[Auto-Quarantine] Move Malware Infected VM to an Isolated Network Environment Automatically

    • Updated on:
    • 26 Jul 2022
    • Product/Version:
    • Operating system:
    • VMware
Summary

This article provides the general steps to integrate Deep Security Virtual Appliance (DSVA) Anti-Malware detection with NSX-T Security Tags so that infected VMs are moved into isolation by the NSX-T Distributed Firewall.

Requirements

  • Licensed Deep Security Manager version 20.0 with Deep Security Virtual Appliance (DSVA) version 20.0; upgrade the DSVA to the latest version using the RHEL7 agent package
  • Licensed NSX-T 3.x or later
  • Configure the NSX-T Transport Node Profile with both a VLAN and an Overlay transport zone:
    • VLAN transport zone to create the VLAN segment for VM connections
    • Overlay transport zone for the Service segment used for the DSVA deployment
  • Configure the NSX-T VLAN segment to which the Guest VMs are connected
  • In NSX-T Inventory, add a group that includes the Guest VMs that will be protected by DSVA
  • In NSX-T Endpoint Protection Rules, add a Rule and a Service Profile that will use the Deep Security policies
  • In the NSX-T DFW, add a policy to control Guest VM network connections

Refer to the VMware KB for the NSX-T editions and feature mapping: https://kb.vmware.com/s/article/86095

Details

Configure the following to be able to auto-quarantine VMs on malware detection:

  • Set up the Transport Node Profile with both the VLAN and the Overlay transport zone.
  • Enable the NSX-T security tag in the Deep Security policy.
  • Create a new group with a suitable name such as "isolation-VM" that includes the VMs tagged with "ANTI_VIRUS.VirusFound.threat=medium".
  • Create an NSX-T Distributed Firewall rule that rejects outgoing connections from the source group "isolation-VM" to destination "Any".
  • Create a new segment connected to the VLAN transport zone and attach all Guest VMs to this segment.

Refer to the Deep Security 20.0 online help for the other basic NSX-T configuration: https://help.deepsecurity.trendmicro.com/20_0/on-premise/appliance-nsxt3x-about.html?Highlight=NSX-T

Testing if the configuration works

  1. Log in to the Guest VM and verify that it can access the internet.
  2. Follow the instructions in this article to simulate a malware detection.
  3. Log in to the manager console and verify that Anti-Malware events have been generated.
  4. In NSX, verify that the Guest VM has been added to the "isolation-VM" group.
  5. Log in to the Guest VM and notice that all outgoing connections are rejected by the NSX-T DFW.
  6. From the manager console, initiate a manual or scheduled Anti-Malware scan. Once the scan completes with no further detection, the Security Tag is removed and the Guest VM is no longer a member of the "isolation-VM" group.
  7. Verify that the Guest VM can access the internet again.
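The chain above has three links that must all be in place before the test succeeds: the group selects on the Deep Security tag, a DFW rule rejects egress from that group, and the infected VM actually carries the tag. The following added example (written for this article, not Trend Micro's or VMware's code) audits those three links offline against JSON constructed to resemble NSX-T Policy API objects for a group, a security policy and a VM listing. The group path `/infra/domains/default/groups/isolation-VM`, the `scope|tag` form of the group's Tag condition value, and all sample records are assumptions; the tag name and the "Reject to Any" rule come from the article. Against a live NSX-T manager you would feed the same functions the decoded responses for the group, the policy and the VM inventory instead of the samples.

```python
"""Offline checker for the NSX-T objects behind the DSVA auto-quarantine flow."""
import json

# Tag name from the article; the group path and all JSON below are constructed
# to resemble NSX-T Policy API responses (an assumption, not captured output).
ISOLATION_TAG = "ANTI_VIRUS.VirusFound.threat=medium"
GROUP_PATH = "/infra/domains/default/groups/isolation-VM"

SAMPLE_GROUP = json.loads("""
{
  "resource_type": "Group",
  "id": "isolation-VM",
  "path": "/infra/domains/default/groups/isolation-VM",
  "expression": [
    {"resource_type": "Condition", "member_type": "VirtualMachine",
     "key": "Tag", "operator": "EQUALS",
     "value": "|ANTI_VIRUS.VirusFound.threat=medium"}
  ]
}
""")

SAMPLE_POLICY = json.loads("""
{
  "resource_type": "SecurityPolicy",
  "id": "quarantine",
  "rules": [
    {"id": "reject-isolated-egress", "action": "REJECT", "direction": "OUT",
     "source_groups": ["/infra/domains/default/groups/isolation-VM"],
     "destination_groups": ["ANY"], "services": ["ANY"]},
    {"id": "allow-mgmt", "action": "ALLOW", "direction": "IN_OUT",
     "source_groups": ["ANY"], "destination_groups": ["ANY"], "services": ["ANY"]}
  ]
}
""")

# Constructed VM inventory: only web-01 carries the Deep Security tag.
SAMPLE_VMS = json.loads("""
{"results": [
  {"display_name": "web-01", "tags": [{"scope": "", "tag": "ANTI_VIRUS.VirusFound.threat=medium"}]},
  {"display_name": "db-01",  "tags": [{"scope": "env", "tag": "prod"}]},
  {"display_name": "app-01", "tags": []}
]}
""")


def _tag_part(value):
    """Tag condition values are assumed to be 'scope|tag'; return the tag half."""
    return value.rsplit("|", 1)[-1]


def group_matches_tag(group, tag=ISOLATION_TAG):
    """True if the group has a VirtualMachine Tag EQUALS criterion for the quarantine tag."""
    for expr in group.get("expression", []):
        if (expr.get("resource_type") == "Condition"
                and expr.get("member_type") == "VirtualMachine"
                and expr.get("key") == "Tag"
                and expr.get("operator") == "EQUALS"
                and _tag_part(expr.get("value", "")) == tag):
            return True
    return False


def reject_rules_for(policy, group_path=GROUP_PATH):
    """IDs of rules that reject outgoing traffic from the isolation group to Any."""
    hits = []
    for rule in policy.get("rules", []):
        if (rule.get("action") == "REJECT"
                and group_path in rule.get("source_groups", [])
                and rule.get("destination_groups") == ["ANY"]
                and rule.get("direction") in ("OUT", "IN_OUT")):
            hits.append(rule["id"])
    return hits


def tagged_vms(vm_listing, tag=ISOLATION_TAG):
    """Display names of VMs currently carrying the quarantine tag (test step 4)."""
    return [vm["display_name"] for vm in vm_listing.get("results", [])
            if any(t.get("tag") == tag for t in vm.get("tags", []))]


def audit(group, policy, vm_listing):
    """Summarise the quarantine chain; 'issues' is empty when every link is present."""
    issues = []
    if not group_matches_tag(group):
        issues.append("group has no Tag criterion for " + ISOLATION_TAG)
    if not reject_rules_for(policy):
        issues.append("no REJECT egress rule sourced from " + GROUP_PATH)
    return {"issues": issues, "isolated_vms": tagged_vms(vm_listing)}


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_GROUP, SAMPLE_POLICY, SAMPLE_VMS), indent=2))
```

The `allow-mgmt` rule in the sample is deliberately ignored by `reject_rules_for`: a rule that merely mentions the group but does not reject, or that is inbound only, does not isolate the VM, which is the failure mode step 5 would reveal.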
Category: Configure; Remove a Malware / Virus
Solution ID: 000291307