Integration of Kaspersky Security components with VMware virtual infrastructure
Integrating Kaspersky Security components with a VMware virtual infrastructure requires the following components:
- Virtual infrastructure administration server (VMware vCenter Server, VMware vCloud Director). The component performs administration and centralized management of a VMware virtual infrastructure. The component participates in the deployment of Kaspersky Security. The virtual infrastructure administration server sends the Integration Server information about the VMware virtual infrastructure that is required for operation of the application.
- VMware NSX Manager. The component enables registration and deployment of Kaspersky Security services.
- Virtual filter (VMware DVFilter). This component lets you intercept incoming and outgoing network packets in the traffic of protected virtual machines.
- Guest Introspection driver (NSX File Introspection Driver). The component collects data on virtual machines and transmits files to Kaspersky Security for scanning. To enable Kaspersky Security to protect virtual machines, the NSX File Introspection Driver must be installed on these virtual machines. For more details, refer to the documentation provided with VMware products.
- Guest Introspection service and Guest Introspection ESXi Module. The components enable interaction between SVMs and the Guest Introspection driver installed on the virtual machine.
The File Threat Protection component interacts with the VMware virtual infrastructure in the following way:
- The user or any application opens, saves, or runs files on a virtual machine that is protected by Kaspersky Security.
- The Guest Introspection driver intercepts information about these events and relays it to the Guest Introspection service.
- The Guest Introspection service relays information about received events to the File Threat Protection component installed on the SVM.
- The File Threat Protection component scans files that the user or an application opens, saves, or runs on a protected virtual machine:
  - If no viruses or other malware are detected in the files, Kaspersky Security grants access to the files.
  - If the files contain viruses or other malware, Kaspersky Security performs the action that is specified in the settings of the protection profile assigned to this virtual machine. For example, Kaspersky Security disinfects or blocks a file.
Interaction between the Network Threat Protection component and the VMware virtual infrastructure depends on the traffic processing mode that you selected during registration of the network protection service (Kaspersky Network Protection). If you selected the standard traffic processing mode, the Network Threat Protection component interacts with the VMware virtual infrastructure as follows:
- The virtual filter (VMware DVFilter) intercepts inbound and outbound network packets in the traffic of protected virtual machines and redirects them to the Network Threat Protection component installed on SVMs.
- The Network Threat Protection component scans network packets to detect activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. It also scans all web addresses in requests over the HTTP protocol to check whether they belong to the web address categories that should be detected according to the Web Addresses Scan settings.
If Kaspersky Security does not detect a network attack, suspicious network activity, or a web address belonging to the web address categories selected for detection, it allows transfer of the network packet.
If a network threat is detected, Kaspersky Security does the following:
- If activity typical of network attacks is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
- If suspicious network activity is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
- If a web address belongs to one or more of the web address categories selected for detection, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows access to the web address.
If you selected monitoring mode during registration of the network protection service (Kaspersky Network Protection), the Network Threat Protection component receives a copy of the traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.