Kaspersky Security for Virtualization 6.2 Light Agent

Contents

[Topic 254002]

About Kaspersky Security for Virtualization 6.2 Light Agent

Kaspersky Security for Virtualization 6.2 Light Agent, hereinafter also referred to as "Kaspersky Security", is an integrated solution that provides comprehensive protection of virtual machines with Linux guest operating systems and Windows guest operating systems against various types of information threats, network attacks and fraud.

Kaspersky Security protects virtual machines on the following virtualization platforms:

  • VMware vSphere.
  • XenServer.
  • Microsoft Hyper-V.
  • KVM (Kernel-based Virtual Machine).
  • Proxmox VE.
  • Basis.
  • Skala-R.
  • HUAWEI FusionSphere.
  • Nutanix Acropolis.
  • Enterprise Cloud Platform VeiL.
  • SharxBase.
  • TIONIX Cloud Platform.
  • OpenStack.
  • ALT Virtualization Server.
  • "Brest" Virtualization Tools software package.
  • zVirt virtualization environment.
  • ROSA Virtualization Environment Management System.
  • RED Virtualization.
  • Astra Linux.
  • SpaceVM Cloud Platform.
  • Basis.DynamiX Cloud Platform.
  • VMmanager Infrastructure.
  • Numa vServer.
  • VK Cloud platform.
  • R-Virtualization server virtualization system.
  • Yandex Cloud Platform.
  • Gorizont-VS virtualization management platform.
  • HOSTVM Virtualization platform.

Some limitations apply to the installation and operation of the solution in virtual infrastructures running on the Enterprise Cloud Platform VeiL, SharxBase, "Brest" Virtualization Tools software package, zVirt Virtualization System, ROSA Virtualization, RED Virtualization, VMmanager Infrastructure, SpaceVM Cloud Platform, Basis.DynamiX Cloud Platform, R-Virtualization server virtualization system, and Yandex Cloud Platform, Gorizont-VS virtualization management platform, and HOSTVM Virtualization platform. Please refer to the Knowledge Base for details.

The Kaspersky Security solution is optimized to support maximum performance of the virtual machines that are protected by the solution.

The solution protects virtual machines running guest server operating systems and guest desktop operating systems.

The Kaspersky Security solution can be used in multitenancy mode. This mode of using the solution allows you to protect isolated virtual infrastructures in the tenant organization or units within a single organization (hereinafter also referred to as "tenants").

The solution includes the following components:

  • Kaspersky Security Protection Server (hereinafter also "Protection Server"). The component is a service installed on a special virtual machine known as an SVM (secure virtual machine). SVMs must be deployed on hypervisors in the virtual infrastructure during installation of the Kaspersky Security solution.
  • Kaspersky Security Light Agent (hereinafter also "Light Agent"). The component is an application designed to be installed on virtual machines. Light Agent must be installed on each virtual machine that you want to protect with Kaspersky Security.

    The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux as the Light Agent for Linux.

    The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows as the Light Agent for Windows.

  • Kaspersky Security for Virtualization Light Agent Integration Server (hereinafter also "Integration Server"). The component is an application designed to be installed on a Linux device or a Windows device in your infrastructure. The Integration Server facilitates interaction between the Kaspersky Security solution components and the virtual infrastructure.

To install and manage Kaspersky Security, you need Kaspersky Security Center, Kaspersky's remote centralized application management system. You can use Kaspersky Security Center Windows or Kaspersky Security Center Linux.

In this Help section

Solution functions

Distribution kit

Hardware and software requirements

Page top

[Topic 254027]

Solution functions

The basic functions of protecting and monitoring virtual machines are provided by the functional components and tasks of the Light Agent for Linux and Light Agent for Windows.

The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux as the Light Agent for Linux. The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows as the Light Agent for Windows. For a description of the Light Agent functionality, please refer to the Online Help of the corresponding application.

Kaspersky Endpoint Security for Linux and Kaspersky Endpoint Security for Windows operating in Light Agent mode have the following features:

  • The application is activated on the Protection Server.
  • Updates of application databases and modules are managed on the Protection Server. The application gets updates from a folder on the SVM. You cannot select a different update source.
  • The use of cloud databases is not supported.
  • The application interacts with KSN servers using a KSN proxy server. Direct interaction with KSN is not supported.
  • The use of the application's proxy server is not supported when connecting to the Integration Server, SVMs, and KSN servers.
  • Managing the application using Kaspersky Security Center Cloud Console is not available.
  • For the Kaspersky Endpoint Security for Linux application only: the application cannot be managed using the graphical user interface.
  • For the Kaspersky Endpoint Security for Windows application only:
    • Data encryption components and Adaptive Anomaly Control cannot be installed.
    • The built-in EDR Expert agent does not work in Light Agent mode.

To keep the components of Kaspersky Security up-to-date and to expand the solution's capabilities, it provides the following additional functions:

  • Activation. Using the solution under a commercial license ensures the full functionality of solution components and access to updates of the solution's databases and application modules.
  • Updating databases and application modules. Updating the solution's databases and application modules ensures up-to-date protection of virtual machines against viruses and other applications that pose a threat.
  • Using Kaspersky Security Network in the operation of solution components. Using Kaspersky's cloud knowledge base about the reputation of files, Internet resources, and software makes it possible to improve protection of virtual machines and user data, ensure faster response times to various threats, and reduce the number of false positives.
  • Reports and notifications. Various types of events occur during the operation of solution components. You can receive notifications about events and generate reports based on events.

The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the solution in the territory of the USA.

Page top

[Topic 254025]

Distribution kit

For information about purchasing the solution, please visit the Kaspersky website at https://www.kaspersky.com or contact our partners.

The solution's distribution kit includes the following files:

On the Kaspersky website, you can download the files that are included in the Kaspersky Security distribution kit as well as the files necessary for installing Kaspersky Security Center.

The contents of the solution's distribution kit can vary from region to region.

Information required to activate the solution is sent by email after payment.

Page top

[Topic 254036]

Requirements for Kaspersky Security Center components

To install and manage the Kaspersky Security solution, you need Kaspersky Security Center Windows or Kaspersky Security Center Linux.

Kaspersky Security Center Linux includes a version of Administration Server intended for installation on a device running the Linux operating system. Kaspersky Security Center Linux interacts with Administration Server through Kaspersky Security Center Web Console. For more information on Kaspersky Security Center Linux, please refer to the Kaspersky Security Center Linux Help.

You can use one of the following versions of the Kaspersky Security Center application:

  • Kaspersky Security Center Linux:
    • Kaspersky Security Center 15.2 Linux. Components of the Kaspersky Security solution can be managed through Kaspersky Security Center Web Console using the management web plug-in.
    • Kaspersky Security Center 15.1 Linux. Components of the Kaspersky Security solution can be administered through Kaspersky Security Center Web Console using the management web plug-in.
    • Kaspersky Security Center 15 Linux. Components of the Kaspersky Security solution can be administered through Kaspersky Security Center Web Console using the management web plug-in.
  • Kaspersky Security Center Windows:
    • Kaspersky Security Center 15.1 Windows. Components of the Kaspersky Security solution can be managed through Administration Console using the management MMC plug-in and through Kaspersky Security Center Web Console using the management web plug-in.
    • Kaspersky Security Center 14.2 Windows. Components of the Kaspersky Security solution can be managed through Administration Console using the management MMC plug-in and through Kaspersky Security Center Web Console using the management web plug-in.

The operation of Kaspersky Security requires the following Kaspersky Security Center components:

  • Administration Server.

    The following services must be configured on Administration Server:

    • The proxy activation service is used when activating the Kaspersky Security solution. The activation proxy service is configured in the properties of the Kaspersky Security Center Administration Server. If the activation proxy service is disabled, the solution cannot be activated using an activation code.
    • The KSN Proxy service facilitates data exchange between Kaspersky Security solution components and Kaspersky Security Network. The KSN Proxy service is configured in the properties of the Kaspersky Security Center Administration Server.

    For more detailed information about the activation proxy service and KSN Proxy service, please refer to the Kaspersky Security Center help.

  • Network Agent. Network Agent facilitates interaction between Administration Server and virtual machines on which Kaspersky Security solution components are installed.

    Network Agent must be installed on all virtual machines that you want to protect:

    The Network Agent does not need to be installed on SVMs because this component is included in the SVM images.

  • Kaspersky Security Center Administration Console. Regardless of the version of Kaspersky Security Center, you can use Kaspersky Security Center Web Console (hereinafter also referred to as "Web Console"). To interact with Kaspersky Security Center Windows, you can also use the MMC-based Administration Console (hereinafter also referred to as "Administration Console").

For information on installing Kaspersky Security Center components, please refer to the Kaspersky Security Center help.

Page top

[Topic 292218]

Requirements for installing a Windows-based Integration Server

To install and operate the Windows-based Integration Server and Integration Server Console, one of the following operating systems must be installed on the device:

  • Windows Server 2022 Standard/Datacenter/Essentials
  • Windows Server 2019 Standard/Datacenter/Essentials
  • Windows Server 2016 Standard/Datacenter
  • Windows Server 2012 R2 Standard/Datacenter/Essentials
  • Windows Server 2012 Standard/Datacenter/Essentials

On the device where you want to install the Integration Server Console, the operating system must be installed in the Desktop Experience mode.

Microsoft .NET Framework 4.6.2, 4.7, or 4.8 is required to install the Windows-based Integration Server and to install and run the Integration Server Console. You can install the Microsoft .NET Framework in advance, or if you have Internet access, the Kaspersky Security Component Installation Wizard will offer to install it during the installation of the Integration Server and Integration Server Console.

The device must meet the following minimum hardware requirements to allow installing and running the Windows-based Integration Server and Integration Server Console:

  • Quad-core 2 GHz virtual processor
  • Available disk space:
    • 4 GB for the Integration Server Console
    • 4 GB for the Integration Server
  • Available RAM:
    • 4 GB for the Integration Server Console
    • 4 GB for the Integration Server

The required volume of RAM and free disk space may change depending on the size of the virtual infrastructure. To improve the performance of the Integration Server, 10 GB of free disk space is recommended.

Page top

[Topic 292219]

Requirements for installing a Linux-based Integration Server

To install and operate the Linux-based Integration Server, one of the following 64-bit operating systems must be installed on the device:

  • Ubuntu 22.04 LTS.
  • Astra Linux Special Edition RUSB.10015-01 (operational update 1.7).
  • Astra Linux Special Edition RUSB.10015-01 (operational update 1.8).

The following packages must be installed on the device:

  • regardless of the installed operating system:
    • libc6
    • libgssapi-krb5-2
    • zlib1g
  • in the Ubuntu 22.04 LTS operating system:
    • ca-certificates
    • libssl3
    • libunwind8
  • in the Astra Linux Special Edition operating system RUSB.10015-01 (operational update 1.7): libssl1.1
  • in the operating system Astra Linux Special Edition RUSB.10015-01 (operational update 1.8): libssl3

The device must meet the following minimum hardware requirements to support the installation and operation of the Linux-based Integration Server:

  • Quad-core 2500 MHz virtual processor
  • 4 GB available disk space
  • 8 GB available RAM

Hardware requirements may vary depending on the size of the virtual infrastructure. To improve the performance of the Integration Server, 10 GB of free disk space, and 12 GB RAM is recommended.

Page top

[Topic 254038]

Requirements for the virtual infrastructure

Installation and operation of the Kaspersky Security solution is supported on the following virtualization platforms:

  • Microsoft Hyper-V platform.

    One of the following hypervisors must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    • Microsoft Windows Server 2022 Hyper-V (Desktop experience/Core) hypervisor
    • Microsoft Windows Server 2019 Hyper-V (Desktop experience/Core) hypervisor
    • Microsoft Windows Server 2016 Hyper-V (Desktop experience/Core) hypervisor with all available updates

    The solution can be installed and run on Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service. Cluster Shared Volumes technology must be enabled on cluster nodes.

    If you use Integration Server Console to manage the Integration Server, when deploying SVMs on Microsoft Windows Server (Hyper-V) hypervisors, you can use one of the following versions of the Microsoft System Center Virtual Machine Manager (hereinafter referred to as "Microsoft SCVMM") virtual infrastructure management server:

    • Microsoft SCVMM 2022 with the latest updates.
    • Microsoft SCVMM 2019 with the latest updates.
    • Microsoft SCVMM 2016 with the latest updates.

    If you use Integration Server Web Console or REST API to manage the Integration Server. Connecting to Microsoft SCVMM is not supported.

    For the Linux-based Integration Server, connecting to virtual infrastructure based on Microsoft Hyper-V is not supported. Use the Windows-based Integration Server.

  • XenServer platform

    A XenServer 8 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    In a virtual infrastructure on the XenServer platform, you cannot deploy an SVM with a static IP address specified. Use dynamic IP addressing.

  • VMware vSphere platform.

    One of the following hypervisors must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    • VMware ESXi 8.0 hypervisor with the latest updates.
    • VMware ESXi 7.0 hypervisor with the latest updates.

    A VMware vCenter Server 8.0 or 7.0 virtual infrastructure administration server with all available updates must be installed in virtual infrastructure. There is support for the installation and operation of the solution in an infrastructure managed by standalone VMware vCenter servers and by a group of VMware vCenter servers running in Linked mode.

    If you are using VMware NSX Manager in an infrastructure running the VMware vSphere platform, Kaspersky Security can assign security tags to the protected virtual machines. Kaspersky Security is compatible with VMware NSX Manager, which is included in the following packages:

    • VMware NSX 4.0.1
    • VMware NSX-T Data Center 3.2

    If you use Integration Server Console to manage the Integration Server, when deploying SVMs on VMware ESXi hypervisors, you can use one of the following versions of the Microsoft SCVMM virtual infrastructure management server:

    • Microsoft SCVMM 2022 with the latest updates.
    • Microsoft SCVMM 2019 with the latest updates.
    • Microsoft SCVMM 2016 with the latest updates.

    If you use Integration Server Web Console or REST API to manage the Integration Server. Connecting to Microsoft SCVMM is not supported.

  • KVM (Kernel-based Virtual Machine) platform.

    A KVM hypervisor based on one of the following operating systems must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    • Debian GNU/Linux 12.0.
    • Debian GNU/Linux 11.0.
    • Ubuntu 22.04 LTS.
    • Red Hat Enterprise Linux Server 8.0.
    • CentOS Stream 9.

    To deploy an SVM on KVM hypervisors running the CentOS operating system, you must delete or comment out the "Defaults requiretty" line in the /etc/sudoers configuration file of the hypervisor’s operating system.

  • Proxmox VE platform.

    A Proxmox VE 8 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    Only KVM-based Proxmox VE is supported. Operation of the solution on a Proxmox VE hypervisor using LXC (Linux Containers) is not supported.

  • Basis platform.

    An R-Virtualization 7.0.13 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    A Basis.vControl 2.2.1 virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on R-Virtualization hypervisors.

  • Skala-R platform.

    An R-Virtualization 7.0.13 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    A Skala-R Management 1.98 virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on R-Virtualization hypervisors.

  • HUAWEI FusionSphere platform.

    A HUAWEI FusionCompute CNA 8.0 or later hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    HUAWEI FusionCompute VRM 8.0 and later virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on HUAWEI FusionCompute CNA hypervisors.

  • Nutanix Acropolis platform.

    A Nutanix AHV 6.5.1.5 or 6.10.1 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    Nutanix Prism 6.5.1.5 or 6.10.1 and later virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on Nutanix AHV hypervisors.

  • Enterprise Cloud Platform VeiL platform.

    A VeiL Node 5.1.2 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the Enterprise Cloud Platform VeiL platform. Please refer to the Knowledge Base for details.

  • SharxBase platform.

    A SharxBase 5.10.x hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    There are some limitations on the installation and operation of the solution in a SharxBase virtual infrastructure. Please refer to the Knowledge Base for details.

  • TIONIX Cloud Platform.

    For the Kaspersky Security solution to install and run, TIONIX Cloud Platform 2.9 or 3.0 must be installed.

    The following microservices must be installed as part of the TIONIX Cloud Platform:

    • Keystone – authentication microservice.
    • Compute (Nova) – microservice used for creating virtual machine and operations with infrastructure.
    • Cinder – microservice used for operations with storages.
    • Glance – microservice used for operations with virtual machine images.
    • Neutron – microservice used for operations with networks.

    A KVM hypervisor must be installed in the virtual infrastructure.

  • OpenStack platform.

    For the Kaspersky Security solution to install and run, one of the following OpenStack platform releases must be installed: Havana, Stein, Newton, Victoria, Zed, Antelope, Bobcat.

    The following microservices must be installed as part of the OpenStack platform:

    • Keystone – authentication microservice.
    • Compute (Nova) – microservice used for creating virtual machine and operations with infrastructure.
    • Cinder – microservice used for operations with storages.
    • Glance – microservice used for operations with virtual machine images.
    • Neutron – microservice used for operations with networks.

    A KVM hypervisor must be installed in the virtual infrastructure.

  • ALT Virtualization Server.

    The ALT Virtualization Server version 10.0 platform is required for installation and operation of the Kaspersky Security solution.

    A basic hypervisor of the ALT Virtualization Server 10.0 platform (KVM-based hypervisor) must be installed as part of the platform.

  • Brest Virtualization Software Platform.

    The Brest Virtualization Software 3.2 or 3.3 platform is required to install and run the Kaspersky Security solution.

    A KVM hypervisor must be installed in the virtual infrastructure.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the "Brest" Virtualization Tools software package. Please refer to the Knowledge Base for details.

  • zVirt virtualization environment.

    A zVirt Node 3.x, 4.x, or zVirt Max hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure running the zVirt Virtualization Environment. Please refer to the Knowledge Base for details.

  • ROSA Virtualization platform.

    ROSA Virtualization Environment Management System Platform version 2.1 or 3.0 is required for installation and operation of the Kaspersky Security solution.

    A KVM hypervisor must be installed in the virtual infrastructure.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.

    You can remove the limitations related to use of the Integration Server in a virtual infrastructure running on the ROSA Virtualization platform. If you want Light Agents to use the advanced SVM discovery functionality (use of the Integration Server and the extended SVM selection algorithm), you can manually add infrastructure information to the Integration Server. Please refer to the Knowledge Base for details.

  • RED Virtualization platform.

    RED Virtualization platform 7.3 is required for installation and operation of the Kaspersky Security solution.

    A KVM hypervisor must be installed in the virtual infrastructure.

    There are some limitations when installing and operating the solution in a virtual infrastructure running the RED Virtualization platform. Please refer to the Knowledge Base for details.

  • Astra Linux Platform.

    To install and run the Kaspersky Security solution, Astra Linux Special Edition RUSB.10015-01 (regular update 1.7) must be installed along with Update 2022-1221SE17MD (operational update 1.7.3.UU.1).

    A KVM hypervisor must be installed in the virtual infrastructure.

  • SpaceVM Cloud Platform.

    SpaceVM Cloud Platform 6.2 is required to install and run Kaspersky Security in a virtual infrastructure.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure on the SpaceVM Cloud platform. Please refer to the Knowledge Base for details.

  • Basis.DynamiX Cloud Platform.

    Basis.DynamiX Cloud Platform 3.8.5, 3.8.8, or 4.0.0 is required to install and run Kaspersky Security in a virtual infrastructure.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure on the Basis.DynamiX Cloud platform. Please refer to the Knowledge Base for details.

  • VMmanager Infrastructure platform.

    VMmanager Infrastructure 2023.11.1-1 is required for installation and operation of the Kaspersky Security solution.

    A KVM hypervisor must be installed in the virtual infrastructure.

    There are some limitations when installing and operating the solution in a virtual infrastructure running VMmanager Infrastructure. Please refer to the Knowledge Base for details.

  • Numa vServer platform

    A Numa vServer 1.1 or later hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.

  • VK Cloud platform

    To install and run the Kaspersky Security solution, you need one of the following OpenStack platform releases: Havana, Stein, Newton, Victoria, Zed, Antelope, Bobcat.

    The following microservices must be installed as part of the VK Cloud platform:

    • Keystone – authentication microservice.
    • Compute (Nova) – microservice used for creating virtual machine and operations with infrastructure.
    • Cinder – microservice used for operations with storages.
    • Glance – microservice used for operations with virtual machine images.
    • Neutron – microservice used for operations with networks.

    A KVM hypervisor must be installed in the virtual infrastructure.

  • R-Virtualization server virtualization system.

    R-Virtualization hypervisor 7.0.13 or later must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security application.

    Some limitations apply to the installation and operation of the application in a virtual infrastructure based on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.

  • Yandex Cloud Platform.

    Yandex Cloud Platform is required to install and run Kaspersky Security.

    There are some limitations on the installation and operation of the solution in a virtual infrastructure on the Yandex Cloud Platform. Please refer to the Knowledge Base for details.

  • Gorizont-VS virtualization management platform.

    The Gorizont-VS virtualization management platform version core_3.х, core_4.x, or Gorizont-VS-FSTEC is required to install and operate the Kaspersky Security solution.

    The virtual infrastructure must have the "Gorizon-VS Server Virtualization subsystem" hypervisor and the "Gorizon-VS Multimanagement system" virtual infrastructure administration server (hereinafter also "Horizon-VS-SGU") installed.

    Some limitations apply to installing and operating the solution on the Gorizont-VS virtualization management platform. Please refer to the Knowledge Base for details.

  • HOSTVM Virtualization platform.

    HOSTVM Virtualization platform is required to install and run Kaspersky Security.

    The HOSTVM Node hypervisor must be installed in the virtual infrastructure.

    Some limitations apply to installing and operating the solution on the HOSTVM virtualization management platform. Please refer to the Knowledge Base for details.

Kaspersky Security can protect virtual machines as part of an infrastructure that uses the following virtualization solutions:

  • VMware Horizon 8.x.
  • Huawei FusionAccess 8 (Windows guest operating system only).
  • Citrix Virtual Apps and Desktops 7 2402 LTSR with the latest updates installed.
  • Citrix Provisioning Services 7.
  • Citrix XenApp and XenDesktop 7.15.
  • Citrix App Layering 2009 (only virtual machines with a Windows guest operating system).
  • Termidesk VDI 3.3.
  • Basis.WorkPlace 1.98.2.
  • Remote Desktop Host Services based on Microsoft and Citrix.

Some limitations apply to the operation of the solution in a VDI based on Termidesk and Basis.WorkPlace.

Page top

[Topic 254039]

Requirements for SVM resources

To run the solution on an SVM, the following minimum system resources are required:

  • Dual-core virtual processor
  • 30 GB available disk space
  • 2 GB available RAM
  • Virtualized network interface with bandwidth of 100 Mbit/s
Page top

[Topic 99618]

Virtual machine requirements for installing Light Agent

Requirements for Light Agent for Linux

On virtual machines running Linux operating systems, Kaspersky Endpoint Security for Linux installed in Light Agent mode is used as the Light Agent.

For the minimum hardware requirements and a list of supported operating systems for Kaspersky Endpoint Security for Linux in Light Agent mode, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

There are limitations when Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments. Using Kaspersky Endpoint Security for Linux in Light Agent mode is not supported:

  • On devices running operating systems for the Arm architecture.
  • On devices running Astra Linux operating systems in mandatory access control and closed software environment modes.

Requirements for Light Agent for Windows

On virtual machines running Windows operating systems, Kaspersky Endpoint Security for Windows installed in Light Agent mode is used as the Light Agent.

