Protection for VMware environments

Trend Micro Deep Security has worked closely with VMware to offer agentless security at the hypervisor level. This security is provided by the Deep Security Virtual Appliance. The appliance is deployed at the cluster level through NSX Manager to offer protection to VMs on the same ESXi host.

Topics on this page:

Deep Security Virtual Appliance features

Scan caching

The scan cache allows the results of an Anti-Malware scan to be used when scanning multiple machines with the same files. When the appliance scans the original guest virtual machine, it keeps track of attributes of the files it is scanning. When other virtual machines are scanned, it can compare these attributes for each file. This means that subsequent files with the same attributes do not need to be scanned fully a second time, which reduces the overall scan time. In situations like virtual desktop infrastructure (VDI) where the images are nearly identical, the performance savings from scan cache are greater.

Scan storm optimization

A 'scan storm' occurs where many scans occur concurrently, causing performance slowdowns. Typically, scan storms occur in large-scale VDI deployments. When performing Anti-Malware scanning, the appliance can use the scan cache feature to optimize its resource usage during a scan storm.

Ease of management

Generally, deploying one Deep Security Virtual Appliance to each ESXi host is easier than deploying a Deep Security Agent on multiple VMs. With NSX, this management savings increases because NSX Manager automatically deploys Deep Security the service when you add a new ESXi host to the cluster.

The virtual appliance can also help with network flexibility. Each Deep Security Agent requires network connectivity to resolve the Deep Security Manager and Relay. By using the Deep Security Virtual Appliance, this network connectivity is limited to the virtual appliance and connectivity to each VM is not required.

In some cases, the infrastructure and VMs may be managed by different teams. By using the virtual appliance, the infrastructure team does not require access to the virtual machine to add protection because it can be deployed at the hypervisor level to protect each of the virtual machines.

VMware deployments with the virtual appliance and NSX

If you want to use the Deep Security Virtual Appliance to protect your guest VMs, you'll need to use VMware NSX Data Center for vSphere (NSX-V) or NSX-T Data Center. NSX-V and NSX-T have several license types. These license types are shown in the table below, along with the Deep Security features supported by each.

For a more detailed list of supported features and sub-features that are supported by the Deep Security Virtual Appliance, see Deep Security Virtual Appliance 20 (NSX) supported guest operating systems.


    Deep Security Virtual Appliance deployment

NSX for vSphere (NSX-V) 6.4.x

NSX for vSphere (NSX-V) 6.4.x


NSX-T 3.x




NSX for vShield Endpoint (free)

Advanced Enterprise

NSX Data Center Standard


NSX for vShield Endpoint (free)

NSX Data Center Professional NSX Data Center Advanced NSX Data Center Enterprise Plus NSX Data Center for Remote Office Branch Office
Anti-Malware 1 1 1 1 1 1 1 1
Integrity Monitoring 1 1 1 1 1 1 1 1
Firewall X X X
Intrusion Prevention X X X
Web Reputation X X X
Log Inspection X X X X X X X X
Application Control X X X X X X X X

1 Available on Windows guest VMs only

If a feature is not supported by the appliance (X), it can be procured through the agent. When you install agents to supplement the virtual appliance's functionality, this is known as combined mode.

Some key points when considering combined mode:

  • Management: Deep Security has deployment scripts that can be used to script the deployment of the Deep Security Agent using various orchestration tools (Chef, Puppet, etc). Using the deployment scripts allows for easier deployment of the agent. These scripts also allow activation and assignment of policy. They help to reduce the manual intervention required and reduce the management cost when deploying the agent in a VMware environment.
  • Scan caching performance improvements and Scan storm optimization: In combined mode, the virtual appliance will do scan caching and scan storm optimization for Anti-Malware scanning. This allows the agent footprint on each VM to remain small because only a network driver needs to be installed.

For details on how to set up the Deep Security Virtual Appliance environment, see Deploy the appliance (NSX-T 3.x), or Deploy the appliance (NSX-V)

VMware deployments with the agent only

If you want to protect VMware environments without the virtual appliance or NSX, you can do so by deploying the Deep Security Agent to each of your VMs. In this scenario, you don't need the Deep Security Virtual Appliance, since all protection is provided by the agents. By using the Deep Security Agent, you get all of main features of Deep Security, namely: Anti-Malware, Integrity Monitoring, Firewall, Intrusion Prevention, Web Reputation, Log Inspection, and Application Control. In addition, the agent has the following characteristics:

  • It is lightweight (a Smart Agent). Only the protection modules that you specify (for example, Anti-Malware and Integrity Monitoring) are installed using a policy that you set up on the manager. Further, Deep Security has a feature called 'recommendation scanning', which allows you to only assign rules necessary for the specific workload you are protecting.
  • Windows agents include an Anti-Malware scan cache, containing hashes of previously-scanned files that are frequently accessed, so that they don't need to be rescanned.

To deploy agents, Trend Micro has provided deployment scripts that can be used with various orchestration tools (Chef, Puppet, etc). You can also install the agent manually.

Additional information