NSX 4.0-4.1 Anti-Malware 301 ToI - v1.10.pptx

NSX Anti-Malware
Detection and Prevention
NSBU Product Management
January 2023
301 ToI

2
Detect & Prevent the transfer of malicious
files
Wherever these might occur
NSX Malware Detection and Prevention
NDR
NTA
Malware Prevention
IDS/IPS
Segmentation

In This
Session
3
1 What’s new in NSX 4.0.1
2 NSX Malware Detection and Prevention – What is it?
3
How does NSX Malware Detection and Prevention work?
• Malware Detection and Prevention
• Gateway Malware Detection
• Distributed Malware Detection and Prevention
4 NSX Malware Detection and Prevention - Reporting
5 NSX Malware Detection and Prevention Requirements / Limitations / Scale
6
Advanced points:
• NSX Malware Detection and Prevention High-Availability
• Malware File DB Population
• NSX Malware Detection and Prevention Installation
• NSX Malware Detection and Prevention Upgrade
• Supported Windows versions and VMware Tools releases

In This
Session
4
3
6
Advanced points:

5
• Scope
• Dist Malware Detection and
Prevention for Linux
Prevention for all file types
Malware Detection and Prevention 4.0.1.1 Enhancements
Physical Router
VLAN
Tier-0
Overlay
VLAN
VM
Tier-1
Overlay
VM
VM
VM
VM
VM
VM
VM
File type:
exe, xls, vba, zip, etc

6
• Scope
• Performance
• Malware Detection on Baremetal
Edges
Physical Router
VLAN
Tier-0
Overlay
VLAN
VM
Tier-1
Overlay
VM
VM
VM
VM
VM
VM
VM

7
• Scope
• Performance
Edges
• Operations
• Search Enhancements for Malware
Monitoring

8
• Scope
• Performance
Edges
• Operations
• Search Enhancements for Malware
Monitoring
Alarms

In This
Session
9
3
6
Advanced points:

10
NSX Security
Advanced Threat Prevention
IDS/IPS | Malware Detection & Malware Prevention | Network Traffic Analysis
VMware Threat Analysis Unit
Gateway Firewall
App ID & User ID | FQDN Analysis | URL Filtering | TLS Inspection
Distributed Firewall
App ID & User ID | FQDN Filtering | Malicious IP
VMware NSX Security
Security for East-West and Zone / Cloud Edge Traffic
Security Analytics and Management
App Flow Discovery | Rule Recommendations | Policy Management | Network Detection & Response
ELASTIC SCALE | APPLICATION AWARE | NO NETWORK CHANGES | POLICY AUTOMATION
Multi-Cloud
Physical Server Containers
VMs
Features Set

11
NSX Malware Detection and Prevention is one data source of NSX Network Detection and Response
Malware
Events
Anomaly
Events
Threat
Detection
Events
NDR
Remote Code
Execution
Darkside
Remote Services
Anomaly
DNS Tunneling

12
Malware Detection/Prevention is
enforced in 2 points:
• Central
• On T1 Uplinks and Service
Interfaces
• Malware Detection only
• Distributed
• On Windows and Linux VM
• Malware Detection
• Malware Prevention
Enforcement Points
Physical Router
VLAN
Tier-0
Overlay
VLAN
VM
Tier-1
Overlay
VM
VM
VM
VM
VM
VM
VM
NDR
NTA
Malware Prevention
IDS/IPS
Segmentation
1
2
1
2
2
2
2

In This
Session
13
3
6
Advanced points:

14
Malware is enforced in 2 points:
• Central
• Distributed
High-Level View
Physical Router
Tier-0
Tier-1
VM
Malware Detection
Malware Detection and Prevention

