Service Composer can identify infected systems on your network with third-party antivirus solutions and quarantine them to prevent further outbreaks.

Our sample scenario shows how you can protect your desktops end to end.

Figure 1. Configuring Service Composer (workflow diagram)
Figure 2. Service Composer Conditional Workflow (diagram)

Prerequisites

We are aware that Symantec tags infected virtual machines with the AntiVirus.virusFound security tag.

Procedure

  1. Install, register, and deploy the Symantec Antimalware solution.
  2. Create a security policy for your desktops.
    1. Click the Security Policies tab and click the Add Security Policy icon.
    2. In Name, type DesktopPolicy.
    3. In Description, type Antivirus scan for all desktops.
    4. Change the weight to 51000. The policy precedence is set very high so as to ensure that it is enforced above all other policies.
    5. Click Next.
    6. On the Add Endpoint Service page, click add and fill in the following values.
      Option                 Value
      Action                 Do not modify the default value
      Service Type           Anti Virus
      Service Name           Symantec Antimalware
      Service Configuration  Silver
      State                  Do not modify the default value
      Enforce                Do not modify the default value
      Name                   Desktop AV
      Description            Mandatory policy to be applied on all desktops
    7. Click OK.
    8. Do not add any firewall or network introspection services and click Finish.
  3. Create a security policy for infected virtual machines.
    1. Click the Security Policies tab and click the Add Security Policy icon.
    2. In Name, type QuarantinePolicy.
    3. In Description, type Policy to be applied to all infected systems.
    4. Do not change the default weight.
    5. Click Next.
    6. On the Add Endpoint Service page, do not do anything and click Next.
    7. In Firewall, add three rules: one rule to block all outgoing traffic, a second rule to block all traffic with groups, and a third rule to allow incoming traffic only from remediation tools.
    8. Do not add any network introspection services and click Finish.
  4. Move QuarantinePolicy to the top of the security policy table to ensure that it is enforced before all other policies.
    1. Click the Manage Priority icon.
    2. Select QuarantinePolicy and click the Move Up icon.
  5. Create a security group for all desktops in your environment.
    1. Log in to the vSphere Web Client.
    2. Click Networking & Security and then click Service Composer.
    3. Click the Security Groups tab and click the Add Security Group icon.
    4. In Name, type DesktopSecurityGroup.
    5. In Description, type All desktops.
    6. Click Next on the next couple of pages.
    7. Review your selections on the Ready to Complete page and click Finish.
  6. Create a Quarantine security group where the infected virtual machines are to be placed.
    1. Click the Security Groups tab and click the Add Security Group icon.
    2. In Name, type QuarantineSecurityGroup.
    3. In Description, type Dynamic group membership based on infected VMs identified by the antivirus scan.
    4. On the Define membership Criteria page, click add and add the following criteria.

      (Figure: membership criteria based on the AntiVirus.virusFound security tag)

    5. Do not do anything on the Select objects to include or Select objects to exclude pages and click Next.
    6. Review your selections on the Ready to Complete page and click Finish.
  7. Map the DesktopPolicy policy to the DesktopSecurityGroup security group.
    1. On the Security Policies tab, ensure that the DesktopPolicy policy is selected.
    2. Click the Apply Security Policy (apply) icon and select the SG_Desktops group.
    3. Click OK.
      This mapping ensures that all desktops (part of the DesktopSecurityGroup) are scanned when an antivirus scan is triggered.
  8. Navigate to the canvas view to confirm that QuarantineSecurityGroup does not include any virtual machines yet.
    1. Click the Information Security tab.
    2. Confirm that there are 0 virtual machines in the group.
  9. Map QuarantinePolicy to QuarantineSecurityGroup.
    This mapping ensures that no traffic flows to the infected systems.
  10. From the Symantec Antimalware console, trigger a scan on your network.
    The scan discovers infected virtual machines and tags them with the security tag AntiVirus.virusFound. The tagged virtual machines are instantly added to QuarantineSecurityGroup, and QuarantinePolicy allows no traffic to or from the infected systems.
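The following is an added model of the workflow above, written for this page and not code from VMware or Symantec: it shows how the AntiVirus.virusFound tag drives dynamic membership of QuarantineSecurityGroup, and why step 4 (moving QuarantinePolicy to the top of the table) matters for a desktop that belongs to both groups. The VM names, the `scan_result` helper and the rule strings are constructed assumptions.

```python
from dataclasses import dataclass, field

VIRUS_TAG = "AntiVirus.virusFound"  # security tag Symantec applies to infected VMs

@dataclass
class VM:
    name: str
    is_desktop: bool
    tags: set = field(default_factory=set)

@dataclass
class Policy:
    name: str
    members: object             # callable: list of VMs -> VMs in the mapped security group
    firewall_rules: list        # ordered firewall rules; DesktopPolicy adds none
    endpoint_service: str = ""  # guest introspection service, if any

# Security groups. DesktopSecurityGroup membership is static (step 5);
# QuarantineSecurityGroup membership is dynamic, driven only by the tag (step 6).
def desktop_group(vms):
    return [vm for vm in vms if vm.is_desktop]

def quarantine_group(vms):
    return [vm for vm in vms if VIRUS_TAG in vm.tags]

# Policy table after step 4: QuarantinePolicy sits above DesktopPolicy, so for a VM
# that is in both groups the quarantine firewall rules are evaluated first.
# The weight of 51000 is DesktopPolicy's, as set in step 2.
POLICY_TABLE = [
    Policy("QuarantinePolicy", quarantine_group,
           ["block all outgoing traffic",
            "block all traffic with groups",
            "allow incoming traffic only from remediation tools"]),
    Policy("DesktopPolicy", desktop_group, [], endpoint_service="Symantec Antimalware"),
]

def effective_policies(vm, vms):
    """Names of the policies applied to vm, in precedence (table) order."""
    return [p.name for p in POLICY_TABLE if vm in p.members(vms)]

def effective_firewall_rules(vm, vms):
    """Firewall rules applied to vm, highest-precedence policy first."""
    return [r for p in POLICY_TABLE if vm in p.members(vms) for r in p.firewall_rules]

def scan_result(vm, infected):
    """Constructed stand-in for the Symantec scan: tag an infected VM, clear the tag once clean."""
    (vm.tags.add if infected else vm.tags.discard)(VIRUS_TAG)
    return vm
```

Because membership is tag-driven, a VM leaves quarantine only when the tag is removed, and a non-desktop VM that gets tagged is quarantined too.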