Upgrading from a previous version of the application

You can upgrade the following application versions to Kaspersky Security for Virtualization 6.0 Agentless:

• Kaspersky Security for Virtualization 5.0 Agentless
• Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless
• Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless
• Kaspersky Security for Virtualization 4.0 Agentless

Before starting the application update, you need to do the following:

• Download all SVM image files from the Kaspersky website. About validating the SVM image in the application page in the Knowledge Base.
• Place all SVM image files in the same folder on a network resource that is accessible over the HTTP or HTTPS protocol. For example, you can publish SVM images on the Kaspersky Security Center Web Server.
• Make sure that the ports that are required for operation of the application are open in the settings of the network equipment or software used for monitoring traffic.
• Make sure that you have configured the settings of the accounts that are required for installation and operation of the application.
• If you are planning to use network data storage for SVMs, create a network folder for hosting the network data storage and a user account for connecting SVMs. Network data storage is used for storing backup copies of files that have been moved to Backups on SVMs. The amount of space necessary for the network data storage can be estimated based on the following formula: (N+1) GB, where N is the number of SVMs that connect to the network data storage.

The application upgrade procedure depends on the type of infrastructure in which the previous version of the application was installed. The following application upgrade options are available:

• Upgrading the application installed in an infrastructure managed by a VMware vCenter Server and VMware NSX Manager
• Upgrading the application installed in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager, with migration to the VMware NSX platform

Upgrading the application installed in an infrastructure managed by a VMware vCenter server and VMware NSX Manager

Before beginning an upgrade of the application, you are advised to make sure that the VMware virtual infrastructure meets the Kaspersky Security software requirements. If the VMware clusters protected by Kaspersky Security include VMware ESXi 5.5 hypervisors, prior to beginning the application upgrade the following actions must be performed:

1. For all VMware clusters that include one or more VMware ESXi 5.5 hypervisors, remove the deployed Kaspersky Security services. Removal is performed in the VMware vSphere Web Client console (in the Networking & Security → Installation and Upgrade section on the Service Deployments tab).
2. Upgrade all VMware ESXi 5.5 hypervisors for compliance with the Kaspersky Security software requirements or remove all VMware ESXi 5.5 hypervisors from the VMware clusters that you want to protect using Kaspersky Security.

An upgrade consists of the following steps:

1. Updating Kaspersky Security Center For proper functioning of Kaspersky Security for Virtualization 6.0 Agentless, you must upgrade Kaspersky Security Center to one of the supported versions:

   If you want to use Kaspersky Security in a multitenanсy mode, you need to upgrade Kaspersky Security Center to version 11, 12 or 13.1.

   For Kaspersky Security Center update instructions, see the Kaspersky Security Center documentation.

2. Installing the new version of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console.

   If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

3. Updating SVMs with Kaspersky Security components in the virtual infrastructure.

   If you want to use the application in multitenancy mode, you need to configure the settings for connecting the Integration Server to the VMware vCloud Director Server before updating SVMs.

   When an SVM with the File Threat Protection component is updated, the copies of files that were placed in Backup are automatically deleted.

4. Converting policies and tasks from the previous version of the application. If you are upgrading Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to use the Master for conversion.

   If you are upgrading Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

After an upgrade is complete, you are advised to make sure that the application is prepared for operation on new SVMs.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is installed.

Upgrading the application installed in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager, with migration to the VMware NSX platform

An upgrade consists of the following steps:

1. Removing the File Threat Protection and Network Threat Protection components of the previous version of the application. The component removal procedure can be found in the documentation for Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless or Kaspersky Security for Virtualization 4.0 Agentless.

   When an SVM with the File Threat Protection component is removed, the copies of files that were placed in Backup are automatically deleted.

