- Kaspersky Security for Virtualization 6.2 Light Agent Help
- About Kaspersky Security for Virtualization 6.2 Light Agent
- Solution functions
- Distribution kit
- Hardware and software requirements
- Requirements for Kaspersky Security Center components
- Requirements for installing a Windows-based Integration Server
- Requirements for installing a Linux-based Integration Server
- Requirements for the virtual infrastructure
- Requirements for SVM resources
- Virtual machine requirements for installing Light Agent
- Supported versions of applications in Light Agent mode
- What’s new
- Solution architecture
- Preparing to install the solution
- Files required for installing the solution
- Downloading SVM images using the wizard
- Configuring the ports to use
- Accounts for installing and using the solution
- Configuring the use of secure cryptographic algorithms, ciphers, and protocols
- Configuring rules for moving virtual machines to administration groups
- Installing the Kaspersky Security solution
- Installing a Windows-based Integration Server
- Installing the Linux-based Integration Server
- Installing Kaspersky Security web plug-ins
- Installing Kaspersky Security MMC plug-ins
- SVM deployment using the Integration Server Web Console
- Connecting the Integration Server and the virtual infrastructure
- Creating and running an SVM deployment task
- Selecting infrastructure for SVM deployment
- Selecting the SVM image
- Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
- Specifying SVM settings
- Specifying SVM settings (infrastructures based on OpenStack)
- Configuring SVM network settings (infrastructures based on OpenStack)
- Configuring IP address settings for SVM
- Specifying Kaspersky Security Center connection settings
- Creating the configuration password and the root account password
- Start task for SVM deployment
- Starting an SVM deployment task (OpenStack-based infrastructure)
- Viewing information about task execution
- Deploying SVMs using the Integration Server Console
- Selecting an action
- Selecting infrastructure for SVM deployment
- Selecting the SVM image
- Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
- Specifying SVM settings
- Specifying SVM settings (infrastructures based on OpenStack)
- Configuring SVM network settings (infrastructures based on OpenStack)
- Configuring IP address settings for SVM
- Specifying Kaspersky Security Center connection settings
- Creating the configuration password and the root account password
- Starting SVM deployment
- Starting SVM deployment (infrastructures based on OpenStack)
- SVM deployment
- Finishing SVM deployment
- Automatically creating tasks and a default policy for the Protection Server
- Preparing the Protection Server for operation
- Installing Light Agents and Network Agent
- About installing Kaspersky Security Center Network Agent on virtual machines
- About installing Light Agent for Linux
- About installing Light Agent for Windows
- Installing Light Agent on a template for non-persistent virtual machines
- Compatibility of Light Agent for Windows with virtualization solutions
- Preparing Light Agents for operation
- Displaying virtual machines and SVMs in Kaspersky Security Center
- Viewing the list of SVMs connected to the Integration Server
- Updating Kaspersky Security from the previous version
- Removing the Kaspersky Security solution
- Application management framework
- About managing the solution using Kaspersky Security Center
- About Kaspersky Security management plug-ins
- Starting and closing Kaspersky Security Center Web Console
- Managing the solution using Kaspersky Security Center policies
- Managing the solution using tasks
- About access rights to the settings of policies and tasks in Kaspersky Security Center
- About Integration Server Console
- Connecting to the Integration Server via Integration Server Console
- About the Integration Server Web Console
- Connecting to the Integration Server via Integration Server Web Console
- Licensing Kaspersky Security for Virtualization 6.2 Light Agent
- About the End User License Agreement
- About data provision
- About the license
- About the License Certificate
- About license key
- About the activation code
- About the key file
- About subscription
- License-specific solution functionality
- About activating Kaspersky Security for Virtualization 6.2 Light Agent
- Procedure for activating the solution
- Renewing a license
- Renewing subscription
- Viewing information about the license keys used in Kaspersky Security Center
- View information about the license on a secure virtual machine
- Starting and stopping Kaspersky Security
- Virtual machine protection status
- Connecting SVMs and Light Agents to the Integration Server
- Connecting Light Agents to SVMs
- Protecting large infrastructures
- Updating Kaspersky Security databases and application modules
- Using Kaspersky Security Network
- Additional Protection Server settings
- Reports and notifications
- SVM reconfiguration
- Reconfiguring SVMs using Integration Server Web Console
- Selecting SVM for reconfiguration
- Entering the configuration password
- Editing SVM network settings
- Changing SVM IP settings
- Changing Kaspersky Security Center connection settings
- Changing the configuration password and root account settings
- Start task for SVM reconfiguration
- Start task for SVM reconfiguration (OpenStack)
- SVM reconfiguration using the Integration Server Console
- Selecting an action
- Selecting SVM for reconfiguration
- Entering the configuration password
- Editing SVM network settings
