Use the Malware Prevention dashboard to drill down to the event details of files that are extracted in the data center for deeper monitoring and analysis.
The dashboard can show file events over the last 14 days. For information about the maximum number of file events that are supported on the Distributed Firewall and Gateway Firewall, see the VMware Configuration Maximums tool at https://configmax.vmware.com/home.
- Potential Malware page
- Shows aggregated event details of malicious files, suspicious files, and uninspected (allowlisted) files that are extracted in the data center over a specific time period.
A bubble in the bubble chart represents a unique file that is extracted in the data center. A file is uniquely identified by its file hash. The color and the graphic inside the bubble denote whether the file is malicious, suspicious, or uninspected (allowlisted).
A row in the table represents one file. The number on the bubble denotes the threat score computed for the file. The score ranges from 0–100, and it denotes the degree of risk or malicious intent that is associated with the file. A higher threat score indicates greater risk, and a lower score indicates less risk. For example:
- Score range for benign files is 0–29.
- Score range for suspicious files is 30–69.
- Score range for malicious files is 70–100.
- Uninspected files have a score of -1.
If the verdict of the file is malicious or suspicious, the malware family and malware class for that file are displayed. A single file can belong to multiple malware families and malware classes. However, if the malware family and malware class for a file are unknown to NSX, the information is not displayed in the UI.
Note: For each file, the event details (inspection details) are aggregated and shown on the dashboard. For example, if a single file is inspected five times in the data center, five file events are generated. In other words, the count of inspections for the file is five. However, the bubble chart shows a single bubble for the file, and the table has a single row for that file. When you point to a bubble, a summary of inspections done for the file is shown. Similarly, when you expand the row for a file in the table, the details of the most recent file inspection are shown. Nevertheless, the history of all previous inspections for the file is retained and available for you to see.
The following table describes the meaning of the icons used on the bubble chart.
Icon Meaning
A small bubble on the timeline represents a single inspection for a file.
A large bubble on the timeline represents multiple inspections for a single file.
Example: Assume that an .exe file is extracted on five guest VMs over three days, and NSX has determined this file as suspicious. In this case, five unique file inspections have occurred for the .exe file in the data center. A large bubble is shown on the suspicious timeline on the last inspected timestamp. You can click the bubble to view the history of all five inspections for this .exe file.
A group of bubbles on the timeline represents multiple unique file inspections with the same verdict.
Example: Assume that four unique .docx files A, B, C, and D are extracted from the north-south traffic in the data center at the same time (or nearly the same time), and NSX has determined that all these files are malicious. The bubbles for all the four files are grouped together and shown on the malicious timeline of the bubble chart.
- All Files page
- Shows a tabular view of all the unique files that are extracted in the data center, including the benign files. In other words, this page shows all the unique files regardless of the verdict of the file. Expand a row in the table to view the last inspection details of the file.
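The aggregation described above (one row per file hash, an inspection count, and the most recent inspection in the row), as an added example that is not NSX code, applying the score ranges from this page to constructed events. The field names and hash placeholders are assumptions, not the NSX API schema, and taking the verdict from the latest inspection is also an assumption.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events; field names are hypothetical, not the NSX API schema.
FIELDS = ("file_hash", "file_name", "score", "vm", "inspected_at")
EVENTS = [
    ("hash-exe", "tool.exe", 45, "vm-1", "2024-05-01T09:00:00"),
    ("hash-exe", "tool.exe", 45, "vm-2", "2024-05-01T15:30:00"),
    ("hash-exe", "tool.exe", 45, "vm-3", "2024-05-02T08:10:00"),
    ("hash-exe", "tool.exe", 45, "vm-5", "2024-05-03T17:20:00"),
    ("hash-exe", "tool.exe", 45, "vm-4", "2024-05-03T11:45:00"),
    ("hash-doc", "a.docx", 92, "vm-2", "2024-05-02T10:00:00"),
    ("hash-pdf", "manual.pdf", 5, "vm-1", "2024-05-02T12:00:00"),
    ("hash-msi", "agent.msi", -1, "vm-3", "2024-05-03T09:00:00"),
]

def verdict(score):
    """Map a threat score to the verdict ranges given on this page."""
    if score == -1:
        return "uninspected"
    for low, high, name in ((0, 29, "benign"), (30, 69, "suspicious"), (70, 100, "malicious")):
        if low <= score <= high:
            return name
    raise ValueError(f"score out of range: {score}")

def aggregate(events):
    """Collapse inspection events into one row per unique file hash."""
    by_hash = defaultdict(list)
    for ev in events:
        rec = dict(zip(FIELDS, ev))
        rec["inspected_at"] = datetime.fromisoformat(rec["inspected_at"])
        by_hash[rec["file_hash"]].append(rec)
    rows = {}
    for file_hash, recs in by_hash.items():
        last = max(recs, key=lambda r: r["inspected_at"])  # most recent inspection
        rows[file_hash] = {
            "verdict": verdict(last["score"]),  # assumption: latest score decides
            "inspections": len(recs),           # one file event per inspection
            "last_inspected": last["inspected_at"],
            "last_vm": last["vm"],
        }
    return rows

def potential_malware(rows):
    """Potential Malware view: every verdict except benign."""
    return {h: r for h, r in rows.items() if r["verdict"] != "benign"}
```

Calling `aggregate(EVENTS)` gives the All Files view, and passing the result to `potential_malware` drops the benign rows.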
Prerequisites
- NSX Malware Prevention feature is activated successfully in the NSX Application Platform.
- NSX Malware Prevention feature is activated on the ESXi host clusters or tier-1 gateways, or both, depending on your security requirements.