You can override or suppress the file verdict that NSX has computed. Files with suppressed verdict are listed in the Allowlist table.
Assume that NSX Malware Prevention has extracted an executable file on the guest VMs of some users in the data center, and the verdict for this file is computed as malicious. If the rule in your security policy is set to Detect and Prevent mode, NSX Malware Prevention feature blocks this file on the guest VMs. However, if you have determined that the file is legitimate and not harmful to the users in the data center, you can suppress (override) the NSX computed verdict. The allowlisted verdict is logged in the NSX Manager database for auditing purposes. When this allowlisted file is detected or extracted again in the data center, NSX Malware Prevention does not analyze this file, and returns the verdict as Uninspected. NSX Malware Prevention can analyze this suppressed file again in subsequent file extractions only after you remove the file from the allowlist table.
Procedure
- From your browser, log in to an NSX Manager at https://nsx-manager-ip-address.
- Click Security, and then in the left navigation pane, click Malware Prevention.
The
Potential Malware page is displayed. You can do the subsequent steps on this page or on the
All Files page.
- Click the filter icon at the top-right corner of the page, and select the criteria to filter the information on the page.
Filtering the information can help you quickly find the file that is of interest to you. For example, you can select the
Verdict criterion, and then select the
Malicious option to view files with only malicious verdict on the page.
- In the table, click the Suppress icon for the file whose verdict you want to suppress, and then click Apply.
Note: You can suppress only one file at a time. A batch suppression of multiple files simultaneously is not supported currently.
A new file event is generated for the same file hash with verdict as
Allowlist. The threat score of the file does not change. However, the color of the bubble changes to gray and the bubble of this file hash moves to the Uninspected (Allowlist) timeline in the bubble chart.
- Verify that the suppressed file is added to the Allowlist table.
- Navigate to .
- Click the Refresh icon at the bottom of the table.
The file is shown in the Allowlist table.
- If you want to remove the file from the Allowlist table, select the file, and click Delete. In the information message that appears, click Yes to confirm the delete action.