Updated on: 29 Oct 2019
VMware AppDefense | Oct 2019
Added known issue related to alert.
What's in the Release Notes
AppDefense announces a significant feature release with version 2.3.0. Most notably, we have expanded the capabilities of the AppDefense Plugin in vCenter to include vulnerability assessment, OS integrity, and behavior analysis with Machine Learning. That’s right, we’re bringing Machine Learning models on premises.
On the SaaS side, we release a slew of features that have been top customer asks, including severity-based process kill (using the cloud to make prevention decisions), our first RBAC capabilities, and rebootless install/upgrade so that you can start protecting your VMs without rebooting them.
Full list of new features:
AppDefense adds the ability to retroactively kill processes that the App Verification Cloud determines are untrusted. Instead of blocking everything immediately, “process kill” enables customers to operate in a semi-restrictive state—preventing only suspected bad behavior while allowing everything else to run. Select “kill process” from the dropdown list in the service rules.
With the “behavior timestamps” feature, AppDefense now reports on when a behavior was last executed within a service. This allows customers to clean up old behaviors that an app no longer needs, as well as determine an app’s most recent executions. The “last seen” field is exposed in the AppDefense Manager at the service card-level, as well as at the individual behavior-level.
Alert Classification Enhancements
AppDefense now lowers the severity of an alert based on its overall similarity to the existing allowed behaviors for that service. This improvement allows the service behaviors to be more flexible and means less work for the operator.
AppDefense now also defines a list of known processes that warrant further investigation. Deviations from processes in this list result in higher severity alerts.
SaaS User Roles
AppDefense now defines two user roles for the operation of the SaaS Manager—“Admin” and “Analyst.” Admins have full privileges, including user configuration and remediation settings (block, suspend, kill, etc.). Analyst is the default user role and cannot change remediation settings. For a complete breakdown of responsibilities, consult the user guide.
Rebootless Install and Upgrade
The AppDefense guest module can now be upgraded without requiring a reboot. This is a major improvement in usability and operationalization for the solution. This feature is available if your guest module is 2.2.1 or higher.
Domain Name Support for Allowed Behaviors
AppDefense can now create allowed behaviors based on DNS records, as opposed to IP addresses. This is a major improvement in determining robust manifests for a service, resulting in fewer behaviors to monitor and fewer deviations from the manifest.
All remediation actions, except for block, now only get triggered by critical alerts. All other events (serious, minor, and info) will simply alert. This enhancement should increase comfort with deploying remediation actions, as only the most critical deviations will generate an action on the guest.
Support for NSX-T
AppDefense now supports integration with NSX-T for quarantine remediation. AppDefense will continue to support the existing NSX-V integration.
AppDefense adds SOCKS4 and SOCKS5 Proxy support for the AppDefense Appliance, in addition to the existing HTTP Proxy support.
Health Monitoring for AppDefense Components
If a host or guest module becomes unreachable, AppDefense proactively collects host and guest logs for immediate troubleshooting. This setting is available in the Appliance UI.
AppDefense announces a number of usability improvements to make appliance upgrades simpler and more seamless. One such feature is the ability to automatically roll the appliance back to a stable state in case of failure. Automatic reversion increases comfort with turning on “auto upgrade.” This feature is available in appliance versions 2.2.1 and onward when you partition an additional 60GB of disk space for the automated snapshot.
Increased Scale Targets
Appliance scale targets are increased again to 250 Hosts and 3000 VMs (per vCenter).
With this release, AppDefense curates a list of process CLIs that have higher wildcarded thresholds. This feature gives users greater control over key software in their environment.
This release of AppDefense improves user experience by adding more intelligence into the product’s ability to clearly delineate between known and malicious behaviors. The number of events is reduced through better detection of process upgrades and existing connections. Additionally, by enabling process execution monitoring to be turned on by default, AppDefense provides more comprehensive behavior detection and blocking within the environment.
Improved Upgrade Detection
AppDefense has expanded the ways in which it detects when a process has been upgraded. Improving the recognition and verification of upgrades reduces the number of false positive alerts related to new process execution in the environment. The new binary is automatically added to the allowed behavior list, thereby reducing any manual overhead of verifying the upgraded process.
Enhanced Verification of Connections
AppDefense has added capabilities to recognize inbound and outbound connections which were instantiated before the AppDefense Guest Module had been enabled. In this way, AppDefense is able to validate not only new connections, but also existing connections on the system.
Process Execution Monitoring
The ability to monitor and control execution of process binaries is now enabled by default. This further enhances the ability of AppDefense to verify application intended state.
Support Wildcard in Process Path
AppDefense has introduced support for the wildcard character in the process path for all behaviors in the environment. In many instances, the same process is executed from different paths (such as 32-bit and 64-bit process instances on Windows). Services and behaviors no longer need to account for all such paths with the option to now use the wildcard character to account for this variability.
Support for Appliance Rename and Delete
Users now have the ability to rename the Appliance through the AppDefense Manager. In the case of a testing environment, users can also delete the Appliance and have the updated status appear in the AppDefense Manager.
Change Terminology from “Alarm” to “Alert”
In order to maintain consistency with terminology used in the industry, AppDefense has changed all references of “Alarm” to “Alert” in UI and documentation. This makes for clearer communication within organizations and with the AppDefense team.
This release addresses the following bug fixes and enhancements:
- A bug in the code path that clears data older than 60 days could lead to a crash.
- A bug in the user token cleanup could result in an accumulation of user tokens and a potential crash.
- Added support for an HTTP proxy setting on the AppDefense Appliance for establishing the connection to the AppDefense SaaS Service.
This release of AppDefense has resolved an issue in the upgrade process. When a user begins an upgrade, the upgrade process adapts to the supported vCenter Server version. For vCenter Server versions lower than 6.7, the upgrade process does not proceed with plugin installation, which avoids entering an indefinite loop. Also, the Auto-Upgrade feature in the AppDefense Appliance is now disabled by default, so the upgrade process is not started automatically.
Note: SUSE Linux Enterprise Server (SLES) 11 Service Pack 4 (SP4) is no longer supported by AppDefense, as General Support for SLES 11 ends in March 2019.
Application Topology Visualization (Beta)
AppDefense announces the new application topology visualization capability in this release. Topology Visualization enables viewing and interacting with a large amount of complex application behavior data easily in a graphical interface. With this feature, users are provided with a graphical visualization illustrating application behavior, showing the relationships of the services within the application and also the relationships of the connected components (VMs, private addresses, public addresses, etc.) to each other. Remote nodes and connectivity information are also displayed in a way that enables users to focus on the application servers that might have the biggest impact on security operations. Top Use Cases:
- Discover how services interact with each other (inter-connectivity within your scope)
- Discover which services talk to the internet (outbound internet connectivity from each service)
- Discover any listening ports on each service and which processes opened them
This release of the AppDefense service provides allowed behavior and alert management enhancements. With this release, AppDefense introduces a completely new Scope Dashboard which summarizes application events with easy-to-understand, real-time data visuals. Last but not least, we made security operations and behavior management significantly easier by automatically adjusting allowed behaviors. These new capabilities further ease security operation and allow users to make informed decisions based on real-time results and data points.
Scope Level Dashboard
With this release, AppDefense has introduced the newly designed scope level dashboard, providing a real-time snapshot of your application scopes. The visual information allows users to see the protection status of their applications, understand quickly if there are any behaviors that need addressing, and also provides an overview of the security validation checks that AppDefense has performed. It simplifies application-specific summaries into the following four sections:
- Process burndown chart: The process summary information in a graphical representation.
- Process reputation: Summary of the process reputation information from various sources.
- Behavior risk analysis: Behavior risk analysis summary based on machine learning.
- Integrity check status: Integrity status summary showing the overall health of the Organization.
Adaptive Allowed Behavior
AppDefense has added the ability to adjust allowed behavior automatically by adapting to security events that have been classified as normal by the AppDefense Verification Engine. This ability to automatically de-classify alerts and dynamically adjust the allowed behavior tremendously reduces ongoing operational tasks and improves operational efficiency.
AppDefense adds the Monitoring Event support to distinguish observed deviation from malicious behaviors which are categorized as critical alerts. Monitoring Events will be classified by AppDefense Verification Engine into three severities: Serious, Minor, and Info. Separating Monitoring Events further increases operational efficiency by allowing customers to focus on the alerts that matter the most.
Usage Counters Improvement
This release also improves usability by adding the following usage counters:
- Allowed Behavior count for each service
- Connection Count for each process
With these usage counters, users can easily evaluate the health of the application and have a glance at how many allowed behaviors and connections are protected and monitored by AppDefense.
This release coincides with the release of vSphere Platinum, a new vSphere SKU with built-in security capabilities delivered by AppDefense. With this release, AppDefense introduces a completely new way to access the AppDefense product via a new vCenter Plugin. Available with the Platinum SKU, this plugin provides immediate visibility and one-click lifecycle management, directly from vCenter. This release also improves usability, performance, and product compliance. These new capabilities further reduce false positives and make AppDefense applicable to new markets and additional use cases.
AppDefense vCenter Server Plugin
This release announces the availability of AppDefense as an integrated component of vCenter Server. The integration delivers several new features for the core vSphere user, including:
- A new plugin dashboard that provides aggregated security metrics, visibility, and health statistics for applications and workloads running on vSphere.
- Integrated lifecycle management that provides one-click, integrated installation and upgrade workflows for AppDefense directly within vCenter. For more information, see the AppDefense Plugin Guide.
- A new virtual machine monitor tab that provides VM-specific behavior monitoring for visibility, security assessment, and troubleshooting directly within vCenter. For more information, see the AppDefense Plugin Guide.
- Three "Connectivity Modes" that enable offline, online, and full SaaS configurations for the Plugin.
You can view AppDefense plugin release notes at: https://docs.vmware.com/en/VMware-AppDefense/2.0/rn/appdefense-plugin-release-notes.html.
New AppDefense Appliance
With this release, AppDefense delivers a completely redesigned virtual appliance, increasing usability, scale, and performance numbers across the board. In addition, the new appliance provides three connectivity modes that support on-premise operating models for a subset of features. For more information see “Connectivity Modes” in the AppDefense Install Guide.
We are here to help you. With this release, customers now have 24/5 access to the AppDefense support team via an in-app chat service. Clicking on the chat icon in the AppDefense manager gives you personalized and immediate access to our support specialists. Customers can open severity 1 cases for weekend support.
New SaaS Hosting Locations (Frankfurt and Sydney)
AppDefense adds two additional hosting locations for its SaaS service in Frankfurt, Germany (AWS eu-central-1) and Sydney, Australia (AWS ap-southeast-2). Now, customers have two additional options when choosing where they want to access and store their data for GDPR and/or performance reasons.
AppDefense adds an integration with Ansible to automatically assign VMs to scopes and services at deployment time. This integration creates the following mappings (Ansible -> AppDefense): Inventory -> Scope, Group -> Service, and Host -> Virtual Machine. By automating service and scope assignments, the Ansible integration, like the Puppet and vRealize Automation integrations, reduces operational overhead and promotes cyber hygiene on your workloads.
Expanded Coverage for Behavior Verification
AppDefense announces expanded coverage for its Machine Learning-based behavior verification engine. This expanded coverage enhances AppDefense's ability to pre-verify network behavior as trusted in Discovery mode and also to flag anomalous behaviors in Protected mode. More pre-verification and analysis in the AppDefense ML engine maximizes the effectiveness of the security admin responding to alerts.
For information about AppDefense and other VMware products that must be upgraded soon, please consult the VMware Lifecycle Product Matrix.
This release of the AppDefense service focuses on improving ease of operation as well as addressing net-new security use cases with the GA of partner native container support. With this release, AppDefense improves the alarm remediation workflow by automatically de-classifying benign alarms. We also improved allowed behavior creation by introducing global services that better reflect the true network patterns of an application. Finally, the Aqua Security integration extends the AppDefense vision to container workloads. These improvements and others expand the addressable customer use cases and make it easier for our customers to operationalize AppDefense at scale.
VMware Tools Embedded Release for Windows
The AppDefense Guest Module for Windows is now packaged with the 10.3.0 VMware Tools release. For customers that are already deploying VMware Tools on their VMs, AppDefense features can be delivered without any additional agents. This integration with the VMware ecosystem reduces the operational burden of security on IT.
Partner Native Container Support
AppDefense adds container workloads as a supported use case with the GA of its partner native container support integration with Aqua Security. Working in combination with the Aqua Security manager, AppDefense customers can now have visibility into the inventory, behavior, and security profile of container workloads in their environment, side-by-side with their VMs.
AppDefense has added the ability to leverage anonymized process data from other organizations in order to de-classify alarms. In practice, this means if a particular process is marked as anomalous for one organization, but is well-known within the ecosystem, AppDefense uses that information to lower the criticality of that alarm. This feature utilizes the unique qualities of the SaaS offering to significantly increase efficacy for organizations utilizing the service.
AppDefense has added severity levels for all security alarms, increasing operational efficiency by allowing customers to focus on the alarms that matter most. Alarms are classified in four severities: Critical, Serious, Minor, and Info. AppDefense automatically classifies alarms into different severities based on a number of factors, including third-party reputation, behavior analysis via machine learning (ML), and prevalence across the global population. Automatically classifying alerts reduces the operational burden on security teams.
AppDefense has added the ability to detect when an application’s software has been upgraded, automatically adding and logging the new binary to allowed behavior. By automatically analyzing and verifying the new binary, AppDefense reduces the operational burden of keeping your allowed behavior up-to-date when upgrades occur.
Behavior Analysis in Protected Mode
AppDefense adds the ability to analyze behaviors with its machine learning (ML) algorithms at any point in the application lifecycle. This increased capability, backed by a significant infrastructure investment, greatly increases the runtime protections for an organization’s applications.
AppDefense adds the ability to logically group IP addresses as an allowed group. For example, there are a number of “Windows update” IPs that are learned by a variety of applications in Discovery Mode. Sharing the aggregate list of those IPs as an allowed behavior reduces false positives and increases visibility.
AppDefense adds the ability to whitelist or blacklist processes across the entire organization. Processes in the blacklist will never be added to allowed behaviors. Alarms for processes added to the whitelist will be de-classified.
New SaaS Hosting Location (London)
AppDefense adds an additional hosting location for its SaaS service in London, UK (AWS eu-west-2). Now, customers can choose where they want to access and store their data for GDPR and/or performance reasons.
This release of the AppDefense service expands the platform support to various Linux distributions and versions. AppDefense protection can now be applied to the following Linux OS distributions.
| Distribution | Versions |
| --- | --- |
| CentOS | 7.1, 7.2, 7.3, 7.4 |
| RHEL | 7.0, 7.3, 7.4 |
Some of the key features available for Linux include:
- Network Behavior Monitoring for both outbound and inbound connections
- Intelligent network behavior abstraction support for false alarm reduction and adaptable security enforcement
- Process Execution Monitoring
- Automated and non-disruptive upgrade of the guest modules
Note: In general, feature parity is maintained across Windows and Linux platforms. Please note that operating system (OS) kernel integrity protection and guest agent integrity are not supported for Linux at this point.
This release of the AppDefense service provides exciting new features to improve the learning/discovery process, security profile, and alert management. With this release, AppDefense has added significant protection with native application control and whitelisting, which can control behavior on the machine even if it does not touch the network. We also made security management significantly easier through more flexible allowed behavior definition and alert grouping. These improvements make our customers' management of a least privilege security architecture easier and more scalable.
Expanded Platform Support: Windows 2008 R2 Support
AppDefense now supports Windows 2008 R2 VMs, including OS kernel integrity.
Enrichment of application intended state with the inclusion of process execution monitoring
AppDefense has added the ability to monitor and control the execution of process binaries (traditional Application Control/Whitelisting). The process violations can take the same remediations available to other AppDefense rules (block, alert, etc.).
Intelligent network behavior abstraction support for false alarm reduction
AppDefense now allows for the abstraction of network behaviors in the application manifest. Previously all outbound behavior was defined either by an AppDefense service or a specific IP address or port. With abstractions, behavior can be grouped into IP addresses or ports. The automatic creation of groups/ranges takes the type of object class into account. For example, while ephemeral ports and private addresses are grouped to optimize for reduction in false alarms, well known ports and public IP addresses are not grouped for greater security. This allows intended state definition to achieve the twin goals of better security and reduced false positives.
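The grouping rule described above, as an added illustration that is not AppDefense code: observed connections are collapsed into manifest entries so that ephemeral ports and private addresses are grouped while well-known or registered ports and public addresses stay explicit, and a later connection is then checked against that manifest. The ephemeral-port threshold (IANA dynamic range) and the /24 grouping granularity for private addresses are assumptions made for this example.

```python
"""Illustration of network-behavior abstraction for an allowed-behavior manifest.

Constructed example, not AppDefense code. Ephemeral ports and private
addresses are grouped; well-known/registered ports and public addresses are
kept explicit so that the manifest stays tight where it matters most.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: ports in the IANA dynamic range (49152-65535) are ephemeral.
EPHEMERAL_START = 49152
# Assumption: private addresses are grouped at /24 granularity.
PRIVATE_PREFIX_LEN = 24


@dataclass(frozen=True)
class Behavior:
    """One abstracted allowed-behavior entry in a service manifest."""
    process: str
    remote: str  # explicit IP for public hosts, CIDR prefix for private ones
    port: str    # explicit port number, or "ephemeral" for grouped dynamic ports


def abstract_port(port: int) -> str:
    """Collapse dynamic ports; keep well-known and registered ports explicit."""
    return "ephemeral" if port >= EPHEMERAL_START else str(port)


def abstract_address(ip: str) -> str:
    """Group private addresses into a prefix; keep public addresses explicit."""
    addr = ipaddress.ip_address(ip)
    if addr.is_private:
        net = ipaddress.ip_network(f"{ip}/{PRIVATE_PREFIX_LEN}", strict=False)
        return str(net)
    return ip


def abstract_behaviors(observed):
    """Turn observed (process, remote_ip, remote_port) tuples into a manifest."""
    manifest = set()
    for process, ip, port in observed:
        manifest.add(Behavior(process, abstract_address(ip), abstract_port(port)))
    return manifest


def is_allowed(manifest, process: str, ip: str, port: int) -> bool:
    """Check whether a new connection is covered by the abstracted manifest."""
    addr = ipaddress.ip_address(ip)
    port_key = abstract_port(port)
    for entry in manifest:
        if entry.process != process or entry.port != port_key:
            continue
        if "/" in entry.remote:
            if addr in ipaddress.ip_network(entry.remote):
                return True
        elif entry.remote == ip:
            return True
    return False


# Constructed sample of connections seen during Discovery mode.
OBSERVED = [
    ("svchost.exe", "10.0.1.5", 50001),
    ("svchost.exe", "10.0.1.9", 50312),
    ("svchost.exe", "1.2.3.4", 443),
    ("sqlservr.exe", "10.0.2.7", 1433),
]


if __name__ == "__main__":
    manifest = abstract_behaviors(OBSERVED)
    for entry in sorted(manifest, key=lambda b: (b.process, b.remote, b.port)):
        print(entry)
    # Grouped private range and ephemeral port: covered without a new entry.
    print(is_allowed(manifest, "svchost.exe", "10.0.1.77", 51000))  # True
    # Neighbouring public address: not grouped, so this is a deviation.
    print(is_allowed(manifest, "svchost.exe", "1.2.3.5", 443))      # False
    # Registered port kept explicit: a different port is a deviation.
    print(is_allowed(manifest, "sqlservr.exe", "10.0.2.7", 1434))   # False
```

Four observed connections collapse to three manifest entries, and the checks show where the abstraction relaxes the manifest (private /24, ephemeral ports) and where it deliberately does not (public address, registered port).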
Alert grouping for alert reduction and easy analysis of alerts
AppDefense provides the capability to group alerts into their high-level violation, and then collect all events related to that violation into one entry. For example, if a new process shows up on a machine and starts creating many different network connections, the events are grouped into a “New Process New Behavior” alert, and then the events related to that alert are captured in the details. This allows customers to avoid alert noise, reduce the clutter of what they need to analyze, and make security alerts more manageable.
Machine Learning-based behavior verification
AppDefense now includes behavioral verification for all network behaviors seen by common Windows processes. The ML algorithm informs you during discovery mode when it sees behavior that is anomalous for that process based on the VMware population. This feature simplifies the verification of intended state for the customer.
Verification of behavior is now done using SHA-256 hashes instead of MD5.
Process card view and filters for simplified review of allowed behaviors
The Allowed Behavior view for a scope is now provided through process cards, which makes for easier grouping and visualization of the manifest. In addition, the filters provide efficient faceted search of allowed behaviors.
Puppet integration enhancements for easy scope and service creation
The Puppet plugin can now be used with Puppet Enterprise and does not require the use of Puppet Orchestrator. Services that are managed with Puppet also ingest and show package data associated with that Service.
Lower operational overhead with centralized management of guest and host modules
Updates for both the host and guest modules can now be remotely managed from the AppDefense console. Updates can be triggered from the console or set to auto-update. Auto-update provides options to update these modules as soon as they are available or to schedule them according to your maintenance window.
- Application Topology Visualization Beta: Global Services data displayed incorrectly
In the Topology Visualization, when viewed by process, Global Services data are displayed incorrectly. If your scope includes connections to Global Services, the process-specific view shows incorrect data. This bug also impacts the "UDP" tab, which shows a clone of the TCP data instead of UDP data.
- Application Topology Visualization Beta: Inbound UDP connections show incorrect wildcarded ports
When selecting inbound connections on the Topology Visualization, some * ports appear in addition to the actual UDP ports for certain processes. This has been fixed in the TCP tab, which displays only specific ports, but the UDP tab still displays * ports.
- Process count shows different values
The number of processes in the Service Reputation by Process widget on the Scope Dashboard sometimes has a different value than what is shown in the Services menu. This occurs because the dashboard view takes the number of CLIs into account. A consistent implementation of process count will be available in a future release.
- Integrity Checks in Dashboard are showing disabled rules
Due to false positives that we were seeing with a select few integrity checks (Module Reconciliation, Third Party Driver Data, and Signature Verification), we have temporarily disabled these checks. The Dashboard UI widget now reflects these changes.
These false positives were being generated in some organizations by non-malicious processes modifying underlying kernel data (something you might want to know, but likely can't change easily) and/or organizations running unsigned modules. If you wish to re-enable these checks, please send us a note in the in-app chat service and we can easily turn them on.
The dashboard accurately reports the enabled/disabled rules as of the Jun 4th AppDefense Manager update.
- Open VM Tools version on Ubuntu 16.04 and SLES 12
open-vm-tools version 10.2.* on Ubuntu 16.04 and SLES 12 causes the guest to become unreachable. The problem is not observed on CentOS distributions.
Workaround: We recommend updating the open-vm-tools version on Ubuntu and SLES VMs to 10.3.*.
- Host Module does not get installed on ESXi with versions less than 6.5 U1
The AppDefense Host Module does not get installed on ESXi versions lower than 6.5 U1 because VIB downloads over HTTPS are not supported. In vCenter tasks, the status is shown as completed, but the VIB does not actually get installed.
Workaround:
- Download the VIB from http://downloads.vmwaredrx.com/.
- Install the VIB using esxcli.
- In SaaS mode: Click update configuration from host inventory page from the AppDefense Manager.
- In Online and Offline mode: Click install AppDefense from the Plugin UI after install of VIB.
- Editing the application context fields during blueprint deployment may not create the expected service name
When application context fields are edited during blueprint deployment, the service name created in the cloud manager may differ from the one entered.
Workaround: Enter the values for application context at the design phase of the blueprint to avoid this issue.
- Cannot modify network settings of AppDefense Appliance
The network parameters of the AppDefense Appliance cannot be modified through the UI after initial deployment.
Workaround: Run the vami_set_network command.
- Plugin UI can have HTTP Status 503 error
This issue does not occur often, but it is possible to hit a timing issue that produces an "HTTP Status 503 – Service Unavailable" error in the AppDefense Plugin UI.
Workaround: Refresh the UI or navigate to another screen and back.
- Alert is generated with unknown CLI when mounting/unmounting NFS
When mounting or unmounting NFS, an alert is generated with an unknown CLI.
- Driver error when two guest module versions (example: 1.3.4 and 2.0) are in the same service
Driver Error: Encountered errors in reading some allowedService entries.
AppDefense does not support multiple driver versions in the same service. Update the guest module running the older driver version to remediate the issue.
- The custom repository feature for guest upgrades does not work
In the Appliance UI Upgrade configuration, do not use the custom repository feature for guest upgrades, as it does not work.
- Upgrade from 2.0.0 to 2.3.0 is not supported
The 2.0.0 appliance goes out of support with this release. See the Product Lifecycle Matrix. If you are running a 2.0 or earlier appliance, first upgrade to version 2.2.1 before upgrading to version 2.3. A direct upgrade path is not supported.
- Alert Details do not show Allowed Behaviors
An alert with the description "Known Process New Behavior" may not display the associated allowed connections when viewing allowed behaviors. This issue occurs intermittently.
Workaround: In order to view associated allowed connections, navigate to the Scope and Service indicated in the Alert details and view the Behaviors cards for the associated Process.