In VMware AppDefense, there are a few different methods we can use to roll out the Guest OS modules for the VMs. You might have heard VMware speaking about AppDefense being agentless, which is a really cool feature of this security product. But what exactly do we mean by agentless? Are there other methods of installing the module in the Guest OS without having to use VMtools? Thankfully, yes! There are two distinct methods of installing the AppDefense Guest Module that we will cover today.
Method 1 - VMtools
VMtools is a package of system-level drivers and tools that make navigating and working within a VM much easier. Many of our customers have implemented VMtools across their entire infrastructure, so it made sense to add this new VMware security functionality to it. When you enable AppDefense within VMtools, it does NOT show AppDefense as a stand-alone program within the operating system, but it still provides all the security functionality. This is pretty cool, but there are some downsides. The version of the AppDefense module correlates directly to the version of VMtools you are running. For example, if you have VMtools 11 you’ll get AppDefense Module version 2.2, but if you have VMtools version 10.0.10 you would get AppDefense Module version 2.1. Now, to be fair, you do have the ability to upgrade the module once it’s already been enabled in VMtools, but this workflow does tend to require a little more effort to deploy across workloads. Unless you're willing to upgrade all of your VMtools installs to the latest available version and then enable AppDefense, the best method is method 2.
Method 2 - Standalone Module
Rather than offer AppDefense only via VMtools, we also chose to make the AppDefense Guest Module available as its own standalone install package. We offer a very lightweight MSI that installs the AppDefense Module onto supported Windows operating systems. The great thing about this option is that with the latest module (version 2.3) this is a completely non-impactful install: no reboot is required to get the process and network attestation info reported to AppDefense. Also, because it's a standalone package, it can easily be pushed out to Windows machines via readily available package managers such as SCCM. The downside to this method is that AppDefense appears as its own program within the operating system and is listed under Programs and Features. Other than that, the module does the exact same thing, with less work and impact than when it is enabled within VMtools.
In our opinion as implementation experts, we've seen more success utilizing the standalone module for AppDefense. There are, however, benefits and drawbacks to each method, and I hope I've laid those out clearly in this short post so that you can determine the best rollout method for your implementation!