VMware has introduced its own security product: AppDefense. The technology is anchored directly in the hypervisor. AppDefense monitors virtual machines and responds if they deviate from a previously created behavior pattern, whether the deviation is caused by viruses and trojans within the virtual machine or by tampering with the VM itself. AppDefense can then either initiate countermeasures automatically or warn the system administrator so that they can react.

AppDefense is implemented as an extra layer in VMware vSphere Hypervisor ESX. There are two reasons for this. First, the hypervisor runs as a protected zone, regardless of a potentially compromised virtual machine. Second, appropriate countermeasures can be initiated via the hypervisor. This makes AppDefense different from already available third-party solutions such as Bromium.

First, a new virtual machine is observed in an AppDefense test run. This produces a so-called manifest, which summarizes the machine's normal functions and services. If the virtual machine later deviates from this manifest in regular operation, AppDefense can react automatically. Automated countermeasures include turning off the virtual machine or starting a previously created snapshot of a healthy virtual machine. AppDefense already exists in NSX, VMware's network virtualization. There, certain network connections of individual virtual machines can be blocked or a virtual machine can be quarantined.

AppDefense is integrated into the current vSphere Server 6.5 and offered as an annual subscription for 500 US dollars per CPU. IBM Security, RSA, Carbon Black, Secureworks and Puppet will integrate AppDefense.


