Integration Guide for Bitdefender Endpoint Security Tools for Pivotal Cloud Foundry (PCF)

This article describes how to install, use and troubleshoot the Bitdefender Endpoint Security Tools for Pivotal Cloud Foundry (PCF) tile.

Overview

Bitdefender Endpoint Security Tools for PCF allows you to easily deploy Bitdefender GravityZone security agents to the VMs managed by your PCF deployment.

Bitdefender Endpoint Security Tools for PCF provides an automated way to incorporate award-winning endpoint security into BOSH-built VM instances upon their creation. With secured VMs, customers can achieve the following:

  • Protect datacenter and cloud VMs from advanced cyberattacks with layered next-generation security from Bitdefender, a Forrester® Wave Leader in Endpoint Security Suites and the AV Comparatives® Outstanding Security Product Award winner.
  • Streamline compliance with PCI DSS, HIPAA, Gramm-Leach-Bliley Act (GLBA), GDPR, and other regulatory standards calling for an anti-malware solution.
  • Eliminate the time and effort required to manually deploy the agent and apply security policies after the fact.

Key Features

Management

  • Automatic deployment of Bitdefender Endpoint Security Tools by BOSH at the time of VM instantiation.
  • Single-console, single-pane-of-glass security management, and consistent policy enforcement across heterogeneous datacenter and cloud infrastructure.
  • Automatic application of security policies at scale and security-license recovery from decommissioned VMs in VMware® vSphere, AWS EC2, and Microsoft Azure environments.
  • Compatibility with Splunk and other SIEM platforms (via Syslog) for security-event analysis.

Security

Layered next-generation endpoint security delivering, among others, the following advanced capabilities:

  • Dynamic Machine Learning (Local and Cloud-Based)

    Leverages proprietary models trained in URL filtering and file analysis on 500M endpoint-sensors and trillions of samples to maximize efficacy and minimize false positives.

  • HyperDetect Tunable Machine Learning

    Allows administrators to adjust threat-detection aggressiveness levels to suit the context and risk profile of their organization to detect high-probability, high-impact attacks while minimizing false positives on lower-risk threats.

  • Process Inspector

    Continuously monitors and scores running processes and system events and tags suspicious activities to provide proactive, dynamic detection and remediation of unknown threats.

  • Anti-Exploit

    Detects exploitation methods and protects the memory space of browsers, document viewers, media players, and office applications.

  • Sandbox Analyzer

    Automatically submits suspicious files from VMs to a cloud- or on-premises-based network sandbox for detonation and behavioral analysis.

  • Application Control

    Provides both whitelisting ("default deny") and blacklisting capabilities to restrict the range of applications allowed to run in a VM.

  • Integrated Patch Management Add-On

    Provides automatic discovery and characterization of vulnerabilities and the widest range of patches for OSs, applications and golden images.

Product Snapshot

Element                                             Details
Tile version                                        1.0.38
Release date                                        July 10, 2019
Bitdefender agent version                           Latest version available in the GravityZone console
Compatible Ops Manager version(s)                   v2.3.x, v2.4.x, v2.5.x and v2.6.x
Compatible Pivotal Application Service version(s)   v2.3.x, v2.4.x, v2.5.x and v2.6.x
BOSH stemcell version                               Ubuntu Xenial, CentOS 7, Windows Server 2012 R2, Windows Server 2016
IaaS support                                        All IaaS
IPsec support                                       Yes

Requirements

Bitdefender Endpoint Security Tools for PCF requires a Bitdefender GravityZone product.

By downloading the Bitdefender Endpoint Security Tools for PCF, you acknowledge and agree that the sole purpose of this product is to protect PCF deployments, which further implies that you acquire a Bitdefender GravityZone product. It is available as a 30-day free trial. After the trial period expires, you are subject to the licensing terms and conditions.

You can request a trial license here or by emailing Bitdefender Enterprise Sales.

Prerequisites

Bitdefender Endpoint Security Tools for PCF has the following requirements and prerequisites:

  • A PCF operator with administrative rights.
  • A Bitdefender Endpoint Security Tools installation package configured in the GravityZone console for deployment in the PCF environment.
  • To optimize network traffic, install Bitdefender Endpoint Security Tools with the Relay role in your IaaS to have a local distribution mirror for installation files and updates. For more information, see your GravityZone Administrator’s Guide.
  • To use Central Scan, you first must deploy a Security Server in your IaaS. Bitdefender Central Scan engine offloads scanning to a Security Server, a dedicated VM that deduplicates and centralizes most of the anti-malware functionality of anti-malware agents, acting as a scan server. For more information, see your GravityZone Administrator’s Guide.
  • To use on-access scanning on Linux, the Fanotify kernel option must be enabled. For more information, refer to the Fanotify man pages.
  • Make sure the protected virtual machines have connectivity to your GravityZone environment and Bitdefender Cloud services. To ensure Internet connectivity on protected virtual machines, you can use the public_ip VM extension.

    For details, refer to these knowledge base articles:

  • Make sure the protected VMs meet the Bitdefender Endpoint Security Tools system requirements:
    Note:
    The Linux agent currently installs on the system partition. It is recommended to install Bitdefender Endpoint Security Tools for PCF with Central Scan or Hybrid Scan.
    Note:
    Using fallback engines (such as Central Scan + Local Scan or Central Scan + Hybrid Scan) or installing additional features requires more resources. For detailed information on system requirements, please check your GravityZone Installation Guide.
    Note:
    Actual RAM and disk usage after installation is lower.
    • CPU:
      • Minimum: Intel® Pentium compatible processors, 2.4 GHz.
      • Recommended: Intel® Xeon multi-core CPU, 1.86 GHz or faster.
    • Free RAM Memory at installation: 1024 MB
    • Free disk space required at installation (Antimalware only):
      OS Platform   Central Scan   Hybrid Scan   Local Scan
      Linux         300 MB         800 MB        1300 MB
      Windows       350 MB         500 MB        1024 MB
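
A preflight for the Linux prerequisites above, as an added example that is not part of the Bitdefender guide or tile: it checks free space on the system partition against the Linux row of the table, free RAM against 1024 MB, and the CONFIG_FANOTIFY kernel option, and optionally tests the Relay port 7074 named in this guide. The function names, the /boot/config-$(uname -r) path and the RELAY_HOST variable are assumptions.

```shell
# Added example: preflight for a Linux VM; names, paths and RELAY_HOST are assumptions.

# Free disk space (MB) needed at installation per scan mode (Linux table row).
required_disk_mb() {
    case "$1" in
        central) echo 300 ;;
        hybrid)  echo 800 ;;
        local)   echo 1300 ;;
        *)       return 1 ;;
    esac
}

# Succeeds when the kernel config file $1 has fanotify built in.
fanotify_enabled() {
    grep -q '^CONFIG_FANOTIFY=y$' "$1" 2>/dev/null
}

# Free space (MB) on the filesystem that holds path $1.
free_disk_mb() {
    df -Pk "$1" | awk 'NR==2 {printf "%d\n", $4 / 1024}'
}

# Available RAM (MB) from a meminfo-format file; falls back to MemFree.
free_ram_mb() {
    awk '/^MemAvailable:/ {a=$2} /^MemFree:/ {f=$2}
         END {printf "%d\n", (a ? a : f) / 1024}' "${1:-/proc/meminfo}"
}

# TCP reachability of host $1 port $2 (needs bash and coreutils timeout).
tcp_reachable() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Prints one line per check; the return status is the number of failed checks.
preflight() {
    mode=$1; disk_mb=$2; ram_mb=$3; kconfig=$4; failed=0
    need_mb=$(required_disk_mb "$mode") || { echo "FAIL unknown scan mode: $mode"; return 1; }
    if [ "$disk_mb" -ge "$need_mb" ]; then
        echo "OK   disk: $disk_mb MB free, $need_mb MB needed ($mode scan)"
    else
        echo "FAIL disk: $disk_mb MB free, $need_mb MB needed ($mode scan)"
        failed=$((failed + 1))
    fi
    if [ "$ram_mb" -ge 1024 ]; then
        echo "OK   RAM: $ram_mb MB free"
    else
        echo "FAIL RAM: $ram_mb MB free, 1024 MB needed"
        failed=$((failed + 1))
    fi
    if fanotify_enabled "$kconfig"; then
        echo "OK   fanotify enabled in $kconfig"
    else
        echo "FAIL CONFIG_FANOTIFY=y not found in $kconfig (on-access scanning)"
        failed=$((failed + 1))
    fi
    return "$failed"
}

# Usage on the VM: sh preflight.sh <central|hybrid|local>; "/" is the system partition.
if [ "$#" -ge 1 ]; then
    [ -z "${RELAY_HOST:-}" ] || tcp_reachable "$RELAY_HOST" 7074 || echo "FAIL relay $RELAY_HOST:7074 unreachable"
    preflight "$1" "$(free_disk_mb /)" "$(free_ram_mb)" "/boot/config-$(uname -r)"
fi
```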

Installing and Configuring Bitdefender Endpoint Security Tools for PCF

Configure Installation Package in GravityZone

Bitdefender Endpoint Security Tools for PCF tile downloads and installs a specific Bitdefender Endpoint Security Tools package configured in your GravityZone console.

Here are the best practices to create and configure an installation package in GravityZone for use in a PCF deployment:

  1. Connect and log in to GravityZone console using an administrator account.
  2. Go to the Network > Packages page.
  3. Click the Add button at the upper side of the table. A configuration window appears.
  4. Enter a descriptive name and description for the installation package you want to create. For example, BEST for PCF.
  5. Select the protection modules you want to install:
    1. For Linux deployments, only the Antimalware module is available.
    2. For Windows server deployments, you can install additional protection modules besides Antimalware, including Advanced Threat Control, Application Control and Patch Management (if available with your GravityZone license).
      Important:
      Make sure the Relay checkbox is unselected to avoid installing the agent with the Relay role across all virtual machines and generating high network traffic.
  6. Configure Scan Mode. Bitdefender Endpoint Security Tools provides three types of engines:

    • Local Scan - most of the scanning activity is performed locally, with all signatures and engines stored locally.
    • Central Scan - offloads scanning to a Security Server, a dedicated virtual machine that deduplicates and centralizes most of the antimalware functionality of antimalware agents, acting as a scan server.
    • Hybrid Scan - uses a combination of in-the-cloud scanning and a reduced set of local signatures.

    Choose the scanning technology that best suits your network environment and your endpoints' resources. Keep Automatic for predefined defaults or choose Custom to configure as needed. If you use Central Scan, make sure the virtual machines can connect to a Bitdefender Security Server to perform scanning tasks.
  7. Under the Settings section:
    • Disable the Scan before installation checkbox to speed up deployment time.
    • You can select Use custom folders and choose a custom folder from the GravityZone Network inventory where virtual machines will show up automatically after installation, if they do not match an existing GravityZone inventory integration.
  8. Under the Deployer section, you can choose from where to download the package for installation:
    • By default, this is set to Bitdefender Cloud servers or your GravityZone on-premises server.
    • If you have installed a relay in your IaaS to mirror installation and update files, choose Endpoint Security Relay and select it from the table or complete the required information.
    Important:
    Port 7074 must be open for the deployment through Bitdefender Endpoint Security Tools Relay to work.
    Important:
    At this moment, Bitdefender Endpoint Security Tools for PCF does not support connectivity via proxy. For more information, please contact Bitdefender Business Support.
  9. Click Save to create the installation package.

    The new package is displayed in the Network > Packages page.

Warning:
Deleting the package from the GravityZone console causes Bitdefender Endpoint Security Tools installation to fail.

Get Bitdefender Package Download Links

To configure the Bitdefender Endpoint Security Tools for PCF tile, you need the package download URLs for Windows and Linux agents, depending on the operating system running on Pivotal stemcells.

To get the download links from the GravityZone console:

  1. In the Network > Packages page, select the checkbox corresponding to the package you created for use in your PCF environment.
  2. Click the Send download links icon in the action toolbar.
  3. In the new window, click the expanding arrow for the Installation links section.
  4. Copy the corresponding links for Windows Downloader and Linux Installer.

Upload Tile

  1. Download the Bitdefender Endpoint Security Tools for PCF tile from Pivotal Network.
  2. Navigate to the Ops Manager Installation Dashboard and click Import a Product.
  3. Upload the product file.
  4. After uploading, the Bitdefender Endpoint Security Tools tile appears. Initially, the tile is orange, indicating configuration is required. Once configured, the tile appears green.

Configure Tile

The Bitdefender Endpoint Security Tools for PCF tile from Ops Manager Installation Dashboard contains two forms, displayed under the Settings tab:

Important:
Make sure to configure both Windows and Linux forms with the download URL and appropriate installation target and/or exclusion rules. Pre-configured exclusions are in place for default stemcell operating systems, in order to avoid deploying the Linux agent on a Windows VM or the Windows agent on a Linux VM. Even if you do not plan to deploy on a specific platform (Windows or Linux), you must configure the download URL and add a dummy installation target for that platform.

After you configure the tile, BOSH Director installs Bitdefender Endpoint Security Tools at the same time as other applications, when deploying the Pivotal VMs.

Configure Bitdefender Endpoint Security Tools for Linux

To configure the Bitdefender Linux agent installation:

  1. Click the Linux Agent Configuration option.
  2. Under the Linux Downloader Package URL section, enter the corresponding URL copied from the GravityZone console.
  3. Configure the Linux installation targets by any of these criteria:
    • Stemcell OS - Bitdefender Linux agent will install on the virtual machines running the specified operating systems.

      The Linux Agent Configuration page includes the following default inclusions:

      • Ubuntu Trusty
      • Ubuntu Xenial
      • CentOS 7
      Important:
      You are required to have at least one default installation target when configuring the Bitdefender Linux agent. Deleting all default installation targets may generate deployment issues.
    • Job names and releases - Bitdefender Linux agent will install on the virtual machines running the specified job names and releases.
    • Deployment name - Bitdefender Linux agent will install on the virtual machines having the specified deployment name.
  4. If needed, you can configure specific Linux targets to be excluded from installation by any of these criteria:
    • Stemcell OS - Bitdefender Linux agent will not install on the virtual machines running the specified operating systems.
    • Job names and releases – Bitdefender Linux agent will not install on the virtual machines running the specified jobs.
    • Deployment name – Bitdefender Linux agent will not install on the virtual machines having the specified deployment name.
  5. Click Save.

Configure Bitdefender Endpoint Security Tools for Windows

To configure Bitdefender Windows agent installation:

  1. Click the Windows Agent Configuration option.
  2. Under the Windows Downloader Package URL section, enter the corresponding URL copied from GravityZone.
  3. Configure Windows installation targets by any of these criteria:
    • Stemcell OS - Bitdefender Windows agent will install on the virtual machines running the specified operating systems.

      The Windows Agent Configuration page includes the following default inclusions:

      • Windows Server 1803
      • Windows 2012 R2
      • Windows 2016
      • Windows 2019
      Important:
      You are required to have at least one default installation target when configuring the Bitdefender Windows agent. Deleting all default installation targets may generate deployment issues.
    • Job names and releases - Bitdefender Windows agent will install on the virtual machines running the specified job names and releases.
    • Deployment name - Bitdefender Windows agent will install on the virtual machines having the specified deployment name.
  4. If needed, you can configure specific Windows targets to be excluded from installation by any of these criteria:
    • Stemcell OS - Bitdefender Windows agent will not install on the virtual machines running the specified operating systems.
    • Job names and releases - Bitdefender Windows agent will not install on the virtual machines running the specified jobs.
    • Deployment name - Bitdefender Windows agent will not install on the virtual machines having the specified deployment name.
  5. Click Save.

Deploy Tile

After saving the Bitdefender Endpoint Security Tools for PCF tile configuration, you can deploy it:

  1. In the Ops Manager Installation Dashboard, click Review Pending Changes.
  2. In the screen containing the product list, select the checkbox corresponding to Bitdefender Endpoint Security Tools.
  3. Click Apply changes.
Important:
This will only update the runtime configuration, without affecting the existing virtual machines. You must redeploy them to install the Bitdefender agents.

Managing Protection from GravityZone

This section provides best practices on using the GravityZone console for managing and monitoring Bitdefender protection installed on the virtual machines from your PCF deployment. For detailed information, refer to your GravityZone Administrator's Guide.

Check Protected Machines

Once deployed on the virtual machines from your PCF deployment, Bitdefender Endpoint Security Tools automatically syncs with the GravityZone console to receive configuration policies and tasks and to send status or security events.

Protected virtual machines from your PCF deployment will show up in the GravityZone Network inventory. Depending on your IaaS and inventory integrations configured in GravityZone, the virtual machines will show up in GravityZone under your IaaS infrastructure, Active Directory inventory or Custom Groups (in the custom folder configured in the package settings).

Click a virtual machine in the Network inventory to see if protection is installed and check protection details.

Manage Protection Settings

Protected virtual machines are assigned a default policy, but you may want to create a dedicated policy for your PCF deployment to configure or customize specific settings, such as:

  • Security Servers to connect to, in case Bitdefender Endpoint Security Tools is configured to use the Central Scan engine.
  • Local Relay endpoint to connect to, for optimized update traffic.
  • Protection settings specific to your PCF environment.
  • Disable Windows agent graphical user interface to minimize resource consumption.

Assign the policy to the folders where the virtual machines from your PCF deployment are added.

Important:

VM instances may appear as failing during product updates, when the services are restarted. To avoid this situation, you can disable the automatic product updates in the GravityZone security policy.

To make sure the Bitdefender agents are up-to-date, you can either run an Update task from GravityZone or redeploy your instances once new Bitdefender agent kits become available.

Monitor Protection and Security Events

To monitor protection, you can check the activity reports in GravityZone or configure notifications to be sent for specific status or security events via email or syslog.

Troubleshooting Bitdefender Endpoint Security Tools for PCF

This section provides instructions for troubleshooting Bitdefender Endpoint Security Tools for PCF.

Failed Installations

Symptom

PCF deployments fail after the installation of the Bitdefender Endpoint Security Tools for PCF tile.

Explanation

This may happen because the Bitdefender Endpoint Security Tools installation on eligible virtual machines fails.

Solution

For advanced troubleshooting, the Bitdefender support engineers require installation logs:

  • The Linux agent logs to standard error and output at installation time.
  • The Windows agent delivers separate logs in the same location used by BOSH Director to collect them. Therefore, the logs collected by the BOSH Director for the failing VM deployments will also contain Bitdefender installation logs.

Virtual Machines Not Showing Up in GravityZone

Symptom

Virtual machines from your PCF deployment are not showing up in GravityZone.

Explanation

Bitdefender Endpoint Security Tools has not been successfully deployed in your PCF deployment.

Solution

Check connectivity from the virtual machine to Bitdefender Cloud Servers or Bitdefender Security Server:

Antimalware Issue in GravityZone

Symptom

The GravityZone console indicates issues with Antimalware module for PCF virtual machines, in the Network inventory.

Explanations

  • There is no connectivity to Bitdefender Cloud Servers.
  • There is no connectivity to a Bitdefender Security Server when using the Central Scan engine.

Solution

Check connectivity from the virtual machine to Bitdefender Cloud Servers or Bitdefender Security Server:

Failed Updates

Symptom

The update tasks applied to the virtual machines fail.

Explanation

There is no connectivity from the virtual machines to the assigned update servers (Relay, Bitdefender Cloud servers or GravityZone on-premises appliance).

Solution

Check the connectivity from the virtual machines to the assigned update servers:

Uninstalling Bitdefender Endpoint Security Tools for PCF

To uninstall Bitdefender Endpoint Security Tools for PCF:

  1. From the Ops Manager Installation Dashboard, click the trash icon on Bitdefender Endpoint Security Tools for PCF tile.
  2. Click Confirm in the Delete Product window.
  3. Click Review Pending Changes, then Apply Changes.

The tile is removed from the Installation Dashboard and the BOSH Runtime Config. However, the tile still appears in the Available Products view.

Important:
Please remember you must redeploy in order to actually remove the Bitdefender Endpoint Security Tools agents from the virtual machines.
Important:

Do not run the Uninstall Client task from the GravityZone console on virtual machines from your PCF deployment.

If you try to uninstall the Linux agent from the GravityZone console, the target machines will appear as failing, because the PCF monitor will see that the Bitdefender watchdog process is not running (because it will not exist anymore).

