Protection status

Information on virtual infrastructure protection status is displayed in Kaspersky Security Center using on of the following methods:

• By the client device status (OK, Critical, Warning). In the case of Kaspersky Security for Virtualization 6.0 Agentless, a client device of Kaspersky Security Center is an SVM. Protected virtual machines are not considered client devices from the perspective of Kaspersky Security Center because the Kaspersky Security Center Network Agent is not installed on them. When problems are detected in the Kaspersky Security application operation or in the protection of virtual machines, the status of the SVM that protects those virtual machines changes.

  The Kaspersky Security Center client device status may change to Critical or Warning for the following reasons:

  • The status changes according to the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, anti-virus databases are out of date, or the license has expired. For more details about the reasons for status changes and configuring status assignment conditions, please refer to the Kaspersky Security Center documentation.
  • Kaspersky Security Center receives the device status from the managed application, i.e. Kaspersky Security.

    Kaspersky Security Center must be configured to receive the device status from the managed application. To ensure that this function is enabled, in the properties of the Managed devices folder, in the Device status section, make sure that the Defined by the application check boxes are selected in the lists of conditions for the Critical and Warning statuses.

    Kaspersky Security may change the SVM status to Critical or Warning in the following cases:

    • The application is not activated or problems associated with the key or license are detected (for example, the key is blacklisted).
    • The SVM is not connected to the Integration Server or there were problems receiving information about the protected virtual infrastructure.
    • Problems and limitations have been detected in KSN operation (an error occurred when connecting to KSN, temporary restriction on use of KSN is enabled, KSN settings in the policy do not match the KSN settings in the properties of the Kaspersky Security Center Administration Server).
    • Application databases are missing or an error occurred when downloading them.
    • Errors were detected in application components (for example, a virus scan is not being performed, errors were detected in Network Attack Blocker functionality or suspicious network activity was detected, web addresses scan is not being performed).
    • Problems were detected in the interaction between an SVM and network data storage (if the use of network data storage is configured for the SVM).

  For details on client device statuses, see the Kaspersky Security Center documentation. Information on the client device (SVM) statuses can be viewed in the device list of the Kaspersky Security Center Administration Console and in the protection status report.

• By the virtual machines protection status. Information on the virtual machines protection status can be viewed in protection status report.

  Protected virtual machines are not considered as client devices of Kaspersky Security Center, and cannot be assigned the client device status. The report shows the protection status, assigned to the virtual machine by Kaspersky Security Center based on the information received from the SVM, protecting this virtual machine.

  Virtual machine protection status can be changed to Critical or Warning, if the following information is received from the SVM:

  • The virtual machine has "not protected" status. Information on the virtual machine status (protected, not protected, powered off) can be viewed in the list of virtual machines within the KSC cluster protected infrastructure.
  • A virus scan has not been performed in a long time on the virtual machine.
  • The application databases have not been updated for a long time on the SVM, protecting the virtual machine.

About security tags

Kaspersky Security can assign the following security tags to a protected virtual machine:

• ANTI_VIRUS.VirusFound.threat=high. The tag is assigned to a virtual machine on which viruses or other malware were detected.
• IDS_IPS.threat=high. The tag is assigned to a virtual machine whose traffic displayed activity typical of network attacks or activity that may be a sign of an intrusion into the protected infrastructure.

You can view the security tags assigned to a virtual machine by viewing the virtual machine properties in the VMware vSphere Web Client console (in the Hosts and Clusters section on the Summary tab).

The ANTI_VIRUS.VirusFound.threat=high security tag is automatically removed if no viruses or other malware are detected when a scan task is completed on the virtual machine. The IDS_IPS.threat=high security tag can be manually removed.

You can manually assign or remove security tags.

Viewing information about virtual machines within the KSC cluster protected infrastructure

To view the list of virtual machines within the KSC cluster protected infrastructure:

1. In the Kaspersky Security Center Administration Console, in the Managed devices folder, select the administration group containing the KSC cluster and then select the Clusters and server arrays subfolder.
2. In the workspace, select the KSC cluster and double-click the Properties: <KSC cluster name> window to open it.
3. In the KSC cluster properties window, select the List of virtual machines section.

   The right part of the window displays a list of all virtual machines that are part of the protected infrastructure of this KSC cluster.

   The list does not show virtual machine templates and SVMs.

