Note: GZiaB can protect physical, virtual and mobile devices – my focus is on virtual machines, with a particular focus on virtual desktops. For that reason I will skip the part of the appliance that deals with physical and mobile endpoints.

If you have been following my EUC work for a while you’ll know I’ve spent sometime in the lab with Bitdefender GravityZone. I first came across the company when I was writing the “EUC Book” with fellow vExpert Barry Coombs (aka @VirtualisedReal).

Back then I was looking closely at the VMware “vShield” Endpoint technology. In case you don’t know it offloads the demands of AV out of the guest operating system, onto a dedicated appliance. I recently did some updates around Chapter 23 of the book, and Bitdefender were kind enough to sponsor that work which allowed me to give that chapter away for free.

Anyway, more time has elapsed and Bitdefender have been busy (re)developing their offering called “GravityZone-in-a-box” (GZiaB). I did an hour long WebEx with them – where they briefed me on the new offering that have been announced today.

In the full enterprise release of GravityZone a single virtual appliance can be downloaded and configured for a number of different roles including a database, update, communication and web console. The idea is that you can deploy a number of appliances running each role, and drive up scalability. Of course, it’s entirely possible to enable all these roles on the same virtual appliance – which is what I did to keep the setup simple.

What’s new is that Bitdefender now have an appliance designed with SMB’s in mind with all these roles are already setup and configured for us. They have also licensed the “in-a-box” solution at a price point that should make it attractive to the SMB market with a sliding scale of packs based on the number of endpoints you want to protect. Notice how I just said “endpoints” – the GZiaB solution supports protecting physical, virtual and mobile endpoints. At the moment the appliance scales up to about 250 endpoints – so you’ll need have a handle on the number of endpoints you expect have with an licensing period. You’ll also need to work out whether high-availability of the AV management layer was something that was an absolute requirement. That’s something that’s available GZ, but not in GZiaB. There is possibility of out-growing the 250 devices best practise by adding more CPU/Memory to the appliance. But at that stage you might be better of looking at the full GZ model which includes HA. In my session with Bitdefender they did indicate that upgrading from GZiaB to the fully GZ version would be possible. There’d be no need to touch/upgrade the endpoints themselves (phew!) but merely enables the deployment of additional appliances need for GZ (including the SVA appliance mentioned to , and porting of your licenses entitlements to the GZ product.

What makes GZiaB different is that it doesn’t leverage the vShield Endpoint. Personally, that’s a bit of a disappointment to me for reasons that are probably obvious to everyone (you do know I work for VMware, right?). That got me thinking about why that might be the case – and no isn’t Bitdefender putting the best cookies in a jar on the top shelf, and charging top dollar. I think it’s more about easing the deployment of a virtualized AV solution. As you might know vSphere vShield Endpoint is now “free”, in that its now rolled into the mainstream suites and SKUs, where as previously it was available as part of the vCenter Network & Security (vCNS) bundle. Historically, its been bundled with various editions of vSphere and Horizon View – to offer a complete package of end-user compute virtualization, virtual desktops, application virtualization (with ThinApp) and also anti-virus. Apart from the cost of acquiring vShield Endpoint the other barrier was it didn’t provide the virus definitions/scanning/quarantine process expected of AV system. Instead vShield Endpoint provided a robust infrastructure that AV partners like Bitdefender, Trend Micro and Symantec could leverage to build AV solutions. So that was two products you needed to get of the ground – vShield Endpoint and a third-party provider certified in the program.

You would have thought making vShield Endpoint “free” would open the floodgates. But I’m not sure whether it has. I’m going say something that sounds critical here, but I’m going to say it because – well, I think it’s the truth. I think one barrier to adoption is two layers of management that comes hand in hand with the virtual AV (software-defined-AV or SDAV!) There’s the administration of the VMware part, and then the administration of the third-party component. Whilst an able person such as I, who has been working with VMware for some years, and is heavily exposed to the Enterprise products in the stable wouldn’t struggle – sadly, that isn’t the case for your average SMB person. Now that does NOT mean I think SMB people are less able or technology – that’s hogwash. What SMB people are VERY busy, and have to wear many hats – and in some case ALL the hats in an organization. One minute you’re in the AV room fixing a projector, the next you have a Putty session open an VMware ESX host. What I would love to see happen is some rationalization around the deployment process for vShield Endpoint that would enable the third parties to OEM and deploy the vShield Endpoint component. So the deployment of the vShield Endpoint, and the VMCI driver (that’s part of VMware Tools) is something that a third-party could deploy. Anyway I’m not the PM or PMM of Endpoint, and I’m not privy to the roadmap – so I have no clue if this can/will happen – but I figure anything that makes rolling out VMware Endpoint+3rd party would only result in more usage and more revenue for both parties…

Anyway, that’s my two cents – lets check this GZiaB out.

Deploy and Configure GZiaB Appliance

Deploying the appliance was simply an import process in vCenter followed by a power on. At first power on you will be asked to set a password for the appliance for the “bdadmin” user.

TIP: Make a note of the “bdadmin” password as you will need it to login to the Remote Console.

Screen Shot 2013-10-07 at 11.35.49

Once you have authenticated then the console menu appears. The Hostname & Domain settings allow you to join the GZiaB appliance to your Microsoft Active Directory Domain, and the Network Settings allow assigning a static IP address to the appliance.

There should be no further configuration required as all the roles normally associated with scaed-out enterprise deployment have been pre-enabled.