For the minimum hardware requirements and a list of supported operating systems for Kaspersky Endpoint Security for Windows in Light Agent mode, see the Kaspersky Endpoint Security for Windows Help of the relevant version.

General requirements for Light Agent

Before installing Light Agent on virtual machines, the following packages must be installed, depending on the virtual infrastructure:

  • In a Microsoft Hyper-V infrastructure, the Integration Services package must be installed on the virtual machines.
  • In a VMware vSphere infrastructure, the VMware Tools package must be installed on the virtual machines.
  • In a XenServer infrastructure, XenTools must be installed on the virtual machines.
  • In a HUAWEI FusionSphere infrastructure, the HUAWEI Tools package must be installed on the virtual machines.
  • In an infrastructure based on KVM, OpenStack, VK Cloud platform, TIONIX Cloud Platform, Astra Linux, or ALT Virtualization Server, QEMU Guest Agent must be installed on virtual machines.
Page top

[Topic 197597]

Supported versions of applications in Light Agent mode

The following applications are used as part of Kaspersky Security for Virtualization 6.2 Light Agent:

Other components of the Kaspersky Security solution are compatible only with the specified application versions.

Page top

[Topic 254028]

What’s new

Kaspersky Security for Virtualization 6.2 Light Agent has the following new features:

  • The Kaspersky Security solution includes a new version of the Integration Server designed to be installed on a device with the Linux operating system (hereinafter also referred to as the "Linux-based Integration Server"). Now you can use the Windows-based Integration Server or the Linux-based Integration Server, depending on your infrastructure.
  • In the new version of Kaspersky Security, you can use Integration Server Web Console to manage the Integration Server. The web console is available in Kaspersky Security Center Web Console after installing the Integration Server web plug-in. Web Console and Integration Server Console implement the same functions for managing the Integration Server. Using Integration Server Web Console, you can:
    • configure the list of virtual infrastructures to which the Integration Server connects
    • deploy, remove, or reconfigure SVMs
    • view information about SVMs that are connected to the Integration Server
    • change passwords of accounts that are used to connect to the Integration Server
    • view the list of tenants registered in the Integration Server database and configure the connection settings required for interaction between the Integration Server REST API and Kaspersky Security Center Administration Server

    Integration Server Web Console lets you manage the Windows-based Integration Server and the Linux-based Integration Server.

  • You can now select the versions of Light Agents for which the Protection Server will receive updates of application databases and modules. You can reduce traffic by downloading updates to SVMs only for those versions of Light Agents that work in your infrastructure.
  • For virtual infrastructure on the VK Cloud platform, you can now use the Integration Server while deploying and operating the Kaspersky Security solution. You can configure a connection to this infrastructure and manage SVMs through Integration Server Console or Integration Server Web Console. You can use the Integration Server to detect SVMs using Light Agents.
  • You can now protect virtual infrastructures based on the Basis platform.
  • You can now protect virtual infrastructures on the R-Virtualization server virtualization system.

    Some limitations apply to the installation and operation of the application in a virtual infrastructure based on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.

  • As its Light Agent for Windows, the solution uses Kaspersky Endpoint Security for Windows 12.8 or 12.9, which provides expanded functionality for protecting virtual machines with Windows guest operating systems (compared to Light Agent for Windows 5.2). The following functions are now available in the solution:
    • BadUSB Attack Prevention.
    • Log Inspection.
    • Intrusion Prevention (instead of Application Control functionality).
    • Behavior Detection, Exploit Prevention and Remediation Engine (instead of System Monitoring functionality).
    • Ability to integrate with the following Kaspersky solutions:
      • Kaspersky Managed Detection and Response The solution automatically detects and analyzes security incidents in your infrastructure and sends incident data to Kaspersky experts. These experts can then handle the incident themselves or provide recommendations for handling the incident.
      • Kaspersky Endpoint Detection and Response Optimum The solution is designed to protect an organization's IT infrastructure from advanced threats.
      • Components of the Kaspersky Anti Targeted Attack Platform solution (Endpoint Detection and Response (KATA), Network Detection and Response (KATA), KATA Sandbox) The solution is designed for early detection of complex threats, such as targeted attacks, advanced persistent threats (APT), zero-day attacks and others.
      • Kaspersky Sandbox The solution analyzes the behavior of objects to identify malicious activity and signs of targeted attacks on the organization's IT infrastructure, and automatically blocks advanced threats on devices.
      • Kaspersky Unified Monitoring and Analysis Platform (KUMA) A SIEM solution for managing security information and security events in an organization's IT infrastructure. KUMA lets you detect, analyze and eliminate security threats before they can harm your organization.

    Kaspersky Endpoint Security for Windows 12.9 has a new tool, Temporary password monitoring. A temporary password lets you grant access to Kaspersky Endpoint Security for Windows application with Password protection enabled for an individual device. Temporary password monitoring lets you save password history (up to 30 days), monitor the status of the temporary password (Active, Expired, Revoked), and revoke temporary passwords.

    For a full description of the application's features, see the Kaspersky Endpoint Security for Windows Help of the relevant version.

    The following limitations exist running Kaspersky Endpoint Security for Windows in Light Agent mode:

    • Data encryption components and Adaptive Anomaly Control are not available.
    • The built-in EDR Expert agent does not work in Light Agent mode.
  • The solution uses Kaspersky Endpoint Security for Linux 12.2 as the Light Agent for Linux. The new version of the application implements the ability to integrate with Kaspersky Unified Monitoring and Analysis Platform and with components of the Kaspersky Anti Targeted Attack Platform solution: Kaspersky Network Detection and Response (KATA) and KATA Sandbox. For the full list of improvements relative to the previous version of the application, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
  • We added support for new licenses under which you can use the Kaspersky Security solution.
  • We expanded the list of guest operating systems that can be protected by Kaspersky Security. For a list of supported Linux operating systems, see the Kaspersky Endpoint Security for Linux Help of the relevant version. For a list of supported Windows operating systems, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
Page top

[Topic 254032]

Solution architecture

Protection Server component

Kaspersky Security Protection Server (hereinafter also referred to as the "Protection Server") is a scanserver service installed on a special virtual machine called an SVM (secure virtual machine). An SVM is included in the Kaspersky Security distribution kit as a virtual machine image. During installation of the solution, you need to deploy SVMs from an image on hypervisors in the virtual infrastructure.

Protection Server performs the following functions:

  • Scans the fragments of files sent by Light Agents installed on virtual machines for viruses and other malware. The SharedCache technology is used for scan. It optimizes the speed of file scan by excluding files that have been already scanned on another virtual machine. The Protection Server stores information about scanned files in a cache on the SVM in order to not scan them again.
  • This ensures that the application receives an update package from the Kaspersky Security Center Administration Server repository, which contains the database and application module updates necessary for operation of the solution.
  • Manages license keys and licensing restrictions.

Light Agent component

Kaspersky Security Light Agent (hereinafter also referred to as "Light Agent") is an application installed on each virtual machine that needs to be protected using the Kaspersky Security solution. A virtual machine with the Light Agent component installed is called protected virtual machine.

If Kaspersky Security is used to protect VDI, Light Agent is installed on virtual machine templates from which persistent or non-persistent virtual machines are created.

The Kaspersky Security solution includes:

  • The Light Agent for Linux component is designed to protect virtual machines with Linux operating systems.

    The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux in Light Agent mode as the Light Agent for Linux. The application protects virtual machines running Linux operating systems from various types of threats, network attacks and fraud. For more information about the capabilities of Kaspersky Endpoint Security for Linux commands, see the application help of the relevant version.

  • The Light Agent for Windows component is designed to protect virtual machines with Windows operating systems.

    The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows in Light Agent mode as the Light Agent for Windows. The application protects virtual machines running Windows operating systems from various types of threats, network attacks and fraud. For more information about the capabilities of Kaspersky Endpoint Security for Windows commands, see the application help of the relevant version.

When launched, the Light Agent establishes and maintains a connection to the SVM in order to interact with the Protection Server component.

Integration Server component

Kaspersky Security for Virtualization Light Agent Integration Server (hereinafter also referred to as the "Integration Server") is an application designed to be installed on a device running the Linux operating system or on a device running a Windows operating system in your infrastructure. The Integration Server facilitates interaction between the Kaspersky Security solution components and the virtual infrastructure.

The Integration Server is used for performing the following tasks:

  • Deploying, removing, and reconfiguring SVMs with Protection Servers.
  • Receiving information about the protected infrastructure from the virtual infrastructure and sending it to Protection Servers. The Integration Server can connect to hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices to acquire this information (depending on the type of virtual infrastructure).
  • Receipt by Light Agents of a list of SVMs available for connection and information about them. This information is necessary for interaction between Light Agents and Protection Servers on the SVMs.
  • Deploying and using the Kaspersky Security solution in multi-tenancy mode.

The Kaspersky Security solution includes:

  • An Integration Server designed to be installed on a device with a Windows operating system (hereinafter also referred to as the "Windows-based Integration Server").
  • An Integration Server designed to be installed on a device with a Linux operating system (hereinafter also referred to as the "Linux-based Integration Server").

You can use the Integration Server that corresponds to your infrastructure.

To manage the Windows-based Integration Server, you can use the following management consoles:

To manage the Linux-based Integration Server, you can use Integration Server Web Console.

We do not recommend using Integration Server Console to manage the Linux-based Integration Server.

You can also manage the Integration Server using the Integration Server REST API without using management consoles (open a description of REST API requests).

To use the Integration Server in the operation of Light Agents and Protection Servers, you need to configure the settings for connecting SVMs and Light Agents to the Integration Server.

After configuring the settings for connecting SVM to the Integration Server, SVM transmits the following information to the Integration Server every 5 minutes:

  • IP address and number of ports for connecting to the SVM.
  • Information about the SVM path in the virtual infrastructure.
  • Information about the license used to activate the solution on the SVM.
  • Information about the average load of the Protection Server on the SVM.

A Light Agent attempts to connect to the Integration Server once every 30 seconds if the Light Agent has no information about any SVM and the last attempt to connect to the Integration Server failed. After a Light Agent receives information about SVMs from the Integration Server, the connection interval increases to 5 minutes.

During its operation, the Integration Server saves the following information:

  • Internal Integration Server accounts. These accounts are used to connect management consoles, SVMs and Light Agents to the Integration Server.
  • Settings for connecting the Integration Server to the virtual infrastructure and the Kaspersky Security Center Administration Server.
  • If the solution is used in multi-tenancy mode: a list of registered tenants and information about the time that virtual machines were protected by the solution.
  • SVM service data.

All data is stored in encrypted form. Information is stored on the device on which Integration Server is installed and is not sent to Kaspersky.

Management plug-ins and Network Agent

The interface for managing Kaspersky Security solution components using Kaspersky Security Center is provided by Kaspersky Security management plug-ins.

Network Agent, a component of Kaspersky Security Center, facilitates interaction between the Kaspersky Security solution and Kaspersky Security Center, and also provides the ability to manage Kaspersky Security solution components via Kaspersky Security Center.

Network Agent must be installed on each virtual machine that needs to be protected using the Kaspersky Security solution. Network Agent does not need to be installed on SVMs because this component is included in the SVM images.

In this Help section

SVM deployment options

Connecting Light Agent to SVM

About data processing

Page top

[Topic 101574]

SVM deployment options

VMware vSphere platform

The following options are available for deploying SVMs on VMware virtual infrastructure:

  • Deployment on a standalone VMware ESXi hypervisor managed by a VMware vCenter Server.
  • Deployment on VMware ESXi hypervisors that are part of a cluster managed by a VMware vCenter Server.

    After deployment, the SVM is automatically assigned to the hypervisor, i.e. it does not migrate to other VMware ESXi hypervisors within the cluster.

  • Deployment on VMware ESXi hypervisors managed by VMware vCenter servers in Linked mode.

If you use Integration Server Console to manage the Integration Server, when deploying SVMs on VMware ESXi hypervisors, you can use the Microsoft SCVMM virtual infrastructure management server. If you use Integration Server Web Console or REST API to manage the Integration Server. Connecting to Microsoft SCVMM is not supported.

XenServer platform

The following SVM deployment options are available on a XenServer virtual infrastructure:

  • Deployment on a standalone XenServer hypervisor
  • Deployment on a hypervisor that is part of a XenServer hypervisor pool.

    An SVM can be deployed in the local storage of the hypervisor or in the shared storage of a XenServer hypervisor pool.

    After startup, an SVM deployed in shared storage is run on the hypervisor within the XenServer hypervisor pool that has the most resources and/or is under the least load. If a key with a limitation on the number of processor cores key has been installed on an SVM, the number of processor cores on the hypervisor the SVMs are running on is considered when checking the license restrictions.

Microsoft Hyper-V platform

The following options are available for deploying SVMs on Microsoft Hyper-V virtual infrastructure:

  • Deployment on a standalone Microsoft Windows Server (Hyper-V) hypervisor.
  • Deployment on Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service.

During deployment of an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, all files required for operation of the SVM are stored in a separate folder. This folder is assigned the same name as the SVM.

If you use Integration Server Console to manage the Integration Server, when deploying SVMs on Microsoft Windows Server (Hyper-V) hypervisors, you can use the Microsoft SCVMM virtual infrastructure management server. If you use Integration Server Web Console or REST API to manage the Integration Server. Connecting to Microsoft SCVMM is not supported.

KVM platform

SVM deployment on a standalone KVM hypervisor is supported.

Proxmox VE platform

SVM deployment on a standalone Proxmox VE hypervisor is supported.

Basis platform

SVM deployment on R-Virtualization hypervisors included in a hypervisor cluster managed by a Basis.vControl server is supported.

Skala-R platform

SVM deployment on R-Virtualization hypervisors that are part of a hypervisor cluster managed by a Skala-R Management server is supported.

HUAWEI FusionSphere platform

The following options are available for deploying SVMs on HUAWEI virtual infrastructure:

  • Deployment on a standalone HUAWEI FusionCompute CNA hypervisor managed by a HUAWEI FusionCompute VRM server.
  • Deployment on HUAWEI FusionCompute CNA hypervisors that are part of a cluster managed by a HUAWEI FusionCompute VRM server.

Nutanix Acropolis platform

The following options are available for deploying SVMs on Nutanix Acropolis virtual infrastructure:

  • Deployment on Nutanix AHV hypervisors that are a part of a hypervisor cluster managed by a Nutanix Prism Element server.
  • Deployment on Nutanix AHV hypervisors that are a part of a hypervisor cluster managed by a Nutanix Prism Element server that is managed by Nutanix Prism Central.

OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform

SVMs are deployed on hypervisors used within

.

ALT Virtualization Server platform

An SVM can be deployed on a standalone hypervisor of the ALT Virtualization Server platform.

Astra Linux Platform

SVM deployment on a standalone KVM hypervisor running on the Astra Linux Platform is supported.

Numa vServer platform

SVM deployment on a standalone Numa vServer hypervisor is supported.

Page top

[Topic 254867]

Connecting Light Agent to SVM

For the Kaspersky Security solution to function, constant interaction between the Light Agent and the Protection Server is required. If there is no connection to the Protection Server, the Light Agent cannot transfer file fragments to the Protection Server for scanning, and scanning is not performed. If Light Agent loses a connection to the Protection Server for more than 5 minutes while running scan tasks, the scan tasks stop and return an error.

To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed.

Light Agent can only connect to an SVM whose version is compatible with the Light Agent version.

To connect to an SVM, Light Agent must receive information about the SVMs to which a connection can be made. Light Agent selects an available SVM that is optimal for connection according to the SVM selection algorithm.

Regardless of the algorithm used in selecting SVMs, Light Agents also take into account the following parameters:

  • Availability of a valid license (a license key that is not in the denylist is added to the SVM, and the license associated with the key has not expired). Light Agent first connects to the SVM on which the solution is activated (the key is added).
  • Type of the license key added to the SVM. If you use a licensing scheme based on the number of virtual machines protected by the solution (server keys and desktop keys), the Light Agent first connects to the SVM on which the key type matches the operating system installed on the virtual machine with the Light Agent.
  • Protecting the connection between the Light Agent and the Protection Server. A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Light Agent and the Protection Server is allowed.
  • SVM connection tags. If a tag is assigned to a Light Agent, the Light Agent can only connect to SVMs that are configured to use that connection tag.

The ability to connect the Light Agent to the SVM also depends on the settings for downloading updates to the SVM, which are specified in the policy for the Protection Server. Only Light Agents for which database updates are downloaded to this SVM can connect to the SVM.

Keep in mind that the scope of functionality available on the Light Agent depends on the license under which the solution is activated on the SVM:

  • If you want to use the Light Agent functionality included in the Enterprise license, you need to connect the Light Agent to a SVM on which the solution is activated under the Enterprise license. When connecting to an SVM on which the solution is activated under a Standard license, less functionality is available on the Light Agent.
  • If you want to use additional Light Agent functionality (for example, integration the Kaspersky Detection and Response solution or integration with Kaspersky Unified Monitoring and Analysis Platform), you need to connect the Light Agent to an SVM on which the solution is activated under a license that includes this additional functionality, or to an SVM for which a separate license key for activating the additional functionality has been added. When a Light Agent is disconnected from the current SVM and connects to an SVM on which additional functionality has not been activated, the functionality becomes unavailable on the Light Agent.

To prevent Light Agents from switching between SVMs with different license types, you can use connection tags or a list of SVMs available for connection to limit the number of SVMs available to a Light Agent.

You can get information about the status of the Light Agent's connection to the SVM in the following ways:

The lack of a connection between Light Agent and an SVM is communicated in Kaspersky Security Center through the status of the host device: if the connection to an SVM is not established, the status of the protected virtual machine changes to Critical. Information about the loss and restoration of the connection of the Light Agent and SVM is saved as events in Kaspersky Security Center.

We do not recommend using live snapshots of virtual machines taken on a running guest OS for SVMs and virtual machines with Light Agent for Linux installed. Restoring from such snapshots results in loss of the connection between Light Agents and the SVMs and degrades the performance of the virtual infrastructure. You can use virtual machine snapshots taken on a running guest OS only if the "Notify only" mode is enabled in the Light Agent settings. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

In this section:

About SVM discovery

About the SVM selection algorithms

Page top

[Topic 254868]

About SVM discovery

Light Agent can discover SVMs running on the network in one of the following ways:

  • Using the Integration Server. SVMs relay information about themselves to the Integration Server. The Integration Server compiles a list of SVMs available for connection, and sends this list to Light Agents.

    In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can limit the size of the list of SVMs available for connection that the Integration Server relays to Light Agents. The Integration Server can transfer information only about the limited number of available SVMs, which you specified in the Integration Server configuration file.

    To use this method of SVM discovery, you must connect SVMs and Light Agents to the Integration Server.

  • With the use of the list of SVM addresses. You can specify a list of SVM addresses to which Light Agents can connect.

If the extended SVM selection algorithm is used for the Light Agent, and large infrastructure protection mode is enabled on the SVMs, it is recommended to select the Integration Server as the method for Light Agents to discover SVMs.

Each Light Agent can only use one of two possible SVM detection methods.

You can configure SVM detection settings for Light Agents in the following ways:

Page top

[Topic 254869]

About the SVM selection algorithms

Light Agents can apply one of the following SVM selection algorithms for connection:

  • A standard SVM selection algorithm

    If this algorithm is applied, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to Light Agent.

    SVM locality relative to Light Agent is determined depending on the type of virtual infrastructure:

    • In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, the SVM that is considered to be local to a Light Agent is the SVM that is deployed on the same hypervisor as the virtual machine with the Light Agent installed.
    • In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can specify how SVM locality relative to the Light Agent is determined using the StandardAlgorithmSvmLocality parameter in the HypervisorSpecificSettings:Openstack section in the Integration Server configuration file appsettings.json. Depending on the version of the Integration Server, the file is located at one of the following paths:
      • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
      • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.

      The StandardAlgorithmSvmLocality parameter can take the following values:

      • ServerGroup – if this value is selected, SVM is considered local for Light Agent if it is located within the same server group as the virtual machine where Light Agent is installed. This value is used by default.
      • Project – if this value is selected, SVM is considered as local for Light Agent if it is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
      • AvailabilityZone – if this value is selected, SVM is considered as local for Light Agent if it is located within the same availability zone as the virtual machine with the installed Light Agent.

    If there are no local SVMs for connection, Light Agent selects a SVM with the lowest number of Light Agent connections regardless of SVM path in the virtual infrastructure.

    The application does not determine whether the SVM is local relative to the Light Agent if large infrastructure protection mode is enabled for the Protection Server on the SVM. In this case, it is recommended to use the extended SVM selection algorithm and select the Integration Server as the SVM discovery method.

  • An extended SVM selection algorithm

    If this algorithm is applied, you can define the following SVM selection settings:

    • whether to consider or ignore the SVM location in the infrastructure when choosing SVMs for connection
    • if the SVM location is considered, how to determine the locality of SVMs relative to the Light Agent.

    If Light Agents ignore the location of SVMs in the infrastructure, Light Agents will be able to connect to any SVMs available for connection.

    If Light Agents must consider the location of SVMs in the infrastructure, you need to select the SVM path type that will be considered when determining the SVM locality relative to the Light Agent. SVM locality relative to Light Agent is determined differently depending on the virtual infrastructure.

    In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, an SVM can be considered local for the Light Agent in any one of the following cases:

    • The SVM is deployed on the same hypervisor as the virtual machine with the installed Light Agent.
    • The SVM is deployed on the same hypervisor cluster as the virtual machine with the installed Light Agent.
    • SVM is deployed in the same data center as the virtual machine with the installed Light Agent.

    In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, an SVM can be considered as local for Light Agent in one of the following cases:

    • The SVM is located in the same server group as the virtual machine with the installed Light Agent.
    • The SVM is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
    • The SVM is located in the same availability zone as the virtual machine with the installed Light Agent.

    If Light Agents consider the location of SVMs in the infrastructure when choosing which SVM to connect to, Light Agents can only connect to SVMs that are local.

    For example, if you specify hypervisor cluster as SVM path type, all SVMs deployed on this hypervisor cluster will be considered as local for Light Agent, and Light Agent can connect only to one of this SVMs. If there are no SVMs available for connection in the same cluster in which the Light Agent is running, the Light Agent does not connect to an SVM.

    When selecting SVMs, Light Agents also consider the number of connected Light Agents to ensure that Light Agents are evenly distributed among SVMs available for connection.

    If a Light Agent uses the extended SVM selection algorithm, a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the SVM path is ignored.

You can specify which SVM selection algorithm the Light Agents will use, and configure the settings for using the extended SVM selection algorithm.

