Updated on: 04 Feb 2021

VMware AppDefense Plug-In 2.3.3 | Released 05 Jan 2021 | Build 17364904

What's in the Release Notes

What's New In AppDefense Plug-In

Release Overview

2.3.3

This release includes product bug fixes and maintenance updates. 2.3.3 release is FIPS compliant for vCenter version 7.0.2 and later.

2.3.2

This release introduces a couple of closed beta programs for key upcoming features and addresses important bugs.

Enhanced Integrity (Beta)

AppDefense announces a beta release of a key security feature - Enhanced Integrity. Enhanced Integrity will improve attack monitoring by leveraging VMware hypervisor's security features. This will be available as an option to enable along with the previously supported Guest Integrity capability. You can easily switch between the two integrity modes. This requires ESXi 7.0 or later. To participate in this beta program, please contact the VMware AppDefense support team.

Encryption (Beta)

AppDefense provides an updated beta of the Encryption feature. Encryption will provide the encryption details primarily the TLS visibility of the end-to-end connection. You can create policies to accept/reject connections based on the encryption setting. Also, you can remediate a connection deemed weaker by the encryption policy without requiring to update the application. To participate in this beta program, please contact the VMware AppDefense support team.

Password Management

AppDefense provides password management in the AppDefense Manager. You can easily get notified about the expiry time-frame and change the password using AppDefense Manager.  

Support for Red Hat Enterprise Linux 7.8, 8.0, and 8.2

AppDefense expands the Linux Guest Operating System support to include Red Hat Enterprise Linux 7.8, 8.0, 8.2. 

Exporting Vulnerability Report

AppDefense allows you to export vulnerability data from your environment in CSV format.

Discontinued Regular Upgrade

AppDefense had released Fail-Safe upgrade feature in the Plug-In 2.2.1. Going forward, Fail-Safe upgrade will be the default method to upgrade the appliance. Previously supported regular upgrade using vCenter Server Appliance Management Interface (VAMI) will be discontinued. If you are using AppDefense Plug-In 2.2.0 or earlier, you can use the regular upgrade method to upgrade to 2.2.1 or 2.3.1 and then use the Fail-Safe upgrade option to upgrade to 2.3.2.

For details on how to upgrade to 2.3.2, refer to Upgrade To 2.3.1 or Later With Fail-Safe Upgrade Compatibility.

2.3.1

This release addresses important bugs related to:

  • Vulnerability Assessment for Windows OS
  • Re-bootless Upgrades
  • Password Expiry

2.3

This release delivers a major update to AppDefense in vCenter. Notably, this release includes OS Integrity features, Behavior Analysis functionality, and an entire suite of vulnerability assessment capabilities. In particular, the vulnerability capabilities are notable because they are available in vCenter only (not SaaS) and they are built specifically for the vAdmin. 

Vulnerability Enumeration

AppDefense announces a full suite of capabilities around vulnerability assessment. AppDefense enumerates vulnerabilities on vSphere components, Operating Systems, as well as the applications running on top. As processes execute, AppDefense determines the vulnerabilities associated with that software. This feature requires outbound internet access.

Vulnerability Prioritization

In addition to enumerating the vulnerabilities in your environment, AppDefense prioritizes every vulnerability using real-time threat information collected from sensors around the world. AppDefense ingests this feed from Kenna Security, the leader in vulnerability prioritization, to determine the overall risk for your environment.

OS Integrity

AppDefense delivers OS Integrity and Module Integrity features to vCenter. On by default, these features prevent against major technique categories in the MITRE ATT&CK Framework, including persistence and defense evasion.

Behavior Analysis

AppDefense announces the ability to analyze network behavior on-premise. With assistance from the App Verification Cloud, AppDefense gathers information about the network activity of known processes and determines if the behavior is trusted. This feature requires outbound internet access but not a full SaaS subscription.

Enriched Dashboard

With this release, the AppDefense Plugin in vCenter is improved to include OS Integrity, Behavior Analysis, and Critical Vulnerabilities. These additional "front page" widgets provide the most important information about risk in your environment in a simple, easily consumable format. Use this page as a jumping-off point to visibility and risk information about specific virtual machines. 

