Events, notifications, and reports
You can receive information about Kaspersky Security operation in the Kaspersky Security Center by using the following resources:
SVMs send service messages (events) containing information about Kaspersky Security operation to the Kaspersky Security Center Administration Server. Information about events is saved in the Administration Server database.
Event importance levels are of the following types:
- Critical event. A critical event indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error. It may indicate problems in the operation of Kaspersky Security or vulnerabilities in the protection of virtual machines.
- Error. This event indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
- Warning. This event requires attention because it emphasizes important situations in the operation of Kaspersky Security and may indicate a possible issue in the future.
- Info. This event informs about successful completion of an operation, proper functioning of the application, or completion of a procedure.
A notification is a message containing information about an event that occurred on an SVM. Notifications keep the user informed about application events in a timely manner. Kaspersky Security Center lets you select the event notification method and configure the settings of event notifications in the policy properties.
For detailed information on events and notifications, see the Kaspersky Security Center documentation.
Kaspersky Security Center uses events to generate different types of reports. You can use reports to obtain the details of infected files, changes to protection settings, and usage of license keys and databases. You can view reports in the Kaspersky Security Center Administration Console.
The virtual machine name displayed in reports and events of Kaspersky Security Center can be the name of the virtual machine or the path to it in the virtual infrastructure.
Configuring notification settings
To configure notifications about events:
- In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the SVM operation settings:
  - In the console tree, select the folder or administration group in which the policy was created.
  - In the workspace, select the Policies tab.
  - Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, select the Event configuration section.
- Select the tab with the name of the level of importance of events for which you want to receive notifications:
  - Critical event.
  - Error.
  - Warning.
  - Info.
- Select the event types for which you want to receive notifications:
  - Use the SHIFT and CTRL keys if you want to select multiple event types.
  - Click the Select all button if you want to select all event types.
- Click the Properties button.
  The Properties of <N events> window opens, where N is the number of event types selected.
- In the Event registration section, select the On Administration Server for (days): check box. Kaspersky Security sends the events of the selected types to the Administration Server of Kaspersky Security Center.
  In the text box, specify the number of days for which you want to store events on the Administration Server. Kaspersky Security Center deletes events after this time has elapsed.
- In the Event notifications section, select the method of notification:
- In the Properties <N events> window, click OK.
- In the Properties: <Policy name> window, click OK.
Report types
You can use reports to obtain information about the operation of Kaspersky Security, such as details on protection deployment, protection status, performance of started tasks, and detected threats.
Kaspersky Security Center offers a selection of reports that contain information on the operation of Kaspersky Security:
- Kaspersky application versions report. Details of application versions installed on client devices (SVMs and the computer on which the Administration Server and the Kaspersky Security Center Administration Console are installed).
- Protection deployment report. Contains details on the deployment of application components.
- Most infected devices report. Contains information about virtual machines that are found to contain the largest number of infected files.
- Threats report. Contains information about viruses and malware that were detected on virtual machines, and information about operations performed by Kaspersky Security on the files in which the threats were detected.
- Key usage report. Contains information about license keys added to the application.
- Errors report. Contains information about errors that occurred during application operation.
- Anti-virus database usage report. Contains information on the versions and status of application databases used on SVMs.
- Network attack report. Contains information about registered network attacks on virtual machines and suspicious network activity in the traffic of protected virtual machines that have been detected by the Network Threat Protection component.
- Web Control report. Contains information about requests by users or applications to access dangerous or undesirable web addresses registered by the Network Threat Protection component.
- Protection status report. Contains information about the protection status of virtual machines.
Kaspersky Security does not provide a report on hardware registry. You can look up information on the hardware of SVMs in the VMware vSphere Web Client console.
Each report consists of a summary table and a table with detailed information. You can configure the content of fields shown in each table.
This Guide describes how to work with reports of Kaspersky Security Center 11.
For details on managing reports, see the Kaspersky Security Center documentation.
Kaspersky application versions report
The Kaspersky application versions report contains information about the versions of Kaspersky Security components that are installed on SVMs and versions of Kaspersky Security Center components that are installed on client devices (SVMs and the devices on which the Kaspersky Security Center Administration Server and/or the Kaspersky Security Center Network Agent are installed).