Page top

[Topic 254033]

About data processing

During their operation, Kaspersky Security solution components may save and send to other solution components and to other Kaspersky applications the following information that may contain personal and confidential data:

  • While deploying the SVM and editing SVM settings, the SVM Management Wizard or the Integration Server (also when using the Integration Server REST API) send the root and klconfig passwords configured by the user to the SVM.
  • To make the installation and operation of the solution possible, the SVM Management Wizard and the Integration Server (also when using the Integration Server REST API) receive information about the virtual infrastructure, save it, and transmit it between each other and to the Protection Server. The transmitted data can contain names of the virtual machines, IP-addresses or names of the hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices, as well as account settings for connecting to virtual infrastructure.
  • The Protection Server sends the Kaspersky Security Center Administration Server a list of Light Agents connected to the SVM. The transmitted information may include the name of the protected virtual machine, the BIOS ID of the protected virtual machine, and the path to it in the virtual infrastructure.
  • The Integration Server Console sends the Integration Server the data necessary for configuring the solution's operating settings. The transmitted data can contain addresses of hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices, as well as account settings for connecting to virtual infrastructure. If the solution is installed in an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, the address and settings of the accounts used to connect to VMware NSX Manager may also be sent.
  • Light Agent sends the following data to the Protection Server:
    • To activate the Light Agent: the validity term of the license key status confirmation; the ID (BIOS ID) of the protected virtual machine; information about the license that the Light Agent needs to work.
    • To update the Light Agent databases: software identifier obtained from the license; full version of the software; software license identifier; software installation identifier (PCID); processed web address; license type; identifier of the update start.
    • To provide protection, while scan tasks are running: information that is necessary for scanning objects. The transmitted information may include the names of files and paths to them in the file system, the checksums of files, web addresses, and the scanned objects or their fragments.
    • To obtain statistics: OS version of the protected virtual machine; localization of the Light Agent; names of the active Light Agent components; ID (BIOS ID) of the protected virtual machine.
  • To get information that is used when selecting an SVM for connection, the Light Agent sends the identifier of the protected virtual machine to the Integration Server and the Protection Server.
  • In an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, Light Agents and the Protection Server may send the Integration Server information about security tags that are assigned to a protected virtual machine upon detection of viruses, malware, or activity that is typical of network attacks. The IDs of protected virtual machines are also sent.
  • The Protection Server and Light Agent receive the operating settings specified using policies from the Kaspersky Security Center Administration Server. The transmitted information may include the paths to files and registry keys, web addresses, IP addresses of the Integration Server and SVMs, settings for connecting SVMs and Light Agents to the Integration Server, public and private keys of SVMs, and the public key of the Integration Server.
  • When using the solution in multitenancy mode, the Integration Server receives information about tenants and their virtual machines via the Integration Server REST API and stores it in the database. The following data may be sent: tenant name, identifier, and description, and other information about the tenant specified by the service provider's administrator; identifier of a tenant's virtual machine; account settings for connecting to a virtual Kaspersky Security Center Administration Server configured for the tenant; identifier of virtual Kaspersky Security Center Administration Server. The Integration Server may send information stored in the database about tenants and tenant virtual machines to the Integration Server Console for display or upon request to the Integration Server REST API.
  • When using the solution in multitenancy mode, the information necessary for generating tenant protection reports may be sent to the Protection Server from Light Agents, and from the Protection Server to the Integration Server. The following may be transmitted: IDs of the SVM and the protected virtual machine, time periods when the Light Agent was connected to the SVM.
  • When using the application in multitenancy mode, the Integration Server sends to Kaspersky Security Center Administration Server the information required to create a tenant protection infrastructure: tenant name, account settings for connecting to the virtual Kaspersky Security Center Administration Server, and operating settings specified using policies, including IP addresses of the Integration Server and SVMs.
  • During the execution of tasks, the Protection Server and Light Agent send information about the task settings and results to the Kaspersky Security Center Administration Server. The transmitted information may include the user name and password indicated in the task settings for the user account used to run the task.
  • To generate reports and events, the Protection Server and Light Agents send information about the operation of the solution to Kaspersky Security Center Administration Server. The transmitted information may include user names, names of processed files and paths to them in the file system, and processed web addresses.
  • While activating the solution, the Protection Server receives from the Kaspersky Security Center Administration Server and saves license information, including information about the client to which the license was issued, and the number of the license specified in the license certificate. After activation, the Protection Server sends to the Kaspersky Security Center Administration Server information about the license that was used to activate the solution; this is done to keep track of license limits and generate a report about license key usage. The Protection Server also sends information about the license that was used to activate the solution to the Light Agent, this is done to activate the Light Agent.

For a description of the data that applications running in Light Agent mode can transmit to other Kaspersky applications, see the Help for the relevant application.

The specified information is transmitted over encrypted data channels (except for the information necessary for scanning objects, and the information that is used when selecting SVMs). The connection between Light Agents and Protection Servers is not encrypted by default. You can enable encryption of the data channel between the Light Agents and the Protection Servers in the solution settings.

Page top

[Topic 255438]

Preparing to install the solution

Before installing the Kaspersky Security, you need to do the following.

General preparations

Preparing to install Light Agent for Linux on virtual machines

Before you start installing Light Agent for Linux, you need to do the following:

Preparing to install Light Agent for Windows on virtual machines

Before you start installing Light Agent for Windows, you need to do the following:

Additional steps for Microsoft Hyper-V platform

In a virtual infrastructure on the Microsoft Hyper-V platform, you also need to perform the following steps before installing the Kaspersky Security solution:

  • Ensure that the Integration Services package is installed on virtual machines that you want to protect.
  • Ensure that the ADMIN$ shared network resource is enabled on the hypervisor. To enable the ADMIN$ shared network resource on Microsoft Windows Server 2012 R2 Hyper-V hypervisors, a File Server role must be assigned in advance using the server configuration wizard.
  • Ensure that the drive where the ADMIN$ shared network resource is located has enough space for the SVM image. During installation of the Protection Server component, the SVM image is copied to the ADMIN$ shared network resource and then moved to the folder specified during SVM deployment.
  • Ensure that hypervisors that are not included in Active Directory domain have Windows Remote Management (WinRM) Ver. 3.0 installed. Windows Remote Management (WinRM) version 3.0 is included in the Windows Management Framework 3.0 installation package that can be downloaded from the Microsoft website.
  • If you want to use a domain account to connect the Integration Server to the hypervisor, make sure that the following conditions are met:
    • Integration Server is able to determine the hypervisor address using the domain name service (DNS) of the domain of the hypervisor on which the SVM is deployed.
    • The DNS server has forward and reverse records for the Integration Server.
    • Zones containing records about the Integration Server and the hypervisor on which the SVM is deployed are integrated with Active Directory.
    • The device from which SVM deployment is performed is able to resolve the names of hypervisors on which the SVM is deployed.
  • If you want the hypervisor user name and password, which were specified during installation of the SVM, to be encrypted when transmitted, you can use an SSL certificate to configure a secure connection between the hypervisor on which the SVM will be deployed and the device where the Kaspersky Security Center Administration Console is installed.

Additional Steps for VMware vSphere platform

In a virtual infrastructure on the VMware vSphere platform, you also need to perform the following steps before installing the Kaspersky Security solution:

  • Make sure that the VMware Tools kit is installed on the virtual machines that you want to protect.
  • If a proxy server is used to connect the device hosting the Kaspersky Security Center Administration Console to the VMware vCenter Server, make sure that the virtual machines are available via the proxy server.

Additional steps for the XenServer platform

In the virtual infrastructure on the XenServer platform, before installing the Kaspersky Security solution, make sure that the XenTools package is installed on the virtual machines that you want to protect.

Additional steps for Proxmox VE platform

In a virtual infrastructure on the Proxmox VE platform, make sure that there is at least 30 GB of free space in the /var/tmp directory before installing the Kaspersky Security solution.

Additional steps for HUAWEI FusionSphere platform

In the virtual infrastructure on the HUAWEI FusionSphere platform, before installing the Kaspersky Security solution, make sure that HUAWEI Tools is installed on the virtual machines that you want to protect.

While deploying an SVM in a virtual infrastructure based on the HUAWEI FusionSphere platform, the SVM Management Wizard installs the HUAWEI Tools package on the SVM. To receive this package, the Wizard queries the HUAWEI FusionCompute hypervisor. The HUAWEI Tools package is not included in the Kaspersky Security solution's distribution kit. It is recommended to make sure that the HUAWEI Tools package is available on the HUAWEI FusionCompute hypervisor.

Additional steps for Astra Linux Platform

Prior to starting installation of the solution in a virtual infrastructure running on the Astra Linux Platform, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration as follows:

  1. Run the following command:

    $ sudo usermod -a -G kvm,libvirt,libvirt-qemu,libvirt-admin <user_name>

  2. Open the sudoers configuration file by running the following command:

    sudo visudo

  3. Specify the following in the file:

    <user name> ALL = (ALL) NOPASSWD: ALL

    <user name> refers to the name of the user account that will be used to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  4. Save the sudoers file and then close it.

In this Help section

Files required for installing the solution

Downloading SVM images using the wizard

Configuring the ports to use

Accounts for installing and using the solution

Configuring the use of secure cryptographic algorithms, ciphers, and protocols

Configuring rules for moving virtual machines to administration groups

Page top

[Topic 255403]

Files required for installing the solution

Before you begin installing the Kaspersky Security solution, you need to download the files necessary for the installation and operation of the solution.

Kaspersky Security components installation wizard and the Windows-based Integration Server

The Kaspersky Security Components Installation Wizard is required for the following tasks:

  • installing, updating and removing the Windows-based Integration Server and Integration Server Console
  • downloading from the Kaspersky website the SVM images required for installing the Protection Server.

To start the Kaspersky Security components installation wizard, you will need the ksvla-components_<solution version number>_mlg.exe file. You can download this file from the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section (Build → Kaspersky Security Components Installation Wizard).

Linux-based Integration Server

Installation requires the ksvla-viis_<version number>-<build number>_amd64.deb package. You can download this file from the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.

SVM images

To install the Protection Server, you need an SVM image file and an image description file (a file in XML format). The Kaspersky Security distribution kit includes the following archives for installing the Protection Server in virtual infrastructures of various types:

  • The ksvla-svm_microsoft-hyper-v_<solution version number>_mlg.zip file is used to install the Protection Server in a Microsoft Hyper-V infrastructure; the archive contains an SVM image in VHDX format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
  • The ksvla-svm_xenserver_numa-vserver_<solution version number>_mlg.zip file is used to install the Protection Server in XenServer and Numa vServer infrastructures; the archive contains an SVM image in XVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
  • The ksvla-svm_vmware-vsphere_<solution version number>_mlg.zip file is used to install the Protection Server in a VMware vSphere infrastructure; the archive contains an SVM image in OVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
  • The archive ksvla-svm_kvm_based_<solution version number>_mlg.zip is used to install the Protection Server in the infrastructures based on KVM (Kernel-based Virtual Machine), OpenStack, VK Cloud platform, TIONIX Cloud Platform, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server and Astra Linux. The archive contains an SVM image in QCOW2 format and an image description file, ksvla-svm_manifest_<solution version number>.xml.

You can download archives containing SVM images and SVM image description files using the Kaspersky Security Components Installation Wizard. The archives are also available on the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.

The required placement of the resulting SVM image file and image description file (XML file) depends on the SVM deployment method that you plan to use:

  • If you plan to deploy using Integration Server Web Console, the SVM image file and image description file must be placed on the device where the Integration Server is installed, into a single folder that the Integration Server has read access to.
  • If you plan to deploy using Integration Server Console, the SVM image file and image description file must be placed into the same folder on the device where the Kaspersky Security Center Administration Console is installed, or into the same folder on a network resource to which the user account performing the installation has read access.

Light Agent for Linux

You can download the files required to install Kaspersky Endpoint Security for Linux from the Kaspersky website in the Kaspersky Endpoint Security for Linux section. For more information about the distribution kit of Kaspersky Endpoint Security for Linux, see the application help of the relevant version.

Light Agent for Windows

You can download the files required to install Kaspersky Endpoint Security for Windows from the Kaspersky website in the Kaspersky Endpoint Security for Windows section. For more information about the distribution kit of Kaspersky Endpoint Security for Windows, see the application help of the relevant version.

Kaspersky Security Center and Kaspersky Security Center Network Agent

To install and manage the operation of the Kaspersky Security solution, you need to install Kaspersky Security Center.

For Light Agent components installed on virtual machines to interact with Kaspersky Security Center, you must install Network Agent on the virtual machines where Light Agent will be installed.

You can download the files required to install Kaspersky Security Center and Network Agent on the Kaspersky website in the Kaspersky Security Center section. For more information on installing Kaspersky Security Center, please refer to the Kaspersky Security Center Help.

Management MMC plug-ins

To manage solution components through Kaspersky Security Center Administration Console, you need to install management MMC plug-ins on the device where Kaspersky Security Center Administration Console is installed.

You can download MMC plug-in installation files from the Kaspersky website:

  • You can find the klcfginst.msi installation file of the Kaspersky Security for Virtualization 6.2 Light Agent – ​​Protection Server MMC plug-in in the Kaspersky Security for Virtualization | Light Agent section.
  • You can find the installation file of the Kaspersky Endpoint Security for Linux MMC plug-in in the Kaspersky Endpoint Security for Linux section.
  • You can find the installation file of the Kaspersky Endpoint Security for Windows MMC plug-in in the Kaspersky Endpoint Security for Windows section.

To install and update MMC plug-ins, you can also use the list of Kaspersky applications in the Administration Console (AdditionalRemote installationInstallation packagesAdditional actionsView current versions of Kaspersky applications).

Management web plug-ins

To manage solution components via Kaspersky Security Center Web Console, you need to install management web plug-ins on the device where Kaspersky Security Center Web Console is installed.

To install web plug-ins, you can use the list of available plug-ins in the Web Console (SettingsWeb plug-insAdd) or download archives for installing management web plug-ins from the Kaspersky website:

  • The ksvla-web_plugin_svm_<version number>_mlg.zip archive for installing the Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server web plug-in.
  • The ksvla-web_plugin_viis_<version number>_mlg.zip archive for installing the Kaspersky Security for Virtualization 6.2 Light Agent – Integration Server web plug-in.
  • Archives for installing the Kaspersky Endpoint Security for Linux web plug-in and the Kaspersky Endpoint Security for Windows web plug-in.
Page top

[Topic 255441]

Downloading SVM images using the wizard

The Kaspersky Security Components Installation Wizard can download from the Kaspersky website the images necessary for deploying SVMs on hypervisors.

To download the SVM images:

  1. On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.

    Kaspersky Security components installation Wizard starts.

  2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

    By default, the localization language of the operating system installed on the device where the Wizard was started is used.

  3. Select the Download SVM images option and proceed to the next step of the wizard.
  4. Select the type of hypervisor on which you want to deploy SVMs.

    The archive containing the SVM image and SVM image description file (in XML format) will begin downloading in a window of the default browser.

  5. After the download completes, close the wizard (using the Cancel button) or return to the step for selecting the action taken by the Kaspersky Security Components Installation Wizard (using the Back button).

Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.

Page top

[Topic 255444]

Configuring the ports to use

To install and operate the solution components, in the settings of the network equipment or software used to control traffic between virtual machines, you need to open the ports described in the table below.

Ports used by solution components

Port and protocol

Direction

Purpose and description

All platforms

7271 TCP

From the

to the .

For sending settings for connecting to the virtual infrastructure to the Integration Server.

7271 TCP

From the device, from which the requests are made to the Integration Server REST API, to the Integration Server.

For automating deployment and operation of the solution in multitenancy mode using the Integration Server REST API.

22 TCP

From the SVM Management Wizard to an

.

For SVM reconfiguration.

7271 TCP

From the SVM to Integration Server.

For interaction between the Protection Server and Integration Server.

7271 TCP

From the

to the Integration Server.

For interaction between Light Agent and Integration Server.

8000 UDP

From an SVM to the Light Agent.

For sending information about available SVMs to Light Agents using a list of SVM addresses.

8000 UDP

From Light Agent to SVM.

To provide Light Agent with information about the status of SVM.

11111 TCP

From Light Agent to SVM.

For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is unprotected.

11112 TCP

From Light Agent to SVM.

For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is protected.

9876 TCP

From Light Agent to SVM.

For forwarding file scan requests from the Light Agent to the Protection Server when the connection is unprotected.

9877 TCP

From Light Agent to SVM.

For transmitting file scan requests from the Light Agent to the Protection Server when the connection is protected.

80 TCP

From Light Agent to SVM.

For updating databases and application modules of the solution on the Light Agent.

15000 UDP

From Kaspersky Security Center to SVM.

For managing the Protection Server via Kaspersky Security Center.

13000 TCP

From SVM to Kaspersky Security Center.

For managing the Protection Server via Kaspersky Security Center when the connection is protected.

14000 TCP

From SVM to Kaspersky Security Center.

For managing the Protection Server via Kaspersky Security Center when the connection is unprotected.

15000 UDP

From Kaspersky Security Center to Light Agents.

For managing the Light Agent via Kaspersky Security Center.

13000 TCP

From Light Agent to Kaspersky Security Center.

For managing the Light Agent via Kaspersky Security Center when the connection is protected.

14000 TCP

From Light Agent to Kaspersky Security Center.

For managing Light Agent via Kaspersky Security Center when the connection is unprotected.

13111 TCP

From the SVM to the Kaspersky Security Center Administration Server.

For interaction between the Protection Server and KSN proxy server.

17000 TCP

From the SVM to the Kaspersky Security Center Administration Server.

For interaction between the Protection Server and Kaspersky activation servers.

123 UDP

From the SVM to NTP servers obtained via DHCP or specified manually.

Synchronizing time on the SVM with a time server.

VMware vSphere platform

80 TCP

443 TCP

From the SVM Management Wizard to VMware vCenter Server.

To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server.

443 TCP

From the SVM Management Wizard to an ESXi hypervisor.

To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server.

80 TCP

443 TCP

From the Integration Server to the VMware vCenter Server.

For interaction between the Integration Server and the VMware ESXi hypervisor using the VMware vCenter Server.

Microsoft Hyper-V platform

135 TCP/UDP

445 TCP/UDP

From the SVM Management Wizard to a Microsoft Windows Server (Hyper-V) hypervisor.

To deploy an SVM on a Microsoft Windows Server (Hyper-V) hypervisor.

135 TCP/UDP

445 TCP/UDP

5985 TCP

5986 TCP

From the Integration Server to the Microsoft Windows Server (Hyper-V) hypervisor.

For interaction between the Integration Server and the Microsoft Windows Server (Hyper-V) hypervisor.

XenServer platform

80 TCP

443 TCP

From the SVM Management Wizard to the XenServer hypervisor.

To deploy the SVM on a XenServer hypervisor.

80 TCP

443 TCP

From the Integration Server to the XenServer hypervisor.

For interaction between the Integration Server and the XenServer hypervisor.

KVM platform

22 TCP

From the SVM Management Wizard to a KVM hypervisor.

To deploy the SVM on a KVM hypervisor.

22 TCP

From the Integration Server to the KVM hypervisor.

For interaction between the Integration Server and the KVM hypervisor.

Proxmox VE platform

22 TCP

8006 TCP

From the SVM Management Wizard to a Proxmox VE hypervisor.

To deploy the SVM on a Proxmox VE hypervisor.

8006 TCP

From the Integration Server to the Proxmox VE hypervisor.

For interaction between the Integration Server and the Proxmox VE hypervisor.

Basis platform

443 TCP

From the SVM Management Wizard to Basis.vControl.

To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl.

22 TCP

From the SVM Management Wizard to an R-Virtualization hypervisor.

To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl.

22 TCP

From the SVM Management Wizard to Basis.vControl.

To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl.

443 TCP

From the Integration Server to Basis.vControl.

For the Integration Server’s interaction with an R-Virtualization hypervisor using Basis.vControl.

Skala-R platform

443 TCP

From the SVM Management Wizard to Skala-R Management.

To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management.

22 TCP

From the SVM Management Wizard to an R-Virtualization hypervisor.

To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management.

22 TCP

From the SVM Management Wizard to Skala-R Management.

To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management.

443 TCP

From the Integration Server to Skala-R Management.

For the Integration Server’s interaction with an R-Virtualization hypervisor using Skala-R Management.

HUAWEI FusionSphere platform

7443 TCP

From the SVM Management Wizard to the HUAWEI FusionCompute VRM.

To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM.

8779 TCP

From the SVM Management Wizard to a HUAWEI FusionCompute CNA hypervisor.

To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM.

7443 TCP

From the Integration Server to the HUAWEI FusionCompute VRM.

For interaction between the Integration Server and a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM.

Nutanix Acropolis platform

9440 TCP

From the SVM Management Wizard to Nutanix Prism Central.

To deploy the SVMs on Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Central.

9440 TCP

From the SVM Management Wizard to Nutanix Prism Element.

To deploy the SVMs on Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Element.

9440 TCP

From the Integration Server to Nutanix Prism Central.

For interaction between the Integration Server and Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Central.

9440 TCP

From the Integration Server to Nutanix Prism Element.

For interaction between the Integration Server and Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Element.

OpenStack platform

5000 TCP

From the SVM Management Wizard to the Keystone microservice.

To deploy the SVM on a KVM hypervisor running on the OpenStack platform.

8774 TCP

From the SVM Management Wizard to the Compute (Nova) microservice.

To deploy the SVM on a KVM hypervisor running on the OpenStack platform.

8776 TCP

From the SVM Management Wizard to the Cinder microservice.

To deploy the SVM on a KVM hypervisor running on the OpenStack platform.

9292 TCP

From the SVM Management Wizard to the Glance microservice.

To deploy the SVM on a KVM hypervisor running on the OpenStack platform.

9696 TCP

From the SVM Management Wizard to the Neutron microservice.

To deploy the SVM on a KVM hypervisor running on the OpenStack platform.

5000 TCP

From the Integration Server to the Keystone microservice.

For the Integration Server’s interaction with the OpenStack platform.

8774 TCP

From the Integration Server to the Compute (Nova) microservice.

For the Integration Server’s interaction with the OpenStack platform.

VK Cloud platform

5000 TCP

From the SVM Management Wizard to the Keystone microservice.

To deploy the SVM on a KVM hypervisor running on the VK Cloud platform.

8774 TCP

From the SVM Management Wizard to the Compute (Nova) microservice.

To deploy the SVM on a KVM hypervisor running on the VK Cloud platform.

8776 TCP

From the SVM Management Wizard to the Cinder microservice.

To deploy the SVM on a KVM hypervisor running on the VK Cloud platform.

9292 TCP

From the SVM Management Wizard to the Glance microservice.

To deploy the SVM on a KVM hypervisor running on the VK Cloud platform.

9696 TCP

From the SVM Management Wizard to the Neutron microservice.

To deploy the SVM on a KVM hypervisor running on the VK Cloud platform.

5000 TCP

From the Integration Server to the Keystone microservice.

For interaction of the Integration Server with the VK Cloud platform.

8774 TCP

From the Integration Server to the Compute (Nova) microservice.

For interaction of the Integration Server with the VK Cloud platform.

TIONIX Cloud Platform

5000 TCP

From the SVM Management Wizard to the Keystone microservice.

To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform.

8774 TCP

From the SVM Management Wizard to the Compute (Nova) microservice.

To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform.

8776 TCP

From the SVM Management Wizard to the Cinder microservice.

To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform.

9292 TCP

From the SVM Management Wizard to the Glance microservice.

To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform.

9696 TCP

From the SVM Management Wizard to the Neutron microservice.

To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform.

5000 TCP

From the Integration Server to the Keystone microservice.

For interaction of the Integration Server with TIONIX Cloud Platform.

8774 TCP

From the Integration Server to the Compute (Nova) microservice.

For interaction of the Integration Server with TIONIX Cloud Platform.

ALT Virtualization Server platform

22 TCP

From the SVM Management Wizard to a hypervisor.

To deploy the SVM on a basic hypervisor of the ALT Virtualization Server platform.

22 TCP

From the Integration Server to a hypervisor.

For the Integration Server to interact with a basic hypervisor of the ALT Virtualization Server platform.

Astra Linux Platform

22 TCP

From the SVM Management Wizard to a hypervisor.

