Instructions on managing the application for a tenant organization administrator

This section is intended for an administrator of a virtual infrastructure that belongs to a tenant organization and is protected by Kaspersky Security installed within the infrastructure of the anti-virus protection provider.

This section contains the information necessary for a tenant administrator to manage the protection of the tenant's virtual infrastructure.

Management of Kaspersky Security requires experience working with a virtual infrastructure on the VMware vSphere platform and working with Kaspersky Security Center, the system designed for remote centralized management of Kaspersky applications.

About Kaspersky Security for Virtualization 6.0 Agentless

Kaspersky Security for Virtualization 6.0 Agentless (hereinafter also "Kaspersky Security") is an integrated solution that protects virtual machines on a VMware ESXi hypervisor against viruses and other malware, as well as network threats.

Kaspersky Security lets you protect virtual machines running Windows guest operating systems, including those running server operating systems, and virtual machines running Linux guest operating systems.

Kaspersky Security includes the following components:

• File Threat Protection. Protects the file system objects of a virtual machine against infection. The component is launched at the startup of Kaspersky Security. It protects virtual machines and scans the file system of virtual machines.
• Network Threat Protection. This component lets you detect and block activity that is typical of network attacks and other suspicious network activity, and lets you scan web addressed requested by a user or application, and block access to web addresses if a threat is detected.
• Integration Server. The component facilitates interaction between Kaspersky Security components and a VMware virtual infrastructure.

The File Threat Protection and Network Threat Protection components are installed on SVMs that are deployed on VMware ESXi hypervisors within the infrastructure of the anti-virus protection provider.

Kaspersky Security features:

• Protection. Kaspersky Security scans all files that the user or an application opens, saves, or launches on a virtual machine.
  • If the file is free of malware, Kaspersky Security will grant access to the file.
  • If malware is detected in the file, Kaspersky Security will perform the action that is specified in its settings. For example, it will delete the file or block access to the file.

  Kaspersky Security can protect only powered-on virtual machines.

• Scan. The application lets you perform a virus scan on files of virtual machines. Virtual machine files must be scanned regularly with new anti-virus databases to prevent the spread of malicious objects. You can perform an on-demand scan or specify a scan schedule.

  Kaspersky Security can scan powered-on virtual machines, virtual machine templates, and powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.

• Intrusion Prevention. Kaspersky Security lets you analyze network traffic of protected virtual machines and detect network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. When it detects an attempted network attack on a virtual machine or suspicious network activity, Kaspersky Security can terminate the connection and block traffic from the IP address from which the network attack or suspicious network activity originated.

  Intrusion prevention settings are defined by the anti-virus protection provider.

• Web addresses scan. Kaspersky Security lets you scan web addresses that are requested over the HTTP protocol by a user or application installed on the virtual machine. If Kaspersky Security detects a web address from one of the web address categories selected for detection, the application can block access to the web address. By default, Kaspersky Security scans web addresses to check if they are malicious or phishing web addresses.

  Web address scan settings are defined by the anti-virus protection provider.

• Storing backup copies of files. The application allows storing backup copies of files that have been deleted or modified during disinfection. If a disinfected file contained information that became partially or completely inaccessible after disinfection, the file can be restored from its backup copy.

  All actions taken on backup copies of files are performed by the anti-virus protection provider.

About managing the application

Kaspersky Security is administered by Kaspersky Security Center, the remote centralized Kaspersky application administration system.

The Kaspersky Security administration plug-in for tenants provides the interface for managing the Kaspersky Security application through Kaspersky Security Center. The administration plug-in must be installed on the computer where the Kaspersky Security Center Administration Console is installed.

Kaspersky Security is managed through policies and tasks.

A policy is a group of settings used by SVMs to protect virtual machines within the protected infrastructure. Each policy contains one or multiple protection profiles. Protection profiles let you configure the settings for file protection of virtual machines.

Tasks are run on SVMs and let you scan virtual machines.

Kaspersky Security sends the Kaspersky Security Center Administration Server information about all events that occur during anti-virus protection and scanning of virtual machines, as well as information about events that occur when preventing intrusions and scanning web addresses. You can receive notifications about events and view them in Kaspersky Security Center.

For detailed information about working with events, policies and tasks, please refer to the Kaspersky Security Center documentation.

About Kaspersky Security policies

A policy lets you use protection profiles to configure the settings for virtual machine file protection, and configure the settings for using Kaspersky Security Network.

Policies are created by using the Wizard, which is started by clicking the New policy button located in the workspace of the Managed devices folder on the Policies tab.

You can create multiple policies, but only one of them can be active. When you create a new active policy, the previous active policy becomes inactive.

You can change the settings of a policy after its creation in the policy properties window.

To open the policy properties window:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Policies tab.
3. In the list of policies, select the policy and open the Properties: <Policy name> window by double-clicking on the policy or by selecting Properties in the context menu.

For more information about managing policies, see Kaspersky Security Center documentation.

About protection profiles

The following protection profiles are provided in Kaspersky Security policies:

• The main protection profile is automatically created when a policy is created. Although the main protection profile cannot be deleted, you can edit its settings.
• You can create additional protection profiles after creating a policy. Additional protection profiles let you flexibly configure different protection settings for different virtual machines within the protected infrastructure. A policy can contain multiple additional protection profiles.

You can configure the following settings in protection profiles:

• Security level. You can select one of the preset security levels (High, Recommended, Low) or configure your own security level (Custom). The security level defines the following scan settings:
  • Scanning of archives, self-unpacking archives, embedded OLE objects, and compound files
  • Restriction on file scan duration
  • List of objects to detect
• Action that Kaspersky Security performs after detecting infected files.
• Protection scope (scanning of network drives during protection of virtual machines).
• Exclusions from protection (by name, by file extension or path, by file mask or path to the folder containing files to be skipped).

A protection profile can be assigned to an individual VMware virtual infrastructure object or to the root element of the protected infrastructure, which can include a vCloud Director organization. By default, a protection profile assigned to the root element of a protected infrastructure is inherited by all child elements of the protected infrastructure (virtual machines and their combinations).

Protection profiles are also inherited according to the hierarchy of VMware virtual infrastructure objects: the protection profile assigned to a virtual infrastructure object is inherited by all of its child objects, including virtual machines, unless the child object/virtual machine has been assigned its own protection profile or unless the child object/virtual machine has been excluded from protection. This means that you can either assign a specific protection profile to a virtual machine, or let it inherit the protection profile that is used by its parent object.