It contains the following consolidated information:
- Application. Name of the installed Kaspersky Security component or Kaspersky Security Center component. For Kaspersky Security components, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
- Version number. Version number of the installed Kaspersky Security component or Kaspersky Security Center component.
- Devices. For Kaspersky Security components, the number of SVMs on which Kaspersky Security components are installed is displayed; for Kaspersky Security Center, the number of devices on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
- Groups number. For Kaspersky Security components, the number of administration groups that include the SVMs is displayed; for Kaspersky Security Center, this field displays the number of administration groups that include devices on which the Kaspersky Security Center Network Agent and/or Administration Server are installed.
The row below contains the following consolidated information:
- Total applications. The total number of different versions of Kaspersky Security components and Kaspersky Security Center components installed on client devices.
- Installations. The total number of installations of these components on the client devices.
- Devices. The total number of client devices on which Kaspersky Security components and Kaspersky Security Center components are installed.
- Groups number. The total number of administration groups that include these client devices.
The report contains the following detailed information:
- Application. Name of the installed Kaspersky Security component or Kaspersky Security Center component. For Kaspersky Security components, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
- Version number. Version number of the installed Kaspersky Security component or Kaspersky Security Center component.
- Group. For Kaspersky Security components, the name of the administration group that includes the SVM with the installed Kaspersky Security component is displayed; for Kaspersky Security Center, the name of the administration group that includes the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
- Device. For Kaspersky Security components, the name of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the name of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
- Installed. The date and time of installation of the Kaspersky Security component or the Kaspersky Security Center component on the client device.
- Last visible. The date and time when the client device was last visible on the enterprise LAN.
- Previous connection to Administration Server. The date and time of the client device's last connection to the Kaspersky Security Center Administration Server.
- IP address. For Kaspersky Security components, the IP address of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the IP address of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
- DNS name. For Kaspersky Security components, the domain name of the SVM on which the component is installed is displayed; for Kaspersky Security Center components, the name of the device on which the Kaspersky Security Center Network Agent and/or Administration Server are installed is displayed.
Protection deployment report
The protection deployment report contains information on the Kaspersky protection components installed on the Kaspersky Security Center client devices (on SVMs and the computer on which the Kaspersky Security Center Network Agent is installed).
It contains the following consolidated information:
- Protection components. Possible options for installing Kaspersky applications and components on client devices:
- Network Agent and anti-virus protection are installed
- Network Agent only is installed
- Network Agent and anti-virus protection are not installed
- Devices. The number of SVMs and computers on which the specified components and applications are installed.
In the row below, the Devices field shows the total number of SVMs and computers on which Kaspersky protection components are installed.
The report contains the following detailed information:
- Group. The name of the administration group that includes the SVM with the installed Kaspersky Security component, or the name of the administration group that includes the computer on which the Kaspersky Security Center Network Agent is installed.
- Device. The name of the SVM with the installed Kaspersky Security component or the name of the computer on which the Kaspersky Security Center Network Agent is installed.
- Network Agent version. The version of Kaspersky Security Center Network Agent installed on the client device.
- Security application name. The name of the installed application providing anti-virus protection. For Kaspersky Security, the field shows Kaspersky Security for Virtualization 6.0 Agentless.
- Security application version. The version of the installed application providing anti-virus protection.
Most infected devices report
The most infected devices report contains information about the protected virtual machines that are found to contain the largest number of infected files during scanning.
The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.
It contains the following consolidated information:
- Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
- Objects infected. The total number of objects detected on the protected virtual machine in the reporting period.
- Different objects. The number of different objects that have been detected on the protected virtual machine in the reporting period.
- First attempted run blocked. The date and time of the first detection of the object on the protected virtual machine.
- Last attempted run blocked. The date and time of the last detection of the object on the protected virtual machine.
- Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
- IP address. The IP address of the protected virtual machine on which the object was detected.
- NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
In the line below, the Devices infected field specifies the number of protected virtual machines found to contain the largest number of infected files during scanning. The Groups infected field always displays a 0, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
The report contains detailed information about each instance of detection:
- Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
- Detected object. The name of the object that has been detected on the protected virtual machine.
