Virtual machine file threat protection

In this section, SVM refers to an SVM with the File Threat Protection component installed.

An SVM with the File Threat Protection component installed protects virtual machines on the VMware ESXi hypervisor. The settings that SVMs apply for virtual machine file threat protection are defined by using policies. Kaspersky Security starts protecting virtual machines only after you have enabled protection by using a policy.

File Threat Protection is enabled for virtual machines if a protection profile is assigned to these virtual machines. You can assign the main protection profile that is generated automatically when a policy is created, or create and assign additional protection profiles if you want to use different protection settings for different virtual infrastructure objects.

You can assign protection profiles directly to virtual machines and other virtual infrastructure objects. In a virtual infrastructure managed by a standalone VMware vCenter Server, you can also assign different protection profiles to virtual machines that are part of NSX Security Groups that are within the scope of different NSX Profile Configurations.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.

Kaspersky Security protects only powered-on virtual machines that meet all the conditions for virtual machine protection.

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

• If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
• If viruses or other malware is detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

  Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

The Signature analysis and machine learning scan method is used for protection of virtual machines. Protection that uses signature analysis provides a minimally acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

Additionally, during virtual machines protection, the Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

• If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes less resources of the SVM.
• If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky experts.

Information about all events that occur during protection of virtual machines is logged in a report.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.

Conditions for protection of virtual machines against file threats

Kaspersky Security protects virtual machines that meet the following conditions:

• The virtual machine is not powered off or paused.

  When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.

• The Guest Introspection driver (NSX File Introspection Driver) has been installed and is running on the virtual machine.
• The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console. This group must be assigned an NSX Security Policy in which the use of the file system protection service (Kaspersky File Antimalware Protection) is configured.
• A protection profile is being applied to the virtual machine.

If even one of the listed conditions is not fulfilled, Kaspersky Security does not protect the virtual machine.

Configuring main protection profile settings

The main protection profile is automatically generated during creation of the main policy and tenant policy. You can configure the settings of the main protection profile while creating a policy (during the Configure main protection profile settings step) or in the properties of the policy after it is created (in the Main protection profile subsection in the File Threat Protection section).

To configure main protection profile settings:

1. In the Security level section, select the security level at which Kaspersky Security scans virtual machines:
   • If you want to install one of the pre-installed security levels (High, Recommended, or Low), use the slider to select one.
   • To change the security level to Recommended, click the Default button.
   • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
   1. In the Scanning archives and compound files section, specify the values of the following settings:
      • Scan archives

        

        Enable / disable scanning of archives.

        This check box is cleared by default.

      • Delete archives if disinfection fails

        

        Enable / disable the feature of deleting archives that could not be disinfected.

        If this check box is selected, Kaspersky Security deletes archives that could not be disinfected.

        If this check box is cleared, the application does not delete archives that could not be disinfected. Kaspersky Security relays information that the infected file has not been deleted to the Administration Server of Kaspersky Security Center.

        This check box is available when the Scan archives check box is selected.

        This check box is cleared by default.

      • Scan self-extracting archives

        

        Enables / disables the scanning of self-extracting archives.

        By default, this check box is cleared for protection profiles and selected for scan tasks.

      • Scan embedded OLE-objects

        

        Enables/disables the scanning of objects that are embedded inside a file.

        This check box is set by default.

      • Do not unpack large compound files

        

        If this check box is set, Kaspersky Security does not scan compound files whose size exceeds the value that is specified in the Maximum size of a scanned compound file is N MB field.

        If this check box is cleared, Kaspersky Security scans compound files of all sizes.

        Kaspersky Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.

        This check box is set by default.

      • Maximum size of a scanned compound file N MB

        

        Maximum size of compound files that are subject to scanning (in megabytes). Kaspersky Security does not unpack and scan objects whose size is larger than the specified value.

        This setting can be edited if the Do not unpack large compound files check box is selected.

        You can specify a value in the range of 1 to 999999 in this field. The default value is 8 MB.

   2. In the Performance section, specify the values of the following settings:
      • Limit file scan time

        

        Enables / disables the file scan time limit.

        If this check box is selected, Kaspersky Security stops scanning a file when the scan duration reaches the value that is specified in the Scan files for no longer than N second(s) field and skips this file.