Only one protection profile may be assigned to a single virtual infrastructure object. Kaspersky Security protects virtual machines according to the settings that are specified in the protection profile assigned to these virtual machines.

Virtual infrastructure objects that have no assigned protection profile are excluded from protection.

If you exclude a virtual infrastructure object from protection, all child objects that inherited the protection profile from the parent object are also excluded from protection. You can exclude from protection all child objects that have their own protection profile assigned, or leave them under the protection of the application.

Protection profile inheritance makes it possible to assign identical protection settings to multiple virtual machines simultaneously. For example, you can assign identical protection profiles to all virtual machines that are part of a virtual Datacenter.

About tasks

The following tasks are available for Kaspersky Security:

• Full Scan task for virtual machines. This task lets you run a virus scan on the files of all virtual machines in your virtual infrastructure.
• Custom Scan task for virtual machines. This task lets you run a virus scan on the files of those virtual machines that you specified in the task settings. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

Tasks are created by using the Wizard, which is started by clicking the New task button located in the workspace of the Managed devices folder on the Tasks tab.

You can change the settings of a task after its creation in the task properties window.

To open the task properties window:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Tasks tab.
3. In the list of tasks, select the task and open the Properties: <Task name> window by double-clicking on the task or by selecting Properties in the context menu.

Regardless of the selected task run mode, you can start or stop the task at any time.

To start or stop a task:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Tasks tab.
3. In the list of tasks, select the task that you want to start or stop.
4. Click the Start or Stop button. The buttons are located to the right of the task list.

Information about the progress and results of the task can be viewed in the Kaspersky Security Center Administration Console in one of the following ways:

• In the Task results window. To open the window, click the View results link on the right of the task list displayed on the Tasks tab in the workspace of the Managed devices folder.
• In the event list that is displayed on the Events tab in the workspace of the Administration Server node.

You can also perform the following actions with tasks:

• Copy tasks from one folder or administration group into another.
• Export tasks to a file and import tasks from a file.
• Convert tasks from the previous version of the application.
• Delete tasks.

For more information about managing tasks, see Kaspersky Security Center documentation.

Deploying protection of the virtual infrastructure of a tenant organization

Deploying protection for the virtual infrastructure of a tenant organization consists of the following steps:

1. Installation and configuration of all Kaspersky Security components in the virtual infrastructure of the anti-virus protection provider. All actions at this step are performed by the provider's administrator.
2. Installation of the Kaspersky Security Center Administration Console on the tenant organization administrator's workstation. You can use the Kaspersky Security Center Administration Console to manage the file protection settings and the settings for scanning your virtual machines, and receive information about events that occur during the protection of your virtual infrastructure. For details on installing the Administration Console, please refer to the Kaspersky Security Center documentation.
3. Installation of the Kaspersky Security administration plug-in for tenants on the tenant organization administrator's workstation.
4. Connection to the virtual Administration Server of Kaspersky Security Center. You need to start the Kaspersky Security Center Administration Console and specify the settings for connecting to the virtual Administration Server given by the provider: address, user name, and account password.
5. Configuration of virtual machine file threat protection using a policy.

   You can also create and configure scan tasks to periodically scan files of virtual machines using new anti-virus databases.

Installation of the Kaspersky Security administration plug-in for tenants

Prior to beginning installation of the Kaspersky Security administration plug-in for tenants, it is recommended to close the Kaspersky Security Center Administration Console.

The administration plug-in for tenants should be installed using an account that has software installation privileges (for example, an account from the group of local administrators).

The Kaspersky Security administration plug-in for tenants must be installed on the same computer on which the Kaspersky Security Center Administration Console is installed.

To install the Kaspersky Security administration plug-in for tenants:

1. On the computer where the Kaspersky Security Center Administration Console is installed, start the file named ksv-t-components_6.0.0.XXX_mlg.exe (6.0.0.ХХХ represents the application version number).

   The Installation Wizard starts for the Kaspersky Security administration plug-in for tenants.

2. Select the localization language of the Wizard and the Kaspersky Security administration plug-in for tenants and proceed to the next step of the Wizard.

   By default, the window uses the localization language of the operating system installed on the computer where the Wizard was started.

3. Read the End User License Agreement concluded between you and Kaspersky, and the Privacy Policy describing the handling and transmission of data.

   To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

   Proceed to the next step of the wizard.

4. Review the information about the actions that the Wizard will perform and click Next to begin performing the listed actions.
5. Wait for the wizard to finish.

   If an error occurs during wizard operation, the wizard rolls back the changes made.

6. Click Finish to close the Wizard window.

Page top

Creating a policy

To create a tenant policy:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Policies tab and click the New policy button.

   The New Policy Wizard starts.

3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) from the list and proceed to the next step of the Wizard.
4. Enter the name of the new policy and proceed to the next step of the wizard.
5. Specify the Integration Server address and proceed to the next step of the Wizard.

   The Wizard establishes a connection to the Integration Server to receive information about the VMware virtual infrastructure.

   The wizard checks the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

6. At this step, you can change the default settings of the main protection profile.

   The main protection profile is assigned by default to all virtual machines within the protected infrastructure.

   Proceed to the next step of the wizard.

7. Decide on whether or not to participate in Kaspersky Security Network. To do so, carefully read the Kaspersky Security Network Statement, then perform one of the following actions:
   • If you want the application to use KSN in its operations and you agree to all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement.
   • If you do not want to participate in KSN, select the I do not accept the terms of this Kaspersky Security Network Statement option and confirm your decision in the window that opens.

   You will be able to change your decision later if necessary.

   KSN usage settings (KSN mode and type) are determined by the provider's policy whose scope includes the virtual machines of the tenant.

   Proceed to the next step of the wizard.

8. Exit the Policy Wizard.

The created policy is displayed in the list of policies in the Managed devices folder on the Policies tab.

If you want to configure different file protection settings for different virtual machines within the protected infrastructure, you need to create and assign additional protection profiles in the policy properties.

Managing File Threat Protection

The settings that Kaspersky Security applies for protection of virtual machines are defined using policies.

Kaspersky Security protects only powered-on virtual machines that have been assigned a protection profile.