- Detected at. The date and time of object detection on the protected virtual machine.
- Path to file. The path to the protected virtual machine file in which the object has been detected.
- Object type. The type of object detected.
- Action. The result of the action taken by Kaspersky Security on the detected object.
- Application. The name of the application providing anti-virus protection. For Kaspersky Security, the field shows Kaspersky Security for Virtualization 6.0 Agentless or Kaspersky Security for Virtualization 6.0 Agentless (for tenants).
- Version number. The version number of the application providing anti-virus protection.
- Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
- IP address. The IP address of the protected virtual machine on which the object was detected.
- NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
- Component. The name of the component that detected the threat. Possible values: Scan task, File Threat Protection.
- Detection technology. The technology used for detecting the threat. Possible values: Expert analysis, Automatic analysis, Cloud analysis.
Threats report
The threats report contains information on viruses and other malware detected on protected virtual machines, as well as the details of the results of the actions performed on the files in which the threats were detected.
The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.
It contains the following consolidated information:
- Detected object. The name of the object that has been detected on protected virtual machines.
- Object type. The type of object detected.
- Objects infected. The total number of the specified objects detected on all protected virtual machines during the reporting period.
- As rated by KSN. The number of objects detected with KSN.
- Different files. The number of files containing the detected object.
- Devices infected. The number of protected virtual machines on which the specified objects have been detected.
- First attempted run blocked. The date and time of the first detection of the object on the protected virtual machines.
- Last attempted run blocked. The date and time of the last detection of the object on the protected virtual machines.
The row below contains the following consolidated information:
- Different objects. The total number of different objects detected on all protected virtual machines during the reporting period.
- Different files. The total number of files containing detected objects on all protected virtual machines.
- Devices infected. The total number of protected virtual machines on which the objects were detected in the reporting period.
- Groups infected. The total number of Kaspersky Security Center administration groups that include the devices on which the objects were detected. This field always displays a 0, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
The report contains the following detailed information about each instance of threat detection:
- Device. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
- Detected object. The name of the object that has been detected on the protected virtual machine.
- Detected at. The date and time of object detection on the protected virtual machine.
- File path. The path to the file containing the detected object on the protected virtual machine.
- Object type. The type of object detected.
- Action. The result of the action taken by Kaspersky Security on the detected object.
- Application. The application that detected the object.
- Version number. The version number of the application that detected the object.
- Last visible. The date and time of the last event associated with the protected virtual machine on which the object was detected.
- IP address. The IP address of the protected virtual machine on which the object was detected.
- NetBIOS name, DNS name. The name of the protected virtual machine on which the object was detected, and the path to the virtual machine in the virtual infrastructure.
- Component. The name of the component that detected the threat. Possible values: Scan task, File Threat Protection.
- Detection technology. The technology used for detecting the threat. Possible values: Expert analysis, Automatic analysis, Cloud analysis.
Errors report
The errors report contains information about errors that occurred in application operation.
The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.
It contains the following consolidated information:
- Error type. The type of error detected in the operation of the application. For example: Task ended with an error.
- Number of errors. The number of registered errors of the specified type.
- Number of products. The number of applications in which the error of this type has been detected.
- Devices. The number of SVMs on which the specified type of error was registered, or the number of protected virtual machines on which the specified type of error was registered during a scan or protection.
- Groups number. The number of administration groups that include the SVMs on which the specified type of error was detected. For errors detected during a scan or protection of the virtual machines, 0 is displayed, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
- First detection time. The date and time of the first detection of the error.
- Last detection time. The date and time of the last detection of the error.
The row below contains the following consolidated information:
- Total errors. The total number of errors detected in the reporting period.
- Error types. The total number of error types detected in the reporting period.
- Devices. The total number of SVMs on which the errors were registered and the number of protected virtual machines on which the errors were registered during a scan or protection.
