To protect VMs from anti-virus using a Guest Introspection security solution, you must install Guest Introspection thin agent, also called Guest Introspection drivers, on the VM. Guest Introspection drivers are included with VMware Tools for Windows, but are not part of the default installation. To install Guest Introspection on a Windows VM, you must perform a custom install and select the drivers or run complete install.

Windows virtual machines with the Guest Introspection drivers installed are automatically protected whenever they are started up on an ESXi host that has the security solution installed and VM protection policies configured. Protected virtual machines retain the security protection through shut downs and restarts, and even after a vMotion move to another ESXi host with the security solution installed.

Prerequisites

Ensure that the guest virtual machine has a supported version of Windows installed.
  • To know the which versions of Windows operating systems are supported on a particular ESXi host version, see the VMware Compatibility Guide. In the Windows Compatibility Guide, narrow your search to Guest OS: In the What are you looking for field, select Guest OS and in the Product Name field, select ESXi and click Update and View Results.

  • To know the guest operating systems supported by VMware Tools, go to VMware Tools Documentation and see the Release Notes of VMware Tools version you want to install. For example, see the VMware Tools 12.1.5 Release Notes to know the supported Windows operating systems.

Procedure

  1. Start the VMware Tools installation, following the instructions for your version of vSphere. Select Custom install.
  2. Expand the VMCI Driver section.

    The options available vary depending on the version of VMware Tools.

  3. Select the driver to be installed on the VM.

    Driver

    Description

    NSX File Introspection Driver

    Select NSX File Introspection Driver to install vsepflt.

  4. In the drop-down menu next to the drivers you want to add, select This feature is installed on the local hard drive.
  5. Follow the remaining steps in the procedure.

What to do next

Verify whether the thin agent is running using the fltmc command with the administrative privileges. The Filter Name column in the output lists the thin agent with an entry vsepflt.