
Bitdefender Configuration

Product Versions

Bitdefender GravityZone Ultra

  • The bundle includes Prevention, Detection and Response, Hardening and Endpoint Risk Analytics modules
  • Version


GravityZone Ultra consists of more than 30 layers of protection that defend endpoints against cyber-attacks such as malware, fileless threats, exploits, zero-day threats, and targeted attacks. It supports Windows, macOS and Linux platforms. The solution is delivered through a single SaaS console and a single endpoint agent that combines:

  • Prevention
    • Machine learning based anti-malware
    • Exploit mitigation
    • Network Attack Defense
    • Tunable machine learning (aka HyperDetect)
    • Sandbox Analyzer
    • Fileless Attack Defense
    • Malicious process monitoring
  • Hardening
    • Patch and Vulnerability Management
    • Risk Analytics
    • Device Control
    • Web Threat Protection
    • Full Disk Encryption
  • Detection and Response
    • EDR
    • Anomaly Defense
    • Root Cause Analysis
    • MITRE event tagging
    • Optional Managed Services

Each layer is designed to stop specific types of threats, tools or techniques, covering multiple stages of an attack. The product includes hardening controls that proactively reduce the attack surface, pre-execution detection powered by machine learning, and on-execution detection via behavior engines and anti-exploit capabilities.

Bitdefender's patented machine-learning technology uses both local and cloud machine-learning models to detect malicious files and URLs. More than 50,000 static and dynamic features are extracted using different extraction techniques such as an emulator, unpacking routines, and cryptographic filters. The models are trained and tested constantly using an extensive data set of fresh, varied and representative malware samples, which maintains detection accuracy and efficacy. Process Inspector is a behavioral detection technology that constantly monitors and scores active applications and processes, and acts when a threat is detected.

The EDR module collects and analyzes endpoint events to detect suspicious activity. It has adopted the MITRE ATT&CK framework: where applicable, the incident description and visualization in GravityZone Ultra provide references to MITRE ATT&CK techniques, and security analysts can also search endpoint events by MITRE ATT&CK indicators. GravityZone Ultra includes baselining capabilities modeled on the MITRE ATT&CK framework; any deviation from the baseline is reported as an incident in GravityZone Ultra.

Product Configuration

Policy Configuration:

  • All prevention engines enabled, but in report-only mode
  • EDR enabled