- Editing SVM network settings (infrastructures based on OpenStack)
- Changing SVM IP settings
- Changing Kaspersky Security Center connection settings
- Changing the configuration password and root account settings
- Starting SVM reconfiguration
- Starting SVM reconfiguration (infrastructures based on OpenStack)
- SVM reconfiguration
- Finishing SVM reconfiguration
- Reconfiguring SVMs using Integration Server Web Console
- Configuring Integration Server settings
- Changing passwords of Integration Server accounts
- Changing the settings for connecting to the virtual infrastructure in the Integration Server Web Console
- Changing the settings for connecting to the virtual infrastructure in the Integration Server Console
- Deleting the settings for connection of the Integration Server to the virtual infrastructure
- Replacing the Integration Server and SVM certificates
- Using a backup copy of the database and the Integration Server settings
- SNMP monitoring of SVM status
- Checking the integrity of solution components
- Using Kaspersky Security for Virtualization 6.2 Light Agent in multitenancy mode
- Deploying a tenant protection infrastructure
- Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server
- Creating a tenant and virtual Administration Server
- Configuring SVM location and Protection Server settings
- Configuring settings for SVM discovery by Light Agents and general tenant protection settings
- Installing a Light Agent on tenant virtual machines
- Registering tenant virtual machines
- Activating a tenant
- Registering existing tenants and their virtual machines
- Enabling and disabling tenant protection
- Getting information about tenants
- Getting tenant protection reports
- Removing virtual machines from the protected infrastructure
- Removing tenants
- Using Integration Server REST API in multi-tenancy scenarios
- Deploying a tenant protection infrastructure
- Contacting Technical Support
- How to get technical support
- Technical Support via Kaspersky CompanyAccount
- Getting information for Technical Support
- Protection Server and Light Agent dump files
- Trace files of the Kaspersky Security Components Installation Wizard
- Trace files of the Integration Server and Integration Server Console
- Trace files of the tool for managing Integration Server and SVM certificates
- Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins
- The SVM Management Wizard log
- Using the utilities and scripts from the Kaspersky Security distribution kit
- Appendices
- Using the klconfig script API to define SVM configuration settings
- Executing configuration commands
- Using the SVM first startup script
- Configuring SVM configuration settings
- Description of commands
- accept_eula_and_privacypolicy
- apiversion
- checkconfig
- connectorlang
- dhcp
- dhcprenew
- dns
- dnslookup
- dnssearch
- dnsshow
- getdnshostname
- gethypervisordetails
- hostname
- listpatches
- manageservices
- nagent
- network
- ntp
- passwd
- permitrootlogin
- productinstall
- reboot
- resetnetwork
- rollbackpatch
- setsshkey
- settracelevel
- test
- timezone
- version
- Settings in the ScanServer.conf file
- Object ID values for SNMP
- How to remove duplicate virtual machines from the list of managed devices in Kaspersky Security Center
- Using the klconfig script API to define SVM configuration settings
- Sources of information about the solution
- Glossary
- Activation code
- Active key
- Administration Server
- Application activation
- Backup
- Backup copy of a file
- Compound file
- Database of malicious web addresses
- Database of phishing web addresses
- Desktop key
- End User License Agreement
- Heuristic Analysis
- Integration Server
- Kaspersky CompanyAccount
- Kaspersky Security databases
- Kaspersky Security Network (KSN)
- Key file
- Key with a limitation on the number of processor cores
- Key with a limitation on the number of processors
- Keylogger
- License
- License certificate
- License key (key)
- Light Agent
- OLE object
- Phishing
- Protected virtual machine
- Reserve key
- Server key
- Signature Analysis
- Startup objects
- SVM
- SVM Management Wizard
- Update source
- Information about third-party code
- Trademark notices
Creating a Protection Server policy
You can create a Protection Server policy using the Web Console as well as the Administration Console.
How to create a Protection Server policy in Kaspersky Security Center Web Console
To create a Protection Server policy:
- In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Policies and policy profiles.
A list of policies and policy profiles opens.
- Select the administration group containing the SVMs to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens. The new policy will determine the operating settings of Protection Servers installed on SVMs in the selected administration group.
- Click the Add button located above the list of policies and profiles.
The New Policy Wizard starts.
- At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server from the list.
Proceed to the next step of the wizard.
- Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:
- I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement
If you select this option, you agree to the terms and conditions set forth in the Kaspersky Security Network Statement. If the KSN Proxy service is enabled in the properties of the Kaspersky Security Center Administration Server, the use of KSN in the operation of the Protection Server will be enabled. KSN services are used when protecting virtual machines and when running scan tasks on virtual machines.
