
Configure the following to be able to auto-quarantine VMs on a malware detection:

  • Set up the Transport Node profile with both a VLAN and an Overlay transport zone.

  • Enable the NSX-T security tag in the Deep Security policy, so that an Anti-Malware detection tags the protected VM with "ANTI_VIRUS.VirusFound.threat=medium".

  • Create a new NSX-T group with a suitable name such as "isolation-VM" whose membership criterion is the tag "ANTI_VIRUS.VirusFound.threat=medium". Membership is dynamic: NSX-T adds the VM to the group when the tag is applied and removes it when the tag is cleared.

  • Create an NSX-T Distributed Firewall rule that rejects outgoing connections from source group "isolation-VM" to destination "Any". Place it above any rule that would allow the same traffic, since the DFW applies the first matching rule.

  • Create a new segment connected to the VLAN transport zone and attach all guest VMs to this segment.

Refer to the DS 20.0 online help for the other basic NSX-T configuration steps: https://help.deepsecurity.trendmicro.com/20_0/on-premise/appliance-nsxt3x-about.html?Highlight=NSX-T

Testing if the configuration works

  1. Log in to the guest VM and verify that it can access the internet.
  2. Follow the instructions in the linked article to simulate a malware detection.
  3. Log in to the Deep Security Manager console and verify that Anti-Malware events were generated for the guest VM.
  4. In NSX-T, verify that the guest VM has been added to the "isolation-VM" group.
  5. Log in to the guest VM and confirm that all outgoing connections are now rejected by the NSX-T DFW.
  6. From the Deep Security Manager console, initiate a manual or scheduled Anti-Malware scan. Once a scan completes with no additional detection, the security tag is removed and the guest VM drops out of the "isolation-VM" group.
  7. Verify that the guest VM can access the internet again.
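The following script is an added example and is not part of the Trend Micro article nor code from Deep Security or NSX-T. It builds the NSX-T Policy API objects that the configuration steps above describe (the tag-based "isolation-VM" group and a REJECT egress rule in the Emergency DFW category) and polls group membership through the same API to check steps 4 and 6 of the test procedure. The manager address, credentials, the "default" policy domain, the policy and rule names, the absence of a tag scope and the use of basic authentication are assumptions for a lab; the sample API response used in the offline check is constructed.

```python
"""Added example: NSX-T Policy API payloads and a membership poller for the
Deep Security auto-quarantine setup. Not the article's or vendor's code.
Assumed: policy domain "default", policy/rule names, scope-less tag, basic auth."""
import base64
import json
import ssl
import time
import urllib.request

ISOLATION_GROUP = "isolation-VM"                         # group name from the article
QUARANTINE_TAG = "ANTI_VIRUS.VirusFound.threat=medium"   # tag Deep Security applies
DOMAIN = "default"                                       # assumption: default domain


def group_payload(group_id=ISOLATION_GROUP, tag=QUARANTINE_TAG):
    """Group whose membership is 'VirtualMachine carries tag <tag>'.
    Assumption: the tag has no scope; NSX-T expects "scope|tag" for scoped tags."""
    return {
        "display_name": group_id,
        "expression": [{
            "resource_type": "Condition",
            "member_type": "VirtualMachine",
            "key": "Tag",
            "operator": "EQUALS",
            "value": tag,
        }],
    }


def reject_rule_payload(group_id=ISOLATION_GROUP, domain=DOMAIN):
    """DFW rule: REJECT all egress from the isolation group to ANY. REJECT (not
    DROP) answers with RST / ICMP unreachable, so step 5 fails fast instead of
    hanging. Logging is on so quarantined VMs that keep trying are visible."""
    return {
        "id": "reject-egress-from-isolation",      # assumed rule id
        "resource_type": "Rule",
        "display_name": "reject-egress-from-isolation",
        "source_groups": [f"/infra/domains/{domain}/groups/{group_id}"],
        "destination_groups": ["ANY"],
        "services": ["ANY"],
        "scope": ["ANY"],
        "direction": "OUT",
        "action": "REJECT",
        "logged": True,
    }


def quarantine_policy_payload(group_id=ISOLATION_GROUP, domain=DOMAIN):
    """Security policy in the Emergency category, which the DFW evaluates before
    every other category, so no later allow rule can shadow the reject."""
    return {
        "display_name": "ds-quarantine",           # assumed policy name
        "category": "Emergency",
        "rules": [reject_rule_payload(group_id, domain)],
    }


def member_vm_names(members_response):
    """VM names from GET .../domains/<d>/groups/<g>/members/virtual-machines."""
    return sorted(vm["display_name"] for vm in members_response.get("results", []))


def is_quarantined(vm_name, members_response):
    return vm_name in member_vm_names(members_response)


def wait_for_quarantine_state(vm_name, fetch_members, expected, timeout=180, interval=10):
    """Poll fetch_members() until is_quarantined(vm_name) == expected or the
    timeout expires. Returns True if the expected state was reached (step 4 with
    expected=True, step 6 with expected=False)."""
    deadline = time.monotonic() + timeout
    while True:
        if is_quarantined(vm_name, fetch_members()) == expected:
            return True
        if time.monotonic() >= deadline:
            return False
        time.sleep(interval)


def nsx_request(manager, path, user, password, method="GET", body=None, cafile=None):
    """Minimal NSX Manager REST call with basic auth. TLS is verified; hand the
    manager's CA in via cafile instead of disabling verification in the lab."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{manager}{path}", data=data, method=method,
                                 headers={"Authorization": f"Basic {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")   # PATCH returns an empty body


if __name__ == "__main__":
    # Live usage against an assumed lab manager: python quarantine.py <guest-vm-name>
    import os
    import sys
    mgr, user, pw = os.environ["NSX_MANAGER"], os.environ["NSX_USER"], os.environ["NSX_PASS"]
    base = f"/policy/api/v1/infra/domains/{DOMAIN}"
    # PATCH is create-or-update in the Policy API, so no _revision handling is needed.
    nsx_request(mgr, f"{base}/groups/{ISOLATION_GROUP}", user, pw, "PATCH", group_payload())
    nsx_request(mgr, f"{base}/security-policies/ds-quarantine", user, pw, "PATCH",
                quarantine_policy_payload())
    fetch = lambda: nsx_request(mgr, f"{base}/groups/{ISOLATION_GROUP}/members/virtual-machines", user, pw)
    ok = wait_for_quarantine_state(sys.argv[1], fetch, expected=True)
    print("quarantined" if ok else "not quarantined within timeout")
```

Run it after triggering the detection in step 2 with the guest VM's display name as the argument; re-run with `expected=False` after the clean scan in step 6 to confirm the VM left the group. The DFW rule is evaluated on the VM's vNIC regardless of the segment, so step 5 should fail for every egress flow, not only for internet-bound traffic.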