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

• If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
• If viruses or other malware is detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

  Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

The Signature analysis and machine learning scan method is used for protection of virtual machines. Protection that uses signature analysis provides a minimally acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

Additionally, during virtual machines protection, the Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

• If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes less resources of the SVM.
• If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky experts.

Information about all events that occur during protection of virtual machines is sent to the Kaspersky Security Center Administration Server.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files by filtering events by the File blocked event (for more details on events, please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.

Configuring main protection profile settings

You can configure the settings of the main protection profile while creating a policy (during the Configure main protection profile settings step) or in the properties of the policy after it is created (in the Main protection profile subsection in the File Threat Protection section).

To configure main protection profile settings:

1. In the Security level section, select the security level at which Kaspersky Security scans virtual machines:
   • If you want to install one of the pre-installed security levels (High, Recommended, or Low), use the slider to select one.
   • To change the security level to Recommended, click the Default button.
   • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
   1. In the Scanning archives and compound files section, specify the values of the following settings:
      • Scan archives

        

        Enable / disable scanning of archives.

        This check box is cleared by default.

        

        Enable / disable scanning of archives.

        This check box is cleared by default.

      • Delete archives if disinfection fails

        

        Enable / disable the feature of deleting archives that could not be disinfected.

        If this check box is selected, Kaspersky Security deletes archives that could not be disinfected.

        If this check box is cleared, the application does not delete archives that could not be disinfected. Kaspersky Security relays information that the infected file has not been deleted to the Administration Server of Kaspersky Security Center.

        This check box is available when the Scan archives check box is selected.

        This check box is cleared by default.

        

        Enable / disable the feature of deleting archives that could not be disinfected.

        If this check box is selected, Kaspersky Security deletes archives that could not be disinfected.

        If this check box is cleared, the application does not delete archives that could not be disinfected. Kaspersky Security relays information that the infected file has not been deleted to the Administration Server of Kaspersky Security Center.

        This check box is available when the Scan archives check box is selected.

        This check box is cleared by default.

      • Scan self-extracting archives

        

        Enables / disables the scanning of self-extracting archives.

        By default, this check box is cleared for protection profiles and selected for scan tasks.

        

        Enables / disables the scanning of self-extracting archives.

        By default, this check box is cleared for protection profiles and selected for scan tasks.

      • Scan embedded OLE-objects

        

        Enables/disables the scanning of objects that are embedded inside a file.

        This check box is set by default.

        

        Enables/disables the scanning of objects that are embedded inside a file.

        This check box is set by default.

      • Do not unpack large compound files

        

        If this check box is set, Kaspersky Security does not scan compound files whose size exceeds the value that is specified in the Maximum size of a scanned compound file is N MB field.

        If this check box is cleared, Kaspersky Security scans compound files of all sizes.

        Kaspersky Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.

        This check box is set by default.

        

        If this check box is set, Kaspersky Security does not scan compound files whose size exceeds the value that is specified in the Maximum size of a scanned compound file is N MB field.

        If this check box is cleared, Kaspersky Security scans compound files of all sizes.

        Kaspersky Security scans large files that are extracted from archives, regardless of whether the Do not unpack large compound files check box is selected.

        This check box is set by default.

      • Maximum size of a scanned compound file N MB

        

        Maximum size of compound files that are subject to scanning (in megabytes). Kaspersky Security does not unpack and scan objects whose size is larger than the specified value.

        This setting can be edited if the Do not unpack large compound files check box is selected.

        You can specify a value in the range of 1 to 999999 in this field. The default value is 8 MB.

        

        Maximum size of compound files that are subject to scanning (in megabytes). Kaspersky Security does not unpack and scan objects whose size is larger than the specified value.

        This setting can be edited if the Do not unpack large compound files check box is selected.

        You can specify a value in the range of 1 to 999999 in this field. The default value is 8 MB.

   2. In the Performance section, specify the values of the following settings:
      • Limit file scan time

        

        Enables / disables the file scan time limit.

        If this check box is selected, Kaspersky Security stops scanning a file when the scan duration reaches the value that is specified in the Scan files for no longer than N second(s) field and skips this file.

        If this check box is cleared, Kaspersky Security does not limit the duration of file scanning.

        By default, this check box is selected for protection profiles and cleared for scan tasks.

        

        Enables / disables the file scan time limit.

        If this check box is selected, Kaspersky Security stops scanning a file when the scan duration reaches the value that is specified in the Scan files for no longer than N second(s) field and skips this file.

        If this check box is cleared, Kaspersky Security does not limit the duration of file scanning.

        By default, this check box is selected for protection profiles and cleared for scan tasks.

      • Scan files for no longer than N second(s)

        

        Maximum duration of file scanning (in seconds). Kaspersky Security stops scanning a file if scanning takes longer than the time value specified.

        This setting can be edited if the Limit file scan time check box is selected.

        You can specify a value in the range of 1 to 3600 in this field. The default value is 60 seconds.

        

        Maximum duration of file scanning (in seconds). Kaspersky Security stops scanning a file if scanning takes longer than the time value specified.

        This setting can be edited if the Limit file scan time check box is selected.

        You can specify a value in the range of 1 to 3600 in this field. The default value is 60 seconds.

   3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      • Malicious tools

        

        Enables/disables protection against malicious tools.

        Malicious tools do not perform their actions right after they are started. Instead, they can be stealthily stored and run on the virtual machine. Intruders often use the features of malicious tools to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, or perform other malicious actions.

        If this check box is set, protection against malicious tools is enabled.

        If this check box is cleared, protection against malicious tools is disabled.

        This check box is set by default.

        

        Enables/disables protection against malicious tools.

        Malicious tools do not perform their actions right after they are started. Instead, they can be stealthily stored and run on the virtual machine. Intruders often use the features of malicious tools to create viruses, worms, and Trojans, perpetrate network attacks on remote servers, or perform other malicious actions.

        If this check box is set, protection against malicious tools is enabled.

        If this check box is cleared, protection against malicious tools is disabled.

        This check box is set by default.

      • Auto-dialers

        

        Enables/disables protection against auto-dialers.

        If this check box is selected, protection against auto-dialers is enabled.

        If this check box is cleared, protection against auto-dialers is disabled.

        This check box is set by default.

        

        Enables/disables protection against auto-dialers.

        If this check box is selected, protection against auto-dialers is enabled.

        If this check box is cleared, protection against auto-dialers is disabled.

        This check box is set by default.

      • Adware

        

        Enables/disables protection against adware.