2. Upgrading the VMware virtual infrastructure for compliance with Kaspersky Security software requirements. In the virtual infrastructure, you must remove VMware vShield Manager and deploy VMware NSX for vSphere 6.3.7 or VMware NSX for vSphere 6.4.6. Components of Kaspersky Security for Virtualization 6.0 Agentless cannot operate in an infrastructure managed by a VMware vCenter Server and VMware vShield Manager.
3. Preparing the virtual infrastructure for installation of Kaspersky Security components.
4. Updating Kaspersky Security Center For proper functioning of Kaspersky Security for Virtualization 6.0 Agentless, you must upgrade Kaspersky Security Center to one of the supported versions:

   If you want to use Kaspersky Security in a multitenanсy mode, you need to upgrade Kaspersky Security Center to version 11, 12 or 13.1.

   For Kaspersky Security Center update instructions, see the Kaspersky Security Center documentation.

5. Installing the new version of the Kaspersky Security administration plug-in, Integration Server, and Integration Server Console.

   If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

6. Configuring the settings for connecting the Integration Server to one or more virtual infrastructure administration servers.
7. Registering Kaspersky Security services in VMware NSX Manager.

   If you want to install the File Threat Protection component, you need to register the file system protection service (Kaspersky File Antimalware Protection).

   If you want to install the Network Threat Protection component, you need to register the network protection service (Kaspersky Network Protection).

   The settings required for registration and deployment of Kaspersky Security services are entered through a Wizard that is started from the Integration Server Console. When you have finished entering the settings, Integration Server registers the Kaspersky Security services in VMware NSX Manager.

   In the VMware vSphere Web Client console, you can verify that registration of Kaspersky Security services completed successfully.

8. Deploying SVMs with the File Threat Protection component and SVMs with the Network Threat Protection component on VMware ESXi hypervisors. Deployment of SVMs is performed in the VMware vSphere Web Client console.

   After SVMs are deployed, the Integration Server sends each new SVM the configuration settings that you specified when you registered Kaspersky Security services.

   Deployed SVMs are combined into KSC clusters.

   If you upgrade Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless, Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless, or Kaspersky Security for Virtualization 4.0 Agentless, the Kaspersky Security Center Administration Console also displays the administration groups that were created for KSC clusters of the previous version of Kaspersky Security.

   The KSC cluster for the SVM of the previous version of the application and the administration group created for it are named VMware vCenter "<name>" (<IP address>), where:

   • <name> is the name of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application. If the name of the VMware vCenter Server is not defined or matches its IP address, the name is omitted.
   • <IP address> is the IP address of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application.
9. Configuration of NSX Security Groups and NSX Security Policies.

   To protect virtual machines, you need to do the following in the VMware vSphere Web Client console:

   1. Include virtual machines into one or multiple NSX Security Groups.
   2. Configure one or multiple NSX Security Policies and apply the security policies to the NSX Security Groups.
10. Converting policies and tasks from the previous version of the application. If you are upgrading Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to use the Master for conversion.

    If you are upgrading Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

11. Preparing the application for operation on all SVMs.

If you want to use the application in multitenancy mode, you need to configure protection of tenant organizations after the application is updated.

About installing a new version of the Kaspersky Security administration plug-in and Integration Server

Regardless of the selected application usage option, you need to install the Kaspersky Security main administration plug-in, Integration Server, and Integration Server Console.

If you want to use the application in multitenancy mode, you need to also install Kaspersky Security administration plug-in for tenants.

When the Kaspersky Security Center Administration Console starts for the first time after the Kaspersky Security administration plug-ins are installed, the Quick Start Wizard for the managed application is automatically started. The Wizard lets you create default policies and tasks.

If the Quick Start Wizard for the managed application was not started automatically, it is recommended to start it manually. Default policies let you register events and display protected virtual machines in the Kaspersky Security Center Administration Console immediately after installing the application.

The administration plug-in of the previous version of the application does not need to be manually removed because it is removed automatically.

SVM Update

If you want to use the application in multitenancy mode, it is recommended to configure the settings for connecting the Integration Server to the VMware vCloud Director Server before updating SVMs. If you connect the Integration Server to VMware vCloud Director after updating SVMs, to ensure correct operation of the application you need to perform the additional steps described in the Knowledge Base.

