Bitdefender GravityZone InstallationGuide 7 EnUS

7/26/2019 Bitdefender GravityZone InstallationGuide 7 EnUS

1/115

GravityZone

INSTALLATION GUIDE


2/115

Bitdefender GravityZoneInstallation Guide

Publication date 2015.12.08

Copyright 2015 Bitdefender

Legal NoticeAll rights reserved. No part of this book may be reproduced or transmitted in any form or by any means, electronic

or mechanical,including photocopying, recording, or by any information storage and retrieval system, without writtenpermission from an authorized representative of Bitdefender. The inclusion of brief quotations in reviews may bepossible only with the mention of the quoted source. The content can not be modified in any way.

Warning and Disclaimer. This product and its documentation are protected by copyright. The information in thisdocument is provided on an as is basis, without warranty. Although every precaution has been taken in thepreparation of this document, the authors will not have any liability to any person or entity with respect to any lossor damage caused or alleged to be caused directly or indirectly by the information contained in this work.

This book contains links to third-party Websites that are not under the control of Bitdefender, therefore Bitdefenderis not responsible for the content of any linked site. If you access a third-party website listed in this document, youwill do so at your own risk. Bitdefender provides these links only as a convenience, and theinclusion of thelink doesnot imply that Bitdefender endorses or accepts any responsibility for the content of the third-party site.

Trademarks. Trademark names may appearin thisbook. All registered and unregistered trademarks in thisdocumentare the sole property of their respective owners, and are respectfully acknowledged.

89504E470D0A1A0A0000000D494844520000000D0000000D0804000000D8E22CF700

0000017352474200AECE1CE9000000097048597300000B1300000B1301009A9C18000000B54944415418D33DD0517583501444D19DB762E05AA012A88417095402914024

808420A1480816B0F02C5C09E94769E77FE69C3597FA0E61B6D8F53683D943A0F412

ABD4D9A5704395CA66F7972AD0A3A1544F1C42B37A3AF4188412DA7F6BB26AEEF8406117D2E63847DF4295AE90068790AA74D334A3925ED8AC7ACD28BD0CAADD357CA299

AC3A6177316AAAB2987566E9253C4EA111D7CE97E924A5A64A614569BE1DE2149E31F17BD4A8D7790A21DCB148BDC10FE0EA41B7A65E25860000000049454E44AE426082


3/115

Table of ContentsPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

1. Conventions Used in This Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v

1. About GravityZone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.1. GravityZone Security Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.2. GravityZone Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

1.2.1. GravityZone Virtual Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2.2. GravityZone Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2.3. GravityZone Update Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31.2.4. GravityZone Communication Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2.5. Web Console (Control Center). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2.6. Security Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41.2.7. Security Agents. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2. Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.1. GravityZone Appliance Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2.1.1. Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102.1.2. Internet Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.1.3. Control Center Web Console Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

2.2. Physical and Virtual Endpoint Protection Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.2.1. Hardware Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122.2.2. Supported Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.2.3. Supported Browsers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

2.2.4. Supported Virtualization Platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.2.5. Supported Virtualization Management Tools. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212.2.6. Security Server Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

2.3. Security for Mobile Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.3.1. Supported Platforms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.3.2. Connectivity Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.3.3. Push Notifications. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222.3.4. iOS Management Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.4. Security for Exchange Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.4.1. Supported Microsoft Exchange Environments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.4.2. System Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

2.4.3. Software Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232.5. GravityZone Communication Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

3. Installing Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.1. GravityZone Installation and Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

3.1.1. Prepare for Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263.1.2. Deploy the GravityZone Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273.1.3. Control Center Initial Setup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343.1.4. Configure Control Center Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373.1.5. Managing the GravityZone Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563.1.6. Update GravityZone. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

3.2. License Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683.2.1. Finding a Reseller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

iii


4/115

3.2.2. Entering Your License Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693.2.3. Checking Current License Details. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693.2.4. Resetting the license usage count. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

3.2.5. Deleting License Keys. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 703.3. Installing the Security Server Appliance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

3.3.1. Connecting to the Virtualization Platform. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 713.3.2. Installing Security Server on Hosts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

3.4. Installing Protection on Computers and Virtual Machines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 783.4.1. Preparing for Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793.4.2. Local Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 793.4.3. Remote Installation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863.4.4. Support for On-access Scanning on Linux Virtual Machines. . . . . . . . . . . . . . . . . . . . . . . 913.4.5. How Network Discovery Works. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

3.5. Installing Protection on Exchange Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

3.5.1. Preparing for Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 973.5.2. Installing Protection on Exchange Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

3.6. Credentials Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 983.6.1. Operating System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 993.6.2. Virtual Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003.6.3. Deleting Credentials from Credentials Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

3.7. Installing Protection on Mobile Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1013.7.1. Configure External Address for Communication Server. . . . . . . . . . . . . . . . . . . . . . . . . . 1013.7.2. Create and Organize Custom Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1033.7.3. Add Devices to Users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1043.7.4. Install GravityZone Mobile Client on Devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

4. Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074.1. Using Support Tool. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

4.1.1. Using Support Tool on Windows Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1074.1.2. Using Support Tool on Linux Operating Systems. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

iv


5/115

Preface

This guide is intended for network administrators in charge with deploying theGravityZone protection within their organization's premises, and also for companyadministrators in search for information about GravityZone requirements andavailable protection modules.

This document aims to explain how to install and configure the GravityZone solutionand its security agents on all types of endpoints in your company.

1. Conventions Used in This Guide

Typographical Conventions

This guide uses several text styles for an improved readability. Learn about theiraspect and meaning from the table below.

DescriptionAppearance

Inline command names and syntaxes, pathsand filenames, configuration file outputs, input

text are printed with monospaced characters.

sample

The URL link is pointing to some externallocation, on http or ftp servers.

http://www.bitdefender.com

E-mail addresses are inserted in the text forcontact information.

[email protected]

This is an internal link, towards some locationinside the document.

Preface (p. v)

All the product options are printed usingboldcharacters.

option

Interface options, keywords or shortcuts arehighlighted usingboldcharacters.

keyword

Admonitions

The admonitions are in-text notes, graphically marked, bringing to your attentionadditional information related to the current paragraph.

Preface v
http://www.bitdefender.com/mailto:[email protected]:[email protected]://www.bitdefender.com/


6/115

NoteThe note is just a short observation. Although you can omit it, the notes can provide

valuable information, such as specific feature or a link to some related topic.

ImportantThis requires your attention and is not recommended to skip over it. Usually, it providesnon-critical but significant information.

WarningThis is critical information you should treat with increased caution. Nothing bad willhappen if you follow the indications. You should read and understand it, because itdescribes something extremely risky.

Preface vi


7/115

1. ABOUT GRAVITYZONE

GravityZone is a business security solution built from ground-up for virtualizationand cloud to deliver security services to physical endpoints, mobile devices, virtualmachines in private, public cloud and Exchange mail servers.

GravityZone is one product with a unified management console available in thecloud, hosted by Bitdefender, or as one virtual appliance to be installed on premise,and it provides a single point for deploying, enforcing and managing security policiesfor any number of endpoints and of any type, in any location.

GravityZone delivers multiple layers of security for endpoints, including Microsoft

Exchange mail servers: antimalware with behavioral monitoring, zero day threatprotection, application control and sandboxing, firewall, device control, contentcontrol, anti-phishing and antispam.

1.1. GravityZone Security Services

GravityZone provides the following security services:

Security for Endpoints

Security for Virtualized Environments Security for Exchange

Security for Mobile


Protects unobtrusively any number of Windows laptops, desktops and servers byusing top-ranked antimalware technologies combined with two-way firewall,intrusion detection, web access control and filtering, sensitive data protection,

application and device control. Low system usage ensures performanceimprovements, while integration with Microsoft Active Directory makes it easy toautomatically apply protection to unmanaged desktops and servers. The solutionprovides an alternative to legacy antimalware systems by combiningindustry-acclaimed security technologies with simplicity of deployment andmanagement through the powerful GravityZone Control Center. Proactive heuristicsis employed to classify malicious processes based on their behavior, detectingnew threats in real time.

