ESXi ZeroLock® Agent Deployment Guide: Signed Component Command-Line Installer

A guide to install the ZeroLock Agent onto the ESXi Hypervisor using the command-line script with the signed Component Installer.

The ZeroLock Agent (ZA) supports the following ESXi versions:

Installing ZeroLock via Command Line Using the Signed Component Installer

Installing the ZeroLock Agent via the command line on an ESXi host using the signed component installer ensures a secure, policy-compliant deployment — even in environments where vCenter is not available. Here's why this is the preferred method for standalone or scripted installations:

• No Acceptance Level Changes Required:
  The signed component is trusted under the default PartnerSupported acceptance level, eliminating the need to lower the host’s security posture to install the agent.
• Maintains Component Integrity:
  The installer is digitally signed to ensure it hasn't been modified, assuring that the deployed package is authentic and tamper-free.
• CLI-Friendly Deployment:
  Ideal for edge, lab, or air-gapped environments, the signed installer can be deployed using standard esxcli commands without requiring vCenter or GUI interaction.
• Compatible with Future vCenter Integration:
  Even when installed manually, using the signed version allows for future upgrades or management through vSphere Lifecycle Manager (vLCM) should the host later be added to a managed cluster.
• Clear Installation Logging and Auditability:
  Because the package is signed and validated, the installation is logged cleanly within the ESXi host, supporting audit requirements and change tracking in enterprise environments.

Together, these benefits make the signed command-line installer a secure, efficient, and forward-compatible option for installing ZeroLock on ESXi hosts outside of vCenter-managed infrastructure.

Advanced Settings

Before installing any ZeroLock® agent, it is important to configure specific advanced settings, regardless of the installation method. These settings may differ based on the deployment environment and the version of the agent being installed. When using the Component Installer, be sure to select ESXi as the Environment, choose the appropriate Agent Version (in this case, version 3.7.10), and apply the ESXi default as the selected Endpoint Profile.

Once these variables are set, it is critical to specify the Collector Address to ensure the agent can successfully communicate with the ZeroLock Management Console (ZMC). In this document, the Collector Address is set to 172.20.10.80, the IP address of the ZMC. After entering the address, click Save as Default to retain the configuration for future deployments.

Finally, confirm that the Deploy – ESXi screen is displayed before proceeding with the agent installation. This indicates that the deployment settings have been saved correctly, and the system is ready for installation.

 Component Installer Installation 

1. Place the ESXi Host in Maintenance Mode:
   Verify the ESXi host is placed in Maintenance Mode before beginning the installation. Once the host is successfully in Maintenance Mode, you can proceed to Step 2.
2. Download and Copy the Component Installer:
   After completing the Advanced Settings and returning to the Deploy – ESXi home screen, notice the Download section. The Download section contains the package that includes the ZeroLock Agent component, which has been certified by Broadcom to ensure compatibility and performance within VMware-supported environments. Select and download the Component Installer.zip file. 
   
3. Click Copy Install Instructions to copy the installation command.
4. Run the Installation Command

   Copy the signed ZeroLock component to the ESXi host’s scratch folder (e.g., scratch/). Then, in a terminal session on the target system, run the copied installation command or script to begin the installation. Once the installation is complete, a reboot of the ESXi host is required to activate the ZeroLock Agent.

   

Validating Agent Installation

To validate a successful installation, follow the instructions provided by the following link: Validating Agent Installation. Additionally, ensure the ESXi host has been rebooted and that the ZeroLock Agent is running as expected.

To perform additional checks and confirm that the ZeroLock VIB package was installed correctly, you’ll need to temporarily deactivate endpoint protection in the ZeroLock Management Console (ZMC).

Skipping the deactivation step may cause the ZMC to interpret your verification commands as tampering, which could result in your SSH session being automatically terminated.

1. In the ZMC console, navigate to Endpoints and select the endpoint to verify that the ZeroLock VIB was correctly installed.
2. Click the Actions drop-down menu and click Deactivate Endpoint Protection.
3. Verify that endpoint protection has been successfully turned off in the ZMC. The status of the endpoint will change to yellow, indicating that protection is currently deactivated.
4. Once the endpoint is deactivated, verify the installed ZeroLock VIB package, run the following command on the ESXi host:  esxcli software vib get -n val_zerolock
   
5. Click the Actions drop-down menu and click Activate Endpoint Protection.

View ZeroLock Agent Logs on ESXi host

There are two primary components of the ZeroLock Agent: Tyr and Baldur.

• Tyr handles communication with the ZeroLock Management Console (ZMC).
• Baldur functions as the behavior analysis engine, responsible for detection, response, and telemetry, which it reports back to Tyr.

The output from relevant ZeroLock components is now consolidated into a single log file: val_zerolock.log, which is in the /var/log directory on the ESXi host.

To view and verify val_zerolock.log, enter the command below in the terminal window:

• ls -l /scratch/log | grep val_zerolock
  
  

  For more information, please visit the Vali Cyber Support page.