15
Dist-Malware does:
• offer Detection and Prevention
• for both Windows + Linux
Note: Requires Files Introspection Driver on the VM.
• and whatever the protocol used
(HTTP / HTTPS / FTP / SMB / SCP / etc.)
But Dist-Malware does not send events to NDR.
GW-Malware does:
• offer Detection
• for any type of VM / physical servers / containers
• For some protocols
(HTTP + FTP traffic + HTTPS (if TLS Inspection configured))
• and sends events to NDR
Distributed Malware Detection and Prevention Gateway Malware Detection
Distributed and Gateway Malware Positioning

16
Malware Detection and Prevention:
1. File Characteristics
• To detect if file already seen
• If new file
2. Local File Analysis
– Done locally
– Analyze file structure/code
– (Optional) Determines if further
Cloud Analysis is needed
3. (Optional) Cloud Analysis
– Files sent to NSX Advanced Threat
Prevention Service
– Behavior Analysis in Sandbox
• Network Behaviors
• Read / Write / Encryption on disk
• Processes read / launched / stopped
• etc
Low-Level View
Malware Detection and Prevention
or File Hash
(optional) If Needed,
Cloud Analysis
Tier-1 VM
Known File
or
Benign Malicious or
Suspicious
Unknown File
Local File Analysis
(done locally)
Cloud File Analysis
(in cloud)
Result
or
Benign Malicious or
Suspicious
or
Benign Malicious or
Suspicious
Local
Analysis Result
In Progress
(Require more
analysis)
or
Benign: File safe
(score = 0-29)
Malicious: File harmful and blocked by NSX Malware Prevention
(score = 70-100)
Suspicious: File potentially harmful and not blocked by NSX Malware Prevention
(score = 30-69) Mouse Click
End

17
• Good for prefiltering clearly Benign Files
• Good at prefiltering obvious Malicious Files
• File signature, file structure, URLs, JS scripts, VBA macros,
XL4 code, key strings Structure analysis, YARA rules,
Images analysis (OCR), etc
• Determines if Cloud Analysis is needed
• Files are sent to the NSX Advanced Threat Prevention
Service (Lastline Next-Gen Sandbox Cloud)
• Behavior Analysis
• Fast – uses a hybrid approach between Full System
Emulation and Hypervisor
• Hard to fingerprint – outside the guest OS
instrumentation
• Has full visibility into subject behavior and system
memory
• Resistant to evasion – dynamically responds to evasion
tricks
Local Analysis Cloud Analysis
Local and Cloud Analysis

18
Cloud Analysis Full System Emulation
Memory
CPU
Typical Enterprise
Sandbox Capabilities
Memory
CPU
HYPERVISOR
Physical Hardware
Web, Files, Apps
Operating Systems
Physical Hardware
Web, Files, Apps
Operating Systems
VMware Cloud
Sandbox Capabilities
Dormant code analysis
Code branch triggering
Code branch replay
Evasion detection
Switching processor mode
from 32 to 64 bit
Analysis does not require
custom OS images or app
versions
Dormant code analysis
locates code blocks that
don’t execute
Code injection
Unpacking
VISIBILITY OF
EVASIVE MALWARE
Incomplete hardware
emulation inhibits
observability of malware
Analyze network capabilities
Object risk assessment
Signature generation
NTA model generation
Network
Full System Emulation

In This
Session
19
3
6
Advanced points:

20
Gateway Malware Detection
• Detection of known and unknown
malicious files at the network/zone
perimeter
• Supported on T1 (Uplink and Service
Interface)
• Many file types (documents,
executables, archives, scripts)
• Hash lookup, Local analysis and
Cloud-based dynamic analysis
• No hairpinning, network-latency or
re-architecture
• Full system-emulation cloud sandbox
enables detection of evasive
malware
• IDPS-based file extraction
Capabilities
Physical Router
VLAN
Tier-0
Overlay
VLAN
VM
Tier-1
Overlay
VM
VM
VM
VM
VM
VM
VM

