Bitdefender

Bitdefender Update

Continued from July 19th 3 Cause’s of the Crowdstrike down in reality

Keep in mind this is my personal opinion..please prove me wrong if you can.

3 Cause’s of the CrowdStrike down
1) Bad Developer file uploaded/downloaded
2) Microsoft Software runs the operating systems sort of like a monopoly, we all know it in reality it is.
3) Distribution of software via Cloudflare

Keep in mind this is my personal opinion..please prove me wrong if you can.

I read something today that shocked me. CloudStrike was going pay techs globally $10.00 coffee vouchers to remove sys file issue. I work with four hundred plus tech firms through out the US I have never heard of a computer Tech working for a $10.00 coffee voucher.
Normal Tech rates run from entry level $50.00 to $500.00 a hour.

(Bloomberg) — Microsoft Corp. said Delta Air Lines Inc. turned down repeated offers for assistance following last month’s catastrophic system outage, echoing claims by CrowdStrike Holdings Inc. in an increasingly contentious conflict between the carrier and its technology partners.
Now I am not a strong proponent of Ed Bastien (to full of himself) nor do I fly Delta.

If read/sift through all the garbage it really was all 3 firms that caused the outage.
No matter what OS Delta was running, Windows, Apple, Linux, The Falcon Platform runs on all 3. So in my opinion Delta does deserve the money for the down time.

Even thou in my opinion Mark S Cheffo when :“Even though Microsoft’s software had not caused the CrowdStrike incident, Microsoft immediately jumped in and offered to assist Delta at no charge,” I did not hear they were going to fly Techs to fix all Delta’s machines, for that matter globally let alone Delta

When does a end user or SMB company ever able to talk to Microsoft Support and receive a response within a reasonable amount of time?

So right now I see 2 parties at fault (Microsoft & CroudStrike)
But there is a 3rd party involved, CloudFlare, have you ever asked yourself what they do:Protecting it from online threats and optimizing performance there web Site.

Cloudflare is a company that provides services like content delivery network (CDN), cloud cybersecurity, DDoS mitigation, Domain Name Service (DNS), and domain registration. They help improve website speed, security, and reliability by acting as a mediator between a website’s server and its visitors, protecting it from online threats and optimizing performance.

Cloudflare
American internet infrastructure and website security company
cloudflare.com

Cloudflare, Inc. is an American company that provides content delivery network services, cloud cybersecurity, DDoS mitigation, Domain Name Service, and ICANN-accredited domain registration services. Cloudflare’s headquarters are in San Francisco, California. According to The Hill, Cloudflare is used by more than 20% of the Internet for its web security services, as of 2022. Wikipedia

Now all this is my opinion but should help create and finish a Class Action Law Suit, all 3 need to named as defendants.

Last Pay Your developers and Tech Support folks more money, Take it out of the C-Levels paychecks/bonuses. It appears that most firms have forgotten with out staff the company would be nothing.

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training
“Where Service and Technical Skills Count”

Bitdefender loaded a bad file so in most case if you look at this it will of a issue

To all my partners login to Gravity Zone and review but it is easier to look at  say multiple desktops (Show)

The error is this: ( even though  you are a partner please take the time to do random check on your clients IMPORTANT) I have already reported it to Romania

Update Process Failed because the endpoint could not resolve the update server address Please contact your system administrator. Error-1002

For at least the time being go to the dashboard and grab all the systems on line and run a UPDATE task that will for the time being bring it back on line and clean.

One last thing Bitdefender uses O365 and MailChimp..in the case if you are as concerned about security as myself I use GEO blocking globally except the US please start using to protect your clients, for the time being until Bitdefender fixs the issue mail will at best be random but your client will be protected.

In my mail filter product we can activate for you.

If you are struggling with your RMMs system lack of support come on board as a partner

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training

“Where Service and Technical Skills Count”

 

Bitdefender Changes access to Power user

Bitdefender recently made major changes to the Power User capability, and the main driver for this change is security. The 3rd party technology we use for PowerUser could pose some security risks in the future, and we had to act quickly to mitigate those risks. Also, the latest version of the technology is not compatible with any operating system before Windows 10, which does not fall in line with our target to offer backward compatibility.

Therefore, we’ve decided to provide a change which will let us continue PowerUser for all the supported operating systems. The new CLI will help us provide a lighter agent footprint, and much more precise control of all modules going forward.

