Solved: VSAN and VMDK Files malware protection

ABDOSAFH · ‎10-22-2019

Hi All,

one question regardiging the security protection for VMDK files from maleware. if i have a vmdk files infected with malware, will it infect others stored VMDK files in SAN. and what are security measure exisit other than VSAN encryption?

Thanks

srodenburg · ‎10-23-2019

Are you referring to an infection "inside" the VMDK ? In other words, the infection happened inside the VM ?

When it happens inside a VM, vSphere is not affected. The actual VMDK itself is fine. What's inside it can be chewed up and destroyed, ESXi won't see it and will not be affected by it. It only present a virtual harddisk after all and has no relationship to whatever happens inside those virtual harddisks.

When speaking about the actual VMDK itself and not from within a VM:

Attacking the VMDK itself in general requires malware that actually runs on an ESXi server. As VMDK files in vSAN are not regular files like on Block or NAS storage but instead, abstractions of multiple components presented to us humans, as a single file (read up on how vSAN works if you want to know more), the malware, running in an ESXi server, would need to use the API to understand the actual construct of a VMDK before it can "attack" it.

It's possible in theory, but i've yet have to hear about malware running on ESXi itself. First, it would have to get on there. SSH is closed by default (and should stay closed you lazy admin friends!) and the "attack vectors" to an ESXi server, being it direct or via vCenter, are generally very limited.

View solution in original post

srodenburg · ‎10-23-2019

Are you referring to an infection "inside" the VMDK ? In other words, the infection happened inside the VM ?

When it happens inside a VM, vSphere is not affected. The actual VMDK itself is fine. What's inside it can be chewed up and destroyed, ESXi won't see it and will not be affected by it. It only present a virtual harddisk after all and has no relationship to whatever happens inside those virtual harddisks.

When speaking about the actual VMDK itself and not from within a VM:

Attacking the VMDK itself in general requires malware that actually runs on an ESXi server. As VMDK files in vSAN are not regular files like on Block or NAS storage but instead, abstractions of multiple components presented to us humans, as a single file (read up on how vSAN works if you want to know more), the malware, running in an ESXi server, would need to use the API to understand the actual construct of a VMDK before it can "attack" it.

It's possible in theory, but i've yet have to hear about malware running on ESXi itself. First, it would have to get on there. SSH is closed by default (and should stay closed you lazy admin friends!) and the "attack vectors" to an ESXi server, being it direct or via vCenter, are generally very limited.

ABDOSAFH · ‎11-03-2019

Hi Bro,

thanks a lot for your valuble support. ya as you said am talking about virtual machine VMDK files. so what i understand is the files are secure as long they are stored in vSAN. and as long the VMDK file was taken while the Virutal Machine is clean right.

i made the diagram to make the picture more cleare, i guess i need to know more about vSAN :-).

thanks

AS