Light Agent for Windows policy
You can use a Light Agent for Windows policy to configure the following application settings:
- Automatically starting the application on a virtual machine.
- Settings of the following control components:
- General anti-virus protection settings.
- Settings of the following protection components:
- Settings for connecting Light Agents to SVMs and the Integration Server:
- SVM discovery settings for SVMs running in the network, and settings for receiving information about them.
- Settings for connecting Light Agents to the Integration Server. You must configure a connection if you are using the Integration Server to receive information about SVMs running in the network, and if you are using tags for connecting Light Agents to SVMs.
- Using tags for connecting to SVMs.
- Settings for encrypting the connection between Light Agents and SVM.
- Algorithm used by Light Agents when selecting SVMs.
All settings for connecting Light Agents to SVMs and to the Integration Server, except SVM discovery settings, cannot be configured when creating a policy for Light Agent for Windows. You can configure these settings in the policy properties window.
- Other settings of the application:
- Network traffic monitoring settings.
- Application Self-Defense settings.
- Settings for managing local and group tasks (except for the custom scan task) through the local interface.
- Scan mode when the virtual machine is idle.
- Settings for scanning removable drives on the virtual machine.
- Settings for reports and Backup.
- Settings for interaction between the Light Agent local interface and the user.
- Settings for protecting access to application features and settings in the local interface.
- Notification settings in the local interface regarding events occurring during Light Agent operation.
For information about configuring general policy settings and event settings, please refer to the Kaspersky Security Center help.
The user of a protected virtual machine can also configure the settings of the Light Agent for Windows policy in the local interface of the application, if this is not blocked by the policy.
The capability to locally edit an application setting on a protected virtual machine is determined by the "lock" status:
- When a setting is "locked", the user cannot edit the setting locally, and the policy-defined setting is applied to all protected virtual machines within the administration group.
- When a setting is "unlocked", the user can edit the setting locally on each protected virtual machine within the administration group.
You can create and modify the Light Agent for Windows policy settings using the Administration Console and using the Web Console.
Creating Light Agent for Windows policy in the Administration Console
To create a Light Agent for Windows policy in the Administration Console:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, select the folder with the name of the administration group for whose protected virtual machines you want to create a policy.
On the Devices tab of the folder with the name of the administration group, you can view a list of protected virtual machines that belong to this administration group.
- In the workspace, select the Policies tab.
- Click the New policy button to start the New Policy Wizard.
You can also start the wizard using the New → Policy option in the context menu of the policy list.
- At the first step of the Wizard, select Kaspersky Security for Virtualization 5.2 Light Agent for Windows from the list.
Proceed to the next step of the wizard.
- Enter a name for the new policy.
- If you want to migrate the settings from a Light Agent for Windows policy of a previous version of Kaspersky Security into the policy being created, select the Use settings from policy for previous application version check box.
You can migrate the settings from a policy that was created in Kaspersky Security for Virtualization 4.0 Light Agent or a later version of the application.
Proceed to the next step of the wizard.
- At this step, you can import Light Agent for Windows settings previously saved on a protected virtual machine into the policy you are creating. Settings are imported using a configuration file in CFG format that you can create in the local interface of Light Agent.
To import settings, click the Select button and, in the Please select a configuration file window that opens, select a file with the .cfg extension. The path to the configuration file is shown in the Configuration file field.
You can use only a configuration file created by the Kaspersky Security for Virtualization 5.2 Light Agent version of the application.
You can edit these settings imported from the configuration file at subsequent steps of the Policy Wizard.
Proceed to the next step of the wizard.
- Configure the virtual machine control settings. The Wizard window shows a list of control components.
You can perform the following actions:
- Enable or disable the control component by using the check box to the left of the component name in the list. By default, the Application Startup Control and System Integrity Monitoring components are disabled.
- Configure the settings of each control component. To do so, select the control component in the list and click the Edit button located above the list of control components. In the window that opens, configure the settings of the selected component and click OK.
- Block or allow editing of the settings of each control component through the local interface of Light Agent for Windows. By default, editing of all control settings through the local interface is blocked.
If you want to allow editing of control component settings through the local interface, select this component in the list and click the Open button located above the list of components, or click the lock icon to the left of the component name.
If the editing of component settings via the local interface is blocked, Kaspersky Security uses the policy-configured component operation settings on all protected virtual machines. If editing of component settings through the local interface is allowed, Kaspersky Security uses the local component settings instead of the settings configured in the policy.
Proceed to the next step of the wizard.
- Configure the virtual machine protection settings. The Wizard window shows a list of protection components.
You can perform the following actions:
- Enable or disable automatic startup of the application on a virtual machine and configure the general anti-virus protection settings. To do so, select General protection settings in the list and click the Edit button located above the list of protection components. In the window that opens, configure the settings and click OK.
- Enable or disable the protection component by using the check box to the left of the component name in the list. All protection components are enabled by default.
- Configure the settings of each protection component. To do so, select the protection component in the list and click the Edit button located above the list of protection components. In the window that opens, configure the settings of the selected component and click OK.
- Block or allow the editing of settings of each protection component via the local interface of Light Agent for Windows. By default, editing of all protection settings through the local interface is blocked.
If you want to allow editing of protection component settings through the local interface, select this component in the list and click the Open button located above the list of components, or click the lock icon to the left of the component name.
If the editing of component settings via the local interface is blocked, Kaspersky Security uses the policy-configured component operation settings on all protected virtual machines. If editing of component settings through the local interface is allowed, Kaspersky Security uses the local component settings instead of the settings configured in the policy.
Proceed to the next step of the wizard.
- Configure SVM discovery settings for Light Agents:
- If you want to use the Integration Server, check the address and port used for connecting SVMs to the Integration Server. The fields show the default port (7271) and the domain name of the device on which the Kaspersky Security Center Administration Console is installed. You can change the port and specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device on which the Integration Server is installed.
If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.
If the device hosting Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the local or domain KLAdmins group or to the group of local administrators, when proceeding to the next step of the wizard specify the Integration Server administrator password (password of the admin account) in the window that opens.
The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, the Verify Integration Server certificate window opens. You can view the details of the certificate received. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.
- If you want to use a list of SVM addresses, use the Add button to enter one or several addresses.
If you selected the Use a custom list of SVM addresses option and the extended SVM selection algorithm is used, the value of the SVM path parameter in the SVM selection algorithm section must be set to Ignore SVM path. If any other value is set, the Light Agents will not be able to connect to SVMs.
Proceed to the next step of the wizard.
- If required, configure the trusted zone for the Light Agent for Windows component. The Exclusions list contains the names of applications or names of application vendors that you can include in the trusted zone or exclude from it. Use the check boxes in the list to specify the applications or application vendors to be included in the trusted zone.
If the check box is selected, files, folders, and processes recommended for these applications are included in the trusted zone, and the executable files of these applications are automatically added to the list of trusted applications.
Proceed to the next step of the wizard.
- If necessary, configure the settings for interaction between a user and the local interface of Light Agent, and the settings of notifications about events that occur during Light Agent operation.
To ensure that Kaspersky Security can operate on a virtual machine that uses Windows Terminal Services technology, you must clear the Start the local application interface check box.
If you use Light Agent in a virtual desktop infrastructure (VDI) with Microsoft Windows desktop operating system, you are advised to clear the Start the local application interface check box to improve virtual infrastructure performance.
Proceed to the next step of the wizard.
- If required, configure the settings for protecting access to Light Agent functions and settings. To do this, perform the following actions:
- Select the Enable password protection check box.
- Specify the name and password of the user account that is allowed to access application settings in the local interface of Light Agent.
- Click the Settings button and, in the opened window, select the Light Agent operations that will be protected with a password.
Proceed to the next step of the wizard.
- Exit the Policy Wizard.
The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.
The policy will be applied to protected virtual machines after the Kaspersky Security Center Administration Server relays the information to Kaspersky Security. Kaspersky Security starts protecting virtual machines according to the policy settings.
If Network Agent is not running on a protected virtual machine, the created policy is not applied on this protected virtual machine.
If you chose the Inactive policy option during the previous step of the New Policy Wizard, the created policy is not applied on the protected virtual machines.
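The SVM discovery step above accepts only an IPv4 address or FQDN for the Integration Server and installs an untrusted certificate as trusted if you click Ignore. The following pre-flight check is an added example, not part of the Kaspersky documentation or product: it applies the address rules stated on this page and compares the presented certificate with a SHA-256 fingerprint obtained out-of-band from the Integration Server host. The function names, the treatment of single-label names as NetBIOS-style names, and the assumption that the certificate is presented on the configured port are assumptions of this example.

```python
import hashlib
import ipaddress
import re
import ssl

DEFAULT_PORT = 7271  # default Integration Server port named on this page
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_address(address, port=DEFAULT_PORT):
    """Return a list of problems; an empty list means the address is acceptable."""
    problems = []
    if not 1 <= port <= 65535:
        problems.append("port out of range")
    host = address.strip().rstrip(".")
    if host.lower() == "localhost" or host == "127.0.0.1":
        problems.append("localhost/127.0.0.1 is rejected by the connection")
        return problems
    try:
        ipaddress.IPv4Address(host)
        return problems  # valid IPv4 literal
    except ValueError:
        pass
    labels = host.split(".")
    if ":" in host or labels[-1].isdigit():
        # IPv6 literal or malformed dotted-decimal address
        problems.append("not an IPv4 address or FQDN")
    elif len(labels) < 2:
        # Assumption: a single-label name is a NetBIOS-style short name.
        problems.append("single-label (NetBIOS-style) name, use the FQDN")
    elif len(host) > 253 or not all(_LABEL.match(l) for l in labels):
        problems.append("malformed FQDN")
    return problems


def fingerprint(pem_cert):
    """SHA-256 fingerprint of a PEM certificate, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def certificate_matches(address, expected_sha256, port=DEFAULT_PORT):
    """Fetch the certificate the server presents (without trusting it) and
    compare it with a fingerprint obtained out-of-band from the server host."""
    pem = ssl.get_server_certificate((address, port))
    want = expected_sha256.replace(":", "").lower()
    return fingerprint(pem) == want
```

Call `certificate_matches()` only after `check_address()` returns an empty list; a mismatch means the certificate shown in the Verify Integration Server certificate window should not be accepted until the cause is understood.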
Editing Light Agent for Windows policy settings in the Administration Console
To edit Light Agent for Windows policy settings in the Administration Console:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, select the folder with the name of the administration group for whose protected virtual machines you want to edit policy properties.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking.
You can also open the policy properties window using the Settings item of the policy context menu or by clicking the Configure policy settings link located to the right of the list of policies in the policy settings section.
- Edit the policy settings.
The General and Event notification sections of the Settings: <Policy name> window are the standard sections of Kaspersky Security Center. For descriptions of the standard sections, please refer to the Kaspersky Security Center help.
- Click OK in the Properties: <Policy name> window.