Kaspersky Security for Virtualization 6.0 Agentless

[Topic 186128]

About this Help Guide

This Help Guide is intended for technical professionals whose responsibilities include administration of Kaspersky Security, and support for organizations using Kaspersky Security. The Guide is intended for technical professionals who have experience working with virtual infrastructures on the VMware vSphere platform and with Kaspersky Security Center, which is a system designed for remote centralized management of Kaspersky applications.

[Topic 56682]

About Kaspersky Security for Virtualization 6.0 Agentless

Kaspersky Security for Virtualization 6.0 Agentless (hereinafter also "Kaspersky Security") is an integrated solution that protects virtual machines on a VMware ESXi hypervisor against viruses and other malware, as well as network threats.

Kaspersky Security lets you protect virtual machines running Windows guest operating systems, including those running server operating systems, and virtual machines running Linux guest operating systems.

Kaspersky Security lets you configure the protection of virtual machines at any level of the hierarchy of VMware virtual infrastructure objects: VMware vCenter server, Datacenter object, VMware cluster, resource pool, vApp object, and virtual machine. The application supports the protection of virtual machines during their migration within a VMware DRS cluster.

In an infrastructure managed by a VMware vCloud Director server, Kaspersky Security can be used to protect isolated virtual infrastructures, such as virtual Datacenters corresponding to vCloud Director organizations. One instance of Kaspersky Security in multitenancy mode allows multiple tenants of a cloud infrastructure (tenant organizations or divisions of one organization) to independently manage the protection of their own virtual infrastructure.

Kaspersky Security includes the following components:

  • File Threat Protection. Protects the file system objects of a virtual machine against infection. The component is launched at the startup of Kaspersky Security. It protects virtual machines and scans the file system of virtual machines.
  • Network Threat Protection. This component lets you detect and block activity that is typical of network attacks and other suspicious network activity. It also lets you scan web addresses requested by a user or application, and block access to web addresses if a threat is detected.
  • Integration Server. The component facilitates interaction between Kaspersky Security components and a VMware virtual infrastructure.

Kaspersky Security features:

  • Protection. Kaspersky Security scans all files that the user or an application opens, saves, or launches on a virtual machine.
    • If the file is free of malware, Kaspersky Security will grant access to the file.
    • If malware is detected in the file, Kaspersky Security will perform the action that is specified in its settings. For example, it will delete the file or block access to the file.

    Kaspersky Security protects only powered-on virtual machines that meet all the conditions for virtual machine protection.

  • Scan. The application lets you perform a virus scan on files of virtual machines. Virtual machine files must be scanned regularly with new anti-virus databases to prevent the spread of malicious objects. You can perform an on-demand scan or specify a scan schedule.

    Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines. Kaspersky Security can scan virtual machine templates and powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.

  • Intrusion Prevention. Kaspersky Security lets you analyze network traffic of protected virtual machines and detect network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. When it detects an attempted network attack on a virtual machine or suspicious network activity, Kaspersky Security can terminate the connection and block traffic from the IP address from which the network attack or suspicious network activity originated.
  • Web addresses scan. Kaspersky Security lets you scan web addresses that are requested over the HTTP protocol by a user or application installed on the virtual machine. If Kaspersky Security detects a web address from one of the web address categories selected for detection, the application can block access to the web address. By default, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses.
  • Storing backup copies of files. The application allows storing backup copies of files that have been deleted or modified during disinfection. Backup copies of files are stored in Backup in a special format and pose no danger. If a disinfected file contained information that is partly or completely inaccessible after disinfection, you can attempt to save the file from its backup copy.
  • Application database update. Downloading updated application databases ensures up-to-date protection of the virtual machine against viruses and other malware. You can manually run an application database update or set a schedule for updating application databases.

Kaspersky Security is administered by Kaspersky Security Center, the remote centralized Kaspersky application administration system. You can use Kaspersky Security Center to:

  • Configure the application settings
  • Administer the application:
    • Manage virtual machine protection by using policies
    • Manage scan tasks
    • Manage license keys for the application
  • Update application databases
  • Work with backup copies of files in Backup
  • Generate application event reports

Kaspersky Security sends the Kaspersky Security Center Administration Server information about all events that occur during anti-virus protection and scanning of virtual machines, as well as information about events that occur when preventing intrusions and scanning web addresses.

Update functionality (including antivirus signature updates and codebase updates) and KSN functionality may not be available in the program in the United States.

[Topic 60184]

Distribution kit

For information about purchasing the application, please visit the Kaspersky website at http://www.kaspersky.com or contact our partners.

The distribution kit contains the files necessary for installing application components, including:

  • File for starting the Wizard for installing Kaspersky Security components (the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console).
  • File for starting the Wizard for installing the Kaspersky Security administration plug-in for tenants (this plug-in is required if you are using the application in multitenancy mode).
  • SVM (secure virtual machine) images with installed Kaspersky Security components.
  • MIB files that you can use to receive SVM status information with the aid of the SNMP Monitoring system.
  • File containing the text of the End User License Agreement detailing the terms on which you may use the application, and the text of the Privacy Policy describing the handling and transmission of data.

The contents of the distribution kit can vary from region to region.

Information required to activate the application is forwarded by email after payment.

[Topic 56683]

Hardware and software requirements

Requirements for Kaspersky Security Center components

For Kaspersky Security to operate in an organization's local network, one of the following versions of Kaspersky Security Center must be installed:

  • Kaspersky Security Center 13.1.
  • Kaspersky Security Center 12.
  • Kaspersky Security Center 11.

    When using Kaspersky Security Center 11, 12 or 13.1, Kaspersky Security can protect a virtual infrastructure managed by VMware vCloud Director (in a multitenancy mode) or a virtual infrastructure managed by one or more VMware vCenter Servers (multitenancy mode is not being used).

  • Kaspersky Security Center 10 Service Pack 3.

    When using Kaspersky Security Center 10 Service Pack 3, Kaspersky Security can protect a virtual infrastructure managed by one or more VMware vCenter Servers (multitenancy mode is not being used).

If you want to use Kaspersky Security in multitenancy mode, you need to install Kaspersky Security Center 11, 12 or 13.1.

The following Kaspersky Security Center components are required in order for the application to work:

  • Administration Server.
  • Administration Console.
  • Network Agent. This component is included in Kaspersky Security SVM images.

For Kaspersky Security Center installation instructions, see the Kaspersky Security Center documentation.

The operating system on which Kaspersky Security Center is installed must be compatible with the Integration Server component.

Software requirements for the Integration Server component

The computer must have one of the following operating systems to support installation and operation of the Integration Server component:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2 Datacenter / Standard / Essentials

The Microsoft .NET Framework 4.6.1 platform is required for installation of the Integration Server, Integration Server Console, and Kaspersky Security administration plug-in.

Software requirements for the File Threat Protection component

For the File Threat Protection component to work properly, the virtual infrastructure must meet the following software requirements:

  • Option 1:
    • VMware ESXi 6.7 hypervisor Update 3, VMware ESXi 6.5 hypervisor Update 3a or VMware ESXi 6.0 hypervisor Update 3a
    • VMware vCenter Server 6.7 Update 3, VMware vCenter Server 6.5 Update 3 or VMware vCenter Server 6.0 Update 3j
    • VMware NSX for vSphere 6.4.6
  • Option 2:
    • VMware ESXi 6.5 hypervisor Update 3a or VMware ESXi 6.0 hypervisor Update 3a
    • VMware vCenter Server 6.5 Update 3 or VMware vCenter Server 6.0 Update 3j
    • VMware NSX for vSphere 6.3.7

The File Threat Protection component ensures protection of virtual machines that have the following guest operating systems installed:

  • Windows desktop operating systems:
    • Windows 10
    • Windows 8.1
    • Windows 8
    • Windows 7 Service Pack 1
  • Windows server operating systems:
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2 without ReFS (Resilient File System) support
    • Windows Server 2012 without ReFS (Resilient File System) support
    • Windows Server 2008 R2 Service Pack 1

    On protected virtual machines running Windows operating systems, one of the following file systems must be used: FAT, FAT32, NTFS, ISO9660, UDF, CIFS.

  • Linux server operating systems:
    • Ubuntu Server 14.04 LTS (64-bit)
    • Red Hat Enterprise Linux Server 7 GA (64-bit)
    • SUSE Linux Enterprise Server 12 GA (64-bit)
    • CentOS 7 (64-bit)

    On protected virtual machines running Linux operating systems, one of the following file systems must be used:

    • Local file systems: EXT2, EXT3, EXT4, XFS, BTRFS, VFAT, ISO9660.
    • Network file systems: NFS, CIFS.

To protect virtual machines against file threats, you must install the Guest Introspection driver (NSX File Introspection Driver) on them.

To do so, you must install VMware Tools kit version 11.0.1 on virtual machines running a Windows operating system. When installing the VMware Tools package, you need to install the NSX File Introspection Driver component that is included in the package. The NSX File Introspection Driver component is not installed by default.

Special packages are provided for installation of the NSX File Introspection Driver component on virtual machines running a Linux operating system.

For information on the installation and update of VMware components, please refer to the VMware product documentation.

Software requirements for the Network Threat Protection component

For the Network Threat Protection component to work properly, the VMware virtual infrastructure must meet the following software requirements:

  • Option 1:
    • VMware ESXi 6.7 hypervisor Update 3, VMware ESXi 6.5 hypervisor Update 3a or VMware ESXi 6.0 hypervisor Update 3a
    • VMware vCenter Server 6.7 Update 3, VMware vCenter Server 6.5 Update 3 or VMware vCenter Server 6.0 Update 3j
    • VMware NSX for vSphere 6.4.6
  • Option 2:
    • VMware ESXi 6.5 hypervisor Update 3a or VMware ESXi 6.0 hypervisor Update 3a
    • VMware vCenter Server 6.5 Update 3 or VMware vCenter Server 6.0 Update 3j
    • VMware NSX for vSphere 6.3.7

The guest operating system requirements for protected virtual machines are the same as those of the File Threat Protection component.

You must install VMware Tools kit version 11.0.1 or open-vm-tools to protect virtual machines from network threats.

A current license for NSX for vSphere Advanced or NSX for vSphere Enterprise is required in order for the Network Threat Protection component to work.

The Network Threat Protection component protects only those virtual machines that use the E1000 or VMXNET3 network adapter.
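The per-VM prerequisites listed above decide whether a virtual machine is actually covered, so an inventory check for coverage gaps is worth running before relying on the protection. The following is an added example, not part of the Kaspersky documentation or product: the `VM` record, its field names and the sample inventory are constructed, and treating "version 11.0.1" as an exact match is an assumption, since the page does not say whether other versions qualify.

```python
from dataclasses import dataclass
from typing import Optional

# Prerequisites copied from the requirements on this page.
# Guest OS name prefix -> family (the 64-bit condition for Linux is not modelled).
GUEST_FAMILIES = {
    "Windows 10": "windows", "Windows 8": "windows",
    "Windows 7 Service Pack 1": "windows",
    "Windows Server 2019": "windows", "Windows Server 2016": "windows",
    "Windows Server 2012": "windows",
    "Windows Server 2008 R2 Service Pack 1": "windows",
    "Ubuntu Server 14.04": "linux",
    "Red Hat Enterprise Linux Server 7": "linux",
    "SUSE Linux Enterprise Server 12": "linux",
    "CentOS 7": "linux",
}
SUPPORTED_FS = {
    "windows": {"FAT", "FAT32", "NTFS", "ISO9660", "UDF", "CIFS"},
    "linux": {"EXT2", "EXT3", "EXT4", "XFS", "BTRFS", "VFAT", "ISO9660",
              "NFS", "CIFS"},
}
NTP_ADAPTERS = {"E1000", "VMXNET3"}
TOOLS_VERSION = "11.0.1"  # assumption: exact match with the version named above


@dataclass
class VM:
    """Hypothetical inventory record; not a VMware or Kaspersky type."""
    name: str
    powered_on: bool
    guest_os: str
    file_systems: tuple
    adapters: tuple
    tools_kind: Optional[str]     # "vmware-tools", "open-vm-tools" or None
    tools_version: Optional[str]
    fi_driver: bool               # NSX File Introspection Driver installed


def guest_family(vm):
    for prefix, family in GUEST_FAMILIES.items():
        if vm.guest_os.startswith(prefix):
            return family
    return None


def has_named_vmware_tools(vm):
    return vm.tools_kind == "vmware-tools" and vm.tools_version == TOOLS_VERSION


def file_gaps(vm):
    """Reasons the VM misses the File Threat Protection prerequisites."""
    gaps, family = [], guest_family(vm)
    if not vm.powered_on:
        gaps.append("powered off: no real-time file protection")
    if family is None:
        gaps.append(f"guest OS not in supported list: {vm.guest_os}")
    else:
        bad = sorted(fs for fs in vm.file_systems
                     if fs.upper() not in SUPPORTED_FS[family])
        if bad:
            gaps.append("unsupported file system: " + ", ".join(bad))
    if not vm.fi_driver:
        gaps.append("NSX File Introspection Driver not installed")
    if family == "windows" and not has_named_vmware_tools(vm):
        gaps.append("VMware Tools 11.0.1 not installed")
    return gaps


def network_gaps(vm):
    """Reasons the VM misses the Network Threat Protection prerequisites."""
    gaps = []
    if guest_family(vm) is None:
        gaps.append(f"guest OS not in supported list: {vm.guest_os}")
    bad = sorted(a for a in vm.adapters if a.upper() not in NTP_ADAPTERS)
    if bad:
        gaps.append("adapter not E1000/VMXNET3: " + ", ".join(bad))
    if not (has_named_vmware_tools(vm) or vm.tools_kind == "open-vm-tools"):
        gaps.append("no VMware Tools 11.0.1 or open-vm-tools")
    return gaps


def audit(inventory):
    """Return {vm name: {"file": [...], "network": [...]}} for VMs with gaps."""
    report = {}
    for vm in inventory:
        gaps = {"file": file_gaps(vm), "network": network_gaps(vm)}
        if gaps["file"] or gaps["network"]:
            report[vm.name] = gaps
    return report


# Constructed sample inventory.
INVENTORY = [
    VM("web01", True, "Windows Server 2019", ("NTFS",), ("VMXNET3",),
       "vmware-tools", "11.0.1", True),
    VM("fs02", True, "Windows Server 2016", ("NTFS", "ReFS"), ("E1000E",),
       "vmware-tools", "11.0.1", False),  # driver is not installed by default
    VM("db03", True, "CentOS 7.6", ("XFS",), ("VMXNET3",),
       "open-vm-tools", None, True),
    VM("old04", False, "Ubuntu Server 18.04 LTS", ("EXT4",), ("VMXNET3",),
       None, None, False),
]

if __name__ == "__main__":
    for name, gaps in audit(INVENTORY).items():
        print(name, gaps)
```
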

Software requirements for operation in the multitenancy mode

The VMware vCloud Director 9.7.0.3 for Service Providers component must be installed in the virtual infrastructure for the application to operate in multitenancy mode.

Hardware requirements

The application distribution kit includes several SVM (secure virtual machine) images with the File Threat Protection component installed and several SVM images with the Network Threat Protection component installed. You can use these images to deploy SVMs with the necessary configuration.

Depending on the selected configuration for an SVM with the File Threat Protection component, the following minimum system resources are required:

| Configuration | Number of processors | Allocated RAM size, GB | Available disk space, GB |
|---|---|---|---|
| 2 CPU 2 GB RAM | 2 | 2 | 42 |
| 2 CPU 4 GB RAM | 2 | 4 | 44 |
| 2 CPU 8 GB RAM | 2 | 8 | 48 |
| 4 CPU 4 GB RAM | 4 | 4 | 44 |
| 4 CPU 8 GB RAM | 4 | 8 | 48 |

Depending on the selected configuration for an SVM with the Network Threat Protection component, the following minimum system resources are required:

| Configuration | Number of processors | Allocated RAM size, GB | Available disk space, GB |
|---|---|---|---|
| 2 CPU 1 GB RAM | 2 | 1 | 26 |
| 4 CPU 2 GB RAM | 4 | 2 | 27 |
| 8 CPU 4 GB RAM | 8 | 4 | 29 |

The computer must meet the following minimum hardware requirements to support installation and operation of the Integration Server:

  • 3 GB of available disk space
  • Available RAM:
    • For operation of the Integration Server Console – 50 MB.
    • For operation of the Integration Server that serves no more than 30 hypervisors and 2,000 to 2,500 protected virtual machines – 300 MB. RAM size may change depending on the size of the VMware virtual infrastructure.

For the hardware requirements of Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.

See the VMware product documentation for hardware requirements for the VMware virtual infrastructure.

For hardware requirements for the Windows operating system, see Windows product documentation.

[Topic 62689]

What’s new

New features in Kaspersky Security for Virtualization 6.0 Agentless include:

  • New operation mode for the application – multitenancy mode. In an infrastructure managed by a VMware vCloud Director server, Kaspersky Security can be used to protect isolated virtual infrastructures, such as virtual Datacenters corresponding to vCloud Director organizations. In multitenancy mode, one instance of the application installed in the anti-virus protection provider's infrastructure allows multiple tenants of a cloud infrastructure (tenant organizations or divisions of one organization) to independently manage the protection of their own virtual infrastructure.

    Virtual Administration Servers of Kaspersky Security Center are used to manage protection of tenants. The provider's administrator creates a separate virtual Administration Server for each tenant and provides the tenant's administrator with access to it. The tenant's administrator can use the virtual Administration Server and administration plug-in for tenants to manage File Threat Protection of their virtual infrastructure. The provider handles management of network protection, application database updates, application activation, and management of file copies placed in Backup.

  • Extended functionality of the Network Threat Protection component:
    • When scanning web addresses, Kaspersky Security can use information about the reputation of web resources received from Global KSN.
    • You can now scan web addresses to check if they belong to the advertising web addresses category, or to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data.
    • You can now view the list of network threat sources that were blocked as a result of operation of each SVM with the Network Threat Protection component. In this list you can unblock traffic from selected IP addresses without waiting for them to be automatically unblocked.
  • The capabilities for scanning and protecting virtual machines have been expanded:
    • Support for environment variables has been added to the lists of exclusions from scanning and protection. Scan tasks and policies now let you use Windows environment variables to set the path to objects excluded from the scan scope or protection scope.
    • Scan tasks now let you select the action that Kaspersky Security performs when it detects infected files on powered-off virtual machines or virtual machine templates. You can configure separate actions to be taken when a threat is detected on powered-on virtual machines and when a threat is detected on powered-off virtual machines.
  • A policy provides a new method for assigning file protection settings to objects of the protected infrastructure (only for a virtual infrastructure managed by one VMware vCenter Server). You can assign file protection settings by mapping protection profiles to NSX Profile Configurations.
  • There is now the capability to use network data storage for storing backup copies of files that have been moved to Backups on SVMs. To prevent deletion of backup copies of files when deleting or updating SVMs, you can configure the use of network data storage for SVMs. If the use of network data storage is enabled, backup copies of files are stored on SVMs and in the network data storage.
  • You now have the capability to check the integrity of application components by using the integrity check tool.

[Topic 56684]

Application architecture

Kaspersky Security is supplied as two images of SVM (secure virtual machine):

  • Image of the SVM with the File Threat Protection component
  • Image of the SVM with the Network Threat Protection component

An SVM (secure virtual machine) is a virtual machine on which a component of Kaspersky Security is installed. An SVM is deployed on a VMware ESXi hypervisor. For protection and scanning, the application does not need to be installed on each virtual machine.

Kaspersky Security components are registered as services in VMware NSX Manager:

  • The File Threat Protection component is registered as a file system protection service (Kaspersky File Antimalware Protection).
  • The Network Threat Protection component is registered as a network protection service (Kaspersky Network Protection).

Kaspersky Security services are deployed on the VMware cluster during installation of the application. When Kaspersky Security services are deployed, SVMs with Kaspersky Security components are deployed on each hypervisor in the cluster (see the figure below).

Figure: Application architecture

SVMs with the File Threat Protection component provide the following:

SVMs with the Network Threat Protection component provide protection against network threats for all virtual machines that meet the conditions for protection of virtual machines against network threats.

The Integration Server component enables interaction between the VMware virtual infrastructure and Kaspersky Security components.

The application is managed through Kaspersky Security Center, which is the remote centralized system for managing Kaspersky applications. Kaspersky Security interacts with Kaspersky Security Center via Network Agent, which is a component of Kaspersky Security Center. Network Agent is included in the SVM image.

The Kaspersky Security main administration plug-in provides the interface for managing the Kaspersky Security application through Kaspersky Security Center. If the application is operating in multitenancy mode, the Kaspersky Security administration plug-in for tenants is also required for application management.

Kaspersky Security administration plug-ins are included in the Kaspersky Security distribution kit.

Kaspersky Security administration plug-ins must be installed on the computer hosting the Kaspersky Security Center Administration Console.

[Topic 60457]

Contents of the Kaspersky Security SVM images

The image of an SVM with the File Threat Protection component includes the following:

  • CentOS 7.6 operating system.
  • File Threat Protection component of Kaspersky Security.
  • EPSEC library. A component provided by VMware. The EPSEC library provides access to the files on virtual machines protected by Kaspersky Security.
  • Network Agent. A component of Kaspersky Security Center. Network Agent interacts with the Kaspersky Security Center Administration Server enabling Kaspersky Security Center to manage Kaspersky Security.

The image of an SVM with the Network Threat Protection component includes the following:

  • CentOS 7.6 operating system.
  • Network Threat Protection component of Kaspersky Security.
  • Guest Introspection SDK. A component provided by VMware. Guest Introspection SDK enables monitoring network traffic of virtual machines at the network packet level and creating virtual filters.
  • Network Agent. A component of Kaspersky Security Center. Network Agent interacts with the Kaspersky Security Center Administration Server enabling Kaspersky Security Center to manage Kaspersky Security.

[Topic 60881]

Application usage options

Protecting a virtual infrastructure managed by one or more VMware vCenter Servers

SVMs with Kaspersky Security components are deployed on VMware ESXi hypervisors managed by one or more standalone VMware vCenter Servers and protect the virtual machines running on these hypervisors. The application operates in normal mode.

The Kaspersky Security main administration plug-in is required for application management. You can use the main administration plug-in to configure individual settings for protecting a virtual infrastructure managed by each VMware vCenter Server or general settings for protecting the entire virtual infrastructure.

Protecting a virtual infrastructure managed by VMware vCloud Director

SVMs with Kaspersky Security components are deployed on VMware ESXi hypervisors managed by VMware vCenter Servers connected to the VMware vCloud Director Server. SVMs can protect all virtual machines operating within the virtual infrastructure, including virtual machines that are part of a vCloud Director organization.

This application usage option lets you protect isolated virtual infrastructures of tenant organizations or divisions of one organization (hereinafter also referred to as "tenants"). The application operates in multitenancy mode, which means that one instance of the application installed in the infrastructure of the anti-virus protection provider (hereinafter also referred to as the "provider") simultaneously provides multiple tenants with the capability for independent management of the protection of their virtual infrastructure.

The Kaspersky Security main administration plug-in and administration plug-in for tenants are required for application management. The main administration plug-in lets you configure the general application settings, Network Threat Protection settings, and the File Threat Protection settings of those virtual machines that are not part of vCloud Director organizations, such as the virtual machines of the provider. The administration plug-in for tenants lets you configure the individual settings of File Threat Protection for each tenant.

Virtual Administration Servers of Kaspersky Security Center are used to manage protection of tenants. The provider's administrator creates a separate virtual Administration Server for each tenant and provides the tenant's administrator with access to it. The tenant's administrator can use the virtual Administration Server and administration plug-in for tenants to manage File Threat Protection of their virtual infrastructure. The provider handles management of network protection, application database updates, application activation, and management of file copies placed in Backup.

The provider's administrator can obtain information about the protection of tenants' virtual machines by utilizing the report available on the Integration Server. However, report generation is disabled by default. To find out how to enable data logging to a report and export the report to a file in CSV format, please refer to the Knowledge Base.

The application installation procedure depends on the selected application usage option. It is recommended to select the application usage option before starting the installation. If you decide to switch to using the application in multitenancy mode after installing the application in an infrastructure managed by one or more VMware vCenter Servers, to ensure correct operation of the application you need to perform the additional steps described in the Knowledge Base.

[Topic 90794]

Integration of Kaspersky Security components with VMware virtual infrastructure

Requirements for integration of Kaspersky Security components with VMware virtual infrastructure:

  • Virtual infrastructure administration server (VMware vCenter Server, VMware vCloud Director). The component performs administration and centralized management of a VMware virtual infrastructure. The component participates in the deployment of Kaspersky Security. The virtual infrastructure administration server sends the Integration Server information about the VMware virtual infrastructure that is required for operation of the application.
  • VMware NSX Manager. The component enables registration and deployment of Kaspersky Security services.
  • Virtual filter (VMware DVFilter). This component lets you intercept incoming and outgoing network packets in the traffic of protected virtual machines.
  • Guest Introspection driver (NSX File Introspection Driver). The component collects data on virtual machines and transmits files to Kaspersky Security for scanning. To enable Kaspersky Security to protect virtual machines, the NSX File Introspection Driver must be installed on these virtual machines. For more details please refer to documentation attached to VMware products.

  • Guest Introspection service and Guest Introspection ESXi Module. The components enable interaction between SVMs and the Guest Introspection driver installed on the virtual machine.

The File Threat Protection component interacts with the VMware virtual infrastructure in the following way:

  1. The user or any application opens, saves, or runs files on a virtual machine that is protected by Kaspersky Security.
  2. The Guest Introspection driver intercepts information about these events and relays it to the Guest Introspection service.
  3. The Guest Introspection service relays information about received events to the File Threat Protection component installed on the SVM.
  4. The File Threat Protection component scans files that the user or an application opens, saves, or runs on a protected virtual machine:
    • If no viruses or other malware are detected in the files, Kaspersky Security grants access to the files.
    • If the files contain viruses or other malware, Kaspersky Security performs the action that is specified in the settings of the protection profile assigned to this virtual machine. For example, Kaspersky Security disinfects or blocks a file.

Interaction between the Network Threat Protection component and the VMware virtual infrastructure depends on the traffic processing mode that you selected during registration of the network protection service (Kaspersky Network Protection). If you selected the standard traffic processing mode, the Network Threat Protection component interacts with the VMware virtual infrastructure as follows:

  1. The virtual filter (VMware DVFilter) intercepts inbound and outbound network packets in the traffic of protected virtual machines and redirects them to the Network Threat Protection component installed on SVMs.
  2. The Network Threat Protection component scans network packets to detect activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure, and scans all web addresses in requests over the HTTP protocol to check if they belong to the web address categories that should be detected according to the Web Addresses Scan settings.

    If Kaspersky Security does not detect a network attack, or suspicious network activity, or a web address belonging to the web address categories selected for detection, it allows transfer of the network packet.

    If a network threat is detected, Kaspersky Security does the following:

    • If activity typical of network attacks is detected, Kaspersky Security will perform the action that is specified in the settings of the policy. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If suspicious network activity is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If a web address belongs to one or more of the web address categories selected for detection, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows access to the web address.

If you selected monitoring mode during registration of the network protection service (Kaspersky Network Protection), the Network Threat Protection component receives a copy of the traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

[Topic 90409]

About the Integration Server

The Integration Server is a Kaspersky Security component that enables interaction between Kaspersky Security components and a VMware virtual infrastructure.

The Integration Server is used for performing the following tasks:

  • Registration of Kaspersky Security services in VMware NSX Manager: the file system protection service (Kaspersky File Antimalware Protection) and the network protection service (Kaspersky Network Protection). Kaspersky Security services are required for installation of application components in a VMware infrastructure.

    The settings required for registration and deployment of Kaspersky Security services are entered in a Wizard that is started from the Integration Server Console.

  • Configuring new SVMs and reconfiguring previously deployed SVMs. The Integration Server sends SVMs the settings that you specify in the Integration Server Console.
  • Retrieval of information about a virtual infrastructure (about hypervisors and virtual machines operating on each hypervisor) from VMware vCenter Server and transmission of retrieved information to application components. The Kaspersky Security administration plug-in and SVMs query the Integration Server for information about the virtual infrastructure.
  • Configuring the list of mappings of vCloud Director organizations to virtual Administration Servers of Kaspersky Security Center. If you are using Kaspersky Security in multitenancy mode, to protect the virtual infrastructure of each tenant organization, you must map a virtual Administration Server to the vCloud Director organization containing the virtual machines of the tenant. The list of mappings is configured in the Integration Server Console.

During its operation, the Integration Server saves the following information:

  • Integration Server connection settings, including passwords for Integration Server accounts
  • Settings for connecting the Integration Server to VMware vCenter Server, VMware vCloud Director, and VMware NSX Manager
  • SVM configuration settings, including passwords of the root user account and klconfig user account used on SVMs
  • List of protected virtual machines, including the time of last events that occurred during protection and scanning of file system objects and during scanning of network traffic and web addresses

All data except the list of protected virtual machines is securely stored. Information is stored on the computer on which Integration Server is installed and is not sent to Kaspersky.

[Topic 62775]

About Integration Server Console

The Integration Server Console contains the following sections:

Integration Server settings section

In this section, you can view information about the Integration Server.

Integration Server user accounts section

In this section, you can change the passwords of accounts that are used to connect to the Integration Server.

Virtual infrastructure protection section

This section opens by default after the Integration Server Console is started. In this section, you can configure the connection of the Integration Server to virtual infrastructure administration servers (VMware vCenter Server and VMware vCloud Director), define or change the settings for registering and deploying Kaspersky Security services, or unregister Kaspersky Security services.

The table displays all virtual infrastructure administration servers (VMware vCenter Server and VMware vCloud Director) for which a connection is configured for the Integration Server.

The following buttons are provided above the table:

  • The Add button opens the Connection to virtual infrastructure window. In this window, you can select the type of virtual infrastructure administration servers to which you need to configure a connection, and enter the settings for connecting to the VMware vCenter Server or VMware vCloud Director: IP address in IPv4 format or fully qualified domain name (FQDN), name and password of the account used by the Integration Server to connect to the server.
  • The Refresh button lets you update the status of interaction between the Integration Server and the virtual infrastructure.

For each VMware vCenter Server, the following information is displayed in the table:

  • IP address in IPv4 format or fully qualified domain name (FQDN) of the VMware vCenter Server.
  • Group of settings containing connection error messages (if any) and a list of actions that you can perform when configuring the connection to this VMware vCenter Server and for subsequent deployment of protection of the virtual infrastructure managed by this VMware vCenter Server. You can expand or collapse the list of possible actions for each VMware vCenter Server by clicking on the address or name of the server.
  • Information about deployment of protection on VMware clusters managed by this VMware vCenter Server, presented in the format N/M, where:
    • N is the number of VMware ESXi hypervisors on which the file system protection service (Kaspersky File Antimalware Protection) is deployed, or a dash if the service is not registered in VMware NSX Manager.
    • M is the number of VMware ESXi hypervisors on which the network protection service (Kaspersky Network Protection) is deployed, or a dash if the service is not registered in VMware NSX Manager.

    The total number of VMware ESXi hypervisors managed by this VMware vCenter Server is indicated in parentheses.

The table displays the following information for each VMware vCloud Director Server:

  • IP address in IPv4 format or fully qualified domain name (FQDN) of the VMware vCloud Director server.
  • Group of settings containing connection error messages (if any) and a list of actions that you can perform when configuring the connection to this VMware vCloud Director and for subsequent deployment of protection of the virtual infrastructure managed by this VMware vCloud Director. You can expand or collapse the list of possible actions for each VMware vCloud Director server by clicking on the address or name of the server.

If no connection could be established with the VMware vCenter Server, VMware vCloud Director, or VMware NSX Manager, the table shows a warning.

If a connection error occurs because the certificate received from the VMware vCenter Server, VMware vCloud Director, or VMware NSX Manager is not trusted for the Integration Server, but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the link in the problem description to open the Certificate validation window and click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

The table also displays a warning if redirection of traffic to the network protection service (Kaspersky Network Protection) is disabled in one or more NSX security policies that are configured to use Kaspersky Security services. If you want to protect virtual machines against network threats, you need to enable redirection of traffic to the network protection service in NSX security policies (Redirect to service setting).

List of possible actions for the VMware vCenter Server:

  • Register Kaspersky Security services – starts the Wizard that lets you enter the settings necessary for registering Kaspersky Security services in VMware NSX Manager and deploying those services on VMware clusters, and for configuring new SVMs. When you have finished entering the settings, Integration Server registers the Kaspersky Security services in VMware NSX Manager.
  • Change settings of Kaspersky Security – starts the Wizard that lets you change the connection settings for interaction between the Integration Server and VMware NSX Manager, specify or change SVM images for the file system protection service (Kaspersky File Antimalware Protection) and/or the network protection service (Kaspersky Network Protection), and change the SVM configuration settings that are applied on new SVMs and on previously deployed SVMs. When you have finished entering the settings, the Integration Server applies the new settings and, if necessary, re-registers the Kaspersky Security services in VMware NSX Manager.
  • Unregister Kaspersky Security services – opens a window in which you can specify the Kaspersky Security service that you need to unregister in VMware NSX Manager. You can unregister one or both Kaspersky Security services. Unregistration is performed by the Integration Server.

    Kaspersky Security services can be unregistered only if all SVMs have been removed from VMware clusters and services are not being used in NSX Security Policies. Removal of SVMs and configuration of NSX Security Policies is performed in the VMware vSphere Web Client console.

  • Change VMware vCenter Server connection settings – opens the Connection to virtual infrastructure window in which you can change the settings for connecting the Integration Server to a VMware vCenter Server.
  • Remove VMware vCenter Server from the list – opens a window in which you can confirm deletion of the settings for connecting the Integration Server to this VMware vCenter Server. The VMware vCenter Server will be removed from the list of virtual infrastructure administration servers to which the Integration Server connects.

    Removing a VMware vCenter Server from the list is possible only if Kaspersky Security services are not registered in VMware NSX Manager.

List of available actions for VMware vCloud Director:

  • Map vCloud Director organizations – opens the vCloud Director organizations to virtual administration Servers mapping list window in which you can map vCloud Director organizations containing virtual machines of tenants to virtual Administration Servers of Kaspersky Security Center.
  • Change VMware vCloud Director connection settings – opens the Connection to virtual infrastructure window in which you can change the settings for connecting the Integration Server to VMware vCloud Director.
  • Remove VMware vCloud Director from list – opens a window in which you can confirm deletion of the settings for connecting the Integration Server to this VMware vCloud Director. The VMware vCloud Director Server will be removed from the list of virtual infrastructure administration servers to which the Integration Server connects.

Manage protection of tenant organizations section

This section is used only if the application is operating in multitenancy mode.

In this section, you can do the following:

  • Connect the Integration Server to the Kaspersky Security Center Administration Server.

    The Integration Server connects to the Kaspersky Security Center Administration Server to receive information about virtual Administration Servers created in Kaspersky Security Center, and to map virtual Administration Servers to vCloud Director organizations that contain virtual machines of tenants.

  • View or configure the list of mappings between vCloud Director organizations containing virtual machines of tenants and virtual Administration Servers of Kaspersky Security Center.

    A vCloud Director organization must be mapped to a virtual Administration Server so that Kaspersky Security can be used to protect virtual machines that are part of the vCloud Director organization.

[Topic 172641]

About data processing

During their operation, Kaspersky Security components may save and send to other application components (and to Kaspersky Security Center) the following information that may contain personal data:

  • To generate reports and events, SVMs send information about application operation to the Kaspersky Security Center Administration Server. The transmitted information may include the names of processed files and paths to them in the file system, the names and addresses of virtual machines, and processed web addresses.
  • To ensure the capability to work with Backup objects via Kaspersky Security Center, SVMs send the Kaspersky Security Center Administration Server information about objects that have been placed in Backup. The transmitted information may include the object name and path to it in the file system. If requested by the administrator, the objects placed in Backup may also be sent to Kaspersky Security Center.
  • While tasks are running, SVMs send information about task settings and results to the Kaspersky Security Center Administration Server.
  • SVMs send a list of protected virtual machines to the Kaspersky Security Center Administration Server to be displayed in the Kaspersky Security Center Administration Console. The transmitted information may include the name of the protected virtual machine and the path to it in the virtual infrastructure.
  • SVMs receive the policy-defined operating settings from the Kaspersky Security Center Administration Server. The transmitted information may include file paths and web addresses.
  • While SVMs are being configured, the Integration Server sends the SVMs the user-defined root and klconfig account passwords, the network data storage connection settings for SVMs, the IP address of the Integration Server, and the settings for connecting to the Integration Server and to the Kaspersky Security Center Administration Server.
  • To support the operation of the application, the Integration Server receives information about the virtual infrastructure from the VMware vCenter Server and sends that information to SVMs.

The specified information is transmitted over encrypted data channels.

[Topic 83439]

Managing the application via Kaspersky Security Center

Kaspersky Security for Virtualization 6.0 Agentless is controlled via Kaspersky Security Center, a centralized system that enables remote administration of Kaspersky applications. In the case of Kaspersky Security for Virtualization 6.0 Agentless, a client device of Kaspersky Security Center is an SVM. Protected virtual machines are not considered client devices from the perspective of Kaspersky Security Center because the Kaspersky Security Center Network Agent is not installed on them.

After Kaspersky Security has been installed in the virtual infrastructure, SVMs send their details to Kaspersky Security Center. Based on this information, Kaspersky Security Center combines SVMs into KSC clusters (Kaspersky Security Center clusters):

  • The "VMware vCenter Agentless" cluster is a KSC cluster that corresponds to the standalone VMware vCenter Server. This cluster contains all SVMs deployed on VMware ESXi hypervisors managed by one standalone VMware vCenter Server.

    The KSC cluster corresponding to the VMware vCenter Server is assigned the name VMware vCenter '<name>' (<IP address or domain name>) Agentless, where:

    • <name> is the name of the VMware vCenter Server corresponding to this KSC cluster. If the name of the VMware vCenter Server is not defined or matches its IP address, the name is omitted.
    • <IP address or domain name> is the IP address or domain name of the VMware vCenter Server corresponding to this KSC cluster.

    Virtual machines that are managed by this VMware vCenter Server form the protected infrastructure of the "VMware vCenter Agentless" cluster.

  • The "VMware vCloud Director Agentless" cluster is a KSC cluster corresponding to the VMware vCloud Director server. This cluster contains all SVMs deployed on VMware ESXi hypervisors under all VMware vCenter Servers connected to one VMware vCloud Director.

    The name VMware vCloud Director (<IP address or domain name>) Agentless is assigned to the KSC cluster corresponding to the VMware vCloud Director server (<IP address or domain name> refers to the IP address or domain name of the VMware vCloud Director corresponding to this KSC cluster).

    Virtual machines that are managed by VMware vCenter Servers connected to this VMware vCloud Director Server, including virtual machines within vCloud Director organizations, form the protected infrastructure of the "VMware vCloud Director Agentless" cluster corresponding to the VMware vCloud Director.

Kaspersky Security Center creates a separate administration group for each KSC cluster in the Managed devices folder of the Administration Console and assigns the name of the KSC cluster to this group. When an administration group with the name of a KSC cluster is selected in the console tree, the Devices tab in the workspace displays a list of SVMs belonging to this KSC cluster.

You can open the cluster properties window by selecting the Clusters and server arrays subfolder within the folder of the administration group named after the KSC cluster. In the properties window of the KSC cluster, you can view the following:

Kaspersky Security is managed through Kaspersky Security Center by using policies and tasks:

For more detailed information about policies and tasks, please refer to the Kaspersky Security Center documentation.

In this Help section

About Kaspersky Security policies

About Kaspersky Security protection profiles

About managing policies

Special considerations when using Kaspersky Security policies

About Kaspersky Security tasks

About task management

About access rights to the settings of policies and tasks

[Topic 60176]

About Kaspersky Security policies

When configuring virtual infrastructure protection, it is recommended to account for the specific features of Kaspersky Security policies.

The policy protection scope (the set of virtual machines for which a policy can be used for protection) depends on the type of policy, the protected infrastructure that was selected during configuration of the policy, and the policy application scope (the set of SVMs on which the policy is applied).

Kaspersky Security policy types

The following types of policies are provided for Kaspersky Security:

  • Main policy. This policy lets you configure the settings for virtual machine file threat protection using protection profiles, network threat protection settings, and the following application settings:

    If the application is operating in multitenancy mode, the main policy determines the Network Threat Protection settings for all virtual machines and the File Threat Protection settings for virtual machines that are not part of vCloud Director organizations.

    It is recommended to create main policies on the main Administration Server of Kaspersky Security Center. Main policies are created using the Kaspersky Security main administration plug-in.

  • Tenant policy (used only if the application is operating in multitenancy mode). This policy lets you configure the settings of protection for virtual machines that are part of vCloud Director organizations. You can use this policy to define the following settings:
    • Settings of notifications about events that occur when protecting and scanning virtual machines of a tenant (only in a policy that was created on the main Administration Server of Kaspersky Security Center).
    • Individual file protection settings for virtual machines of the tenant.
    • KSN usage settings for the tenant organization.

    You can create tenant policies on the main Administration Server or on virtual Administration Servers of Kaspersky Security Center by using the Kaspersky Security administration plug-in for tenants.

Protected infrastructure of a policy

Depending on the protected infrastructure that you select when configuring a policy, the following policies are distinguished:

  • Policy for one VMware vCenter Server – lets you configure the settings for protecting a virtual infrastructure managed by one VMware vCenter Server.
  • Policy for the entire protected infrastructure – lets you configure the settings for protecting a virtual infrastructure managed by all VMware vCenter Servers to which the Integration Server connects.

Policy application scope

In Kaspersky Security, a policy is applied on SVMs. Each SVM can protect only the virtual machines running on the same hypervisor where the SVM is deployed. Therefore, the policy protection scope (set of virtual machines for which a policy can be used for protection) depends on the policy application scope (set of SVMs on which the policy is applied).

The policy application scope is determined by the location of the policy within the hierarchy of Kaspersky Security Center administration groups. A policy is applied on SVMs as follows:

  • The main policy in an administration group containing a KSC cluster is applied on all SVMs of this KSC cluster.
  • The main policy in an administration group or folder that is the parent in relation to the groups containing KSC clusters is applied on all SVMs of child KSC clusters.
  • The tenant policy on a virtual Administration Server created in the group of the "VMware vCloud Director Agentless" cluster corresponding to the VMware vCloud Director is applied on all SVMs of this KSC cluster.

Inheriting policy settings

According to the order of inheritance of Kaspersky Security Center policies, by default the settings of policies are transferred to policies of nested administration groups and subordinate Administration Servers (for more details, please refer to the Kaspersky Security Center documentation). The settings and settings groups of policies have a "lock" attribute that shows whether or not you are allowed to change these settings in nested policies. If a setting or a group of settings in a policy is "locked" (Lock), the values of these settings are passed down to nested policies and cannot be redefined there.

[Topic 83441]

About Kaspersky Security protection profiles

The following protection profiles are provided in Kaspersky Security policies:

  • The main protection profile is automatically created when a policy is created. Although the main protection profile cannot be deleted, you can edit its settings.
  • You can create additional protection profiles after creating a policy. Additional protection profiles let you flexibly configure different protection settings for different virtual machines within the protected infrastructure. A policy can contain multiple additional protection profiles.

You can configure the following File Threat Protection settings in protection profiles:

  • Security level. You can select one of the preset security levels (High, Recommended, Low) or configure your own security level (Custom). The security level defines the following scan settings:
    • Scanning of archives, self-unpacking archives, embedded OLE objects, and compound files
    • Restriction on file scan duration
    • List of objects to detect
  • Action that Kaspersky Security performs after detecting infected files.
  • Protection scope (scanning of network drives during protection of virtual machines).
  • Exclusions from protection (by name, by file extension or full path, by file mask or path to the folder containing files to be skipped).

A protection profile can be assigned to an individual VMware virtual infrastructure object or to the root element of the protected infrastructure, which can include an Integration Server, for example (see the figure below).

Protection profiles


By default, a protection profile assigned to the root element of a protected infrastructure is inherited by all child elements of the protected infrastructure (for example, by all VMware vCenter Servers to which the Integration Server connects). Protection profiles are also inherited according to the hierarchy of VMware virtual infrastructure objects: by default, the protection profile assigned to a virtual infrastructure object is inherited by all of its child objects, including by virtual machines. You can either assign a specific protection profile to a virtual machine, or let it inherit the protection profile that is used by its parent object.

In the main policy, which determines the protection settings for a virtual infrastructure managed by one VMware vCenter Server, you can directly assign protection profiles to virtual infrastructure objects or use NSX Profile Configurations to assign file protection settings.

Only one protection profile may be assigned to a single virtual infrastructure object. Kaspersky Security protects virtual machines according to the settings that are specified in the protection profile assigned to these virtual machines.

Virtual infrastructure objects that have no assigned protection profile are excluded from protection.

If you exclude a virtual infrastructure object from protection, all child objects are also excluded from protection by default. You can indicate whether or not to exclude child objects that have been assigned their own protection profile.

Protection profile inheritance makes it possible to simultaneously assign identical protection settings to multiple virtual machines or exclude them from protection. For example, you can assign identical protection profiles to the virtual machines within a VMware cluster or resource pool.
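The inheritance and exclusion rules described above can be checked against an inventory before a policy is applied, to find virtual machines that would end up without file protection. The following Python model is an added example, not Kaspersky code and not part of the product: the Node structure, the object names, and the profile names Main and Strict are constructed, and it assumes that an exclusion with the child option enabled overrides profiles assigned further down the hierarchy.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Node:
    """One object of the protected infrastructure (hypothetical model)."""
    name: str
    kind: str                                # "root", "vcenter", "cluster", "pool", "vm"
    profile: Optional[str] = None            # explicitly assigned profile; None = inherit
    excluded: bool = False                   # object excluded from protection
    exclude_children_with_own_profile: bool = False  # only read when excluded
    children: List["Node"] = field(default_factory=list)


def resolve(node: Node, inherited: Optional[str] = None, forced: bool = False,
            path: str = "", out: Optional[Dict[str, Optional[str]]] = None):
    """Return {vm path: effective profile name, or None if unprotected}."""
    out = {} if out is None else out
    path = f"{path}/{node.name}"
    if forced:
        # An ancestor was excluded together with children that have own profiles.
        effective = None
    elif node.excluded:
        effective = None
        forced = node.exclude_children_with_own_profile
    elif node.profile is not None:
        # Only one profile per object: an own assignment replaces the inherited one.
        effective = node.profile
    else:
        # No own assignment: inherit from the parent (None means nothing to inherit).
        effective = inherited
    if node.kind == "vm":
        out[path] = effective
    for child in node.children:
        resolve(child, effective, forced, path, out)
    return out


def unprotected(root: Node) -> List[str]:
    """Paths of virtual machines that are excluded from file protection."""
    return sorted(p for p, prof in resolve(root).items() if prof is None)


def sample_tree() -> Node:
    """Constructed inventory; the root has no profile assigned."""
    return Node("integration-server", "root", children=[
        Node("vc-01", "vcenter", profile="Main", children=[
            Node("prod", "cluster", children=[
                Node("web-01", "vm"),                    # inherits Main
                Node("db-01", "vm", profile="Strict"),   # own profile
            ]),
            Node("lab", "cluster", excluded=True, children=[
                Node("lab-01", "vm"),                    # excluded with parent
                Node("lab-02", "vm", profile="Main"),    # own profile is kept
            ]),
            Node("decom", "pool", excluded=True,
                 exclude_children_with_own_profile=True, children=[
                Node("old-01", "vm", profile="Strict"),  # own profile is overridden
            ]),
        ]),
        Node("vc-02", "vcenter", children=[
            Node("jump-01", "vm"),                       # nothing to inherit
        ]),
    ])


if __name__ == "__main__":
    for vm_path, prof in sorted(resolve(sample_tree()).items()):
        print(f"{vm_path}: {prof or 'EXCLUDED FROM PROTECTION'}")
```
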

[Topic 58474]

About managing policies

Policies are created by using the Wizard, which is started by clicking the New policy button located in the workspace of the folder or administration group on the Policies tab.

In a folder or administration group, you can create multiple policies but only one of them can be active. When you create a new active policy, the previous active policy becomes inactive.

You can change the settings of a policy after its creation in the policy properties window.

To open the policy properties window:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which the policy was created.
  2. In the workspace, select the Policies tab.
  3. In the list of policies, select the policy and open the Properties: <Policy name> window by double-clicking on the policy or by selecting Properties in the context menu.

You can also perform the following actions with policies:

  • Copy policies from one folder or administration group into another.
  • Export policies to a file and import policies from a file.
  • Convert policies of the previous version of the application.
  • Delete policies.

For more information about managing policies, see Kaspersky Security Center documentation.

[Topic 58063]

Special considerations when using Kaspersky Security policies

Main policy in the Managed devices folder of the main Administration Server

This policy is automatically created using the Quick Start Wizard for the managed application after installing the Kaspersky Security main administration plug-in. You can also create such a policy manually using the Policy Wizard.

The policy is applied on all SVMs of all KSC clusters.

The entire protected infrastructure must be selected as the protected infrastructure for this policy. The Integration Server serves as the root element of the protected infrastructure.

The scope of this policy includes the following virtual machines:

  • File protection applies to all virtual machines within the protected infrastructure of the policy, except for virtual machines that are part of vCloud Director organizations.
  • Network protection applies to all virtual machines within the protected infrastructure of the policy (including virtual machines that are part of vCloud Director organizations).

File protection and network protection are disabled by default.

To enable file protection, you need to assign protection profiles to objects of the protected infrastructure in policy properties. You can assign the automatically created main protection profile or create and assign additional protection profiles.

Please keep in mind that the settings of the main policy located in the Managed devices folder are inherited by the main policies located in all nested administration groups. Settings that are closed with a "lock" cannot be redefined in nested policies.

To enable network protection, you need to configure the settings for Intrusion Prevention and Web Addresses Scan in policy properties.

Main policy in the group that contains the "VMware vCenter Agentless" cluster

You can create this policy manually by using the New Policy Wizard. The policy is applied on all SVMs of this "VMware vCenter Agentless" cluster.

You must select one VMware vCenter Server as the protected infrastructure for this policy and indicate the VMware vCenter Server corresponding to the "VMware vCenter Agentless" cluster. The root element of the protected infrastructure is the indicated VMware vCenter Server.

The scope of this policy includes all virtual machines within the protected infrastructure of this "VMware vCenter Agentless" cluster.

File protection is enabled by default: the main protection profile is assigned to the VMware vCenter Server and is inherited by all child objects of the virtual infrastructure. If you want to configure different file protection settings for different virtual machines within the protected infrastructure of this KSC cluster, you need to create and assign additional protection profiles in the policy properties.

Network protection is disabled by default. To enable network protection, you need to configure the settings for Intrusion Prevention and Web Addresses Scan in policy properties.

Main policy in the group that contains the "VMware vCloud Director Agentless" cluster

You can create this policy manually by using the New Policy Wizard. The policy is applied on all SVMs of this "VMware vCloud Director Agentless" cluster.

The entire protected infrastructure must be selected as the protected infrastructure for this policy. The Integration Server serves as the root element of the protected infrastructure.

The scope of this policy includes the following virtual machines:

  • File protection applies to all virtual machines within the protected infrastructure of the "VMware vCloud Director Agentless" cluster that are not part of vCloud Director organizations.
  • Network protection applies to all virtual machines within the protected infrastructure of the "VMware vCloud Director Agentless" cluster, including virtual machines that are part of vCloud Director organizations.

File protection and network protection are disabled by default.

To enable file protection, you need to assign protection profiles to objects of the protected infrastructure in policy properties. You can assign the automatically created main protection profile or create and assign additional protection profiles.

In the properties of the main policy for the "VMware vCloud Director Agentless" cluster, you can assign protection profiles to any objects of the protected infrastructure. However, file protection settings will be applied only for protecting virtual machines that are not part of vCloud Director organizations and that are managed by VMware vCenter Servers connected to VMware vCloud Director mapped to the "VMware vCloud Director Agentless" cluster.

To enable network protection, you need to configure the settings for Intrusion Prevention and Web Addresses Scan in policy properties.

Tenant policy in the Managed devices folder of the main Administration Server

This policy is automatically created using the Quick Start Wizard for the managed application after installing the Kaspersky Security administration plug-in for tenants on the main Administration Server. You can also create such a policy manually using the Policy Wizard.

If the Managed devices folder of the main Administration Server is missing a tenant policy, Kaspersky Security Center does not register events that occur when scanning and protecting virtual machines of tenants, and does not display virtual machines of tenants within the KSC cluster protected infrastructure or in the list of virtual machines protected by SVMs.

The settings of this policy are not used directly for the protection of virtual machines: the protected infrastructure is not selected for this policy. However, the settings of the main protection profile and KSN usage settings configured in this policy may be inherited in tenant policies located in nested administration groups, for example, in the Managed devices folder of the virtual Administration Server. This way, you can define the same file protection settings for the virtual infrastructures of all tenants.

In this policy, you can configure the settings for notifications about events that occur when protecting and scanning virtual machines of tenants.

Please keep in mind that the settings that are closed with a "lock" in a tenant policy on the main Administration Server will be unavailable for editing on virtual Administration Servers. The administrators of tenants will not be able to configure these settings.

If you want to centrally enable the use of Kaspersky Security Network for protection of all virtual machines of tenants, you need to first obtain the consent of tenants to send KSN usage information and other information to Kaspersky depending on the KSN usage mode that you selected (standard KSN or extended KSN).

Tenant policy in the group that contains the "VMware vCloud Director Agentless" cluster

This policy is equivalent to a tenant policy in the Managed devices folder of the main Administration Server (see above). You can create this policy manually by using the New Policy Wizard.

Tenant policy in the Managed devices folder of the virtual Administration Server

You can create this policy manually by using the New Policy Wizard.

The policy is applied on all SVMs of the "VMware vCloud Director Agentless" cluster corresponding to the VMware vCloud Director mapped to the vCloud Director organization containing the virtual machines of the tenant.

The protected infrastructure for this policy is selected automatically. The root element is the "vCloud Director organization" that combines all virtual Datacenters of the tenant.

The scope of this policy includes all virtual machines within the vCloud Director organization that corresponds to this virtual Administration Server.

File protection is enabled by default: the main protection profile is assigned to the root element "vCloud Director organization" and is inherited by all objects of the virtual infrastructure of the tenant. If you want to configure different file protection settings for different virtual machines within the virtual infrastructure of the tenant, you need to create and assign additional protection profiles in the policy properties.

[Topic 60077]

About Kaspersky Security tasks

It is recommended to use the following types of tasks for managing Kaspersky Security through Kaspersky Security Center:

  • Group task. A task that is performed on the client devices of the selected administration group. For Kaspersky Security, group tasks can be run on SVMs of one KSC cluster or on all SVMs.
  • Global task. A task for one or more SVMs regardless of whether or not they are included in an administration group.

For more information about managing tasks, see Kaspersky Security Center manuals.

The following tasks are available for Kaspersky Security:

  • Full and Custom Scan tasks, which let you scan all or just the specified virtual machines within the task scope.
  • Service tasks, which let you activate the application, update the application databases, roll back updates, and install application patches.

[Topic 187399]

Full Scan task

The Full Scan task lets you run a virus scan on the files of all virtual machines within the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

You can create Full Scan tasks by using one of the Kaspersky Security administration plug-ins:

  • Main administration plug-in – to scan virtual machines that are not part of a vCloud Director organization.
  • Administration plug-in for tenants – to scan virtual machines that are part of a vCloud Director organization, which means to scan virtual machines of tenants.

Full Scan task created using the main administration plug-in

If you are creating a Full Scan task using the Kaspersky Security main administration plug-in, the task scope is determined as follows:

  • This task in the Managed devices folder of the main Administration Server of Kaspersky Security Center lets you scan all virtual machines within the entire protected infrastructure that are not part of a vCloud Director organization.
  • This task in a group that contains a KSC cluster lets you scan all virtual machines within the protected infrastructure of this KSC cluster that are not part of a vCloud Director organization.
  • The task in the Tasks folder configured for one or more SVMs lets you scan all virtual machines that are protected by the specified SVMs but that are not part of a vCloud Director organization.

    An SVM can scan only the virtual machines running on the same hypervisor where the SVM is deployed.

Full Scan task created using the administration plug-in for tenants

Creation of a Full Scan task for virtual machines of tenants is supported only on a virtual Administration Server of Kaspersky Security Center. You can create a Full Scan task using the Kaspersky Security administration plug-in for tenants in the Managed devices folder of the virtual Administration Server. The scope of this task includes all virtual machines within the vCloud Director organization that corresponds to this virtual Administration Server.

[Topic 187400]

Custom Scan task

The Custom Scan task lets you run a virus scan on files of specified virtual machines from the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

You can create Custom Scan tasks by using one of the Kaspersky Security administration plug-ins:

  • Main administration plug-in – to scan virtual machines that are not part of a vCloud Director organization.
  • Administration plug-in for tenants – to scan virtual machines that are part of a vCloud Director organization, which means to scan virtual machines of tenants.

Custom Scan task created using the main administration plug-in

A Custom Scan task created using the main administration plug-in lets you scan virtual machines that are managed by one VMware vCenter Server and are not part of a vCloud Director organization.

It is recommended to create Custom Scan tasks by using the main administration plug-in in the following administration groups:

  • If you want to scan virtual machines that are managed by a standalone VMware vCenter Server, you need to create a task in the group that contains the VMware vCenter Agentless cluster corresponding to this VMware vCenter Server and indicate this VMware vCenter Server as the task scope.
  • If you want to scan virtual machines managed by a VMware vCenter Server connected to VMware vCloud Director, you need to create a task in the group that contains the "VMware vCloud Director Agentless" cluster corresponding to VMware vCloud Director, and indicate the necessary VMware vCenter Server as the task scope. You need to create a separate Custom Scan task for each VMware vCenter Server connected to VMware vCloud Director.

In the selected scope, you need to indicate the virtual machines that need to be scanned. You can specify individual virtual machines, VMware virtual infrastructure objects of a higher level of the hierarchy, or NSX Security Groups that include the relevant virtual machines.

Due to the specifics of configuring the scope of a Custom Scan task, it is recommended to create a Custom Scan task only in the specified administration groups, which means group tasks. If a Custom Scan task is configured for one or more SVMs (meaning a local or global task), correct configuration of the task scope cannot be guaranteed.

Custom Scan task created using the administration plug-in for tenants

Creation of a Custom Scan task for virtual machines of tenants is supported only on a virtual Administration Server of Kaspersky Security Center. You can create a Custom Scan task using the Kaspersky Security administration plug-in for tenants in the Managed devices folder of the virtual Administration Server. The scope of this task includes all virtual machines within the vCloud Director organization that corresponds to this virtual Administration Server. In this scope, you need to indicate the virtual machines that need to be scanned. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

[Topic 187401]

Service tasks

You can use the following service tasks to manage the application:

  • Update. This task installs updates for application databases on the SVMs on which the task is run.
  • Rollback. This task rolls back the last update of application databases on the SVMs on which the task is run.
  • Application activation. As a result of this task, a license key for activating the application or for renewing the license term is added to SVMs on which the task is run.
  • Automatic installation of patches. This task installs application patches on the SVMs on which the task is run.

You can create service tasks using the Kaspersky Security main administration plug-in on the main Administration Server.

The set of SVMs on which service tasks are run depends on the task's location within the hierarchy of Kaspersky Security Center administration groups:

  • A task in the Managed devices folder is run on all SVMs.
  • A task in a group that contains a KSC cluster is run on all SVMs of one KSC cluster.
  • A task in the Tasks folder configured for one or more SVMs is run on the specified SVMs.

[Topic 58065]

About task management

Tasks are created by using the Wizard, which is started by clicking the New task button located in the workspace of the folder or administration group on the Tasks tab.

You can change the settings of a task after its creation in the task properties window.

To open the task properties window:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which the task was created.
  2. In the workspace, select the Tasks tab.
  3. In the list of tasks, select the task and open the Properties: <Task name> window by double-clicking on the task or by selecting Properties in the context menu.

Regardless of the selected task run mode, you can start or stop the task at any time.

To start or stop a task:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which the task was created.
  2. In the workspace, select the Tasks tab.
  3. In the list of tasks, select the task that you want to start or stop.
  4. Click the Start or Stop button. The buttons are located to the right of the task list.

Information about the progress and results of the task can be viewed in the Kaspersky Security Center Administration Console in one of the following ways:

  • In the Task results window. To open the window, click the View results link on the right of the task list displayed in the Tasks folder of the Kaspersky Security Center console tree or on the Tasks tab in the workspace of the folder or administration group.
  • In the list of events that SVMs send to the Kaspersky Security Center Administration Server. The event list is displayed on the Events tab in the workspace of the Administration Server node.

You can also perform the following actions with tasks:

  • Copy tasks from one folder or administration group into another.
  • Export tasks to a file and import tasks from a file.
  • Convert tasks from the previous version of the application.
  • Delete tasks.

For more information about managing tasks, see Kaspersky Security Center documentation.

[Topic 96369]

About access rights to the settings of policies and tasks

The rights to access the settings of policies and tasks (read, write, execute) are defined for each user who has access to the Kaspersky Security Center Administration Server. In the Kaspersky Security Center Administration Console, you can grant user accounts the rights to perform certain actions within functional scopes of Kaspersky Security.

Kaspersky Security has the following functional scopes:

  • Anti-Virus protection. This functional scope includes the following settings and functions:
    • Enables or disables the anti-virus protection function.
    • All security level settings in policies:
      • Scan archives, self-extracting archives and embedded OLE objects.
      • Scan large compound files.
      • File scan duration limit.
      • List of objects to detect.
    • Action that Kaspersky Security performs when it detects infected files during virtual machine protection.
    • Scan files on network drives during virtual machine protection.
    • Enabling and disabling the web address scanning function.
    • List of web address categories detected by Kaspersky Security.
    • Action that Kaspersky Security performs if it detects a web address that belongs to one or more of the web address categories selected for detection.
    • Backup settings.
    • KSN usage settings.
    • List of additional protection profiles in a policy.
    • Assigning or changing the protected infrastructure for a policy.
    • Assigning protection profiles to VMware virtual infrastructure objects.
    • Full scan tasks and custom scan tasks.
  • Basic functionality. This functional scope includes the following settings and functions:
    • SNMP monitoring settings.
    • Language of the blocked web address notification that is displayed in the browser on the protected virtual machine.
    • Application database update task and latest application database update rollback task.
    • Application activation task.
    • Automatic patch installation task.
  • Intrusion Prevention. This functional scope includes the following settings and functions:
    • Enabling and disabling the Network Attack Blocker feature.
    • Action that Kaspersky Security performs when it detects a network attack.
    • Enabling and disabling Network Activity Scanner for virtual machines.
    • Action that Kaspersky Security performs when it detects suspicious network activity.
    • List of application categories whose signs of network activity are detected by Kaspersky Security.
    • Duration for blocking the IP address from which the network attack or suspicious network activity originated.
  • Trusted zone. This functional scope includes the following settings and functions:
    • List of file extensions excluded from protection.
    • List of file extensions included in the protection scope.
    • List of folders and files excluded from protection.
    • List of rules for identifying suspicious network activity that Kaspersky Security does not apply when analyzing traffic of protected virtual machines.
    • List of network threat protection exclusion rules.
    • List of web addresses that Kaspersky Security does not block, regardless of the configured web address scan settings.

The following actions are available to the user regardless of the rights of the user account within the functional scopes of Kaspersky Security:

  • Viewing the settings of policies and tasks.
  • Creating a policy.

Rights within the functional scopes of Kaspersky Security are required for performing the following actions with policies and tasks:

  • To reconfigure a previously saved policy, the user account must have modification rights within the functional scopes of those settings.
  • To modify the status of a policy (active / inactive) or remove a policy, the user account must have modification rights within the functional scopes of all policy settings. If a user account does not have the rights to edit any policy setting, the user cannot remove the policy or change the status of the policy.
  • To create, remove, or configure the settings of tasks, the user account must have modification rights within the functional scope of the task.
  • To run a task, the user account must have execution rights within the functional scope of the task.

Access to functional scopes of Kaspersky Security is configured in the properties window of the Kaspersky Security Center Administration Server in the Security section.

By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.

For more details on access rights to Kaspersky Security Center objects, please refer to the Kaspersky Security Center documentation.

[Topic 56687]

Preparing for application installation

Before installing Kaspersky Security components, perform the following:

  • Check whether the Kaspersky Security Center components and VMware components meet the software requirements of Kaspersky Security.
  • Prepare the VMware virtual infrastructure for the application installation.
  • You can download the files required for the installation of the application from the Kaspersky website.

    The file necessary for running the Kaspersky Security components Installation Wizard and SVM images are also available for downloading in the Kaspersky Security Center Administration Console in the list of current versions of Kaspersky applications. The list of up-to-date application versions is displayed in the workspace of the Administration Server node on the Monitoring tab in the Update section by clicking the View current versions of Kaspersky applications link. You can filter the list by Virtualization value.

  • Make sure that the SVM images were received from a trusted source. For more detailed information about validating the SVM image, please refer to the application page in the Knowledge Base.
  • Place all SVM image files in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, you can publish SVM images on the Kaspersky Security Center Web Server.
  • In the settings of the network equipment or software used for monitoring traffic, open the ports that are required for operation of the application.
  • Configure the settings of the accounts that are required for installation and operation of the application.
  • If you are planning to use network data storage for SVMs, create a network folder for hosting the network data storage and a user account for connecting SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.

    You need to make sure that the amount of space allocated for network data storage is sufficient for storing backup copies of files. Kaspersky Security does not monitor the availability of free space in your network data storage and does not notify you if backup copies of files cannot be stored. It is recommended to use third-party tools to monitor the available space in the network folder.

In this Help section

Preparing the VMware virtual infrastructure

Publishing SVM images on the Kaspersky Security Center Web Server

Ports used

Accounts for installing and using the application

[Topic 57184]

Preparing the VMware virtual infrastructure

Prior to installing the application in a VMware infrastructure, you must perform the following actions:

  • Combine VMware ESXi hypervisors into one or several VMware clusters.
  • Configure the Agent VM Settings in the properties of each hypervisor: select a network and storage for service virtual machines and SVMs. For details on configuring Agent VM Settings, please refer to the VMware product documentation.
  • Deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.
  • On each VMware cluster on which SVMs with the Network Threat Protection component will be deployed, prepare hypervisors for network protection deployment. To do so, you must install VMware NSX components on hypervisors. Installation is performed in the VMware vSphere Web Client console in the Networking & Security → Installation and Upgrade section on the Host Preparation tab. To install VMware NSX components to hypervisors, you must select Actions → Install for the VMware cluster. Refer to the Knowledge Base for more details.
  • Install the Guest Introspection driver (NSX File Introspection Driver) on each virtual machine that you want to protect using Kaspersky Security.

    To do so, you must install VMware Tools kit version 11.0.1 on virtual machines running a Windows operating system. When installing the VMware Tools package, you need to install the NSX File Introspection Driver component that is included in the package. The NSX File Introspection Driver component is not installed by default.

    Special packages are provided for installation of the NSX File Introspection Driver component on virtual machines running a Linux operating system. For more details, please refer to the VMware product documentation.

  • If you want to install the Network Threat Protection component, make sure that a license for NSX for vSphere Advanced or NSX for vSphere Enterprise is being used for VMware NSX for vSphere.

In this section:

Deploying the Guest Introspection service

Viewing information about the license for NSX for vSphere

[Topic 71371]

Deploying the Guest Introspection service

For proper functioning of Kaspersky Security, you must deploy the Guest Introspection service on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.

After deploying the Guest Introspection service on a VMware cluster, the Guest Introspection service virtual machines are deployed on each hypervisor that is part of the cluster.

Deployment of the Guest Introspection service is performed in the VMware vSphere Web Client console.

To deploy the Guest Introspection service:

  1. In the VMware vSphere Web Client console, start the Deployment Wizard for network services and protection services for virtual machines (the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
  2. Use the Wizard to specify the following settings for deploying the Guest Introspection service:
    1. Select the Guest Introspection service in the table.
    2. Select one or several VMware clusters on which you want to install the File Threat Protection component.
    3. If required, change the default settings for all Guest Introspection service virtual machines that will be deployed on hypervisors within the selected VMware cluster:
      • Network that will be used by the service virtual machines.
      • Storage for deployment of service virtual machines.
      • Method of assigning IP addresses. By default, service virtual machines receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to service virtual machines.
  3. Finish the Wizard and wait for deployment of the Guest Introspection service to complete.

    A Guest Introspection service virtual machine will be deployed on each hypervisor within the VMware cluster that you selected.

For more details about deploying the Guest Introspection service, please refer to the Knowledge Base.

[Topic 57699]

Viewing information about the license for NSX for vSphere

To utilize Network Threat Protection component functionality, you must have a current license for NSX for vSphere Advanced or NSX for vSphere Enterprise.

When using a standard NSX for vSphere license, the Network Service Insertion (Third Party Integration) function that is required for enabling protection against network threats on VMware ESXi hypervisors is unavailable.

You can view information about the utilized licenses in the VMware vSphere Web Client console in the Administration → Licenses section on the Products tab (for more details, please refer to the Knowledge Base).

For more details on working with NSX for vSphere licenses, please refer to the VMware product documentation.

[Topic 97629]

Publishing SVM images on the Kaspersky Security Center Web Server

You can publish SVM images on the Kaspersky Security Center Web Server or place them on another network resource that is accessible over the HTTP or HTTPS protocol.

To publish SVM images on the Kaspersky Security Center Web Server:

  1. Make sure that the Web Server is running. To do so, start the services.msc snap-in and verify that the Kaspersky Web Server service has the Running status.
  2. In the shared folder of the Administration Server, create a subfolder named public.

    To find out the path to the shared folder:

    1. View the shared folder name and the name of the computer on which it is located in the Administration Server properties window in the Additional → Administration Server shared folder section.
    2. On the specified computer, run the following command in the command line: net share <shared folder name>.

      After this command is executed, the Path row will show the path to the shared folder in the file system.

  3. Copy all Kaspersky Security SVM image files into the public folder.
  4. Make sure that the SVM images have been published. To do so, open your browser and enter the following in the address bar:

    http://<IP address for connecting to the Kaspersky Security Center Administration Server>:8060/public

    An IP address must be specified as the Administration Server address; localhost should not be specified.

    Port 8060 is used by default. If you have modified the default settings, in the address field specify the port that is defined in the Web server section of the Kaspersky Security Center Administration Server properties window.

If publication of SVM images completed successfully, you will see a page containing a list of Kaspersky Security image files.
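Step 4 of the procedure above can be automated so that every file copied into the public folder is confirmed to be visible over HTTP. The following Python script is an added example, not part of the Kaspersky documentation; it assumes that the Web Server listing page links each file with an `<a href>` element, and the file names in the sample listing are constructed placeholders.

```python
import ipaddress
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urlsplit
from urllib.request import urlopen

DEFAULT_PORT = 8060  # default Web Server port named in step 4


def public_url(server_ip, port=DEFAULT_PORT):
    """Build the /public URL. Only an IP address literal is accepted,
    so "localhost" or any other host name raises ValueError."""
    addr = ipaddress.ip_address(server_ip)
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{port}/public"


class _LinkNames(HTMLParser):
    """Collects the file name part of every <a href="..."> on a page."""

    def __init__(self):
        super().__init__()
        self.names = set()

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href")
        if href:
            # Drop query/fragment, decode %XX escapes, keep the last path segment.
            name = unquote(urlsplit(href).path).rstrip("/").rsplit("/", 1)[-1]
            if name:
                self.names.add(name)


def listed_files(listing_html):
    """Return the set of file names linked from the listing page."""
    parser = _LinkNames()
    parser.feed(listing_html)
    return parser.names


def missing_from_listing(expected_names, listing_html):
    """Return, sorted, the expected files that the listing does not show."""
    return sorted(set(expected_names) - listed_files(listing_html))


def check_publication(server_ip, public_dir, port=DEFAULT_PORT, timeout=10):
    """Compare the files in the local public folder with the published listing.
    Returns the names that were copied but are not visible over HTTP."""
    expected = [p.name for p in Path(public_dir).iterdir() if p.is_file()]
    with urlopen(public_url(server_ip, port), timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return missing_from_listing(expected, body)


# Constructed listing page for an offline check; real output may differ.
SAMPLE_LISTING = """<html><body><h1>public</h1>
<a href="/public/example_svm.ovf">example_svm.ovf</a>
<a href="/public/example%20svm-disk1.vmdk">example svm-disk1.vmdk</a>
</body></html>"""

if __name__ == "__main__":
    copied = ["example_svm.ovf", "example svm-disk1.vmdk", "example_svm.mf"]
    print("Not published:", missing_from_listing(copied, SAMPLE_LISTING))
```

An empty list from `check_publication` means every file in the public folder appears in the published listing.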

[Topic 97889]

Ports used

To install and run application components, you must open the ports listed in the table below in the settings of the network hardware or software used to control network traffic between virtual machines.

Ports used by the application

| Port and protocol | Direction | Purpose and description |
|---|---|---|
| 13000, 14000 TCP | From the SVM to the Kaspersky Security Center Administration Server. | To manage the application via Kaspersky Security Center. |
| 15000 UDP | From the Kaspersky Security Center Administration Server to the SVM. | To manage the application via Kaspersky Security Center. |
| 13291 TCP | From the Kaspersky Security Center Administration Console to the Kaspersky Security Center Administration Server. | To connect the Administration Console to the Kaspersky Security Center Administration Server. |
| 22 TCP | From the Integration Server to the SVM. | For interaction between the SVM and Integration Server. |
| 7271 TCP | From the SVM to Integration Server. | For interaction between the SVM and Integration Server. |
| 7271 TCP | From the VMware NSX Manager to the Integration Server. | For interaction between the VMware NSX Manager and the Integration Server. |
| 443 TCP | From the Integration Server to VMware NSX Manager. | For interaction between the Integration Server and the virtual infrastructure. |
| 443 TCP | From the Integration Server to virtual infrastructure administration servers (VMware vCenter Server and VMware vCloud Director). | For interaction between the Integration Server and the virtual infrastructure. |
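The port list above amounts to an allow-list of flows between components. The following Python script is an added example, not part of the Kaspersky documentation: it audits a firewall rule set against that list and reports required flows that are missing, wildcard rules that are broader than a listed flow, and rules that match no listed flow. The role names and the one-line rule format are assumptions made for this example, and the sample rules are constructed.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    src: str    # component role; "any" is allowed only in firewall rules
    dst: str
    port: int
    proto: str  # "tcp" or "udp"


# Flows transcribed from the "Ports used by the application" list.
# Role names are labels chosen for this example.
REQUIRED = [
    Flow("svm", "ksc_server", 13000, "tcp"),
    Flow("svm", "ksc_server", 14000, "tcp"),
    Flow("ksc_server", "svm", 15000, "udp"),
    Flow("ksc_console", "ksc_server", 13291, "tcp"),
    Flow("integration_server", "svm", 22, "tcp"),
    Flow("svm", "integration_server", 7271, "tcp"),
    Flow("nsx_manager", "integration_server", 7271, "tcp"),
    Flow("integration_server", "nsx_manager", 443, "tcp"),
    Flow("integration_server", "vcenter_or_vcd", 443, "tcp"),
]

# Constructed allow rules in a made-up "proto src dst port" format.
SAMPLE_RULES = """\
# constructed sample, one allow rule per line
tcp svm ksc_server 13000
tcp svm ksc_server 14000
udp ksc_server svm 15000
tcp ksc_console ksc_server 13291
tcp any svm 22
tcp ksc_console svm 22
tcp svm integration_server 7271
tcp integration_server nsx_manager 443
tcp integration_server vcenter_or_vcd 443
"""


def parse_rules(text):
    """Parse "proto src dst port" lines; blank lines and # comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'proto src dst port'")
        proto, src, dst, port_text = parts
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        if not port_text.isdigit() or not 1 <= int(port_text) <= 65535:
            raise ValueError(f"line {lineno}: invalid port {port_text!r}")
        rules.append(Flow(src, dst, int(port_text), proto))
    return rules


def covers(rule, flow):
    """True if an allow rule permits the given required flow."""
    return (
        rule.port == flow.port
        and rule.proto == flow.proto
        and rule.src in (flow.src, "any")
        and rule.dst in (flow.dst, "any")
    )


def audit(rules):
    """Compare allow rules with REQUIRED and classify the differences."""
    missing = [f for f in REQUIRED if not any(covers(r, f) for r in rules)]
    too_broad, not_listed = [], []
    for rule in rules:
        matches_required = any(covers(rule, f) for f in REQUIRED)
        if not matches_required:
            not_listed.append(rule)   # permits something the list does not name
        elif "any" in (rule.src, rule.dst):
            too_broad.append(rule)    # permits a listed flow, plus other peers
    return {"missing": missing, "too_broad": too_broad, "not_listed": not_listed}


if __name__ == "__main__":
    for kind, flows in audit(parse_rules(SAMPLE_RULES)).items():
        for f in flows:
            print(f"{kind}: {f.proto} {f.src} -> {f.dst}:{f.port}")
```

In the constructed sample, the wildcard rule for port 22 satisfies the Integration Server to SVM requirement but also admits every other source, so it is reported as too broad rather than as compliant.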

[Topic 58064]

Accounts for installing and using the application

User account for installing the Kaspersky Security administration plug-in and Integration Server

Installation of the Kaspersky Security administration plug-in and Integration Server requires an account that has software installation privileges (for example, an account from the group of local administrators).

If the computer hosting the Kaspersky Security Center Administration Console belongs to an Active Directory domain, connection to the Integration Server requires a domain account that belongs to the KLAdmins group or an account that belongs to the group of local administrators.

To prevent unauthorized access, it is recommended to ensure the security of the account that is used to connect to the Integration Server.

User accounts for deploying and removing SVMs, and for operation of the application

The following user accounts are required for deployment and removal of SVMs that have Kaspersky Security components:

  • A VMware vCenter Server account to which the preset system role ReadOnly has been assigned. To ensure that powered-off virtual machines can be scanned, the following privileges need to be assigned to this account:
    • Virtual machine → Change Configuration → Add existing disk
    • Virtual machine → Change Configuration → Add or remove device
    • Virtual machine → Change Configuration → Remove disk
    • ESX Agent Manager → Modify
  • A VMware NSX Manager account that has been assigned the Enterprise Administrator role.
  • If you want to use Kaspersky Security to protect a virtual infrastructure managed by VMware vCloud Director, you also need a VMware vCloud Director account that has the following permissions:
    • General → Perform administrator queries
    • Organization → View Organizations

Roles must be assigned to user accounts at the top level of the hierarchy of VMware virtual infrastructure objects.

For information on how to create user accounts in a VMware infrastructure, please refer to VMware documentation.

User account for connecting the Integration Server to Kaspersky Security Center

This account is used if the application is operating in multitenancy mode.

The Integration Server connects to Kaspersky Security Center to receive information about virtual Administration Servers created in Kaspersky Security Center, and to map virtual Administration Servers to vCloud Director organizations that contain virtual machines of tenants. Connecting the Integration Server to Kaspersky Security Center requires an account with read rights in the functional scope of Basic functionality → Virtual Administration Servers.

You can create and configure the account used for connecting the Integration Server to Kaspersky Security Center in the properties window of the Kaspersky Security Center Administration Server in the Security section.

By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.

For more details on the rights of user accounts in Kaspersky Security Center, please refer to the Kaspersky Security Center documentation.

User account for connecting SVMs to network data storage

This user account is required if you are using network data storage for SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs.

To connect SVMs to network data storage, you need an account with read and write permissions in the network folder hosting the storage.

It is recommended to restrict access to this network folder for all other user accounts.

[Topic 56686]

Installing the application

Installation of Kaspersky Security consists of the following steps:

  1. Installation of the Kaspersky Security administration plug-in(s) and Integration Server.

    Regardless of the selected application usage option, you need to install the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console.

    If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

    When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security administration plug-ins are installed, the Quick Start Wizard for the managed application is automatically started. The Wizard lets you create default policies and tasks.

    If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

  2. Configuring the settings for connecting the Integration Server to one or more virtual infrastructure administration servers.
  3. Registering Kaspersky Security services in VMware NSX Manager.

    If you want to install the File Threat Protection component, you need to register the file system protection service (Kaspersky File Antimalware Protection).

    If you want to install the Network Threat Protection component, you need to register the network protection service (Kaspersky Network Protection).

    The settings required for registration and deployment of Kaspersky Security services are entered through a Wizard that is started from the Integration Server Console. When you have finished entering the settings, Integration Server registers the Kaspersky Security services in VMware NSX Manager.

    In the VMware vSphere Web Client console, you can verify that registration of Kaspersky Security services completed successfully.

  4. Deploying SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component on VMware ESXi hypervisors. Deployment of SVMs is performed in the VMware vSphere Web Client console.

    After SVMs are deployed, the Integration Server sends each new SVM the configuration settings that you specified when you registered Kaspersky Security services.

    Kaspersky Security Center places the deployed SVMs in KSC clusters.

  5. Configuration of NSX Security Groups and NSX Security Policies.

    To protect virtual machines, you need to do the following in the VMware vSphere Web Client console:

    1. Include virtual machines in one or more NSX Security Groups.
    2. Configure one or more NSX Security Policies and apply the security policies to the NSX Security Groups.
  6. Getting started.

    After the application is installed, you must activate the application on all new SVMs, make sure that the application databases have been updated on all new SVMs, and configure the application operation settings by using a policy.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is installed.

In this Help section

Installation of the Kaspersky Security main administration plug-in and Integration Server

Installation of the Kaspersky Security administration plug-in for tenants

Result of installation of the Kaspersky Security administration plug-ins and Integration Server

Configuring the Integration Server

Registration of Kaspersky Security services

Viewing registered services in the VMware vSphere Web Client console

Deploying SVMs with the File Threat Protection and Network Threat Protection components

Configuring NSX Security Groups

Configuring and applying NSX Security Policies

Configuring protection of tenant organizations

[Topic 57046]

Installation of the Kaspersky Security main administration plug-in and Integration Server

Prior to beginning installation of the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console, it is recommended to close the Kaspersky Security Center Administration Console.

You can install the Kaspersky Security main administration plug-in, Integration Server, and the Integration Server Console in interactive mode using the Wizard or via the command line.

The main administration plug-in for Kaspersky Security and Integration Server components should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security main administration plug-in and Integration Server Console must be installed on the computer on which the Kaspersky Security Center Administration Console is installed. The Integration Server must be installed on the computer on which the Administration Server of Kaspersky Security Center is installed.

The Microsoft .NET Framework 4.6.1 platform is required for installation of the Integration Server, Integration Server Console, and Kaspersky Security administration plug-in. You can install the Microsoft .NET Framework 4.6.1 platform in advance or it will be installed automatically during the installation of Kaspersky Security application components. If there are any problems with the installation of Microsoft .NET Framework 4.6.1, make sure that Windows updates KB2919442 and KB2919355 have been installed on the computer.

Depending on the availability of Kaspersky Security Center components installed on the computer, the following operations are performed once installation is started:

  • If only the Administration Console of Kaspersky Security Center is installed on the computer, the Kaspersky Security administration plug-in and the Integration Server Console are installed.
  • If the Kaspersky Security Center Administration Server and the Administration Console of Kaspersky Security Center are installed on the computer, the Kaspersky Security administration plug-in, the Integration Server, and the Integration Server Console are installed.

A secure SSL connection is used for interaction between the Integration Server and the Integration Server Console, SVMs, the VMware vCenter Server, and VMware NSX Manager. To eliminate known vulnerabilities of the SSL protocol in the operating system, during installation of the Integration Server the changes described in the Microsoft technical support database are made to the operating system registry. These changes disable the following encryption ciphers and protocols:

  • SSL 3.0
  • SSL 2.0
  • AES 128
  • RC2 40/56/128
  • RC4 40/56/64/128
  • 3DES 168
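
One way to confirm on the Integration Server computer that the items listed above are disabled. This PowerShell script is an added example, not Kaspersky code; it assumes the installer applies the standard Schannel registry settings documented by Microsoft, and the subkey names are the standard Schannel names rather than values taken from this guide.

```powershell
# Added example (not Kaspersky code). Assumption: the installer applies the
# standard Schannel registry settings documented by Microsoft; the subkey names
# below are the standard Schannel names, not values taken from this guide.
$SchannelRoot = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

$Targets = @(
    'Protocols\SSL 2.0\Server', 'Protocols\SSL 2.0\Client',
    'Protocols\SSL 3.0\Server', 'Protocols\SSL 3.0\Client',
    'Ciphers\AES 128/128',
    'Ciphers\RC2 40/128', 'Ciphers\RC2 56/128', 'Ciphers\RC2 128/128',
    'Ciphers\RC4 40/128', 'Ciphers\RC4 56/128', 'Ciphers\RC4 64/128', 'Ciphers\RC4 128/128',
    'Ciphers\Triple DES 168'
)

function Get-SchannelState {
    param([Parameter(Mandatory)][string]$SubPath)

    # Cipher key names contain "/", which the PowerShell registry provider
    # treats as a path separator, so read the key through the .NET registry API.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelRoot\$SubPath")
    $enabled = $null
    if ($null -ne $key) {
        try     { $enabled = $key.GetValue('Enabled') }
        finally { $key.Close() }
    }

    # Enabled = 0 disables the item; a missing key or value leaves the
    # operating system default in force, which differs between Windows versions.
    if ($null -eq $enabled) { $state = 'NotConfigured' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    else                    { $state = 'Enabled' }

    [pscustomobject]@{ Setting = $SubPath; EnabledValue = $enabled; State = $state }
}

$report = foreach ($target in $Targets) { Get-SchannelState -SubPath $target }
$report | Format-Table -AutoSize

# Summarize everything that is not explicitly switched off.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    $names = ($open | ForEach-Object { $_.Setting }) -join '; '
    Write-Warning ("{0} of {1} settings are not explicitly disabled: {2}" -f $open.Count, $Targets.Count, $names)
}
```

Schannel settings are machine-wide, so under the stated assumption they also apply to other Schannel-based services on the same computer.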

During installation of the Integration Server, its self-signed SSL certificate, which is used to establish a secure connection with the Integration Server, is installed in the operating system registry. If necessary, you can replace the SSL certificate of the Integration Server (the certificate replacement procedure is described in the Knowledge Base).

If the Integration Server was previously installed in your virtual infrastructure and you removed it but saved data used in the operation of the Integration Server, this data is used automatically when you install the Integration Server again.

In this section:

Installation in interactive mode

Installing via the command line

[Topic 90410]

Installation in interactive mode

To install the Kaspersky Security main administration plug-in and Integration Server components in interactive mode using the Wizard:

  1. On the computer hosting the Administration Console and Administration Server of Kaspersky Security Center, start the ksv-components_6.0.0.XXX_mlg.exe file, where 6.0.0.XXX is the application version number. This file is included in the distribution kit.

    If the Kaspersky Security Center Administration Server is not installed on a computer, the Integration Server will not be installed on that computer. Only the Kaspersky Security administration plug-in and Integration Server Console will be installed.

    The Kaspersky Security Components Installation Wizard will start.

  2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

    By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

  3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  4. If the Kaspersky Security Center Administration Server is installed on the computer running the Wizard and this computer does not belong to an Active Directory domain, you must create a password for the Integration Server administrator account. The Integration Server administrator account (admin) is used for managing the Integration Server.

    Enter a password in the Password and Confirm password fields. The account name cannot be edited.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

    Proceed to the next step of the wizard.

  5. If the Kaspersky Security Center Administration Server is installed on the computer running the Wizard and port 7271 used to connect to the Integration Server by default is busy, you must specify a port number for connecting to the Integration Server.

    In the Port field, specify a port number in the range of 1025–65536 and proceed to the next step of the Wizard.

  6. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
  7. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  8. Click Finish to close the Wizard window.

Information about the operation of the Wizard is written to Kaspersky Security Components Installation Wizard trace files. If the Wizard ended with an error, you can use these files when contacting Technical Support.

[Topic 90411]

Installing via the command line

Prior to installing the administration plug-in, it is recommended to carefully read the text of the End User License Agreement and the Privacy Policy. To do so, type the following command in the command line:

ksv-components_6.0.0.XXX_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

where 6.0.0.XXX is the number of the application version.

The text of the End User License Agreement and the Privacy Policy is output to the EulaAndPrivacyPolicy_<language ID>.txt file in the %temp% folder.

To install the Kaspersky Security main administration plug-in and Integration Server components via the command line, type one of the following commands in the command line:

  • if the computer on which installation is performed belongs to an Active Directory domain:

    ksv-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes

  • if the computer on which installation is performed does not belong to an Active Directory domain:

    ksv-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password>

where:

  • 6.0.0.XXX is the number of the application version.
  • <language ID> is the ID of the language of components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, ja. It is case sensitive.

  • <password> is the password of the Integration Server administrator account. If the computer on which Integration Server is installed does not belong to an Active Directory domain, the Integration Server administrator account (admin) is used to manage the Integration Server.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  • accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the End User License Agreement and the Privacy Policy describing the handling and transmission of data. By setting the value to yes, you confirm the following:
    • You have fully read, understand, and accept the provisions and terms of the End User License Agreement.
    • You have fully read and understand the Privacy Policy, you understand and consent that your data will be processed and transmitted (including to third-party countries) in accordance with the Privacy Policy.

    You must accept the terms of the End User License Agreement and Privacy Policy if you want to install the Kaspersky Security administration plug-in and Integration Server components.

Port number 7271 is used by default for connecting to the Integration Server. If you want to use a different port to connect to the Integration Server, specify --viisPort=<port number in the range of 1025–65536> in the command.

Installation of the Kaspersky Security main administration plug-in and Integration Server components may take some time. Information about the installation result is written to Kaspersky Security Components Installation Wizard trace files. If installation ended with an error, you can use these files when contacting Technical Support.
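
The rules stated for the administrator password (in both the interactive and the command-line procedure), the language ID and the port can be checked before the installer is started. The PowerShell function below is an added example, not Kaspersky code; Test-KsvInstallParameters is a hypothetical name and the sample values are constructed.

```powershell
# Added example (not Kaspersky code). Test-KsvInstallParameters is a hypothetical
# helper name; the rules it checks are the ones stated in this guide.
function Test-KsvInstallParameters {
    param(
        [Parameter(Mandatory)][string]$Lang,
        # For the local computer: (Get-CimInstance Win32_ComputerSystem).PartOfDomain
        [Parameter(Mandatory)][bool]$DomainJoined,
        [string]$Password,
        [int]$Port = 7271,
        [switch]$AcceptEulaAndPrivacyPolicy
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $warnings = New-Object System.Collections.Generic.List[string]

    # The language ID is case sensitive, so use the case-sensitive operator.
    $allowedLang = 'ru', 'en', 'de', 'fr', 'zh-Hans', 'ja'
    if ($allowedLang -cnotcontains $Lang) {
        $problems.Add("Language ID '$Lang' must be one of: $($allowedLang -join ', ').")
    }
    if (-not $AcceptEulaAndPrivacyPolicy) {
        $problems.Add('Acceptance of the End User License Agreement and Privacy Policy was not confirmed.')
    }

    # Outside an Active Directory domain the admin account password is mandatory.
    if (-not $DomainJoined) {
        $special = '!#$%&''()*"+,-./\:;<=>_?@[]^`{|}~'
        if ([string]::IsNullOrEmpty($Password)) {
            $problems.Add('--viisPass is required when the computer is not in an Active Directory domain.')
        } else {
            $chars = $Password.ToCharArray()
            if ($Password.Length -gt 60) { $problems.Add('Password is longer than 60 characters.') }

            # Report only a count so that password material is not echoed.
            $illegal = @($chars | Where-Object {
                ([string]$_ -cnotmatch '^[A-Za-z0-9]$') -and -not $special.Contains([string]$_) })
            if ($illegal.Count -gt 0) {
                $problems.Add("Password contains $($illegal.Count) character(s) outside the allowed set.")
            }

            # Recommendation: at least 8 characters, three of four categories.
            $categories = 0
            if ($Password -cmatch '[a-z]') { $categories++ }
            if ($Password -cmatch '[A-Z]') { $categories++ }
            if ($Password -cmatch '[0-9]') { $categories++ }
            if (@($chars | Where-Object { $special.Contains([string]$_) }).Count -gt 0) { $categories++ }
            if ($Password.Length -lt 8 -or $categories -lt 3) {
                $warnings.Add('Password is weaker than recommended (8+ characters, 3 of 4 character categories).')
            }

            # These allowed characters are metacharacters in cmd.exe.
            if ($Password -cmatch '[&|<>^%"]') {
                $warnings.Add('Password contains cmd.exe metacharacters; quote or escape the argument when typing the command.')
            }
        }
    }

    if ($Port -lt 1025 -or $Port -gt 65536) {
        $problems.Add("Port $Port is outside the documented range 1025-65536.")
    } elseif ($Port -eq 65536) {
        $warnings.Add('65536 is inside the documented range, but TCP port numbers end at 65535.')
    }

    # Arguments exactly as given in this section; returned only when valid.
    $arguments = @('-q', "--lang=$Lang", '--accept-EulaAndPrivacyPolicy=yes')
    if (-not $DomainJoined) { $arguments += "--viisPass=$Password" }
    if ($Port -ne 7271)     { $arguments += "--viisPort=$Port" }
    if ($problems.Count -gt 0) { $arguments = @() }

    [pscustomobject]@{
        Valid     = ($problems.Count -eq 0)
        Problems  = $problems.ToArray()
        Warnings  = $warnings.ToArray()
        Arguments = $arguments
    }
}

# Constructed sample values, not real credentials.
$result = Test-KsvInstallParameters -Lang 'en' -DomainJoined $false `
    -Password 'Constructed#Pass2024' -Port 7272 -AcceptEulaAndPrivacyPolicy
$result | Format-List Valid, Problems, Warnings
```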

[Topic 58299]

Installation of the Kaspersky Security administration plug-in for tenants

The actions described in this section must be performed only if you are using the application in multitenancy mode.

Prior to beginning installation of the Kaspersky Security administration plug-in for tenants, it is recommended to close the Kaspersky Security Center Administration Console.

You can install the Kaspersky Security administration plug-in for tenants in interactive mode using the Wizard or via the command line.

The administration plug-in for tenants should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security administration plug-in for tenants must be installed on the same computer on which the Kaspersky Security Center Administration Console is installed.

In this section:

Installation in interactive mode

Installing via the command line

[Topic 58298]

Installation in interactive mode

To install the Kaspersky Security administration plug-in for tenants in interactive mode using the Wizard:

  1. On the computer where the Kaspersky Security Center Administration Console is installed, start the file named ksv-t-components_6.0.0.XXX_mlg.exe (6.0.0.XXX represents the application version number). This file is included in the distribution kit.

    The Installation Wizard starts for the Kaspersky Security administration plug-in for tenants.

  2. Select the localization language of the Wizard and the Kaspersky Security administration plug-in for tenants and proceed to the next step of the Wizard.

    By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

  3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  4. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
  5. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  6. Click Finish to close the Wizard window.

Information about the operation of the Wizard is written to Kaspersky Security administration plug-in for tenants Installation Wizard trace files. If the Wizard ended with an error, you can use these files when contacting Technical Support.

[Topic 187734]

Installing via the command line

Prior to installing the administration plug-in, it is recommended to carefully read the text of the End User License Agreement and the Privacy Policy. To do so, type the following command in the command line:

ksv-t-components_6.0.0.XXX_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

where 6.0.0.XXX is the number of the application version.

The text of the End User License Agreement and the Privacy Policy is output to the EulaAndPrivacyPolicy_<language ID>.txt file in the %temp% folder.

To install the Kaspersky Security administration plug-in for tenants, enter the following command in the command line:

ksv-t-components_6.0.0.XXX_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes

where:

  • 6.0.0.XXX is the number of the application version.
  • <language ID> is the ID of the language of components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, ja. It is case sensitive.

  • accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the End User License Agreement and the Privacy Policy describing the handling and transmission of data. By setting the value to yes, you confirm the following:
    • You have fully read, understand, and accept the provisions and terms of the End User License Agreement.
    • You have fully read and understand the Privacy Policy, you understand and consent that your data will be processed and transmitted (including to third-party countries) in accordance with the Privacy Policy.

    You must accept the terms of the End User License Agreement and Privacy Policy if you want to install the Kaspersky Security administration plug-in.

Information about the installation result is written to Kaspersky Security administration plug-in for tenants Installation Wizard trace files. If installation ended with an error, you can use these files when contacting Technical Support.

[Topic 90146]

Result of installation of the Kaspersky Security administration plug-ins and Integration Server

Installation of the Kaspersky Security main administration plug-in and Integration Server components includes the following:

  1. In the Kaspersky Security Center Administration Console, the following link is created for starting the Integration Server Console: Manage Kaspersky Security for Virtualization 6.0 Agentless. The link is displayed in the workspace of the Administration Server node on the Monitoring tab in the Deployment section.
  2. When the Kaspersky Security Center Administration Console is started for the first time after the administration plug-in is installed, the Managed Application Quick Start Wizard starts and creates the default main policy and tasks in the Managed devices folder of the main Administration Server. The Wizard can also be started manually.
  3. The Kaspersky Security main administration plug-in appears in the list of installed administration plug-ins in the properties of the Kaspersky Security Center Administration Server.

Installation of the Kaspersky Security administration plug-in for tenants results in the following:

  1. When the Kaspersky Security Center Administration Console is started for the first time after the administration plug-in is installed, the Managed Application Quick Start Wizard starts and creates the default tenant policy in the Managed devices folder of the main Administration Server. The Wizard can also be started manually.
  2. The Kaspersky Security administration plug-in for tenants appears in the list of installed administration plug-ins in the properties of the Kaspersky Security Center Administration Server.

[Topic 58072]

Viewing the list of installed administration plug-ins

To view the list of installed administration plug-ins:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. Open the Administration Server properties window in one of the following ways:
    • Select Properties in the context menu of the node.
    • In the workspace in the Administration Server section, click the Administration Server properties link.

    The Properties: Administration Server window opens.

  3. In the Administration Server properties window in the Additional section, select the Information about the installed application administration plug-ins subsection.

    The Kaspersky Security main administration plug-in of Kaspersky Security for Virtualization 6.0 Agentless is displayed in the list of installed administration plug-ins in the right part of the window.

    If you installed the Kaspersky Security administration plug-in for tenants, Kaspersky Security for Virtualization 6.0 Agentless (for tenants) is also displayed.

[Topic 58301]

Starting the Quick Start Wizard for the managed application

When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security main administration plug-in is installed, the Quick Start Wizard for the managed application is automatically started. The Wizard creates a default main policy, an application database update task, and a Full Scan task for virtual machines that are not part of a vCloud Director organization in the Managed devices folder of the main Administration Server of Kaspersky Security Center.

If you also installed the Kaspersky Security administration plug-in for tenants, the Quick Start Wizard for the managed application is started again and automatically creates a default tenant policy in the Managed devices folder of the main Administration Server.

A default tenant policy is not created automatically on a virtual Administration Server of Kaspersky Security Center.

If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

To manually start the Initial Configuration Wizard:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. In the context menu of the node, select All Tasks → Managed Application Quick Start Wizard.
  3. In the window of the welcome screen, click Next.
  4. At the next step, select the managed application: Kaspersky Security for Virtualization 6.0 Agentless and click Next.
  5. Wait for the Wizard to finish and close the Wizard window.
  6. If you use the application in multitenancy mode, repeat steps 1–3 and, at the next step, select the managed application Kaspersky Security for Virtualization 6.0 Agentless (for tenants). Then click Next.
  7. Wait for the Wizard to finish and close the Wizard window.

[Topic 158555]

Default policies and tasks

As a result of the Initial Configuration Wizard for the managed application, the following policies and tasks are created in the Managed devices folder of the main Kaspersky Security Center Administration Server.

Default main policy

This policy is displayed in the workspace of the Managed devices folder of the main Administration Server on the Policies tab and is named KSV Agentless 6.0 default policy.

Default policy settings take the following values:

  • File Threat Protection is disabled (a protection profile is not assigned to objects of the protected infrastructure).
  • SNMP monitoring of the status of SVMs is disabled.
  • Use of Backup is enabled. Storage period for backup copies of files is 30 days.
  • Use of Kaspersky Security Network is disabled.
  • Network Threat Protection is disabled.

If you want to use the default main policy for virtual machine protection, you need to enable anti-virus protection and configure Network Threat Protection in this policy.

All settings of the default main policy can be redefined in nested policies (all "locks" are open).

The availability of a default main policy lets you use the following capabilities of Kaspersky Security Center immediately after SVM deployment and before you manually create a policy:

  • Display the list of protected virtual machines in KSC cluster properties.
  • Register events that occur during scans and protection of virtual machines that are not part of vCloud Director organizations.
  • Display information about the virtual machines whose protection involves the use of license keys in a key report.
  • Display information about protected virtual machines in a protection status report.

If you want to delete the default main policy, make sure that one of the policies created by you is applied on all SVMs. If the main policy is not applied on an SVM, Kaspersky Security Center does not register this SVM's events that occur during scans and protection of virtual machines that are not part of vCloud Director organizations, and does not display these virtual machines in reports.

Default tenant policy

This policy is created only on the main Kaspersky Security Center Administration Server if you installed the Kaspersky Security administration plug-in for tenants.

This policy is displayed in the workspace of the Managed devices folder of the main Administration Server on the Policies tab and is named KSV Agentless 6.0 (for tenants) default policy.

The settings of this policy are not used directly for the protection of virtual machines. However, the settings of the main protection profile and KSN usage settings configured in this policy may be inherited in tenant policies located in nested administration groups, for example, in the Managed devices folder of the virtual Administration Server.

If you want to centrally enable the use of KSN for protection of all virtual machines of tenants, you need to first obtain the consent of tenants to send KSN usage information and other information to Kaspersky depending on the KSN usage mode that you selected (standard KSN or extended KSN).

All settings of the default tenant policy can be redefined in nested policies (all "locks" are open).

There must be a tenant policy in the Managed devices folder of the main Administration Server of Kaspersky Security Center to register events that occur during scans and protection of virtual machines of tenants, and to display virtual machines of tenants within the protected infrastructure of the KSC cluster and in the list of virtual machines protected by SVMs.

In the default tenant policy, you can configure the settings for notifications about events that occur during scans and protection of virtual machines of tenants.

Application database default update task

This task is displayed in the workspace of the Managed devices folder of the main Administration Server on the Tasks tab and is named Program database update.

The task is started each time an update package is downloaded to the storage of Kaspersky Security Center Administration Server, and it lets you update the databases on all SVMs.

Default Full Scan task

This task is displayed in the workspace of the Managed devices folder of the main Administration Server on the Tasks tab and is named Default Full Scan task.

This task lets you scan all virtual machines that are within the entire protected infrastructure but are not part of a vCloud Director organization.

The settings of the full scan task take the following values:

  • Security level – Recommended:
    • Archive scanning is disabled.
    • Scanning of self-extracting archives and embedded OLE objects is enabled.
    • Kaspersky Security does not scan compound files larger than 8 MB.
    • File scan duration is unlimited.
    • Kaspersky Security scans files of virtual machines to detect viruses, worms, Trojans, malicious tools, auto-dialers, adware, and multi-packed files.
  • Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.
  • Kaspersky Security does not scan powered-off virtual machines, virtual machine templates, or files on optical drives.
  • The scan task ends 120 minutes after the task was started.
  • Scan task exclusions are not defined.

You can manually run this task.

[Topic 57952]

Configuring the Integration Server

After installing the Integration Server, you must configure the settings for connecting the Integration Server to the virtual infrastructure.

The settings of the Integration Server can be configured in the Integration Server Console.

In this section:

Starting the Integration Server Console

Configuring the settings for connecting the Integration Server to the virtual infrastructure administration server

Changing passwords of Integration Server accounts

Viewing Integration Server settings

[Topic 90833]

Starting the Integration Server Console

If the computer hosting the Integration Server Console belongs to an Active Directory domain, make sure that your domain account belongs to the KLAdmins group or the group of local administrators on the computer where the Integration Server is installed.

To start the Integration Server Console:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. Start the Integration Server Console by clicking the Manage Kaspersky Security for Virtualization 6.0 Agentless link on the Monitoring tab in the Deployment section.
  3. If one of the following conditions is satisfied, a window opens for entering the Integration Server connection settings:
    • If the computer hosting the Integration Server Console does not belong to an Active Directory domain.
    • If the computer hosting the Integration Server Console belongs to a domain but a connection to the Integration Server could not be established using the connection address and port specified in the Integration Server Console settings.

    Specify the following connection settings:

    • Address and port of the Integration Server to which the connection is established.
    • User account for connecting to the Integration Server:
      • If the computer hosting the Integration Server Console belongs to a domain or your domain account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use the domain account. To do so, select the Use domain account check box.

        If you want to use the account of an Integration Server administrator (admin), enter the administrator account password in the Password field.

      • If the computer hosting the Integration Server Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin). Enter the password of the Integration Server administrator account in the Password field.

    Click the Connect button.

  4. The console checks the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Certificate verification window with the appropriate message opens. Click a link in this window to view the details of the certificate received. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    To continue connecting to the Integration Server, click the Consider certificate to be trusted button in the Certificate verification window. The certificate that has been received is installed as a trusted certificate. The certificate is saved in the registry of the operating system on the computer hosting the Integration Server Console.

The Integration Server Console opens.

[Topic 90434]

Configuring the settings for connecting the Integration Server to the virtual infrastructure administration server

Depending on the virtual infrastructure that you want to protect using Kaspersky Security, you need to configure a connection to the following virtual infrastructure administration servers:

  • To protect a virtual infrastructure managed by one or multiple VMware vCenter Servers, you need to configure the connection of the Integration Server to each of these VMware vCenter Servers.
  • To protect a virtual infrastructure managed by VMware vCenter Servers connected to the VMware vCloud Director Server, you need to configure connection of the Integration Server to each of these VMware vCenter Servers, and to the VMware vCloud Director Server.

The connection to each virtual infrastructure administration server is established separately.

In an infrastructure managed by VMware vCloud Director, you can connect the Integration Server to VMware vCenter Servers and VMware vCloud Director Servers in any order. The Integration Server automatically determines whether each added VMware vCenter Server is a standalone server or if it is connected to a VMware vCloud Director Server.

To configure the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Start the Integration Server Console.
  2. In the Virtual infrastructure protection section, click the Add button.
  3. In the opened Connection to virtual infrastructure window, select the type of virtual infrastructure administration server to which you need to configure a connection, and click Next.
  4. Specify the following settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the virtual infrastructure administration server to which the Integration Server connects.
    • Name and password of the account that the Integration Server uses to connect to the virtual infrastructure administration server.

    The entered connection settings (except the password) are saved in the registry of the operating system in encrypted form.

  5. Click the Validate button. The Integration Server checks the specified connection settings and the SSL certificate received from the virtual infrastructure administration server. If a connection could not be established or certificate errors are detected during the connection, the window displays an error message.

    If a connection error occurs because the certificate received from the virtual infrastructure administration server is not trusted for the Integration Server, the Certificate validation window opens. If the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish the connection. To do so, click the Install certificate button in the opened window. The received certificate is saved as a trusted certificate for the Integration Server.

    Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

    If there are problems with the SSL certificate, it is recommended that you make sure that the data transfer channel in use is secure.

  6. After establishing a connection with the virtual infrastructure administration server, click OK in the Connection to virtual infrastructure window.

    The entered address or name of the virtual infrastructure administration server is displayed in the table in the Virtual infrastructure protection section.

    If you configured a connection to the VMware vCloud Director Server and to the VMware vCenter Servers connected to it, the rows containing information about these VMware vCenter Servers are automatically grouped into a list located above the row of this VMware vCloud Director.

For each virtual infrastructure administration server, the table displays a list of actions that you can perform when configuring a connection to this server and for subsequent deployment of virtual infrastructure protection. You can expand or collapse the list of possible actions by clicking on the address or name of the virtual infrastructure administration server in the Address column.

If necessary, you can change or delete previously entered settings for connecting the Integration Server to the virtual infrastructure administration server.

To change the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Expand the list of possible actions for the selected virtual infrastructure administration server by clicking on the address or name of the virtual infrastructure administration server in the Address column.
  2. Depending on the type of virtual infrastructure administration server, select Change VMware vCenter Server connection settings or Change VMware vCloud Director connection settings. The Connection to virtual infrastructure window opens.
  3. Enter the new connection settings and verify the capability to connect, as described in the procedure for configuring the settings for connecting the Integration Server to the virtual infrastructure administration server (see items 4–6 of the previous instructions).

To delete the settings for connecting the Integration Server to the virtual infrastructure administration server:

  1. Expand the list of possible actions for the selected virtual infrastructure administration server by clicking on the address or name of the virtual infrastructure administration server in the Address column.
  2. Depending on the type of virtual infrastructure administration server, select Remove VMware vCenter Server from list or Remove VMware vCloud Director from list.
  3. Confirm the deletion in the window that opens.

    In an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, removal of a VMware vCenter Server from the list is possible only if Kaspersky Security services are not registered in VMware NSX Manager.

After configuring the connection between the Integration Server and one or several VMware vCenter Servers, you can proceed to deploying protection in the VMware virtual infrastructure.

[Topic 82510]

Changing passwords of Integration Server accounts

If necessary, in the Integration Server user accounts section you can change passwords for Integration Server user accounts:

  • Password of the Integration Server administrator account (admin).
  • Password of the account used for connecting SVMs to the Integration Server (svm).

    The svm account password is required to configure the connection between the SVM with the File Threat Protection component and the Integration Server that will support interaction between the VMware vCenter Server and the SVM.

  • Account password for interaction between VMware NSX Manager and the Integration Server (NSX_220E116B-B6D5-42).

Account names cannot be edited.

To change the password of the Integration Server account:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Integration Server user accounts section.
  3. In the table, select the name of the account whose password you want to change.
  4. Click the Change the account password link to open the Account password window and enter the new password in the Password and Confirm password fields.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  5. In the Account password window, click OK.

[Topic 176239]

Viewing Integration Server settings

To view Integration Server settings:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Integration Server settings section.

The right part of the Console shows the following settings of the Integration Server to which the connection has been established:

  • Integration Server version.
  • Name of the user account that was used to establish the connection to the Integration Server.
  • Type of authentication used when connecting to the Integration Server.
  • New IP address in IPv4 format or the fully qualified domain name (FQDN) of the Integration Server.

If you enabled the logging of information to the Integration Server trace file, you can view this file by clicking the View trace file link. The trace file can be viewed with the Notepad text editor.

[Topic 90476]

Registration of Kaspersky Security services

After configuring the connection between the Integration Server and the VMware vCenter Server, you must start the Kaspersky Security service registration process and enter the settings required for completing the following steps of application installation:

  • Registration of Kaspersky Security services in VMware NSX Manager: the file system protection service (Kaspersky File Antimalware Protection) and the network protection service (Kaspersky Network Protection)
  • Deployment of Kaspersky Security services
  • Initial configuration of new SVMs after deployment of Kaspersky Security services

Registration of Kaspersky Security services in VMware NSX Manager and configuration of new SVMs is performed by the Integration Server.

To enter the settings required for registration and deployment of Kaspersky Security services:

  1. Start the Integration Server Console.

    The Virtual infrastructure protection section opens.

  2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
  3. In the Manage protection section, select Register Kaspersky Security services.

This starts the Registration of Kaspersky Security Services Wizard. Follow the wizard instructions.

In this section:

  • Connecting to VMware NSX Manager
  • Selecting an SVM image for the file system protection service
  • Selecting an SVM image for the network protection service
  • Selecting the traffic processing mode for the Network Threat Protection component
  • Configuring the connection settings for an SVM
  • Creating passwords for accounts on SVMs
  • Selecting the time zone for SVMs
  • Configuring the settings for connecting to network data storage
  • Confirming Kaspersky Security settings
  • Registration of Kaspersky Security services
  • Exiting the wizard

[Topic 94564]

Connecting to VMware NSX Manager

At this step, specify the settings for connecting the Integration Server to VMware NSX Manager:

  • IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.
  • Name and password of the user account used to connect to VMware NSX Manager. The Enterprise Administrator role must be assigned to this user account.

At this step, you can also configure the settings used by VMware NSX Manager to transmit information to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that VMware NSX Manager can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting VMware NSX Manager to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to VMware NSX Manager and to the Integration Server using the specified settings.

When establishing the connection to VMware NSX Manager, the Wizard verifies the SSL certificate received from VMware NSX Manager. If the received certificate contains an error, the Wizard displays an error message. Click the View certificate link to view information about the received certificate.

If a connection error occurs because the certificate received from VMware NSX Manager is not trusted for the Integration Server but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, it is recommended that you make sure that the data transfer channel in use is secure.

If checking the Integration Server connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.
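The certificate checks described above (for the Integration Server, the virtual infrastructure administration server, and VMware NSX Manager) all end with an administrator deciding whether to trust a presented certificate. The following is an added example, not part of the Kaspersky guide or product: it compares the SHA-256 fingerprint of the presented certificate with a reference fingerprint that is assumed to have been obtained out of band (for example, from the certificate file on the server itself). All function names are hypothetical, and the sample certificate bytes are constructed.

```python
"""Compare a presented TLS certificate with a fingerprint obtained out of band."""
import hashlib
import ssl
from typing import Optional

HEX_DIGITS = frozenset("0123456789abcdef")

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed stand-in for DER-encoded certificate bytes"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_from_pem(pem_text: str) -> str:
    """Fingerprint of a certificate exported in PEM form on the server side."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex; return 64 lowercase hex digits."""
    cleaned = "".join(text.lower().replace(":", "").split())
    if len(cleaned) != 64 or not set(cleaned) <= HEX_DIGITS:
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fetch_presented_der(host: str, port: int) -> bytes:
    """Fetch the certificate the server presents, without validating it.

    Needs network access; host and port are whatever you typed into the
    connection window (placeholders here, not values from the guide).
    """
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


def assess_certificate(presented_der: bytes,
                       reference_fp: str,
                       previously_trusted_fp: Optional[str] = None) -> str:
    """Classify a presented certificate before anyone clicks a trust button.

    'unchanged'         same certificate that was trusted earlier
    'matches-reference' new or rotated certificate that equals the
                        out-of-band reference, so trusting it is justified
    'mismatch'          neither; do not trust, check the channel first
    """
    presented = sha256_fingerprint(presented_der)
    if (previously_trusted_fp is not None
            and presented == normalize_fingerprint(previously_trusted_fp)):
        return "unchanged"
    if presented == normalize_fingerprint(reference_fp):
        return "matches-reference"
    return "mismatch"


if __name__ == "__main__":
    # Reference computed on the server side from the exported PEM file.
    reference = fingerprint_from_pem(SAMPLE_PEM)
    print("reference fingerprint:", reference)
    # Same certificate seen over the network: safe to trust.
    print(assess_certificate(SAMPLE_DER, reference))
    # A different certificate on the wire: possible interception.
    print(assess_certificate(SAMPLE_DER + b"\x00", reference))
```

A "mismatch" result is the case the guide's advice about checking the data transfer channel applies to.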

[Topic 59759]

Selecting an SVM image for the file system protection service

If you want to install the File Threat Protection component, at this step you must specify the SVM image with the installed File Threat Protection component. The Integration Server registers the file system protection service (Kaspersky File Antimalware Protection) in VMware NSX Manager. After registration finishes, you can deploy the file system protection service on VMware clusters. As a result, SVMs with the File Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the File Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed File Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

  1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  2. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the File Threat Protection component, clear the Register the file system protection service check box.

Proceed to the next step of the wizard.

[Topic 187213]

Selecting an SVM image for the network protection service

If you wish to install the Network Threat Protection component, you must specify the SVM image with the installed Network Threat Protection component at this stage. The Integration Server registers the network protection service (Kaspersky Network Protection) in VMware NSX Manager. After registration finishes, you can deploy the network protection service on VMware clusters. As a result, SVMs with the Network Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the Network Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed Network Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify the SVM image, perform the following actions:

  1. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  2. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

If you do not want to install the Network Threat Protection component, clear the Register the network protection service check box.

Proceed to the next step of the wizard.

[Topic 90287]

Selecting the traffic processing mode for the Network Threat Protection component

If you specified an SVM image with the installed Network Threat Protection component at the previous step, at this step you need to select the traffic processing mode for the Network Threat Protection component. The traffic processing mode determines the settings of the application installed on an SVM with the Network Threat Protection component.

You can select one of the following traffic processing modes:

  • Standard mode. If this mode is selected, the virtual filter (VMware DVFilter) intercepts the traffic of virtual machines and sends it to Kaspersky Security to be scanned. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.

    This option is selected by default.

  • Monitoring mode. If this mode is selected, Kaspersky Security receives a copy of traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

After network protection service registration and SVM deployment, the traffic processing mode cannot be changed. To select a different traffic processing mode, you will have to remove the SVMs, unregister the network protection service, and then re-register the network protection service with the new traffic processing mode and deploy new SVMs.

Proceed to the next step of the wizard.

[Topic 90520]

Configuring the connection settings for an SVM

At this step, specify the IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.

At this step, you can also configure the settings for connecting an SVM to the Integration Server. The settings that the Integration Server Console used for connecting to the Integration Server are set by default. The Address field contains the fully qualified domain name (FQDN) of the computer on which the Integration Server is installed (if the computer is in a domain), the name of the computer in a Windows workgroup (if the computer is not in a domain), or the computer IP address.

Make sure that the SVM can connect to the Integration Server using the default settings or change those settings. To change the settings, select the Specify the settings for connecting SVMs to Integration Server check box, and specify the IP address or fully qualified domain name of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the Kaspersky Security Center and to the Integration Server using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

[Topic 90413]

Creating passwords for accounts on SVMs

At this step, create a password for the klconfig user account (configuration password) and a password for the root user account on SVMs. The configuration password is required for SVM reconfiguration. The root account is used for accessing the operating system on SVMs and for accessing SVM trace files.

Enter a password for each user account in the Password and Confirm password fields.

The passwords should be up to 60 characters long. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

To prevent unauthorized access to an SVM after SVM deployment, it is recommended to change the configuration password regularly. You can change the configuration password by using the Kaspersky Security reconfiguration procedure.
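The password rules above are the same ones the guide gives for Integration Server account passwords. The following is an added example, not part of the Kaspersky guide or product, that pre-checks a candidate password against those rules before it is typed into the wizard. The hard limits (length and character set) are reported as errors and the guide's recommendations as warnings; the function and type names are hypothetical and the sample passwords are constructed.

```python
"""Pre-check a candidate password against the rules quoted in the guide."""
import string
from typing import List, NamedTuple

MAX_LENGTH = 60              # hard limit from the guide
RECOMMENDED_MIN_LENGTH = 8   # recommendation from the guide
RECOMMENDED_CATEGORIES = 3   # "at least three of the four categories"

# The four categories. The special characters are copied from the guide's list.
CATEGORIES = {
    "lowercase letters": frozenset(string.ascii_lowercase),
    "uppercase letters": frozenset(string.ascii_uppercase),
    "numerals": frozenset(string.digits),
    "special characters": frozenset("!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~"),
}
ALLOWED = frozenset().union(*CATEGORIES.values())


class PasswordCheck(NamedTuple):
    accepted: bool        # False when a hard rule is broken
    errors: List[str]     # violations of the length or character-set rule
    warnings: List[str]   # recommendations that are not met


def check_password(password: str) -> PasswordCheck:
    errors: List[str] = []
    warnings: List[str] = []

    if len(password) > MAX_LENGTH:
        errors.append(f"length {len(password)} exceeds {MAX_LENGTH} characters")

    # Compare against explicit sets: str.isalpha() would also accept
    # non-Latin letters such as Cyrillic U+0430, which looks like Latin "a".
    rejected = sorted({ch for ch in password if ch not in ALLOWED})
    if rejected:
        listed = ", ".join(f"{ch!r} (U+{ord(ch):04X})" for ch in rejected)
        errors.append(f"characters outside the allowed set: {listed}")

    if len(password) < RECOMMENDED_MIN_LENGTH:
        warnings.append(
            f"shorter than the recommended {RECOMMENDED_MIN_LENGTH} characters")

    present = set(password)
    used = [name for name, chars in CATEGORIES.items() if chars & present]
    if len(used) < RECOMMENDED_CATEGORIES:
        warnings.append(
            f"uses {len(used)} of 4 character categories, "
            f"{RECOMMENDED_CATEGORIES} recommended")

    return PasswordCheck(not errors, errors, warnings)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for candidate in ("Kx7#mPq2vL", "abc", "pass word1A", "P\u0430ssw0rd!x"):
        result = check_password(candidate)
        print(repr(candidate), "accepted" if result.accepted else "rejected")
        for line in result.errors:
            print("  error:  ", line)
        for line in result.warnings:
            print("  warning:", line)
```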

Proceed to the next step of the wizard.

[Topic 66919]

Selecting the time zone for SVMs

At this step, you can select the time zone that will be used on all SVMs. By default, the time zone for SVMs corresponds to the time zone that has been set on the computer on which the Integration Server Console is installed.

If you need to change the time zone for SVMs, select a value from the drop-down list.

Proceed to the next step of the wizard.

[Topic 96372]

Configuring the settings for connecting to network data storage

At this step, you can configure the following settings for using network data storage:

  • Allow or block the use of network data storage for SVMs.
  • Specify the settings for connecting SVMs to network data storage.

Network data storage can be used for storing backup copies of files that have been moved to Backups on SVMs. By default, SVMs do not use network data storage.

If you want to allow the use of network data storage for SVMs, select the Use network data storage option and define the following settings for connecting to storage:

  • Network data storage address in UNC format.

    The defined address cannot be localhost or 127.0.0.1.

  • Account used by SVMs to connect to the network data storage, in the format <domain>\<user name>.
  • Connection account password.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the network data storage using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

[Topic 127622]

Confirming Kaspersky Security settings

At this step, check the entered settings of Kaspersky Security.

Proceed to the next step of the wizard to start registration of Kaspersky Security services.

[Topic 90487]

Registration of Kaspersky Security services

This step displays information about operations that are performed by the Integration Server in order to register Kaspersky Security services and prepare the configuration settings that will be distributed to new SVMs after they are deployed.

If an error occurs during these operations, the Wizard displays the relevant information and rolls back the changes.

After all operations have been completed, proceed to the next step of the Wizard.

[Topic 67106]

Exiting the wizard

This step displays information about the result of Kaspersky Security service registration.

If the services were registered successfully, exit the Wizard.

If registration of services ended with an error, the Wizard displays information about the error. If this is the case, exit the Wizard, eliminate the cause of the error, and restart the procedure. For detailed information about errors, you can view the Integration Server trace files (if you enabled the logging of information to Integration Server trace files).

[Topic 58521]

Viewing registered services in the VMware vSphere Web Client console

Registration of Kaspersky Security services in VMware NSX Manager is performed by the Integration Server.

You can view the list of registered services in the VMware vSphere Web Client console in the Networking & Security → Service Definitions section on the Services tab.

The Integration Server is registered as Kaspersky Service Manager in VMware NSX Manager.

You can view the list of registered Service Managers in the VMware vSphere Web Client console in the Networking & Security → Service Definitions section on the Service Managers tab.

For more details about viewing registered services and Service Managers, please refer to the Knowledge Base.

[Topic 90477]

Deploying SVMs with the File Threat Protection and Network Threat Protection components

To deploy SVMs with Kaspersky Security components on VMware ESXi hypervisors, you need to deploy Kaspersky Security services on VMware clusters. Deployment of Kaspersky Security services is performed in the VMware vSphere Web Client console.

To deploy SVMs with Kaspersky Security components:

  1. In the VMware vSphere Web Client console, start the Deployment Wizard for network services and protection services for virtual machines (the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
  2. Use the Wizard to specify the following settings:
    1. In the table, select the service that you need to deploy:
      • Kaspersky File Antimalware Protection service, if you want to deploy an SVM with the File Threat Protection component
      • Kaspersky Network Protection service, if you want to deploy an SVM with the Network Threat Protection component

      You can select both Kaspersky Security services if you need to deploy an SVM with the File Threat Protection component and an SVM with the Network Threat Protection component on the same hypervisors and assign the same settings to them. If the SVM settings or the hypervisors on which the SVMs will be deployed must be different, you need to separately deploy the Kaspersky Security services.

    2. Select one or more VMware clusters on which you want to deploy SVMs with Kaspersky Security components.
    3. If required, change the default settings for all SVMs that will be deployed on hypervisors within every selected VMware cluster:
      • Network that will be used by SVMs.
      • Storage for SVM deployment.
      • Method of assigning IP addresses. By default, SVMs receive network settings via the DHCP protocol. You can configure a static pool of IP addresses that will be used for assigning IP addresses to the SVMs.
  3. Finish the Wizard and wait for deployment of Kaspersky Security services to complete.

SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component will be deployed on each hypervisor within each VMware cluster that you selected.

For more details about the procedure for deploying SVMs with Kaspersky Security components, please refer to the Knowledge Base.

[Topic 90832]

Configuring NSX Security Groups

NSX Security Groups are configured in the VMware vSphere Web Client console. You must include all virtual machines that you want to protect with Kaspersky Security into one or multiple NSX Security Groups.

To configure an NSX Security Group:

  1. In the VMware vSphere Web Client console, start the NSX Security Group Wizard in the Networking & Security → Service Composer section on the Security Groups tab.
  2. Using the Wizard, enter the name of the new NSX Security Group (for example, "Kaspersky Security Group" or "Protected by Kaspersky") and configure the rules for including virtual machines into the group.

    Virtual machines can be included into an NSX Security Group using the following methods:

    • Dynamic inclusion of virtual machines into the NSX Security Group. The group includes all virtual machines that meet the criteria that you specify.
    • Inclusion of specified VMware virtual infrastructure objects into the NSX Security Group. You can select objects to be included in the group, such as a Datacenter object, VMware cluster, resource pool, or individual virtual machines. By default, the group includes all child objects of the specified object. You can also specify individual virtual infrastructure objects to be excluded from the NSX Security Group.

    You can combine these methods when configuring rules for including virtual machines into the NSX Security Group. For example, you can configure dynamic inclusion of virtual machines into the group based on specific criteria, and specify VMware inventory objects that must be excluded from the group.

For more details on configuring NSX security groups, please refer to the Knowledge Base.

[Topic 56691]

Configuring and applying NSX Security Policies

NSX Security Policies are configured in the VMware vSphere Web Client console. The configured NSX Security Policies must be applied to previously created NSX Security Groups.

You must configure the use of Kaspersky Security services in each NSX Security Policy:

  • File system protection service (Kaspersky File Antimalware Protection), if you want to protect virtual machines from file threats.
  • Network protection service (Kaspersky Network Protection), if you want to protect virtual machines from network threats.

To configure and apply an NSX security policy:

  1. In the VMware vSphere Web Client console, start the NSX Security Policy Wizard in the Networking & Security → Service Composer section on the Security Policies tab.
  2. If you want to protect virtual machines against file threats, at the Guest Introspection Services step of the Wizard, add the Kaspersky File Antimalware Protection service with a user-defined name and the default action (Apply).
  3. If you want to scan outbound traffic of virtual machines, at the Network Introspection Services step of the Wizard, add the Kaspersky Network Protection service and specify the following values for its settings:
    • User-defined name
    • Redirection of traffic to the network protection service (Kaspersky Network Protection) is enabled (Redirect to service setting)
    • Source – Policy's Security Groups (selected by default)
    • Destination – Any (selected by default)
  4. If you want to scan inbound traffic of virtual machines, at the Network Introspection Services step of the Wizard, add the Kaspersky Network Protection service and specify the following values for its settings:
    • User-defined name
    • Redirection of traffic to the network protection service (Kaspersky Network Protection) is enabled (Redirect to service setting)
    • Source – Any
    • Destination – Policy's Security Groups
  5. Finish the NSX Security Policy Wizard.
  6. In the list of NSX security policies on the Security Policies tab, apply the policy (Apply) to the NSX Security Group that includes the protected virtual machines.

For more details about configuring NSX security policies, please refer to the Knowledge Base.

[Topic 58068]

Configuring protection of tenant organizations

The actions described in this section must be performed only if you are using the application in multitenancy mode.

To configure protection of tenant organizations, you need to do the following after installing the application:

  1. In the Kaspersky Security Center Administration Console, for each tenant whose virtual machines need to be protected, create a virtual Administration Server and account that will be used by the tenant administrator to connect to the virtual Administration Server.
  2. In the Kaspersky Security Center Administration Console, create the account that the Integration Server will use to connect to the Kaspersky Security Center Administration Server. This connection is required for obtaining information about virtual Administration Servers created in Kaspersky Security Center, and for configuring mappings between virtual Administration Servers and vCloud Director organizations that contain virtual machines of tenants.
  3. In the Integration Server Console, connect the Integration Server to the Kaspersky Security Center Administration Server and configure the list of mappings of vCloud Director organizations to virtual Administration Servers of Kaspersky Security Center.

    If a vCloud Director organization is not mapped to a virtual Administration Server, Kaspersky Security does not protect the virtual machines that are part of this vCloud Director organization.

  4. Provide the following information to the tenant administrator:
    • Integration Server address.
    • Address of the virtual Administration Server configured for this tenant.
    • Name and password of the account used to connect to the virtual Administration Server.
  5. Make sure that the application is prepared for operation and that policies are configured for the protection of the virtual infrastructure of each tenant:
    • For File Threat Protection, a tenant policy must be configured on each virtual Administration Server of Kaspersky Security Center corresponding to the tenant organization.
    • For Network Threat Protection, there must be a configured main policy whose scope includes the virtual machines of the tenant.

In this section:

Creating a virtual Administration Server for a tenant

Connecting the Integration Server to the Kaspersky Security Center Administration Server

Configuring a list of mappings of vCloud Director organizations to virtual Administration Servers

[Topic 58070]

Creating a virtual Administration Server for a tenant

The actions described in this section must be performed only if you are using the application in multitenancy mode.

A virtual Administration Server is required for managing the protection of virtual machines that are part of a vCloud Director organization.

The virtual Administration Server must be created in the Administration Servers subfolder within the administration group that contains the "VMware vCloud Director Agentless" cluster. The cluster must correspond to the VMware vCloud Director Server that manages the vCloud Director organization containing the virtual machines of the tenant.

To create a virtual Administration Server of Kaspersky Security Center:

  1. In the Kaspersky Security Center Administration Console, in the Managed devices folder, select the administration group containing the "VMware vCloud Director Agentless" cluster and then select the Administration Servers subfolder.
  2. In the workspace of the Administration Servers folder, click the Add virtual Administration Server link.

    The New Virtual Administration Server Wizard starts.

  3. At the first step of the Wizard, specify the name of the created virtual Administration Server.

    The name of a virtual Administration Server cannot contain more than 255 characters or the following special characters: " * < > ? \ : |.

    Proceed to the next step of the wizard.

  4. Specify the address of the Kaspersky Security Center Administration Server on which the virtual Administration Server is being created, and proceed to the next step of the Wizard.
  5. Specify the account that the tenant administrator will use to connect to the virtual Administration Server. You can specify a previously created account of an internal user of Kaspersky Security Center or create an account by using the Create button.

    Proceed to the next step of the wizard.

  6. Start the creation of the virtual Administration Server by clicking Next.
  7. At the next step, clear the All packages check box (installation packages are not required for application operation), proceed to the next step, and finish the Wizard.

A node named Administration Server – <Virtual Server name> will be created in the console tree.

For more details about working with virtual Administration Servers, please refer to the Kaspersky Security Center documentation.

[Topic 188083]

Connecting the Integration Server to the Kaspersky Security Center Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

The Integration Server must be connected to the Kaspersky Security Center Administration Server to receive information about virtual Administration Servers created in Kaspersky Security Center.

To connect the Integration Server to the Kaspersky Security Center Administration Server:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Manage protection of tenant organizations section.
  3. In the Settings for connecting to Kaspersky Security Center section, specify the connection settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the Kaspersky Security Center Administration Server.
    • Name and password of the account used by the Integration Server to connect to the Kaspersky Security Center Administration Server.
  4. Click the Connect button. The status of the connection between the Integration Server and the Kaspersky Security Center Administration Server is displayed in the Kaspersky Security Center connection status section in the upper part of the window.

After connecting the Integration Server to the Kaspersky Security Center Administration Server, you can map virtual Administration Servers to vCloud Director organizations containing virtual machines of tenants.

If a connection was already established and you want to change the connection settings, you can disconnect the current connection by using the Disconnect button located in the Kaspersky Security Center connection status section and then connect with the new settings.

If the Kaspersky Security Center Administration Server includes one or multiple virtual Administration Servers that are mapped to vCloud Director organizations, a warning is displayed when there is a disconnection attempt. If there is no connection, you cannot set new mappings between virtual Administration Servers and vCloud Director organizations. The previously set mappings are retained.

[Topic 188228]

Configuring a list of mappings of vCloud Director organizations to virtual Administration Servers

The actions described in this section must be performed only if you are using the application in multitenancy mode.

The list of mappings of vCloud Director organizations to virtual Administration Servers is configured in the Integration Server Console. In the list of mappings, you can do the following:

  • Map vCloud Director organizations to virtual Kaspersky Security Center Administration Servers.
  • View the list of mappings.
  • Cancel mapping.

To open the list of mappings of vCloud Director organizations to virtual Administration Servers:

  1. Start the Integration Server Console.
  2. In the list on the left, select the Manage protection of tenant organizations section and make sure that the Integration Server is connected to the Kaspersky Security Center Administration Server. Connect if a connection is not already established.

    If the Integration Server is not connected to the Kaspersky Security Center Administration Server, you cannot set new mappings between virtual Administration Servers and vCloud Director organizations. Previously set mappings are retained, but you can cancel them.

  3. Open the list of mappings of vCloud Director organizations to virtual Administration Servers by using one of the following methods:
    • In the Virtual infrastructure protection section, expand the list of available actions for a VMware vCloud Director Server that manages a vCloud Director organization, and click the Map vCloud Director organizations link. This opens the list of mappings for vCloud Director organizations that are managed by one VMware vCloud Director Server.
    • In the Manage protection of tenant organizations section, click the Open list button located in the vCloud Director organizations to virtual administration Servers mapping list section. This opens the list of mappings for vCloud Director organizations that are managed by all VMware vCloud Director servers.

    The vCloud Director organizations to virtual administration Servers mapping list window opens.

The list of mappings is displayed as a table. Each row of the table contains the following data:

  • Virtual Server – name of the virtual Administration Server mapped to an organization from the vCloud Director organization column. If no mapping to a vCloud Director organization is set for this virtual Administration Server, the column displays the value none.
  • vCloud Director organization – name of the vCloud Director organization mapped to the virtual Administration Server from the Virtual Server column. If no mapping to a virtual Administration Server is set for this vCloud Director organization, the column displays the value none.
  • VMware vCloud Director – IP address or name of the VMware vCloud Director Server that manages the organization from the vCloud Director organization column. If a vCloud Director organization is not indicated in this row of the table, the column displays the value none.

When viewing the list of mappings, you can use the following capabilities:

  • Filter. To apply a filter, you can use the following links located above the table:
    • All – show all rows in the table. This value is selected by default.
    • Mapped – show only rows displaying the name of a vCloud Director organization and the name of the virtual Administration Server that is mapped to it.
    • Not mapped – show only rows displaying the name of a vCloud Director organization or the name of a virtual Administration Server that is not mapped.
  • Search any column of the table. You can enter a search criterion in the search bar located above the table to find a vCloud Director organization, virtual Administration Server, or VMware vCloud Director Server. The search starts as you enter characters. The table displays all rows that contain a value that satisfies the search criteria. To reset the search results, delete the contents of the search field.

In this section:

Mapping a vCloud Director organization to a virtual Administration Server

Unmapping a vCloud Director organization from a virtual Administration Server

[Topic 126929]

Mapping a vCloud Director organization to a virtual Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

To map a vCloud Director organization to a virtual Administration Server:

  1. Start the Integration Server Console.
  2. Select the Manage protection of tenant organizations section and make sure that the Integration Server is connected to the Kaspersky Security Center Administration Server. Connect if a connection is not already established.
  3. Open the list of mappings of vCloud Director organizations to virtual Administration Servers.
  4. Do one of the following:
    • If you want to set mapping for a vCloud Director organization, in the table find the row that contains the name of the vCloud Director organization, and click the link located in the Virtual Server column. The Select a virtual Administration Server window opens. The window displays a list of all virtual Administration Servers that have not yet been mapped to a vCloud Director organization.
    • If you want to set mapping for a virtual Administration Server, in the table find the row that contains the name of the virtual Administration Server, and click the link located in the vCloud Director organization column. The Select a vCloud Director organization window opens. The window displays a list of all vCloud Director organizations that have not yet been mapped to a virtual Administration Server. The list of vCloud Director organizations is grouped by VMware vCloud Director servers.

    To search for the relevant row in the table, you can use the filter or search bar.

  5. In the opened window, select the virtual Administration Server or vCloud Director organization and click OK.

    The selection window closes, and the new mapping appears in the vCloud Director organizations to virtual administration Servers mapping list window.

[Topic 188211]

Unmapping a vCloud Director organization from a virtual Administration Server

The actions described in this section must be performed only if you are using the application in multitenancy mode.

If a vCloud Director organization was removed from VMware vCloud Director or if the virtual machines that are part of a vCloud Director organization no longer need to be protected, you can cancel a previously set mapping between a vCloud Director organization and a virtual Administration Server.

To cancel mapping between a vCloud Director organization and a virtual Administration Server:

  1. Start the Integration Server Console.
  2. Open the list of mappings of vCloud Director organizations to virtual Administration Servers.
  3. In the table, find the row containing the vCloud Director organization and virtual Administration Server whose mapping you want to cancel.

    To search for the relevant row in the table, you can use the filter or search bar.

  4. Click the Cancel mapping icon located in the row, and confirm the unmapping in the opened window.
  5. Close the vCloud Director organizations to virtual administration Servers mapping list window.

If a vCloud Director organization is not mapped to a virtual Administration Server, Kaspersky Security does not protect the virtual machines that are part of this vCloud Director organization.

[Topic 90415]

Preparing the application for operation and initial configuration

After the application is installed, you must prepare the application for operation. To do so, perform the following actions:

In this Help section

Activating the application on new SVMs

Updating application databases on new SVMs

Enabling protection of virtual machines

Creating a main policy

Creating a tenant policy

[Topic 60882]

Activating the application on new SVMs

To activate the application, you must add a license key to all SVMs. It is recommended to configure an activation task that will be automatically started on all new SVMs immediately after they are deployed.

If you are using a licensing scheme that is based on the number of protected virtual machines, you need to create two activation tasks for protection of virtual machines running desktop operating systems and running server operating systems: a task for adding a server key to SVMs and a task for adding a desktop key to SVMs.

To configure an activation task:

  1. Add a license key to Kaspersky Security Center key storage.
  2. In the tree of the Kaspersky Security Center Administration Console, select the Managed devices folder. In the workspace, select the Tasks tab and click the New task button. The New Task Wizard starts.
  3. Specify the application for which the task is being created, and the type of task. To do so, in the Kaspersky Security for Virtualization 6.0 Agentless list, select Application activation.

    Proceed to the next step of the wizard.

  4. Click the Select button. The Select a key window opens. Select a key from the Kaspersky Security Center key storage and click the OK button.

    Proceed to the next step of the wizard.

  5. Configure the task run schedule settings:
    • In the Scheduled start drop-down list, select the Once mode. In the Start date and Start time fields, leave the default settings.
    • Select the Run skipped tasks check box.

    Proceed to the next step of the wizard.

  6. Enter the name of the task and proceed to the next step of the wizard.
  7. Finish the wizard.

According to the configured schedule settings, the task will start on all new SVMs immediately after they are deployed. You can view information on the results of a task in the Kaspersky Security Center Administration Console.

[Topic 58822]

Updating application databases on new SVMs

After installing the Kaspersky Security administration plug-in, the application database update task is automatically created. This task is started each time an update package is downloaded to the storage of Kaspersky Security Center Administration Server, and it lets you update the application databases on all SVMs. You can use the automatically created database update task. If necessary, you can change the settings of this task or delete it, and configure the application database update task for SVMs of one or several KSC clusters belonging to one administration group.

To update the application databases after the application is installed or upgraded:

  1. Make sure that a download updates to the storage task has been created in Kaspersky Security Center. If the download updates to the storage task does not exist, create it (see the Kaspersky Security Center documentation).
  2. Manually start the download updates to the storage task or wait for a scheduled task to start automatically. Make sure that the download updates to the storage task has been completed successfully (see Kaspersky Security Center documentation for details).
  3. Make sure that an application database update task has been created in Kaspersky Security Center.

    The application database update task that was automatically created after installation of the Kaspersky Security administration plug-in is located on the Tasks tab in the Managed devices folder.

    If the application database update task has not been created, create it.

  4. Wait for the application database update task to start according to the schedule or manually start the task.
  5. Make sure that the application database update task has been completed successfully.

After the application has been installed or upgraded, SVMs relay information to Kaspersky Security Center regarding the type of application databases required for the operation of Kaspersky Security. If Kaspersky Security Center has not yet downloaded the necessary databases to the storage when the database update task is started, the task could end with an error. If this is the case, you can manually start the download updates to the storage task, wait for it to complete, and then manually start the application database update task.

Kaspersky Security checks the integrity of application databases during updates. If this check is unsuccessful, the application database update task ends with an error and Kaspersky Security continues to use the previous set of application databases. If the application database update task ends with an error on new SVMs, you are advised to contact Technical Support. If application databases are missing from SVMs, Kaspersky Security will not protect the virtual machines.

[Topic 57660]

Enabling protection of virtual machines

By default, Kaspersky Security does not protect virtual machines. After installing Kaspersky Security, you must enable protection of virtual machines by using a policy.

For File Threat Protection of virtual machines that are not part of vCloud Director organizations, you can use the default main policy, or create a main policy.

If the application is operating in multitenancy mode, protection of the virtual infrastructure of tenants against file threats requires that you create a tenant policy on each virtual Administration Server of Kaspersky Security Center corresponding to the tenant organization. A tenant policy can be created by the provider's administrator or the tenant's administrator. The settings for protecting the virtual infrastructure of tenants against network threats are determined by the main policy whose scope includes the virtual machines of the tenant.

File Threat Protection

To protect a virtual machine against file threats, you need to assign a protection profile to the virtual machine. A virtual machine that has no assigned protection profile is excluded from protection.

A protection profile can be assigned directly to virtual infrastructure objects (including virtual machines) or by mapping a protection profile to an NSX Profile Configuration that is applied to virtual machines.

You can assign the main protection profile that is generated automatically when a policy is created, or create and assign additional protection profiles if you want to use different protection settings for different virtual infrastructure objects. Profiles are assigned in policy properties.

Kaspersky Security protects only those virtual machines that meet all the conditions for virtual machine protection from file threats.

Network Threat Protection

To protect a virtual machine against network threats, you need to configure the settings for Intrusion Prevention and/or Web Addresses Scan in the properties of the policy whose scope includes the virtual machine.

Kaspersky Security protects only those virtual machines that meet all the conditions for virtual machine protection from network threats.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.
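
Because protection is off by default and each missing prerequisite leaves a virtual machine unprotected without further notice, it helps to check coverage against an inventory. The following Python sketch is an added example, not part of Kaspersky Security: it applies only the conditions stated in this Help section to a hand-assembled inventory. The CSV layout (the three columns of the mapping list window), the `Svm` and `Vm` records, their field names and all sample values are constructed for illustration.

```python
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three columns of the mapping list window, typed out
# as CSV. "none" is the value the window shows where no mapping is set.
MAPPING_CSV = """\
Virtual Server,vCloud Director organization,VMware vCloud Director
vs-tenant-a,org-a,vcd.example.test
none,org-b,vcd.example.test
vs-tenant-c,none,none
vs-tenant-d,org-d,vcd.example.test
"""


@dataclass
class Svm:
    has_license_key: bool
    has_databases: bool


@dataclass
class Vm:
    name: str
    svm: str                  # hypothetical field: name of the SVM serving this VM
    org: Optional[str]        # vCloud Director organization, or None
    profile_assigned: bool    # a protection profile is assigned in the policy
    network_configured: bool  # Intrusion Prevention and/or Web Addresses Scan is
                              # configured in a policy whose scope includes the VM


def parse_mappings(text):
    """Return ({organization: virtual server or None}, [unmapped virtual servers])."""
    org_to_vs, spare_servers = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        vs = row["Virtual Server"].strip()
        org = row["vCloud Director organization"].strip()
        vs = None if vs.lower() == "none" else vs
        org = None if org.lower() == "none" else org
        if org is not None:
            org_to_vs[org] = vs
        elif vs is not None:
            spare_servers.append(vs)
    return org_to_vs, spare_servers


def protection_gaps(vm, svms, org_to_vs, tenant_policy_servers):
    """List the reasons, taken from this section, why a VM is not protected."""
    gaps = []
    svm = svms.get(vm.svm)
    if svm is None:
        gaps.append("all: no SVM recorded for this VM")
    else:
        if not svm.has_license_key:
            gaps.append("all: application not activated on SVM " + vm.svm)
        if not svm.has_databases:
            gaps.append("all: application databases missing on SVM " + vm.svm)
    if vm.org is not None:
        vs = org_to_vs.get(vm.org)
        if vs is None:
            gaps.append("all: organization " + vm.org
                        + " is not mapped to a virtual Administration Server")
        elif vs not in tenant_policy_servers:
            gaps.append("file: no tenant policy on virtual Administration Server " + vs)
    if not vm.profile_assigned:
        gaps.append("file: no protection profile assigned")
    if not vm.network_configured:
        gaps.append("network: no Intrusion Prevention or Web Addresses Scan settings in scope")
    return gaps


def audit(vms, svms, mapping_csv, tenant_policy_servers):
    """Return {VM name: [gaps]} for every VM that has at least one gap."""
    org_to_vs, _ = parse_mappings(mapping_csv)
    report = {}
    for vm in vms:
        gaps = protection_gaps(vm, svms, org_to_vs, tenant_policy_servers)
        if gaps:
            report[vm.name] = gaps
    return report


def run_sample():
    # Constructed inventory: svm-02 has a key but no databases yet.
    svms = {"svm-01": Svm(True, True), "svm-02": Svm(True, False)}
    vms = [
        Vm("web-a1", "svm-01", "org-a", True, True),
        Vm("db-b1", "svm-01", "org-b", True, True),
        Vm("crm-d1", "svm-01", "org-d", True, True),
        Vm("app-x", "svm-02", None, False, False),
    ]
    # Virtual Administration Servers on which a tenant policy exists.
    return audit(vms, svms, MAPPING_CSV, tenant_policy_servers={"vs-tenant-a"})


if __name__ == "__main__":
    for name, gaps in run_sample().items():
        print(name, gaps)
```

Gaps prefixed with "all" block both File Threat Protection and Network Threat Protection; the other prefixes name the single component affected.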

[Topic 83454]

Creating a main policy

The main policy determines the File Threat Protection settings for virtual machines that are not part of vCloud Director organizations, the Network Threat Protection settings for virtual machines, and the application operating settings.

To create the main policy:

  1. In the Kaspersky Security Center Administration Console, start the New Policy Wizard:
    1. In the console tree, select the folder or administration group in which you want to create a policy.
    2. In the workspace, select the Policies tab and click the New policy button.
  2. At the first step of the New Policy Wizard, select Kaspersky Security for Virtualization 6.0 Agentless from the list and proceed to the next step of the Wizard.
  3. Enter the name of the new policy and proceed to the next step of the wizard.
  4. The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

    If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default. You can also use the Integration Server administrator account (admin). To do so, clear the Use domain account check box and enter the administrator password in the Password field.

    If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

    If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

    The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

    Proceed to the next step of the Policy Wizard.

    The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

    After the connection is established, the Choice of protected infrastructure window opens. Select one of the following options:

    • If you are creating a policy in an administration group that contains the "VMware vCenter Agentless" cluster, select the One VMware vCenter Server option. Then select the listed VMware vCenter Server corresponding to this KSC cluster.

      If the selected VMware vCenter Server does not correspond to the administration group that contains the policy, Kaspersky Security does not protect virtual machines.

    • If you are creating a policy located in any other folder or administration group, select the Entire protected infrastructure option.

    Click OK in the Choice of protected infrastructure window.

  5. At this step, you can change the default settings of the main protection profile.

    If a policy is being created in a group that contains the "VMware vCenter Agentless" cluster, the main protection profile is assigned to the VMware vCenter Server by default and is inherited by all child objects of the virtual infrastructure.

    Proceed to the next step of the wizard.

  6. At this step, you can enable SNMP monitoring of the SVM status.

    To prevent unauthorized access to the SNMP service, you can create a list of IP addresses to which the SNMP Agent must relay SVM status information.

    Proceed to the next step of the wizard.

  7. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
    • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
    • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

    If you want the application to use Private KSN in its operations, select the Use Private KSN check box.

    If you want Kaspersky Security to use KSN, make sure that the required KSN type is configured in Kaspersky Security Center. To use Global KSN, the KSN proxy server service must be enabled in Kaspersky Security Center. To use Private KSN, it must be enabled and configured in Kaspersky Security Center. See the Kaspersky Security Center documentation for more information.

    If necessary, you will be able to change the settings for KSN usage in the application at a later time.

    Proceed to the next step of the wizard.

  8. Exit the Policy Wizard.

The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

After creating a policy, you can assign protection profiles to virtual machines that you want to protect.

In a policy located in an administration group that contains the "VMware vCenter Agentless" cluster, file protection is enabled by default (the main protection profile is used). In policies located in the Managed devices folder or in the administration group that contains the "VMware vCloud Director Agentless" cluster, file protection is disabled by default.

Network protection is disabled by default in all policies. You can configure Network Threat Protection settings in policy properties.

The policy will be applied to SVMs after the Kaspersky Security Center Administration Server relays the information to Kaspersky Security at the next SVM connection. Kaspersky Security will start protecting virtual machines according to the policy settings.

If no license key has been added on an SVM or the application databases are missing, the SVM does not protect the virtual machines.
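
The certificate handling in step 4 of this wizard, which is repeated in the New Policy Wizard for a tenant policy, is a trust-on-first-use decision: whatever certificate is installed as trusted becomes the reference for later connections. The following Python sketch is an added example, not code from Kaspersky Security. It models that decision and accepts a received certificate only when its SHA-256 fingerprint equals one obtained separately on the Integration Server itself. The class and function names, the address `integration.example.test` and the byte strings standing in for certificates are constructed for illustration.

```python
import hashlib
import hmac
import ssl


def fetch_der(address, port):
    """Fetch the certificate a server presents, without trusting it yet."""
    pem = ssl.get_server_certificate((address, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def fingerprint(der):
    """SHA-256 over the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp):
    """Accept 'AA:BB:...', 'aa bb ...' or plain hex."""
    return "".join(fp.split()).replace(":", "").lower()


class TrustedCertificates:
    """Model of the per-address trusted certificate kept by the console."""

    def __init__(self):
        self._pins = {}  # address -> SHA-256 fingerprint (hex)

    def check(self, address, der):
        """'unknown': nothing installed yet; 'match'; or 'changed'."""
        pinned = self._pins.get(address)
        if pinned is None:
            return "unknown"
        same = hmac.compare_digest(pinned, fingerprint(der))
        return "match" if same else "changed"

    def install(self, address, der, out_of_band_fp):
        """Install or replace the trusted certificate only when the received
        one equals the fingerprint read on the server itself."""
        if not hmac.compare_digest(fingerprint(der), normalize(out_of_band_fp)):
            return False
        self._pins[address] = fingerprint(der)
        return True


def run_scenario():
    # Constructed byte strings standing in for DER-encoded certificates.
    genuine = b"constructed-der-of-the-integration-server-certificate"
    other = b"constructed-der-of-some-other-certificate"
    address = "integration.example.test"

    # Fingerprint as an administrator might copy it: upper case, colon-separated.
    hex_fp = fingerprint(genuine)
    copied = ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()

    store = TrustedCertificates()
    results = []
    # First connection: nothing is trusted yet.
    results.append(store.check(address, genuine))
    # The received certificate is not the one the server really holds: refuse.
    results.append(store.install(address, other, copied))
    # The received certificate matches the out-of-band fingerprint: install.
    results.append(store.install(address, genuine, copied))
    # Later connection with the same certificate.
    results.append(store.check(address, genuine))
    # Later connection with a different certificate: the case in which the
    # wizard asks to confirm replacement of the installed certificate.
    results.append(store.check(address, other))
    return results


if __name__ == "__main__":
    print(run_scenario())
```

A "changed" result corresponds to the replacement confirmation window; the same fingerprint comparison applies before answering Yes there.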


[Topic 179542]

Creating a tenant policy

A tenant policy is used only if the application is operating in multitenancy mode. A tenant policy lets you configure the File Threat Protection settings for virtual machines that are part of vCloud Director organizations.

To create a tenant policy:

  1. In the Kaspersky Security Center Administration Console, start the New Policy Wizard:
    1. In the console tree, select the folder or administration group in which you want to create a policy.
    2. In the workspace, select the Policies tab and click the New policy button.
  2. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) from the list and proceed to the next step of the Wizard.
  3. Enter the name of the new policy and proceed to the next step of the wizard.
  4. Specify the Integration Server address and proceed to the next step of the Wizard.

    The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

    The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

  5. At this step, you can change the default settings of the main protection profile.

    In the policy located in the Managed devices folder of the virtual Administration Server, the main protection profile is assigned by default to all virtual machines within the protected infrastructure of the tenant.

    Proceed to the next step of the wizard.

  6. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
    • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
    • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

    You will be able to change your decision later if necessary.

    KSN usage settings (KSN mode and type) are determined by the main policy whose scope includes the virtual machines of the tenant.

    Proceed to the next step of the wizard.

  7. Exit the Policy Wizard.

The created tenant policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

In a tenant policy that is located in the Managed devices folder of the virtual Administration Server, file protection is enabled by default (the main protection profile is used). If you want to configure different file protection settings for different virtual machines within the protected infrastructure, you need to create and assign additional protection profiles in the policy properties.

In a tenant policy that is located in the Managed devices folder of the main Administration Server or in the administration group that contains the VMware vCloud Director Agentless cluster, file protection is disabled by default.

The policy will be applied to SVMs after the Kaspersky Security Center Administration Server relays the information to Kaspersky Security at the next SVM connection. Kaspersky Security will start protecting virtual machines according to the policy settings.
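The certificate check in step 4 behaves like trust-on-first-use pinning: a received certificate is either installed as trusted, matched against the one installed earlier, or offered as a replacement. The Python sketch below is an added example, not part of Kaspersky Security or its documentation; it shows how an administrator could decide which wizard button is safe by comparing the presented certificate's SHA-256 fingerprint with a reference fingerprint read on the Integration Server host itself. The function names, status strings, the in-memory pin store, and the sample certificate bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Constructed stand-ins for two DER-encoded certificates (not real certificates);
# only their bytes matter for fingerprinting.
SAMPLE_CERT_A = b"constructed-sample-certificate-A"
SAMPLE_CERT_B = b"constructed-sample-certificate-B"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Make fingerprints comparable regardless of case, colons or spaces."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def fetch_certificate(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the certificate a server presents, deliberately without validating it,
    so it can be fingerprinted and compared before anything is trusted.
    host and port are supplied by the caller (the Integration Server address)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def evaluate(address, der, pins, reference_fp=None):
    """Decide what to do with a presented certificate.

    pins         -- dict: server address -> fingerprint installed as trusted earlier
    reference_fp -- fingerprint obtained out-of-band, or None if not available

    Returns (hypothetical status names):
      "match"   -- certificate equals the installed one; no warning is expected
      "install" -- first connection and the reference matches; safe to install
      "replace" -- certificate changed and the reference matches; safe to replace
      "stop"    -- unverified or mismatching certificate; do not continue
    """
    presented = normalize(fingerprint(der))
    pinned = pins.get(address)
    # A reference that disagrees with what the server presents always wins.
    if reference_fp is not None and normalize(reference_fp) != presented:
        return "stop"
    if pinned is not None and normalize(pinned) == presented:
        return "match"
    # New or changed certificate without out-of-band confirmation.
    if reference_fp is None:
        return "stop"
    return "install" if pinned is None else "replace"


def accept(address, der, pins):
    """Record the certificate as trusted for this address (the 'install' step)."""
    pins[address] = fingerprint(der)


if __name__ == "__main__":
    pins = {}
    addr = "integration-server.example.test"      # constructed address
    ref_a = fingerprint(SAMPLE_CERT_A)            # stands in for the out-of-band value
    print(evaluate(addr, SAMPLE_CERT_A, pins))            # no reference yet
    print(evaluate(addr, SAMPLE_CERT_A, pins, ref_a))     # first connection, verified
    accept(addr, SAMPLE_CERT_A, pins)
    print(evaluate(addr, SAMPLE_CERT_A, pins))            # same certificate again
    print(evaluate(addr, SAMPLE_CERT_B, pins))            # certificate changed, unverified
```

To check a live server, pass the bytes returned by fetch_certificate to evaluate instead of the sample constants.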


[Topic 67104]

Upgrading from a previous version of the application

You can upgrade the following application versions to Kaspersky Security for Virtualization 6.0 Agentless:

  • Kaspersky Security for Virtualization 5.0 Agentless
  • Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless
  • Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless
  • Kaspersky Security for Virtualization 4.0 Agentless

Before starting the application update, you need to do the following:

  • Download all SVM image files from the Kaspersky website. For information about validating the SVM image, see the application page in the Knowledge Base.
  • Place all SVM image files in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, you can publish SVM images on the Kaspersky Security Center Web Server.
  • Make sure that the ports that are required for operation of the application are open in the settings of the network equipment or software used for monitoring traffic.
  • Make sure that you have configured the settings of the accounts that are required for installation and operation of the application.
  • If you are planning to use network data storage for SVMs, create a network folder for hosting the network data storage and a user account for connecting SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.

The application upgrade procedure depends on the type of infrastructure in which the previous version of the application was installed. The following application upgrade options are available:

In this Help section

Upgrading the application installed in an infrastructure managed by a VMware vCenter server and VMware NSX Manager

Upgrading the application installed in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager, with migration to the VMware NSX platform

About installing a new version of the Kaspersky Security administration plug-in and Integration Server

SVM Update

Converting policies and tasks


[Topic 127447]

Upgrading the application installed in an infrastructure managed by a VMware vCenter server and VMware NSX Manager

Before beginning an upgrade of the application, you are advised to make sure that the VMware virtual infrastructure meets the Kaspersky Security software requirements. If the VMware clusters protected by Kaspersky Security include VMware ESXi 5.5 hypervisors, prior to beginning the application upgrade the following actions must be performed:

  1. For all VMware clusters that include one or more VMware ESXi 5.5 hypervisors, remove the deployed Kaspersky Security services. Removal is performed in the VMware vSphere Web Client console (in the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
  2. Upgrade all VMware ESXi 5.5 hypervisors for compliance with the Kaspersky Security software requirements or remove all VMware ESXi 5.5 hypervisors from the VMware clusters that you want to protect using Kaspersky Security.

An upgrade consists of the following steps:

  1. Updating Kaspersky Security Center. For proper functioning of Kaspersky Security for Virtualization 6.0 Agentless, you must upgrade Kaspersky Security Center to one of the supported versions:

    If you want to use Kaspersky Security in multitenancy mode, you need to upgrade Kaspersky Security Center to version 11, 12 or 13.1.

    For Kaspersky Security Center update instructions, see the Kaspersky Security Center documentation.

  2. Installing the new version of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console.

    If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

  3. Updating SVMs with Kaspersky Security components in the virtual infrastructure.

    If you want to use the application in multitenancy mode, you need to configure the settings for connecting the Integration Server to the VMware vCloud Director Server before updating SVMs.

    When an SVM with the File Threat Protection component is updated, the copies of files that were placed in Backup are automatically deleted.

  4. Converting policies and tasks from the previous version of the application. If you are upgrading Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to use the Policies and Tasks Batch Conversion Wizard for conversion.

    If you are upgrading Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

After an upgrade is complete, you are advised to make sure that the application is prepared for operation on new SVMs.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is installed.


[Topic 58475]

Upgrading the application installed in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager, with migration to the VMware NSX platform

An upgrade consists of the following steps:

  1. Removing the File Threat Protection and Network Threat Protection components of the previous version of the application. The component removal procedure can be found in the documentation for Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless or Kaspersky Security for Virtualization 4.0 Agentless.

    When an SVM with the File Threat Protection component is removed, the copies of files that were placed in Backup are automatically deleted.

  2. Upgrading the VMware virtual infrastructure for compliance with Kaspersky Security software requirements. In the virtual infrastructure, you must remove VMware vShield Manager and deploy VMware NSX for vSphere 6.3.7 or VMware NSX for vSphere 6.4.6. Components of Kaspersky Security for Virtualization 6.0 Agentless cannot operate in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager.
  3. Preparing the virtual infrastructure for installation of Kaspersky Security components.
  4. Updating Kaspersky Security Center. For proper functioning of Kaspersky Security for Virtualization 6.0 Agentless, you must upgrade Kaspersky Security Center to one of the supported versions:

    If you want to use Kaspersky Security in multitenancy mode, you need to upgrade Kaspersky Security Center to version 11, 12 or 13.1.

    For Kaspersky Security Center update instructions, see the Kaspersky Security Center documentation.

  5. Installing the new version of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console.

    If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

  6. Configuring the settings for connecting the Integration Server to one or more virtual infrastructure administration servers.
  7. Registering Kaspersky Security services in VMware NSX Manager.

    If you want to install the File Threat Protection component, you need to register the file system protection service (Kaspersky File Antimalware Protection).

    If you want to install the Network Threat Protection component, you need to register the network protection service (Kaspersky Network Protection).

    The settings required for registration and deployment of Kaspersky Security services are entered through a Wizard that is started from the Integration Server Console. When you have finished entering the settings, Integration Server registers the Kaspersky Security services in VMware NSX Manager.

    In the VMware vSphere Web Client console, you can verify that registration of Kaspersky Security services completed successfully.

  8. Deploying SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component on VMware ESXi hypervisors. Deployment of SVMs is performed in the VMware vSphere Web Client console.

    After SVMs are deployed, the Integration Server sends each new SVM the configuration settings that you specified when you registered Kaspersky Security services.

    Deployed SVMs are combined into KSC clusters.

    If you upgrade Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless, Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless, or Kaspersky Security for Virtualization 4.0 Agentless, the Kaspersky Security Center Administration Console also displays the administration groups that were created for KSC clusters of the previous version of Kaspersky Security.

    The KSC cluster for the SVM of the previous version of the application and the administration group created for it are named VMware vCenter "<name>" (<IP address>), where:

    • <name> is the name of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application. If the name of the VMware vCenter Server is not defined or matches its IP address, the name is omitted.
    • <IP address> is the IP address of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application.
  9. Configuring NSX Security Groups and NSX Security Policies.

    To protect virtual machines, you need to do the following in the VMware vSphere Web Client console:

    1. Include virtual machines in one or more NSX Security Groups.
    2. Configure one or more NSX Security Policies and apply the security policies to the NSX Security Groups.
  10. Converting policies and tasks from the previous version of the application. If you are upgrading Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to use the Policies and Tasks Batch Conversion Wizard for conversion.

    If you are upgrading Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

  11. Preparing the application for operation on all SVMs.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is updated.


[Topic 90399]

About installing a new version of the Kaspersky Security administration plug-in and Integration Server

Regardless of the selected application usage option, you need to install the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console.

If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security administration plug-ins are installed, the Quick Start Wizard for the managed application is automatically started. The Wizard lets you create default policies and tasks.

If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

The administration plug-in of the previous version of the application does not need to be manually removed because it is removed automatically.


[Topic 60445]

SVM Update

If you want to use the application in multitenancy mode, it is recommended to configure the settings for connecting the Integration Server to the VMware vCloud Director Server before updating SVMs. If you connect the Integration Server to VMware vCloud Director after updating SVMs, to ensure correct operation of the application you need to perform the additional steps described in the Knowledge Base.

To update SVMs with Kaspersky Security components in the virtual infrastructure:

  1. Perform the procedure for changing settings of Kaspersky Security for each VMware vCenter Server that manages the operation of SVMs with the previous version of the application. During the procedure, specify the addresses of SVM images with the new version of Kaspersky Security components.

    After the Reconfiguration Wizard completes, the Integration Server re-registers the Kaspersky Security services with the new settings.

  2. In the VMware vSphere Web Client console, perform one of the following actions:
    • If the VMware cluster included VMware ESXi 5.5 hypervisors and you removed deployed Kaspersky Security services prior to starting the update of the application, deploy Kaspersky Security services on the cluster.
    • If the VMware cluster did not include VMware ESXi 5.5 hypervisors, update the Kaspersky Security services deployed on the cluster (Networking & Security → Installation and Upgrade section, Service Deployments tab, Upgrade action).

If you upgrade Kaspersky Security for Virtualization 5.0 Agentless, new SVMs are put in the same "VMware vCenter Agentless" clusters that contained SVMs with the previous version of the application.

If you upgrade Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless, Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless, or Kaspersky Security for Virtualization 4.0 Agentless, Kaspersky Security Center creates new "VMware vCenter Agentless" clusters for new SVMs. The Kaspersky Security Center Administration Console also displays the administration groups that were created for KSC clusters of the previous version of Kaspersky Security.

The KSC cluster for the SVM of the previous version of the application and the administration group created for it are named VMware vCenter "<name>" (<IP address>), where:

  • <name> is the name of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application. If the name of the VMware vCenter Server is not defined or matches its IP address, the name is omitted.
  • <IP address> is the IP address of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application.

[Topic 84556]

Converting policies and tasks

After upgrading the application, you can use the configured policies and tasks of the previous version of Kaspersky Security.

If you upgraded Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

If you upgraded Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to do the following:

  1. Convert policies and tasks using the Policies and Tasks Batch Conversion Wizard of Kaspersky Security Center.

    You can convert policies and tasks that were configured in one of the following versions of the application:

    • Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless
    • Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless
    • Kaspersky Security for Virtualization 4.0 Agentless

    Converted policies and tasks are named as follows: "<name of original policy or task> (converted)".

  2. Copy all converted policies and tasks from the administration group containing the KSC cluster for SVMs of the previous version of the application into the administration group containing the new cluster "VMware vCenter Agentless".

    The administration group containing the KSC cluster for SVMs of the previous version of the application is named as follows: VMware vCenter "<name of the VMware vCenter Server, if it is defined>" (<IP address of the VMware vCenter Server>).

    The administration group containing the new "VMware vCenter Agentless" cluster is named as follows: VMware vCenter Server '<name of the VMware vCenter Server, if one is defined>' (<IP address or domain name of the VMware vCenter Server>) Agentless.

    For more detailed information about copying policies and tasks, please refer to the Kaspersky Security Center documentation.

    After completing an application upgrade, you can delete policies and tasks that were created for the previous version of the application, and delete the administration group containing the KSC cluster for the previous version of the application.

If you upgraded Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you can also use the New Policy Wizard to create new policies based on the existing policies. To do so, at the Entering the group policy name step, you must select the Use settings from policy for previous application version check box (for more details, please refer to the Kaspersky Security Center documentation).

In this section:

Procedure for converting Kaspersky Security policies and tasks

Special considerations when converting policies and tasks if the application is upgraded


[Topic 166320]

Procedure for converting Kaspersky Security policies and tasks

To convert Kaspersky Security policies and tasks from a previous version:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. In the context menu of the node, select All Tasks → Policies and Tasks Batch Conversion Wizard.

    The Policies and Tasks Batch Conversion Wizard starts.

  3. At the first step of the Wizard, in the Application name list, select Kaspersky Security for Virtualization 6.0 Agentless.

    Proceed to the next step of the wizard.

  4. Select the policies to convert. To do so, select the check box on the left of the relevant policy name.

    Proceed to the next step of the Policies and Tasks Conversion Wizard.

    The Kaspersky Security Network window opens. You can read the Kaspersky Security Network Statement in this window.

    To continue the procedure for converting policies and tasks, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:

    • If you accept all the terms of the Statement and want the application to use KSN, select the I have read, understand, and accept the terms of this Kaspersky Security Network Statement option.
    • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

    If necessary, you will be able to change your decision later.

  5. Select the tasks to convert. To do so, select the check box on the left of the relevant task name.

    Proceed to the next step of the Policies and Tasks Conversion Wizard.

  6. Exit the Policies and Tasks Conversion Wizard.

The converted policies are named "<original policy name> (converted)". The converted tasks are named "<original task name> (converted)".


[Topic 83767]

Special considerations when converting policies and tasks if the application is upgraded

The converted policies and tasks use the values from the settings of policies and tasks of the previous version of Kaspersky Security. Settings that were absent from the policies and tasks of the previous version of the application take the default values.

Selecting the protected infrastructure for a policy

Policies are converted as follows depending on the protected infrastructure selected in the policy of the previous version of the application:

  • If a protected infrastructure was selected and protection profiles were assigned to virtual infrastructure objects, conversion will result in the creation of a policy for one VMware vCenter Server. The protected infrastructure selected in the policy and the assignment of protection profiles to virtual infrastructure objects are retained.
  • If the protected infrastructure was not selected, the conversion will result in the creation of a policy for the entire protected infrastructure. The main protection profile is assigned to all objects of the virtual infrastructure.

    It is recommended to change the protected infrastructure or the location of this policy within the structure of administration groups so that the protected infrastructure selected for the policy matches the location of the policy:

    • If the policy is located in the group that contains the "VMware vCenter Agentless" cluster, the VMware vCenter Server corresponding to this cluster must be selected as the protected infrastructure for the policy.
    • If the policy is located in the Managed devices folder or in the group that contains the "VMware vCloud Director Agentless" cluster, the entire protected infrastructure must be selected as the protected infrastructure for the policy.

Select action automatically option

The Select action automatically option is absent from converted policies and tasks. If this option was selected in a policy or task of the previous version of the application, the following action is selected in the converted policy or task:

  • Action on threat detection when protecting virtual machines (policy): Disinfect. Delete if disinfection fails.
  • Action on threat detection when scanning virtual machines (task):
    • For powered on virtual machines: Disinfect. Delete if disinfection fails.
    • For powered off virtual machines and virtual machine templates: Block.
  • Action on network attack detection (policy): Terminate connection and block traffic from sender's IP address.
  • Action on suspicious network activity detection (policy): Terminate connection.
  • Action on detection of a dangerous or undesirable web address (policy): Block.

Web Addresses Scan

If Web Addresses Scan was enabled in a policy of the previous version of the application, the Web Addresses Scan settings in the converted policy take the following values:

  • Analysis by using the database of malicious web addresses – enabled.
  • Analysis by using the database of phishing web addresses – enabled, if it was enabled in the policy of the previous version of the application.
  • Scanning web addresses to check if they belong to the category of web addresses that are used for showing advertisements or are associated with the distribution of adware – enabled, if analysis by using the database of malicious web addresses was enabled in the policy of the previous version of the application.
  • Scanning web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data – disabled.

If Web Addresses Scan was disabled in a policy of the previous version of the application, it is also disabled in the converted policy.

Case of characters in file extensions

The Network paths are case sensitive parameter is missing from converted policies. When protecting virtual machines running Windows operating systems, Kaspersky Security is not case sensitive regarding the characters in the extensions of files that are to be included in the protection scope.

Main protection profile

In converted policies, the protection profile that is generated automatically when a policy is created is called the "main protection profile". It was called the "root protection profile" in policies of Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or earlier versions.

Special considerations when converting tasks

Converted custom scan tasks use the task scope that was specified in tasks of the previous version of the application.

Converted tasks use the run schedule that was specified in tasks of the previous version of the application.


[Topic 60177]

Changing settings of Kaspersky Security

You can use the procedure for changing settings of Kaspersky Security to perform the following actions:

  • Change the settings for connecting the Integration Server to VMware NSX Manager in which the Integration Server registers Kaspersky Security services.
  • Change the address and port used by VMware NSX Manager to transmit information to the Integration Server.
  • Change the SVM images that were specified during registration of Kaspersky Security services. If you changed the location of the SVM image or selected a different SVM configuration, the Integration Server re-registers the service with the new settings. After the Reconfiguration Wizard finishes, you can update the deployed service in the VMware vSphere Web Client console (Networking & Security → Installation and Upgrade section, Service Deployments tab, Upgrade action). As a result, the new SVMs will be deployed in the virtual infrastructure.
  • If you registered only one of the two services when performing the Kaspersky Security service registration procedure, specify the SVM image for registration of the Kaspersky Security service that was not registered. After the Reconfiguration Wizard finishes, you can perform the procedure for deploying the Kaspersky Security service on VMware clusters to deploy SVMs.
  • Change the following SVM configuration settings:
    • IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.
    • Address and port used for connecting SVMs to Integration Server.
    • Configuration password and root account password on the SVM.
    • Time zone that is used on all SVMs.
    • Settings for connecting SVMs to network data storage.

    The listed settings are applied for configuration of new SVMs that you deploy after the Wizard finishes, and for reconfiguration of previously deployed SVMs with installed components of Kaspersky Security for Virtualization 6.0 Agentless.

    If the localization language of previously deployed SVMs differs from the localization language of the Integration Server Console in which you start the Kaspersky Security reconfiguration procedure, the localization language of SVMs changes as a result of this procedure. The localization language of the Integration Server Console is applied on SVMs.

    If you want to reconfigure SVMs that have installed components of the previous version of Kaspersky Security, you need a separately installed Kaspersky Security Center Administration Console and administration plug-in of the previous version of the application. For information on the SVM reconfiguration procedure for the previous version of the application, please refer to the documentation of the previous version of Kaspersky Security.

To change settings of Kaspersky Security:

  1. Start the Integration Server Console.

    The Virtual infrastructure protection section opens.

  2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
  3. In the Manage protection section, select Change settings of Kaspersky Security.

This starts the Reconfiguration Wizard. Follow the wizard instructions.

In this Help section

Changing the connection settings for interaction between the Integration Server and VMware NSX Manager

Changing the SVM image for the file system protection service

Changing the SVM image for the network protection service

Viewing information about the traffic processing mode for the Network Threat Protection component

Changing the connection settings for an SVM

Changing passwords for accounts on SVMs

Changing the time zone for SVMs

Changing settings for connecting to network data storage

Starting Kaspersky Security reconfiguration

Kaspersky Security reconfiguration process

Exiting the wizard

[Topic 58441]

Changing the connection settings for interaction between the Integration Server and VMware NSX Manager

At this step, you can edit the following settings:

  • The settings for connecting the Integration Server to VMware NSX Manager in which the Integration Server registers Kaspersky Security services.
  • Address and port used by VMware NSX Manager to transmit information to the Integration Server.

If you want to change the settings for connecting the Integration Server to VMware NSX Manager:

  1. Select the Change VMware NSX Manager connection settings check box.
  2. Specify the following connection settings:
    • IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.
    • Name and password of the user account used to connect to VMware NSX Manager. The Enterprise Administrator role must be assigned to this user account.

If you want to change the address and port used for connecting VMware NSX Manager to Integration Server:

  1. Select the Change settings for connecting VMware NSX Manager to Integration Server check box.
  2. Specify the new IP address or fully qualified domain name (FQDN) of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to VMware NSX Manager and to the Integration Server using the specified settings.

When establishing the connection to VMware NSX Manager, the Integration Server verifies the SSL certificate received from VMware NSX Manager. If the received certificate contains an error, the Wizard displays an error message. Click the View certificate link to view information about the received certificate.

If a connection error occurs because the certificate received from VMware NSX Manager is not trusted for the Integration Server but the received certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and establish a connection. To do so, click the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

Certificates that are trusted in the operating system in which the Integration Server is installed are also considered to be trusted for the Integration Server.

If there are problems with the SSL certificate, we recommend that you make sure that the data transfer channel you are using is secure.
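Before clicking Install certificate, you can compare the fingerprint of the certificate that VMware NSX Manager presents with a fingerprint obtained out of band from the NSX administrator. The following check is an added example, not part of Kaspersky Security; the function names and the stand-in certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for the DER bytes of a certificate (not a real certificate).
CONSTRUCTED_DER = b"constructed stand-in for DER-encoded certificate bytes"


def normalize_fingerprint(text: str) -> str:
    """Accept 'AA:BB:..', 'aa bb ..' or plain hex and return 64 lowercase hex digits."""
    cleaned = "".join(ch for ch in text if ch not in ": -\t\r\n").lower()
    if len(cleaned) != 64 or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def sha256_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, which is what certificate viewers display."""
    return hashlib.sha256(der_cert).hexdigest()


def fetch_server_cert_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents without trusting it.

    Validation is switched off on purpose: the goal is only to read the
    certificate so that its fingerprint can be compared with a trusted value.
    Nothing else is sent over this connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def matches_reference(der_cert: bytes, reference: str) -> bool:
    """True only if the presented certificate has the fingerprint obtained out of band."""
    return hmac.compare_digest(sha256_fingerprint(der_cert),
                               normalize_fingerprint(reference))


if __name__ == "__main__":
    # Offline demonstration with the constructed bytes. In practice, pass the
    # result of fetch_server_cert_der("<NSX Manager address>") instead.
    reference = sha256_fingerprint(CONSTRUCTED_DER).upper()
    print("match:", matches_reference(CONSTRUCTED_DER, reference))
    print("tampered:", matches_reference(CONSTRUCTED_DER + b"!", reference))
```

Install the certificate as trusted only if the fingerprints match.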

If checking the Integration Server connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

[Topic 58907]

Changing the SVM image for the file system protection service

At this step, you can select the SVM image with the File Threat Protection component. If the selected SVM image differs from the image specified when the file system protection service (Kaspersky File Antimalware Protection) was registered, the Integration Server re-registers the file system protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can update the deployed file system protection service on VMware clusters. As a result, SVMs from the new image will be deployed on hypervisors.

If the file system protection service was not previously registered, the Integration Server registers the file system protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can deploy the file system protection service on VMware clusters. As a result, SVMs with the File Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the File Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed File Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify or change the path to the SVM image:

  1. Select the Specify or change the SVM image for the file system protection service check box.
  2. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  3. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

Proceed to the next step of the wizard.

[Topic 187214]

Changing the SVM image for the network protection service

At this step, you can select the SVM image with the Network Threat Protection component. If the selected SVM image differs from the image specified when the network protection service (Kaspersky Network Protection) was registered, the Integration Server re-registers the network protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can update the deployed network protection service on VMware clusters. As a result, SVMs from the new image will be deployed on hypervisors.

If the network protection service was not previously registered, the Integration Server registers the network protection service in VMware NSX Manager. After the Reconfiguration Wizard finishes, you can deploy the network protection service on VMware clusters. As a result, SVMs with the Network Threat Protection component will be deployed on the hypervisors.

The application distribution kit includes several SVM images with the Network Threat Protection component installed that you can use to deploy SVMs with the necessary configuration (according to the number of processors and RAM allocated for an SVM).

All files of the SVM image with the installed Network Threat Protection component must be located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol.

To specify or change the path to the SVM image:

  1. Select the Specify or change the SVM image for the network protection service check box.
  2. In the field, specify the address of the SVM images description file (XML file) or the address of the SVM image OVF file corresponding to the necessary SVM configuration.
  3. Click the Validate button.

    The Wizard validates the SVM image. If the image is corrupted or the image version is not supported, the Wizard displays an error message.

    If the SVM image validation is successful, the following details of the selected SVM image will appear in the lower part of the window:

    • SVM configuration. The number of processors and RAM allocated for the SVM.

      If you specified the address of the SVM image description file (XML file), you can select the necessary SVM configuration in the drop-down list in the SVM configuration field.

    • Application name. Name of the application that is installed on the SVM.
    • SVM version. Number of the SVM version.
    • Vendor. Vendor of the application that is installed on the SVM.
    • Description. Brief description of the application.
    • Required disk space. Amount of disk space required for deployment of the SVM in the data storage.

Proceed to the next step of the wizard.
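The requirement that all files of an SVM image (for either protection service) are located in the same folder on an HTTP or HTTPS resource can be checked before you click Validate. The following pre-check is an added example, not part of Kaspersky Security; it assumes that the OVF file follows the DMTF OVF envelope format, and the host name and file names are constructed.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote, urljoin, urlsplit

OVF_NS = "http://schemas.dmtf.org/ovf/envelope/1"

# Constructed OVF descriptor: the second file sits in a subfolder on purpose.
SAMPLE_OVF = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
          xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References>
    <File ovf:id="file1" ovf:href="svm-disk1.vmdk" ovf:size="1048576"/>
    <File ovf:id="file2" ovf:href="extra/svm-disk2.vmdk" ovf:size="2048"/>
  </References>
</Envelope>
"""


def referenced_files(ovf_text):
    """Return the href of every <File> entry in the OVF <References> section."""
    # An OVF descriptor needs no DTD; refusing one avoids entity-expansion tricks.
    if "<!DOCTYPE" in ovf_text.upper():
        raise ValueError("DOCTYPE is not expected in an OVF descriptor")
    root = ET.fromstring(ovf_text)
    hrefs = []
    for node in root.iter("{%s}File" % OVF_NS):
        href = node.get("{%s}href" % OVF_NS)
        if href:
            hrefs.append(href)
    return hrefs


def file_urls(ovf_url, ovf_text):
    """Resolve every referenced file against the address of the OVF file."""
    return [urljoin(ovf_url, href) for href in referenced_files(ovf_text)]


def check_image_layout(ovf_url, ovf_text):
    """Return a list of problems; an empty list means the layout looks correct."""
    problems = []
    base = urlsplit(ovf_url)
    if base.scheme not in ("http", "https"):
        problems.append("address must use HTTP or HTTPS: %s" % ovf_url)
    base_dir = posixpath.dirname(unquote(base.path))
    for href in referenced_files(ovf_text):
        target = urlsplit(urljoin(ovf_url, href))
        same_host = (target.scheme, target.netloc) == (base.scheme, base.netloc)
        same_dir = posixpath.dirname(unquote(target.path)) == base_dir
        if not (same_host and same_dir):
            problems.append("not in the same folder as the OVF file: %s" % href)
    return problems


if __name__ == "__main__":
    url = "https://files.example.test/ksv/images/svm.ovf"  # constructed address
    for line in check_image_layout(url, SAMPLE_OVF) or ["layout OK"]:
        print(line)
```

The addresses returned by file_urls are the ones that must be reachable from the network where the SVMs are deployed.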

[Topic 58902]

Viewing information about the traffic processing mode for the Network Threat Protection component

This step displays information about the traffic processing mode that was selected during registration of the network protection service:

  • Standard mode. If this mode is selected, the virtual filter (VMware DVFilter) intercepts the traffic of virtual machines and sends it to Kaspersky Security to be scanned. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.
  • Monitoring mode. If this mode is selected, Kaspersky Security receives a copy of traffic of virtual machines. When signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

You cannot change the traffic processing mode for a Network Threat Protection component installed on already deployed SVMs. To select a different traffic processing mode, you will have to remove the SVMs, unregister the network protection service, and then re-register the network protection service with the new traffic processing mode and deploy new SVMs.

Proceed to the next step of the wizard.

[Topic 58900]

Changing the connection settings for an SVM

At this step, you can edit the following connection settings for SVMs:

  • IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.
  • Address and port used for connecting SVMs to Integration Server.

If you want to change the IP address and port used for connecting SVMs to the Kaspersky Security Center Administration Server:

  1. Select the Change settings for connecting SVMs to Kaspersky Security Center check box.
  2. Specify the new IP address of the Kaspersky Security Center Administration Server and SSL port that the SVM will use to connect to Kaspersky Security Center.

If you want to change the address and port used for connecting SVMs to the Integration Server:

  1. Select the Change settings for connecting SVMs to Integration Server check box.
  2. Specify the new IP address or fully qualified domain name (FQDN) of the computer on which the Integration Server is installed, and the connection port.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the Kaspersky Security Center and to the Integration Server using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

[Topic 58908]

Changing passwords for accounts on SVMs

At this step, you can change the password for the klconfig user account (configuration password) and the root account password. The specified passwords will be used on all SVMs that you deploy after re-registration of Kaspersky Security services, and on previously deployed SVMs. The configuration password is required for SVM reconfiguration. The root account is used for accessing the operating system on SVMs and for accessing SVM trace files.

If you want to change the configuration password:

  1. Select the Change the klconfig account password (configuration password) check box.
  2. Enter a new password in the Password and Confirm password fields.

If you want to change the root user account password:

  1. Select the Change the root account password check box.
  2. Enter a new password in the Password and Confirm password fields.

Passwords can be up to 60 characters long. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
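The password rules above can be checked, and a compliant random password generated, before you enter the values in the Wizard. The following is an added example, not part of Kaspersky Security; the function names and the sample passwords in the demonstration are constructed.

```python
import secrets
import string

MAX_LENGTH = 60               # hard limit stated in this section
RECOMMENDED_MIN_LENGTH = 8    # recommendation stated in this section
# Special characters exactly as listed in this section.
SPECIAL = "!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~"

CATEGORIES = {
    "lowercase letters": set(string.ascii_lowercase),
    "uppercase letters": set(string.ascii_uppercase),
    "numerals": set(string.digits),
    "special characters": set(SPECIAL),
}
ALLOWED = set().union(*CATEGORIES.values())


def check_svm_password(password):
    """Return (errors, warnings).

    Errors are violations of the hard rules (length limit, allowed characters).
    Warnings are departures from the recommendations (minimum length,
    three of the four character categories).
    """
    errors, warnings = [], []
    if len(password) > MAX_LENGTH:
        errors.append("longer than %d characters" % MAX_LENGTH)
    bad = sorted({ch for ch in password if ch not in ALLOWED})
    if bad:
        errors.append("characters not allowed: " + " ".join(repr(ch) for ch in bad))
    if len(password) < RECOMMENDED_MIN_LENGTH:
        warnings.append("shorter than %d characters" % RECOMMENDED_MIN_LENGTH)
    used = [name for name, chars in CATEGORIES.items()
            if any(ch in chars for ch in password)]
    if len(used) < 3:
        warnings.append("uses %d of the 4 character categories" % len(used))
    return errors, warnings


def generate_svm_password(length=24):
    """Generate a random password that passes every rule and recommendation."""
    if not RECOMMENDED_MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError("length must be between %d and %d"
                         % (RECOMMENDED_MIN_LENGTH, MAX_LENGTH))
    alphabet = sorted(ALLOWED)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_svm_password(candidate) == ([], []):
            return candidate


if __name__ == "__main__":
    # Constructed samples: a space and a non-Latin letter are rejected.
    for sample in ("abc123", "Sample pässword 1", generate_svm_password()):
        print(repr(sample), check_svm_password(sample))
```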

Proceed to the next step of the wizard.

[Topic 159794]

Changing the time zone for SVMs

At this step, you can change the time zone used on SVMs. The specified time zone will be used on all SVMs that you deploy after re-registration of Kaspersky Security services, and on previously deployed SVMs.

To change the time zone on SVMs, select the Change the time zone for SVMs check box and select a value from the drop-down list.

Proceed to the next step of the wizard.

[Topic 96371]

Changing settings for connecting to network data storage

At this step, you can configure the following settings for using network data storage:

  • Allow or block the use of network data storage for SVMs.
  • Define or change previously specified settings for connecting SVMs to network data storage.

Network data storage can be used for storing backup copies of files that have been moved to Backups on SVMs.

If you want to configure the settings for using network data storage:

  1. Select the Change settings for connecting to network data storage check box.
  2. If SVMs must not use network data storage, select the Do not use network data storage option.
  3. If you want to allow the use of network data storage for SVMs, select the Use network data storage option and define the following settings for connecting to storage:
    • Network data storage address in UNC format.

      The defined address cannot be localhost or 127.0.0.1.

    • Account used by SVMs to connect to the network data storage, in the format <domain>\<user name>.
    • Connection account password.

Proceed to the next step of the wizard.

The Wizard checks whether it can connect to the network data storage using the specified settings.

If checking the connection settings ends with an error, the Wizard window displays an error message and you cannot proceed to the next step of the Wizard. If you want to correct the entered settings, click Cancel. If the settings have been entered correctly, you can ignore the error message. If this is the case, click Continue to proceed to the next step of the Wizard.

[Topic 58967]

Starting Kaspersky Security reconfiguration

At this step, you can view information about the settings that will be changed as a result of the procedure.

The list of modified settings shows the SVM localization language if the localization language of the Integration Server Console in which you are starting the Kaspersky Security reconfiguration procedure differs from the localization language of previously deployed SVMs. The localization language of the Integration Server Console will be used on all SVMs.

Proceed to the next step of the Wizard to start changing the parameters.

[Topic 58966]

Kaspersky Security reconfiguration process

This step displays information about operations that are performed by the Integration Server to apply new settings.

If an error occurs during these operations, the Wizard displays information about the error and rolls back the changes.

After all operations have been completed, proceed to the next step of the Wizard.

[Topic 58909]

Exiting the wizard

This step displays information about the results of changing the settings of Kaspersky Security.

If the settings were successfully changed, exit the Wizard.

If reconfiguration ended with an error, the Wizard displays information about the error. If this is the case, exit the Wizard, eliminate the cause of the error, and restart the procedure. For detailed information about errors, you can view the Integration Server trace files (if you enabled the logging of information to Integration Server trace files).

[Topic 66792]

Removing the application

You can remove Kaspersky Security fully or remove just one of the application components (File Threat Protection or Network Threat Protection).

If you want to fully remove Kaspersky Security, you must perform the following actions:

  1. Remove both Kaspersky Security components (File Threat Protection and Network Threat Protection) from the virtual infrastructure.
  2. Unregister both Kaspersky Security services in VMware NSX Manager.

    Kaspersky Security services can be unregistered in the Integration Server Console. The Integration Server (Kaspersky Service Manager) will also be unregistered in VMware NSX Manager.

  3. Remove the Kaspersky Security administration plug-in and Integration Server.
  4. If you are using the application in multitenancy mode, you need to also remove the Kaspersky Security administration plug-in for tenants and virtual Administration Servers of Kaspersky Security Center that were created to manage the protection of virtual machines of tenants.

    For details on removing virtual Administration Servers, please refer to the Kaspersky Security Center documentation.

If you want to remove one of the Kaspersky Security components, you must perform the following actions:

  1. Remove the Kaspersky Security component (File Threat Protection or Network Threat Protection) from the virtual infrastructure.
  2. In VMware NSX Manager, unregister the Kaspersky Security service corresponding to the removed component (Kaspersky File Antimalware Protection or Kaspersky Network Protection).

When an SVM with the File Threat Protection component is removed, the copies of files that were placed in Backup on the SVM are automatically deleted. If the use of network data storage was enabled for an SVM, backup copies of files from this SVM are saved in a separate folder in the network data storage.

After removal of the File Threat Protection and Network Threat Protection components, SVMs continue to be displayed in the Kaspersky Security Center Administration Console. When the period specified in the Kaspersky Security Center settings elapses (see the Kaspersky Security Center documentation), the SVMs are automatically removed from the Administration Console. You can manually remove SVMs from the Kaspersky Security Center Administration Console right after the completion of the application removal procedure.

Until SVMs have been removed from the Kaspersky Security Center Administration Console, the events generated by these SVMs are saved in Kaspersky Security Center and displayed in the Kaspersky Security Center reports and event log.

The list of backup copies of files placed in Backup on SVMs with the File Threat Protection component is also saved in Kaspersky Security Center, but no operations can be performed on the backup copies of files.

In this Help section

Removing the Kaspersky Security components in VMware virtual infrastructure

Unregistering Kaspersky Security services and the Integration Server

Removing the Kaspersky Security main administration plug-in and Integration Server

Removing the Kaspersky Security administration plug-in for tenants

[Topic 83446]

Removing the Kaspersky Security components in VMware virtual infrastructure

To remove the File Threat Protection component in a VMware virtual infrastructure, you must perform the following actions:

  1. Remove all SVMs with the File Threat Protection component on VMware clusters.

    SVMs are removed by removing the file system protection service (Kaspersky File Antimalware Protection) deployed on VMware clusters.

    Removal is performed in the VMware vSphere Web Client console (in the Networking & Security → Installation and Upgrade section on the Service Deployments tab). In the list of deployed network services and protection services for virtual machines, you must remove the Kaspersky File Antimalware Protection service deployed on the clusters from which you want to remove the SVMs (for details, please refer to the Knowledge Base).

  2. Remove the NSX Security Policy that is configured to use the file system protection service (Kaspersky File Antimalware Protection).

    Deletion of an NSX Security Policy is performed in the VMware vSphere Web Client console (in the Networking & Security → Service Composer section on the Security Policies tab). You must perform the following action for the selected policy: Actions → Delete.

    You can also delete the NSX Security Group that includes the protected virtual machines.

    Deletion of an NSX Security Group is performed in the VMware vSphere Web Client console (in the Networking & Security → Service Composer section on the Security Groups tab).

    For details about deleting an NSX Security Policy or NSX Security Group, please refer to the Knowledge Base.

To remove the Network Threat Protection component in a VMware virtual infrastructure, you must perform the following actions:

  1. Remove all SVMs with the Network Threat Protection component on VMware clusters.

    SVMs are removed by removing the network protection service (Kaspersky Network Protection) deployed on VMware clusters.

    Removal is performed in the VMware vSphere Web Client console (in the Networking & Security → Installation and Upgrade section on the Service Deployments tab). In the list of deployed network services and protection services for virtual machines, you must remove the Kaspersky Network Protection service deployed on the clusters from which you want to remove the SVMs (for details, please refer to the Knowledge Base).

  2. Remove the NSX Security Policy that is configured to use the network protection service (Kaspersky Network Protection).

    Deletion of an NSX Security Policy is performed in the VMware vSphere Web Client console (in the Networking & Security → Service Composer section on the Security Policies tab). You must perform the following action for the selected policy: Actions → Delete.

    You can also delete the NSX Security Group that includes the protected virtual machines.

    Deletion of an NSX Security Group is performed in the VMware vSphere Web Client console (in the Networking & Security → Service Composer section on the Security Groups tab).

    For details about deleting an NSX Security Policy or NSX Security Group, please refer to the Knowledge Base.

[Topic 155529]

Unregistering Kaspersky Security services and the Integration Server

You can unregister a Kaspersky Security service only if all SVMs have been removed from the VMware clusters and the service is not being used in NSX Security Policies.

To unregister Kaspersky Security services in VMware NSX Manager:

  1. Start the Integration Server Console.

    The Virtual infrastructure protection section opens.

  2. In the list, select the VMware vCenter Server and expand the list of available actions by clicking the address or name of the VMware vCenter Server in the Address column.
  3. In the Manage protection section, select Unregister Kaspersky Security services.
  4. In the window that opens, do one of the following:
    • If you remove the File Threat Protection component, select the Kaspersky File Antimalware Protection check box.
    • If you remove the Network Threat Protection component, select the Kaspersky Network Protection check box.
    • If you fully remove the application, select both check boxes. In VMware NSX Manager, both Kaspersky Security services will be unregistered as well as the Integration Server (Kaspersky Service Manager).

    If one of the Kaspersky Security services has already been unregistered, the check box is unavailable.

  5. Click OK.

If unregistration of Kaspersky Security services and Integration Server ends with an error, you can manually unregister services and Integration Server in the VMware vSphere Web Client console (for details, please refer to the Knowledge Base).

[Topic 90417]

Removing the Kaspersky Security main administration plug-in and Integration Server

You can remove the Kaspersky Security main administration plug-in, Integration Server, and the Integration Server Console by using one of the following methods:

  • In interactive mode using the operating system's standard tools for removing programs. In the applications list, select Kaspersky Security for Virtualization 6.0 Agentless – management components for removal. The wizard is used to perform removal.
  • In silent mode via the command line. You must type the following command in the command line:

    ksv-components_6.0.0.XXX_mlg.exe -q -uninstall

    where 6.0.0.XXX is the number of the application version.

While removing Integration Server using the wizard, you can save the following data used in the operation of the Integration Server:

If you want to save the specified data, click the Save button in the window prompting you to save data. The saved data and settings are automatically used when you install the Integration Server again.

[Topic 188079]

Removing the Kaspersky Security administration plug-in for tenants

You can remove the Kaspersky Security administration plug-in for tenants in one of the following ways:

  • In interactive mode using the operating system's standard tools for removing programs.

    In the applications list, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) – administration plug-in for removal. The wizard is used to perform removal.

  • In silent mode via the command line. You must type the following command in the command line:

    ksv-t-components_6.0.0.XXX_mlg.exe -q -uninstall

    where 6.0.0.XXX is the number of the application version.

[Topic 58482]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Read through the terms of the End User License Agreement carefully before you start using the application.

You can review the terms of the End User License Agreement in the following ways:

  • During installation of the Kaspersky Security administration plug-in and Integration Server.
  • By reading the license.txt document. This file is included in the application's distribution kit.

After the application is installed, you can read the text of the End User License Agreement and Privacy Policy describing the handling and transmission of data in the following ways:

  • In a file on the computer where the Kaspersky Security administration plug-in, Integration Server, and/or Integration Server Console are installed:

    %ProgramFiles(x86)%\Kaspersky Lab\KSV\Kaspersky Security for Virtualization 6.0 Agentless\EULA\license_<Language ID>.txt,

    where <Language ID> is the ID of the localization language of installed Kaspersky Security components.

  • In the settings window of the deployed SVM on the vApp tab in the VMware vSphere Client or VMware vSphere Web Client console.

You accept the terms of the End User License Agreement when you confirm your consent to the End User License Agreement during installation of the application. If you do not accept the terms of the End User License Agreement, you must abort application installation and must not use the application.

[Topic 172642]

About data provision

By accepting the terms of the End User License Agreement, you agree to automatically send to Kaspersky the following information:

  • When updating Kaspersky Security databases:
    • ID of Kaspersky Security
    • ID of the active license
    • Unique ID of the Kaspersky Security installation
    • Unique ID of the update task start
    • Full version of Kaspersky Security
  • When following links from the Kaspersky Security interface:
    • Kaspersky Security application type
    • Kaspersky Security version
    • Kaspersky Security interface language
    • ID of the web page being accessed
  • If an activation code is being applied to activate Kaspersky Security:
    • ID, version and localization of Kaspersky Security, and IDs of compatible applications
    • SVM ID and unique ID of the Kaspersky Security installation
    • Activation code and time when the application was activated
    • Type, version, and bitness of the operating system, and the name of the virtual environment in which Kaspersky Security is installed
    • Information about the packaging of regularly transmitted confirmations of the license key status

    Information is transmitted periodically for the purpose of verifying that the application is being used appropriately.

    You also agree to transmit the following information:

    • Type, version, and localization of Kaspersky Security
    • Type and version of the hypervisor on which the SVM is deployed, and the type, version and bitness of the operating system on the protected virtual machine and the approximate number of virtual machines on which this operating system is installed
    • Universal unique SVM ID
    • License type, license order number, and licensing scheme type
    • Number of licensing units for which the key can be used and the number of licensing units for which the key is already in use

    Kaspersky may use this information to generate statistical information about the distribution and use of Kaspersky software.

    By using an activation code, you agree to automatically send to Kaspersky the data listed above. If you do not agree to send this information, you should use a key file to activate Kaspersky Security.

The received information is protected by Kaspersky in accordance with the requirements established by the law and the current Kaspersky rules. Data is transmitted via encrypted communication channels.

For more detailed information about processing, storage, and destruction of information obtained during the use of the application and transmitted to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.

[Topic 58489]

About the license

A license is a time-limited right to use the application, granted under the End User License Agreement.

The License includes the right to:

  • Use the application in accordance with the terms and conditions of the End User License Agreement to protect virtual machines on VMware ESXi hypervisors.
  • Receive technical support.

The scope of services and validity period depend on the type of license under which the application was activated.

The following license types are provided:

  • Trial. A free license for users to get to know the application.

    Trial licenses have a short validity period. On expiry of a trial license, all the functions of Kaspersky Security become unavailable. To continue using the application, you need to purchase the commercial license. You can activate the application under the trial license only once.

  • Commercial. A paid license offered upon purchase of the application.

    When the commercial license expires, the application continues to work in limited functionality mode. You can still protect and scan virtual machines, but only using application databases that were installed before the license expiration date. To continue using all the features of Kaspersky Security, you must renew your commercial license. To ensure full protection against computer security threats, we recommend that you renew the license before its expiration.

Application functionality that is available under a commercial license depends on the license edition. The following license editions are available for Kaspersky Security:

  • standard license
  • enterprise license

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

The following licensing schemes are available for Kaspersky Security:

  • Licensing by number of virtual machines protected using the application. This licensing scheme employs server or desktop keys (depending on the type of operating system of the protected virtual machines). According to licensing limitations, the application protects a certain number of virtual machines.
  • Licensing by the number of physical processor cores used on all hypervisors on which SVMs are installed. The licensing scheme employs keys with a limitation on the number of processor cores. In accordance with the licensing restrictions, the application is used to protect all virtual machines deployed on hypervisors that use a certain number of physical processor cores.
  • Licensing by the number of processors used on the hypervisors on which protected virtual machines are running. The licensing scheme employs keys with a limitation on the number of processors. In accordance with the licensing restrictions, the application is used to protect all virtual machines deployed on hypervisors that use a certain number of processors.

You may use only server keys or keys with a limitation on the number of processor cores or processors to protect virtual machines running Linux guest operating systems.

If you are using a licensing scheme that is based on the number of virtual machines, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off.

If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines by using one of the following methods:

  • Disable protection of the virtual machine.
  • Exclude the virtual machine from the NSX Security Group with the assigned NSX Security Policy in which the use of the file system protection service (Kaspersky File Antimalware Protection) is configured.
  • Move the virtual machine to a hypervisor on which an SVM is not deployed.

You can use only one of the available licensing schemes within a single VMware vCenter Server.


[Topic 181545]

About the License Certificate

The License Certificate is a document provided together with the key file or activation code.

If you use the application under subscription, no license certificate is issued.

A license certificate contains the following information about the license provided:

  • Information about the license user
  • Information about the application that can be activated by the license
  • Restrictions on the number of license units (for example, devices on which the application can be used under the license)
  • License start date
  • License expiration date or validity period
  • Type of license

[Topic 72186]

About the license key

A license key (hereinafter also referred to as simply "key") is a sequence of bits with which you can activate and subsequently use the application in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky specialists.

You can add the license key to the application in one of the following ways:

After you add a license key to the application, the license key is displayed in the application interface as a unique alphanumeric sequence.

After adding keys, you can replace them with other keys.

Kaspersky can black-list a key over violations of the End User License Agreement. If the license key has been blocked, you need to add another one if you want to use the application.

Kaspersky Security uses the following types of license keys:

  • Server key. An application key that is used to protect virtual machines running server operating systems.
  • Desktop key. An application key that is used to protect virtual machines running desktop operating systems.
  • Key with a limitation on the number of processor cores. An application key for protecting virtual machines regardless of the operating system installed on them. In accordance with the licensing restrictions, the application is used to protect virtual machines running on hypervisors that use a certain number of physical processor cores.
  • Key with a limitation on the number of processors. An application key for protecting virtual machines regardless of the operating system installed on them. In accordance with the licensing restriction, the application is used to protect all virtual machines running on hypervisors that use a certain number of processors.

A license key may be active or additional.

An active key is a key currently in use to run the application. A trial license key, commercial license key (commercial key), or subscription key can be added as the active key. No more than one active key of each type (server key, desktop key, key with a limitation on the number of processor cores, key with a limitation on the number of processors) can be added on each SVM. If an SVM is used in a virtual infrastructure for the protection of virtual machines running server operating systems and desktop operating systems, you need to add two keys to the SVM: a server key and a desktop key.

An additional key is a key that confirms the right to use the application, but is not currently in use. An additional key automatically becomes active when the license associated with the current active key expires.

An additional key can be added only if the active key of the same type is available. The active key and the additional key must match the same type of license.

A trial license key or a subscription key can be added only as the active key. A trial license key or a subscription key cannot be added as an additional key. A trial license key cannot replace the active commercial key.


[Topic 58490]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. Key files are designed to activate the application by adding a key.

You receive a key file at the email address that you provided when you bought Kaspersky Security or ordered the trial version of Kaspersky Security.

You do not need to connect to Kaspersky activation servers in order to activate the application with a key file.

You can restore a key file if it has been accidentally deleted. You may need a key file to register a Kaspersky CompanyAccount, for example.

To restore a key file, contact the license seller.


[Topic 190512]

About the activation code

An activation code is a unique sequence of twenty Latin letters and numerals. You have to enter an activation code in order to add a license key that activates Kaspersky Security. You receive the activation code at the email address that you provided when you bought Kaspersky Security or ordered the trial version of Kaspersky Security.

To activate the application using the activation code, Internet access is required to connect to Kaspersky's activation servers.

If you lost your activation code after activating the application, contact the Kaspersky partner from whom you purchased the license.


[Topic 89133]

About subscription

A subscription for Kaspersky Security is a purchase order for the application with specific parameters (subscription expiration date, number of devices protected). You can order a subscription for Kaspersky Security from your service provider (such as your ISP).

You can pause and resume subscription, renew it automatically, or opt out of your subscription. To manage your subscription, you need to contact the vendor from which you purchased Kaspersky Security.

The possible subscription management options may vary with each vendor.

Subscription can be limited (for one year, for example) or unlimited (without an expiration date). To continue using Kaspersky Security after a limited subscription expires, you must renew it. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

If your subscription is paused, you may be offered a subscription renewal grace period during which the application retains its functionality. The vendor decides whether or not to grant a grace period and, if so, determines the duration of the grace period.

After the subscription or the grace period (if any) for subscription renewal expires, Kaspersky Security continues to work but stops updating the application databases and stops using Kaspersky Security Network.

Depending on the service provider, application functionality may be restricted as follows after the subscription or grace period expires: Kaspersky Security stops updating application databases, using Kaspersky Security Network, and protecting and scanning virtual machines. For details on application functionality restrictions that apply upon expiration of a subscription and grace period, contact the service provider that sold you Kaspersky Security.

To use Kaspersky Security under a subscription, you have to apply the activation code received from the service provider. After the activation code is applied, a subscription key is added to the application – the active key corresponding to the subscription license for the application.

A subscription key can be added only as the active key. A subscription key cannot be added as an additional key.


[Topic 56692]

About application activation

Application activation is the procedure of activating the license, which grants the right to use the fully functional version of the application for the license validity period.

To activate the application, a license key must be added to all SVMs. The application activation task is used to add a key to SVMs.

When the application activation task is created, a key from the Kaspersky Security Center key storage is used.

You can add a key to the Kaspersky Security Center key storage in one of the following ways:

  • using the key file
  • using the activation code

You can add a key to the Kaspersky Security Center key storage while creating an application activation task for SVMs or in advance.

In this section:

Conditions for activating the application using the activation code

Special considerations when adding license keys


[Topic 101189]

Conditions for activating the application using the activation code

Adding a key using an activation code requires a connection to Kaspersky activation servers. The Key Storage Wizard sends data to Kaspersky activation servers to validate the activation code that was entered. The activation proxy service establishes a connection to the activation servers. If the activation proxy service is disabled, the key cannot be added to the storage by using an activation code. If Internet access is provided via a proxy server, the proxy server settings must be configured in the properties of the Kaspersky Security Center Administration Server.

For more details on the activation proxy service, please refer to the Kaspersky Security Center documentation.


[Topic 101191]

Special considerations when adding license keys

When adding license keys, you should take the following into consideration:

  • Simultaneous use of several license keys of the same type on an SVM is not supported. If you add a key on the SVM with a previously added key of the same type, the new key replaces the previous key.
  • If you are using a licensing scheme based on the number of protected virtual machines, the type of key that you use to activate the application must match the guest operating system type of the virtual machines:
    • For the protection of virtual machines running server operating systems, you need to add a server key to SVMs.
    • For the protection of virtual machines running desktop operating systems, you need to add a desktop key to SVMs.
    • For the protection of virtual machines running server operating systems and desktop operating systems, you need to add two keys to SVMs: a server key and a desktop key.

    If you are using a licensing scheme based on the number of processor cores or based on the number of processors, you need one key (with a limitation on the number of processor cores or with a limitation on the number of processors), irrespective of the type of operating system installed on the virtual machines.

    To protect virtual machines running Linux guest operating systems, you can use only server keys, keys with a limitation on the number of processor cores, and keys with a limitation on the number of processors.

  • Simultaneous use of keys corresponding to different licensing schemes on SVMs is not supported. After activation of the application, if you add a key that corresponds to a different licensing scheme, the previously added key is removed from the SVM. For example, if you add a key with a limitation on the number of processor cores, and a desktop key and/or server key was previously added to the SVM, the active and (if available) additional desktop and/or server keys are deleted when the task is completed. They are replaced by the key with a limitation on the number of processor cores as the active key.

    On an SVM, only keys corresponding to the same licensing scheme can be simultaneously used, for example, a desktop key and a server key (a licensing scheme based on the number of protected virtual machines).

    A key that was removed from one SVM can be added to another SVM if the term of the license bound to the key has not expired.

  • Simultaneous use of commercial keys and subscription keys on an SVM is not supported.

    For example, if you add a commercial key on an SVM with a previously added subscription key, the subscription key is removed from the SVM. The commercial key is added in its place.

  • Simultaneous use of keys matching different types of licenses (standard license or enterprise license) on an SVM is not supported.

    For example, if you are adding a key that corresponds to an enterprise license but the application was previously used with a standard license, all active and (if available) additional keys that correspond to the standard license are removed from the SVM. A key that corresponds to an enterprise license is added instead of them.


[Topic 57676]

Application activation procedure

To activate the application:

  1. Create an application activation task. You can create the Application Activation task for all SVMs, for the SVMs of one KSC cluster, or for an individual SVM.

    When the application activation task is created, a key from the Kaspersky Security Center key storage is used. You can add a key to the Kaspersky Security Center key storage in advance or while creating an application activation task.

    If the application is being used based on a subscription, you cannot create an activation task during the grace period. You can use a previously created application activation task to add a key.

  2. Start the application activation task.

The task activates the application on those SVMs on which an active key was missing. On SVMs on which the application has already been activated, the task replaces the old key with the new one.

If both a server key and a desktop key have been added on your SVM, the application usage period is the longer of the following two periods: the period of application use with the server key or the period of application use with the desktop key.

If the number of licensing units for which the key is being used exceeds the number specified in the License Certificate, Kaspersky Security sends the Kaspersky Security Center Administration Server an event containing information about the violation of the license restrictions (please refer to the Kaspersky Security Center documentation).

In this section:

Adding a key to the key storage of Kaspersky Security Center

Creating an application activation task


[Topic 58089]

Adding a key to the key storage of Kaspersky Security Center

To add a key to the key storage of Kaspersky Security Center:

  1. In the Kaspersky Security Center Administration Console, run the Key Storage Wizard:
    1. In the console tree, select the Kaspersky Licenses folder.
    2. In the workspace, click the Add activation code or key button.
  2. In the Select application activation method window of the Wizard, select the method used to add the key to storage:
    • Click the Activate application with activation code button if you want to add the key using an activation code.
    • Click the Activate application with key file button if you want to add the key using a key file.
  3. Depending on the method that you selected for adding the key:
    • Enter the activation code.
    • Specify the path to the key file. To do so, click Browse and in the window that opens select the file (with the .key extension).
  4. Clear the Automatically deploy key to managed devices check box (the capability to automatically deploy keys to managed devices is not supported for Kaspersky Security for Virtualization 6.0 Agentless). Proceed to the next step of the wizard.
  5. Finish the Key Storage Wizard.

The added key will appear in the list of keys in the Kaspersky licenses folder of the console tree.

Keys added to Kaspersky Security Center key storage can be used when creating an application activation task for SVMs.


[Topic 58470]

Creating an application activation task

To create an application activation task:

  1. In the Kaspersky Security Center Administration Console, select the relevant folder or administration group:
    • If you want to activate the application on all SVMs, select the Managed devices folder of the main Administration Server of Kaspersky Security Center. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
    • If you want to activate the application on SVMs of one KSC cluster, in the Managed devices folder of the console tree select the administration group containing this KSC cluster. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
    • If you want to activate the application on one or multiple SVMs, perform one of the following actions:
      • In the console tree, open the Tasks folder. Click the New task button to start the New Task Wizard.
      • In the console tree, select the Kaspersky Licenses folder. Click the Deploy key to managed devices button to start the New Task Wizard.
  2. At the first step of the Wizard, select the type of task.
    • If you started the New Task Wizard from the Managed devices folder or from the Tasks folder, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Application activation.
    • If you started the New Task Wizard from the Kaspersky licenses folder, specify the application for which the task is being created: Kaspersky Security for Virtualization 6.0 Agentless.

    Proceed to the next step of the New Task Wizard.

  3. To select a key from the Kaspersky Security Center key storage, click the Select button. The Select a license key window opens.

    If you added a key to the Kaspersky Security Center key storage in advance, select the key and click OK.

    If the relevant key is not in the key storage, add it as follows:

    1. Click the Add button located in the upper part of the Select a license key window. This starts the Key Storage Wizard that adds a key to the key storage of Kaspersky Security Center.
    2. Follow the instructions of the Wizard to add a key to key storage.
    3. Finish the Key Storage Wizard.

    After the Wizard finishes, select the added key in the Select a license key window and click OK.

    Information about the selected key appears in the lower part of the window.

    If you want to use the added key as an additional key, select the Use the license key as an additional check box.

    The check box is not available when adding a key for a trial license or a subscription key. A trial license key or a subscription key cannot be added as an additional key.

    Proceed to the next step of the New Task Wizard.

  4. If you started the New Task Wizard from the Tasks folder or from the Kaspersky licenses folder, specify the method for selecting the SVMs on which the task must run:
    • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
    • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of addresses from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
    • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

      Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes to the left of the names of the relevant SVMs.
      • Click the Add or Add IP range button and specify the addresses of SVMs.
      • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
      • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
      • Click the Browse button and select an administration group or manually enter the name of an administration group.

    Proceed to the next step of the New Task Wizard.

  5. Configure the task run schedule.
    • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
    • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

      If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

    • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized within the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

    • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

      Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created application activation task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the application activation task manually at any time.


[Topic 57658]

Renewing a license

When your license approaches expiration, you can renew it by adding an additional key. This prevents the impairment of application functionality after the current license expires and before you activate the application under a new license.

The application activation task is used to add an additional key on an SVM.

An additional key cannot be added if you are using the application under subscription.

The type of additional key should match the type of the previously added active key.

If you are using a licensing scheme that is based on the number of protected virtual machines, the type of additional key must match the type of the guest operating system of the virtual machines: an additional server key is intended for virtual machines with server operating systems; an additional desktop key is intended for virtual machines that have desktop operating systems.

If an SVM is used in a virtual infrastructure for the protection of virtual machines running server operating systems and desktop operating systems, it is recommended to add two additional keys to the SVM: a server key and a desktop key.

If you are using a licensing scheme based on the number of processors or processor cores, you need one additional key with a limitation on the number of processors or processor cores, irrespective of the type of operating system installed on the virtual machines.

The additional key must match the same license edition as the active key (standard license or enterprise license).

To renew a license:

  1. Create an application activation task for the SVMs on which you want to add an additional key. You can create a task for all SVMs, for the SVMs of one KSC cluster, or for an individual SVM.
  2. Select the Use the license key as an additional check box at Step 2 of the task wizard.
  3. Start the application activation task.

The task adds the additional key on those SVMs in the KSC cluster on which the active key has already been added. The additional key is automatically used as the active key after the Kaspersky Security license expires.

If you use an activation code for application activation, at the expiry of the license the application automatically connects to Kaspersky activation servers in order to replace the active key that has expired. If the automatic connection of the application to Kaspersky activation servers ends with an error, you have to manually start the application activation task in order to renew the license to use Kaspersky Security.

The application activation task on an SVM returns an error and the additional key is not added when one of the following conditions is met:

  • There is no active key on the SVM.
  • A subscription key has been added as the active key.
  • The type of additional key being added does not match the type of the previously added active key.

If an SVM has an active key and an additional key and you choose to replace the active key, Kaspersky Security checks the expiry date of the additional key. If the additional key expires before the previously renewed license term, Kaspersky Security automatically removes the additional key. In this case, you can add a different additional key after adding the active key.
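
The following Python model is an added example, not part of Kaspersky Security or its documentation. It encodes the key replacement rules from "Special considerations when adding license keys" and the additional-key error conditions listed above, so that you can preview which keys an activation task would remove from an SVM and which guest operating systems would be left without an active key. The class names and key labels are hypothetical, and treating the commercial/subscription and edition rules as symmetric is an assumption.

```python
from dataclasses import dataclass

# Licensing scheme implied by each key type, as described in the guide.
SCHEME = {"server": "vm", "desktop": "vm", "cores": "cores", "processors": "processors"}
# Guest OS classes each key type can protect (Linux guests: no desktop keys).
COVERS = {
    "server": {"server", "linux"},
    "desktop": {"desktop"},
    "cores": {"server", "desktop", "linux"},
    "processors": {"server", "desktop", "linux"},
}


class ActivationError(Exception):
    """The activation task would end with an error; SVM state is unchanged."""


@dataclass(frozen=True)
class Key:
    name: str      # constructed label, not a real key value
    key_type: str  # server | desktop | cores | processors
    license: str   # trial | commercial | subscription
    edition: str   # standard | enterprise


class Svm:
    """Hypothetical model of the key slots on one SVM."""

    def __init__(self):
        self.slots = {}  # (key_type, "active" | "additional") -> Key

    @staticmethod
    def _conflict(old, new):
        """Return why `old` cannot stay once `new` is added, or None."""
        if SCHEME[old.key_type] != SCHEME[new.key_type]:
            return "different licensing scheme"
        if old.edition != new.edition:
            return "different license edition"
        # Assumption: the guide shows commercial replacing subscription;
        # this model treats the reverse direction the same way.
        if {old.license, new.license} == {"commercial", "subscription"}:
            return "commercial and subscription keys cannot be combined"
        return None

    def add_active(self, key):
        """Add `key` as the active key; return [(removed key name, reason)]."""
        current = self.slots.get((key.key_type, "active"))
        if key.license == "trial" and current and current.license == "commercial":
            raise ActivationError("a trial key cannot replace the active commercial key")
        removed = []
        for slot, old in list(self.slots.items()):
            reason = self._conflict(old, key)
            if reason is None and slot == (key.key_type, "active"):
                reason = "replaced by the new key of the same type"
            if reason:
                removed.append((old.name, reason))
                del self.slots[slot]
        self.slots[(key.key_type, "active")] = key
        return removed

    def add_additional(self, key):
        """Add `key` as an additional key or raise ActivationError."""
        if key.license in ("trial", "subscription"):
            raise ActivationError("trial and subscription keys can only be active")
        if not any(slot == "active" for (_, slot) in self.slots):
            raise ActivationError("no active key on the SVM")
        active = self.slots.get((key.key_type, "active"))
        if active is None:
            raise ActivationError("key type does not match the active key")
        if active.license == "subscription":
            raise ActivationError("the active key is a subscription key")
        if active.edition != key.edition:
            raise ActivationError("license edition does not match the active key")
        self.slots[(key.key_type, "additional")] = key

    def protected_guests(self):
        """Guest OS classes that still have an active key."""
        covered = set()
        for (key_type, slot) in self.slots:
            if slot == "active":
                covered |= COVERS[key_type]
        return covered


def preview_enterprise_upgrade():
    """Constructed scenario: standard server and desktop keys, then one enterprise server key."""
    svm = Svm()
    svm.add_active(Key("SRV-STD", "server", "commercial", "standard"))
    svm.add_active(Key("DSK-STD", "desktop", "commercial", "standard"))
    svm.add_additional(Key("SRV-STD-NEXT", "server", "commercial", "standard"))
    removed = svm.add_active(Key("SRV-ENT", "server", "commercial", "enterprise"))
    return removed, svm.protected_guests()


if __name__ == "__main__":
    removed, guests = preview_enterprise_upgrade()
    for name, reason in removed:
        print(f"removed {name}: {reason}")
    print("guest OS classes with an active key:", sorted(guests))
```

In the constructed scenario, adding a single enterprise server key removes all three standard keys, so virtual machines with desktop operating systems have no active key until an enterprise desktop key is added as well.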


[Topic 89136]

Renewing subscription

When you use the application under subscription, Kaspersky Security contacts Kaspersky activation servers at specific intervals until your subscription expires.

If you use the application under unlimited subscription, Kaspersky Security checks Kaspersky activation servers for a renewed key in background mode and, if it is available, adds it by replacing the previous key. In this way, unlimited subscription for Kaspersky Security is renewed without user involvement.

If you use the application under limited subscription, on the day when subscription (or the grace period after subscription expiry during which subscription renewal is available) expires, Kaspersky Security sends the relevant information to the Administration Server of Kaspersky Security Center and stops attempting to renew subscription automatically. Kaspersky Security stops updating the application databases and stops using the Kaspersky Security Network.

You can renew your subscription by contacting the vendor that sold you Kaspersky Security.

After renewing subscription, you have to restart the key addition task that you created to add a subscription key.


[Topic 61238]

Viewing information about keys in use

Information about the keys being used can be viewed in the Kaspersky Security Center Administration Console:

  • In the Kaspersky licenses folder in the console tree
  • In the properties of the application installed on the SVM
  • In the properties of the application activation task
  • In the key usage report

In this section:

Viewing details of the key in the Kaspersky licenses folder

Viewing key details in the properties of the application

Viewing key details in the properties of the application activation task

Viewing the key usage report


[Topic 61239]

Viewing details of the key in the Kaspersky licenses folder

To view details of the key in the Kaspersky licenses folder:

  1. In the Kaspersky Security Center Administration Console, select the Kaspersky licenses folder.

    The workspace shows a list of keys added to the Kaspersky Security Center key storage.

  2. In the list of keys, select a key whose details you wish to view.

On the right of the key list, the following key details appear:

  • <Unique alphanumeric sequence> (key).
  • Application. The name of the application for which the key is intended, and license information.
  • Type. License type. Possible options: trial, commercial or subscription.
  • License term (days). The number of days during which you may use the application activated by adding this key (for example, 365 days). If you are using the application under subscription, the field value is <Unavailable>.
  • Expiration date. Key expiration date. You can activate the application by adding this key and use it only before this expiration date. If you are using the application under unlimited subscription, the field value is Unlimited.
  • License expiration date. The date when your right to use the application activated with the current key expires. If you are using the application under unlimited subscription, the field value is Unlimited.
  • Restriction – depending on the key type:
    • For a server key – the maximum number of virtual machines running a server operating system that you can protect.
    • For a desktop key – the maximum number of virtual machines running a desktop operating system that you can protect.

      For server and desktop keys, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off. If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines.

    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors whose virtual machines you can protect.
    • For a key with a limitation on the number of processors – the maximum number of physical processors used on all hypervisors whose virtual machines you can protect.
  • Devices on which the key is active – the number of SVMs on which the key has been added as an active key.
  • Devices on which the key is additional – the number of SVMs on which the key has been added as an additional key.

If you have selected a subscription key in the list, the following information is also displayed to the right of the list:

  • Type of validity period restriction – if the application is being used under an unlimited subscription, Unlimited is displayed in the field. If the subscription is limited, the field is not displayed.
  • Grace period. The number of days after subscription suspension during which the application retains its functionality.
  • Subscription provider's web address – web address of the service provider with whom the subscription is registered.
  • Subscription status. The current status of the subscription. Possible values: active, paused, expired, canceled, grace period activated.

Subscription details are also displayed in the subscription key properties window in the About subscription section.

If both a server key and a desktop key have been added on an SVM, the Kaspersky licenses folder of Kaspersky Security Center shows information on these keys and the following information about the combination of the server key and desktop key:

  • <Unique alphanumeric sequence> is the combination of a server key and a desktop key.
  • Validity period – the longer of the following two application usage periods: the period of application usage under the server key, or the period of application usage under the desktop key.
  • Expiration date – the later of the following two dates of key expiration: server key expiration date or desktop key expiration date.
  • License expiration date – the later of the following two dates: the end date of application usage under the server key, or the end date of application usage under the desktop key.
  • Restriction – the sum of the following values: the maximum number of virtual machines with desktop operating systems plus the maximum number of virtual machines with server operating systems that you can protect with the application.
  • Grace period – only for subscription keys: the longer of the following two grace periods: the grace period corresponding to the server key or the grace period corresponding to the desktop key.
  • Subscription status – only for subscription keys: the field shows the Active status if a subscription corresponding to at least one of the keys (server or desktop) has the active status. If both subscriptions are inactive, the field displays the better status (for example, if one subscription has Not active status and the other one has Grace period activated status, the field displays the Grace period activated status).

[Topic 61240]

Viewing key details in the properties of the application

To view information about a key in the properties of the application installed on an SVM:

  1. In the Kaspersky Security Center Administration Console, open the properties window of the SVM for which you want to view key details:
    1. Select the administration group containing the KSC cluster that includes the relevant SVM.
    2. In the workspace, select the Devices tab.
    3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

    The Properties: <SVM name> window opens.

  2. In the SVM properties window in the list on the left, select the Applications section.

    A list of applications that are installed on this SVM appears in the right part of the window.

  3. Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.

    The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.

  4. In the application settings window, in the list on the left, select the Keys section.

The details of the key added to the SVM appear in the right part of the window. The Active key section shows the details of the active key. The Additional key section shows the details of the additional key. If no additional key has been added, the Additional key section shows the <Not added> string.

The following key details appear in the Active key section:

  • <Unique alphanumeric sequence> (key).
  • License type. Type of license. Possible options: trial, commercial or subscription.
  • Activation date – the date when the application was activated with this key.
  • License expiration date. The date when your right to use the application activated with the current key expires. If you are using the application under unlimited subscription, the field value is Unlimited.
  • License term. The number of days during which you may use the application activated by adding this key (for example, 365 days). If you are using the application under subscription, the field value is <Unavailable>.
  • Restriction – depending on the key type:
    • For a server key – the maximum number of virtual machines running a server operating system that you can protect.
    • For a desktop key – the maximum number of virtual machines running a desktop operating system that you can protect.

      For server and desktop keys, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off. If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines.

    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors whose virtual machines you can protect.
    • For a key with a limitation on the number of processors – the maximum number of physical processors used on all hypervisors whose virtual machines you can protect.

The following key details appear in the Additional key section:

  • <Unique alphanumeric sequence> (key).
  • License type. License type: commercial.
  • License term. The number of days during which you may use the application activated by adding this key (for example, 365 days).
  • Restriction – depending on the key type:
    • For a server key – the maximum number of virtual machines running a server operating system that you can protect.
    • For a desktop key – the maximum number of virtual machines running a desktop operating system that you can protect.

      For server and desktop keys, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off. If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines.

    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors whose virtual machines you can protect.
    • For a key with a limitation on the number of processors – the maximum number of physical processors used on all hypervisors whose virtual machines you can protect.

If both a server key and a desktop key have been added on an SVM, the Kaspersky Security Center properties window shows the following information about the combination of the server key and desktop key:

  • <Unique alphanumeric sequence> is the combination of a server key and a desktop key.
  • License expiration date – the later of the following two dates: the end date of application usage under the server key, or the end date of application usage under the desktop key.
  • Validity period – the longer of the following two application usage periods: the period of application usage under the server key, or the period of application usage under the desktop key.
  • Restriction – the sum of the following values: the maximum number of virtual machines with desktop operating systems plus the maximum number of virtual machines with server operating systems that you can protect with the application.

[Topic 61241]

Viewing key details in the properties of the application activation task

To view key details in the properties of the application activation task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to view the properties of an activation task that activates the application on all SVMs, select the Managed devices folder of the console tree. In the workspace, select the Tasks tab.
    • If you want to view the properties of an activation task that activates the application on SVMs of one KSC cluster, in the Managed devices folder of the console tree select the administration group containing this KSC cluster. In the workspace, select the Tasks tab.
    • If you want to view the properties of an activation task that activates the application on one or multiple SVMs, select the Tasks folder of the console tree.
  2. In the list of tasks, select the activation task whose properties you want to view, and open the task properties window by double-clicking or by selecting Properties in the task context menu.

    The Properties: <Task name> window opens.

  3. In the task properties window, select the Adding a license key section.

In the right part of the window, the details of the key that this task is adding on SVMs appear:

  • License Key – a unique alphanumeric sequence.
  • License type – the following options are available: trial, commercial, or commercial (subscription).
  • Restriction – depending on the key type:
    • For a server key – the maximum number of virtual machines running a server operating system that you can protect.
    • For a desktop key – the maximum number of virtual machines running a desktop operating system that you can protect.

      For server and desktop keys, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off. If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines.

    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors whose virtual machines you can protect.
    • For a key with a limitation on the number of processors – the maximum number of physical processors used on all hypervisors whose virtual machines you can protect.
  • License term. The application usage period specified in the License Certificate (for example, 365 days). This field is not displayed if you are using the application under a subscription.
  • Expiration date. Key expiration date. You can activate the application by adding this key and use it only before this expiration date. If you are using the application under an unlimited subscription, the field's value is Unlimited.
  • Grace period. The number of days after subscription suspension during which the application retains its functionality. The field is displayed if you are using the application under subscription and the service provider with which you registered your subscription offers a grace period for renewing your subscription.
  • Functionality. The list of application components and features whose availability depends on the license edition associated with the selected key:
    • The application components and features that are available when using the application under the license corresponding to the selected key are marked with the Available icon in the list.
    • The application components and features that are not available when using the application under the license corresponding to the selected key are marked with the Not available icon in the list.

[Topic 58851]

Viewing the key usage report

To view the key usage report:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. In the workspace of the node, go to the Reports tab.
  3. In the list of report templates, select the Key usage report template and open the report window by double-clicking or by selecting Show report from the context menu.

    This opens a window containing the report that was generated from the Key usage report template.

The chart in the upper part of the window shows the following key usage details for each key:

  • Number of licensing units on which the key is already in use
  • Number of licensing units on which the key can be used according to the licensing restrictions
  • Number of licensing units by which the licensing restrictions for the key are exceeded

The key usage report consists of two tables:

  • The summary table contains information about the keys in use
  • The detailed information table contains information about SVMs on which keys have been added, or about virtual machines for whose protection the key is used

You can configure the content of fields shown in each table. See Kaspersky Security Center documentation on how to add or remove fields in the report tables.

The summary table contains information about the keys in use:

  • Key is the unique alphanumeric sequence.
  • Total keys used as active. Depending on the key type:
    • For a server or desktop key, this is the number of virtual machines for whose protection the key is used.
    • For a key with a limitation on the number of processor cores – the number of physical processor cores used on all VMware ESXi hypervisors on which SVMs are deployed.
    • For a key with a limitation on the number of processors – the number of physical processors used on all hypervisors whose virtual machines you can protect.
  • Total keys used as active for workstations – the number of virtual machines with a desktop operating system for whose protection the key is used.
  • Total keys used as active for servers – the number of virtual machines with a server operating system for whose protection the key is used.
  • Total keys used as additional. The number of SVMs on which the key has been added as an additional key.
  • Restriction – depending on the key type:
    • For a server key – the maximum number of virtual machines running a server operating system that you can protect.
    • For a desktop key – the maximum number of virtual machines running a desktop operating system that you can protect.

      For server and desktop keys, the license restriction count includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off. If you do not want a virtual machine to be included in the license restriction count, you can exclude the virtual machine from the protected virtual machines.

    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors whose virtual machines you can protect.
    • For a key with a limitation on the number of processors – the maximum number of physical processors used on all hypervisors whose virtual machines you can protect.
  • The license expiration date. The date when your right to use the application activated with your current key expires.
  • Use key until. The key's expiration date.
  • Additional properties – additional key properties.
  • Service info. Service information relating to the key and license.

    The row below contains the following consolidated information:

    • Keys. Total number of keys in use.
    • Keys are more than 90% used. Total number of keys that have been used up by more than 90% of the usage time available under the licensing restriction. For example, the restriction is set at 100 virtual machines. A key is used on two SVMs: the first one protects 42 virtual machines and the second one protects 53 virtual machines. The key is therefore 95% used and is included in the number of keys specified in this field.
    • Keys with exceeded limit. Total number of keys that have exceeded the license limit, for example, imposed on the number of protected virtual machines with server or desktop operating systems, or on the number of physical processor cores used on all hypervisors (depending on the key type).

The detailed information table shows information about the SVM on which the key has been added (for keys of all types) and information about the protected virtual machine for which the key is being used (for a server or desktop key):

  • Group. The administration group that includes the SVM with the added key.
  • Device name. The name of the SVM for which the key was added or the name of the protected virtual machine for which the key is used.
  • Application. The name of the application that was activated by adding this key on the SVM.
  • Version number. The version number of the application that was activated by adding this key on the SVM.
  • Active key. The key that was added as an active key on the SVM or that is used for protection of the virtual machine.
  • Additional key. The key that was added as the additional key on the SVM.
  • License valid until. The expiration date for using the application with this key.
  • Use key until. The key's expiration date.
  • IP address. The IP address of the SVM on which the key was added or the IP address of the protected virtual machine.
  • Last visible on the network. The date and time when the SVM or virtual machine was last visible on the corporate LAN.
  • Last connection to Administration Server. The date and time of the last connection between the SVM and the Kaspersky Security Center Administration Server.
  • NetBIOS name. The name of the protected virtual machine and the path to it in the virtual infrastructure.
  • DNS name. The domain name of the SVM or the name of the protected virtual machine and the path to it in the virtual infrastructure.
  • Used. Depending on the type of key:
    • For a server key and desktop key – the number of virtual machines with a server operating system or desktop operating system that are protected by the application.
    • For a key with a limitation on the number of processor cores – the maximum number of physical processor cores used on all hypervisors on which SVMs are deployed.
    • For a key with a limitation on the number of processors – the number of physical processors used on all hypervisors on which SVMs are deployed.
  • Used for workstations – the number of virtual machines with a desktop operating system that are under the protection of the application.
  • Used for servers – the number of virtual machines with a server operating system that are under the protection of the application.

If both a server key and a desktop key have been added on an SVM, the Kaspersky Security Center key usage report shows the following information about the combination of the server key and desktop key:

  • Key, Active key, Additional key – unique combination of a server key and a desktop key.
  • Earliest date of key expiration – the later of the following two dates: the end date of application usage under the server key, or the end date of application usage under the desktop key.
  • Use key until – the later of the following two dates of key expiration: server key expiration date or desktop key expiration date.
  • Total keys used as active – the total number of virtual machines with server operating systems and desktop operating systems for whose protection the key is used.
  • Restriction – the sum of the following values: the maximum number of protected virtual machines with desktop operating systems plus the maximum number of protected virtual machines with server operating systems.
  • Used – the total number of virtual machines with server operating systems and desktop operating systems that are protected by the application.
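
The counting rules described in this topic (the 30-day window for server and desktop keys, the "more than 90% used" and "exceeded limit" counters, and the combination of a server key and a desktop key) are worked through below as an added example that is not part of the Kaspersky documentation. The record fields, key names, limits and dates are constructed for illustration; counting a virtual machine only once when two SVMs report it, and counting a key with an exceeded limit as also more than 90% used, are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta

WINDOW_DAYS = 30  # look-back period the guide states for server and desktop keys


@dataclass(frozen=True)
class VmRecord:
    """One protected-VM observation (hypothetical structure, not a KSC export format)."""
    vm_id: str
    os_kind: str              # "server" or "desktop"
    svm: str                  # SVM that reported the virtual machine
    last_protected: datetime  # last time the VM was under protection
    powered_on: bool
    excluded: bool = False    # VM was excluded from the protected virtual machines


@dataclass(frozen=True)
class KeyUsage:
    name: str
    restriction: int  # "Restriction" field
    used: int         # "Used" field
    expires: date     # "Use key until" field

    @property
    def over_90(self) -> bool:
        return self.used * 10 > self.restriction * 9  # integer form of used/limit > 90%

    @property
    def exceeded(self) -> bool:
        return self.used > self.restriction


def counted_vms(records, os_kind, now):
    """VMs that count against the restriction: protected within the last 30 days
    and not excluded. The power state is deliberately ignored."""
    cutoff = now - timedelta(days=WINDOW_DAYS)
    return {r.vm_id for r in records  # set: a VM seen by two SVMs counts once (assumption)
            if r.os_kind == os_kind and not r.excluded and r.last_protected >= cutoff}


def combine(server, desktop):
    """Combination of a server key and a desktop key: restriction and usage are
    summed, the expiration date is the later of the two."""
    return KeyUsage(f"{server.name}+{desktop.name}",
                    server.restriction + desktop.restriction,
                    server.used + desktop.used,
                    max(server.expires, desktop.expires))


def consolidated_row(keys):
    """Totals shown in the row below the summary table."""
    return {"Keys": len(keys),
            "Keys are more than 90% used": sum(k.over_90 for k in keys),
            "Keys with exceeded limit": sum(k.exceeded for k in keys)}


NOW = datetime(2024, 6, 30, 12, 0)  # constructed "current time"


def build_sample():
    """Constructed inventory: 42 + 53 server VMs on two SVMs (the guide's 95% case),
    plus records that exercise the counting rules."""
    day, recs = timedelta(days=1), []
    for i in range(95):
        svm = "svm-01" if i < 42 else "svm-02"
        recs.append(VmRecord(f"srv-{i:03d}", "server", svm, NOW - day, True))
    recs.append(VmRecord("srv-000", "server", "svm-02", NOW, True))              # same VM, second SVM
    recs.append(VmRecord("srv-old", "server", "svm-01", NOW - 45 * day, False))  # outside the window
    recs.append(VmRecord("srv-excl", "server", "svm-01", NOW - day, True, excluded=True))
    for i in range(48):
        recs.append(VmRecord(f"dsk-{i:03d}", "desktop", "svm-01", NOW - day, True))
    for i in range(5):  # powered off 10 days ago: still counted
        recs.append(VmRecord(f"dsk-off-{i}", "desktop", "svm-02", NOW - 10 * day, False))
    recs.append(VmRecord("dsk-stale", "desktop", "svm-02", NOW - 31 * day, False))
    return recs


def report(records, now):
    server = KeyUsage("SERVER-KEY-PLACEHOLDER", 100,
                      len(counted_vms(records, "server", now)), date(2025, 1, 31))
    desktop = KeyUsage("DESKTOP-KEY-PLACEHOLDER", 50,
                       len(counted_vms(records, "desktop", now)), date(2024, 12, 31))
    return server, desktop, combine(server, desktop)


if __name__ == "__main__":
    for key in report(build_sample(), NOW):
        print(key.name, f"{key.used}/{key.restriction}",
              "over 90%" if key.over_90 else "", "EXCEEDED" if key.exceeded else "")
    print(consolidated_row(report(build_sample(), NOW)[:2]))
```

In the sample, the desktop key exceeds its limit of 50 even though only 48 desktop virtual machines are powered on, because the five machines powered off ten days earlier are still inside the 30-day window.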

[Topic 57659]

Starting and stopping the application

Kaspersky Security starts automatically when the operating system on an SVM is started.

The virtual machine file threat protection function is enabled automatically at startup of Kaspersky Security if you activated the application and enabled protection in the policy.

Kaspersky Security protects virtual machines against network threats only if the policy applied to SVMs is configured for Intrusion Prevention and Web Addresses Scan.

The application does not protect virtual machines if the application databases are missing from the SVMs.

The virtual machine scan task starts according to its schedule.

Kaspersky Security stops automatically when the operating system is shut down on an SVM.

[Topic 90492]

Protection status

Information on virtual infrastructure protection status is displayed in Kaspersky Security Center using one of the following methods:

  • By the client device status (OK, Critical, Warning). In the case of Kaspersky Security for Virtualization 6.0 Agentless, a client device of Kaspersky Security Center is an SVM. Protected virtual machines are not considered client devices from the perspective of Kaspersky Security Center because the Kaspersky Security Center Network Agent is not installed on them. When problems are detected in the Kaspersky Security application operation or in the protection of virtual machines, the status of the SVM that protects those virtual machines changes.

    The Kaspersky Security Center client device status may change to Critical or Warning for the following reasons:

    • The status changes according to the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, anti-virus databases are out of date, or the license has expired. For more details about the reasons for status changes and configuring status assignment conditions, please refer to the Kaspersky Security Center documentation.
    • Kaspersky Security Center receives the device status from the managed application, i.e. Kaspersky Security.

      Kaspersky Security Center must be configured to receive the device status from the managed application. To ensure that this function is enabled, in the properties of the Managed devices folder, in the Device status section, make sure that the Defined by the application check boxes are selected in the lists of conditions for the Critical and Warning statuses.

      Kaspersky Security may change the SVM status to Critical or Warning in the following cases:

      • The application is not activated or problems associated with the key or license are detected (for example, the key is blacklisted).
      • The SVM is not connected to the Integration Server or there were problems receiving information about the protected virtual infrastructure.
      • Problems and limitations have been detected in KSN operation (an error occurred when connecting to KSN, temporary restriction on use of KSN is enabled, KSN settings in the policy do not match the KSN settings in the properties of the Kaspersky Security Center Administration Server).
      • Application databases are missing or an error occurred when downloading them.
      • Errors were detected in application components (for example, a virus scan is not being performed, errors were detected in Network Attack Blocker functionality or suspicious network activity was detected, web addresses scan is not being performed).
      • Problems were detected in the interaction between an SVM and network data storage (if the use of network data storage is configured for the SVM).

    For details on client device statuses, see the Kaspersky Security Center documentation. Information on the client device (SVM) statuses can be viewed in the device list of the Kaspersky Security Center Administration Console and in the protection status report.

  • By the virtual machine protection status. Information on the virtual machine protection status can be viewed in the protection status report.

    Protected virtual machines are not considered client devices of Kaspersky Security Center and cannot be assigned a client device status. The report shows the protection status that Kaspersky Security Center assigns to the virtual machine based on the information received from the SVM protecting this virtual machine.

    Virtual machine protection status can change to Critical or Warning if the following information is received from the SVM:

    • The virtual machine has "not protected" status. Information on the virtual machine status (protected, not protected, powered off) can be viewed in the list of virtual machines within the KSC cluster protected infrastructure.
    • A virus scan has not been performed in a long time on the virtual machine.
    • The application databases have not been updated for a long time on the SVM protecting the virtual machine.

In this Help section

About security tags

Viewing information about virtual machines within the KSC cluster protected infrastructure

Viewing information about virtual machines protected by an SVM

[Topic 83475]

About security tags

Kaspersky Security can assign the following security tags to a protected virtual machine:

  • ANTI_VIRUS.VirusFound.threat=high. The tag is assigned to a virtual machine on which viruses or other malware were detected.
  • IDS_IPS.threat=high. The tag is assigned to a virtual machine whose traffic displayed activity typical of network attacks or activity that may be a sign of an intrusion into the protected infrastructure.

You can view the security tags assigned to a virtual machine by viewing the virtual machine properties in the VMware vSphere Web Client console (in the Hosts and Clusters section on the Summary tab).

The ANTI_VIRUS.VirusFound.threat=high security tag is automatically removed if no viruses or other malware are detected when a scan task is completed on the virtual machine. The IDS_IPS.threat=high security tag can be manually removed.

You can manually assign or remove security tags.

[Topic 57661]

Viewing information about virtual machines within the KSC cluster protected infrastructure

To view the list of virtual machines within the KSC cluster protected infrastructure:

  1. In the Kaspersky Security Center Administration Console, in the Managed devices folder, select the administration group containing the KSC cluster and then select the Clusters and server arrays subfolder.
  2. In the workspace, select the KSC cluster and double-click it to open the Properties: <KSC cluster name> window.
  3. In the KSC cluster properties window, select the List of virtual machines section.

    The right part of the window displays a list of all virtual machines that are part of the protected infrastructure of this KSC cluster.

    The list does not show virtual machine templates and SVMs.

    The list of virtual machines is displayed as a table containing the following columns:

  4. To view additional information about virtual machines within the KSC cluster protected infrastructure, click the Detailed information button. A table containing a detailed list of virtual machines opens in a separate window.

    The table displays information about the status of protection indicated in the Protection type field located above the table. You can select one of the following values:

    • File system protection. Select this option if you want to view information on the status of virtual machine file threat protection. This option is selected by default.
    • Network protection. Select this option if you want to view information on the status of network protection of virtual machines.

    The table columns show the following additional details of each virtual machine:

In the main and detailed lists of virtual machines, you can perform the following operations:

  • Sort the list by any column of the table.
  • Filter the list by protection status.
  • Search for a virtual machine in the list.
  • Export the list of virtual machines to a file in XML or CSV format.

The main and detailed lists of virtual machines are automatically refreshed every 5 minutes. If required, you can refresh the list at any time by clicking the Refresh list button.

To filter the list of virtual machines by protection status, click one of the following buttons:

  • Protected – show protected virtual machines
  • Unprotected – show unprotected virtual machines
  • Disabled – show turned off and paused virtual machines

You can combine filtering conditions by pressing several buttons.

To cancel filtering of the list of virtual machines, click the Show all button.

To search for a virtual machine in the list, enter a virtual machine search condition in the search field.

In the main list of virtual machines, you can perform a search based on the value of any column except the Status column. In the detailed list of virtual machines, you can perform a search based on the value of any column except the Status, Scan date and Database update columns.

To export the list of virtual machines to a file in XML or CSV format, click the Export list button. In the window that opens, specify the name and format of the file.

Information about virtual machines within the protected infrastructure of this KSC cluster will be saved to a file in the selected format.

If you pre-filtered the list of virtual machines or performed a search for a virtual machine, only information that matches the filter conditions or the search conditions is saved to the file.

[Topic 159780]

Viewing information about virtual machines protected by an SVM

In the properties of the application installed on each SVM, you can view information about virtual machines that are protected by this SVM.

The virtual machine is under the protection of an SVM if the NSX File Introspection Driver installed on the virtual machine is connected to the SVM. In this case, the virtual machine can still be unprotected. The SVM with the File Threat Protection component protects only those virtual machines that meet all conditions for protection of virtual machines from file threats. The SVM with the Network Threat Protection component protects only those virtual machines that meet all conditions for protection of virtual machines from network threats.

To view information about the virtual machines protected by an SVM:

  1. In the Kaspersky Security Center Administration Console, open the SVM properties window as follows:
    1. Select the administration group containing the KSC cluster that includes the relevant SVM.
    2. In the workspace, select the Devices tab.
    3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

    The Properties: <SVM name> window opens.

  2. In the SVM properties window in the list on the left, select the Applications section.

    A list of applications that are installed on this SVM appears in the right part of the window.

  3. Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.

    The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.

  4. In the application settings window in the list on the left, select the List of protected virtual machines section.

The right part of the window displays a table containing information about the virtual machines protected by the SVM.

The table displays the following information for each virtual machine:

  • Virtual machine name.
  • Name of the virtual Administration Server of Kaspersky Security Center that is used to manage the protection of the tenant organization that owns the virtual machine. If the virtual machine does not belong to any tenant organization, No is displayed in the column.
  • IP address of the virtual machine.
  • Version of the operating system installed on the virtual machine.
  • Type of operating system installed on the virtual machine: server operating system or desktop operating system.
  • ID of the virtual machine (vmID).
  • Path to the virtual machine within the virtual infrastructure.

In the table containing a list of virtual machines, you can do the following:

  • Sort the list by any column of the table.
  • Search for a virtual machine in the list.
  • Update information about virtual machines by clicking the Refresh button.

[Topic 57662]

Virtual machine file threat protection

In this section, SVM refers to an SVM with the File Threat Protection component installed.

An SVM with the File Threat Protection component installed protects virtual machines on the VMware ESXi hypervisor. The settings that SVMs apply for virtual machine file threat protection are defined by using policies. Kaspersky Security starts protecting virtual machines only after you have enabled protection by using a policy.

File Threat Protection is enabled for virtual machines if a protection profile is assigned to these virtual machines. You can assign the main protection profile that is generated automatically when a policy is created, or create and assign additional protection profiles if you want to use different protection settings for different virtual infrastructure objects.

You can assign protection profiles directly to virtual machines and other virtual infrastructure objects. In a virtual infrastructure managed by a standalone VMware vCenter Server, you can also assign different protection profiles to virtual machines that are part of NSX Security Groups that are within the scope of different NSX Profile Configurations.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.

Kaspersky Security protects only powered-on virtual machines that meet all the conditions for virtual machine protection.

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

  • If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
  • If viruses or other malware are detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

    Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

The Signature analysis and machine learning scan method is used for protection of virtual machines. Protection that uses signature analysis provides a minimally acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

Additionally, heuristic analysis is used during virtual machine protection. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures, or with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

  • If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes fewer resources of the SVM.
  • If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky experts.

Information about all events that occur during protection of virtual machines is logged in a report.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.

In this Help section

Conditions for protection of virtual machines against file threats

Configuring main protection profile settings

Managing additional protection profiles

Creating an additional protection profile

Viewing the protected infrastructure in a policy

Assigning protection profiles to virtual infrastructure objects

Assigning protection profiles by using NSX Profile Configurations

Changing the protected infrastructure for a policy

Disabling file threat protection for virtual infrastructure objects


[Topic 59624]

Conditions for protection of virtual machines against file threats

Kaspersky Security protects virtual machines that meet the following conditions:

  • The virtual machine is not powered off or paused.

    When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.

  • The Guest Introspection driver (NSX File Introspection Driver) has been installed and is running on the virtual machine.
  • The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console. This group must be assigned an NSX Security Policy in which the use of the file system protection service (Kaspersky File Antimalware Protection) is configured.
  • A protection profile is being applied to the virtual machine.

If even one of the listed conditions is not fulfilled, Kaspersky Security does not protect the virtual machine.


[Topic 59329]

Configuring main protection profile settings

The main protection profile is automatically generated during creation of the main policy and tenant policy. You can configure the settings of the main protection profile while creating a policy (during the Configure main protection profile settings step) or in the properties of the policy after it is created (in the Main protection profile subsection in the File Threat Protection section).

To configure main protection profile settings:

  1. In the Security level section, select the security level at which Kaspersky Security scans virtual machines:
    • If you want to use one of the preset security levels (High, Recommended, or Low), use the slider to select one.
    • To change the security level to Recommended, click the Default button.
    • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
    1. In the Scanning archives and compound files section, specify the values of the following settings:
    2. In the Performance section, specify the values of the following settings:
    3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      • Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

    4. In the Objects to detect window, click OK.
    5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

  2. In the Action on threat detection section, select an action.
  3. If you do not want Kaspersky Security to scan files on network drives when protecting virtual machines running Windows operating systems, clear the Scan network drives check box in the Protection scope section. By default, when protecting virtual machines running Windows operating systems, the application scans all files that have not been excluded from protection on network drives.

    When protecting virtual machines running Linux operating systems, Kaspersky Security always scans files of supported network file systems (NFS and CIFS). If you want to exclude files of network file systems from the protection scope, you must configure a protection exclusion for the directory in which the network file system is mounted.

    Kaspersky Security always scans files on removable and hard drives. For this reason the Scan all removable drives and hard drives setting in the Protection scope section cannot be edited.

  4. To exclude certain files of virtual machines from protection, in the Exclusions from protection section, click the Settings button.

    In the Exclusions from protection window that opens, specify the following settings:

    1. In the File extensions section, choose one of the following options:
      • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan when a virtual machine is being protected. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the protection scope.
      • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan when the virtual machine is being protected. When protecting virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files that are to be included in the protection scope. When protecting virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

    2. In the Files and folders table, use the Add, Change, and Delete buttons to create the list of objects to be excluded from protection.

      By default, the list of exclusions includes the objects recommended by Microsoft (please refer to the list of recommended exclusions on the Microsoft website). Kaspersky Security excludes these objects from protection on all virtual machines to which the main protection profile has been assigned. You can view and edit the list of these objects in the Files and folders table.

      You can exclude objects of the following types from protection:

      • Folders. Files stored in folders at the specified path are excluded from protection. For each folder, you can specify whether to apply the exclusion from protection to subfolders.
      • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from protection.

        You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in paths to files and folders that are excluded from protection.

      You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

    If your exclusions list uses an environment variable that has multiple values depending on the bitness (32-bit or 64-bit) of the application that uses it, then in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from protection. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program Files and in the folder C:\Program Files (x86) are excluded from protection.

  5. In the Exclusions from protection window, click OK.
  6. Save the changes by clicking Next (in the New Policy Wizard) or Apply (in the policy properties).

The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.
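The extension-list rules from step 4 can be checked before a list is typed into a protection profile. The following is an added example, not code from Kaspersky; the function names and the rule that a file's extension is the text after the last dot are assumptions, and the sample inputs are constructed.

```python
"""Model of the File extensions rules in the Exclusions from protection window."""

# Characters the help text says an extension may not contain.
FORBIDDEN = set('.*|\\:"<>?/')

EXCLUDE = "Scan all except files with the following extensions"
INCLUDE = "Scan files with the following extensions only"


def parse_extensions(text):
    """Split text-box content into extensions. Returns (extensions, errors).

    Extensions are separated by blank space or new lines; an extension that
    contains a blank space must be wrapped in quotation marks ("doc x").
    """
    exts, errors = [], []
    i, n = 0, len(text)
    while i < n:
        if text[i].isspace():
            i += 1
            continue
        if text[i] == '"':
            end = text.find('"', i + 1)
            if end == -1:
                errors.append(f"unterminated quotation mark at offset {i}")
                break
            token, i = text[i + 1:end], end + 1
        else:
            j = i
            while j < n and not text[j].isspace():
                j += 1
            token, i = text[i:j], j
        bad = sorted(set(token) & FORBIDDEN)
        if not token:
            errors.append("empty quoted extension")
        elif bad:
            errors.append(f"{token!r}: forbidden character(s) {' '.join(bad)}")
        else:
            exts.append(token)
    return exts, errors


def file_extension(path):
    """Assumption: the extension is whatever follows the last dot in the name."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def is_scanned(path, mode, extensions, guest_os):
    """Decide whether a file falls inside the protection scope.

    guest_os is "windows" or "linux"; mode is EXCLUDE or INCLUDE.
    """
    ext = file_extension(path)
    if mode == EXCLUDE:
        # Case is ignored for extensions that are excluded from the scope.
        return ext.lower() not in {e.lower() for e in extensions}
    if mode == INCLUDE:
        if not extensions:
            return True  # empty include list: all files are scanned
        if guest_os == "linux":
            return ext in set(extensions)  # case sensitive on Linux guests
        return ext.lower() in {e.lower() for e in extensions}
    raise ValueError(f"unknown mode: {mode!r}")


def unscanned(paths, mode, extensions, guest_os):
    """Files from a sample listing that the configured list leaves unscanned."""
    return [p for p in paths if not is_scanned(p, mode, extensions, guest_os)]


if __name__ == "__main__":
    # Constructed input: one quoted extension and one invalid entry.
    exts, errors = parse_extensions('exe dll\n"doc x" a*b')
    print("accepted:", exts)
    print("rejected:", errors)
    # Constructed file listing from a Linux guest.
    listing = ["/srv/share/tool.EXE", "/srv/share/lib.dll", "/srv/share/notes.doc x"]
    print("not scanned on Linux:", unscanned(listing, INCLUDE, exts, "linux"))
    print("not scanned on Windows:", unscanned(listing, INCLUDE, exts, "windows"))
```

On a Linux guest, an include-only list containing `exe` leaves `tool.EXE` outside the protection scope, so include lists for Linux virtual machines need every case variant that occurs on disk.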


[Topic 57665]

Managing additional protection profiles

You can manage additional protection profiles in the properties of a policy in the list of additional protection profiles.

To open the list of additional protection profiles in the policy properties:

  1. In the Kaspersky Security Center Administration Console, open the policy properties:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the File Threat Protection section, select the additional protection profiles subsection.

    A list of additional protection profiles will appear in the right part of the window. If you have not yet created additional protection profiles in this policy, the list of protection profiles is empty.

In the list of additional protection profiles, you can do the following:

  • Create additional protection profiles.
  • Change the name of an additional protection profile by clicking the Rename button.
  • Edit the settings of an additional protection profile by clicking the Change button. The settings are edited in the Protection settings window. The additional protection profile settings are identical to the main protection profile settings. The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.
  • Export the settings of an additional protection profile to a file by clicking the Export button. To save the settings of an additional protection profile, you need to specify the path to a file in JSON format. You can use previously saved settings when creating a new additional protection profile.
  • Delete an additional protection profile by clicking the Delete button. If this protection profile was used for virtual machine protection, the application will protect these virtual machines using the settings of the protection profile that was assigned to their parent object in the virtual infrastructure. If the parent object has been excluded from protection, the application does not protect such virtual machines.

    If file protection settings were defined using NSX Profile Configurations, deletion of a protection profile will result in the unmapping of the deleted protection profile from the NSX Profile Configuration. The application will use the settings of the default protection profile to protect the virtual machines within the scope of this NSX Profile Configuration.


[Topic 83459]

Creating an additional protection profile

To create an additional protection profile:

  1. In the Kaspersky Security Center Administration Console, open the list of additional protection profiles in the properties of the policy for which you want to create an additional protection profile.
  2. Click the Add button.

    The Protection profile window opens.

  3. In the window that opens, enter the name of the new protection profile.

    A protection profile name cannot contain more than 255 characters.

  4. If you want to use previously saved protection profile settings when creating a new protection profile, select the Import settings from file check box and specify the path to the file in JSON format.
  5. In the Protection profile window, click OK.

    The Protection settings window opens. In this window, you can configure the settings of the new protection profile or change protection profile settings that were imported from a file.

    The additional protection profile settings are identical to the main protection profile settings, with the exception of the default list of exclusions.

    By default, the list of exclusions does not include objects recommended by Microsoft Corporation (please refer to the list of exclusions recommended by Microsoft on the Microsoft website). If you want the objects recommended by Microsoft to be excluded from protection on all virtual machines that have been assigned this protection profile, you need to import the microsoft_file_exclusions.xml file into the protection profile exclusions. The microsoft_file_exclusions.xml file is included in the application distribution kit and is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. After importing the file, you can view and edit the list of these objects in the Files and folders table in the Exclusions from protection window.

  6. After configuring all settings of the protection profile, click OK in the Protection settings window.

    In the Properties: <Policy name> window, a new protection profile appears in the list of additional protection profiles.

You can assign created additional profiles to virtual machines or other VMware virtual infrastructure objects, and map protection profiles to NSX Profile Configurations.


[Topic 83492]

Viewing the protected infrastructure in a policy

In policy properties, you can view the protected infrastructure selected for the policy, and information about the use of protection profiles.

To view information about the protected infrastructure in a policy:

  1. In the Kaspersky Security Center Administration Console, open the policy properties:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the File threat protection section, select the Protected infrastructure subsection.
  3. The Kaspersky Security administration plug-in attempts to automatically connect to the Integration Server. If the connection fails, the Connection to Integration Server window opens.

    If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default. You can also use the Integration Server administrator account (admin). To do so, clear the Use domain account check box and enter the administrator password in the Password field.

    If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

    If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

    The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

    In the Connection to Integration Server window, specify the connection settings and click OK.

  4. The Kaspersky Security administration plug-in verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

After connecting to the Integration Server, the right part of the window displays information about the protected infrastructure and the use of protection profiles.

In the properties of the main policy, which determines the protection settings for a virtual infrastructure managed by one VMware vCenter Server, you can select the method for assigning file protection settings in the drop-down list located in the upper part of the window:

  • Use virtual infrastructure tree. If this option is selected, the table displays a tree of objects of the VMware virtual infrastructure and the protection profiles assigned to objects of the virtual infrastructure.
  • Use NSX Profile Configurations. If this option is selected, the table displays the NSX Profile Configurations that are available for the selected VMware vCenter Server, and the protection profiles corresponding to them.

If the entire protected infrastructure is selected as the protected infrastructure for a policy, you cannot use NSX Profile Configurations to assign file protection settings. The Use virtual infrastructure tree option is selected in the drop-down list.

Information about the assignment of file protection settings using the virtual infrastructure tree

If the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window, the Protected infrastructure section displays a tree of objects of the VMware virtual infrastructure and the protection profiles assigned to objects of the virtual infrastructure.

The protected infrastructure is displayed as a tree of items:

  • In the properties of a policy for one VMware vCenter Server, you will see the protected infrastructure of the "VMware vCenter Agentless" cluster: the root element is the VMware vCenter Server, and under it you will see Datacenter objects, VMware clusters, resource pools, vApp objects, and virtual machines.
  • In the properties of a policy for the entire protected infrastructure, the root element is the Integration Server, and under it you will see all VMware vCenter Servers, each containing the protected infrastructure of the "VMware vCenter Agentless" cluster corresponding to this VMware vCenter Server.
  • In the properties of the tenant policy located in the Managed devices folder of the virtual Administration Server, the root element is the "vCloud Director organization" object that combines all virtual Datacenters of the tenant. Under this object are all virtual machines within the vCloud Director organization that corresponds to this virtual Administration Server.

If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine has been assigned a protection profile, the settings of this protection profile are applied to all virtual machines that have the same ID (vmID).

The Protection profile column displays information about the assignment of protection profiles to objects of the protected infrastructure. Kaspersky Security uses the settings of assigned protection profiles when protecting virtual machines.

The Protection profile field may contain the following values:

  • Name of the protection profile that is assigned to a virtual machine or to a VMware virtual infrastructure object.
  • Protection profile name, inherited from the parent object and displayed as "inherited: <N>", where <N> is the name of the inherited protection profile.
  • (Not assigned) or inherited: (Not assigned) – if the protection profile was not assigned or its assignment has been canceled (the Do not use protection profile value was selected). Virtual machines or virtual infrastructure objects that have no assigned protection profile are excluded from protection.

Information about the assignment of file protection settings using NSX Profile Configurations

If the Use NSX Profile Configurations option is selected in the drop-down list located in the upper part of the window, the Protected infrastructure section displays the following information:

  • Name of the default protection profile. This protection profile is assigned to those NSX Profile Configurations for which the mapping to a protection profile has not been set yet, or has been canceled as a result of deleting a protection profile.

    The main protection profile is set as the default protection profile. If you canceled the use of the default protection profile, the Do not use protection profile value is displayed.

  • Table of mappings between protection profiles and the NSX Profile Configurations available for the selected VMware vCenter Server.

The table shows the following information:

  • The NSX Profile Configuration column contains the name of the NSX Profile Configuration. If several NSX Profile Configurations with the same Configuration ID were created in the virtual infrastructure, their names are separated by commas. Kaspersky Security processes the NSX Profile Configurations with the same ID as one NSX Profile Configuration.
  • If a protection profile is mapped to an NSX Profile Configuration, the Protection profile column displays the name of the protection profile. Kaspersky Security uses the settings of the specified protection profile to protect virtual machines that are within the scope of this NSX Profile Configuration.
  • If the mapping was canceled, the value shown in the Protection profile column is (Not assigned). If no protection profile is mapped to an NSX Profile Configuration, the virtual machines that are within the scope of this NSX Profile Configuration are excluded from protection.

[Topic 58476]

Assigning protection profiles to virtual infrastructure objects

To assign a protection profile to a virtual machine or to another VMware virtual infrastructure object:

  1. In the properties of the policy whose scope includes the relevant virtual machines or other VMware virtual infrastructure objects, select the Protected infrastructure subsection.
  2. If you are configuring a policy for one VMware vCenter Server, make sure that the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window. This value is selected by default.
  3. Select one or multiple objects of the virtual infrastructure in the table.

    If you want to assign the same protection profile to multiple virtual machines that are child objects of a single virtual infrastructure object, select this object in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

  4. Click the Select protection profile button.

    The Selecting protection profile window opens.

  5. Select one of the following options:
    • Inherit parent protection profile: <name>. Select this option if you want to assign the protection profile of the parent object to a virtual machine or other virtual infrastructure object.
    • Use protection profile. Select this option and indicate the protection profile name in the drop-down list to assign this protection profile to a virtual machine or other virtual infrastructure object. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
  6. If the selected virtual infrastructure object has child objects, the protection profile is assigned to the object and to all of its child objects, including objects that have been assigned their own protection profile or that have been excluded from protection. If you want to assign the protection profile only to the selected virtual infrastructure object and to its child objects that have not been assigned their own protection profile and that have not been excluded from protection, clear the Apply to all child objects check box.
  7. Click OK.

    The Selecting protection profile window will close, and the assigned protection profile will be displayed in the table in the Protected infrastructure subsection.

  8. In the Properties: <Policy name> window, click OK.

[Topic 58473]

Assigning protection profiles by using NSX Profile Configurations

In a virtual infrastructure managed by a standalone VMware vCenter Server, Kaspersky Security lets you define the file protection settings at the level of NSX Security Groups. You can assign the same file protection settings to all virtual machines that are within the same NSX Security Group. To do so, you need to allocate virtual machines into NSX Security Groups and do the following for each security group:

  1. In the VMware vSphere Web Client console:
    1. Create an NSX Profile Configuration. To start the NSX Profile Configuration Wizard, you need to open the properties of the Kaspersky File Antimalware Protection service (in the Networking & Security → Service Definitions section, Services tab, Edit Settings action) and go to the Manage → Profile Configurations tab.
    2. Indicate this NSX Profile Configuration or the NSX Service Profile that was created based on this NSX Profile Configuration in the NSX Security Policy.
    3. Assign an NSX Security Policy to an NSX Security Group.
  2. In the Kaspersky Security Center Administration Console, in the Kaspersky Security policy properties, set mapping between the NSX Profile Configuration and the protection profile.

    The protection profile settings will be used for the protection of virtual machines from the NSX Security Group to which the NSX Security Policy was applied.

To map an NSX Profile Configuration to a protection profile:

  1. In the policy properties for one VMware vCenter Server, select the Protected infrastructure subsection.
  2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
  3. In the table, select the NSX Profile Configuration for which you want to set mapping and double-click to open the Selecting Protection profile window.
  4. In the opened window, select the Use protection profile option. In the drop-down list, indicate the name of the protection profile that should be mapped to the NSX Profile Configuration. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
  5. Click OK.

    The Selecting protection profile window will close, and the assigned mapping will be displayed in the table in the Protected infrastructure subsection.

  6. In the Properties: <Policy name> window, click OK.

The default protection profile is automatically assigned to NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile. You can change the default protection profile or cancel use of the default protection profile.

To change the default protection profile:

  1. In the policy properties for one VMware vCenter Server, select the Protected infrastructure subsection.
  2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
  3. Click the Change button located on the right of the default protection profile name.

    The Selecting protection profile window opens.

  4. If you want to change the default protection profile, select the Use protection profile option and indicate the name of the protection profile in the drop-down list. The list contains the main protection profile and all additional protection profiles that you configured in this policy.

    The specified protection profile will be mapped to those NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile.

  5. If you want to cancel use of the default protection profile, select the Do not use protection profile option. By default, no protection profile will be mapped to NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile. Virtual machines that are within the scope of these NSX Profile Configurations will be excluded from protection.
  6. Click OK.

    The Selecting protection profile window will close, and the name of the selected protection profile will be displayed in the Protected infrastructure subsection in the upper part of the window.

  7. In the Properties: <Policy name> window, click OK.

[Topic 58086]

Changing the protected infrastructure for a policy

You can change the protected infrastructure selected for a policy. This may be required, for example, if you want to copy the policy from one administration group to another. In this case, you need to change the protected infrastructure for the copied policy so that the protected infrastructure matches the location of the policy:

  • If the policy is located in the group that contains the "VMware vCenter Agentless" cluster, the VMware vCenter Server corresponding to this cluster must be selected as the protected infrastructure for the policy.
  • If the policy is located in the Managed devices folder or in the group that contains the "VMware vCloud Director Agentless" cluster, the entire protected infrastructure must be selected as the protected infrastructure for the policy.

To change the protected infrastructure selected for a policy:

  1. In the properties of the policy whose protected infrastructure you want to change, select the Protected infrastructure subsection.
  2. In the right part of the window, click the Change button.

    The Connection to Integration Server window opens. The window displays the settings for connecting to the Integration Server whose address is indicated in the lower part of the window in the Protected infrastructure subsection.

  3. If required, edit the connection settings and click OK.
  4. After the connection is established, the Choice of protected infrastructure window opens. Select one of the following options:
    • If you are configuring a policy located in an administration group that contains the "VMware vCenter Agentless" cluster, select the One VMware vCenter Server option. Then select the listed VMware vCenter Server corresponding to this "VMware vCenter Agentless" cluster.

      If the selected VMware vCenter Server does not correspond to the "VMware vCenter Agentless" cluster whose group contains the policy, Kaspersky Security does not protect virtual machines.

    • If you are configuring a policy located in any other folder or administration group, select the Entire protected infrastructure option.
  5. Click OK in the Choice of protected infrastructure window and, in the opened window, confirm the change to the protected infrastructure.
  6. In the Properties: <Policy name> window, click OK.

[Topic 57774]

Disabling file threat protection for virtual infrastructure objects

You can disable file threat protection for virtual infrastructure objects in the following ways:

  • If the file protection settings were defined by assigning protection profiles to virtual infrastructure objects, you can cancel assignment of the protection profile to a virtual machine or other virtual infrastructure object. Virtual machines that have no assigned protection profile are excluded from protection.
  • If file protection settings were defined using NSX Profile Configurations, you can cancel mapping of a protection profile to an NSX Profile Configuration that is applied to virtual machines. If no protection profile is mapped to an NSX Profile Configuration, the virtual machines that are within the scope of this NSX Profile Configuration are excluded from protection.
  • You can disable protection for all virtual machines that are within the policy scope.

If the file protection settings were defined by assigning protection profiles to virtual infrastructure objects, you can disable protection for one or more virtual machines by doing the following:

  1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
  2. If you are configuring a policy for one VMware vCenter Server, make sure that the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window.
  3. Select one or multiple objects of the virtual infrastructure in the Name column.

    To disable protection for multiple virtual machines that are child objects of a single virtual infrastructure object, select that object. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

  4. Click the Select protection profile button.

    The Selecting protection profile window opens.

  5. Select the Do not use protection profile option.
  6. If the selected virtual infrastructure object has child objects, by default protection will be disabled for the selected object and for all its child objects, including objects that have been assigned their own protection profile. If you want to disable protection only for the selected virtual infrastructure object and for those of its child objects that inherit the protection profile, clear the Apply to all child objects check box.

    Protection will be removed from the parent object and from those of its child objects that inherited their protection profile from the parent object. The application will continue protecting the child objects that have been assigned their own protection profile.

  7. Click OK.

    The Selecting protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for objects that have been excluded from protection is (Not assigned).

  8. In the Properties: <Policy name> window, click OK.
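The following added example (not part of the Kaspersky documentation or product) models how the Apply to all child objects check box changes which virtual machines end up without protection, both when assigning a profile and when selecting Do not use protection profile. The object names, the "Strict DB" profile and the choice to store overwritten children as "inherit" are assumptions made for the illustration.

```python
from typing import Iterator, List, Optional

# Sentinels for the two non-profile choices in the "Selecting protection profile" window.
INHERIT = "<inherit parent protection profile>"
EXCLUDED = "<do not use protection profile>"   # shown as (Not assigned) in the table


class InfraObject:
    """One object in the virtual infrastructure tree (vCenter Server, cluster, VM...)."""

    def __init__(self, name: str, is_vm: bool = False, setting: str = INHERIT):
        self.name = name
        self.is_vm = is_vm
        self.setting = setting          # INHERIT, EXCLUDED, or a protection profile name
        self.parent: Optional["InfraObject"] = None
        self.children: List["InfraObject"] = []

    def add(self, child: "InfraObject") -> "InfraObject":
        child.parent = self
        self.children.append(child)
        return child

    def descendants(self) -> Iterator["InfraObject"]:
        for child in self.children:
            yield child
            yield from child.descendants()


def select_profile(obj: InfraObject, setting: str,
                   apply_to_all_children: bool = True) -> None:
    """Apply a choice to obj; the check box is selected by default."""
    obj.setting = setting
    if apply_to_all_children:
        # Own profiles and exclusions below obj are overwritten.
        # Modelling assumption: overwritten children are stored as "inherit".
        for child in obj.descendants():
            child.setting = INHERIT
    # With the check box cleared, children that have their own profile or
    # exclusion keep it; only inheriting children follow obj.


def effective_profile(obj: InfraObject) -> Optional[str]:
    """Return the profile name that protects obj, or None if it is excluded."""
    node: Optional[InfraObject] = obj
    while node is not None:
        if node.setting == EXCLUDED:
            return None
        if node.setting != INHERIT:
            return node.setting
        node = node.parent
    return None  # nothing assigned anywhere up the tree


def unprotected_vms(root: InfraObject) -> List[str]:
    """Names of virtual machines that no protection profile covers."""
    return [o.name for o in [root, *root.descendants()]
            if o.is_vm and effective_profile(o) is None]


def build_sample():
    """Constructed inventory; all names are made up."""
    vc = InfraObject("vcenter-01", setting="Main protection profile")
    cluster = vc.add(InfraObject("dc-01")).add(InfraObject("cluster-prod"))
    cluster.add(InfraObject("vm-web", is_vm=True))                       # inherits
    cluster.add(InfraObject("vm-db", is_vm=True, setting="Strict DB"))   # own profile
    cluster.add(InfraObject("vm-test", is_vm=True, setting=EXCLUDED))    # excluded
    return vc, cluster


if __name__ == "__main__":
    for setting, apply_all in [(EXCLUDED, False), (EXCLUDED, True),
                               ("Main protection profile", True)]:
        vc, cluster = build_sample()
        select_profile(cluster, setting, apply_all)
        print(f"{setting!r}, apply to all children={apply_all}: "
              f"unprotected VMs = {unprotected_vms(vc)}")
```
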

If the file protection settings were defined using NSX Profile Configurations, you can disable virtual machine protection by doing the following:

  1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
  2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
  3. In the table, select the NSX Profile Configuration whose scope includes the relevant virtual machines, and double-click to open the Selecting Protection profile window.
  4. In the opened window, select the Do not use protection profile option.
  5. Click OK.

    The Selecting Protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for the selected NSX Profile Configuration is (Not assigned).

  6. In the Properties: <Policy name> window, click OK.

To disable protection for all virtual machines that are within the policy scope:

  1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
  2. Clear the Use File Threat Protection check box located in the upper part of the window.
  3. In the Properties: <Policy name> window, click OK.

[Topic 57666]

Scanning virtual machines

In this section, SVM refers to an SVM with the File Threat Protection component installed.

An SVM with the File Threat Protection component installed lets you run a virus scan on files of virtual machines on the VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

The settings that SVMs apply while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:

  • Full Scan. This task lets you run a virus scan on the files of all virtual machines within the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

    A Full Scan task is automatically created after installing the Kaspersky Security main administration plug-in in the Managed devices folder of the main Administration Server of Kaspersky Security Center. This task lets you perform a virus scan on all virtual machines that are protected by all SVMs and are not part of a vCloud Director organization. You can manually run this task.

  • Custom Scan. This task lets you run a virus scan on files of specified virtual machines from the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task. In the selected scope, you need to indicate the virtual machines that need to be scanned. You can specify individual virtual machines, VMware virtual infrastructure objects of a higher level of the hierarchy, or NSX Security Groups that include the relevant virtual machines.

You can start scan tasks manually, define a scan task run schedule, and view information about the progress and results of tasks.

Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning while using signature analysis ensures the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning, irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in an executable file, which raises the probability of threat detection.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.

Special considerations for scanning virtual machines:

  • When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
  • When performing scan tasks, Kaspersky Security can scan virtual machine templates.
  • When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.

    When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

  • During execution of a scan task, one SVM with the File Threat Protection component simultaneously scans the files of no more than four virtual machines.

Information on the scan results and on events that occurred during scan task execution is logged in a report.

After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

In this Help section

Conditions for anti-virus scan of virtual machines

Creating a full scan task

Creating a custom scan task by using the main plug-in

Creating a custom scan task by using the tenant plug-in

Configuring virtual machine scan settings in a scan task

Configuring the scan scope in a scan task

Configuring the Custom Scan task scope

Configuring the scan task run schedule


[Topic 59625]

Conditions for anti-virus scan of virtual machines

Kaspersky Security scans virtual machines that meet the following conditions:

  • For powered-off virtual machines: NTFS, FAT32, EXT2, EXT3, EXT4, XFS or BTRFS file system is used on the virtual machine.
  • For powered-on virtual machines:
    • The Guest Introspection driver (NSX File Introspection Driver) has been installed and is running on the virtual machine.
    • The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console. This group must be assigned an NSX Security Policy in which the use of the file system protection service (Kaspersky File Antimalware Protection) is configured.

      Kaspersky Security can scan powered-off virtual machines with an NTFS, FAT32, EXT2, EXT3, EXT4, XFS, or BTRFS file system according to the scan settings, regardless of whether or not those virtual machines are included in an NSX Security Group.

If even one of the listed conditions is not fulfilled, Kaspersky Security does not scan the virtual machine.

Kaspersky Security also does not scan a virtual machine when one of the following conditions is met:

  • You have added the virtual machine to the list of virtual infrastructure objects (Inventory) in the VMware vSphere Web Client console or created the virtual machine on the VMware ESXi hypervisor after the scan task was started.
  • You have removed the virtual machine from the list of virtual infrastructure objects (Inventory) in the VMware vSphere Web Client console before the scan of this virtual machine started.
  • The virtual machine included in the scope of a running scan task migrates to the VMware ESXi hypervisor on which the scan task was not started.
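The conditions above can be turned into a pre-scan coverage check that lists the virtual machines a scan task would skip and why. This is an added example, not Kaspersky code; the inventory records, field names and host names are constructed, and a real check would take the same facts from vCenter Server and NSX exports.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set

OFFLINE_FILE_SYSTEMS = {"NTFS", "FAT32", "EXT2", "EXT3", "EXT4", "XFS", "BTRFS"}
FILE_SERVICE = "Kaspersky File Antimalware Protection"


@dataclass
class VmRecord:
    """Constructed record holding the facts the scan conditions depend on."""
    name: str
    powered_on: bool
    file_system: str
    host: str                          # ESXi hypervisor the VM currently runs on
    added_to_inventory: datetime
    in_inventory: bool = True          # False if removed before its scan started
    gi_driver_running: bool = False    # Guest Introspection driver state
    # Services configured in the NSX Security Policy assigned to the VM's
    # NSX Security Group; empty if the VM is in no such group.
    policy_services: List[str] = field(default_factory=list)


def skip_reasons(vm: VmRecord, task_started: datetime,
                 task_hosts: Set[str]) -> List[str]:
    """Return every reason the scan task would not scan this VM."""
    reasons = []
    if vm.powered_on:
        if not vm.gi_driver_running:
            reasons.append("Guest Introspection driver not installed or not running")
        if FILE_SERVICE not in vm.policy_services:
            reasons.append("no NSX Security Policy with the file protection service")
    elif vm.file_system.upper() not in OFFLINE_FILE_SYSTEMS:
        # Powered-off VMs need only a supported file system, not an NSX group.
        reasons.append(f"powered off with unsupported file system {vm.file_system}")
    if vm.added_to_inventory > task_started:
        reasons.append("added to Inventory after the scan task started")
    if not vm.in_inventory:
        reasons.append("removed from Inventory before its scan started")
    if vm.host not in task_hosts:
        reasons.append("migrated to a hypervisor where the task was not started")
    return reasons


def coverage_gaps(vms: List[VmRecord], task_started: datetime,
                  task_hosts: Set[str]) -> Dict[str, List[str]]:
    """Map each VM that would be skipped to its list of reasons."""
    gaps = {}
    for vm in vms:
        reasons = skip_reasons(vm, task_started, task_hosts)
        if reasons:
            gaps[vm.name] = reasons
    return gaps


# Constructed sample data.
TASK_STARTED = datetime(2024, 1, 10, 2, 0)
TASK_HOSTS = {"esxi-a", "esxi-b"}


def sample_inventory() -> List[VmRecord]:
    old = datetime(2023, 11, 1)
    ok = dict(powered_on=True, gi_driver_running=True, policy_services=[FILE_SERVICE])
    return [
        VmRecord("web-01", file_system="NTFS", host="esxi-a", added_to_inventory=old, **ok),
        VmRecord("app-02", True, "EXT4", "esxi-a", old, policy_services=[FILE_SERVICE]),
        VmRecord("db-03", True, "NTFS", "esxi-b", old, gi_driver_running=True),
        VmRecord("tmpl-04", False, "ReFS", "esxi-a", old),
        VmRecord("arch-05", False, "XFS", "esxi-a", old),
        VmRecord("new-06", file_system="NTFS", host="esxi-a",
                 added_to_inventory=datetime(2024, 1, 10, 3, 0), **ok),
        VmRecord("mig-07", file_system="NTFS", host="esxi-c", added_to_inventory=old, **ok),
    ]


if __name__ == "__main__":
    for name, reasons in coverage_gaps(sample_inventory(), TASK_STARTED, TASK_HOSTS).items():
        print(f"{name}: {'; '.join(reasons)}")
```
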

[Topic 57668]

Creating a full scan task

To create a full scan task:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which you want to create the task.

    If you selected the Managed devices folder or an administration group containing a KSC cluster, select the Tasks tab in the workspace.

  2. Click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the type of task.
    • If you want to create a task for scanning virtual machines that are not part of a vCloud Director organization, select Kaspersky Security for Virtualization 6.0 Agentless → Full Scan.
    • If you want to create a task for scanning virtual machines of tenants, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Full Scan.

    Proceed to the next step of the New Task Wizard.

  4. Configure the settings for scanning virtual machines.

    Proceed to the next step of the New Task Wizard.

  5. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

    Proceed to the next step of the New Task Wizard.

  6. If you started the New Task Wizard from the Tasks folder, specify the method for selecting the SVMs on which the task must be run:
    • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
    • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of addresses from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
    • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

      Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select check boxes in the list on the left of the name of the relevant SVMs.
      • Click the Add or Add IP range button and specify the addresses of SVMs.
      • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
      • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
      • Click the Browse button and select an administration group or manually enter the name of an administration group.

    Proceed to the next step of the New Task Wizard.

  7. Configure the task run schedule and proceed to the next step of the Wizard.
  8. In the Name field, enter the task name and proceed to the next step of the Wizard.
  9. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created Full Scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.


[Topic 58066]

Creating a custom scan task by using the main plug-in

A Custom Scan task created using the Kaspersky Security main administration plug-in lets you scan virtual machines that are managed by one VMware vCenter Server and that are not part of a vCloud Director organization.

To create a Custom Scan task for virtual machines that are not part of a vCloud Director organization:

  1. In the Kaspersky Security Center Administration Console, select the administration group in which you want to create the task.

    Due to the specifics of configuring the scope of a Custom Scan task, it is recommended to create Custom Scan tasks in administration groups that contain KSC clusters, which means group tasks. If a Custom Scan task is configured for one or more SVMs (meaning a local or global task), correct configuration of the task scope cannot be guaranteed.

  2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Custom Scan.

    Proceed to the next step of the New Task Wizard.

  4. The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

    If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default.

    If you want to use the account of an Integration Server administrator (admin), clear the Use domain account check box and enter the administrator password in the Password field.

    If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

    If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

    The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

    Proceed to the next step of the New Task Wizard.

    The Task Wizard verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

    After the connection is established, the List of VMware vCenter Servers window opens. Select the VMware vCenter Server that manages the virtual machines that you want to scan, and click OK.

  5. At this step of the Wizard, select the task scope.

    Proceed to the next step of the New Task Wizard.

  6. Configure the settings for scanning virtual machines.

    Proceed to the next step of the New Task Wizard.

  7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

    Proceed to the next step of the New Task Wizard.

  8. Configure the task run schedule and proceed to the next step of the New Task Wizard.
  9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
  10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

If a VMware vCenter Server is replaced or reinstalled, all previously created custom scan tasks will no longer work. If you want to use a previously created custom scan task, you must reconnect to the VMware vCenter Server in the properties of this task.


[Topic 59044]

Creating a custom scan task by using the tenant plug-in

A Custom Scan task for virtual machines of tenants is used only if the application is operating in multitenancy mode. A Custom Scan task for virtual machines of tenants can be created only on a virtual Administration Server of Kaspersky Security Center.

To create a Custom Scan task for virtual machines of tenants:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder of the virtual Administration Server corresponding to the tenant.
  2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Custom Scan.

    Proceed to the next step of the New Task Wizard.

  4. Specify the Integration Server address and proceed to the next step of the New Task Wizard.

    The Task Wizard verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

  5. Select the task scope: select the check boxes for those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

    If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

    Proceed to the next step of the New Task Wizard.

  6. Configure the settings for scanning virtual machines.

    Proceed to the next step of the New Task Wizard.

  7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

    Proceed to the next step of the New Task Wizard.

  8. Configure the task run schedule and proceed to the next step of the New Task Wizard.
  9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
  10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.


[Topic 83460]

Configuring virtual machine scan settings in a scan task

You can configure the virtual machine scan settings while creating the task (the Configure scan settings step) or in the task properties after its creation (the Scan settings section).

To configure the virtual machine scan settings:

  1. Select the security level at which Kaspersky Security scans virtual machines. To do so, in the Security level section, perform one of the following actions:
    • If you want to apply one of the preset security levels (High, Recommended, or Low), use the slider to select one.
    • To change the security level to Recommended, click the Default button.
    • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
    1. In the Scanning archives and compound files section, specify the values of the following settings:
    2. In the Performance section, specify the values of the following settings:
    3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:

      Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

    4. In the Objects to detect window, click OK.
    5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

  2. In the Scan powered-on virtual machines section, configure the settings for scanning virtual machines that are powered on while a task is running:
  3. In the Scan powered-off virtual machines and virtual machine templates section, configure the settings for scanning virtual machines that are powered off or paused while a task is running, as well as for scanning virtual machine templates:
  4. In the Stop scan section, choose one of the following options:
  5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

[Topic 58144]

Configuring the scan scope in a scan task

The scan scope refers to the locations and extensions of files of virtual machines that are scanned by Kaspersky Security when it performs a scan task.

If a scan scope has not been configured, Kaspersky Security scans all files of virtual machines.

When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to scan files in network folders regularly, you must create a task for scanning virtual machines that have shared files and folders, and include those files and folders into the scan task scope.

When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

You can define the scan scope of a task while creating the task (the Defining the scan scope step) or in the task properties after it is created (the Scan scope section).

To configure the scan scope of the task:

  1. Select one of the following options:
    • Scan all files and folders except for those specified
    • Scan specified files and folders only
  2. If you selected the Scan all files and folders except for those specified option, you can create a list of objects that must be excluded from the scan scope by using the Add, Change and Delete buttons.

    You can exclude objects of the following types from the scan scope:

    • Folders. Files stored in folders at the specified path are excluded from the scan scope. For each folder, you can specify whether to apply the exclusion to subfolders.
    • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from the scan scope.

      You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in the paths to files and folders, names and masks of files that are to be excluded from the scan scope.

    You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

    The application distribution kit includes the microsoft_file_exclusions.xml file with the list of exclusions recommended by Microsoft Corporation (see the Microsoft website for the list of exclusions recommended by Microsoft). The microsoft_file_exclusions.xml file is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. You can import this file into exclusions of the scan task. After the import is completed, Kaspersky Security does not scan the objects recommended by Microsoft when it performs a scan task. You can view and edit the list of these objects in the Files and folders table.

    If your exclusions list uses an environment variable that has multiple values depending on the bitness of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (x86) are excluded from the scan scope.

  3. If you selected the Scan all files and folders except for those specified option, in the File extensions section you can specify the extensions of files that should be included in the scan scope or excluded from the scan scope.

    To do so, select one of the options below:

    • Scan all except files with the following extensions. In the text box, specify a list of file extensions to exclude from scanning during a scan task. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the scan scope.
    • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan during a scan task. When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files to be included in the scan scope. When scanning virtual machines running Windows operating systems, the application ignores the case of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

    Folders excluded from the scan have a higher priority than file extensions that are included in the scan scope. If a file is located in a folder that is excluded from the scan, the application skips this file even if its extension is included in the scan scope.

  4. If you selected the Scan specified files and folders only option, use the Add, Change, and Delete buttons to create a list of virtual machine files and folders to scan during the scan task.

    When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in paths to files and directories included in the scan scope. When scanning virtual machines running Windows operating systems, paths to files and folders are not case sensitive.

    If your list of objects requiring scanning uses an environment variable that has multiple values depending on the bitness of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are included in the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (x86) are included in the scan scope.

  5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).
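The following added example (not part of the Kaspersky documentation and not the product's code) models the rules above for the Scan all files and folders except for those specified option, so that an exclusion list can be reviewed for unintended gaps before it is applied. The names ScanScope, parse_extensions and demo, the handling of masks that contain a path separator, and the sample paths are assumptions made for illustration.

```python
import re
from dataclasses import dataclass, field

FORBIDDEN = set('.*|\\:"<>?/')   # characters the page disallows inside an extension
# Assumption: values of a multi-valued variable on a 64-bit Windows guest (the page's example).
ENV = {"%programfiles%": ["c:/program files", "c:/program files (x86)"]}


def parse_extensions(text):
    """Split the extensions text box: items separated by blanks or newlines,
    with an extension that contains a blank written inside quotation marks."""
    items = []
    for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', text):
        ext = quoted or bare
        bad = FORBIDDEN & set(ext)
        if not ext or bad:
            raise ValueError(f"invalid extension {ext!r}, forbidden: {sorted(bad)}")
        items.append(ext)
    return items


def _norm(path):
    # Exclusion paths, names and masks are compared without regard to case.
    return path.replace("\\", "/").rstrip("/").lower()


def _expand(entry):
    """Return every concrete path or mask an exclusion entry stands for."""
    entry = _norm(entry)
    for var, values in ENV.items():
        if entry.startswith(var):
            return [value + entry[len(var):] for value in values]
    return [entry]


def _mask_matches(mask, full, name):
    # Only * and ? are wildcards. Assumption: a mask with a path separator is
    # compared with the full path, any other mask with the file name alone.
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask)
    return re.fullmatch(pattern, full if "/" in mask else name, re.S) is not None


@dataclass
class ScanScope:
    guest_os: str                                  # "windows" or "linux"
    folders: list = field(default_factory=list)    # (path, apply_to_subfolders)
    masks: list = field(default_factory=list)      # file names, paths or masks
    ext_mode: str = "all_except"                   # "all_except" or "only"
    extensions: list = field(default_factory=list)

    def decide(self, path):
        """Return (scanned, reason) for one guest file path."""
        full = _norm(path)
        parent, _, name = full.rpartition("/")
        # Excluded folders are checked first: they outrank included extensions.
        for folder, subfolders in self.folders:
            for f in _expand(folder):
                if parent == f or (subfolders and parent.startswith(f + "/")):
                    return (False, "excluded folder")
        for mask in self.masks:
            if any(_mask_matches(m, full, name) for m in _expand(mask)):
                return (False, "excluded mask")
        raw_name = path.replace("\\", "/").rsplit("/", 1)[-1]
        ext = raw_name.rpartition(".")[2] if "." in raw_name else ""
        lowered = {e.lower() for e in self.extensions}
        if self.ext_mode == "all_except":
            # Excluded extensions ignore case on every guest OS.
            return (False, "excluded extension") if ext.lower() in lowered else (True, "in scope")
        if not self.extensions:
            return (True, "empty include list: all files scanned")
        # Included extensions are case sensitive on Linux guests only.
        hit = ext in self.extensions if self.guest_os == "linux" else ext.lower() in lowered
        return (True, "included extension") if hit else (False, "extension not included")


def demo():
    """Decisions for constructed paths against a constructed Linux scope."""
    scope = ScanScope("linux", folders=[("/var/cache", True)], masks=["*.tmp"],
                      ext_mode="only", extensions=parse_extensions("sh py"))
    paths = ["/VAR/Cache/pkg/run.sh", "/home/a/run.SH", "/home/a/run.sh", "/home/a/x.TMP"]
    return {p: scope.decide(p) for p in paths}


if __name__ == "__main__":
    for path, (scanned, reason) in demo().items():
        print(f"{'SCAN' if scanned else 'SKIP'}  {path}  ({reason})")
```

On the Linux sample, /VAR/Cache/pkg/run.sh is skipped because exclusion paths ignore case even though included extensions do not, which is the kind of gap worth checking when an exclusion list is imported from another system.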

[Topic 58251]

Configuring the Custom Scan task scope

You can configure the scope of a Custom Scan task while creating the task (the Configuring the task scope step) or in the task properties after it is created (the Task scope section).

Custom Scan task created using the main administration plug-in

For a Custom Scan task that was created using the Kaspersky Security main administration plug-in, you can configure the task scope in one of the following ways:

  • Specify the virtual machines and/or virtual machine templates whose files you want to scan.
  • Specify one or multiple NSX Security Groups that include the virtual machines. Kaspersky Security will scan the files of all virtual machines that are included in the specified NSX Security Groups.

To configure the scope of a Custom Scan task that was created using the main administration plug-in:

  1. If you want to include virtual machines and/or virtual machine templates into the task scope, in the drop-down list in the upper part of the window, select the Virtual infrastructure objects option (this option is selected by default). The window displays the VMware virtual infrastructure managed by one VMware vCenter Server in the form of an object tree: VMware vCenter Server, Datacenter objects, VMware clusters, resource pools, vApp objects and virtual machines.

    Select the check boxes next to the virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

    If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

  2. If you want to include all virtual machines within one or multiple NSX Security Groups into the task scope, in the drop-down list in the upper part of the window, select the NSX Security Groups option.

    Select the check boxes for NSX Security Groups whose virtual machines you want to scan as part of the task being created.

    If one or several NSX Security Groups make up the task scope, when running this task Kaspersky Security does not scan virtual machine templates even if the Scan virtual machine templates check box is selected in the scan settings.

  3. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Custom Scan task created using the administration plug-in for tenants

For a Custom Scan task that was created using the Kaspersky Security administration plug-in for tenants, you cannot use NSX Security Groups to define the task scope. You can include individual virtual machines or their combinations in the scope of tasks.

To configure the scope of a Custom Scan task that was created using the administration plug-in for tenants:

  1. Select the check boxes next to the virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

    If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

  2. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

[Topic 96670]

Configuring the scan task run schedule

You can configure a schedule for running a scan task while creating the task (the Configuring the task run schedule step) or in the task properties after its creation (the Schedule section).

To configure the task run schedule:

  1. Define the values of the following settings:
    • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
    • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

      If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

    • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized within the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

    • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

      Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

  2. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

[Topic 66794]

Network Threat Protection

In this section, SVM refers to an SVM with the Network Threat Protection component installed.

An SVM with the File Threat Protection component installed protects virtual machines on the VMware ESXi hypervisor. The settings that SVMs apply for virtual machine network threat protection are defined by using policies. Kaspersky Security starts protecting virtual machines only after you have configured network threat protection settings in the active policy.

Kaspersky Security protects only virtual machines that meet all the conditions for virtual machine protection against network threats.

The Network Threat Protection component of Kaspersky Security performs the following functions:

  • Intrusion Prevention. Kaspersky Security can scan the traffic of protected virtual machines to detect and block activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

    Kaspersky Security can scan traffic from IP addresses in IPv4 and IPv6 format.

  • Web Addresses Scan. Kaspersky Security lets you scan web addresses that are requested by a user or application, and block access to web addresses if a threat is detected.

The Network Threat Protection component settings depend on the traffic processing mode selected during registration of the network protection service:

  • If you selected Standard mode, when Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.
  • If you selected Monitoring mode and signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

You can select the traffic processing mode only when registering the network protection service (Kaspersky Network Protection).

You can configure exclusions from Network Threat Protection as follows:

  • Exclude from scanning inbound or outbound traffic of all virtual machines that have been assigned an NSX Security Policy. You can specify which traffic should be scanned in the NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured. NSX Security Policies are configured in the VMware vSphere Web Client console.
  • Create network threat protection exclusion rules that Kaspersky Security can use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

Information about events that occur during protection of virtual machines against network threats is transmitted to the Kaspersky Security Center Administration Server and logged in a report.

Descriptions of currently known types of network attacks, signs of intrusions, and the databases of malicious and phishing web addresses are included in the application databases and are updated during application database updates.

In this Help section

Conditions for protection of virtual machines against network threats

Intrusion Prevention

Web Addresses Scan

Configuring exclusions from Network Threat Protection


[Topic 60065]

Conditions for protection of virtual machines against network threats

One SVM with the Network Threat Protection component deployed on a VMware ESXi hypervisor protects all the virtual machines on that hypervisor that meet the following conditions:

  • The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console.
  • This group is assigned an NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured and redirection of traffic to the network protection service is enabled (Redirect to service setting).

The Network Threat Protection component can scan outbound and/or inbound traffic of virtual machines. You can specify which traffic should be scanned in the NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured. NSX Security Policies are configured in the VMware vSphere Web Client console.


[Topic 60068]

Intrusion Prevention

When protecting virtual machines against intrusions, Kaspersky Security can perform the following actions:

  • Detect network attacks on protected virtual machines.

    If Network Attack Blocker is enabled, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in policy settings. For example, the application can terminate the connection from the virtual machine to the IP address from which the network attack originated or terminate the connection and block the traffic from this IP address to automatically protect the virtual machine against possible future network attacks from this IP address.

  • Detect suspicious network activity in the traffic of protected virtual machines. Suspicious network activity in the traffic of a protected virtual machine may be a sign of an intrusion into the protected infrastructure. The virtual machine traffic analysis applies the suspicious network activity identification rules that are contained in Kaspersky Security application databases.

    If Network Activity Scanner is enabled, when Kaspersky Security detects suspicious network activity it performs the action defined in policy settings. For example, the application can terminate the connection with the IP address showing the suspicious network activity or terminate the connection and block the traffic from this IP address.

If Kaspersky Security is configured to block traffic from an IP address from which a network attack or suspicious network activity originated, the blocking duration is 60 minutes by default. You can change the traffic blocking duration. When the specified time expires, traffic is automatically unblocked.

When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

The list of network threat sources blocked by each SVM hosting the Network Threat Detection component is displayed in the properties of the application installed on this SVM. When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for them to be automatically unblocked.

You can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

When Kaspersky Security detects a network attack or suspicious network activity, it assigns the security tag IDS_IPS.threat=high to the virtual machine whose traffic displayed activity typical of network attacks or suspicious network activity.

In this section:

Enabling and disabling the Network Attack Blocker feature

Configuring Network Attack Blocker settings

Enabling and disabling Network Activity Scanner for virtual machines

Configuring Network Activity Scanner for virtual machines

Viewing the list of blocked network threat sources


[Topic 66918]

Enabling and disabling the Network Attack Blocker feature

To enable or disable the Network Attack Blocker feature:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
  3. Do one of the following:
    • Select the Detect network attacks check box if you want Kaspersky Security to scan the traffic of protected virtual machines for activity typical of network attacks.

      If the check box is selected, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between the protected virtual machine and the IP address from which the network attack originated, and also blocks traffic from this IP address for 60 minutes. You can modify this action and the traffic blocking period. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions to prevent a network attack.

    • Clear the Detect network attacks check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for activity that is typical of network attacks.
  4. In the Properties: <Policy name> window, click OK.

[Topic 67228]

Configuring Network Attack Blocker settings

To configure the Network Attack Blocker settings:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
  3. Select the Detect network attacks check box if the network attack detection function is disabled.
  4. Select an action in the drop-down list .

    If network protection is deployed in monitoring mode, when Kaspersky Security detects a network attack it performs the Ignore action.

  5. If necessary, change the value of the setting .
  6. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
  7. In the Properties: <Policy name> window, click OK.

[Topic 71369]

Enabling and disabling Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To enable or disable Network Activity Scanner for virtual machines:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
  3. Do one of the following:
    • Select the Monitor virtual machine network activity check box if you want Kaspersky Security to scan the traffic of protected virtual machines to detect suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

      If the check box is selected and Kaspersky Security detects suspicious network activity in the traffic of protected virtual machines, it takes the action defined in the application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines. You can modify this action. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions in relation to virtual machines displaying suspicious network activity.

    • Clear the Monitor virtual machine network activity check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for suspicious network activity.
  4. In the Properties: <Policy name> window, click OK.

[Topic 67112]

Configuring Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To configure the Network Activity Scanner settings for protected virtual machines:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
  3. Select the Monitor virtual machine network activity check box if the virtual machine network activity scanner is disabled.
  4. Click the Settings button.

    The Network activity scanner parameters window opens.

  5. Specify the application categories whose signs of network activity should be detected by Kaspersky Security:

    Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.

  6. If Kaspersky Security detects network activity that you believe is not a sign of an intrusion into the protected infrastructure, you can configure a list of rules that Kaspersky Security will not apply to detect suspicious network activity in the traffic of protected virtual machines.

    To add a network activity detection rule to the list, click the Add button located above the list, and enter the rule ID in the list row in the following format: <number>:<number>:<number>.

    You can view information about an applied rule in the text of the event that Kaspersky Security sent to Kaspersky Security Center when it detected the suspicious network activity.

  7. In the Network activity scanner parameters window, click OK.
  8. Select an action in the drop-down list.

    If network protection is deployed in monitoring mode, when Kaspersky Security detects suspicious network activity it performs the Ignore action.

  9. If necessary, change the value of the setting On threat detection, block traffic for N minutes.
  10. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
  11. In the Properties: <Policy name> window, click OK.

[Topic 96387]

Viewing the list of blocked network threat sources

In the properties of the application installed on SVMs with the Network Threat Protection component, you can view the list of network threat sources that were blocked as a result of the operation of this SVM.

To view a list of blocked network threat sources on SVMs:

  1. In the Kaspersky Security Center Administration Console, open the SVM properties window:
    1. Select the administration group containing the KSC cluster that includes the relevant SVM.
    2. In the workspace, select the Devices tab.
    3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

    The Properties: <SVM name> window opens.

  2. In the SVM properties window in the list on the left, select the Applications section.

    A list of applications that are installed on this SVM appears in the right part of the window.

  3. Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.

    The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.

  4. In the application settings window, in the list on the left, select the List of blocked network threat sources section.

The right part of the window displays a table of the network threat sources that were blocked as a result of the operation of this SVM. These are the IP addresses whose traffic was blocked by Kaspersky Security when it detected a network attack or suspicious network activity.

The table displays the following information for each network threat source:

  • IP address. IP address whose traffic was blocked by Kaspersky Security when it detected a network attack or suspicious network activity.
  • VLAN ID. ID of the VLAN associated with the blocked traffic.
  • Blocked at. Date and time when Kaspersky Security blocked traffic from the IP address.
  • Blocked until. Date and time when traffic from the IP address will be automatically unblocked.

In the list of blocked network threat sources, you can do the following:

  • Search blocked network threat sources based on values of the IP address column. By default the table displays information only about the last 100 blocked sources of network threats. If the table is not showing a network threat source whose information you want to view, you can use the search. To do so, you need to enter the IP address, beginning of the IP address, or subnet mask into the search string and click the Find button. As a result, the table displays no more than 100 blocked sources of network threats that match the search criteria.
  • Sort the list by any column of the table. If the search query is not defined, the sorting is applied to the full list of blocked sources of network threats. If you performed a search, the sorting is applied to the list of the blocked sources of network threats that match the search criteria.
  • Update the information by clicking the Refresh button.

When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for their automatic deletion.

To unblock traffic from an IP address that was recognized as a network threat source,

Select one or multiple network threat sources in the list and click the Unblock button located in the lower part of the window.


[Topic 60069]

Web Addresses Scan

Kaspersky Security can scan web addresses that are requested over the HTTP protocol by a user or application installed on a protected virtual machine. When scanning web addresses, Kaspersky Security can use databases of malicious and phishing web addresses, and information about the reputation of web resources received from Global KSN.

By default, if Web Addresses Scan is enabled, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. Kaspersky Security can also scan web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data. You can specify which categories of web addresses must be detected by the application.

To detect advertising web addresses and web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data, Global KSN must be used by Kaspersky Security. If Global KSN is not being used, the application does not scan web addresses to check if they belong to these web address categories.

If you are using the application in multitenancy mode, Kaspersky Security scans web addresses that are requested from virtual machines but checks them only against the databases of malicious and phishing web addresses.

If this scan is enabled and Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, the application takes the action defined in the application settings, for example, blocks or allows access to the specific web address.

If Kaspersky Security blocks access to a web address that the user tries to access, the browser on the protected virtual machine displays a blocked web address notification.

You can create a list of web addresses to which Kaspersky Security will not block access regardless of the action specified in the application settings.

Kaspersky Security does not scan a web address that is requested from an IP address whose traffic is excluded from scans based on the network threat protection exclusion rules.

In this section:

Enabling and disabling web address scanning

Configuring web address scan settings

Configuring the blocked web address notification


[Topic 70403]

Enabling and disabling web address scanning

To enable or disable web address scanning:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
  3. Do one of the following:
    • Select the Scan web addresses check box if you want Kaspersky Security to scan web addresses requested by a user or application to check if those web addresses belong to the web address categories selected for detection. By default, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. You can select the web address categories for detection in the window that opens by clicking the Settings button.

      When Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, it blocks access to this web address by default. You can change this action, and create a list of web addresses to which Kaspersky Security will not block access if it detects a threat.

    • Clear the Scan web addresses check box if you want to disable web addresses scans.
  4. In the Properties: <Policy name> window, click OK.

[Topic 70404]

Configuring web address scan settings

To configure web address scan settings:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
  3. Select the Scan web addresses check box if Web Addresses Scan is disabled.
  4. Click the Settings button.

    The Web addresses to detect window opens.

  5. Specify the categories of web addresses that you want Kaspersky Security to detect.
  6. In the Web Addresses to detect window, click OK.
  7. Select an action in the drop-down list.

    If network protection is deployed in monitoring mode, Kaspersky Security performs the Ignore action when it detects a web address that belongs to one or more of the selected categories.

  8. In the Do not block access to the following web addresses table, click Add or press INSERT and type a web address in the column.
  9. In the Properties: <Policy name> window, click OK.

[Topic 57052]

Configuring the blocked web address notification

After blocking a web address that the user tried to access, Kaspersky Security displays the blocked web address notification in the browser on the protected virtual machine. You can view a sample blocked web address notification and select the notification language.

To select the language of the blocked web address notification and view a sample notification:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Other subsection.
  3. Click the View example message link to open an example of the blocked web address notification that is displayed in the browser on the protected virtual machine.

    A sample notification opens in the browser window.

  4. In the Localization settings section, in the Language of web address blocking message drop-down list, select the language of the blocked web address notification.

    The language corresponding to the localization of the Kaspersky Security administration plug-in is selected by default.

  5. In the Properties: <Policy name> window, click OK.

[Topic 67238]

Configuring exclusions from Network Threat Protection

In a policy, you can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic. You can define exclusion rules for traffic from specific IP addresses or for traffic from all IP addresses in an IP subnet. When generating the scope of rules, the application takes into account whether or not the traffic is from a virtual LAN (VLAN).

If a group of virtual switch ports is running in Virtual Switch Tagging (VST) mode and exclusion rules are applied to traffic of virtual machines associated with this group of ports, the application does not take into account whether or not the traffic belongs to a virtual local area network (VLAN).

To configure a network threat protection exclusion rule:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the Network threat protection section, select the Exclusions from protection subsection.
  3. Click Add or press INSERT and specify the scope of the exclusion rule in the column.
  4. Select an exclusion rule in the column.
  5. If necessary, use the arrows above the list to change the position of the created exclusion rule in the list. The rule priority is determined by its position in the list. If you set multiple rules for the same scope, the rule positioned higher in the list is applied first.
  6. In the Properties: <Policy name> window, click OK.
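Because rule priority depends on list position, a broad rule placed above a narrower one can keep the narrower rule from ever being reached. The following added example (not part of the product or of the original guide) models an ordered exclusion list copied by hand from a policy and reports such shadowed rules. It assumes that the first matching rule wins, that a rule with no VLAN applies to untagged traffic, and that the action labels are placeholders; the `vst_mode` flag mirrors the statement above that VLAN membership is ignored for port groups in VST mode.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExclusionRule:
    scope: str            # single IP address or subnet in CIDR notation
    vlan: Optional[int]   # None = untagged traffic (assumption of this example)
    action: str           # placeholder label, not a product setting name

    @property
    def network(self):
        # A single address becomes a /32 (or /128) network.
        return ipaddress.ip_network(self.scope, strict=False)


def vlan_matches(rule_vlan, traffic_vlan, vst_mode):
    """In VST mode VLAN membership is not taken into account."""
    return vst_mode or rule_vlan == traffic_vlan


def resolve(rules, ip, vlan=None, vst_mode=False):
    """Return (position, rule) of the first rule that covers the traffic, or None."""
    addr = ipaddress.ip_address(ip)
    for position, rule in enumerate(rules, start=1):
        if addr in rule.network and vlan_matches(rule.vlan, vlan, vst_mode):
            return position, rule
    return None


def shadowed_rules(rules, vst_mode=False):
    """Return (lower_position, higher_position) pairs where the lower rule's
    whole scope is already covered by a rule positioned higher in the list."""
    findings = []
    for i, lower in enumerate(rules):
        for j in range(i):
            higher = rules[j]
            if (vlan_matches(higher.vlan, lower.vlan, vst_mode)
                    and higher.network.version == lower.network.version
                    and lower.network.subnet_of(higher.network)):
                findings.append((i + 1, j + 1))
                break  # report only the highest-priority covering rule
    return findings


# Constructed sample list using documentation address ranges (RFC 5737).
RULES = [
    ExclusionRule("192.0.2.0/24", 10, "exclude-from-scan"),
    ExclusionRule("192.0.2.15", 10, "special-action"),
    ExclusionRule("198.51.100.0/24", 20, "special-action"),
    ExclusionRule("198.51.100.7", None, "exclude-from-scan"),
]

if __name__ == "__main__":
    for vst in (False, True):
        print(f"VST mode: {vst}")
        for lower, higher in shadowed_rules(RULES, vst_mode=vst):
            print(f"  rule {lower} ({RULES[lower - 1].scope}) is never reached: "
                  f"covered by rule {higher} ({RULES[higher - 1].scope})")
```

Every exclusion is a deliberate blind spot, so a shadowed rule usually means the effective exclusion is wider or different from what its author intended and is worth reviewing.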

[Topic 57670]

Application database update

Update functionality (including antivirus signature updates and codebase updates) may not be available in the program in the United States.

The application databases contain descriptions of computer security threats, which make it possible to detect malicious code in scanned objects, descriptions of currently known types of network attacks and signs of intrusions, and the databases of malicious and phishing web addresses.

Application database updates ensure that the protection of virtual machines is up to date. New viruses and other types of malware appear worldwide on a daily basis. To enable Kaspersky Security to quickly detect threats, you need to update the application databases regularly.

Database updates require a current license for using the application.

An update source is a resource which contains updates for databases and application software modules of Kaspersky applications. The update source for Kaspersky Security is the storage of the Kaspersky Security Center Administration Server.

To download an update package from the Administration Server storage successfully, an SVM needs to have access to the Kaspersky Security Center Administration Server.

If application databases have not been updated for a long time, the size of the update package may be large (up to several dozen megabytes). Downloading this update package may generate additional load on the network.

Kaspersky Security Center lets you automatically distribute application database updates and install them on SVMs. This can be done using the following tasks:

  • Download updates to the storage task. This task downloads the update package from the update source to the Kaspersky Security Center Administration Server storage.
  • Application database update task. This task lets you distribute application database updates and install them on SVMs as soon as an update package is downloaded to the Administration Server repository.

In this Help section

Configuring automatic application database updates

Creating an application database update task

Rolling back the last application database update

Creating an update rollback task


[Topic 57682]

Configuring automatic application database updates

To configure automatic updates of application databases:

  1. Make sure that a download updates to the storage task exists in Kaspersky Security Center.

    The download updates to the storage task is created automatically by the Kaspersky Security Center Initial Configuration Wizard. If the download updates to the storage task has been removed from the list of Administration Server tasks, you can create a new task. See Kaspersky Security Center documentation for more information.

  2. Make sure that an application database update task has been created in Kaspersky Security Center.

    The application database update task can be created automatically after installing the Kaspersky Security main administration plug-in. You can use this task to update the application databases.

    If the task has not been created, create it.

    The application database update task runs according to a schedule. You can view the task results and, if necessary, manually start the task.

Kaspersky Security checks the integrity of application databases during updates. If this check is unsuccessful, the application database update task ends with an error and Kaspersky Security continues to use the previous set of anti-virus databases.


[Topic 57673]

Creating an application database update task

To create an application database update task:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which you want to create the task.

    If you selected the Managed devices folder or an administration group containing a KSC cluster, select the Tasks tab in the workspace.

  2. Click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Update. Proceed to the next step of the New Task Wizard.
  4. If you started the New Task Wizard from the Tasks folder, specify the method for selecting the SVMs on which the task must be run:
    • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
    • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of addresses from a file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
    • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

      Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes to the left of the names of the relevant SVMs.
      • Click the Add or Add IP range button and specify the addresses of SVMs.
      • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
      • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
      • Click the Browse button and select an administration group or manually enter the name of an administration group.

    Proceed to the next step of the New Task Wizard.

  5. In the Scheduled launch field, select When new updates are downloaded to the repository. Configure the remaining task launch schedule settings. For more information about the task launch schedule settings, please refer to the Kaspersky Security Center documentation.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the name of the application database update task and proceed to the next step of the New Task Wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Exit the New Task Wizard.

The created application database update task appears in the list of tasks. The task will start every time an update package is downloaded to the Administration Server repository, and will distribute and install application database updates on SVMs.

After Kaspersky Security has been installed or upgraded, SVMs relay information to Kaspersky Security Center regarding the type of the databases required for the operation of the application. If Kaspersky Security Center has not yet downloaded the necessary databases to the storage when the database update task is started, the task could end with an error. If this is the case, you can manually start the download updates to the storage task (for details, please refer to the Kaspersky Security Center documentation), wait for it to complete, and then manually start the database update task.


[Topic 59322]

Rolling back the last application database update

After the first update of the application databases, the option of rolling back to the previous set of the databases becomes available.

Every time an update is started on an SVM, Kaspersky Security creates a backup copy of the existing application databases before proceeding to update them. This enables you to revert to the previous version of the application databases, if necessary. The update rollback feature is used if the new application database version contains an invalid signature that causes Kaspersky Security to block a safe application.

To roll back the latest application database update:

  1. Create an update rollback task. You can create a task for all SVMs, for the SVMs of one KSC cluster, or for an individual SVM.
  2. Start the update rollback task.

[Topic 59323]

Creating an update rollback task

To create an update rollback task:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which you want to create the task.

    If you selected the Managed devices folder or an administration group containing a KSC cluster, select the Tasks tab in the workspace.

  2. Click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Rollback. Proceed to the next step of the New Task Wizard.
  4. If you started the New Task Wizard from the Tasks folder, specify the method for selecting the SVMs on which the task must be run:
    • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
    • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of addresses from a file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
    • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

      Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes to the left of the names of the relevant SVMs.
      • Click the Add or Add IP range button and specify the addresses of SVMs.
      • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
      • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
      • Click the Browse button and select an administration group or manually enter the name of an administration group.

    Proceed to the next step of the New Task Wizard.

  5. In the Scheduled launch field, select Manually. Configure the remaining task launch schedule settings. For more information about the task launch schedule settings, please refer to the Kaspersky Security Center documentation.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the name of the update rollback task and proceed to the next step of the New Task Wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Exit the New Task Wizard.

The created update rollback task appears in the list of tasks.


[Topic 61793]

Backup

In this section, SVM refers to an SVM with the File Threat Protection component installed.

Backup is a special storage for backup copies of files that are deleted or modified during disinfection.

A backup copy of a file is a copy of a virtual machine file that is created when this file is disinfected or removed. Backup copies of files are stored in Backup in a special format and pose no danger.

When Kaspersky Security detects an infected file on a virtual machine, it blocks the virtual machine user from accessing this file and moves a copy of the file to Backup. The application then subjects the file to the action that is configured in the protection profile of this virtual machine. For example, it disinfects or deletes the file. 

Sometimes it is not possible to maintain the integrity of files during disinfection. If the disinfected file contained information that becomes fully or partially unavailable after disinfection, you can save the file from the backup copy to the hard drive of a computer on which Kaspersky Security Center Administration Console is installed.

Backup is located on the SVM with the File Threat Protection component installed. Use of Backup is enabled by default on each SVM.

When an SVM with the File Threat Protection component is removed or updated, copies of files that were placed in Backup are automatically deleted.

The size of Backup on an SVM is 1 GB. If the total size of backup copies of files in Backup exceeds this value, Kaspersky Security removes the oldest backup copies of files to keep the size of Backup under 1 GB.

The default maximum storage period for backup copies of files in Backup is 30 days. After this time, Kaspersky Security automatically deletes backup copies of files from Backup.

You can change the maximum storage term for backup copies of files. Backup settings are specified in the policy settings.

The Kaspersky Security Center Administration Console lets you manage backup copies of files stored in Backup on SVMs. The Kaspersky Security Center Administration Console displays a combined list of backup copies of files that Kaspersky Security placed in Backup on each SVM with the File Threat Protection component installed.

To prevent deletion of backup copies of files when deleting or updating SVMs, you can configure the use of network data storage for SVMs. If the use of network data storage is enabled, backup copies of files with each SVM are saved in a separate folder in the network data storage. An SVM connects to the storage every 10 minutes for data synchronization. If backup copies on an SVM were deleted automatically as a result of deletion or update of the SVM, they will be automatically restored. If you manually deleted backup copies of files on an SVM, these copies are also deleted from the folder in the network data storage. The term for storing backup copies of files in network data storage is determined by the Backup settings on SVMs.

To use network data storage, you need to create a network folder for hosting the network data storage and a user account for connecting SVMs. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.

You need to make sure that the amount of space allocated for network data storage is sufficient for storing backup copies of files. Kaspersky Security does not monitor the availability of free space in your network data storage and does not notify you if backup copies of files cannot be stored. It is recommended to use third-party tools to monitor the available space in the network folder.
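Since the application does not watch free space in the network data storage, a scheduled check has to do it. The following added example (not part of the product or of the original guide) applies the (N+1) GB sizing formula and the one-folder-per-SVM layout described above. It assumes that the storage folder is reachable as a local or mounted path, that "GB" means binary gigabytes, and that a 90% warning threshold is acceptable.

```python
import os
import shutil
import sys

GIB = 1024 ** 3  # the guide says "GB"; binary gigabytes are assumed here


def required_capacity(svm_count, per_svm_limit=GIB):
    """Sizing formula from the guide: (N + 1) GB for N connected SVMs."""
    if svm_count < 0:
        raise ValueError("svm_count must not be negative")
    return (svm_count + 1) * per_svm_limit


def folder_size(path):
    """Total size in bytes of all files below path."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass  # file was removed between listing and stat
    return total


def check_storage(storage_root, expected_svms, free_bytes=None,
                  per_svm_limit=GIB, warn_ratio=0.9):
    """Return a list of (severity, message) findings for the storage folder."""
    findings = []
    # Each SVM saves its backup copies in a separate folder of the storage.
    usage = {entry.name: folder_size(entry.path)
             for entry in os.scandir(storage_root) if entry.is_dir()}
    if free_bytes is None:
        free_bytes = shutil.disk_usage(storage_root).free

    # A folder close to the Backup size means the oldest copies are about
    # to be removed on that SVM to stay under the limit.
    for name, used in sorted(usage.items()):
        if used >= warn_ratio * per_svm_limit:
            findings.append(("WARN", f"{name}: {used} bytes used, close to "
                                     f"the Backup size of {per_svm_limit} bytes"))

    if len(usage) > expected_svms:
        findings.append(("WARN", f"{len(usage)} SVM folders found but only "
                                 f"{expected_svms} SVMs expected; sizing may be outdated"))

    # Capacity usable by the storage = what is already stored + what is free.
    svm_count = max(expected_svms, len(usage))
    needed = required_capacity(svm_count, per_svm_limit)
    available = free_bytes + sum(usage.values())
    if available < needed:
        findings.append(("CRITICAL", f"storage can hold {available} bytes but "
                                     f"({svm_count}+1) GB sizing needs {needed} bytes"))
    return findings


if __name__ == "__main__":
    # Usage: python check_backup_storage.py <storage folder> <number of SVMs>
    results = check_storage(sys.argv[1], int(sys.argv[2]))
    for severity, message in results:
        print(f"{severity}: {message}")
    sys.exit(2 if any(sev == "CRITICAL" for sev, _ in results) else 0)
```

The non-zero exit code on a CRITICAL finding lets a scheduler or monitoring agent raise an alert before backup copies silently fail to be stored.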

You can configure the use of network data storage for SVMs during installation of the application (procedure for registering Kaspersky Security services) or by using the Kaspersky Security reconfiguration procedure.

In this Help section

Configuring Backup settings

Managing backup copies of files


[Topic 61795]

Configuring Backup settings

To configure Backup settings on an SVM:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the SVM operation settings:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the Backup section.
  3. In the right part of the window, specify the following settings:
    • If you used Backup before clearing this check box, backup copies of files previously moved to Backup remain in Backup. Such backup copies of files are deleted depending on the value of the Store files no longer than N days setting.

    • If you reduce the default storage period for backup copies of files, Kaspersky Security removes from Backup those copies of files that have been stored longer than the newly configured storage period.

  4. In the Properties: <Policy name> window, click OK.

[Topic 61797]

Managing backup copies of files

You can manage backup copies of files as follows:

  • View the list of backup copies of files.
  • Save files from backup copies to the hard drive of a computer with the Administration Console of Kaspersky Security Center installed.
  • Delete backup copies of files from Backup.

In this section:

Viewing the list of backup copies of files

Saving files from Backup to disk

Deleting backup copies of files


[Topic 61799]

Viewing the list of backup copies of files

To view the list of backup copies of files,

select the Backup folder in the Additional → Storages folder of the Kaspersky Security Center Administration Console.

The workspace displays a list of backup copies of files that have been moved to Backups on all SVMs.

The list of backup copies of files appears in the form of a table. Each table row contains an event that involves an infected file and information about the type of threat that was detected in the file.

The table columns show the following details:

  • Device. The name and path to the virtual machine on which the file was detected.
  • Name. File name.
  • Status. The status that Kaspersky Security assigned to the detected file after processing: Deleted, Disinfected.
  • Action being performed. The action that is currently being taken on this backup copy of the file in Backup. For example, if you have issued a command to delete the backup copy of a file, this column displays Being deleted. If the application is not taking any action on this backup copy of the file, the field remains blank.
  • Date of placement. The date and time when the backup copy of the file was moved to Backup.
  • Object. The name of the object detected in the file. If multiple threats have been detected in the file, each threat appears in a separate row in the list of backup copies of files.
  • Size. File size, in bytes.
  • Restoration folder. Complete path to the original file on the virtual machine.
  • Description. Name of the virtual machine and complete path to the original file whose backup copy has been placed in Backup.

[Topic 61801]

Saving files from Backup to disk

You can save files from Backup to the hard drive of a computer that has the Administration Console of Kaspersky Security Center installed.

To save the file from Backup to disk:

  1. In the Kaspersky Security Center Administration Console, in the Additional → Storages folder, select the Backup folder.

    The workspace displays a list of backup copies of files that have been moved to Backups on all SVMs.

  2. In the list of backup copies of files, select the file you want to save to disk.
  3. Do one of the following:
    • Right-click to open the context menu and select Save to disk.
    • Save the file by clicking the Save to disk link. The link is located on the right of the list of backup copies of files, in the workspace for managing the selected file.

      A window opens, prompting you to select a folder on the hard drive to save the selected file.

  4. Select a folder on the hard drive of the computer to which you want to save the file.
  5. Click OK.

Kaspersky Security saves the specified file to the hard drive of a computer that has the Administration Console of Kaspersky Security Center installed.

The files are saved to the hard drive of a computer with the Administration Console of Kaspersky Security Center installed, in non-encrypted format.


[Topic 61802]

Deleting backup copies of files

To delete backup copies of files:

  1. In the Kaspersky Security Center Administration Console, in the Additional → Storages folder, select the Backup folder.

    The workspace displays a list of backup copies of files that have been moved to Backups on all SVMs.

  2. In the list of backup copies of files, select the files you want to delete. Use the CTRL and SHIFT keys to select multiple files.
  3. Do one of the following:
    • Right-click to display the context menu and select Delete.
    • Delete files by clicking the Delete objects link. The link is located on the right of the list of backup copies of files, in the workspace for managing the selected files.

Kaspersky Security deletes backup copies of files from Backups on SVMs. To refresh the list of backup copies of files and check it for changes, click the Refresh link.

It takes some time to refresh the list of backup copies of files. Wait for the list to be refreshed.


[Topic 57684]

Events, notifications, and reports

You can receive information about Kaspersky Security operation in the Kaspersky Security Center by using the following resources:

SVMs send service messages (events) containing information about Kaspersky Security operation to the Kaspersky Security Center Administration Server. Information about events is saved in the Administration Server database.

Event importance levels are of the following types:

  • Critical event. A critical event indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error. It may indicate problems in the operation of Kaspersky Security or vulnerabilities in the protection of virtual machines.
  • Error. This event indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
  • Warning. This event requires attention because it emphasizes important situations in the operation of Kaspersky Security and may indicate a possible issue in the future.
  • Info. This event informs about successful completion of an operation, proper functioning of the application, or completion of a procedure.

A notification is a message containing information about an event that occurred on an SVM. Notifications keep the user informed about application events in a timely manner. Kaspersky Security Center lets you select the event notification method and configure the settings of event notifications in the policy properties.

For detailed information on events and notifications, see the Kaspersky Security Center documentation.

Kaspersky Security Center uses events to generate different types of reports. You can use reports to obtain the details of infected files, changes to protection settings, and usage of license keys and databases. You can view reports in the Kaspersky Security Center Administration Console.

The virtual machine name displayed in reports and events of Kaspersky Security Center can be the name of the virtual machine or the path to it in the virtual infrastructure.

In this Help section

Configuring notification settings

Report types

View reports

Viewing application operation statistics


[Topic 61899]

Configuring notification settings

To configure notifications about events:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the SVM operation settings:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the Event configuration section.
  3. Select the tab with the name of the level of importance of events for which you want to receive notifications:
    • Critical event.
    • Error.
    • Warning.
    • Info.
  4. Select the event types for which you want to receive notifications:
    • Use the SHIFT and CTRL keys if you want to select multiple event types.
    • Click the Select all button if you want to select all event types.
  5. Click the Properties button.

    The Properties of <N events> window opens, where N is the number of event types selected.

  6. In the Event registration section, select the On Administration Server for (days): check box. Kaspersky Security sends the events of the selected types to the Administration Server of Kaspersky Security Center.

    In the text box, specify the number of days for which you want to store events on the Administration Server. Kaspersky Security Center deletes events after this time has elapsed.

  7. In the Event notifications section, select the method of notification:
  8. In the Properties <N events> window, click OK.
  9. In the Properties: <Policy name> window, click OK.

[Topic 57685]

Report types

You can use reports to obtain information about the operation of Kaspersky Security, such as details on protection deployment, protection status, performance of started tasks, and detected threats.

Kaspersky Security Center offers a selection of reports that contain information on the operation of Kaspersky Security:

  • Kaspersky application versions report. Details of application versions installed on client devices (SVMs and the computer on which the Administration Server and the Kaspersky Security Center Administration Console are installed).
  • Protection deployment report. Contains details on the deployment of application components.
  • Most infected devices report. Contains information about virtual machines that are found to contain the largest number of infected files.
  • Threats report. Contains information about viruses and malware that were detected on virtual machines, and information about operations performed by Kaspersky Security on the files in which the threats were detected.
  • Key usage report. Contains information about license keys added to the application.
  • Errors report. Contains information about errors that occurred during application operation.
  • Anti-virus database usage report. Contains information on the versions and status of application databases used on SVMs.
  • Network attack report. Contains information about registered network attacks on virtual machines and suspicious network activity in the traffic of protected virtual machines that have been detected by the Network Threat Protection component.
  • Web Control report. Contains information about requests by users or applications to access dangerous or undesirable web addresses registered by the Network Threat Protection component.
  • Protection status report. Contains information about the protection status of virtual machines.

Kaspersky Security does not provide a report on hardware registry. You can look up information on the hardware of SVMs in the VMware vSphere Web Client console.

Each report consists of a summary table and a table with detailed information. You can configure the content of fields shown in each table.

This Guide describes how to work with reports of Kaspersky Security Center 11.

For details on managing reports, see the Kaspersky Security Center documentation.

In this section:

Kaspersky application versions report

Protection deployment report

Most infected devices report

Threats report

Errors report

Anti-virus database usage report

Network attack report

Web Control report

Protection status report


[Topic 62101]

Kaspersky application versions report

The Kaspersky application versions report contains information about the versions of Kaspersky Security components that are installed on SVMs and versions of Kaspersky Security Center components that are installed on client devices (SVMs and the devices on which the Kaspersky Security Center Administration Server and/or the Kaspersky Security Center Network Agent are installed).

It contains the following consolidated information:

  • Application. Name of the installed Kaspersky Security component or Kaspersky Security Center component. For Kaspersky Security components, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
  • Version number. Version number of the installed Kaspersky Security component or Kaspersky Security Center component.
  • Devices. For Kaspersky Security components, the number of SVMs on which Kaspersky Security components are installed is displayed; for Kaspersky Security Center, the number of devices on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
  • Groups number. For Kaspersky Security components, the number of administration groups that include the SVMs is displayed; for Kaspersky Security Center, this field displays the number of administration groups that include devices on which the Kaspersky Security Center Network Agent and/or Administration Server are installed.

    The row below contains the following consolidated information:

    • Total applications. The total number of different versions of Kaspersky Security components and Kaspersky Security Center components installed on client devices.
    • Installations. The total number of installations of these components on the client devices.
    • Devices. The total number of client devices on which Kaspersky Security components and Kaspersky Security Center components are installed.
    • Groups number. The total number of administration groups that include these client devices.

The report contains the following detailed information:

  • Application. Name of the installed Kaspersky Security component or Kaspersky Security Center component. For Kaspersky Security components, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
  • Version number. Version number of the installed Kaspersky Security component or Kaspersky Security Center component.
  • Group. For Kaspersky Security components, the name of the administration group that includes the SVM with the installed Kaspersky Security component is displayed; for Kaspersky Security Center, the name of the administration group that includes the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
  • Device. For Kaspersky Security components, the name of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the name of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
  • Installed. The date and time of installation of the Kaspersky Security component or the Kaspersky Security Center component on the client device.
  • Last visible. The date and time when the client device was last visible on the enterprise LAN.
  • Previous connection to Administration Server. The date and time of the client device's last connection to the Kaspersky Security Center Administration Server.
  • IP address. For Kaspersky Security components, the IP address of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the IP address of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
  • DNS name. For Kaspersky Security components, the domain name of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the name of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.

[Topic 62103]

Protection deployment report

The protection deployment report contains information on the Kaspersky protection components installed on the Kaspersky Security Center client devices (on SVMs and the computer on which the Kaspersky Security Center Network Agent is installed).

It contains the following consolidated information:

  • Protection components. Possible options for installing Kaspersky applications and components on client devices:
    • Network Agent and anti-virus protection are installed
    • Network Agent only is installed
    • Network Agent and anti-virus protection are not installed
  • Devices. The number of SVMs and computers on which the specified components and applications are installed.

    In the row below, the Devices field shows the total number of SVMs and computers on which Kaspersky protection components are installed.

The report contains the following detailed information:

  • Group. The name of the administration group that includes the SVM with the installed Kaspersky Security component, or the name of the administration group that includes the computer on which the Kaspersky Security Center Network Agent is installed.
  • Device. The name of the SVM with the installed Kaspersky Security component or the name of the computer on which the Kaspersky Security Center Network Agent is installed.
  • Network Agent version. The version of Kaspersky Security Center Network Agent installed on the client device.
  • Security application name. The name of the installed application providing anti-virus protection. For Kaspersky Security, the field shows Kaspersky Security for Virtualization 6.0 Agentless.
  • Security application version. The version of the installed application providing anti-virus protection.

[Topic 62104]

Most infected devices report

The most infected devices report contains information about the protected virtual machines that are found to contain the largest number of infected files during scanning.

The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.

It contains the following consolidated information:

  • Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
  • Objects infected. The total number of objects detected on the protected virtual machine in the reporting period.
  • Different objects. The number of different objects that have been detected on the protected virtual machine in the reporting period.
  • First attempted run blocked. The date and time of the first detection of the object on the protected virtual machine.
  • Last attempted run blocked. The date and time of the last detection of the object on the protected virtual machine.
  • Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
  • IP address. The IP address of the protected virtual machine on which the object was detected.
  • NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.

    In the line below, the Devices infected field specifies the number of protected virtual machines found to contain the largest number of infected files during scanning. The Groups infected field always displays a 0, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.

The report contains detailed information about each instance of detection:

  • Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
  • Detected object. The name of the object that has been detected on the protected virtual machine.
  • Detected at. The date and time of object detection on the protected virtual machine.
  • Path to file. The path to the protected virtual machine file in which the object has been detected.
  • Object type. The type of object detected.
  • Action. The result of the action taken by Kaspersky Security on the detected object.
  • Application. The name of the application providing anti-virus protection. For Kaspersky Security, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
  • Version number. The version number of the application providing anti-virus protection.
  • Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
  • IP address. The IP address of the protected virtual machine on which the object was detected.
  • NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
  • Component. The name of the component that detected the threat. Possible values: Scan task, File Threat Protection.
  • Detection technology. The technology used for detecting the threat. Possible values: Expert analysis, Automatic analysis, Cloud analysis.

[Topic 62105]

Threats report

The threats report contains information on viruses and other malware detected on protected virtual machines, as well as the details of the results of the actions performed on the files in which the threats were detected.

The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.

It contains the following consolidated information:

  • Detected object. The name of the object that has been detected on protected virtual machines.
  • Object type. The type of object detected.
  • Objects infected. The total number of the specified objects detected on all protected virtual machines during the reporting period.
  • As rated by KSN. The number of objects detected with KSN.
  • Different files. The number of files containing the detected object.
  • Devices infected. The number of protected virtual machines on which the specified objects have been detected.
  • First attempted run blocked. The date and time of the first detection of the object on the protected virtual machines.
  • Last attempted run blocked. The date and time of the last detection of the object on the protected virtual machines.

    The row below contains the following consolidated information:

    • Different objects. The total number of different objects detected on all protected virtual machines during the reporting period.
    • Different files. The total number of files containing detected objects on all protected virtual machines.
    • Devices infected. The total number of protected virtual machines on which the objects were detected in the reporting period.
    • Groups infected. The total number of Kaspersky Security Center administration groups that include the devices on which the objects were detected. This field always displays a 0, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.

The report contains the following detailed information about each instance of threat detection:

  • Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
  • Detected object. The name of the object that has been detected on the protected virtual machine.
  • Detected at. The date and time of object detection on the protected virtual machine.
  • File path. The path to the file containing the detected object on the protected virtual machine.
  • Object type. The type of object detected.
  • Action. The result of the action taken by Kaspersky Security on the detected object.
  • Application. The application that detected the object.
  • Version number. The version number of the application that detected the object.
  • Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
  • IP address. The IP address of the protected virtual machine on which the object was detected.
  • NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
  • Component. The name of the component that detected the threat. Possible values: Scan task, File Threat Protection.
  • Detection technology. The technology used for detecting the threat. Possible values: Expert analysis, Automatic analysis, Cloud analysis.

[Topic 62106]

Errors report

The errors report contains information about errors that occurred in application operation.

The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.

It contains the following consolidated information:

  • Error type. The type of error detected in the operation of the application. For example: Task ended with an error.
  • Number of errors. The number of registered errors of the specified type.
  • Number of products. The number of applications in which the error of this type has been detected.
  • Devices. The number of SVMs on which the specified type of error was registered, or the number of protected virtual machines on which the specified type of error was registered during a scan or protection.
  • Groups number. The number of administration groups that include the SVMs on which the specified type of error was detected. For errors detected during a scan or protection of the virtual machines, 0 is displayed, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
  • First detection time. The date and time of the first detection of the error.
  • Last detection time. The date and time of the last detection of the error.

    The row below contains the following consolidated information:

    • Total errors. The total number of errors detected in the reporting period.
    • Error types. The total number of error types detected in the reporting period.
    • Devices. The total number of SVMs on which the errors were registered and the number of protected virtual machines on which the errors were registered during a scan or protection.
    • Groups number. The total number of administration groups that include SVMs on which the errors were detected. Errors detected during a scan or protection of the virtual machines are not considered when counting the number of groups, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.

The report contains the following detailed information about each error:

  • Group. The name of the administration group that includes the SVM on which the error was registered. For errors detected during a scan or protection of the virtual machines, N/A is displayed, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
  • Device. The name of the SVM on which the error was registered, or the name of the protected virtual machine on which the error was detected during a scan or protection.
  • Application. The name of the application in which the error was registered.
  • Error type. Error type. For example: Task ended with an error.
  • Error description. Detailed error description.
  • Detected. The date and time when the error occurred.
  • Task. The task during which the error was registered. If the error is not related to task execution, N/A is displayed.
  • IP address. The IP address of the SVM on which the error was registered, or the IP address of the protected virtual machine on which the error was registered during a scan or protection.
  • Last visible. The date and time when the SVM was last visible on the enterprise LAN, or the date and time of the last event associated with the protected virtual machine.
  • Last connection to Administration Server. The date and time of the last connection between the SVM on which the error was registered and the Kaspersky Security Center Administration Server.
  • NetBIOS name. The name of the protected virtual machine on which the error was registered during a scan or protection.
  • DNS name. The domain name of the SVM on which the error was registered, or the name of the protected virtual machine on which the error was registered during a scan or protection, and the path to it in the virtual infrastructure.

[Topic 62107]

Anti-virus database usage report

The anti-virus database usage report contains information about the versions and status of the application databases that are used on SVMs.

It contains the following consolidated information:

  • Created. The date and time of creation of the application databases that are used on SVMs.
  • Number of records. The number of records in the databases.
  • Devices. The number of SVMs on which these databases are used.
  • Groups number. The number of administration groups that include the SVMs with the utilized application databases.
  • Anti-virus database status. Information on whether the application databases used on SVMs are considered up to date. The databases on SVMs are considered up to date if the date and time of their release match the date and time of release of the databases in the storage of Kaspersky Security Center Administration Server.

    The row below contains the following consolidated information:

    • Total number of database sets used. The total number of the application database sets used on SVMs.
    • Up to date. The number of application databases with “up-to-date” status used on SVMs.
    • Updated during last 24 hours. The total number of the databases updated on SVMs over the last 24 hours.
    • Updated during last 3 days. The total number of the databases updated on SVMs over the last 3 days.
    • Updated during last 7 days. The total number of the databases updated on SVMs over the last 7 days.
    • Updated more than a week ago. The total number of the databases updated on SVMs more than 7 days ago.

The report contains the following detailed information:

  • Group. The name of the administration group that includes the SVMs with the utilized databases.
  • Device. The name of the SVM.
  • Application. The name of the application installed on the SVM.
  • Version number. The number of the application version installed on the SVM.
  • Created. The date and time of creation of the application databases that are used on SVMs.
  • Number of records. The number of records in the databases.
  • IP address. The IP address of the SVM.
  • DNS name. The domain name of the SVM containing the utilized databases.
  • Last visible. The date and time when an SVM was last visible on the corporate LAN.
  • Last connection to Administration Server. The date and time of the last connection between the SVM and the Kaspersky Security Center Administration Server.
  • Anti-virus database status. Information on whether the application databases used on SVMs are considered up to date. The databases on SVMs are considered up to date if the date and time of their release match the date and time of release of the databases in the storage of Kaspersky Security Center Administration Server.
  • Network Agent version. The version of Kaspersky Security Center Network Agent installed on the SVM containing the utilized databases.

[Topic 57678]

Network attack report

The network attack report contains information about registered network attacks targeting the protected virtual machines and about detected suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

By default, the template of the network attack report is not included in the list of report templates on the Reports tab. Use the Report Template Wizard to add a network attack report template to the list of templates (see the Kaspersky Security Center documentation for details). After the Wizard finishes, the newly created report template will be added to the list on the Reports tab.

The Period field displays the period of time covered by the data included in the report.

It contains the following consolidated information:

  • Attack. The type of network attack or suspicious network activity.
  • Attacks count. The number of registered network attacks or suspicious network activities of this type.
  • Attacking addresses. The number of IP addresses from which network attacks have been registered or which showed the suspicious network activity of this type.
  • Devices attacked. The number of protected virtual machines whose traffic displayed activity typical of network attacks or suspicious network activity of this type.
  • Groups attacked. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
  • First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of this type.
  • Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of this type.

    The row below contains the following consolidated information:

    • Attacks count. The number of registered network attacks or suspicious network activities of all types.
    • Various attacks. The number of types of registered network attacks or suspicious network activities.
    • Attack IPs. The total number of IP addresses from which network attacks have been registered or which showed the suspicious network activity.
    • Devices attacked. The total number of protected virtual machines whose traffic displayed activity typical of network attacks or suspicious network activity.
    • Groups attacked. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
    • First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of all types.
    • Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of all types.

The report contains the following detailed information on each detection of the activity typical of network attacks or suspicious network activity:

  • Group. Kaspersky Security always displays pseudohosts in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
  • Device. The name of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
  • Attacking address. The IP address from which the network attack was registered or which showed the suspicious network activity.
  • Attack time. The date and time of the network attack or suspicious network activity detection.
  • Attack. The type of network attack or suspicious network activity.
  • Protocol. The connection protocol in which the network attack or suspicious network activity was detected.
  • Port. The number of the port targeted by the network attack or which showed the suspicious network activity.
  • Last visible. The date and time of the last event associated with the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
  • IP address. The IP address of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
  • NetBIOS name, DNS name. The name of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered, and the path to the virtual machine in the virtual infrastructure.
  • Version number. The version number of the Network Threat Protection component of Kaspersky Security.
  • Attacked interface address. The IP address on which the network attack was attempted.
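
The relationship between the detailed rows and the two consolidated tables of the network attack report, as an added example (not code from the product or its documentation). The detail rows are constructed placeholders, the dictionary layout is an assumption, and the example assumes the consolidated fields count each address and device once.

```python
from collections import defaultdict
from datetime import datetime

# Constructed detail rows keyed by field names of the detailed table above.
# Attack names, devices and addresses are placeholders, not product output.
DETAIL_ROWS = [
    {"Attack": "Example.Scan.A", "Attacking address": "198.51.100.7",
     "Device": "vm-web-01", "Attack time": "2024-03-01 09:15:00"},
    {"Attack": "Example.Scan.A", "Attacking address": "198.51.100.7",
     "Device": "vm-db-01", "Attack time": "2024-03-01 09:16:30"},
    {"Attack": "Example.Scan.A", "Attacking address": "203.0.113.20",
     "Device": "vm-web-01", "Attack time": "2024-03-02 22:05:10"},
    {"Attack": "Example.Flood.B", "Attacking address": "198.51.100.7",
     "Device": "vm-web-01", "Attack time": "2024-03-03 01:00:00"},
    {"Attack": "Example.Flood.B", "Attacking address": "198.51.100.7",
     "Device": "vm-web-01", "Attack time": "2024-03-03 01:00:05"},
]

FIRST = "First attempted run blocked"
LAST = "Last attempted run blocked"


def _when(row):
    """Parse the constructed 'Attack time' value of one detail row."""
    return datetime.strptime(row["Attack time"], "%Y-%m-%d %H:%M:%S")


def _span(rows):
    """Earliest and latest detection time, or (None, None) for no rows."""
    times = [_when(r) for r in rows]
    return (min(times), max(times)) if times else (None, None)


def consolidate(rows):
    """Return (per-type rows, summary row) computed from detail rows."""
    by_type = defaultdict(list)
    for row in rows:
        by_type[row["Attack"]].append(row)

    per_type = []
    for attack in sorted(by_type):
        group = by_type[attack]
        first, last = _span(group)
        per_type.append({
            "Attack": attack,
            "Attacks count": len(group),
            "Attacking addresses": len({r["Attacking address"] for r in group}),
            "Devices attacked": len({r["Device"] for r in group}),
            FIRST: first,
            LAST: last,
        })

    first, last = _span(rows)
    summary = {
        "Attacks count": len(rows),
        "Various attacks": len(by_type),
        # Distinct across all types, so this can be less than the per-type sum.
        "Attack IPs": len({r["Attacking address"] for r in rows}),
        "Devices attacked": len({r["Device"] for r in rows}),
        FIRST: first,
        LAST: last,
    }
    return per_type, summary


def sources_hitting_multiple_devices(rows, min_devices=2):
    """Triage helper: attacking addresses seen against several protected VMs."""
    targets = defaultdict(set)
    for row in rows:
        targets[row["Attacking address"]].add(row["Device"])
    return {ip: sorted(devs) for ip, devs in targets.items()
            if len(devs) >= min_devices}


if __name__ == "__main__":
    per_type, summary = consolidate(DETAIL_ROWS)
    for line in per_type:
        print(line)
    print(summary)
    print(sources_hitting_multiple_devices(DETAIL_ROWS))
```

An address that appears under several attack types is counted once in the summary row, so the summary figure is not the sum of the per-type figures.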

[Topic 71186]

Web Control report

The Web Control report contains information about attempts by users or applications installed on protected virtual machines to access dangerous or inadvisable web addresses that belong to the web address categories selected for detection.

The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.

It contains the following consolidated information:

  • Result. The result of the action taken by Kaspersky Security when it detects an attempt to access a dangerous or undesirable web address.
  • Rule. The network rule applied by the application when it takes action in response to a detected attempt to access a dangerous or undesirable web address. Possible values for Kaspersky Security:
    • Kaspersky Security for Virtualization Agentless: Attempt to access a malicious web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access a phishing web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access an advertising web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access a web address from the "Other" category
  • Attempts. Number of attempts to access a dangerous or undesirable web address.
  • User accounts. The number of protected virtual machines from which attempts were made to access a dangerous or undesirable web address.
  • Web address. The number of dangerous or undesirable web addresses for which access attempts were detected.
  • Devices. The number of protected virtual machines from which attempts were made to access a dangerous or undesirable web address.
  • Administration groups. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
  • First attempt. The date and time of the first attempt to access a dangerous or undesirable web address.
  • Last attempt. The date and time of the last attempt to access a dangerous or undesirable web address.

    The row below contains the following consolidated information:

    • Rules. The number of network rules that determine which action the application takes when it detects an attempt to access a dangerous or undesirable web address. For Kaspersky Security, the value in this field is: 4.
    • Blocked attempts. The number of attempts to access dangerous or undesirable web addresses blocked by Kaspersky Security.
    • Warnings. The number of attempts to access dangerous or undesirable web addresses that were allowed according to the application settings.
    • Blocked web addresses. The number of dangerous or undesirable web addresses that were blocked by Kaspersky Security.
    • Web addresses with warnings. The number of dangerous or undesirable web addresses that were allowed to be accessed according to the application settings.
    • Blocked users. The number of protected virtual machines from which attempts were made to access blocked web addresses.
    • Warned users. The number of protected virtual machines for which Kaspersky Security allowed access to dangerous or undesirable web addresses.
    • First blocked attempt. The date and time of the first attempt to access a dangerous or undesirable web address that was blocked by Kaspersky Security.
    • Last blocked attempt. The date and time of the last attempt to access a dangerous or undesirable web address that was blocked by Kaspersky Security.
    • First warning. The date and time of the first attempt to access a dangerous or undesirable web address that was allowed according to the application settings.
    • Last warning. The date and time of the last attempt to access a dangerous or undesirable web address that was allowed according to the application settings.

The report contains the following detailed information for each attempt to access a dangerous or undesirable web address:

  • Result. The result of the action taken by Kaspersky Security when it detects an attempt to access a dangerous or undesirable web address.
  • Rule. The network rule applied by the application when it takes action in response to a detected attempt to access a dangerous or undesirable web address. Possible values for Kaspersky Security:
    • Kaspersky Security for Virtualization Agentless: Attempt to access a malicious web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access a phishing web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access an advertising web address
    • Kaspersky Security for Virtualization Agentless: Attempt to access a web address from the "Other" category
  • User account. The IP address of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
  • Web address. The dangerous or undesirable web address for which an access attempt was detected.
  • Time. The date and time when an attempt to access a dangerous or undesirable web address was detected.
  • Group. Kaspersky Security always displays pseudohosts in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
  • Device. The name of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address, and the path to the virtual machine in the virtual infrastructure.
  • Version number. The version number of the Kaspersky Security Network Threat Protection component that detected the attempt to access a dangerous or undesirable web address.
  • Last visible on the network. The date and time of the last event associated with the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
  • IP address. The IP address of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
  • NetBIOS name, DNS name. The name of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address, and the path to the virtual machine in the virtual infrastructure.
  • As rated by KSN. The information about whether the attempt to access a dangerous or undesirable web address was detected using KSN. Possible values: Yes or No.

[Topic 127579]

Protection status report

The protection status report contains details on the status of the security application (Kaspersky Security) installed on the client devices of Kaspersky Security Center (SVMs) and details on the protection status of the virtual machines.

You can use a protection status report to obtain information about problems in virtual infrastructure protection. By default, the report displays devices with Critical and Warning statuses. If necessary, you can configure the report to include the information on devices with OK status in the report properties window of the Settings section.

It contains the following consolidated information:

  • Status. The status of the client device (SVM) or virtual machine protection status.
  • Reason. The reason(s) why the current status was assigned.
  • Unprotected devices. The number of SVMs and virtual machines that have the specified reason for being assigned the status.
  • Group number. The number of administration groups that include the SVMs that have the specified reason for being assigned the client device status. The number of administration groups that include the SVMs protecting the virtual machines is shown for virtual machines that have the specified reason for being assigned the protection status.

    In the row below, the Unprotected devices field indicates the total number of SVMs and virtual machines added to the report. The Group number field displays the number of administration groups that include the SVMs added to the report, and SVMs protecting the virtual machines added to the report.

The report contains the following detailed information on SVMs and on virtual machines added to the report:

  • Status. The status of the client device (SVM) or virtual machine protection status.
  • Group. The name of the administration group that includes the SVM, for SVMs added to the report. The name of the administration group that includes the SVM protecting the virtual machine, for virtual machines added to the report.
  • Device. The name of the SVM or name of the virtual machine.
  • Last connection to Administration Server. The date and time of the last connection between the SVM and the Kaspersky Security Center Administration Server, for SVMs added to the report. For virtual machines added to the report, N/A is displayed.
  • Reason. The reason why the current client device status was assigned to the SVM or why the protection status was assigned to the virtual machine.
  • Device status defined by application. The reason for assignment of the status, if Kaspersky Security Center received the device status from a managed application, meaning from Kaspersky Security.
  • IP address. The IP address of the SVM or of the virtual machine. If the IP address could not be determined (for example, when the virtual machine is powered off), the report shows 0.0.0.0.
  • Last visible. The date and time of the SVM's last connection to the Kaspersky Security Center Administration Server or the date and time of the last event related to the virtual machine.
  • NetBIOS name. The name of the virtual machine and the path to it in the virtual infrastructure.
  • DNS name. The domain name of the SVM or the name of the virtual machine and the path to it in the virtual infrastructure.
  • Operating system. Operating system installed on the SVM or on the virtual machine.
  • Anti-virus database release date. The date and time of the release of the application databases currently installed on the SVM, for SVMs added to the report. The date and time of the release of the application databases currently installed on the SVM protecting the virtual machine, for virtual machines added to the report.
  • Last full scan. Date and time when the last Full Scan task was finished.

[Topic 57688]

View reports

To view a report:

  1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
  2. In the workspace of the node, go to the Reports tab and select the report template that you want to view.

    A report generated from the selected template is displayed in the workspace.

By default, the template of the network attack report is not included in the list of report templates on the Reports tab. Use the Report Template Wizard to add a network attack report template to the list of templates (see the Kaspersky Security Center documentation for details). After the Wizard finishes, the newly created report template will be added to the list on the Reports tab.

The report shows the following information:

  • Report type and name, brief report description and reporting period, and details of the group for which the report has been generated
  • Chart that illustrates the most representative report data
  • Consolidated table with calculated report indicators
  • Table with detailed report data

For more information on managing reports, see the Kaspersky Security Center documentation.


[Topic 82807]

Viewing application operation statistics

You can view statistics on the operation of Kaspersky Security on each SVM in the Kaspersky Security Center Administration Console.

To view statistics of application operation on SVMs:

  1. In the Kaspersky Security Center Administration Console, open the SVM properties window:
    1. Select the administration group containing the KSC cluster that includes the relevant SVM.
    2. In the workspace, select the Devices tab.
    3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

    The Properties: <SVM name> window opens.

  2. In the SVM properties window in the list on the left, select the Applications section.

    A list of applications that are installed on this SVM appears in the right part of the window.

  3. Select Kaspersky Security for Virtualization 6.0 Agentless and click the Statistics button located under the applications list.

    The Statistics window opens.

If you have selected an SVM with the File Threat Protection component, the following information is displayed in the Statistics window:

  • Information on application databases. The date and time of release of application databases, or information stating that the application databases are corrupted.

    This information is displayed only if the application databases have been installed.

  • Version info. The version of the EPSEC library installed on the SVM.
  • License info. The number of days remaining until license expiration, or information stating that the license has expired or the license key has been blocked. If you are using the application under unlimited subscription, the value is Not installed.
  • General statistics. The number of objects scanned on the SVM during protection of virtual machines and during scan tasks since the application was installed.
  • Most scanned files. The 20 most frequently scanned files over the past 24 hours.
  • Statistics for the past 24 hours. The number of objects scanned on the SVM over the past 24 hours during protection of virtual machines and during scan tasks.
  • Statistics for the past 30 days. The number of objects scanned on the SVM over the past 30 days during protection of virtual machines and during scan tasks.
  • Statistics for the past 7 days. The number of objects scanned on the SVM over the past 7 days during protection of virtual machines and during scan tasks.

If you have selected an SVM with the Network Threat Protection component, the following information is displayed in the Statistics window:

  • Information on application databases. The date and time of release of application databases, or information stating that the application databases are corrupted.

    This information is displayed only if the application databases have been installed.

  • License info. The number of days remaining until license expiration, or information stating that the license has expired or the license key has been blocked. If you are using the application under unlimited subscription, the value is Not installed.
  • General statistics. The number of network packets processed on the SVM during protection of virtual machines since the application was installed.
  • Statistics for the past 24 hours. The number of network packets processed on the SVM over the past 24 hours.
  • Statistics for the past 30 days. The number of network packets processed on the SVM over the past 30 days.
  • Statistics for the past 7 days. The number of network packets processed on the SVM over the past 7 days.

Information in the Statistics window is refreshed when the window is opened, or by clicking the Refresh button located in the upper part of the window. Information is not updated in real time.


[Topic 63976]

Participating in Kaspersky Security Network

KSN functionality may not be available in the program in the United States.

To enhance the protection of virtual machines, Kaspersky Security can use data received from Kaspersky users all over the world. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base with information about the reputation of files, web resources, and software. Data from Kaspersky Security Network ensures faster response by Kaspersky Security to unknown threats, improves the performance of some protection components, and reduces the risk of false positives.

If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Security with information about the category and reputation of scanned files.

The following types of KSN are differentiated depending on the location of the infrastructure:

  • Global KSN. The infrastructure is hosted by Kaspersky servers.
  • Private KSN. This infrastructure is located within the corporate network or hosted by third-party servers of the service provider, such as on the Internet service provider's network.

Information about the type of KSN used by Kaspersky Security is displayed in the policy properties.

The interaction between SVMs managed by Kaspersky Security Center and the KSN infrastructure is facilitated by the KSN Proxy service. To use KSN in Kaspersky Security operations, the KSN Proxy service must be enabled in Kaspersky Security Center.

To use Private KSN, it must be enabled and configured in Kaspersky Security Center.

The KSN Proxy service and Private KSN can be configured in the properties of the Kaspersky Security Center Administration Server in the KSN proxy server section. See Kaspersky Security Center documentation for more information.

Use of KSN by Kaspersky Security is configured in policy properties.

If the KSN Proxy service is disabled in Kaspersky Security Center, no data is exchanged between SVMs and KSN. If the use of KSN is nonetheless enabled in the Kaspersky Security policy, this could reduce the performance of Kaspersky Security. It is recommended to disable the use of KSN in the Kaspersky Security policy if the KSN Proxy service is disabled in Kaspersky Security Center.

Kaspersky Security automatically sends Kaspersky information about the use of KSN, and may send other information depending on the KSN mode you selected (standard KSN or extended KSN). The KSN mode affects the amount of data that is transmitted to Kaspersky when KSN is being used.

Your participation in Kaspersky Security Network when using extended KSN helps Kaspersky promptly gather information about the types and sources of new threats and develop solutions for neutralizing them.

Participation in Kaspersky Security Network is voluntary. The decision to participate in Kaspersky Security Network is made during the creation of a Kaspersky Security policy, and this decision can be changed at any time.

In this Help section

About data provision when Kaspersky Security Network is being used

Viewing the Kaspersky Security Network Statement

Configuring the use of Kaspersky Security Network


[Topic 71188]

About data provision when Kaspersky Security Network is being used

If you are participating in Kaspersky Security Network and are using KSN in standard mode, you agree to automatically transmit the following data to Kaspersky:

  • Information necessary for scanning files: name and ID of the detected threat according to the Kaspersky classification, hash of the scanned object and type of hash function, and the ID of the utilized anti-virus databases.
  • Information about scanned web addresses: web address or IP address whose reputation is requested, web address of the page that was used to navigate to the scanned web address, ID of the connection protocol and number of the utilized port.
  • Information about utilized digital certificates required for verifying their authenticity: hash (SHA256) of the certificate with which the scanned object was signed, and the public certificate key.
  • General information: type and full version of Kaspersky Security, information about the application components and about the application module updates, and information about the operating system installed on the SVMs and protected virtual machines.

If you are participating in Kaspersky Security Network and are using KSN in extended mode, you agree to automatically send Kaspersky all the data listed in the Kaspersky Security Network Statement. Files (or parts thereof) that could be exploited by hackers to harm the virtual machine or data stored in its operating system may also be sent to Kaspersky for analysis. Extended KSN is used by default. You can disable the use of extended KSN in the policy properties.

You can view the text of the Kaspersky Security Network Statement in the policy properties in the KSN settings section.

For information about the storage, protection and destruction of statistical information that is obtained during the use of KSN and transmitted to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.

If you do not participate in Kaspersky Security Network, the data listed in the Kaspersky Security Network Statement is not transmitted to Kaspersky.


[Topic 166376]

Viewing the Kaspersky Security Network Statement

To view the Kaspersky Security Network Statement:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the list on the left, select the KSN settings section.
  3. Click the link to open the Kaspersky Security Network Statement.

The text of the Kaspersky Security Network Statement opens in a separate window.


[Topic 56721]

Configuring the use of Kaspersky Security Network

KSN usage by Kaspersky Security is configured in the policy settings. If KSN usage is enabled in the active policy, KSN services are used in the operation of Kaspersky Security during virtual machine protection and when executing virtual machine scan tasks.

If the policy with the enabled use of KSN is inactive, KSN services are not used in the operation of Kaspersky Security.

If you want Kaspersky Security to use KSN, make sure the required KSN type is configured in Kaspersky Security Center. To use Global KSN, the KSN proxy server service must be enabled in Kaspersky Security Center. To use Private KSN, it must be enabled and configured in Kaspersky Security Center. The KSN Proxy service and Private KSN can be configured in the properties of the Kaspersky Security Center Administration Server in the KSN proxy server section. See Kaspersky Security Center documentation for more information.

To configure the use of KSN by Kaspersky Security:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the KSN settings section.
  3. If you want the application to use Global KSN in its operations:
    1. Select the Use KSN check box.
    2. In the opened window, read the Kaspersky Security Network Statement.
    3. If you agree with all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement and click OK.
    4. By default, Global KSN is used in extended mode. The KSN mode affects the amount of data that is automatically transmitted to Kaspersky when KSN is being used. If you want to disable the use of extended KSN, clear the Use extended KSN check box.
  4. If you want to disable the use of Global KSN, clear the Use KSN check box.
  5. If you want the application to use Private KSN in its operations, select the Use Private KSN check box.

  6. If you want to disable the use of Private KSN, clear the Use Private KSN check box.
  7. In the Properties: <Policy name> window, click OK.

[Topic 90273]

SNMP Monitoring of SVM status

You can receive information about the status of SVMs deployed in the virtual infrastructure by using any network management system that utilizes the SNMP protocol. An SVM is installed with an SNMP agent that can send information about the status of the SVM to the network management system of your organization.

SNMP Agent can relay the following information about the status of SVMs with the File Threat Protection component:

  • Information about RAM usage by the ksvmain process (as a percentage of the maximum value that, when reached, causes the application to restart)
  • The number of protected virtual machines running desktop operating systems and the number of protected virtual machines running server operating systems.

    The count of protected virtual machines includes all virtual machines that were under the protection of the application over the last 30 days, even if those virtual machines are currently powered off.

  • Information about whether virtual machine scan tasks are currently running on the SVM
  • If scan tasks are running, information about the number of virtual machines that are currently waiting to be scanned, and the number of virtual machines that are being simultaneously scanned
  • Information about the status of services of the File Threat Protection component on SVMs: On (services are running) or Off (services are not running)

For SVMs with the Network Threat Protection component, SNMP Agent can transmit information about RAM usage by the nsmain process (as a percentage of the maximum value that, when reached, causes the application to restart).

This data is specific to the application and is contained in the MIB files named KSV-MIB.txt and KSVNS-MIB.txt, which are supplied together with the application. You can use these files to receive additional information from SVMs. You can also use other MIB files to receive the necessary information from SVMs.

You can restrict the list of IP addresses to which the SNMP Agent relays SVM status information to prevent unauthorized access to the SNMP service.

In this Help section

Enabling and disabling SNMP Monitoring

Restricting the list of recipients of SVM status information


[Topic 60312]

Enabling and disabling SNMP Monitoring

SNMP Monitoring is enabled and disabled in the policy settings. If SNMP Monitoring is enabled in the active policy that determines the SVM operation settings, the SNMP agent installed on an SVM transmits information about the status of the SVM to the SNMP monitoring system of your organization.

If the policy that enables SNMP monitoring is inactive, information about the status of SVMs is not relayed.

To enable or disable SNMP Monitoring:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the SVM operation settings:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the SNMP monitoring settings section.
  3. Do one of the following:
    • Select the Enable SNMP monitoring of the SVM status check box if you want to receive SVM status information.
    • Clear the Enable SNMP monitoring of the SVM status check box if you want to disable SVM status monitoring.
  4. In the Properties: <Policy name> window, click OK.

[Topic 71367]

Restricting the list of recipients of SVM status information

You can restrict the list of IP addresses to which the SNMP Agent relays SVM status information to prevent unauthorized access to the SNMP service.

To create a list of IP addresses to which SVM status information is relayed:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the SVM operation settings:
    1. In the console tree, select the folder or administration group in which the policy was created.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the SNMP monitoring settings section.
  3. Select the Enable SNMP monitoring of the SVM status check box if SNMP monitoring is disabled.
  4. Select the Transmit information only to indicated IP addresses check box.
  5. Click the Add button or press the INSERT key and enter an IP address in IPv4 format or an IP subnet address as follows: <IP address in IPv4 format>/<subnet mask prefix length>.
  6. In the Properties: <Policy name> window, click OK.
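
An added example (not part of the Kaspersky documentation): a pre-flight check of a planned recipient list, using the two entry formats from step 5. It flags malformed entries, overly broad subnets, and monitoring stations that no entry covers; the function names, the sample addresses, and the /24 breadth threshold are assumptions made for this example.

```python
import ipaddress

# Widest subnet accepted without a warning. This threshold is an assumption
# of the example, not a product limit.
MIN_PREFIX_LEN = 24


def parse_entry(entry):
    """Parse '<IPv4 address>' or '<IPv4 address>/<prefix length>'.

    Returns an IPv4Network (a single address becomes a /32).
    Raises ValueError for anything else, including IPv6 and dotted masks.
    """
    entry = entry.strip()
    addr, sep, prefix = entry.partition("/")
    ipaddress.IPv4Address(addr)  # rejects IPv6, host names, empty strings
    if sep:
        if not prefix.isdigit() or not 0 <= int(prefix) <= 32:
            raise ValueError(f"bad prefix length in {entry!r}")
        # strict=False: 10.1.2.3/24 is accepted and normalised to 10.1.2.0/24
        return ipaddress.IPv4Network(f"{addr}/{int(prefix)}", strict=False)
    return ipaddress.IPv4Network(f"{addr}/32")


def audit_allowlist(entries, monitoring_hosts):
    """Report invalid entries, overly broad subnets, and monitoring hosts
    that are not covered by any valid entry."""
    networks, invalid, too_broad = [], [], []
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError:
            invalid.append(entry)
            continue
        networks.append(net)
        if net.prefixlen < MIN_PREFIX_LEN:
            too_broad.append(str(net))
    uncovered = [
        host for host in monitoring_hosts
        if not any(ipaddress.IPv4Address(host) in net for net in networks)
    ]
    return {"invalid": invalid, "too_broad": too_broad, "uncovered": uncovered}


# Constructed sample data (documentation and private ranges, not from the guide).
SAMPLE_ENTRIES = [
    "192.0.2.10",                 # single monitoring station
    "10.20.30.0/24",              # monitoring subnet
    "10.0.0.0/8",                 # valid, but far wider than needed
    "198.51.100.7/33",            # prefix length out of range
    "2001:db8::1",                # IPv6 is not an accepted format
    "10.20.31.0/255.255.255.0",   # dotted mask instead of prefix length
]
SAMPLE_MONITORS = ["192.0.2.10", "10.20.30.15", "203.0.113.5"]

if __name__ == "__main__":
    for key, values in audit_allowlist(SAMPLE_ENTRIES, SAMPLE_MONITORS).items():
        print(f"{key}: {values}")
```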

[Topic 90579]

Automatic installation of application patches

Kaspersky Security Center lets you automatically download and install Kaspersky Security application patches on SVMs.

Patches are automatically downloaded from the Kaspersky Security Center Administration Server storage when the application database update package is downloaded.

Patches are installed using the automatic patch installation task.

This task installs patches on the SVMs on which these patches have not yet been installed. It also checks the operation of Kaspersky Security on each SVM after the patches are installed. If problems are detected, the patch installation is automatically rolled back.

When patches are being installed, protection of virtual machines and scan tasks are paused.

After a patch is installed on an SVM, the new version number of the SVM is displayed in reports and events of Kaspersky Security Center.

If errors occur in the application after a patch is installed, you can manually roll back patch installation on SVMs. For more detailed information, please contact Technical Support experts.

In this Help section

Configuring automatic downloading and installation of patches

Creating an automatic patch installation task

[Topic 127539]

Configuring automatic downloading and installation of patches

To configure automatic downloading and installation of patches:

  1. Make sure that a download updates to the storage task exists in Kaspersky Security Center. If the download updates to the storage task does not exist, create it (see the Kaspersky Security Center documentation).
  2. Make sure that an application database update task has been created in Kaspersky Security Center. If the update task has not been created, create it.
  3. Create an automatic patch installation task. You can create a task for all SVMs, for the SVMs of one KSC cluster, or for an individual SVM.

[Topic 97904]

Creating an automatic patch installation task

To create an automatic patch installation task:

  1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which you want to create the task.

    If you selected the Managed devices folder or an administration group containing a KSC cluster, select the Tasks tab in the workspace.

  2. Click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Automatic installation of patches.

    Proceed to the next step of the New Task Wizard.

  4. If you started the New Task Wizard from the Tasks folder, specify the method for selecting the SVMs on which the task must be run:
    • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
    • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of addresses from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
    • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

      Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes to the left of the names of the relevant SVMs.
      • Click the Add or Add IP range button and specify the addresses of SVMs.
      • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
      • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
      • Click the Browse button and select an administration group or manually enter the name of an administration group.

    Proceed to the next step of the New Task Wizard.

  5. Configure the task run schedule settings:
    • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
    • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

      If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

    • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized within the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is selected by default.

    • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

      Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

    Proceed to the next step of the New Task Wizard.

  6. In the Name field, enter the name of the automatic patch installation task and proceed to the next step of the New Task Wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Exit the New Task Wizard.

The created automatic patch installation task appears in the list of tasks. If you configured a schedule for starting the task in the Task start schedule settings window, the task is started according to this schedule. You can also start or stop the task manually at any time.

[Topic 188513]

Application components integrity check

Kaspersky Security includes many binary modules in the form of dynamic-link libraries, executable files, configuration files, and interface files. An attacker can replace one or more application modules or files with other modules or files containing malicious code. To prevent the replacement of application modules and files, Kaspersky Security can check the integrity of application components. The application checks modules and files for the presence of unauthorized changes or corruption. If an application module or file has an incorrect checksum, it is considered to be corrupted.

An integrity check is performed for the following components:

  • Kaspersky Security management plug-ins
  • Integration Server
  • Integration Server Console
  • SVM

The integrity of application components is checked by using the integrity_check_tool located on the certified compact disk. The tool checks the integrity of the files listed in special lists called manifest files. An application component's manifest file lists the files whose integrity is critical for correct operation of the application component. The integrity of the manifest files is also checked.

Only the root user account can run the integrity check tool on SVMs. An administrator account is required for running the integrity check tool for all other application components.

It is recommended to run the integrity check tool from a certified CD to guarantee the integrity of the tool. When running it from a CD, you must specify the full path to the manifest file in the application folder.

The manifest files for application components are located at the following paths:

  • For Kaspersky Security administration plug-ins, by default the manifest files are in the folders where the executable modules (DLLs) of the administration plug-ins are located:
    • For 64-bit operating systems:
      • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Plugins\KSV5.plg\integrity_check.xml – for Kaspersky Security main administration plug-in
      • C:\Program Files (x86)\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVT5.plg\integrity_check.xml – for Kaspersky Security administration plug-in for tenants
    • For 32-bit operating systems:
      • C:\Program Files\Kaspersky Lab\Kaspersky Security Center\Plugins\KSV5.plg\integrity_check.xml – for Kaspersky Security main administration plug-in
      • C:\Program Files\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVT5.plg\integrity_check.xml – for Kaspersky Security administration plug-in for tenants
  • For Integration Server, by default, in the same folder as the executable file of the Integration Server:
    • C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIIS\integrity_check_manifest.xml – for 64-bit operating systems
    • C:\Program Files\Kaspersky Lab\Kaspersky VIIS\integrity_check_manifest.xml – for 32-bit operating systems
  • For Integration Server Console, by default, in the same folder as the executable file of the Integration Server Console:
    • C:\Program Files (x86)\Kaspersky Lab\Kaspersky VIIS Console\integrity_check_manifest.xml – for 64-bit operating systems
    • C:\Program Files\Kaspersky Lab\Kaspersky VIIS Console\integrity_check_manifest.xml – for 32-bit operating systems
  • For SVMs:
    • /var/opt/kaspersky/ksv/product/integrity_check.xml – for SVMs with the File Threat Protection component installed
    • /var/opt/kaspersky/ksvns/product/integrity_check.xml – for SVMs with the Network Threat Protection component installed

To check the integrity of an application component, run the following command:

integrity_check_tool --verify --manifest <manifest file path>

where <manifest file path> is the full path to the manifest file.

You can run the tool with optional switches, which are listed in the Help for the tool settings. To view the Help for the tool, run the tool with the --help switch.

The result of checking each manifest file is displayed next to the name of the manifest file in the following format:

  • SUCCEEDED – integrity of the files is confirmed (return code 0).
  • FAILED – integrity of the files is not confirmed (return code is not 0).
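
An added example, not part of the Kaspersky documentation: a Python 3 wrapper that runs the documented command for every manifest a host is expected to have and treats only return code 0 as a pass. It assumes Python 3 is available on the host being checked; the function names and the MANIFEST_MISSING and TOOL_ERROR labels are this example's own.

```python
import os
import subprocess
import sys

# Manifest paths for SVMs, as listed in this section.
SVM_MANIFESTS = {
    "File Threat Protection": "/var/opt/kaspersky/ksv/product/integrity_check.xml",
    "Network Threat Protection": "/var/opt/kaspersky/ksvns/product/integrity_check.xml",
}


def run_tool(tool_path, manifest_path):
    """Run `integrity_check_tool --verify --manifest <path>` and return its exit code."""
    completed = subprocess.run(
        [tool_path, "--verify", "--manifest", manifest_path],
        check=False,
    )
    return completed.returncode


def verify_components(expected, tool_path, runner=run_tool, exists=os.path.isfile):
    """Check every manifest in `expected` ({component name: manifest path}).

    Returns {component: status}, where status is one of:
      SUCCEEDED        - the tool returned 0
      FAILED           - the tool returned a non-zero code
      MANIFEST_MISSING - the manifest of an expected component is absent
      TOOL_ERROR       - the tool could not be started
    Only SUCCEEDED counts as a pass: a deleted manifest or an unusable tool
    must not be read as "nothing to report".
    """
    results = {}
    for component, manifest in expected.items():
        # The guide requires the full path to the manifest file.
        if not os.path.isabs(manifest):
            raise ValueError(f"manifest path must be absolute: {manifest!r}")
        if not exists(manifest):
            results[component] = "MANIFEST_MISSING"
            continue
        try:
            code = runner(tool_path, manifest)
        except OSError:
            results[component] = "TOOL_ERROR"
            continue
        results[component] = "SUCCEEDED" if code == 0 else "FAILED"
    return results


def overall_exit_code(results):
    """0 only if at least one component was checked and all of them passed."""
    passed = results and all(s == "SUCCEEDED" for s in results.values())
    return 0 if passed else 1


if __name__ == "__main__":
    # Assumption: the first argument is the full path to the tool on the CD.
    tool = sys.argv[1] if len(sys.argv) > 1 else "integrity_check_tool"
    # Assumption: this SVM has the File Threat Protection component installed.
    expected = {"File Threat Protection": SVM_MANIFESTS["File Threat Protection"]}
    results = verify_components(expected, tool)
    for component, status in results.items():
        print(f"{component}: {status}")
    sys.exit(overall_exit_code(results))
```

List only the components that are actually installed on the host in `expected`, so that a missing manifest is reported as a finding rather than skipped.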

[Topic 96343]

Instructions on managing the application for a tenant organization administrator

This section is intended for an administrator of a virtual infrastructure that belongs to a tenant organization and is protected by Kaspersky Security installed within the infrastructure of the anti-virus protection provider.

This section contains the information necessary for a tenant administrator to manage the protection of the tenant's virtual infrastructure.

Management of Kaspersky Security requires experience working with a virtual infrastructure on the VMware vSphere platform and working with Kaspersky Security Center, the system designed for remote centralized management of Kaspersky applications.

In this Help section

About Kaspersky Security for Virtualization 6.0 Agentless

Deploying protection of the virtual infrastructure of a tenant organization

Managing File Threat Protection

Scanning virtual machines

Participating in Kaspersky Security Network

Obtaining protection status information

Removing the Kaspersky Security administration plug-in for tenants

[Topic 186947]

About Kaspersky Security for Virtualization 6.0 Agentless

Kaspersky Security for Virtualization 6.0 Agentless (hereinafter also "Kaspersky Security") is an integrated solution that protects virtual machines on a VMware ESXi hypervisor against viruses and other malware, as well as network threats.

Kaspersky Security lets you protect virtual machines running Windows guest operating systems, including those running server operating systems, and virtual machines running Linux guest operating systems.

Kaspersky Security includes the following components:

  • File Threat Protection. Protects the file system objects of a virtual machine against infection. The component is launched at the startup of Kaspersky Security. It protects virtual machines and scans the file system of virtual machines.
  • Network Threat Protection. This component lets you detect and block activity that is typical of network attacks and other suspicious network activity, and lets you scan web addresses requested by a user or application, and block access to web addresses if a threat is detected.
  • Integration Server. The component facilitates interaction between Kaspersky Security components and a VMware virtual infrastructure.

The File Threat Protection and Network Threat Protection components are installed on SVMs that are deployed on VMware ESXi hypervisors within the infrastructure of the anti-virus protection provider.

Kaspersky Security features:

  • Protection. Kaspersky Security scans all files that the user or an application opens, saves, or launches on a virtual machine.
    • If the file is free of malware, Kaspersky Security will grant access to the file.
    • If malware is detected in the file, Kaspersky Security will perform the action that is specified in its settings. For example, it will delete the file or block access to the file.

    Kaspersky Security can protect only powered-on virtual machines.

  • Scan. The application lets you perform a virus scan on files of virtual machines. Virtual machine files must be scanned regularly with new anti-virus databases to prevent the spread of malicious objects. You can perform an on-demand scan or specify a scan schedule.

    Kaspersky Security can scan powered-on virtual machines, virtual machine templates, and powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.

  • Intrusion Prevention. Kaspersky Security lets you analyze network traffic of protected virtual machines and detect network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. When it detects an attempted network attack on a virtual machine or suspicious network activity, Kaspersky Security can terminate the connection and block traffic from the IP address from which the network attack or suspicious network activity originated.

    Intrusion prevention settings are defined by the anti-virus protection provider.

  • Web addresses scan. Kaspersky Security lets you scan web addresses that are requested over the HTTP protocol by a user or application installed on the virtual machine. If Kaspersky Security detects a web address from one of the web address categories selected for detection, the application can block access to the web address. By default, Kaspersky Security scans web addresses to check if they are malicious or phishing web addresses.

    Web address scan settings are defined by the anti-virus protection provider.

  • Storing backup copies of files. The application allows storing backup copies of files that have been deleted or modified during disinfection. If a disinfected file contained information that became partially or completely inaccessible after disinfection, the file can be restored from its backup copy.

    All actions taken on backup copies of files are performed by the anti-virus protection provider.

In this section:

About managing the application

About Kaspersky Security policies

About protection profiles

About tasks

[Topic 60209]

About managing the application

Kaspersky Security is administered by Kaspersky Security Center, the remote centralized Kaspersky application administration system.

The Kaspersky Security administration plug-in for tenants provides the interface for managing the Kaspersky Security application through Kaspersky Security Center. The administration plug-in must be installed on the computer where the Kaspersky Security Center Administration Console is installed.

Kaspersky Security is managed through policies and tasks.

A policy is a group of settings used by SVMs to protect virtual machines within the protected infrastructure. Each policy contains one or multiple protection profiles. Protection profiles let you configure the settings for file protection of virtual machines.

Tasks are run on SVMs and let you scan virtual machines.

Kaspersky Security sends the Kaspersky Security Center Administration Server information about all events that occur during anti-virus protection and scanning of virtual machines, as well as information about events that occur when preventing intrusions and scanning web addresses. You can receive notifications about events and view them in Kaspersky Security Center.

For detailed information about working with events, policies and tasks, please refer to the Kaspersky Security Center documentation.

[Topic 124119]

About Kaspersky Security policies

A policy lets you use protection profiles to configure the settings for virtual machine file protection, and configure the settings for using Kaspersky Security Network.

Policies are created by using the Wizard, which is started by clicking the New policy button located in the workspace of the Managed devices folder on the Policies tab.

You can create multiple policies, but only one of them can be active. When you create a new active policy, the previous active policy becomes inactive.

You can change the settings of a policy after its creation in the policy properties window.

To open the policy properties window:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Policies tab.
  3. In the list of policies, select the policy and open the Properties: <Policy name> window by double-clicking on the policy or by selecting Properties in the context menu.

For more information about managing policies, see Kaspersky Security Center documentation.

[Topic 187015]

About protection profiles

The following protection profiles are provided in Kaspersky Security policies:

  • The main protection profile is automatically created when a policy is created. Although the main protection profile cannot be deleted, you can edit its settings.
  • You can create additional protection profiles after creating a policy. Additional protection profiles let you flexibly configure different protection settings for different virtual machines within the protected infrastructure. A policy can contain multiple additional protection profiles.

You can configure the following settings in protection profiles:

  • Security level. You can select one of the preset security levels (High, Recommended, Low) or configure your own security level (Custom). The security level defines the following scan settings:
    • Scanning of archives, self-unpacking archives, embedded OLE objects, and compound files
    • Restriction on file scan duration
    • List of objects to detect
  • Action that Kaspersky Security performs after detecting infected files.
  • Protection scope (scanning of network drives during protection of virtual machines).
  • Exclusions from protection (by name, by file extension or path, by file mask or path to the folder containing files to be skipped).

A protection profile can be assigned to an individual VMware virtual infrastructure object or to the root element of the protected infrastructure, which can include a vCloud Director organization. By default, a protection profile assigned to the root element of a protected infrastructure is inherited by all child elements of the protected infrastructure (virtual machines and their combinations).

Protection profiles are also inherited according to the hierarchy of VMware virtual infrastructure objects: the protection profile assigned to a virtual infrastructure object is inherited by all of its child objects, including virtual machines, unless the child object/virtual machine has been assigned its own protection profile or unless the child object/virtual machine has been excluded from protection. This means that you can either assign a specific protection profile to a virtual machine, or let it inherit the protection profile that is used by its parent object.

Only one protection profile may be assigned to a single virtual infrastructure object. Kaspersky Security protects virtual machines according to the settings that are specified in the protection profile assigned to these virtual machines.

Virtual infrastructure objects that have no assigned protection profile are excluded from protection.

If you exclude a virtual infrastructure object from protection, all child objects that inherited the protection profile from the parent object are also excluded from protection. You can exclude from protection all child objects that have their own protection profile assigned, or leave them under the protection of the application.

Protection profile inheritance makes it possible to assign identical protection settings to multiple virtual machines simultaneously. For example, you can assign identical protection profiles to all virtual machines that are part of a virtual Datacenter.
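
The inheritance and exclusion rules above, modelled as an added example (not Kaspersky code). It resolves the profile each virtual machine ends up with and lists the machines left without protection; the Node class, the object names, and the profile names "Main" and "Strict" are hypothetical.

```python
EXCLUDED = object()  # marker: object explicitly excluded from protection


class Node:
    """One virtual infrastructure object in a simplified, hypothetical model."""

    def __init__(self, name, parent=None, assignment=None, is_vm=False):
        self.name = name
        self.parent = parent
        # None     = nothing assigned here, so the parent's setting applies
        # a string = name of the protection profile assigned to this object
        # EXCLUDED = this object is excluded from protection
        self.assignment = assignment
        self.is_vm = is_vm


def effective_profile(node):
    """Return (profile name or None, name of the object that decided it).

    Walks from the object up to the root and stops at the first explicit
    setting, so an object's own profile wins over an excluded parent.
    """
    current = node
    while current is not None:
        if current.assignment is EXCLUDED:
            return None, current.name
        if current.assignment is not None:
            return current.assignment, current.name
        current = current.parent
    return None, None  # no profile anywhere on the path: not protected


def unprotected_vms(nodes):
    """Names of virtual machines that end up without a protection profile."""
    return sorted(
        n.name for n in nodes if n.is_vm and effective_profile(n)[0] is None
    )


def build_sample():
    """Constructed sample hierarchy; every name here is made up."""
    vcenter = Node("vcenter", assignment="Main")       # root with main profile
    dc1 = Node("dc1", vcenter)                         # inherits "Main"
    cluster_a = Node("cluster-a", dc1, "Strict")       # own profile
    cluster_b = Node("cluster-b", dc1, EXCLUDED)       # excluded from protection
    lab_root = Node("lab-root")                        # nothing assigned at all
    nodes = [
        vcenter, dc1, cluster_a, cluster_b, lab_root,
        Node("vm-db1", cluster_a, is_vm=True),             # inherits "Strict"
        Node("vm-test", cluster_a, EXCLUDED, is_vm=True),  # excluded itself
        Node("vm-web1", cluster_b, is_vm=True),            # excluded via parent
        Node("vm-pay1", cluster_b, "Strict", is_vm=True),  # own profile is kept
        Node("vm-util", dc1, is_vm=True),                  # inherits "Main"
        Node("vm-lab1", lab_root, is_vm=True),             # no profile on path
    ]
    return {n.name: n for n in nodes}


NODES = build_sample()

if __name__ == "__main__":
    for node in NODES.values():
        if not node.is_vm:
            continue
        profile, source = effective_profile(node)
        if profile:
            print(f"{node.name}: {profile} (from {source})")
        else:
            print(f"{node.name}: NOT PROTECTED ({source or 'no profile assigned'})")
    print("Unprotected:", unprotected_vms(NODES.values()))
```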

[Topic 187016]

About tasks

The following tasks are available for Kaspersky Security:

  • Full Scan task for virtual machines. This task lets you run a virus scan on the files of all virtual machines in your virtual infrastructure.
  • Custom Scan task for virtual machines. This task lets you run a virus scan on the files of those virtual machines that you specified in the task settings. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

Tasks are created by using the Wizard, which is started by clicking the New task button located in the workspace of the Managed devices folder on the Tasks tab.

You can change the settings of a task after its creation in the task properties window.

To open the task properties window:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Tasks tab.
  3. In the list of tasks, select the task and open the Properties: <Task name> window by double-clicking on the task or by selecting Properties in the context menu.

Regardless of the selected task run mode, you can start or stop the task at any time.

To start or stop a task:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Tasks tab.
  3. In the list of tasks, select the task that you want to start or stop.
  4. Click the Start or Stop button. The buttons are located to the right of the task list.

Information about the progress and results of the task can be viewed in the Kaspersky Security Center Administration Console in one of the following ways:

  • In the Task results window. To open the window, click the View results link on the right of the task list displayed on the Tasks tab in the workspace of the Managed devices folder.
  • In the event list that is displayed on the Events tab in the workspace of the Administration Server node.

You can also perform the following actions with tasks:

  • Copy tasks from one folder or administration group into another.
  • Export tasks to a file and import tasks from a file.
  • Convert tasks from the previous version of the application.
  • Delete tasks.

For more information about managing tasks, see Kaspersky Security Center documentation.

[Topic 97830]

Deploying protection of the virtual infrastructure of a tenant organization

Deploying protection for the virtual infrastructure of a tenant organization consists of the following steps:

  1. Installation and configuration of all Kaspersky Security components in the virtual infrastructure of the anti-virus protection provider. All actions at this step are performed by the provider's administrator.
  2. Installation of the Kaspersky Security Center Administration Console on the tenant organization administrator's workstation. You can use the Kaspersky Security Center Administration Console to manage the file protection settings and the settings for scanning your virtual machines, and receive information about events that occur during the protection of your virtual infrastructure. For details on installing the Administration Console, please refer to the Kaspersky Security Center documentation.
  3. Installation of the Kaspersky Security administration plug-in for tenants on the tenant organization administrator's workstation.
  4. Connection to the virtual Administration Server of Kaspersky Security Center. You need to start the Kaspersky Security Center Administration Console and specify the settings for connecting to the virtual Administration Server given by the provider: address, user name, and account password.
  5. Configuration of virtual machine file threat protection using a policy.

    You can also create and configure scan tasks to periodically scan files of virtual machines using new anti-virus databases.

In this section:

Installation of the Kaspersky Security administration plug-in for tenants

Creating a policy

[Topic 188570]

Installation of the Kaspersky Security administration plug-in for tenants

Prior to beginning installation of the Kaspersky Security administration plug-in for tenants, it is recommended to close the Kaspersky Security Center Administration Console.

The administration plug-in for tenants should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security administration plug-in for tenants must be installed on the same computer on which the Kaspersky Security Center Administration Console is installed.

To install the Kaspersky Security administration plug-in for tenants:

  1. On the computer where the Kaspersky Security Center Administration Console is installed, start the file named ksv-t-components_6.0.0.XXX_mlg.exe (6.0.0.XXX represents the application version number).

    The Installation Wizard starts for the Kaspersky Security administration plug-in for tenants.

  2. Select the localization language of the Wizard and the Kaspersky Security administration plug-in for tenants and proceed to the next step of the Wizard.

    By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

  3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  4. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
  5. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  6. Click Finish to close the Wizard window.

[Topic 186948]

Creating a policy

To create a tenant policy:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Policies tab and click the New policy button.

    The New Policy Wizard starts.

  3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) from the list and proceed to the next step of the Wizard.
  4. Enter the name of the new policy and proceed to the next step of the wizard.
  5. Specify the Integration Server address and proceed to the next step of the Wizard.

    The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

    The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

  6. At this step, you can change the default settings of the main protection profile.

    The main protection profile is assigned by default to all virtual machines within the protected infrastructure.

    Proceed to the next step of the wizard.

  7. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
    • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
    • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

    You will be able to change your decision later if necessary.

    KSN usage settings (KSN mode and type) are determined by the provider's policy whose scope includes the virtual machines of the tenant.

    Proceed to the next step of the wizard.

  8. Exit the Policy Wizard.

The created policy is displayed in the list of policies in the Managed devices folder on the Policies tab.

If you want to configure different file protection settings for different virtual machines within the protected infrastructure, you need to create and assign additional protection profiles in the policy properties.


[Topic 186129]

Managing File Threat Protection

The settings that Kaspersky Security applies for protection of virtual machines are defined using policies.

Kaspersky Security protects only powered-on virtual machines that have been assigned a protection profile.

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

  • If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
  • If viruses or other malware are detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

    Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

The Signature analysis and machine learning scan method is used for protection of virtual machines. Protection that uses signature analysis provides a minimally acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

Additionally, heuristic analysis is used during virtual machine protection. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

  • If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes fewer resources of the SVM.
  • If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky experts.

Information about all events that occur during protection of virtual machines is sent to the Kaspersky Security Center Administration Server.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files by filtering events by the File blocked event (for more details on events, please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.

In this section:

Configuring main protection profile settings

Managing additional protection profiles

Creating an additional protection profile

Viewing the protected infrastructure in a policy

Assigning protection profile to virtual machines

Disabling file threat protection for virtual machines


[Topic 188576]

Configuring main protection profile settings

You can configure the settings of the main protection profile while creating a policy (during the Configure main protection profile settings step) or in the properties of the policy after it is created (in the Main protection profile subsection in the File Threat Protection section).

To configure main protection profile settings:

  1. In the Security level section, select the security level at which Kaspersky Security scans virtual machines:
    • To apply one of the preset security levels (High, Recommended, or Low), use the slider to select it.
    • To change the security level to Recommended, click the Default button.
    • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
      1. In the Scanning archives and compound files section, specify the values of the following settings:
      2. In the Performance section, specify the values of the following settings:
      3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      4. In the Objects to detect window, click OK.
      5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

  2. In the Action on threat detection section, select an action in the drop-down list.
  3. If you do not want Kaspersky Security to scan files on network drives when protecting virtual machines running Windows operating systems, clear the Scan network drives check box in the Protection scope section. By default, when protecting virtual machines running Windows operating systems, the application scans all files that have not been excluded from protection on network drives.

    When protecting virtual machines running Linux operating systems, Kaspersky Security always scans files of supported network file systems (NFS and CIFS). If you want to exclude files of network file systems from the protection scope, you must configure a protection exclusion for the directory in which the network file system is mounted.

    Kaspersky Security always scans files on removable and hard drives. For this reason the Scan all removable drives and hard drives setting in the Protection scope section cannot be edited.

  4. To exclude certain files of virtual machines from protection, in the Exclusions from protection section, click the Settings button.

    In the Exclusions from protection window that opens, specify the following settings:

    1. In the File extensions section, choose one of the following options:
      • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan when a virtual machine is being protected. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the protection scope.
      • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan when the virtual machine is being protected. When protecting virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files that are to be included in the protection scope. When protecting virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

    2. In the Files and folders table, use the Add, Change, and Delete buttons to create the list of objects to be excluded from protection.

      By default, the list of exclusions includes the objects recommended by Microsoft (please refer to the list of recommended exclusions on the Microsoft website). Kaspersky Security excludes these objects from protection on all virtual machines to which the main protection profile has been assigned. You can view and edit the list of these objects in the Files and folders table.

      You can exclude objects of the following types from protection:

      • Folders. Files stored in folders at the specified path are excluded from protection. For each folder, you can specify whether to apply the exclusion from protection to subfolders.
      • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from protection.

        You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in paths to files and folders that are excluded from protection.

      You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

    If your exclusions list uses an environment variable that has multiple values depending on the bitness (32-bit or 64-bit) of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from protection. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (x86) are excluded from protection.

  5. In the Exclusions from protection window, click OK.
  6. Save the changes by clicking Next (in the New Policy Wizard) or Apply (in the policy properties).

The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.
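
The exclusion rules described above (extension lists, folder entries, * and ? masks, case handling, and the double expansion of %ProgramFiles%), modelled as an added Python example for reviewing which files a profile would leave unscanned. It is not Kaspersky code: the class and function names, the sample entries and paths are constructed, and letting * span path separators is an assumption.

```python
import re
from dataclasses import dataclass, field

FORBIDDEN = set('.*|\\:"<>?/')  # characters the guide disallows in an extension

# Assumption: the two values of %ProgramFiles% on 64-bit Windows named in the guide.
MULTI_VALUE_VARS = {"%programfiles%": [r"C:\Program Files", r"C:\Program Files (x86)"]}


@dataclass
class Exclusions:
    ext_mode: str = "except"                       # "except" or "only"
    extensions: list = field(default_factory=list)
    folders: list = field(default_factory=list)    # (path, include_subfolders)
    masks: list = field(default_factory=list)


def parse_extensions(text):
    """Split on spaces or new lines; a quoted entry ("doc x") keeps its space."""
    items = [q or w for q, w in re.findall(r'"([^"]*)"|(\S+)', text)]
    for item in items:
        bad = FORBIDDEN & set(item)
        if bad:
            raise ValueError(f"{item!r} contains forbidden characters {sorted(bad)}")
    return [i for i in items if i]


def expand(entry):
    """Lower-case an entry and return every concrete path it stands for."""
    low = entry.lower().rstrip("\\/")
    for var, values in MULTI_VALUE_VARS.items():
        if var in low:
            return [low.replace(var, v.lower()) for v in values]
    return [low]


def mask_to_regex(mask):
    """Translate * and ?; assumption: * may also span path separators."""
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in mask), re.S)


def exclusion_reason(path, excl, linux_guest=False):
    """Return the rule that keeps `path` from being scanned, or None if it is scanned."""
    sep = "/" if linux_guest else "\\"
    name = path.rsplit(sep, 1)[-1]
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if excl.ext_mode == "except":
        # Skip-list extensions are matched without regard to case.
        if ext.lower() in {e.lower() for e in excl.extensions}:
            return f"extension '{ext}' is on the skip list"
    elif excl.extensions:  # "only" mode with an empty list scans all files
        # Scan-only extensions are case sensitive on Linux guests only.
        fold = (lambda s: s) if linux_guest else str.lower
        if fold(ext) not in {fold(e) for e in excl.extensions}:
            return f"extension '{ext}' is not on the scan-only list"
    low = path.lower()  # paths in exclusions are matched without regard to case
    parent = low.rsplit(sep, 1)[0]
    for entry, subfolders in excl.folders:
        for folder in expand(entry):
            if parent == folder or (subfolders and parent.startswith(folder + sep)):
                return f"folder exclusion {entry}"
    for entry in excl.masks:
        for mask in expand(entry):
            # Assumption: a mask without a separator is compared to the file name only.
            target = low if sep in mask else name.lower()
            if mask_to_regex(mask).fullmatch(target):
                return f"mask exclusion {entry}"
    return None


def audit(paths, excl, linux_guest=False):
    """Map every path that would NOT be scanned to the rule responsible."""
    result = {}
    for path in paths:
        reason = exclusion_reason(path, excl, linux_guest)
        if reason:
            result[path] = reason
    return result


# Constructed sample profile and file list.
SAMPLE = Exclusions(
    ext_mode="except",
    extensions=parse_extensions('tmp "doc x"\nLOG'),
    folders=[(r"%ProgramFiles%\Backup Agent", True)],
    masks=[r"C:\Data\*.bak", "pagefile.sys"],
)
SAMPLE_PATHS = [
    r"C:\Users\a\report.Tmp",
    r"C:\Program Files (x86)\Backup Agent\bin\agent.exe",
    r"C:\Program Files\Backup Agent\agent.exe",
    r"C:\DATA\old\db.BAK",
    r"C:\Users\a\invoice.exe",
]

if __name__ == "__main__":
    for path, reason in audit(SAMPLE_PATHS, SAMPLE).items():
        print(f"NOT SCANNED  {path}  ({reason})")
```

Running the audit against a real file inventory before importing an exclusions list shows how far a single %ProgramFiles% entry or a scan-only extension list on a Linux guest actually reaches.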


[Topic 188577]

Managing additional protection profiles

You can manage additional protection profiles in the properties of a policy in the list of additional protection profiles.

To open the list of additional protection profiles in the policy properties:

  1. In the tree of the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Policies tab.
  3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  4. In the policy properties window, in the File Threat Protection section, select the additional protection profiles subsection.

    A list of additional protection profiles will appear in the right part of the window. If you have not yet created additional protection profiles in this policy, the list of protection profiles is empty.

In the list of additional protection profiles, you can do the following:

  • Create additional protection profiles.
  • Change the name of an additional protection profile by clicking the Rename button.
  • Edit the settings of additional protection profiles by clicking the Change button. The settings are edited in the Protection settings window. The additional protection profile settings are identical to the main protection profile settings.
  • Export the settings of an additional protection profile to a file by clicking the Export button. To save the settings of an additional protection profile, you need to specify the path to a file in JSON format. You can use previously saved settings when creating a new additional protection profile.
  • Delete additional protection profiles by clicking the Delete button. If this protection profile was used for virtual machine protection, the application will protect these virtual machines using the settings of the protection profile that was assigned to their parent object in the virtual infrastructure. If the parent object has been excluded from protection, the application does not protect such virtual machines.

[Topic 188579]

Creating an additional protection profile

To create an additional protection profile:

  1. In the Kaspersky Security Center Administration Console, open the list of additional protection profiles in the properties of the policy for which you want to create an additional protection profile.
  2. Click the Add button.

    The Protection profile window opens.

  3. In the window that opens, enter the name of the new protection profile.

    A protection profile name cannot contain more than 255 characters.

  4. If you want to use previously saved protection profile settings when creating a new protection profile, select the Import settings from file check box and specify the path to the file in JSON format.
  5. In the Protection profile window, click OK.

    The Protection settings window opens. In this window, you can configure the settings of the new protection profile or change protection profile settings that were imported from a file.

    The additional protection profile settings are identical to the main protection profile settings, with the exception of the default list of exclusions.

    By default, the list of exclusions does not include objects recommended by Microsoft Corporation (please refer to the list of exclusions recommended by Microsoft on the Microsoft website). If you want the objects recommended by Microsoft to be excluded from protection on all virtual machines that have been assigned this protection profile, you need to import the microsoft_file_exclusions.xml file into the protection profile exclusions. The microsoft_file_exclusions.xml file is included in the application distribution kit and is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. After importing the file, you can view and edit the list of these objects in the Files and folders table in the Exclusions from protection window.

  6. After configuring all settings of the protection profile, click OK in the Protection settings window.

    In the Properties: <Policy name> window, a new protection profile appears in the list of additional protection profiles.

You can assign the created protection profile to virtual machines.


[Topic 188590]

Viewing the protected infrastructure in a policy

In policy properties, you can view the protected infrastructure selected for the policy, and information about the use of protection profiles.

To view information about the protected infrastructure in a policy:

  1. In the Kaspersky Security Center Administration Console, open the policy properties:
    1. In the console tree, select the Managed devices folder.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, in the File Threat Protection section, select the Protected infrastructure subsection.

    The Kaspersky Security administration plug-in attempts to automatically connect to the Integration Server. If the connection fails, the Connection to Integration Server window opens. In the Connection to Integration Server window, specify the Integration Server address and click OK.

  3. The Kaspersky Security administration plug-in verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

After connecting to the Integration Server, the right part of the window displays information about the protected infrastructure and the use of protection profiles.
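
The certificate decisions described in the New Policy Wizard and in the procedure above (install on first contact, match against the installed certificate, confirm a replacement), sketched as an added Python example that is not Kaspersky code. It assumes you hold a reference SHA-256 fingerprint obtained over a separate trusted channel; PinStore, the verdict names, and the sample address and certificate bytes are constructed for illustration.

```python
import hashlib
import ssl


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, as lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def normalize(fp):
    """Accept both 'AA:BB:...' and 'aabb...' notation."""
    return fp.replace(":", "").replace(" ", "").lower()


def fetch_der(host, port):
    """Fetch the certificate a server presents; no validation happens here."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


class PinStore:
    """Trusted fingerprints per server address, plus a log of every decision."""

    def __init__(self):
        self.pins = {}
        self.log = []

    def check(self, address, received_der, reference_fp=None):
        """Decide what to do with the certificate received from `address`.

        trusted      - matches the certificate already installed for the address
        install      - first contact, and the reference fingerprint confirms it
        verify-first - first contact without confirmation: do not install yet
        replace      - differs from the installed one, but the reference confirms it
        reject       - differs from the installed one and is unconfirmed
        """
        key = address.lower()
        got = fingerprint(received_der)
        pinned = self.pins.get(key)
        confirmed = reference_fp is not None and normalize(reference_fp) == got
        if pinned == got:
            verdict = "trusted"
        elif pinned is None:
            verdict = "install" if confirmed else "verify-first"
        else:
            verdict = "replace" if confirmed else "reject"
        if verdict in ("install", "replace"):
            self.pins[key] = got
        self.log.append((key, verdict, got[:16]))
        return verdict


# Constructed byte strings standing in for two DER-encoded certificates.
OLD_CERT = b"constructed-certificate-bytes-original"
NEW_CERT = b"constructed-certificate-bytes-reissued"

if __name__ == "__main__":
    store = PinStore()
    address = "integration-server.example.test"  # constructed address
    print(store.check(address, OLD_CERT))
    print(store.check(address, OLD_CERT, fingerprint(OLD_CERT)))
    print(store.check(address, NEW_CERT))
```

A "reject" verdict corresponds to the replacement confirmation window: the received certificate differs from the installed one and has not been confirmed over another channel.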

Information about the protected infrastructure

The protected infrastructure is displayed as a tree of items. The root element is the "vCloud Director organization" object, which combines all virtual Datacenters of your virtual infrastructure.

If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine has been assigned a protection profile, the settings of this protection profile are applied to all virtual machines that have the same ID (vmID).

Information about the assignment of protection profiles to virtual infrastructure objects

The Protection profile column displays information about the assignment of protection profiles to objects of the protected infrastructure. Kaspersky Security uses the settings of assigned protection profiles when protecting virtual machines.

The information is displayed as follows:

  • The name of an expressly assigned protection profile is highlighted in black.
  • The name of a protection profile inherited from a parent object is highlighted in gray. The name is formed as follows: "inherited: <N>", where N represents the name of the protection profile that was inherited from a parent object.
  • If no protection profile has been assigned to an object of the protected infrastructure (the object has been excluded from protection), the Protection profile column displays the value (Not assigned).

By default, the main protection profile is assigned to the root element "vCloud Director organization" and is inherited by all objects of the virtual infrastructure.


[Topic 188591]

Assigning protection profile to virtual machines

To assign a protection profile to a virtual machine:

  1. In the policy properties, select the Protected infrastructure subsection.
  2. In the table, select one or more virtual machines.

    If you want to assign the same protection profile to all virtual machines that are child objects of a single virtual Datacenter, select this Datacenter in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

  3. Click the Select protection profile button.

    The Selecting protection profile window opens.

  4. Select one of the following options:
    • Inherit parent protection profile: <name>. Select this option if you want to assign the protection profile of the parent object to a virtual machine or other virtual infrastructure object.
    • Use protection profile. Select this option and indicate the protection profile name in the drop-down list to assign this protection profile to a virtual machine or other virtual infrastructure object. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
  5. If the selected virtual infrastructure object has child objects, the protection profile is assigned to the object and to all of its child objects, including objects that have been assigned their own protection profile or that have been excluded from protection. If you want to assign the protection profile only to the selected virtual infrastructure object and to its child objects that inherit the protection profile and that have not been excluded from protection, clear the Apply to all child objects check box.
  6. Click OK.

    The Selecting protection profile window will close, and the assigned protection profile will be displayed in the table in the Protected infrastructure subsection.

  7. In the Properties: <Policy name> window, click OK.

[Topic 57988]

Disabling file threat protection for virtual machines

To disable virtual machine protection:

  1. In the policy properties, select the Protected infrastructure subsection.
  2. If you want to disable protection for one or multiple virtual machines:
    1. In the table, select one or more virtual machines.

      If you want to disable protection for all virtual machines that are child objects of a single virtual Datacenter, select this Datacenter in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

    2. Click the Select protection profile button.

      The Selecting protection profile window opens.

    3. Select the Do not use protection profile option.
    4. If you selected a Datacenter, protection will be disabled by default for all virtual machines within it, including virtual machines that have been assigned their own protection profile. If you want to disable protection only for those virtual machines that inherit the protection profile from the parent object, clear the Apply to all child objects check box.
    5. Click OK.

      The Selecting protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for virtual machines that have been excluded from protection is (Not assigned).

  3. If you want to disable protection for all virtual machines in your virtual infrastructure, clear the Use File Threat Protection check box located in the upper part of the window.
  4. In the Properties: <Policy name> window, click OK.
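
How the Protection profile column, the Apply to all child objects check box and the deletion of an additional profile interact, modelled as an added Python example for finding virtual machines that end up unprotected; it is not the product's code. The Node class, the function names, the profile names and the sample tree are hypothetical, and resetting child objects to "inherit" is an assumed way of representing a profile applied to all child objects.

```python
from dataclasses import dataclass, field
from typing import Optional

INHERIT = None                # the object follows its parent
EXCLUDED = "(Not assigned)"   # value the console shows for excluded objects
MAIN = "Main protection profile"


@dataclass(eq=False)
class Node:
    name: str
    is_vm: bool = False
    assignment: Optional[str] = INHERIT
    children: list = field(default_factory=list)
    parent: Optional["Node"] = field(default=None, repr=False)

    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child


def descendants(node):
    for child in node.children:
        yield child
        yield from descendants(child)


def effective(node):
    """Name of the profile whose settings apply, or None if unprotected."""
    while node is not None:
        if node.assignment == EXCLUDED:
            return None
        if node.assignment is not INHERIT:
            return node.assignment
        node = node.parent
    return None


def column_text(node):
    """Text of the Protection profile column for one object."""
    if node.assignment is not INHERIT:
        return node.assignment          # explicit profile or (Not assigned)
    profile = effective(node)
    return f"inherited: {profile}" if profile else EXCLUDED


def assign(node, profile, apply_to_all_children=True):
    """Assign a profile, or EXCLUDED to disable protection, to an object."""
    node.assignment = profile
    if apply_to_all_children:
        # Overrides own profiles and exclusions of every child object.
        for child in descendants(node):
            child.assignment = INHERIT


def delete_profile(root, profile):
    """Objects that used a deleted profile fall back to their parent's."""
    for node in [root, *descendants(root)]:
        if node.assignment == profile:
            node.assignment = INHERIT


def unprotected_vms(root):
    return [n.name for n in descendants(root) if n.is_vm and effective(n) is None]


def sample_tree():
    """Constructed infrastructure: one organization, two virtual Datacenters."""
    root = Node("vCloud Director organization", assignment=MAIN)
    vdc1, vdc2 = root.add(Node("vdc1")), root.add(Node("vdc2"))
    nodes = {"vdc1": vdc1, "vdc2": vdc2}
    nodes["vm-a"] = vdc1.add(Node("vm-a", is_vm=True))
    nodes["vm-b"] = vdc1.add(Node("vm-b", is_vm=True, assignment="DB servers"))
    nodes["vm-c"] = vdc1.add(Node("vm-c", is_vm=True, assignment=EXCLUDED))
    nodes["vm-d"] = vdc2.add(Node("vm-d", is_vm=True))
    return root, nodes


if __name__ == "__main__":
    root, nodes = sample_tree()
    assign(nodes["vdc1"], "Strict", apply_to_all_children=False)
    for node in descendants(root):
        print(f"{node.name:6} {column_text(node)}")
    print("unprotected:", unprotected_vms(root))
```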

[Topic 186130]

Scanning virtual machines

Kaspersky Security lets you run a virus scan on the files of virtual machines on a VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

The settings that Kaspersky Security applies while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:

  • Full Scan. This task lets you run a virus scan on the files of all virtual machines in your virtual infrastructure.
  • Custom Scan. This task lets you run a virus scan on the files of those virtual machines that you specified in the task settings. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

You can set a schedule for running scan tasks, manually run a scan task, and view information about the progress and results of tasks.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning while using signature analysis ensures the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable files, which raises the probability of threat detection.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.

Special considerations for scanning virtual machines:

  • When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
  • When performing scan tasks, Kaspersky Security can scan virtual machine templates.
  • When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.

    When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files by filtering events by the File blocked event (for more details, please refer to the Kaspersky Security Center documentation).

In this section:

Creating a full scan task

Creating a custom scan task

Configuring virtual machine scan settings in a scan task

Configuring the scan scope in a scan task


[Topic 57986]

Creating a full scan task

To create a full scan task:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
  2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Full Scan.

    Proceed to the next step of the New Task Wizard.

  4. Configure the settings for scanning virtual machines.

    Proceed to the next step of the New Task Wizard.

  5. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

    Proceed to the next step of the New Task Wizard.

  6. To configure the task run schedule, please define the values of the following settings:
    • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
    • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

      If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

    • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

    • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

      Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

    Proceed to the next step of the New Task Wizard.

  7. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
  8. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created full scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.


[Topic 58821]

Creating a custom scan task

To create a Custom Scan task for virtual machines of tenants:

  1. In the Kaspersky Security Center Administration Console, select the Managed devices folder of the virtual Administration Server corresponding to the tenant.
  2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
  3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Custom Scan.

    Proceed to the next step of the New Task Wizard.

  4. Specify the Integration Server address and proceed to the next step of the New Task Wizard.

    The Task Wizard verifies the SSL certificate received from the Integration Server. The SSL certificate is used to establish a secure connection to the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. If there are problems with the SSL certificate, it is recommended to make sure that the data transfer channel in use is secure.

    To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the received certificate as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

    To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

  5. Select the task scope: select the check boxes for those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

    If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

    Proceed to the next step of the New Task Wizard.

  6. Configure the settings for scanning virtual machines.

    Proceed to the next step of the New Task Wizard.

  7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

    Proceed to the next step of the New Task Wizard.

  8. To configure the task run schedule, please define the values of the following settings:
    • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
    • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

      If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

    • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized within the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is selected by default.

    • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

      Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

    Proceed to the next step of the New Task Wizard.

  9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
  10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.
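The decision behind the Certificate verification window in step 4, as an added example (not Kaspersky code): compare the SHA-256 fingerprint of the received certificate with one read out of band on the Integration Server host before installing or replacing a trusted certificate. The function names, the out-of-band reference fingerprint, and the sample bytes are assumptions of this example.

```python
import hashlib
import hmac
import ssl


def fetch_pem(host, port):
    """Fetch the certificate the server presents, without validating it.

    host and port are supplied by the caller; the page does not state the port.
    """
    return ssl.get_server_certificate((host, port))


def fingerprint(pem_cert):
    """SHA-256 over the DER encoding, as shown by certificate viewers."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def normalize(fp):
    """Accept 'AB:CD:...', 'ab cd ...' or plain hex."""
    return fp.replace(":", "").replace(" ", "").lower()


def same(fp_a, fp_b):
    """Compare two fingerprints in constant time."""
    return hmac.compare_digest(normalize(fp_a), normalize(fp_b))


def trust_decision(received_pem, reference_fp, installed_fp=None):
    """Decide how to answer the Certificate verification window.

    reference_fp: fingerprint read on the Integration Server host itself
    (out of band, an assumption of this example).
    installed_fp: fingerprint of the certificate already installed as
    trusted on the Administration Console computer, if there is one.
    """
    received = fingerprint(received_pem)
    if installed_fp and same(received, installed_fp):
        return "already-trusted"   # matches the installed certificate
    if not same(received, reference_fp):
        return "reject"            # not the server's certificate: do not continue
    # The received certificate is the server's own: safe to install it,
    # or to confirm replacement of a previously installed one.
    return "replace" if installed_fp else "install"


# Constructed stand-in bytes, not parseable X.509 certificates. The
# fingerprint is taken over the raw DER bytes, so the logic is unchanged.
SERVER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-integration-server-cert")
OTHER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-unexpected-cert")
_hex = fingerprint(SERVER_PEM).upper()
REFERENCE_FP = ":".join(_hex[i:i + 2] for i in range(0, len(_hex), 2))

if __name__ == "__main__":
    print(trust_decision(SERVER_PEM, REFERENCE_FP))
    print(trust_decision(OTHER_PEM, REFERENCE_FP, fingerprint(SERVER_PEM)))
```

A "reject" result when a certificate was previously installed corresponds to the replacement prompt appearing for a certificate that is not the server's own.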


[Topic 83461]

Configuring virtual machine scan settings in a scan task

You can configure the virtual machine scan settings while creating the task (the Configure scan settings step) or in the task properties after its creation (the Scan settings section).

To configure the virtual machine scan settings:

  1. Select the security level at which Kaspersky Security scans virtual machines. To do so, in the Security level section, perform one of the following actions:
    • If you want to apply one of the pre-installed security levels (High, Recommended, or Low), use the slider to select one.
    • To change the security level to Recommended, click the Default button.
    • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
      1. In the Scanning archives and compound files section, specify the values of the following settings:
      2. In the Performance section, specify the values of the following settings:
      3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:

        Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms setting and the Trojans setting in the Malware section cannot be changed.

      4. In the Objects to detect window, click OK.
      5. In the Security level settings window, click OK.

    If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

  2. In the Scan powered-on virtual machines section, configure the settings for scanning virtual machines that are powered on while a task is running:
  3. In the Scan powered-off virtual machines and virtual machine templates section, configure the settings for scanning virtual machines that are powered off or paused while a task is running, as well as for scanning virtual machine templates:
  4. In the Stop scan section, choose one of the following options:
  5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

[Topic 58073]

Configuring the scan scope in a scan task

The scan scope refers to the locations and extensions of files of virtual machines that are scanned by Kaspersky Security when it performs a scan task.

If a scan scope has not been configured, Kaspersky Security scans all files of virtual machines.

When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to scan files in network folders regularly, you must create a task for scanning virtual machines that have shared files and folders, and include those files and folders in the scan task scope.

When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

You can define the scan scope of a task while creating the task (the Defining the scan scope step) or in the task properties after it is created (the Scan scope section).

To configure the scan scope of the task:

  1. Select one of the following options:
    • Scan all files and folders except for those specified
    • Scan specified files and folders only
  2. If you selected the Scan all files and folders except for those specified option, you can create a list of objects that must be excluded from the scan scope by using the Add, Change and Delete buttons.

    You can exclude objects of the following types from the scan scope:

    • Folders. Files stored in folders at the specified path are excluded from the scan scope. For each folder, you can specify whether to apply the exclusion to subfolders.
    • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from the scan scope.

      You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in the paths to files and folders, names and masks of files that are to be excluded from the scan scope.

    You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

    The application distribution kit includes the microsoft_file_exclusions.xml file with the list of exclusions recommended by Microsoft Corporation (see the Microsoft website for the list of exclusions recommended by Microsoft). The microsoft_file_exclusions.xml file is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. You can import this file into exclusions of the scan task. After the import is completed, Kaspersky Security does not scan the objects recommended by Microsoft when it performs a scan task. You can view and edit the list of these objects in the Files and folders table.

    If your exclusions list uses an environment variable that has multiple values depending on the bitness (32-bit or 64-bit) of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program Files and in the folder C:\Program Files (x86) are excluded from the scan scope.

  3. If you selected the Scan all files and folders except for those specified option, in the File extensions section you can specify the extensions of files that should be included in the scan scope or excluded from the scan scope.

    To do so, select one of the options below:

    • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan during a scan task. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the scan scope.
    • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan during a scan task. When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files to be included in the scan scope. When scanning virtual machines running Windows operating systems, the application ignores the case of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

    Folders excluded from the scan have a higher priority than file extensions that are included in the scan scope. If a file is located in a folder that is excluded from the scan, the application skips this file even if its extension is included in the scan scope.

  4. If you selected the Scan specified files and folders only option, use the Add, Change, and Delete buttons to create a list of virtual machine files and folders to scan during the scan task.

    When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in paths to files and directories included in the scan scope. When scanning virtual machines running Windows operating systems, paths to files and folders are not case sensitive.

    If your list of objects requiring scanning uses an environment variable that has multiple values depending on the bitness (32-bit or 64-bit) of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are included in the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program Files and in the folder C:\Program Files (x86) are included in the scan scope.

  5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).
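How the exclusion rules above combine, as an added model in Python (not Kaspersky code) for checking which guest paths an exclusion list leaves unscanned before you save or import it. It covers Windows guest paths and the Scan all files and folders except for those specified option; the class and function names, the sample list, and the mask-matching assumptions noted in the comments are this example's own.

```python
import re
from dataclasses import dataclass, field
from ntpath import basename, dirname, normpath

# The page's example: on 64-bit Windows %ProgramFiles% stands for both folders.
ENV_VALUES = {"%programfiles%": [r"C:\Program Files", r"C:\Program Files (x86)"]}


def expand(entry):
    """Return every expansion of an entry that starts with a multi-valued variable."""
    for var, values in ENV_VALUES.items():
        if entry.lower().startswith(var):
            return [value + entry[len(var):] for value in values]
    return [entry]


def norm(path):
    """Exclusions ignore case; also unify separators and drop trailing slashes."""
    return normpath(path).lower()


def mask_matches(mask, path):
    """Only * and ? are wildcards; every other character is literal.

    Assumptions: a mask containing a backslash is compared with the full
    path, any other mask with the file name alone, and * may span folders.
    """
    pattern = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in mask
    )
    target = path if "\\" in mask else basename(path)
    return re.fullmatch(pattern, target) is not None


@dataclass
class ExclusionScope:
    """Model of the 'Scan all files and folders except for those specified' option."""
    folders: list = field(default_factory=list)   # (path, apply_to_subfolders)
    masks: list = field(default_factory=list)     # file names, paths or masks
    ext_mode: str = "all_except"                  # or "only"
    extensions: list = field(default_factory=list)

    def verdict(self, file_path):
        """Return (scanned, reason) for one Windows guest file path."""
        path = norm(file_path)
        parent = dirname(path)
        # Folder exclusions come first: they outrank extension inclusion.
        for folder, subfolders in self.folders:
            for root in map(norm, expand(folder)):
                below = parent.startswith(root.rstrip("\\") + "\\")
                if parent == root or (subfolders and below):
                    return False, "folder exclusion: " + folder
        for mask in self.masks:
            if any(mask_matches(norm(m), path) for m in expand(mask)):
                return False, "mask exclusion: " + mask
        name = basename(path)
        ext = name.rsplit(".", 1)[1] if "." in name else ""
        listed = ext in {e.lower() for e in self.extensions}
        if self.ext_mode == "all_except" and listed:
            return False, "extension excluded: " + ext
        # An empty 'only' list means that all files are scanned.
        if self.ext_mode == "only" and self.extensions and not listed:
            return False, "extension not in include list: " + ext
        return True, "in scan scope"


def unscanned(scope, paths):
    """List the (path, reason) pairs that the scope leaves out of a scan task."""
    skipped = []
    for path in paths:
        scanned, reason = scope.verdict(path)
        if not scanned:
            skipped.append((path, reason))
    return skipped


# Constructed sample: an exclusion list and guest paths to audit against it.
SAMPLE_SCOPE = ExclusionScope(
    folders=[(r"%ProgramFiles%\Backup", True), (r"C:\Tools", False)],
    masks=["*.tmp", r"C:\Logs\app??.log"],
    extensions=["ISO"],
)
SAMPLE_PATHS = [
    r"C:\Program Files (x86)\Backup\Sub\a.exe",
    r"C:\Tools\sub\x.exe",
    r"c:\logs\APP01.LOG",
    r"D:\img\disk.iso",
    r"D:\x\report.TMP",
]

if __name__ == "__main__":
    for path, why in unscanned(SAMPLE_SCOPE, SAMPLE_PATHS):
        print(f"NOT SCANNED  {path}  ({why})")
```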

[Topic 186131]

Participating in Kaspersky Security Network

To enhance the protection of virtual machines, Kaspersky Security can use data received from Kaspersky users all over the world. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to the Kaspersky online knowledge base with information about the reputation of files, web resources, and software. Data from Kaspersky Security Network ensures faster response by Kaspersky Security to unknown threats, improves the performance of some protection components, and reduces the risk of false positives.

If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Security with information about the category and reputation of scanned files.

The following types of KSN are differentiated depending on the location of the infrastructure:

  • Global KSN. This infrastructure is hosted by Kaspersky servers.
  • Private KSN. This infrastructure is located within the corporate network or hosted by third-party servers of the service provider, for example, on the Internet service provider's network.

The KSN mode (standard KSN or extended KSN) affects the amount of data that is automatically transmitted to Kaspersky when KSN is being used. Kaspersky Security automatically sends Kaspersky information about the use of KSN, and may send other information depending on the KSN usage mode. If KSN is being used in extended mode, you agree to automatically send Kaspersky all the data listed in the Kaspersky Security Network Statement. Files (or parts thereof) that could be exploited by hackers to harm the virtual machine or data stored in its operating system may also be sent to Kaspersky for analysis.

You can view the text of the Kaspersky Security Network Statement in the policy properties in the KSN settings section.

For information about the storage, protection and destruction of statistical information that is obtained during the use of KSN and transmitted to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.

Information about which KSN mode and type are being used by Kaspersky Security can be obtained from the anti-virus protection provider. KSN usage settings are determined by the policy of the provider.

Participation in Kaspersky Security Network is voluntary. The decision to participate in Kaspersky Security Network is made during the creation of a Kaspersky Security policy, and this decision can be changed at any time.

KSN is used by Kaspersky Security only if you have accepted the terms of the Kaspersky Security Network Statement and the anti-virus protection provider has enabled the use of KSN.

In this section:

Viewing the Kaspersky Security Network Statement

Enabling and disabling use of Kaspersky Security Network


[Topic 188655]

Viewing the Kaspersky Security Network Statement

To view the Kaspersky Security Network Statement:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the protection settings for your virtual infrastructure:
    1. In the console tree, select the Managed devices folder.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the KSN settings section.
  3. Click the link to open the Kaspersky Security Network Statement.

The text of the Kaspersky Security Network Statement opens in a separate window.


[Topic 188656]

Enabling and disabling use of Kaspersky Security Network

The use of KSN by Kaspersky Security is enabled or disabled in a policy. If KSN usage is enabled in the active policy and the anti-virus protection provider has enabled the use of KSN, KSN services are used in the operation of Kaspersky Security during virtual machine protection and when executing virtual machine scan tasks.

If the policy configured for KSN usage is inactive or KSN usage is disabled in the policy of the provider, KSN services are not used in the operation of Kaspersky Security.

To enable or disable the use of KSN by Kaspersky Security:

  1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the protection settings for your virtual infrastructure:
    1. In the console tree, select the Managed devices folder.
    2. In the workspace, select the Policies tab.
    3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
  2. In the policy properties window, select the KSN settings section.
  3. If you want to enable use of KSN by the application:
    1. Select the Use KSN check box.
    2. In the opened window, read the Kaspersky Security Network Statement.
    3. If you agree with all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement and click OK.
  4. If you want to disable the use of KSN, clear the Use KSN check box.
  5. In the Properties: <Policy name> window, click OK.

[Topic 186132]

Obtaining protection status information

Kaspersky Security components installed on SVMs relay service messages (events) containing information about application operation to the Kaspersky Security Center Administration Server. Information about events is saved in the Administration Server database.

Event importance levels are of the following types:

  • Critical event. A critical event indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error. It may indicate problems in the operation of Kaspersky Security or vulnerabilities in the protection of virtual machines.
  • Error. This event indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
  • Warning. This event requires attention because it emphasizes important situations in the operation of Kaspersky Security and may indicate a possible issue in the future.
  • Info. This event informs about successful completion of an operation, proper functioning of the application, or completion of a procedure.

You can view information from the Administration Server database in the workspace of the Administration Server node on the Events tab.

Information on the Events tab is presented as a list of event selections. Each selection includes only events of a specific type. For example, the "Device status is Critical" selection contains only records about changes of device statuses to "Critical". The Events tab contains a number of standard event selections. You can create additional (custom) event selections and export event information to a file. For more information about event filtering, see Kaspersky Security Center documentation.

A notification is a message containing information about an event. Notifications keep the user informed about application events in a timely manner. To select the method used for notifications about events and to configure other event notification settings, you need to contact your anti-virus protection provider.

For detailed information on events and notifications, see the Kaspersky Security Center documentation.


[Topic 59046]

Removing the Kaspersky Security administration plug-in for tenants

You can remove the Kaspersky Security administration plug-in for tenants in interactive mode by using the standard application removal tools in the operating system.

To do so, in the list of applications installed in the operating system, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) – administration plug-in for removal.

The removal is performed by a wizard.


[Topic 70331]

Contacting Technical Support

This section describes the ways to get technical support and the terms on which it is available.

In this Help section

How to get technical support

Technical Support via Kaspersky CompanyAccount

Collecting information for Technical Support

About trace files


[Topic 76572]

How to get technical support

If you cannot find a solution to your issue in the application documentation or in other sources of information about the application, we recommend that you contact Technical Support. Technical Support specialists will answer your questions about installing and using the application.

Kaspersky provides support for this application during its life cycle (see the product support life cycle page). Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:


[Topic 68417]

Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for companies that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky specialists through online requests. The Kaspersky CompanyAccount portal lets you monitor the progress of electronic request processing by Kaspersky specialists and store a history of electronic requests.

You can register all of your organization's employees under a single account on Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount portal is available in the following languages:

  • English
  • Spanish
  • Italian
  • German
  • Polish
  • Portuguese
  • Russian
  • French
  • Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.


[Topic 60203]

Collecting information for Technical Support

Report for Technical Support

After you notify Technical Support specialists about your issue, they may ask you to generate a report with the following information:

  • SVM configuration settings
  • VMware ESXi hypervisor version
  • VMware vCenter Server version
  • VMware NSX Manager component version
  • Version of the VMware Tools kit installed on the protected virtual machine
  • List of VMware technologies used (View, DRS, DPM, HA, FT)
  • Kaspersky Security Center version
  • For a computer with Kaspersky Security Center installed – operating system version and Microsoft .NET Framework version

Send the generated report to Technical Support.

Getting data files

After you notify Technical Support experts about your issue, they may ask you to send trace files for application components and/or system statistics files from the SVM.

Information about how to obtain SVM system statistics files is available on the application page in the Knowledge Base.

Special operating modes of application components

For diagnostics of application operation, Technical Support experts may ask you to perform the following actions:

  • Turn on Integration Server debug mode. A special configuration file setting is used to turn on debug mode. To receive more detailed information about the operation of the Integration Server, you may need to configure additional application settings in the configuration file.
  • Start installation of Kaspersky Security components (Kaspersky Security administration plug-in, Integration Server, and Integration Server Console) in silent mode with special command line settings.
  • Make changes to the application configuration files and apply those changes.

For detailed information necessary to perform the listed actions, you can contact Technical Support experts.

Using utilities from the application distribution kit

To analyze the cause of errors in the operation of Kaspersky Security, Technical Support experts may ask you to use the following utilities included in the application distribution kit:

  • inventory_view_format_client – a utility for obtaining data on the VMware virtual infrastructure and data on the current protection status and protection status history
  • licenser_client – a utility for managing keys and viewing license information
  • check_policy_client – a utility that checks whether Kaspersky Security is using a policy that was received from Kaspersky Security Center or is using the default protection settings
  • ksvscan_client – a utility used to view information about the installed application databases
  • product_status_client – a utility that checks whether or not application databases are installed, the application has been activated, and protection is enabled
  • qb_client – a utility for managing backup copies of files in Backup
  • detect_cache_purge_client – a utility that clears the cache of statuses of detected objects
  • event_log_client, emergency_event_log_client – utilities that generate events to be relayed to Kaspersky Security Center
  • tracer_configurator_client – a utility that lets you configure the settings for logging information to SVM trace files
  • updater_client – a utility for updating application databases or rolling back the update
  • autopatch_client – a utility that installs application patches downloaded together with the application databases update package
  • vicreds – a utility for viewing or editing the settings of the SVM connection to the VMware vCenter Server or Integration Server
  • ksv_policy_editor, ksv_policy_manager_client – utilities that let you change the settings of a policy applied on an SVM
  • klmover – a utility for editing the address of the Kaspersky Security Center Administration Server and changing the mode of data exchange in the SVM configuration settings

For details on using the utilities, see the application page in the Knowledge Base.


[Topic 58090]

About trace files

A trace file helps you follow the step-by-step execution of application commands and identify the phase of application operation in which an error occurs.

You can view data saved in trace files. Please contact Kaspersky Technical Support for advice on how to view data.

All trace files contain the following common data:

  • Event time
  • Number of the thread of execution
  • Application component that caused the event
  • Degree of event importance (informational event, warning, critical event, error)
  • Description of the event involving execution of a command received from an application component, and the result of execution of this command

Trace files are not automatically sent to Kaspersky. You can use these files when contacting Technical Support. The information recorded in trace files may be needed for analysis and identification of the causes of errors in the operation of application components.

For the purpose of working with trace files, Technical Support experts may ask you to use the logcontrol.sh script that is included in the application distribution kit (for details, please refer to the Knowledge Base).

Trace files are stored in non-encrypted form. You are advised to protect them against unauthorized access.

In this section:

About Kaspersky Security components Installation Wizard trace files

About trace files of the Installation Wizard for the Kaspersky Security administration plug-in for tenants

About SVM trace files

About trace files of the Integration Server and Integration Server Console

[Topic 56685]

About Kaspersky Security components Installation Wizard trace files

Information about the progress and results of installation, upgrade, and removal of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console is logged to trace files of the Installation Wizard for Kaspersky Security components. If installation, upgrade, or removal ends in an error, you can use these files when contacting Technical Support.

Trace files of the Kaspersky Security Components Installation Wizard are files in TXT format. They are automatically saved on the same computer on which the user ran the installation, upgrade or removal of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console.

If you install Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_BundleInitialInstall_logs_<date and time>.zip, where <date and time> is the date and time of installation completion.

If you upgrade Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_BundleMajorUpgrade_logs_<date and time>.zip, where <date and time> is the date and time of upgrade completion.

If you remove Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_BundleUninstall_logs_<date and time>.zip, where <date and time> is the date and time of removal completion.

Trace files of the Kaspersky Security Components Installation Wizard contain the following information:

  • Diagnostic information about the process of installation, upgrade or removal of Kaspersky Security components.
  • Name of the computer on which the user started the procedure for installing, upgrading or removing Kaspersky Security components, and the name of the user that started the procedure.
  • Information about errors that occurred during the process of installation, upgrade or removal of Kaspersky Security components.

[Topic 189253]

About trace files of the Installation Wizard for the Kaspersky Security administration plug-in for tenants

Information about the progress and results of installation, upgrade and removal of the Kaspersky Security administration plug-in for tenants is written to Wizard trace files. If installation, upgrade, or removal ends in an error, you can use these files when contacting Technical Support.

Trace files of the Installation Wizard for the Kaspersky Security administration plug-in for tenants are in TXT format. They are automatically saved on the same computer on which the installation, upgrade, or removal of the administration plug-in was performed.

If you install the Kaspersky Security administration plug-in for tenants, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_(for_tenants)_BundleInitialInstall_logs_<date and time>.zip (<date and time> is the date and time of installation completion).

If you upgrade the Kaspersky Security administration plug-in for tenants, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_(for_tenants)_BundleMajorUpgrade_logs_<date and time>.zip (<date and time> is the date and time of upgrade completion).

If you remove the Kaspersky Security administration plug-in for tenants, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_6.0_Agentless_(for_tenants)_BundleUninstall_logs_<date and time>.zip (<date and time> is the date and time of removal completion).

Trace files of the Installation Wizard for the Kaspersky Security administration plug-in for tenants contain the following information:

  • Diagnostic information about the process of installation, upgrade or removal of the Kaspersky Security administration plug-in for tenants
  • Name of the computer on which the user started the procedure for installing, upgrading or removing the Kaspersky Security administration plug-in for tenants, and the name of the user that started the procedure
  • Information about errors that occurred during the process of installation, upgrade or removal of the Kaspersky Security administration plug-in for tenants

[Topic 166387]

About SVM trace files

Information about application operation may be logged to the following trace files located on SVMs:

  • on an SVM with the File Threat Protection component:
    • /var/log/kaspersky/ksv/connector.ksv.log
    • /var/log/kaspersky/ksv/connector.ksvt.log
    • /var/log/kaspersky/ksv/wdserver.log
    • /var/log/kaspersky/ksv/klmount.log
    • /var/log/kaspersky/ksv/ksvmain.log
  • on an SVM with the Network Threat Protection component:
    • /var/log/kaspersky/ksvns/connector.ksv.log
    • /var/log/kaspersky/ksvns/wdserver.log
    • /var/log/kaspersky/ksvns/ksvnsmain.log
  • on an SVM with the File Threat Protection component and on an SVM with the Network Threat Protection component:
    • /var/log/kaspersky/klnagen64/$klnagent-1103-wd.log
    • /var/log/kaspersky/klnagen64/$klnagent-1103.log
    • /var/log/ksv
    • /var/log/secure
    • /var/log/messages
    • /var/log/mr_product_stat_ksv.log
    • /var/log/mr_system_stat_ksv.log

By default, information about the application operation is not saved. To enable logging of information to SVM trace files, you must perform the steps described on the application page in the Knowledge Base.

In addition to general data, SVM trace files may contain the following information:

  • Names of scanned files and the paths to them on the virtual machine. Personal data (last name, first name, and middle name, email address, user account name) may also be saved if this data is contained in the paths or names of scanned files.
  • Scanned web addresses, IP addresses and names of virtual machines, information about the virtual local area network (VLAN), information about the Ethernet, IP, TCP, and UDP headers for each network packet.
  • Information about drive mounts for scanning powered-off virtual machines, lists of file systems and their IDs.
  • Information about operating system events.
  • Information about events that occurred during interaction with Kaspersky Security Center.
  • Information about events that occurred during operation of the watchdog service.
  • Information about the operation of an SVM in the multitenancy mode, and about SVM configuration settings received from the Integration Server.
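
Because SVM trace files are stored in non-encrypted form and may hold personal data, file permissions are the first thing to check once tracing is enabled. The following shell script is an added example, not part of the Kaspersky distribution kit: it walks the trace paths listed in this section and reports every file that users outside the owner and group can read or write. The function names, the `--audit` switch and the optional root prefix (for checking a copied file tree) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Kaspersky code): audit permissions on SVM trace files.

# Trace locations copied from the list in this section. Single quotes keep
# the literal "$klnagent" prefix from being expanded by the shell.
TRACE_PATHS='
/var/log/kaspersky/ksv/connector.ksv.log
/var/log/kaspersky/ksv/connector.ksvt.log
/var/log/kaspersky/ksv/wdserver.log
/var/log/kaspersky/ksv/klmount.log
/var/log/kaspersky/ksv/ksvmain.log
/var/log/kaspersky/ksvns/connector.ksv.log
/var/log/kaspersky/ksvns/wdserver.log
/var/log/kaspersky/ksvns/ksvnsmain.log
/var/log/kaspersky/klnagen64/$klnagent-1103-wd.log
/var/log/kaspersky/klnagen64/$klnagent-1103.log
/var/log/ksv
/var/log/secure
/var/log/messages
/var/log/mr_product_stat_ksv.log
/var/log/mr_system_stat_ksv.log
'

# Print every trace file that "other" users can read or write.
# $1 is an optional root prefix (assumption): empty on a live SVM,
# or a directory holding a copy of the SVM file tree.
list_exposed_traces() {
    root=$1
    for p in $TRACE_PATHS; do
        target=$root$p
        # Logging is off by default, so a missing trace is not a finding.
        [ -e "$target" ] || continue
        # A listed path may be a file or a directory (/var/log/ksv);
        # find handles both and descends into directories.
        find "$target" -type f \( -perm -004 -o -perm -002 \) -print
    done
}

# Report findings with their mode string; return 1 if any file is exposed.
audit_trace_perms() {
    exposed=$(list_exposed_traces "$1")
    if [ -z "$exposed" ]; then
        return 0
    fi
    printf '%s\n' "$exposed" | while IFS= read -r f; do
        printf 'EXPOSED %s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
    done
    return 1
}

# Run the audit only when asked to: sh audit.sh --audit [root-prefix]
if [ "${1:-}" = "--audit" ]; then
    audit_trace_perms "${2:-}"
    exit $?
fi
```

A non-zero exit status means at least one trace file needs its mode tightened; the `EXPOSED` lines name the files.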

[Topic 90934]

About trace files of the Integration Server and Integration Server Console

Information about the operation of the Integration Server and the Integration Server Console may be recorded in the following trace files:

  • %ProgramData%\Kaspersky Lab\VIIS\logs\service.log – the Integration Server trace file.
  • %ProgramData%\Kaspersky Lab\VIIS Console\logs\console.log – the trace file of the Integration Server Console.

Trace files are created only after you have enabled the logging of information about the Integration Server and Integration Server Console. By default, information about the operation of the Integration Server and Integration Server Console is not saved.

You can enable the logging of information to Integration Server and Integration Server Console trace files, and change the level of detail of information in trace files by using configuration files:

  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIIS\Nlog.config – for the Integration Server trace file
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIIS Console\NLog.config – for the Integration Server Console trace file

Contact Technical Support experts for details.

If you enabled the logging of information to the Integration Server trace file, you can view this file by clicking the View trace file link in the Integration Server settings section of the Integration Server Console. The link is available only if the Integration Server Console is installed on the same computer as the Integration Server.

The following information may be saved in the Integration Server trace file:

  • Diagnostic information about the operation of the Integration Server, its workload, and the results of a data integrity check.
  • Headers and contents of HTTP requests that are sent and received by the Integration Server during its operation.
  • IP addresses of the SVM and computer hosting the Kaspersky Security Center Administration Console and the Kaspersky Security administration plug-in, if the Kaspersky Security Center Administration Console was installed separately from the Kaspersky Security Center Administration Server.
  • Traces of requests to the Integration Server.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.
  • Names of internal Integration Server user accounts.
  • IP addresses or fully qualified domain names (FQDN) of VMware vCenter Server, VMware vCloud Director, or VMware NSX Manager servers to which the Integration Server connects.
  • Information about the Kaspersky Security service registration process.
  • Information about the Kaspersky Security reconfiguration process.

The following information may be saved in the Integration Server Console trace file:

  • Diagnostic information about the operation of the Integration Server Console.
  • Traces of command line parameters and results of checking them.
  • Headers and contents of HTTP requests that are sent and received by the Integration Server Console during its operation.
  • Information about navigations through sections of the Integration Server Console and working with interface elements.
  • IP address of the Kaspersky Security Center Administration Server.
  • Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.
  • Names of internal Integration Server user accounts.
  • IP addresses or fully qualified domain names (FQDN) of VMware vCenter Server, VMware vCloud Director, or VMware NSX Manager servers to which the Integration Server connects.

[Topic 65790]

Sources of information about the application

Kaspersky Security page on the Kaspersky website

On the Kaspersky Security web page you can view general information about the application, its functions and features.

Kaspersky Security page in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Security page in the Knowledge Base you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the application.

Knowledge Base articles can answer questions relating not only to Kaspersky Security but also to other Kaspersky applications. Articles in the Knowledge Base may also contain Technical Support news.

Discuss Kaspersky applications with the community

If your question does not require an urgent answer, you can discuss it with Kaspersky experts and other users in our Community.

In the community, you can view discussion topics, post your comments, and create new discussion topics.

[Topic 77397]

Appendix. Brief instructions on installing the application

Prior to beginning installation of the application, make sure that:

  1. All the software and hardware requirements of Kaspersky Security have been fulfilled.
  2. The VMware virtual infrastructure is prepared for installation of Kaspersky Security:
    1. VMware ESXi hypervisors have been combined into one or multiple VMware clusters.
    2. A network and storage for service virtual machines and SVMs have been selected on each hypervisor (Agent VM Settings; for more details, please refer to the VMware product documentation).
    3. The Guest Introspection service has been deployed on each VMware cluster on which SVMs with the File Threat Protection component will be deployed.
    4. VMware NSX components have been installed on each VMware cluster on which SVMs with the Network Threat Protection component will be deployed. Refer to the Knowledge Base for more details.
    5. Guest Introspection Thin Agent has been installed on each virtual machine that you want to protect using Kaspersky Security. For more details, please refer to the VMware product documentation.
    6. A license for NSX for vSphere Advanced or NSX for vSphere Enterprise is being used for VMware NSX for vSphere (if you are planning to install the Network Threat Protection component).
  3. All SVM image files have been downloaded from the Kaspersky website and are located in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, SVM images have been published on the Kaspersky Security Center Web Server.
  4. The ports required for operation of the application have been opened and the accounts that are required for installation and operation of the application have been created.

Prior to beginning installation of Kaspersky Security, it is recommended to close the Kaspersky Security Center Administration Console.

To install the application:

  1. Install the Kaspersky Security main administration plug-in and Integration Server.
  2. If you want to use the application in multitenancy mode, install the Kaspersky Security administration plug-in for tenants.

    When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security administration plug-ins are installed, the Quick Start Wizard for the managed application is automatically started. The Wizard lets you create default policies and tasks. If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually.

  3. Start the Integration Server Console and configure the settings for connecting the Integration Server to one or more virtual infrastructure administration servers.
  4. In the Integration Server Console, use the Wizard to register Kaspersky Security services in VMware NSX Manager.
  5. In the VMware vSphere Web Client console, deploy SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component on VMware ESXi hypervisors.
  6. In the VMware vSphere Web Client console, configure NSX Security Groups and NSX Security Policies and apply the security policies to NSX Security Groups.

If you want to use the application in multitenancy mode, configure protection of tenant organizations:

  1. In the Kaspersky Security Center Administration Console, for each tenant whose virtual machines need to be protected, create a virtual Administration Server and account that will be used by the tenant administrator to connect to the virtual Administration Server.
  2. In the Kaspersky Security Center Administration Console, create the account that the Integration Server will use to connect to the Kaspersky Security Center Administration Server. This connection is required for obtaining information about virtual Administration Servers created in Kaspersky Security Center, and for configuring mappings between virtual Administration Servers and vCloud Director organizations that contain virtual machines of tenants.
  3. In the Integration Server Console, connect the Integration Server to the Kaspersky Security Center Administration Server and configure the list of mappings of vCloud Director organizations to virtual Administration Servers of Kaspersky Security Center.
  4. Provide the following information to the tenant administrator: address of the Integration Server, address of the virtual Administration Server configured for this tenant, name and password of the account used to connect to the virtual Administration Server.

After the application is installed, prepare the application for operation and perform initial configuration:

  1. Activate the application on all new SVMs and make sure that the application databases have been updated on all new SVMs.
  2. Enable protection of virtual machines against file threats and network threats. By default, Kaspersky Security does not protect virtual machines.

[Topic 90]

Glossary

Activation code

A code provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. This code is required to activate the application.

The activation code is a unique sequence of twenty Latin characters and numerals in the format XXXXX-XXXXX-XXXXX-XXXXX.

Active key

A key that is currently used by the application.

Additional key

A key that entitles the user to use the application, but is not currently in use.

Administration group

A set of devices in Kaspersky Security Center that share common functions and a set of Kaspersky applications installed on them. Devices are grouped so that they can be managed conveniently as a single unit. An administration group may include other groups. It is possible to create group policies and group tasks for each installed application in the administration group.

Administration Server

A component of Kaspersky Security Center that centrally stores information about all Kaspersky applications that are installed within the corporate network. It can also be used to manage these applications.

Application activation

A process of activating a license that allows you to use a fully-functional version of the application until the license expires.

Application activation task

Adds a license key to SVMs selected during task creation.

Application database update task

Kaspersky Security Center automatically distributes and installs application database updates on SVMs.

Backup

A dedicated storage for backup copies of files that have been deleted or modified during disinfection.

Backup copy of a file

A copy of a virtual machine file that is created when this file is disinfected or removed. Backup copies of files are stored in Backup in a special format and pose no danger.

Compound file

A compound file is comprised of several individual files that are stored in one physical file, and each of those files is accessible. Examples of compound files include archives, installation packages, embedded OLE objects, and files in email formats. A common technique for concealing viruses is to implant them into compound files. To detect viruses concealed using this method, the compound file must be unpacked.

Custom Scan task

Determines the settings for scanning files of the specified virtual machines from the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

Database of malicious web addresses

A list of addresses of web resources whose content may be considered to be dangerous. The list is created by Kaspersky experts. It is regularly updated and is included in the Kaspersky application distribution kit.

Database of phishing web addresses

A list of web addresses which Kaspersky experts have determined to be phishing-related. The database is regularly updated and is part of the Kaspersky application distribution kit.

Desktop key

Application key that is used to protect virtual machines running desktop operating systems.

End User License Agreement

A binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the application.

Full Scan task

Determines the settings for scanning files of all virtual machines within the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

Kaspersky CompanyAccount

A portal for sending requests to Kaspersky and tracking the progress made in processing them by the Kaspersky experts.

Kaspersky Security Network (KSN)

An infrastructure of cloud services that provides access to the Kaspersky online Knowledge Base which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by Kaspersky applications to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

Key file

A file of the xxxxxxxx.key type, which is provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. A key file is required to activate the application.

Key with a limitation on the number of processor cores

An application key for protecting virtual machines regardless of the operating system type installed on them. In accordance with the licensing restrictions, the application is used to protect all virtual machines running on hypervisors that use a certain number of cores in their physical processors.

Key with a limitation on the number of processors

An application key for protecting virtual machines regardless of the operating system type installed on them. In accordance with the licensing restriction, the application is used to protect all virtual machines running on hypervisors that use a certain number of physical processors.

KSC cluster

In Kaspersky Security Center: set of SVMs deployed on VMware ESXi hypervisors managed by a standalone VMware vCenter Server or managed by all VMware vCenter Servers connected to one VMware vCloud Director.

KSC cluster protected infrastructure

VMware virtual infrastructure objects managed by a VMware vCenter Server or VMware vCloud Director Server corresponding to the KSC cluster.

License

A time-limited right to use the application, granted under the End User License Agreement.

License certificate

A document that Kaspersky transfers to the user together with the key file or activation code. It contains information about the license granted to the user.

License key (key)

A unique alphanumeric sequence. A license key makes it possible to use the application on the terms of the End User License Agreement (type of license, license validity term, license restrictions). You may use the application only when you have a license key file.

Main protection profile

The main protection profile is generated automatically when a policy is created and contains the File Threat Protection settings. The main protection profile cannot be deleted, but the values of its settings can be changed.

Multitenancy mode

Application operating mode in which one instance of the application installed in the infrastructure of the anti-virus protection provider provides multiple tenant organizations with the capability for independent management of the protection of their virtual infrastructure.

Network Agent

A component of Kaspersky Security Center that handles interaction between the Administration Server and Kaspersky Security components installed on SVMs. The Network Agent component is the same for all Kaspersky applications that run on Windows. There are separate versions of Network Agent for Kaspersky applications that run on Novell, UNIX, and Mac.

OLE object

An object attached to another file or embedded into another file through the use of the Object Linking and Embedding (OLE) technology. An example of an OLE object is a Microsoft Office Excel spreadsheet embedded into a Microsoft Office Word document.

Policy

Defines the settings for protection of virtual machines against viruses and other malware, the settings for protection of virtual machines against network threats, Backup settings, and the settings for the use of Kaspersky Security Network.

Protection profile

A protection profile defines the virtual machine file threat protection settings as part of a policy. A policy can include multiple protection profiles (main protection profile and additional protection profiles).

Protection profiles are assigned to virtual machines and other VMware virtual infrastructure objects. Only one protection profile may be assigned to a single virtual infrastructure object. An SVM protects the virtual machine according to the settings configured in the protection profile that has been assigned to it.

Virtual machines that have no assigned protection profile are excluded from protection.

Server key

Application key that is used to protect virtual machines running server operating systems.

SVM

Secure virtual machine, SVM. A virtual machine deployed on a VMware ESXi hypervisor with a component of Kaspersky Security installed.

Update rollback task

During execution of the task, Kaspersky Security Center rolls back the latest application database updates on SVMs.

Updates source

Resource that contains updates for databases and application software modules of Kaspersky applications. The update source for Kaspersky Security is the storage of the Kaspersky Security Center Administration Server.

[Topic 37531]

Information about third-party code

Information about third-party code is contained in the file legal_notices.txt, in the application installation folder.

[Topic 56698]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Mac is a trademark of Apple Inc., registered in the U.S. and other countries.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Microsoft, Active Directory, Excel, Windows and Windows Server are registered trademarks of Microsoft Corporation in the United States and other countries.

Novell is a registered trademark of Novell Inc. in the United States and other countries.

CentOS is a trademark of Red Hat Inc.

Red Hat Enterprise Linux is a registered trademark of Red Hat Inc. in the United States and other countries.

SUSE is a registered trademark of SUSE LLC in the United States and other countries.

UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company Limited.

VMware, VMware ESXi, VMware NSX, VMware NSX Manager, VMware NSX for vSphere, VMware vCenter, VMware vCenter Server, VMware vCloud Director, VMware vShield Manager, VMware Tools, VMware vSphere and VMware vSphere Web Client are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions.