        If this check box is cleared, Kaspersky Security does not limit the duration of file scanning.

        By default, this check box is selected for protection profiles and cleared for scan tasks.

      • Scan files for no longer than N second(s)

        

        Maximum duration of file scanning (in seconds). Kaspersky Security stops scanning a file if scanning takes longer than the time value specified.

        This setting can be edited if the Limit file scan time check box is selected.

        You can specify a value in the range of 1 to 3600 in this field. The default value is 60 seconds.

   3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      • Malicious tools

        

        Enables/disables protection against malicious tools.

        Malicious tools do not perform their actions right after they are started. Instead, they can be stealthily stored and run on the virtual machine. Intruders often use the features of malicious tools to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, or perform other malicious actions.

        If this check box is set, protection against malicious tools is enabled.

        If this check box is cleared, protection against malicious tools is disabled.

        This check box is set by default.

      • Auto-dialers

        

        Enables/disables protection against auto-dialers.

        If this check box is selected, protection against auto-dialers is enabled.

        If this check box is cleared, protection against auto-dialers is disabled.

        This check box is set by default.

      • Adware

        

        Enables/disables protection against adware.

        The function of adware is to display advertising information to the user. For example, it displays banner ads in the interfaces of other programs and redirects search queries to advertising websites. Some varieties of adware collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

        If this check box is set, protection against adware is enabled.

        If this check box is cleared, protection against adware is disabled.

        This check box is set by default.

      • Other

        

        Enables / disables protection against legitimate software that could be exploited by criminals to harm a virtual machine or user data.

        Most of these programs are useful, so many users run them. These programs include IRC clients, file downloaders, remote administration programs, user activity monitoring programs, password utilities, and Internet servers for FTP, HTTP, and Telnet. However, if criminals gain access to these programs, some program features could be used to harm a virtual machine or user data.

        Selecting this check box enables protection against legitimate software that could be used by criminals to harm a virtual machine or user data.

        If this check box is cleared, protection against such software is disabled.

        This check box is cleared by default.

      • Multi-packed files

        

        Enables/disables scanning of files that have been packed using one or several packers three or more times.

        If a file was packed by one or several packers three or more times, the file probably contains malware or legitimate software that can be used by criminals to damage your computer or personal data.

        If this check box is selected, protection against multi-packed files is enabled, and the scanning of such files is allowed.

        If this check box is cleared, protection against multi-packed files is disabled.

        This check box is set by default.

        Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

   4. In the Objects to detect window, click OK.
   5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

2. In the Action on threat detection section, select an action
   in the drop-down list

   

   This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files:

   • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
   • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

     This action is selected by default.

     Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

   • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
   • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.
   .
3. If you do not want Kaspersky Security to scan files on network drives when protecting virtual machines running Windows operating systems, clear the Scan network drives check box in the Protection scope section. By default, when protecting virtual machines running Windows operating systems, the application scans all files that have not been excluded from protection on network drives.

   When protecting virtual machines running Linux operating systems, Kaspersky Security always scans files of supported network file systems (NFS and CIFS). If you want to exclude files of network file systems from the protection scope, you must configure a protection exclusion for the directory in which the network file system is mounted.

   Kaspersky Security always scans files on removable and hard drives. For this reason the Scan all removable drives and hard drives setting in the Protection scope section cannot be edited.

4. To exclude certain files of virtual machines from protection, in the Exclusions from protection section, click the Settings button.

   In the Exclusions from protection window that opens, specify the following settings:

   1. In the File extensions section, choose one of the following options:
      • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan when a virtual machine is being protected. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the protection scope.
      • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan when the virtual machine is being protected. When protecting virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files that are to be included in the protection scope. When protecting virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

   2. In the Files and folders table, use the Add, Change, and Delete buttons to create the list of objects to be excluded from protection.

      By default, the list of exclusions includes the objects recommended by Microsoft (please refer to the list of recommended exclusions on the Microsoft website). Kaspersky Security excludes these objects from protection on all virtual machines to which the main protection profile has been assigned. You can view and edit the list of these objects in the Files and folders table.

      You can exclude objects of the following types from protection:

      • Folders. Files stored in folders at the specified path are excluded from protection. For each folder, you can specify whether to apply the exclusion from protection to subfolders.
      • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from protection.