- Groups number. The total number of administration groups that include SVMs on which the errors were detected. Errors detected during a scan or protection of the virtual machines are not considered when counting the number of groups, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
The report contains the following detailed information about each error:
- Group. The name of the administration group that includes the SVM on which the error was registered. For errors detected during a scan or protection of the virtual machines, N/A is displayed, because protected virtual machines cannot belong to Kaspersky Security Center administration groups.
- Device. The name of the SVM on which the error was registered, or the name of the protected virtual machine on which the error was detected during a scan or protection.
- Application. The name of the application in which the error was registered.
- Error type. The type of error. For example: Task ended with an error.
- Error description. Detailed error description.
- Detected. The date and time when the error occurred.
- Task. The task during which the error was registered. If the error is not related to task execution, N/A is displayed.
- IP address. The IP address of the SVM on which the error was registered, or the IP address of the protected virtual machine on which the error was registered during a scan or protection.
- Last visible. The date and time when the SVM was last visible on the enterprise LAN, or the date and time of the last event associated with the protected virtual machine.
- Last connection to Administration Server. The date and time of the last connection between the SVM on which the error was registered and the Kaspersky Security Center Administration Server.
- NetBIOS name. The name of the protected virtual machine on which the error was registered during a scan or protection.
- DNS name. The domain name of the SVM on which the error was registered, or the name of the protected virtual machine on which the error was registered during a scan or protection, and the path to it in the virtual infrastructure.
Anti-virus database usage report
The anti-virus database usage report contains information about the versions and status of the application databases that are used on SVMs.
It contains the following consolidated information:
- Created. The date and time of creation of the application databases that are used on SVMs.
- Number of records. The number of records in the databases.
- Devices. The number of SVMs on which these databases are used.
- Groups number. The number of administration groups that include the SVMs with the utilized application databases.
- Anti-virus database status. Information on whether the application databases used on SVMs are considered up-to-date. The databases on SVMs are considered up-to-date if the date and time of their release match the date and time of release of the databases in the storage of Kaspersky Security Center Administration Server.
The row below contains the following consolidated information:
- Total number of database sets used. The total number of the application database sets used on SVMs.
- Up to date. The number of application databases with “up-to-date” status used on SVMs.
- Updated during last 24 hours. The total number of the databases updated on SVMs over the last 24 hours.
- Updated during last 3 days. The total number of the databases updated on SVMs over the last 3 days.
- Updated during last 7 days. The total number of the databases updated on SVMs over the last 7 days.
- Updated more than a week ago. The total number of the databases updated on SVMs more than 7 days ago.
The report contains the following detailed information:
- Group. The name of the administration group that includes the SVMs with the utilized databases.
- Device. The name of the SVM.
- Application. The name of the application installed on the SVM.
- Version number. The number of the application version installed on the SVM.
- Created. The date and time of creation of the application databases that are used on SVMs.
- Number of records. The number of records in the databases.
- IP address. The IP address of the SVM.
- DNS name. The domain name of the SVM containing the utilized databases.
- Last visible. The date and time when an SVM was last visible on the corporate LAN.
- Last connection to Administration Server. The date and time of the last connection between the SVM and the Kaspersky Security Center Administration Server.
- Anti-virus database status. Information on whether the application databases used on SVMs are considered up-to-date. The databases on SVMs are considered up-to-date if the date and time of their release match the date and time of release of the databases in the storage of Kaspersky Security Center Administration Server.
- Network Agent version. The version of Kaspersky Security Center Network Agent installed on the SVM containing the utilized databases.
Network attack report
The network attack report contains information about registered network attacks targeting the protected virtual machines and about suspicious network activity detection that may be a sign of an intrusion into the protected infrastructure.
By default, the template of the network attack report is not included in the list of report templates on the Reports tab. Use the Report Template Wizard to add a network attack report template to the list of templates (see the Kaspersky Security Center documentation for details). After the Wizard finishes, the newly created report template will be added to the list on the Reports tab.
The Period field displays the period of time covered by the data included in the report.
It contains the following consolidated information:
- Attack. The type of network attack or suspicious network activity.
- Attacks count. The number of registered network attacks or suspicious network activities of this type.
- Attacking addresses. The number of IP addresses from which network attacks have been registered or which showed the suspicious network activity of this type.