About GravityZone 1


8/115

Security for Virtualized Environments

GravityZone provides the first platform-agnostic security solution for the dynamic

datacenters of today. Compliant with any known hypervisor, from VMware ESXi toCitrix Xen or Microsoft Hyper-V, Bitdefender Security for Virtualized Environmentsleverages the pooled nature of virtualization by offloading major security processesonto a centralized virtual appliance. Powered by cutting-edge caching technologies,the solution drives significant performance gains and boosts server consolidationby up to 30% compared to traditional antimalware. On a management level, Securityfor Virtualized Environments integrates with third-party platforms such as VMwarevCenter and XenServer to automate administrative tasks and reduce operational

costs.Security for Exchange

Bitdefender Security for Exchange provides antimalware, antispam, antiphishing,attachment and content filtering seamlessly integrated with the Microsoft ExchangeServer, to ensure a secure messaging and collaboration environment and increaseproductivity. Using award-winning antimalware and antispam technologies, itprotects the Exchange users against the latest, most sophisticated malware andagainst attempts to steal users' confidential and valuable data.

Security for Mobile

Unifies enterprise-wide security with management and compliance control ofiPhone, iPad and Android devices by providing reliable software and updatedistribution via Apple or Android marketplaces. The solution has been designed toenable controlled adoption of bring-your-own-device (BYOD) initiatives by enforcingusage policies consistently on all portable devices. Security features include screenlock, authentication control, device location, remote wipe, detection of rooted or

jailbroken devices and security profiles. On Android devices the security level isenhanced with real-time scanning and removable media encryption. As a result,mobile devices are controlled and sensitive business information residing on themis protected.

1.2. GravityZone Architecture

The unique architecture of GravityZone allows the solution to scale with ease andsecure any number of systems. GravityZone can be configured to use multiple

virtual appliances and multiple instances of specific roles (Database,

About GravityZone 2


9/115

Communication Server, Update Server and Web Console) to ensure reliability andscalability.

Each role instance can be installed on a different appliance. Built-in role balancersensure that the GravityZone deployment protects even the largest corporatenetworks without causing slowdowns or bottlenecks. Existing load balancingsoftware or hardware can also be used instead of the built-in balancers, if presentin the network.

Delivered in a virtual container, GravityZone can be imported to run on anyvirtualization platform, including VMware, Citrix, Microsoft Hyper-V.

Integration with VMware vCenter, Citrix XenServer and Microsoft Active Directory

reduces the effort of deploying protection for physical and for virtual endpoints.The GravityZone solution includes the following components:

GravityZone Virtual Appliance Database Update Server Communication Server Web Console (Control Center) Security Server Security Agents

1.2.1. GravityZone Virtual Appliance

GravityZone on-premise solution is delivered as a Linux Ubuntu self-configuringhardened virtual appliance, embedded into a virtual machine image, easy to installand configure through a CLI (Command Line Interface). The virtual appliance isavailable in several formats, compatible with the main virtualization platforms(OVA, XVA, VHD, OVF, RAW).

1.2.2. GravityZone Database

The central logic of GravityZone architecture. Bitdefender uses MongoDBnon-relational database, easy to scale and replicate.

1.2.3. GravityZone Update Server

The Update Server has an important role of updating GravityZone solution andendpoint agents by replicating and publishing the needed packages or installation

files.

About GravityZone 3


10/115

1.2.4. GravityZone Communication Server

The Communication Server is the link between security agents and the database,transferring policies and tasks to protected endpoints and also the events reportedby security agents.

1.2.5. Web Console (Control Center)

Bitdefender security solutions are managed within GravityZone from a single pointof management, Control Center web console, which provides easier managementand access to overall security posture, global security threats, and control over allsecurity modules protecting virtual or physical desktops, servers and mobile devices.

Powered by a Gravity Architecture, Control Center is capable of addressing theneeds of even the largest organizations.

Control Center integrates with the existing system management and monitoringsystems to make it simple to automatically apply protection to unmanageddesktops, servers or mobile devices that appear on the Microsoft Active Directory,VMware vCenter or Citrix XenServer or that are simply detected in the network.

1.2.6. Security Server

The Security Server is a dedicated virtual machine that deduplicates and centralizesmost of the antimalware functionality of antimalware agents, acting as a scanserver.

There are two Security Server versions, for each type of virtualization environments:

Security Server for Multi-Platform environments: must be installed on one ormore hosts so as to accommodate the number of protected virtual machines.

Security Server for VMware environments integrated vShield Endpoint: must

be installed on each host to be protected.

1.2.7. Security Agents

To protect your network with Bitdefender, you must install the appropriateGravityZone security agents on network endpoints.

Bitdefender Endpoint Security Tools Endpoint Security for Mac GravityZone Mobile Client

About GravityZone 4


11/115

Bitdefender Endpoint Security Tools

GravityZone ensures physical and virtual machines protection with Bitdefender

Endpoint Security Tools, an intelligent environment-aware security agent capableto automatically self-configure according to the endpoint type. Bitdefender EndpointSecurity Tools can be deployed on any machine, either virtual or physical, providinga flexible scanning system, being an ideal choice for mixed environments (physical,virtual and cloud).

In addition to file system protection, Bitdefender Endpoint Security Tools alsoincludes mail server protection for Microsoft Exchange Servers.

Bitdefender Endpoint Security Tools uses one single policy template for physical

and virtual machines, and one installation kit source for any environment (physicalor virtual). Bitdefender Endpoint Security Tools is also available for Linux physicalendpoints (servers and desktops).

Scanning Engines

The scanning engines are automatically set during Bitdefender Endpoint SecurityTools packages creation, letting the endpoint agent detect the machine'sconfiguration and adapt the scanning technology accordingly. The administrator

can also customize the scan engines, being able to choose between severalscanning technologies:

1. Local Scan, when the scanning is performed on the local endpoint. The localscanning mode is suited for powerful machines, having all signatures andengines stored locally.

2. Hybrid Scan with Light Engines (Public Cloud), with a medium footprint, usingin-the-cloud scanning and, partially, the local signatures. This scanning modebrings the benefit of better resources consumption, while involving off-premisescanning.

3. Central Scan in Private Cloud, with a small footprint requiring a Security Serverfor scanning. In this case, no signature set is stored locally, and the scanningis offloaded on the Security Server.

4. Central Scan (Private Cloud scanning with Security Server) with fallback* onLocal Scan (Full Engines)

5. Central Scan (Private Cloud scanning with Security Server) with fallback* onHybrid Scan (Public Cloud with Light Engines)

About GravityZone 5


12/115

* When using a dual engines scanning, if the first engine is unavailable, the fallbackengine will be used. Resource consumption and network utilization will be based

on used engines.

Protection Modules

The following protection modules are available with Bitdefender Endpoint SecurityTools:

Antimalware Advanced Threat Control Firewall

Content Control Device Control Power User

Antimalware

The antimalware protection module is based on signature scanning and heuristicanalysis (B-HAVE) against: viruses, worms, trojans, spyware, adware, keyloggers,rootkits and other types of malicious software.

Bitdefender's antimalware scanning technology relies on the following protectionlayers:

First, a traditional scanning method is employed where scanned content ismatched against the signature database. The signature database contains bytepatterns specific to known threats and is regularly updated by Bitdefender. Thisscanning method is effective against confirmed threats that have beenresearched and documented. However, no matter how promptly the signaturedatabase is updated, there is always a vulnerability window between the timewhen a new threat is discovered and when a fix is released

Against brand-new, undocumented threats, a second layer of protection isprovided by B-HAVE, Bitdefender's heuristic engine. Heuristic algorithms detectmalware based on behavioral characteristics. B-HAVE runs suspected malwarein a virtual environment to test its impact on the system and ensure it posesno threat. If a threat is detected, the program is prevented from running.

Advanced Threat Control

For threats that elude even the heuristic engine, a third layer of protection is present

in the form of Advanced Threat Control (ATC).

