ZeroLock® Agent: ESXi QuickStart Guide

A guide for installing the ZeroLock Agent on the ESXi Hypervisor

Overview 

Between 2021 and 2022 there was an approximately three-fold increase in ransomware targeting the ESXi Hypervisor OS.  The driver behind this increase is that, as organizations continue virtualizing their critical infrastructure and business systems, attackers see ESXi as a high-yielding target where they can deploy malware once and encrypt numerous servers with a single command.   

In response to this activity, developing effective protection for ESXi has become a priority for Vali Cyber.  As such, we have developed a ZeroLock® Agent specifically to protect the ESXi environment. 

The following information will ensure the successful installation and configuration of the ZeroLock Agent on the ESXi Hypervisor operating system. 


Prerequisites 

The following must be enabled before installation: 

  1. SSH and the ESXi Shell, for terminal access. 
  2. The httpClient firewall ruleset, so that the ESXi endpoint can reach the ZeroLock Server on port 443. 
  3. On ESXi 8.0 Update 2 and later, Runtime ptrace, which is disabled by default: set it to True and reboot the host before installing the agent. 
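A pre-install check for the prerequisites listed above, written as an added example for the busybox sh found on an ESXi host; it is not part of this guide or of the ZeroLock product. It assumes the column layout of `esxcli network firewall ruleset list` (Name, Enabled) and the `Version:`/`Update:` fields of `esxcli system version get`; the two parsing helpers take that command output as a string so they can be exercised with constructed text off the host. The advanced-setting name for Runtime ptrace is not given on this page, so the script only reports when that step applies.

```shell
#!/bin/sh
# Added example (not part of the ZeroLock guide): pre-install checks for the
# prerequisites listed above, written for the busybox sh on ESXi.
# The parsing helpers take command output as an argument so they can be run
# against constructed text; the esxcli calls only run with --live on a host.

# Return 0 if the named ruleset is reported as enabled in the output of
# `esxcli network firewall ruleset list` (columns: Name, Enabled).
ruleset_enabled() {
    printf '%s\n' "$2" | awk -v id="$1" '
        $1 == id { found = 1; status = ($2 == "true") ? 0 : 1 }
        END { exit (found ? status : 1) }'
}

# Return 0 if the output of `esxcli system version get` describes ESXi 8.0
# Update 2 or later, i.e. a host where Runtime ptrace must be set to True and
# the host rebooted before the agent is installed.
needs_ptrace_step() {
    printf '%s\n' "$1" | awk '
        $1 == "Version:" { split($2, v, "."); major = v[1] + 0; minor = v[2] + 0 }
        $1 == "Update:"  { update = $2 + 0 }
        END {
            if (major > 8) exit 0
            if (major == 8 && (minor > 0 || update >= 2)) exit 0
            exit 1
        }'
}

# Live checks; only meaningful when executed in the ESXi Shell (which, together
# with SSH, is necessarily already enabled if this script is being run there).
run_live_checks() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found; not an ESXi host"; return 2; }
    rc=0
    if ruleset_enabled httpClient "$(esxcli network firewall ruleset list)"; then
        echo "OK   httpClient ruleset enabled (outbound 443 to the ZeroLock Server)"
    else
        echo "FAIL httpClient ruleset disabled; enable it with:"
        echo "     esxcli network firewall ruleset set --ruleset-id httpClient --enabled true"
        rc=1
    fi
    if needs_ptrace_step "$(esxcli system version get)"; then
        echo "NOTE ESXi 8.0 U2+: set Runtime ptrace to True and reboot before installing the agent"
    fi
    return $rc
}

# Usage on a host:  sh prereq_check.sh --live
if [ "${1:-}" = "--live" ]; then
    run_live_checks
fi
```

The helpers return a shell exit status rather than printing, so they can be chained in a larger deployment script (for example, refusing to start the installer while the httpClient ruleset is still disabled).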

The support matrix for the listed ESXi versions is provided as a table image (Support Table) in the original guide; it is not reproduced here.


Agent Installation 

Four (4) methods can be used to install the ZeroLock® ESXi agent: 

  1. Wget
  2. Self-Extracting Installer 
  3. Tar Installer 
  4. VIB (vSphere Installation Bundle)
[Image: Deploy screen showing the four ESXi installation options]

To run the installation commands on an ESXi system from the Deploy page, the user must manually modify the command, replacing bash with sh wherever it appears. 

Example: 

  Normal Linux installation:  bash install-zerolock-2.2.2.sh 
  ESXi installation:          sh install-zerolock-2.2.2.sh 

Because neither the .tgz nor the wget installer requires a reboot, these methods work regardless of whether Secure Boot is enabled. If the system is rebooted at some point, however, run the following command to restart the ZeroLock ESXi agent: 

mkdir -p /tmp/zerolock && cp /scratch/zerolock_root/zerolock-tyr-runner /tmp/zerolock/ && sh /tmp/zerolock/zerolock-tyr-runner

Note: The .tgz and wget installers disable the ESXi execInstalledOnly setting. ZeroLock provides equivalent control over which programs are allowed to run through its program filter. 


Configuration 

By default, the ESXi configuration places the file cache in whichever directory the configuration profile specifies. Because most traditional file locations on ESXi have strict size limits, the file cache should be placed in the /scratch directory or on an NFS datastore if one is available. 

The max file size cache setting should be adjusted so that ZeroLock can back up and roll back the largest VM file on the system. 100GB is the recommended minimum for the max file size cache unless larger VMs are present. 

Ransomware sensitivity should be set to HIGH on ESXi, and the automatic response should be set to KILL. 
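The sizing rule above (the cache must hold the largest VM file and be at least 100GB) can be computed from what is actually on the host. The following script is an added example and not part of this guide or of the ZeroLock product: it finds the largest .vmdk under a directory tree (on ESXi, /vmfs/volumes), derives the max file size cache value the rule calls for, and checks that the chosen cache location (/scratch or an NFS mount) has that much free space. It assumes GB means 2^30 bytes and uses only POSIX tools (find, wc, sort, df -P, awk) so it runs under busybox sh.

```shell
#!/bin/sh
# Added example (not part of the ZeroLock guide): size the "max file size
# cache" setting from the VM files present on the host and check that the
# cache location has room for it. GB is taken to mean 2^30 bytes (assumption).

GIB=$((1024 * 1024 * 1024))
RECOMMENDED_MIN_GB=100   # minimum given in the guide

# Size in bytes of the largest .vmdk under a directory tree (empty if none).
# On ESXi pass /vmfs/volumes. wc -c is used because busybox stat is limited.
largest_vm_file_bytes() {
    find "$1" -type f -name '*.vmdk' 2>/dev/null |
        while IFS= read -r f; do wc -c < "$f"; done |
        sort -n | tail -n 1
}

# max(100, ceil(bytes / GiB)): the cache size in GB that the guide's rule requires.
required_cache_gb_for_bytes() {
    gb=$(( ($1 + GIB - 1) / GIB ))
    if [ "$gb" -lt "$RECOMMENDED_MIN_GB" ]; then gb=$RECOMMENDED_MIN_GB; fi
    echo "$gb"
}

# Required cache size in GB for the VM files found under a directory tree.
required_cache_gb() {
    largest=$(largest_vm_file_bytes "$1")
    required_cache_gb_for_bytes "${largest:-0}"
}

# Free space, in whole GB, on the filesystem holding a directory (df -P is POSIX).
free_gb_of() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024 / 1024) }'
}

# Return 0 if the directory's filesystem has at least the given number of GB free.
cache_location_fits() {
    [ "$(free_gb_of "$1")" -ge "$2" ]
}

# Usage on a host:  sh cache_sizing.sh --report [VM_TREE] [CACHE_DIR]
if [ "${1:-}" = "--report" ]; then
    vm_tree=${2:-/vmfs/volumes}
    cache_dir=${3:-/scratch}
    largest=$(largest_vm_file_bytes "$vm_tree")
    need=$(required_cache_gb_for_bytes "${largest:-0}")
    echo "largest .vmdk under $vm_tree: ${largest:-0} bytes"
    echo "max file size cache should be set to at least: ${need} GB"
    if cache_location_fits "$cache_dir" "$need"; then
        echo "OK   $cache_dir has $(free_gb_of "$cache_dir") GB free"
    else
        echo "WARN $cache_dir has only $(free_gb_of "$cache_dir") GB free; consider an NFS datastore"
    fi
fi
```

Scanning /vmfs/volumes reads every .vmdk in full through wc, which is slow on large datastores; running the report once before setting the configuration profile is enough, since the value only needs revisiting when a larger VM disk is added.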


Currently Supported Features 

  1. Program Access Rules 
  2. File Access Rules 
  3. Anti-tamper, for both files and kill signals 
  4. Ransomware detection and rollback 
  5. In-UI Shell 
  6. Baldur Queries 
  7. Install, uninstall, agent shutdown, agent upgrade, protection on/off 