21
T1 Gateway Malware:
• On T1 Uplinks and Service Interfaces
• Intercept File
– over HTTP or FTP (or HTTPS if TLS
Inspection is enabled)
– for files download (HTTP and FTP
GET)
– different file types (see Notes for exhaustive
list)
– Detect known and previously unseen
malicious files with local analysis
1. File Hash
2. If File Hash Local = No Match, File Hash
on Security Analyzer
3. If File Hash Security Analyzer = No
Match, Local Analysis
4. (optional) Cloud Analysis if needed and
configured
• (optional) Data Source for NSX NDR
Packet Walk
Physical Router
Tier-1
Overlay
VM
VM
Malware
Detection
Transfer protocol:
HTTP or FTP
(or HTTPS if TLS Inspection enabled)
VLAN
File type:
exe, xls, vba, zip, etc
NDR
Tier-0
Edge Node
Cloud File Analysis
(in cloud)
Send file
to Cloud
Malware Engine
NAPP
Security Analyzer
(optional)
Send file for
Cloud Analysis
Malware
File DB
=
send cloud
analysis report
or
Send local
analysis report
or
=
Mouse Click
if
=
if
=
If hash matches,
send statistic
or
End
if
= send File Hash
result of File Hash
or

22
Gateway Malware logs are in Edge Node
log INFO.
See slide notes to export Edge Node log to external
syslog server.
Edge Node Log important fields:
• sha256_hash
275a021bbfb6489e54d471899f7db9d1663fc695e
c2fe2a2c4538aabf651fd0f
• file_name
eicar.com.txt
• asds_verdict
VERDICT_MALICIOUS
VERDICT_BENIGN
• Instead of asds_verdict, it could be “rapid_verdict:
INVALID” if dynamic analysis is required
• application_protocol
APPLICATION_PROTOCOL_HTTP
• gateway_id
9eaaad87-1a3b-4900-be95-3b7d69ab7540
• That’s T1 MP UUID
• client
ip_address: "20.20.21.11"
• server
ip_address: "175.45.176.11"
log
2023-04-11T21:43:59.475Z edgenode-03a.corp.local NSX 33 - [nsx@6876 comp="nsx-edge"
subcomp="nsxsh" tid="50" level="INFO"] Security hub inspection event to sa-event-
processor service. Event details - file {#012 md5_hash:
"44d88612fea8a8f36de82e1278abb02f"#012 sha1_hash:
"3395856ce81f2b7382dee72602f798b642f14140"#012 sha256_hash:
"275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"#012
lastline_file_class: "EicarComExeF"#012 file_size: 68#012 file_name:
"eicar.com.txt"#012}#012file_seen_info {#012 score: 70#012 asds_verdict:
VERDICT_MALICIOUS#012 application_protocol: APPLICATION_PROTOCOL_HTTP#012
http_request_details {#012 domain {#012 fqdn: "175.45.176.11"#012 }#012
method: HTTP_METHOD_GET#012 path: "/eicar.com.txt"#012 referer: ""#012
user_agent: "curl/7.82.0"#012 content_disposition_filename: "eicar.com.txt"#012
}#012 node_id: "818e476e-2292-4eeb-bcae-a9140129ae8d"#012 node_type: EDGE#012
gateway_id: "9eaaad87-1a3b-4900-be95-3b7d69ab7540"#012 status: DONE#012
found_in_asds: true#012 client {#012 ip_address: "20.20.21.11"#012 fqdn:
""#012 port: 49839#012 }#012 server {#012 ip_address: "175.45.176.11"#012
port: 80#012 }#012 timestamp: 1681249439475#012 is_allow_listed: false#012 ttl:
1681422239475#012}#012file_transfer_details {#012 is_file_upload: false#012
start_time: 1681249438396#012 end_time: 1681249438396#012}

In This
Session
23
3
6
Advanced points:

