Question About BitDefender Endpoint Security

sapphirescales

I don't normally use BitDefender but a client of mine insists on having this on their server. The problem is, Windows Server 2019 will not keep the Group Policy settings when it comes to updates. I have updates set to OFF so the piece of crap doesn't restart in the middle of my client's work, but this server just ignores the Group Policy settings. If I do a gpupdate /force command the settings will return to normal but after a few days, the piece of junk will restart and lose all my client's work. I've never encountered this and it seemed to go away when I removed BitDefender. Does BitDefender constantly check for the ability for Windows to update and then undo whatever Group Policy changes there are for Windows Update? It's worth noting that if I go into the Group Policy editor the policy stays the same. Windows just ignores it until I run a gpupdate /force command. I feel like my only option is to set up a scheduled task where it runs the gpupdate /force command every 60 seconds. I'm so done with this crap.
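
An added example, not part of the original post and not code from BitDefender, Splashtop or Microsoft: a PowerShell check that records whether the Windows Update policy values Group Policy writes to the registry are still present, so the moment they change can be lined up against other events on the server. It assumes "Configure Automatic Updates" is set to Disabled (which writes `NoAutoUpdate = 1`); the log path is hypothetical.

```powershell
# Added example: snapshot the Windows Update policy values and log any drift.
# Run it from a scheduled task; each run appends one row per checked value.
$AuKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$Expected = @{ NoAutoUpdate = 1 }            # assumption: policy set to Disabled
$LogPath  = 'C:\Logs\wu-policy-drift.csv'    # hypothetical log location

function Get-WuPolicyDrift {
    param(
        [string]$Key,
        [hashtable]$Expected
    )
    # A missing key means no Windows Update policy is applied at all.
    $actual = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in $Expected.Keys) {
        $value = $null
        if ($actual -and ($actual.PSObject.Properties.Name -contains $name)) {
            $value = $actual.$name
        }
        $shown = '<missing>'
        if ($null -ne $value) { $shown = $value }
        [pscustomobject]@{
            Time     = (Get-Date).ToString('s')
            Name     = $name
            Expected = $Expected[$name]
            Actual   = $shown
            Drifted  = ($value -ne $Expected[$name])
        }
    }
}

$rows = @(Get-WuPolicyDrift -Key $AuKey -Expected $Expected)
$null = New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force
$rows | Export-Csv -Path $LogPath -Append -NoTypeInformation

# Surface drift on the console as well as in the CSV.
$rows | Where-Object { $_.Drifted } | ForEach-Object {
    Write-Warning ("{0}: expected {1}, found {2}" -f $_.Name, $_.Expected, $_.Actual)
}
```

If the log shows the value still present while the server restarts anyway, the restart is not coming from a removed policy value and the cause lies elsewhere.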
 
I'm of no help here but I feel the pain. I won't use BitDefender on anything that needs peer to peer like a couple workgroup PCs with QuickBooks or Peachtree. Always F'd something up...once BitDefender got removed all worked good without having to intervene every other day or 2. I thought for a while it was a good A/V and I think it is still......but if it's too good it F's everything up...like on Shark Tank I'M OUT!! Seldom have trouble with residential clients that still use it though.

@YeOldeStonecat I think uses BitDefender for a lot of their business clients. My apologies in advance if I'm incorrect there.
 
I use BitDefender (managed via GravityZone) for all of my business customers' servers and workstations ... Never had any issues.

But why are you trying to disable Windows updates anyway? ... Just update the server then pause the updates. That will keep them paused for just over a month. The following month, just repeat the process before the time is up. Monthly updates should be part of your server maintenance routine and are a great source of regular work. I make thousands every month just by routinely updating servers and performing basic system health checks.
 
I use BitDefender (managed via GravityZone) for all of my business customers' servers and workstations ... Never had any issues.

Same here. We used the flavor of BitDefender for many years that came with N-Central when we used that (called Security AV Defender), and over a year ago we began shifting our RMM to SyncroMSP....and we've moved almost all our clients over to that...so we manage the full-blown and much more functional BitDefender via the GravityZone portal. We have around 2,500 endpoints I think.

I don't see how it's impacting your server's updates...which particular version of BitDefender does this client have in the server?

Additionally, in a server's update section, you can control time windows when it will update and bounce. Select the hours when your client is not in the office or working remotely (like...2300 hours to 0600 hours or something).
 
Select the hours when your client is not in the office or working remotely (like...2300 hours to 0600 hours or something).
That's when the backups run. There is no time during the day or night that it's okay for this piece of junk to restart.

That will keep them paused for just over a month.
I'd rather have complete control of when I start the updates and when it restarts.

which particular version of BitDefender does this client have in the server?
Just Endpoint Security (not GravityZone). I installed it via Splashtop's partner program. I don't know why this client is so insistent on BitDefender but I freaking hate this software.
 
Client is probably insistent on it because it is one of the best AVs out there. For many years it's been in the top group over at AV-Comparatives.org, and many...many....MSPs use it across their fleet of clients. Quite a standardized product. And incredibly effective. I have quite a familiarity with a lot of AV products on there, and we've resold a good amount ourselves, BD became and has remained my favorite, the least problems, and most effective of all that I have used.

Re: RTFM!!!

So, many modern antivirus programs also have options to manage patch management. Since, logically, antivirus...and patch management, complement each other to make for overall better security. The version of BD your client is running has that option. So....I'd go into that and disable that module. We do, we let our RMM's patcher handle this.

Same with the firewall....as with many other modern AV programs, BD has an option to provide a software firewall...to leverage, or even take over, the firewall duties from Windows. Another option you can enable, or disable. We disable it.
 
Yes, patching should be handled by your RMM
The version of BD your client is running has that option.
Yeah I think this might be the problem. The subscription I'm on doesn't include patch management; only remote support and antivirus. If I want to change to a subscription that includes patch management the price is just insane. Right now I have 10 unattended remote computers + unlimited attended computers for $219/year + $1.30/computer for antivirus. If I want to switch to the subscription that offers patch management it's $479/year for only 25 computers. Perhaps I should be looking for another solution, but I really like Splashtop.
 
What (if any) RMM are you using? Splashtop (which I have) is only a backup for the primary remote access included in my RMM. The RMM handles everything machine/network-related, and BD GZ handles machine security including web content filtering. I pay a flat rate of $2.00 per endpoint for both the RMM and BD GZ. It seems you're taking an ad-hoc approach to this or you're just using the wrong tools for what you're trying to do.
 
What (if any) RMM are you using? Splashtop (which I have) is only a backup for the primary remote access included in my RMM. The RMM handles everything machine/network-related, and BD GZ handles machine security including web content filtering. I pay a flat rate of $2.00 per endpoint for both the RMM and BD GZ. It seems you're taking an ad-hoc approach to this or you're just using the wrong tools for what you're trying to do.
I don't really do managed services much anymore. I only really do on-demand support these days. My clients are usually too small to warrant patch management and monitoring. To be frank, I think it's a waste of money for most home users and small businesses and I don't like working with big businesses so I moved away from RMM.
 
That's when the backups run. There is no time during the day or night that it's okay for this piece of junk to restart.
So it's a piece of junk, yet it's so critical to their infrastructure that it must run 24/7? Sounds like a recipe for disaster to me. So when are software patches and urgent critical security updates installed?

I would simply refuse to provide support if maintenance is not possible or practical. If (or rather when) the system is out of action due to a lack of maintenance or security patching, in the customer's eyes at least, YOU will be the one to blame. This is not the way to do business IT support. You're setting yourself up for a lot of pain and hassle with little reward. Done properly, business IT is stress-free and lucrative. If the system really is that critical, there should be some kind of failover in place, with more than one physical server and a means to take a server down for maintenance without affecting business continuity.

I would discuss the situation with the Customer. Discuss various potential scenarios, including total hardware failure, the resulting downtime and the impact this would have on the business, in particular the associated costs and loss of reputation. If downtime is considered expensive or unacceptable but they are not prepared to spend to prevent (or at least mitigate) disaster, walk away -- let some pizza tech have the hassle instead. Focus instead on professional businesses who require professional support.
 
So it's a piece of junk
It's not a piece of junk, Windows/BitDefender are pieces of junk. If you can't even control when a critical piece of hardware restarts, then it's a terrible software.

when are software patches and urgent critical security updates installed?
I remote in every once in a while and do it. The time changes.

If the system really is that critical
It's not that the server is that critical, but if it can't be relied upon because Windows/BitDefender is constantly screwing it up, then it's worthless. A second server would do nothing to fix that. I know, I know Active Hours. But who's to say that Active Hours won't be ignored in the next round of updates? I want complete control. Is that too much to ask for? Before Windows 10, we had complete control.

I talked to Splashtop about this and they think it's a limitation of their integration with BitDefender. They're consulting with their software guys and will get back to me. In the meantime I'm checking out other RMM solutions that offer BitDefender. I don't know what an RMM company is going to think about me only having a couple of clients though because I really don't want to offer managed services anymore.
 
BitDefender is not junk
It is if it does things without your permission with no ability to control it. Admittedly I think the blame lies with Splashtop since their integration doesn't offer control over updates with their standard remote support package, but still, I don't want my antivirus forcefully changing my Windows settings. The UI of BitDefender is laughable, presumably because it's meant to be centrally managed, but I don't have that option with Splashtop. Literally the only thing I can do is do a scan or look at my quarantine log. There are NO settings of any kind. Now that's crap. At least with Webroot you can see the settings and if you try to edit them it gives you a warning saying that you can't because it's centrally managed. BitDefender tells you nothing and offers you nothing.
 
That's a design choice with them, AV that reveals settings on the client side is a security risk.

But yes, it makes troubleshooting a giant pain in the rump, and all you're doing here is reinforcing my decision to never use 3rd party AV ever. If clients want "better" they can spring for M365 Business Premium, and have inTune managed AV Defender Advanced.
 
There are ways to set rules, yes I agree it is convoluted and can be overzealous. Just manage the exceptions and you will be ok. Though once one understands how it works it is fine.
 