VMware adds whitelist security to the hypervisor

Overlooked in the hoopla around the VMworld conference was the announcement that AppDefense is now available, a new product that lets companies restrict which operations applications are allowed to perform on virtualized servers.

AppDefense works with the VMware hypervisor and can also connect to third-party provisioning, configuration management and workflow automation platforms. It can send out alerts, quarantine apps, shut them down and even restore a VM from an image. All of this is triggered by AppDefense catching behavior that departs from what an application is expected to do, such as attempting to modify the kernel or communicating with an unrecognized remote server.

VMware already has some security features built into its NSX and VSAN products, but those are around networking and storage. AppDefense secures the core virtual machines in vSphere itself. It does this with behavior-based whitelisting, which is hard to do on desktops because they run a lot of apps and their set of legitimate behaviors is large and changes constantly. On a server, especially a virtual server, it is a much easier proposition: in some cases a virtual server runs only one or two apps, so everything outside that small set of expected processes and connections can simply be shut out.

Whitelists vs. blacklists

There is some debate over which is the better approach: blacklists or whitelists. Blacklists are what traditional antivirus relies on; they are good at spotting known threats but blind to new, unknown ones, because they can only match what has already been catalogued. Antivirus vendors have tried to get around this problem by adding heuristics that look for suspicious behaviors, such as modifying the OS kernel or communicating with remote servers.
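To make the contrast between the two models concrete, here is an added example (not AppDefense code, and not how VMware implements it) of a behavior-based allowlist for a single-purpose virtual server, side by side with a hash-based blocklist of the kind traditional antivirus uses. The manifest for "web-01", the blocklisted hash, the log format and the event lines are all constructed for the example; the verdicts "allow", "alert" and "quarantine" are illustrative names for the kinds of responses the article describes. The point it shows is that a dropped binary with a never-before-seen hash and a connection to an unknown host both sail past the blocklist but are caught by the allowlist, because on a server that runs one or two known apps anything else is a deviation.

```python
"""Behavior allowlist vs. hash blocklist for a single-purpose VM.

Added example, not VMware AppDefense code. Manifests, hashes and event
lines are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    """The allowlist: what one VM is expected to do, nothing more."""
    vm: str
    processes: frozenset          # executables expected to run on this VM
    outbound: frozenset           # "cidr:port" destinations it may reach
    kernel_writes: bool = False   # are module loads / kernel writes expected?


# Constructed single-purpose web VM: a web server, its PHP runtime,
# one database subnet and one external API endpoint.
MANIFESTS = {
    "web-01": Manifest(
        vm="web-01",
        processes=frozenset({"/usr/sbin/nginx", "/usr/bin/php-fpm"}),
        outbound=frozenset({"10.0.5.0/24:5432", "203.0.113.10/32:443"}),
    ),
}

# Constructed blocklist of known-bad hashes (the traditional AV model).
# Only hashes already catalogued here can ever match.
BLOCKLIST = frozenset({"deadbeef00000001"})


@dataclass(frozen=True)
class Event:
    vm: str
    kind: str      # "exec", "connect" or "kernel"
    detail: str    # executable path, "ip:port", or a description
    sha256: str = ""


def parse_event(line):
    """Constructed log format: '<vm> <kind> <detail> [hash]'."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("malformed event: %r" % line)
    vm, kind, detail = fields[:3]
    digest = fields[3] if len(fields) > 3 else ""
    return Event(vm, kind, detail, digest)


def blocklist_verdict(ev):
    """Known-bad matching: a novel binary is invisible to this check."""
    if ev.kind == "exec" and ev.sha256 in BLOCKLIST:
        return "quarantine"
    return "allow"


def _destination_allowed(manifest, dest):
    """True if ip:port falls inside one of the manifest's cidr:port entries."""
    ip_str, port = dest.rsplit(":", 1)
    ip = ipaddress.ip_address(ip_str)
    for entry in manifest.outbound:
        cidr, allowed_port = entry.rsplit(":", 1)
        if port == allowed_port and ip in ipaddress.ip_network(cidr):
            return True
    return False


def allowlist_verdict(ev):
    """Behavior allowlist: anything outside the manifest is a deviation."""
    manifest = MANIFESTS.get(ev.vm)
    if manifest is None:
        return "alert"  # no manifest means no baseline, so do not trust silently
    if ev.kind == "exec":
        return "allow" if ev.detail in manifest.processes else "quarantine"
    if ev.kind == "connect":
        return "allow" if _destination_allowed(manifest, ev.detail) else "alert"
    if ev.kind == "kernel":
        return "allow" if manifest.kernel_writes else "quarantine"
    return "alert"  # unknown event kind: surface it rather than ignore it


# Constructed events: normal app activity, then a dropped binary whose
# hash no blocklist has seen, a connection to an unknown host on an odd
# port, and an attempted kernel module load.
SAMPLE_EVENTS = [
    "web-01 exec /usr/sbin/nginx 3a7f1c9e00000002",
    "web-01 connect 10.0.5.12:5432",
    "web-01 exec /tmp/.x/miner e5b0c44200000003",
    "web-01 connect 198.51.100.77:4444",
    "web-01 kernel insmod:unknown.ko",
]


def evaluate(lines):
    """Return (detail, blocklist verdict, allowlist verdict) per event line."""
    results = []
    for line in lines:
        ev = parse_event(line)
        results.append((ev.detail, blocklist_verdict(ev), allowlist_verdict(ev)))
    return results


if __name__ == "__main__":
    for detail, bl, al in evaluate(SAMPLE_EVENTS):
        print("%-28s blocklist=%-10s allowlist=%s" % (detail, bl, al))
```

Run as written, the blocklist returns "allow" for all five events because none of the hashes is catalogued, while the allowlist lets the two expected events through and flags the miner, the unknown destination and the kernel write. The same structure also shows why the desktop case is hard: the manifest for a workstation would have to enumerate hundreds of executables and destinations and be kept current as they change, which is exactly the maintenance burden the article says a one-or-two-app virtual server avoids.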