To deploy the SVM on a KVM hypervisor running on the Astra Linux platform.

22 TCP

From the Integration Server to a hypervisor.

For interaction between the Integration Server and a KVM hypervisor running on the Astra Linux platform.

Numa vServer platform

80 TCP

443 TCP

From the SVM Management Wizard to the Numa vServer hypervisor.

To deploy the SVM on a Numa vServer hypervisor.

80 TCP

443 TCP

From the Integration Server to the Numa vServer hypervisor.

For interaction between the Integration Server and the Numa vServer hypervisor.

If you use the XenServer Hypervisor or VMware ESXi hypervisor, and promiscuous mode is enabled on the network adapter of the guest operating system of the virtual machine, the guest operating system receives all Ethernet frames passing through the virtual switch, if this is allowed by the VLAN policy. This mode may be used to monitor and analyze traffic in the network segment that the SVM and protected virtual machines are operating in. If you have not configured a secure connection between the SVM and the protected virtual machines, traffic between the SVM and the protected virtual machines is not encrypted and is transmitted as plaintext. For security purposes, it is not recommended to use promiscuous mode in network segments that have a running SVM. If you need to use this mode (for example, for monitoring traffic using external virtual machines to detect attempts at unauthorized network access or to correct network failures), you need to configure the appropriate restrictions to protect traffic between the SVM and the protected virtual machines from unauthorized access.

Page top

[Topic 255445]

Accounts for installing and using the solution

General account requirements

To install the Kaspersky Security management MMC plug-ins and the Integration Server, an account that belongs to the local administrator group on the device where installation is being performed must be used.

The following accounts can be used to start the Integration Server Console:

  • If you plan to use Kaspersky Security Center Administration Console to manage the Kaspersky Security solution and the device hosting Kaspersky Security Center Administration Console belongs to the Microsoft Windows domain, you can use an account that belongs to the local or domain KLAdmins group or an account that belongs to the local administrator group to start the Integration Server Console. You can also use the Integration Server administrator account created when installing the Integration Server.
  • If you plan to use Kaspersky Security Center Web Console to manage the Kaspersky Security solution, or the device on which Kaspersky Security Center Administration Console is installed is not a member of a Microsoft Windows domain or your account is not a member of the local or domain KLAdmins group or the local administrator group, you can only start the Integration Server Console using the Integration Server administrator account that was created when installing the Integration Server.

VMware vSphere platform

The following accounts are required to install and operate the solution on a VMware vSphere infrastructure:

  • An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
    • Datastore.Allocate space
    • Datastore.Low level file operations
    • Datastore.Remove file
    • Global.Cancel task
    • Global.Licenses
    • Host.Config.Virtual machine autostart configuration
    • Host.Inventory.Modify cluster
    • Network.Assign network
    • Tasks.Create task
    • vApp.Import
    • Virtual machine.Change configuration.Add new disk (only for VMware vCenter Server 7.0)
    • VirtualMachine.Config.Memory
    • Virtual machine.Interaction.Power Off
    • Virtual machine.Interaction.Power On
  • To connect the Integration Server to the VMware vCenter Server, it is recommended to use an account that has been assigned the preset system role ReadOnly.
  • Connection of the Integration Server to VMware NSX Manager requires a VMware NSX Manager account that has been assigned the Enterprise Administrator role.

Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter Server.

Microsoft Hyper-V platform

To deploy, remove, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:

  • root\cimv2
  • root\MSCluster
  • root\virtualization
  • root\virtualization\v2 (for versions of Microsoft Windows server operating systems, beginning with Windows Server 2012 R2)

A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.

XenServer platform

The following accounts are required for installation and operation of the solution in a XenServer infrastructure:

  • To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
  • To connect the Integration Server to the XenServer hypervisor, we recommend using an account with the Read Only role.

KVM platform

The following accounts are required for installation and operation of the solution in a KVM infrastructure:

  • Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
  • To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the "read only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Proxmox VE platform

The following accounts are required for installation and operation of the solution in a Proxmox VE infrastructure:

  • To deploy, remove, or reconfigure an SVM, the root account is required.
  • To connect the Integration Server to the Proxmox VE hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.

Basis platform, Skala-R platform

To install and operate the solution in Basis and Skala-R infrastructures, the following accounts are required:

  • To deploy, remove, or reconfigure an SVM, an account with the "Main Administrator" role is required.
  • To connect the Integration Server to the virtual infrastructure management server (Basis.vControl / Skala-R Management), we recommend using an account with the "Infrastructure Monitoring" role.

HUAWEI FusionSphere platform

The following accounts are required to install and operate the solution on a HUAWEI FusionSphere infrastructure:

  • To deploy, remove, or reconfigure an SVM, an account with the VMManager role is required.
  • To connect the Integration Server to a HUAWEI FusionCompute VRM, it is recommended to use an account with the Auditor role.

Nutanix Acropolis platform

The following accounts are required to install and operate the solution on a Nutanix Acropolis infrastructure:

  • To deploy, remove, or reconfigure an SVM, an account with Cluster Admin role is required.
  • To connect the Integration Server to Nutanix Prism virtual infrastructure administration server, it is recommended to use an account with the Viewer role. In the infrastructure managed by Nutanix Prism Central, an account with the Viewer role is required on the Nutanix Prism Central server and on the Nutanix Prism Element servers.

OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform

The following accounts are required to install and operate the solution in an infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform:

  • An account with the following permissions is required to deploy, delete, or reconfigure an SVM:

    Permissions for infrastructure object operations.

    Permissions for sending requests to OpenStack microservices API

    Keystone

    Authentication.

    Querying the state of authentication token for the current user.

    auth/tokens (POST/GET)

    Getting a list of all OpenStack domains.

    domains (GET)

    Getting a list of available OpenStack projects for the current user.

    auth/projects (GET)

    Compute (Nova)

    Getting a list of virtual machines.

    servers/detail (GET)

    Getting virtual machine information.

    servers/{server_id} (GET)

    Getting a list of virtual machine types (instance types).

    flavors/detail (GET)

    Getting information about available OpenStack project resources.

    limits (GET)

    Getting a list of server groups.

    os-server-groups (GET)

    Getting a list of availability zones.

    os-availability-zone (GET)

    Getting a list of network interface of the virtual machine.

    servers/{server_id}/os-interface (GET)

    Creating a network interface for the virtual machine.

    servers/{server_id}/os-interface (POST)

    Creating the virtual machine.

    servers (POST)

    Starting/stopping the virtual machine.

    servers/{server_id}/action (POST)

    Removing network interface of the virtual machine.

    servers/{server_id}/os-interface/{port_id} (DELETE)

    Removing the virtual machine.

    servers/{server_id} (DELETE)

    Cinder

    Getting a list of volume types.

    {project_id}/types (GET)

    Getting disk information.

    {project_id}/volumes/{volume_id} (GET)

    Creating the disk.

    {project_id}/volumes (POST)

    Removing the disk that was created by the current user.

    {project_id}/volumes/{volume_id} (DELETE)

    Glance

    Getting image information.

    images/{image_id} (GET)

    Creating the image.

    images (POST)

    Downloading the image.

    images/{image_id}/file (PUT)

    Removing the image that was created by the current user.

    images/{image_id} (DELETE)

    Neutron

    Getting a list of networks.

    networks (GET)

    Getting a list of security groups.

    security-groups (GET)

    Creating a network port

    ports (POST)

    Deleting a network port

    ports/{port_id} (DELETE)

    Getting the ID of a network port

    ports/{port_id} (GET)

  • An account with the following permissions is required to connect the Integration Server to the virtual infrastructure:

    Permissions for infrastructure object operations.

    Permissions for sending requests to OpenStack microservices API

    Keystone

    Authentication.

    Querying the state of authentication token for the current user.

    auth/tokens (POST/GET)

    Getting a list of available OpenStack projects for the current user.

    auth/projects (GET)

    Compute (Nova)

    Getting a list of virtual machines.

    servers/detail (GET)

    Getting virtual machine information.

    servers/{server_id} (GET)

    Getting a list of server groups.

    os-server-groups (GET)

    Getting a list of availability zones.

    os-availability-zone (GET)

    Getting a list of hypervisors.

    This permission is required only if you intend to apply licensing scheme that uses number of processors or number of processor cores on hypervisors, on which the protected virtual machines operate.

    /os-hypervisors/detail (GET)

ALT Virtualization Server platform

The following accounts are required to install and operate the solution on an ALT Virtualization Server infrastructure:

  • Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
  • To connect the Integration Server to a basic hypervisor of the ALT Virtualization Server platform, it is recommended to use an unprivileged user account with access to the "read-only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Astra Linux Platform

The following accounts are required for installation and operation of the solution on a KVM hypervisor running on the Astra Linux platform:

  • Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.

    Prior to starting installation of the solution, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration.

  • To connect the Integration Server to a KVM hypervisor running on the Astra Linux platform, it is recommended to use an unprivileged user account with access to the read-only Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).

Numa vServer platform

The following accounts are required for installation and operation of the solution in a Numa vServer infrastructure:

  • To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
  • To connect the Integration Server to the Numa vServer hypervisor, we recommend using an account with the Read Only role.

Page top

[Topic 197657]

Configuring the use of secure cryptographic algorithms, ciphers, and protocols

If you are using a Windows-based Integration Server, to ensure the security of network connections between the Integration Server and the virtual infrastructure, we recommend configuring encryption algorithms, ciphers, and protocols listed in this section. If you are using a Linux-based Integration Server, you do not need to configure network connection security.

On devices that host the Integration Server and virtual infrastructure objects to which the Integration Server connects, we recommend using the following encryption algorithms, cipher suites, and protocols:

  • Encryption algorithms: AES 256.
  • Hashing algorithms:
    • SHA256.
    • SHA384.
    • SHA512.
  • Key exchange algorithms:
    • Diffie-Hellman (ServerMinKeyBitLength=2048, ClientMinKeyBitLength=2048).
    • ECDH (key length at least 256, recommended elliptic curves: prime256v1, secp384r1, secp521r1, x25519).
  • Protocols:
    • TLS 1.2.
    • TLS 1.3.
  • Cipher suites:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
    • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
    • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.
    • TLS_AES_128_GCM_SHA256.
    • TLS_AES_256_GCM_SHA384.
    • TLS_CHACHA20_POLY1305_SHA256.
    • TLS_AES_128_CCM_SHA256.

If you do not have the latest versions of operating systems and hypervisors installed, problems may occur in the Integration Server's interactions with the virtual infrastructure due to incompatible cipher suites. In this case, we recommend to contact Technical Support.

Page top

[Topic 255446]

Configuring rules for moving virtual machines to administration groups

To manage the operation of Kaspersky Security solution components via Kaspersky Security Center, you need to place devices with installed Kaspersky Security components (SVMs and protected virtual machines) into administration groups.

An administration group is a set of virtual machines combined according to some criterion for the purpose of controlling the virtual machines in the group as a unified whole.

Before starting installation of the Kaspersky Security solution, you can create administration groups in Kaspersky Security Center for the SVMs and virtual machines with Light Agents, and configure rules to automatically move managed devices to these administration groups.

If rules for moving devices to administration groups are not configured, after installing the solution components, Kaspersky Security Center places devices with installed Kaspersky Security components detected on the network in the Unassigned devices list. In this case, you need to manually move SVMs and virtual machines with Light Agents into administration groups.

You can configure the rules for moving virtual machines to administration groups using the Kaspersky Security Center Administration Console or using Kaspersky Security Center Web Console (for more details, see the Kaspersky Security Center Help).

You can use tags when creating rules for moving SVMs and virtual machines with Light Agents to administration groups. SVMs and protected virtual machines on which Kaspersky Security Center Network Agent is installed automatically relay information about tags to Kaspersky Security Center.

Page top

[Topic 255919]

Installing the Kaspersky Security solution

Installation of Kaspersky Security for Virtualization 6.2 Light Agent in the virtual infrastructure consists of the following stages:

  1. Installing the Integration Server

    Depending on your infrastructure, you need to install the Windows-based Integration Server or the Linux-based Integration Server.

    For the Linux-based Integration Server, connecting to virtual infrastructure based on Microsoft Hyper-V is not supported. Use the Windows-based Integration Server to install and run Kaspersky Security in an infrastructure based on the Microsoft Hyper-V platform.

    If you want to use the Integration Server Console to manage the Windows-based Integration Server, you also need to install Integration Server Console on the device where Kaspersky Security Center Administration Console is installed, or on another device with a Windows operating system.

    If you want to use Integration Server Web Console to manage the Integration Server, you need to install the Integration Server web plug-in. After it is installed, Integration Server Web Console will be available in Kaspersky Security Center Web Console.

  2. Installing Kaspersky Security management plug-ins

    If you want to manage components of the Kaspersky Security solution via Kaspersky Security Center Web Console and use Integration Server Web Console, you need to install management web plug-ins on the device where Kaspersky Security Center Web Console is installed.

    If you want to manage solution components via Kaspersky Security using Kaspersky Security Center Administration Console, you need to install management MMC plug-ins on the device where Kaspersky Security Center Administration Console is installed.

    If you are using Kaspersky Security Center Linux, you need to install the management web plug-ins. The Kaspersky Security Center Administration Console and management MMC plug-ins are not supported.

    After installing the Protection Server management plug-in, it is recommended to run the Download updates to the Administration Server storage task in Kaspersky Security Center and make sure that the task completes successfully. For details, please refer to the Kaspersky Security Center help.

    After installing the management plug-ins, you can create a default policy and an Update databases and solution modules task for the Protection Server using the Kaspersky Security Center Initial Configuration Wizard.

  3. Installing Kaspersky Security Protection Servers

    The Protection Server is installed as a result of deploying SVMs on a hypervisor in a virtual infrastructure.

    You can deploy SVMs in the following ways:

    • Using the Integration Server Web Console. In the Web Console, you must first configure the connection of the Integration Server to the virtual infrastructure. Then you create a task for the Integration Server, in which you specify all the necessary SVM deployment settings, and start the task. The Integration Server runs the SVM deployment task. You can monitor the task progress in Integration Server Web Console.
    • Using the Integration Server Console. In Integration Server Console, you launch the SVM Management Wizard. Following the instructions in the wizard, you configure the wizard's connection to the virtual infrastructure, enter all the necessary SVM deployment settings, and start the deployment. The Integration Server deploys the SVMs. You can monitor the deployment progress in the wizard.
    • Without using the Integration Server management consoles, using the Integration Server REST API (open a description of REST API requests).

    If none of the above methods are suitable, you can deploy SVMs using the tools of the virtual infrastructure and then configure the SVM using the klconfig script API manually or using automation tools.

    In an infrastructure managed by VMware vCenter Server and VMware NSX Manager, if you use Integration Server Console for SVM deployment, then after the SVM deployment is complete, you need to configure the Integration Server's connection to VMware NSX Manager. If you use Integration Server Web Console for SVM deployment, you can configure a connection to VMware NSX Manager when configuring the Integration Server's connection to the virtual infrastructure or later, using the procedure for changing connection settings.

  4. Preparing the Protection Servers for operation

    You must follow the steps to prepare the deployed SVMs and Protection Servers for operation.

  5. Installing Light Agents and Kaspersky Security Center Network Agent

    On each virtual machine that needs to be protected using the Kaspersky Security solution, you need to install the following:

    To protect your VDI, you need to install Light Agent and Network Agent on your virtual machine templates.

  6. Preparing Light Agents for operation

    You must follow the steps to prepare the installed Light Agents for operation.

In this Help section

Installing a Windows-based Integration Server

Installing a Linux-based Integration Server

Installing Kaspersky Security web plug-ins

Installing Kaspersky Security MMC plug-ins

SVM deployment using the Integration Server Web Console

Deploying SVMs using the Integration Server Console

Automatically creating tasks and a default policy for the Protection Server

Preparing the Protection Server for operation

Installing Light Agents and Network Agent

Preparing Light Agents for operation

Displaying virtual machines and SVMs in Kaspersky Security Center

Viewing the list of SVMs connected to the Integration Server

Page top

[Topic 98668]

Installing a Windows-based Integration Server

The procedure for installing the Windows-based Integration Server depends on which version of Kaspersky Security Center you plan to use to manage the Kaspersky Security solution:

  • If you want to use the Kaspersky Security Center Windows to manage the Kaspersky Security solution, you can use the Kaspersky Security components installation wizard. The wizard lets you install the Windows-based Integration Server and Integration Server Console.

    The Integration Server must be installed on the device on which the Administration Server of Kaspersky Security Center is installed. The Integration Server Console must be installed on the device where the Kaspersky Security Center Administration Console is installed.

  • If you want to use Kaspersky Security Center Linux to manage the Kaspersky Security solution, do not use the Kaspersky Security Components Installation Wizard. The Windows-based Integration Server must be installed on a device with a Windows operating system, regardless of the location of the Kaspersky Security Center components. You can also install the Integration Server Console on a Windows device. Installation is performed manually.

The Integration Server and Integration Server Console must be installed under an account that belongs to the local administrator group.

Installation requires at least 4 GB of free space on the drive containing the %ProgramData% folder.

For successful installation of the Integration Server, in the settings of network equipment or traffic monitoring software you need to allow connections through the port that will be used by SVMs and Light Agents to connect to the Integration Server. By default, port number 7271 (TCP) is used.

In this section:

Installing the Integration Server and Integration Server Console using the wizard

Installing manually

Page top

[Topic 255958]

Installing the Integration Server and Integration Server Console using the wizard

You can install the Integration Server and Integration Server Console by using the Kaspersky Security Components installation wizard in interactive mode or in silent mode.

The Microsoft .NET Framework 4.6.2, 4.7, or 4.8 is required for the Kaspersky Security Components Installation Wizard. You can install the Microsoft .NET Framework platform in advance, or the Kaspersky Security Component Installation Wizard will suggest installing it during the installation of Kaspersky Security solution components. Internet access is required to install Microsoft .NET Framework. If there are any problems with the installation of Microsoft .NET Framework, make sure that Windows updates KB2919442 and KB2919355 have been installed on the device.

Depending on the availability of Kaspersky Security Center components installed on the device, the following operations are performed once installation is started:

  • If only Kaspersky Security Center Administration Console is installed on the device, the Integration Server Console is installed.
  • If the Kaspersky Security Center Administration Server and Kaspersky Security Center Administration Console are installed on the device, the Integration Server and Integration Server Console are installed.

When you install the Integration Server, the data kept while removing the previous version of the Integration Server can be used.

After installation of the Integration Server Console is complete, in Kaspersky Security Center Administration Console, in the workspace of the Administration Server <server name> node on the Monitoring tab, the Deployment section displays a Manage Kaspersky Security for Virtualization <version number> Light Agent link (where <version number> is the number of the installed version of the Kaspersky Security solution). This link is used to start the Integration Server Console.

The procedure for installing the Integration Server as part of Kaspersky Security solution update differs from the "clean" installation procedure described in this section.

In this section:

Installing in interactive mode using the wizard

Installing in silent mode using the wizard

Page top

[Topic 255959]

Installing in interactive mode using the wizard

To install the Integration Server and Integration Server Console in interactive mode using the wizard:

  1. On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.

    Kaspersky Security components installation Wizard starts.

  2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

    By default, the localization language of the operating system installed on the device where the Wizard was started is used.

  3. Make sure that the Install management components option is selected and proceed to the next step of the Wizard.

    The Wizard checks the amount of free space on the drive that contains the %ProgramData% folder. If there is less than 4 GB of free space on the drive, the Wizard displays an error message and you cannot proceed to the next step of the Wizard. If this is the case, close the Wizard, free up space on the drive, and restart the Kaspersky Security Components Installation Wizard.

  4. In the next step, read the Kaspersky Security End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  5. Create the password of the Integration Server administrator (admin) account. The admin account is used for the following purposes:

    Enter a password in the Password and Confirm password fields. The account name cannot be edited.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

    Proceed to the next step of the wizard.

  6. If port 7271, which is the default port for connecting to the Integration Server, is occupied on the device where the wizard is running, the wizard will prompt you to specify a port number for connecting to the Integration Server.

    In the Port field, specify a port number in the range of 1025–65535 and proceed to the next step of the Wizard.

  7. Review the information about the actions that the wizard will perform and click the Install button to begin performing the listed actions.
  8. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  9. Click Finish to close the Wizard window.

Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.

Page top

[Topic 255960]

Installing in silent mode using the wizard

Before starting installation of the Integration Server and Integration Server Console, it is recommended to close the Kaspersky Security Center Administration Console.

To install the Integration Server and Integration Server Console in silent mode using the wizard:

ksvla-components_<solution version number>_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password> [--log-path=<file path>] [--viisPort=<port number>]

where:

  • <solution version number> is the version number of the solution in X.X.X.X format.
  • -q is an option specifying that the installation is performed in silent mode. If you want to run the installation interactively from the command line, do not specify this option.
  • --lang=<language ID> is the identifier of the language of the components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.

  • --accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement, concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data. By setting this parameter to yes, you confirm the following:
    • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
    • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

    The text of the End User License Agreement and Privacy Policy is included in the solution's distribution kit. Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for installing Integration Server and Integration Server Console.

    You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:

    ksvla-components_<solution version number>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

    The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.

  • --viisPass=<password> is the password of the Integration Server administrator account (admin). The admin account is used for the following purposes:

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  • --log-path=<path to file> is the path to the file where information about installation results is saved.

    Optional parameter. By default, the installation results are logged in trace files saved at %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:

    • <version number> refers to the number of the installed version of the Kaspersky Security solution;
    • <date and time> refers to the date and time when the installation was completed in the dd_MM_yyyy_HH_mm_ss format.
  • --viisPort=<port number> is the port for connecting to the Integration Server.

    Optional parameter. Port number 7271 is used by default for connecting to the Integration Server. Specify this parameter if you want to use a different port to connect to the Integration Server.

To view a description of all available command line parameters for installing and updating Kaspersky Security components, use the --help parameter.

Installing the Integration Server and Integration Server Console takes some time. Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.

Page top

[Topic 100568]

Installing manually

To remove the Integration Server and Integration Server Console manually:

  1. Place the ksvla-components_<solution version number>_mlg.exe file (where <version number> is the version number of the solution in X.X.X.X format) on the Windows device. This file is included in the distribution kit.
  2. Extract files required for installing Integration Server and Integration Server Console by running:

    ksvla-components_<solution version>_mlg.exe -layout <folder> --accept-EulaAndPrivacyPolicy=yes

    where:

    • <solution version> is the version number of the solution in X.X.X.X format.
    • <folder> is the path to the folder to extract the Integration Server and Integration Server Console installation files into. If you do not specify a folder path, the files are extracted into the 'data' subfolder inside the folder containing the ksvla-components_<solution version number>_mlg.exe file.
    • accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement between you and Kaspersky and the Privacy Policy that describes processing and transmission of data. By setting this parameter to yes, you confirm the following:
      • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
      • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

      Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for installing Integration Server and Integration Server Console. You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:

      ksvla-components_<solution version>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

      The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.

    Running the command creates two subfolders with files inside the specified folder. The AttachedContainer subfolder includes the following files, among others:

    • viis_service.msi – file required to install the Integration Server
    • viis_console.msi – file required to install Integration Server Console
  3. Start the Integration Server installation process by running:

    viis_service.msi ADMIN_VIIS_PASSWORD=<password>

    where:

    • <password> is the password of the Integration Server administrator account (admin). The admin account is used for connecting Integration Server Console to Integration Server.

