Scanning virtual machines

In this section, SVM refers to an SVM with the File Threat Protection component installed.

An SVM with the File Threat Protection component installed lets you run a virus scan on files of virtual machines on the VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

The settings that SVMs apply while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:

• Full Scan. This task lets you run a virus scan on the files of all virtual machines within the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.

  A Full Scan task is automatically created after installing the Kaspersky Security main administration plug-in in the Managed devices folder of the main Administration Server of Kaspersky Security Center. This task lets you perform a virus scan on all virtual machines that are protected by all SVMs and are not part of a vCloud Director organization. You can manually run this task.

• Custom Scan. This task lets you run a virus scan on files of specified virtual machines from the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task. In the selected scope, you need to indicate the virtual machines that need to be scanned. You can specify individual virtual machines, VMware virtual infrastructure objects of a higher level of the hierarchy, or NSX Security Groups that include the relevant virtual machines.

You can start scan tasks manually, define a scan task run schedule, and view information about the progress and results of tasks.

Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning while using signature analysis ensures the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable file, which raises the probability of threat detection.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.

Special considerations for scanning virtual machines:

• When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
• When performing scan tasks, Kaspersky Security can scan virtual machine templates.
• When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.

  When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

• During execution of a scan task, one SVM with the File Threat Protection component simultaneously scans the files of no more than four virtual machines.

Information on the scan results and on events that occurred during scan tasks execution is logged in a report.

After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

Conditions for anti-virus scan of virtual machines

Kaspersky Security scans virtual machines that meet the following conditions:

• For powered-off virtual machines: NTFS, FAT32, EXT2, EXT3, EXT4, XFS or BTRFS file system is used on the virtual machine.
• For powered-on virtual machines:
  • The Guest Introspection driver (NSX File Introspection Driver) has been installed and is running on the virtual machine.
  • The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console. This group must be assigned an NSX Security Policy in which the use of the file system protection service (Kaspersky File Antimalware Protection) is configured.

    Kaspersky Security can scan powered off virtual machines with an NTFS, FAT32, EXT2, EXT3, EXT4, XFS, or BTRFS file system according to the scan settings, regardless of whether or not those virtual machines are included in an NSX Security Group.

If even one of the listed conditions is not fulfilled, Kaspersky Security does not scan the virtual machine.

Kaspersky Security also does not scan a virtual machine when one of the following conditions is met:

• You have added the virtual machine to the list of virtual infrastructure objects (Inventory) in the VMware vSphere Web Client console or created the virtual machine on the VMware ESXi hypervisor after the scan task was started.
• You have removed the virtual machine from the list of virtual infrastructure objects (Inventory) in the VMware vSphere Web Client console before the scan of this virtual machine started.
• The virtual machine included in the scope of a running scan task migrates to the VMware ESXi hypervisor on which the scan task was not started.

Creating a full scan task

To create a full scan task:

1. In the Kaspersky Security Center Administration Console, select the folder or administration group in which you want to create the task.

   If you selected the Managed devices folder or an administration group containing a KSC cluster, select the Tasks tab in the workspace.

2. Click the New task button to start the New Task Wizard.
3. At the first step of the Wizard, select the type of task.
   • If you want to create a task for scanning virtual machines that are not part of a vCloud Director organization, select Kaspersky Security for Virtualization 6.0 Agentless → Full Scan.
   • If you want to create a task for scanning virtual machines of tenants, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Full Scan.

   Proceed to the next step of the New Task Wizard.

4. Configure the settings for scanning virtual machines.

   Proceed to the next step of the New Task Wizard.

5. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

   Proceed to the next step of the New Task Wizard.

6. If you started the New Task Wizard from the Tasks folder, specify the method for selecting the SVMs on which the task must be run:
   • Click the Select network devices detected by Administration Server button if you want to select SVMs from the list of devices detected by Administration Server while polling the local area network.
   • Click the Specify device addresses manually or import from list button if you want to specify the addresses of SVMs manually or import the list of SVMs from a file. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

     If you import a list of addresses from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

   • Click the Assign task to a device selection button if the task must be run on all SVMs that are part of a selection based on a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center documentation.
   • Click the Assign task to an administration group button if the task must be run on all SVMs within an administration group.

