You must install the AppDefense Guest Module on the virtual machines (VMs) where your application workloads are running. VMware Tools must be installed on the guest VM. Starting with the AppDefense 2.3.2 release, you can install the AppDefense Guest Module without rebooting the virtual machine.

With the VMware Tools 11.0.0 or later installer, the AppDefense driver is divided into two parts: the glxgi.sys driver, which ensures Guest Integrity, and the giappdef.sys driver, which provides guest monitoring for process and network events. Guest Integrity protects against threat vectors that can manipulate OS system-level objects.
Note: A power reset of the virtual machine is not required when applying updates to the virtual machine.
  • AppDefense installs or upgrades VMware Tools to the latest available version, and installs the AppDefense guest integrity module on the virtual machine.
  • If the VM hardware version is earlier than 13, AppDefense upgrades the VM hardware version to the latest available version. If you do not want AppDefense to upgrade the VM version automatically, you must upgrade the VM version manually to version 13 or later. Follow the Knowledge Base Article for upgrading a VM to the latest hardware version.
  • The AppDefense Guest Module is bundled with the latest VMware Tools. If you do not have the latest VMware Tools version installed on the VM, you must upgrade VMware Tools to the latest version.

Prerequisites

  • You have installed and registered AppDefense Appliance.
  • You have installed the AppDefense Host Module.
  • Verify the Windows operating system and VMware Tools version installed on the VM where you want to install the AppDefense Guest Module. For details, see System Requirements For AppDefense.

Procedure

  1. Go to the VM where you want to install the AppDefense Guest Module.
  2. On the Summary tab, scroll down to the AppDefense panel. If necessary, expand the panel.
    Alternatively, use the Configure > AppDefense > Security tab.
  3. Click Install AppDefense.
    A confirmation box appears.

    Note: For AppDefense version 2.3.1, you must also select Power Reset of the virtual machine. Power reset enables Guest Integrity.
  4. Click the privacy notice check box, and click Confirm.
    The installer performs the following tasks in the background:
    • Upgrades the VM hardware version to 13 or the latest version supported by ESXi.
    • Upgrades the VMware Tools to the latest available version.
    • Installs AppDefense Guest Module from the latest VMware Tools.

    A new task for the guest module install appears in the Recent Tasks pane. After the task is complete, the AppDefense Guest Module is installed. You can verify the installed guest module driver versions: go to VM > Summary > AppDefense widget and point to the version number.

    After installation, the giappdef.sys driver and the gisvc service (which helps with In-Memory Process Forensics (IMPF), automatic upgrades, collecting process metadata, and so on) start running, even without a reboot.
  5. To enable the Guest Integrity feature, click the Manage Guest Integrity link. A confirmation dialog box appears.

  6. Click Guest integrity, and then click Reboot VM.
    After the virtual machine reboots, Guest Integrity is enabled by setting the flag in the vmx file of the VM. For the enhanced integrity feature, refer to Enhanced Integrity - Beta Feature.

    The AppDefense Guest Module gets installed.


Results

Go to VM > Summary > AppDefense widget. To verify the installed version of the guest drivers, point to the version number.
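
To cross-check the widget from inside the Windows guest, the following PowerShell script is an added example, not part of the original procedure and not VMware's own tooling. It assumes that gisvc is the Windows service name and that glxgi.sys and giappdef.sys are registered as driver services whose image path ends in those file names.

```powershell
# Added example: report the state of the guest-side AppDefense components
# named on this page. Run inside the Windows guest, in an elevated session.
# Assumptions: "gisvc" is the Windows service name; the two drivers are
# registered as driver services whose image path ends in the .sys file name.

$driverFiles = 'giappdef.sys', 'glxgi.sys'

# Win32_SystemDriver lists kernel driver services with image path and state.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver

$report = foreach ($file in $driverFiles) {
    # Match on the image path so no driver service name has to be guessed.
    $d = $drivers | Where-Object { $_.PathName -like "*\$file" } |
         Select-Object -First 1
    [pscustomobject]@{
        Component = $file
        Installed = [bool]$d
        State     = if ($d) { $d.State } else { 'NotFound' }
        StartMode = if ($d) { $d.StartMode } else { $null }
    }
}

# Win32_Service exposes the same State/StartMode fields for the user-mode service.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='gisvc'"
$report = @($report) + [pscustomobject]@{
    Component = 'gisvc'
    Installed = [bool]$svc
    State     = if ($svc) { $svc.State } else { 'NotFound' }
    StartMode = if ($svc) { $svc.StartMode } else { $null }
}

$report | Format-Table -AutoSize

# Per the procedure, giappdef.sys and gisvc start running without a reboot.
# Guest Integrity is enabled only after the reboot in step 6, so glxgi.sys
# is reported above but not treated as a failure here.
$notRunning = $report | Where-Object {
    $_.Component -ne 'glxgi.sys' -and $_.State -ne 'Running'
}
if ($notRunning) {
    Write-Warning ("Not running: " + ($notRunning.Component -join ', '))
} else {
    Write-Output 'giappdef.sys and gisvc are running.'
}
```

A warning here while the widget shows the module as installed is a reason to review the install task in the Recent Tasks pane.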

What to do next

After installing the AppDefense Host Module on the ESXi host and the AppDefense Guest Module on the VMs where your application workloads are running, you can start using the AppDefense plug-in in the vSphere Client to monitor processes that are running on your workloads.

The AppDefense Dashboard in the vSphere Client shows a summary of the hosts and VMs where AppDefense is installed. The dashboard displays overall processes based on the security risk detected by AppDefense. The AppDefense engine monitors data and displays the process reputation.

If you have connectivity with AppDefense Service (SaaS), upgrade all Guest VMs in a service to the same version at the same time.