        The function of adware is to display advertising information to the user. For example, it displays banner ads in the interfaces of other programs and redirects search queries to advertising websites. Some varieties of adware collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

        If this check box is set, protection against adware is enabled.

        If this check box is cleared, protection against adware is disabled.

        This check box is set by default.

        

        Enables/disables protection against adware.

        The function of adware is to display advertising information to the user. For example, it displays banner ads in the interfaces of other programs and redirects search queries to advertising websites. Some varieties of adware collect marketing information about the user and send it to the developer: this information may include the names of the websites that are visited by the user or the content of the user's search queries. Unlike Trojan-Spy–type programs, adware sends this information to the developer with the user's permission.

        If this check box is set, protection against adware is enabled.

        If this check box is cleared, protection against adware is disabled.

        This check box is set by default.

      • Other

        

        Enables / disables protection against legitimate software that could be exploited by criminals to harm a virtual machine or user data.

        Most of these programs are useful, so many users run them. These programs include IRC clients, file downloaders, remote administration programs, user activity monitoring programs, password utilities, and Internet servers for FTP, HTTP, and Telnet. However, if criminals gain access to these programs, some program features could be used to harm a virtual machine or user data.

        Selecting this check box enables protection against legitimate software that could be used by criminals to harm a virtual machine or user data.

        If this check box is cleared, protection against such software is disabled.

        This check box is cleared by default.

        

        Enables / disables protection against legitimate software that could be exploited by criminals to harm a virtual machine or user data.

        Most of these programs are useful, so many users run them. These programs include IRC clients, file downloaders, remote administration programs, user activity monitoring programs, password utilities, and Internet servers for FTP, HTTP, and Telnet. However, if criminals gain access to these programs, some program features could be used to harm a virtual machine or user data.

        Selecting this check box enables protection against legitimate software that could be used by criminals to harm a virtual machine or user data.

        If this check box is cleared, protection against such software is disabled.

        This check box is cleared by default.

      • Multi-packed files

        

        Enables/disables scanning of files that have been packed using one or several packers three or more times.

        If a file was packed by one or several packers three or more times, the file probably contains malware or legitimate software that can be used by criminals to damage your computer or personal data.

        If this check box is selected, protection against multi-packed files is enabled, and the scanning of such files is allowed.

        If this check box is cleared, protection against multi-packed files is disabled.

        This check box is set by default.

        

        Enables/disables scanning of files that have been packed using one or several packers three or more times.

        If a file was packed by one or several packers three or more times, the file probably contains malware or legitimate software that can be used by criminals to damage your computer or personal data.

        If this check box is selected, protection against multi-packed files is enabled, and the scanning of such files is allowed.

        If this check box is cleared, protection against multi-packed files is disabled.

        This check box is set by default.

        Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

   4. In the Objects to detect window, click OK.
   5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

2. In the Action on threat detection section, select an action
   in the drop-down list

   

   This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files:

   • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
   • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

     This action is selected by default.

     Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

   • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
   • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.
   .
3. If you do not want Kaspersky Security to scan files on network drives when protecting virtual machines running Windows operating systems, clear the Scan network drives check box in the Protection scope section. By default, when protecting virtual machines running Windows operating systems, the application scans all files that have not been excluded from protection on network drives.

   When protecting virtual machines running Linux operating systems, Kaspersky Security always scans files of supported network file systems (NFS and CIFS). If you want to exclude files of network file systems from the protection scope, you must configure a protection exclusion for the directory in which the network file system is mounted.

   Kaspersky Security always scans files on removable and hard drives. For this reason the Scan all removable drives and hard drives setting in the Protection scope section cannot be edited.

4. To exclude certain files of virtual machines from protection, in the Exclusions from protection section, click the Settings button.

   In the Exclusions from protection window that opens, specify the following settings:

   1. In the File extensions section, choose one of the following options:
      • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan when a virtual machine is being protected. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the protection scope.
      • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan when the virtual machine is being protected. When protecting virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files that are to be included in the protection scope. When protecting virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

      You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

      If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

   2. In the Files and folders table, use the Add, Change, and Delete buttons to create the list of objects to be excluded from protection.

      By default, the list of exclusions includes the objects recommended by Microsoft (please refer to the list of recommended exclusions on the Microsoft website). Kaspersky Security excludes these objects from protection on all virtual machines to which the main protection profile has been assigned. You can view and edit the list of these objects in the Files and folders table.

      You can exclude objects of the following types from protection:

      • Folders. Files stored in folders at the specified path are excluded from protection. For each folder, you can specify whether to apply the exclusion from protection to subfolders.
      • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from protection.

        You can use the * and ? symbols to specify a file mask.

      Kaspersky Security ignores the case of characters in paths to files and folders that are excluded from protection.

      You can save a configured list of exclusions to a file using the Export button or load a previously saved list of exclusions from a file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

   If your exclusions list uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from protection. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are excluded from protection.

5. In the Exclusions from protection window, click OK.
6. Save the changes by clicking Next (in the New Policy Wizard) or Apply (in the policy properties).

The new protection profile settings are applied after data is synchronized between Kaspersky Security Center and the SVMs.

Managing additional protection profiles

You can manage additional protection profiles in the properties of a policy in the list of additional protection profiles.

To open the list of additional protection profiles in the policy properties:

1. In the tree of the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Policies tab.
3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
4. In the policy properties window, in the File Threat Protection section, select the additional protection profiles subsection.

   A list of additional protection profiles will appear in the right part of the window. If you have not yet created additional protection profiles in this policy, the list of protection profiles is empty.

In the list of additional protection profiles, you can do the following:

• Create additional protection profiles.
• Change the name of an additional protection profile by clicking the Rename button.
• Edit the settings of additional protection profiles by clicking the Change button. The settings are edited in the Protection settings window. The additional protection profile settings are identical to the main protection profile settings.
• Export the settings of an additional protection profile to a file by clicking the Export button. To save the settings of an additional protection profile, you need to specify the path to a file in JSON format. You can use previously saved settings when creating a new additional protection profile.
• Delete additional protection profiles by clicking the Delete button. If this protection profile was used for virtual machine protection, the application will protect these virtual machines using the settings of the protection profile that was assigned to their parent object in the virtual infrastructure. If the parent object has been excluded from protection, the application does not protect such virtual machines.

