an important role in helping us enhance and refine the feature.
GravityZone Cloud Security
The Asset Inventory page is now available in the GravityZone Cloud Security console.
You can use the feature to access an overview of your inventory list across your cloud resources, different cloud providers and accounts that you have onboarded.
The page consists of two sections:
Resources - provides an overview of all existing resources detected across all your integrated cloud accounts.
Identities - provides an overview of different identity types.
API Integration is now available for GravityZone Cloud Security. You can set up the new feature from the Integrations page in the GravityZone Cloud Security console.
A new remediation option is now available for supported findings detected on AWS cloud resources. This is available in the Posture Management > Rules page: One-click Remediate. The option is represented by a new icon in the rules table.
To allow GravityZone Cloud Security to make changes to your selected AWS cloud account, an additional setup is required for this capability.
Improvements
Quarantine
GravityZone introduces a new capability that enables you to remotely download quarantined files directly from Quarantine. The new functionality is available in Quarantine > Computers and Virtual Machines.
To get the file of interest, you need to first retrieve it from the endpoint using the new Retrieve button. Once the file is retrieved, you can proceed to download it as a password-protected archive using the Download option.
The new functionality is available for all license and company types and for endpoints with Windows operating systems.
You require Manage Networks and Manage Company rights to use the feature.
Child companies can allow their direct partner to retrieve and download files by enabling the option Your Bitdefender partner can download your quarantined files from the My company section. The Partner download permission changed notification is sent whenever this option is enabled or disabled.
The retrieved file is available for download within 24 hours after which it is automatically deleted and requires a new retrieve action.
The File size column was added to provide details about the size of the quarantined files.
Assignment rules
New descriptions are available for locations and exclusions when defining negative conditions for location rules.
GravityZone platform
Bitdefender now enforces the use of the HTTPS protocol in GravityZone for Bitdefender Endpoint Security Tools updates to enhance security. For more information, refer to this article.
New values are now available for the Field of activity option when creating or editing a company.
Resolved issues
Threats Xplorer
The detections calendar failed to display weekdays in the proper order after changing the language from the My account section.
Health Dashboard
Fixed an issue that caused inconsistencies in the count of unmanaged endpoints between Health Dashboard and the Network Protection Status report.
XDR / EDR
Fixed an issue that caused inconsistencies between the number of open incidents shown in the EDR - Incidents Status portlet and the Incidents view.
Tasks
In some cases, expired Reconfigure agent tasks ran on endpoints after they came back online.
Network
In some cases, users were unable to view scan logs from the Network inventory > Endpoint details > Scan Logs tab.
Risk Management
Fixed an issue causing incorrect search results to be returned in the name filter in the Risk Management > Security Risks > Misconfigurations page.
December 2023 (Version 6.46.0-1)
Early Access
Health Dashboard
Security Server status is now enriched with new information and a structure that improves readability. The widget includes the total number of Security Servers in your company and a new category for underloaded Security Servers.
The new structure emphasizes three main categories: Total, Underloaded, Overloaded.
Endpoint update status is now available as two separate widgets to enhance flexibility and ease of use:
Product update status
Security content update status
The Endpoint patch management widget now includes the total number of endpoints that have the Patch Management module installed.
Improvements
Sandbox Analyzer
The Sandbox Analyzer page now displays more specific messages for failed detonations.
Product Trials
You can now access even more products through the Product Trials feature:
Advanced Threat Intelligence
Managed Detection & Response
Cloud Security Posture Management
XDR
XDR
The name of the sensor is now displayed in the title setup window during integration.
Incidents
For a better visualization, you can now expand the following panels further:
Node details panel
Alert details panel opened from a node
Alert details panel opened from the Alerts/Events section
Network
There is now consistent behavior between the delete button and the drag-and-drop action within the deleted folder.
Any endpoint that is moved to the deletion folder, either through the delete button or drag-and-drop, will be uninstalled immediately via the uninstall task or later when it reconnects online and communicates. For more details, visit the Deleting endpoints page.
Resolved issues
Network
The sorting settings in Network did not accurately reflect the specified sorting settings for the Last Seen filter.
GravityZone platform
Security fixes.
December 2023 (Version 6.45.0-1)
Improvements
GravityZone platform
Implemented internal optimizations for enhanced performance and stability of GravityZone.
November 2023 (Version 6.45.0-1)
Early Access
GravityZone Cloud Security
Early Access enrollment is now available for GravityZone Cloud Security.
With this feature, you can quickly onboard your cloud inventory, identify risky misconfigurations, and report on your adherence to renowned compliance frameworks.
Health Dashboard
You can now enroll your company in the Early Access program and use Health Dashboard regardless of the number of seats covered by your license.
You can now access and use Health Dashboard without any restrictions based on the network groups assigned to your account. You need to have visibility over at least one endpoint in your company.
New features
Unified Incidents
The Incidents page is improved with multiple new features including a new grid that unifies the Extended Incidents, Endpoint Incidents, and Detected Threats tabs. It offers an improved overall user experience and the possibility to create customized views based on your needs.
This feature correlates host-based EDR incidents with broader attacks detected by XDR, bringing both types of incidents in one place: the Incidents grid.
The new unified grid combines Endpoint and Company incidents in a single view, correlating EDR and XDR child incidents under a parent incident that contains the complete description of an attack. Correlated incidents are displayed in their own column in the grid, in line with the parent incident. They are not listed as separate entries in the grid.
The release comes with a more flexible and improved Smart View, along with new filters and options that allow you to create customized views based on your needs.
Improvements
Unified Incidents
Incidents generated by the EDR or Prevention Modules now display the name of the endpoint in the Entities column.
You can now click on the number of alerts in the Incident details panel to display the Alerts tab.
The new Smart views filtering feature allows you to customize the information that is displayed by the feature, including switching between Organizational and Endpoint incidents Smart views.
You can now use the Change Status button from the top of the Incidents grid to change the status of multiple incidents.
You can now perform bulk actions on all incident types.
New columns and filters are available in the Incidents page:
Entities: it indicates the number and types of incidents involved in an event.
Resources: it allows users to see and filter for resources involved in Organization incidents.
XDR
You can now suspend a user account from an integrated Google Workspace tenant.
You can now delete an email resource from a Google Workspace tenant user mailbox.
The Sensor Setup page now displays what license each type of sensor requires.
Changed the requirements for Azure AD sensor integration: You now require User Administrator and Global Administrator roles for your O365 application.
You can now save up to 50 queries in the Advanced search panel.
Patch Management for Mac
GravityZone extends support for Patch Management to macOS endpoints. Using the same settings in Control Center as for Windows and Linux, you can now keep macOS applications and the operating system up to date in a simple, efficient and unified manner.
Some highlights:
GravityZone sections such as Dashboard, Installation Packages, Network, Tasks, Patch Inventory, Maintenance Windows, and User Activity have been updated to support Patch Management for Mac.
When configuring a maintenance window, macOS applications are displayed separately from the Windows and Linux versions in the Vendors and Products section.
Reports such as Network Patch Status and Network Protection Status and notifications such as Missing patch issue now include information related to Patch Management on macOS endpoints.
Patch Management for Mac is available with existing GravityZone keys and it is licensed per managed endpoint, the same as for Windows and Linux.
This feature is available for macOS Big Sur (11.0) and later and requires Full Disk Access for the Bitdefender agent on endpoints.
To use Patch Management on macOS endpoints, you must reconfigure the security agent installed on them.
Note
GravityZone applies operating system patches only for minor versions, for example from version 13.5 (Ventura) to 13.6 (Ventura), but not from 13.9 (Ventura) to 14.0 (Sonoma).
Executive Summary
The Executive Summary report now includes the custom logo image that you have selected for your company. For the default company settings, the report reflects the general Bitdefender GravityZone logo.
Exchange Protection
There are now two methods of restoring emails from Quarantine:
Release as attachment: the email is sent using a notification email as an attachment to a custom list of mailboxes. Files attached to the original email are not included.
Note
This is the option previously called Restore.
Release to intended recipient: releases the email to reach its intended recipient's mailbox, along with all attached files.
The following secondary actions are now available when configuring Content filtering rules in GravityZone policies:
Notify recipients: Send a notification to the intended recipients when an action is taken on an email. Emails are only sent to mailboxes that belong to a domain accepted by the company email server.
Notify the sender: Send a notification to the sender when an action is taken on an email. Emails are only sent to mailboxes that belong to a domain accepted by the company email server.
Notify users: Send notifications to the specified mailboxes when an action is taken on an email.
Firewall
Firewall is now available for Windows Servers. This update focuses on simplifying rule management, ensuring essential network traffic, and providing more flexibility.
Users can now edit and delete all existing predefined rules in the policy.
The Firewall can be enabled on the Windows Server operating systems by performing the Reconfigure Task. The activation of the Firewall module is not automatic, even if Firewall is enabled in the policy.
Before enabling the module on their systems, it is important for users to assess and design their Firewall rules for servers. This is necessary to avoid potential service disruptions caused by the configuration of the ruleset, which may block traffic.
The Firewall icon from Installation Packages was updated, and now includes both Windows servers and workstations.
To find the supported Windows Server operating systems, refer to this KB article.
Antimalware
All on-demand scan tasks now include the setting Preserve last access time. Using this new option you can control whether to preserve the last access time for a file during a scan or to allow the scanning process to modify the timestamp of that file. The option is available in the Options tab of each type of scan task, under Settings > Miscellaneous, and is enabled by default.
Network protection
Multiple schedules are now available in Configuration Profiles > Web Access Control Scheduler. This allows users to have more flexibility in setting up different time windows for Web Access Control. The Web rules list found in Content Control > Web Access Control Settings > Web Categories Filter has been moved under Policies > Configuration Profiles > Web Access Control Scheduler > Category Scheduler.
Users can now create new schedules with multiple time window settings and assign categories to each schedule. The categories will be removed from the policy and the new schedule will be mapped to a policy.
You can now exclude financial domains from scanning via Network Protection > General > Network Protection > Intercept Encrypted Traffic > Exclude financial domains.
Network
In the Endpoint details page, the Content Control module now consists of three separate modules: Content Control, Web Traffic Scan, and Antiphishing.
Public API
Network API
A new method is now available: getTaskStatus. You can use it to retrieve information about the status of a given task.
Accounts API
The manageInventory, managePoliciesRead, and managePoliciesWrite attributes are now available for the rights parameter. The attributes are available for requests made using the createAccount and updateAccount methods and are returned by requests made with the getAccountsList method.
Maintenance Windows API
The os attribute is now available under vendorProductsPairs for the specificVendorAndProduct parameter. You can use it to specify the operating system the vendor-products pair is compatible with. The attribute is available for requests made using the createPatchManagementMaintenanceWindow and updatePatchManagementMaintenanceWindow methods and is returned by requests made with the getMaintenanceWindowDetails method.
Quarantine API
A new method is now available: createReleaseQuarantineExchangeItemTask. You can use it to release items from the quarantine to their intended recipients.
Accounts
Password reset links now expire after 24 hours. If the time has passed, you have to repeat the password reset request.
The Manage Networks right for GravityZone user accounts has been replaced by the following options:
Manage Networks. Create and download installation packages; install security agents; manage tasks and quarantined files. You can choose between two levels of customization:
View and Analyze Data
Advanced Investigation
Manage Endpoint Settings. View or manage policies, configuration profiles, assignment rules and any other endpoint setting from other GravityZone areas. You can choose between two levels of customization:
Read only
Read and Write
Resolved issues
Health Dashboard
In some cases, the Endpoint issues widget classified and displayed macOS endpoints without major issues as critical.
Installation Packages
In some cases, installation packages created by a partner included all Security Servers from its managed companies.
GravityZone platform
Fixed an issue causing Email Security monthly usage to be registered for suspended companies.
Security fixes.
November 2023 (Version 6.44.1-1)
Improvements
GravityZone platform
Implemented internal optimizations for enhanced performance and stability of GravityZone.
October 2023 (Version 6.44.1-1)
Early Access
Health Dashboard
Health Dashboard is a brand-new feature designed to provide a comprehensive overview of endpoint issues and status within your network. Different widgets offer important insights into the health and performance of endpoints and highlight critical concerns that require your attention.
You can monitor your network's health with the intuitive visuals and customizable features that Health Dashboard provides in this unified view. Using the endpoint tags filter enables you to focus on data that is most relevant to your organization. You can add, remove, resize, or move widgets according to your needs and create smart views to ensure that essential information is readily available in a single view.
Health Dashboard includes details about:
Managed, active, unmanaged, or offline endpoints
Endpoint types in your network inventory
Endpoints update status
Endpoints issues
Endpoints policy status
Modules coverage on your endpoints
Licensing information for your company
Endpoints encryption status
Patch status on your endpoints
Permission issues present on macOS endpoints
Security Server status
Unified Incidents
You can now copy the incident link directly from the Incidents grid by hovering over a grid entry or selecting one, and clicking the Copy to clipboard button. You can copy the links of the correlated incidents from the Incident info panel.
Improvements
Executive Summary
You can now install security agents directly from Executive Summary. The new options, Install now and Send download links, provide the flexibility to either use the small-size downloader or send an installation package link to multiple users.
Product Trials
The Product Trials feature is now available for all companies that own one of these yearly licenses:
GravityZone Business Security
GravityZone Advanced Business Security
GravityZone Business Security Premium
GravityZone Business Security Enterprise
GravityZone Security for Workstations
GravityZone Security for Servers
You can now access even more products through the Product Trials feature:
MDR
Bitdefender is launching three new MDR products:
MDR Foundations
MDR Enterprise
MDR Premium
The Response flavor is no longer available for the Managed Detection and Response service. The remaining flavor, Foundations, is now the default option. As a result, the service is now called Managed Detection and Response Foundations.
Note
This change only affects companies with monthly subscription licenses.
Container Protection
You can now delete containers from the GravityZone inventory if their host has been offline for more than 24 hours.
Resolved issues
Public API
The following parameters are now returned by API events of the Antimalware type: cleaned, blocked, deleted, quarantined, ignored, and present. The parameters record how many detections originated from the same file or process in the course of a minute.
September 2023 (Version 6.43.1-2)
Improvements
GravityZone platform
Applied new technology optimizations to improve platform performance.
September 2023 (Version 6.43.1-1)
Improvements
GravityZone platform
Implemented internal optimizations for enhanced performance and stability of GravityZone.
September 2023 (Version 6.43.0-1)
Early Access
YARA detection rules
YARA rules are queries you can use to scan endpoints for patterns of malicious behavior. Use the YARA detection rules feature to generate custom alerts and security incidents based on the results of these scans.
This feature is available for Windows and Linux endpoints with the following BEST versions:
Windows: 7.9.5.318 or newer
Linux: 7.0.3.2248 or newer
To create YARA rules, go to Incidents > Custom detection rules, click the Add rule button, and then click YARA. Follow the on-screen instructions.
After you create a YARA detection rule, you cannot convert it into another type of detection rule.
From the Custom detection rules grid, you can enable or disable YARA detection rules, or start on-demand scans by clicking the vertical ellipsis button and then selecting the Scan option.
Clicking a YARA detection rule from the Custom detection rules grid brings up the YARA details panel. From this panel, you can switch to the Search and Incidents sections to view the alerts and incidents generated by the rule.
Unified Incidents
The Parameter filter is now available in the Incidents section. It contains a series of criteria you can use to further filter your grid results and create highly customized smart views.
Improvements
EDR
The Incidents > Custom Rules section has been divided into two sections: Custom detection rules and Custom exclusion rules.
The grids and rule configuration pages have a new design.
Rule settings now include targets. You can now decide whether to apply the rule to the entire company or to specific groups by endpoint tags.
Clicking a grid entry brings up the details panel of the rule. It contains information about the rule, options for navigating rules and for editing the current rule. For custom detection rules, you can use the View alerts and View incidents buttons to switch to the Search and Incidents sections.
In the Incidents > Search section, you can now look up both custom detection rules and custom exclusion rules by using the other.rule_id field in your search query. You can still use the other.exclusion_id field to identify existing alerts for the next 90 days, after which the field will be deprecated.
The Custom detection rules and the Custom exclusion rules sections are now available to Partners even if they do not have an active EDR license on their account.
Partners can now control rules for their managed companies and can use the Company filter in the grid to view the rules created for each company. Customers can also view the rules Partners have applied on their company.
When switching to a new Partner, all custom rules created by the former Partner are disabled. The new Partner will not be able to view the rules applied by the former Partner.
GravityZone platform
Companies switching from a trial license to a monthly subscription will automatically have the Email redaction setting disabled.
New BEST for Linux installation packages are now available for systems with ARM architecture (AArch64).
Minor UI changes to the Add company and Edit company windows, including a different order for the Add-ons displayed in the Licensing tab.
Public API
New limitations are in place to the number of API requests allowed per second. For more information, refer to this kb article.
Resolved issues
Threats Xplorer
In certain instances, when navigating from an Executive Summary widget to Threats Xplorer, the corresponding data did not load successfully.
Reports
Fixed an issue that was affecting the Endpoint Encryption Status report, where endpoints were missing even if they had the encryption module installed and active.
Fixed an issue that was preventing the On-demand Scanning report from correctly opening scan logs.
Notifications
On the Notification Settings page, a single icon for sending options was visible, despite all options being enabled. The issue occurred when the browser window was horizontally resized to a smaller scale.
GravityZone platform
Fixed an issue preventing virtual endpoints from NSX environments from taking up a license seat. The issue occurred for companies with a GravityZone Security for Virtual Env per CPU license.
August 2023 (Version 6.42.0-1)
Early Access
Product Trials
You can now access even more products through the Product Trials feature:
New features
Process Introspection
Process Introspection addresses various types of attacks such as exploits, injections, and evasion. The feature performs an in-depth analysis of the process state when a child process is created, examining potential indicators of compromise. The analysis offers an overview of detected parent processes and the child processes they have spawned. You can find the feature in the policy, under Advanced Anti-Exploit > System Wide Detections.
Small Business Security
Bitdefender is launching a new product: Bitdefender Small Business Security. This product is available for online purchase only on the Bitdefender website.
Improvements
GravityZone platform
The Help & Support page has been redesigned and restructured. The page now provides an improved overall user experience.
Companies using the Bitdefender MDR service can no longer disable the Your Bitdefender partner can assist you with security management setting.
Partners can no longer disable the The company's Partner can assist with the security management setting for managed companies that use the Bitdefender MDR service.
You can only enable the Bitdefender MDR service for companies (either for own use, or resell) that have the Your Bitdefender partner can assist you with security management setting enabled.
XDR
The Remote Shell feature now supports file upload and download options on Linux endpoints, starting with BEST version 7.0.3.2217.
New Resource types have been added to the XDR Incidents feature.
The Reader role is required for the XDR sensor integration with Azure Cloud. For more information on how to adjust your sensor configuration, refer to Azure Cloud sensor prerequisites.
Configuration Profiles
A new exclusion type is now available in Configuration Profiles. You can use the new option Command line with regex to efficiently define exclusions using regular expressions. By leveraging the power of regular expressions, intricate exclusion patterns can be easily constructed, providing greater control and customization.
Public API
API keys are visible only at the time of creation. This now also includes the ones created prior to March 2023. Make sure you save all API keys in a safe location and do not share them with anyone.
Licensing API
The getMonthlyUsage and getMonthlyUsagePerProductType methods now return the aLaCarteMonthlyUsage, mspSecureMonthlyUsage, mspSecurePlusMonthlyUsage, and mspSecureExtraMonthlyUsage attributes.
The getLicenseInfo method now returns the assignedProtectionModel and additionalProtectionModels attributes.
The getLicenseInfo and getNetworkInventoryItems methods now return the manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings under the ownuse attribute.
The getLicenseInfo and getNetworkInventoryItems methods now return the manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings under the resell attribute.
The assignedProtectionModel and additionalProtectionModels parameters are now available for the setMonthlySubscription method.
Network API
The getNetworkInventoryItems method now returns the assignedProtectionModel and additionalProtectionModels attributes under the 1 (company) item type.
The getNetworkInventoryItems method now returns the manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings under the ownuse attribute.
The getNetworkInventoryItems method now returns the manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings under the resell attribute.
The options parameter is now available for the getManagedEndpointDetails method, along with the includeScanLogs option.
The includeScanLogs option is now available for the options parameter for the getEndpointsList method.
The includeScanLogs option is now available for the options parameter for the getManagedEndpointDetails method.
The includeScanLogs setting is now available for the endpoints option under the options parameter for the getNetworkInventoryItems method.
Companies API
The assignedProtectionModel and additionalProtectionModels parameters are now available for the createCompany method.
The email attribute is now mandatory when including the contactPerson parameter in createCompany and updateCompanyDetails method requests.
If any field under the contactPerson attribute is populated, all fields under the attribute (fullName, email, phoneNumber, companyRole) will be returned by the getCompanyDetails method, regardless of whether they have a value assigned or not.
The manageEventCorrelator, manageSandboxAnalyzer, and manageHyperDetect settings are now available under the ownuse parameter for the createCompany and setMonthlySubscription methods.
The manageEventCorrelatorResell, manageSandboxAnalyzerResell, and manageHyperDetectResell settings are now available under the resell parameter for the createCompany and setMonthlySubscription methods.
ERA
The Endpoint Risk Analytics feature now has set limits for the number of vulnerabilities it displays: top 100 vulnerabilities per application, and top 500 vulnerabilities per endpoint. The vulnerabilities are ranked by severity. After resolving existing vulnerabilities, you can run a Risk Scan task to discover and display more.
Network Protection
The toggle used for reverting to the previous version of the Installation Packages was removed.
The Reconfigure client task has undergone a redesign and has a new name: Reconfigure agent. It allows for the customization of settings that were initially configured during the installation of the endpoint protection solution.
A new Show all modules option has been added to the Remove menu and allows Admins/Partners to view all modules, regardless of license restrictions. The new option enables them to remove modules that were previously installed but are no longer usable/visible due to license changes or downgrades. This only applies to the Remove option in Reconfigure agent task.
The Scan mode option in Match list becomes available only when the selected endpoints belong to the same company and the Detection and prevention operation mode is chosen. If endpoints from different companies are selected, the Scan Mode section will not be visible.
Reports
You can now filter companies by License Type in MDR Service Status reports.
Resolved issues
XDR
Fixed an issue that was causing the notifications for Sensor integration status to have misaligned text in the body of the email.
GravityZone platform
Deleted virtual machines no longer appear as licensed.
Resolved an issue causing the license usage of a company to remain the same after an endpoint had been moved to another company.
Public API
Users that do not have the Manage Companies right enabled now properly receive an error when attempting to use any method included in Accounts API.
June 2023 (Version 6.41.0-1)
Improvements
XDR
GravityZone eXtended Detection and Response now supports events from Google Cloud Platform through a new sensor integration. The new sensor collects and processes audit information related to Google Cloud resources. The sensor can be configured through the Sensors Management.
A new notification type has been implemented: Sensor integration status. This notification informs you when the status of a sensor integration changes.
Public API
Licensing API
The manageContainerProtection and manageContainerProtectionResell settings have been added to the ownUse and resell parameters for the setMonthlySubscription method.
Company API
The manageContainerProtection and manageContainerProtectionResell settings have been added to the ownUse and resell parameters for the createCompany method.
Network API
The getNetworkInventoryItems method now returns the manageContainerProtection option under the ownUse object and the manageContainerProtectionResell option under the resell object.
Packages API
You can now use the userControl, antiphishing, and trafficScan settings instead of contentControl under the modules parameter when using the createPackage method. This modification mirrors the changes done to the GravityZone installation packages.
The getPackageDetails method now returns the userControl, antiphishing, and trafficScan parameters.
Notifications
The default interval after which notifications are automatically deleted is now 7 days. This change applies to both existing and newly created accounts. To customize the interval according to your needs, refer to Configuring notification settings.
Accounts
Starting with this update, users who have not logged in to the GravityZone console at least once will no longer receive the majority of notifications. This applies to both existing and newly created accounts.
Policies
The Automatic Network Discovery option can now be enabled in the policy under Relay > Communication > Automatic Discovery of new endpoints.
Enabling the option will prompt the Relays to execute the Network Discovery task every 4 hours.
New customers have the option disabled by default, while the option remains enabled for any existing custom policies.
Network
The Antiphishing and Traffic Scan features are now available as separate options under the Network Protection module when creating an installation package.
Renamed Network Protection > Web Protection > Traffic Scan to Web Traffic Scan in both GravityZone new and existing packages.
Tasks
On the Tasks page, the new default value for the Company filter is All recursively, while for Start period it is Last 7 days.
Resolved issues
XDR
Fixed an issue that was causing the deployed Network sensors to be counted as unlicensed endpoints, even though the necessary licenses were active on the company.
Antimalware
Load Balancing options were not saved in the policy when configuring the Redundancy mode for the Security Server.
Reports
In some cases, attached CSV files were not correctly included in certain reports sent via email. The issue is now fixed.
Threats Xplorer
The company selector in Threats Xplorer now accurately displays all companies using the Bitdefender EDR product.
May 2023 (Version 6.40.0-1)
New features
Mobile Security
Bitdefender GravityZone Security for Mobile is a mobile security solution that protects mobile devices running Android or iOS against multiple threat vectors. It is designed to protect an employee’s corporate-owned or BYOD device from advanced persistent threats without sacrificing privacy or personal data.
GravityZone Security for Mobile provides the following:
Protection of corporate-owned or BYOD devices from advanced persistent threats, which includes implementing endpoint protection software, keeping software and firmware up to date, implementing network segmentation, and using multi-factor authentication.
The necessary risk intelligence and forensic data.
Detection across all four threat categories — device compromises, network attacks, phishing attempts and malicious apps.
Visibility for the Incident Response teams into mobile threats and risks through integrations with leading UEM, SIEM, SOAR, and XDR systems.
Application vetting to detect malicious apps (Android and iOS) and out of compliance application detection.
Network Protection by detecting network-borne threats, recon attempts, weak security connections, and MiTM attacks.
Device Protection by detecting OS vulnerabilities as well as vulnerable devices that cannot be updated, and missing encryption, jailbreak/root, system tampering.
Improvements
XDR
You can now remotely upload and download files using the Remote Shell feature. The Upload and Download options are available after you begin a remote shell session.
The files are encrypted throughout the upload and download processes.
You can upload no more than 20 files at a time.
You can view and cancel file downloads by accessing the Network inventory > endpoint details > Investigation tab. You can also retrieve the downloaded files from this section.
If you want to be notified when the files are uploaded or downloaded, configure the New Investigation Files Activity notification type.
Network Protection
The Web rules action categories found in Content Control > Web Access Control Settings > Web Categories Filter have been updated with the new Warn action.
The new action type aims to enhance the administrator's comprehension of the report's warnings and blocks.
In the Security Audit Report, the Event Type column was updated to also filter events by Warned Websites, and Warned & Disregarded Websites.
GravityZone platform
A full installation kit is now available for BEST Windows endpoints that use ARM CPUs.
Search behavior in the company filter is now consistent across multiple pages such as Threats Xplorer, Quarantine, Tasks, Accounts, Installation Packages, Executive Summary, and Tags Management.
This is the expected behavior:
After typing a sequence of characters, GravityZone displays all entries starting with those characters.
When using the asterisk (*) as wildcard, GravityZone displays all entries containing that sequence of characters.
Public API
Licensing API
The manageRemoteEnginesScanning and manageRemoteEnginesScanningResell settings have been added to the ownUse and resell parameters for the setMonthlySubscription method.
The manageMobileSecurity parameter is now available for the setMonthlySubscription method.
The getLicenseInfo method now returns the manageRemoteEnginesScanning option under the ownUse object and the manageRemoteEnginesScanningResell option under the resell object.
The getLicenseInfo method now returns the manageMobileSecurity setting.
The getMonthlyUsage and getMonthlyUsagePerProductType methods now return the mobileSecurityMonthlyUsage object.
Company API
The manageRemoteEnginesScanning and manageRemoteEnginesScanningResell settings have been added to the ownUse and resell parameters for the createCompany method.
The manageMobileSecurity setting has been added under licenseSubscription for the createCompany method.
Network API
The getNetworkInventoryItems method now returns the manageRemoteEnginesScanning option under the ownUse object and the manageRemoteEnginesScanningResell option under the resell object.
The getNetworkInventoryItems method now returns the manageMobileSecurity object.
Reports API
A new report type is available under the type parameter for the getReportsList method: 38 - Mobile Security Monthly License Usage.
A new report type is available under the type parameter for the createReport method: 38 - Mobile Security Monthly License Usage.
Network Inventory
Unmanaged endpoints discovered more than 30 days ago will be subject to a removal process in this release.
Unmanaged devices can be discovered by using Relays or on-demand Network Discovery tasks.
Resolved issues
Tasks
Failed tasks displayed the same message, stating that they took more than 48 hours to complete, regardless of the actual failure reason.
GravityZone platform
Security fixes.
April 2023 (Version 6.39.0-1)
Early Access
Product Trials
Product Trials enable you to try out other products directly from the GravityZone console, even if you already have an active license.
Available product trials will be displayed in the Product Trials Hub page, depending on your current license. Enabling a product trial will make new features available to you for a limited period of time. The feature will be released in stages and has limited availability at the moment.
New features
Live Search
Live Search is now available for all GravityZone users that have access to EDR / XDR. With this feature you can search for real time events and system information from the online endpoints in your network, using OSquery, an SQL-compatible query system.
Improvements
Tasks
The Network > Tasks page has a new look and new options for a better user experience. Some highlights:
Filters and search boxes
Expandable and sortable columns
New details panel for sub-tasks.
Tasks in the Network page have now more intuitive and consistent names. For example, Scan has become Malware scan, Install is now Install agent, and Reconfigure client has been renamed to Reconfigure agent.
The new names are also reflected in the Network > Tasks page, under the Task type category.
With this update, the User Activity page displays actions on tasks under the new names. Existing records under old names remain unchanged.
For the complete list of renamed tasks, refer to Changes to task names in GravityZone Cloud Control Center.
When you, as a Partner, assign a task to multiple companies in the Network page, GravityZone creates individual tasks for each company in the Network > Tasks page. In such a case, a sub-task includes only endpoints from one company.
When accessing the Network > Tasks page as a Partner, you view by default all managed companies recursively.
When you, as a Partner, assign a task in the Network page to multiple companies, you can no longer select the parent company, but only its child companies of Customer type.
XDR / EDR
Now you can see the date when a domain controller was last reported to the Active Directory sensor integration. Find the Last reported field in the integration's details panel.
Now you can delete individual domain controllers from an Active Directory sensor integration.
Accounts
The Accounts page has been redesigned and restructured. The page now provides an improved overall user account management experience.
Notifications
You can now choose to receive notifications via email in plain text format. The new option is available for all notification types and you can find it on the Notifications Settings page.
The notifications email subject is now editable. You can customize the subject according to your needs using the new option Set custom email subject when configuring the notification. The option is available for most notification types.
The HyperDetect Activity notification is now enriched with details such as the detection type, user, company, and the command line used.
The Login from New Device notification includes the email address of the account used.
Policies
In the Policies > Assignment Rules page, you can now apply policies via location rules only to targets you manage.
From now on, the Targets section is always active when you configure a rule. If you do not specify targets, GravityZone automatically selects all the available entities when saving the rule.
Old rules with no targets specified will continue to function as before until you manually save them again.
When you access Policies > Assignment Rules as a Partner, you now view your company rules instead of a blank page with no company selected.
Public API
Accounts API
The following Notifications Visibility Options are now available:
setCustomEmailSubject - if true, it changes the default subject used in GravityZone notification emails.
emailSubject - it contains the custom text to be used for GravityZone notification emails if setCustomEmailSubject is set to yes.
Note
These options are only available for specific notification types.
The sendOnlyPlainTextEmail parameter is now available for the configureNotificationsSettings method. Enabling this option sends all notification emails in plain text format.
The getNotificationsSettings method now returns an additional option: sendOnlyPlainTextEmail.
The passwordLifetime and accountLockdown parameters are now available for the getAccountsList method.
Network API
The productOutdated parameter is now available for the getEndpointsList method. The parameter indicates if the endpoint is missing one or more agent updates.
The createScanTask method now returns all task IDs created as a result of the request instead of only the most recent one.
Companies API
The country, state, industry, and contactPerson parameters are now available for the createCompany and updateCompanyDetails methods.
The industry parameter is now available for the getCompanyDetails method.
Patch Management
All Partner companies can now use Patch Management for their managed companies, regardless of their own use licensing settings.
Patch Management features are no longer applicable to companies whose associated license has expired.
Integrity Monitoring
The Integrity Monitoring grid now provides better visibility of the actions within its columns.
Installation Packages
The Network > Packages page has a new design and a new name: Installation Packages.
The Add button has become Create.
All other buttons except Download have been moved under More actions.
The package configuration form also has a new look.
For a limited time, the old design is still accessible via the toggle in the upper right corner of the console.
Network Protection
The Web rules list found in Content Control > Web Access Control Settings > Web Categories Filter has been updated with additional categories. All existing policies are automatically updated to reflect the changes made regarding the updated categories.
Newly added categories:
Astrology
Auto
Food
Kids
Lifestyle
Occult
Pets
Real Estate
Society
Updated categories:
Drugs category was split into the following categories: Alcohol, Tobacco, Pharmacy.
Video Online category was replaced by the Videos category.
Banks category was replaced by the Financial category.
Casual Games, Online Games and Computer Games categories have been merged into the Games category.
GravityZone platform
Raw Events now offers support for Linux. The OS type column in the Raw Events grid indicates which fields are available for Linux endpoints.
The Gather logs feature from Network > endpoint details > Troubleshooting tab has been enhanced. You can now select between three new types of logs:
Product general issues
Malware infection
Malware infection (no cloud services)
The eXtended Detection and Response sensor integration licensing options have been renamed:
Identity providers (includes Active Directory, Azure AD, and Microsoft Intune)
Productivity apps (includes Microsoft Office 365 and Google Workspace)
Network (includes Network sensor)
Cloud workloads (includes AWS, Azure Cloud, and GCP)
Exchange protection
Policy changes to content filtering rules now properly save when adding lookaround assertions in the rule settings. The issue occurred for rules containing body content filters of expression type.
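The following is an added illustration of what an expression-type body content filter with lookaround assertions looks like; the rule names, expressions and sample message bodies are constructed for this example and are not GravityZone's own rule format or code.

```python
import re

# Constructed example rules for an expression-type body content filter.
# Each uses a lookaround assertion so the match depends on surrounding text
# without that text becoming part of the match itself.
RULES = {
    # Flag the word "confidential" unless it is preceded by "non-" (negative lookbehind).
    "confidential-marker": r"(?<!non-)\bconfidential\b",
    # Flag a 16-digit card-like number only when an MM/YY expiry date appears
    # later in the body (positive lookahead); a bare number alone does not match.
    "card-with-expiry": r"\b\d{4}(?:[ -]?\d{4}){3}\b(?=.*\b(?:0[1-9]|1[0-2])/\d{2}\b)",
}


def matching_rules(body: str) -> list[str]:
    """Return the names of the rules whose expression matches the message body.

    IGNORECASE mirrors the usual case-insensitive handling of filter keywords;
    DOTALL lets the lookahead scan across line breaks in a multi-line body.
    """
    return [
        name
        for name, expr in RULES.items()
        if re.search(expr, body, flags=re.IGNORECASE | re.DOTALL)
    ]


if __name__ == "__main__":
    # Constructed sample bodies exercising both the positive and negative cases.
    for sample in (
        "This document is CONFIDENTIAL.",
        "These are non-confidential notes.",
        "Card 4111 1111 1111 1111\nexpiry 12/27",
        "Reference 4111 1111 1111 1111 with no date",
    ):
        print(repr(sample), "->", matching_rules(sample))
```

The second rule shows why lookaround matters for content filtering: the expiry date is a condition on the match, not part of it, so the same expression can be reused wherever the card number appears relative to the date.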
Resolved issues
Policies
Exclusions configured in Configuration Profiles did not propagate to inherited policies.
XDR / EDR
Fixed an issue that was preventing the Incident history tab from displaying the analyst's name correctly after changing the incident status.
The other.event_id parameter in the Incidents > Search feature of XDR now returns results when using wildcards.
Tasks
In some cases, users could not delete finished tasks created by accounts no longer active.
Reports
Fixed an issue that caused timezone inconsistencies in the Security Audit Report chart.
Troubleshooting
Fixed an issue that prevented gathering logs from GravityZone using a network share for Linux and macOS endpoints.
GravityZone platform
User Activity logs for API key creation are now visible to all users with the necessary rights.
Selecting the Download > Security container action in the Packages page no longer causes the Download Security Container window to freeze while loading.
Security fixes.
Public API
Partners can now properly use the createRemoveQuarantineItemTask method to remove an item from quarantine for a client company. Previously, the request would return an "Invalid params / At least one specified target is invalid." message.
March 2023 (Version 6.38.1-2)
Resolved issues
GravityZone platform
Fixed compatibility issues between the Active Directory and Security for AWS integrations. Starting with this release, Active Directory is going to be prioritized (for inventory, policy assignments, license flow, etc.).
Users who log in with SAML single sign-on can now access the Investigation Package options without any additional steps.
XDR / EDR
In certain situations, incidents could not be deleted from the Incidents grid when they went past their retention period, resulting in incidents with no details. The issue is now fixed.
Integrity Monitoring
Integrity Monitoring did not display some events for Linux endpoints. The issue is now fixed.
March 2023 (Version 6.38.0-0)
Early Access
Live Search
You can now filter endpoints by their GravityZone tags by using the Tags filter.
The Reset filters button is now available in the Live Search page.
You can inspect the database schema and search for available tables and fields using the new side panel.
Improved the Metadata window:
you can now filter endpoints based on Status and Sent rows
a new button is available that allows you to assign tags to endpoints
Multiple graphical elements have been modified to offer a better user experience.
Improvements
Endpoint tags
This update brings several new options, support for tags management on child companies, and introduces the feature to the GravityZone Cloud Security for MSP users.
In the Network page, you can now create custom tags directly in the Assign custom tags window.
In the Unassign custom tags window, you can remove all custom tags from endpoints at once.
As a Partner, you can control endpoint tags on child companies by using new company columns, filters and selectors in the Network and Tags Management pages.
Each tag in the Tags Management page now includes an inline menu to delete it or to easily create copies and apply them in your company or other companies.
You can review actions taken on tags in each company in the User Activity page.
Non-MSP Partners can now manage endpoint tags on child companies that use a compatible GravityZone product, regardless of their own license. However, Partners need a compatible license to manage tags in their own companies.
For existing GravityZone products that support endpoint tags, refer to the list included in GravityZone November 2022 (version 6.34.0-1) release notes.
For the first time, endpoint tags are available to GravityZone Cloud Security for MSP users, for both Endpoint Security and Bitdefender EDR product types.
MSP Partners have access to tags in their own companies with either a license key or monthly subscription. They can also manage tags on child companies provided those companies meet the licensing conditions.
To manage endpoint tags, Customer companies need a compatible license key or, if they use monthly subscription, they also must have the Advanced Threat Security add-on, with at least one of its components (HyperDetect or Sandbox Analyzer) active.
Note
As a Partner, when you go to the Network page after this update, you will see by default your own company tags. To view endpoint tags for a child company, make sure the Company column is enabled and use its filter to select the company you are interested in. Once the child company has been selected, the Tag filter loads all its tags.
Public API
API keys are now visible only at the time of creation. Make sure you save all API keys in a safe location and do not share them with anyone.
Note
Keys generated prior to the release are still visible from the edit window.
The productOutdated field has been moved under the Details member for getNetworkInventoryItems API responses.
Quarantine
The Company filter now has two new entries: All directly managed and All recursively. You can use them to view quarantined files from all the companies you directly manage or from all companies to which you have access.
The Clear button was renamed to Reset filters and you can use it to readjust filters to their default values.
Exchange Protection
The Send a Copy To secondary action is now available for the Replace file with text, Delete file, and Reject/Delete email actions. The settings can be found in the Policies > Exchange protection > Content Control page, under the Attachment filtering section.
GravityZone platform
Security for Amazon Web Services now supports the following optional regions that can be disabled or enabled from AWS: Cape Town, Hong Kong, Hyderabad, Jakarta, Osaka, Spain, Zurich, United Arab Emirates, Milan.
New event types are now available in Configuration > Raw Events grid. Before enabling them, make sure you first check the Requirements column.
Resolved issues
Integrity Monitoring
Fixed an issue that prevented the directory path validation from working when users added a custom rule.
Fixed an issue that caused Integrity Monitoring to generate empty reports.
Network inventory
Folders indicated issues (red exclamation mark) when endpoints inside them had the Encryption module disabled.
Integrations
Fixed an issue causing the GravityZone integration with Microsoft Azure Sentinel to fail.
eXtended Detection and Response
A partner is now able to delete a pre-existing Network sensor integration for a customer even if the customer has the EDR feature disabled.
GravityZone platform
The GravityZone console displayed a few incorrect translations on French and German interfaces.
February 2023 (Version 6.37.0-2)
Resolved issues
XDR
In certain situations, connecting through Remote Shell using a single sign-on authentication resulted in a connection timeout. The issue is now fixed.
February 2023 (Version 6.37.0-1)
Early Access
Unified Incidents
You can now perform a search from the Incidents grid to view all events and alerts related to an incident. Click the vertical ellipsis button at the right end of the grid entry and then the View events and alerts option. You will be redirected to the Search page, filled with the requested events.
You can now trigger a search from the side panel of entities or resources to view all related events and alerts. Click the vertical ellipsis button and then the View events and alerts option. You will be redirected to the Search page, filled with the requested events.
Live Search
The OS filter is now available for Live Search. You can use it to perform a query for specific endpoints based on their operating system.
Live Search queries will no longer wait for unresponsive endpoints before returning results. This significantly improves query wait time.
The Company filter is now only visible to Partner companies.
When searching for a query, both the name and the syntax are now checked for matches.
Multiple graphical elements have been modified to offer a better user experience.
Improvements
XDR
Information about security risks is now available in the incident Overview > Summary > Root cause section. The text includes links to Endpoint Risk Analytics (ERA), where you can view further details.
The incidents Search function has two new fields, which you can use in queries: email.sender_address and email.sender_name. The field email.sender, which currently contains the same information, will be deprecated in 90 days.
Remote Shell now supports single sign-on authentication. Once single sign-on is configured, you will be redirected to your company's login page whenever you start a remote shell session.
GravityZone platform
Improved the communication mechanism between the GravityZone console and endpoints in network-restricted environments. This change requires a firewall rule to be created. The rule should whitelist a new set of web addresses that are used to verify the server certificate revocation and enhance security. For more information, refer to GravityZone (cloud) communication ports.
The Partner Changed notification now clearly indicates if a client company has joined or left your management.
Policies
You now receive an explanatory message every time you cannot save a policy due to invalid data in the Sandbox Analyzer > Endpoint Sensor and Integrity Monitoring > Real Time sections.
Public API
Network API
The returnTaskId parameter is now available for the createscantask and createscantaskbymac API methods. The parameter allows you to include the newly created task ID in the API response.
The productOutdated parameter is now available for the getnetworkinventoryitems API method. This parameter allows you to include information about the update status of all the endpoints of a given company in the API response.
Incidents API
The returnRuleId parameter is now available for the createcustomrule API method. The parameter allows you to include the newly created rule ID in the API response.
Push API
A new Event Push API alert is now available: partner-changed. This event triggers when a client company joins or leaves your management.
Resolved issues
Integrity Monitoring
The License Expires notification now includes the name of the Data Retention Add-on that is soon to expire.
XDR
XDR trial users who installed Network sensor will no longer encounter the "Not licensed" error message when switching to a full license.
GravityZone platform
Security Containers and Security Container hosts no longer incorrectly appear in the Network page as having issues.
Security fixes.
January 2023 (Version 6.36.0-1)
Improvements
GravityZone platform
The way Bitdefender partners view incidents from their companies and child companies has changed:
Partners can view their company's incidents and receive incident notifications only if they have manage rights over the company's network.
Partners can view the Custom Rules page of their company only if they have manage rights over the company's network.
Partners can view incidents and receive incident notifications only from the child companies they have access to.
EDR portlets count incidents only from the companies the partners have access to.
Resolved issues
EDR
In some cases, users could not change the incident Status, Assignee or Priority values. The issue has been fixed, but the fix does not apply retroactively.
December 2022 (Version 6.35.0-1)
Early Access
XDR Live Search
The Endpoint name filter is now available for Live Search. You can use it to perform a query on specific endpoints from a company.
Multiple graphical elements have been modified to offer a better user experience.
Actions taken in the Live Search page are now available in the User Activity records.
Improvements
Integrity Monitoring
You can now create rules using different types of special characters.
MITRE IDs have been added for events generated by default rules. They are displayed in the Event details window.
When a data retention add-on expires, events are kept for only 7 days, if the Integrity Monitoring license is still active. Events generated before the data retention add-on expired are still available for the previous retention period.
Performance improvements.
XDR
Where applicable, the Deactivate AWS account response action is now also displayed as a recommended action in the incident Overview tab, in the Action needed section.
Network Protection
You can now enable outbound traffic monitoring for Network Attack Defense over SFTP and SCP/SSH protocols on Linux machines. The new options are available on the Network Protection > General page in the policy settings. In addition, the Scan SSL option has been renamed to Intercept Encrypted Traffic and Scan HTTP has become Scan HTTPS.
Resolved issues
Integrity Monitoring
Fixed an issue that prevented caching mechanisms from working when querying the Bitdefender Global Protective Network to check if a process is trusted.
Fixed an issue that prevented service events from being generated on SUSE Linux Enterprise Server (SLES) systems.
Fixed an issue that prevented the use of the mv command to trigger folder rename events.
Integrations
Fixed a Splunk integration issue that was causing empty "att_ck_id" fields in "new-incident" events.
GravityZone platform
You can now uninstall the Integrity Monitoring, Patch Management, and Full Disk Encryption modules after their corresponding license keys have expired.
Fixed an issue that was preventing partners from enabling the Command-Line Scanner and Antimalware Scan Interface Security Provider features for their customers if Fileless Attack Protection was not licensed in their own company.
Fixed an issue that was causing EDR raw event submission to fail for endpoints configured to use a proxy.
Fixed an issue that was causing endpoints with Patch Management installed to display the module as expired. The issue occurred after replacing the license key for the main product.
November 2022 (Version 6.34.0-1)
Early Access
XDR Live Search
The Company filter is now available for Live Search. As an MSP, you can use it to perform a query on endpoints from a specific company.
Unified Incidents
This feature correlates host-based EDR incidents with broader attacks detected by XDR, bringing both types of incidents in one place: the Incidents grid.
Correlated incidents are displayed in their own column in the grid, in line with the parent incident. They are not listed as separate entries in the grid.
A new notification type is now available, Correlated incident, informing you when an incident assigned to you is correlated with another incident.
New columns are now available:
Actions taken: shows you whether an attack was blocked by other prevention technologies.
Resources and Entities: replace the former Organization impact. For more information, click an entity or a resource to open their specific side panel.
Filters enhancements include multiple select for the Companies option and a new filter for Correlated incidents.
Views offers you the option to save your current filter and column settings for later use. You can also name, rename, delete or add your views to the Favorites category. The default views are All incidents and Assigned to you.
The Incident - Suspicious activity status and Incident - Suspicious activity portlets in Monitoring > Dashboard now reflect both EDR and XDR incidents. The dashboards count the parent incidents. Correlated incidents are not represented in the charts. Severity scores are grouped by: High (75 - 100), Medium (40 - 74) and Low (10 - 39).
New features
Integrity Monitoring
Integrity Monitoring reviews and validates changes made on Windows and Linux endpoints to assess the integrity of multiple entities.
Integrity Monitoring operates based on default rules, provided by Bitdefender, and custom rules. These rules are available in the Policies > Integrity Monitoring Rules page of Control Center.
Based on these rules, Integrity Monitoring takes action when events are generated for files, folders, registry entries, users, services and installed software. These events are displayed on the Reports > Integrity Monitoring Events page of Control Center.
You can also create a portlet, as well as two types of reports based on Integrity Monitoring events:
Integrity Monitoring activity, which displays events from the events page.
Integrity Monitoring configuration changes, which displays Bitdefender Trusted as well as Unapproved events.
Integrity Monitoring also comes with hardcoded restrictors, which automate best practices to reduce alert fatigue and prevent a negative impact on performance.
Integrity Monitoring is available for all standard products, except for GravityZone EDR and Bitdefender FRAT. It is delivered as an add-on for products with a license key, and as a licensing option for monthly subscriptions.
By default, it stores the detected events for 7 days. In addition, it comes with a data retention add-on to store the events for longer. You have three options from which you can choose: 90 days, 180 days and 1 year of data retention.
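To make the mechanism described above concrete, here is an added, self-contained illustration of how an integrity monitor derives file events from a baseline: it records a hash, inode and mode for every file under a monitored root, then compares a later snapshot to classify each difference as created, deleted, modified, attributes changed or renamed. It is constructed for this page and is not Bitdefender's Integrity Monitoring implementation or rule format; the directory tree it scans is a temporary one it creates itself.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed, self-contained illustration of baseline-and-diff file integrity
# monitoring. Not Bitdefender's Integrity Monitoring code or rule format.


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's root-relative POSIX path to (sha256, inode, permission bits)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = (sha256_of(p), st.st_ino, st.st_mode & 0o777)
    return baseline


def diff_baseline(old: dict, new: dict) -> list:
    """Return (event, path, new_path) tuples describing how `new` differs from `old`.

    A file that is absent from `old` but shares the inode and content hash of a
    file that vanished from `old` is reported as a rename rather than as a
    delete plus a create; requiring the hash to match guards against inode
    reuse after an unrelated delete.
    """
    events = []
    renamed_from = set()
    old_by_inode = {v[1]: k for k, v in old.items()}
    for path in sorted(new.keys() - old.keys()):
        prev = old_by_inode.get(new[path][1])
        if prev is not None and prev not in new and old[prev][0] == new[path][0]:
            events.append(("renamed", prev, path))
            renamed_from.add(prev)
        else:
            events.append(("created", path, None))
    for path in sorted(old.keys() - new.keys()):
        if path not in renamed_from:
            events.append(("deleted", path, None))
    for path in sorted(old.keys() & new.keys()):
        if old[path][0] != new[path][0]:
            events.append(("modified", path, None))
        elif old[path][2] != new[path][2]:
            events.append(("attributes", path, None))
    return events


def demo() -> list:
    """Run the monitor over a constructed temp tree and return the derived events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        (root / "etc" / "old.conf").write_text("key=value\n")
        before = build_baseline(root)

        # Constructed changes: one edit, one rename (what `mv` does), one delete, one new file.
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 fileserver\n")
        os.rename(root / "etc" / "old.conf", root / "etc" / "new.conf")
        (root / "etc" / "motd").unlink()
        (root / "etc" / "new-script.sh").write_text("#!/bin/sh\necho hello\n")
        after = build_baseline(root)

        return diff_baseline(before, after)


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The rename branch is the reason a monitor needs a distinct rename event type: without the inode check, an `mv` shows up as an unrelated delete and create, which is exactly the kind of noise the hardcoded restrictors mentioned above exist to suppress.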
GravityZone platform
Raw Events is a new feature that helps you filter which Windows or macOS events GravityZone processes. This feature becomes available in the Configuration tab if you have the following:
GravityZone Business Security Enterprise or Bitdefender EDR license
One of the storage add-on licenses: GravityZone EDR 90 days Data Retention Add-on, GravityZone EDR 180 days Data Retention Add-on, or GravityZone EDR 365 days Data Retention Add-on.
EDR or XDR module enabled
You can only send raw events to one feature at a time: either to a SIEM, to Advanced search, or to Bitdefender MDR.
Endpoint tags
You can now assign security policies to endpoints based on tags, in addition to the existing location and user rules. With this release, you can create, edit, delete, and assign tags manually or automatically. As a partner, you can manage endpoint tags only for your own company.
We updated several areas in GravityZone Control Center to accommodate this feature:
Endpoint tags are configurable in the new Network > Tags Management page.
Tag rules are configurable under the new category Endpoint Tag Rule in the Policies > Assignment Rules page.
The Network page includes a new button to assign and unassign tags to endpoints, and a new column that allows tag filtering.
The Accounts > User Activity page records actions such as create, edit, delete, assign and unassign tags.
Endpoint tags are available with the following GravityZone products:
GravityZone Business Security Premium
GravityZone Business Security Enterprise
GravityZone Security for Workstations
GravityZone Security for Servers
GravityZone EDR
Email Security
Sandbox for Email Security
The feature adds a powerful layer of protection to your users' email accounts, sending attachments in email messages to be analyzed in depth and awaiting results before delivering the message.
Sandbox serves as a safe virtual environment for testing potentially malicious files. A real environment is simulated where threats are triggered and payloads are detonated, in order to analyze their behavior and identify malicious intent.
The technology provides:
Advanced threat protection and zero-day exploit detection.
Machine learning algorithms, behavior analysis, anti-evasion techniques and memory snapshot comparison to detect threats.
The capacity to uncover malicious files, including threats designed for undetectable targeted attacks.
Support for a broad range of file types.
Dynamic analysis to detect and defeat advanced malware.
Microsoft Outlook Add-in for Email Security
This add-in enables users to report messages as spam or phishing attacks directly from their inbox.
If a message is reported, it will be sent to Bitdefender and analyzed. The information gathered will be used to improve detection and the overall effectiveness of the Email Security product.
Improvements
GravityZone platform
Emails sent to new GravityZone users now contain one-time links instead of temporary passwords. Users can use the links to create a new password and log in.
The Incident status portlet in Monitoring > Executive Summary now groups incidents based on whether the attacks were blocked by prevention technologies or not. The new values for this portlet are: Blocked attacks and Requires investigation.
You can now view in the endpoint details in Network when the Patch Management and Full Disk Encryption modules are expired and why.
GravityZone now generates and sends email notifications when the license limit for Patch Management or Full Disk Encryption is about to be reached, has been reached or exceeded.
You can now install the Microsoft Hyper-V Security Server for second generation VM hardware.
You now have visibility over tasks created by other users in the same company. You cannot take actions on them, but you can sort and filter them by username in the new Owner column in the Tasks grid.
Users from child companies can view tasks created by their parent company only for entities within their own companies. They can also view the user from the parent company who has created the task. This scenario applies to both Customer and Partner type companies.
Actions taken on your tasks, such as create, restart and delete, are now visible in the Accounts > User Activity page.
The default period for trusted browsers with two-factor authentication (2FA) has been set to 7 days.
XDR
A new response action is now available in the Incidents Graph and Response tabs: Deactivate AWS account. This action creates and applies a policy that deactivates the AWS user account and deletes the associated access keys.
The Sensors Management feature now provides integration with Google Workspace. The new sensor collects and pre-processes activity and usage data related to Google Workspace accounts and services.
Prerequisites for the Active Directory sensor have changed. With the exception of Global Object Access Auditing policies, all group policies in Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies must be set to audit all login events.
The default retention period for alerts has changed to 90 days. Extend retention periods for alerts, incidents or raw events by enabling a different storage add-on: GravityZone EDR 180 days Data Retention Add-on or GravityZone EDR 365 days Data Retention Add-on.
Threats Xplorer
The Detection details panel now includes the web address involved in the attack for each event that is based on the Network Attack Defense technology.
Improved the exclusions mechanism for LSASS Protection events. Now when you add an exclusion from the Detection details panel, the necessary details are automatically configured in the Configuration Profiles page.
Public API
API support is now available for the new Integrity Monitoring feature. The following methods have been updated: getManagedEndpointDetails, getNetworkInventoryItems, createReconfigureClientTask, createPackage, createCompany, setMonthlySubscription, getLicenseInfo, getMonthlyUsage, getMonthlyUsagePerProductType, createReport, getReportsList.
Resolved issues
Licensing
The Patch Management and Full Disk Encryption modules will now be disabled when applied to endpoints after the seat limit on the corresponding license keys has been reached.
Threats Xplorer
The Detection details panel displayed the policy directly assigned to endpoints instead of the active policy at the moment of the detection applied through assignment rules.
GravityZone platform
The Policy tab in the endpoint details no longer displays the status "Cannot determine". The message appeared due to an issue with the cleanup rules that was fixed.
Fixed an issue causing Antiphishing reports to display incorrect data for the current month. This issue occurred when the reporting interval was set for the last 2 or 3 months.
Security fixes.
Known issues
Integrity Monitoring
Windows
Integrity Monitoring events are not generated for monitored entities that are modified by processes excluded from Advanced Threat Control scanning.
Integrity Monitoring events are not generated for files that have been modified through Server Message Block (SMB).
Linux
Integrity Monitoring is not compatible with 32-bit operating systems.
Integrity Monitoring is not applicable for Bitdefender Security Container.
Service events are not generated on SUSE Linux Enterprise Server (SLES) systems.
Using the mv command does not trigger folder rename events.
October 2022 (Version 6.32.0-2)
Improvements
EDR
The following features are generally available to all customers using Bitdefender EDR, GravityZone Endpoint Detection and Response, GravityZone Business Security Premium and GravityZone Business Security Enterprise:
Assignee option to assign the incident to an analyst.
Priority option to assign the incident a priority.
Incident history button shows all actions taken on the incident, including assign and priority.
The above features are in the XDR Incident Overview and EDR Graph View pages as well as in the status bar of the incidents.
September 2022 (Version 6.31.0-2)
Early Access
XDR Live Search
Early Access enrollment is now available for Live Search. With this feature you can directly search for events and system information from the online endpoints in your network, using OSquery, an SQL-compatible query system.
New features
Early Access programs
Early Access allows you to try out specific products, features or functionalities that are still in development, by enrolling in beta programs.
Remote troubleshooting
Remote troubleshooting is now available for GravityZone Security for Containers.
Improvements
XDR
Auto-complete functionality is now available when adding tags in Incidents > Custom Rules.
The Sensors Management feature now provides integration with Azure Cloud. The new Azure Cloud sensor can collect and pre-process cloud activity data.
A new filter is available for the Status column in the Configuration > Sensor management page.
Integrations with Azure AD can now provide Risky user information in Incidents > Graph. Enable this functionality by setting up the Azure AD sensor with the IdentityRiskyUser.Read.All permission.
Integrations with O365 now allow you to delete a suspicious email directly from Incidents > Graph.
Quarantine
You can now filter and view quarantined items regardless of the time interval. Using the Quarantined on filter you can customize any interval that suits your needs.
GravityZone platform
You can now export the data displayed in the Companies page as a CSV file.
A new filter is available for the Product Status column in the Companies page: you can select between companies with active, expired, trial or no licenses.
Licensing information is now available for the Full Disk Encryption and Patch Management add-ons in the My company, Edit Company and Companies pages.
The primary update location for endpoints and relays is now https://update-cloud.2d585.cdn.bitdefender.net. The previous location will still be used as a fallback. You can view the changes in the General and Relay sections of the policy under the Update tab.
As GravityZone administrator, you can take ownership over policies created by users that have been deleted. The new Take Ownership option is now available in the Policies page, and the Created by column has been renamed Owner.
For user assignment rules, you can select organizational units (OUs) in Active Directory inventories as targets.
The Network Protection Status report now indicates when the Full Disk Encryption and Patch Management modules are expired.
Email Security
You can now activate the Email Redaction setting for your Email Security account. This will mask sensitive information when accessing emails through reports.
Resolved issues
API
getNetworkInventoryItems no longer returns an internal server error when users with no rights granted over their own company use the method for child companies.
August 2022 (Version 6.27.2-3)
New features
GravityZone platform
Added the following features to Security for Amazon Web Services:
Sandbox Analyzer - companies can submit files, samples and URLs, and check their status.
HyperDetect - this module is activated from the policy. It detects advanced attacks and suspicious activities in the pre-execution stage.
Fileless Attack Protection - this feature prevents fileless malware attacks. The newly generated event is displayed by BEST. In addition, the event is also visible in the Security Audit Report.
Antimalware Central Scan - this feature enables the Security Server in the Packages section.
Advanced Anti-Exploit - this feature generates anti-exploit events when the tool is run on a managed endpoint.
Network Attack Defense - this feature focuses on detecting network attacks designed to gain access on endpoints through specific techniques. In addition, the event is visible in the Notifications section, if Network incident events are enabled.
Incidents - this feature displays all suspicious incidents detected at endpoint level, that require investigation and upon which no action was taken yet.
Endpoint Risk Analytics - you can see new information in the Risk Management dashboard and Security Risks after the risk scan task has successfully finished.
Note
All these features are also available for companies with an existing AWS integration.
Improvements
GravityZone platform
Installation packages are now kept even if the user that created them is deleted.
XDR
The Sensors Management feature now provides integration with Microsoft Intune. The new Microsoft Intune sensor can be configured to collect and pre-process device-related data.
Actions taken on incidents are now visible in Accounts > User Activity.
Firewall
Port scan exclusions are now available. You can create IP-based exclusions to allow port scanning.
Note
This feature brings major changes to the Firewall technology used. We recommend testing this feature before deploying it to your endpoints.
Advanced Anti-Exploit
The LSASS process protection option is now more customizable and provides details about possible exploits that may target Local Security Authority Server Service (LSASS). You can configure block or report actions in the policy, add exclusions for trusted processes in Configuration Profiles and view related user activity. The events are available in the security agent local interface.
Risk Management
The Endpoint Score in the Top Devices at Risk widget now takes User Behavior Risks into account.
Resolved issues
GravityZone platform
The option The company manages endpoint security is no longer disabled when editing partner companies with clients.
Security fixes.
Configuration Profiles
Users were unable to export exclusion lists from a GravityZone On-premises instance and import them in GravityZone Cloud.
Patch Management
Patches for excluded products were incorrectly displayed in Control Center as failed.
August 2022 (Version 6.27.2-2)
Resolved issues
GravityZone platform
Security fixes.
July 2022 (Version 6.27.2-1)
Improvements
XDR / EDR
Added support for multi-value fields in the Incidents > Search section. This functionality is also present in the Details panel.
Alert data is now available in the Incidents > Search section. The raw data is available in the JSON tab of the Details panel.
Alerts now display the corresponding incident number.
New fields have been added to Incidents > Search. The fields are either related to alert data or to resource information normally displayed in the Graph section of an incident.
Added two new columns to the Extended Incidents / Endpoint Incidents tabs in the Incidents page: Assigned to and Priority.
For the XDR Incident Overview and EDR Graph View pages, added the following items:
Assignee option to assign the incident to an analyst.
Priority option to assign the incident a priority.
Notes button providing a list of analyst notes.
History button providing a history of the incident.
Sensors Management
The Sensors Management section now displays the setup steps at the top of the page.
Re-designed authentication-related error messages for the O365, Azure AD and AWS sensors.
Risk Management
Decommissioned endpoints no longer appear in Risk Management. The corresponding risk data is deleted and it no longer impacts risk-related reports and dashboards.
Network
The Restart machine task is now available for all Security Server types in distributed environments.
Policies
The configuration page for location assignment rules now has the Targets section, where you can define the specific folders within the network to which the rule applies. If you do not enable Targets, the rule applies to the entire network.
A new column added in the Assignment Rules grid indicates the status of existing rules:
Running – the rule is active and is applicable to the endpoints.
No target – the rule is not applied to the endpoints because it is missing targets.
Resolved issues
Quarantine
The Restore button is now available again for Exchange Quarantine.
July 2022 (Version 6.26.2-2)
New features
Integrations
You can now integrate GravityZone data into Microsoft Azure Sentinel, allowing automatic transfer of GravityZone events to the Microsoft platform.
Improvements
XDR
Added a new response action to the Incidents Graph and Response tabs: Mark user as compromised. This action marks the user as compromised in Azure AD Identity Protection security tool. The Azure AD and Office 365 sensor requirements have been updated to reflect the type of permissions required for this response action.
As a Partner, you can now view and deploy sensors for all managed companies under your account.
As an MSP, you can collect investigation packages on endpoints from any company under your management.
User activity records are now available for actions taken in the Sensors Management page.
Threats Xplorer
Threats Xplorer now provides you with enriched information about each security event and possible actions that you can take, all in a single view. The new Detection details panel is available when selecting any event from the grid and includes the following:
Details about the threat such as threat type and name, the action taken, the detecting module, and others.
Details about the detected object including the category and object-specific information like process ID, file path, URL, email subject, and others.
Endpoint details such as endpoint name, type and risk score, the assigned policy, any existing vulnerabilities or misconfigurations, and others.
Several investigation and remediation actions, such as scanning or isolating the endpoint, adding exclusions for files and processes, or adding detected objects to the Blocklist.
The option to view all the security events on a specific endpoint within the last 24 hours.
A link to a specific endpoint within the Network Inventory.
Licensing
Bitdefender MDR Foundations is now available as an add-on to the Bitdefender Managed Detection and Response service.
XDR is now available as an add-on. Additional licenses need to be enabled for each type of sensor platform. When reselling XDR, all types of sensor platforms will automatically be enabled for client companies.
License trials now offer a maximum of 50 seats.
New trial keys are now generated with 12 characters.
Company Administrators can now enable or disable XDR sensor categories when the XDR add-on is enabled.
Monthly Trial licenses now include XDR and all sensor categories.
Exclusions
Editing exclusions and list assignments is now reflected in more detail in the User Activity section, with separate entries for the affected exclusions, lists, and policies.
In Policies > Configuration Profiles, you can assign multiple exclusions to multiple lists by using the new Assign to lists option.
Minor name changes to various buttons and options for more consistency.
GravityZone authentication
The options and messages related to two-factor authentication (2FA) are now referring to “trusting the browser” rather than “remembering the device”, as the settings actually apply per browser. This addresses the scenario where a user might use a computer with multiple browsers to log in to GravityZone Control Center.
Some buttons and options related to 2FA have been redesigned, alongside other minor visual changes.
A new message informs you when you cannot log in to GravityZone Control Center because of an ongoing update.
Sandbox Analyzer
As a partner, you now can see submissions from other companies in the Sandbox Analyzer section of the Control Center main menu. Use the search box or the new drop-down list on the page to switch from the default view of your company's submissions to those from all direct companies or from a specific company.
In the Sandbox Analyzer > Manual Submission section, you can select from the drop-down list a company on whose behalf to submit samples.
Starting with this release, you can retrieve detailed Sandbox Analyzer HTML reports via API. The Sandbox Analyzer Results report, which contains only a summary, is no longer deprecated.
Quarantine
The Quarantine page has a new modern design and includes the following changes:
The views selector was redesigned into two new subsections that are available in the GravityZone menu under Quarantine.
Filters and columns allow more control and customization. You can show or hide filters, add or remove columns and use a compact view.
The company selector is available in a new format as a customizable column and filter for partner companies.
Added new time intervals for the quarantined items.
Renamed a few elements on the page.
Companies
Multiple graphical elements have been modified to offer a better user experience:
For companies that use multiple products, only the total number of products is displayed. You can use the arrow button on the left side of the screen to display all used products.
Multiple buttons have been redesigned, moved, or included under the More actions menu.
Improved the page navigation.
Added the Settings menu, which allows you to customize the information displayed for each company. The menu also provides additional features, including Reset view, Compact View and a search box to find specific columns.
Several improvements have been made to the list of companies:
Added additional filters.
A new Show or hide filters button is available in the upper right side of the page.
You can customize the filters displayed on your screen by using the More menu or by removing individual filters using the button.
A Clear button, allowing you to revert all filter settings to default.
Added several columns, providing access to additional company, product, and usage information.
Renamed License usage to Usage Breakdown and License validity to Expiry date for improved clarity.
The information previously shown under Company ID has been moved to a new field called Company hash. Company ID now shows the company's database ID, which is mainly used for API requests.
Companies now have two identifiers in Control Center:
Company ID, the company identifier in GravityZone Database. Use this ID when making API requests.
Company hash, previously shown in Control Center as Company ID. Use the hash when changing the Bitdefender partner via Control Center.
Network
Added two new tasks in the Network > Tasks section: Isolate and Remove from isolation.
API
You can now use the Reports API to download Sandbox Analyzer HTML reports.
Several methods under the Companies, Licensing and Network API have been updated to support the addition of the XDR add-on.
Localization
From now on GravityZone Control Center is available in Japanese.
Resolved issues
GravityZone platform
Companies are now suspended when they reach the subscription end date.
API
The 201 response status code is no longer handled as an error for the Event Push Service.
Reports
In some situations, the Security Audit report did not include Advanced Anti-Exploit events.
Risk Management
The Devices grid in Security Risks used to count all misconfigurations, regardless of whether they had been marked as Ignore risks.
June 2022 (Version 6.26.2-1)
New features
EDR
EDR alerts in the Incidents > Search section now display additional information in the JSON tab of the Details panel. The key-value pairs in this tab cannot be used for building queries. However, you can copy the entire data to clipboard for ease of access in your investigations.
Licensing
Early Access Program licenses have been reworked:
You can now add the license on top of any other standalone license that includes EDR.
The license no longer has usage limitations.
Note
Previously generated Early Access Program licenses will be invalidated. Companies currently in the program will need to acquire a new license key.
Improvements
XDR
Only the first two types of attacks are now visible in the Summary section of the incident Overview tab. You may expand the list to view all types of attacks.
The Resources section inside the incident Graph has been redesigned:
The resources under the transition panel are now displayed as a list under each associated alert. The list displays groups of resources, organized by type, and includes the number of items for each type. The full resource details can be accessed from each alert panel.
The list of resources within the alert's details panel is now collapsible, making the details easier to observe.
All details gathered from an email are now grouped under a single resource. Along with the information aggregated from the previously existing resources (subject, URLs, and attachments), additional information will be made available:
Resource type: Email
Email Subject
Email ID
Received on
Sender
Receiver (to / cc / bcc lists)
Attachments
URLs
Remote Shell is now available for Bitdefender XDR. You can find it in the incident Graph tab, in the details panel of endpoints or server nodes.
Network Sensor details are now available in Configuration > Sensors Management.
EDR
The EDR incident page has been redesigned:
A floating bar is now displayed above the Critical path of the incident and contains two functionalities: Search entities and Incident trigger.
The elements of the Incident status bar have been rearranged and the endpoint name is no longer displayed.
Exclusions
You can now add exclusions to Configuration Profiles right from the Blocked Applications report. Use the new Back option at the top-left corner in Configuration Profiles to return to the report if needed.
In Configuration Profiles, the menu option Assign to list has been modified to Edit list assignment. The name of the corresponding configuration page also reflects this change.
The Exclusions grid area in Configuration Profiles includes a new sortable column named Added on, which by default lists the exclusions in reverse chronological order. Only exclusions added after this GravityZone update will display date and time.
Exclusions in Configuration Profiles and in the policy now support the %SystemDrive% variable.
You can now use the asterisk (*) as a wildcard for searching exclusions in the Configuration Profiles section.
To accommodate Linux requirements, exclusions now support up to 4096 characters when defining paths in Configuration Profiles and in the policy. To apply this on Windows systems, make sure MAX_PATH is set to support this value on the target machines.
Maintenance Windows
New messages warn you when deleting maintenance windows assigned to policies, and when you remove the last maintenance window from a policy.
You can now sort maintenance windows by name, status, modification time, users who last edited the window, permissions, and policies.
The grid area in Configuration Profiles now displays the list of maintenance windows on multiple pages instead of a page with infinite scrolling.
Minor text changes to the Patch Management section in the policy and in Configuration Profiles.
Policies
You can now scroll through sections inherited from another policy.
Resolved issues
Device Control
Creating a Device Control exclusion rule with multiple devices IDs, separated by commas or space, now correctly saves all information.
GravityZone platform
Security fixes.
May 2022 (Version 6.26.1-2 EFX)
Improvements
Remote troubleshooting
The Debug session now contains a troubleshooting scenario for the Endpoint Detection and Response (EDR) module. Using this new option, you can gather specific logs that target EDR issues such as incidents not generated, false positives, missing incident data, and others.
The Content Control (traffic scan and user control) scenario now also covers Firewall issues and was renamed Content Control and Firewall.
Note
These changes are available for Windows systems.
May 2022 (Version 6.26.1-2)
Improvements
Threats Xplorer
The detection event category and action taken have a new color design, needed for future developments.
Resolved issues
Configuration Profiles
The Modules column in the grid area was displaying the Unknown status instead of All modules (value "3") for exclusions coming from imported lists.
May 2022 (Version 6.26.1-1)
New features
XDR
You can now request a new sensor type by accessing Configuration > Sensors Management > Add new > Need a different sensor?
Improvements
XDR
Now you can also access the Remote Shell feature from the Network section Action Toolbar. The option becomes available once you select at least one managed device in the list.
Network Protection
The Exclusions table in the General page includes a Remarks column where you can add comments for existing or new rules.
April 2022 (Version 6.24.0-3)
Improvements
GravityZone platform
Two-factor authentication (2FA) becomes mandatory for all GravityZone Cloud accounts on April 12, 2022. From now on, when logging into Control Center, you need to enter a six-digit code from an authenticator app in addition to your GravityZone credentials.
If you do not use 2FA yet, you will be prompted to set it up in a configuration page. You can skip the configuration page up to 5 times.
Bitdefender supports any TOTP authenticator compatible with the standard RFC6238, installed on devices such as smartphones and computers. Learn how to configure an authenticator on your smartphone or computer.
This update comes with the following new options:
Remember this device, on the Control Center login screen. Select this option to trust the device used for accessing Control Center and to skip entering the six-digit code. Different browsers on the same computer mean different devices.
Allow users to remember their device, in the Authentication tab of the company settings. As an administrator, use this option to configure the time interval for skipping 2FA up to 90 days.
Forget all remembered devices and Forget current remembered device, in the account settings, to reset those devices that skip 2FA when signing into GravityZone.
Two-factor authentication cannot be disabled. In case you forget your credentials or lose your authentication device, ask your administrator to reset 2FA from your account settings.
Note
Bitdefender does not enforce two-factor authentication (2FA) to GravityZone accounts using single sign-on (SSO).
Learn more about two-factor authentication and how to enable it from this FAQ article.
Public API
Enforcing two-factor authentication brings the following changes to the public API:
API calls that had the parameter enforce2FA set to false are now automatically set to true for the createCompany and updateCompanyDetails methods. This change does not return an error message.
The new optional parameter skip2FAPeriod is available for the createCompany and updateCompanyDetails methods. This parameter allows you to configure the time interval in days for skipping two-factor authentication by specifying one of the values: 0, 1, 3, 7, 14, 30, 90. 0 (zero) means this option is disabled and the user must enter the six-digit code when logging into GravityZone.
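An added Python example, not part of these release notes or of Bitdefender's own client code, that prepares a request to these two methods and mirrors the behaviour above on the client side: enforce2FA=false is silently treated as true, and skip2FAPeriod must be one of the listed values. It assumes the public API takes JSON-RPC 2.0 request bodies; the company fields in the sample are constructed placeholders.

```python
import json

# Methods that accept the enforce2FA and skip2FAPeriod parameters (from the release notes above).
METHODS_WITH_2FA_PARAMS = ("createCompany", "updateCompanyDetails")
# Permitted skip2FAPeriod values, in days; 0 disables the trusted-device window.
ALLOWED_SKIP_2FA_PERIODS = (0, 1, 3, 7, 14, 30, 90)


def _valid_period(period) -> bool:
    # bool is a subclass of int, so True would otherwise pass as 1.
    return not isinstance(period, bool) and period in ALLOWED_SKIP_2FA_PERIODS


def audit_2fa_params(params: dict) -> list:
    """Return findings where the 2FA fields will not do what the caller asked.

    The server returns no error for enforce2FA=false, so a client that relies on the
    response alone would not notice that 2FA stayed enforced.
    """
    findings = []
    if params.get("enforce2FA") is False:
        findings.append("enforce2FA=false is overridden to true; 2FA stays enforced")
    period = params.get("skip2FAPeriod")
    if period is not None:
        if not _valid_period(period):
            findings.append(f"skip2FAPeriod={period!r} is not one of {ALLOWED_SKIP_2FA_PERIODS}")
        elif period == 0:
            findings.append("skip2FAPeriod=0: users must enter the code at every login")
    return findings


def normalize_2fa_params(params: dict) -> dict:
    """Return a copy of params as the server will apply them, rejecting invalid periods."""
    out = dict(params)
    if out.get("enforce2FA") is False:
        out["enforce2FA"] = True  # the silent server-side override described above
    period = out.get("skip2FAPeriod")
    if period is not None and not _valid_period(period):
        raise ValueError(f"skip2FAPeriod must be one of {ALLOWED_SKIP_2FA_PERIODS}, got {period!r}")
    return out


def build_request(method: str, params: dict, request_id=1) -> dict:
    """Build a JSON-RPC 2.0 request body (assumed wire format) for one of the two methods."""
    if method not in METHODS_WITH_2FA_PARAMS:
        raise ValueError(f"{method} does not take the 2FA parameters")
    return {"jsonrpc": "2.0", "method": method, "params": normalize_2fa_params(params),
            "id": request_id}


if __name__ == "__main__":
    # Constructed sample: a request that tries to turn 2FA off and allow a 7-day trusted window.
    requested = {"id": "COMPANY-ID-PLACEHOLDER", "enforce2FA": False, "skip2FAPeriod": 7}
    for finding in audit_2fa_params(requested):
        print("note:", finding)
    print(json.dumps(build_request("updateCompanyDetails", requested), indent=2))
```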
April 2022 (Version 6.23.0-4)
Minimum requirements:
Security agents: 7.5.1.177 (Windows), 7.0.3.1982 (Linux), 7.4.10.200020 (macOS)
Important
Starting April 12, 2022, two-factor authentication becomes mandatory for all GravityZone Cloud accounts. When signing in after this date, GravityZone will automatically prompt you to configure 2FA. If you are already using 2FA or logging in with an Identity Provider, this change will not affect you. Read more.
A dedicated GravityZone update on April 12 will enforce two-factor authentication for existing users. The same update will bring a new option to remember the device used for signing in, which will allow skipping 2FA for a configurable time interval.
New features
XDR in general availability
eXtended Detection and Response (XDR) consolidates security-relevant endpoint detections with telemetry from non-endpoint sources such as network visibility, email security, identity and access management, or cloud security. XDR focuses on optimizing threat detection, investigation, and real-time threat hunting.
XDR provides advanced investigation tools such as:
The Overview tab - Here you can evaluate the impact of an incident on your organization, and quickly act to contain threats.
The Graph tab - Here you can analyze in detail the Initial access, Exit points, as well as the interactions between the multiple elements of your environment, and affected resources.
Every graph element provides relevant information in their details panel, as well as specific mitigation actions. The Graph displays data correlated from endpoint, network, productivity, identity, and cloud sensors.
The Alerts tab - Here you can see in detail all the security events that make an extended incident, and search for specific events by multiple criteria.
The Response tab - Here you can view and take recommended actions to mitigate threats to your organization, and analyze actions already executed from within the incident graph.
XDR also includes new powerful investigation features such as:
An advanced Search feature you can use to analyze any element or company resource involved in an incident. It provides:
Improved data visualization.
Automatic suggestions for field names, values and operators when typing queries.
Ability to save and name search queries: they will be displayed in the Smart views panel. You can also edit or delete them.
Ability to view more details about an event using the Details panel.
An interactive full Remote Shell feature you can use to connect remotely to any endpoint in your environment, and take immediate action to minimize threats or perform advanced forensics.
An Investigation Package feature you can use to collect data from any endpoint involved in an incident. You can download and analyze data such as BEST product logs, system info, registry files, Windows, macOS and Linux event logs.
To bring all these together, XDR uses advanced correlation engines to process data from multiple sources, such as:
The Incidents sensor
The Network sensor
Productivity sensors:
The O365 Mail and Audit sensors
Identity sensors:
The Active Directory sensor
The Azure AD sensor
Cloud sensors:
The AWS sensor
Important
The Network, Productivity, Identity, and Cloud sensors, as well as the Remote Shell feature, require a separate license key for activation.
Threats Xplorer
Bitdefender introduces Smart Views, a brand-new GravityZone feature focused on optimizing user experience by adding a new level of personalization in Threats Xplorer. You can now create your own customized views or use predefined ones and quickly switch between them as needed. In a single view, you can customize filters, different time intervals, add or remove columns and scale their size.
Improvements
GravityZone platform
Bitdefender has launched a new product portfolio. We have changed several product names to offer a better representation of our current vision. Learn more.
The package configuration page includes new privacy options in the Miscellaneous section.
The list of supported internet browsers has been updated. Learn more.
Threats Xplorer
The company selector is available in a new format as a customizable column and filter for partner companies. Furthermore, the improved filter now helps partners analyze detection events from multiple companies all at once.
Added a new type of detection event for dynamic malware. This uses Fileless Attack Protection and Windows Antimalware Scan Interface (AMSI) technologies integration to detect various fileless threats.
Network Protection
The Content Control module is now available for Windows servers and Citrix virtual apps and desktops. For existing clients, the module is available through the Reconfigure Client task, while new clients need the installation packages configured accordingly. Learn more. Content Control on Windows servers requires Bitdefender Endpoint Security Tools version 7.5.1.177 or later.
The Network Attack Defense module for macOS systems is now supported in GravityZone. The next versions of Bitdefender Endpoint Security Tools will ensure compatibility between endpoints and GravityZone.
On Windows servers, the Network Attack Defense module extends its capabilities beyond RDP connections and also scans web traffic when used with the new Content Control capability.
Antimalware
You can now scan the memory of a process using the new Process memory option available in the On-Access Scanning > Settings section of the policy.
Fileless Attack Protection
The new integration with Windows Antimalware Scan Interface (AMSI) technology provides an additional level of protection against dynamic malware such as script-based attacks.
The Command-Line Scanner option allows you to detect fileless attacks at pre-execution stage.
The Antimalware Scan Interface Security Provider option allows you to scan content (scripts, files, URLs etc.) sent by other services that require a security vendor to analyze it before accessing, running, or writing it to the disk.
Configuration Profiles
Bitdefender introduces a series of improvements to the Exclusions section:
The ability to import and export exclusion lists in the CSV format.
The ability to edit exclusions inline and delete or export them in bulk. You can also export selected exclusions.
The ability to sort exclusions and a new pagination system for easier navigation.
A new option in the Blocked Applications report to add exclusions to lists.
Improved performance when using filters.
In the Patch Management section, you can now add multiple custom hostnames or IP addresses for Patch Caching Servers, separated by semicolon (;). The total limit is 256 characters.
Assignment Rules
For location rules, we increased the maximum number of DNS server addresses to 30, and the field length to 480 characters.
Licensing
The License Usage Limit Has Been Reached or Exceeded and License Limit Is About To Be Reached notifications now apply to Email Security mailboxes as well.
Security Audit
The report now includes an enhanced graphical evolution of all security events that occurred on the selected target. You can view each available module as a single line in the graph and all modules in the graph legend.
The exported report in PDF format now includes a new graph that details the evolution of the Antimalware security events.
Added a new event type for AMSI detections.
Network
The Endpoint details page displays more explicit messages when users have not approved Full Disk Access and Network extension for Bitdefender Endpoint Security Tools components.
Public API
A new connector is available for sending events from GravityZone to SIEMs lacking HTTPS listeners. You can use the new DEB package to deploy the connector as a service. This provides easier installation, maintenance, and upgrades. Learn more.
Localization
From now on GravityZone Control Center is available in Vietnamese.
Sandbox Analyzer
Security improvements to Cloud Sandbox.
March 2022 (Version 6.22.0-1)
Improvements
XDR
Important
Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.
The Sensors Management feature now provides integration with AWS. You can configure the new AWS sensor to collect and process configuration changes and actions taken by users, roles, or AWS services.
Extended Incidents now display in the Graph the users involved in the interaction between two incident entities as an independent identity node, highlighted with a dotted link. The dotted transition also displays the direction, to make it easy to see whether the user affects or is affected by the other elements it interacts with.
The Graph offers support for forensic artifacts collected by the AWS sensor from your company's AWS service.
When the same alert is spawned in multiple Graph interactions, this information is now shown in its details panel, to make it easier for you to investigate.
Licensing
The License Expires notification comes with the following changes:
Recurrence: The notification will now be sent 90, 30, 7, and 1 day before expiration, each time containing specific content.
Content: Details include company information, product name, the expired license keys and useful URLs.
Note
For Partners, these changes apply only to notifications about their own licenses.
Configuration Profiles
On the Exclusions page, you can add and remove columns from the grid.
Patch Management
The Patch Management module for Linux now installs only on supported distributions.
Linux machines now display in the endpoint details page explicit error messages for users whenever a Patch Scan or Patch Install task fails.
The Patch Inventory page displays the OS type column dynamically depending on the available endpoint types (Windows or Linux).
Assignment Rules
For location-based rules, the maximum number of IP addresses you can add in the DNS server address category has been increased to 30. The character limit in the corresponding field has been extended to 480.
Public API
The Push API now provides additional information:
modules events now inform you whether the Network Attack Defense module is disabled or enabled on your endpoints.
network-sandboxing events now include the computer identifier and the IDs of your Sandbox Analyzer submissions.
February 2022 (Version 6.21.1-1)
Improvements
GravityZone platform
The User Activity page now includes details about API operations such as editing, creating, and deleting API keys.
You can now add descriptions to your API keys from the API keys section under Account Menu > My Account.
New endpoint packages no longer have the Device Control module on by default.
New privacy options have been added in the following section of the console: Policies > General > Settings > Options.
XDR
Important
Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.
The Sensors Management feature now provides integration with Active Directory. The new Active Directory sensor can be configured to collect and process user login information.
The Graph offers support for forensic artifacts collected by the Active Directory sensor from your company's AD Domain Controllers.
The alerts resulting from interactions between incident elements offer additional data about the involved entities and resources, displayed in their specific side panel.
The Security Analytics sensor from the menu in the Alerts tab will be replaced by specific sensors that have triggered alerts.
The XDR Search feature now provides automatic suggestions for fields, values and operators, which appear as you type. Syntax highlighting has been added for improved readability.
The new details panel shows further information about the events in the grid, and its data can be used to further refine your search. Support for Office 365 logs is now available.
January 2022 (Version 6.20.1-2)
Resolved issues
GravityZone platform
Endpoint names are no longer clickable in the Endpoint Protection Status report for GravityZone users with Security Analyst role. Previously, clicking endpoint names resulted in Control Center session expiration for such users.
Security fixes.
January 2022 (Version 6.20.1-1)
Minimum requirements:
Security agents: 7.4.2.142 (Windows); 7.0.3.1927 (Linux); 7.4.8.200007 (macOS)
Improvements
XDR
We upgraded the visual mechanics of the Extended Incidents Graph to better represent the events that have occurred within the incident you are investigating.
Triggered alerts that were displayed on both source and target nodes are now displayed as part of the interaction between them, thus eliminating duplicates.
The interactions between nodes are displayed as a separate graph entity that shows all the company resources that were impacted in some way by the triggered alerts.
Important
Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.
GravityZone platform
You can now view the names of Mac users logged into GravityZone via SSH. The new information is available in the Network section (Users tab in computer details) and in the Network Protection Status report.
December 2021 (Version 6.19.1-1)
Improvements
XDR
Important
Join the Bitdefender Early Access Program for the opportunity to access the XDR improvements, ahead of everyone else. Share your feedback with us and we'll make it a priority and tailor the product to your needs. Contact Customer Support to get the key to these locked features.
Search
We redesigned the Search feature, and now it provides:
Enriched data, including raw events to help with investigation efforts
An extended number of suggested fields for creating queries. A list of fields with predefined values is available here.
Customizable results grid with show/hide columns functionality
New predetermined options for the Date field: Last 24 hours, Last 7 days, Last 30 days, and Custom.
Investigation Package
The new Investigation Package functionality enables the collection of forensic data from your environment without requiring a direct interaction with the endpoint involved in an incident.
This feature is designed to improve your SOC team's overall effectiveness by eliminating the time-consuming and labor-intensive task of manually collecting extra incident information from endpoints, allowing your team to mitigate and contain threats faster.
You can gather forensic data by using the Collect Investigation Package action from the Details Panel of any endpoint involved in an incident.
All investigation files are available for download in the Investigation tab of the endpoint's full details page.
Sensors Management
The new Sensors Management dashboard allows you to integrate sensors from all the major cloud service platforms, which enable GravityZone to gather and correlate data into highly-accurate extended incidents.
Currently in its early stages of development and production, this new feature provides integration with the Microsoft Office 365 platform, which will soon be followed by other integrations.
The feature provides integration with the Microsoft Office 365 platform through the Mail and Audit sensors, which boost the detection capabilities by providing metadata about email traffic and content, as well as user and admin operations retrieved from the Microsoft 365 unified audit log.
All sensors can be configured and managed as separate sensor integration instances or together as part of the same instance setup.
The Sensors Management dashboard is available as a new tab in the Configuration page.
Extended incidents
The Graph went through a visual update designed to improve the investigation process. It now always indicates the origin of the incident in the Initial Access area, and all exfiltration and command & control activities in the Exit Points area.
The Graph also provides visual representation for new forensic artifacts collected and correlated from Microsoft Office 365 sensors, namely nodes for O365 users and O365 Mail and Audit sensor integration instances.
The new Overview tab displays the most impactful events of an extended incident, condensed in three major areas:
Summary - A synopsis of the entire incident, including data on initial access, tactics and techniques used by attackers, and affected organization assets
ATT&CK Tactics and Techniques - All the identified MITRE ATT&CK tactics and techniques used in the incident
Highlights - The critical alerts from the most impactful steps in the incident kill chain
Patch Management
Maintenance Windows
GravityZone introduces Maintenance Windows in Configuration Profiles, a new and powerful way to configure Patch Management settings outside policies. The Maintenance Windows feature provides you with higher control over patch scanning and patch installation than before, with expanded scheduling options.
In the policy, the old Patch Management module is replaced with a simple interface that allows you to assign the maintenance window you want. You can assign the same maintenance window, created by you or other users, to multiple policies. As a partner, you can create and modify maintenance windows for managed companies.
Upon this release, all Patch Management settings from existing policies will automatically be moved into maintenance windows, and then assigned to each policy accordingly. So, no worries there, your previous hard work is in safe hands.
The Maintenance Windows feature requires a valid license with Patch Management.
Read more about Maintenance Windows
Important
Starting with this version, you can no longer configure relays with Patch Caching Server role in the policies of other companies. The Relay and the policy must belong to the same company.
The option Auto-restart machine after (hours) for Patch Management has been migrated from the Endpoint Restart Notification section in the policy settings to the new option System restarts automatically after a specific number of minutes in the maintenance window settings. Under the new option, the restart interval is capped at 60 minutes, regardless of any previous value.
Linux support
GravityZone extends support for patch scanning and installation to Linux endpoints. For a unified experience, you can use the same maintenance windows and the same policies as for Windows.
Supported Linux distributions for this feature:
CentOS
Red Hat Enterprise Linux (RHEL)
SUSE Linux Enterprise (SLE)
Note
Unlike for Windows, Patch Management for Linux endpoints does not require a Relay with the Patch Caching Server role. Instead, the security agent downloads the updates directly from the vendors’ websites.
Important
This feature will be operational with the next release of Bitdefender Endpoint Security Tools for Linux.
Threats Xplorer
The export functionality is now available in Threats Xplorer. You can use this new option to access and manage the centralized data outside GravityZone Control Center, according to your needs. The security events are exported in the widely available CSV format, making it easier to import in other software programs tailored for your business.
Reports
Antiphishing Activity report
The Antiphishing Activity report is now capable of organizing Antiphishing detections and affected endpoints based on different criteria. The new features focus on underlining possible security issues in your network while helping you achieve an effortless analysis.
The report now includes:
Top 10 domains blocked on endpoints, which details the most frequently detected domains.
Top 10 affected endpoints, which informs you about the endpoints that have the most Antiphishing detections.
Affected endpoints, which presents the total number of endpoints with at least one detection.
Total detections, which provides the total number of phishing detections on all endpoints.
Important
After this update, the last instance of the scheduled report will no longer be available in the View report column. To access the archive containing all instances, select the report, click Download and then select Full archive from the drop-down menu.
Security Audit report
The new improvements simplify the analysis of Antimalware detections in the Security Audit report. The report now classifies the Antimalware detections and affected endpoints based on different criteria as follows:
Top 10 malware by number of endpoints, which details the most frequent Antimalware detections.
Top 10 endpoints by number of Antimalware detections, which informs you about the endpoints that have the most Antimalware detections.
Endpoints, which presents the total number of endpoints with at least one Antimalware detection.
Detections, which provides the total number of Antimalware detections on all endpoints.
Licensing
GravityZone now supports multiple standard products. Products added to the same company must be compatible.
The My Company page has been reworked and restructured. The page now provides an improved overall company management experience.
Notifications regarding reaching or exceeding a license limit or a license expiring have been modified. Changes include:
Notification recurrence
Customized information for companies with multiple licenses
Partners
Bitdefender MDR for MSPs
As a Managed Service Provider (MSP) you can now benefit from automatic provisioning and billing for the Managed Detection and Response (Bitdefender MDR) service, offering you and your customers protection through outsourced cybersecurity operations 24 hours a day, every day of the year. The Bitdefender MDR service combines cybersecurity for endpoints, network, and security analytics with the threat-hunting expertise of a SOC fully staffed by security analysts from global intelligence agencies.
This service is available in two flavors:
Bitdefender MDR Advice - retain full control over end customer environments, with the MDR team acting as a trusted advisor, providing curated recommendations to equip your team to respond to customer incidents.
Bitdefender MDR Response - benefit from a fully-managed threat hunting solution that includes state-of-the-art prevention and expert response. The Bitdefender MDR Customer Success Team (CST) will make real-time changes in your customers’ environments when security incidents are identified, based on a set of pre-approved actions you both agreed upon.
You can activate, deactivate, or switch between service flavors by editing the company details page.
Note
If you are a Bitdefender Partner, the Bitdefender MDR Service needs to be enabled by Bitdefender. If you are an MSP interested in Bitdefender MDR, please contact your Partner.
Companies
The New Company and Edit Company pages have been improved. Managing and displaying company licenses has been updated to support multiple licenses.
The Licensing section within the add / edit company flow for the Monthly Subscription license option now offers you easier activation and management of the products, add-ons, and services provided by Bitdefender.
Use the new Own use section to enable add-ons and services for your own company, and the Reselling section to grant other partners the right to resell products, add-ons, and services.
Public API
The Incidents API has new methods for managing custom rules: getCustomRulesList, createCustomRule, and deleteCustomRule.
Patch Management is now available through API. For the Maintenance Windows API, the following methods have been added:
createPatchManagementMaintenanceWindow
getMaintenanceWindowList
getMaintenanceWindowDetails
updatePatchManagementMaintenanceWindow
deleteMaintenanceWindow
assignMaintenanceWindows
unassignMaintenanceWindows
The Companies, Network and Licensing APIs have been modified as follows:
Functionality for the getNetworkInventoryItems and getLicenseInfo methods has been changed.
The addProductKey and removeProductKey methods have been added.
The createCompany, setMonthlySubscription, getLicenseKey, getLicenseDetails, and getCompanyDetails methods have been modified to properly display multiple standard and add-on licenses, and to include information and settings on Bitdefender MDR for MSPs.
Resolved issues
EDR
Fixed an error that in some particular cases was preventing incidents from being generated.
Firewall
Firewall rules are now being imported from GravityZone if the protocol is set to ICMP.
Configuration Profiles
Exclusions imported from larger CSV files are no longer placed under All exclusions, but in your newly created list.
Exclusion lists created by the current user are now displayed only in the My lists section. They will no longer be added to the Default exclusion lists.
Partners
You can now search by company in Add Company page.
Known issues
Partners
The License key, License usage and License validity columns in the Companies page will only display a company's first license key for standard products if the company has multiple base products.
November 2021 (Version 6.18.1-2)
Improvements
Improvements made to back end code in preparation for future updates. Changes will have no direct impact on users.
Known issues
Starting with version 6.18.1-1, clicking the License key, License validity, Subscription end date or Auto-renewal column headers in the Companies page no longer reorders the list of companies.
October 2021 (Version 6.18.1-1)
Minimum requirements:
Security agents: 7.3.2.44 (Windows); 7.0.3.1803 (Linux); 7.2.6.200017 (macOS)
Improvements
XDR
XDR now includes a full interactive Remote Shell feature that enhances your SOC experts’ investigation capabilities. It enables access to any endpoint in your environment, to gather forensic data and respond swiftly to mitigate and contain any suspicious activity.
You can access this full interactive shell from the side details panel of any endpoint involved in an incident.
This added functionality is compatible with Windows, Linux, and macOS.
Note
For now, the new Remote Shell functionality is available through the Bitdefender Early Access Program, which you may join by contacting Bitdefender Enterprise Support.
The Bitdefender Early Access Program will provide exclusive access to many of the new GravityZone feature releases going forward.
Threats Xplorer
Threats Xplorer now automatically retains your column size selection and applies it when you return to the page. Additionally, we have made several adjustments to the default column sizes for better visibility.
Added the new filter and column SHA256 that helps you easily identify a file hash.
Partners
The New Company page has been improved and the procedure to create a new company has been changed. For more information, refer to Creating companies.
Trial companies now start with a GravityZone Elite license equivalent and several add-ons, providing access to additional GravityZone features. For more information, refer to this page.
September 2021 (Version 6.16.1-7)
Improvements
Platform
A new option, Automatically copy the label of the Relay to connected endpoints, if not specified otherwise, is now available in the Configuration > Network Settings tab. This helps you to manage the labels according to your preferences and choose whether the endpoints connected to a relay should inherit its label or not.
Agent packages names now include the product version.
You can now find the GravityZone Cloud version under the What's new section.
Antimalware
You can now automatically resume on-demand scan tasks using the Resume scan after product update option. To enable it, select the option's checkbox in the Options > Miscellaneous section when you create or edit a scan task.
Network Protection
You can now enable Scan SSL for RDP protocols.
September 2021
Resolved issues
Executive Summary
In some situations, generating an Executive Summary report resulted in crashes for companies with an exceptionally high number of events.
In some cases, generating the Executive Summary PDF file led to crashes. The issue is now fixed.
The Monitoring section failed to display its subsections when hovering over it while the GravityZone menu was collapsed.
Policies
The Allow endpoints to send user login data to GravityZone option was not properly inherited from the main policy.
August 2021
New features
Executive Summary report
The new report focuses on improving data accessibility while centralizing key security information from the Executive Summary page. You can easily export, schedule, and download the report from both the Reports and Executive Summary sections.
Improvements
GravityZone platform
To help you monitor, analyze and quickly identify valuable information we are introducing Executive Summary as the new landing page for GravityZone Control Center. You can adjust this setting to your preference at any moment from the My Account section.
July 2021
New Features
Container Protection
Bitdefender protection is now available for container environments. Container Protection monitors both the operating system on the host and running containers, providing server workload EDR and anti-exploit and antimalware scanning services based on licensing.
The feature offers visibility into Linux server and container workload malicious activity in real time and a clear understanding of attack risk exposure at each stage of the attack. It detects complex attacks early with Linux native exploit detection technology and performs threat-hunting campaigns using the GravityZone EDR event search. Once licensed, you can deploy Container Protection through two solutions:
BEST for Linux v7 deployed directly on a container host.
A Security Container instance deployed on a separate container that protects both the host and its managed containers.
This new feature comes with a new report, Security Container Status, which helps you identify any issues that a specific Security Container might have, with the help of various indicators such as Update Status, Upgrade Status and more.
A new notification is also available, Security Container Status Update, informing you when the product update status changes for a Security Container installed in your network.
Improvements
Advanced Anti-Exploit
Advanced Anti-Exploit feature is now available for Linux.
Network
Virtual Machines view renamed into Cloud Workload.
Containers group added under Cloud Workload containing container hosts and container endpoints.
Physical and VM container hosts now visible under Computers & Virtual Machines.
Reports
Monthly License Usage report now contains Container Protection information.
Configuration Profiles
The Configuration Profiles section under Policies enables you to create and manage customized exclusion rule lists, and assign them to your company policies, thus enabling you to scale the usage of exclusions across your network more accurately, to lower the rate of false-positive events and improve system performance.
Every exclusion rule you create can be assigned to one or multiple exclusion lists, and every list can be assigned to one or more policies. Furthermore, you can assign multiple exclusion lists to the same policy, for maximum flexibility.
EDR
We fine-tuned the formula for how we calculate the Severity Score, to make it more accurate, by taking into account a wider range of parameters, and incident escalation. We also added new mechanics that allow us to update the formula on-the-fly with new parameters from our evolving correlation technologies.
June 2021
Minimum requirements:
Security agents: 7.2.1.60 (Windows)
Improvements
GravityZone platform
Now you can view the names of all active users logged on endpoints running Windows.
This feature brings changes in the following sections of Control Center:
Network – the Network grid includes a new searchable column named Users and the endpoint details window displays a dedicated tab also named Users.
Reports – the Network Protection Status report includes a searchable column named Users.
Policies – a new check box in General > Settings > Options allows you to enable data collection. The information sent by endpoints to GravityZone includes usernames, login time and the login method.
This feature can serve you in multiple ways:
As a GravityZone administrator, you can use the provided information to reach out to the endpoint users in case you need their input.
As a Security Analyst, you can correlate the information about the username with other events from GravityZone or 3rd party systems.
As a partner, the user-related information is helpful in situations such as when you create a Monthly License Usage report for audit purposes.
Renamed a few elements from the following sections:
Threats Xplorer - the columns Device name and Device type are now Endpoint name and Endpoint type.
Network - the column Machine type is now Endpoint type.
Executive Summary - the Threats breakdown by machine type widget is now Threats breakdown by endpoint type.
User Activity page now informs if a user has logged in GravityZone from a third-party platform with which it is integrated.
The cleanup rules for offline machines are now more flexible:
Name patterns can contain the question mark (?) as wildcard.
Name patterns can have any length and no longer require a letter at the beginning. For example, you can use only the asterisk (*) to disregard the machine name.
You can select targets that are offline for less than 24 hours or more than 90 days. The cleanup rules will run hourly for machines offline less than a day, and daily for the other ones.
The target selection now covers Active Directory inventory as well.
EDR
GravityZone extends the endpoint-based threat detection capabilities of the traditional EDR by incorporating network incidents, to successfully counter advanced threats no matter where they emerge in the infrastructure: on endpoints, network or in the cloud. This new EDR component combines the most advanced prevention capabilities, low overhead cross-technology correlation capabilities and Network Traffic Analytics to boost the cyber resilience of your organization.
In this new light, the Incidents page has been enriched with the Extended Incidents tab, to display all organization-wide incidents which require further investigation.
The new graphic representation of extended incidents makes it easy to view and investigate the evolution of a complex attack within your network:
It includes a detailed timeline of events, displaying the network point of entry, evolution over time, lateral movement and communication with outside agents.
It correlates events gathered by Endpoint Detection and Response and Network Traffic Analysis technologies.
It associates extended incidents with any detected endpoint incident that makes a potential staged attack.
Also, if you are using a third-party ticketing platform or a PSA solution, you will enjoy an enhanced experience through the new redirect links. Clicking on the embedded links will either:
direct you to the Endpoint Details page in GravityZone, when you are working on a security incident.
direct you to the Incidents section of that specific incident ID in GravityZone.
Threats Xplorer
The available filters now dynamically adjust to your company's license type. This way, you can quickly use search and filtering criteria relevant to your company and obtain better results.
Note
The filters and detection events are available up to 90 days after you change the protection layers. Following this period, the events are deleted and the filters automatically reflect the available features according to your license key.
HyperDetect
The HyperDetect Activity report now includes the exact name of the detected threat and the file hash.
Deployment
The Network > Packages section now includes macOS downloader, which will make it easier for you to install the security agent on different Mac architectures, whether they are Intel x86 or ARM. The new downloader automatically detects the processor type and downloads and installs the right kit for that specific architecture.
Localization
From now on GravityZone is also available in Turkish.
Product documentation
A unified self-service support experience with the new online help center. All GravityZone help content that was included in PDF guides, knowledge base articles and release notes, is now under one roof, in a more digestible format. Currently it is available only in English, localizations will follow soon.
Public API
Network API: The result of the GetNetworkInventoryItems method now includes the policyId and moveState fields.
Resolved issues
ERA
An overflow of records in the CVEs inventory collection degraded the Indicators of Risk query.
The Risk Management data removal step from the Security Risks > Devices section was skipped when BEST uninstall presented errors. The device still appeared to be present in the devices listed with vulnerabilities.
Following a Risk Scan, the Risk Management module displayed users as having a high severity score, even if the human risks had been fixed through a previous Risk Scan.
Patch Management
Previously installed patches were not displayed in GravityZone after manually rebooting a Virtual Machine.
MSP > Partners
The Reconfigure Task failed when trying to add the Exchange module to endpoints from two different companies - with the same configuration - and displayed the error message "Task could not be created. Some task settings could not be applied to all selected product types".
May 2021
New features
Threats Xplorer
Threats Xplorer offers you greatly increased visibility into the detected threats in your network and helps you perform a concise security analysis. The feature centralizes detection events from multiple GravityZone technologies and classifies them by category, threat type, remediation actions, and many other criteria.
Threats Xplorer makes it easy to identify and analyze threats by providing you with:
A wide variety of customizable columns with detailed information
Diverse filtering and search criteria
Detection events from various modules centralized in a single list
Infinite scroll functionality for seamless interaction
Improvements
Executive Summary
Executive Summary now provides you with the possibility to explore multidimensional data, by browsing from a statistical level to a more granular and detailed view.
The new drill-down capability helps you navigate instantly from widgets to specific sections of the Control Center. Each section displays complex information in a customized way so that you can identify and analyze with ease the aspects you are interested in.
April 2021
Improvements
GravityZone platform
Control Center leaves the old blue theme behind and comes with a couple of readability and usability improvements such as:
Replaced the scroll bar from the main menu with the More button to reveal additional items.
Increased the font size for lower screen resolutions.
Removed the top blue bar to make room for actual data.
Increased the contrast to the top banner for alerts.
The Update Security Server task has two options now, for each type of update you can run, when available:
Feature update, for installing the Bitdefender new features, improvements and fixes, and security fixes
Note
Run the task with this option to bring the OS of the Security Server to Ubuntu 20.04 LTS, the only supported version until new upgrade.
The grid in the Network page now includes new columns and several improvements, designed to help you better identify and find endpoints in the inventory:
Name. It can now display the MAC address appended to the hostname, to uniquely identify endpoints that may have the same hostname or IP address.
You need to enable this option in the Configuration > Network Settings > Network Inventory settings page.
Machine type. It shows whether the endpoint is a server or a workstation.
OS type. It displays the type of operating system installed on the endpoint.
OS version. It shows the version of the operating system installed on the endpoint.
Last Seen. It now allows you to filter endpoints that were online in the last 24h, 7 days or 30 days.
When creating an installation package in the Packages page, you have now the option to choose the operation mode of the security agent:
Detection and prevention, which allows you to choose the modules to include in the package, and to enable their full capabilities.
EDR (Report only), which creates an EDR package with a predefined list of modules, their functionality being limited to report-only actions. The package includes the following modules:
Advanced Threat Control (ATC)
EDR Sensor
Network Protection (Content Control, Network Attack Defense)
Note
Available only with GravityZone Business Security Enterprise, GravityZone Business Security Enterprise Plus, and GravityZone Cloud Security for MSP.
Security Telemetry
New options for configuring Security Telemetry:
Bypass validation of the SSL certificate on HTTP collector, in case your HTTP collector uses a self-signed SSL certificate.
Granular event type selection, if you are interested in sending to the SIEM only certain types of events.
ERA
The App Vulnerabilities details panel now allows you to view the devices impacted by a vulnerable application discovered in your environment.
When you select a vulnerable application and click the View Devices button it will take you to the Devices section and display a list of all impacted devices.
Email Security
You will now know when the GravityZone Security for Email license expires. Just make sure to enable the notifications in the Notifications page.
EDR
The Incidents page now displays suspicious events in the Endpoint Incidents tab, and events detected by prevention technologies, in the Detected Threats tab.
Public API
Packages and Network APIs: Added the productType parameter to the createPackage and createReconfigureClientTask methods. This parameter is optional and states the operation mode of the agent: EDR (Report only), or Detection and prevention.
Event Push Service API:
The taskType parameter for the Troubleshooting activity notification is now a string and can have the following values: Gather Logs and Debug Session.
Enforced TLS 1.2 encryption.
Enforced the use of an authorization header when selecting JSON-RPC format.
Resolved issues
Patch Management
Completed Patch install tasks could not be deleted from the Tasks page, returning the error "Items you selected cannot be deleted".
February 2021
Minimum requirements:
Security agents: 6.6.24.337 (Windows); 6.2.21.133 (Linux); 4.16.6.200156 (macOS)
New features
Apple M1 support
Added support for Apple M1 processors. A separate installation package for endpoints, named macOS kit (Apple M1), is available for download in the Network > Packages section. The previous Mac kit has been renamed macOS kit (Intel x86) and is only compatible with Intel-based Macs.
The following protection modules are supported on M1-based systems:
Antimalware
Device Control
Content Control
Full Disk Encryption
Support for other features will be added in time.
Note
New kits will not install on OS X El Capitan (10.11). For details about the end of support for this legacy macOS version, refer to this topic.
Improvements
Antimalware
Added a new wildcard option when defining custom exclusions for files, folders, and processes. You can now use double asterisks (**) to replace any character, including path separators (\). For example, with **\example.txt you can match any file named example.txt, regardless of its location on the endpoint.
The option is available in both Control Center and Power User policy settings, under Antimalware > Settings > Custom Exclusions section.
Note
The single asterisk (*) substitutes zero or more characters between the path delimiters (\).
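The two wildcard rules above (* stops at a path delimiter, ** crosses it) and the ? and * wildcards of the offline-machine cleanup name patterns described in the June 2021 notes are easy to get wrong when reviewing an exclusion list. The following is an added example, not GravityZone's own matching code: it translates both pattern styles into regular expressions so you can check what a pattern would actually match before deploying it, and flags exclusions that name nothing more specific than a file extension. The function names, the case-insensitive comparison, and the use of ? in hostname patterns only (the page does not mention ? for path exclusions) are assumptions of this example; the paths and hostnames are constructed sample input.

```python
"""Model of GravityZone-style exclusion and cleanup-rule wildcards (added example, not product code)."""
import re

PATH_SEP = "\\"  # Windows path delimiter, as used in the release notes


def exclusion_to_regex(pattern: str) -> re.Pattern:
    """Translate a custom exclusion pattern into an anchored regex.

    '**' matches any run of characters, path delimiters included.
    '*'  matches any run of characters except the path delimiter.
    Everything else is matched literally. Case-insensitive matching is an
    assumption of this example (Windows paths are case-insensitive).
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")          # crosses directory boundaries
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")     # stays within one path component
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches_exclusion(pattern: str, path: str) -> bool:
    """True if the given endpoint path would be covered by the exclusion."""
    return exclusion_to_regex(pattern).match(path) is not None


def hostname_to_regex(pattern: str) -> re.Pattern:
    """Cleanup-rule name pattern: '?' is one character, '*' is any run of characters.

    A pattern consisting only of '*' disregards the machine name entirely.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if the cleanup rule's name pattern selects this hostname."""
    return hostname_to_regex(pattern).match(hostname) is not None


def is_overly_broad(pattern: str) -> bool:
    """Flag exclusions whose only literal content is an extension (or nothing).

    Such patterns (e.g. **\\*.exe) exclude far more than a single trusted
    file and are worth a second look during policy review. This heuristic is
    the example's own, not a product rule.
    """
    literal = pattern.replace("*", "").replace("?", "")
    components = [c for c in literal.split(PATH_SEP) if c]
    if not components:
        return True
    return all(c.startswith(".") for c in components)


if __name__ == "__main__":
    # Constructed sample input for a quick self-check of the rules above.
    samples = [
        (r"**\example.txt", r"C:\Users\bob\Documents\example.txt"),
        (r"*\example.txt", r"C:\Users\bob\Documents\example.txt"),
        (r"C:\Temp\*.log", r"C:\Temp\sub\a.log"),
        (r"C:\Temp\**.log", r"C:\Temp\sub\a.log"),
    ]
    for pat, path in samples:
        print(f"{pat:18} {path:40} -> {matches_exclusion(pat, path)}")
    for pat in (r"**\*.exe", r"**\example.txt", r"C:\Temp\*.log"):
        print(f"{pat:18} broad={is_overly_broad(pat)}")
```

Run it as a script to print the match table; in a policy review the useful check is that a single-asterisk exclusion never silently covers files in subfolders, and that any pattern reported as broad is deliberately so.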
Network Inventory
New options to avoid duplicates of cloned endpoints are available in Configuration > Network Settings:
Select Applies to cloned physical endpoints that are joined in Active Directory to resolve cloned HDD drives from decommissioned machines.
Select Applies to cloned virtual endpoints that are joined in Active Directory to resolve clones created using VMware Instant Clones.
MSP & Partners
Changing the product type in the company configuration page triggers a warning message that recommends reconfiguring the security agents accordingly before the existing product expires on endpoints.
The new notification Product type has changed reminds users of the same details and is sent seven, three, and one day before the grace period ends.
The Monthly License Trial license type now includes Bitdefender EDR feature, so you can enjoy the full GravityZone experience.
Sandbox Analyzer
Increased the length limit for detonated URLs from 500 to 1000 characters.
Reports
The Antiphishing Activity report provides more clarity as it now includes the action taken on each event (Blocked or Detected), when clicking the number in the Detected Websites column. The action is also specified in the Antiphishing event notification.
The Security Audit report includes a new event type, Detected Website, which is available in the report details and in the CSV file.
Resolved issues
Packages
Fixed a minor issue where Customer companies could select another company in the network when creating an installation package.
MSP & Partners
Fixed an issue where Partner companies with Monthly License Trial could not create trial child companies because of missing Product Type options.
September 2020
New features
Security Telemetry
We now offer you the possibility to obtain raw security data from your endpoints right into a SIEM solution. Use this feature if you need a deeper analysis and correlation of the security events in your network. Because we care about system performance and a low footprint of exported data, we are filtering out redundant information.
Check out the new General > Security Telemetry section of the security policy to enable and configure this feature, and the endpoint’s Information page to verify the connection status between the endpoint and the SIEM.
Note
Available only for Windows endpoints and Splunk via HTTPS (TLS 1.2 or higher required).
Improvements
ERA
New widgets in the Risk Management dashboard to show you how many users and devices were scanned across your network.
MSP & Partners
As a Bitdefender Partner, you can now disable seat reservation for Partner companies. The option is available unless the company has minimum usage configured.
As a Partner with monthly subscription, you will have access to a more detailed view of the GravityZone Security for Email activity in the dashboard of the companies under your direct management (for example, sender, receiver, attachments, and so on).
Added an error message when trying to move a company with minimum usage under a Partner with fewer license seats.
Maintenance
Forget about redeploying the agent to apply a fix from an update. Just run the new Repair task in the Network page.
Notifications
The new notification Partner Changed informs you when a managed company has moved under a different Partner.
License Usage Limit Has Been Reached now includes the list of endpoints left unlicensed within the past 24 hours because the license limit was exceeded.
Public API
EDR events are now available via Push API in JSON, CEF and Splunk formats. For this purpose, we added new-incident to subscribeToEventTypes. For more information, refer to the GravityZone API documentation.
getInstallationLinks and downloadPackageZip now provide full installation kits.
As a Bitdefender Partner, you can now remove slot reservation for all child companies with one API call. For this purpose, set the new parameter removeReservedSlots in setMonthlySubscription.
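One way to drive this subscription from a script, as an added example that is not part of the release notes or of Bitdefender's own tooling: a small JSON-RPC 2.0 helper that builds the push-settings request, authenticates with the API key, and checks the response for a JSON-RPC error. Only subscribeToEventTypes, new-incident and the three output formats come from the text above; the endpoint URL, the setPushEventSettings method name and the status/serviceType/serviceSettings parameter names are assumptions drawn from the public GravityZone API documentation as the editor knows it, so verify them against the current docs. The API key and receiver URL are constructed placeholders.

```python
import base64
import json
import uuid
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumptions for the demo: endpoint URL and setPushEventSettings method/parameter names
# are taken from the public GravityZone API documentation as known to the editor, not
# from this release note. Check them against the current documentation before use.
PUSH_API_URL = "https://cloud.gravityzone.bitdefender.com/api/v1.0/jsonrpc/push"
SERVICE_TYPES = ("jsonRPC", "cef", "splunk")   # the JSON, CEF and Splunk formats named above
DEMO_API_KEY = "PLACEHOLDER_API_KEY"           # constructed placeholder, not a real credential


def basic_auth_header(api_key: str) -> str:
    """HTTP Basic authorization with the API key as user name and an empty password."""
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return f"Basic {token}"


def build_push_settings_request(siem_url, service_type, event_types,
                                receiver_auth=None, request_id=None):
    """Build the JSON-RPC 2.0 body that subscribes a SIEM receiver to the given event types.

    Rejects non-HTTPS receiver URLs up front: events leave the tenant over this channel,
    so plaintext delivery should never reach the API.
    """
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"service_type must be one of {SERVICE_TYPES}")
    if urlparse(siem_url).scheme != "https":
        raise ValueError("the receiver URL must use HTTPS")
    settings = {"url": siem_url, "requireValidSslCertificate": True}
    if receiver_auth:
        settings["authorization"] = receiver_auth   # e.g. the receiver's own bearer token
    return {
        "jsonrpc": "2.0",
        "id": request_id or str(uuid.uuid4()),
        "method": "setPushEventSettings",
        "params": {
            "status": 1,
            "serviceType": service_type,
            "serviceSettings": settings,
            "subscribeToEventTypes": {name: True for name in event_types},
        },
    }


def parse_jsonrpc_response(body: str, expected_id=None):
    """Return the 'result' member, raising on a JSON-RPC error or a mismatched id."""
    data = json.loads(body)
    if expected_id is not None and data.get("id") != expected_id:
        raise RuntimeError("response id does not match the request")
    if "error" in data:
        err = data["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    return data["result"]


def send_jsonrpc(request_body: dict, api_key: str, endpoint: str = PUSH_API_URL):
    """POST the request with the API key; needs network access, so it is not run in the demo."""
    req = Request(endpoint, data=json.dumps(request_body).encode("utf-8"), method="POST",
                  headers={"Content-Type": "application/json",
                           "Authorization": basic_auth_header(api_key)})
    with urlopen(req, timeout=30) as resp:
        return parse_jsonrpc_response(resp.read().decode("utf-8"),
                                      expected_id=request_body["id"])


if __name__ == "__main__":
    # Constructed receiver URL; subscribes to the new-incident type named in the release note.
    body = build_push_settings_request("https://siem.example.internal:8088/gz", "cef",
                                       ["new-incident", "av", "atc"], request_id="demo-1")
    print(json.dumps(body, indent=2))
```

The id check in parse_jsonrpc_response is deliberate: JSON-RPC batches and retries make it easy to pair a response with the wrong request, and a settings call that silently reports another request's result is worse than a visible failure.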
March 2020
New features
Single sign-on (SSO)
Added single sign-on (SSO) authentication capability using the SAML 2.0 standard. The SSO options are available as follows:
In the new Configuration > Authentication Settings page, for your company.
In the Companies page, for companies you manage.
In the Accounts page, for GravityZone users.
Incidents
The GravityZone Bitdefender Security bundle now includes the Incidents feature, where we provide the Root Cause Analysis of threats detected and blocked by our preventive technologies, with complex incident filtering options and graphic representation of incidents, as well as isolation, blocklisting, and remote connection capabilities.
Improvements
EDR
EDR introduces the Scan for IOC technology, enabling you to scan your environment for known indicators of compromise in real-time and generate detailed reports.
The Incidents page went through a significant visual and functional transformation, enhancing your experience when analyzing threats in your environment, as follows:
The new Overview bar displays open incidents, top alerts, techniques and affected devices, as well as specific filtering capabilities
The incidents list is now a fully customizable filterable grid with add/remove columns, for easier content management.
The Change Status menu introduces the option to mark incidents as false-positive and leave bulk notes for later consultation.
The detailed information for each incident, and their graphic representation and timeline, are now available in quick view mode.
The Graph tab unravels a multi-phase representation of staged attacks, as well as in-graph search capabilities.
The Node Details panel is now grouping information into more meaningful categories. Above that, the panel is fully expandable, to improve readability.
Endpoint Risk Analytics
Endpoint Risk Analytics introduces the remediation of Common Vulnerabilities and Exposures (CVEs) in applications currently installed in your environment.
The Risk Management dashboard has been completely redesigned to improve visualization and enhance your experience while assessing the overall level of risk your company may be facing.
The company risk score is now calculated by taking into account a wide list of indicators of risks and known application vulnerabilities, showing you its evolution in time.
The new score breakdown, and top misconfigurations and vulnerable application widgets make it easier to see where your environment is more vulnerable to attacks and which devices are affected the most.
The devices by severity widgets show you exactly how impacted by risks and vulnerabilities are the servers and workstations under your management.
The new Security Risks page provides complex filtering options for indicators of risk, application vulnerabilities and devices. Risks in each category can be easily mitigated through the recommendations and actions provided in their Details Panel.
The Companies View page is a new feature included in Endpoint Risk Analytics for MSP, providing a comprehensive overview of the overall risk faced by every company under your management, making it easy for you to assess and eliminate risks separately for each of your customers.
Antimalware
You can now configure Security Servers’ cache sharing so that you can enable/disable it or restrict it to Security Servers from the same network. Not to worry about bandwidth consumption between sites anymore. The settings are available in the Configuration > Security Servers Settings page.
Installation
Easily remove installed security solutions from your environment when upgrading to a full product license. The feature is ON by default and will remove any existing security software that creates conflicts when installing the BEST protection modules.
Network Inventory (MSP only)
Partners (Company Administrator and Partner roles) are now able to move endpoints directly between the companies they manage by dragging and dropping endpoints in the Network page.
More comprehensive error messages when moving companies under other Partners.
Firewall
We eased Firewall configuration with the new option to import and export rules.
Full Disk Encryption
You can now set rules to exclude drives from encryption.
Remote troubleshooting
GravityZone introduces Bitdefender Cloud as a new storage option for collected logs.
Remote troubleshooting is now available for Security Server Multi-Platform.
You can now restart a troubleshooting session while maintaining its previous settings.
Monthly subscription trials
Two new trial options: Monthly License Trial (Partners only) and Monthly Subscription Trial. Trial companies have access to all features and add-ons available with GravityZone Cloud Security for MSP. The Monthly License Trial is valid for 45 days and covers 25 endpoints.
Reports
The Monthly License Usage report includes significant enhancements to simplify add-ons billing per usage:
Displays usage and status for all add-ons, including the latest ones, such as Patch Management, Security for Virtualized Environments (Virtual Servers and Virtual Desktop Infrastructure), Advanced Threat Security, and Endpoint Detection and Response.
Provides more information on each company’s type and monthly subscription and each endpoint installed modules, like Network Attack Defense and Advanced Anti-Exploit.
Includes the option to generate the report only for direct companies, ignoring their child companies.
The report has some columns renamed. If you use the CSV file to extract usage information into external systems, please see the details here.
Dashboard
View portlets in a single scrolling page and update all the information at once using the Refresh Portlets button.
Added time filtering for the Endpoint Protection Status, Policy Compliance and Update Status portlets.
Two-factor authentication (2FA)
We moved the 2FA settings of your company in the new Configuration > Authentication Settings page.
What’s New
Rushing to solve a problem and What’s New stays in the way? No more. We wrapped it gently in a gift box next to the Notifications icon. It will showcase the new features in a compact side panel.
Amazon EC2 Integration
Added hourly billing support for the new EC2 instance types.
Event Push Service API
New agent-related events for all supported operating systems are now available via JsonRPC, CEF and Splunk. These events refer to agent installation/removal, endpoint move, and hardware ID changes.
Added detection timestamps to antimalware (av) and Advanced Threat Control (atc) events. The field is named BitdefenderGZDetectionTime.
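One way to consume these events downstream, as an added example that is not part of the release notes or of Bitdefender's own tooling: a small CEF parser that recovers the header fields and extension keys, then reads BitdefenderGZDetectionTime to measure how far behind the endpoint's detection the SIEM receive time is. The two sample lines are constructed for the demo; apart from the BitdefenderGZDetectionTime key named above and the av/atc module names, the vendor strings and extension keys are illustrative and do not reproduce the product's actual event layout.

```python
import re
from datetime import datetime

# Constructed sample events for the demo (not captured from GravityZone). Only the
# BitdefenderGZDetectionTime key and the av/atc names come from the release note.
SAMPLE_CEF_LINES = [
    r"CEF:0|Bitdefender|GravityZone|6.4|av|Antimalware detection|8|"
    r"BitdefenderGZModule=av BitdefenderGZDetectionTime=2020-03-10T14:05:22Z "
    r"dvchost=WS-0042 fname=C:\\Users\\demo\\Downloads\\invoice.exe act=deleted",
    r"CEF:0|Bitdefender|GravityZone|6.4|atc|Advanced Threat Control detection|7|"
    r"BitdefenderGZModule=atc BitdefenderGZDetectionTime=2020-03-10T14:07:01Z "
    r"dvchost=SRV-01 msg=Process injection attempt blocked\=yes",
]

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")


def _split_unescaped(text: str, sep: str, maxsplit: int) -> list:
    """Split on `sep`, keeping backslash-escaped pairs (\\| \\= \\\\) together."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])      # keep the escape pair for later unescaping
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal character, \\n and \\r become controls."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Parse one CEF line into its seven header fields plus an 'extension' dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _split_unescaped(line[len("CEF:"):], "|", maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must contain exactly seven pipe-separated fields")
    event = {name: _unescape(raw) for name, raw in zip(CEF_HEADER_FIELDS, parts[:7])}
    extension = {}
    # Extension values may contain spaces, so split only where the next token looks like 'key='.
    for pair in re.split(r" (?=[\w.-]+=)", parts[7].strip()):
        key, _, raw = pair.partition("=")
        extension[key] = _unescape(raw)
    event["extension"] = extension
    return event


def detection_time(event: dict) -> datetime:
    """Return BitdefenderGZDetectionTime as a timezone-aware datetime (UTC 'Z' suffix accepted)."""
    raw = event["extension"]["BitdefenderGZDetectionTime"]
    return datetime.fromisoformat(raw.replace("Z", "+00:00"))


def detection_lag_seconds(event: dict, received_at_iso: str) -> float:
    """Seconds between the endpoint's detection time and the SIEM's receive time."""
    received_at = datetime.fromisoformat(received_at_iso.replace("Z", "+00:00"))
    return (received_at - detection_time(event)).total_seconds()


def parse_all(lines) -> list:
    """Parse a batch of CEF lines, as a SIEM ingestion hook would."""
    return [parse_cef(line) for line in lines]


if __name__ == "__main__":
    for ev in parse_all(SAMPLE_CEF_LINES):
        print(ev["signature_id"], ev["extension"]["dvchost"], detection_time(ev).isoformat())
```

Keying correlation on the detection timestamp rather than on the receive time matters when the push channel is delayed or replayed: two events with the same receive second can be minutes apart on the endpoint, and the lag itself is worth alerting on.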
Removed features
Reports
Removed the Malware Activity report. You can use the Security Audit report instead.
Dashboard
Removed the Malware Activity portlet.
Antimalware
Removed support for scanning Mapped Network drives when On-Demand Device Scanning is used.
Resolved issues
Content Control
Policy inheritance did not work for specific web categories.
January 2020
Improvements
HyperDetect
Added the following details to the HyperDetect Activity notification:
Parent process name
Parent process ID
Command line (if available)
Public API
Bitdefender Partners can now use the Companies API to enforce two-factor authentication. For this purpose, the following methods have been updated: createCompany, updateCompanyDetails and getCompanyDetails.
Removed features
Installation kits for Windows Legacy
We removed all options to download installation kits for Windows legacy versions such as Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.
For more information related to this subject, refer to these KB articles:
November 2019
Improvements
Amazon EC2 integration
GravityZone now replicates the instances inventory from region EU Stockholm.
The hourly billing engine for AWS Marketplace subscribers now includes all newer EC2 instance types.
Endpoint Risk Analytics (ERA)
Added new Indicators of Risk:
Macro settings for Microsoft Office applications
Credential storage for several applications including some of the most popular browsers and email management tools out there
Added new recommendations to better manage Local Group policies.
EDR
Updated the Add URL as exception action button to change dynamically into Add IP as exception when the domain node is an IP instead of a URL.
Network Inventory
A new type of entities in Network Inventory: golden image
Mark the endpoints you use for creating clones and avoid duplicates in Network Inventory. Keep track of your golden images by using the available filters.
Important
This feature is disabled by default. To enable it, select Avoid duplicates of cloned endpoints in Configuration > Network Settings.
More relevant messages in Control Center when Mac clients have issues. For example, now you know if macOS hasn’t granted the agent permissions such as access to the disk drive.
Public API
You can now check the usage of the following features:
Security for Virtualized Environments (Virtual Servers, and VDI)
Advanced Threat Security (HyperDetect and Sandbox Analyzer)
Patch Management
GravityZone Security for Email
EDR
For this purpose, use the getMonthlyUsage method.
The getAccountsList method now returns details about 2FA status.
Resolved issues
EDR
Incident graph was moving outside the display area when Hide nodes was used.
More details button in Navigator menu no longer worked when closing the Node Details panel.
Command lines were not displayed properly in the Node Details panel.
Adding an exception for a domain node (by clicking Add URL as exception) would not work when the domain was an IP/Mask instead of a URL.
Clicking a notification for a new EDR incident was causing an error.
ERA
Indicators of Risk lane was not loading in Full-screen mode.
Some IOR rules were not being displayed properly in the Device Risk Lane > Details section.
Email Security
Email addresses of previously deleted users were not available to new accounts.
GravityZone Security for Email was unavailable to Partners when the Manage Companies rights were missing.
Added links to guides in the Help & Support page.
Device Control
Deleting a Device Control exclusion from the policy also deleted the first item in the list.
Localization
Some texts and images were untranslated.
Network Inventory
Endpoints appeared duplicated in Network Inventory due to system cloning. We introduced a new entity in Network Inventory, called golden image, to avoid such situations. For details, check the Improvements section.
Reports
Duplicates of some scheduled reports were sent to email.
October 2019
Last revised: 2019-10-16
Minimum agent version: 6.6.11.159
Minimum Security Server Multi-Platform version: 6.1.71.8593
New features
Email Security
New GravityZone Security for Email service with complete email flow control and protection against spam, targeted phishing and impersonation attacks. Email administration incorporates management and analytics tools.
GravityZone Security for Email management provides the following:
Deployment through domain MX record redirect.
Customizable policy engine to control email delivery and filter messages through a comprehensive rule builder.
Company-wide quarantine.
Connection rule configuration to monitor connection attempts to or from your mailboxes.
Safe and Deny lists configuration for companies or individual users.
Mailbox synchronization through Azure Active Directory and manual import.
DNS record configuration with support for SPF, DKIM and DMARC.
The Analytics section delivers:
Real-time visibility through email flow charts, rules triggered, and actions taken.
Customizable reports for specific events.
Scheduled reports and alerts for specific rules, actions or content
Network Attack Defense
A brand-new, powerful technology focused on detecting network attack techniques designed to gain access to specific endpoints, such as brute-force attacks, network exploits and password stealers.
The Network Attack Defense settings are available under the new Network Protection policy section. A specific notification informs you about incidents in your network, while the Network Incidents report will provide more insight about these detections.
Note
To use the Network Attack Defense module, you need to install it on endpoints. For existing installations, run a Reconfigure Client task with Network Attack Defense selected. For new deployments, edit the installation package to include this module.
Remote troubleshooting
The endpoint information page includes a new Troubleshooting tab, from where you can collect basic and advanced logs remotely. You can start a debug session, so that GravityZone collects the logs while the issue is reproducing. This will help our technical support specialists to perform an in-depth analysis of the issue and provide a resolution faster.
You can save the collected data on a network share, on the target endpoint or on both.
Localization
From now on we speak Chinese!
Mom says: “Don’t leave until tomorrow what you can finish today.”
The son replies: “Fine, give me the whole cake and I’ll eat it all today.”
Seriously now, you can switch the GravityZone interface to Simplified Chinese, if you please.
Improvements
EDR
The Incidents page went through a major visual and functional makeover, now providing enhanced investigation capabilities.
The Graph tab displays the critical path and all side elements in a fit-to-screen vertical tree. Plus:
An interactive incident graph behavior with highlight of node and alternate path to endpoint on mouse-over, and same type elements grouped in expandable clusters.
The Filters and Navigator floating menus that allow easy customization and navigation of the incident map.
New Node Details, Incident Info and Remediation side panels with collapsible sections that provide information for each element, actions and recommendations to mitigate an attack.
Suspicious and malicious nodes now display alerts in their details panel, describing what was detected and how it might be exploited, in accordance with MITRE tactics and techniques.
The Remote Connection tab is now available as an action button on the endpoint node's details panel.
Anomaly Detection - a baselining module that spots anomalies in how the system is functioning
Network Attack Defense – a new security layer that identifies network-specific breaches
Advanced Anti-Exploit – a recently released security layer that detects the most evasive exploits
AMSI - detections made by the Windows Antimalware Scan Interface (AMSI)
Two-factor authentication (2FA)
With this update, two-factor authentication is enabled by default when creating a company. When disabling 2FA, you will be prompted with a confirmation message before the changes come into effect.
Company accounts
MSP partners now have the option to add up to five custom fields in their Monthly License Usage report for storing third party or other custom data and facilitating billing automation.
A new page is now available under Companies > Custom Fields, with two sections where you can manage and import data for these fields. You can view the custom fields also when creating or editing a company.
Deployment
Integrating new modules to deployed agents is like playing with modeling clay. We have made the reconfiguring process more flexible.
You can choose to install Bitdefender security agents without removing the security software from other vendors. This means zero protection gap and faster deployment.
Just remember, you’re doing this at your own risk. Some security solutions may affect the Bitdefender installation. Once you are protected by Bitdefender, you can manually remove any previously installed security solution.
Network Inventory
Goodbye to unused virtual machines from your network inventory. The new Configuration page offers you the option to schedule automatic cleanup tasks.
Policies
The new Antimalware > On-Execute section covers Advanced Threat Control and Fileless Attack Protection.
Network Protection, another new policy section, exposes the new Network Attack Defense technology and shields the Content Control features.
Content Control went through a big transformation as well:
The old Traffic, Web, Data Protection, and Applications sections have been re-organized into new General, Content Control, and Web Protection sections.
The new Network Attacks section exposes the Network Attack Defense technology and its settings.
The new Global Exclusions option, in the General section, replaces the previous separated Traffic Scan and Antiphishing exclusions. During update, the existing policies will be automatically migrated to the new global exclusions.
Network Protection replaces the previous Content Control module in the Inheritance Rules settings.
The GravityZone reports keep tracking the Content Control features, but also include information on Network Attack Defense.
Location-based policies are now aware of the hostname, too. You can now define assignment rules based on the endpoint’s hostname.
The Indicators of Risk (IOR) have been reclassified into new and more meaningful categories for increased efficiency in risk analysis and management.
Sandbox Analyzer
Results from detonation analysis are available in new, information-rich reports in HTML format. These reports contain details such as: malware classification, process-level view, network activity, timeline view, registry keys and mutex objects accessed, file system modifications, and IOC attributes.
The Filters area is expanded by default, so it is easier for first-time users to discover all the options available with the submission cards.
Under the Submission Type filtering category, the Automatic option has been renamed to Endpoint Sensor.
Advanced Anti-Exploit
Three new detection techniques are available: VBScript Generic, Shellcode EAF (Export Address Filtering), and Emerging Exploits. These detections will be present from now on in the Security Audit and Blocked Applications reports. Plus, User Activity now includes logs related to Advanced Anti-Exploit.
Patch Management
Added the option to limit reboot postponement to a maximum of 48 hours after new patches are installed. When the set amount of time expires, endpoints will automatically reboot. Endpoint users will receive a notification regarding this action.
Reports
The Endpoint Modules Status report now includes information on Sandbox Analyzer and HyperDetect.
Policies
MSP partners can enable GravityZone Security for Email and get the usage report via the public API.
All GravityZone reports are now available via API as well.
We have made some improvements here and there:
createReconfigureClientTask is updated with the latest changes.
getManagedEndpointDetails returns all installed modules on a managed endpoint.
setMonthlySubscription allows Bitdefender Partners to revoke seat reservation from companies with monthly licensing.
getQuarantineItemsList has new filtering options.
Resolved issues
Policies
Disabling the Endpoint Issues Visibility option in the Notifications policy section did not disable its sub-features as well.
Notifications
Some partners were receiving daily License Expires email notifications against their notification settings. We added a new option to filter managed companies that may trigger such notifications.
March 2019
Improvements
EDR
Live Response via Terminal Sessions
Establish remote sessions with endpoints from GravityZone Control Center and execute commands in real-time on their operating system:
Use the Remote Connection tab added to each incident page to establish a terminal session with the involved endpoint.
Run commands on endpoint in the terminal session to remediate the threat immediately (delete files, terminate processes) or collect data for further investigation (list files, processes, registry keys information).
Leverage the network isolation action to all Windows operating systems
The Isolate action for endpoint nodes in incident views is now available for both Windows desktop and server operating systems, whether or not the Firewall module is installed on the endpoint.
Better visibility on important incidents
Two new tabs added to the Incidents page help you distinguish between incidents requiring immediate action and threats already blocked by Bitdefender. All suspicious activity requiring action and investigation appears under the Investigate tab, while the Review tab shows threats contained by automatic block actions.
Select and edit multiple incidents at once
New option to change the status of multiple incidents at the same time from the Incidents page. You can select multiple incidents while navigating through several entries, and then easily change their status using the Bulk Operations button.
Full Disk Encryption
Encryption on macOS is now performed by FileVault for the boot drive and by the diskutil command-line utility for the non-boot drive.
GravityZone now takes ownership of macOS boot drives encrypted with FileVault.
Sandbox Analyzer
You can now submit password-protected archives from the Manual Submission page.
Windows Defender ATP Integration
A new and optimized integration flow based on Microsoft Azure Active Directory, replacing the existing one. If you have an active integration, follow these guidelines.
New event types (Process create, User session, and Network connections).
Added response actions from Windows Defender Security Center (Trigger remote scan, Isolate machine).
Important
Future updates related to this integration will be available only for GravityZone Business Security Enterprise. If you want to receive these updates, consider upgrading your GravityZone solution.
Notifications
You can now receive notifications for license usage on servers.
Syslog events are now available in Common Event Format (CEF) via Event Push Service API.
Reports
The malware status reported by endpoints is now more accurately calculated and displayed in GravityZone reports and portlets:
The Still Infected status has been changed to Unresolved.
Removed the reporting interval options containing "last" ("last week" or "last 2 months") from scheduled reports.
Note
This change affects all existing scheduled reports. You may need to edit your scheduled reports and select another reporting interval option.
Usability
Improvements in policy assignment and deployment troubleshooting.
Deprecated features
The Malware Activity report has become deprecated. The malware information from this report will be moved to another report in a future update.
Resolved issues
Corrected the error messages displayed when creating the AWS integration with incorrect ARN / external ID.
Several minor bug fixes regarding GravityZone Control Center functionalities.
June 2019
Last revised: 2019-07-17
Minimum BEST version: 6.6.11.159
Minimum Security Server Multi-Platform version: 6.1.71.8593
New features
Endpoint Risk Analytics
This update brings Endpoint Risk Analytics, a brand-new feature designed for effectively identifying, assessing and remediating endpoint weaknesses. GravityZone exposes this new feature in the following areas:
Risk Management policy section, including a risk scan scheduler.
New Risk scan task available from the Network page.
Risk Management Dashboards, providing several panels with risk information, one-click resolve action per endpoint and recommendations for exposure mitigation.
Advanced Anti-Exploit
Powered by machine learning, this new proactive technology stops zero-day attacks carried out through evasive exploits. Advanced Anti-Exploit catches the latest exploits in real-time and mitigates memory corruption vulnerabilities that can evade existing solutions.
This security layer is pre-configured with the recommended security settings and you can customize it from the Antimalware > Advanced Anti-Exploit policy section.
You can view Advanced Anti-Exploit events in the Security Audit, Blocked Applications, Endpoint Module Status reports.
Note
This security layer addresses Windows-based systems.
Antimalware
Implemented a new Load Balancing mechanism between endpoints, protected through BEST with Central Scan and Security Servers. You can now choose to distribute the load evenly between the assigned Security Servers.
Improvements
EDR
Added full support for incidents detection and response actions, root cause analysis and MITRE events on Linux OS endpoints.
Enriched the Search section with several predefined queries, covering the most useful investigation scenarios.
Improved security event visualization from the Search page:
New panel in the Graph area displaying the actions and their states for the selected event node in a single view.
New Further Investigation section in the node details area, outlining the additional analysis available through Sandbox, VirusTotal and Google.
Sandbox Analyzer
Expanded the list of supported file types that can be automatically submitted to Sandbox Analyzer.
Added content pre-filtering capabilities for submitting files to the Sandbox Analyzer. This functionality is configurable in a new policy section.
Added error messages for failed detonations in the submission card section on the Sandbox Analyzer page.
Antimalware
A major increase in scanning speed in VDI environments due to the new scan cache sharing protocol between Security Servers. To benefit from this feature, open port 6379 to allow traffic between Security Servers.
Two new statuses for Security Server load: Near overloaded and Near underloaded.
New custom exclusion types by file hash, certificate thumbprint, threat name, and command line.
Ability to define custom exclusions by using wildcards:
Asterisk (*) for one or more characters.
Question mark (?) for a single character.
New option to add folder exclusions for ATC/IDS. With this release, existing folder exclusions remain configured for On-Access and On-Demand scanning. To add ATC/IDS as well, you need to select the corresponding check box in the Modules column.
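The two wildcard rules above are easy to misread when auditing an exclusion list, so here is an added example (not code from the release notes or from the product) that implements exactly the stated semantics: `*` stands for one or more characters and `?` for exactly one. Case-insensitive matching and letting `*` cross directory separators are assumptions for the demo; the page does not say how the agent's own matcher handles either, so check the product documentation before relying on them. All paths and patterns are constructed.

```python
import re


def wildcard_to_regex(pattern: str) -> "re.Pattern":
    """Translate an exclusion pattern into a regex using the documented semantics:
    '*' matches one or more characters and '?' matches exactly one; everything else
    is literal. Case-insensitive matching is an assumption for the demo (Windows paths)."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".+")          # one or more characters, per the release note
        elif ch == "?":
            out.append(".")           # exactly one character
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)


def matches_exclusion(pattern: str, value: str) -> bool:
    """True when the whole `value` (path, process name, detection name) is covered by `pattern`."""
    return wildcard_to_regex(pattern).fullmatch(value) is not None


def first_matching_exclusion(patterns, value: str):
    """Return the first pattern that covers `value`, or None.

    Useful when reviewing an exclusion list: a value you expected to be scanned that
    comes back with a match tells you which entry is broader than intended.
    """
    for pattern in patterns:
        if matches_exclusion(pattern, value):
            return pattern
    return None


if __name__ == "__main__":
    # Constructed exclusion list and sample paths for the demo.
    exclusions = [r"C:\Tools\*.exe", r"C:\Logs\report?.pdf"]
    for path in (r"C:\Tools\build.exe", r"C:\Tools\.exe", r"C:\Tools\sub\x.exe",
                 r"C:\Logs\report1.pdf", r"C:\Logs\report10.pdf"):
        print(f"{path!r:35} -> {first_matching_exclusion(exclusions, path)}")
```

The third sample path shows why a trailing `*.exe` exclusion deserves a second look: with `*` spanning any characters, the rule also covers executables in every subfolder, which is rarely what the author of the exclusion intended.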
Security for Storage
You can now use a secured connection between Security Servers and the protected NAS servers, provided they use SSL over ICAP.
Usability
Optimized the Control Center workspace with the new display modes of the menu: expanded, collapsed (icon view) and hidden.
Update System
Replaced the Antimalware signatures with a new method to identify known and unknown malware, called Security Content.
Resolved issues
Sandbox Analyzer
Analysis results from a manual submission could not be retrieved if a proxy was in place.
Update System
In Control Center, weekly recurrence for Antimalware updates was resetting upon return, if set only on Sunday. This was only a display issue, the setting being sent correctly to the security agent.
Network
Removed the ghost folders that appeared on some Partner accounts.
Antimalware
Security Server Load Balancing – Equal distribution mode had limited functionality. The scan load was not distributed equally between Security Servers.
Known issues
Antimalware
The new custom exclusion types are not available for custom scanning tasks from the Network page.
The following exclusion types for ATC/IDS are available only for Windows desktop operating systems:
Process with wildcards
File hash
Detection name
Detection name with wildcards
Command line
Certificate thumbprint exclusions are not available for ATC/IDS.
View the full list of known issues for GravityZone Cloud platform.
February 2019
Improvements
Sandbox Analyzer
New perspective on submissions
Advanced reporting interface, in the main menu, offering a single pane of glass view with all samples that were submitted to Sandbox Analyzer.
The info cards based interface adds detailed information about each submission like:
Sample name.
Submission time.
Submission type – automatic or manual.
Source – endpoint name.
Analysis result – clean, infected or unsupported.
Severity score – shows how dangerous the sample is.
Files and processes involved in the sample’s actions.
Each card includes a link to a submission report, where you get even more data.
While displaying all new submissions, the reporting interface shows the old manual submissions made before this update as well.
Over time, as more functionality is added to it, this reporting interface will replace the Sandbox Analyzer Results report, which is now deprecated.
As an MSP, you see in this interface only your own company’s submissions. Submissions of Customer companies are available in the Sandbox Analyzer Results report. Also, with this release, the Sandbox Analyzer Detection notification points to:
The new interface for submissions of your company.
The Sandbox Analyzer Results report for submissions of Customer companies.
New manual submission options
You can use these new options when submitting samples:
Submit URLs.
Define command-line arguments for sample analysis.
Set a time limit for analysis execution, the number of reruns and the internet access during analysis.
Exclude samples previously analyzed.
The Manual Submission page is now accessible from the main menu and from the new reporting interface.
User interface improvements at automatic submission in the security policy settings.
Public API
HyperDetect events are now available in Event Push Service API.
Improved the mechanism of generating API keys. You will notice significantly longer API keys. The existing API keys continue to work as before this update, but it is recommended to replace them with new ones.
Resolved issues
In some situations, GravityZone administrators could not modify security policies because the Save button was disabled.
Improved the error message for AWS integration when using invalid ARN or ExternalID.
Addressed a security issue that could affect manual submission to Sandbox Analyzer.
Sometimes, Control Center was displaying inconsistent encryption status for the same endpoints.