NSX Guest Introspection comprises several related components:
The partner management console registers the service (for example, agentless anti-virus) with NSX, configures and monitors the deployed partner security virtual machines (Partner SVMs), and sends VM tagging operation messages to NSX Manager.
vCenter manages the ESX Agent Manager (EAM) which is responsible for deploying the Partner SVM and Guest Introspection security virtual machine (GI-SVM) to hosts on clusters that have the partner service configured.
NSX Manager is the central control point for Guest Introspection. It tells EAM which hosts require a Partner SVM and GI-SVM, sends GI configuration information to the GI-SVM, receives GI health-monitoring information from the host, and executes tagging commands received from the partner management console.
On the host, the Partner SVM receives activity events and information from the GI components through the EPSEC library and performs security operations and analytics to detect potential threats or vulnerabilities. The Partner SVM reports these events to the partner management console, which takes NSX actions such as grouping and tagging. The GI ESX module in the hypervisor acts as a switch, passing relevant events from the thin agents installed in the VMs to the appropriate Partner SVM for analysis. The GI-SVM uses configuration information received from NSX Manager to configure the GI ESX module as VMs are instantiated or moved, to generate NSX Identity Firewall and Endpoint Monitoring context, and to send GI-related health information back to NSX Manager.
Common questions asked about SVMs and GI SVMs:
Is there a difference between an SVM and a GI USVM? SVMs are the third-party (partner) appliances, such as those from Trend and McAfee. The USVM is the NSX GI SVM.
What are the key characteristics of SVMs and GI SVMs that make them different from a regular VM? Guest Introspection offloads anti-virus and anti-malware agent processing to a dedicated secure virtual appliance. Because the secure virtual appliance (unlike a guest virtual machine) does not go offline, it can continuously update anti-virus signatures, giving uninterrupted protection to the virtual machines on the host.
The Guest Introspection Universal Security Virtual Machine (GI USVM) provides a framework for third-party anti-virus products to run against guest virtual machines from the outside, removing the need for anti-virus agents in every virtual machine. SVMs contain specific binaries and applications added by the vendor of the SVM. The vendor of the GI USVM is NSX.
Can any VM be deployed or managed as an SVM? No, SVMs are prebuilt and provided by the vendor.
Is there an SVM/GI USVM specification for logging? No, there is no specification.
Is there a public guide on SVM/USVM-related events? No, the SVM logs are for internal troubleshooting purposes.