        You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in paths to files and folders that are excluded from protection.

      You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

   If your exclusions list uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from protection. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are excluded from protection.

5. In the Exclusions from protection window, click OK.
6. Save the changes by clicking Next (in the New Policy Wizard) or Apply (in the policy properties).

The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.

Managing additional protection profiles

You can manage additional protection profiles in the properties of a policy in the list of additional protection profiles.

To open the list of additional protection profiles in the policy properties:

1. In the Kaspersky Security Center Administration Console, open the policy properties:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the File Threat Protection section, select the additional protection profiles subsection.

   A list of additional protection profiles will appear in the right part of the window. If you have not yet created additional protection profiles in this policy, the list of protection profiles is empty.

In the list of additional protection profiles, you can do the following:

• Create additional protection profiles.
• Change the name of an additional protection profile by clicking the Rename button.
• Edit the settings of an additional protection profile by clicking the Change button. The settings are edited in the Protection settings window. The additional protection profile settings are identical to the main protection profile settings. The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.
• Export the settings of an additional protection profile to a file by clicking the Export button. To save the settings of an additional protection profile, you need to specify the path to a file in JSON format. You can use previously saved settings when creating a new additional protection profile.
• Delete an additional protection profile by clicking the Delete button. If this protection profile was used for virtual machine protection, the application will protect these virtual machines using the settings of the protection profile that was assigned to their parent object in the virtual infrastructure. If the parent object has been excluded from protection, the application does not protect such virtual machines.

  If file protection settings were defined using NSX Profile Configurations, deletion of a protection profile will result in the unmapping of the deleted protection profile from the NSX Profile Configuration. The application will use the settings of the default protection profile to protect the virtual machines within the scope of this NSX Profile Configuration.

Creating an additional protection profile

To create an additional protection profile:

1. In the Kaspersky Security Center Administration Console, open the list of additional protection profiles in the properties of the policy for which you want to create an additional protection profile.
2. Click the Add button.

   The Protection profile window opens.

3. In the window that opens, enter the name of the new protection profile.

   A protection profile name cannot contain more than 255 characters.

4. If you want to use previously saved protection profile settings when creating a new protection profile, select the Import settings from file check box and specify the path to the file in JSON format.
5. In the Protection profile window, click OK.

   The Protection settings window opens. In this window, you can configure the settings of the new protection profile or change protection profile settings that were imported from a file.

   The additional protection profile settings are identical to the main protection profile settings, with the exception of the default list of exclusions.

   By default, the list of exclusions does not include objects recommended by Microsoft Corporation (please refer to the list of exclusions recommended by Microsoft on the Microsoft website). If you want the objects recommended by Microsoft to be excluded from protection on all virtual machines that have been assigned this protection profile, you need to import the microsoft_file_exclusions.xml file into the protection profile exclusions. The microsoft_file_exclusions.xml file is included in the application distribution kit and is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. After importing the file, you can view and edit the list of these objects in the Files and folders table in the Exclusions from protection window.

6. After configuring all settings of the protection profile, click OK in the Protection settings window.

   In the Properties: <Policy name> window, a new protection profile appears in the list of additional protection profiles.

You can assign created additional profiles to virtual machines or other VMware virtual infrastructure objects, and map protection profiles to NSX Profile Configurations.

Viewing the protected infrastructure in a policy

In policy properties, you can view the protected infrastructure selected for the policy, and information about the use of protection profiles.

To view information about the protected infrastructure in a policy:

1. In the Kaspersky Security Center Administration Console, open the policy properties:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the File threat protection section, select the Protected infrastructure subsection.
3. The Kaspersky Security administration plug-in attempts to automatically connect to the Integration Server. If the connection fails, the Connection to Integration Server window opens.

   If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default. You can also use the Integration Server administrator account (admin). To do so, clear the Use domain account check box and enter the administrator password in the Password field.

   If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

   If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

   The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

   In the Connection to Integration Server window, specify the connection settings and click OK.

4. The Kaspersky Security administration plug-in verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

After connecting to the Integration Server, the right part of the window displays information about the protected infrastructure and the use of protection profiles.

