Bitdefender GravityZone - How network discovery works

Bitdefender GravityZone - How network discovery works

Besides integration with Active Directory, GravityZone also includes an automatic network discovery mechanism intended to detect workgroup computers.

GravityZone relies on the Microsoft Computer Browser service and NBTscan tool to perform network discovery.

The Computer Browser service is a networking technology used by Windows-based computers to maintain updated lists of domains, workgroups, and the computers within them and to supply these lists to client computers upon request. Computers detected in the network by the Computer Browser service can be viewed by running the net view command in a command prompt window.


The NBTscan tool scans computer networks using NetBIOS. It queries each endpoint in the network and retrieves information such as IP address, NetBIOS computer name, and MAC address.

To enable automatic network discovery, you must have Bitdefender Endpoint Security Tools Relayalready installed on at least one computer in the network. This computer will be used to scan the network.


Control Center does not use network information from Active Directory or from the network map feature available in Windows Vista and later.

Network map relies on a different network discovery technology: the Link Layer Topology Discovery (LLTD) protocol.

Control Center is not actively involved in the Computer Browser service operation. Bitdefender Endpoint Security Tools only queries the Computer Browser service for the list of workstations and servers currently visible in the network (known as the browse list) and then sends it to Control Center.

Control Center processes the browse list, appending newly detected computers to its Unmanaged Computers list.

Previously detected computers are not deleted after a new network discovery query, so you must manually exclude & delete computers that are no longer on the network.

The initial query for the browse list is carried out by the first Bitdefender Endpoint Security Tools installed in the network.

  • If the Relay is installed on a workgroup computer, only computers from that workgroup will be visible in Control Center.

  • If the Relay is installed on a domain computer, only computers from that domain will be visible in Control Center. Computers from other domains can be detected if there is a trust relationship with the domain where the Relay is installed.

Subsequent network discovery queries are performed regularly every hour. For each new query, Control Center divides the managed computers space into visibility areas and then designates one Relay in each area to perform the task.

A visibility area is a group of computers that detect each other. Usually, a visibility area is defined by a workgroup or domain, but this depends on the network topology and configuration. In some cases, a visibility area might consist of multiple domains and workgroups.

If a selected Relay fails to perform the query, Control Center waits for the next scheduled query, without choosing another Relay to try again.

For full network visibility, the Relay must be installed on at least one computer in each workgroup or domain in your network. Ideally, Bitdefender Endpoint Security Tools should be installed on at least one computer in each subnetwork.

More about the Microsoft Computer Browser service

Quick facts about the Computer Browser service:

  • Works independent of Active Directory.

  • Runs exclusively over IPv4 networks and operates independently within the boundaries of a LAN group (workgroup or domain).

    A browse list is compiled and maintained for each LAN group.

  • Typically uses connectionless server broadcasts to communicate between nodes.

  • Uses NetBIOS over TCP/IP (NetBT).

  • Requires NetBIOS name resolution. It is recommended to have a Windows Internet Name Service (WINS) infrastructure up and running in the network.

  • Is not enabled by default in Windows Server 2008 R2.

For detailed information on the Computer Browser service, check the Computer Browser Service Technical Reference on Microsoft Technet.

Network discovery requirements

To successfully discover all the computers (servers and workstations) that will be managed from Control Center, the following are required:

  • Computers must be joined in a workgroup or domain and connected via an IPv4 local network.

    Computer Browser service does not work over IPv6 networks.

  • Several computers in each LAN group (workgroup or domain) must be running the Computer Browser service. Primary Domain Controllers must also run the service.

  • NetBIOS over TCP/IP (NetBT) must be enabled on computers.

    Local firewall must allow NetBT traffic.

  • If using a Linux Relay to discover other Linux or Mac endpoints, you must either install Samba on target endpoints, or join them in Active Directory and use DHCP. This way, NetBIOS will be automatically configured on them.

  • File sharing must be enabled on computers.

    Local firewall must allow file sharing.

  • A Windows Internet Name Service (WINS) infrastructure must be set up and working properly.

  • For Windows Vista and later, network discovery must be turned on (Control Panel > Network and Sharing Center > Change Advanced Sharing Settings).

    To be able to turn on this feature, the following services must first be started:

    • DNS Client

    • Function Discovery Resource Publication

    • SSDP Discovery

    • UPnP Device Host

  • In environments with multiple domains, it is recommended to set up trust relationships between domains so that computers can access browse lists from other domains.

Computers from which Bitdefender Endpoint Security Tools queries the Computer Browser service must be able to resolve NetBIOS names.


The network discovery mechanism works for all supported operating systems, including Windows Embedded versions, provided the requirements are met.