You can delete the behaviors that are not seen for the last few months. The behaviors are timestamped and AppDefense displays when a behavior was last executed within a service. You can retire old behaviors that an application no longer needs; reducing the attack surface. The last seen parameter is exposed at the service card-level, and at the individual behavior-level.

Prerequisites

  • The behavior time stamp feature is enabled by default. To disable the feature, contact the VMware support team at https://www.vmware.com/support/contacts.html.
  • AppDefense Appliance, AppDefense Guest Module, and AppDefense Host Module must have version 2.3.0.0 or later.

Procedure

  1. Log in to the AppDefense Manager.
  2. From the left navigation pane, filter and click the required scope.
  3. Click the Services tab.
  4. Search and click the required service.
    In the right panel, make sure that you are in the Behaviors tab.
  5. Filter behaviors based on the time frame. For example, you can filter behaviors seen before last six months.
  6. To verify the behavior, click the behavior card.
    You can view the behavior details.
    The behavior time stamp verifies behaviors at a process level and connection level. The time stamp at the MD5 level is the time when the executable ran, whereas time at the connection level is the time at which particular connection was made by the executable. The Last seen time stamp on the behavior card is the latest of both the timestamps; process level and connection level. You can view the behavior count as well. If your behaviors are aggregated under a common abstraction (for example, CIDR range from multiple IPs), AppDefense provides the abstraction count, which starts at zero when it is created.

  7. If you decide to retire the behavior, click Delete.
    A confirmation dialog box appears.
  8. Click Delete.