Automatically quarantine VM upon malware detection using NSX

In this use case, once ESET Virtualization Security detects malware, it automatically tags the infected VM (see Understanding of Security Tags and how ESET triggers them) and the VM falls into the Quarantine Security Group. This blocks all network traffic to and from the infected VM until the machine is scanned and cleaned. Once the machine has been cleaned, the VM is moved back to its previous group and network access is reinstated.

Prerequisites

1. A valid Standard edition VMware NSX license or higher (not the one included in the vSphere license).

2. NSX Distributed Switch deployed on your hosts.

3. A Distributed Port Group as the network adapter on the VMs.

4. NSX Components and Firewall installed and enabled on the Cluster and Hosts in vCenter > Networking & Security > Installation > Host Preparation.

Creation of Quarantine Security Group

1. In vCenter, click Networking & Security > Service Composer > Security Groups.

2. Click New Security Group, name it Quarantine and click Next.

3. Under Define dynamic membership click Add, from the Entity drop-down menu choose Security Tag and type the tag name you registered during Registration*.

4. Click Finish.

* To view all available tags, click Networking & Security > Networking & Security Inventory > NSX Managers > (the NSX Manager's IP address) > Manage > Security Tags.

Create a Quarantine Security Policy

1. Click Security Policies > Create Security Policy and name it Block network access.

2. Click 3 Firewall Rules (the third step of the wizard) and click the add icon.

3. Next to Action, select Block.

4. For Source, choose Policy's Security Groups.

5. For Destination, select Any.

6. Set State to Enabled.

7. Click OK.

8. Click the add icon again to create the second rule.

9. Next to Action, select Block.

10. For Source, choose Any.

11. For Destination, select Policy's Security Groups.

12. Set State to Enabled.

13. Click OK.

14. Click OK.

15. Click Finish.

16. Verify that the newly created policy is number one in the priority list, so that its block rules are evaluated before any allow rules from lower-ranked policies. To adjust the order, click Manage Priority.

Assign a Quarantine Security Policy to the Quarantine Security Group

1. Select the appropriate Security Policy and click the Apply Security Policy icon.

2. Check the Quarantine group and click OK.
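As an added check (example script, not part of this ESET or VMware documentation): once the group and policy are in place, the following Python script lists the VMs currently held in the Quarantine group through the NSX Manager REST API, so you can confirm that a tagged VM actually landed there and feed the list into your monitoring. The endpoint paths, the XML response shape and the environment variable names are assumptions about the NSX for vSphere API, and the sample responses are constructed.

```python
"""Audit which VMs the NSX Quarantine security group currently holds.

Assumed (not from the page): NSX for vSphere endpoints
/api/2.0/services/securitygroup/scope/globalroot-0 (list groups) and
/api/2.0/services/securitygroup/{id}/translation/virtualmachines
(effective VM members), both answering with XML.
"""
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Constructed sample responses, used only for offline testing.
SAMPLE_GROUPS = """<list>
  <securitygroup><objectId>securitygroup-10</objectId><name>Quarantine</name></securitygroup>
  <securitygroup><objectId>securitygroup-11</objectId><name>Web</name></securitygroup>
</list>"""
SAMPLE_TRANSLATION = """<vmnodes>
  <vmnode><vmId>vm-101</vmId><vmName>web01</vmName></vmnode>
  <vmnode><vmId>vm-207</vmId><vmName>db02</vmName></vmnode>
</vmnodes>"""


def find_group_id(groups_xml: str, name: str = "Quarantine") -> Optional[str]:
    """Resolve the objectId of the security group called `name` (None if absent)."""
    for group in ET.fromstring(groups_xml).iter("securitygroup"):
        if group.findtext("name") == name:
            return group.findtext("objectId")
    return None


def quarantined_vms(translation_xml: str) -> List[Tuple[str, str]]:
    """Return (vmId, vmName) pairs for every VM the group currently contains."""
    return [(n.findtext("vmId", ""), n.findtext("vmName", ""))
            for n in ET.fromstring(translation_xml).iter("vmnode")]


def nsx_get(path: str) -> str:
    """GET an NSX Manager API path with basic auth; host and credentials come from env vars."""
    host = os.environ["NSX_MANAGER"]  # placeholder, e.g. nsxmgr.example.local
    token = base64.b64encode(f"{os.environ['NSX_USER']}:{os.environ['NSX_PASS']}".encode()).decode()
    req = urllib.request.Request(f"https://{host}{path}",
                                 headers={"Authorization": f"Basic {token}", "Accept": "application/xml"})
    ctx = ssl.create_default_context(cafile=os.environ.get("NSX_CA_BUNDLE"))  # trust the manager's CA, not any cert
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    gid = find_group_id(nsx_get("/api/2.0/services/securitygroup/scope/globalroot-0"))
    if gid is None:
        raise SystemExit("Quarantine security group not found; check Service Composer")
    for vm_id, vm_name in quarantined_vms(nsx_get(f"/api/2.0/services/securitygroup/{gid}/translation/virtualmachines")):
        print(f"QUARANTINED {vm_name} ({vm_id})")  # forward to SIEM or ticketing as needed
```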

Note: To automatically start an on-demand scan when malware is detected by real-time protection, refer to Automate On-Demand Scan after infection.