About GravityZone 6


13/115

Advanced Threat Control continuously monitors running processes and gradessuspicious behaviors such as attempts to: disguise the type of process, execute

code in another process's space (hijack process memory for privilege escalation),replicate, drop files, hide from process enumeration applications, etc. Eachsuspicious behavior raises the process rating. When a threshold is reached, analarm is triggered.

ImportantThis module is available only for supported Windows desktop and server operatingsystems.

Firewall

The Firewall controls applications' access to the network and to the Internet. Accessis automatically allowed for a comprehensive database of known, legitimateapplications. Furthermore, the firewall can protect the system against port scans,restrict ICS and warn when new nodes join a Wi-Fi connection.

ImportantThis module is available only for supported Windows workstations.

Content ControlThe Content Control module helps enforce company policies for allowed traffic,web access, data protection and applications control. Administrators can definetraffic scan options and exclusions, schedule web access while blocking or allowingcertain web categories or URLs, configure data protection rules and definepermissions for the use of specific applications.

ImportantThis module is available only for supported Windows workstations.

Device Control

The Device Control module allows preventing the sensitive data leakage andmalware infections via external devices attached to endpoints by applying blockingrules and exceptions via policy to a vast range of device types (such as USB FlashDrives, Bluetooth Devices, CD/DVD-Players, Storage Devices, etc.).

Important

This module is available only for supported Windows desktop and server operatingsystems.

About GravityZone 7


14/115

Power User

Control Center administrators can grant Power User rights to endpoint users via

policy settings. The Power User module enables administration rights at user level,allowing the endpoint user to access and modify security settings via a localconsole. Control Center is being notified when an endpoint is in Power User modeand the Control Center administrator can always overwrite local security settings.

ImportantThis module is available only for supported Windows desktop and server operatingsystems.

Endpoint Roles

Relay Role

Endpoint agents with Bitdefender Endpoint Security Tools Relay role serve ascommunication proxy and update servers for other endpoints in the network.Endpoint agents with relay role are especially required in organizations with isolatednetworks, where all traffic is made through a single access point.

In companies with large distributed networks, relay agents help lowering the

bandwidth usage, by preventing protected endpoints and security servers to connectdirectly to the GravityZone appliance.

Once a Bitdefender Endpoint Security Tools Relay agent is installed in the network,other endpoints can be configured via policy to communicate with Control Centerthrough the relay agent.

Bitdefender Endpoint Security Tools Relay agents serve for the following:

Discovering all unprotected endpoints in the network.

Deploying the endpoint agent inside the local network. Updating protected endpoints in the network.

Ensuring the communication between Control Center and connected endpoints.

Acting as proxy server for protected endpoints.

Optimizing the network traffic during updates, deployments, scanning and otherresource-consuming tasks.

About GravityZone 8


15/115

ImportantThis role is available only for supported Windows desktop and server operating

systems.

Exchange Protection Role

Bitdefender Endpoint Security Tools with Exchange role can be installed onMicrosoft Exchange Servers with the purpose of protecting the Exchange usersfrom email-borne threats.

Bitdefender Endpoint Security Tools with Exchange role protects both the servermachine and the Microsoft Exchange Solution.

Endpoint Security for MacEndpoint Security for Mac is a powerful antimalware scanner, which can detectand remove all kinds of malware, including viruses, spyware, Trojan horses,keyloggers, worms and adware on Intel-based Macintosh workstations and laptopswith Mac OS X version 10.7 or later.

Endpoint Security for Mac includes only the Antimalware module, while the scanningtechnology available isLocal Scan, with all signatures and engines stored locally.

GravityZone Mobile ClientGravityZone Mobile Client extends security policies with ease to on any number ofAndroid and iOS devices, protecting them against unauthorized usage, riskwareand loss of confidential data. Security features include screen lock, authenticationcontrol, device location, remote wipe, detection of rooted or jailbroken devices andsecurity profiles. On Android devices the security level is enhanced with real-timescanning and removable media encryption.

GravityZone Mobile Client is exclusively distributed via Apple App Store and GooglePlay.

About GravityZone 9


16/115

2. INSTALLATION REQUIREMENTS

All of the GravityZone solutions are installed and managed via Control Center.

2.1. GravityZone Appliance Requirements

GravityZone is delivered as a virtual appliance. The GravityZone appliance isavailable in the following formats:

OVA (compatible with VMware vSphere, View, VMware Player) XVA (compatible with Citrix XenServer, XenDesktop, VDI-in-a-Box) VHD (compatible with Microsoft Hyper-V) OVF (compatible with Red Hat Enterprise Virtualization)* OVF (compatible with Oracle VM)* RAW (compatible with Kernel-based Virtual Machine or KVM)*

*OVF and RAW packages are archived in tar.bz2 format.

For Oracle VM VirtualBox platform compatibility, refer tothis KB article.

Support for other formats and virtualization platforms may be provided on request.

2.1.1. Hardware RequirementsDeploy the GravityZone appliance with the following hardware configuration:

Required vCPU

Number of EndpointsComponent

50000*25000*250001000050001000250

1111111Update Server

8664211Web Console

8664211Communication Server

1111111Database arbiter*

6332221Database**

30201611754Total***

* - only for distributed GravityZone environments using database replica set ** - multiply by two for GravityZone environments using database replica set

Installation Requirements 10
http://www.bitdefender.com/support/installing-gravityzone-on-oracle-vm-virtualbox-1328.htmlhttp://www.bitdefender.com/support/installing-gravityzone-on-oracle-vm-virtualbox-1328.html


17/115

*** - total for GravityZone environments without database replica set

Required RAM (GB)


50000*25000*250001000050001000250

2221111Update Server

8664211Web Console

8664211Communication Server

1111111Database arbiter*8886542Database**

353122151075Total***

* - only for distributed GravityZone environments using database replica set ** - multiply by two for GravityZone environments using database replica set *** - total for GravityZone environments without database replica set

Required Hard-Disk Space (GB)


50000*25000*250001000050001000250

40404040404040

Update Server

Web Console

Communication Server

Database arbiter*

80404020202010Database**

2001208060606050Total***

* - only for distributed GravityZone environments using database replica set

*** - total for GravityZone environments without database replica set

** - multiply by two for GravityZone environments using database replica set



18/115

2.1.2. Internet Connection

The GravityZone appliance requires Internet access.

2.1.3. Control Center Web Console Requirements

To access the Control Center web console, the following are required:

Internet Explorer 9+, Mozilla Firefox 14+, Google Chrome 15+, Safari 5+

Recommended screen resolution: 1280x800 or higher

The computer you connect from must have network connectivity to ControlCenter.

WarningControl Center will not work / display properly in Internet Explorer 9+ with theCompatibility View feature enabled, which is equivalent with using an unsupportedbrowser version.

2.2. Physical and Virtual Endpoint ProtectionRequirements

2.2.1. Hardware Requirements

Intel Pentium compatible processor

Workstation Operating Systems

1 GHz or faster for Microsoft Windows XP SP3, Windows XP SP2 64 bit andWindows 7 Enterprise (32 and 64 bit)

2 GHz or faster for Microsoft Windows Vista SP1 or higher (32 and 64 bit),Microsoft Windows 7 (32 and 64 bit), Microsoft Windows 7 SP1 (32 and 64bit),Windows 8

800 MHZ or faster for Microsoft Windows Embedded Standard 7 SP1, MicrosoftWindows POSReady 7, Microsoft Windows POSReady 2009, Microsoft WindowsEmbedded Standard 2009, Microsoft Windows XP Embedded with Service Pack2, Microsoft Windows XP Tablet PC Edition

Server Operating Systems

Minimum: 2.4 GHz single-core CPU



19/115

Recommended: 1.86 GHz or faster Intel Xeon multi-core CPU

Free RAM MemoryRAM Memory Required at Installation (MB)

SINGLE ENGINE

OS Centralized ScanningHybrid ScanningLocal Scanning

FullOptions

AV OnlyFullOptions

AV OnlyFullOptions

AV Only

40025666051212001024Windows25625651251210241024Linux

n/an/an/an/a10241024Mac

RAM Memory for Daily Usage (MB)*

Protection ModulesAntivirus (Single Engine)

OS UpdateServer

PowerUser

ContentControlFirewall

BehavioralScanCentralizedHybridLocal

+76+29+41+17+13305575Windows

-----90180200Linux

* The measurements cover the daily endpoint client usage, without taking intoaccount additional tasks, such as on-demand scans or product updates.



