VMware AppDefense | May 2019
What's New (May, 2019)
This release of AppDefense improves the user experience by adding more intelligence to the product's ability to distinguish known, intended behaviors from malicious ones. The number of events is reduced through better detection of process upgrades and of connections that already existed when monitoring started. Additionally, process execution monitoring is now turned on by default, giving AppDefense more comprehensive behavior detection and blocking within the environment.
Improved Upgrade Detection
AppDefense has expanded the ways in which it detects that a process has been upgraded. Better recognition and verification of upgrades reduces the number of false-positive alerts raised for new process executions in the environment. The upgraded binary is automatically added to the allowed-behavior list, removing the manual step of verifying it. Because this admission happens without an operator in the loop, the allowed-behavior list is worth reviewing after maintenance windows to confirm that only the expected upgrades were accepted.
Enhanced Verification of Connections
AppDefense can now recognize inbound and outbound connections that were established before the AppDefense Guest Module was enabled. It therefore validates not only new connections but also connections already present on the system. Additionally, when a rule set is changed, AppDefense re-verifies the existing connections against the new rules, rather than only the connections opened after the change.
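The behavior described above, re-evaluating connections that were already established when a rule set is tightened, as an added illustration that is not AppDefense code. The rule and connection shapes (process, direction, remote CIDR, remote port) and the connection snapshot are assumptions constructed for the example; the page does not describe AppDefense's internal rule format.

```python
"""Added example: re-checking established connections after a rule-set change.

Not AppDefense code. The Rule/Connection fields are an assumed shape, and the
connection snapshot below is constructed, not captured from a real guest.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Connection:
    process: str        # local process that owns the socket
    direction: str      # "inbound" or "outbound"
    remote_ip: str
    remote_port: int


@dataclass(frozen=True)
class Rule:
    process: str
    direction: str
    remote_cidr: str    # remote addresses this process may talk to / accept from
    remote_port: int


def allowed_by(rule: Rule, conn: Connection) -> bool:
    """True if this single rule permits the connection."""
    return (
        rule.process == conn.process
        and rule.direction == conn.direction
        and rule.remote_port == conn.remote_port
        and ipaddress.ip_address(conn.remote_ip) in ipaddress.ip_network(rule.remote_cidr)
    )


def violations(rules: List[Rule], existing: List[Connection]) -> List[Connection]:
    """Connections in the current snapshot that no rule in the set permits.

    Run against the *existing* connection table, not just new socket events,
    so a tightened rule set surfaces sessions that predate the change.
    """
    return [c for c in existing if not any(allowed_by(r, c) for r in rules)]


# Constructed snapshot of established connections on a web-tier guest.
EXISTING = [
    Connection("nginx", "inbound", "10.0.1.25", 443),      # from the load balancer subnet
    Connection("nginx", "inbound", "198.51.100.7", 443),   # from an external address
    Connection("app", "outbound", "10.0.2.10", 5432),      # to the database subnet
    Connection("app", "outbound", "203.0.113.9", 5432),    # to an external address
]

# Rule set before the change: any source may reach nginx on 443, app may reach any DB.
RULES_BEFORE = [
    Rule("nginx", "inbound", "0.0.0.0/0", 443),
    Rule("app", "outbound", "0.0.0.0/0", 5432),
]

# Tightened rule set: nginx only from the load balancer subnet, app only to the DB subnet.
RULES_AFTER = [
    Rule("nginx", "inbound", "10.0.1.0/24", 443),
    Rule("app", "outbound", "10.0.2.0/24", 5432),
]

if __name__ == "__main__":
    print("before change:", violations(RULES_BEFORE, EXISTING))
    for c in violations(RULES_AFTER, EXISTING):
        print("existing connection now violates policy:", c)
```

Under the old rule set every connection in the snapshot is permitted; under the tightened set the two sessions to and from external addresses are flagged even though they were opened before the rules changed, which is exactly the case a check limited to new connection events would miss.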
Process Execution Monitoring
Monitoring and control of process binary execution is now enabled by default. This further strengthens AppDefense's ability to verify an application's intended state.
Support Wildcard in Process Path
AppDefense now supports a wildcard character in the process path for all behaviors in the environment. The same process is often executed from different paths, such as the 64-bit and 32-bit instances of a Windows binary under System32 and SysWOW64. Services and behaviors no longer need to list every such path; a wildcard can cover the variation. Keep each wildcard scoped as narrowly as the variation requires: a pattern that matches too broadly also allows an identically named binary run from an unrelated, possibly user-writable, directory.
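To show why the breadth of a wildcard matters, here is an added example that is not AppDefense code. The page does not specify AppDefense's wildcard syntax or matching semantics, so the glob-style matching below (Python's fnmatch, where `*` also spans directory separators) is an assumption used only to compare how many observed paths each pattern would admit; the observed process paths are constructed, not real telemetry.

```python
"""Added example: how the scope of a wildcard in a process path changes what is allowed.

Not AppDefense code. AppDefense's own wildcard semantics are not described on
the page; glob matching via fnmatch is assumed here for illustration only.
"""
import fnmatch
from typing import List


def path_matches(pattern: str, path: str) -> bool:
    """Case-insensitive glob match, since Windows paths are case-insensitive.

    fnmatchcase is used on lower-cased inputs so behaviour is the same on any host.
    Note that '*' in fnmatch also matches backslashes, i.e. it spans directories.
    """
    return fnmatch.fnmatchcase(path.lower(), pattern.lower())


def matched_paths(pattern: str, observed: List[str]) -> List[str]:
    """Every observed process path the pattern would allow."""
    return [p for p in observed if path_matches(pattern, p)]


# Constructed sample of process paths observed on a Windows guest (not real data).
OBSERVED = [
    r"C:\Windows\System32\svchost.exe",         # 64-bit instance
    r"C:\Windows\SysWOW64\svchost.exe",         # 32-bit instance
    r"C:\Users\Public\Downloads\svchost.exe",   # same name, user-writable directory
    r"C:\Windows\Temp\build\svchost.exe",       # same name under a writable subtree
]

# Candidate patterns, narrowest to broadest.
EXACT_64 = r"C:\Windows\System32\svchost.exe"   # one path only
SCOPED = r"C:\Windows\Sys*\svchost.exe"         # intended: System32 and SysWOW64
BROAD = r"C:\Windows\*\svchost.exe"             # any subtree of C:\Windows
UNBOUNDED = r"*\svchost.exe"                    # anywhere on disk

if __name__ == "__main__":
    for name, pat in [("exact", EXACT_64), ("scoped", SCOPED),
                      ("broad", BROAD), ("unbounded", UNBOUNDED)]:
        print(f"{name:9} {pat}")
        for p in matched_paths(pat, OBSERVED):
            print("   allows", p)
```

The scoped pattern covers exactly the two legitimate instances. The broad pattern also admits the copy under `C:\Windows\Temp`, because `*` spans the `Temp\build` path component, and the unbounded pattern admits every path including the user-writable Downloads directory. Before relying on a wildcard behavior, enumerate the paths it actually matches in your environment rather than the paths you intended.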
Support for Appliance Rename and Delete
Users can now rename the Appliance through the AppDefense Manager. In a testing environment, users can also delete the Appliance and have its updated status shown in the AppDefense Manager.
Change Terminology from “Alarm” to “Alert”
To stay consistent with terminology used in the industry, AppDefense has changed all references to "Alarm" to "Alert" in the UI and documentation. This makes for clearer communication within organizations and with the AppDefense team.