AppDefense announces a significant feature release with version 2.3.0. Most notably, we have expanded the capabilities of the
AppDefense Plugin in vCenter to include vulnerability assessment, OS integrity, and behavior analysis with Machine Learning.
That’s right, we’re bringing Machine Learning models on premises.
On the SaaS side, we release a slew of features that have been top customer asks, including severity-based process kill (using
the cloud to make prevention decisions), our first RBAC capabilities, and rebootless install/upgrade so that you can start
protecting your VMs without rebooting them.
AppDefense adds the ability to retroactively kill processes that the App Verification Cloud determines are untrusted. Instead of
blocking everything immediately, “process kill” enables customers to operate in a semi-restrictive state—preventing only
suspected bad behavior while allowing everything else to run. Select “kill process” from the dropdown list in the service rules.
With the “behavior timestamps” feature, AppDefense now reports on when a behavior was last executed within a service. This
allows customers to clean up old behaviors that an app no longer needs, as well as determine an app’s most recent executions.
The “last seen” field is exposed in the AppDefense Manager at the service card level, as well as at the individual behavior level.
AppDefense now lowers the severity of an alert based on its overall similarity to the existing allowed behaviors for that service.
This improvement allows the service behaviors to be more flexible and means less work for the operator.
AppDefense now also defines a list of known processes that warrant further investigation. Deviations from processes in this list
result in higher severity alerts.
AppDefense now defines two user roles for the operation of the SaaS Manager—“Admin” and “Analyst.” Admins have
full privileges, including user configuration and remediation settings (block, suspend, kill, etc.). Analyst is the default user
role and cannot change remediation settings. For a complete breakdown of responsibilities, consult the user guide.
The AppDefense guest module can now be upgraded without requiring a reboot. This is a major improvement in usability and
operationalization for the solution. This feature is available if your guest module is 2.2.1 or higher.
AppDefense can now create allowed behaviors based on DNS records, as opposed to IP addresses. This is a major improvement
in determining robust manifests for a service, resulting in fewer behaviors to monitor and fewer deviations from the manifest.
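The following is an added illustration of why a DNS-name-based allowed behavior produces fewer deviations than an IP-based one; it is example code written for this page, not AppDefense code, and the rule shape, the resolver cache and the connection records are all constructed assumptions.

```python
"""Compare IP-keyed and DNS-keyed allowed behaviors against the same connections.
Constructed example, not AppDefense code: the Rule shape, the DNS cache and the
connection log are assumptions made for this illustration."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    process: str       # executable path of the process allowed to connect
    destination: str   # either a DNS name or an IP / CIDR literal
    port: int


def _is_ip_literal(value: str) -> bool:
    """True when the destination is an address or network, not a DNS name."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def rule_matches(rule: Rule, process: str, dest_ip: str, port: int,
                 dns_cache: dict) -> bool:
    """Decide whether one observed connection is covered by one rule."""
    if rule.process != process or rule.port != port:
        return False
    if _is_ip_literal(rule.destination):
        # IP-based rule: the destination must sit inside the literal address/network.
        return ipaddress.ip_address(dest_ip) in ipaddress.ip_network(
            rule.destination, strict=False)
    # DNS-based rule: the destination must be one of the addresses the name
    # currently resolves to, so address rotation behind the name is tolerated.
    return dest_ip in dns_cache.get(rule.destination, set())


def deviations(rules: list, connections: list, dns_cache: dict) -> list:
    """Return the connections that no rule in the manifest allows."""
    return [c for c in connections
            if not any(rule_matches(r, *c, dns_cache) for r in rules)]


# Constructed resolver observations: the partner API name maps to two addresses.
DNS_CACHE = {"api.partner.example": {"203.0.113.10", "203.0.113.11"}}

# Same intent expressed two ways: pinned to one address, or keyed by name.
IP_RULES = [Rule("/usr/sbin/nginx", "203.0.113.10", 443)]
DNS_RULES = [Rule("/usr/sbin/nginx", "api.partner.example", 443)]

# Constructed connection log as (process, destination IP, port) tuples.
CONNECTIONS = [
    ("/usr/sbin/nginx", "203.0.113.10", 443),   # the pinned address
    ("/usr/sbin/nginx", "203.0.113.11", 443),   # the name rotated to its second address
    ("/usr/bin/curl", "198.51.100.7", 80),      # not part of the manifest at all
]


def deviation_counts() -> tuple:
    """(deviations under IP rules, deviations under DNS rules) for the same log."""
    return (len(deviations(IP_RULES, CONNECTIONS, DNS_CACHE)),
            len(deviations(DNS_RULES, CONNECTIONS, DNS_CACHE)))


if __name__ == "__main__":
    print(deviation_counts())
```

The IP-keyed manifest flags the rotated address as a deviation even though the service talked to the same endpoint; the DNS-keyed manifest only flags the genuinely unexpected `curl` connection, which is the reduction in behaviors and deviations the release note describes.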
All remediation actions, except for block, now only get triggered by critical alerts. All other events (serious, minor, and info) will
simply alert. This enhancement should increase comfort with deploying remediation actions, as only the most critical deviations
will generate an action on the guest.
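The example below ties together two of the changes above: deriving an alert's severity from its similarity to a service's allowed behaviors (raised when the process is on a watch list), and then gating remediation so that only critical alerts trigger anything other than block. It is added illustration code, not AppDefense's implementation; the attribute-overlap similarity model, the thresholds, the manifest entries and the watch-list contents are all assumptions made for this page.

```python
"""Similarity-based severity plus remediation gating. Constructed example, not
AppDefense code: the scoring model, thresholds, manifest and watch list are
assumptions made for this illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Behavior:
    process: str      # executable path
    dest_host: str    # destination as recorded in the manifest
    dest_port: int
    protocol: str


# Constructed manifest for a hypothetical "web-frontend" service.
ALLOWED = [
    Behavior("/usr/sbin/nginx", "api.internal.example", 8443, "TCP"),
    Behavior("/usr/sbin/nginx", "cache.internal.example", 6379, "TCP"),
    Behavior("/usr/bin/python3", "metrics.internal.example", 9090, "TCP"),
]

# Constructed watch list of processes whose deviations warrant closer scrutiny.
WATCHLIST = {"/usr/bin/powershell", "/bin/bash", "/usr/bin/ssh"}

SEVERITIES = ("critical", "serious", "minor", "info")


def similarity(observed: Behavior, allowed: Behavior) -> float:
    """Fraction of attributes shared with one allowed behavior (assumed model)."""
    fields = ("process", "dest_host", "dest_port", "protocol")
    shared = sum(getattr(observed, f) == getattr(allowed, f) for f in fields)
    return shared / len(fields)


def severity(observed: Behavior, allowed=ALLOWED, watchlist=WATCHLIST) -> str:
    """Start from the closest allowed behavior and lower severity as similarity
    rises; an exact match raises no alert, a watch-listed process stays critical."""
    best = max((similarity(observed, a) for a in allowed), default=0.0)
    if best == 1.0:
        return "none"
    if observed.process in watchlist:
        return "critical"
    if best >= 0.75:
        return "minor"
    if best >= 0.5:
        return "serious"
    return "critical"


def remediate(sev: str, configured_action: str) -> str:
    """Gate the configured remediation: block applies to every alert, any other
    action (suspend, kill, quarantine) only to critical alerts; the rest alert only."""
    if sev == "none":
        return "allow"
    if configured_action == "block" or sev == "critical":
        return configured_action
    return "alert-only"


def evaluate(observed: Behavior, configured_action: str) -> tuple:
    """Convenience wrapper returning (severity, outcome) for one observation."""
    sev = severity(observed)
    return sev, remediate(sev, configured_action)


if __name__ == "__main__":
    # Constructed observations: a near-miss on port, and a watch-listed shell.
    print(evaluate(Behavior("/usr/sbin/nginx", "api.internal.example", 9443, "TCP"), "kill"))
    print(evaluate(Behavior("/bin/bash", "api.internal.example", 8443, "TCP"), "kill"))
```

A port change on an otherwise known behavior lands at "minor" and, with "kill" configured, only alerts; the same deviation from a watch-listed shell stays critical and the kill is carried out. Running the thresholds against the service's existing manifest before enabling a non-block action is a cheap way to check how many historical alerts would actually have triggered it.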
AppDefense now supports integration with NSX-T for quarantine remediation. AppDefense will continue to support the existing
AppDefense adds SOCKS4 and SOCKS5 Proxy support for the AppDefense Appliance, in addition to the existing HTTP Proxy
If a host or guest module becomes unreachable, AppDefense proactively collects host and guest logs for
immediate troubleshooting. This setting is available in the Appliance UI.
AppDefense announces a number of usability improvements to make appliance upgrades simpler and more seamless. One such
feature is the ability to automatically roll the appliance back to a stable state in case of failure. Automatic reversion increases
comfort with turning on “auto upgrade.” This feature is available in appliance versions 2.2.1 and onward when you partition an
additional 60GB of disk space for the automated snapshot.
Appliance scale targets are increased again to 250 Hosts and 3000 VMs (per vCenter).
With this release, AppDefense curates a list of process CLIs that have higher wildcarded thresholds. This feature gives users
greater control over key software in their environment.