Use the Malware Prevention dashboard to drill down to events details of files that are extracted in the data center for deeper monitoring and analysis purposes.

The dashboard can show file events over the last 14 days. For information about the maximum number of file events that are supported on the Distributed Firewall and Gateway Firewall, see the VMware Configuration Maximums tool at https://configmax.vmware.com/home.

The information about file events (file inspections) is shown in two tab pages.
Potential Malware page

Shows aggregated events details of malicious files, suspicious files, and uninspected (allowlisted) files that are extracted in the data center over a specific time period.

A bubble in the bubble chart represents a unique file that is extracted in the data center. A file is uniquely identified by its file hash. The color and the graphic inside the bubble denote whether the file is malicious, suspicious, or uninspected (allowlisted).

A row in the table represents one file. The number on the bubble denotes the threat score computed for the file. The score ranges from 0–100, and it denotes the degree of risk or malicious intent that is associated with the file. A high threat score indicates a greater amount of risk, and the reverse. For example:
  • Score range for benign files is 0–29.
  • Score range for suspicious files is 30–69.
  • Score range for malicious files is 70–100.
  • Uninspected files have a score of -1.

If the verdict of the file is malicious or suspicious, the malware family and malware class for that file is displayed. A single file can belong to multiple malware families and malware classes. However, if malware family and malware class for a file are unknown to NSX, the information is not displayed in the UI.

Note: For each file, the event details (inspection details) are aggregated and shown on the dashboard. For example, if a single file is inspected five times in the data center, five file events are generated. In other words, the count of inspections for the file is five. However, the bubble chart shows a single bubble for the file, and the table has a single row for that file. When you point to a bubble, a summary of inspections done for the file is shown. Similarly, when you expand the row for a file in the table, the details of the most recent file inspection are shown. Nevertheless, the history of all previous inspections for the file is retained and available for you to see.
The following table describes the meaning of the icons used on the bubble chart.
Icon Meaning

Image of a small bubble icon.

A small bubble on the timeline represents a single inspection for a file.


Image of a large bubble icon

A large bubble on the timeline represents multiple inspections for a single file.

Example: Assume that an .exe file is extracted on five guest VMs over three days, and NSX has determined this file as suspicious. In this case, five unique file inspections have occurred for the .exe file in the data center. A large bubble is shown on the suspicious timeline on the last inspected timestamp. You can click the bubble to view the history of all five inspections for this .exe file.


Image of a group of bubbles icon

A group of bubbles on the timeline represents multiple unique file inspections with the same verdict.

Example: Assume that four unique .docx files A, B, C, and D are extracted from the north-south traffic in the data center at the same time (or nearly the same time), and NSX has determined that all these files are malicious. The bubbles for all the four files are grouped together and shown on the malicious timeline of the bubble chart.

All Files page
Shows a tabular view of all the unique files that are extracted in the data center, including the benign files. In other words, this page shows all the unique files regardless of the verdict of the file. Expand a row in the table to view the last inspection details of the file.

Prerequisites

  • NSX Malware Prevention feature is activated successfully in the NSX Application Platform.
  • NSX Malware Prevention feature is activated on the ESXi host clusters or tier-1 gateways, or both, depending on your security requirements.

Procedure

  1. From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
  2. Click Security, and then in the left navigation pane, click Malware Prevention.
    The Potential Malware page is displayed. By default, the bubble chart and the table show files that are extracted in the last one hour. To view the files for a different time period, click the drop-down menu at the top-right corner of this page, and select a different time period.
  3. (Optional) Click the filter icon at the top-right corner of the page, and select the criteria to filter the information on the page.
    The filter criteria are applied to both the bubble chart and the table. In NSX 4.0, the supported filter criteria are Verdict (including Allowlist) and SHA256 hash. Starting in NSX 4.0.1.1, the following filter criteria are also supported:
    • Blocked
    • File Type
    • Malware Class
    • Malware Family
  4. Monitor the file events details (inspections) that are shown on the dashboard.
    1. Point to a bubble to view the summary information about the inspections for a file in a pop-up window.
      The information in the pop-up window varies depending on whether you point to a small bubble, a large bubble, or a group of bubbles. For example, when you point to a small bubble, the pop-up window displays summary information about a single inspection of the file.
    2. Drag the timeline in the bubble chart to zoom out or zoom in, if required.
    3. Click a bubble to jump directly to that file in the table. Expand the row to view complete details about the most recent inspection for this file.
      Field Description

      File Type

      The type of file that is extracted on the transport node (host or edge). For example, PdfDocFile, PeExeFile, ShellScriptFile, and so on.

      File Type Details

      Brief information about the file type.

      Client (Last)

      The destination machine that received the file in the last inspection.

      For files that are extracted on the endpoint VMs in the distributed east-west traffic within the data center, the client is the endpoint VM itself.

      For files that are extracted on the NSX Edges in the north-south traffic, the direction of traffic determines the client.

      For example, if a VM inside the data center is uploading a file to a machine outside the data center, the client is the machine outside the data center. If a VM inside the data center is downloading a file from a machine outside the data center, the client is the VM inside the data center.

      Server (Last)

      The source machine from where the file was received in the last inspection.

      For files that are extracted on the endpoint VMs in the distributed east-west traffic within the data center, NSX Malware Prevention cannot determine the source of the file. Therefore, the Server (Last) box is always empty.

      For files that are extracted on the NSX Edges in the north-south traffic, the direction of traffic determines the server.

      For example, if a VM inside the data center is downloading a file from a machine outside the data center, the server is the machine outside the data center. If a VM inside the data center is uploading a file to a machine outside the data center, the server is the VM inside the data center.

      File Name

      The names associated with the file. A single file has a unique hash, but the clients that received the file might save the file with different names.

      Protocol

      The protocol used for the file transfer. For example, HTTP, FTP, HTTPS, and so on.

      Workloads

      Click the number next to this field to view the list of all workload VMs in the data center that are affected by the file.

      Total Inspections

      Click the number next to this field to view the history of all inspections done for the file. For example, if the file is inspected 10 times in the data center, the pop-up window shows a summary of all 10 inspections.

      Firewall Type

      The value is either Host or Edge.

      If the file was last extracted from the ESXi host where the Distributed Firewall is running, the value is Host.

      If the file was last extracted from the edge where the Gateway Firewall is running, the value is Edge.

      Transport Node

      The ID of the Edge Transport Node or the Host Transport Node where the file was extracted in the last inspection.

      First Inspected

      The date and time when the file was first inspected in the data center.

      Last Inspected

      The date and time when the file was last inspected in the data center.

      Submitted By

      The value is always System, which means that NSX has submitted the file to the cloud for a detailed analysis.

      Analyst UUID

      The UUID of the file submission to the cloud for a detailed analysis. The UUID is displayed regardless of whether the file is submitted to the cloud either during the last inspection or in any of the previous inspections. If the file was submitted to the cloud multiple times, the UUID of the last submission is displayed.

      Blocked

      Denotes whether the file is blocked. Value is either Yes or No.

    4. (Optional) Perform the following additional tasks:
  5. Click the All Files tab.
    This page shows a list of all the unique files that are extracted in the data center regardless of the verdict of the file. By default, files extracted in the last one hour are shown. To view the list of files for a different time period, click the drop-down menu at the top-right corner of this page, and select a different time period.