On distributed east-west traffic, the NSX Malware Prevention feature uses the file introspection capabilities of the NSX Guest Introspection (GI) platform.

  • In NSX 4.0, malware detection and prevention on the distributed east-west traffic is supported only for Windows Portable Executable (PE) files that are extracted by the GI thin agent on the Windows guest endpoints (VMs). Other file categories are not supported by NSX Distributed Malware Prevention.
  • Starting in NSX 4.0.1.1, malware detection and prevention on the distributed east-west traffic is supported for all the file categories on both Windows and Linux guest endpoints. To view the list of supported file categories, see File Categories Supported for NSX Malware Prevention.
  • The maximum supported file size is 64 MB.
Important: The NSX Malware Prevention feature can function as designed only when your NSX environment is connected to the Internet.

To protect guest VMs on vSphere host clusters with the NSX Malware Prevention feature, you must complete a series of steps.

Workflow:
  1. Prepare your NSX environment for deploying the NSX Distributed Malware Prevention service. This preparation involves the following prerequisite tasks:
    • Set up NSX Proxy Server for Internet Connectivity.
    • Deploy NSX Application Platform.
    • Activate the NSX Malware Prevention feature on the NSX Application Platform.
    • Configure vSphere host clusters as NSX Host Transport Nodes by applying a Transport Node profile.
    • Generate a public-private key pair for SSH access to the NSX Malware Prevention service virtual machine. A key pair is required for logging in to the service virtual machine to download log files.
    • Do a custom or a complete VMware Tools installation to install the NSX File Introspection driver on VMs.
    • Download the OVA file for deploying the NSX Malware Prevention service virtual machine (SVM) on host clusters that are prepared for NSX.
    • Register the NSX Distributed Malware Prevention service.

    For detailed instructions, see Prerequisites for Deploying the NSX Distributed Malware Prevention Service.

  2. Deploy the NSX Distributed Malware Prevention service on NSX-prepared host clusters. This step turns on the NSX Malware Prevention feature on host clusters.

    For detailed instructions, see Deploy the NSX Distributed Malware Prevention Service.

  3. Add a security policy to protect VMs with the NSX Distributed Malware Prevention service. This step involves the following Policy Management tasks:
    • Add a Malware Prevention profile.
    • Create groups and add VMs that you want to protect from malware in these groups. You can add VMs as static members, or define membership criteria that evaluate to VMs as effective members.
    • Add Distributed Malware Prevention rules. Attach the Malware Prevention profile to the rules.
    • Publish the rules to push them to the hosts.

    For detailed instructions, see Add Rules for NSX Distributed IDS/IPS and NSX Distributed Malware Prevention.
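    The group membership described in step 3 decides which VMs a Distributed Malware Prevention rule actually covers, so it is worth checking who the effective members are before publishing. The following Python script is an added example, not VMware's code: it models the Condition / ConjunctionOperator expression shape used by NSX Policy groups (member_type VirtualMachine, key Tag or Name, operators EQUALS / CONTAINS / STARTSWITH), evaluates it over a constructed VM inventory, and flags effective members that still lack the NSX File Introspection driver from the prerequisites. The expression format, the left-to-right conjunction evaluation, the `has_fi_driver` attribute and the inventory are assumptions made for the example, not data read from NSX Manager.

```python
"""Evaluate NSX-style dynamic group membership for a Malware Prevention policy.

Added example, not VMware's code. Models the Condition / ConjunctionOperator
expression shape of NSX Policy groups; expression handling, the has_fi_driver
attribute and the inventory are assumptions constructed for this script.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class VirtualMachine:
    name: str
    tags: set[str] = field(default_factory=set)  # NSX tags written as "scope|tag"
    has_fi_driver: bool = False                   # NSX File Introspection driver installed (constructed attribute)


@dataclass
class Group:
    name: str
    expression: list[dict]                                 # Condition / ConjunctionOperator items
    static_members: set[str] = field(default_factory=set)  # VM names added as static members (simplified)


def match_condition(condition: dict, vm: VirtualMachine) -> bool:
    """Evaluate one Condition (key Tag or Name) against a VM."""
    key, op, value = condition["key"], condition["operator"], condition["value"]
    if key == "Tag":
        candidates = vm.tags
    elif key == "Name":
        candidates = {vm.name}
    else:
        raise ValueError(f"unsupported condition key: {key}")
    if op == "EQUALS":
        return value in candidates
    if op == "CONTAINS":
        return any(value in c for c in candidates)
    if op == "STARTSWITH":
        return any(c.startswith(value) for c in candidates)
    raise ValueError(f"unsupported operator: {op}")


def evaluate_expression(expression: list[dict], vm: VirtualMachine) -> bool:
    """Combine conditions with AND / OR conjunctions, evaluated left to right (assumed precedence)."""
    result: bool | None = None
    conjunction = "AND"
    for item in expression:
        if item["resource_type"] == "ConjunctionOperator":
            conjunction = item["conjunction_operator"]
            continue
        matched = match_condition(item, vm)
        if result is None:
            result = matched
        elif conjunction == "AND":
            result = result and matched
        elif conjunction == "OR":
            result = result or matched
        else:
            raise ValueError(f"unsupported conjunction: {conjunction}")
    return bool(result)


def effective_members(group: Group, inventory: list[VirtualMachine]) -> list[str]:
    """Static members plus every VM the membership criteria evaluate to, sorted by name."""
    names = {
        vm.name
        for vm in inventory
        if vm.name in group.static_members or evaluate_expression(group.expression, vm)
    }
    return sorted(names)


def coverage_report(group: Group, inventory: list[VirtualMachine]) -> dict[str, list[str]]:
    """Split effective members into VMs ready for file introspection and VMs still missing the driver."""
    by_name = {vm.name: vm for vm in inventory}
    members = effective_members(group, inventory)
    return {
        "ready": [n for n in members if by_name[n].has_fi_driver],
        "missing_driver": [n for n in members if not by_name[n].has_fi_driver],
    }


# Constructed sample inventory: names, tags and driver state are invented for this example.
SAMPLE_INVENTORY = [
    VirtualMachine("web-01", {"env|prod", "role|web"}, has_fi_driver=True),
    VirtualMachine("web-02", {"env|prod", "role|web"}, has_fi_driver=False),
    VirtualMachine("db-01", {"env|prod", "role|db"}, has_fi_driver=True),
    VirtualMachine("web-dev-01", {"env|dev", "role|web"}, has_fi_driver=True),
    VirtualMachine("legacy-app", set(), has_fi_driver=True),
]

# Constructed group: "env|prod" tagged VMs whose name starts with "web-", plus one static member.
SAMPLE_GROUP = Group(
    name="prod-web-malware-prevention",
    expression=[
        {"resource_type": "Condition", "member_type": "VirtualMachine",
         "key": "Tag", "operator": "EQUALS", "value": "env|prod"},
        {"resource_type": "ConjunctionOperator", "conjunction_operator": "AND"},
        {"resource_type": "Condition", "member_type": "VirtualMachine",
         "key": "Name", "operator": "STARTSWITH", "value": "web-"},
    ],
    static_members={"legacy-app"},
)

if __name__ == "__main__":
    print(coverage_report(SAMPLE_GROUP, SAMPLE_INVENTORY))
```

    Running the script lists `web-02` under `missing_driver`: it is an effective member of the group and will receive the rule, but without the NSX File Introspection driver the GI thin agent cannot extract files from it, so the rule gives no protection there. Catching that gap before publishing the rules is the point of the check.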

  4. Monitor and analyze the file events in the NSX Manager UI.

    For detailed instructions, see Monitoring File Events.