Bitdefender behavior during update

Hello,

Bitdefender recently carried out a version update.

It was uninstalled and reinstalled without any information.

I was surprised that the Bitdefender icon in the tray had disappeared.

Is this normal behavior?

Does that mean that I am not protected for the moment during the update?

Why am I not asked to restart in order to apply the update?

To be honest, I was shocked that the protection was simply deactivated/uninstalled.

Regards

Comments

  • Hello @wheatfoxrabbit,

    The protection is NOT disabled during the update process. Some modules are turned off for a very short time while the patch is being applied. Bitdefender has many systems that back up each other and provide protection.
    By design, the developers would not make an update system that would leave customers vulnerable in any way.

    Restarting the device is the recommended action after the update.

    In newer versions of Windows, shut down or sleep is no longer equal to restart, due to performance considerations of the operating system. So, unless the user explicitly restarts the system, he would no longer be able to replace the update files as he used to do before - that's about what was wrong with deferring service restarts until the machine is restarted the way they used to be. That's why this flow appeared, so that the software can allow updates to be carried out when necessary and ensure the devices are restarted properly.

    There are plans to improve this notification flow as much as possible and the developers have addressed some areas already, but I cannot say what will change and when, at the moment.

    When the restart notification appears, it will say that Bitdefender services will restart. This means that Windows will give the user a message that he is no longer protected in the few seconds that Bitdefender services stop and start. It is important, however, that the user sees this pop-up from Bitdefender before seeing the message from Windows, because otherwise it will seem like there is a problem with the antivirus.

    Premium Security & Bitdefender Endpoint Security Tools user

  • When the restart notification appears, it will say that Bitdefender services will restart. This means that Windows will give the user a message that he is no longer protected in the few seconds that Bitdefender services stop and start. It is important, however, that the user sees this pop-up from Bitdefender before seeing the message from Windows, because otherwise it will seem like there is a problem with the antivirus.

    In one case, I wasn't at the computer at the time and the update was carried out. So you don't even notice it. In another case, the update was simply applied to the device while I was using it. I didn't see any prior notification.

    A prior notification with, for example, "A new update is available. Apply now? (The program will restart)" would be useful in this case.

    Otherwise it looks as if the AV has been terminated or crashed.

  • I'll tag @camarie here for a more advised opinion on this. I know that in Bitdefender Central, for example, whenever there's an update available, there will be a yellow banner informing the user about this. But this is not exactly the flow for product updates, since by default, Bitdefender performs automatic updates when you turn on your computer and every hour after that. When an update is detected, it is automatically downloaded and installed.

    When it comes to product updates that involve changing the version number, they occur less frequently, typically once every 4 weeks. These updates are important for improving product performance, adding new features, and enhancing security. Product updates are being released gradually and once the staged rollout update reaches 100%, Bitdefender will recommend restarting Windows to enjoy the new version’s added benefits.

    Thank you for your feedback regarding this.

    Premium Security & Bitdefender Endpoint Security Tools user

  • camarie BD Staff

    Excluding the flow based on update from Central, which is, indeed, not the normal update flow, it's usually (more or less, variations exist at all levels) like this:

    • update is downloaded and prepared for install by detecting which files need to be replaced and which of these are in use
    • detects if a product reconfiguration is needed; for example, when switching a subscription, changing a license, migrations from other older products and overall changes signal the need for a full product reconfigure
    • detects which patches, if any, need to be run at various stages of update: pre install, post install, and, if a restart is needed, post restart
    • if a file is in use and loaded by an executable (or it is an executable itself), that executable is marked for restart (the executable, not the entire Windows) so that the updated file; in this example with the tray icon, which is loaded and displayed by the application agent (bdagent.exe) disappears, it means bdagent.exe or a dll loaded by bdagent needs to be replaced; for this to happen, a special command is issued to bdagent to stop itself, the file or files are replaced with the updated version, then bdagent.exe is restarted at a later time
    • if an operating system component (usually a driver, such as the firewall driver) needs to be updated, this usually needs restart by the operating system design, so this is the most common case when a Windows restart is asked; other cases might include migrations from old versions of product; components loaded by Windows Explorer (these might be solved only by restarting explorer instead of full OS restart, but there are so many cases where things can go wrong, such as removable disks not unmounting, external programs having components loaded in explorer and not behaving correctly etc. so a Windows restart is preferable)
    • the protection is not disabled during an update; if a protection component needs to be replaced and it is not possible without a restart, then a Windows restart is asked and its replacement occurs very early in the reboot process; even so, protection service and a handful of critical defenses are present nonetheless
    • other cases for restart might include components loaded in third party applications, such as Outlook, Thunderbird, Chrome, Firefox etc. and restarting them can prove dangerous since the process is external to Bitdefender and we have no real full control over it so that we do not affect that external application, and instead we ask Windows to restart and let the application cleanly close itself as normal
    • the notification from Windows regarding protection does not exactly mean "You are unprotected"; Windows displays this by doing two things:

    1. offer a programmatic way to protection solutions such as ours to register as a WSC (Windows Security Center) provider; cases when Windows might display this can be when uninstalling such a registered product (obviously), when the communication component itself needs an update and is restarted for a brief period (meaning not the protection, but the executable in charge of WSC communication is briefly off)

    2. communicating with these providers' executables for various state information - I believe this is the case when such a notification occurs. Simply restarting the agent, for example, or even services loading product functionality does not mean the device drivers directly interacting with Windows are off, just that they work using their current configuration until the product is updated and back running, when the interaction is resumed.

    @Alexandru_BD is right; the notification coming from our product is important to let the user know it is not a problem with the product itself, and also indicating there is a maintenance operation to be done. If an update is carried out automatically and the user does not see anything, as in the described case, the update event is still recorded and available on the Notifications panel.

    To make a long story short: the drivers are always on (unless Windows reboots and they are updated, but the protection driver is still on); the backend product (services) update can temporarily restart for reload/reconfiguring, this meaning the drivers will continue momentarily without interacting with these functionality services (meaning they will continue to work using the last known configuration - but even if this changes after restarting services, these will inform the drivers about the changes and continue accordingly), and the application (front end and user processes) update will cut off momentarily the interaction with the user, but the backend and drivers are still running.

    Of course, the whole story is even more complex than that - what I wrote mainly covers the product restart - but there are signatures and sensors, for example; such components have their own update process and we are interacting only to control the update flow (automatic or ask user), starting the appropriate update commands, reload the updated versions etc. - probably one does not need to hear everything dissected to this detail level.

    And a quick disclaimer: while I have a pretty good idea about how Windows works and the product update process, I don't know in great detail each and every component involved (I was involved in the update itself only every now and then, not as an active update developer of update or protection and reading each and every line of code involved).

    I hope this explains a little more about this topic.
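
The layers described in the post above (kernel drivers, backend services, the bdagent.exe front end) and the WSC registration can be observed separately while an update runs. This is an added PowerShell example, not part of the thread and not Bitdefender tooling; it assumes the vendor's binaries carry "Bitdefender" in the CompanyName field of their version resource, and the function names are hypothetical.

```powershell
# Added example, not Bitdefender tooling. Assumption: the vendor's binaries carry
# "Bitdefender" in the CompanyName field of their version resource.
$Vendor = 'Bitdefender'

function Test-VendorBinary([string]$ImagePath) {
    # Service and driver image paths may be quoted, carry arguments, or use NT prefixes.
    if (-not ($ImagePath -match '^"?(?<img>.+?\.(exe|sys))')) { return $false }
    $file = $Matches.img -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return $false }
    return (Get-Item -LiteralPath $file).VersionInfo.CompanyName -like "*$Vendor*"
}

function Get-ProtectionLayerState {
    # Layer 1: kernel drivers. Layer 2: backend services. Both matched by file vendor.
    $drivers  = @(Get-CimInstance Win32_SystemDriver | Where-Object { Test-VendorBinary $_.PathName })
    $services = @(Get-CimInstance Win32_Service      | Where-Object { Test-VendorBinary $_.PathName })
    # WSC provider registration; root/SecurityCenter2 exists on client editions of Windows only.
    $wsc = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
             Where-Object displayName -like "*$Vendor*")
    [pscustomobject]@{
        Time            = Get-Date -Format 'HH:mm:ss'
        DriversRunning  = '{0}/{1}' -f @($drivers  | Where-Object State -eq 'Running').Count, $drivers.Count
        ServicesRunning = '{0}/{1}' -f @($services | Where-Object State -eq 'Running').Count, $services.Count
        # Layer 3: the front-end agent named in the thread (tray icon, notifications).
        AgentRunning    = [bool](Get-Process -Name bdagent -ErrorAction SilentlyContinue)
        WscRegistered   = $wsc.Count -gt 0
        # productState is an undocumented bit field: compare samples, do not decode.
        WscProductState = ($wsc | ForEach-Object { '0x{0:X6}' -f $_.productState }) -join ','
    }
}

# Sample every 5 seconds for one minute, for example while a product update is applied.
1..12 | ForEach-Object { Get-ProtectionLayerState; Start-Sleep -Seconds 5 } | Format-Table
```

A sample where AgentRunning is False while the driver and service counts stay unchanged corresponds to the front-end-only restart described in the post.
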

  • Thanks for the detailed answer.
    This explains that even if the tray icon disappears, you are not left without protection.

    As I wrote above, I would prefer that a message is displayed beforehand so that it does not appear that the security software has stopped or crashed. Otherwise, that could confuse many users.

    The bdagent.exe is just the tray icon and UI?

  • camarie BD Staff

    bdagent takes care of the following (directly or in conjunction with other components) - just to name a few:

    • tray icon and its contextual menu (about, update, main interface launcher)
    • notifications and alerts
    • some of the user processes functionality
    • watchers (various processes, including bdagent) for other processes
    • user events
    • product components: device status, recommendations, full screen detection, contextual scan commands, USB immunizer, WSC notifications, product alerts etc.
    • cooperation with other components in regard of user context (sending/receiving messages from service components, status display for certain product features etc.)

  • Very insightful and useful information, thank you for sharing it with us @camarie 👍️

    Premium Security & Bitdefender Endpoint Security Tools user