20/115

HDD Requirements

Free HDD Space Required at Installation (MB)

DUAL ENGINESINGLE ENGINE

OS

Centralized +Hybrid

Scanning

Centralized +Local

Scanning

CentralizedScanning

HybridScanning

LocalScanning

Full

Options

AV

Only

Full

Options

AV

Only

Full

Options

AV

Only

Full

Options

AV

Only

Full

Options

AV

Only7005001200102457035070050012001024Windows

4004001024102425025040040010241024Linux

n/an/an/an/an/an/an/an/a10241024Mac

Note At least 10 GB additional free disk space is required for entities with

Bitdefender Endpoint Security Tools Relay role, as they will store all updates

and installation packages. The quarantine for Exchange Servers requires additional hard-disk space onthe partition where the security agent is installed.

The quarantine size depends on the number of items stored and their size.

By default, the agent is installed on the system partition.

Free HDD Space for Daily Usage (MB)*

Protection ModulesAntivirus (Single Engine)

OS UpdateServer

PowerUser

ContentControlFirewall

BehavioralScanCentralizedHybridLocal

+10+80+60+5+12140190410Windows

-----110200500Linux

* The measurements cover the daily endpoint client usage, without taking intoaccount additional tasks, such as on-demand scans or product updates.



21/115

Traffic Usage

Product updates traffic between endpoint client and update server

Each periodical Bitdefender Endpoint Security Tools product update generatesthe following download traffic on each endpoint client:

On Windows OS: ~20 MB

On Linux OS: ~26 MB

Downloaded signature updates traffic between endpoint client and updateserver

Scan Engine TypeUpdate Server Type

CentralizedHybridLocal

555865Relay (MB / day)

33.53Bitdefender Update Server (MB / day)

Central Scan traffic between endpoint client and Security Server

Upload (MB)Download (MB)Traffic TypeScanned Objects

Files* 84127First scan

38213Cached scan

Websites** First scan N/A621Web traffic

105054Security Server

Cached Scan N/A654Web traffic0.50.2Security Server

* The provided data has been measured for 3.49 GB of files (6,658 files), ofwhich 1.16 GB are Portable Executable (PE) files.

** The provided data has been measured for the top-ranked 500 websites.



22/115

Hybrid scan traffic between endpoint client and Bitdefender Cloud Services

Upload (MB)Download (MB)Traffic TypeScanned Objects

Files* 0.61.7First scan

0.30.6Cached scan

Web traffic** N/A650Web traffic

2.72.6Bitdefender Cloud Services

* The provided data has been measured for 3.49 GB of files (6,658 files), ofwhich 1.16 GB are Portable Executable (PE) files.

** The provided data has been measured for the top-ranked 500 websites.

Signatures download traffic between Bitdefender Endpoint Security Tools Relayclients and update server

Clients with Bitdefender Endpoint Security Tools Relay role download ~16 MB/ day* from update server.

* Available with Bitdefender Endpoint Security Tools clients starting from6.2.3.569 version.

Traffic between endpoint clients and Control Center web console

An average traffic of 618 KB / day is generated between endpoint clients andControl Center web console.

Requirements and footprint for systems integrated in VMwareenvironments with vShield Endpoint

Disk SpaceRAMPlatform

24 MB6-16* MB (~ 10 MB for GUI)Windows

10-11 MB9-10 MBLinux

*5 MB when the Silent Mode option is enabled and 10 MB when it is disabled. WhenSilent Mode is enabled, Bitdefender Endpoint Security Tools graphical user interface(GUI) is not loaded automatically at system startup, freeing up associated resources.



23/115

2.2.2. Supported Operating Systems

Windows Operating SystemsDesktop Operating Systems

Windows 10 TH2.(1)

Windows 10(1)

Windows 8.1(2)

Windows 8(3)

Windows 7 Windows Vista with Service Pack 1

(4)

Windows XP with Service Pack 2 64 bit(4)

Windows XP with Service Pack 3(4)

Tablet and embedded operating systems

Windows Embedded 8.1 Industry

Windows Embedded 8 Standard Windows Embedded Standard 7

Windows Embedded Compact 7

Windows Embedded POSReady 7

Windows Embedded Enterprise 7

Windows Embedded POSReady 2009

Windows Embedded Standard 2009

Windows XP Embedded with Service Pack 2(5)

Windows XP Tablet PC Edition(5)

Server operating systems:

Windows Server 2012(4)

/ Windows Server 2012 R2(2)

Windows Server 2008 / Windows Server 2008 R2

Windows Server 2003 / Windows Server 2003 R2

Windows Small Business Server (SBS) 2011



24/115



Windows Home Server

ImportantBitdefender Endpoint Security Tools supports the Windows Server FailoverCluster (WSFC) technology.

Note(1) Windows 10 support is available for Endpoint Security starting with 5.3.23.704version and for Bitdefender Endpoint Security Tools starting with 6.2.4.582 version.

(2) VMware vShield platform (Agentless version) support for Windows 8.1 (32/64 bit)and Windows Server 2012 R2 (64 bit) is available starting with VMware vSphere 5.5 ESXi build 1892794 and above.(3) VMware vShield platform (Agentless version) support for Windows 8 and WindowsServer 2012 is available starting with VMware vShield Manager version 5.5.(4) VMware vShield Endpoint does not support the 64-bit versions of Windows XPand Vista.(5) Specific embedded operating system modules must be installed for BitdefenderEndpoint Security Tools to work.

Linux Operating Systems

Red Hat Enterprise Linux / CentOS 5.6 or higher Ubuntu 10.04 LTS or higher SUSE Linux Enterprise Server 11 or higher OpenSUSE 11 or higher Fedora 15 or higher Debian 5.0 or higher Oracle Solaris 11, 10 (only in VMware vShield environments)

On-access scanning is available for all supported guest operating systems. OnLinux systems, on-access scanning support is provided in the following situations:

On-access scanning supportLinux DistributionKernel Version

The fanotify kernel option must beenabled.

All supported2.6.38 or higher

For Debian 8 systems, refer tothis

KB article.

http://www.bitdefender.com/support/bitdefender-endpoint-security-tools-compatibility-with-debian-8-1482.htmlhttp://www.bitdefender.com/support/bitdefender-endpoint-security-tools-compatibility-with-debian-8-1482.htmlhttp://www.bitdefender.com/support/bitdefender-endpoint-security-tools-compatibility-with-debian-8-1482.htmlhttp://www.bitdefender.com/support/bitdefender-endpoint-security-tools-compatibility-with-debian-8-1482.html


25/115

On-access scanning supportLinux DistributionKernel Version

Bitdefender provides support viaDazukoFS with prebuilt kernelmodules.

Debian 5.0, 6.0 Ubuntu10.04 LTS CentOS 6.x RedHat Enterprise Linux 6.x

2.6.18 - 2.6.37

For any other distribution or kernel version you need to manually compile theDazukoFS module. To view the procedure for manual compilation of DazukoFS,refer to:Support for On-access Scanning on Linux Virtual Machines (p. 91).

NoteFanotify and DazukoFS enable third-party applications to control file access on Linuxsystems. For more information, refer to:

Fanotify man pages:http://www.xypron.de/projects/fanotify-manpages/man7/fanotify.7.html.

Dazuko project website:http://dazuko.dnsalias.org/wiki/index.php/About.

