Scan for IOC

At any time, you can choose to run on-demand scanning for known Indicators of Compromise (IOC) on selected endpoints.

Important

This task is only available for plans that include the EDR feature.

  1. Go to the Network page.

  2. Browse the containers and select the endpoints you want to scan.

  3. Click the Tasks button and choose Scan for IOC.

    A configuration page will appear, where you need to select the type of indicators taken into account for IOC scanning.


    Important

    You must select at least one type of Indicator of Compromise to create a valid task.

  4. Select one or more IOC types to include in the scan, then enter the indicator value (hash, file name, process name, registry key or registry value) in the field that appears for each selected type.


    You can select from the following types:

    • MD5

    • SHA1

    • SHA256

    • SHA512

    • File names

    • Process names

    • Registry values

    • Registry keys

    Note

    The content of each field must be valid for its type (for example, a hash of the correct length, or a file name with a scanned extension). If it is not, a warning icon and message are displayed next to the field and the task cannot be saved.

  5. Click Save to create and run the Scan for IOC task.

    A confirmation message will appear.

    You can check the task’s progress in the Network > Tasks page.

  6. Once the task has finished successfully, click the Reports button to read the generated report and assess the impact of the IOCs you scanned for.

Valid file extensions for IOCs added to the task include: exe, dll, com, scr, jar, msi, msc, bat, ps1, vbs, vbe, js, jse, wsf, wsh, psc1, lnk, doc, docx, docm, xls, xlsx, xlsm, ppt, pptx, pptm, eml, rtf, pdf, html, ppsx, pps, ppsm, pot, potx, potm, ocx, sys, fnr, fne, and pif.

The Scan for IOC task will scan the following locations.

  • %Windows%\System32\Drivers

  • %Windows%\System32\WindowsPowerShell\v1.0

  • %Windows%\system32\config\systemprofile\AppData

  • %Windows%\System32\Tasks

  • %Windows%\System32\wbem

  • %Windows%\SysWOW64\WindowsPowerShell\v1.0

  • %Windows%\SysWOW64\config\systemprofile\AppData

  • %Windows%\SysWOW64\sysprep

  • %Windows%\Scripts

  • %Windows%\System

  • %Windows%\Web

  • %Users%

Important

The Scan for IOC task will not run, or will fail, on endpoints in the following situations:

  • The endpoint does not have a Windows operating system.

  • The endpoint’s Bitdefender agent license is invalid.

  • The EDR module is not installed in the security agent installed on the target endpoints.

  • More than 100 Scan for IOC tasks are currently in queue.

  • Invalid data was entered in the Scan for IOC task configuration page.
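The validation the configuration page enforces, and the file-name and hash matching the task performs over its scan locations, as an added Python example written for this page (it is not Bitdefender's scanner or console code). It assumes the console rejects malformed hashes and file names without a scanned extension, as described above; the function names, error strings, sample payload and the temporary directory it scans are all constructed for this example. Process and registry indicators are accepted as long as they are non-empty, because the page states no format rule for them.

```python
"""IOC indicator validation and local matching, added as a worked example.

Illustrative code written for this page, not Bitdefender's scanner or console
logic. It mirrors the rules stated above: the accepted indicator types, the
file extensions the task considers, and the requirement that every field be
valid and at least one type be selected. Hash lengths follow the algorithms.
"""
import hashlib
import os
import re
import tempfile

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
OTHER_TYPES = {"File names", "Process names", "Registry values", "Registry keys"}
# File extensions the task scans, as listed on this page.
VALID_EXTENSIONS = {
    "exe", "dll", "com", "scr", "jar", "msi", "msc", "bat", "ps1", "vbs", "vbe",
    "js", "jse", "wsf", "wsh", "psc1", "lnk", "doc", "docx", "docm", "xls",
    "xlsx", "xlsm", "ppt", "pptx", "pptm", "eml", "rtf", "pdf", "html", "ppsx",
    "pps", "ppsm", "pot", "potx", "potm", "ocx", "sys", "fnr", "fne", "pif",
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def extension_of(name):
    """Lower-case extension of a file name, or '' if it has none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def validate_indicator(ioc_type, value):
    """Return None if value is acceptable for ioc_type, else a reason string."""
    value = value.strip()
    if not value:
        return "empty value"
    if ioc_type in HASH_LENGTHS:
        if not HEX_RE.match(value) or len(value) != HASH_LENGTHS[ioc_type]:
            return f"{ioc_type} must be {HASH_LENGTHS[ioc_type]} hex characters"
        return None
    if ioc_type == "File names" and extension_of(value) not in VALID_EXTENSIONS:
        return f"'{value}' does not have an extension the task scans"
    if ioc_type in OTHER_TYPES:
        return None  # process and registry names: no format rule given on the page
    return f"unknown IOC type {ioc_type!r}"


def validate_task(iocs):
    """Check a whole task {type: [values]}; return [(type, value, reason)] problems."""
    errors = [] if any(iocs.values()) else [("task", "", "select at least one IOC type")]
    for ioc_type, values in iocs.items():
        for value in values:
            reason = validate_indicator(ioc_type, value)
            if reason:
                errors.append((ioc_type, value, reason))
    return errors


def file_hashes(path):
    """MD5/SHA1/SHA256/SHA512 hex digests of one file, read in 64 KiB chunks."""
    hashers = {t: hashlib.new(t.lower()) for t in HASH_LENGTHS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in hashers.values():
                h.update(chunk)
    return {t: h.hexdigest() for t, h in hashers.items()}


def scan_directory(root, iocs):
    """Walk root as the task walks its fixed locations; return (path, type, value) hits.

    Only files with a scanned extension are hashed, so a payload renamed to .txt
    is not found by hash alone. Name and hash matching is case-insensitive.
    """
    wanted = {t: {v.lower() for v in vals} for t, vals in iocs.items()}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if extension_of(name) not in VALID_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if name.lower() in wanted.get("File names", set()):
                hits.append((path, "File names", name))
            for htype, digest in file_hashes(path).items():
                if digest in wanted.get(htype, set()):
                    hits.append((path, htype, digest))
    return hits


def demo():
    """Constructed sample: one fake dropper saved as .ps1 and a copy renamed .txt."""
    payload = b"Write-Host 'constructed sample payload'\n"
    iocs = {"SHA256": [hashlib.sha256(payload).hexdigest()],
            "File names": ["update.ps1"],
            "Registry keys": ["HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"]}
    errors = validate_task(iocs)
    with tempfile.TemporaryDirectory() as root:
        for name in ("update.ps1", "update.txt"):
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(payload)
        hits = scan_directory(root, iocs)
    return errors, sorted((os.path.basename(p), t) for p, t, _ in hits)
```

The point of the `.txt` copy in `demo()` is the extension filter: the task only hashes files whose extension is in the list above, so an identical payload saved under an unlisted extension produces no hit. If you suspect that evasion, add the renamed file name as a File names indicator or rely on process-name indicators, which fire when the payload is executed.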

Risk scan

At any time, you can run an on-demand Risk scan task on selected endpoints, as follows:

  1. Go to the Network page.

  2. Browse the containers from the left-side pane and select the endpoints you want to scan.

  3. Click the Tasks button at the upper side of the table and choose Risk scan.

    A configuration page will appear, where you need to select the indicators taken into account for risk scanning.

    Note

    An Indicator of Risk is the value or data of a specific registry key that holds a system setting.

  4. Select the indicators of risk you want to take into account for scanning.

    Indicators of risk are grouped by the following attributes:

    • Category (Network, Operating System)

    • Severity (Misconfiguration, Microsoft Security Baseline)

    Only a subset of the indicators is selected by default, so review the list and add any further indicators you want included in the scan.

    You can also use the search bar to find specific indicators. Note that risk indicator names include terms from local or group policy names. To view the full list of indicators and their description, refer to GravityZone Indicators of Risk.

  5. Click Save to create the scan task. A confirmation message will appear.

Important

The Risk scan task will not run, or will fail, on endpoints in the following situations:

  • The endpoint does not have a Windows operating system.

  • The endpoint’s Bitdefender agent license is invalid.

  • The policy applied to endpoint has the Risk Management module disabled.

You can view and manage the task on the Network > Tasks page. For more information, refer to Viewing and managing tasks.

Exchange scan

You can remotely scan the database of an Exchange Server by running an Exchange scan task.

To be able to scan the Exchange database, you must enable on-demand scanning by providing the credentials of an Exchange administrator. For more information, refer to Exchange Store Scanning.

To scan an Exchange Server database:

  1. Go to the Network page.

  2. From the left-side pane, select the group containing the target Exchange Server. You can find the server displayed in the right-side pane.

    Note

    Optionally, you can apply filters to quickly find the target server:

    • Click the Filters menu and select the following options: Managed (Exchange Servers) from the Security tab and All items recursively from the Depth tab.

    • Enter the server’s hostname or IP in the fields from the corresponding column headers.

  3. Select the check box of the Exchange Server whose database you want to scan.

  4. Click the Tasks button at the upper side of the table and choose Exchange scan. A configuration window will appear.

  5. Configure the scan options:

    • General. Enter a descriptive name for the task.

      For large databases, the scan task may take a long time and may impact the server performance. In such cases, select the check box Stop scan if it takes longer than and choose a convenient time interval from the corresponding menus.

    • policies.computers.exchange.antimalware.store.settings.target

    • policies.computers.exchange.antimalware.transport.rules.settings

    • policies.computers.exchange.antimalware.transport.rules.actions

  6. Click Save to create the scan task. A confirmation message will appear.

  7. You can view and manage the task on the Network > Tasks page. For more information, refer to Viewing and managing tasks.

Install

To protect your endpoints with the Bitdefender security agent, you must install it on each of them.

Once you have installed a Relay agent, it will automatically detect unprotected endpoints in the same network.

The Bitdefender protection can then be installed on endpoints remotely from Control Center.

Remote installation runs silently in the background, without notifying the user of the endpoint.

Warning

Before installation, be sure to uninstall existing antimalware and firewall software from computers.

Installing the Bitdefender protection over existing security software may affect their operation and cause major problems with the system.

Windows Defender and Windows Firewall will be turned off automatically when installation starts.

If you want to deploy the security agent on a computer with Bitdefender Antivirus for Mac 5.X, you first must remove the latter manually. For the guiding steps, refer to Deploy Endpoint Security for Mac on a machine with Bitdefender Antivirus for Mac 5.X.

When deploying the agent through a Linux Relay, the following conditions must be met:

  • To deploy Windows agents, the Relay endpoint must have the Samba client package (smbclient) version 4.1.0 or later installed, together with the net binary.

    The net binary is usually delivered with the samba-client and/or samba-common packages. On some Linux distributions (such as CentOS 7.4), it is installed only with the full Samba suite (Common + Client + Server). Make sure the net command is available on your Relay endpoint.

  • Target Windows endpoints must have Administrative Share and Network Share enabled.

  • Target Linux and Mac endpoints must have SSH enabled and firewall disabled.
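A pre-flight script to run on a Linux Relay before launching the Install task, added here as an example that is not part of GravityZone. It checks the Relay-side prerequisites above (smbclient 4.1.0 or later and the net command) and the port 7074 requirement stated in the Deployer step of the procedure below. It approximates "Administrative Share enabled" and "SSH enabled" on targets by TCP reachability on ports 445 and 22; that approximation, and the host names in the usage block, are this example's assumptions rather than anything the page states.

```python
"""Pre-flight checks for deploying agents through a Linux Relay (added example).

Written for this page, not part of GravityZone. Relay-side checks use the real
`smbclient --version` output and PATH lookup of `net`; target-side checks are a
TCP connect to 445 (Windows administrative shares) or 22 (SSH on Linux/Mac),
which is this example's approximation of "enabled" and "firewall disabled".
"""
import re
import shutil
import socket
import subprocess

MIN_SAMBA = (4, 1, 0)   # minimum smbclient version stated on this page
RELAY_PORT = 7074        # must be open for deployment through the Relay
SMB_PORT, SSH_PORT = 445, 22


def parse_version(text):
    """Pull (major, minor, patch) out of `smbclient --version` output,
    e.g. 'Version 4.10.16-Ubuntu' -> (4, 10, 16); None if nothing parses."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def samba_is_recent_enough(version, minimum=MIN_SAMBA):
    """Tuple comparison handles 4.10 > 4.1 correctly, unlike string comparison."""
    return version is not None and version >= minimum


def installed_samba_version():
    """Run the real smbclient if present; None when it is missing."""
    exe = shutil.which("smbclient")
    if exe is None:
        return None
    out = subprocess.run([exe, "--version"], capture_output=True, text=True, check=False)
    return parse_version(out.stdout + out.stderr)


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unresolvable, or timed out
        return False


def relay_preflight(relay_host, windows_targets=(), unix_targets=()):
    """Return {check name: passed} for everything that must hold before Install."""
    results = {
        "smbclient>=4.1.0": samba_is_recent_enough(installed_samba_version()),
        "net command present": shutil.which("net") is not None,
        f"relay port {RELAY_PORT} open": tcp_reachable(relay_host, RELAY_PORT),
    }
    for host in windows_targets:
        results[f"{host} SMB/{SMB_PORT} (admin share)"] = tcp_reachable(host, SMB_PORT)
    for host in unix_targets:
        results[f"{host} SSH/{SSH_PORT}"] = tcp_reachable(host, SSH_PORT)
    return results


def blocking_failures(results):
    """Names of failed checks; do not launch the Install task while non-empty."""
    return sorted(name for name, ok in results.items() if not ok)


if __name__ == "__main__":
    # Placeholder hosts: replace with your Relay and the endpoints you will deploy to.
    report = relay_preflight("relay.example.internal", ["win-pc01"], ["lnx-srv01"])
    for name, ok in report.items():
        print(("OK   " if ok else "FAIL ") + name)
    print("blocking:", blocking_failures(report))
```

Run it on the Relay itself so that the smbclient and net checks reflect the machine that will actually push the package. A closed 445 on a Windows target usually means the firewall profile is blocking file sharing, which is the same condition that makes the Install task fail with invalid-credential-looking errors even when the credentials are correct.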

To run a remote installation task:

  1. Connect and log in to Control Center.

  2. Go to the Network page.

  3. Select the desired group from the left-side pane.

    The entities contained in the selected group are displayed in the right-side pane table.

    Optionally, you can apply filters to display unmanaged endpoints only. Click the Filters menu and select the following options: Unmanaged from the Security tab and All items recursively from the Depth tab.

    When working with EC2 instances, you can also add the EC2 Instances option in the Type tab, while applying all the other above mentioned criteria.

  4. Select the entities (endpoints or groups of endpoints) on which you want to install protection.

  5. Click the Tasks button at the upper side of the table and choose Install.

    The Install Client wizard is displayed.

  6. Under Options section, configure the installation time:

    • Now, to launch the deployment immediately.

    • Scheduled, to set up the deployment recurrence interval. In this case, select the time interval that you want (hourly, daily or weekly) and configure it according to your needs.

      For example, when certain operations are required on the target machine before installing the client (such as uninstalling other software and restarting the OS), you can schedule the deployment task to run every 2 hours. The task will start on each target machine every 2 hours until the deployment is successful.

  7. If you want target endpoints to automatically restart for completing the installation, select Automatically reboot (if needed).

  8. Under the Credentials Manager section, specify the administrative credentials required for remote authentication on target endpoints. You can add the credentials by entering the user and password for each target operating system.

    Important

    For Windows 8.1 stations, you need to provide the credentials of the built-in administrator account or a domain administrator account. To learn more, refer to Client software deployment on Windows 8.1/10/2012 and above.

    To add the required OS credentials:

    1. Enter the user name of an administrator account in the corresponding field from the table header.

      If computers are in a domain, it suffices to enter the credentials of the domain administrator.

      Use Windows conventions when entering the name of a user account:

      • For Active Directory machines, use the syntaxes username@domain.com and domain\username. To make sure the entered credentials will work, add them in both forms (username@domain.com and domain\username).

      • For Workgroup machines, enter only the user name, without the workgroup name.

    2. Select the authentication type from the menu:

      • Password, to use the administrator’s password.

      • Upload .pem file, to use a private key.

    3. If you authenticate using a password, enter the password in the field next to the menu.

    4. If you authenticate using a private key, click the Browse button and select the .pem file containing the corresponding private key.

    5. Optionally, add a description that will help you identify each account more easily.

    6. Click the Add button. The account is added to the list of credentials.

      Specified credentials are automatically saved to your Credentials Manager so that you do not have to enter them the next time. To access the Credentials Manager, just point to your username in the upper-right corner of the console.

      Important

      If the provided credentials are invalid, the client deployment will fail on the corresponding endpoints. Make sure to update the entered OS credentials in the Credentials Manager when these are changed on the target endpoints.

  9. Select the check boxes corresponding to the accounts you want to use.

    A warning message is displayed as long as you have not selected any credentials. This step is mandatory to remotely install the security agent on endpoints.

  10. Under Deployer section, configure the Relay to which the target endpoints will connect for installing and updating the client:

    • All machines with the Relay role detected in your network are listed in the table under the Deployer section. Each new client must be connected to at least one Relay client from the same network, which serves as its communication and update server. Select the Relay that you want to link with the target endpoints. Connected endpoints communicate with Control Center only via the specified Relay.

      Important

      Port 7074 must be open for deployment through the Relay agent to work.

    • If target endpoints communicate with the Relay agent via proxy, you also need to define the proxy settings. In this case, select Use proxy for communication and enter the required proxy settings in the fields below.

  11. Select one installation package for the current deployment. Click the Use package list and select the installation package that you want. The list contains all installation packages previously created for your account, as well as the default installation package available with Control Center.

  12. If needed, you can modify some of the selected installation package’s settings by clicking the button Customize next to the Use package field.

    The installation package’s settings will appear below and you can make the changes that you need. To find out more about editing installation packages, refer to Creating Installation Packages.

    If you want to save the modifications as a new package, select the Save as package option placed at the bottom of the package settings list, and enter a name for the new installation package.

  13. Click Save.

    A confirmation message will appear.

You can view and manage the task in the Network > Tasks page.

If using VMware Horizon View Persona Management, it is recommended to configure Active Directory Group Policy to exclude the following Bitdefender processes (without the full path):

  • bdredline.exe

  • epag.exe

  • epconsole.exe

  • epintegrationservice.exe

  • epprotectedservice.exe

  • epsecurityservice.exe

  • epupdateservice.exe

  • epupdateserver.exe

These exclusions must remain in place for as long as the security agent runs on the endpoint. For details, refer to this VMware Horizon documentation page.