- Devices attacked. The number of protected virtual machines whose traffic displayed activity typical of network attacks or suspicious network activity of this type.
- Groups attacked. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
- First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of this type.
- Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of this type.
The row below contains the following consolidated information:
- Attacks count. The number of registered network attacks or suspicious network activities of all types.
- Various attacks. The number of types of registered network attacks or suspicious network activities.
- Attack IPs. The total number of IP addresses from which network attacks have been registered or which showed the suspicious network activity.
- Devices attacked. The total number of protected virtual machines whose traffic displayed activity typical of network attacks or suspicious network activity.
- Groups attacked. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
- First attempted run blocked. The date and time of the first detection of the activity typical of network attacks or suspicious network activity of all types.
- Last attempted run blocked. The date and time of the last detection of the activity typical of network attacks or suspicious network activity of all types.
The report contains the following detailed information on each detection of the activity typical of network attacks or suspicious network activity:
- Group. Kaspersky Security always displays pseudohosts in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
- Device. The name of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
- Attacking address. The IP address from which the network attack has been registered or which showed the suspicious network activity.
- Attack time. The date and time of the network attack or suspicious network activity detection.
- Attack. The type of network attack or suspicious network activity.
- Protocol. The connection protocol in which the network attack or suspicious network activity was detected.
- Port. The number of the port targeted by the network attack or which showed the suspicious network activity.
- Last visible. The date and time of the last event associated with the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
- IP address. The IP address of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered.
- NetBIOS name, DNS name. The name of the protected virtual machine in whose traffic the network attack or suspicious network activity was registered, and the path to the virtual machine in the virtual infrastructure.
- Version number. The version number of the Network Threat Protection component of Kaspersky Security.
- Attacked interface address. The IP address on which the network attack was attempted.
Web Control report
The Web Control report contains information about attempts by users or applications installed on protected virtual machines to access dangerous or inadvisable web addresses that belong to the web address categories selected for detection.
The Period field displays the period of time covered by the data included in the report. By default, the report contains data for the last 30 days, including the report generation date.
It contains the following consolidated information:
- Result. The result of the action taken by Kaspersky Security when it detects an attempt to access a dangerous or undesirable web address.
- Rule. The network rule applied by the application when it takes action in response to a detected attempt to access a dangerous or undesirable web address. Possible values for Kaspersky Security:
Kaspersky Security for Virtualization Agentless: Attempt to access a malicious web address
Kaspersky Security for Virtualization Agentless: Attempt to access a phishing web address
Kaspersky Security for Virtualization Agentless: Attempt to access an advertising web address
Kaspersky Security for Virtualization Agentless: Attempt to access a web address from the "Other" category
- Attempts. Number of attempts to access a dangerous or undesirable web address.
- User accounts. The number of protected virtual machines from which attempts were made to access a dangerous or undesirable web address.
- Web address. The number of dangerous or undesirable web addresses for which access attempts were detected.
- Devices. The number of protected virtual machines from which attempts were made to access a dangerous or undesirable web address.
- Administration groups. Kaspersky Security always displays 1 in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
- First attempt. The date and time of the first attempt to access a dangerous or undesirable web address.
- Last attempt. The date and time of the last attempt to access a dangerous or undesirable web address.
The row below contains the following consolidated information:
- Rules. The number of network rules that determine which action the application takes when it detects an attempt to access a dangerous or undesirable web address. For Kaspersky Security, the value in this field is 4.
- Blocked attempts. The number of attempts to access dangerous or undesirable web addresses blocked by Kaspersky Security.
- Warnings. The number of attempts to access dangerous or undesirable web addresses that were allowed according to the application settings.
- Blocked web addresses. The number of dangerous or undesirable web addresses that were blocked by Kaspersky Security.
- Web addresses with warnings. The number of dangerous or undesirable web addresses that were allowed to be accessed according to the application settings.
- Blocked users. The number of protected virtual machines from which attempts were made to access blocked web addresses.
- Warned users. The number of protected virtual machines for which Kaspersky Security allowed access to dangerous or undesirable web addresses.
- First blocked attempt. The date and time of the first attempt to access a dangerous or undesirable web address that was blocked by Kaspersky Security.