In the properties of the main policy, which determines the protection settings for a virtual infrastructure managed by one VMware vCenter Server, you can select the method for assigning file protection settings in the drop-down list located in the upper part of the window:

• Use virtual infrastructure tree. If this option is selected, the table displays a tree of objects of the VMware virtual infrastructure and the protection profiles assigned to objects of the virtual infrastructure.
• Use NSX Profile Configurations. If this option is selected, the table displays the NSX Profile Configurations that are available for the selected VMware vCenter Server, and the protection profiles corresponding to them.

If the entire protected infrastructure is selected as the protected infrastructure for a policy, you cannot use NSX Profile Configurations to assign file protection settings. Use virtual infrastructure tree option is selected in the drop-down list.

Information about the assignment of file protection settings using the virtual infrastructure tree

If the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window, the Protected infrastructure section displays a tree of objects of the VMware virtual infrastructure and the protection profiles assigned to objects of the virtual infrastructure.

The protected infrastructure is displayed as a tree of items:

• In the properties of a policy for one VMware vCenter Server, you will see the protected infrastructure of the "VMware vCenter Agentless" cluster: the root element is the VMware vCenter Server, and under it you will see Datacenter objects, VMware clusters, resource pools, vApp objects, and virtual machines.
• In the properties of a policy for the entire protected infrastructure, the root element is the Integration Server, and under it you will see all VMware vCenter Servers, each containing the protected infrastructure of the "VMware vCenter Agentless" cluster corresponding to this VMware vCenter Server.
• In the properties of the tenant policy located in the Managed devices folder of the virtual Administration Server, the root element is the "vCloud Director organization" object that combines all virtual Datacenters of the tenant. Under this object are all virtual machines within the vCloud Director organization that corresponds to this virtual Administration Server.

If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine has been assigned a protection profile, the settings of this protection profile are applied to all virtual machines that have the same ID (vmID).

The Protection profile column displays information about the assignment of protection profiles to objects of the protected infrastructure. Kaspersky Security uses the settings of assigned protection profiles when protecting virtual machines.

The Protection profile field may contain the following values:

• Name of the protection profile that is assigned to a virtual machine or to a VMware virtual infrastructure object.
• Protection profile name, inherited from the parent object and displayed as "inherited: <N>", where <N> – is the name of the inherited protection profile.
• (Not assigned) or inherited: (Not assigned) – if the protection profile was not assigned or its assignment has been canceled (the Do not use protection profile value was selected). Virtual machines or virtual infrastructure objects that have no assigned protection profile are excluded from protection.

Information about the assignment of file protection settings using NSX Profile Configurations

If the Use NSX Profile Configurations option is selected in the drop-down list located in the upper part of the window, the Protected infrastructure section displays the following information:

• Name of the default protection profile. This protection profile is assigned for those NSX Profile Configurations, for which the mapping to protection profile has not been set yet, or has been canceled as a result of deleting a protection profile.

  Main protection profile is set as the default protection profile. If you canceled the use of default protection profile, the Do not use protection profile value is displayed.

• Table of mappings between protection profiles and the NSX Profile Configurations available for the selected VMware vCenter Server.

The table shows the following information:

• The NSX Profile Configuration column contains the name of the NSX Profile Configuration. If several NSX Profile Configurations with the same Configuration ID were created in the virtual infrastructure, their names will be separated by comma. Kaspersky Security processes the NSX Profile Configurations with the same ID as one NSX Configuration Profile.
• If a protection profile is mapped to an NSX Profile Configuration, the Protection profile column displays the name of the protection profile. Kaspersky Security uses the settings of the specified protection profile to protect virtual machines that are within the scope of this NSX Profile Configuration.
• If the mapping was canceled, the value shown in the Protection profile column is (Not assigned). If no protection profile is mapped to an NSX Profile Configuration, the virtual machines that are within the scope of this NSX Profile Configuration are excluded from protection.

Assigning protection profiles to virtual infrastructure objects

To assign a protection profile to a virtual machine or to another VMware virtual infrastructure object:

1. In the properties of the policy whose scope includes the relevant virtual machines or other VMware virtual infrastructure objects, select the Protected infrastructure subsection.
2. If you are configuring a policy for one VMware vCenter Server, make sure that the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window. This value is selected by default.
3. Select one or multiple objects of the virtual infrastructure in the table.