      A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  4. Launch the Integration Server Console installation process by running:

    viis_console.msi

After installation is complete, you can start the Integration Server Console using the executable file located in the Integration Server Console installation folder.

Page top

[Topic 58143]

Installing a Linux-based Integration Server

To install the Linux-based Integration Server, you need to install the Integration Server package on a device with the Linux operating system and perform the initial configuration of the Integration Server.

To install the Linux-based Integration Server package, run the command:

sudo apt-get install ./ksvla-viis_<build number>-<build number>_amd64.deb

If the device does not have the required packages, they may be installed automatically during installation of the Integration Server, or a warning will be displayed about the need to install them.

After completing the installation of the Integration Server, you need to perform the initial configuration of the Integration Server.

To perform the initial configuration of the Integration Server:

  1. Run the following command:

    sudo /opt/kaspersky/viis/bin/viis-setup.sh

    The initial configuration script starts.

  2. When prompted by the script, do the following:
    1. Select the locale that will be used to display the End User License Agreement and Privacy Policy.
    2. Please read the text of the End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transfer of data. To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy.

      Files with the text of the End User License Agreement and Privacy Policy are located in the directory /opt/kaspersky/viis/doc/EULA/<language identifier>/license.txt.

    3. Specify the port number to connect to the Integration Server.
    4. Create the password of the Integration Server administrator (admin) account.

When the script ends and the console is no longer busy, the initial configuration process is complete. After the initial configuration is complete, the Integration Server starts and is ready to work.

Integration Server Web Console is used to manage the Linux-based Integration Server. The Integration Server Web Console becomes available in Kaspersky Security Center Web Console after installing the Integration Server web plug-in.

You can view the installation results and the installed version of the Linux-based Integration Server by running the command:

# apt show ksvla-viis

Page top

[Topic 255975]

Installing Kaspersky Security web plug-ins

To manage Kaspersky Security solution components via Kaspersky Security Center Web Console, you need to install:

  • Management web plug-in for the Protection Server (Kaspersky Security for Virtualization <version number> Light Agent – Protection Server)
  • Management web plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and/or management web plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)
  • Management web plug-in for the Integration Server (Kaspersky Security for Virtualization <version number> Light Agent – Integration Server), if you want to use Integration Server Web Console to manage the Integration Server

To install a web plug-in:

  1. In the Kaspersky Security Center Web Console main window, select Settings → Web plug-ins.

    The list of installed web plug-ins opens.

  2. Start installation of the Kaspersky Security web plug-in in one of the following ways:
    • Installing from a list of Kaspersky web plug-ins:
      1. Click the Add button.

        A list of all available Kaspersky web plug-ins opens. The list is updated automatically as new web plug-in versions are released.

      2. Find the required web plug-in in the list and click the plug-in name.
      3. In the web plug-in description window that opens, click Install plug-in.
      4. Wait for the installation process to finish and click OK in the information window.
    • Installing a web plug-in from a third-party source. The solution distribution kit includes archives required for installing web plug-ins.
      1. Click the Add from file button.
      2. In the window that opens, download the ZIP archive with the web plug-in distribution and the file with the signature in TXT format. ZIP archives with web plug-in distributions and signed files are located in the archives with web plug-ins that are included in the solution distribution kit.
      3. Click the Add button.
      4. Wait for the installation process to finish and click OK in the information window.

Newly installed plug-ins are displayed in the list of installed web plug-ins.

Page top

[Topic 255961]

Installing Kaspersky Security MMC plug-ins

To manage Kaspersky Security solution components via Kaspersky Security Center Administration Console, you need to install:

  • Management MMC plug-in for the Protection Server (Kaspersky Security for Virtualization <version number> Light Agent – Protection Server)
  • Management MMC plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and/or management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)

We recommend closing the Kaspersky Security Center Administration Console before starting the installation of the MMC plug-ins.

To install the MMC plug-in,

on the device where Kaspersky Security Center Administration Console is installed, run the klcfginst.msi file.

The files required for installing MMC plug-ins are included in the Kaspersky Security solution distribution kit.

After installation, the MMC plug-ins appear in the list of installed management MMC plug-ins in the properties of the Kaspersky Security Center Administration Server.

To view the list of installed management MMC plug-ins:

  1. In the Kaspersky Security Center Administration Console tree, select the Administration Server: <server name> node, and open the Administration Server properties window in one of the following ways:
    • Using the Properties command in the context menu of the Administration Server <server name> node.
    • Using the Administration Server properties link in the workspace of the Administration Server <server name> node in the Administration Server section.
  2. In the list on the left, in the Additional section, select the Information about the installed application management plug-ins section.
Page top

[Topic 256288]

SVM deployment using the Integration Server Web Console

Before deployment, you need to download the SVM images and SVM image description files.

To deploy an SVM using Integration Server Web Console, you need to do the following:

  1. Configure the connection of the Integration Server to the virtual infrastructure in which you want to deploy the SVM.
  2. Create and run an SVM deployment task for the Integration Server in the selected infrastructure.

After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.

Upon successful completion of the task, the SVM is deployed to the selected infrastructure.

In this section:

Connecting the Integration Server and the virtual infrastructure

Creating and running an SVM deployment task

Viewing information about task execution

Page top

[Topic 74376]

Connecting the Integration Server and the virtual infrastructure

To configure the Integration Server's connection to the virtual infrastructure:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the List of virtual infrastructures section.
  3. Click the Add button.
  4. In the Add virtual infrastructure window that opens, specify the following required settings:
    • Infrastructure object type

      Type of the virtual infrastructure object that the Integration Server will connect to.

      Depending on the type of virtual infrastructure, select a hypervisor, virtual infrastructure administration server, or Keystone microservice.

    • Protocol

      Protocol used to connect the Integration Server to the virtual infrastructure. By default, HTTPS protocol is used.

      The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • Infrastructure object address

      Address of the virtual infrastructure object that the Integration Server will connect to. Depending on the type of virtual infrastructure, you need to specify the hypervisor address or the address of the virtual infrastructure administration server. To connect to an OpenStack-based infrastructure, you need to specify the address of the Keystone microservice.

      The address can be specified as the IP address in IPv4 format or the fully qualified domain name (FQDN).

      In this field, you can also specify the port used to connect to the virtual infrastructure object in the format <IP address>:<port>.

      If you are configuring a connection to Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service, you can specify the address of the cluster. All hypervisors that are part of the cluster will be added to the list.

      If you are using the Linux-based Integration Server, SVM deployment in a virtual infrastructure based on Microsoft Hyper-V is not supported.

      If you are configuring a connection to VMware ESXi hypervisors managed by VMware vCenter Servers running in Linked mode, you can specify the address of any of these VMware vCenter Servers. All the hypervisors running on VMware vCenter servers in Linked mode will be added to the list.

      If you are configuring a connection to an infrastructure managed by Nutanix Prism Element, you need to specify the Nutanix Prism Element address. If the infrastructure is managed by Nutanix Prism Central, specify the Nutanix Prism Central address. All Nutanix Prism Element servers managed by Nutanix Prism Central will be added to the list.

    • Account settings for connecting to the infrastructure with administrator rights:
      • OpenStack domain

        Name of the OpenStack domain that contains an account used to connect the Integration Server to the virtual infrastructure.

        The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

      • User name

        Name of the user account that the Integration Server uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration. This account must have privileges that are sufficient for SVM deployment, removal and reconfiguration.

      • Password

        Password of the user account that the Integration Server uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  5. In a virtual infrastructure based on XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, Numa vServer, VK Cloud platform, or TIONIX Cloud Platform, we also recommend specifying an account that has limited rights to perform actions in the virtual infrastructure. Under this account, the Integration Server will connect to the virtual infrastructure while Kaspersky Security is running in order to get information about SVMs available for connection and to distribute Light Agents between SVMs.

    To set restricted permissions for a user account:

    1. Click Add an account with restricted permissions in the Account with restricted permissions section.
    2. In the window that opens, specify the account name and password.
    3. Click the Save button.

    If an account with restricted permissions is not configured the Integration Server uses the same user account that is used for SVM deployment, removal and reconfiguration, to connect to the virtual infrastructure while Kaspersky Security is running.

    In a virtual infrastructure running on the Microsoft Hyper-V platform, you can connect to the virtual infrastructure during Kaspersky Security operation only by using the same user account that is used for SVM deployment, removal and reconfiguration.

  6. In a virtual infrastructure based on the VMware vSphere platform, you can configure the use of VMware NSX Manager by the Kaspersky Security solution:
    1. Click the Specify VMware NSX Manager connection settings button in the VMware NSX Manager block.
    2. This opens a window; in that window, specify the following settings:
      • Address

        New IP address in IPv4 format or the fully qualified domain name (FQDN) of the VMware NSX Manager.

        If your VMware NSX Manager virtual infrastructure is clustered, specify the virtual IP address of the cluster. First, you need to assign a virtual IP address and certificate to the cluster (for more information on configuring a VMware NSX Manager cluster, see the VMware documentation).

      • User name

        Name of the account that the Integration Server uses to connect to VMware NSX Manager. A VMware NSX Manager account that has been assigned the Enterprise Administrator role is required.

      • Password

        Password of the account that the Integration Server uses to connect to VMware NSX Manager.

    3. Click the Save button in the VMware NSX Manager settings window.
  7. Click the Save button in the Add virtual infrastructure window.

    The Integration Server adds the selected virtual infrastructure objects to the list and attempts to establish a connection.

    The Integration Server verifies the authenticity of all virtual infrastructure objects with which the connection is established.

    Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.

    For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the Integration Server to the virtual infrastructure.

    To verify authenticity, the Integration Server receives an SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.

    If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Integration Server is installed. If you do not consider this certificate to be authentic, click the Cancel connection button in the Verify certificate window to disconnect, and replace the certificate with a new one.

    If the authenticity of the open key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the open key and continue the connection. The public key fingerprint will be saved on the device where the Integration Server is installed. If you do not consider this open key to be authentic, click the Cancel connection button in the Verify public key fingerprint window to terminate the connection.

    If a connection to a virtual infrastructure object could not be established, information about connection errors is displayed in the list of infrastructures in the Status column.

Using the buttons above the table, you can:

  • refresh the list of virtual infrastructures
  • sort and search the list
  • edit the settings for connecting the Integration Server to virtual infrastructures
  • delete settings for connecting to virtual infrastructures
  • export the list in CSV format
Page top

[Topic 99492]

Selecting infrastructure for SVM deployment

At this step, the table displays information about the virtual infrastructures to which connections are configured for the Integration Server. If SVMs are already deployed in the virtual infrastructure, the table also contains information about them. Each row of the table displays the following information about the virtual infrastructure:

  • Name/Address

    This column contains the IP addresses or fully qualified domain names (FQDN) of the virtual infrastructure objects to which the Integration Server connects, and the names of the SVMs deployed on the hypervisors.

    Depending on the type of virtual infrastructure, the column may display:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • OpenStack project and domain name.
  • Status

    This column contains information about the status of the Integration Server's connection to the virtual infrastructure, the state of the infrastructure objects to which the connection is made, and the state of the SVMs deployed in the infrastructure.

    If the Integration Server is not connected to the virtual infrastructure object, the column displays an error message.

  • Infrastructure object type

    The column contains the type of the virtual infrastructure object that the Integration Server will connect to.

  • SVM version

    This column contains the SVM version number.

You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.

You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

To select infrastructure for SVM deployment:

  1. Depending on the type of the virtual infrastructure, select checkboxes in the table to the left of the names of the hypervisors on which you want to deploy an SVM, or the OpenStack projects in which you want to deploy an SVM. You can select hypervisors or OpenStack projects to which the Integration Server has successfully connected.

    If SVMs are being deployed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous SVM deployment in different infrastructures is not supported. You can deploy SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

    The simultaneous deployment of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously deploy SVMs only in OpenStack projects that are running on the same Keystone microservice.

    Simultaneous deployment of SVMs to hypervisors of different types (for example, to a VMware ESXi hypervisor and a KVM hypervisor) is not supported.

  2. If you want to allow parallel deployment of multiple SVMs, select the Allow parallel deployment of N SVMs check box and specify the number of SVMs that should be deployed in parallel.

Proceed to the next step of the wizard.

Page top

[Topic 99493]

Selecting the SVM image

At this step, select the file of the SVM image for deployment. The SVM image file and SVM image description file (in XML format) must be placed on the device where the Integration Server is installed, into a single folder that the Integration Server has read access to.

To specify the SVM image, in the field, enter the path to the SVM image description file (in XML format) relative to the file system of the device on which the Integration Server is installed, and click the Select button.

The Wizard automatically selects the required SVM image file:

  • An XVA file for deployment on a XenServer hypervisor or on a Numa vServer hypervisor.
  • An OVA file for deployment on a VMware ESXi hypervisor.
  • A QCOW2 file for deployment on a KVM hypervisor (including on a KVM hypervisor running on OpenStack platform, Astra Linux, VK Cloud Platform or TIONIX Cloud Platform), on a Proxmox VE hypervisor, on a R-Virtualization hypervisor, on a HUAWEI FusionCompute CNA hypervisor, on a Nutanix AHV hypervisor, or on an ALT Virtualization Server platform basic hypervisor.

The window displays the following information about the selected image:

  • Vendor is the name of the vendor of the solution that the SVM is part of.
  • Publisher is the name of the publisher of the solution that the SVM is part of. If the image is authentic, the Publisher field displays the value AO Kaspersky Lab.

    If the authenticity of the image has not been verified, an error message is displayed at the top of the window, and Unknown is displayed in the Publisher field.

    If the authenticity of the image has not been verified, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment.

  • Solution name is the name of the solution that the SVM is part of.
  • SVM version is the SVM version number.
  • Description is a brief description of the SVM image.
  • Virtual drive size is the amount of disk space required to deploy the SVM.

It is recommended to validate the SVM image. To do so, click the Validate button in the SVM image integrity check section. The verification results are displayed in the window as follows:

  • If the image file integrity check is successful, the Completed successfully message is displayed.
  • If the image file gets modified or corrupted while being transmitted from the publisher to the end user or if the image format is not supported, the upper part of the window shows an error message and the SVM image integrity check section displays information about the detected problem.

If an SVM image file integrity check ended with an error, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment.

If the authenticity of an image has been verified and the image file integrity check completed successfully, proceed to the next step of the Wizard.

If the authenticity of an image has not been verified or an image file integrity check has not been performed or ended with an error but you accept the risk and want to use the selected SVM image, to proceed to the next step of the Wizard you need to select the check box located in the lower part of the window.

Page top

[Topic 99494]

Selecting the number of SVMs for deployment (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

For this step, you must specify the number of SVMs to be deployed on the hypervisors within each selected OpenStack project. The OpenStack project name column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.

In the Number of SVMs column, specify the number of SVMs to be deployed on the hypervisors within the OpenStack project.

Proceed to the next step of the wizard.

Page top

[Topic 99495]

Specifying SVM settings

This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

At this step, you need to specify the name of the SVM and select the storage on the hypervisor where the SVM will be deployed. The Hypervisor address column displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

Specify the following settings:

  • SVM name

    An arbitrary name for new SVM.

  • Storage

    Data storage for SVM image.

    The drop-down list displays the storage repositories available for SVM deployment.

    If you are deploying SVMs on a Microsoft Windows Server (Hyper-V) hypervisor that is part of a cluster, only shared repositories can be selected in the list.

    If you are deploying SVMs on a Microsoft Windows Server (Hyper-V) hypervisor that is not part of a cluster, you can manually enter the path to the repository.

Proceed to the next step of the wizard.

Page top

[Topic 99496]

Specifying SVM settings (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

On this step, you must specify deployment settings for each SVM that is to be deployed within the selected OpenStack projects. The OpenStack project name column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.

Specify the following settings required for SVM deployment:

  • SVM name

    An arbitrary name for new SVM.

  • Virtual machine type

    Virtual machine type (instance type) determines RAM volume, disk size, number of CPU cores, and other settings of created virtual machine.

    Select appropriate virtual machine type for SVM deployment from available types for OpenStack project. Virtual machine type must match recommendations of Kaspersky experts concerning the resource allocation for SVMs.

    If there is no virtual machine of the suitable type in the list, use the virtual infrastructure to create the required virtual machine type. After that, to refresh the list of available virtual machine types, you can go back to the infrastructure selection step and select the Refresh button or restart the SVM deployment procedure.

You can also specify the following settings:

  • Volume type

    Volume type determines which data storage will be used for disk creation during the SVM deployment. Select a volume type from available types for OpenStack project.

  • Availability zone

    A logical collection of hypervisors used to provide fault tolerance in infrastructures based on OpenStack. Select an availability zone into which the SVM will be located.

  • Server group

    Grouping of virtual machines according to the policy that determines the hypervisors on which virtual machines will be started. Select a Server group, into which the SVM will be located.

Proceed to the next step of the wizard.

Page top

[Topic 101165]

Configuring SVM network settings (infrastructures based on OpenStack)

For this step, you must specify network settings for each SVM to be deployed.

The window displays the following information:

  • Hypervisor address

    IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

    The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

  • OpenStack project name

    Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

    The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

For each SVM, specify one or more virtual networks in the Network name column.

The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

You can specify one or more virtual networks. To add a field for selecting virtual networks, use the button located next to the network selection field.

If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

If the virtual infrastructure uses the VMware Distributed Virtual Switch component, you can specify a Distributed Virtual Port Group to which the SVM will be connected.

You can also specify the following settings:

  • VLAN ID

    The ID of the virtual local area network (VLAN) that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    If VLAN is not used, the column shows No.

    The VLAN ID column is displayed if you are deploying the SVM in a virtual infrastructure based on Microsoft Hyper-V platform or in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

  • Security group

    Set of network traffic filtering rules that are created in the virtual infrastructure and applied in the virtual network.

    The drop-down list displays all available security groups. You can specify one or more security groups for each selected virtual network. To select a security group, select the check box to the left of its name. The names of the selected security groups are displayed in the field.

    The Security group column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

Proceed to the next step of the wizard.

Page top

[Topic 101197]

Configuring IP address settings for SVM

For this step, you must specify IP addressing settings for all SVMs. You can use dynamic or static IP addressing.

If you want to specify all network settings of the SVM manually, select:

  1. Select Static IP addressing. This opens a table containing the following information:
    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

      The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project name

      Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

      The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  2. Specify the following IP addressing settings for each SVM:
    • DNS server
    • alternative DNS server
    • SVM IP address
    • Subnet mask
    • gateway

    If you specified several virtual networks for the SVM at the previous step, specify the settings for each virtual network.

If you want to use DHCP network settings for all SVMs:

  1. Select Dynamic IP addressing (DHCP).

    By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM (the Use list of DNS servers received via DHCP check box is selected). If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.

  2. If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

      The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project name

      Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

      The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.

Proceed to the next step of the wizard.

Page top

[Topic 101200]

Specifying Kaspersky Security Center connection settings

At this step, you must specify the settings of SVM connection to the Kaspersky Security Center Administration Server.

Specify the following settings:

  • Address

    Address of the device hosting the Kaspersky Security Center Administration Server. You can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device.

  • Port

    Number of the port for connecting the SVM to the Kaspersky Security Center Administration Server.

  • SSL port

    Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate.

Proceed to the next step of the wizard.

Page top

[Topic 101201]

Creating the configuration password and the root account password

At this step, you need to create a klconfig account password (configuration password) and a root account password on the SVM.

The configuration password is required for SVM reconfiguration. The root user account is used for access to the operating system on SVMs.

Enter passwords for each account into the Password and Confirm password fields.

Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

If you want to configure access to SVMs over SSH under the root account, select the Allow remote access to SVM for the root account via SSH check box.

Proceed to the next step of the wizard.

Page top

[Topic 101202]

Start task for SVM deployment

This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

This step displays all the settings of the created SVM deployment task for the Integration Server:

  • The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
  • The list at the top of the window contains general settings for all SVMs that will be deployed by the task:
    • SVM image description file

      The full path and name of the SVM image description file (in XML format) that you specified at the SVM image selection step.

    • SVM IP settings

      Method of configuring IP addressing settings.

      Possible values: Dynamic IP addressing using the list of DNS servers received via DHCP, Dynamic IP addressing using the list of manually defined DNS servers, Static IP addressing.

    • SSH-based remote access to the SVM for the root account

      Remote access to the SVM over SSH for the root user account.

      Possible values: Allowed, Blocked.

    • Kaspersky Security Center connection settings

      IP address in IPv4 format or fully qualified domain name (FQDN) of the device hosting the Kaspersky Security Center Administration Server, and port numbers for connecting the SVM to the Kaspersky Security Center Administration Server.

    • Parallel deployment

      The number of SVMs to be deployed concurrently.

  • The table at the bottom of the window contains individual settings for each SVM:
    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Storage

      Data storage for SVM image.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    • VLAN ID

      The ID of the virtual local area network (VLAN) that the SVM uses to connect to virtual machines, the Integration Server and the Kaspersky Security Center Administration Server.

      The VLAN ID is displayed if you are deploying the SVM in the virtual infrastructure running on Microsoft Hyper-V platform.

    • All IP addressing settings that you provided for the SVM.

To start the SVM deployment task, click the Start button.

You can monitor the task progress in Integration Server Web Console, in the SVM management section.

Page top

[Topic 274163]

Starting an SVM deployment task (OpenStack-based infrastructure)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

This step displays all the settings of the created SVM deployment task for the Integration Server:

  • The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
  • The list at the top of the window contains general settings for all SVMs that will be deployed by the task:
    • Keystone microservice address

      IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project in which the SVMs are being deployed.

    • SVM image description file

      The full path and name of the SVM image description file (in XML format) that you specified at the SVM image selection step.

    • SVM IP settings

      Method of configuring IP addressing settings.

      Possible values: Dynamic IP addressing using the list of DNS servers received via DHCP, Dynamic IP addressing using the list of manually defined DNS servers, Static IP addressing.

    • SSH-based remote access to the SVM for the root account

      Remote access to the SVM over SSH for the root user account.

      Possible values: Allowed, Blocked.

    • Kaspersky Security Center connection settings

      IP address in IPv4 format or fully qualified domain name (FQDN) of the device hosting the Kaspersky Security Center Administration Server, and port numbers for connecting the SVM to the Kaspersky Security Center Administration Server.

    • Parallel deployment

      The number of SVMs to be deployed concurrently.

  • The table at the bottom of the window contains individual settings for each SVM:
    • OpenStack project name

      Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Virtual machine type

      Type of virtual machine (instance type) selected for SVM.

    • Volume type

      Volume type to be used during SVM deployment.

    • Availability zone

      Logical collection of hypervisors where the SVM will be located.

    • Server group

      Group of virtual machines in which the SVM will be located.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    • VLAN ID

      The ID of the virtual local area network (VLAN) that the SVM uses to connect to virtual machines, the Integration Server and the Kaspersky Security Center Administration Server.

    • Security group

      Security group selected for the virtual network.

    • All IP addressing settings that you provided for the SVM.

    To start the SVM deployment task, click the Start button.

You can monitor the task progress in Integration Server Web Console, in the SVM management section.

Page top

[Topic 274211]

Viewing information about task execution

You can monitor the progress of tasks in Integration Server Web Console, in the SVM management section.

To view information about a task for the Integration Server:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the SVM management section.