Mac OS X Operating Systems

Mac OS X El Capitan (10.11.x)

Mac OS X Yosemite (10.10.x) Mac OS X Mavericks (10.9.x)

Mac OS X Mountain Lion (10.8.x)

2.2.3. Supported Browsers

Endpoint browser security is verified to be working with the following browsers:

Internet Explorer 8+

Mozilla Firefox 8+

Google Chrome 15+

Safari 4+

2.2.4. Supported Virtualization Platforms

Security for Virtualized Environments provides out-of-the-box support for thefollowing virtualization platforms:

http://www.xypron.de/projects/fanotify-manpages/man7/fanotify.7.htmlhttp://dazuko.dnsalias.org/wiki/index.php/Abouthttp://dazuko.dnsalias.org/wiki/index.php/Abouthttp://www.xypron.de/projects/fanotify-manpages/man7/fanotify.7.html


26/115

VMware vSphere 6.0, 5.5, 5.1, 5.0, 4.1 with VMware vCenter Server 6.0, 5.5, 5.1,5.0, 4.1

VMware View 5.3, 5.2, 5.1, 5.0

VMware Workstation 8.0.6, 9.x, 10.x, 11.x

VMware Player 5.x, 6.x, 7.x

Citrix XenServer 6.2, 6.0, 5.6 or 5.5 (including Xen Hypervisor)

Citrix XenDesktop 7.5, 5.5 or 5.0 (including Xen Hypervisor)

Citrix VDI-in-a-Box 5.x

Microsoft Hyper-V Server 2008 R2, 2012, 2012 R2 or Windows Server 2008 R2,2012, 2012 R2 (including Hyper-V Hypervisor)

Red Hat Enterprise Virtualization 3.0 (including KVM Hypervisor)

Oracle VM 3.0

NoteSupport for other virtualization platforms may be provided on request.

Integration with VMware vShield Endpoint Requirements ESXi 6.0, 5.5, 5.1, 5.0 (build 474610 or higher), 4.1 (build 433742 or higher)

vCenter Server 6.0, 5.5, 5.1, 5.0, 4.1

vCloud Networking and Security 5.5.4, 5.5.3, 5.5.2, 5.5.1

vShield Manager 5.5, 5.1, 5.0

vShield Endpoint installed by vShield Manager on the host/hosts protected bySecurity for Virtualized Environments

VMware Tools 8.6.0 build 446312 or higher installed on the protected virtualmachines in the complete mode or with the vShield Endpoint driver selectedunder VMCI in custom mode.

ImportantIt is recommended that you keep all VMware products updated with the latest patch.

If you are using ESXi 5.5, to support Windows 2012 R2 and Windows 8.1 guestoperating systems it is required to apply VMware ESXi 5.5, Patch

ESXi550-201407401-BG: Updates esx-base (2077407).

http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2077407http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2077407http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2077407http://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2077407


27/115

If you are using ESXi 5.0, it is highly recommended to applyVMware ESXi 5.0Patch ESXi500-201204401-BG: Updates tools-light, which solves critical issuesin the vShield Endpoint guest drivers. The patch updates VMware Tools to version8.6.5 build 652272.

If you are using ESXi 4.1 P3, you must obtain the updated VMware Tools versionand install it in the virtual machines. For more information, refer to this KB article.

2.2.5. Supported Virtualization Management Tools

Control Center currently integrates with the following virtualization managementtools:

VMware vCenter Server

Citrix XenServer

To set up integration, you must provide the username and password of anadministrator.

2.2.6. Security Server Requirements

Security Server is a preconfigured virtual machine running on an Ubuntu Server

12.04 LTS (3.2 kernel).Memory and CPU resource allocation for the Security Server depends on the numberand type of VMs running on the host. The following table lists the recommendedresources to be allocated:

CPUsRAMNumber of protected VMs

2 CPUs2 GB1-50 VMs

4 CPUs2 GB51-100 VMs

6 CPUs4 GB101-200 VMs

Other requirements depend on whether or not the appliance integrates with VMwarevShield Endpoint:

In VMware environments with vShield Endpoint:

Security Server must be installed on each ESXi host to be protected.

You must provision 80 GB disk space on each host.

In other environments:

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2015461http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2015461http://www.bitdefender.com/site/support/How-to-upgrade-VMware-Tools-in-ESXi-4-1-to-meet-the-Security-for-Virtualized-Environments-requirements-978.htmlhttp://www.bitdefender.com/site/support/How-to-upgrade-VMware-Tools-in-ESXi-4-1-to-meet-the-Security-for-Virtualized-Environments-requirements-978.htmlhttp://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2015461http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2015461


28/115

Although not mandatory, Bitdefender recommends installing Security Serveron each physical host for improved performance.

You must provision 8 GB disk space on each Security Server host.

2.3. Security for Mobile Requirements

2.3.1. Supported Platforms

Security for Mobile supports the following types of mobile devices and operatingsystems:

Apple iPhones and iPad tablets (iOS 5.1+) Google Android smartphones and tablets (2.3+)

2.3.2. Connectivity Requirements

Mobile devices must have an active cellular data or Wi-Fi connection andconnectivity with the Communication Server.

2.3.3. Push Notifications

Security for Mobile uses push notifications to alert mobile clients when policyupdates and tasks are available. Push notifications are sent by the CommunicationServer via the service provided by the operating system manufacturer:

Google Cloud Messaging (GCM) service for Android devices. For GCM to work,the following are required:

Google Play Store must be installed.

Devices running a version lower than Android 4.0.4 must also have at leastone logged in Google account.

To send push notifications,a number of portsmust be open. Apple Push Notifications service (APNs) for iOS devices. For more information,

refer to thisApple KB article.

To learn more about GravityZone Mobile Device Management workflow, pleaserefer tothis KB article.

http://support.apple.com/kb/TS4264?viewlocale=en_UShttp://www.bitdefender.com/support/mobile-device-management-workflow-1138.htmlhttp://www.bitdefender.com/support/mobile-device-management-workflow-1138.htmlhttp://support.apple.com/kb/TS4264?viewlocale=en_US


29/115

2.3.4. iOS Management Certificates

To set up the infrastructure for iOS mobile device management, you must providea number of security certificates.

For more information, refer toCertificates (p. 50).

2.4. Security for Exchange Requirements

Security for Exchange is delivered through Bitdefender Endpoint Security Tools,which protects both the file system and the Microsoft Exchange mail server.

2.4.1. Supported Microsoft Exchange EnvironmentsSecurity for Exchange supports the following Microsoft Exchange versions androles:

Exchange Server 2016 with Edge Transport or Mailbox role

Exchange Server 2013 with Edge Transport or Mailbox role

Exchange Server 2010 with Edge Transport, Hub Transport or Mailbox role

Exchange Server 2007 with Edge Transport, Hub Transport or Mailbox role

Security for Exchange is compatible with Microsoft Exchange Database AvailabilityGroups (DAGs).

2.4.2. System Requirements

Security for Exchange is compatible with any physical or virtual 64-bit server (Intelor AMD) running a supported Microsoft Exchange Server version and role. Fordetails regarding the Bitdefender Endpoint Security Tools system requirements,refer toSupported Operating Systems (p. 17).

Recommended server resource availability:

Free RAM memory: 1 GB

Free HDD space: 1 GB

2.4.3. Software Requirements

For Microsoft Exchange Server 2013 with Service Pack 1: KB2938053fromMicrosoft.

http://support.microsoft.com/kb/2938053http://support.microsoft.com/kb/2938053


30/115

For Microsoft Exchange Server 2007: .NET Framework 3.5 Service Pack 1 orhigher

2.5. GravityZone Communication Ports

The following table provides information on the ports used by the GravityZonecomponents:

UsagePort

Port used to access the Control Center web console.80 (HTTP) / 443(HTTPS)

Bitdefender Cloud Antispam Detection ServiceHTTP(s) 80 / 443

Port used by client/agent software to connect to theCommunication Server.

8443 (HTTPS)

Update Server port7074 (HTTP)

Communication with Endpoint Security Relay* (if available)

Handles communication between GravityZone services andthe outside world.

7075

Ports used to allow communication between Control Centerand Communication Server.

