Introduction
NSX Malware Prevention is a secure isolation environment that detects malicious artifacts. It analyzes the behavior of objects, such as files and URLs, to determine if they are benign or malicious. Because it does not rely on signatures, the sandbox can detect novel and highly targeted malware that has never been seen before. It uses a combination of static and dynamic program analysis techniques to identify known, as well as previously unknown, malware programs and malicious documents.
Requirements
- This feature requires NAPP (the NSX Application Platform) to be deployed in the environment
- It requires additional ATP (Advanced Threat Prevention) licensing
Deployment of NSX Malware Prevention
Activate NSX Malware Prevention
- Click System
- Click NSX Application Platform
- Use the Scrollbar to navigate to the bottom of the screen
- Make sure NSX NDR has finished activating. If NDR is still activating, wait a few minutes before activating Malware Prevention; only one service activates at a time.
- Click Activate under NSX Malware Prevention

Run Prechecks
The Cloud Region has been pre-selected for us since we chose US Cloud Region for NDR.
- Click Run Prechecks
- Use the Scrollbar to move down and watch the prechecks validate

Activate NSX Malware Prevention

Activating the service isn’t enough. We’ll also need to enable the feature on the gateways and build profiles that tell it what traffic to look for.
Add Malware Prevention Profile
- Click Malware Prevention
- Click Add Profile
- Click Enter Name and type All Malware Profile
- Click Save
Note the Cloud File Analysis checkbox. NSX keeps a local copy of the online database of known-good and known-bad signatures. With this option selected, any file that cannot be classified as malicious or benign locally is sent to the VMware Cloud for dynamic analysis. That online analysis may include sandboxing and behavioral analysis, content inspection, statistical algorithms, and Artificial Intelligence/Machine Learning to determine whether the file is suspicious, malicious or benign.

Enable Gateway Malware Prevention
- Click Settings at the top of the page
- Use the Scrollbar to navigate to the bottom of the page

Enable Gateway Malware Prevention for Tier-1-gateway-01
- Click the Toggle for Malware Prevention for the Tier-1-gateway-01 to enable the feature

If you receive the error “To enable Malware Prevention feature on the selected gateway, the NSX Application Platform must be deployed with Malware Prevention feature activated.”, your Malware Prevention activation is still in progress. Wait a few minutes and try again, or view the activation status at System > NSX Application Platform > NSX Malware Prevention.
Return here to enable Malware Prevention on the gateways once Malware Prevention shows as Up.
Confirm Enable Gateway Malware Prevention
- Click Yes

Enable Gateway Malware Prevention for Tier-1-VDI
- Click the Toggle for Malware Prevention for the Tier-1-VDI to enable the feature

Confirm Enable Gateway Malware Prevention
- Click Yes

Create Gateway Rules
- Use the Scrollbar to return to the top of the page
- Click Gateway Rules

Create Shared Gateway Policy
- Click All Shared Rules
- Click Add Policy
- Click New Policy, type Gateway ATP and press Enter

Add Rule to Gateway ATP Policy
- Click the 3 Dots next to Gateway ATP Policy
- Click Add Rule

Rename Gateway Malware Rule
- Click New Rule, type Gateway Malware and press Enter
- Click the Pencil Icon under Security Profile

Select Malware Profile
- Click Malware Prevention Profile
- Click the Radio Button for All Malware Profile
- Click Apply
Note that the profiles we’re applying to the gateway now are the same profiles we built and applied in the Distributed Rules. We can reuse them because they’re so generic (All Severity), or you could build one set of profiles for distributed rules and a separate set for gateway rules.

Edit Applied To for Gateway Malware Rule
- Click the Pencil Icon under Applied To

Select Both Tier-1 Gateways
- Click the Checkbox at the top left to select both Tier-1 Gateways at once
- Click Apply

Check Gateway ATP Policy and Rules
Check that your Policy and Rules look like the screenshot. It’s important that the Malware Rule is above the IDS Rule, and that both T1 Gateways are selected under Applied To for both rules.
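As an added example (not part of the original post, and not NSX code), the following script encodes the two conditions above as a check you can run against a policy export before publishing. The rule dictionaries are a constructed, simplified representation of the Gateway ATP policy, not the NSX Policy API schema, and the IDS rule name and profile name are assumptions.

```python
"""Sanity-check a Gateway ATP policy before publishing.

Models the two things the walkthrough asks you to verify by eye:
  1. the Gateway Malware rule sits above the IDS rule, and
  2. both Tier-1 gateways are in Applied To for every rule.
The data structure is a constructed simplification, not the NSX API schema.
"""

# Both gateways the walkthrough enables Malware Prevention on.
REQUIRED_GATEWAYS = {"Tier-1-gateway-01", "Tier-1-VDI"}

# Constructed sample of how the Gateway ATP policy should look after the steps.
# "Gateway IDS" and "All IDS Profile" are assumed names for the IDS rule.
GATEWAY_ATP_POLICY = {
    "name": "Gateway ATP",
    "rules": [
        {"name": "Gateway Malware", "profile_type": "MALWARE_PREVENTION",
         "profile": "All Malware Profile",
         "applied_to": ["Tier-1-gateway-01", "Tier-1-VDI"]},
        {"name": "Gateway IDS", "profile_type": "IDS_IPS",
         "profile": "All IDS Profile",
         "applied_to": ["Tier-1-gateway-01", "Tier-1-VDI"]},
    ],
}


def _first_index(rules, profile_type):
    """Position of the first rule carrying the given profile type, or None."""
    return next((i for i, r in enumerate(rules) if r["profile_type"] == profile_type), None)


def check_gateway_atp_policy(policy):
    """Return a list of problems; an empty list means the policy matches the walkthrough."""
    problems = []
    rules = policy["rules"]
    malware_idx = _first_index(rules, "MALWARE_PREVENTION")
    ids_idx = _first_index(rules, "IDS_IPS")
    if malware_idx is None:
        problems.append("no Malware Prevention rule in policy")
    if ids_idx is None:
        problems.append("no IDS/IPS rule in policy")
    # Rules are evaluated top-down, so the malware rule must come first.
    if malware_idx is not None and ids_idx is not None and malware_idx > ids_idx:
        problems.append(f"rule order: '{rules[malware_idx]['name']}' must be above "
                        f"'{rules[ids_idx]['name']}'")
    for rule in rules:
        missing = REQUIRED_GATEWAYS - set(rule["applied_to"])
        if missing:
            problems.append(f"rule '{rule['name']}' missing Applied To gateways: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    print(check_gateway_atp_policy(GATEWAY_ATP_POLICY) or "policy matches the walkthrough")
```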

Publish Gateway ATP Policy and Rules
- Click Publish

View Empty Malware Prevention Events
- Click Malware Prevention
You can see that we have Malware Prevention configured, but no malware has been detected yet.

Look for a follow-up blog where we will showcase some malicious activity to test the NSX ATP capabilities in action.
That’s it for this blog. Have a good one!