24
Distributed Malware Detection and Prevention
• Network-Independent Detection &
Prevention of known and unknown
malicious files
• Windows and Linux VMs
• All files type
• Hash lookup, Local analysis and
Cloud-based dynamic analysis
• No hairpinning, network-latency or
re-architecture
• Full system-emulation cloud sandbox
enables detection of evasive
malware
• Guest-introspection based file-
extraction and blocking for DFW
Capabilities
New NSX
4.0.1
Physical Router
VLAN
Tier-0
Overlay
VLAN
VM
Tier-1
Overlay
VM
VM
VM
VM
VM
VM
VM

25
Distributed Malware:
• On VM, intercept file
– Done over Disk Write
– Any file types (see Notes for exhaustive list)
– Detect and block known and
previously unseen malicious files
with local analysis (SVM)
• Send File to SVM for local analysis
1. File Hash Local
2. If File Hash Local = No Match, File
Hash on Security Analyzer
3. If File Hash Security Analyzer = No
Match, Local Analysis
3. (optional) Cloud Analysis if needed
and configured
Packet Walk
Workload-VM
ESXi
VDS-PortGroup
(NSX Segment VLAN or Overlay)
SVM
VSS-vmservice-vswitch
Disk
Guest
Introspection Malware
Detection
and Prevention
Cloud File Analysis
(in cloud)
Send file
to Cloud
NAPP
Security Analyzer
(optional)
Send file for
Cloud Analysis
Malware
File DB
Transfer : Any
(Dist. Malware is not on
Networking but Disk Write access)
File type: Any types
ToR
if
Send file for
local analysis
=
send cloud
analysis report
or
Send local
analysis report
or
=
result of
File Hash
or
if
if
=
if
=
Mouse Click
If hash matches,
send statistic
or
End
send File Hash
result of File Hash
or

26
Distributed Malware logs are in NAPP
log INFO.
See slide notes to export Edge Node log to external
syslog server.
Currently NAPP exports logs encrypted
and so are not readable by syslog
servers (bug 3062719).
log
Currently Not Available

In This
Session
27
3
6
Advanced points:

28
Malware Detection and Prevention:
• Simple and Clear Reports on
inspected files
• with up to 2 weeks history
• Very deep information on the
malware
Reporting

In This
Session
29
3
6
Advanced points:

30
Distributed Malware Prevention Gateway NSX Malware Prevention
Requirements
Licensing • Distributed Firewall with Advanced Threat
Prevention License
• Gateway Firewall with Advanced Threat
Prevention License
Pre-Requisites • NAPP
• Internet Connectivity even if Cloud inspection is disabled (see Notes for more information)
• Windows: VMware Tools with NSX File
Introspection Driver
• Linux: File Introspection driver for
supported version of Linux (see Notes)
• On each ESXi for SVM: 4 vCPU / 6 GB RAM /
80 GB Disk
• Web Server for the deployment of SVM
• vCenter-Clusters configured with Transport
Node Profile
• DHCP is required for SVM IP assignment in
case all ESXi in vCenter-Cluster do not share
a VDS-PortGroup / subnet
• Extra Large or BareMetal Edge Nodes
vSphere support • vSphere 6.7+
• Windows: VMware Tools 11.2.5+
• N/A
NSX Malware Detection and Prevention Requirements
New NSX
4.0.1

31
Traffic
Analyzed E/W + N/S N/S
Mode
Detection Yes Yes
Prevention Yes No
NSX Malware Detection and Prevention Limitations
New NSX
4.0.1

32
Analysis
Local Analysis Yes Yes
Cloud Analysis Yes Yes
VM Operating System Windows (new file),
Linux (new file)
N/A (analyze traffic through T1)
Dataplane protocol N/A (analyze on disk write) HTTP or FTP (or HTTPS if TLS Inspection is
enabled)
(Files download only)
Reporting - Sender Server IP No
(works on disk write and so doesn’t have IP visibility)
Yes
File Size Up to 64 MB Up to 64 MB
File Type (see Notes for more information) exe, xls, vba, zip, etc exe, xls, vba, zip, etc
Anti-Malware events to NDR No Yes
NSX Malware Detection and Prevention Limitations
New NSX
4.0.1

