AV Defender - FAQ
What are the hardware requirements for installing AV Defender software?
Devices must have a minimum of 1 GB of free disk space on the drive where the root directory (%programfiles%) is located.
Devices that are configured as AV Defender Update Servers must have a minimum of 11 GB of free disk space on the drive where the root directory (%programfiles%) is located.
AV Defender only runs on supported OSs. for more information, see Hardware requirements for AV Defender.
What are the IP addresses or the FQDNs of all the external update servers that AV Defender uses?
See the Bitdefender web site to help you configure your firewall to allow the needed traffic.
Is there a limit to the number or processes that can be excluded?
No, there is no limit.
Is there a limit to the number for file and folder exclusions that I can create?
There is a maximum of 1024 files and folders using AV Defender version 5.3.23 and above. AV Defender version 5.3.15 and below allows a maximum of 64 File/Folder exclusions.
Can I use wildcard characters for any File/Folder or Process exclusions?
No, wildcards are not allowed.
What do I need to specify to configure an exclusion for files, folders, and processes?
For files and folders, the format is c:\example\file.jpg.
For Processes, the format is c:\example\process.exe.
For Network Scans, the format is 192.168.0.*.
Leaving the field blank on each tab will include a sample structure requirement per exclusion.
Where does the Update Server download its updates?
The update server downloads updates from upgrade.bitdefender.com.
Where does the Probe download the installation files for AV Defender?
Installation files for AV Defender are downloaded from the N-able Server In The Sky (SIS) at http://sis.n-able.com or https://sis.n-able.com.
How do devices select the correct Update Server if there are multiple servers available?
If you have any internal Update Servers, it will be the first server in the list of Update Servers that are applied for signature configuration.
Based on the availability of the signature or state of the Update Server, AV Defender will select the correct server.
What existing antivirus software can be automatically uninstalled?
For information, see AV Defender software uninstall limitations.
If a specific version is not listed for a competing antivirus solution, N-able N-central will attempt to locate the installer or .MSI file and append the /s/u switches so that the software can be uninstalled. If uninstalling the software fails, please contact your Channel Sales Specialist to request that the antivirus software be added to those that AV Defender can uninstall. You can look up your PDS and their contact information in the N-able Resource Center under My Account.
Should I upgrade Report Manager?
Yes. You should be running the latest version of Report Manager. If Report Manager is not updated, some security information will not be available.
How should I replace existing antivirus software from competitors like Kaseya?
If you currently have an antivirus solution deployed, you will see best results by removing the software through the competitive platform first, and then try to Installing Security Manager.
If you are using Kaseya and there is a password configured for the installer, the software will not be automatically removed. For example, Kaspersky will not be removed even if it is a supported version for removal if there is an installer password.
When removing Kaspersky through Kaseya, you may experience an issue where the uninstaller fails to remove some registry filters and leaves the USB hub/root, CD-ROM drives and some other ports unavailable and displays Unable to start error messages in the Windows Device Manager.
This will result in keyboard and mouse being disabled if they are USB devices. To resolve these issues, you will need to run the kavremover.exe application to manually remove the entries. On one computer, you will need to perform a system restore, reinstall Kaspersky Antivirus, uninstall it, and then proceed with the deployment of AV Defender.
What AV Defender Profile should I use for Windows XP computers?
If you are deploying AV Defender to Windows XP computers, clone the Default Profile - Laptops/Workstations Low Resource and use it as a template to configure your own profile.
Why is my computer slow after installing AV Defender?
Check the system resources. AV Defender requires at least 500 MB of free memory in order to function properly.
How do I enable an Update Server?
You can configure an Update Server on any Server - Windows device or any device that has a Probe installed on it. You do not need AV Defender installed on the device but when you enable it, it installs a non-functioning version of AV Defender on the device. It will not remove any existing antivirus software. The update location cannot be changed and it will store the updates at C:\Program Files\N-able Technologies\Bitdefender Update Server\var\cache\update-cache. The port used is 7074.
What ports are used for N-able N-central applications?