4369 / 6150

Default port used by the Communication Server and ControlCenter to access the Database.

27017

Ports used by the endpoint agent to connect to SecurityServer.

7081 / 7083 (SSL)

Communication port between the Bitdefender Endpoint

Security Tools agent for Linux and Security Server in VMwareenvironments with vShield Endpoint.

48651

Communication port between the hypervisor (vmkernel) andSecurity Server in VMware environments with vShieldEndpoint.

48652

Google Cloud Messaging (GCM) ports. The CommunicationServer uses GCM to send push notifications to managedAndroid devices.

5228, 5229, 5230



31/115

UsagePort

Apple Push Notification service (APNs) ports. Ports 2195and 2196 are used by the Communication Server to

2195, 2196, 5223

communicate with the APNs servers. Port 5223 is used bymanaged iOS devices to communicate with the APNs serversover Wi-Fi in specific conditions. For more information, referto thisApple KB article.

User Datagram Protocol (UDP) port used by GravityZoneappliances for time synchronization with the NTP server.

123 (UDP)

Port used for Realtime Blackhole List (RBLs)53 (UDP)

* Since the relay is an update server that needs to listen all the time on a port,Bitdefender provides a mechanism able to automatically open a random port onlocalhost (127.0.0.1), so that the update server can receive proper configurationdetails. This mechanism applies when the default port 7074 is used by anotherapplication. In this case, the update server tries to open the 7075 port to listen onlocalhost. If 7075 port is also unavailable, the update server will search for anotherport that is free (in range of 1025 to 65535) and successfully bind to listen on

localhost.For detailed information regarding GravityZone ports, refer tothis KB article.

http://support.apple.com/kb/TS4264?viewlocale=en_UShttp://www.bitdefender.com/support/gravityzone-communication-ports-1132.htmlhttp://www.bitdefender.com/support/gravityzone-communication-ports-1132.htmlhttp://support.apple.com/kb/TS4264?viewlocale=en_US


32/115

3. INSTALLING PROTECTION

To protect your network with Bitdefender, you must install the GravityZone securityagents on endpoints. For this purpose, you need a Control Center user withadministrator privileges over the services you need to install and over the endpointsunder your management.

The following table shows the types of endpoints each service is designed toprotect:

EndpointsService

Physical computers (workstations, laptops andservers) running on Microsoft Windows, Linux andMac OS X


Security for VirtualizedEnvironments Virtual machines running on Microsoft Windows

or Linux, under any virtualization platform

iPhone, iPad and Android devicesSecurity for Mobile

Microsoft Exchange ServersSecurity for Exchange

3.1. GravityZone Installation and SetupTo make sure installation goes smoothly, follow these steps:

1. Prepare for installation

2. Deploy and set up the GravityZone virtual appliance

3. Connect to Control Center and set up the first user account

4. Configure Control Center settings

3.1.1. Prepare for Installation

For installation, you need a GravityZone virtual appliance image. After you deployand set up the GravityZone appliance, you can remotely install the client or downloadthe necessary installation packages for all security services components from theControl Center web interface.

The GravityZone appliance image is available in several different formats,compatible with the main virtualization platforms. You can obtain the download

links by registering for a trial on the Bitdefender Enterprise website product pages.

Installing Protection 26
http://www.bitdefender.com/businesshttp://www.bitdefender.com/business


33/115

For installation and initial setup, you must have the following at hand:

DNS names or fixed IP addresses (either by static configuration or via a DHCP

reservation) for the GravityZone appliances

Username and password of a domain administrator

vCenter Server, vShield Manager, XenServer details (hostname or IP address,communication port, administrator username and password)

License key for each GravityZone security service (check the trial registrationor purchase email)

Outgoing mail server settings

If needed, proxy server settings

Security certificates

Additional prerequisites must be met in order to install services.

3.1.2. Deploy the GravityZone Appliance

The GravityZone appliance can run one, several or all of the following roles:

Database Server

Update Server

Web Console

Communication Server

A GravityZone deployment requires running one instance of each role. Consequently,depending on how you prefer to distribute the GravityZone roles, you will deployone to four GravityZone appliances. The Database Server role is the first to beinstalled. In a scenario with multiple GravityZone appliances, you will install theDatabase Server role on the first appliance and configure all other appliances toconnect to the existing database instance.

To deploy and set up the GravityZone appliance:

1. Import the GravityZone virtual appliance image in your virtualized environment.

2. Power on the appliance.

3. From your virtualization management tool, access the console interface of theGravityZone appliance.



34/115

4. Configure the password for the built-inbdadminsystem administrator.

Appliance console interface: enter new password

5. Login with the password you have set.

Appliance console interface: login

6. You will access the appliance configuration interface. Use the arrow keys andtheTabkey to navigate through menus and options. PressEnterto select a

specific option.



35/115

Appliance console interface: main menu

Initially, the appliance configuration interface is in English language.

To change the interface language:

a. SelectConfigure Languagefrom the main menu.

b. Select the language from the available options. A confirmation messagewill appear.

NoteYou may need to scroll down to view your language.

c. SelectOKto save the changes.

7. Configure the network settings.

You can configure the appliance to automatically obtain network settings fromthe DHCP server or you can manually configure network settings. If you chooseto use DHCP, you must configure the DHCP Server to reserve a specific IPaddress for the appliance.

a. From the main menu, selectConfigure Network Settings.



36/115

Appliance console interface: network settings option

b. Select the network interface.

c. Select the configuration method:

Configure network settings manually. You must specify the IP address,

network mask, gateway address and DNS server addresses.

Obtain network settings automatically via DHCP. Use this option onlyif you have configured the DHCP Server to reserve a specific IP addressfor the appliance.



37/115

Appliance console interface: network configuration

d. You can check current IP configuration details or link status by selectingthe corresponding options.

8. Configure the hostname settings.

Communication with the GravityZone roles is performed using the IP addressor DNS name of the appliance they are installed on. By default, the GravityZonecomponents communicate using IP addresses. If you want to enablecommunication via DNS names, you must configure GravityZone applianceswith a DNS name and make sure it correctly resolves to the configured IPaddress of the appliance.

Prerequisites:

Configure the DNS record in the DNS server.

The DNS name must correctly resolve to the configured IP address of theappliance. Therefore, you must make sure the appliance is configured withthe correct IP address.

To configure the hostname settings:

a. From the main menu, selectConfigure Hostname Settings.

b. Enter the hostname of the appliance and the Active Directory domain name(if needed).

c. SelectOKto save the changes.



38/115

9. Configure Proxy Settings.

If the appliance connects to the Internet through a proxy server, you must

configure the proxy settings:

a. From the main menu, selectConfigure Proxy Settings.

b. SelectConfigure proxy settings.

Appliance console interface: configure proxy settings

c. Enter the proxy server address. Use the following syntax:

If the proxy server does not require authentication:

http(s)://:

If the proxy server requires authentication:

http(s)://:@:

d. SelectOKto save the changes.

10. Install GravityZone roles. You can choose to install the roles either manually orautomatically. During automatic installation all roles install on the sameappliance. When manually installing the GravityZone appliance, you canconfigure it, for example, to install only the roles you need, or to connect to anexisting database instance.

To automatically install the roles:



39/115

a. From the main menu, select Automatic Installation. You will be asked toread and accept the EULA and a confirmation message will appear,

informing you of the roles that will install.

NoteThe Security Server will also be installed, but it will be available to useonly if your license key allows it.

b. SelectYesto confirm.

Note

This option is available only at the initial setup of GravityZone appliance.

To manually install the roles:

a. From the main menu, selectAdvanced Settings.

Appliance console interface: install roles

b. SelectInstall/Uninstall Roles to install the appliance in a GravityZoneenvironment with a single database server.

NoteIf you install the appliance to extend your GravityZone environment, refer

toConnect to Existing Database (p. 62).



40/115

c. SelectAdd or remove roles. A confirmation message will appear.

d. PressEnterto continue and wait until the installation finishes.

e. Press the Space bar and then Enter to install the Database Server role.