33
NSX Malware Detection and Prevention Scale
Malware Detection and Prevention scale is publicly on configmax: https://configmax.esp.vmware.com
NSX 4.1.0 Malware Detection
and Prevention scale

In This
Session
34
3
6
Advanced points:

35
NSX Malware Detection and Prevention High-Availability
T1 Gateway Malware Detection :
• Malware Engine Failure
• Malware Engine restarts
automatically (docker process)
• During failure
• File is NOT inspected
Gateway Malware Detection – Malware Engine Failure (1/3)
Physical Router
Tier-1
Overlay
VM
VM
Malware
Detection
VLAN
Tier-0
Edge Node
Cloud File Analysis
(in cloud)
Malware Engine
NAPP
Security Analyzer
Malware
File DB

36
• NAPP Security Analyzer Failure
• NAPP Security Analyzer restarts
automatically (docker process)
• During failure
• Gateway Local File hash is done
• Gateway Local Analysis NOT done
• Security Analyzer Cloud Analysis
NOT done
• Failure is reported (under “System - NSX
Application Platform”)
Gateway Malware Detection – NAPP Security Analyzer Failure (2/3)
Physical Router
Tier-1
Overlay
VM
VM
Malware
Detection
VLAN
Tier-0
Edge Node
Cloud File Analysis
(in cloud)
Malware Engine
NAPP
Security Analyzer
Malware
File DB

37
• Connectivity to Internet failure
• During failure
• Gateway Local File hash is done
• Gateway Local Analysis done
NOT done
Gateway Malware Detection – Internet Connectivity Failure (3/3)
Physical Router
Tier-1
Overlay
VM
VM
Malware
Detection
VLAN
Tier-0
Edge Node
Cloud File Analysis
(in cloud)
Malware Engine
NAPP
Security Analyzer
Malware
File DB

38
Distributed Malware Detection and
Prevention:
• VMTools NSX File Introspection
Driver Failure
• VMTools NSX File Introspection
Driver restarts automatically
• During failure
• New files are NOT inspected in
running VMs
• New VMs can NOT be started
• Failure is reported (under “Security -
Security Overview – Configuration”)
Distributed Malware Detection and Prevention – VMTools Failure (1/4)
Workload-VM
ESXi
VDS-PortGroup
SVM
Disk VMTools
Malware
Detection
and Prevention
Cloud File Analysis
(in cloud)
NAPP
Security Analyzer
Malware
File DB
ToR

39
Prevention:
• SVM Failure
• No high-availability
• During failure
• File is NOT inspected
• Failure is reported (under “System -
Service Deployments - Service Instances” and
“Alarm”)
Distributed Malware Detection and Prevention – SVM Failure (2/4)
Workload-VM
ESXi
VDS-PortGroup
SVM
Disk VMTools
Malware
Detection
and Prevention
Cloud File Analysis
(in cloud)
NAPP
Security Analyzer
Malware
File DB
ToR

40
Prevention:
• SVM Failure
• No high-availability
• During failure
• SVM Local File hash is done
• SVM Local Analysis NOT done
NOT done
Distributed Malware Detection and Prevention – NAPP Security Analyzer Failure (3/4)
Workload-VM
ESXi
VDS-PortGroup
SVM
Disk VMTools
Malware
Detection
and Prevention
Cloud File Analysis
(in cloud)
NAPP
Security Analyzer
Malware
File DB
ToR

41
Prevention:
• Connectivity to Internet failure
• During failure
• SVM Local File hash is done
• SVM Local Analysis done
NOT done
Distributed Malware Detection and Prevention – NAPP Security Analyzer Failure (4/4)
Workload-VM
ESXi
VDS-PortGroup
SVM
Disk VMTools
Malware
Detection
and Prevention
Cloud File Analysis
(in cloud)
NAPP
Security Analyzer
Malware
File DB
ToR