Screen Shot 2013-10-07 at 11.51.18

Connect to Web-based “Control Center”

You connect to the web-based “Control Center” using https, and once connected there’s an initial setup – where you will be required to supply your “Bitdefender” account. This is not the username/password of the appliance, but the username/password your account on the Bitdefender.com website. Next you will need to provide your license key, and the details for setting up the “root” account details:

Screen Shot 2013-10-07 at 14.23.04
The password provided here must meet minimum password complexity requirements – I used a mix of uppercase and lowercase, numbers and special characters. When I log in to get “root” access I will use the account above “mikel” with my complex password.

TIP: Make a note of the root account username and password as you will need this to gain high-level management over the Control Center.

On first use, GZiaB presents a welcome screen that outlines the post-configuration tasks which include:

  • Adding additional licenses for features and devices
  • Integration with Active Directory
  • Integration with Virtualization Management (aka VMware vCenter!)
  • Mail Services – to send alerts to the administration team
  • Security Certificates – used by Apple IOS to trust the appliance and enabled mobile security
  • Creating additional user accounts on the GZiaB appliance for delegation of management – specifically you need at least one “administrator” account to carry out day-to-day network, security and reporting tasks.

Screen Shot 2013-10-07 at 14.27.49

Adding Active Directory…

It is possible to configure GZiaB to communicate to Active Director every hour or more, to retrieve AD information. This can be then used to deploy and manage both physical and virtual machines that are part of that domain.

Screen Shot 2013-10-07 at 14.31.08
There’s no need to supply the user account in the DOMAIN\username format or even in the UPN format username@domain.com. Merely the username on its own is all that is required.

Adding VMware vCenter…

As GZiaB supports both physical and virtual machines, it’s possible to add in your VMware vCenter server into the Control Center scope of management. You merely, select the “Virtualization” tab, and use the plus symbol to add in vCenter – you can specify the username/password used to access vCenter – or reuse the account used for adding Active Directory – assuming that it the user account has rights to both.

Screen Shot 2013-10-07 at 14.32.29

Screen Shot 2013-10-07 at 14.33.00

Enable Mail Server…

Under Settings you will find the options to configure the mail server and optionally the proxy server if you use one.

Screen Shot 2013-10-07 at 15.18.02

Create Administrative User Accounts…

Under accounts you should be able to add additional users to carry out day-to-day tasks such as network, security and reporting administration. This means you do not need to login to the appliance or the Control Center with the “bdadmin” or “root” accounts. It’s this “administrator” account that you will most likely use on daily basis.  In my case I used my domain “administrator” account from my AD domain. The AD search worked because I’d already configured Active Directory access earlier…

Screen Shot 2013-10-07 at 14.47.21

Securing your endpoints

We are now down with the main configuration of the appliance – and we can now switch our focus to protecting the physical and virtual endpoints. We should be able now to logout, and login as our “administrator” account. When you do this you should see another welcome screen that outlines the steps you need to take to protect your endpoints.

Screen Shot 2013-10-07 at 15.48.08

As we added VMware vCenter into GZiaB we are able to browse the Inventory of vCenter, and add VMs into the Control Center. This is done by selecting “Network” in the Control Center, and selecting “Virtual Machines” from the pull-down list.

Screen Shot 2013-10-07 at 15.59.12

By default the Control Center opens up on the “Hosts & Clusters” view of vCenter, but is possible to switch to a “Virtual Machines” perspective using the “Views” option. From here it’s possible to select multiple VMs, and install the Bitdefender client.

Screen Shot 2013-10-07 at 16.03.06

Once the client has been installed the other management options become available. When you select to install the client (referred to as bdtools) you can optionally set a password to prevent uninstalls of the software, additionally you will need to set credentials for an account that will carry out the installation – and once added select the account.

Screen Shot 2013-10-07 at 16.17.50

Screen Shot 2013-10-07 at 16.18.38

The status of the job can be monitored through the “Tasks” under “Network” within the Control Center. I was pleased to find that install of “bdtools” did not require a reboot in Windows 7.

Screen Shot 2013-10-07 at 17.12.19
The ! mark indicates there is a problem. In my case I think the presence of an existing AV solution was causing an issue. The successful task was carried with a clean VM that didn’t have an existing AV solution installed to it.

Screen Shot 2013-10-07 at 17.13.55

Screen Shot 2013-10-07 at 17.14.47

The Bitdefender Tools appear in the task tray in Windows, and provides a UI sufficient for the user to see that they are protected.

Screen Shot 2013-10-07 at 17.16.19

With the Bitdefender Tools installed I could see in the management Control Center, that the VM was flagged with a small “B” indicating the bdtools were installed, and the option to initiate a scan was enabled.

Screen Shot 2013-10-07 at 17.17.28

The GZiaB does ship with a policy system that controls access to the bdtools, and allows you to configure settings that balance security against performance. For example with a policy you could restrict access to the bdtools, and change how aggressive the “on-access scanning” is configured for.

Screen Shot 2013-10-07 at 17.26.03

Screen Shot 2013-10-07 at 17.26.20

Of course you will be keen to test if the anti-virus protection is in place. The easiest way do that is to use the “EICAR Test AV File” – this is a text file that contains a string that identifies itself as a virus. It can be download from the eircar.org website here:

http://www.eicar.org/85-0-Download.html

Once downloaded and executed the AV should scan the file and identify it as virus:

If you try to download the .com or .zip file you should find that this generates events in the bdtools. Where the files are downloaded, a virus detected and then the files are quarantined.

Screen Shot 2013-10-07 at 17.57.26