We are currently working on adding new commands in PowerUser ComandLine to support additional actions and we plan to expend its coverage as we move forward.
Considering the feedback we recently received from some of our customers and partners, we also plan to release example scripts in our documentation, and allow the use of our existing Power User capability. It will be accessible only by running the process EPPowerConsole.exe directly, and it will be limited to Windows 10 and above operating systems.

An important project we have ongoing right now is the development of a new BEST GUI, which will offer some of the Power User capabilities in the endpoint GUI.
We aim to introduce as many settings as possible going forward on this new UI and CLI. Your feedback is most welcome, as it will determine what options will be available in the upcoming BEST GUI.”

I spoke to a nice gentleman in Romaina (BD Head Quarters, and he stated it had changed to only getting to it: By following these steps Windows/program Files/Bitdefender/endpoint security/ run as admin EPPowerConsole.exe-> then put the password in to bring up the UI. A little painful but secure

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishing Simulation & Cyber Security Training
“Where Service and Technical Skills Count”

ConnectWise ScreenConnect Mass Exploitation Delivers Ransomware

Hundreds of initial access brokers and cybercrime gangs are jumping on the max-critical CVE-2024-1709 authentication bypass, threatening orgs and downstream customers.
BY Tara Seals, Managing Editor, News, Dark Reading February 23, 2024

Just days after initial exploitation reports started rolling in for a critical security vulnerability in the ConnectWise ScreenConnect remote desktop management service, researchers are warning that a supply chain attack of outsized proportions could be poised to erupt.

Once the bugs are exploited, hackers will gain remote access into “upwards of ten thousand servers that control hundreds of thousands of endpoints,” Huntress CEO Kyle Hanslovan said in emailed commentary, opining that it’s time to prepare for “the biggest cybersecurity incident of 2024.”

ScreenConnect can be used by tech support and others to authenticate to a machine as though they were the user. As such, it could allow threat actors to infiltrate high-value endpoints and exploit their privileges.

Even worse, the application is widely used by managed service providers (MSP) to connect to customer environments, so it can also open the door to threat actors looking to use those MSPs for downstream access, similar to the tsunami of Kaseya attacks that businesses faced in 2021.
ConnectWise Bugs Get CVEs

ConnectWise disclosed the bugs on Monday with no CVEs, after which proof-of-concept (PoC) exploits quickly appeared. On Tuesday, ConnectWise warned that the bugs were under active cyberattack. By Wednesday, multiple researchers were reporting snowballing cyber activity.

The vulnerabilities now have tracking CVEs. One of them is a max-severity authentication bypass (CVE-2024-1709, CVSS 10), which allows an attacker with network access to the management interface to create a new, administrator-level account on affected devices. It can be paired with a second bug, a path-traversal issue (CVE-2024-1708, CVSS 8.4) that allows unauthorized file access.
Initial Access Brokers Ramp Up Activity

According to the Shadowserver Foundation, there are at least 8,200 vulnerable instances of the platform exposed to the Internet within its telemetry, with the majority of them located in the US.

“CVE-2024-1709 is widely exploited in the wild: 643 IPs seen attacking to date by our sensors,” it said in a LinkedIn post.

Huntress researchers said a source within the US intelligence community told them that initial access brokers (IABs) have started pouncing on the bugs to set up shop inside various endpoints, with the intent of selling that access to ransomware groups.

And indeed, on one instance, Huntress observed cyberattackers using the security vulnerabilities to deploy ransomware to a local government, including endpoints likely linked to 911 systems.

“The sheer prevalence of this software and the access afforded by this vulnerability signals we are on the cusp of a ransomware free-for-all,” Hanslovan said. “Hospitals, critical infrastructure, and state institutions are proven at risk.”

He added: “And once they start pushing their data encryptors, I’d be willing to bet 90% of preventative security software won’t catch it because it’s coming from a trusted source.”

Bitdefender researchers, meanwhile, corroborated the activity, noting that threat actors are using malicious extensions to deploy a downloader capable of installing additional malware on compromised machines.

“We’ve noticed several instances of potential attacks leveraging the extensions folder of ScreenConnect, [while security tooling] suggests the presence of a downloader based on the certutil.exe built-in tool,” according to a Bitdefender blog post on the ConnectWise cyber activity. “Threat actors commonly employ this tool … to initiate the download of additional malicious payloads onto the victim’s system.”

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the bugs to its Known Exploited Vulnerabilities catalog.
Mitigation for CVE-2024-1709, CVE-2024-1708

On-premises versions up to and including 23.9.7 are vulnerable — so the best protection is identifying all systems where ConnectWise ScreenConnect is deployed and applying the patches, issued with ScreenConnect version 23.9.8.