    In the window that opens, a list of tasks for the Integration Server is displayed as a table. The list contains the Integration Server tasks that you created and ran using the wizard (SVM deployment, reconfiguration, and removal tasks), as well as SVM image verification tasks that are created automatically when you run an SVM image file integrity check while creating SVM deployment tasks. The task is placed in the list immediately after its creation and is automatically deleted from the list some time after the task has been completed (successfully or with an error) or canceled. By default, completed or canceled tasks are listed for 60 minutes.

    If necessary, you can cancel tasks that have not yet been completed. To do this, select the task in the list and click the Cancel button located above the table.

    For tasks that are running, their progress is displayed. If a task completes with an error, an error message is displayed.

  3. To view detailed information about a task, click on the task name.

    The window that opens displays the following information about the selected task:

    • Task name
    • Task type
    • Time when the task was created
    • Time when the task transitioned from the current status
    • Current task status and an error message if the task was completed with an error
    • List of all SVMs on which the task is running, and the progress of the task on each SVM Each row in the list contains the following information:
      • SVM name
      • IP address of the SVM in IPv4 format
      • Task status on the SVM, and an error message if the task was completed with an error
      • Location of the SVM in the virtual infrastructure (address and type of hypervisor or the OpenStack project name, address and type of infrastructure)
  4. For Deployment or Reconfiguration tasks, you can view information about the execution of stages of a task on the selected SVM. To open the list of stages, click on the SVM name in the list.

    In the window that opens, information about the execution of each stage of the task on an individual SVM is displayed in the form of a table:

    • Stage name
    • Stage start time
    • Stage execution status and error message if an error occurred at this stage
    • Stage end time
Page top

[Topic 256012]

Deploying SVMs using the Integration Server Console

If you use the Integration Server Console, SVMs are deployed using the SVM Management Wizard, which is launched from the Integration Server Console.

Following the instructions of the SVM Management Wizard, you need to configure the wizard's connection to the virtual infrastructure, specify all the SVM deployment settings, and start the deployment.

Information about SVM deployment results is displayed in the last step of the wizard.

Before deployment, you need to download the SVM images and SVM image description files.

To deploy SVMs using the Integration Server Console:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the SVM management section, click the SVM management button to start the SVM Management Wizard.
  3. Follow the wizard instructions.
Page top

[Topic 74370]

Selecting an action

At this step, choose the SVM deployment option.

Proceed to the next step of the wizard.

Page top

[Topic 265505]

Selecting infrastructure for SVM deployment

At this step, you need to select the virtual infrastructure in which you want to deploy the SVM. If SVM deployment was not previously performed in this virtual infrastructure, you need to configure the connection of the SVM Management Wizard to the virtual infrastructure. Then select the hypervisors or OpenStack projects for SVM deployment depending on the type of virtual infrastructure.

To configure the connection of SVM Management Wizard to the virtual infrastructure:

  1. Click the Add button.
  2. In the Virtual infrastructure connection settings window that opens, specify the following settings:
    • Type

      Type of virtual infrastructure object that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, select a hypervisor, virtual infrastructure administration server, or Keystone microservice.

    • Protocol

      Protocol used to connect SVM Management Wizard to the virtual infrastructure. By default, the HTTPS protocol is used.

      The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • Addresses

      Addresses of the virtual infrastructure objects that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, you need to specify the hypervisor address or the address of the virtual infrastructure administration server. To connect to an OpenStack-based infrastructure, you need to specify the address of the Keystone microservice.

      The address can be specified as the IP address in IPv4 format or the fully qualified domain name (FQDN).

      You can specify multiple addresses by separating them with a semicolon, a space, or a new line. The number of correctly recognized addresses is shown under the list of addresses.

      In this field, you can also specify the port used to connect to the virtual infrastructure object in the format <IP address>:<port>.

      If you are configuring a connection to Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service, you can specify the address of the cluster. All hypervisors that are part of the cluster will be added to the list.

      If you are configuring a connection to VMware ESXi hypervisors managed by VMware vCenter Servers running in Linked mode, you can specify the address of any of these VMware vCenter Servers. All the hypervisors running on VMware vCenter servers in Linked mode will be added to the list.

      If you are configuring a connection to hypervisors that are managed by Microsoft SCVMM, you can specify the settings for connecting to Microsoft SCVMM. All hypervisors that are managed by Microsoft SCVMM will be added to the list.

      If you are configuring a connection to an infrastructure managed by Nutanix Prism Element, you need to specify the Nutanix Prism Element address. If the infrastructure is managed by Nutanix Prism Central, specify the Nutanix Prism Central address. All Nutanix Prism Element servers managed by Nutanix Prism Central will be added to the list.

    • OpenStack domain

      Name of the

      that contains an account used to connect SVM Management Wizard to the virtual infrastructure object.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      Name of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration. This account must have privileges that are sufficient for SVM deployment, removal and reconfiguration.

      If you use a domain account to connect to a virtual infrastructure object, you can specify the account name in the <domain>\<user name> or <user name>@<domain> format.

    • Password

      Password of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  3. If you are deploying SVMs in a virtual infrastructure based on XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, Numa vServer, VK Cloud platform, or TIONIX Cloud Platform, to connect the Integration Server to the virtual infrastructure while Kaspersky Security is running, we recommend using an account that has limited rights to perform actions in the virtual infrastructure. Select the Account with restricted permissions check box and specify the settings of the user account that the Integration Server will use to connect to the virtual infrastructure during operation of Kaspersky Security.

    If the check box is cleared, during Kaspersky Security operation the Integration Server will connect to the virtual infrastructure using the same user account that is used for SVM deployment, removal and reconfiguration.

    In a virtual infrastructure running on the Microsoft Hyper-V platform, you can connect to the virtual infrastructure during Kaspersky Security operation only by using the same user account that is used for SVM deployment, removal and reconfiguration.

  4. Click the Connect button.

    The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.

    The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.

    Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.

    For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.

    To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.

    If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.

    If the authenticity of the open key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the open key and continue the connection. The open key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this open key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.

    If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.

The table displays information about the virtual infrastructures to which connections are configured in the SVM Management Wizard. If SVMs are already deployed in the virtual infrastructure, the table also contains information about them. Each row of the table displays a hierarchical list of virtual infrastructure objects and the following information:

  • Name/Address

    Depending on the type of virtual infrastructure, the column may contain the following:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • Name of the OpenStack domain
    • Name of the OpenStack project
    • Name of the SVM deployed on the hypervisor

    If SVM deployment is restricted, or if a connection with the virtual infrastructure cannot be established, the warning icon is displayed. A description of the restriction or connection error is shown in the table and in the tooltip of the warning sign.

  • State

    This column contains information on the state of the virtual infrastructure object or the SVM.

    For the hypervisor, one of the following values is specified: Enabled or Disabled. If a connection to the hypervisor cannot be established, the column shows Disconnected.

    For the Keystone microservice, the OpenStack project, and the OpenStack domain, one of the following values is specified: Enabled or Disconnected.

    One of the following values is specified for an SVM: Enabled, Disabled.

  • Protection

    This column contains the SVM version number.

  • Type

    This column contains the type of virtual infrastructure object that the SVM Management Wizard will connect to.

You can search the list of virtual infrastructure objects based on the Name/Address column. The search starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.

You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

You can use buttons in the Name/Address column to:

  • Remove selected virtual infrastructure from the list.

    The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.

  • If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.

    After the settings are modified, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

To select infrastructure for SVM deployment:

  1. Depending on the type of the virtual infrastructure, select check boxes in the table to the left of the names of the hypervisors on which you want to deploy an SVM, or the OpenStack projects in which you want to deploy an SVM.

    You can select hypervisors or OpenStack projects that are not subject to SVM deployment restrictions.

    If SVMs are being deployed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous SVM deployment in different infrastructures is not supported. You can deploy SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

    The simultaneous deployment of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously deploy SVMs only in OpenStack projects that are running on the same Keystone microservice.

  2. If you want to allow concurrent deployment of multiple SVMs, select the Allow parallel deployment on N hypervisors or Allow parallel deployment on N SVMs check box (depending on the type of virtual infrastructure) and specify the number of SVMs to be deployed concurrently.

Proceed to the next step of the wizard.

Page top

[Topic 256123]

Selecting the SVM image

At this step, select the file of the SVM image for deployment on the hypervisor. The SVM image file and SVM image description file (in XML format) must be placed in the same folder on the device where the Kaspersky Security Center Administration Console is installed, or in the same folder on a network resource to which the user account performing the installation has read access. If you are installing the Protection Server on different types of hypervisors, the SVM image files for each type of hypervisor and the SVM image description file must be located in the same folder.

To specify the SVM image, click Browse and in the window that opens select the SVM image description file (in XML format).

After a file has been selected, the field to the left of the button displays the full path to the file and its name. The Wizard automatically selects the required SVM image file:

  • A VHDX file for deployment on a Microsoft Windows Server (Hyper-V) hypervisor.
  • An XVA file for deployment on a XenServer hypervisor or on a Numa vServer hypervisor.
  • An OVA file for deployment on a VMware ESXi hypervisor.
  • A QCOW2 file for deployment on a KVM hypervisor (including on a KVM hypervisor running on OpenStack platform, Astra Linux, VK Cloud Platform or TIONIX Cloud Platform), on a Proxmox VE hypervisor, on a R-Virtualization hypervisor, on a HUAWEI FusionCompute CNA hypervisor, on a Nutanix AHV hypervisor, or on an ALT Virtualization Server platform basic hypervisor.

The window displays the following information about the selected image:

  • Vendor is the name of the vendor of the solution that the SVM is part of.
  • Publisher is the name of the publisher of the solution that the SVM is part of.
  • Solution name is the name of the solution that the SVM is part of.
  • SVM version is the version number of the SVM image.
  • Description is a brief description of the SVM image.
  • Virtual drive size is the amount of disk space required to deploy the SVM.

The Wizard verifies the authenticity of the image. The verification results are displayed in the window as follows:

  • If the image is authentic, the Publisher field displays the value AO Kaspersky Lab.
  • If the authenticity of the image has not been verified, an error message is displayed at the top of the window, and Unknown is displayed in the Publisher field.

If the authenticity of the image has not been verified, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment using the Kaspersky Security Components Installation Wizard or on the Kaspersky website.

The SVM image integrity check section displays information about the results of SVM image file integrity check for each type of hypervisor. If integrity check was not performed, the Validation not performed message is displayed.

It is recommended to validate the SVM image. To do so, click the Validate button in the SVM image integrity check section. The verification results are displayed in the window as follows:

  • If the image file successfully passed the integrity check, the Valid message is displayed.
  • If the image file gets modified or corrupted while being transmitted from the publisher to the end user or if the image format is not supported, the upper part of the window shows an error message and the SVM image integrity check section displays information about the detected problem.

If an SVM image file integrity check ended with an error, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment using the Kaspersky Security Components Installation Wizard or on the Kaspersky website.

If the authenticity of an image has been verified and the image file integrity check completed successfully, proceed to the next step of the Wizard.

If the authenticity of an image has not been verified or an image file integrity check has not been performed or ended with an error but you accept the risk and want to use the selected SVM image, to proceed to the next step of the Wizard you need to select the check box located in the lower part of the window.

Page top

[Topic 77368]

Selecting the number of SVMs for deployment (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

For this step, you must specify the number of SVMs to be deployed on the hypervisors within each selected OpenStack project. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.

In the Number of SVMs column, specify the number of SVMs to be deployed on the hypervisors within the OpenStack project.

Proceed to the next step of the wizard.

Page top

[Topic 274239]

Specifying SVM settings

This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

For this step, you must specify deployment options for each SVM to be deployed on the selected hypervisors. The Hypervisor column displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

Specify the following settings required for SVM deployment:

  • SVM name

    An arbitrary name for new SVM.

  • Storage

    Data storage for SVM image.

    The drop-down list displays the storage repositories available for SVM deployment.

    If you are deploying SVMs on a Microsoft Windows Server (Hyper-V) hypervisor that is part of a cluster, only shared repositories can be selected in the list.

    If you are deploying SVMs on a Microsoft Windows Server (Hyper-V) hypervisor that is not part of a cluster, you can manually enter the path to the repository.

  • Network name

    The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    You can specify one or more virtual networks available on the hypervisor. To add or remove a field for selecting virtual networks, use the buttons next to the network selection field.

    If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

    If the virtual infrastructure uses the VMware Distributed Virtual Switch component, you can specify a Distributed Virtual Port Group to which the SVM will be connected.

If you are deploying an SVM in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.

The ID of the virtual local area network (VLAN) that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

If VLAN is not used, the column shows No.

Proceed to the next step of the wizard.

Page top

[Topic 74377]

Specifying SVM settings (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

On this step, you must specify deployment settings for each SVM that is to be deployed within the selected OpenStack projects. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.

Specify the following settings required for SVM deployment:

  • SVM name

    An arbitrary name for new SVM.

  • Virtual machine type

    Virtual machine type (instance type) determines RAM volume, disk size, number of CPU cores, and other settings of created virtual machine.

    Select appropriate virtual machine type for SVM deployment from available types for OpenStack project. Virtual machine type must match recommendations of Kaspersky experts concerning the resource allocation for SVMs.

    If there is no virtual machine of the suitable type in the list, use the virtual infrastructure to create the required virtual machine type. After that, to refresh the list of available virtual machine types, you can go back to the infrastructure selection step and select the Refresh button or restart the SVM deployment procedure.

You can also specify the following settings:

  • Volume type

    Volume type determines which data storage will be used for disk creation during the SVM deployment. Select a volume type from available types for OpenStack project.

  • Availability zone

    A logical collection of hypervisors used to provide fault tolerance in infrastructures based on OpenStack. Select an availability zone into which the SVM will be located.

  • Server group

    Grouping of virtual machines according to the policy that determines the hypervisors on which virtual machines will be started. Select a Server group, into which the SVM will be located.

Proceed to the next step of the wizard.

Page top

[Topic 213310]

Configuring SVM network settings (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

For this step, you must specify network settings for each SVM to be deployed within the selected OpenStack projects. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.

For each SVM, specify one or more virtual networks in the Network name column.

The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

You can specify one or more virtual networks available within the OpenStack project. To add or remove a field for selecting virtual networks, use the buttons next to the network selection field.

If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

You can also specify the following settings:

  • VLAN ID

    The ID of the virtual local area network (VLAN) that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    If a VLAN is not used, the column shows No.

  • Security group

    Set of network traffic filtering rules that are created in the virtual infrastructure and applied in the virtual network.

    You can specify one or more security groups for each selected virtual network. To add or remove a field for selecting security groups, use the buttons next to the Security groups selection field.

Proceed to the next step of the wizard.

Page top

[Topic 274240]

Configuring IP address settings for SVM

For this step, you must specify IP addressing settings for all SVMs. You can use dynamic or static IP addressing.

If you want to use DHCP network settings for all SVMs:

  1. Select Dynamic IP addressing (DHCP).

    By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM (the Use list of DNS servers received via DHCP check box is selected). If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.

  2. If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
    • Hypervisor

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

      The Hypervisor column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project

      Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

      The OpenStack project column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.

If you want to specify all network settings of the SVM manually, select:

  1. Select Static IP addressing. This opens a table containing the following information:
    • Hypervisor

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

      The Hypervisor column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project

      Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

      The OpenStack project column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  2. Specify the following IP addressing settings for each SVM:
    • SVM IP address
    • Subnet mask
    • Gateway
    • DNS server
    • Alternative DNS

    If you specified several virtual networks for the SVM at the previous step, specify the settings for each virtual network.

Proceed to the next step of the wizard.

Page top

[Topic 84172]

Specifying Kaspersky Security Center connection settings

This step is performed if the wizard cannot automatically determine the settings for connecting to Kaspersky Security Center.

At this step, you must specify the settings of SVM connection to the Kaspersky Security Center Administration Server.

Specify the following settings:

  • Address

    Address of the device hosting the Kaspersky Security Center Administration Server. You can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device.

  • Port

    Number of the port for connecting the SVM to the Kaspersky Security Center Administration Server.

  • SSL port

    Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate.

Proceed to the next step of the wizard.

Page top

[Topic 274241]

Creating the configuration password and the root account password

At this step, you need to create a klconfig account password (configuration password) and a root account password on the SVM.

The configuration password is required for SVM reconfiguration. The root user account is used for access to the operating system on SVMs.

Enter passwords for each account into the Password and Confirm password fields.

Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

If you want to configure access to SVMs over SSH under the root account, select the Allow remote access to SVM for the root account via SSH check box.

Proceed to the next step of the wizard.

Page top

[Topic 274242]

Starting SVM deployment

This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

For this step, the wizard window displays all previously entered settings required for deploying the SVM:

General settings for all SVMs:

Individual settings for each SVM:

  • Hypervisor

    IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.

  • SVM name

    The name that was defined when specifying SVM settings.

  • Storage

    Data storage for SVM image.

  • Network name

    The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  • VLAN ID

    The ID of the virtual local area network (VLAN) that the SVM uses to connect to virtual machines, the Integration Server and the Kaspersky Security Center Administration Server.

    The VLAN ID is displayed if you are deploying the SVM in the virtual infrastructure running on Microsoft Hyper-V platform.

  • All IP addressing settings that you provided for the SVM.

To start deploying SVMs, go to the next step of the wizard.

Page top

[Topic 274243]

Starting SVM deployment (infrastructures based on OpenStack)

This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

For this step, the wizard window displays all previously entered settings required for deploying the SVM:

General settings for all SVMs:

  • Keystone microservice address

    IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project in which the SVMs are being deployed.

  • SVM image description file

    The full path and name of the SVM image description file (in XML format) that you specified at the SVM image selection step.

  • SVM IP settings

    Method of configuring IP addressing settings.

    Possible values: Dynamic IP addressing (DHCP), Static IP addressing.

  • SSH-based remote access to the SVM for the root account

    Remote access to the SVM over SSH for the root user account.

    Possible values: Allowed, Blocked.

  • Kaspersky Security Center connection settings

    IP address in IPv4 format or fully qualified domain name (FQDN) of the device hosting the Kaspersky Security Center Administration Server, and port numbers for connecting the SVM to the Kaspersky Security Center Administration Server.

  • Parallel deployment

    The number of SVMs to be deployed concurrently.

Individual settings for each SVM:

  • OpenStack project

    Name of the OpenStack project selected for SVM deployment, as well as project path in the infrastructure.

  • SVM name

    The name that was defined when specifying SVM settings.

  • Virtual machine type

    Type of virtual machine (instance type) selected for SVM.

  • Volume type

    Volume type to be used during SVM deployment.

  • Availability zone

    Logical collection of hypervisors where the SVM will be located.

  • Server group

    Group of virtual machines in which the SVM will be located.

  • Network name

    The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  • VLAN ID

    The ID of the virtual local area network (VLAN) that the SVM uses to connect to virtual machines, the Integration Server and the Kaspersky Security Center Administration Server.

  • Security group

    Security group selected for the virtual network.

  • All IP addressing settings that you provided for the SVM.

To start deploying SVMs, go to the next step of the wizard.

Page top

[Topic 110000]

SVM deployment

At this step, SVMs are deployed on hypervisors. The process takes some time. Please wait until deployment is complete.

The window shows, one row at a time, the stages of deployment of each SVM with the status of each stage: Processing N%, Pending, Skipped, Completed, Error.

After SVM deployment is complete, you are advised to make sure that the Integration Server is running and can be accessed by the SVM over the network.

If an error occurs on a hypervisor during the SVM deployment process, the Wizard rolls back the changes on this hypervisor. Deployment continues on the other hypervisors.

When deployment is completed, SVM is turned on automatically.

Proceed to the next step of the wizard.

Page top

[Topic 93537]

Finishing SVM deployment

This step displays information about the SVM deployment results in the virtual infrastructure.

You can use the links to open a brief report and the SVM Management Wizard log.

You can view the following information in the brief report:

  • Addresses of the hypervisors on which SVMs were deployed, or OpenStack projects, within which SVMs were deployed (depending on the type of virtual infrastructure).
  • Names of deployed SVMs.
  • Brief description of the completed stages of deployment of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.

The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.

The SVM Management Wizard log saves information specified by you at every step of the wizard. If the SVM deployment process ends in an error, you can use the wizard log when contacting Technical Support.

The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.

Finish the wizard.

If your virtual infrastructure uses a Microsoft Windows Server (Hyper-V) hypervisor, after SVM deployment the event log may contain an event indicating the need to update the Integration Services package on the SVM. You can ignore this notification because the Integration Services do not need to be updated to operate the SVM.

Page top

[Topic 254203]

Automatically creating tasks and a default policy for the Protection Server

The Kaspersky Security Center Initial Configuration Wizard lets you automatically create a default Protection Server policy and an Update databases and solution modules task for the Protection Server. The Initial Configuration Wizard is available in Kaspersky Security Center Administration Console and in Kaspersky Security Center Web Console.

If you use Kaspersky Security Center Web Console, the Initial Configuration Wizard starts the first time you launch Kaspersky Security Center Web Console.

You can also run the Initial Configuration Wizard manually.

How to run the Initial Configuration Wizard in Kaspersky Security Center Web Console

To start the Initial Configuration Wizard:

In the main window of the Kaspersky Security Center Web Console, select Discovery & deployment → Deployment & assignment → Initial Configuration Wizard.

After installing the Protection Server web plug-in, the wizard will prompt you to create a default Protection Server policy and an Update databases and solution modules task for the Protection Server.

If you use Kaspersky Security Center Administration Console, the Initial Configuration Wizard starts automatically the first time you launch Administration Console after installing the management MMC plug-in for the Protection Server.

If the Initial Configuration Wizard for the managed application was not started automatically, you can manually start it.

How to run the Initial Configuration Wizard in Kaspersky Security Center Administration Console

To start the Initial Configuration Wizard:

  1. In the Kaspersky Security Center Administration Console tree, select the Administration Server <server name> node, open the context menu of the node and select All tasksManaged applications Initial Configuration Wizard.
  2. In the welcome window, click the Next button, and in the next step select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server as the managed application.

Follow the instructions of the Initial Configuration Wizard.

Creating an Update databases and solution modules task for the Protection Server

An Update Solution Databases and Modules task is created for the Managed devices administration group and lets you download an update package for the databases and application modules of the Kaspersky Security solution to all SVMs that will be moved to the Managed devices administration group or to any nested administration group. The task is started every time an update package is downloaded to the Kaspersky Security Center Administration Server repository.

Creating default policy for Protection Server

A default Protection Server policy is created for the Managed devices administration group with the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and is applied on all SVMs that will be moved to the Managed devices administration group or to any nested administration group.

When creating a default Protection Server policy, the wizard prompts you to configure the following settings:

  1. Decide whether you want to use Kaspersky Security Network in the operation of the Protection Server.
  2. Configure settings for connecting SVMs to the Integration Server.

The other policy settings take the default values. You can configure them later.

If you have not configured the settings for connecting SVMs to the Integration Server or cannot connect with the specified settings, the policy is created with the Inactive policy status. Later you can configure the settings of this policy and activate it.

Page top

[Topic 256136]

Preparing the Protection Server for operation

After completing the SVM deployment procedure, it is recommended to use virtual infrastructure tools to check the system date on the SVM. A discrepancy between the system dates on Kaspersky Security Center Administration Server and the SVM may result in an error when connecting the SVM to Kaspersky Security Center as well as incorrect operation of Kaspersky Security solution components.

After deploying the SVM on a hypervisor, you can modify the resources allocated to the SVM, for example, to match those recommended by Kaspersky experts. You can regulate the performance of the SVM using the resources assigned to it.