     Depending on the specified method of SVM selection, perform one of the following operations in the window that opens:

     • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select check boxes in the list on the left of the name of the relevant SVMs.
     • Click the Add or Add IP range button and specify the addresses of SVMs.
     • Click the Import button, and in the window that opens select the TXT file containing the list of SVM addresses.
     • Click the Browse button and in the opened window specify the name of the selection containing the SVMs on which the task will be run.
     • Click the Browse button and select an administration group or manually enter the name of an administration group.

   Proceed to the next step of the New Task Wizard.

7. Configure the task run schedule and proceed to the next step of the Wizard.
8. In the Name field, enter the task name and proceed to the next step of the Wizard.
9. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

   Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

Creating a custom scan task by using the main plug-in

A Custom Scan task created using the Kaspersky Security main administration plug-in lets you scan virtual machines that are managed by one VMware vCenter Server and that are not part of a vCloud Director organization.

To create a Custom Scan task for virtual machines that are not part of a vCloud Director organization:

1. In the Kaspersky Security Center Administration Console, select the administration group in which you want to create the task.

   Due to the specifics of configuring the scope of a Custom Scan task, it is recommended to create Custom Scan tasks in administration groups that contain KSC clusters, which means group tasks. If a Custom Scan task is configured for one or more SVMs (meaning a local or global task), correct configuration of the task scope cannot be guaranteed.

2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless → Custom Scan.

   Proceed to the next step of the New Task Wizard.

4. The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

   If the computer hosting the Administration Console of Kaspersky Security Center belongs to a domain or your domain user account belongs to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, your domain user account is used by default to connect to the Integration Server. The Use domain account check box is selected by default.

   If you want to use the account of an Integration Server administrator (admin), clear the Use domain account check box and enter the administrator password in the Password field.

   If the computer hosting the Kaspersky Security Center Administration Console does not belong to a domain, or the computer belongs to a domain but your domain account does not belong to the KLAdmins group or to the group of local administrators on the computer hosting the Integration Server, you can use only the account of the Integration Server administrator (admin) to connect to the Integration Server. Enter the administrator password in the Password field.

   If the connection to the Integration Server is established using the Integration Server administrator account (admin), you can save the administrator password. To do so, select the Save password check box. The saved administrator password will be used the next time a connection is established with this Integration Server. If you clear the check box selected during the previous connection to the Integration Server, Kaspersky Security removes the previously saved password of the Integration Server administrator.

   The Save password check box may be unavailable if Windows updates KB 2992611 and/or KB 3000850 have been installed on the computer hosting the Kaspersky Security Center Administration Console. To restore the capability to save the administrator password, you can uninstall these Windows updates or modify the operating system registry as described in the Knowledge Base.

   Proceed to the next step of the New Task Wizard.

   The Task Wizard verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

   After the connection is established, the List of VMware vCenter Servers window opens. Select the VMware vCenter Server that manages the virtual machines that you want to scan, and click OK.

5. At this step of the Wizard, select the task scope.

   Proceed to the next step of the New Task Wizard.

6. Configure the settings for scanning virtual machines.

   Proceed to the next step of the New Task Wizard.

7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

   Proceed to the next step of the New Task Wizard.

8. Configure the task run schedule and proceed to the next step of the New Task Wizard.
9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

If a VMware vCenter Server is replaced or reinstalled, all previously created custom scan tasks will no longer work. If you want to use a previously created custom scan task, you must reconnect to the VMware vCenter Server in the properties of this task.

Creating a custom scan task by using the tenant plug-in

A Custom Scan task for virtual machines of tenants is used only if the application is operating in multitenancy mode. A Custom Scan task for virtual machines of tenants can be created only on a virtual Administration Server of Kaspersky Security Center.

To create a Custom Scan task for virtual machines of tenants:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder of the virtual Administration Server corresponding to the tenant.
2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
3. At the first step of the Wizard, select the following type of task: Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Custom Scan.

   Proceed to the next step of the New Task Wizard.

4. Specify the Integration Server address and proceed to the next step of the New Task Wizard.

   The Task Wizard verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

5. Select the task scope: select the check boxes for those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

   If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

   Proceed to the next step of the New Task Wizard.

6. Configure the settings for scanning virtual machines.

   Proceed to the next step of the New Task Wizard.

7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

   Proceed to the next step of the New Task Wizard.