Organizations should also keep a lookout for indicators of compromise (IoCs) listed by ConnectWise in its advisory. Bitdefender researchers advocate monitoring the “C:\Program Files (x86)\ScreenConnect\App_Extensions\” folder; Bitdefender flagged that any suspicious .ashx and .aspx files stored directly in the root of that folder may indicate unauthorized code execution.

Also, there could be good news on the horizon: “ConnectWise stated they revoked licenses for unpatched servers, and while it’s unclear on our end how this works, it appears this vulnerability is still a major concern for anyone running a vulnerable version or who did not patch swiftly,” Bitdefender researchers added. “This is not to say ConnectWise’s actions aren’t working, we’re unsure of how this played out at this time.”

Article ( https://www.darkreading.com/remote-workforce/connectwise-screenconnect-mass-exploitation-delivers-ransomware?_mc=NL_DR_EDT_DR_weekly_20240229&cid=NL_DR_EDT_DR_weekly_20240229&sp_aid=121742&elq_cid=34964379&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_eh=949bacdba1e2c4851acc11df0ff47140b1c6468716621bc723fe5fe498198bd9&sp_cid=52262)

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Phishline Training
“Where Service and Technical Skills Count”

Bitdefender Changes Scanning Techniques

This can be good or Bad..depends on how you look at it

I mange thousand of endpoints of Bitdefender

So i have been running the new changes for about a week ( I am satisfied so far)

Bitdefender is a policy based platform

In this point, there are several things to do:
1. Remove the scan archive from the Quick scans because these are designed to scan some resources fast.
2. Add the scan archives in the Full scan profile if not already done so it can be inherited and the report be populated as desired.
3) With all this, a malware located in an archive doesn’t pose a threat because when resources from the archive are accessed or unpacked they will be scanned and detected by the on access real time protection.

Read this link (https://www.bitdefender.com/business/support/en/71263-85158-contact.html) updates coming and some answers also

LAST IF YOU ARE NOT USING 2FA PLEASE TAKE THE TIME TO SETUP IT IS NOT HARD. personally  I use a high end 2FA program for all sites and I use it from one computer only. I do not use  cell phones to log in, the program that I use allows it.. security is a utmost concern to me in protecting myself and my partners

If you have questions and you are a MspPortal Partner feel free to contact me

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Phish Line Training

“Where Service and Technical Skills Count”

 

Bitdefender- New Content Policy

Bitdefender Modified the existing content filter in November

Network Attack Defense

Key is to be in Partner Mode

The Network Attack Defense module relies on a Bitdefender technology that focuses on detecting network attacks designed to gain access on endpoints through specific techniques, such as: brute-force attacks, network exploits, password stealers, drive-by-download infection vectors, bots, and Trojans.

Short Version
From the latest updates, the Web rules list found in Content Control > Web Access Control Settings > Web Categories Filter has been moved under Policies > Configuration Profiles > Web Access Control Scheduler > Category Scheduler.
You can now create new schedules with multiple time window settings and assign categories to each schedule. The categories will be removed from the policy and the new schedule will be mapped to a policy.

Please refer to this article (https://www.bitdefender.com/business/support/en/77209-452409-web-access-control-scheduler.html#UUID-4d237376-d2f8-7403-25fd-59e8bf11a543) from our documentation regarding how to create a scheduler and also assign it to a policy. Note that a scheduler can be assigned to more policies simultaneously.

Long Version
(https://www.bitdefender.com/business/support/en/77211-376315-network-attack-defense.html)

If you need assistance contact me

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

 

Bitdefender Experiencing Server App Slowness

Write this rule in the policy for the company in question

Network Performance Issues
Rules to write
In the Policy
Sections
Antimalware->Settings->In-policy exclusions->type IP/mask-> ip address of the server machine serving the app->Ransomeware Mitigation
Network Protection->type IP/Mask->ip address of the server machine serving the app.
Save
Do the same on the workstation Policy
The push a task update policy to all machines

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Axcient

“Where Service and Technical Skills Count”

GravityZone Control Center Update for September (Read Important Changes)

September 2023 (Version 6.43.0-1)
Early Access
YARA detection rules

YARA rules are queries you can use to scan endpoints for patterns of malicious behavior. Use the YARA detection rules feature to generate custom alerts and security incidents based on the results of these scans.