In This
Session
42
3
6
Advanced points:

44
File Score Determined
by Local Analysis (GW or
SVM)
Endpoint
Malware File DB
Security Analyzer
Malware File DB
Other Endpoints
Malware File DB
Gateway or Distributed
Detection Endpoint
(File score determined by Gateway
or Distributed Endpoint)
File Scoring = File in DB = File in DB = File not in DB
File Scoring = File in DB = File in DB = File in DB =
Files Score Determined by Gateway or Distributed Endpoint
Malware File DB Population
Tier-1
Malware
Detection
Edge Node
Malware Engine
Tier-1
Malware
Detection
Edge Node
Malware Engine
Tier-1
Malware
Detection
Edge Node
Malware Engine
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
Tier-1
Malware
Detection
Edge Node
Malware Engine
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
NAPP
Security Analyzer
Malware
File DB
Tier-1
Malware
Detection
Edge Node
Malware Engine
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

45
File Score Determined
by Security Analyzer or
Cloud
Security Analyzer
Malware File DB
Original Endpoint
Malware File DB
Other Endpoints
Malware File DB
Security Analyzer or Cloud
(File score determined Security
Analyzer or Cloud)
File Scoring = File in DB = File in DB = File not in DB
File Scoring = File in DB = File in DB= File in DB=
Files Score Determined by Security Analyzer or Cloud
Malware File DB Population
Tier-1
Malware
Detection
Edge Node
Malware Engine
Tier-1
Malware
Detection
Edge Node
Malware Engine
Tier-1
Malware
Detection
Edge Node
Malware Engine
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
NAPP
Security Analyzer
Malware
File DB
Tier-1
Malware
Detection
Edge Node
Malware Engine
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management
NAPP
Security Analyzer
Malware
File DB

In This
Session
46
3
6
Advanced points:

47
1. Validate the requirements (see Requirement slides above)
2. Deploy NSX Malware component in NAPP
a. Activate NSX Malware Prevention in NAPP
– Under “System – Configuration – NSX Application Platform”
Malware Detection and Prevention Installation (1/17)

48
2. Deploy NSX Malware component in NAPP
b. Select Cloud region
• The following NSX Advanced Threat Prevention URLs are
contacted
• nsx.west.us.lastline.com
if you selected at the installation “Malware Cloud
Region = United States”
• nsx.nl.emea.lastline.com
if you selected Malware Cloud “Malware Cloud Region
= European Union”
c. Run Pre-Checks
d. Activate

49
3. NSX Malware Setup
a. Start wizard
– Under “Security – Policy Management – IDS/IPS & Malware Prevention”

50
b. Select Malware Prevention
– “North-South Traffic” (for GW Malware)
– “East—West Traffic” (for Distributed Malware)

51
c. (Optional) Configure Proxy
– If NAPP (K8s Workers IP address) don’t have direct Internet Access

52
d. Deploy NAPP if not already done
– In the screenshot below, NAPP has been already deployed

54
e. (Optional) Deploy Malware Service VM (SVM)
– Required only for Distributed Malware
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

55
e. (Optional) Deploy Malware Service VM (SVM) – cont.
i. Create SVM Catalog (only API)
• Download SVM OVA from VMware Download
• Unzip the OVA file to an external HTTP or HTTPS web server highly-available (you have 4 files)
• API call to create SVM catalog
Attention: Be sure the external web server is configured with MIME types:
• ovf: application/vmware
• ova: application/x-virtualbox-ova
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

56
ii. (Optional) Create IP Pool for future SVM Management IP (1 per ESXi) in case Management network doesn’t have DHCP
• Under “Networking – IP Management – IP Address Pools – IP Pools”
Attention:
DNS Server + DNS Suffix must be set.
Malware SVM will reach to NAPP via its napp messaging FQDN
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