   The list of virtual machines is displayed as a table containing the following columns:

   • Status

     

     Virtual machine status. The following icons signify the virtual machine status:

     •  – the virtual machine is protected. A virtual machine is considered to be protected only if file protection is applied to it, which means that it is under the protection of an SVM with the File Threat Protection component installed. The presence of network protection does not affect the virtual machine status.
     •  – the virtual machine is not protected. A virtual machine is considered to be unprotected if file protection is not applied to it. The presence of network protection does not affect the virtual machine status.
     •  – the virtual machine is powered off or paused.

     Information about network protection of a virtual machine is displayed in the detailed list of virtual machines.

   • VM name

     

     Virtual machine name within the KSC cluster protected infrastructure.

   • Path to VM

     

     Virtual infrastructure path to the virtual machine within the KSC cluster protected infrastructure.

4. To view additional information about virtual machines within the KSC cluster protected infrastructure, click the Detailed information button. A table containing a detailed list of virtual machines opens in a separate window.

   The table displays information about the status of protection indicated in the Protection type field located above the table. You can select one of the following values:

   • File system protection. Select this option if you want to view information on the status of virtual machine file threat protection. This option is selected by default.
   • Network protection. Select this option if you want to view information on the status of network protection of virtual machines.

   The table columns show the following additional details of each virtual machine:

   • Status

     

     Virtual machine status.

     If File system protection is selected in the Protection type field, the status is designated as follows:

     •  – the virtual machine is under the protection of an SVM that has the File Threat Protection component installed.
     •  – file protection is not applied to the virtual machine.
     •  – the virtual machine is powered off or paused.

     If Network protection is selected in the Protection type field, the status is designated as follows:

     •  – the virtual machine is under the protection of an SVM that has the Network Threat Protection component installed.
     •  – the virtual machine is not protected against network threats.
     •  – the virtual machine is powered off or paused.

     The virtual machine status does not depend on traffic processing mode used by the Network Threat Protection component.

   • Tenant

     

     If a virtual machine belongs to a tenant organization, the column contains the name of the virtual Administration Server of Kaspersky Security Center that is used for managing the protection of this tenant organization. If the virtual machine does not belong to any tenant organization, No is displayed in the column.

     The column is displayed only if File system protection is selected in the Protection type field.

   • NSX security policy

     

     If File system protection is selected in the Protection type field, the column contains information about whether or not the virtual machine has an applied NSX Security Policy that is configured to use the file system protection service (Kaspersky File Antimalware Protection).

     If Network protection is selected in the Protection type field, the column contains information about whether or not the virtual machine has an applied NSX Security Policy that is configured to use the network protection service (Kaspersky Network Protection) and to redirect traffic to the network protection service (the Redirect to service parameter is enabled).

     If an NSX Security Policy is not applied on a virtual machine, Kaspersky Security does not protect this virtual machine.

   • Available protection functions

     

     If File system protection is selected in the Protection type field, the column contains information about file protection functions available for a virtual machine.

     Possible values:

     • Protection and Scan – Kaspersky Security can protect a virtual machine, and can scan a virtual machine while performing scan tasks.
     • Scan only – Kaspersky Security can scan a virtual machine while performing a scan task that is configured to scan powered-off virtual machines.
     • Not available – the virtual machine is not protected; the File Threat Protection component is not receiving information about the virtual machine from the Guest Introspection service.
     • Unknown – there is no available information on the virtual machine protection status. Possibly, the hypervisor on which the virtual machine is operating has no SVM with the File Threat Protection component.

     If Network protection is selected in the Protection type field, the column contains information about network threat protection functions available for a virtual machine.

     Possible values:

     • Standard mode protection – virtual machine network protection is operating in standard mode.
     • Monitoring mode protection – virtual machine network protection is operating in monitoring mode (Kaspersky Security is not taking actions to prevent threats).
     • Not available – the virtual machine is not protected; the Network Threat Protection component is not receiving information about the virtual machine from the virtual filter (VMware DVFilter).
     • Unknown – there is no available information on the virtual machine protection status. Possibly, the hypervisor on which the virtual machine is operating has no SVM with the Network Threat Protection component.
   • OS type

     

     Type of operating system installed on the virtual machine. Possible values:

     • Server – if a server operating system is installed on the virtual machine.
     • Desktop – if a desktop operating system is installed on the virtual machine.
     • Not defined – if the virtual machine is powered off, an operating system is not installed on the virtual machine, or the Guest Introspection driver (NSX File Introspection Driver) is not installed.

     The column is displayed only if File system protection is selected in the Protection type field.