Ports used for AV Defender and other services include:
| Port | Source/Destination | Description |
|---|---|---|
| 80 |
submit.bitdefender.com |
Port used for submitting endpoint dumps in case of crashes. |
| https://custom-update-server.logicnow.us | Bitdefender update server. | |
| upgrade.bitdefender.com | Bitdefender upgrade server. | |
| lv2.bitdefender.com | License validation. | |
| 53 | *.v1.bdnsrt.org | DNS requests for signature update checks. |
| 7074 | Update Server | Downloading updates from local Update Server. An update server cannot acquire updates from another local Update Server; it is not possible to cascade them. |
| 443 | avc-fu.nimbus.bitdefender.net | Antimalware behavior scanning with Bitdefender Cloud servers. |
| nimbus.bitdefender.net/elam/blob | Early Launch Anti-Malware (ELAM) cloud server. | |
| elam-fu.nimbus.bitdefender.net/submission | Submission to Bitdefender cloud servers of unrecognized applications by Early Launch Anti-Malware (ELAM) module. | |
| nimbus.bitdefender.net | Antimalware, antiphishing and content control scanning with Bitdefender Cloud servers. |
The Probe automatically creates firewall rules for these ports.
To ensure signature updates and minor updates to AV Defender can occur, ensure that DNS and outbound TCP port 80 access to http://upgrade.bitdefender.com are available through the firewall.
How does an Agent determine the appropriate Probe to use for downloading updates?
The Agent pings the device. The results and where to find it are shown below. The PatchCacheMonitor.log may be useful as it will record the Agent testing available Probes. Sample log:
[5] 2013-11-13 03:10:48,214 <<*>> <---------------------------- Patch Cache Monitor Started ------------------------->
[GetConfig] 2013-11-13 03:11:13,874 <<*>> All probes in appliance config [192.168.1.252,9.2.1.166]
[GetConfig] 2013-11-13 03:11:14,034 <<*>> Cache [192.168.1.252] took [0.1437867] seconds
[GetConfig] 2013-11-13 03:11:14,034 <<*>> Cache [192.168.1.252] selected as download source
Can you change the location of where files are stored?
This is not available to users as it was not included in the development requirements for AV Defender.
Does the Update Server ever remove outdated signature files?
No, there is no automatic removal of outdated signature files.
If I enable the Update Server on another device that does not have AV Defender installed but it does have a competitive antivirus product installed, what will happen?
N-able N-central will install a non-functioning version of AV Defender which will remove the existing antivirus solution. It is strongly recommended that you only enable Update Server on devices that have AV Defender already installed.
What modules are responsible for the internet traffic light appearing?
The Anti-phishing, Content Control, and the Network modules can trigger the display of the traffic light icon. To prevent this from being displayed when accessing a web site, you must add a Global Exclusion.
What processes are excluded by default?
The processes that are excluded by default include all of the processes required for the Probe and Agent to run properly.
Pre-configured Exclusions
By default, AV Defender includes preconfigured exclusions following guidelines provided by N-able N-central and Microsoft. These preconfigured exclusions are embedded in AV Defender and are not subject to user modification. Files are located in the associated N-able Technologies agent/probe folders on the device or server.
Windows agent exclusions
| agent.exe | NAAgentImplServer.exe |
| AgentMaint.exe | NableAVDBridge.exe |
| AgentMonitor.exe | NableAVDUSBridge.exe |
| AVDIU.exe | NRMInstallHelper.exe |
| BASupTSHelper.exe | PIU.exe |
| bitsadmin.exe | Popup.exe |
| ESCleaner.exe | ProxyConfig.exe |
| KillWTSMessageBox.exe | RebootMessage.exe |
Windows probe exclusions
| AMTPowerManager.exe | VmWareClient.exe |
| NableUpdateDiagnose.exe | wsp.exe |
| NableUpdateService.exe | WSPMaint.exe |
| RemoteService.exe | WSPMonitor.exe |
Other
- NableAVDBridge.exe
- NableAVDUSBridge.exe
- ThirdPartyPatch.exe
- BASupApp.exe
Backup Manager exclusions
Files are located in the associated Backup Manager folders on the device or server.
| BackupIP.exe | mysql.exe |
| BRMigrationTool.exe | InstallDriver.exe |
| ClientTool.exe | vddkReporter.exe |
| VdrAgent.exe | vmware-vdiskmanager.exe |
| BackupUP.exe | BackupFP.exe |
| ProcessController.exe | BackupUP.exe |
| BackupFP.exe | BackupIP.exe |
| xtrabackup.exe | vmware-mount.exe |
| vmware-mount.exe | vmware-vdiskmanager.exe |
What Compressed Files and Compression Applications does Security Manager Support?