This feature is available for Windows and Linux endpoints with the following BEST versions:

Windows: 7.9.5.318 or newer

Linux: 7.0.3.2248 or newer

To create YARA rules, go to Incidents > Custom detection rules, click the Add rule button, and then click YARA. Follow the on-screen instructions.

After you create a YARA detection rule, you cannot convert it into another type of detection rule.

From the Custom detection rules grid, you can enable or disable YARA detection rules, or start on-demand scans by clicking the 151926_1.png vertical ellipsis button and then selecting the Scan option.

Clicking a YARA detection rule from the Custom detection rules grid brings up the YARA details panel. From this panel, you can switch to the Search and Incidents sections to view the alerts and incidents generated by the rule.
Unified Incidents

The Parameter filter is now available in the Incidents section. It contains a series of criteria you can use to further filter your grid results and create highly customized smart views.
Improvements
EDR

The Incidents > Custom Rules section has been divided into two sections: Custom detection rules and Custom exclusion rules.

The grids and rule configuration pages have a new design.
Rule settings now include targets. You can now decide whether to apply the rule to the entire company or to specific groups by endpoint tags.

Clicking a grid entry brings up the details panel of the rule. It contains information about the rule, options for navigating rules and for editing the current rule. For custom detection rules, you can use the View alerts and View incidents buttons to switch to the Search and Incidents sections.

In the Incidents > Search section, you can now look up both custom detection rules and custom exclusion rules by using the other.rule_id field in your search query. You can still use the other.exclusion_id field to identify existing alerts for the next 90 days, after which the field will be deprecated.

The Custom detection rules and the Custom exclusion rules sections are now available to Partners even if they do not have an active EDR license on their account.

Partners can now control rules for their managed companies and can use the Company filter in the grid to view the rules created for each company. Customers can also view the rules Partners have applied on their company.

When switching to a new Partner, all custom rules created by the former Partner are disabled. The new Partner will not be able to view the rules applied by the former Partner.

GravityZone platform

Companies switching from a trial license to a monthly subscription will automatically have the Email redaction setting disabled.

New BEST for Linux installation packages are now available for systems with ARM architecture (AArch64).

Minor UI changes to the Add company and Edit company windows, including a different order for the Add-ons displayed in the Licensing tab.

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Axcient

“Where Service and Technical Skills Count”

Bitdefender Gravity Zone Mobile Device Manager is now ready to Activate

I finally met with the Project Manager today, to go over security

If you are a partner of MspPortal Partners Inc I can activate the account and now support it, Bitdefender has no tech support available yet.

We starting playing with the project over 2 weeks ago when it was released..Great Product..Pricing is stellar a must have for your clients

Contact the office for activation

Roy Miehe | MspPortal Partners Inc. | Ceo/President
Security Software Distributor: Bitdefender , Barracuda, Axcient
“Where Service and Technical Skills Count”

Bitdefender releases MDM protection finally Gravity Zone Portal

Security for Mobile is a cloud-only mobile security solution able to protect mobile devices with Android or iOS operating systems against multiple threat vectors.

  • Features:
  • Advanced malware detection – safeguards mobile devices from a broad variety of threats by offering comprehensive malware detection capabilities.
  • Phishing protection – analyses incoming messages and detects any malicious links or content that could be used to acquire sensitive data or credentials.
  • Network security – offers an extensive set of tools for protecting mobile devices against a variety of network-based hazards. It helps assure the security and integrity of mobile devices in the current threat landscape by monitoring network traffic, providing secure connectivity, and detecting and preventing attacks.·
  • Compliance and policy enforcement – assist organizations in protecting their mobile devices from a variety of threats and ensuring that they are used securely and compliantly by making sure that all applications are properly vetted.
  • Mobile threat intelligence – provides users the real-time security and analytics they need to protect their mobile devices from a variety of threats.
  • Integration with mobile device management (MDM) solutions – enhances mobile security features. Because of the integration, enterprises may install the mobile threat defense solution using their existing MDM infrastructure. The integration also enables mobile device security policies to be enforced automatically.
  • Web content filtering – warns and prevent users from accessing potentially harmful websites and links, such as malware, phishing, botnets, and suspicious domains, or websites that violate your organization’s standards.
  • Are you an ISP, MSP, VAR or reseller?
  • All MspPortal Partners currently can be provisioned upon request, pricing is very aggressive tier pricing available no contract, just monthly usage.
  • Contact Us

Roy Miehe | MspPortal Partners Inc. | Ceo/President

Security Software Distributor: Bitdefender , Barracuda, Axcient

“Where Service and Technical Skills Count”