Process Monitoring for Unclassified Machines

The VM Monitor view in vCenter now includes process information for all processes, including those without network activity. This expands the Guest Monitoring capability which previously only included those processes with network connections. 

Globalization Support

The AppDefense Plugin now supports 7 languages (Japanese, French, German, Simplified Chinese, Traditional Chinese, Spanish, Korean)

Product Lifecycle Matrix

For information about AppDefense and other VMware products that must be upgraded soon, please consult the VMware Lifecycle Product Matrix.

Also, verify the upgrade path provided under the VMware Product Interoperability Matrices.

Resolved Issues

  • AppDefense host module (glxhostuw) is stuck or behaving erratically and the log files vmkernel.* contains out of memory error.

    This issue is resolved. Please upgrade ESXi to ESXi 7.0 U1 and upgrade the AppDefense host module to 2.3.3.

  • Static DNS IP of the AppDefense Appliance reverts back to default.

    This issue is resolved. 

  • Plugin authentication fails in Linked mode.

    This issue is resolved.

Known Issues

  • Unable to upgrade the offline Appliance to 2.3.3 version.

    Upgrade the offline Appliance using the following steps:

    Note : Run the commands as sudo or root.

    1. Download the Appliance upgrade bundle. For example, appdefense-appliance-bundle-2.3.3.0-*********.zip. Here ****** is the <build-number>.
    2.  If your appliance is short of disk space, then first clean the space (cleanup_appliance.sh) before uploading the bundle onto the appliance. Offline upgrades may fail without cleanup.
      • Run the cleanup script using the bash cleanup_appliance.sh

        Or
      • Create an executable and run as ./cleanup_appliance.sh

    3. Upload the upgrade bundle to /opt/vmware/appdefense/etc/upload/
    4. Go to the /opt/vmware/appdefense/etc/upload/ directory.
    5. To change the permissions, execute the following two commands:
      • chown root:appdefense appdefense-appliance-bundle-2.3.3.0-*********.zip
      • chmod 770 appdefense-appliance-bundle-2.3.3.0-*********.zip
    1. Execute the following command to call an API to process the bundle. 

    curl -X POST http://localhost:3050/api/v1/bundle/process \
     -H "Content-Type: application/json" \
     -H "Authorization: Bearer `curl --fail http://localhost:3010/api/v1/service-token/end-to-end`" \
     -d '{"files" : {"appdefense-appliance-bundle-2.3.3.0-*********.zip": "/opt/vmware/appdefense/etc/upload"}}'

    Note: The token is only valid for a minute.

    1. Wait for a minute or two. Log in to the AppDefense Appliance and go to the Upgrade tab. The New Upgrade Available section becomes available with the Upgrade Now option.
    2. Click the Upgrade Now button. Wait until the session gets logged out.
    3. Log in to the appliance again and verify if the appliance upgrade is successful. Go to the Registration tab and see the plugin version.
    4. If the version has not changed to 2.3.3 , re-register only the vCenter Server again. This will automatically change the plugin version to the latest.
  • Initiated from the vCenter Plugin, upgrade fails from 2.3 to 2.3.1 or 2.3.2 when using AppDefense Appliance as the default upgrade source.

    When the AppDefense Appliance is used as the Download Source for upgrading in-guest bits from 2.3 to 2.3.1 or 2.3.2, the upgrade fails. Note: the Appliance is the default download configuration. VMware Tools 11.0.5 and 11.0.6 includes AppDefense 2.3. If the Virtual Machine has VMware Tools 11.0.5 or 11.0.6, the AppDefense install will deploy AppDefense 2.3.  

    Two Options: 

    1) If you would like to still use the vCenter Plugin to upgrade your VMs from 2.3 to 2.3.1 or 2.3.2, the guest VMs need to have access to the internet. Then, you just need to change the download source (on the Appliance UI) so that the new guest module is downloaded directly from the cloud, as opposed to the Appliance. Once you have changed the upgrade source, you can upgrade your module like normal (from the Plugin or from the SaaS console).
    2) If you don't want to use the vCenter Plugin or if the guest VMs don't have access to the internet, you can upgrade the guest module manually with the published MSI. Contact customer success if you would like help in this regard. 