- Last blocked attempt. The date and time of the last attempt to access a dangerous or undesirable web address that was blocked by Kaspersky Security.
- First warning. The date and time of the first attempt to access a dangerous or undesirable web address that was allowed according to the application settings.
- Last warning. The date and time of the last attempt to access a dangerous or undesirable web address that was allowed according to the application settings.
The report contains the following detailed information for each attempt to access a dangerous or undesirable web address:
- Result. The result of the action taken by Kaspersky Security when it detects an attempt to access a dangerous or undesirable web address.
- Rule. The network rule applied by the application when it takes action in response to a detected attempt to access a dangerous or undesirable web address. Possible values for Kaspersky Security:
  - Kaspersky Security for Virtualization Agentless: Attempt to access a malicious web address
  - Kaspersky Security for Virtualization Agentless: Attempt to access a phishing web address
  - Kaspersky Security for Virtualization Agentless: Attempt to access an advertising web address
  - Kaspersky Security for Virtualization Agentless: Attempt to access a web address from the "Other" category
- User account. The IP address of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
- Web address. The dangerous or undesirable web address for which an access attempt was detected.
- Time. The date and time when an attempt to access a dangerous or undesirable web address was detected.
- Group. Kaspersky Security always displays pseudohosts in this field, because all protected virtual machines are assigned to one "pseudohosts" conditional group. The "pseudohosts" group does not belong to administration groups and is not displayed in the Kaspersky Security Center Administration Console. Protected virtual machines cannot belong to administration groups, because they are not considered as client devices of Kaspersky Security Center.
- Device. The name of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address, and the path to the virtual machine in the virtual infrastructure.
- Version number. The version number of the Kaspersky Security Network Threat Protection component that detected the attempt to access a dangerous or undesirable web address.
- Last visible on the network. The date and time of the last event associated with the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
- IP address. The IP address of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address.
- NetBIOS name, DNS name. The name of the protected virtual machine from which an attempt was made to access a dangerous or undesirable web address, and the path to the virtual machine in the virtual infrastructure.
- As rated by KSN. Information about whether the attempt to access a dangerous or undesirable web address was detected using KSN. Possible values: Yes or No.
Protection status report
The Protection status report contains details on the status of the security application (Kaspersky Security) installed on the client devices of Kaspersky Security Center (SVMs) and details on the protection status of the virtual machines.
You can use a protection status report to obtain information about problems in virtual infrastructure protection. By default, the report displays devices with Critical and Warning statuses. If necessary, you can configure the report to include the information on devices with OK status in the report properties window of the Settings section.
It contains the following consolidated information:
- Status. The status of the client device (SVM) or virtual machine protection status.
- Reason. The reason(s) why the current status was assigned.
- Unprotected devices. The number of SVMs and virtual machines that have the specified reason for being assigned the status.
- Group number. The number of administration groups that include the SVMs that have the specified reason for being assigned the client device status. The number of administration groups that include the SVMs protecting the virtual machines is shown for virtual machines that have the specified reason for being assigned the protection status.
In the row below, the Unprotected devices field indicates the total number of SVMs and virtual machines added to the report. The Group number field displays the number of administration groups that include the SVMs added to the report, and SVMs protecting the virtual machines added to the report.
The report contains the following detailed information on SVMs and on virtual machines added to the report:
- Status. The status of the client device (SVM) or virtual machine protection status.
- Group. The name of the administration group that includes the SVM, for SVMs added to the report. The name of the administration group that includes the SVM protecting the virtual machine, for virtual machines added to the report.
- Device. The name of the SVM or name of the virtual machine.
- Last connection to Administration Server. The date and time of the last connection between the SVM and the Kaspersky Security Center Administration Server, for SVMs added to the report. For virtual machines added to the report, N/A is displayed.
- Reason. The reason why the current client device status was assigned to the SVM or why the protection status was assigned to the virtual machine.
- Device status defined by application. The reason for assignment of the status, if Kaspersky Security Center received the device status from a managed application, meaning from Kaspersky Security.