To prepare the Protection Server for operation, you must perform the following actions:

  1. Make sure that new SVMs are connected to the Integration Server. You can view the list of connected SVMs in the Integration Server Console or in the Integration Server Web Console.
  2. Activate the solution on all new SVMs.

    To activate the solution on SVMs, you must add a license key to the SVMs by using the Solution activation task. After installing the Light Agent component on virtual machines and connecting the Light Agents to the SVMs, the Protection Server component sends license information to the Light Agents.

  3. Update the databases of the solution on all new SVMs and download database updates for Light Agents to the SVMs. By default, database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows are downloaded to the SVMs from the Administration Server repository.

    If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, you need to make sure you are downloading database updates for the correct version of Light Agent. If you have different versions of Light Agent installed on protected devices, updates for all installed versions must be downloaded to the SVM.

    To configure the downloading of updates for the correct versions of Light Agent:

    1. In the Protection Server policy, specify the versions of Light Agents for which the Protection Server must receive updates.

      The Administration Server needs some time to download database updates for Light Agents. We recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).

    2. Manually run the Download updates to the repository task.
    3. Download the update packages to the SVM. To download update packages to the SVM, you can use an automatically created Protection Server task, Updating databases and solution modules.
Page top

[Topic 286616]

Installing Light Agents and Network Agent

On each virtual machine that needs to be protected using the Kaspersky Security solution, you need to install Light Agent and Kaspersky Security Center Network Agent.

Installed on protected virtual machines, Kaspersky Security Center Network Agent facilitates interaction between a Light Agent installed on a virtual machine and the Kaspersky Security Center Administration Server, and lets you use Kaspersky Security Center to manage the operation of the Light Agent.

You can install Light Agent on a virtual machine template that will be used to create persistent and non-persistent virtual machines. When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agents and Network Agent.

You can install Light Agent on virtual machines as part of an infrastructure that uses VDI-based solutions for creating virtual desktops. For Light Agent for Windows to be compatible with some virtualization solutions, additional steps are required during installation.

In this section:

About installing Kaspersky Security Center Network Agent on virtual machines

About installing Light Agent for Linux

About installing Light Agent for Windows

Installing Light Agent on a template for non-persistent virtual machines

Compatibility of Light Agent for Windows with virtualization solutions

Page top

[Topic 256137]

About installing Kaspersky Security Center Network Agent on virtual machines

Before or during the installation of Kaspersky Endpoint Security for Linux in Light Agent mode, you need to install Network Agent for Linux on each virtual machine.

Before or during installation of Kaspersky Endpoint Security for Windows in Light Agent mode, you need to install Network Agent for Windows on each virtual machine.

The files required for installing Network Agent are included in the Kaspersky Security Center distribution kit. For more information on installing Network Agent, please refer to the Kaspersky Security Center Help.

Page top

[Topic 256139]

About installing Light Agent for Linux

Kaspersky Endpoint Security for Linux in Light Agent mode for protection of virtual environments is installed in one of the following ways:

  • Remotely from the administrator's workstation using Kaspersky Security Center.

    To use Kaspersky Endpoint Security for Linux as a Light Agent for Linux, you select the Light Agent mode in one of the following ways:

    • In the properties of the installation package of the Kaspersky Endpoint Security for Linux application, on the Settings tab.
    • Using the autoinstall.ini configuration file, which is included in the application installation package (KSVLA_MODE=yes).
  • Using the command line.

    To use Kaspersky Endpoint Security for Linux as a Light Agent for Linux, after the installation is complete, you need to run the initial application configuration and select the Light Agent mode in one of the following ways:

    • Enter yes in the Specifying the application usage step of the initial configuration script.
    • Specify the KSVLA_MODE=yes setting in the initial setup configuration file.

When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agent and Network Agent.

For more information about installing Kaspersky Endpoint Security for Linux in Light Agent mode, see the application Help of the relevant version.

Page top

[Topic 109889]

About installing Light Agent for Windows

Kaspersky Endpoint Security for Windows in Light Agent mode for protection of virtual environments is installed in one of the following ways:

  • Remotely from the administrator's workstation using Kaspersky Security Center.

    To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you need to select the Light Agent configuration in the properties of the Kaspersky Endpoint Security for Windows installation package on the Settings tab.

  • Locally on a virtual machine using the installation wizard.

    To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you need to select the Light Agent for protecting virtual environments configuration at the configuration selection step.

  • Using the command line.

    To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you select the Light Agent mode in one of the following ways:

    • Run the installation command with LIGHTAGENTMODE=1.
    • Perform a silent installation using a setup.ini file with KSVLAMode=1.

To optimize the performance of Kaspersky Endpoint Security for Windows in Light Agent mode, we recommend using predefined groups of exclusions and trusted applications for various virtualization solutions. You can include recommended scan exclusions and trusted applications in the trusted zone during local installation using the wizard or when creating an installation package in interactive mode.

When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agent and Network Agent.

For more information about installing Kaspersky Endpoint Security for Windows in Light Agent mode, see the application Help of the relevant version.

Page top

[Topic 98763]

Installing Light Agent on a template for non-persistent virtual machines

If you are installing on a virtual machine template that will be used to create non-persistent virtual machines, we recommend that you configure settings that optimize the operation of Light Agent on the non-persistent virtual machines.

If these settings are configured, the operation of non-persistent virtual machines created from the template will be optimized as follows:

  • Kaspersky Security Center functionality that is not required for non-persistent virtual machines will be disabled, namely the receiving of information about software, hardware, vulnerabilities, and necessary updates.
  • Updates that require restarting the protected virtual machine will not be installed on virtual machines created from the template. When receiving updates that require a restart, the Light Agent installed on the virtual machine sends a message to Kaspersky Security Center about the need to update the virtual machine template.
  • Non-persistent virtual machines running Windows operating systems will not use the active infection disinfection technology regardless of the configured settings of Light Agent for Windows. If it is necessary to perform the disinfection procedure for an active infection, the Light Agent installed on the virtual machine will send a message to Kaspersky Security Center about the need to perform this procedure on the virtual machine template.

Kaspersky Security Center Network Agent settings

If you are installing Network Agent using Kaspersky Security Center, in the properties window of the Network Agent installation package, you need to specify the following settings in the Advanced section:

  • Enable dynamic mode for VDI.
  • Optimize the settings for VDI.

If you are installing Network Agent using the command line, you need to use a response file (in TXT format) with the following settings:

  • KLNAGENT_VM_VDI=1
  • KLNAGENT_VM_OPTIMIZE=1

For more information on installing Network Agent, please refer to the Kaspersky Security Center Help.

Light Agent for Linux settings

If you are installing Kaspersky Endpoint Security for Linux in Light Agent mode using Kaspersky Security Center, you need to include the autoinstall.ini configuration file in the installation package with the following settings:

  • KSVLA_MODE=yes
  • VDI_MODE=yes

If you create an installation package in Kaspersky Security Center Web Console, you can specify these settings using the following check boxes in the installation package properties on the Settings tab:

  • Use the application in Light Agent mode
  • Enable VDI protection mode.

If you are installing Kaspersky Endpoint Security for Linux in Light Agent mode using the command line, after the installation is complete, you need to configure the settings as follows, depending on the initial configuration mode:

  • Run the initial configuration script and enter yes in the Specifying the application usage mode and Enabling VDI protection mode steps.
  • Run the initial configuration in automatic mode by specifying the following settings in the initial configuration file:
    • KSVLA_MODE=yes
    • VDI_MODE=yes

For more information about installing Kaspersky Endpoint Security for Linux in Light Agent mode, see the application Help of the relevant version.

Light Agent for Windows settings

If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using Kaspersky Security Center, you need to configure the following settings in the properties of the Kaspersky Endpoint Security for Windows installation package on the Settings tab:

  • select the Light Agent configuration
  • select the Protect VDI check box

If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using the Installation Wizard, you need to configure the following settings at the configuration selection step:

  • select the Light Agent for protecting virtual environments configuration
  • select the Protect VDI check box

If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using the command line, you need to do one of the following:

  • Run the installation command with LIGHTAGENTMODE=1 and VDI=1.
  • Perform installation in silent mode using a setup.ini file with KSVLAMode=1 and InstallOnVDI=1.

For more information about installing Kaspersky Endpoint Security for Windows in Light Agent mode, see the application Help of the relevant version.

Page top

[Topic 65891]

Compatibility of Light Agent for Windows with virtualization solutions

You need to take additional steps when installing Light Agent for Windows on virtual infrastructures that use the following virtualization solutions:

  • Citrix App Layering
  • Citrix Provisioning (Citrix Provisioning Services)
  • VMware App Volumes

Expand all | Collapse all

Compatibility with Citrix App Layering technology

If you plan to use the Full User Layer to save the state of non-persistent virtual machines, you must do the following before installing the Light Agent on a virtual machine template:

  1. Create the file C:\Program Files\Unidesk\Uniservice\UserExclusions\KESLA.txt and add the following exclusions to it:
    • C:\ProgramData\KasperskyLab\
    • C:\ProgramData\Kaspersky Lab\
    • C:\Program Files (x86)\Kaspersky Lab\
  2. Make the following changes to the operating system registry:
    1. In the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Unifltr registry key, create a new DWORD key with the name MiniFilterBypass and the value 1.
    2. In the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Unirsd registry key, create a new MULTI_SZ key with the name ExcludeKey and the value \Registry\Machine\SOFTWARE\WOW6432Node\KasperskyLab.
  3. Restart the virtual machine.

To install on virtual machines in an infrastructure that uses Citrix App Layering technology, you need to do the following:

  1. Install Kaspersky Security Center Network Agent and Light Agent for Windows on a virtual machine template on the Application Layer.
  2. Create a multi-layer virtual machine image.
  3. Deploy the created image to hypervisors that support Citrix App Layering.
  4. Configure creation of non-persistent virtual machines from the created image.

For more information on installing antivirus software with Citrix App Layering, refer to Citrix App Layering documentation.

Compatibility with Citrix Provisioning (Citrix Provisioning Services) technology

To ensure that Light Agent for Windows is compatible with Citrix Provisioning technology (Citrix Provisioning Services), you must perform the following steps:

  1. If Citrix Provisioning Target Device software is installed on the virtual machine, it must be removed before you begin installing Light Agent. After completing the installation of Light Agent, you need to install the Citrix Provisioning Target Device.
  2. Light Agent for Windows must be installed in one of the following ways:
    • Using the installation wizard Select the Ensure compatibility with Citrix PVS check box in the Advanced settings step.
    • Remotely via Kaspersky Security Center. Select the Ensure compatibility with Citrix PVS check box in the installation package settings.

Compatibility with VMware App Volumes technology

Before installing on a virtual machine template, you need to create the file %SVAgent%\Config\Custom\snapvol.cfg and add the following exceptions to it:

  • exclude_path=\ProgramData\Kaspersky Lab
  • exclude_path=\ProgramData\KasperskyLab
  • exclude_path=\Program Files\Kaspersky Lab
  • exclude_path=\Program Files\Common Files\Kaspersky Lab
  • exclude_path=\Program Files\Kaspersky Lab
  • exclude_path=\Program Files (x86)\Kaspersky Lab
  • exclude_path=\Program Files (x86)\Common Files\Kaspersky Lab
  • exclude_process_path=\Program Files (x86)\Kaspersky Lab
  • exclude_process_path=\Program Files (x86)\Common Files\Kaspersky Lab
  • exclude_process_path=\Program Files\Common Files\Kaspersky Lab
  • exclude_process_path=\Program Files\Kaspersky Lab
  • exclude_process_name=avp.exe
  • exclude_process_name=klnagent.exe
  • exclude_registry=\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\KasperskyLab
  • exclude_registry=\REGISTRY\MACHINE\SOFTWARE\KasperskyLab
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\klupd_klif_arkmon
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\klupd_klif_klark
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\klupd_klif_klbg
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\klupd_klif_mark
  • exclude_registry=\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\klupd_klif_swmon

For details, please refer to the VMware documentation.

Page top

[Topic 256140]

Preparing Light Agents for operation

To prepare Light Agents for operation, you must perform the following actions:

  1. Configure the settings required for SVM discovery and connection of Light Agents to SVMs.

    To configure the settings for Light Agent for Linux, you need to create a policy for Kaspersky Endpoint Security for Linux running in Light Agent mode.

    To configure the settings for Light Agent for Windows, you need to create a policy for Kaspersky Endpoint Security for Windows running in Light Agent mode.

    Following the instructions in the New Policy Wizard, you need to select the SVM discovery method and, depending on the selected method, configure the settings for connecting to the Integration Server or specify a list of SVM addresses.

  2. Make sure that Light Agents connect to SVMs and to the Integration Server.
  3. Make sure that Light Agents have received information about the license used to activate Kaspersky Security for Virtualization Light Agent.

    After activating the solution on SVMs and connecting Light Agents to the SVMs, the Protection Server component sends license information to Light Agents. You can view information about the license that Light Agent uses. You can view it on a protected virtual machine with Light Agent.

  4. Make sure that the database updates required for Light Agent are installed on the protected virtual machines.

    Databases on protected virtual machines are updated using a special Update task, in which a folder on the SVM is specified as the update source. The update task is started automatically.

    You can check how up-to-date the databases are on a protected virtual machine with Light Agent:

    • For Light Agent for Linux: using the command kesl-control --app-info.
    • For Light Agent for Windows: in the local interface of Kaspersky Endpoint Security for Windows.

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

Page top

[Topic 145545]

Displaying virtual machines and SVMs in Kaspersky Security Center

After installation of Kaspersky Security in the virtual infrastructure, the SVMs and protected virtual machines on which Network Agent is installed will forward information about themselves to Kaspersky Security Center. By default, Kaspersky Security Center adds devices on which Kaspersky Security components are installed to the Unassigned devices folder.

In the Kaspersky Security Center Administration Console, an SVM is displayed under the name that you specified during deployment of this SVM. The name of the protected virtual machine matches the network name of the virtual machine (hostname). If a virtual machine with the same name is already registered on the Kaspersky Security Center Administration Server, a sequence number is added to the name of the new virtual machine, for example: <Name>~1, <Name>~2.

If you configured rules for moving virtual machines to administration groups prior to installing the solution, Kaspersky Security Center moves the devices on which Kaspersky Security components are installed to the specified administration groups in accordance with the configured rules for moving devices.

After installing the solution components, the SVMs and protected virtual machines send tags to Kaspersky Security Center. You can use these tags when creating rules for moving SVMs and protected virtual machines to administration groups.

The SVM sends the following tag to Kaspersky Security Center:

%VmType%=SVM – indicates that the virtual machine is an SVM.

A protected virtual machine with Kaspersky Security Center Network Agent installed sends the following tag to Kaspersky Security Center:

  • %VmType%=<Persistent / Nonpersistent> – indicates whether this virtual machine is non-persistent or persistent virtual machine:
    • %VmType%=Persistent – persistent virtual machine;
    • %VmType%=Nonpersistent – non-persistent virtual machine.
  • %KsvlaMode%=<Yes / No> – a flag that determines the operating mode of the Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows application on a virtual machine:
    • %KsvlaMode%=Yes – the application is being used in Light Agent mode to protect virtual environments;
    • %KsvlaMode%=No – the application is being used in standard mode.

You can manually move SVMs to the Managed devices administration group or nested administration groups (for more information about moving virtual machines to administration groups, see the Kaspersky Security Center Help).

Page top

[Topic 256141]

Viewing the list of SVMs connected to the Integration Server

You can view a list of all SVMs that are connected to the Integration Server in the Integration Server Web Console or the Integration Server Console.

How to view information about SVMs connected to the Integration Server in the Integration Server Web Console

To view information about SVMs connected to the Integration Server:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the List of connected SVMs section.

    In the window that opens, a list of SVMs connected to the Integration Server is displayed as a table. The table contains the following information about each SVM:

    • SVM IP address.
    • SVM path. Depending on the type of protected virtual infrastructure:
      • IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
      • IP address in the IPv4 format or the fully qualified domain name (FQDN) of the Keystone microservice that controls the OpenStack project within which the SVM is deployed.

    You can sort the list by the SVM IP address column, search the list, and export the list in CSV format using the button located above the table.

  3. To view detailed information about an SVM, click on the IP address of the selected SVM in the list.

    This opens a window with the following information about the selected SVM:

    • SVM ID.
    • SVM IP address.
    • SVM path. Depending on the type of protected virtual infrastructure:
      • IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
      • IP address in the IPv4 format or the fully qualified domain name (FQDN) of the Keystone microservice that controls the OpenStack project within which the SVM is deployed.
    • Information about whether the data transfer channel from Light Agents is encrypted.
    • SVM port used for sending scan requests from Light Agents to the Protection Server over a secure connection.
    • SVM port used for sending scan requests from Light Agents to the Protection Server over an unsecure connection.
    • SVM port used for sending service requests from Light Agents to the Protection Server over a secure connection.
    • SVM port used for sending service requests from Light Agents to the Protection Server over an unsecure connection.

How to view information about SVMs connected to the Integration Server in the Integration Server Console

To view information about SVMs connected to the Integration Server:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the List of connected SVMs section.

    The table on the right side of the window displays the following information about all SVMs connected to the Integration Server:

    • SVM IP address.
    • SVM path. Depending on the type of protected virtual infrastructure:
      • IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
      • IP address in the IPv4 format or the fully qualified domain name (FQDN) of the Keystone microservice that controls the OpenStack project within which the SVM is deployed.
  3. To view detailed information, select an SVM in the table and open the Information about SVM window by double-clicking or by clicking the Detailed information link above the table.

    The window displays the following information about the selected SVM:

    • Unique identifier of the SVM.
    • SVM IP address.
    • SVM path. Depending on the type of protected virtual infrastructure:
      • IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
      • IP address in the IPv4 format or the fully qualified domain name (FQDN) of the Keystone microservice that controls the OpenStack project within which the SVM is deployed.
    • SVM port used for sending scan requests from Light Agents to the Protection Server over a secure connection.
    • SVM port used for sending scan requests from Light Agents to the Protection Server over an unsecure connection.
    • SVM port used for sending service requests from Light Agents to the Protection Server over a secure connection.
    • SVM port used for sending service requests from Light Agents to the Protection Server over an unsecure connection.
    • Information about whether the data transfer channel from Light Agents is encrypted.
Page top

[Topic 259223]

Updating Kaspersky Security from the previous version

Upgrading the solution

You can upgrade Kaspersky Security for Virtualization 6.1 Light Agent to Kaspersky Security for Virtualization 6.2 Light Agent.

Upgrading of earlier Kaspersky Security versions to version 6.2 is not provided.

Before you begin the upgrade, you need to prepare the files required to install the solution and complete the steps necessary to prepare the virtual infrastructure for installation of the solution.

Updating the version of the solution to Kaspersky Security to Kaspersky Security for Virtualization 6.2 Light Agent involves the following steps:

  1. Updating the Integration Server

    When upgrading the solution, you can switch to the Linux-based Integration Server or continue using the Windows-based Integration Server.

    If you want to continue using the Windows-based Integration Server, you need to update the Integration Server and Integration Server Console. The procedure for updating the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution (Kaspersky Security Center Windows or Kaspersky Security Center Linux).

  2. Updating Kaspersky Security management plug-ins
  3. Updating the Protection Servers

    Deploy SVMs with the new version of the Protection Server on your hypervisors.

  4. Preparing the Protection Servers for operation

    You must follow the steps to prepare the updated SVMs and Protection Servers for operation.

  5. Updating Light Agent for Linux and Network Agent for Linux

    To protect virtual machines with Linux guest operating systems, you need to update Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Linux guest operating systems.

    For a description of the process of updating Kaspersky Endpoint Security for Linux and Network Agent for Linux, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

  6. Installing/updating Light Agent for Windows and Network Agent for Windows

    To protect virtual machines with Windows guest operating systems, you need to install Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Windows guest operating systems.

    You can use the following versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 or Kaspersky Endpoint Security for Windows 12.9.

    Make sure you are downloading database updates for the correct version of Light Agent to the SVM. If you have different versions of Light Agent for Windows installed on protected devices, updates for all installed versions must be downloaded to the SVM.

    If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution.

  7. Preparing Light Agents for operation

    You need to perform the actions required to prepare Light Agents for operation.

Upgrading Light Agent for Windows

Kaspersky Security 6.2 supports two versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 and Kaspersky Endpoint Security for Windows 12.9. If you have Kaspersky Security 6.2 and Kaspersky Endpoint Security for Windows 12.8 in Light Agent mode installed, you can upgrade the Light Agent version for Windows as follows:

  1. Upgrade Kaspersky Endpoint Security for Windows 12.8 to version 12.9. For a description of the update process of the Kaspersky Endpoint Security for Windows application, see the application Help of the relevant version.
  2. Specify the new version of Light Agent for Windows in the update settings in your Protection Server policy.

    The Administration Server needs some time to download database updates for Light Agents. We recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).

  3. Manually run the Download updates to the repository task.
  4. Download the update packages to the SVM. To download update packages to the SVM, you can use an automatically created Protection Server task, Updating databases and solution modules. As a result of the update task, the Protection Server gets database updates for the specified version of Light Agent.
  5. Upgrade the management web plug-in or MMC management plug-in of the previous version of Light Agent for Windows.

In this Help section

Migrating from the Windows-based Integration Server to the Linux-based Integration Server

Updating the Windows-based Integration Server and Integration Server Console

About updating management plug-ins

About the upgrade of the Protection Server

About updating Light Agent for Windows 5.2

Page top

[Topic 197587]

Migrating from the Windows-based Integration Server to the Linux-based Integration Server

If you previously had the Windows-based Integration Server installed in your virtual infrastructure, you need to do the following to switch to using the Linux-based Integration Server:

  1. Install the Linux-based Integration Server.
  2. Install the Integration Server Web Console.
  3. In Integration Server Web Console, configure the settings for connecting to the virtual infrastructures to which the Windows-based Integration Server connected.
  4. Update the Integration Server address in all configured Protection Server polices and Light Agent policies.
  5. Make sure that the SVMs are connected to the Linux-based Integration Server.
  6. Ensure that Light Agents are connected to the Linux-based Integration Server and to the SVMs.
  7. Uninstall the Windows-based Integration Server (see the solution help for the corresponding version for more details).

    Uninstalling the Integration Server will delete the data used in the operation of the Integration Server, including the list of registered tenants and information about the time that virtual machines have been protected by the solution. If necessary, save tenant protection reports.

If you are using Kaspersky Security in multi-tenancy mode, after completing the procedure for switching to using the Linux-based Integration Server, you need to redeploy the tenant protection structure or register existing tenants and their virtual machines (depending on the scenario for using Kaspersky Security in multi-tenancy mode).

Page top

[Topic 259189]

Updating the Windows-based Integration Server and Integration Server Console

The Windows-based Integration Server and Integration Server Console must be updated under an account that belongs to local administrator group.

Close the Integration Server Console before starting the update.

The procedure for installing the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution:

  • If you use Kaspersky Security Center Windows to manage Kaspersky Security, and in accordance with the recommendations of Kaspersky specialists, you used the Kaspersky Security Components Installation Wizard to install the Integration Server and Integration Server Console, we recommend to also perform the update using the wizard.

    You can update the Integration Server and Integration Server Console by using the Kaspersky Security Components Installation Wizard in interactive mode or in silent mode.

    The update is performed by installing the new version of the Integration Server and the Integration Server Console.

    During the upgrade, you can save a backup copy of the database, settings, and certificate of the previous version of the Integration Server. If errors occur in the operation of the Integration Server after an update, you can use the backup copy to restore the previous version of the Integration Server.

