In a virtual environment, use the guest introspection platform to provide antivirus and antimalware protection to guest VMs.

As an NSX administrator, you implement an antivirus and antimalware solution that is deployed as a Service Virtual Machine (Service VM, or SVM) to monitor file, network, or process activity on a guest VM. Whenever a file is accessed, such as a file open attempt, the antimalware Service VM is notified of the event. The Service VM then determines how to respond to the event, for example, by inspecting the file for virus signatures.

  • If the Service VM determines that the file contains no viruses, then it allows the file open operation to succeed.

  • If the Service VM detects a virus in the file, it requests the Thin Agent on the guest VM to act in one of the following ways:
    • Delete the infected file or deny access to the file.

    • Infected VMs can be assigned a tag by NSX. Moreover, you can define a rule that automatically moves such tagged guest VMs to a security group that quarantines the infected VM for additional scanning and isolation from the network until the infection is completely removed.
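
The flow described above, modeled as an added example (not VMware or partner code): a file-open event goes to the Service VM for a verdict, the Thin Agent applies the response, and a tag drives quarantine group membership. All names, the tag value, and the SHA-256 matching that stands in for the partner's scanning logic are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed signature set held only by the Service VM (not by any guest).
SIGNATURES = {hashlib.sha256(b"constructed-malware-sample").hexdigest()}
QUARANTINE_TAG = "example.infected"  # hypothetical tag name


@dataclass
class GuestVM:
    name: str
    files: dict = field(default_factory=dict)  # path -> file content (bytes)
    tags: set = field(default_factory=set)     # tags assigned to the VM


def service_vm_verdict(content: bytes) -> str:
    """Scanning logic runs on the Service VM; the guest holds no signatures."""
    digest = hashlib.sha256(content).hexdigest()
    return "infected" if digest in SIGNATURES else "clean"


def on_file_open(vm: GuestVM, path: str, remediation: str = "deny") -> bool:
    """Thin Agent side: report the open attempt, then apply the verdict.

    Returns True if the open is allowed to succeed.
    """
    if service_vm_verdict(vm.files[path]) == "clean":
        return True
    if remediation == "delete":
        del vm.files[path]        # delete the infected file
    # With "deny" the file stays on disk but the open fails.
    vm.tags.add(QUARANTINE_TAG)   # tag the infected VM
    return False


def quarantine_group(vms) -> set:
    """Membership is computed from tags, so it changes as tags change."""
    return {vm.name for vm in vms if QUARANTINE_TAG in vm.tags}
```

Because membership is derived from the tag rather than stored, removing the tag after cleanup is what releases the VM from quarantine in this model.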

The benefits of using the guest introspection platform to protect guest VM endpoints are:
  • Reduced consumption of compute resources: Guest introspection offloads virus signatures and security scanning logic from each endpoint on a host to a third-party partner Service VM on the host. As virus scanning happens only on the Service VM, there is no need to spend compute resources on guest VMs to run virus scans.
  • Better management: As virus scans are offloaded to a Service VM, virus signatures need to be updated on only one object per host. Such a mechanism works better than an agent-based solution, where the same virus signatures need to be updated on all guest VMs.

  • Continuous antivirus and antimalware protection: As the Service VM runs continuously, a guest VM is not mandated to run the latest virus signatures. For example, a snapshot VM might run an older version of the virus signatures, making it vulnerable under the traditional way of protecting endpoints. With the guest introspection platform, the Service VM continuously runs the latest virus and malware signatures, thereby ensuring that any newly added VM is also protected with the latest virus signatures.
  • Offloaded virus signatures to a Service VM: The virus database lifecycle is outside of the guest VM lifecycle, and so the Service VM is not affected by guest VM outages.