Security Manager provides security for archived and compressed files, but certain archive formats cannot be disinfected. The table below lists popular file archive/compression applications as well as a description of any limitations placed by the archive format.
Password protected files belong, in most cases, to certain legitimate software. They are protected with a randomly generated password by their developers to avoid reverse engineering for malicious purposes.
Password protected items would need to be first decrypted and only then can they be scanned.
Should the contents be extracted, Bitdefender's on access scan feature will flag them as malicious if need be. Otherwise, when archived, the files, even if malicious are inactive.
In the Disinfect column, AV Defender support is tagged as:
- No: Decompression, scanning and detection of the archive contents is possible but disinfection of infected files cannot be performed due to restrictions on updating the container.
- Yes: Disinfection and repacking of the archive container can be performed.
Name Type Disinfect 7-ZIP archive No ACE archive No ALZip archive No GNU AR (.deb files) archive No ARJ archive No debug scripts archive No BZIP2 archive Yes CAB (No quantum compression) archive No CHMfiles archive No cpio archive Yes Doc files and MSI installers archive packer Yes VISE installer archive No WIM images (LZX support only) archive No WISE Installer archive No XAR archive No IE cookies extractor archive Yes InstallShield archive No InstallShield7 archive No Zip archive packer Yes Z archive No Symbian installers (SIS) archive No gzip archive Yes BinHex archive No IMP archive No INNo installer archive No Instyler archive No ISO disk images archive No LHA archive No LYME SFX archive No MSO archive Yes NSIS installer archive No objects archive No Batch file compiler archive No RAR archive No Windows Registry archive Yes rpm archive No Generic SFX installers archive No SoulEngine archive No SWF flash archive No Tar archive Yes TeleDisk image archive No TNEF archive No Universal Image Format archive No UUDecoder archive No MS-Access packer No NTFS streams packer Yes HTML parser packer Yes packer No RTF packer No Unpackers packer Support depends on the specific unpacker application. There are too many to list here. Modifications carry a modified unpacking code and therefore cannot be reliably packed back into the container. DBX Partial Plain MailBox Yes MBX No MIME Yes PST AV Defender scans PST/OST files but will not quarantine the entire archive if the scan was started from the management console (as opposed to a manual scan started locally). If an email message is detected as infected inside the Outlook data file, the scan log will contain specific information as follows:
- When there is a file that can be disinfected, and attached directly to an email message, it is cleaned it up (by replacing the file content with zeroes at the byte level). The path of the PST archive is reported in the scan log (Ex: c:\Users\administrator\Desktop\Outlook1.pst).
- When there is a file that cannot be disinfected, and attached directly to the email message, it is not cleaned up. The path of the PST archive is reported in the scan log (Ex: c:\Users\administrator\Desktop\Outlook1.pst).
- When there is a file that can be disinfected, including those in a zip archive, it is cleaned up. The file is removed from the zip file, leaving an empty archive). The exact path for the file from its PST archive is reported in the scan log (Ex: C:\Users\administrator\Desktop\Outlook1.pst=>[Time: 2016=>03=>21 16:09:38][Subject: test in zip ]=>dialers1ecdc6b00f2021e94c6664c81597de86.zip=>dialers1ecdc6b00f2021e94c6664c81597de86).
- When there is a file that cannot be disinfected, including those in a zip archive, it is not cleaned up. The exact path for the file from its PST archive is reported in the scan log (Ex: C:\Users\administrator\Desktop\Outlook1.pst=>[Time: 2016=>03=>21 16:54:05][Subject: non dis in zip]=>009_non-dis.zip=>009_non-dis.dat).
- When files are in RAR archives, the files are not deleted.
- The behavior is similar whether the PST is in use in Outlook or not.
If a manual scan was started locally, then the local end-user is instructed to choose to Quarantine/Disinfect or Delete the file directly.
TheBat mailbox Yes