8. Configure the task run schedule and proceed to the next step of the New Task Wizard.
9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

Configuring virtual machine scan settings in a scan task

You can configure the virtual machine scan settings while creating the task (the Configure scan settings step) or in the task properties after its creation (the Scan settings section).

To configure the virtual machine scan settings:

1. Select the security level at which Kaspersky Security scans virtual machines. To do so, in the Security level section, perform one of the following actions:
   • If you want to install one of the pre-installed security levels (High, Recommended, or Low), use the slider to select one.
   • To change the security level to Recommended, click the Default button.
   • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
   1. In the Scanning archives and compound files section, specify the values of the following settings:
      • Scan archives

        

        Enable / disable scanning of archives.

        This check box is cleared by default.

      • Delete archives if disinfection fails

        

        Enable / disable the feature of deleting archives that could not be disinfected.

        If this check box is selected, Kaspersky Security deletes archives that could not be disinfected.

        If this check box is cleared, the application does not delete archives that could not be disinfected. Kaspersky Security relays information that the infected file has not been deleted to the Administration Server of Kaspersky Security Center.

        This check box is available when the Scan archives check box is selected.

        This check box is cleared by default.

      • Scan self-extracting archives

        

        Enables / disables the scanning of self-extracting archives.

        By default, this check box is cleared for protection profiles and selected for scan tasks.

      • Scan embedded OLE-objects

        

        Enables/disables the scanning of objects that are embedded inside a file.

        This check box is set by default.

      • Do not unpack large compound files

        

        If this check box is set, Kaspersky Security does not scan compound files whose size exceeds the value that is specified in the Maximum size of a scanned compound file is N MB field.

        If this check box is cleared, Kaspersky Security scans compound files of all sizes.

        Kaspersky Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.

        This check box is set by default.

      • Maximum size of a scanned compound file N MB

        

        Maximum size of compound files that are subject to scanning (in megabytes). Kaspersky Security does not unpack and scan objects whose size is larger than the specified value.

        This setting can be edited if the Do not unpack large compound files check box is selected.

        You can specify a value in the range of 1 to 999999 in this field. The default value is 8 MB.

   2. In the Performance section, specify the values of the following settings:
      • Limit file scan time

        

        Enables / disables the file scan time limit.

        If this check box is selected, Kaspersky Security stops scanning a file when the scan duration reaches the value that is specified in the Scan files for no longer than N second(s) field and skips this file.

        If this check box is cleared, Kaspersky Security does not limit the duration of file scanning.

        By default, this check box is selected for protection profiles and cleared for scan tasks.

      • Scan files for no longer than N second(s)

        

        Maximum duration of file scanning (in seconds). Kaspersky Security stops scanning a file if scanning takes longer than the time value specified.

        This setting can be edited if the Limit file scan time check box is selected.

        You can specify a value in the range of 1 to 3600 in this field. The default value is 60 seconds.

   3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      • Malicious tools

        

        Enables/disables protection against malicious tools.

        Malicious tools do not perform their actions right after they are started. Instead, they can be stealthily stored and run on the virtual machine. Intruders often use the features of malicious tools to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, or perform other malicious actions.

        If this check box is set, protection against malicious tools is enabled.

        If this check box is cleared, protection against malicious tools is disabled.

        This check box is set by default.

      • Auto-dialers

        

        Enables/disables protection against auto-dialers.

        If this check box is selected, protection against auto-dialers is enabled.

        If this check box is cleared, protection against auto-dialers is disabled.

        This check box is set by default.

      • Adware

        

        Enables/disables protection against adware.

        The function of adware is to display advertising information to the user. For example, it displays banner ads in the interfaces of other programs and redirects search queries to advertising websites. Some varieties of adware collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

        If this check box is set, protection against adware is enabled.

        If this check box is cleared, protection against adware is disabled.

        This check box is set by default.

      • Other

        

        Enables / disables protection against legitimate software that could be exploited by criminals to harm a virtual machine or user data.

        Most of these programs are useful, so many users run them. These programs include IRC clients, file downloaders, remote administration programs, user activity monitoring programs, password utilities, and Internet servers for FTP, HTTP, and Telnet. However, if criminals gain access to these programs, some program features could be used to harm a virtual machine or user data.

        Selecting this check box enables protection against legitimate software that could be used by criminals to harm a virtual machine or user data.