57
iii. Deploy Malware SVM
• Under “System – Configuration – Service Deployments – Deployment”, select “Partner Service – VMware NSX Distributed Malware
Prevention Service”, click ”Deploy Service”
DHCP could also be used.
DHCP is required in case all ESXi in the same vCenter-Cluster do not
share a VDS-PortGroup / Subnet.
SSH Public Key for SSH access to the SVM (useful only for
deep-troubleshooting reasons)
(See Notes for steps to enable SSH on SVM + example of SSH
Public Key )
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

58
iv. Validation of Malware SVM deployment
• In NSX – Deployment successful
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

59
iv. Validation of Malware SVM deployment – cont.
• In vCenter – SVM are deployed and running
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

60
iv. Validation of Malware SVM deployment – cont.
• ESXi – New isolated VSS
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

61
f. Enable Malware on Nodes
i. (Optional) Enable Distributed Malware on vCenter Clusters
• Done in previous step
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

62
f. Enable Malware on Nodes – cont.
ii. (Optional) Enable Malware on Gateways
• Select the T1 Gateway(s)
Tier-1
Malware
Detection
Edge Node
Malware Engine
Required only for
Gateway Malware

63
4. (Optional) Install File Introspection Driver on VMs (Windows / Linux)
- Required only for Distributed Malware
a. Windows
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

64
4. (Optional) Install File Introspection Driver on VMs (Windows / Linux)
- Required only for Distributed Malware
b. Linux
See NSX Administration https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-4871C429-CFE6-41C9-86C9-
7FCFE9C95EC8.html
Example of Installation for Ubuntu 20.04 (Focal)
1. Obtain and import the VMware packaging public keys using the following commands.
curl -O https://packages.vmware.com/packages/nsx-gi/keys/VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
sudo apt-key add VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
2. Create a new file named vmware.list file under /etc/apt/sources.list.d
3. Edit the file with the following content:
deb [arch=amd64] https://packages.vmware.com/packages/nsx-gi/latest/ubuntu/ focal main
4. Install the package.
sudo apt-get update
sudo apt-get install vmware-nsx-gi-file
5. Validate installation.
sudo systemctl status vsepd
Required only for
Distributed Malware
ESXi
SVM
Malware
Detection
and Prevention
VM
VM
Management

In This
Session
65
3
6
Advanced points:

66
Malware components in NAPP
NSX Malware Detection and Prevention Upgrade (1/2)
• Upgrade Malware components in NAPP
• This step is done automatically during the NAPP upgrade

67
SVM VMs
NSX Malware Detection and Prevention Upgrade (2/2)
• Upgrade SVM VMs
• API call to create new SVM catalog
• Change Appliance in Service Deployment
More details in the Admin Guide here.

In This
Session
68
3
6
Advanced points:

69
To know which VMware Tools releases are supported on Windows for each NSX release for Malware:
• Refer to interop matrix to find the supported VMware Tool version supported for each NSX release
VMware Tool releases
Supported Windows versions and VMware Tools releases (1/2)

70
To know which Windows OS are supported for each VMware Tool release:
 Check the VMware Tool Release Note https://docs.vmware.com/en/VMware-Tools/index.html for its specific
release
Windows OS
Supported Windows versions and VMware Tools releases (2/2)

NSX 4.0-4.1 Anti-Malware 301 ToI - v1.10.pptx

Recommandé

Recommandé

Contenu connexe

Similaire à NSX 4.0-4.1 Anti-Malware 301 ToI - v1.10.pptx

Similaire à NSX 4.0-4.1 Anti-Malware 301 ToI - v1.10.pptx (20)

Dernier

Dernier (20)

NSX 4.0-4.1 Anti-Malware 301 ToI - v1.10.pptx

Notes de l'éditeur