What is VMware AppDefense? – From the Eyes of a vSphere Admin

At VMworld 2017, VMware announced a new product offering called AppDefense. In 2018, there were announcements surrounding the product as well (primarily in the form of a new offering, vSphere Platinum). The product has been out for a little over a year, but I’m still not seeing a ton of activity in the community about those who are using it or are even looking to use it. I’ve had the opportunity to see and interact with AppDefense for a while now, so I thought I’d share my experience as part of this blog series.

I want to cover a handful of things in this post. I’m going to try to do it from my own eyes and not use a bunch of marketing terms. Here’s what I hope to hit on:

  • What exactly is VMware AppDefense?
  • What is it not?
  • What is the architecture of the product?
  • What are the operating constraints of the product (operating system support, total endpoints, etc.)

What exactly is VMware AppDefense?

VMware AppDefense uses a positive security model to categorize and protect applications, not just infrastructure, directly from inside the hypervisor. AppDefense learns behaviors of an application and then enforces the “known-good” state. It flips the security model to focus on running what we know is approved to run and doesn’t let any other anomalous things happen… but what does that really mean?

My take is that AppDefense is a pretty neat amalgam of two different types of software. The product is combining application white-listing and behavioral analysis to create the aforementioned “known-good” behavior. With AppDefense, you get the ability to white-list not just a set of binaries on an endpoint, but the communication of those binaries to other parts of the application as well.

Traditional security was more concerned with not allowing bad things to happen – it focused on blacklisting bad behavior. Antivirus is a great example of how that was done. A signature or hash of an executable was determined to be bad. Anything that wasn’t bad was allowed to run. That sounds pretty simple, right? What about the things that are bad that we don’t know about yet? Those can run until those signatures are updated at least. Application white-listing solves that problem by ensuring that the only thing allowed to run is approved ahead of time.

Behavioral analysis comes into play when the Application is still in the Discovery portion of it’s AppDefense-lifecycle. During Discovery, an application has been identified and AppDefense is learning all of the different ways that the application communicates to other systems. After a review, the application is Protected by AppDefense. Behavioral analysis continues to run on the application to help determine whether some new behaviors are anomalous. An example might be updating an existing set of binaries like Java or Python. Java 8 Update 161 is allowed to run, but Java 8 Update 181 isn’t. Behavioral analysis helps to identify that this is an application update and that Java 8 Update 181 should be treated as such. We’ll dig a little deeper into this stuff later. I’m afraid that I might go too deep in an “overview.”

What is it not?

AppDefense is not like traditional security in the data center. Application white-listing has been around for some time now, but the way that AppDefense implements it is different than I have seen in the past. The important differentiation, in my opinion, is the communication with other pieces of the application. Traditional security was very much focused on only a single piece of the puzzle whereas AppDefense works to put the puzzle together and then secure the whole thing.

AppDefense is not likely to be managed by a silo. AppDefense is a product that reaches across the boundaries of IT and Security teams. I firmly believe that IT practitioners are all Security practitioners as well, but there’s a very different level of understanding between the teams. The way I see AppDefense, I see it helping to bridge gaps between IT and Security teams (that’s not to say that there is a gap between all teams, of course). AppDefense has something installed in the hypervisor and impacts my data center – IT is definitely involved. AppDefense is also a Security tool – Security teams are involved, too. As AppDefense integrates further with other VMware products, I can see it being a rally point for these two teams to work together to ensure that the attack surface of the data center is greatly reduced.

AppDefense is not easy – neither is Security. VMware has done their best to make AppDefense as easy as possible for whomever is going to use it. The Discovery phase of the implementation and the behavioral analysis do a ton of work to make it easy. At the end of the day, tuning an application white-listing software is still a lot of work. Don’t fret – it’s not actually as bad as this sounds and I’ll cover how you might do this in another post.

What is the architecture of the product?

Alright – we’ve talked a little about what it’s supposed to do, but what does the deployment of the product actually look like? The vanilla product is comprised of the AppDefense Manager, the AppDefense Appliance, Host Modules, and Guest Modules.

Picture stolen (courtesy of?) from VMware.

AppDefense Manager – This is the control point of the SaaS offering. An org is provisioned by VMware for customers to manage their AppDefense deployment. The AppDefense Manager is where nearly all of the work for a deployment is done. This is where you’ll download the Appliance, initiate installations of other components, create Scopes, add Services to a Scope, and add Members to each Service. You’ll also manage Alerts, Remediation Actions, and Integrations here. We’ll dive deeper into all of that in another post.

AppDefense Appliance – The AppDefense Appliance is provisioned on-premises and is the primary communication point for your infrastructure. The AppDefense Appliance communicates information gathered from hosts and guests in the environment and sends that information to the AppDefense Manager. The VAMI of this appliance is also where you integrate a handful of other on-premises products, but most importantly, where you connect the appliance to vCenter and enter API Key information so that the appliance can communicate the the AppDefense Manager.

Host Module – The Host Module is what allows AppDefense to actually be inside the hypervisor! The Host Module is what protects the integrity of the ESXi host and ensures that the local manifest (information about the Scope) is protected.

Guest Module – The Guest Module is installed in the GuestOS and allows the GuestOS to communicate with the Host Module. This is the piece of this puzzle that detects when the Guest’s kernel is being tampered with.

What are the operating constraints of the product?

Despite being released over a year ago, VMware AppDefense is still a very new product. Add on top of this that VMware’s release cycle feels as though it’s getting faster and faster… each release packs a punch for availability. That said, there are still some constraints that you must work with.

Operating System Support – AppDefense is focused on securing data center workloads. The primary target is server Operating Systems. At present, AppDefense is able to protect applications which are running on:

  • Windows Server 2008 R2 x64
  • Windows Server 2012 x64
  • Windows Server 2012 R2 x64
  • Windows Server 2016 x64
  • CentOS 7.1 – 7.4 x86_x64
  • RHEL – 7.0, 7.3, and 7.4 x86_x64
  • Ububtu – 14.04, 16.04 x86_x64
  • SUSE – 11.4, 12.2, 12.3 x86_x64

Configuration Maximums – Since the AppDefense Appliance can only integrate with a single vCenter Server (you might not have known that since you haven’t seen the VAMI yet…), there’s a fairly large amount of systems that it can protect. Both vSphere 6.5 and 6.7 can have 2,000 ESXi hosts and sustain 25,000 virtual machines. What if you have an enormous environment or multiple vCenter Servers!? Easy – Provision and deploy a new AppDefense Appliance to protect even more.

Configuration Minimum – To run AppDefense you must be running at least vSphere 6.5. My gut tells me that vSphere Platinum was slightly strategic in that it was announced only two weeks before End of General Support for vSphere 5.5. It’s time to upgrade anyway! You might as well add the ability to secure the data center workloads into the mix.

Operating Constraint – The product is still very new. Care and feeding from VMware is sometimes necessary to perform actions related to the AppDefense Manager. For example, there is currently no way for you to manage access to AppDefense Manager nor do there appear to be different roles to assign to team members (there could be, I just haven’t seen it). I imagine that this will mature with the product. To me, this isn’t a deal-breaker.


I’m excited for the fresh new spin that VMware AppDefense will put into the data center. Part white-listing and part behavioral analytics (let’s say AI/ML to capture the buzzword), AppDefense offers the ability to significantly reduce the attack surface of the Software-Defined Data Center. Even more-so when integrated with some other VMware products.

In the next post, I’ll provide an overview of deploying and configuring AppDefense (and maybe setting up your first Scope!). Until then, cheers!

3 thoughts on “What is VMware AppDefense? – From the Eyes of a vSphere Admin

Leave a Reply