The Kaspersky Security Center Administration Server properties are where the KSN infrastructure type (KSN or KPSN) is selected and the use of KPSN is configured. See Kaspersky Security Center help for more information.
By default, KSN is used in extended mode. If needed, you can disable the use of extended KSN in the Protection Server policy properties.
- I do not accept the terms and conditions of the Kaspersky Security Network Statement
If this option is selected, you decline to use Kaspersky Security Network.
KSN services will not be used in the operation of the Protection Server.
If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.
If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server settings section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.
KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. For information on configuring KSN for Light Agents, see the Help of the applications that you are using Light Agent mode. We recommend specifying the same KSN usage settings for the Protection Server and the Light Agent that interacts with the Protection Server.
Proceed to the next step of the wizard.
- I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement
- Configure the connection of SVMs to the Integration Server:
- Click the Settings button.
- In the Connection to the Integration Server window that opens, enter the following settings:
- Address
IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.
If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.
- Port
Port for connecting to the Integration Server.
By default, port number 7271 is specified.
- Address
- Click the Validate button.
The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains errors or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window. Click View the received certificate to view information about the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.
- To save the received certificate and continue connecting to the Integration Server, in the Select an action block, select the Ignore option.
- Specify the password of the Integration Server administrator (password of the
adminaccount) and click the Validate button.The New Policy Wizard connects to the Integration Server. If the connection fails, an error message appears in the window. If the connection succeeds, the Connection to the Integration Server window closes, and the Connection to the Integration Server field of the New Policy Wizard window shows the Connected status.
Proceed to the next step of the wizard.
- On the General tab, specify the name of the new policy, define its status (Active or Inactive) and configure inheritance settings. For details, please refer to the Kaspersky Security Center help.
- If necessary, modify the default policy settings on the Application settings tab.
- Click Save to complete the policy creation.
The created policy will be displayed in the list of policies on the Policies and policy profiles tab.
The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.
If Network Agent is not running on the SVM, the created policy is not applied on it.
If on the General tab you specified the Inactive policy status, the created policy is not applied to the SVMs.
How to create a Protection Server policy in Kaspersky Security Center Administration Console
To create a Protection Server policy:
- In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVMs on which the policy should be applied. The policy will determine the operating settings of the Protection Servers installed on these SVMs.
On the Devices tab of the folder with the name of the administration group, you can view a list of SVMs that belong to this administration group.
- In the workspace, select the Policies tab.
- Click the New policy button to start the New Policy Wizard.
You can also start the wizard using the New → Policy option in the context menu of the policy list.
- At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server from the list.
Proceed to the next step of the wizard.
- Enter a name for the new policy.
- To use the settings from the policy for the Protection Server of the previous version of Kaspersky Security in the policy being created, select the Use policy settings for the earlier application version check box.
Proceed to the next step of the wizard.
- Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:
- I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement
If you select this option, you agree to the terms and conditions set forth in the Kaspersky Security Network Statement. If the KSN Proxy service is enabled in the properties of the Kaspersky Security Center Administration Server, the use of KSN in the operation of the Protection Server will be enabled. KSN services are used when protecting virtual machines and when running scan tasks on virtual machines.
The Kaspersky Security Center Administration Server properties are where the KSN infrastructure type (KSN or KPSN) is selected and the use of KPSN is configured. See Kaspersky Security Center help for more information.
By default, KSN is used in extended mode. If needed, you can disable the use of extended KSN in the Protection Server policy properties.
- I do not accept the terms and conditions of the Kaspersky Security Network Statement
If this option is selected, you decline to use Kaspersky Security Network.
KSN services will not be used in the operation of the Protection Server.
If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.
If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.
KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. For information on configuring KSN for Light Agents, see the Help of the applications that you are using Light Agent mode. We recommend specifying the same KSN usage settings for the Protection Server and the Light Agent that interacts with the Protection Server.
Proceed to the next step of the wizard.
- I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement
- Configure settings for downloading updates of databases and application modules to SVMs:
- If you want to receive updates of the solution's application modules together with the solution database update package, select the Update solution modulescheck box.
Enables/disables receiving updates for Kaspersky Security application modules along with updates to the solution databases.
If the check box is selected, the Protection Server receives updates of application modules for Kaspersky Security components along with database updates from the Kaspersky Security Center Administration Server storage.
This check box is cleared by default.
If you edit a setting, the new value is applied the next time the database update task on the Protection Server runs.