To update SVMs with Kaspersky Security components in the virtual infrastructure:

1. Perform the change settings of Kaspersky Security procedure for each VMware vCenter Server that manages the operation of SVMs with the previous version of the application. During the procedure, specify the addresses of SVM images with the new version of Kaspersky Security components.

   After the Reconfiguration Wizard completes, the Integration Server re-registers the Kaspersky Security services with the new settings.

2. In the VMware vSphere Web Client console, perform one of the following actions:
   • If the VMware cluster included VMware ESXi 5.5 hypervisors and you removed deployed Kaspersky Security services prior to starting the update of the application, deploy Kaspersky Security services on the cluster.
   • If the VMware cluster did not include VMware ESXi 5.5 hypervisors, update the Kaspersky Security services deployed on the cluster (Networking & Security → Installation and Upgrade section, Service Deployments tab, Upgrade action).

If you upgrade Kaspersky Security for Virtualization 5.0 Agentless, new SVMs are put in the same "VMware vCenter Agentless" clusters that contained SVMs with the previous version of the application.

If you upgrade Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless, Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless, or Kaspersky Security for Virtualization 4.0 Agentless, Kaspersky Security Center creates new "VMware vCenter Agentless" clusters for new SVMs. The Kaspersky Security Center Administration Console also displays the administration groups that were created for KSC clusters of the previous version of Kaspersky Security.

The KSC cluster for the SVM of the previous version of the application and the administration group created for it are named VMware vCenter "<name>" (<IP address>), where:

• <name> is the name of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application. If the name of the VMware vCenter Server is not defined or matches its IP address, the name is omitted.
• <IP address> is the IP address of the VMware vCenter Server corresponding to the KSC cluster for the previous version of the application.

Converting policies and tasks

After upgrading the application, you can use the configured policies and tasks of the previous version of Kaspersky Security.

If you upgraded Kaspersky Security for Virtualization 5.0 Agentless, policies and tasks are automatically converted to policies and tasks of Kaspersky Security for Virtualization 6.0 Agentless after policy protection settings and task scan settings are edited and saved for the first time.

If you upgraded Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you need to do the following:

1. Convert policies and tasks using the Policies and Tasks Batch Conversion Wizard of Kaspersky Security Center.

   You can convert policies and tasks that were configured in one of the following versions of the application:

   • Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless
   • Kaspersky Security for Virtualization 4.0 Service Pack 1 Agentless
   • Kaspersky Security for Virtualization 4.0 Agentless

   Converted policies and tasks are named as follows: "<name of original policy or task> (converted)".

2. Copy all converted policies and tasks from the administration group containing the KSC cluster for SVMs of the previous version of the application into the administration group containing the new cluster "VMware vCenter Agentless".

   The administration group containing the KSC cluster for SVMs of the previous version of the application is named as follows: VMware vCenter "<name of the VMware vCenter Server, if it is defined>" (<IP address of the VMware vCenter Server>).

   The administration group containing the new "VMware vCenter Agentless" cluster is named as follows: VMware vCenter Server '<name of the VMware vCenter Server, if one is defined>' (<IP address or domain name of the VMware vCenter Server>) Agentless.

   For more detailed information about copying policies and tasks, please refer to the Kaspersky Security Center documentation.

   After completing an application upgrade, you can delete policies and tasks that were created for the previous version of the application, and delete the administration group containing the KSC cluster for the previous version of the application.

If you upgraded Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or older, you can also use the New Policy Wizard to create new policies based on the existing policies. To do so, at the Entering the group policy name step, you must select the Use settings from policy for previous application version check box (for more details, please refer to the Kaspersky Security Center documentation).

Procedure for converting Kaspersky Security policies and tasks

To convert Kaspersky Security policies and tasks from a previous version:

1. In the Kaspersky Security Center Administration Console, select the Administration Server node.
2. In the context menu of the node, select All Tasks → Policies and Tasks Batch Conversion Wizard.

   The Policies and Tasks Batch Conversion Wizard starts.

3. At the first step of the Wizard, in the Application name list, select Kaspersky Security for Virtualization 6.0 Agentless.

   Proceed to the next step of the wizard.

