Familiarize yourself with the key terms that are used in NSX Malware Prevention.

Cloud File Analysis

Cloud file analysis is done by the NSX Advanced Threat Prevention service that is running in the cloud. It involves a detailed analysis of unknown files by using the following techniques to detect whether the file is benign, malicious, or suspicious:
  • NSX Malware Prevention sandboxing and behavioral analysis
  • Statistical algorithms
  • Artificial intelligence and machine learning
  • Deep content inspection

NSX sends unknown files over a secure connection to the cloud only when you opt for cloud file analysis in your Malware Prevention security profile.

File Event

An event that is generated when a file is extracted or intercepted from the data path traffic on an NSX Edge or a Guest VM on the host. On an NSX Edge, the file is extracted by the NSX IDPS engine, and on a Guest VM, the file is extracted by the NSX File Introspection driver in the Guest Introspection (GI) thin agent.

Local File Analysis

Local file analysis is done within NSX, on the NSX Edge Transport Nodes and ESXi Host Transport Nodes that are activated for NSX Malware Prevention. It involves lightweight scanning of unknown files against a known set of file hashes to detect whether the file is benign, malicious, or suspicious.

Malware Class

The type of threat. Examples of malware classes are virus, trojan horse, worm, adware, ransomware, spyware, and so on.

Malware Family

A name that identifies a specific group of malware files, which typically originate from the same source code or are developed by the same malware authors. Examples of malware families are valyria, darkside, and so on.

Reputation

Threat information that provides details about a file, URL, or other artifact.

For example, reputation of a file can include the following details:
  • Name of the file publisher
  • Is the file signed (Yes or No)
  • The signing authority of the file
  • Reputation category of the file (malware, suspect, trusted)
  • Malware class to which the file belongs, for example, Trojan horse, backdoor, adware, and so on

File reputation details are stored in the cloud and are accessible to all NSX customers.

Threat Score

The degree of risk or malicious intent that is associated with the file. A higher threat score indicates greater risk, and a lower threat score indicates less risk.

Verdict

NSX Malware Prevention reports a decision about the files that are intercepted in the data center, either on the NSX Edges (north-south traffic) or on the guest VMs (east-west traffic). The decision about the file is called a verdict. A verdict can have one of the following values:
  • Benign: The file is good or safe to be downloaded.
  • Trusted: The file is trusted based on its behavior.
  • Highly Trusted: The file is from a highly trusted source, for example, Microsoft, Apple, Adobe, and so on.
  • Malicious: The file is harmful or a threat to the data center.
  • Suspicious: The file is potentially harmful or unwanted.
  • Unknown: The file is not known to NSX and therefore no decision is available for the file.
  • Uninspected: This file is not inspected by NSX Malware Prevention because you had earlier suppressed or allowlisted the file.

Zero-day Threat

A threat that has not been seen in NSX before and that does not match any of the known malware signatures.