Creating an additional protection profile

To create an additional protection profile:

1. In the Kaspersky Security Center Administration Console, open the list of additional protection profiles in the properties of the policy for which you want to create an additional protection profile.
2. Click the Add button.

   The Protection profile window opens.

3. In the window that opens, enter the name of the new protection profile.

   A protection profile name cannot contain more than 255 characters.

4. If you want to use previously saved protection profile settings when creating a new protection profile, select the Import settings from file check box and specify the path to the file in JSON format.
5. In the Protection profile window, click OK.

   The Protection settings window opens. In this window, you can configure the settings of the new protection profile or change protection profile settings that were imported from a file.

   The additional protection profile settings are identical to the main protection profile settings, with the exception of the default list of exclusions.

   By default, the list of exclusions does not include objects recommended by Microsoft Corporation (please refer to the list of exclusions recommended by Microsoft on the Microsoft website). If you want the objects recommended by Microsoft to be excluded from protection on all virtual machines that have been assigned this protection profile, you need to import the microsoft_file_exclusions.xml file into the protection profile exclusions. The microsoft_file_exclusions.xml file is included in the application distribution kit and is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. After importing the file, you can view and edit the list of these objects in the Files and folders table in the Exclusions from protection window.

6. After configuring all settings of the protection profile, click OK in the Protection settings window.

   In the Properties: <Policy name> window, a new protection profile appears in the list of additional protection profiles.

You can assign the created protection profile to virtual machines.

Viewing the protected infrastructure in a policy

In policy properties, you can view the protected infrastructure selected for the policy, and information about the use of protection profiles.

To view information about the protected infrastructure in a policy:

1. In the Kaspersky Security Center Administration Console, open the policy properties:
   1. In the console tree, select the Managed devices folder.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the File threat protection section, select the Protected infrastructure subsection.

   The Kaspersky Security administration plug-in attempts to automatically connect to the Integration Server. If the connection fails, the Connection to Integration Server window opens. In the Connection to Integration Server window, specify the Integration Server address and click OK.

3. The Kaspersky Security administration plug-in verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

After connecting to the Integration Server, the right part of the window displays information about the protected infrastructure and the use of protection profiles.

Information about the protected infrastructure

The protected infrastructure is displayed as a tree of items. The root element is the "vCloud Director organization" object, which combines all virtual Datacenters of your virtual infrastructure.

If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine has been assigned a protection profile, the settings of this protection profile are applied to all virtual machines that have the same ID (vmID).

Information about the assignment of protection profiles to virtual infrastructure objects

The Protection profile column displays information about the assignment of protection profiles to objects of the protected infrastructure. Kaspersky Security uses the settings of assigned protection profiles when protecting virtual machines.

The information is displayed as follows:

• The name of an expressly assigned protection profile is highlighted in black.
• The name of a protection profile inherited from a parent object is highlighted in gray. The name is formed as follows: "inherited: <N>", where N represents the name of the protection profile that was inherited from a parent object.
• If no protection profile has been assigned to an object of the protected infrastructure (the object has been excluded from protection), the Protection profile column displays the value (Not assigned).

By default, the main protection profile is assigned to the root element "vCloud Director organization" and is inherited by all objects of the virtual infrastructure.

Assigning protection profile to virtual machines

To assign a protection profile to a virtual machine:

1. In the policy properties, select the Protected infrastructure subsection.
2. In the table, select one or more virtual machines.

   If you want to assign the same protection profile to all virtual machines that are child objects of a single virtual Datacenter, select this Datacenter in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

3. Click the Select protection profile button.

   The Selecting protection profile window opens.

4. Select one of the following options:
   • Inherit parent protection profile: <name>. Select this option if you want to assign the protection profile of the parent object to a virtual machine or other virtual infrastructure object.
   • Use protection profile. Select this option and indicate the protection profile name in the drop-down list to assign this protection profile to a virtual machine or other virtual infrastructure object. The list contains the main protection profile and all additional protection profiles that you configured in this policy.
5. If the selected virtual infrastructure object has child objects, the protection profile is assigned to the object and to all of its child objects, including objects that have been assigned their own protection profile or that have been excluded from protection. If you want to assign the protection profile only to the selected virtual infrastructure object and to its child objects that inherit the protection profile and that have not been excluded from protection, clear the Apply to all child objects check box.
6. Click OK.

   The Selecting protection profile window will close, and the assigned protection profile will be displayed in the table in the Protected infrastructure subsection.

7. In the Properties: <Policy name> window, click OK.

Disabling file threat protection for virtual machines

To disable virtual machine protection:

1. In the policy properties, select the Protected infrastructure subsection.
2. If you want to disable protection for one or multiple virtual machines:
   1. In the table, select one or more virtual machines.

      If you want to disable protection for all virtual machines that are child objects of a single virtual Datacenter, select this Datacenter in the table. You can simultaneously select multiple virtual machines or other virtual infrastructure objects in the table by holding down the CTRL key.

   2. Click the Select protection profile button.

      The Selecting protection profile window opens.

   3. Select the Do not use protection profile option.
   4. If you selected a Datacenter, protection will be disabled by default for all virtual machines within it, including virtual machines that have been assigned their own protection profile. If you want to disable protection only for those virtual machines that inherit the protection profile from the parent object, clear the Apply to all child objects check box.
   5. Click OK.

      The Selecting protection profile window closes. In the table in the Protected infrastructure subsection, the value shown in the Protection profile column for virtual machines that have been excluded from protection is (Not assigned).

3. If you want to disable protection for all virtual machines in your virtual infrastructure, clear the Use File Threat Protection check box located in the upper part of the window.
4. In the Properties: <Policy name> window, click OK.

Scanning virtual machines

Kaspersky Security lets you run a virus scan on the files of virtual machines on a VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

The settings that Kaspersky Security applies while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:

• Full Scan. This task lets you run a virus scan on the files of all virtual machines in your virtual infrastructure.
• Custom Scan. This task lets you run a virus scan on the files of those virtual machines that you specified in the task settings. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

You can set a schedule for running scan tasks, manually run a scan task, and view information about the progress and results of tasks.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning while using signature analysis ensures the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable file, which raises the probability of threat detection.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.

Special considerations for scanning virtual machines:

• When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
• When performing scan tasks, Kaspersky Security can scan virtual machine templates.
• When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.

  When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files by filtering events by the File blocked event (for more details, please refer to the Kaspersky Security Center documentation).