- If necessary, use the check boxes to configure the list of versions of Light Agents for which the Protection Server will receive updates. At least one version must be selected.
The list contains the supported versions of Light Agents. If the version of the Light Agent you want to receive updates for is not listed, click the Refresh button.
Proceed to the next step of the wizard.
- If you want to receive updates of the solution's application modules together with the solution database update package, select the Update solution modules
- If you want to get SVM status using a network management system that uses the SNMP protocol, select the Enable SNMP monitoring of SVM statuscheck box.
Enabling / disabling SNMP monitoring of SVM status.
If the check box is selected, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.
If the check box is cleared, no information about SVM state is sent.
This check box is cleared by default.
Proceed to the next step of the wizard.
- If you have enabled display of additional Protection Server policy settings, configure the additional Protection Server settings.
- Maximum number of simultaneous scan requests
Maximum number of scan requests from Light Agents simultaneously processed by the Protection Server. Light Agents generate scan requests during protection of virtual machines and while running scan tasks.
By default, the Protection Server can process 75 scan requests simultaneously.
- Maximum number of scan tasks started by schedule
Maximum number of simultaneous scan tasks running on the Protection Server that have been started according to the Light Agent schedule. These scan tasks are low-priority tasks for the Protection Server.
By default, five low-priority scan tasks are performed simultaneously.
- Maximum number of scan tasks started manually
Maximum number of simultaneous scan tasks running on the Protection Server that were started manually. These scan tasks are high-priority tasks for the Protection Server.
By default, five high-priority scan tasks are performed simultaneously.
- Trace level
Drop-down list where you can select the trace level for the Protection Server (
scanserverservice on the SVM). The trace levels are arranged so that each level includes all of the levels below it.The following items are available from the drop-down list:
- Default value. Default value.
- Tracing is disabled (0). Creation of trace files is disabled.
- Starting and stopping components (100). Informational messages about starting and stopping the Protection Server.
- Critical errors (200). Messages about critical errors in the operation of the Protection Server.
- Errors (300). Messages about errors and critical errors in the operation of the Protection Server.
- Critical warnings (400). Critical warnings and messages about ordinary and critical errors.
- Warnings (500). All warnings and messages about ordinary and critical errors.
- Important messages (600). Important messages, all warnings and messages about ordinary and critical errors.
- Informational messages (700). Informational messages, important messages and all warnings and messages about ordinary and critical errors.
- Debugging messages (800). Debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
- Detailed debugging messages (900). Debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
- All messages (1000). All possible messages and warnings.
- Restore default settings
Restores the default settings.
Proceed to the next step of the wizard.
- Maximum number of simultaneous scan requests
- Configure the connection of SVMs to the Integration Server.
- Address
IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.
If the device on which Kaspersky Security Center Administration Console is installed is part of a domain, the field indicates the domain name of this device by default.
If the device on which the Kaspersky Security Center Administration Console is installed is not part of a domain or the Integration Server is installed on another device, the field must be filled in manually.
If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.
- Port
Port for connecting to the Integration Server.
By default, port number 7271 is specified.
Proceed to the next step of the wizard.
If the device hosting the Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the KLAdmins local or domain group or to the local administrator group, in the Connection to the Integration Server window that opens, specify the Integration Server administrator password (password of the
adminaccount).The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, the Verify Integration Server certificate window opens. You can view the details of the certificate received. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.
- Address
- If required, enable the use of encryption to protect the connection between Light Agents and Protection Servers.
- Encrypt data channel between Light Agent and the Protection Server
Encrypt the connection between Light Agents and Protection Servers.
If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.
If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.
This check box is cleared by default.
- Allow nonsecure connection if secure connection cannot be established
Allow an unsecure connection between Light Agents and Protection Servers.
If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.
If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.
This check box is cleared by default.
Proceed to the next step of the wizard.
- Encrypt data channel between Light Agent and the Protection Server
- If you want to control Light Agents' connection to SVMs using connection tags, configure the settings for using connection tags:
- Allow connection of Light Agents with specified tags
Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.
If the check box is selected, only Light Agents with the specified tags can connect to the SVM.
If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.
The check box is cleared by default.
- Tag list
Only Light Agents that are assigned the tags specified in this field can connect to the SVM.
You can specify one or more tags separated by semicolons.
- Allow connection of Light Agents with specified tags
- If required, Enable optimization for protection of large infrastructures.
Proceed to the next step of the wizard.
- Exit the Policy Wizard.
The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.
The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.
If Network Agent is not running on the SVM, the created policy is not applied on it.
If you selected the Inactive policy option during the previous step of the New Policy Wizard, the newly created policy is not applied on the SVM.