        If this check box is cleared, protection against such software is disabled.

        This check box is cleared by default.

      • Multi-packed files

        

        Enables/disables scanning of files that have been packed using one or several packers three or more times.

        If a file was packed by one or several packers three or more times, the file probably contains malware or legitimate software that can be used by criminals to damage your computer or personal data.

        If this check box is selected, protection against multi-packed files is enabled, and the scanning of such files is allowed.

        If this check box is cleared, protection against multi-packed files is disabled.

        This check box is set by default.

      Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

   4. In the Objects to detect window, click OK.
   5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

2. In the Scan powered-on virtual machines section, configure the settings for scanning virtual machines that are powered on while a task is running:
   • Action on threat detection

     

     This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files on powered-on virtual machines:

     • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
     • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

       This action is selected by default.

       Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

     • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
     • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.
   • Scan optical drives

     

     Enables / disables scanning of optical drives.

     If the check box is selected, Kaspersky Security scans files on optical drives (CD, DVD, Blu-Ray) while performing the scan task on virtual machines running Windows operating systems.

     If the check box is cleared, Kaspersky Security does not scan files on optical drives.

     If the check box is selected but the scan task has a defined scan scope that does not include a path to the optical drive, Kaspersky Security does not scan files on the optical drive.

     Kaspersky Security does not scan files on optical drives when scanning powered-off virtual machines, virtual machine templates, or virtual machines running Linux operating systems.

     This check box is cleared by default.

3. In the Scan powered-off virtual machines and virtual machine templates section, configure the settings for scanning virtual machines that are powered off or paused while a task is running, as well as for scanning virtual machine templates:
   • Scan powered-off virtual machines

     

     Enables / disables scanning of powered-off virtual machines.

     If the check box is selected, when performing a scan task Kaspersky Security scans files on powered-off virtual machines (with an NTFS, FAT32, EXT2, EXT3, EXT4, XFS, or BTRFS file system) that are within the task scope. Files on powered-off virtual machines with other file systems are not scanned.

     While a powered off virtual machine is being scanned, it is impossible to turn on or migrate the virtual machine.

     If this check box is cleared, Kaspersky Security does not scan files on the powered-off virtual machines.

     This check box is cleared by default.

   • Scan virtual machine templates

     

     Enables / disables scanning of virtual machine templates.

     If the check box is selected, when Kaspersky Security performs a scan task it scans files on virtual machine templates that are within the task scope.

     If this check box is cleared, Kaspersky Security does not scan files on virtual machine templates.

     This check box is cleared by default.

     The check box is available if the Scan powered-off virtual machines check box is selected.

   • Action on threat detection

     

     This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files on powered-off virtual machines or virtual machine templates:

     • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
     • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

       Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

     • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
     • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.

       This action is selected by default.

     You can select an action if the Scan powered-off virtual machines check box is selected.

4. In the Stop scan section, choose one of the following options:
   • After N minute(s) since task launch

     

     Maximum scan task duration (in minutes). When the specified time limit is reached, the scan task is interrupted even if it has not been completed.

     This option is selected by default.

     You can specify a value in the range of 1 to 4320 in this field. The default value is set to 120 minutes.

   • After completing scan of files on all protected virtual machines

     

     The scan task is performed until files on all protected virtual machines that are within the task scope have been scanned.

5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Configuring the scan scope in a scan task

The scan scope refers to the locations and extensions of files of virtual machines that are scanned by Kaspersky Security when it performs a scan task.

If a scan scope has not been configured, Kaspersky Security scans all files of virtual machines.

When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to scan files in network folders regularly, you must create a task for scanning virtual machines that have shared files and folders, and include those files and folders into the scan task scope.

When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

You can define the scan scope of a task while creating the task (the Defining the scan scope step) or in the task properties after it is created (the Scan scope section).

To configure the scan scope of the task:

1. Select one of the following options:
   • Scan all files and folders except for those specified
   • Scan specified files and folders only
2. If you selected the Scan all files and folders except for those specified option, you can create a list of objects that must be excluded from the scan scope by using the Add, Change and Delete buttons.

   You can exclude objects of the following types from the scan scope:

   • Folders. Files stored in folders at the specified path are excluded from the scan scope. For each folder, you can specify whether to apply the exclusion to subfolders.
   • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from the scan scope.

     You can use the * and ? symbols to specify a file mask.