Creating a full scan task

To create a full scan task:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder.
2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Full Scan.

   Proceed to the next step of the New Task Wizard.

4. Configure the settings for scanning virtual machines.

   Proceed to the next step of the New Task Wizard.

5. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

   Proceed to the next step of the New Task Wizard.

6. To configure the task run schedule, please define the values of the following settings:
   • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
   • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

     If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

   • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
     • 0–200 SVMs – task start is not randomized
     • 200-500 SVMs – task start is randomized within the scope of 5 minutes
     • 500-1000 SVMs – task start is randomized within the scope of 10 minutes
     • 1000-2000 SVMs – task start is randomized within the scope of 15 minutes
     • 2000-5000 SVMs – task start is randomized within the scope of 20 minutes
     • 5000-10000 SVMs – task start is randomized within the scope of 30 minutes
     • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
     • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
     • over 50000 SVMs – task start is randomized within the scope of 3 hours

     If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

   • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

     Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

   Proceed to the next step of the New Task Wizard.

7. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
8. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

   Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

Creating a custom scan task

To create a Custom Scan task for virtual machines of tenants:

1. In the Kaspersky Security Center Administration Console, select the Managed devices folder of the virtual Administration Server corresponding to the tenant.
2. In the workspace, select the Tasks tab and click the New task button to start the New Task Wizard.
3. At the first step of the Wizard, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) → Custom Scan.

   Proceed to the next step of the New Task Wizard.

4. Specify the Integration Server address and proceed to the next step of the New Task Wizard.

   The Task Wizard verifies the SSL certificate received from the Integration Server. If the received certificate contains an error, the Certificate verification window containing the error message opens. The SSL certificate is used to establish a secure connection to the Integration Server. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To view information on the received certificate, click the View the received certificate button in the window containing the error message. You can install the certificate you received as a trusted certificate to avoid receiving a certificate error message at the next connection to the Integration Server. To do so, select the Install received certificate and stop showing warnings for <Integration Server address> check box.

   To continue connecting, click the Continue button in the Certificate verification window. If you selected the Install received certificate and stop showing warnings for <Integration Server address> check box, the received certificate is saved in the operating system registry on the computer where the Kaspersky Security Center Administration Console is installed. The application also checks the previously installed trusted certificate for the Integration Server. If the received certificate does not match the previously installed certificate, a window opens to confirm replacement of the previously installed certificate. To replace the previously installed certificate with the certificate received from the Integration Server and continue connecting, click the Yes button in this window.

5. Select the task scope: select the check boxes for those virtual machines that you want to scan as part of the scan task being created. You can specify individual virtual machines or their combinations.

   If the virtual infrastructure contains two or more virtual machines with the same ID (vmID), only one virtual machine appears in the object tree. If this virtual machine is selected to be scanned using the custom scan task, the task will be performed on all virtual machines that have the same ID (vmID).

   Proceed to the next step of the New Task Wizard.

6. Configure the settings for scanning virtual machines.

   Proceed to the next step of the New Task Wizard.

7. If necessary, specify the scan scope of the task: indicate the locations and extensions of the files of virtual machines that need to be scanned or excluded from scanning during a scan task.

   Proceed to the next step of the New Task Wizard.

8. To configure the task run schedule, please define the values of the following settings:
   • Scheduled start. Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.
   • Run skipped tasks. If this check box is selected, an attempt to start the task is made the next time the application is started on the SVM. In the Manually and Once modes, the task is started as soon as an SVM appears on the network.

     If this check box is cleared, the task is started on an SVM by schedule only, and in Manually and Once modes it is started only on the SVMs that are visible on the network.

   • Use automatically randomized delay for task starts. By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:
     • 0–200 SVMs – task start is not randomized
     • 200-500 SVMs – task start is randomized within the scope of 5 minutes
     • 500-1000 SVMs – task start is randomized within the scope of 10 minutes
     • 1000-2000 SVMs – task start is randomized within the scope of 15 minutes
     • 2000-5000 SVMs – task start is randomized within the scope of 20 minutes
     • 5000-10000 SVMs – task start is randomized within the scope of 30 minutes
     • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
     • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
     • over 50000 SVMs – task start is randomized within the scope of 3 hours

     If you do not need to randomize the time of task starts within an automatically calculated time period, clear the Use automatically randomized delay for task starts check box. This check box is set by default.

   • Use randomized delay for task starts within an interval of (min): If you want the task to start at a random time within a specified period of time after the scheduled task start, select this check box. In the text box, enter the maximum task start delay. In this case, the task starts at a random time within the specified period of time after the scheduled start. This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

     Randomized task start times help prevent situations in which a large number of SVMs contact the Kaspersky Security Center Administration Server at the same time.

   Proceed to the next step of the New Task Wizard.

9. In the Name field, enter the task name and proceed to the next step of the New Task Wizard.
10. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.

    Finish the wizard.

The created custom scan task appears in the list of tasks. If you configured a task start schedule in the Task start schedule settings window, the task is started according to this schedule. You can also run the task manually at any time.

Configuring virtual machine scan settings in a scan task

You can configure the virtual machine scan settings while creating the task (the Configure scan settings step) or in the task properties after its creation (the Scan settings section).

To configure the virtual machine scan settings:

1. Select the security level at which Kaspersky Security scans virtual machines. To do so, in the Security level section, perform one of the following actions:
   • If you want to install one of the pre-installed security levels (High, Recommended, or Low), use the slider to select one.
   • To change the security level to Recommended, click the Default button.
   • If you want to configure the security level on your own, click the Settings button. In the Security level settings window that opens:
   1. In the Scanning archives and compound files section, specify the values of the following settings:
      • Scan archives
      • Delete archives if disinfection fails
      • Scan self-extracting archives
      • Scan embedded OLE-objects
      • Do not unpack large compound files
      • Maximum size of a scanned compound file N MB
   2. In the Performance section, specify the values of the following settings:
      • Limit file scan time
      • Scan files for no longer than N second(s)
   3. In the Objects to detect section, click the Settings button. In the Objects to detect window that opens, specify the values of the following settings:
      • Malicious tools
      • Auto-dialers
      • Adware
      • Other
      • Multi-packed files

      Kaspersky Security always scans virtual machine files for viruses, worms, and Trojans. That is why the Viruses and worms and Trojans settings in the Malware section cannot be changed.

