What's New (October, 2019)
AppDefense announces a significant feature release with version 2.3.0. Most notably, we have expanded the capabilities of the
AppDefense Plugin in vCenter to include vulnerability assessment, OS integrity, and behavior analysis with Machine Learning.
That’s right, we’re bringing Machine Learning models on premise.
On the SaaS side, we are releasing a slew of features that have been top customer asks, including severity-based process kill
(using the cloud to make prevention decisions), our first RBAC capabilities, and rebootless install/upgrade so that you can start
protecting your VMs without rebooting them.
Process Kill
AppDefense adds the ability to retroactively kill processes that the App Verification Cloud determines are untrusted. Instead of
blocking everything immediately, “process kill” enables customers to operate in a semi-restrictive state—preventing only
suspected bad behavior while allowing everything else to run. Select “kill process” from the dropdown list in the service rules.
Behavior Timestamps
With the “behavior timestamps” feature, AppDefense now reports on when a behavior was last executed within a service. This
allows customers to clean up old behaviors that an app no longer needs, as well as determine an app’s most recent executions.
The “last seen” field is exposed in the AppDefense Manager at the service card-level, as well as at the individual behavior-level.
Alert Classification Enhancements
AppDefense now lowers the severity of an alert based on its overall similarity to the existing allowed behaviors for that service.
This improvement allows the service behaviors to be more flexible and means less work for the operator.
AppDefense now also defines a list of known processes that warrant further investigation. Deviations from processes in this list
result in higher-severity alerts.
SaaS User Roles
AppDefense now defines two user roles for the operation of the SaaS Manager—“Admin” and “Analyst.” Admins have
full privileges, including user configuration and remediation settings (block, suspend, kill, etc.). Analyst is the default user
role and cannot change remediation settings. For a complete breakdown of responsibilities, consult the user guide.
Rebootless Install and Upgrade
The AppDefense guest module can now be upgraded without requiring a reboot. This is a major improvement in usability and
operationalization for the solution. This feature is available if your guest module is 2.2.1 or higher.
Domain Name Support for Allowed Behaviors
AppDefense can now create allowed behaviors based on DNS records, as opposed to IP addresses. This is a major improvement
in determining robust manifests for a service, resulting in fewer behaviors to monitor and fewer deviations from the manifest.
Severity-based Remediations
All remediation actions, except for block, are now triggered only by critical alerts. All other events (serious, minor, and info)
simply alert. This enhancement should increase comfort with deploying remediation actions, as only the most critical deviations
will generate an action on the guest.
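The following is an added illustration, not AppDefense's own code, of the two mechanisms described in the Alert Classification Enhancements and Severity-based Remediations sections: a deviation from a service's allowed behaviors starts at critical severity and is lowered according to its similarity to the manifest, a watchlist of processes that warrant further investigation raises severity again, and the configured remediation only fires on critical alerts (block excepted). The similarity measure (Jaccard overlap of command-line tokens and destinations), the thresholds, the watchlist and the sample manifest are all constructed assumptions for the example.

```python
"""Added example: allow-list similarity scoring, watchlist bump and
severity-gated remediation. Not AppDefense code; all names, thresholds,
the watchlist and the sample manifest are constructed assumptions."""
from dataclasses import dataclass

SEVERITIES = ["info", "minor", "serious", "critical"]  # ascending order


@dataclass(frozen=True)
class Behavior:
    process: str            # full command line of the process
    destinations: frozenset  # allowed outbound "host:port" strings


def tokens(cmdline):
    """Tokenize a command line; normalize case and path separators."""
    return set(cmdline.lower().replace("\\", "/").split())


def jaccard(a, b):
    union = a | b
    return len(a & b) / len(union) if union else 1.0


def similarity(observed, allowed):
    """Overall similarity in 0..1: half from the command line, half from
    the destinations (constructed weighting, not AppDefense's model)."""
    return 0.5 * jaccard(tokens(observed.process), tokens(allowed.process)) \
        + 0.5 * jaccard(observed.destinations, allowed.destinations)


# Constructed watchlist of process names that warrant further investigation.
WATCHLIST = {"powershell.exe", "cmd.exe", "sh", "bash"}


def classify(observed, manifest, watchlist=WATCHLIST):
    """Return (severity, best_similarity) for an observed behavior.

    Behaviors already in the manifest produce no alert (severity None).
    A deviation starts at critical and is lowered the more it resembles
    an existing allowed behavior; watchlisted processes are bumped up."""
    if observed in manifest:
        return None, 1.0
    best = max((similarity(observed, a) for a in manifest), default=0.0)
    if best >= 0.7:
        severity = "minor"
    elif best >= 0.4:
        severity = "serious"
    else:
        severity = "critical"
    exe = observed.process.split()[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe in watchlist and severity != "critical":
        severity = SEVERITIES[SEVERITIES.index(severity) + 1]
    return severity, best


def effective_action(configured_action, severity):
    """Severity-based remediation: block applies at any severity; every
    other configured action (suspend, kill, quarantine) fires only on
    critical alerts and otherwise degrades to alert-only."""
    if configured_action in ("alert", "block"):
        return configured_action
    return configured_action if severity == "critical" else "alert"


# Constructed sample manifest for a hypothetical web service.
MANIFEST = [
    Behavior("c:/app/web/nginx.exe -c c:/app/web/nginx.conf",
             frozenset({"10.0.0.5:5432"})),
    Behavior("c:/app/web/backup.exe --daily",
             frozenset({"backup.corp.example:443"})),
]

# Constructed observations: a config-path drift, a watchlisted shell
# reaching the database, and an unknown binary with an unknown destination.
NEAR_MATCH = Behavior("c:/app/web/nginx.exe -c c:/app/web/nginx-v2.conf",
                      frozenset({"10.0.0.5:5432"}))
SHELL_TO_DB = Behavior("c:/windows/system32/cmd.exe /c dir c:/app/web",
                       frozenset({"10.0.0.5:5432"}))
UNKNOWN = Behavior("c:/tmp/unknown.exe", frozenset({"203.0.113.9:8443"}))


def evaluate(observed, manifest, configured_action):
    """Classify a behavior and decide what actually happens on the guest."""
    severity, score = classify(observed, manifest)
    action = "none" if severity is None else effective_action(configured_action, severity)
    return {"severity": severity, "similarity": round(score, 2), "action": action}


if __name__ == "__main__":
    for name, obs in [("near match", NEAR_MATCH), ("shell to db", SHELL_TO_DB),
                      ("unknown", UNKNOWN), ("allowed", MANIFEST[0])]:
        print(f"{name:12s} -> {evaluate(obs, MANIFEST, 'kill')}")
```

With the rule "kill" configured on the service, only the shell reaching the database (a watchlisted process with no command-line overlap) reaches critical and is actually killed; the config-path drift is reported as a minor alert without any guest action, which is the operating posture the release notes describe.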
Support for NSX-T
AppDefense now supports integration with NSX-T for quarantine remediation. AppDefense will continue to support the existing
NSX-V integration.
Proxy Support
AppDefense adds SOCKS4 and SOCKS5 Proxy support for the AppDefense Appliance, in addition to the existing HTTP Proxy
support.
Health Monitoring for AppDefense Components
If a host or guest module becomes unreachable, AppDefense proactively collects host and guest logs for
immediate troubleshooting. This setting is available in the Appliance UI.
Upgrade Improvements
AppDefense announces a number of usability improvements to make appliance upgrades simpler and more seamless. One such
feature is the ability to automatically roll the appliance back to a stable state in case of failure. Automatic reversion increases
comfort with turning on “auto upgrade.” This feature is available in appliance versions 2.2.1 and onward when you partition an
additional 60GB of disk space for the automated snapshot.
Increased Scale Targets
Appliance scale targets are increased again to 250 Hosts and 3000 VMs (per vCenter).
Intelligent Wildcarding
With this release, AppDefense curates a list of process CLIs that have higher wildcarded thresholds. This feature gives users
greater control over key software in their environment.