- IP address. The IP address of the SVM or of the virtual machine. If the IP address could not be determined (for example, when the virtual machine is powered off), the report shows 0.0.0.0.
- Last visible. The date and time of the SVM's last connection to the Kaspersky Security Center Administration Server or the date and time of the last event related to the virtual machine.
- NetBIOS name. The name of the virtual machine and the path to it in the virtual infrastructure.
- DNS name. The domain name of the SVM or the name of the virtual machine and the path to it in the virtual infrastructure.
- Operating system. Operating system installed on the SVM or on the virtual machine.
- Anti-virus database release date. The date and time of the release of the application databases currently installed on the SVM, for SVMs added to the report. The date and time of the release of the application databases currently installed on the SVM protecting the virtual machine, for virtual machines added to the report.
- Last full scan. Date and time when the last Full Scan task was finished.
View reports
To view a report:
- In the Kaspersky Security Center Administration Console, select the Administration Server node.
- In the workspace of the node, go to the Reports tab and select the report template that you want to view.
A report generated from the selected template is displayed in the workspace.
By default, the template of the network attack report is not included in the list of report templates on the Reports tab. Use the Report Template Wizard to add a network attack report template to the list of templates (see the Kaspersky Security Center documentation for details). After the Wizard finishes, the newly created report template will be added to the list on the Reports tab.
The report shows the following information:
- Report type and name, brief report description and reporting period, and details of the group for which the report has been generated
- Chart that illustrates the most representative report data
- Consolidated table with calculated report indicators
- Table with detailed report data
For more information on managing reports, see the Kaspersky Security Center documentation.
Viewing application operation statistics
You can view statistics on the operation of Kaspersky Security on each SVM in the Kaspersky Security Center Administration Console.
To view statistics of application operation on SVMs:
- In the Kaspersky Security Center Administration Console, open the SVM properties window:
  - Select the administration group containing the KSC cluster that includes the relevant SVM.
  - In the workspace, select the Devices tab.
  - In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.
  The Properties: <SVM name> window opens.
- In the SVM properties window in the list on the left, select the Applications section.
A list of applications that are installed on this SVM appears in the right part of the window.
- Select Kaspersky Security for Virtualization 6.0 Agentless and click the Statistics button located under the applications list.
The Statistics window opens.
If you have selected an SVM with the File Threat Protection component, the following information is displayed in the Statistics window:
- Information on application databases. The date and time of release of application databases, or information stating that the application databases are corrupted.
This information is displayed only if the application databases have been installed.
- Version info. The version of the EPSEC library installed on the SVM.
- License info. The number of days remaining until license expiration, or information stating that the license has expired or the license key has been blocked. If you are using the application under unlimited subscription, the value is Not installed.
- General statistics. The number of objects scanned on the SVM during protection of virtual machines and during scan tasks since the application was installed.
- Most scanned files. The 20 most frequently scanned files over the past 24 hours.
- Statistics for the past 24 hours. The number of objects scanned on the SVM over the past 24 hours during protection of virtual machines and during scan tasks.
- Statistics for the past 30 days. The number of objects scanned on the SVM over the past 30 days during protection of virtual machines and during scan tasks.
- Statistics for the past 7 days. The number of objects scanned on the SVM over the past 7 days during protection of virtual machines and during scan tasks.
If you have selected an SVM with the Network Threat Protection component, the following information is displayed in the Statistics window:
- Information on application databases. The date and time of release of application databases, or information stating that the application databases are corrupted.
This information is displayed only if the application databases have been installed.
- License info. The number of days remaining until license expiration, or information stating that the license has expired or the license key has been blocked. If you are using the application under unlimited subscription, the value is Not installed.
- General statistics. The number of network packets processed on the SVM during protection of virtual machines since the application was installed.
- Statistics for the past 24 hours. The number of network packets processed on the SVM over the past 24 hours.
- Statistics for the past 30 days. The number of network packets processed on the SVM over the past 30 days.
- Statistics for the past 7 days. The number of network packets processed on the SVM over the past seven days.
Information in the Statistics window is refreshed when the window is opened, or by clicking the Refresh button located in the upper part of the window. Information is not updated in real time.