   4. In the Objects to detect window, click OK.
   5. In the Security level settings window, click OK.

      If you have changed security level settings, the application creates a custom security level. The name of the security level in the Security level section changes to Custom.

2. In the Scan powered-on virtual machines section, configure the settings for scanning virtual machines that are powered on while a task is running:
   • Action on threat detection

     

     This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files on powered-on virtual machines:

     • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
     • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

       This action is selected by default.

       Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

     • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
     • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.
   • Scan optical drives

     

     Enables / disables scanning of optical drives.

     If the check box is selected, Kaspersky Security scans files on optical drives (CD, DVD, Blu-Ray) while performing the scan task on virtual machines running Windows operating systems.

     If the check box is cleared, Kaspersky Security does not scan files on optical drives.

     If the check box is selected but the scan task has a defined scan scope that does not include a path to the optical drive, Kaspersky Security does not scan files on the optical drive.

     Kaspersky Security does not scan files on optical drives when scanning powered-off virtual machines, virtual machine templates, or virtual machines running Linux operating systems.

     This check box is cleared by default.

3. In the Scan powered-off virtual machines and virtual machine templates section, configure the settings for scanning virtual machines that are powered off or paused while a task is running, as well as for scanning virtual machine templates:
   • Scan powered-off virtual machines

     

     Enables / disables scanning of powered-off virtual machines.

     If the check box is selected, when performing a scan task Kaspersky Security scans files on powered-off virtual machines (with an NTFS, FAT32, EXT2, EXT3, EXT4, XFS, or BTRFS file system) that are within the task scope. Files on powered-off virtual machines with other file systems are not scanned.

     While a powered off virtual machine is being scanned, it is impossible to turn on or migrate the virtual machine.

     If this check box is cleared, Kaspersky Security does not scan files on the powered-off virtual machines.

     This check box is cleared by default.

   • Scan virtual machine templates

     

     Enables / disables scanning of virtual machine templates.

     If the check box is selected, when Kaspersky Security performs a scan task it scans files on virtual machine templates that are within the task scope.

     If this check box is cleared, Kaspersky Security does not scan files on virtual machine templates.

     This check box is cleared by default.

     The check box is available if the Scan powered-off virtual machines check box is selected.

   • Action on threat detection

     

     This drop-down list contains the actions that can be taken by Kaspersky Security when it detects infected files on powered-off virtual machines or virtual machine templates:

     • Disinfect. Block if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, Kaspersky Security blocks such files.
     • Disinfect. Delete if disinfection fails. Kaspersky Security automatically attempts to disinfect infected files. If disinfection fails, the application deletes such files. If deletion fails, Kaspersky Security blocks the infected files.

       Kaspersky Security deletes infected archives that could not be disinfected only if the Delete archives if disinfection fails check box is selected in the security level settings.

     • Delete. Block if deletion fails. Kaspersky Security automatically deletes infected files without attempting to disinfect them. If deletion fails, Kaspersky Security blocks such files.
     • Block. Kaspersky Security automatically blocks infected files without attempting to disinfect them.

       This action is selected by default.

     You can select an action if the Scan powered-off virtual machines check box is selected.

4. In the Stop scan section, choose one of the following options:
   • After N minute(s) since task launch

     

     Maximum scan task duration (in minutes). When the specified time limit is reached, the scan task is interrupted even if it has not been completed.

     This option is selected by default.

     You can specify a value in the range of 1 to 4320 in this field. The default value is set to 120 minutes.

   • After completing scan of files on all protected virtual machines

     

     The scan task is performed until files on all protected virtual machines that are within the task scope have been scanned.

5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Configuring the scan scope in a scan task

The scan scope refers to the locations and extensions of files of virtual machines that are scanned by Kaspersky Security when it performs a scan task.

If a scan scope has not been configured, Kaspersky Security scans all files of virtual machines.

When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to scan files in network folders regularly, you must create a task for scanning virtual machines that have shared files and folders, and include those files and folders into the scan task scope.

When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

You can define the scan scope of a task while creating the task (the Defining the scan scope step) or in the task properties after it is created (the Scan scope section).

To configure the scan scope of the task:

1. Select one of the following options:
   • Scan all files and folders except for those specified
   • Scan specified files and folders only
2. If you selected the Scan all files and folders except for those specified option, you can create a list of objects that must be excluded from the scan scope by using the Add, Change and Delete buttons.

   You can exclude objects of the following types from the scan scope:

   • Folders. Files stored in folders at the specified path are excluded from the scan scope. For each folder, you can specify whether to apply the exclusion to subfolders.
   • Files by mask. Files with the specified name, files located at the specified path, or files matching the specified mask are excluded from the scan scope.

     You can use the * and ? symbols to specify a file mask.

     Kaspersky Security ignores the case of characters in the paths to files and folders, names and masks of files that are to be excluded from the scan scope.

   You can save a configured list of exclusions to file using the Export button or load a previously saved list of exclusions from file using the Import button. To import or export a list of exclusions, you can use a file in XML format. You can also import a list of exclusions from a file in DAT format. Using a file in DAT format, you can import a list of exclusions that was generated in other Kaspersky applications.

   The application distribution kit includes the microsoft_file_exclusions.xml file with the list of exclusions recommended by Microsoft Corporation (see the Microsoft website for the list of exclusions recommended by Microsoft). The microsoft_file_exclusions.xml file is located in the setup folder of the Kaspersky Security administration plug-in on the computer on which the Kaspersky Security Center Administration Console is installed. You can import this file into exclusions of the scan task. After the import is completed, Kaspersky Security does not scan the objects recommended by Microsoft when it performs a scan task. You can view and edit the list of these objects in the Files and folders table.

   If your exclusions list uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are excluded from the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are excluded from the scan scope.

3. If you selected the Scan all files and folders except for those specified option, in the File extensions section you can specify the extensions of files that should be included in the scan scope or excluded from the scan scope.

   To do so, select one of the options below:

   • Scan all except files with the following extensions. In the text box, specify a list of extensions of files to not scan during a scan task. Kaspersky Security ignores the case of characters in the extensions of files that are to be excluded from the scan scope.
   • Scan files with the following extensions only. In the text box, specify a list of extensions of files to scan during a scan task. When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in the extensions of files to be included in the scan scope. When scanning virtual machines running Windows operating systems, the application ignores the cases of characters in file extensions.