You must confirm your choice by pressing Enteragain and then wait

for the installation to complete.

f. Install the other roles by choosing Add or remove roles from theInstall/Uninstall Roles menu and then the roles to install. Press the Space

bar to select a role and Enter to proceed. You must confirm your choice

by pressing Enteragain and then wait for the installation to complete.

Note

Each role is normally installed within a few minutes. During installation, requiredfiles are downloaded from the Internet. Consequently, the installation takes moretime if the Internet connection is slow. If the installation hangs, redeploy theappliance.

After deploying and setting-up the GravityZone appliance, you can anytime edit theappliance settings using the configuration interface. For more information regardingthe GravityZone appliance configuration, refer to Managing the GravityZoneAppliance (p. 56).

3.1.3. Control Center Initial Setup

After deploying and setting up the GravityZone appliance, you must access theControl Center web interface and configure your company administrator account.

1. In the address bar of your web browser, enter the IP address or the DNS

hostname of the Control Center appliance (using the https:// prefix). Aconfiguration wizard will appear.

2. You must first register your GravityZone deployment to a Bitdefender account.Provide the username and password of your Bitdefender account. If you do nothave a Bitdefender account yet, click the corresponding link to create one.

If an internet connection is not available, select Use offline registration. In thiscase, the Bitdefender account is not necessary.



41/115

Initial setup - Provide MyBitdefender account

3. ClickNextto continue.

4. Provide the license keys required for validating the purchased GravityZonesecurity services. Check the trial registration or purchase email to find yourlicense keys.

a. Click the Add button at the upper side of the table. A configuration windowwill appear.

b. Select the license registration type (online or offline).

c. Enter the license key in theLicense keyfield. For offline registration, youare required to provide also the registration code.

d. Wait until the license key is validated. ClickAddto finish.

The license key will appear in the license table. You can also view the securityservice, status, expiry date and current usage for each license key in thecorresponding columns.

NoteDuring the initial setup, at least one valid license key must be provided to startusing GravityZone. You can afterwards add more license keys or modify theexisting ones.



42/115

Initial setup - Provide license keys

5. ClickNextto continue.

6. Fill in your company information, such as company name, address and phone.

7. You can change the logo displayed in Control Center and also in your company'sreports and email notifications as follows:

Click Change to browse for the image logo on your computer. The image fileformat must be .png or .jpg and the image size must be 200x30 pixels.

Click Default to delete the image and reset to the image provided byBitdefender.

8. Specify the required details for your company administrator account: username,email address and a password. The password must contain at least one uppercase character, at least one lower case character and at least one digit or specialcharacter.



43/115

Initial setup - Configure your account

9. ClickCreate account.

The company administrator account will be created and you will automatically logon with the new account to Bitdefender Control Center.

3.1.4. Configure Control Center Settings

After the initial setup, you need to configure Control Center settings. As CompanyAdministrator, you can do the following:

Configure mail, proxy and other general settings.

Run or schedule a Control Center database backup.

Set up integration with Active Directory and virtualization management tools(vCenter Server, XenServer).

Install security certificates.



44/115

Mail Server settings

Mail Server

Control Center requires an external mail server to send email communications.

Note

It is recommended to create a dedicated mail account to be used by Control Center.

To enable Control Center to send emails:

1. Go to theConfigurationpage.

2. Select theMail Servertab.

3. SelectMail Server Settingsand configure the required settings:

Mail server (SMTP). Enter the IP address or hostname of the mail serverthat is going to send the emails.

Port. Enter the port used to connect to the mail server.

Encryption type. If the mail server requires an encrypted connection, choosethe appropriate type from the menu (SSL, TLS or STARTTLS).

From email. Enter the email address that you want to appear in the Fromfield of the email (sender's email address).

Use authentication. Select this check box if the mail server requiresauthentication. You must specify a valid username / email address andpassword.



45/115

4. ClickSave.

Control Center automatically validates the mail settings when you save them. If

the provided settings cannot be validated, an error message informs you of theincorrect setting. Correct the setting and try again.

Proxy

If your company connects to the Internet through a proxy server, you must configurethe proxy settings:

1. Go to theConfigurationpage.

2. Select theProxytab.3. SelectUse Proxy Settingsand configure the required settings:

Address- type in the IP address of the proxy server.

Port- type in the port used to connect to the proxy server.

Username- type in a user name recognized by the proxy.

Password- type in the valid password of the previously specified user.

4. ClickSave.

Miscellaneous

From the Configuration page >Miscellaneous tab you can configure the followinggeneral preferences:

When an unavailable Security Server image is needed. The GravityZoneappliance does not include by default the Security Server virtual machine images.If an administrator tries to download a Security Server image or to run a SecurityServer installation task, the action is going to fail. You can configure anautomated action for this situation by choosing one of the following options:

Download the image automatically

Notify the administrator and do not download

Note

To avoid interference with administrator's work, you can manually download thenecessary Security Server packages from the Update page, on the Product Updatetab. For more information, refer toUpdating GravityZone Appliances (p. 66).



46/115

When an unavailable package is needed. You can configure an automatedaction for this situation by choosing one of the following options:

Download the package automatically

Notify the administrator and do not download

Concurrent deployments. Administrators can remotely deploy securitycomponents by running installation tasks. Use this option to specify themaximum number of simultaneous deployments that can be performed at atime.

For example, if the maximum number of concurrent deployments is set to 10

and a remote client installation task is assigned to 100 computers, ControlCenter will initially send 10 installation packages through the network. In thiscase, the client installation is performed simultaneously on a maximum numberof 10 computers, all the other sub-tasks being in pending state. As soon as asub-task is done, another installation package is sent, and so on.

NTP Server Settings. The NTP server is used to synchronize time between allGravityZone appliances. A default NTP server address is provided, which youcan change in theNTP Server Addressfield.

NoteFor the GravityZone appliances to communicate with the NTP Server, 123 (UDP)port must be open.

Enable Syslog. By enabling this feature, you allow GravityZone to sendnotifications to a logging server that uses the Syslog protocol. This way youhave the possibility to better monitor GravityZone events.

To view or configure the list of notifications sent to the Syslog server, refer to

theNotificationschapter from GravityZone Administrators Guide.To enable logging to a remote Syslog server:

1. Select theEnable Syslogcheckbox.

2. Enter the server name or IP, the preferred protocol and the port Syslog listensto.

3. Click the Addbutton from theActioncolumn.

ClickSaveto apply the changes.



47/115

Backup

To make sure all your Control Center data are safe, you may want to backup the

GravityZone database. You can run as many database backups as you want, oryou can schedule periodic backups to run automatically at a specified time interval.

Each database backup command creates a tgz file (GZIP Compressed Tar Archive

file) to the location specified in the backup settings.

When several administrators have manage privileges over the Control Centersettings, you can also configure theNotification Settingsto alert you each time adatabase backup has been completed. For more information, refer to theNotificationschapter from GravityZone Administrators Guide.

To run a database backup:

1. Go to theConfigurationpage in Control Center and click the Backuptab.

2. Click the Backup Nowbutton at the upper side of the table. A configurationwindow will appear.

3. Select the type of location where the backup archive will be saved:

Local, for saving the backup archive to the GravityZone appliance. In this

case, you have to specify the path to the specific directory from theGravityZone appliance where the archive will be saved.

The GravityZone appliance has a Linux directory structure. For example, youcan choose to create the backup to the tmpdirectory. In this case, enter

/tmpin thePathfield.

FTP, for saving the backup archive to a FTP server. In this case, enter theFTP details in the following fields.

Network, for saving the backup archive to a network share. In this case,enter the path to the network location that you want (for example,\\computer\folder), the domain name and and the domain user

credentials.

4. Click the Test Settings button. A text notification will inform you if the specifiedsettings are valid or invalid.

To create a backup, all the settings have to be valid.



48/115

5. ClickGenerate. TheBackuppage will be displayed. A new backup entry will beadded to the list. Check the Status of the new backup. When the backup is

completed, you will find thetgzarchive at the specified location.