     Kaspersky Security ignores the case of characters in the paths to files and folders, names and masks of files that are to be excluded from the scan scope.

   You can save a configured list of exclusions to file using the Export button or load a previously saved list of exclusions from file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

   The application distribution kit includes the microsoft_file_exclusions.xml file with the list of exclusions recommended by Microsoft Corporation (see the Microsoft website for the list of exclusions recommended by Microsoft). The microsoft_file_exclusions.xml file is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. You can import this file into exclusions of the scan task. After the import is completed, Kaspersky Security does not scan the objects recommended by Microsoft when it performs a scan task. You can view and edit the list of these objects in the Files and folders table.

   If your exclusions list uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are excluded from the scan scope.

3. If you selected the Scan all files and folders except for those specified option, in the File extensions section you can specify the extensions of files that should be included in the scan scope or excluded from the scan scope.

   To do so, select one of the options below:

   • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan during a scan task. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the scan scope.
   • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan during a scan task. When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files to be included in the scan scope. When scanning virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

     You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

     If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

   Folders excluded from the scan have a higher priority than file extensions that are included in the scan scope. If a file is located in a folder that is excluded from the scan, the application skips this file even if its extension is included in the scan scope.

4. If you selected the Scan specified files and folders only option, use the Add, Change, and Delete buttons to create a list of virtual machine files and folders to scan during the scan task.

   When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in paths to files and directories included in the scan scope. When scanning virtual machines running Windows operating systems, paths to files and folders are not case sensitive.

   If your list of objects requiring scanning uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are included in the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are included in the scan scope.

5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Configuring the Custom Scan task scope

You can configure the scope of a Custom Scan task while creating the task (the Configuring the task scope step) or in the task properties after it is created (the Task scope section).

Custom Scan task created using the main administration plug-in

For a Custom Scan task that was created using the Kaspersky Security main administration plug-in, you can configure the task scope in one of the following ways:

• Specify the virtual machines and/or virtual machine templates whose files you want to scan.
• Specify one or multiple NSX Security Groups that include the virtual machines. Kaspersky Security will scan the files of all virtual machines that are included in the specified NSX Security Groups.

To configure the scope of a Custom Scan task that was created using the main administration plug-in:

1. If you want to include virtual machines and/or virtual machine templates into the task scope, in the drop-down list in the upper part of the window, select the Virtual infrastructure objects option (this option is selected by default). The window displays the VMware virtual infrastructure managed by one VMware vCenter Server in the form of an object tree: VMware vCenter Server, Datacenter objects, VMware clusters, resource pools, vApp objects and virtual machines.

   Select check boxes opposite those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

   If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

2. If you want to include all virtual machines within one or multiple NSX Security Groups into the task scope, in the drop-down list in the upper part of the window, select the NSX Security Groups option.

   Select the check boxes for NSX Security Groups whose virtual machines you want to scan as part of the task being created.

   If one or several NSX Security Groups make up the task scope, when running this task Kaspersky Security does not scan virtual machine templates even if the Scan virtual machine templates check box is selected in the scan settings.

3. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Custom Scan task created using the administration plug-in for tenants

For a Custom Scan task that was created using the Kaspersky Security administration plug-in for tenants, you cannot use NSX Security Groups to define the task scope. You can include individual virtual machines or their combinations in the scope of tasks.

To configure the scope of a Custom Scan task that was created using the administration plug-in for tenants:

1. Select check boxes opposite those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

   If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

2. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Configuring the scan task run schedule

You can configure a schedule for running a scan task while creating the task (the Configuring the task run schedule step) or in the task properties after its creation (the Schedule section).

To configure the task run schedule:

1. Define the values of the following settings:
   • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
   • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

     If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

   • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
     • 0–200 SVMs – task start is not randomized
     • 200-500 SVMs – task start is randomized within the scope of 5 minutes
     • 500-1000 SVMs – task start is randomized within the scope of 10 minutes
     • 1000-2000 SVMs – task start is randomized within the scope of 15 minutes
     • 2000-5000 SVMs – task start is randomized within the scope of 20 minutes
     • 5000-10000 SVMs – task start is randomized within the scope of 30 minutes
     • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
     • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
     • over 50000 SVMs – task start is randomized within the scope of 3 hours

     If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

   • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

     Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

2. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).