     You can type file extensions in the field by separating them with a blank space, or by typing each extension in a new line. File extensions may contain any characters except . * | \ : " < > ? /. If an extension includes a blank space, the extension should be typed inside quotation marks: "doc x".

     If you have selected Scan files with the following extensions only in the drop-down list but have not specified the extensions of files to scan, Kaspersky Security scans all files.

   Folders excluded from the scan have a higher priority than file extensions that are included in the scan scope. If a file is located in a folder that is excluded from the scan, the application skips this file even if its extension is included in the scan scope.

4. If you selected the Scan specified files and folders only option, use the Add, Change, and Delete buttons to create a list of virtual machine files and folders to scan during the scan task.

   When scanning virtual machines running Linux operating systems, Kaspersky Security is case sensitive regarding the characters in paths to files and directories included in the scan scope. When scanning virtual machines running Windows operating systems, paths to files and folders are not case sensitive.

   If your list of objects requiring scanning uses an environment variable that has multiple values depending on the bit rate of the application that uses it, in 64-bit Windows operating systems, objects corresponding to all values of the variable are included in the scan scope. For example, if you are using the variable %ProgramFiles%, objects located in the folder C:\Program files and in the folder C:\Program files (х86) are included in the scan scope.

5. Save the changes by clicking Next (in the New Task Wizard) or Apply (in the task properties).

Participating in Kaspersky Security Network

To enhance the protection of virtual machines, Kaspersky Security can use data received from Kaspersky users all over the world. Kaspersky Security Network is designed to collect such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. Data from Kaspersky Security Network ensures faster response by Kaspersky Security to unknown threats, improves the performance of some protection components, and reduces the risk of false positive.

If you are participating in Kaspersky Security Network, KSN services provide Kaspersky Security with information about the category and reputation of scanned files.

The following types of KSN are differentiated depending on the location of the infrastructure:

• Global KSN – the infrastructure is hosted by Kaspersky servers.
• Private KSN. This infrastructure is located within the corporate network or hosted by third-party servers of the service provider, such as on the Internet service provider's network.

The KSN mode (standard KSN or extended KSN) affects the amount of data that is automatically transmitted to Kaspersky when KSN is being used. Kaspersky Security automatically sends Kaspersky information about the use of KSN, and may send other information depending on the KSN usage mode. If KSN is being used in extended mode, you agree to automatically send Kaspersky all the data listed in the Kaspersky Security Network Statement. Files (or parts thereof) that could be exploited by hackers to harm the virtual machine or data stored in its operating system may also be sent to Kaspersky for analysis.

You can view the text of the Kaspersky Security Network Statement in the policy properties in the KSN settings section.

For information about the storage, protection and destruction of statistical information that is obtained during the use of KSN and transmitted to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.

Information about which KSN mode and type are being used by Kaspersky Security can be obtained from the anti-virus protection provider. KSN usage settings are determined by the policy of the provider.

Participation in Kaspersky Security Network is voluntary. The decision to participate in Kaspersky Security Network is made during the creation of a Kaspersky Security policy, and this decision can be changed at any time.

KSN is used by Kaspersky Security only if you have accepted the terms of the Kaspersky Security Network Statement and the anti-virus protection provider has enabled the use of KSN.

Viewing the Kaspersky Security Network Statement

To view the Kaspersky Security Network Statement:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the protection settings for your virtual infrastructure:
   1. In the console tree, select the Managed devices folder.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, select the KSN settings section.
3. Click the link to open the Kaspersky Security Network Statement.

The text of the Kaspersky Security Network Statement opens in a separate window.

Enabling and disabling use of Kaspersky Security Network

The use of KSN by Kaspersky Security is enabled or disabled in a policy. If KSN usage is enabled in the active policy and the anti-virus protection provider has enabled the use of KSN, KSN services are used in the operation of Kaspersky Security during virtual machine protection and when executing virtual machine scan tasks.

If the policy configured for KSN usage is inactive or KSN usage is disabled in the policy of the provider, KSN services are not used in the operation of Kaspersky Security.

To enable or disable the use of KSN by Kaspersky Security:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy that determines the protection settings for your virtual infrastructure:
   1. In the console tree, select the Managed devices folder.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, select the KSN settings section.
3. If you want to enable use of KSN by the application:
   1. Select the Use KSN check box.
   2. In the opened window, read the Kaspersky Security Network Statement.
   3. If you agree with all the terms of the Statement, select I have read, understand, and accept the terms of this Kaspersky Security Network Statement and click OK.
4. If you want to disable the use of KSN, clear the Use KSN check box.
5. In the Properties: <Policy name> window, click OK.

Obtaining protection status information

Kaspersky Security components installed on SVMs relay service messages (events) containing information about application operation to the Kaspersky Security Center Administration Server. Information about events is saved in the Administration Server database.

Event importance levels are of the following types:

• Critical event. A critical event indicates the occurrence of a critical problem that may lead to data loss, an operational malfunction, or a critical error. It may indicate problems in the operation of Kaspersky Security or vulnerabilities in the protection of virtual machines.
• Error. This event indicates the occurrence of a serious problem, error or malfunction that occurred during operation of the application or while performing a procedure.
• Warning. This event requires attention because it emphasizes important situations in the operation of Kaspersky Security and may indicate a possible issue in the future.
• Info. This event informs about successful completion of an operation, proper functioning of the application, or completion of a procedure.

You can view information from the Administration Server database in the workspace of the Administration Server node on the Events tab.

Information on the Events tab is presented as a list of event selections. Each selection includes only events of a specific type. For example, the "Device status is Critical" selection contains only records about changes of device statuses to "Critical". The Events tab contains a number of standard event selections. You can create additional (custom) event selections and export event information to a file. For more information about event filtering, see Kaspersky Security Center documentation.

A notification is a message containing information about an event. Notifications keep the user informed about application events in a timely manner. To select the method used for notifications about events and to configure other event notification settings, you need to contact your anti-virus protection provider.

For detailed information on events and notifications, see the Kaspersky Security Center documentation.

Removing the Kaspersky Security administration plug-in for tenants

You can remove the Kaspersky Security administration plug-in for tenants in interactive mode by using the standard application removal tools in the operating system.

To do so, in the list of applications installed in the operating system, select Kaspersky Security for Virtualization 6.0 Agentless (for tenants) – administration plug-in for removal.

The wizard is used to perform removal.