To protect VMs using a Guest Introspection security solution, you must install Guest Introspection thin agent, also called Guest Introspection drivers, on the VM. Guest Introspection drivers are included with VMware Tools for Windows, but are not part of the default installation. To install Guest Introspection on a Windows VM, you must perform a custom install and select the drivers.

Windows virtual machines with the Guest Introspection drivers installed are automatically protected whenever they are started up on an ESXi host that has the security solution installed. Protected virtual machines retain the security protection through shut downs and restarts, and even after a vMotion move to another ESXi host with the security solution installed.

For Linux instructions, see Install the Guest Introspection Thin Agent on Linux Virtual Machines.

Prerequisites

Ensure that the guest virtual machine has a supported version of Windows installed. The following Windows operating systems are supported for NSX Guest Introspection:
  • Windows XP SP3 and above (32 bit)
  • Windows Vista (32 bit)
  • Windows 7 (32/64 bit)
  • Windows 8 (32/64 bit)
  • Windows 8.1 (32/64) -- from vSphere 6.0 and later
  • Windows 10
  • Windows 2003 SP2 and above (32/64 bit)
  • Windows 2003 R2 (32/64 bit)
  • Windows 2008 (32/64 bit)
  • Windows 2008 R2 (64 bit)
  • Win2012 (64)
  • Win2012 R2 (64) -- from vSphere 6.0 and later

Procedure

  1. Start the VMware Tools installation, following the instructions for your version of vSphere. Select Custom install.
  2. Expand the VMCI Driver section.
    The options available will vary depending on the version of VMware Tools.
    Driver Description
    vShield Endpoint Drivers Installs File Introspection (vsepflt) and Network Introspection (vnetflt) drivers.
    Guest Introspection Drivers Installs File Introspection (vsepflt) and Network Introspection (vnetflt) drivers.
    NSX File Introspection Driver and NSX Network Introspection Driver Select NSX File Introspection Driver to install vsepflt.

    Optionally select NSX Network Introspection Driver to install vnetflt (vnetWFP on Windows 10 or later).

    Note: Select NSX Network Introspection Driver only if you are using the Identity Firewall or Endpoint Monitoring features.
  3. In the drop-down menu next to the drivers you want to add, select This feature will be installed on the local hard drive.
  4. Follow the remaining steps in the procedure.

What to do next

Check if the thin agent is running using the fltmc command with the administrative privileges. The Filter Name column in the output lists the thin agent with an entry vsepflt.