I think this might be my longest article title yet, but I do like descriptive titles. I hope everyone is well today, and I have something interesting for you. I work for a start-up, and we are just starting to have our own IT. As part of that we are going to do anti-malware using our own design. Our IT boss is pretty smart and fun to work with, and he is checking things out. I am keeping an eye on things as I love this area, and I need something for my lab. I used to use Trend in my lab, but they have not been able to provide me with a one year NFR, so I need something new. Our IT Manager was checking out this list, and we both thought the first choice on the list was interesting: BitDefender. That is how I ended up today working with BitDefender Advanced Business Security. I am going to get it going and we will see how it works.
Something different that I quite like is that the trial, or the actual purchased copy, can have its console in the cloud or the same console on-premises instead. If you choose to have the console in your own infrastructure you can download an OVF or a VHD. That makes things a little easier, and I like that thinking! Plus, you can go from a trial license to a production one easily: no uninstall and install again. Really nice, and yes, I say that because with one package I looked at I would have had to uninstall the trial before I could install the production version. Sad.
So let's see how this turns out!
- You can download the bits and docs from here. I am doing vSphere so I have the .OVA.
- We need an FQDN and an IP for the appliance, but do not create the DNS record yet. When you configure the hostname on the appliance console it tries to register its own DNS record. In my case that step reported an error, with no ill effects, because I had already created the record by hand.
- Also, I am not doing an agentless implementation that uses the virtualization layer. I will do that later, as it is the best way to protect virtual machines, but for now I am doing a traditional implementation, which means agents and software installed inside the desktops and servers.
- The BitDefender_GravityZone_InstallationGuide_6_enUS.pdf guide has a lot of info and detail, including ports and footprint info.
- We need a service account with domain admin rights. Make it a dedicated account rather than a personal one, since the appliance keeps the credentials for its scheduled AD sync.
- We need a service account with vCenter Admin rights.
- SMTP information so we can have email notifications, which is handy.
- License info. In my case it is a small code that says 30 days.
- I am using vSphere 5.5 U2 with the latest patches.
- You will need a My BitDefender account which you can create here. Use the Sign Up link in the corner.
Deploying the appliance
We start in the vSphere Web Client.
- We use the Deploy OVF Template option under the Actions menu to start things off.
- We browse to the OVA file we downloaded as part of the trial.
- We now see a screen full of info and something to approve and agree to.
- You can see the check box, and that I have checked it so I can continue. What this is about is that the OVA carries extra VM configuration (advanced settings) that will be applied to your VM. Since such settings could be abused, VMware draws your attention to them and lists the changes at the bottom of the screen. This is the biggest collection of tweaks I have seen, but BitDefender is really thinking things through!
- We now add a name and select a folder. But check out the default name above! I will change it to a real name, but I thought it funny that this appliance has that sort of name. I hope I didn't download the wrong appliance!
- Next we decide where to store the appliance.
- Now we deal with networks. We only select a port group here and do not configure any IP settings, so we will need to deal with that later on the console.
- In the next screen we see a summary, plus an option to power on after deployment. Make sure that is selected.
So we are ready to continue!
Appliance console configuration
This covers the basic configuration of the appliance, things like the network.
- We need to take care of the network first, so while in the vSphere Web Client open the console of the appliance.
- Once in the console we need to set a new password. The prompt calls it the root password, but it is also the bdadmin password (the two are the same, see the 6/8/15 update at the end of the article).
- Once we provide the new password we see the next screen, and we are prompted to log in as bdadmin.
- Log in with the password you just entered. A message about the database will scroll past, and then you will see the main menu.
- Start with Configure Hostname and work through it. I got an error at the end that said DNS update failed; that was because I had already created a static DNS record for the appliance. I had no idea it would try to register one itself!
- Next work through Configure Network Settings. Make sure to use the two show options, Show IP and Show link status, to confirm things are good.
- I don't know how many of you will need to worry about Proxy Settings or language, but if you do, deal with them here.
- The Show locally installed roles option is interesting.
- We leave the last option alone at this time.
- I do not know how to leave this screen. I can close the console window I have open, but there seems to be no way to log out. I have filed a feature request for a logout option.
I also logged into the console and tried some ping tests to make sure outgoing DNS resolution was good. It was.
Now we need to access the Web UI.
- You need to enter your My BitDefender account info. Once you log in, you will see something like the following.
- Use the Add button to add your license, or in my case the code I was sent for my 30 day trial.
- We can see that it worked for me and that it is a short trial license.
- Next we fill in company details and the admin account info.
- We are now in a getting-started wizard with a check box so we don't have to see it again.
- There is some good info in the wizard, but it loops: you can hit Next forever, so hit Close when you are done.
- Another popup is shown that lists many of the things we need to do. You can close it.
We are now going to configure the application so it is ready for use.
- Log into the application at https://fqdn (the appliance FQDN you configured).
- You will see the basic and mostly empty console.
Mail Server Config
- Change to Configuration now. It is near the bottom of the left-hand menu.
- Since there is no test button, make sure everything is correct before you save!
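Because there is no Test button, here is an added example (mine, not BitDefender's) that pushes a test mail through the relay from any box with Python 3 before you commit the settings in the console. The host, port, sender, recipient and console FQDN at the top are assumed lab values; swap in exactly what you plan to type into the Mail Server screen, including credentials if your relay wants them.

```python
import smtplib
import ssl
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
from typing import Dict, Optional, Tuple

# Assumed lab values: replace them with exactly what you are typing into
# Configuration > Mail Server. None of these come from the GravityZone guide.
RELAY_HOST = "smtp.lab.example"
RELAY_PORT = 587
SENDER = "gravityzone@lab.example"
RECIPIENT = "admin@lab.example"
CONSOLE_FQDN = "gz.lab.example"


def build_test_message(sender: str, recipient: str, console_fqdn: str) -> EmailMessage:
    """Plain-text mail shaped like a notification, with a proper Date and Message-ID
    so a picky relay or spam filter has no excuse to drop it."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Date"] = formatdate(localtime=True)
    msg["Message-ID"] = make_msgid(domain=console_fqdn)
    msg["Subject"] = f"[GravityZone test] SMTP relay check from {console_fqdn}"
    msg.set_content(
        "If you can read this, the relay settings entered in\n"
        "Configuration > Mail Server will work for notification mail.\n"
    )
    return msg


def send_test(host: str, port: int, msg: EmailMessage, *,
              username: Optional[str] = None, password: Optional[str] = None,
              use_starttls: bool = True, timeout: float = 10.0) -> Dict[str, Tuple[int, bytes]]:
    """Send msg through the relay and return its refused-recipient map (empty = accepted).

    Connection, TLS and authentication problems raise smtplib.SMTPException / OSError,
    which is exactly the feedback the console's Save button does not give you.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if use_starttls:
            if not smtp.has_extn("starttls"):
                raise RuntimeError("relay does not offer STARTTLS; use SMTP_SSL on 465 or disable TLS")
            # Explicit default context so the relay's certificate is actually verified.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()
        if username:
            smtp.login(username, password or "")
        return smtp.send_message(msg)


if __name__ == "__main__":
    message = build_test_message(SENDER, RECIPIENT, CONSOLE_FQDN)
    try:
        refused = send_test(RELAY_HOST, RELAY_PORT, message)
    except (smtplib.SMTPException, OSError, RuntimeError) as exc:
        print(f"relay check FAILED: {exc}")
    else:
        if refused:
            print(f"relay refused some recipients: {refused}")
        else:
            print("relay accepted the message; now check the inbox")
```

Run it from the same network segment as the appliance if you can, since relay restrictions are often by source IP. For a relay that only speaks implicit TLS on 465, swap smtplib.SMTP for smtplib.SMTP_SSL and pass use_starttls=False.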
NTP and Syslog
We now change to the Miscellaneous tab. It can be seen in the SMTP screenshot above.
- NTP is already set, but make sure it makes sense for you.
- Also enable syslog if that is something you need or want.
- I cannot seem to find anything in syslog. I have tried to filter on hostname and IP address with no luck. Will investigate. Oops, the port is wrong. Dang.
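Since the only way I found my port mistake was by staring at an empty log, here is an added example, not BitDefender code, of a small UDP syslog receiver you can run on the syslog box (or any host) to prove datagrams are leaving the appliance and landing on the port you think they are. The listening port 5514, the bind address and the sample datagram are my assumptions, and the sample line is constructed, not a real appliance message. It decodes the PRI header so you also see which facility and severity the events carry, which matters when the syslog server filters by facility. It assumes the appliance sends UDP; if you configured TCP this listener will not see anything.

```python
import re
import socket
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# RFC 3164 / 5424 priority = facility * 8 + severity, carried as "<PRI>" at the start.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogEvent:
    facility: str
    severity: str
    body: str


def parse_syslog(datagram: bytes) -> Optional[SyslogEvent]:
    """Decode the PRI header; returns None for anything that is not syslog at all."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                       # 23 * 8 + 7 is the largest legal priority
        return None
    body = m.group(2).decode("utf-8", "replace").strip()
    return SyslogEvent(FACILITIES[pri // 8], SEVERITIES[pri % 8], body)


def listen(bind_ip: str = "0.0.0.0", port: int = 5514,
           max_events: Optional[int] = None) -> Iterator[Tuple[str, SyslogEvent]]:
    """Yield (source IP, event) per UDP datagram; unparsable ones are reported, not dropped,
    so a wrong sender or garbage on the port is still visible."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_ip, port))
        seen = 0
        while max_events is None or seen < max_events:
            data, (src, _) = sock.recvfrom(65535)
            ev = parse_syslog(data)
            if ev is None:
                ev = SyslogEvent("?", "?", f"non-syslog datagram: {data[:60]!r}")
            seen += 1
            yield src, ev


# Constructed sample (assumption, not a captured appliance line): PRI 134 = local0.info.
SAMPLE = b"<134>Jun  9 10:15:01 gz-appliance GravityZone: Malware Outbreak detected on 2 endpoints"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE))
    # Point the appliance's syslog setting at this host and port, then trigger an event.
    for src, ev in listen(port=5514, max_events=5):
        print(f"{src} {ev.facility}.{ev.severity}: {ev.body}")
```

Binding 514 needs root, which is why the example uses 5514; either set the appliance's syslog port to 5514 for the test or run the script as root on 514. If you would rather not run anything, tcpdump -n udp port 514 on the syslog host answers the same question with less detail.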
Backup
I like to have a backup of my configuration. It will not take long before there is enough configuration in this product to make a backup handy!
- So change to the Backup tab.
- Now use the Settings button to create a backup schedule.
- You will now have a screen to configure the backup job. See below how I configured mine.
- I love how we have a Test Settings button. Make sure to use it.
- Once you hit Save you will not see anything until the schedule fires or you use the Backup Now button, which I shall do.
- I have to fill in all the settings again, as Backup Now does not reuse the settings we just configured. Once done, the backup starts. The status shows Processing for a few minutes; hit the Refresh button and you can see it is done.
- Curious what you see at the backup location? I am.
Active Directory Integration
Now we change to the Active Directory tab to configure that connection.
- We enable and configure the connection. There is no Test button, which is too bad.
- Once we hit Save we get immediate feedback, so that is sort of a test button. At least it doesn't wait for the scheduled sync to try.
vCenter Integration
Now we change to the Virtualization tab. Surprise, right? We use the Add button once we are there.
- We fill in the fields with our own info and see something like below before we save.
- Once we Save, and after a moment use Refresh, we can see that things worked.
Appliance update
While doing the configuration I clicked on the bell in the top right to see what it was about.
- Clicking the bell showed Update Available. I clicked on that, then on Update Available in the left part of the screen, and that filled in the Details at the bottom.
- I now change to the Configuration \ Update view.
- Between the Current and Update version fields I can see a very minor update is available.
- So I push the Update now button; after all, there are no users to be impacted yet.
It only took a short time and I was back at the login prompt. So all good.
I am going to continue to use the default policy for a bit and see how it goes. The default policy is pretty good. I will do an article on how it might be changed.
Installation – desktop
We will install the first client on my Windows desktop. We do this by creating a package that we execute on the desktop manually. It uses the policy settings, and I can customize it a little. So let's get started.
- Change to the Networks \ Packages view.
- Use the Add button to add a new endpoint package. Give it a name and description.
- I have also deselected the Firewall but made no other changes. Firewalls are hard enough to manage, and AD (Group Policy) is already doing that for me in the lab.
- We see we have a new package now.
- I am going to select it and download it. I get a lot of choices of what to download.
- I like how this one package, currently with the default policy and a simple configuration, can be applied to a variety of different operating systems. Very nice.
- I will now execute the kit on my desktop manually. It extracts to just two files.
- I double-click the .exe and UAC asks if I am sure.
- Now I see this.
- So it removes MSE (Microsoft Security Essentials); good. But this shows the install is not a silent process, so it is not yet suited to a login script or GPO distribution. Removing MSE required a restart, and the installer said it would continue after the restart.
- The install process does indeed resume after the restart, and the first thing it does is scan.
- Even with the restart, and scan, the install is finished pretty fast.
- We can see it running in the tray.
- When we start it up we see a minimalist UI which I like.
- My 2 risks go away after a very quick update and a not so quick scan.
I can build a package and enable Exchange support in it very easily and protect both the OS and Exchange itself. Handy.
Installation – Mac
I use the same Power User package but download the Mac kit for it. It downloads a .pkg file, which needs to be copied to the local Mac hard drive before I can execute it.
It is a simple install: it confirms which disk, asks for authentication, and installs. Once it finishes not much is seen, but there is a clue it is working up in the top right corner of the screen, in the menu bar.
From it (click on it) I can Open Main Window which is seen below.
So pretty easy! Very nice UI and well done by Mac standards. Uses the OS X notifications nicely too.
Installation – Server
We will install the first server. It seems we could use the same package I used on my desktop, but I will create a new package that does not have Power User enabled (and no firewall or device control either) to hopefully minimize the footprint a little.
The package installs the same as on my desktop, described above, but without having to remove MSE. So easy.
There was no restart needed.
I am testing the remote install of servers and that is working quite well. The installs happen in the background and are invisible to users, if there are any on the console of the servers. I am experimenting to see if that is the best way to do mass deployments and will do an article when I confirm.
Notifications
We need to configure some basic notifications so that when malware strikes, or when an update is available, I get an email. When preparing packages earlier you saw a Notifications option; that one is about letting users know if they had an incident on their own computer. Here we are going to configure the system to let you, the admin, know when certain things occur, like malware strikes or updates waiting for you. So log into the GravityZone console.
- Click on the bell in the top right next to your name. It expands, and then you select See All Notifications.
- You will be in a different area now where you can see all of the notifications, but more too.
- Early in the implementation of any product I like to have more notifications rather than fewer, so I will not delete any of the notifications we see above. Don't forget you can click on one to see more info in the section below.
- Let's use the Configure button highlighted above with a red arrow.
- At the top of the screen pictured above is how long to keep notifications before deleting them. I think for now that can stay as is.
- Below that you set who gets the email notifications. Often that will be a security group.
- Below that, in a window, there is a long list of events that can be enabled.
- I have clicked on and highlighted the first item, Malware Outbreak; see what changes on the right? We can change the visibility. Also notice that without clicking you can hover over Malware Outbreak and learn what it means: essentially, if at least 5% of your protected machines get infected at or near the same time, that is an Outbreak. Decide if you like the visibility settings, change as necessary, and move to the next item.
- For me, I set Send per email on for the following:
- Malware Outbreak
- All of the License related items
- Update available
- All of the Exchange related items
- Antimalware and Antiphishing
- Security event status
- Note that some of these items have further configuration that can help avoid email overload.
- Once you Save, you are returned to the Notifications view. You will now get information via email as you configured.
This will help you be more efficient as you will be proactively notified when necessary and not have to check the Dashboard all of the time!
Testing detection and notification
We need to make sure that we can detect a virus, notify appropriately, and handle the virus properly. However, we do not use a real virus for this!
First we check that the software is installed and communicating with the management server, which is very important, so we look at the Dashboard.
The portlet on the right, titled Computers – Malware Status, can be clicked on. It will open up a new window.
Notice how all four machines I have installed BD on are shown here; one of them is a Mac. If we select one we can see more info.
So we know that our installed software is working and talking to the management server, which is good.
Next we need to test our notifications. So I get a test malware sample from here; it is a test file that BitDefender (and all of the major players too) will detect as a virus, but it is not one. With my current default policy it was not caught in real time, but it was caught in a scan. I may need to improve the default policy, but that will be part of another article. See the email below.
You can see the scan log with the detection below.
So we are good now. We have machines protected, both Windows and Mac, as well as different flavors of Windows. We are using the default policy, but we can update and improve that as we see how things are going. BTW, another way to trigger a malware alert is to create a text file that contains format c: /autotest; it will be deleted after you save, and you will get a notification, if you have configured one.
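To make the real-time versus on-demand difference above repeatable, here is an added example of mine, not BitDefender's, that writes the EICAR test file and watches whether on-access protection removes it within a timeout. The target directory (EICAR_DIR) and the 15 second window are assumptions; EICAR itself is the standard, harmless test string. Run it only on an endpoint where you want the agent to react, and expect a detection notification if you enabled those above.

```python
import os
import tempfile
import time
from typing import Callable

# The standard 68-byte EICAR test string, kept in two halves so the signature does
# not appear verbatim in this source file; it is assembled only when written out.
_EICAR_HEAD = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$"
_EICAR_TAIL = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def eicar_bytes() -> bytes:
    data = _EICAR_HEAD + _EICAR_TAIL
    if len(data) != 68:
        raise ValueError("EICAR string must be exactly 68 bytes")
    return data


def drop_test_file(directory: str, name: str = "eicar.com") -> str:
    """Write the test file; an OSError here usually means on-access scanning blocked the write."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(eicar_bytes())
    return path


def wait_for_removal(path: str, timeout: float = 15.0, interval: float = 0.25,
                     exists: Callable[[str], bool] = os.path.exists) -> bool:
    """True if the file disappears within timeout (real-time protection acted), else False.

    `exists` is injectable so the polling logic can be exercised without touching disk.
    """
    deadline = time.monotonic() + timeout
    while True:
        if not exists(path):
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def verdict(removed: bool) -> str:
    if removed:
        return "real-time protection removed the file"
    return "file survived: real-time did not catch it; run an on-demand scan or tighten the policy"


if __name__ == "__main__":
    # Assumed: EICAR_DIR is a folder the agent watches (a user profile folder is a good choice).
    target_dir = os.environ.get("EICAR_DIR", tempfile.gettempdir())
    try:
        path = drop_test_file(target_dir)
    except OSError as exc:
        print(f"write blocked or failed ({exc}); on-access scanning probably stopped it")
    else:
        removed = wait_for_removal(path)
        print(verdict(removed))
        if not removed:
            print(f"left {path} in place so your on-demand scan can find it; delete it afterwards")
```

If the write itself fails, that is also a detection, just at a different point; if the file survives, the on-demand scan you run next should log it exactly as the scan log above does, which is a handy way to check that the notification chain works end to end.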
Summary
I am impressed. My first time with this software, but I am impressed. That means I like the feature set, the capabilities, and the footprint. I see very little impact on the protected machines. It is not perfect; I am tracking these issues:
- The Mac BitDefender client starts after a restart with its window open rather than hidden. Minor, but an issue.
- Messages don't seem to be delivered to syslog. Yes, I did at one time have the wrong port in use, but I have fixed that, and restarted even, and still nothing goes to syslog. Update: it may be working now. I have gotten one event so far!
I also have questions:
- I am looking into the best way to do mass deployments. Pushing packages seems less efficient than an MSI via GPO and AD. BitDefender support suggests that pushing a package is the best way, and alternatively you can use third party tools.
- The default seems to be to take policy and updates from the appliance, but it seems the Mac client can get updates via the Internet too. How do we control that? BitDefender support suggests this can be controlled by policy. I will investigate that in my policy article.
But anything as complex as anti-malware will have issues, and these are all minor!
You will see more articles – how to do mass deployments, and about improving policy. Plus as I learn more I will update this article too. Getting Exchange protected – both at OS level and application level was pretty easy and smooth but I may look into that more and see if an article is needed.
Questions and comments are welcome. BTW, you can watch this tag for all BitDefender related articles if you like.
- 6/9/15 – I seem to have syslog traffic now, only for malware incidents, and it started after a support engineer wandered through my UI and a restart. Will continue to monitor and have sent full logs out. I have attached above a screenshot of the event.
- 6/9/15 – support confirmed that by default a client can get updates from the Internet even when set to get updates from the management server. This is good, I think. I have done further testing on mass deployments and agree that using BitDefender to push them is pretty good. You can see the results of each push as well, so that helps.
- 6/8/15 – support got dev involved for my syslog issue. No luck yet. Odd. Also, the root password is the same as the password you created for bdadmin during setup. I realized that is not obvious.
=== END ===