   If you want to assign the same protection profile to multiple virtual machines that are child objects of a single virtual infrastructure object, select this object in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

4. Click the Select protection profile button.

   The Selecting protection profile window opens.

5. Select one of the following options:
   • Inherit parent protection profile: <name>. Select this option if you want to assign the protection profile of the parent object to a virtual machine or other virtual infrastructure object.
   • Use protection profile. Select this option and indicate the protection profile name in the drop-down list to assign this protection profile to a virtual machine or other virtual infrastructure object. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
6. If the selected virtual infrastructure object has child objects, the protection profile is assigned to the object and to all of its child objects, including objects that have been assigned their own protection profile or that have been excluded from protection. If you want to assign the protection profile only to the selected virtual infrastructure object and to its child objects that have not been assigned their own protection profile and that have not been excluded from protection, clear the Apply to all child objects check box.
7. Click OK.

   The Selecting protection profile window will close, and the assigned protection profile will be displayed in the table in the Protected infrastructure subsection.

8. In the Properties: <Policy name> window, click OK.

Assigning protection profiles by using NSX Profile Configurations

In a virtual infrastructure managed by a standalone VMware vCenter Server, Kaspersky Security lets you define the file protection settings at the level of NSX Security Groups. You can assign the same file protection settings to all virtual machines that are within the same NSX Security Group. To do so, you need to allocate virtual machines into NSX Security Groups and do the following for each security group:

1. In the VMware vSphere Web Client console:
   1. Create an NSX Profile Configuration. To start the NSX Profile Configuration Wizard, you need to open the properties of the Kaspersky File Antimalware Protection service (in the Networking & Security → Service Definitions section, Services tab, Edit Settings action) and go to the Manage → Profile Configurations tab.
   2. Indicate this NSX Profile Configuration or the NSX Service Profile that was created based on this NSX Profile Configuration in the NSX Security Policy.
   3. Assign an NSX Security Policy to an NSX Security Group.
2. In the Kaspersky Security Center Administration Console, in the Kaspersky Security policy properties, set mapping between the NSX Profile Configuration and the protection profile.

   The protection profile settings will be used for the protection of virtual machines from the NSX Security Group to which the NSX Security Policy was applied.

To map an NSX Profile Configuration to a protection profile:

1. In the policy properties for one VMware vCenter Server, select the Protected infrastructure subsection.
2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
3. In the table, select the NSX Profile Configuration for which you want to set mapping and double-click to open the Selecting Protection profile window.
4. In the opened window, select the Use protection profile option. In the drop-down list, indicate the name of the protection profile that should be mapped to the NSX Profile Configuration. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
5. Click OK.

   The Selecting protection profile window will close, and the assigned mapping will be displayed in the table in the Protected infrastructure subsection.

6. In the Properties: <Policy name> window, click OK.

The default protection profile is automatically assigned to NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile. You can change the default protection profile or cancel use of the default protection profile.

To change the default protection profile:

1. In the policy properties for one VMware vCenter Server, select the Protected infrastructure subsection.
2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
3. Click the Change button located on the right of the default protection profile name.

   The Selecting protection profile window opens.

4. If you want to change the default protection profile, select the Use protection profile option and indicate the name of the protection profile in the drop-down list. The list contains the main protection profile and all additional protection profiles that you configured in this policy.

   The specified protection profile will be mapped to those NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile.

5. If you want to cancel use of the default protection profile, select the Do not use protection profile option. By default, no protection profile will be mapped to NSX Profile Configurations that have not yet been mapped to a protection profile or whose mapping was canceled due to the deletion of the protection profile. Virtual machines that are within the scope of these NSX Profile Configurations will be excluded from protection.
6. Click OK.

   The Selecting protection profile window will close, and the name of the selected protection profile will be displayed in the Protected infrastructure subsection in the upper part of the window.

