On the distributed east-west traffic in NSX-T Data Center, NSX Malware Prevention feature uses the file introspection capabilities of the NSX Guest Introspection (GI) Platform.

Note: On the distributed east-west traffic, malware detection and prevention is supported only for Windows Portable Executable (PE) files that are extracted by the GI thin agent on the workload VMs (endpoints). Other file categories are not supported currently by NSX Distributed Malware Prevention. The supported maximum file size limit is 64 MB.
Important: NSX Malware Prevention feature can function as designed only when your NSX-T Data Center is connected to the Internet.

To protect VM endpoints on vSphere host clusters with NSX Malware Prevention feature, you must complete a series of steps.

Workflow:
  1. Prepare your NSX-T Data Center environment for deploying the NSX Distributed Malware Prevention service. This preparation involves the following prerequisite tasks:
    • Set up NSX Proxy Server for Internet Connectivity.
    • Deploy NSX Application Platform.
    • Activate the NSX Malware Prevention feature on the NSX Application Platform.
    • Configure vSphere host clusters as NSX Host Transport Nodes by applying a Transport Node profile.
    • Generate a public-private key pair for an SSH access to the NSX Malware Prevention service virtual machine. A key pair is required for logging in to the service virtual machine to download log files.
    • Do a custom or a complete VMware Tools installation to install NSX File Introspection driver on VMs.
    • Download the OVA file for deploying NSX Malware Prevention service virtual machine (SVM) on host clusters, which are prepared for NSX.
    • Register the NSX Distributed Malware Prevention service.

    For detailed instructions, see Prerequisites for Deploying the NSX Distributed Malware Prevention Service.

  2. Deploy the NSX Distributed Malware Prevention service on NSX-prepared host clusters. This step turns on the NSX Malware Prevention feature on host clusters.

    For detailed instructions, see Deploy the NSX Distributed Malware Prevention Service.

  3. Add a security policy to protect VMs with NSX Distributed Malware Prevention service. This step involves the following Policy Management tasks:
    • Add a Malware Prevention profile.
    • Create groups and add VMs that you want to protect from malware in these groups. You can add VMs as static members, or define membership criteria that evaluate to VMs as effective members.
    • Add Distributed Malware Prevention rules. Attach the Malware Prevention profile to the rules.
    • Publish the rules to push them to the hosts.

    For detailed instructions, see Add Rules for NSX Distributed IDS/IPS and NSX Distributed Malware Prevention.

  4. Monitor and analyze the file events in the NSX Manager UI.

    For detailed instructions, see Monitoring File Events.