7.10. VM Virtual Patch

VM Virtual Patch is a service that detects attacks targeting vulnerabilities and protects the Virtual Machine from them. For OS and application vulnerabilities, it provides signatures that offer protection equivalent to the security patches provided by application vendors.

Note

  • VM Virtual Patch uses a signature-based defense against the targeted attack traffic.
  • VM Virtual Patch does not affect the performance of applications.
  • VM Virtual Patch does not fix issues at the software code level; it provides temporary security measures. For long-term protection, please apply the regular security patches provided by each application vendor.

7.10.1. Available Features

You can use the following features with VM Virtual Patch.

Feature | Overview
VM Virtual Patch | A feature that detects or protects against (blocks) attack traffic directed against vulnerabilities.
Recommended scan | A feature that scans Virtual Machine system information, checks whether there are vulnerabilities, and automatically applies VM Virtual Patch corresponding to those vulnerabilities.

7.10.2. VM Virtual Patch Feature

You can choose the detection mode or the prevention mode.

Mode | Overview
Detection | Attack traffic is detected. However, traffic is not blocked even when attack traffic is detected.
Prevention | Attack traffic is detected. Traffic is blocked when attack traffic is detected.

Note

  • The method for detecting attack packets is described below.
    Packet contents are checked using kernel-mode drivers that are bound to the L2/Data Link Layer. Matching is carried out based on protocol violations and signatures. Packets matching a pattern are identified as attack traffic targeting the vulnerabilities, and protective action is taken.
  • If NTT Communications judges it necessary, we will notify you by e-mail or other means of the detection status and defense (block) status.

7.10.4. Important Points

Virtual Machine System Requirements
The system requirements for operating the VM Virtual Patch agent software (Memory capacity, Disk capacity and OS) are shown below.

Item | Overview
Memory Capacity | 512 MB or greater
Disk Capacity | 1 GB or greater
OS | The OSs listed in “Supported OS List of VM Anti-Virus, VM Virtual Patch, and VM Firewall” of the available OSs in Enterprise Cloud

Important

  • When using a Linux OS, it is necessary to confirm the kernel version.
  • Please set IPv6 to ON or OFF correctly on the Guest OS when using VM Virtual Patch.

Agent Software Installation
In order to use VM Virtual Patch, upload the agent software to the Virtual Machine and install it. For details, refer to the agent software installation guide.

Important

  • You cannot use VM Virtual Patch at the same time as anti-virus software other than VM Anti-Virus. Before installing the VM Virtual Patch agent software, always make sure to uninstall other virus protection software.

  • When uploading the agent to the VMs, do not do so by mounting ISO image files or CD/DVD drives.

  • The virtual server on which the agent software is installed must have its time synchronized by using NTP, etc. If the time is not synchronized, activation of the agent software may fail.

  • Port 4118 is used as the standby (listening) port for the agent software. This port number cannot be changed, so be sure to confirm that it is not used by another application on the virtual server where the agent software is installed.

  • The network interface stops while the agent software is being installed and takes a few seconds to recover. When DHCP is used, a new request is generated, so a different IP address may be assigned to the restored connection. See the following Web site for details.

Note

  • We ask you to install the agent software on the Virtual Machine.
  • It is necessary to log in to the target host as the administrator when installing the agent software.

Agent Software Default Install Location
The agent software default install location differs depending on the Virtual Machine OS.

OS | Default Install Location
Windows | C:\Program Files\Trend Micro\Deep Security Agent
Linux | System files: /opt/ds_agent, /var/opt/ds_agent; Startup scripts: /etc/init.d/ds_agent, /etc/init.d/ds_filter; Communication channel between user and kernel mode components: /dev/dsa, /dev/dsa_ssl, /proc/driver/dsa

Note

  • You can change where it is installed. Also, the install location might change due to agent software version updates, etc.

Communication with the Manager Administered by NTT Communications
A Virtual Machine that uses VM Virtual Patch must be able to communicate with the Manager administered by NTT Communications.
Please configure routing and DNS name resolution.

Routing Settings
  • Please set the routing from the Virtual Machine to vFirewall/Integrated Network Appliance using either of the following methods.
    • Set the Virtual Machine default gateway to vFirewall/Integrated Network Appliance
    • Set vFirewall/Integrated Network Appliance as the static route gateway for communication addressed to the Manager administered by NTT Communications
  • If the Virtual Machine that uses VM Virtual Patch is connected to a Server Segment that is not directly connected to vFirewall/Integrated Network Appliance, an additional Server Segment is required to directly connect the vFirewall/Integrated Network Appliance and the Virtual Machine.
DNS Name Resolution
In order to communicate with the Manager administered by NTT Communications, name resolution for the manager is required. Please use the DNS server inside your environment or the Virtual Machine hosts file to set name resolution for the Manager administered by NTT Communications.
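
The prerequisites stated above (512 MB memory, 1 GB disk, port 4118 unused, name resolution for the Manager) can be checked before installation with a short script. This is an added example, not code from NTT Communications or the agent vendor; it assumes a Linux guest, reads "disk capacity" as free space under /opt, and uses a placeholder Manager host name because the page does not give one.

```python
import shutil
import socket

AGENT_PORT = 4118                  # fixed agent port stated on this page
MIN_MEM_KB = 512 * 1024            # "512 MB or greater"
MIN_DISK_BYTES = 1024 ** 3         # "1 GB or greater" (assumed to mean free space)
MANAGER_HOST = "manager.example.invalid"   # placeholder: use the name you were given

def mem_total_kb(meminfo_text):
    """Parse MemTotal (kB) from /proc/meminfo-style text."""
    for line in meminfo_text.splitlines():
        if line.startswith("MemTotal:"):
            return int(line.split()[1])
    raise ValueError("MemTotal not found")

def port_is_free(port, host="0.0.0.0"):
    """Bind test (IPv4 only): True if no local socket already holds the TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True

def resolves(hostname):  # system resolver, so the DNS server and hosts file both count
    try:
        return bool(socket.getaddrinfo(hostname, None))
    except socket.gaierror:
        return False

def preflight(mem_kb, free_disk_bytes, port_free, manager_resolves):
    """Return the list of unmet prerequisites (an empty list means ready)."""
    failures = []
    if mem_kb < MIN_MEM_KB:
        failures.append("memory below 512 MB")
    if free_disk_bytes < MIN_DISK_BYTES:
        failures.append("disk below 1 GB")
    if not port_free:
        failures.append(f"TCP port {AGENT_PORT} already in use")
    if not manager_resolves:
        failures.append(f"cannot resolve {MANAGER_HOST}")
    return failures

if __name__ == "__main__":        # Linux guest assumed (/proc/meminfo, /opt)
    with open("/proc/meminfo") as f:
        mem = mem_total_kb(f.read())
    disk = shutil.disk_usage("/opt").free
    for problem in preflight(mem, disk, port_is_free(AGENT_PORT), resolves(MANAGER_HOST)):
        print("FAIL:", problem)
```

Run it before the agent is installed; afterwards the agent itself holds port 4118 and the port check will report it as in use.
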
Restrictions
  • We ask you to assume responsibility for monitoring agent software (checking to make sure it is activated at all times).

  • The following traffic is blocked regardless of the mode setting.

    • More than 100,000 TCP connections

    • More than 100,000 UDP connections

    • Unusual traffic that does not conform to RFCs or is suspected to be invalid:
      No IP header
      Source IP and destination IP are the same
      Characters that are not valid in a URI
      More than 100 “/” characters
      Use of “../../” above the root
      Traffic may also be blocked when compute resources run short.
  • If the number of application types linked to the applicable rules exceeds 8 (counted separately for transmission and reception), rules cannot be updated. In that case the latest rules cannot be applied to the agent software, so it cannot respond to new threats. Please consider applying the official security patches provided by each application vendor (a full-scale response).

  • If you use a Private Catalog to create and store a template of a Virtual Machine image, please do so before installing the VM Virtual Patch agent software.
    If a template is created and saved from the image of a Virtual Machine on which the VM Virtual Patch agent software is installed, or on which installation and activation (registration to the Manager administered by NTT Communications) are complete, and a Virtual Machine is then created from that template, VM Virtual Patch can no longer be used on either the Virtual Machine used to create the template or the newly built Virtual Machine. The same applies to image backups.
  • VM Virtual Patch does not guarantee that the provided VM Virtual Patch feature has integrity or accuracy, or is suitable for your use. Furthermore, the suitability of the signatures (algorithms that judge the degree of danger and attack traffic) provided by the developers or distributors of the devices making up the VM Virtual Patch feature is not guaranteed.

  • The following information might be provided to the developers or distributors of the devices making up the VM Virtual Patch feature.

    • Configuration information obtained from providing VM Virtual Patch
    • Information obtained from controlling VM Virtual Patch, etc.
  • We cannot guarantee recovery from failures that might occur due to incompatibility between the VM Virtual Patch feature and your environment, or failures that occur due to your operations other than those specified by NTT Communications.

  • There may be times when the customer’s environment is affected by maintenance services. Advance notice will be sent when the customer’s environment may be affected. This does not apply when we judge that the maintenance work is urgently needed to continue the service.

  • Note for Enterprise Cloud 2.0 Host-based Security users: if you have an inquiry about that menu, please use the ticket system in Enterprise Cloud 2.0.
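
Because the conditions listed under Restrictions are blocked in detection mode as well as prevention mode, it is worth checking an application's own request paths against them before enabling the agent. The sketch below is an added example, not the agent's matching logic, which this page does not document; the function names, the use of the RFC 3986 character set, the slash count taken over the whole request target, and the sample values in the comments are assumptions.

```python
import re
from urllib.parse import unquote

MAX_SLASHES = 100   # "/" limit quoted in the Restrictions list
# RFC 3986 reserved and unreserved characters, plus "%" for percent-encoding
URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")

def escapes_root(path):
    """True if ".." segments ever climb above the root of the path."""
    depth = 0
    for segment in path.split("/"):
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        elif segment not in ("", "."):
            depth += 1
    return False

def uri_violations(target):
    """Return the Restrictions-list conditions that an HTTP request target meets."""
    reasons = []
    if not URI_CHARS.fullmatch(target):
        reasons.append("character not valid in a URI")
    if target.count("/") > MAX_SLASHES:
        reasons.append('more than 100 "/" characters')
    path = target.split("?", 1)[0].split("#", 1)[0]
    if escapes_root(unquote(path)):   # decode first so %2e%2e is seen as ".."
        reasons.append('"../../" above root')
    return reasons

def packet_violations(src_ip, dst_ip):
    """Return the IP-level condition from the list that a packet meets."""
    if src_ip == dst_ip:
        return ["source and destination IP are the same"]
    return []

if __name__ == "__main__":
    # Constructed request targets standing in for an application's URL inventory
    for target in ["/app/index.html?id=1", "/docs/a/../b", "/static/../../x", "/search?q=a b"]:
        print(target, "->", uri_violations(target) or "ok")
```
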