7. In the Properties: <Policy name> window, click OK.

Changing the protected infrastructure for a policy

You can change the protected infrastructure selected for a policy. This may be required, for example, if you want to copy the policy from one administration group to another. In this case, you need to change the protected infrastructure for the copied policy so that the protected infrastructure matches the location of the policy:

• If the policy is located in the group that contains the "VMware vCenter Agentless" cluster, the VMware vCenter Server corresponding to this cluster must be selected as the protected infrastructure for the policy.
• If the policy is located in the Managed devices folder or in the group that contains the "VMware vCloud Director Agentless" cluster, the entire protected infrastructure must be selected as the protected infrastructure for the policy.

To change the protected infrastructure selected for a policy:

1. In the properties of the policy whose protected infrastructure you want to change, select the Protected infrastructure subsection.
2. In the right part of the window, click the Change button.

   The Connection to Integration Server window opens. The window displays the settings for connecting to the Integration Server whose address is indicated in the lower part of the window in the Protected infrastructure subsection.

3. If required, edit the connection settings and click OK.
4. After the connection is established, the Choice of protected infrastructure window opens. Select one of the following options:
   • If you are configuring a policy located in an administration group that contains the "VMware vCenter Agentless" cluster, select the One VMware vCenter Server option. Then select the listed VMware vCenter Server corresponding to this "VMware vCenter Agentless" cluster.

     If the selected VMware vCenter Server does not correspond to the "VMware vCenter Agentless" cluster whose group contains the policy, Kaspersky Security does not protect virtual machines.

   • If you are configuring a policy located in any other folder or administration group, select the Entire protected infrastructure option.
5. Click OK in the Choice of protected infrastructure window and, in the opened window, confirm the change to the protected infrastructure.
6. In the Properties: <Policy name> window, click OK.

Disabling file threat protection for virtual infrastructure objects

You can disable file threat protection for virtual infrastructure objects in the following ways:

• If the file protection settings were defined by assigning protection profiles to virtual infrastructure objects, you can cancel assignment of the protection profile to a virtual machine or other virtual infrastructure object. Virtual machines that have no assigned protection profile are excluded from protection.
• If file protection settings were defined using NSX Profile Configurations, you can cancel mapping of a protection profile to an NSX Profile Configuration that is applied to virtual machines. If no protection profile is mapped to an NSX Profile Configuration, the virtual machines that are within the scope of this NSX Profile Configuration are excluded from protection.
• You can disable protection for all virtual machines that are within the policy scope.

If the file protection settings were defined by assigning protection profiles to virtual infrastructure objects, you can disable protection for one or more virtual machines by doing the following:

1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
2. If you are configuring a policy for one VMware vCenter Server, make sure that the Use virtual infrastructure tree option is selected in the drop-down list located in the upper part of the window.
3. Select one or multiple objects of the virtual infrastructure in the Name column.

   To disable protection for multiple virtual machines that are child objects of a single virtual infrastructure object, select that object. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

4. Click the Select protection profile button.

   The Selecting protection profile window opens.

5. Select the Do not use protection profile option.
6. If the selected virtual infrastructure object has child objects, by default protection will be disabled for the selected object and for all its child objects, including objects that have been assigned their own protection profile. If you want to disable protection only for the selected virtual infrastructure object and for those of its child objects that inherit the protection profile, clear the Apply to all child objects check box.

   Protection will be removed from the parent object and from those of its child objects that inherited their protection profile from the parent object. The application will continue protecting the child objects that have been assigned their own protection profile.

7. Click OK.

   The Selecting protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for objects that have been excluded from protection is (Not assigned).

8. In the Properties: <Policy name> window, click OK.

If the file protection settings were defined using NSX Profile Configurations, you can disable virtual machine protection by doing the following:

1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
2. In the drop-down list located in the upper part of the window, select the Use NSX Profile Configurations option.
3. In the table, select the NSX Profile Configuration whose scope includes the relevant virtual machines, and double-click to open the Selecting Protection profile window.
4. In the opened window, select the Do not use protection profile option.
5. Click OK.

   The Selecting Protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for the selected NSX Profile Configuration is (Not assigned).

6. In the Properties: <Policy name> window, click OK.

To disable protection for all virtual machines that are within the policy scope:

1. In the properties of the policy whose scope includes the relevant virtual machines, select the Protected infrastructure subsection.
2. Clear the Use File Threat Protection check box located in the upper part of the window.
3. In the Properties: <Policy name> window, click OK.