NSX Malware Prevention on a Distributed Firewall uses the NSX Guest Introspection (GI) framework. To detect and prevent malware on the Windows guest endpoints (VMs), you must deploy the NSX Distributed Malware Prevention service on the ESXi host clusters that are prepared for NSX.

When you deploy the service on a host cluster, an instance of the NSX Malware Prevention service virtual machine (SVM) is deployed on each host of the cluster. Currently, an SVM of fixed size is deployed and it requires the following resources on each host of the cluster:
  • 4 vCPU
  • 6 GB RAM
  • 80 GB Disk space
Note: For distributed east-west traffic, malware detection and prevention is supported only for Windows Portable Executable (PE) files that are extracted by the GI thin agent on the workload VMs (endpoints). Other file categories are not currently supported by NSX Distributed Malware Prevention. The maximum supported file size is 64 MB; larger files are not inspected.

Before deploying the NSX Distributed Malware Prevention service on host clusters, you must complete the prerequisites that are explained in the following sections. If some prerequisites are already completed, skip those, and proceed with the pending prerequisites.

Add an Appropriate License in NSX-T Data Center

To use the NSX Malware Prevention feature, NSX-T Data Center must use an appropriate license. For information about licenses that support NSX Malware Prevention, see System Requirements for NSX IDS/IPS and NSX Malware Prevention.

To add a license:
  1. In NSX Manager, navigate to System > Licenses > Add License.
  2. Enter the license key.

Verify All Hosts are Managed by vCenter Server

The NSX Malware Prevention feature is supported only on vSphere host clusters that are managed by one or more vCenter Servers.

  1. In NSX Manager, navigate to System > Fabric > Nodes > Host Transport Nodes.
  2. In the Managed by drop-down menu, select the vCenter Server that manages the vSphere host clusters on which you want to deploy the NSX Malware Prevention SVM.

    The list of vSphere host clusters is displayed. Verify that this list includes the host clusters that are of interest to you for enabling malware protection.

Configure Hosts as Transport Nodes

Apply a Transport Node Profile to the vSphere host clusters to configure the vSphere hosts as Host Transport Nodes.

For detailed instructions, see the following topics in the NSX-T Data Center Installation Guide:

Generate Public-Private Key Pair for SSH Access to SVM

To download log files from the SVM for troubleshooting, read-only SSH access to the NSX Malware Prevention SVM is required.

SSH access to the admin user of the SVM is key-based (public-private key pair). A public key is needed when you are deploying the service on an ESXi host cluster, and a private key is needed when you want to start an SSH session to the SVM.

You can generate the public-private key pair by using any SSH key generation tool, for example ssh-keygen or PuTTY Key Generator. However, the public key must adhere to a specific format, as described in the following subsection. Supported key sizes are 1024 bits, 2048 bits, and 4096 bits. Prefer 2048 bits or larger: 1024-bit RSA is below current recommendations, and the key authorizes administrative SSH access to the SVM.

Public Key Format
The public key must be in the OpenSSH single-line format: the key type ssh-rsa, a space, the base64-encoded key, and optionally a space followed by a comment, all on one line.
Example:
ssh-rsa A1b2C3d4E5+F6G7XxYyZzaB67896C4g5xY9+H65aBUyIZzMnJ7329y94t5c%6acD+oUT83iHTR870973TGReXpO67U= rsa-key-20121022

If you are using PuTTY Key Generator, ensure that the public key is copied directly from the UI. If the key pair already exists, first load the private key file in the PuTTY Key Generator UI, and then copy the public key that is displayed in the Key text box. Avoid copying the contents from a public key file saved by PuTTY Key Generator: that file uses the multi-line RFC 4716 format (beginning with "---- BEGIN SSH2 PUBLIC KEY ----"), which is not the single-line format the SVM expects and will not work.

If you are generating the key pair by using the ssh-keygen utility on Linux systems, and you generate an RSA key, the public key file is already in the single-line format and starts with ssh-rsa. Therefore, on Linux systems, you can copy the contents of the public key file directly. Keys of other types (for example, Ed25519) do not produce the ssh-rsa format shown above.

Recommended Practice

NSX Distributed Malware Prevention service deployment is done at the level of a host cluster. So, a key pair is tied to a host cluster. You can create either a new public-private key pair for a service deployment on each cluster, or use a single key pair for service deployments on all the clusters.

If you plan to use a different public-private key pair for service deployment on each cluster, ensure that the key pairs are named correctly for easy identification.

A good practice is to identify each service deployment with a "compute cluster id" and specify the cluster id in the name of the key pair. For example, let us assume that the cluster id is "1234-abcd". For this cluster, you can specify the service deployment name as "MPS-1234-abcd", and name the key pair to access this service deployment as "id_rsa_1234_abcd.pem". This practice makes it easy for you to maintain and associate keys for each service deployment.

Important: Store the private key securely and restrict who can read it; it grants SSH access to the admin user of the NSX Malware Prevention SVM. Loss of the private key results in a loss of SSH access to the SVM.
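The following added example (not part of the VMware documentation) checks a public key against the format described above before you paste it into the service deployment: it must be one line, start with ssh-rsa, carry a valid base64 blob whose embedded key type is also ssh-rsa, and have a modulus of 1024, 2048, or 4096 bits. It also recognizes the RFC 4716 block format that a PuTTY Key Generator .pub file uses and reports why that copy fails. The sample key line it builds is constructed for the demonstration (a structurally valid blob with a placeholder modulus) and is not a usable key pair; generate real ones with, for example, ssh-keygen -t rsa -b 2048 -C id_rsa_1234_abcd, following the naming practice above.

```python
import base64
import struct

# Key sizes the page lists as supported for the SVM admin user.
SUPPORTED_RSA_BITS = {1024, 2048, 4096}

# Header of the RFC 4716 block format that PuTTYgen writes to .pub files; the SVM wants
# the one-line OpenSSH format instead, so recognise and reject this explicitly.
RFC4716_HEADER = "---- BEGIN SSH2 PUBLIC KEY ----"


def _read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length, then that many bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def check_public_key(text):
    """Validate an ssh-rsa public key in OpenSSH one-line format.

    Returns (True, modulus_bits) when the key is acceptable, otherwise (False, reason).
    """
    text = text.strip()
    if text.startswith(RFC4716_HEADER):
        return False, "RFC 4716 block format (PuTTYgen .pub file); copy the key from the PuTTYgen window instead"
    if "\n" in text:
        return False, "key must be a single line"
    parts = text.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        return False, "line must start with 'ssh-rsa' followed by the base64 key"
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "second field is not valid base64"
    try:
        key_type, off = _read_string(blob, 0)
        _exponent, off = _read_string(blob, off)
        modulus, off = _read_string(blob, off)
    except ValueError as err:
        return False, str(err)
    if key_type != b"ssh-rsa":
        return False, "embedded key type %r does not match ssh-rsa" % key_type.decode(errors="replace")
    if off != len(blob):
        return False, "unexpected trailing bytes after the modulus"
    bits = int.from_bytes(modulus, "big").bit_length()
    if bits not in SUPPORTED_RSA_BITS:
        return False, "unsupported RSA key size %d bits" % bits
    return True, bits


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    # Big-endian, with an extra leading zero byte when the top bit is set (SSH mpint rule).
    data = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(data)


def make_sample_key(bits, comment):
    """Constructed sample for exercising the checker: a structurally valid ssh-rsa line with a
    placeholder modulus. This is NOT a usable key; generate real pairs with ssh-keygen."""
    modulus = (1 << (bits - 1)) | 0x10001  # top bit set so the size is exactly `bits`
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(modulus)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


if __name__ == "__main__":
    # Comment follows the page's naming practice: key pair named after the compute cluster id.
    print(check_public_key(make_sample_key(2048, "id_rsa_1234_abcd")))
    putty_file = RFC4716_HEADER + '\nComment: "rsa-key"\nAAAAB3\n---- END SSH2 PUBLIC KEY ----'
    print(check_public_key(putty_file))
```

Run it against the contents of your real .pub file (or the text copied from the PuTTYgen window) before deploying the service; a rejected key is far cheaper to fix here than after the SVMs have been deployed without working SSH access.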

Deploy NSX Application Platform

NSX Application Platform is a modern microservices platform that hosts several NSX features that collect, ingest, and correlate network traffic data.

For detailed instructions about deploying the platform, see the Deploying and Managing the VMware NSX Application Platform publication at https://docs.vmware.com/en/VMware-NSX-T-Data-Center/index.html. From the left navigation pane at this link, expand version 3.2 or later, and then click the publication name.

Activate NSX Malware Prevention Feature

For detailed instructions, see Activate NSX Malware Prevention.

When this feature is activated, the microservices that are required for NSX Malware Prevention start running in the NSX Application Platform.

Before proceeding to the next step, verify the status of the NSX Malware Prevention feature on the NSX Application Platform. Do these steps:
  1. In NSX Manager, navigate to System > NSX Application Platform.
  2. Scroll down the page until you see the Features section.
  3. Verify that the NSX Malware Prevention feature card shows Status as Up.

If the status is Down, wait until the status changes to Up, and then proceed to the next step.

Verify VM Hardware Configuration on Guest VMs

Verify that VM Hardware Configuration version 9 or later is running on the Windows guest VMs. Do these steps:
  1. Log in to the vSphere Client.
  2. Go to Hosts and Clusters and navigate to the cluster.
  3. Click the VMs in the cluster, one at a time.
  4. On the Summary page, expand the VM Hardware pane, and observe the Compatibility information of the VM. The VM version number must be 9 or later.
For example:
VM Hardware pane with compatibility information highlighted.

Install NSX File Introspection Driver

NSX File Introspection driver is included with VMware Tools for Windows. However, this driver is not a part of the default VMware Tools installation. To install this driver, you must do a custom or a complete installation and select the NSX File Introspection driver.

For detailed instructions, see Install the Guest Introspection Thin Agent on Windows Virtual Machines.

Download the OVA File of NSX Malware Prevention Service Virtual Machine

  1. In a Web browser, open the Download VMware NSX-T Data Center™ page, and log in with your VMware ID.
  2. Download the OVA file. (VMware-NSX-Malware-Prevention-appliance-3.2.0.0-build_number.ova)
  3. Extract the OVA file with the following command:
    tar -xvf filename.ova

    Replace filename with the exact name of the OVA file that you downloaded in the previous step.

    Observe that the following four files are available in the root directory where the OVA file is extracted.

    • OVF file (.ovf)
    • Manifest file (.mf)
    • Certificate file (.cert)
    • Virtual machine disk file (.vmdk)
  4. Copy all the extracted files to a Web server that meets the following prerequisites:
    • The Web server must have unauthenticated access over HTTP.
    • The Web server must be accessible to NSX Manager, all ESXi hosts where you plan to deploy the NSX Malware Prevention SVM, and the vCenter Server that is registered to NSX-T.
    • The MIME types for the extracted files must be added to the Web server. For information about adding MIME types to the Web server, see your Web server documentation.
      File extension   MIME type
      .ovf             application/vmware
      .vmdk            application/octet-stream
      .mf              text/cache-manifest
      .cert            application/x-x509-user-cert

Note: You can deploy the Web server on the same network where the NSX Manager appliances, ESXi hosts, and the vCenter Server appliance are deployed. Because the files are served without authentication, keep the Web server reachable only from that management network. The Web server does not require Internet access.
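The following added example (not from the VMware documentation) implements steps 3 and 4 above in Python: it unpacks the OVA with the standard library's tarfile module (an OVA is a tar archive, which is why tar -xvf works), verifies each extracted file against the SHA digests in the .mf manifest before the files are published on the unauthenticated Web server, and maps each file to the MIME type listed in the table. The verification step is not described on the page; it is a practitioner's check that catches a corrupted or altered copy before the SVM is deployed from it. The sample OVA the script builds is constructed for the demonstration and is not the NSX Malware Prevention appliance. The .cert file is not listed in the manifest (it signs the manifest rather than being covered by it), so the coverage check skips it.

```python
import hashlib
import io
import os
import re
import tarfile

# MIME types the page lists for the files extracted from the OVA.
MIME_TYPES = {
    ".ovf": "application/vmware",
    ".vmdk": "application/octet-stream",
    ".mf": "text/cache-manifest",
    ".cert": "application/x-x509-user-cert",
}

# OVF manifest lines look like 'SHA256(appliance.ovf)= <hex digest>'.
_MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def extract_ova(ova_bytes):
    """Unpack an OVA (a tar archive) into {member name: bytes}, like `tar -xvf filename.ova`."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    return files


def parse_manifest(text):
    """Return {file name: (hash algorithm, hex digest)} from the .mf manifest."""
    digests = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        match = _MANIFEST_LINE.match(line.strip())
        if not match:
            raise ValueError("unrecognised manifest line: %r" % line)
        algo, name, hexdigest = match.groups()
        digests[name] = (algo.lower(), hexdigest.lower())
    return digests


def verify_ova(ova_bytes):
    """Check the OVA contents against the manifest and plan the Web server MIME types.

    Returns (problems, mime_plan): problems is a list of findings (empty when the package is
    consistent); mime_plan maps each file to the MIME type the Web server must serve it with.
    """
    files = extract_ova(ova_bytes)
    problems = []
    manifests = [name for name in files if name.endswith(".mf")]
    digests = {}
    if len(manifests) != 1:
        problems.append("expected exactly one .mf manifest, found %d" % len(manifests))
    else:
        digests = parse_manifest(files[manifests[0]].decode("utf-8"))
    for name, (algo, hexdigest) in digests.items():
        if name not in files:
            problems.append("manifest lists %s but it is not in the OVA" % name)
        elif hashlib.new(algo, files[name]).hexdigest() != hexdigest:
            problems.append("%s does not match its %s digest in the manifest" % (name, algo))
    for name in files:
        # The manifest cannot list itself, and the .cert file signs the manifest rather than
        # being listed in it; every other file must be covered.
        if name not in digests and not name.endswith((".mf", ".cert")):
            problems.append("%s is not covered by the manifest" % name)
    mime_plan = {}
    for name in files:
        ext = os.path.splitext(name)[1]
        if ext in MIME_TYPES:
            mime_plan[name] = MIME_TYPES[ext]
        else:
            problems.append("%s has no MIME type mapping for the Web server" % name)
    return problems, mime_plan


def build_sample_ova(tamper=False):
    """Constructed toy OVA for exercising verify_ova(); not the real appliance image."""
    contents = {
        "appliance.ovf": b"<Envelope/>",
        "appliance-disk1.vmdk": b"KDMV" + b"\x00" * 64,
        "appliance.cert": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    }
    manifest = "".join(
        "SHA256(%s)= %s\n" % (name, hashlib.sha256(data).hexdigest())
        for name, data in contents.items() if not name.endswith(".cert")
    )
    contents["appliance.mf"] = manifest.encode("utf-8")
    if tamper:
        contents["appliance-disk1.vmdk"] += b"\x01"  # simulate a corrupted or altered disk image
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in contents.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print(verify_ova(build_sample_ova()))
    print(verify_ova(build_sample_ova(tamper=True))[0])
```

To use it on the real download, read the OVA file into bytes and call verify_ova; publish the files only when the problems list is empty, and configure the Web server with the MIME types from mime_plan.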

Register the NSX Distributed Malware Prevention Service

Run the following POST API:
POST https://{nsx-manager-ip}/napp/api/v1/malware-prevention/svm-spec
In the request body of this POST API, specify the following details:
  • Complete path to the OVF file on the Web server
  • Name of the deployment specification (SVM is identified by this name on the vCenter Server)
  • SVM version number
Example Request Body:
{
    "ovf_url" : "http://{webserver-ip}/{path-to-ovf-file}/(unknown).ovf",
    "deployment_spec_name" : "NSX_Distributed_MPS",
    "svm_version" : "3.2"
}

For more information about this API including an example response, see API Reference: NSX Distributed Malware Prevention Service.

Verify that the service name is listed on the Catalog page. Do these steps:
  1. In NSX Manager, navigate to System > Service Deployments > Catalog.
  2. Verify that the VMware NSX Distributed Malware Prevention Service is listed on the page.