    Steps for option1: If guest VM's have internet connectivity.
      I) Trigger upgrade using cloud:
         1. Login to Appliance UI.
         2. In the Dashboard section select ApplianceUpgrade.
         3. Click the edit option, and select from cloud under VM Upgrade Source.
         4. Save configuration and trigger the upgrade.
      II) For SaaS enabled customers, follow steps: https://docs.vmware.com/en/VMware-AppDefense/services/install-appdefense/GUID-38E257E5-A4E0-4457-BAA7-3EC1D193B9A8.html

    Steps for Option 2: If guest VM's do not have internet connectivity.
      I) Download and manually install using these steps: https://docs.vmware.com/en/VMware-AppDefense/2.3/install-appdefense-plugin/GUID-6044B3B8-3DA2-4649-A055-57D637BAA5A1.html.
         -OR-
      II) Download and manually install using appliance hosted MSI.
         1. On the guest VM, open a browser.
         2. Go to the URL: https://{appliance_ip}/download/guest/2.3.1.0/windows/AppDefense-x64-2.3.1.0-15594155.msi.
         3. URL might fail to open with "connection not private" or similar error message, select proceed/continue with download option.
         4. Run/execute the MSI manually to install.

  • Log In to AppDefense Appliance With Certificate does not work.

    You may not be able to log in to AppDefense Appliance with certificate.

    This issue will be fixed in next release.

  • Upgrading VMware Tools from earlier versions than 10.3.2 to 11.x will require a reboot. If not rebooted after upgrade to 11.x, AppDefense installation will fail.

    When the VMware Tools from earlier versions than 10.3.2  on a Guest virtual machine is upgraded to 11.x, reboot of the Guest virtual machine is required. If you try to install AppDefense without reboot, it will fail. This behavior is not observed if the VMware Tools version on the Guest virtual machine was 10.3.2 or above prior to an upgrade to 11.x

    Reboot the Guest virtual machine after upgrading the VMware Tools from earlier versions than 10.3.2 to 11.x. After reboot, you can successfully install AppDefense.

  • Two AppDefense plugin menu entries in the vCenter console after upgrading AppDefense for certain configurations

    When the AppDefense plugin versions 2.3.0.0 or earlier is upgraded to the higher version, this can result in two AppDefense plugin menu entries in the vCenter Server console. This will happen only with the vCenter Server versions 7.0 or earlier.

    Prior to upgrading the AppDefense plugin, unregister the plugin from vCenter Server. After the upgrade, register the plugin with the vCenter Server. If you accidentally upgrade without unregistering the plugin, you will see two AppDefense plugin menus. This can be resolved by simply restarting the VMware vSphere Client service from the vCenter Appliance. 

  • After upgrading AppDefense to 2.3.2.0, you see an error "ERROR: Unable to connect Appliance" on the vSphere console.

    To resolve this issue, first, unregister the plugin, then restart VMware vSphere Client service from the vCenter Appliance, and then register the plugin with vCenter Server again from the Appliance UI. 

    After reregistration, if you see errors on the host module as Unsupported or Not installed, you must perform Config Sync for that host from AppDefense Manager as follows.

    • Log in to AppDefense Manager
    • Click Inventory, and then click the Hosts tab.
    • Click the required host, and then click Config Sync. This action sync up the hosts with the new appliance configuration. After the sync is complete, the status of the host becomes Active.
  • Software module is not behaving as expected after AppDefense installation.

    After AppDefense is installed, some software modules/agents may fail to perform optimally.

    AppDefense need to be configured to skip monitoring of the software module load and unload events. This can be achieved by adding the software module to the AppDefense skiplist at an organization level. Please contact VMware support team for updating the skiplist with the software module. Note that a reboot is needed after the skiplist is updated.

check-circle-line exclamation-circle-line close-line
Scroll to top icon