A Malware Prevention profile determines the file categories that you want to analyze for malware, and whether you want NSX to send the files to the cloud for a detailed analysis.

You can use either the default Malware Prevention profile in your firewall rules or add new profiles depending on the requirements of your security policies. In the profile, you can select the file categories that NSX Malware Prevention should capture and analyze for malicious behavior. File analysis is done locally on NSX Host Transport Nodes and NSX Edge Transport Nodes that are activated for NSX Malware Prevention. If you opt to send the files to the cloud, a detailed file analysis is also done in the cloud.

In NSX 4.0, some restrictions apply to the file categories that are supported for Distributed Malware Prevention firewall rules. However, starting in NSX 4.0.1.1, the restrictions are removed. For more information, see File Categories Supported for NSX Malware Prevention.

When you apply the profile to Distributed Malware Prevention rules, NSX Malware Prevention analyzes the files that are intercepted or captured on the Host Transport Nodes. When you apply the profile to Gateway Malware Prevention rules, NSX Malware Prevention analyzes the files that are intercepted or captured on the Edge Transport Nodes.

You can add multiple Malware Prevention profiles with different configurations and use separate profiles in the Distributed Malware Prevention firewall rules and Gateway Malware Prevention firewall rules. You can use a different profile in the firewall rules of each tier-1 gateway that you have activated for NSX Malware Prevention. For example, let us say you have two profiles: A and B. In profile A configuration, you choose not to send the files to the cloud for analysis, whereas in profile B, you choose to send the files to the cloud for analysis. You use profile A for Distributed Malware Prevention rules and profile B for Gateway Malware Prevention rules.

Caution: Use caution when applying different or inconsistent Malware Prevention profile configurations to Distributed Malware Prevention rules and Gateway Malware Prevention rules, or when using different profile configurations on each tier-1 gateway that is activated for NSX Malware Prevention. Different profile configurations might cause NSX to return a different verdict for the same file depending on where the file is intercepted (Host Transport Node or Edge Transport Node). Cloud file analysis performs deep content inspection, including sandboxing and machine learning techniques, and can therefore detect malware behaviors with greater accuracy. Local file analysis does not have sufficient resources to perform such a deep analysis and hence might yield less precise results.

You can attach only a single Malware Prevention profile to a firewall rule at a time. However, a single Malware Prevention profile can be attached to multiple Distributed Malware Prevention rules and Gateway Malware Prevention rules simultaneously, if required.
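The caution above is easy to violate once several profiles and tier-1 gateways are in play. The following added example (not VMware code, and not the NSX Policy API schema; the profile and rule records, category names and gateway names are constructed) checks a set of profile assignments for exactly the kinds of inconsistency the text describes: cloud analysis enabled in one place but not another, different file categories captured on hosts versus edges, and tier-1 gateways that disagree with each other.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    name: str
    file_categories: frozenset
    cloud_analysis: bool  # the "Send files to NSX Advanced Threat Prevention cloud service" setting

@dataclass(frozen=True)
class Rule:
    name: str
    scope: str  # "distributed" (Host Transport Nodes) or "gateway" (Edge Transport Nodes)
    profile: str  # a rule carries exactly one profile
    gateway: str = ""  # tier-1 gateway, for gateway rules only

def find_inconsistencies(profiles, rules):
    """Findings where a file may get a different verdict depending on where it is intercepted."""
    by_name = {p.name: p for p in profiles}
    findings = [f"{r.name}: unknown profile {r.profile!r}" for r in rules if r.profile not in by_name]
    used = {r.profile for r in rules if r.profile in by_name}
    # Cloud analysis should be uniformly on or off: local-only analysis is less precise.
    on = sorted(n for n in used if by_name[n].cloud_analysis)
    off = sorted(n for n in used if not by_name[n].cloud_analysis)
    if on and off:
        findings.append(f"cloud analysis enabled in {on} but disabled in {off}")
    # Categories captured on Host Transport Nodes should match those captured on Edges.
    cats = {}
    for r in rules:
        if r.profile in by_name:
            cats.setdefault(r.scope, set()).update(by_name[r.profile].file_categories)
    if "distributed" in cats and "gateway" in cats and cats["distributed"] != cats["gateway"]:
        d, g = cats["distributed"], cats["gateway"]
        findings.append(f"file categories differ: distributed-only={sorted(d - g)}, gateway-only={sorted(g - d)}")
    # Each tier-1 gateway may use its own profile; flag gateways that disagree with each other.
    per_gw = {}
    for r in rules:
        if r.scope == "gateway" and r.gateway:
            per_gw.setdefault(r.gateway, set()).add(r.profile)
    if len({frozenset(v) for v in per_gw.values()}) > 1:
        findings.append(f"tier-1 gateways use different profiles: {per_gw}")
    return findings

# Constructed sample following the A/B scenario in the text; category and gateway names are illustrative.
PROFILES = [Profile("A", frozenset({"PE", "PDF"}), cloud_analysis=False),
            Profile("B", frozenset({"PE", "PDF", "Archive"}), cloud_analysis=True)]
RULES = [Rule("dfw-mp", "distributed", "A"),
         Rule("t1-north-mp", "gateway", "B", gateway="t1-north"),
         Rule("t1-south-mp", "gateway", "A", gateway="t1-south")]
if __name__ == "__main__":
    print("\n".join(find_inconsistencies(PROFILES, RULES)) or "profiles are consistent")
```

Running it on the sample reports all three mismatches; a deployment that uses one profile everywhere produces no findings.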

Prerequisites

Set up your NSX environment for NSX Malware Prevention.

For detailed instructions, see Preparing the Data Center for NSX IDS/IPS and NSX Malware Prevention.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://nsx-manager-ip-address.
  2. Navigate to Security > IDS/IPS & Malware Prevention > Profiles > Malware Prevention.
  3. Click Add Profile.
  4. Enter a name for the profile.
  5. (Optional) Enter a description for the profile and add tags.
  6. Select the file categories to include for local file analysis and cloud file analysis. By default, all categories are selected.
    Note: In NSX 4.0, the File Category options are applicable only to Gateway Malware Prevention rules. For Distributed Malware Prevention rules, malware detection and prevention is supported only for Windows Portable Executable (PE) files on Windows guest endpoints (VMs). Other file categories are not supported for malware detection and prevention on the VMs. In other words, NSX 4.0 ignores the File Category options for Distributed Malware Prevention rules.

    Starting in NSX 4.0.1.1, the File Category options are applicable to both Distributed Malware Prevention rules and Gateway Malware Prevention rules.

  7. (Optional) Deselect the Send files to NSX Advanced Threat Prevention cloud service check box.
    By default, cloud file analysis is selected.
  8. Click Save.

Results

The Malware Prevention profile is saved and the Status column shows Successful.

What to do next

Attach this profile to Gateway Malware Prevention rules or Distributed Malware Prevention rules, or both, depending on the requirements of your security policies.