   • Protection profile

     

     The protection profile assigned to the virtual machine. Possible values:

     • <protection profile name> – if an additional protection profile is assigned to the virtual machine.
     • Main – if the main protection profile is assigned to the virtual machine.
     • Not assigned – if a protection profile is not assigned to the virtual machine.
     • No – if the virtual machine is powered off or not protected.
     • Protection is disabled – if protection of all objects of the protected infrastructure is disabled in the policy that determines this virtual machine's protection settings.

     The column is displayed only if File system protection is selected in the Protection type field.

   • Key type

     

     Information about the key added to the SVM that protects the virtual machine.

     Possible values:

     • For servers, For desktops, With a limitation on the number of processor cores, With a limitation on the number of processors – depending the type of key added to the SVM.
     • No – if the virtual machine is not protected or is powered off.

     The column is displayed only if File system protection is selected in the Protection type field.

   • Database update

     

     The amount of time since the release of anti-virus databases installed on the SVM that protects the virtual machine. If the databases have not been updated, the virtual machine is powered off or not protected, No is displayed in the column.

     The column is displayed only if File system protection is selected in the Protection type field.

   • Scan date

     

     Date and time when any scan task for the virtual machine was last started. If a scan has not been performed on the virtual machine, Never started is displayed in the column.

     The column is displayed only if File system protection is selected in the Protection type field.

In the main and detailed lists of virtual machines, you can perform the following operations:

• Sort the list by any column of the table.
• Filter the list by protection status.
• Search for a virtual machine in the list.
• Export the list of virtual machines to a file in XML or CSV format.

The main and detailed lists of virtual machines are automatically refreshed every 5 minutes. If required, you can refresh the list at any time by clicking the Refresh list button.

To filter the list of virtual machines by protection status,

click one of the following buttons:

• – show protected virtual machines
• – show unprotected virtual machines
• – show turned off and paused virtual machines

You can combine filtering conditions by pressing several buttons.

To cancel filtering of the list of virtual machines, click the button.

To search for a virtual machine in the list,

Enter a virtual machine search condition in the search field.

In the main list of virtual machines, you can perform a search based on the value of any column except the Status column. In the detailed list of virtual machines, you can perform a search based on the value of any column except the Status, Scan date and Database update columns.

To export the list of virtual machines to a file in XML or CSV format,

Click the Export list button. In the window that opens, specify the name and format of the file.

Information about virtual machines within the protected infrastructure of this KSC cluster will be saved to a file in the selected format.

If you pre-filtered the list of virtual machines or performed a search for a virtual machine, only information that matches the filter conditions or the search conditions is saved to the file.

Viewing information about virtual machines protected by an SVM

In the properties of the application installed on each SVM, you can view information about virtual machines that are protected by this SVM.

The virtual machine is under the protection of an SVM if the NSX File Introspection Driver installed on the virtual machine is connected to the SVM. In this case, the virtual machine can still be unprotected. The SVM with the File Threat Protection component protects only those virtual machines that meet all conditions for protection of virtual machines from file threats. The SVM with the Network Threat Protection component protects only those virtual machines that meet all conditions for protection of virtual machines from network threats.

To view information about the virtual machines protected by an SVM:

1. In the Kaspersky Security Center Administration Console, open the SVM properties window as follows:
   1. Select the administration group containing the KSC cluster that includes the relevant SVM.
   2. In the workspace, select the Devices tab.
   3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

   The Properties: <SVM name> window opens.

2. In the SVM properties window in the list on the left, select the Applications section.

   A list of applications that are installed on this SVM appears in the right part of the window.

3. Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.

   The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.

4. In the application settings window in the list on the left, select the List of protected virtual machines section.

The right part of the window displays a table containing information about the virtual machines protected by the SVM.

The table displays the following information for each virtual machine:

• Virtual machine name.
• Name of the virtual Administration Server of Kaspersky Security Center that is used to manage the protection of the tenant organization that owns the virtual machine. If the virtual machine does not belong to any tenant organization, No is displayed in the column.
• IP address of the virtual machine.
• Version of the operating system installed on the virtual machine.
• Type of operating system installed on the virtual machine: server operating system or desktop operating system.
• ID of the virtual machine (vmID).
• Path to the virtual machine within the virtual infrastructure.

In the table containing a list of virtual machines, you can do the following:

• Sort the list by any column of the table.
• Search for a virtual machine in the list.
• Update information about virtual machines by clicking the Refresh button.