Discovery Phase and Protected Mode
VMware AppDefense learns your data center's known-good behaviors during the Discovery phase of deployment. This phase typically lasts two to three weeks and gives security and infrastructure engineers visibility into every process and network connection in their environment, along with guest integrity checks. Once a virtual machine has been moved to Protected mode, AppDefense raises alerts according to the rule settings configured on the service in the Manager console. The Alerts page is where you monitor deviations from a VM's known-good state.
VMware AppDefense categorizes alerts by threat level, which you can view by logging in to AppDefense Manager. Because each alert is keyed to a process name, you may see multiple alerts for the same VM and/or scope. The Alerts page shows the highest-severity alerts.
AppDefense generates several types and categories of alerts and events. In this blog we will focus on the Alerts page only; note, however, that the Alerts page includes an Event Type column that shows every type of event AppDefense generates. Let's get started.
Types of Alerts
The AppDefense guest module monitors process and network attestation and performs guest integrity checks on Windows-based systems. The main event types are:
- Process & Network monitoring events
- OS Integrity events
- Management events
Each event type has further sub-categories, which I explain below by defining each event type.
Process and Network monitoring events subcategories –
Process Monitoring events – This type of event is generated when AppDefense notices:
- New Process: the process's MD5 or SHA-256 hash, or its full path, differs from what was learned
- New CLI: an allowed process was executed with new command-line parameters
- New Behavior: a previously unseen behavior was observed for an allowed process and CLI combination
To assign a severity to an event, AppDefense performs up to two checks: a process reputation check (threat and trust score, provided by Carbon Black data feeds) and an IP reputation check (provided by the AppDefense ML model). Beyond these sub-categories there is one more event type, which tracks whether a new process is an upgrade of a process AppDefense already allows. These are categorized as Upgrade Events and can be monitored from the Events page.
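To make the Discovery/Protected distinction and the three process-monitoring sub-categories concrete, here is a toy model written for this post. It is an added example, not AppDefense code: a per-VM monitor learns (path, hash), (path, CLI) and (path, CLI, remote endpoint) tuples while in Discovery, and once switched to Protected classifies each new observation as New Process, New CLI or New Behavior in that order of precedence. The severity logic is an assumption about how a reputation feed would be consulted: the constructed KNOWN_BAD_HASHES and KNOWN_BAD_IPS sets stand in for the Carbon Black process reputation feed and the IP reputation model, and the upgrade_candidate flag (known path, new hash) is my own approximation of what feeds the product's Upgrade Events.

```python
# Added example (not AppDefense code): a toy model of Discovery vs Protected
# mode and of how a process/CLI/behavior deviation is classified and scored.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class ProcessEvent:
    """One observation from the guest: which binary ran, how, and any outbound connection."""
    path: str
    sha256: str
    cli: str
    remote: Optional[str] = None   # "ip:port" of an outbound connection, if any


@dataclass
class Baseline:
    """The known-good state learned during Discovery (one per VM)."""
    hashes: dict = field(default_factory=dict)    # path -> set of allowed sha256 hashes
    clis: set = field(default_factory=set)        # (path, cli) pairs seen
    behaviors: set = field(default_factory=set)   # (path, cli, remote) triples seen


# Constructed stand-ins (assumption) for the reputation lookups. In the product
# these come from Carbon Black data feeds (process) and an AppDefense ML model (IP).
KNOWN_BAD_HASHES = {"3b2c" * 16}
KNOWN_BAD_IPS = {"203.0.113.9"}


class VmMonitor:
    def __init__(self):
        self.baseline = Baseline()
        self.protected = False          # False = Discovery phase, True = Protected mode

    def observe(self, ev: ProcessEvent):
        """Learn while in Discovery; return an alert dict (or None) once Protected."""
        if not self.protected:
            self._learn(ev)
            return None
        return self._classify(ev)

    def _learn(self, ev: ProcessEvent):
        self.baseline.hashes.setdefault(ev.path, set()).add(ev.sha256)
        self.baseline.clis.add((ev.path, ev.cli))
        if ev.remote:
            self.baseline.behaviors.add((ev.path, ev.cli, ev.remote))

    def _classify(self, ev: ProcessEvent):
        b = self.baseline
        allowed = b.hashes.get(ev.path)
        if allowed is None or ev.sha256 not in allowed:
            kind = "New Process"           # unseen full path, or known path with a new hash
        elif (ev.path, ev.cli) not in b.clis:
            kind = "New CLI"               # allowed binary, new command-line parameters
        elif ev.remote and (ev.path, ev.cli, ev.remote) not in b.behaviors:
            kind = "New Behavior"          # allowed process+CLI, unseen outbound connection
        else:
            return None                    # matches the learned state: no alert
        return {
            "type": kind,
            "severity": self._severity(ev),
            # known path but different hash: the product would check whether this is an upgrade
            "upgrade_candidate": allowed is not None and ev.sha256 not in allowed,
        }

    @staticmethod
    def _severity(ev: ProcessEvent) -> str:
        if ev.sha256 in KNOWN_BAD_HASHES:
            return "critical"
        if ev.remote and ev.remote.rsplit(":", 1)[0] in KNOWN_BAD_IPS:
            return "high"
        return "low"


def demo():
    """Constructed Discovery traffic, then five Protected-mode observations."""
    m = VmMonitor()
    good = "a1b2" * 16
    for ev in (ProcessEvent(r"C:\app\svc.exe", good, "svc.exe --port 8080", "10.0.0.5:5432"),
               ProcessEvent(r"C:\Windows\System32\svchost.exe", "c3d4" * 16, "svchost.exe -k netsvcs")):
        m.observe(ev)
    m.protected = True
    return [m.observe(ev) for ev in (
        ProcessEvent(r"C:\app\svc.exe", good, "svc.exe --port 8080", "10.0.0.5:5432"),   # baseline match
        ProcessEvent(r"C:\app\svc.exe", good, "svc.exe --port 9090"),                     # New CLI
        ProcessEvent(r"C:\app\svc.exe", good, "svc.exe --port 8080", "203.0.113.9:443"),  # New Behavior, bad IP
        ProcessEvent(r"C:\app\svc.exe", "e5f6" * 16, "svc.exe --port 8080"),              # New Process, hash changed
        ProcessEvent(r"C:\Users\Public\x.exe", "3b2c" * 16, "x.exe"),                     # New Process, bad hash
    )]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The precedence matters: a binary whose hash changed is reported as New Process even if its command line is also new, which is why the product can then decide separately whether that hash change is an upgrade rather than a tampered binary.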
OS Integrity Events – Every event in this category is of the highest severity and is visible on the Alerts page:
- AppDefense Module Integrity: Checks the AppDefense module’s code section for unauthorized manipulation
- Guest OS Integrity: Checks the OS kernel for unauthorized manipulation
These events are generated by nine integrity and code checks on the module and the OS kernel. A brief overview of each:
- Guest Integrity Data: Checking the AppDefense module’s data section for unauthorized manipulation
- Guest Integrity Heap: Checking the AppDefense module’s data heap section for unauthorized manipulation
- Guest Integrity Hooks: Checking for any unauthorized manipulation of the callback hooks registered by the AppDefense module
- Kernel Code: Checking for unauthorized manipulation of the NTOS kernel’s code section
- Kernel Data: Checking for unauthorized manipulation of certain kernel data structures like the Interrupt descriptor table (IDT), Global descriptor table (GDT) and System service dispatch table (SSDT)
- Reconcile Module: Checking the system for hidden kernel modules. AppDefense can see these modules, but they are being hidden (likely maliciously) from the operating system
- Reconcile Process: Checking the system for hidden processes. AppDefense can see these processes, but they are being hidden (likely maliciously) from the operating system
- Third-party Driver Code: Checking the code section of all drivers loaded in the system for unauthorized manipulation
- Verify Signature: Verifying the signature of all drivers loaded in the system (with embedded signatures)
Management Events – There are two types of alerts in this category, and both are of critical severity.
- Management alerts are triggered when a blocking rule is set at the scope and an upgrade event is detected after a block action has already been taken. Per the block rule, the guest module blocks execution of the new process at the OS level; the AppDefense verification cloud later recognizes that same process as an upgrade event.
- Guest Module Down events are triggered when an active guest stops sending heartbeats to the AppDefense Manager cloud.
In this blog I focused on the alerts and events VMware AppDefense generates, along with the sub-categories and the scenarios in which each alert is raised in AppDefense Manager. A clear understanding of the alert types and what causes them will help customers respond to AppDefense events and protect their organization's critical workloads and applications.