ZeroLock® Agent: ESXi QuickStart Guide

A guide for installing the ZeroLock Agent on the ESXi Hypervisor


Between 2021 and 2022 there was an approximately three-fold increase in ransomware targeting the ESXi Hypervisor OS.  The driver behind this increase is that, as organizations continue virtualizing their critical infrastructure and business systems, attackers see ESXi as a high-yielding target where they can deploy malware once and encrypt numerous servers with a single command.   

In response to this activity, developing effective protection for ESXi has become a priority for Vali Cyber.  As such, we have developed a ZeroLock® Agent specifically to protect the ESXi environment. 

The following information will ensure the successful installation and configuration of the ZeroLock Agent on the ESXi Hypervisor operating system. 



The following must be enabled before installation: 

  1. SSH and the ESXi Shell, for terminal access. 
  2. The httpClient firewall ruleset, so that the ESXi endpoint can connect to the ZeroLock Server on port 443. 
  3. Runtime ptrace. ESXi 8.0 Update 2 and later disable it by default, so it must be set to True and the host rebooted before the agent is installed. 
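The prerequisite checks above can be scripted as a pre-install sanity check. The script below is an added example, not Vali Cyber's code; it assumes the ESXi `esxcli` firewall ruleset listing, `/etc/init.d/SSH status`, and the busybox `nc` shipped with ESXi, and it uses a placeholder for the ZeroLock Server hostname. The ptrace option name is not given on this page, so that step is left as a manual check.

```shell
#!/bin/sh
# Pre-install prerequisite check for the ZeroLock ESXi agent (added example,
# not Vali Cyber's code). Helpers take command output as an argument so they
# can be exercised off-host; the live checks only run when esxcli exists.

# ruleset_enabled NAME OUTPUT
# OUTPUT is the text of `esxcli network firewall ruleset list`, whose rows are
# "<Name> <Enabled>"; succeeds only when NAME is present and Enabled is true.
ruleset_enabled() {
    printf '%s\n' "$2" | awk -v n="$1" \
        '$1 == n { seen = 1; if ($2 == "true") ok = 1 } END { exit !(seen && ok) }'
}

# ssh_running OUTPUT: OUTPUT is the text of `/etc/init.d/SSH status`
# (assumed to contain "is running" when the daemon is up).
ssh_running() {
    case "$1" in *"is running"*) return 0 ;; *) return 1 ;; esac
}

# server_reachable HOST: TCP connect test to the ZeroLock Server on 443 using
# the busybox nc shipped with ESXi (3 second timeout).
server_reachable() {
    nc -z -w 3 "$1" 443 >/dev/null 2>&1
}

# zerolock_preflight HOST: run every check, report each, non-zero if any failed.
zerolock_preflight() {
    rc=0
    ssh_running "$(/etc/init.d/SSH status 2>&1)" \
        && echo "ok   SSH service is running" \
        || { echo "FAIL SSH service is not running"; rc=1; }
    ruleset_enabled httpClient "$(esxcli network firewall ruleset list)" \
        && echo "ok   firewall ruleset httpClient is enabled" \
        || { echo "FAIL firewall ruleset httpClient is disabled"; rc=1; }
    server_reachable "$1" \
        && echo "ok   $1:443 reachable" \
        || { echo "FAIL cannot reach $1:443"; rc=1; }
    # On ESXi 8.0 U2+ runtime ptrace must also be enabled and the host rebooted;
    # the option name is not given in this guide, so verify it manually against
    # the vendor documentation before installing.
    return $rc
}

# Only touch the host when this really is ESXi; elsewhere the helpers above
# can still be tested with sample output.
if command -v esxcli >/dev/null 2>&1; then
    zerolock_preflight "${1:-ZEROLOCK_SERVER_HOSTNAME_PLACEHOLDER}"
else
    echo "esxcli not found; skipping live ESXi checks"
fi
```

Run it from the ESXi Shell with the ZeroLock Server hostname as the first argument; a non-zero exit means at least one prerequisite is not met.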

The following table provides the support matrix for the listed ESXi versions. [Image: support table]

Agent Installation 

Four (4) methods can be used to install the ZeroLock® ESXi agent: 

  1. Wget
  2. Self-Extracting Installer 
  3. Tar Installer 
  4. VIB (vSphere Installation Bundle)

To run the installation commands on an ESXi system from the Deploy page, the user must manually modify the command, replacing bash with sh wherever it appears:

Normal Linux installation:  bash 
ESXi installation:          sh 


As a reboot is not required with either the .tgz or the wget installer, it does not matter whether Secure Boot is enabled. However, if the system is rebooted at some point, run the following command to restart the ZeroLock ESXi agent: 

mkdir -p /tmp/zerolock && cp /scratch/zerolock_root/zerolock-tyr-runner /tmp/zerolock/ && sh /tmp/zerolock/zerolock-tyr-runner


Note: The .tgz and wget installers disable execInstalledOnly. ZeroLock provides a similar feature through its program filter. 


The recommended default configuration for ESXi places the file cache in whichever directory is specified in the configuration profile. Because most traditional file locations on ESXi have strict size limits, it is recommended that the file cache be placed in the /scratch directory, or on NFS storage if available. 

The max file size cache setting should be adjusted so that ZeroLock can back up and roll back the largest VM file on the system. 100GB is the recommended minimum value for the max file size cache unless the system hosts larger VMs. 

Ransomware sensitivity should be set to HIGH on ESXi, and the automatic response should be set to KILL. 

Currently Supported Features 

  1. Program Access Rules 
  2. File Access Rules 
  3. Anti-tamper, both file and kill signal 
  4. Ransomware detection and rollback 
  5. In-UI Shell 
  6. Baldur Queries 
  7. Install, uninstall, agent shutdown, agent upgrade, protection on/off 

Configuring Your Environment

Endpoint Configuration

Updating the Default Lockdown Ruleset  

Applying the Recommended Ruleset via Policy

Configuration Profiles

Creating a Configuration Profile

Applying Policy to Configuration Profile

Applying Configuration Profile to an Endpoint

Control Policy and Lockdown Rule Types

Creating and Assigning Endpoint Groups

Users and User Roles 

Adding a ZeroLock User 

User Role Settings Explained 

How to Create a User Role  

How to Assign User Roles 



Handling Threats Using the ZeroLock Management Console


Updating a ZeroLock Environment

Updating the ZeroLock Management Console

Updating the ZeroLock Agent Version on Endpoints

Network Connectivity

Iptable Values