This document discusses NSX Malware Detection and Prevention, which detects and prevents the transfer of malicious files wherever they may occur. It provides an overview of the NSX Malware Detection and Prevention capabilities including gateway malware detection, distributed malware detection and prevention, and reporting. The presentation also covers requirements, limitations, and advanced topics related to NSX Malware Detection and Prevention such as high availability, file database population, installation, and upgrade.
2. Detect & Prevent the transfer of malicious files, wherever these might occur
NSX Malware Detection and Prevention
[Diagram: NSX security stack: NDR, NTA, Malware Prevention, IDS/IPS, Segmentation]
3. In This Session
1. What’s new in NSX 4.0.1
2. NSX Malware Detection and Prevention – What is it?
3. How does NSX Malware Detection and Prevention work?
   • Malware Detection and Prevention
   • Gateway Malware Detection
   • Distributed Malware Detection and Prevention
4. NSX Malware Detection and Prevention - Reporting
5. NSX Malware Detection and Prevention Requirements / Limitations / Scale
6. Advanced points:
   • NSX Malware Detection and Prevention High-Availability
   • Malware File DB Population
   • NSX Malware Detection and Prevention Installation
   • NSX Malware Detection and Prevention Upgrade
   • Supported Windows versions and VMware Tools releases
5. Malware Detection and Prevention 4.0.1.1 Enhancements
Detection and Prevention
• Scope
   • Distributed Malware Detection and Prevention for Linux
   • Distributed Malware Detection and Prevention for all file types (exe, xls, vba, zip, etc)
• Performance
   • Malware Detection on Baremetal Edges
• Operations
   • Search Enhancements for Malware Detection and Prevention Monitoring
   • Malware Detection and Prevention Alarms
[Diagram: Physical Router, Tier-0 and Tier-1 gateways with VLAN and Overlay segments and their VMs]
10. NSX Security – Feature Set
VMware NSX Security: Security for East-West and Zone / Cloud Edge Traffic, across Multi-Cloud, VMs, Physical Servers and Containers
• Advanced Threat Prevention: IDS/IPS | Malware Detection & Malware Prevention | Network Traffic Analysis (VMware Threat Analysis Unit)
• Gateway Firewall: App ID & User ID | FQDN Analysis | URL Filtering | TLS Inspection
• Distributed Firewall: App ID & User ID | FQDN Filtering | Malicious IP
• Security Analytics and Management: App Flow Discovery | Rule Recommendations | Policy Management | Network Detection & Response
ELASTIC SCALE | APPLICATION AWARE | NO NETWORK CHANGES | POLICY AUTOMATION
11. NSX Malware Detection and Prevention is one data source of NSX Network Detection and Response (NDR)
[Diagram: NDR correlates Malware Events (from NSX Malware Detection and Prevention), Anomaly Events and Threat Detection Events; example campaign labels: Remote Code Execution, Darkside, Remote Services Anomaly, DNS Tunneling]
12. NSX Malware Detection and Prevention – Enforcement Points
Malware Detection/Prevention is enforced at 2 points:
• Central (1)
   • On T1 Uplinks and Service Interfaces
   • Malware Detection only
• Distributed (2)
   • On Windows and Linux VMs
   • Malware Detection
   • Malware Prevention
[Diagram: Physical Router, Tier-0 and Tier-1 gateways with VLAN and Overlay segments; (1) marks the Tier-1 uplinks and service interfaces, (2) marks each VM; NSX security stack: NDR, NTA, Malware Prevention, IDS/IPS, Segmentation]
14. NSX Malware Detection and Prevention – High-Level View
Malware is enforced at 2 points:
• Central: Malware Detection only
• Distributed: Malware Detection and Prevention
[Diagram: Physical Router > Tier-0 > Tier-1 (Malware Detection) > VM (Malware Detection and Prevention)]
15. NSX Malware Detection and Prevention – Distributed and Gateway Malware Positioning
Distributed Malware Detection and Prevention (Dist-Malware) does:
• offer Detection and Prevention
• for both Windows + Linux (Note: requires the File Introspection Driver on the VM)
• whatever the protocol used (HTTP / HTTPS / FTP / SMB / SCP / etc.)
But Dist-Malware does not send events to NDR.
Gateway Malware Detection (GW-Malware) does:
• offer Detection
• for any type of VM / physical servers / containers
• for some protocols (HTTP + FTP traffic + HTTPS (if TLS Inspection configured))
• and sends events to NDR
16. NSX Malware Detection and Prevention – Low-Level View
Malware Detection and Prevention:
1. File Characteristics (file hash)
   • To detect if the file has already been seen
   • If new file, continue with step 2
2. Local File Analysis
   – Done locally
   – Analyze file structure/code
   – (Optional) Determines if further Cloud Analysis is needed
3. (Optional) Cloud Analysis
   – Files sent to the NSX Advanced Threat Prevention Service
   – Behavior Analysis in Sandbox
      • Network Behaviors
      • Read / Write / Encryption on disk
      • Processes read / launched / stopped
      • etc
[Flow diagram: Tier-1 / VM → file hash → Known File (result: Benign, Malicious or Suspicious) or Unknown File → Local File Analysis (done locally) → Local Analysis Result: Benign, Malicious or Suspicious, or In Progress (requires more analysis) → (optional, if needed) Cloud File Analysis (in cloud) → Result: Benign, Malicious or Suspicious]
Scores:
• Benign: File safe (score = 0-29)
• Suspicious: File potentially harmful and not blocked by NSX Malware Prevention (score = 30-69)
• Malicious: File harmful and blocked by NSX Malware Prevention (score = 70-100)
17. NSX Malware Detection and Prevention – Local and Cloud Analysis
Local Analysis:
• Good for prefiltering clearly Benign Files
• Good at prefiltering obvious Malicious Files
• File signature, file structure, URLs, JS scripts, VBA macros, XL4 code, key strings, structure analysis, YARA rules, image analysis (OCR), etc
• Determines if Cloud Analysis is needed
Cloud Analysis:
• Files are sent to the NSX Advanced Threat Prevention Service (Lastline Next-Gen Sandbox Cloud)
• Behavior Analysis
• Fast – uses a hybrid approach between Full System Emulation and Hypervisor
• Hard to fingerprint – outside the guest OS instrumentation
• Has full visibility into subject behavior and system memory
• Resistant to evasion – dynamically responds to evasion tricks
18. NSX Malware Detection and Prevention – Cloud Analysis: Full System Emulation
[Diagram: a typical enterprise sandbox runs Web, Files, Apps and Operating Systems on CPU/Memory above a hypervisor on physical hardware; the VMware cloud sandbox emulates the full system (CPU, Memory, Network) beneath the guest]
Typical Enterprise Sandbox Capabilities:
• Incomplete hardware emulation inhibits observability of malware
VMware Cloud Sandbox Capabilities (Full System Emulation):
• Visibility of evasive malware
• Dormant code analysis: locates code blocks that don’t execute
• Code branch triggering
• Code branch replay
• Evasion detection
• Switching processor mode from 32 to 64 bit
• Analysis does not require custom OS images or app versions
• Code injection
• Unpacking
• Analyze network capabilities
• Object risk assessment
• Signature generation
• NTA model generation
20. Gateway Malware Detection – Capabilities
• Detection of known and unknown malicious files at the network/zone perimeter
• Supported on T1 (Uplink and Service Interface)
• Many file types (documents, executables, archives, scripts)
• Hash lookup, Local analysis and Cloud-based dynamic analysis
• No hairpinning, network-latency or re-architecture
• Full system-emulation cloud sandbox enables detection of evasive malware
• IDPS-based file extraction
[Diagram: Physical Router, Tier-0 and Tier-1 gateways with VLAN and Overlay segments and their VMs]
21. Gateway Malware Detection – Packet Walk
T1 Gateway Malware:
• On T1 Uplinks and Service Interfaces
• Intercept File
   – over HTTP or FTP (or HTTPS if TLS Inspection is enabled)
   – for file downloads (HTTP and FTP GET)
   – different file types (see Notes for exhaustive list)
• Malware Detection only
   – Detect known and previously unseen malicious files with local analysis
      1. File Hash (local)
      2. If File Hash Local = No Match, File Hash on Security Analyzer
      3. If File Hash Security Analyzer = No Match, Local Analysis
      4. (optional) Cloud Analysis if needed and configured
• (optional) Data Source for NSX NDR
[Packet-walk diagram: Physical Router / Tier-0 / Tier-1 (Malware Detection) on the Edge Node, whose Malware Engine holds a Malware File DB; the Edge Node sends the File Hash to the NAPP Security Analyzer (Malware File DB), which returns the result of the File Hash, sends a statistic if the hash matches, and optionally sends the file for Cloud Analysis; Cloud File Analysis (in cloud) returns the cloud analysis report, otherwise the local analysis report is sent; transfer protocol: HTTP or FTP (or HTTPS if TLS Inspection enabled); file type: exe, xls, vba, zip, etc; events to NDR]
24. Distributed Malware Detection and Prevention – Capabilities (new in NSX 4.0.1)
• Network-Independent Detection & Prevention of known and unknown malicious files
• Windows and Linux VMs
• All file types
• Hash lookup, Local analysis and Cloud-based dynamic analysis
• No hairpinning, network-latency or re-architecture
• Full system-emulation cloud sandbox enables detection of evasive malware
• Guest-introspection based file-extraction and blocking for DFW
[Diagram: Physical Router, Tier-0 and Tier-1 gateways with VLAN and Overlay segments and their VMs]
25. Distributed Malware Detection and Prevention – Packet Walk
Distributed Malware:
• On the VM, intercept file
   – Done on Disk Write
   – Any file type (see Notes for exhaustive list)
• Malware Detection and Prevention
   – Detect and block known and previously unseen malicious files with local analysis (SVM)
• Send File to SVM for local analysis
   1. File Hash Local
   2. If File Hash Local = No Match, File Hash on Security Analyzer
   3. If File Hash Security Analyzer = No Match, Local Analysis
   4. (optional) Cloud Analysis if needed and configured
[Packet-walk diagram: Workload-VM with Guest Introspection on ESXi (VDS-PortGroup on an NSX Segment, VLAN or Overlay, towards the ToR); the file is sent for local analysis to the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention, Malware File DB); the SVM sends the File Hash to the NAPP Security Analyzer (Malware File DB), which returns the result of the File Hash, sends a statistic if the hash matches, and optionally sends the file for Cloud Analysis; Cloud File Analysis (in cloud) returns the cloud analysis report, otherwise the local analysis report is sent. Transfer: any (Dist. Malware is not on networking but on disk-write access); file type: any]
26. Distributed Malware Detection and Prevention – Logs
Distributed Malware logs are in the NAPP log (INFO level).
See slide notes to export the Edge Node log to an external syslog server.
Currently NAPP exports logs encrypted, so they are not readable by syslog servers (bug 3062719).
[Screenshot: log export – currently not available]
28. NSX Malware Detection and Prevention – Reporting
Malware Detection and Prevention:
• Simple and clear reports on inspected files
• with up to 2 weeks of history
• Very deep information on the malware
30. NSX Malware Detection and Prevention Requirements (new in NSX 4.0.1)
Licensing:
• Distributed Malware Prevention: Distributed Firewall with Advanced Threat Prevention License
• Gateway NSX Malware Prevention: Gateway Firewall with Advanced Threat Prevention License
Pre-Requisites (both):
• NAPP
• Internet Connectivity even if Cloud inspection is disabled (see Notes for more information)
Pre-Requisites (Distributed Malware Prevention):
• Windows: VMware Tools with NSX File Introspection Driver
• Linux: File Introspection driver for supported versions of Linux (see Notes)
• On each ESXi for the SVM: 4 vCPU / 6 GB RAM / 80 GB Disk
• Web Server for the deployment of the SVM
• vCenter-Clusters configured with a Transport Node Profile
• DHCP is required for SVM IP assignment in case all ESXi in the vCenter-Cluster do not share a VDS-PortGroup / subnet
Pre-Requisites (Gateway NSX Malware Prevention):
• Extra Large or BareMetal Edge Nodes
vSphere support:
• Distributed Malware Prevention: vSphere 6.7+; Windows: VMware Tools 11.2.5+
• Gateway NSX Malware Prevention: N/A
32. NSX Malware Detection and Prevention Limitations (new in NSX 4.0.1)
| Analysis | Distributed Malware Prevention | Gateway NSX Malware Prevention |
| Local Analysis | Yes | Yes |
| Cloud Analysis | Yes | Yes |
| VM Operating System | Windows (new file), Linux (new file) | N/A (analyzes traffic through T1) |
| Dataplane protocol | N/A (analyzes on disk write) | HTTP or FTP (or HTTPS if TLS Inspection is enabled); file downloads only |
| Reporting - Sender Server IP | No (works on disk write, so has no IP visibility) | Yes |
| File Size | Up to 64 MB | Up to 64 MB |
| File Type (see Notes for more information) | exe, xls, vba, zip, etc | exe, xls, vba, zip, etc |
| Anti-Malware events to NDR | No | Yes |
33. NSX Malware Detection and Prevention Scale
Malware Detection and Prevention scale is published on ConfigMax: https://configmax.esp.vmware.com
[Screenshot: NSX 4.1.0 Malware Detection and Prevention scale]
35. NSX Malware Detection and Prevention High-Availability – Gateway Malware Detection – Malware Engine Failure (1/3)
T1 Gateway Malware Detection:
• Malware Engine Failure
   • Malware Engine restarts automatically (docker process)
   • During failure
      • File is NOT inspected
[Diagram: Physical Router / Tier-0 / Tier-1 (Malware Detection) on the Edge Node Malware Engine; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
36. NSX Malware Detection and Prevention High-Availability – Gateway Malware Detection – NAPP Security Analyzer Failure (2/3)
T1 Gateway Malware Detection:
• NAPP Security Analyzer Failure
   • NAPP Security Analyzer restarts automatically (docker process)
   • During failure
      • Gateway Local File hash is done
      • Gateway Local Analysis NOT done
      • Security Analyzer Cloud Analysis NOT done
      • Failure is reported (under “System - NSX Application Platform”)
[Diagram: Physical Router / Tier-0 / Tier-1 (Malware Detection) on the Edge Node Malware Engine; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
37. NSX Malware Detection and Prevention High-Availability – Gateway Malware Detection – Internet Connectivity Failure (3/3)
T1 Gateway Malware Detection:
• Connectivity to Internet failure
   • During failure
      • Gateway Local File hash is done
      • Gateway Local Analysis done
      • Security Analyzer Cloud Analysis NOT done
      • Failure is reported (under “System - NSX Application Platform”)
[Diagram: Physical Router / Tier-0 / Tier-1 (Malware Detection) on the Edge Node Malware Engine; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
38. NSX Malware Detection and Prevention High-Availability – Distributed Malware Detection and Prevention – VMTools Failure (1/4)
Distributed Malware Detection and Prevention:
• VMTools NSX File Introspection Driver Failure
   • VMTools NSX File Introspection Driver restarts automatically
   • During failure
      • New files are NOT inspected in running VMs
      • New VMs can NOT be started
      • Failure is reported (under “Security - Security Overview – Configuration”)
[Diagram: Workload-VM (VMTools) on ESXi; SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention); VDS-PortGroup (NSX Segment VLAN or Overlay) towards the ToR; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
39. NSX Malware Detection and Prevention High-Availability – Distributed Malware Detection and Prevention – SVM Failure (2/4)
Distributed Malware Detection and Prevention:
• SVM Failure
   • No high-availability
   • During failure
      • File is NOT inspected
      • Failure is reported (under “System - Service Deployments - Service Instances” and “Alarm”)
[Diagram: Workload-VM (VMTools) on ESXi; SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention); VDS-PortGroup (NSX Segment VLAN or Overlay) towards the ToR; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
40. NSX Malware Detection and Prevention High-Availability – Distributed Malware Detection and Prevention – NAPP Security Analyzer Failure (3/4)
Distributed Malware Detection and Prevention:
• NAPP Security Analyzer Failure
   • NAPP Security Analyzer restarts automatically (docker process)
   • During failure
      • SVM Local File hash is done
      • SVM Local Analysis NOT done
      • Security Analyzer Cloud Analysis NOT done
      • Failure is reported (under “System - NSX Application Platform”)
[Diagram: Workload-VM (VMTools) on ESXi; SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention); VDS-PortGroup (NSX Segment VLAN or Overlay) towards the ToR; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
41. NSX Malware Detection and Prevention High-Availability – Distributed Malware Detection and Prevention – Internet Connectivity Failure (4/4)
Distributed Malware Detection and Prevention:
• Connectivity to Internet failure
   • During failure
      • SVM Local File hash is done
      • SVM Local Analysis done
      • Security Analyzer Cloud Analysis NOT done
      • Failure is reported (under “System - NSX Application Platform”)
[Diagram: Workload-VM (VMTools) on ESXi; SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention); VDS-PortGroup (NSX Segment VLAN or Overlay) towards the ToR; NAPP Security Analyzer with Malware File DB; Cloud File Analysis (in cloud)]
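Added example (not VMware code) that models the file walk from the Low-Level View and the two Packet Walk slides together with the failure behaviours listed on the high-availability slides: local hash, Security Analyzer hash, local analysis, optional cloud analysis, the 0-29 / 30-69 / 70-100 score bands, and blocking only at the distributed enforcement point. The Malware File DBs, analysis results and file contents are constructed stand-ins, and the choice to keep the local score when the cloud is unreachable is an assumption.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

BENIGN_MAX, SUSPICIOUS_MAX = 29, 69   # score bands from the Low-Level View slide


def score_verdict(score: int) -> str:
    """Map a 0-100 file score to benign / suspicious / malicious."""
    if not 0 <= score <= 100:
        raise ValueError("score must be in 0..100")
    if score <= BENIGN_MAX:
        return "benign"
    if score <= SUSPICIOUS_MAX:
        return "suspicious"
    return "malicious"


@dataclass
class Availability:                 # which components are up (defaults: normal operation)
    engine: bool = True             # Edge Malware Engine, or SVM + File Introspection Driver
    analyzer: bool = True           # NAPP Security Analyzer
    internet: bool = True           # path to the NSX Advanced Threat Prevention cloud


@dataclass
class Inspection:
    enforcement: str                # "gateway" or "distributed"
    steps: List[str] = field(default_factory=list)
    score: Optional[int] = None
    blocked: bool = False

    @property
    def verdict(self) -> str:
        return score_verdict(self.score) if self.score is not None else "not inspected"


def inspect(enforcement: str, data: bytes,
            local_db: Dict[str, int], analyzer_db: Dict[str, int],
            local_analysis: Callable[[bytes], Tuple[int, bool]],
            cloud_analysis: Callable[[bytes], int],
            cloud_enabled: bool = True, avail: Optional[Availability] = None) -> Inspection:
    """Walk one intercepted file through the hash lookups, local and cloud analysis.
    local_db / analyzer_db stand in for the endpoint's and the Security Analyzer's
    Malware File DB (sha256 hex -> score); local_analysis returns (score, needs_cloud)."""
    avail = avail or Availability()
    r = Inspection(enforcement)
    if not avail.engine:            # Malware Engine / SVM / driver failure
        r.steps.append("engine down: file NOT inspected")
        return r
    h = hashlib.sha256(data).hexdigest()
    r.steps.append("local hash")    # step 1: has this endpoint already seen the file?
    if h in local_db:
        r.score = local_db[h]
        r.steps.append("local hash match")
    elif not avail.analyzer:        # Security Analyzer failure: only the local hash is done
        r.steps.append("analyzer down: analyzer hash and local analysis NOT done")
    else:
        r.steps.append("analyzer hash")                     # step 2
        if h in analyzer_db:
            r.score = analyzer_db[h]
            r.steps.append("analyzer hash match")
        else:
            r.score, needs_cloud = local_analysis(data)     # step 3
            r.steps.append("local analysis")
            if needs_cloud and cloud_enabled:               # step 4
                if avail.internet:
                    r.score = cloud_analysis(data)
                    r.steps.append("cloud analysis")
                else:               # assumption: the local score stands while the cloud is unreachable
                    r.steps.append("internet down: cloud analysis NOT done")
        local_db[h] = r.score       # this endpoint has now "seen" the file
    if enforcement == "distributed" and r.verdict == "malicious":   # blocking is distributed-only
        r.blocked = True
        r.steps.append("blocked by Malware Prevention")
    return r


def demo() -> Dict[str, Inspection]:
    # Constructed sample files, DB contents and analysis results.
    known_benign = b"constructed: installer seen before by this endpoint"
    known_bad = b"constructed: hash known only to the Security Analyzer"
    new_file = b"constructed: never-seen dropper"
    local_db = {hashlib.sha256(known_benign).hexdigest(): 3}
    analyzer_db = {hashlib.sha256(known_bad).hexdigest(): 95}
    local = lambda _d: (55, True)   # inconclusive local verdict that asks for the cloud
    cloud = lambda _d: 88

    def run(enf, data, **kw):
        return inspect(enf, data, dict(local_db), dict(analyzer_db), local, cloud, **kw)

    return {
        "gw_known_benign": run("gateway", known_benign),
        "gw_known_bad": run("gateway", known_bad),
        "dist_new": run("distributed", new_file),
        "dist_no_internet": run("distributed", new_file, avail=Availability(internet=False)),
        "gw_no_analyzer": run("gateway", new_file, avail=Availability(analyzer=False)),
        "dist_svm_down": run("distributed", new_file, avail=Availability(engine=False)),
    }
```

Each `Inspection.steps` list records which stages ran, so the same walk can be compared across the failure modes on the slides above.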
43. Malware File DB Population – File Score Determined by Gateway or Distributed Endpoint
File score determined by Local Analysis (GW or SVM):
Endpoint Malware File DB | Security Analyzer Malware File DB | Other Endpoints Malware File DB
File in DB | File in DB | File not in DB
File in DB | File in DB | File in DB
[Diagram: several Tier-1 / Edge Node Malware Engines (Malware Detection) and ESXi hosts with an SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), connected over the Management network to the NAPP Security Analyzer Malware File DB]
44. Malware File DB Population – File Score Determined by Security Analyzer or Cloud
File score determined by the Security Analyzer or the Cloud:
Security Analyzer Malware File DB | Original Endpoint Malware File DB | Other Endpoints Malware File DB
File in DB | File in DB | File not in DB
File in DB | File in DB | File in DB
[Diagram: several Tier-1 / Edge Node Malware Engines (Malware Detection) and ESXi hosts with an SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), connected over the Management network to the NAPP Security Analyzer Malware File DB]
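Added example (not VMware code) for the two Malware File DB population slides above. It assumes, from the two rows on each slide, that a score first lands in the origin endpoint's DB and the Security Analyzer's DB and only later in the other endpoints' DBs, and that a later lookup follows the packet walk order (local DB, then Security Analyzer). Endpoint names and hashes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Endpoint:
    """A Gateway Malware Engine (Edge Node) or a Distributed Malware SVM."""
    name: str
    db: Dict[str, int] = field(default_factory=dict)   # Malware File DB: hash -> score


class MalwareFileDBs:
    """Security Analyzer DB plus every endpoint DB, with the two population steps."""

    def __init__(self, endpoints):
        self.analyzer_db: Dict[str, int] = {}
        self.endpoints = {e.name: e for e in endpoints}

    def score_determined(self, origin: str, file_hash: str, score: int, decided_by: str) -> None:
        """First row of the slide tables: whoever produced the score (the endpoint's local
        analysis, the Security Analyzer or the Cloud), it is stored on the origin endpoint
        and on the Security Analyzer; the other endpoints do not have it yet."""
        if decided_by not in ("endpoint", "analyzer", "cloud"):
            raise ValueError("decided_by must be endpoint, analyzer or cloud")
        self.endpoints[origin].db[file_hash] = score
        self.analyzer_db[file_hash] = score

    def distribute(self, file_hash: str) -> int:
        """Second row: the Security Analyzer's score reaches the other endpoints.
        Returns how many endpoint DBs were newly populated."""
        score = self.analyzer_db[file_hash]
        added = 0
        for ep in self.endpoints.values():
            if file_hash not in ep.db:
                ep.db[file_hash] = score
                added += 1
        return added

    def lookup(self, endpoint: str, file_hash: str) -> Tuple[str, Optional[int]]:
        """Steps 1-2 of the packet walk: local Malware File DB first, then the Analyzer."""
        ep = self.endpoints[endpoint]
        if file_hash in ep.db:
            return "local", ep.db[file_hash]
        if file_hash in self.analyzer_db:
            return "analyzer", self.analyzer_db[file_hash]
        return "none", None

    def presence(self, file_hash: str) -> Dict[str, bool]:
        """One row of the slide tables: which DBs currently hold the file."""
        row = {"analyzer": file_hash in self.analyzer_db}
        row.update({n: file_hash in e.db for n, e in self.endpoints.items()})
        return row


def demo():
    fabric = MalwareFileDBs([Endpoint("edge-1"), Endpoint("edge-2"),
                             Endpoint("svm-1"), Endpoint("svm-2")])
    file_a = "a" * 64   # constructed hash: scored by edge-1's local analysis
    file_b = "b" * 64   # constructed hash: scored by the Cloud on behalf of svm-1
    fabric.score_determined("edge-1", file_a, 15, "endpoint")
    fabric.score_determined("svm-1", file_b, 90, "cloud")
    before = {"svm-2_a": fabric.lookup("svm-2", file_a),   # local miss, Analyzer hit
              "edge-1_a": fabric.lookup("edge-1", file_a),
              "a": fabric.presence(file_a)}
    added = fabric.distribute(file_a) + fabric.distribute(file_b)
    after = {"svm-2_a": fabric.lookup("svm-2", file_a),
             "edge-2_b": fabric.lookup("edge-2", file_b),
             "a": fabric.presence(file_a)}
    return before, added, after
```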
46. Malware Detection and Prevention Installation (1/17)
1. Validate the requirements (see Requirement slides above)
2. Deploy NSX Malware component in NAPP
   a. Activate NSX Malware Prevention in NAPP
      – Under “System – Configuration – NSX Application Platform”
47. Malware Detection and Prevention Installation (2/17)
2. Deploy NSX Malware component in NAPP
   b. Select Cloud region
      • The following NSX Advanced Threat Prevention URLs are contacted:
         • nsx.west.us.lastline.com if you selected “Malware Cloud Region = United States” at installation
         • nsx.nl.emea.lastline.com if you selected “Malware Cloud Region = European Union”
   c. Run Pre-Checks
   d. Activate
48. Malware Detection and Prevention Installation (3/17)
3. NSX Malware Setup
   a. Start wizard
      – Under “Security – Policy Management – IDS/IPS & Malware Prevention”
50. Malware Detection and Prevention Installation (5/17)
3. NSX Malware Setup
   c. (Optional) Configure Proxy
      – If NAPP (K8s Worker IP addresses) doesn’t have direct Internet access
51. Malware Detection and Prevention Installation (6/17)
3. NSX Malware Setup
   d. Deploy NAPP if not already done
      – In the screenshot below, NAPP has already been deployed
52. Malware Detection and Prevention Installation (7/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM)
      – Required only for Distributed Malware
[Diagram: ESXi host with the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), the workload VMs and the Management network; required only for Distributed Malware]
53. Malware Detection and Prevention Installation (8/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      i. Create SVM Catalog (API only)
         • Download the SVM OVA from VMware Download
         • Unzip the OVA file to an external, highly-available HTTP or HTTPS web server (you have 4 files)
         • API call to create the SVM catalog
Attention: Be sure the external web server is configured with MIME types:
• ovf: application/vmware
• ova: application/x-virtualbox-ova
[Diagram: ESXi host with the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), the workload VMs and the Management network; required only for Distributed Malware]
54. Malware Detection and Prevention Installation (9/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      ii. (Optional) Create an IP Pool for the future SVM Management IPs (1 per ESXi) in case the Management network doesn’t have DHCP
         • Under “Networking – IP Management – IP Address Pools – IP Pools”
Attention: DNS Server + DNS Suffix must be set. The Malware SVM reaches NAPP via its NAPP messaging FQDN.
[Diagram: ESXi host with the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), the workload VMs and the Management network; required only for Distributed Malware]
55. Malware Detection and Prevention Installation (10/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      iii. Deploy Malware SVM
         • Under “System – Configuration – Service Deployments – Deployment”, select “Partner Service – VMware NSX Distributed Malware Prevention Service”, click “Deploy Service”
DHCP could also be used. DHCP is required in case all ESXi in the same vCenter-Cluster do not share a VDS-PortGroup / Subnet.
SSH Public Key for SSH access to the SVM (useful only for deep-troubleshooting reasons). See Notes for the steps to enable SSH on the SVM and an example SSH Public Key.
[Diagram: ESXi host with the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention), the workload VMs and the Management network; required only for Distributed Malware]
56. Malware Detection and Prevention Installation (11/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      iv. Validation of Malware SVM deployment
         • In NSX – Deployment successful
[Screenshot; required only for Distributed Malware]
57. Malware Detection and Prevention Installation (12/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      iv. Validation of Malware SVM deployment – cont.
         • In vCenter – SVMs are deployed and running
[Screenshot; required only for Distributed Malware]
58. Malware Detection and Prevention Installation (13/17)
3. NSX Malware Setup
   e. (Optional) Deploy Malware Service VM (SVM) – cont.
      iv. Validation of Malware SVM deployment – cont.
         • ESXi – New isolated VSS (VSS-vmservice-vswitch)
[Screenshot; required only for Distributed Malware]
59. Malware Detection and Prevention Installation (14/17)
3. NSX Malware Setup
   f. Enable Malware on Nodes
      i. (Optional) Enable Distributed Malware on vCenter Clusters
         • Done in the previous step
[Diagram: ESXi host with the SVM on the VSS-vmservice-vswitch (Malware Detection and Prevention); required only for Distributed Malware]
60. Malware Detection and Prevention Installation (15/17)
3. NSX Malware Setup
   f. Enable Malware on Nodes – cont.
      ii. (Optional) Enable Malware on Gateways
         • Select the T1 Gateway(s)
[Diagram: Tier-1 (Malware Detection) on the Edge Node Malware Engine; required only for Gateway Malware]
61. Malware Detection and Prevention Installation (16/17)
4. (Optional) Install File Introspection Driver on VMs (Windows / Linux) - Required only for Distributed Malware
   a. Windows
[Screenshot; required only for Distributed Malware]
62. 64
4. (Optional) Install File Introspection Driver on VMs (Windows / Linux)
- Required only for Distributed Malware
b. Linux
See NSX Administration https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-4871C429-CFE6-41C9-86C9-
7FCFE9C95EC8.html
Example of Installation for Ubuntu 20.04 (Focal)
1. Obtain and import the VMware packaging public keys using the following commands.
curl -O https://packages.vmware.com/packages/nsx-gi/keys/VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
sudo apt-key add VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
2. Create a new file named vmware.list file under /etc/apt/sources.list.d
3. Edit the file with the following content:
deb [arch=amd64] https://packages.vmware.com/packages/nsx-gi/latest/ubuntu/ focal main
4. Install the package.
sudo apt-get update
sudo apt-get install vmware-nsx-gi-file
5. Validate installation.
sudo systemctl status vsepd
Malware Detection and Prevention Installation (17/17)
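The apt setup above, as an added example (this is not VMware's code and is not taken from the NSX documentation): a small Python helper that pins the VMware packaging key to the NSX-GI source with a signed-by option instead of apt-key, so the key is not trusted for every repository on the guest. The key and repository URLs are the ones from the steps above; the key file name vmware-nsx-gi.asc, the /etc/apt/keyrings location, and the reliance on apt 1.4 or later accepting ASCII-armored .asc keys are this example's own assumptions.

```python
"""Pin the VMware NSX-GI apt repository to its own signing key.

Added example, not VMware's tooling: it replaces the `sudo apt-key add`
step. apt-key makes the key trusted for every apt source on the host;
with a `signed-by=` option apt only uses this key for this one source.
Since apt 1.4 (Ubuntu 18.04 and later) an ASCII-armored key can be
referenced directly when its file name ends in .asc, so no gpg
--dearmor step is needed. URLs are the ones from the NSX docs; the key
file name and the directory layout are this example's own choice.
"""
import os
import urllib.request

KEY_URL = ("https://packages.vmware.com/packages/nsx-gi/keys/"
           "VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub")
REPO_URL = "https://packages.vmware.com/packages/nsx-gi/latest/ubuntu/"
ARMOR_HEADER = b"-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_FOOTER = b"-----END PGP PUBLIC KEY BLOCK-----"


def is_armored_key(key_bytes: bytes) -> bool:
    """True only for a single ASCII-armored PGP public key block. A captive
    portal or an error page returned instead of the key fails this check."""
    body = key_bytes.strip()
    return body.startswith(ARMOR_HEADER) and body.endswith(ARMOR_FOOTER)


def apt_source_line(codename: str, keyring_path: str, arch: str = "amd64") -> str:
    """The deb line from the NSX docs, extended with signed-by."""
    if not codename.isalpha():
        raise ValueError("unexpected Ubuntu codename: %r" % codename)
    return "deb [arch=%s signed-by=%s] %s %s main\n" % (arch, keyring_path, REPO_URL, codename)


def write_apt_source(etc_dir: str, codename: str, key_bytes: bytes) -> dict:
    """Write the key and the sources file below etc_dir (normally /etc).
    Returns the paths written so a caller can inspect them."""
    if not is_armored_key(key_bytes):
        raise ValueError("downloaded file is not an ASCII-armored PGP public key")
    keyring_dir = os.path.join(etc_dir, "apt", "keyrings")
    sources_dir = os.path.join(etc_dir, "apt", "sources.list.d")
    os.makedirs(keyring_dir, exist_ok=True)
    os.makedirs(sources_dir, exist_ok=True)
    keyring_path = os.path.join(keyring_dir, "vmware-nsx-gi.asc")
    sources_path = os.path.join(sources_dir, "vmware.list")
    with open(keyring_path, "wb") as fh:
        fh.write(key_bytes.strip() + b"\n")
    os.chmod(keyring_path, 0o644)  # apt fetches as the _apt user and must read it
    with open(sources_path, "w") as fh:
        fh.write(apt_source_line(codename, keyring_path))
    return {"keyring": keyring_path, "sources": sources_path}


def fetch_key(url: str = KEY_URL, timeout: float = 20.0) -> bytes:
    """Download the key over HTTPS (needs network access; not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # On the guest, as root; then: apt-get update && apt-get install vmware-nsx-gi-file
    written = write_apt_source("/etc", "focal", fetch_key())
    print("wrote", written["keyring"], "and", written["sources"])
```

Run it as root on the guest, then continue with apt-get update and apt-get install vmware-nsx-gi-file as in the steps above. On Ubuntu 16.04 (apt 1.2) the armored key must first be converted with gpg --dearmor, because that apt version only reads binary keyrings in signed-by.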
63. 65
In This Session: 6 Advanced points, NSX Malware Detection and Prevention Upgrade
64. 66
NSX Malware Detection and Prevention Upgrade (1/2)
Malware components in NAPP
• Upgrade the Malware components in NAPP
• This step is done automatically during the NAPP upgrade
65. 67
NSX Malware Detection and Prevention Upgrade (2/2)
SVM VMs
• Upgrade the SVM VMs
• API call to create a new SVM catalog entry (see the svm-spec API call in the notes below)
• Change the Appliance in the Service Deployment
More details in the Admin Guide here.
66. 68
In This Session: 6 Advanced points, Supported Windows versions and VMware Tools releases
67. 69
Supported Windows versions and VMware Tools releases (1/2)
VMware Tools releases
To know which VMware Tools releases are supported on Windows for each NSX release for Malware:
• Refer to the VMware Product Interoperability Matrix for the VMware Tools versions supported with each NSX release
68. 70
Supported Windows versions and VMware Tools releases (2/2)
Windows OS
To know which Windows OS releases are supported for each VMware Tools release:
• Check the VMware Tools Release Notes for that specific release: https://docs.vmware.com/en/VMware-Tools/index.html
Linux Requirements: https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-4871C429-CFE6-41C9-86C9-7FCFE9C95EC8.html
Operating System (all 64-bit, GA):
• Red Hat Enterprise Linux (RHEL) 7.6, 7.7, 8.2
• SUSE Linux Enterprise Server (SLES) 12 SP3+, 15 SP1
• Ubuntu 16.04.5, 16.04.6, 18.04, 20.04
• CentOS 7.6, 7.7, 8.2
Software:
• File Introspection driver for Linux: available as operating-system-specific packages (OSPs) hosted on the VMware packages portal. An Enterprise or Security Administrator (not necessarily an NSX Administrator) can install the Guest Introspection thin agent on Linux guest VMs outside of NSX. Installing open-vm-tools or VMware Tools is not required on Linux.
• GLib 2.0
Example of installation for Ubuntu 16.04 (Xenial):
1. Obtain and import the VMware packaging public key:
curl -O https://packages.vmware.com/packages/nsx-gi/keys/VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
sudo apt-key add VMWARE-PACKAGING-NSX-GI-GPG-RSA-KEY.pub
2. Create a file named vmware.list under /etc/apt/sources.list.d with the following content:
deb [arch=amd64] https://packages.vmware.com/packages/nsx-gi/latest/ubuntu/ xenial main
3. Install the package:
sudo apt-get update
sudo apt-get install vmware-nsx-gi-file
4. Validate the installation:
sudo systemctl status vsepd
NSX Malware is also one of the data sources NDR uses to build its campaign information.
Sandbox timeout: the sandbox returns a file inspection result within a maximum of 2 hours (usually a couple of minutes).
Local Analysis versus Cloud Analysis:
Local analysis is used to:
• Prefilter files which are clearly benign:
 - ~95% of MS Office documents are filtered out; only ~5% are submitted to cloud analysis.
 - ~99% of PDF documents are filtered out; only ~1% are submitted to cloud analysis.
 - PE files with a valid and trusted signature are filtered out. I don't have exact numbers, but it is a minority of files (on average; of course it varies from customer to customer). Thus, the majority of executable files are submitted to the cloud for analysis.
• Quickly detect malware which can be statically detected. This is used mostly to:
 - improve customer experience by providing quick results;
 - prevent overload of the cloud infrastructure when some customers test our product with thousands of known malware files at once.
The local analysis efficiency depends on the malware family and type; thus it will vary from customer to customer and even from attack to attack. On average, I don't expect it to exceed 60%.
Question on Cloud Sandbox privacy:
VMware NSX – Privacy Datasheet: https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/docs/vmw-datasheet-nsx.pdf
"NSX Sandbox file uploads and associated metadata and logs are retained for up to 12 months and deleted 180 days after license expiration. Any files the service finds that are malicious, are kept indefinitely for research purposes."
Sandbox emulation:
• If the on-prem NSX datacenter is physically located in North America, South America or EMEA: files are analyzed using full-system emulation on Windows 7 and Windows 10, with guest OS localizations (German, French, etc.).
• If the on-prem NSX datacenter is physically located in APAC: files are analyzed using full-system emulation on Windows 10.
List of file types inspected by T1 Gateway Malware:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-0EDE5C08-F59D-45F3-8E48-0D7D038207ED.html
Note:
Gateway file interception relies on the IDS engine's file extraction.
However, IDS/IPS does not need to be enabled on the T1 Gateway to enable T1 Gateway Malware Detection.
Edge Node logs can be sent to an external syslog server with the logging-server configuration on the Edge Node (shown here over UDP; proto tcp and proto tls are also accepted, and TLS is the choice when the log path must be authenticated and encrypted):
edgenode-03a> set logging-server 192.168.110.10 proto udp level info
edgenode-03a> get logging-servers
Tue Apr 11 2023 UTC 22:24:59.697
192.168.110.10:514 proto udp level info exporter_name 960017b1-7792-461e-b473-e5072a421f97
List of file types inspected by Distributed Malware:
https://docs.vmware.com/en/VMware-NSX/4.1/administration/GUID-0EDE5C08-F59D-45F3-8E48-0D7D038207ED.html
On Windows: inspection is done on new files and on file modifications.
On Linux: inspection is done on new files only. (Note: when Firefox downloads a file, it first creates an empty file and then writes the content into it; that is why files downloaded with Firefox are not inspected on Linux.)
Note: (Sender) Server IP information is available with Gateway NSX Malware only; Distributed NSX Malware works on disk writes and so has no visibility of the server IP.
List of external sites / IPs to which access is required:
Malware Detection and Prevention requires Internet access to download the latest signatures and to send files for cloud analysis. This communication uses HTTPS:
• From: NAPP (the Kubernetes worker IP addresses), or the HTTP proxy if NAPP is configured with a proxy
• To: the NSX Cloud Service
 - nsx.lastline.com
 - nsx.west.us.lastline.com if you selected "Malware Cloud Region = United States" at installation
 - nsx.nl.emea.lastline.com if you selected "Malware Cloud Region = European Union" at installation
New files: any new file created on disk is forwarded for malware inspection. Whether updated/modified/overwritten files are also inspected depends on the guest OS (see above: Windows inspects new files and file modifications, Linux inspects new files only).
File hash TTL in the Malware File DB:
• Malicious file hash TTL is 48 hours. The hash is kept for 2 days only because:
 - most malware today is polymorphic, i.e. it changes itself every time it replicates, so keeping the hash for a long time has little value (https://sensorstechforum.com/97-of-malware-infections-are-polymorphic-researchers-say/);
 - if a file analysis was a false positive, the wrong entry stays only a short time in the customer DB.
• Benign file hash TTL is 14 days.
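The TTL policy above, as an added example that is not NSX code: a verdict cache keyed by SHA-256 with the two TTLs stated on the page (48 hours for a malicious hash, 14 days for a benign one), so a polymorphic variant or a corrected false positive is re-analysed instead of being served a stale verdict. The injected clock, the analyse callback standing in for the local and cloud stages, the retract method, and the sample file contents are this example's own.

```python
"""Verdict cache with the Malware File DB TTL policy described above.

Added example, not NSX code: a malicious hash is kept 48 hours, a benign
hash 14 days; after that the file is analysed again. The clock is injected
so expiry can be exercised without waiting; sample file contents are
constructed for the demo.
"""
import hashlib
import time
from typing import Callable, Dict, Optional, Tuple

TTL_SECONDS = {
    "MALICIOUS": 48 * 3600,        # 2 days, as stated on the page
    "BENIGN": 14 * 24 * 3600,      # 14 days, as stated on the page
}


class VerdictCache:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._db: Dict[str, Tuple[str, float]] = {}   # sha256 -> (verdict, expires_at)

    @staticmethod
    def file_hash(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def lookup(self, data: bytes) -> Optional[str]:
        """Cached verdict, or None when the file must be (re)analysed."""
        h = self.file_hash(data)
        entry = self._db.get(h)
        if entry is None:
            return None
        verdict, expires_at = entry
        if self._clock() >= expires_at:
            del self._db[h]           # expired: drop it so the next inspection is fresh
            return None
        return verdict

    def inspect(self, data: bytes, analyse: Callable[[bytes], str]) -> Tuple[str, bool]:
        """Return (verdict, from_cache). `analyse` stands in for the local and
        cloud analysis stages and must return "MALICIOUS" or "BENIGN"."""
        cached = self.lookup(data)
        if cached is not None:
            return cached, True
        verdict = analyse(data)
        if verdict not in TTL_SECONDS:
            raise ValueError("unknown verdict %r" % verdict)
        self._db[self.file_hash(data)] = (verdict, self._clock() + TTL_SECONDS[verdict])
        return verdict, False

    def retract(self, data: bytes) -> bool:
        """Drop an entry early, e.g. once a false positive is confirmed."""
        return self._db.pop(self.file_hash(data), None) is not None


def demo() -> Dict[str, object]:
    """Walk a fake clock across both TTL boundaries; returns what happened."""
    now = [1_700_000_000.0]                      # constructed start time
    cache = VerdictCache(clock=lambda: now[0])
    calls = []

    def analyse(data: bytes) -> str:             # constructed stand-in analyser
        calls.append(data)
        return "MALICIOUS" if data.startswith(b"MZ") else "BENIGN"

    evil = b"MZ\x90\x00constructed-pe-sample"
    doc = b"%PDF-1.7 constructed benign document"
    out: Dict[str, object] = {}
    out["first"] = (cache.inspect(evil, analyse), cache.inspect(doc, analyse))
    now[0] += 47 * 3600                          # still inside the 48 h malicious TTL
    out["at_47h"] = (cache.inspect(evil, analyse), cache.inspect(doc, analyse))
    now[0] += 2 * 3600                           # 49 h after first sight: malicious expired
    out["at_49h"] = (cache.inspect(evil, analyse), cache.inspect(doc, analyse))
    now[0] += 14 * 24 * 3600                     # well past the 14 day benign TTL
    out["at_15d"] = cache.inspect(doc, analyse)
    out["analyser_calls"] = len(calls)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(step, result)
```

The cache evicts lazily on lookup rather than with a background sweep, which keeps the demo small; a real store also needs a periodic purge so expired malicious hashes do not linger in memory.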
How to configure web server MIME types (e.g. for the web server that hosts the SVM OVF referenced by ovf_url below):
https://www.developershome.com/wap/wapServerSetup/tutorial.asp?page=settingUpMIME
API call to create an SVM catalog entry:
POST https://lm-paris/napp/api/v1/malware-prevention/svm-spec
{
 "ovf_url": "http://192.168.110.10/Malware/nsx-svm-appliance-3.2.1.0.0.19801960.ovf",
 "deployment_spec_name": "Malware_SVM",
 "svm_version": "3.2.1"
}
API call to delete an SVM catalog entry (deletion is possible only if the catalog entry is NOT used in any Service Deployment):
DELETE https://lm-paris/napp/api/v1/malware-prevention/svm-spec?deployment_spec_name=Malware_SVM2
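The two API calls above, as an added example that is not VMware tooling: functions that build the POST body and the DELETE URL exactly as shown, send them with HTTP basic authentication, and by default refuse a plain-HTTP ovf_url because the Manager fetches the SVM image from that URL. Assumptions of this example: the hostname repo.example.internal, that NSX Manager accepts basic authentication on the /napp/api path as it does for the Manager API, and that a CA bundle for the Manager certificate is available to the caller.

```python
"""Create and delete an SVM catalog entry (svm-spec) on the NAPP API.

Added example, not VMware's tooling. The endpoint path, body fields and
query parameter are the ones shown above; the OVF URL check, the basic-auth
call and the CA handling are this example's own. Assumption: NSX Manager
accepts HTTP basic authentication on the /napp/api path.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Optional, Tuple

API_PATH = "/napp/api/v1/malware-prevention/svm-spec"


def ovf_url_is_safe(ovf_url: str) -> bool:
    """The Manager downloads the appliance from this URL. Over plain HTTP an
    on-path attacker can swap the SVM image, so require HTTPS and a .ovf path."""
    p = urllib.parse.urlsplit(ovf_url)
    return p.scheme == "https" and bool(p.netloc) and p.path.lower().endswith(".ovf")


def build_create_request(manager: str, ovf_url: str, spec_name: str,
                         svm_version: str, allow_http: bool = False) -> Tuple[str, bytes]:
    """(url, json body) for the POST. allow_http=True is only for an isolated
    lab, like the example above that serves the OVF over plain HTTP."""
    if not allow_http and not ovf_url_is_safe(ovf_url):
        raise ValueError("refusing non-HTTPS or non-.ovf OVF URL: %s" % ovf_url)
    body = {"ovf_url": ovf_url, "deployment_spec_name": spec_name, "svm_version": svm_version}
    return "https://%s%s" % (manager, API_PATH), json.dumps(body).encode()


def build_delete_request(manager: str, spec_name: str) -> str:
    """DELETE URL; the Manager only honours it when no deployment uses the spec."""
    query = urllib.parse.urlencode({"deployment_spec_name": spec_name})
    return "https://%s%s?%s" % (manager, API_PATH, query)


def call(method: str, url: str, user: str, password: str,
         body: Optional[bytes] = None, ca_bundle: Optional[str] = None) -> Tuple[int, bytes]:
    """Send the request with basic auth, verifying the Manager certificate
    against ca_bundle (or the system store). Needs network access."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request(url, data=body, method=method, headers={
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Hostname repo.example.internal is an assumption for this example.
    url, body = build_create_request(
        "lm-paris",
        "https://repo.example.internal/Malware/nsx-svm-appliance-3.2.1.0.0.19801960.ovf",
        "Malware_SVM", "3.2.1")
    print("POST", url, body.decode())
    print("DELETE", build_delete_request("lm-paris", "Malware_SVM2"))
    # status, raw = call("POST", url, "admin", "<password>", body, ca_bundle="nsx-ca.pem")
```

Pair the create call with a verification of the OVF manifest (.mf) checksums on the web server before pointing the Manager at it; the HTTPS check here protects the transport, not the content of the image.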
How to enable SSH on the SVM:
From the SVM console in ESXi:
1. Log in as root with the password vmware; you are prompted to set a new password for root.
2. Start SSH: systemctl start ssh
3. Validate that SSH is running: systemctl status ssh
4. (Optional) Make SSH start automatically: systemctl enable ssh
How to access the SVM via SSH:
From an SSH client (like PuTTY):
• User: admin
• Private key: the one matching the public key you configured in the Malware SVM Service Deployment
Example of SSH Public Key:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCmQN7JO2gOoaVvX5o5zbLs84YZk4TWIP1bNZsrfjfLJ0kBBVcf7y+UlczyKBSHztfbIuyc7GuHAnX/8IxsaFqEiyYAUCKcM+ycF6Eb0gVxEYAiG+yRdwbNXMTBdbZz1RU8h74LuufcAF9LokngeQgQoNXVIHCOq2Gpz3XhGliBJae4PEkIZ9Rc5iLIVO3ps3yN4BF4YebDXy4TCrDo9280T8EQP34RZMpYIwBxmVhUOVY6UxeiMqpYDJdhrxS1a2iAihtgHnGwXCLQrSEAqn2No/puOFQqeugZo440Uk2Upe6puuFf8HScvvHtNcHi6w49ppzEpvzs53ggSwjAUqaV rsa-key-20220215
https://confluence.eng.vmware.com/display/NSBU/NSX-ATD%3A+High+Level+Functional+Specification
The Cloud Connector component acts as gateway between on-premises services and the NSX Advanced Threat Prevention Service. Its purpose is to centralize communication with cloud services and provide an authenticated channel between clients and the cloud.