4. Select the policies to convert. To do so, select the check box on the left of the relevant policy name.

   Proceed to the next step of the Policies and Tasks Conversion Wizard.

   The Kaspersky Security Network window opens. You can read the Kaspersky Security Network Statement in this window.

   To continue the procedure for converting policies and tasks, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:

   • If you accept all the terms of the Statement and want the application to use KSN, select the I have read, understand, and accept the terms of this Kaspersky Security Network Statement option.
   • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

   If necessary, you will be able to change your decision later.

5. Select the tasks to convert. To do so, select the check box on the left of the relevant task name.

   Proceed to the next step of the Policies and Tasks Conversion Wizard.

6. Exit the Policies and Tasks Conversion Wizard.

The converted policies are named "<original policy name> (converted)". The converted tasks are named "<original task name> (converted)".

Special considerations when converting policies and tasks if the application is upgraded

The converted policies and tasks use the values from the settings of policies and tasks of the previous version of Kaspersky Security. Settings that were absent from the policies and tasks of the previous version of the application take the default values.

Selecting the protected infrastructure for a policy

Policies are converted as follows depending on the protected infrastructure selected in the policy of the previous version of the application:

• If a protected infrastructure was selected and protection profiles were assigned to virtual infrastructure objects, conversion will result in the creation of a policy for one VMware vCenter Server. The protected infrastructure selected in the policy and the assignment of protection profiles to virtual infrastructure objects are retained.
• If the protected infrastructure was not selected, the conversion will result in the creation of a policy for entire protected infrastructure. The main protection profile is assigned to all objects of the virtual infrastructure.

  It is recommended to change the protected infrastructure or the location of this policy within the structure of administration groups so that the protected infrastructure selected for the policy matches the location of the policy:

  • If the policy is located in the group that contains the "VMware vCenter Agentless" cluster, the VMware vCenter Server corresponding to this cluster must be selected as the protected infrastructure for the policy.
  • If the policy is located in the Managed devices folder or in the group that contains the "VMware vCloud Director Agentless" cluster, the entire protected infrastructure must be selected as the protected infrastructure for the policy.

Select action automatically option

The Select action automatically option is absent from converted policies and tasks. If this option was selected in a policy or task of the previous version of the application, the following action is selected in the converted policy or task:

• Action on threat detection when protecting virtual machines (policy): Disinfect. Delete if disinfection fails.
• Action on threat detection when scanning virtual machines (task):
  • For powered on virtual machines: Disinfect. Delete if disinfection fails.
  • For powered off virtual machines and virtual machine templates: Block.
• Action on network attack detection (policy): Terminate connection and block traffic from sender's IP address.
• Action on suspicious network activity detection (policy): Terminate connection.
• Action on detection of a dangerous or undesirable web address (policy): Block.

Web Addresses Scan

If Web Addresses Scan was enabled in a policy of the previous version of the application, the Web Addresses Scan settings in the converted policy take the following values:

• Analysis by using the database of malicious web addresses – enabled.
• Analysis by using the database of phishing web addresses – enabled, if it was enabled in the policy of the previous version of the application.
• Scanning web addresses to check if they belong to the category of web addresses that are used for showing advertisements or are associated with the distribution of adware – enabled, if analysis by using the database of malicious web addresses was enabled in the policy of the previous version of the application.
• Scanning web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data – disabled.

If Web Addresses Scan was disabled in a policy of the previous version of the application, it is also disabled in the converted policy.

Case of characters in file extensions

The Network paths are case sensitive parameter is missing from converted policies. When protecting virtual machines running Windows operating systems, Kaspersky Security is not case sensitive regarding the characters in the extensions of files that are to be included in the protection scope.

Main protection profile

In converted policies, the protection profile that is generated automatically when a policy is created is called the "main protection profile". It was called the "root protection profile" in policies of Kaspersky Security for Virtualization 4.0 Service Pack 1 Maintenance Release 1 Agentless or earlier versions.

Special considerations when converting tasks

Converted custom scan tasks use the task scope that was specified in tasks of the previous version of the application.

Converted tasks use the run schedule that was specified in tasks of the previous version of the application.