Addressing Secrecy Concerns for On-premise Communications with NSX Network Detection and Response Cloud

Article ID: 333718


Updated On:

Products

VMware

Issue/Introduction

The Issue:

Some customers are extremely concerned about the security of the data under analysis and therefore believe the best policy is to keep all information inside the local network. In this case, "data under analysis" includes files from network hosts that become infected and files or information that came from the Malscape. Although we at VMware guard the privacy of all customer information and present in this article the security reasons for the outbound communications at issue, we also provide the means for customers to disable that outbound communication.

This customer concern applies both to communication with the NSX Network Detection and Response cloud and to the important purpose served by the sandbox's ability to let malware communicate with its C&C server. This article describes the benefits of allowing these outbound communications and explains how to use the lastline_setup utility to disable specific kinds of outbound communication. The first section describes the benefits of allowing these outbound connections. The second section describes how to use the lastline_setup utility to disallow specific categories of outbound communication to the NSX Network Detection and Response cloud.


Reasons for Allowing Outbound Communication

On-premises NSX Network Detection and Response can perform its analysis without communicating anything back to the cloud, but this limitation undermines NSX Network Detection and Response's unparalleled accuracy in determining what the malware is trying to do. This assertion is based on two realities of network security:

Thorough analysis includes observation of the malware doing the bad things it was designed to do. VMware observes the behavior so that it can track the malware back to its C&C roots. (Keep in mind that the NSX Network Detection and Response sandboxes remain isolated from the network, so no analysis happens inside a customer network and, therefore, no data inside the network is at risk.) No vendor can honestly claim that an on-premise product can do thorough analysis without letting the malware run fully (which includes the malware's outbound communication attempts).

Malware can do many unexpected and unusual things in different environments. Our cloud-based analysis is best suited for checking for these variations. One part of our product that enables much greater accuracy in these cases is our extensive database of known threats. We can perform an analysis that is more advanced than what is possible on the customer premises.

 

How to Turn Off Transmission of Information to NSX Network Detection and Response Cloud

The lastline_setup utility has the commands for disabling different communications between the on-premise NSX Network Detection and Response and the NSX Network Detection and Response cloud. (Refer as needed to the installation manual and its screenshots.) The types of change to outbound communication that the utility supports are as follows:

  • No files are shared with the NSX Network Detection and Response cloud.
  • The metadata for files is not shared with the NSX Network Detection and Response cloud.
  • The origin of the artifacts' download does not go to the NSX Network Detection and Response cloud.
  • The origin of the malicious artifacts' download does not go to the NSX Network Detection and Response cloud.
  • The metadata for malicious files does not go to the NSX Network Detection and Response cloud.


After logging into the CLI, starting the lastline_setup utility, and entering your user password at the sudo prompt, use the following commands to turn off a particular communication. Each command sets one setting to "off":


To disallow all artifact hash sharing with the NSX Network Detection and Response cloud: 

cloud_analysis off

 

To disallow sharing artifact metadata (IP address and host of the server from which the file was downloaded) with the NSX Network Detection and Response cloud:

cloud_analysis_push_download_metadata off

 

To disallow sharing the source of downloaded artifacts (information about protocol details of the file download, including server path, HTTP referrer, HTTP user-agent, and the raw HTTP request) with the NSX Network Detection and Response cloud: 

cloud_analysis_push_download_source off

 

To disallow sending of file metadata (download origin, filename, type) for malicious files: 

cloud_analysis_push_malicious_download_metadata off

 

To disallow sharing of the origin of malicious downloads (see download_source above) with the NSX Network Detection and Response cloud: 

cloud_analysis_push_malicious_download_source off

 

To disallow sharing of the Android APK files with the NSX Network Detection and Response cloud:

cloud_analysis_push_apk off

 

To disallow sharing of the Mac OS artifacts (Mach-O binaries, DMG, PKG) with the NSX Network Detection and Response cloud:

cloud_analysis_push_macho off
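To make the effect of these settings concrete, the following added example (not VMware's or Lastline's code, and not the product's actual decision logic) models which data classes from one analysed artifact would leave the network under a given combination of the seven cloud_analysis settings listed above, and derives the lastline_setup commands needed to enforce a chosen sharing policy. The setting names are the ones in this article; the gating rules are assumptions made for the model: `cloud_analysis off` is treated as suppressing every push, the malicious_* settings are treated as governing malicious artifacts while the non-malicious settings govern everything else, and only APK and Mac OS artifact content is treated as pushable. The sample artifact is constructed.

```python
"""Model of what leaves the network under the lastline_setup cloud_analysis* toggles.

Added illustration only; the gating rules below are assumptions, not documented
product behaviour.
"""
from dataclasses import dataclass

# Assumed default posture: every channel enabled (the article only documents
# how to turn each one off).
DEFAULT_SETTINGS = {
    "cloud_analysis": "on",
    "cloud_analysis_push_download_metadata": "on",
    "cloud_analysis_push_download_source": "on",
    "cloud_analysis_push_malicious_download_metadata": "on",
    "cloud_analysis_push_malicious_download_source": "on",
    "cloud_analysis_push_apk": "on",
    "cloud_analysis_push_macho": "on",
}

# Data class (as an operator would think of it) -> setting that gates it.
# "hash" is gated by cloud_analysis itself and is handled separately.
CLASS_TO_SETTING = {
    "download_metadata": "cloud_analysis_push_download_metadata",
    "download_source": "cloud_analysis_push_download_source",
    "malicious_metadata": "cloud_analysis_push_malicious_download_metadata",
    "malicious_source": "cloud_analysis_push_malicious_download_source",
    "apk_content": "cloud_analysis_push_apk",
    "macho_content": "cloud_analysis_push_macho",
}


@dataclass
class Artifact:
    """One analysed file as the on-premise appliance sees it (constructed)."""
    sha1: str
    filename: str
    file_type: str          # "apk", "macho", "dmg", "pkg", "pe", ...
    server_ip: str
    server_host: str
    url_path: str
    referrer: str
    user_agent: str
    raw_request: str
    malicious: bool
    content: bytes = b""


def outbound_payload(artifact: Artifact, settings: dict) -> dict:
    """Return the fields that would be pushed to the cloud under `settings`.

    Keys missing from `settings` fall back to DEFAULT_SETTINGS.
    """
    cfg = {**DEFAULT_SETTINGS, **settings}

    def on(key: str) -> bool:
        return cfg[key] == "on"

    # Assumption: with cloud analysis off, nothing at all is pushed.
    if not on("cloud_analysis"):
        return {}

    payload = {"sha1": artifact.sha1}
    mal = artifact.malicious
    # Assumption: malicious artifacts are governed by the malicious_* settings.
    meta_key = CLASS_TO_SETTING["malicious_metadata" if mal else "download_metadata"]
    src_key = CLASS_TO_SETTING["malicious_source" if mal else "download_source"]

    if on(meta_key):
        metadata = {"server_ip": artifact.server_ip, "server_host": artifact.server_host}
        if mal:  # the article lists filename and type for malicious files
            metadata.update(filename=artifact.filename, file_type=artifact.file_type)
        payload["download_metadata"] = metadata

    if on(src_key):  # protocol details, including the raw HTTP request
        payload["download_source"] = {
            "path": artifact.url_path,
            "referrer": artifact.referrer,
            "user_agent": artifact.user_agent,
            "raw_request": artifact.raw_request,
        }

    # Assumption: only APK and Mac OS artifact content is ever pushed.
    if artifact.file_type == "apk" and on("cloud_analysis_push_apk"):
        payload["file_content"] = artifact.content
    elif artifact.file_type in ("macho", "dmg", "pkg") and on("cloud_analysis_push_macho"):
        payload["file_content"] = artifact.content
    return payload


def policy_settings(allowed: set) -> dict:
    """Settings that share only the data classes named in `allowed`."""
    if "hash" not in allowed:
        return {"cloud_analysis": "off"}  # gates everything (assumption)
    return {s: "off" for c, s in CLASS_TO_SETTING.items() if c not in allowed}


def commands_for_policy(allowed: set) -> list:
    """The lastline_setup lines an operator would type to enforce `allowed`."""
    return [f"{name} off" for name, value in policy_settings(allowed).items() if value == "off"]


# Constructed sample: a malicious APK fetched over HTTP.
SAMPLE = Artifact(
    sha1="da39a3ee5e6b4b0d3255bfef95601890afd80709", filename="update.apk", file_type="apk",
    server_ip="203.0.113.10", server_host="cdn.example.test", url_path="/dl/update.apk",
    referrer="http://cdn.example.test/", user_agent="okhttp/4.9",
    raw_request="GET /dl/update.apk HTTP/1.1\r\nHost: cdn.example.test\r\n", malicious=True,
    content=b"PK\x03\x04constructed",
)

if __name__ == "__main__":
    for allowed in (set(), {"hash"}, {"hash", "malicious_metadata"}):
        print(sorted(allowed), "->", commands_for_policy(allowed))
        print("   pushed:", sorted(outbound_payload(SAMPLE, policy_settings(allowed))))
```

The useful check is the round trip: choose the data classes you are willing to share, feed `policy_settings` into `outbound_payload` for a representative artifact, and confirm that nothing beyond those classes appears in the payload before typing the corresponding `... off` lines into lastline_setup. Note that, under the stated assumption, turning off only `cloud_analysis_push_download_source` leaves the download source of malicious artifacts in place; the malicious_* settings must be turned off as well.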

 

For more information please refer to the latest Manager installation guide.