Bitdefender

This is a complicated question with no universal answer. For clients with compliance obligations like HIPAA or SOC 2, we typically recommend Enterprise plus the Full Disk Encryption and Email Security add-ons. If you want an (X)EDR solution for any other reasons (like getting a discount on a cyber insurance policy), or just want top-tier protection, Enterprise is still the way to go, but the add-ons may or may not be necessary. If the last sentence about top-tier protection sounded great, but you don’t know (or want to learn) what EDR means, or prefer something you can set and forget, Premium is a great option offering most of the same protection layers.

If you have a significant number of servers or are interested in an on-premise solution, A-la-carte is most likely the right approach. This model lets us fine-tune the license to the makeup of your environment.

Still not sure? Let us know what you’re looking to protect in the contact form below, and we’ll be happy to help find the best fit.

The first time you log into the GravityZone console, you’ll be presented with download links for BEST (Bitdefender Endpoint Security Tools). If you’ve checked the “don’t show again” box on that popup and instead see the Executive Summary after logging in, you’ll need to configure and download a Package.

On the left-hand sidebar, click Packages (under the Network header). If you already see a package, great; you can download BEST by clicking the checkbox next to it then clicking Download at the top of the screen. The various “Downloader” options are small files that will automatically download the latest version of BEST appropriate for the platform it’s being installed on. We don’t recommend using the “kit” options unless you have a compelling reason.

If you don’t have a package, creating one is simple. Click Add at the top of the screen, enter a meaningful name, then arrange the sliders for the various Modules as desired. The icons to the right of each module indicate which operating systems support that feature. Don’t worry if a feature isn’t available on some of your endpoints; the BEST installer will automatically skip those. If you don’t know what you need, turning on all the modules, and leaving the roles and remove competitors as they are is usually a safe bet. There’s an option below Settings to set an uninstall password, which we do recommend, but that password should be set in the Policy instead. Click Save then follow the steps above to download the installer using the package you just created.

These are our recommendations based on numerous deployments across a wide array of customer environments. As with any security effort, you should seek professional advice to ensure you’re properly protected.

Starting from the Default Policy, here’s what we suggest changing. Log into the GravityZone console, click Policies on the left, check the box next to Default Policy, then click Clone Policy at the top of the screen. In order to save space and make this section easier to follow, the steps below are only changes from the default settings, not the full policy. If your console is linked to ours (which it will be if we set up your trial), we can also apply our recommended policy for you.

• General
  • Details
    • Change the name to something short but meaningful. We typically abbreviate the company name and specify which users the policy applies to, or if it’s the global default for that company.
    • Check the Allow other users to change this policy box.
  • Notifications
    • Check the Endpoint Restart Notification box.
  • Settings
    • Choose Set uninstall password and enter a secure password to ensure the software can only be removed by authorized individuals.
    • Check the Power User box and enter a secure password to allow quick and easy access to security settings on individual computers without making changes to the overall policy. Don’t reuse the uninstall password you just set!
    • Check Allow endpoints to send user login data to GravityZone to help keep track of your endpoints in the Network view.
  • Update
    • Check If needed, reboot after installing updates every and choose a time of day that accommodates your business needs.
• Antimalware
  • On-Access
    • Check the Ransomware Vaccine box.
  • On-Execute
    • Check the Ransomware Mitigation box. We strongly recommend leaving Recover set to On Demand.
  • On-Demand
    • Click Add > Full Scan, enter a name like “Weekly Full Scan”, then check the “Run the task with low priority” box to avoid excessively slowing down computers during scans. Next, configure the Recurrence to match the name, and check the If scheduled run time is missed, run task as soon as possible box. We typically enable Skip if next scheduled scan is due to start in less than with the default 1 day period. This will help prevent alerts on endpoints that a full scan has not been conducted in over a week.
• Sandbox Analyzer (Premium, Enterprise, and A-la-carte with Sandbox Analyzer add-on licenses only)
  • Check Automatic sample submission from managed endpoints.
• Firewall
  • General
    • Check Monitor Wi-Fi connections.
  • Rules
    • Change Network Printing to Allow by clicking on the Deny drop-down.
• Network Protection
  • General
    • Check Intercept Encrypted Traffic and Scan HTTPS, then uncheck Browser Search Advisor (legacy).
• Device Control
  • Check the Device Control box, then click each of the below Device Classes and change them to Blocked unless your business uses them:
    • Floppy Disk Drive
    • IEEE 1284.4
    • IEEE 1394
    • Modem
    • Tape Drive
    • Windows Portable
    • SCSI RAID
  • Also consider disabling COM/LPT Ports and External Storage unless you know you need them.
• Risk Management
  • Check the Risk Management box at the top, and check the If scheduled run time is missed box at the bottom. Optionally, you can change the task interval or timing, but this is not necessary.

You’re almost done! Click the blue Save button at the bottom. Check the box next to your newly-created policy then click Set as default at the top of the screen. Leave Keep the current policy assignment unchecked if you’re switching from the original Default Policy, then click OK.

Collecting logged-in user data is disabled in the Default Policy. If you haven’t already, consider reading and applying our recommended policy settings above.

To enable just this feature, log into the GravityZone console, click Policies on the left, select your policy, then click Settings under the “General” header. At the bottom of the main panel, under the “Options” header, check the Allow endpoints to send user login data to GravityZone box, then click Save at the bottom of the screen.

This is usually one of two things: the operating system on your endpoints doesn’t natively support encryption (such as Home editions of Windows), or you don’t have the Full Disk Encryption add-on. We’d be happy to help you with either license; contact us here to let us know what you need.

First, add the following exclusions as Folders under Policies > (your policy) > Antimalware > Settings > Custom Exclusions:

• MacOS:
  • /Volumes/GoogleDrive/
  • ~/Library/Application Support/Google/DriveFS/
  • /Applications/Google Drive File Stream.app/Contents/MacOS/Google Drive File Stream
• Windows:
  • G:\
  • %LOCALAPPDATA%\Google\DriveFS

For consistency, you may also want to set up forced drive letters on Windows per Google’s documentation.

You might also want to disable Device Scanning (or at least the USB storage devices subtype) under Antimalware > On-Demand. Per Bitdefender, as long as On-Access Scanning is still active this doesn’t really pose a security risk, but it should prevent the entire G:\ drive getting scanned when the drive is “plugged in” (i.e. when the Drive sync app comes online). You could also enable Do not scan devices with stored data more than (MB) and set a threshold below your Google Drive volume size.

Lastly, if you’re using Device Control to block external/portable drives, you would need to set External Storage to Custom and change the Other type at the bottom to Allow.