KB: Ransomware Vulnerability Monitoring

Monitor your vSphere environment for Ransomware Vulnerability and be one step ahead

Description:

Nowadays, securing your VMware foundation against possible hacking is becoming more and more important. To keep you informed when your environment is vulnerable, we provide an add-on management pack called ‘VMware Ransomware Vulnerability Monitoring’ that runs on top of the base VMware monitoring you already have implemented. We have followed the Security Configuration Guides for VMware vSphere and implemented a corresponding monitor in SCOM for most of the compliance checks. If any of the checks is non-compliant, you will get a SCOM alert that contains knowledge on how to remediate using PowerCLI.

For every VMware vSphere version there is a dedicated Security Configuration Guide and Management Pack. See the link below for the latest official guide provided by VMware.

Security Configuration Guides for VMware vSphere

Configuration:

In the installation package the VMware Ransomware Vulnerability Monitoring management packs are located in the “/managementpacks/Ransomware Vulnerability Monitoring” folder.

Import the management pack that matches your vSphere version. It adds the monitors to the objects VMware ESX Server, VMware Virtual Machine and VMware Distributed Virtual Switch. You can find them under the security rollup category.

By default, all compliance monitors for the ESX Server and Distributed Virtual Switch are enabled and the monitors for the Virtual Machines are disabled. For all targets, however, an overall monitor is enabled that provides a status view of all compliance checks for the target. The monitoring interval is 6 hours.

If you change this interval, change it for all monitors; otherwise you break cookdown, which results in a utilisation impact.

VMware Virtual Machine details

If you want more compliance details on the virtual machines, you can import the group management pack that belongs to the correct version. This will create a group called ‘VMware V70 VMs with Full Ransomware Vulnerability Check Enabled’ (the name depends on the version used). When you add virtual machines to this group, the detail monitors will be enabled for them.

If you have a mixed vSphere environment, for example one where you monitor both vSphere V6.7 and V7.0, you can import both versions. Keep in mind that this will result in some duplicate checks and alerts.