NoteThe list available in the Backuppage contains the logs of all created backups.These logs do not provide access to the backup archives; they only display detailsof the created backups.

To schedule a database backup:

1. Go to theConfigurationpage in Control Center and click the Backuptab.

2. Click the Backup Settings button at the upper side of the table. A configurationwindow will appear.

3. SelectScheduled Backup.

4. Configure the backup interval (daily, weekly or monthly) and the start time.

For example, you can schedule backups to run weekly, every Friday, starting at22:00.

5. Configure the scheduled backup location.6. Select the type of location where the backup archive will be saved:

Local, for saving the backup archive to the GravityZone appliance. In thiscase, you have to specify the path to the specific directory from theGravityZone appliance where the archive will be saved.

The GravityZone appliance has a Linux directory structure. For example, youcan choose to create the backup to the tmpdirectory. In this case, enter

/tmpin thePathfield.

FTP, for saving the backup archive to a FTP server. In this case, enter theFTP details in the following fields.

Network, for saving the backup archive to a network share. In this case,enter the path to the network location that you want (for example,\\computer\folder), the domain name and and the domain user

credentials.

7. Click the Test Settings button. A text notification will inform you if the specified

settings are valid or invalid.



49/115

To create a backup, all the settings have to be valid.

8. ClickSaveto create the scheduled backup.

How to restore a GravityZone database backup

When from various reasons your GravityZone instance is working improperly (failedupdates, dysfunctional interface, corrupted files, errors, etc.), you can restore theGravityZone database from a backup copy:

Using the same appliance Using a fresh GravityZone image Using the Replica Set feature

Choose the option that best suits your situation and proceed with the restorationprocedure only after you have carefully read the prerequisites described hereinafter.

Restoring the database to the same GravityZone VA

Prerequisites

A SSH connection to the GravityZone appliance, using therootprivileges.

You can useputtyand bdadmins credentials to connect to the appliance viaSSH, then run the commandsudo suto switch to therootaccount.

The GravityZone infrastructure has not changed since the backup.

Both backup files (.jsonand.tgz) are available.

In distributed architectures, GravityZone has not been configured to usedatabase replication (Replica Set).

To verify the configuration, follow these steps:

1. Open the/etc/mongodb.conffile.2. Check thatreplSetis not configured, as in the example below:

# replSet = setname

To restore the database when Replica Set is enabled, refer tothis section.

No CLI processes are running.

To make sure all CLI processes are stopped, run the following command:

http://localhost/var/www/apps/conversion/tmp/scratch_5/http://localhost/var/www/apps/conversion/tmp/scratch_5/


50/115

# killall -9 perl

Themongoconsolepackage is installed on the appliance.

To verify the condition is met, run this command:

# /opt/bitdefender/bin/mongoshellrestore --version

The command should not return any errors, otherwise run:

# apt-get update# apt-get install --upgrade mongoconsole

Restoring the database

1. Extract the files from the backup archive:

# cd /directory-with-backup

# tar -xvf gz-backup.tgz

, where directory-with-backup is the path to the place where you saved thebackup files andgz-backup.tgzis the.tgzarchive file of the selected backup.

The files are unpacked in a new folder with the same name as the .tgz file, underthe current directory. The files are unpacked in a new folder with the same nameas the.tgzfile, under the current directory.

For example:

# cd /tmp/backup

# tar -xvf gz-backup-2014-11-24_16h20m.tgz

# lsgz-backup-2014-11-24_16h20m.json gz-backup-2014-11-24_16h20m.tgzgz-backup-2014-11-24_16h20m

2. Restore the database.



51/115

# nohup /opt/bitdefender/bin/mongoshellrestore --drop -u bd -p \ptqZChPE /directory-with-backup/gz-backup >\

/directory-with-backup/restore.log 2>\/directory-with-backup/restore-err.log & tail -f \/directory-with-backup/restore*.log

The restore command creates two log files in the directory with the backup:restore.log,restore-err.log.

For example:

# nohup /opt/bitdefender/bin/mongoshellrestore --drop -u bd -p \ptqZ/tmp/backup/restore.log 2>/tmp/backup/restore-err.log & tail -f/tmp/backup/restore*.log

3. Wait until no new message is listed on the screen, then press CTRL + C.

4. Restart the GravityZone appliance(s). The database restoration is now complete.

Restoring the database from a decommissioned GravityZone VA

Prerequisites

A fresh GravityZone VA installation:

With the same IP as the old appliance

Havingonlythe Database Server role installed.

You can download the GravityZone VA image fromhere.

A SSH connection to the GravityZone virtual appliance, using the root privileges.

The GravityZone infrastructure has not changed since the backup was made.

Both backup files (.jsonand.tgz) are available.

In distributed architectures, GravityZone has not been configured to usedatabase replication (Replica Set).

If you use Replica Set in your GravityZone environment, you also have theDatabase Server role installed on other appliance instances.

To restore the database when Replica Set is enabled, refer tothis section.

http://download.bitdefender.com/SMB/[GravityZone]/Current/http://localhost/var/www/apps/conversion/tmp/scratch_5/http://localhost/var/www/apps/conversion/tmp/scratch_5/http://download.bitdefender.com/SMB/[GravityZone]/Current/


52/115

Restoring the database

1. Stop VASync.

# stop vasync

2. Extract the files from the backup archive:

# cd /directory-with-backup

# tar -xvf gz-backup.tgz

, where directory-with-backup is the path to the place where you saved thebackup files andgz-backup.tgzis the.tgzarchive file of the selected backup.

The files are unpacked in a new folder with the same name as the .tgz file(gz-backup), under the current directory.

For example:

# cd /tmp/backup

# tar -xvf gz-backup-2014-11-24_16h20m.tgz

3. Restore the database.

# nohup /opt/bitdefender/bin/mongoshellrestore --drop -u bd \-p ptqZChPE /directory-with-backup/gz-backup >\/directory-with-backup/restore.log 2>\/directory-with-backup/restore-err.log & tail -f \/directory-with-backup/restore*.log

The restore command creates two log files in the directory with the backup:restore.log,restore-err.log.

For example:

# nohup /opt/bitdefender/bin/mongoshellrestore --drop -u bd -p \ptqZChPE /tmp/backup/gz-backup-2014-11-24_16h20m >\/tmp/backup/restore.log 2>/tmp/backup/restore-err.log & \

tail -f /tmp/backup/restore*.log



53/115

4. Wait until no new message is listed on the screen, then press CTRL + C.

5. Restore the old appliance ID:

# /opt/bitdefender/bin/mongoshell -u bd -p ptqZChPE devdb \eval print(db.applianceInstalls.findOne({name:'db'}).\applianceId)" --quiet > /opt/bitdefender/etc/applianceid

6. Note down any other roles that were installed from the backup.

7. Remove the old roles from the database.

# /opt/bitdefender/bin/mongoshell -u bd -p ptqZChPE devdb \eval "db.applianceInstalls.remove({ip:db.applianceInstalls.\findOne({name:'db'}).ip,name:{'$ne': 'db'}});" --quiet

8. Start VASync.

# start vasync

9. Reinstall the other roles that were previously on the appliance.

10. Restart the GravityZone appliance(s). The database restoration is now complete.

Restoring the database in a Replica Set environment

If you have deployed the database in a Replica Set environment, you can find theofficial restore procedure on themongoDB online manual(English only).

NoteThe procedure requires advanced technical skills and should be done only by a trainedengineer. If you encounter difficulties, please contact our Technical Support to assistyou in restoring the database.

Active Directory

Through Active Directory integration, the existing Active Directory inventory isimported into Control Center, simplifying security deployment, management,monitoring and reporting. Additionally, Active Directory users can be assigned

different user roles in Control Center.

http://docs.mongodb.org/manual/tutorial/restore-replica-set-from-backup/http://www.bitdefender.com/support/con

Bitdefender GravityZone InstallationGuide 7 EnUS

Documents

Transcript of Bitdefender GravityZone InstallationGuide 7 EnUS