    If you want to save a backup copy of the database and settings of the Integration Server of the previous version, the upgrade requires additional space on the drive containing the %ProgramData% folder.

  • If you use Kaspersky Security Center Linux to manage Kaspersky Security, the Kaspersky Security Components Installation Wizard cannot be used to update the Integration Server and Integration Server Console. The update is performed by manually installing the new version of the Integration Server and the Integration Server Console.

Updating requires at least 4 GB of free space on the drive containing the %ProgramData% folder on the device where the previous version of the Integration Server and Integration Server Console are installed.

After upgrading the Integration Server, we recommend to replace the self-signed SSL certificate of the Integration Server with a more secure certificate. You can create a new certificate and install it using the certificate management tool included with the solution.

In this section:

Updating in interactive mode using the wizard

Updating from the command line

Page top

[Topic 263790]

Updating in interactive mode using the wizard

To update the Integration Server and Integration Server Console in interactive mode using the wizard:

  1. On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.

    Kaspersky Security components installation Wizard starts.

  2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

    By default, the localization language of the operating system installed on the device where the Wizard was started is used.

  3. Make sure that the Install management components option is selected and proceed to the next step of the Wizard.
  4. If you want to save a backup copy of the database and settings and certificate of a previously installed Integration Server, select the Create a backup copy of the Integration Server database, settings, and certificate check box. The default path is %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1). The number in the folder name is incremented with each subsequent update attempt.

    The Wizard checks the amount of free space on the drive that contains the %ProgramData% folder. If there is insufficient free space on the drive, the Wizard displays an error message and you cannot proceed to the next step of the Wizard. If this is the case, close the Wizard, free up space on the drive, and restart the Kaspersky Security Components Installation Wizard.

  5. In the next step, read the Kaspersky Security End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data.

    To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

    Proceed to the next step of the wizard.

  6. Create the password of the Integration Server administrator (admin) account. The admin account is used for the following purposes:

    Enter a password in the Password and Confirm password fields. The account name cannot be edited.

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

    Proceed to the next step of the wizard.

  7. Review the information about the actions that the wizard will perform and click the Install button to begin performing the listed actions.
  8. Wait for the wizard to finish.

    If an error occurs during wizard operation, the wizard rolls back the changes made.

  9. Click Finish to close the Wizard window.

Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.

Page top

[Topic 263791]

Updating from the command line

To update the Integration Server and Integration Server Console from the command line,

Run the following command:

ksvla-components_<solution version numbe>_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password> [--log-path=<file path>] [--createBackup] [--backupFolder=<folder path>]

where:

  • <solution version number> is the version number of the solution in X.X.X.X format.
  • -q is an option specifying that the update is performed in silent mode. If you want to run the update interactively from the command line, do not specify this option.
  • --lang=<language ID> is the identifier of the language of the components to install.

    The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.

  • --accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement, concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data. By setting this parameter to yes, you confirm the following:
    • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
    • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

    The text of the End User License Agreement and Privacy Policy is included in the solution's distribution kit. Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for updating the Integration Server and Integration Server Console.

    You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:

    ksvla-components_<solution version number>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

    The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.

  • --viisPass=<password> is the password of the Integration Server administrator account (admin). The admin account is used for the following purposes:

    A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  • --log-path=<path to file> is the path to the file where information about update results is saved.

    Optional parameter. By default, update results are logged to trace files saved at %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:

    • <version number> refers to the number of the installed version of the Kaspersky Security solution;
    • <date and time> refers to the date and time when the update was completed, in the dd_MM_yyyy_HH_mm_ss format.
  • --createBackup

    Optional parameter. Indicates that it is necessary to save a backup copy of the database and settings and the certificate of the previously installed Integration Server. By default, the data is saved in the %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1) folder. The number in the folder name is incremented each time an update is done. You can select the path for saving this data using the --backupFolder option:

  • --backupFolder=<path to folder> is the path to the folder where the backup copy of the database and settings and certificate of the previously installed Integration Server will be saved.

    Optional parameter. If this option is not specified, the data will be saved to the default folder.

To view a description of all available command line parameters for installing and updating Kaspersky Security components, use the --help parameter.

Updating the Integration Server and Integration Server Console takes some time.

Page top

[Topic 265506]

About updating management plug-ins

The Protection Server management plug-in is updated by installing a new version of the management plug-in. After installing the Protection Server management plug-in, it is recommended to run the Download updates to the repository task in Kaspersky Security Center and make sure that the task completes successfully. For details, please refer to the Kaspersky Security Center help.

Policies and tasks configured in Kaspersky Security Center for the previous version of Kaspersky Security components are not compatible with the updated version of the solution. If you use the Kaspersky Security Center Administration Console to manage solution components, after updating the management MMC plug-ins, you can migrate previously configured policy and task settings to the policies and tasks for the updated version of solution components. Settings are migrated using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).

The converted policies and tasks use the settings of policies and tasks of the previous version of Kaspersky Security components. The settings that were not configured in the policies and tasks of the previous version take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".

The policy and task conversion procedure is not available in Kaspersky Security Center Web Console. If you are using the Web Console to manage solution components, you must create new policies and tasks for the updated solution components.

Management plug-ins of the previous version continue to operate after installation of the new version of the Kaspersky Security management plug-ins. You can use them to manage SVMs and Light Agents of the previous version of Kaspersky Security.

After all the application components are updated, you can remove the management plug-ins of the previous version.

Page top

[Topic 256291]

About the upgrade of the Protection Server

The Protection Server is updated by deploying SVMs with the new version of the Protection Server in the virtual infrastructure. You can deploy SVMs in the following ways:

You can also deploy SVMs using the virtual infrastructure tools and then configure SVM settings using the klconfig script API manually or using automation tools.

If you are using a licensing scheme based on the number of cores in physical processors on the hypervisors, then after the solution is activated on a new SVM, Kaspersky Security may send Kaspersky Security Center an event indicating that the license restriction has been exceeded. You can ignore this event.

SVMs with the previous version of the Protection Server continue to work on hypervisors. They allow legacy Light Agents to run on virtual machines that have not yet been updated.

If you have updated all Light Agents, you can remove the SVM with the previous version of Protection Server.

SVMs that have been removed continue to be displayed in the Administration Console of Kaspersky Security Center. When the period specified in Kaspersky Security Center settings elapses (see Kaspersky Security Center help for details), the SVMs are automatically removed from the Administration Console.

You can manually remove SVMs with the previous version of the Protection Server from the Administration Console of Kaspersky Security Center as soon as the upgrade process has been completed.

Page top

[Topic 129595]

About updating Light Agent for Windows 5.2

If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution. To do so:

  1. Remove Light Agent for Windows 5.2 from virtual machines and virtual machine templates (for details, see the Kaspersky Security for Virtualization 5.2 Light Agent Help).
  2. Install the Kaspersky Endpoint Security for Windows application in Light Agent mode, and Network Agent on virtual machines and virtual machine templates.
  3. If you use Kaspersky Security Center Administration Console to manage solution components, you can convert policies and virus scan tasks configured for Light Agent for Windows 5.2. Settings are converted using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).

    Converted policies and tasks use the settings of the policies and tasks for Light Agent for Windows 5.2. Settings not present in policies and tasks in version 5.2 take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".

    To use a converted policy, change its status to Active.

  4. Remove the policies for the Protection Server and Light Agent for Windows 5.2 along with the remaining Kaspersky Security for Virtualization 5.2 Light Agent application components:
    • components for managing Kaspersky Security for Virtualization 5.2 Light Agent
    • SVMs included in Kaspersky Security 5.2

    For more information on removing the components of version 5.2, see the Kaspersky Security for Virtualization 5.2 Light Agent Help.

For more information about migrating from Light Agent for Windows version 5.2 to Kaspersky Endpoint Security for Windows in Light Agent mode, see Kaspersky Endpoint Security for Windows Help of the relevant version.

Page top

[Topic 246435]

Removing the Kaspersky Security solution

Virtual machines and user data will no longer be protected if the Kaspersky Security solution is uninstalled.

The procedure to uninstall the Kaspersky Security solution from the virtual infrastructure consists of the following stages:

  1. Removing Protection Servers

    To remove the Protection Server component, remove the deployed SVM from the virtual infrastructure.

    If you completely uninstall the Kaspersky Security solution, you need to remove all SVMs. If necessary, you can remove only some of the SVMs.

    After removal of SVM, protected virtual machines that were connected to it, can connect to another SVM that operates in the virtual infrastructure.

  2. Removing Light Agents and Kaspersky Security Center Network Agent

    You need to remove the following from virtual machines and virtual machine templates:

    • Light Agent (Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows installed in Light Agent mode)
    • Kaspersky Security Center Network Agent
  3. Removing the Integration Server

    Depending on the version of Integration Server you were using, you need to remove the Windows-based Integration Server and Integration Server Console or the Linux-based Integration Server.

  4. Removing Kaspersky Security management plug-ins

    You need to remove the management web plug-ins on the device where Kaspersky Security Center Web Console is installed, or the management MMC plug-ins on the device where the Kaspersky Security Center Administration Console is installed.

After the Protection Server and Light Agent components are removed, the SVMs and virtual machines on which Light Agents were installed are still displayed in the Kaspersky Security Center Administration Console. After the expiration of the period specified in the Kaspersky Security Center settings (see the Kaspersky Security Center help), information about the SVMs and virtual machines is automatically deleted. You can remove this information from Kaspersky Security Center Administration Console manually after uninstalling the solution.

In this Help section

Removing the Protection Server

Removing Light Agents and Network Agent

Removing the Windows-based Integration Server and Integration Server Console

Removing the Linux-based Integration Server

Removing Kaspersky Security management plug-ins

Page top

[Topic 256296]

Removing the Protection Server

You can remove an SVM from the virtual infrastructure in the following ways:

You can also remove SVMs manually using virtual infrastructure tools.

If you have removed all SVMs from a virtual infrastructure, we recommend deleting the connection settings for that virtual infrastructure from the list of virtual infrastructures to which the Integration Server connects to get information about the protected infrastructure. If you are using the Integration Server Console, we also recommend deleting the connection settings of that virtual infrastructure from the list of virtual infrastructure objects to which the SVM Management Wizard connects (see, for example, the "Selecting SVMs to remove" step in the SVM removal procedure).

In this section:

SVM removal using the Integration Server Web Console

Removing SVMs using the Integration Server Console

Page top

[Topic 256290]

SVM removal using the Integration Server Web Console

To remove an SVM using Integration Server Web Console, you need to create and run an SVM removal task for the Integration Server to remove the selected SVM.

After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.

When the task completes successfully, the selected SVM is removed.

To create and run an SVM removal task for the Integration Server:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the SVM management section.
  3. Click the New task button and select SVM removal from the drop-down list.

    The Integration Server New Task Wizard will start.

  4. Follow the wizard instructions.
Page top

[Topic 274313]

Selecting SVMs to remove

In this step, you need to select one or more SVMs that you want to remove.

The table displays information about the virtual infrastructures to which connections are configured for the Integration Server. The table also contains information about deployed SVMs. Each row of the table displays the following information about the virtual infrastructure object:

  • Name/Address

    This column contains the IP addresses or fully qualified domain names (FQDN) of the virtual infrastructure objects to which the Integration Server connects, and the names of the SVMs deployed on the hypervisors.

    Depending on the type of virtual infrastructure, the column may display:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • OpenStack project and domain name.
  • Status

    This column contains information about the status of the Integration Server's connection to the virtual infrastructure, the state of the infrastructure objects to which the connection is made, and the state of the SVMs deployed in the infrastructure.

    If the Integration Server is not connected to the virtual infrastructure object, the column displays an error message.

  • SVM version

    This column contains the SVM version number.

  • Infrastructure object type

    The column contains the type of the virtual infrastructure object that the Integration Server will connect to.

You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.

You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

If the virtual infrastructure from which you want to remove the SVM is not in the list, you need to configure a connection from the Integration Server to this virtual infrastructure.

To select the SVMs to remove:

In the table, select the check boxes on the left of the SVMs that you want to remove.

If SVMs are being removed from an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can remove SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

The simultaneous removal of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously remove SVMs deployed within OpenStack projects that are running on the same Keystone microservice.

Proceed to the next step of the wizard.

Page top

[Topic 274249]

Start an SVM removal task

This step displays information about the SVMs that will be removed by the task.

To start the SVM removal task, click the Start button.

You can monitor the task progress in Integration Server Web Console, in the SVM management section.

Page top

[Topic 256283]

Removing SVMs using the Integration Server Console

You can remove SVMs using the SVM Management Wizard, which is launched in the Integration Server Console.

To remove SVMs using the SVM Management Wizard:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the SVM management section, click the SVM management button to start the SVM Management Wizard.
  3. Follow the wizard instructions.

In this section

Selecting an action

Selecting SVMs to remove

Starting SVM removal

SVM removal

Finishing SVM removal

Page top

[Topic 151247]

Selecting an action

At this step, select the SVM removal option.

Proceed to the next step of the wizard.

Page top

[Topic 265507]

Selecting SVMs to remove

At this step, select the SVMs that you want to remove.

The table displays information about virtual infrastructures, to which the connection is configured for SVM Management Wizard, as well as information about the deployed SVMs:

  • Name/Address

    Depending on the type of virtual infrastructure, the column may contain the following:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • Name of the OpenStack domain
    • Name of the OpenStack project
    • Name of the SVM deployed on the hypervisor

    If the connection with the virtual infrastructure could not be established, the warning icon is displayed against this connection in the column. A description of the connection error is shown in the table and in the tooltip of the warning icon.

  • State

    This column contains information on the state of the virtual infrastructure object or the SVM.

    For the hypervisor, one of the following values is specified: Enabled or Disabled. If a connection to the hypervisor cannot be established, the column shows Disconnected.

    For the Keystone microservice, the OpenStack project, and the OpenStack domain, one of the following values is specified: Enabled or Disconnected.

    One of the following values is specified for an SVM: Enabled, Disabled.

  • Protection

    This column contains the SVM version number.

  • Type

    This column contains the type of virtual infrastructure object that the SVM Management Wizard will connect to.

You can search the list of virtual infrastructure objects. The search is performed based on the value of the Name/Address. The search starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.

To select the SVMs to remove:

In the table, select the check boxes on the left of the SVMs that you want to remove.

If SVMs are being removed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous removal of SVMs deployed in different infrastructures is not supported. You can remove SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

The simultaneous removal of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously remove SVMs deployed within OpenStack projects that are running on the same Keystone microservice.

If the list contains no virtual infrastructure, from which you want to remove the SVM, you must configure SVM Management Wizard connection to this infrastructure.

To configure the connection of SVM Management Wizard to the virtual infrastructure:

  1. Click the Add button.
  2. In the Virtual infrastructure connection settings window that opens, specify the following settings:
    • Type

      Type of virtual infrastructure object that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, select a hypervisor, virtual infrastructure administration server, or Keystone microservice.

    • Protocol

      Protocol used to connect SVM Management Wizard to the virtual infrastructure. By default, the HTTPS protocol is used.

      The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • Addresses

      Addresses of the virtual infrastructure objects that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, you need to specify the hypervisor address or the address of the virtual infrastructure administration server. To connect to an OpenStack-based infrastructure, you need to specify the address of the Keystone microservice.

      The address can be specified as the IP address in IPv4 format or the fully qualified domain name (FQDN).

      You can specify multiple addresses by separating them with a semicolon, a space, or a new line. The number of correctly recognized addresses is shown under the list of addresses.

      In this field, you can also specify the port used to connect to the virtual infrastructure object in the format <IP address>:<port>.

      If you are configuring a connection to Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service, you can specify the address of the cluster. All hypervisors that are part of the cluster will be added to the list.

      If you are configuring a connection to VMware ESXi hypervisors managed by VMware vCenter Servers running in Linked mode, you can specify the address of any of these VMware vCenter Servers. All the hypervisors running on VMware vCenter servers in Linked mode will be added to the list.

      If you are configuring a connection to hypervisors that are managed by Microsoft SCVMM, you can specify the settings for connecting to Microsoft SCVMM. All hypervisors that are managed by Microsoft SCVMM will be added to the list.

      If you are configuring a connection to an infrastructure managed by Nutanix Prism Element, you need to specify the Nutanix Prism Element address. If the infrastructure is managed by Nutanix Prism Central, specify the Nutanix Prism Central address. All Nutanix Prism Element servers managed by Nutanix Prism Central will be added to the list.

    • OpenStack domain

      Name of the OpenStack domain that contains an account used to connect SVM Management Wizard to the virtual infrastructure object.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      Name of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration. This account must have privileges that are sufficient for SVM deployment, removal and reconfiguration.

      If you use a domain account to connect to a virtual infrastructure object, you can specify the account name in the <domain>\<user name> or <user name>@<domain> format.

    • Password

      Password of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  3. Click the Connect button.

    The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.

    The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.

    Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.

    For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.

    To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.

    If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.

    If the authenticity of the open key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the open key and continue the connection. The open key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this open key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.

    If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.

You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

You can use buttons in the Name/Address column to:

  • Remove selected virtual infrastructure from the list.

    The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.

  • If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.

    After the settings are modified, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

Proceed to the next step of the wizard.

Page top

[Topic 151249]

Starting SVM removal

At this step, the Wizard window shows the number of SVMs selected for removal.

To start removing SVMs, proceed to the next step of the wizard.

Page top

[Topic 151250]

SVM removal

At this step, SVMs are removed from hypervisors. The process takes some time. Please wait until the process is complete.

The window displays information about the removal of each SVM, including the status of its progress, one row at a time: Processing N%, Pending, Skipped, Completed, Error.

Proceed to the next step of the wizard.

Page top

[Topic 151251]

Finishing SVM removal

This step displays information about the SVM removal results in the virtual infrastructure.

The wizard displays links that you can use to open a brief report and the SVM Management Wizard log.

You can view the following information in the brief report:

  • Addresses of the hypervisors from which SVMs were removed, or names of the OpenStack projects within which SVMs were removed (depending on type of the virtual infrastructure).
  • Names of removed SVMs.
  • Brief description of the completed stages of removal of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.

The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.

If the SVM removal process ends with an error, you can use the SVM Management Wizard log when contacting Technical Support.

The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.

Finish the wizard.

Page top

[Topic 197237]

Removing Light Agents and Network Agent

You can remove Light Agent and Kaspersky Security Center Network Agent from a virtual machine using Kaspersky Security Center. Uninstallation is performed using a Remote Application Removal task in the Kaspersky Security Center Administration Console or in the Kaspersky Security Center Web Console. For details, please refer to the Kaspersky Security Center help.

For other removal methods, see the Help of the application that you are using in Light Agent mode.

Page top

[Topic 256348]

Removing the Windows-based Integration Server and Integration Server Console

The procedure for removing the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution:

  • If you are using Kaspersky Security Center Windows, and in accordance with the recommendations of Kaspersky experts, you used the Kaspersky Security components installation wizard to install the Integration Server and Integration Server Console, we recommend removing using the wizard as well.

    You can remove the Integration Server and Integration Server Console by using the Kaspersky Security Components Installation Wizard in interactive mode or in silent mode.

  • If you are using Kaspersky Security Center Linux, the Kaspersky Security Components Installation Wizard cannot be used to remove the Integration Server and Integration Server Console. Removal is performed manually.

You can remove the Integration Server without preserving the data used by the Integration Server.

If you remove the Integration Server and preserve its data, the following data of the Integration Server will be saved:

  • The SSL certificate used to establish a secure connection to the Integration Server.
  • Internal accounts of the Integration Server, which are used to connect management consoles, SVMs, and Light Agents to the Integration Server.
  • Settings for connecting the Integration Server to hypervisors, virtual infrastructure administration servers, NSX Manager, Kaspersky Security Center Administration Server.
  • if the Kaspersky Security solution is used in multi-tenancy mode: a list of registered tenants and information about the time that virtual machines were protected by the solution.
  • SVM service data.
  • Trace files of the Integration Server and Integration Server Console.

A backup copy of the Integration Server data from the previous version of Kaspersky Security can also be saved if you saved a backup copy of the database and settings and the certificate of the Integration Server in the default folder (%ProgramData%\Kaspersky Lab\VIISLA\Backup\) when upgrading the solution to Kaspersky Security for Virtualization 6.2 Light Agent.

The saved data and settings are automatically used when you install the Integration Server again.

If you remove the Integration Server without preserving its data, all data used in the operation of the Integration Server, as well as the backup copy of the Integration Server data from the previous version of Kaspersky Security, are removed along with the Integration Server if the backup copy is located in the default folder.

If, when saving a backup copy of the Integration Server data from the previous version of Kaspersky Security, you specified a different folder than the default folder, then when you remove the Integration Server, the backup copy of the data is not deleted automatically. You can delete a backup copy of Integration Server data manually.

In this section:

Removing using the Kaspersky Security Components Installation Wizard

Removing manually

Page top

[Topic 265901]

Removing using the Kaspersky Security Components Installation Wizard

If you want to save the data used in the operation of the Integration Server, you need to remove the Integration Server using the Kaspersky Security Components Installation Wizard in interactive mode.

To remove the Integration Server and Integration Server Console in interactive mode,

  1. in the list of applications installed on the operating system, select to remove Kaspersky Security for Virtualization <version number> Light Agent – management components.
  2. If you want to save the Integration Server data, click the Save button in the window prompting you to save data.

To remove the Integration Server and Integration Server Console in silent mode,

in the command line, enter the following:

ksvla-components_<version number>_mlg.exe -q -uninstall

where <version number> is the version number of the solution in X.X.X.X format.

Page top

[Topic 146913]

Removing manually

To remove the Integration Server Console, run the following command:

msiexec.exe /X {87C1E11A-03CA-45F7-8693-117909354B43} /qn

To remove the Integration Server while preserving the data used by the Integration Server, run the following command:

msiexec.exe /X {4239BB9B-1D87-427D-9C5D-26D8444BE585} SAVE_SETTINGS="1" /qn

To remove the Integration Server without preserving the data used by the Integration Server, run the following command:

msiexec.exe /X {4239BB9B-1D87-427D-9C5D-26D8444BE585} SAVE_SETTINGS="0" /qn

Page top

[Topic 197227]

Removing the Linux-based Integration Server

Removing the Integration Server will delete the SSL certificate used to establish a secure connection with the Integration Server, and all data used in the operation of the Integration Server: accounts, settings for connecting to infrastructures, information about tenants, and trace files. The data will be permanently deleted. If required, before starting the removal, create a backup copy of the database and Integration Server settings.

To remove the Linux-based Integration Server:

  1. Run the following command:

    sudo apt-get purge ksvla-viis

  2. When prompted, confirm the removal of the Integration Server.
Page top

[Topic 197230]

Removing Kaspersky Security management plug-ins

Removing web plug-ins

The web plug-ins can be removed in the Kaspersky Security Center Web Console in the list of installed plug-ins (Settings → Web plug-ins).

Removing MMC plug-ins

We recommend closing the Kaspersky Security Center Administration Console before starting the removal of the management MMC plug-ins.

The MMC plug-in for Protection Server and the MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode) is are removed using the standard tools for uninstalling applications on the operating system on the device where the Kaspersky Security Center Administration Console is installed.

To remove the MMC plug-in for managing Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode):

  1. On the device where the Kaspersky Security Center Administration Console is installed, open the Windows registry editor and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\28\Plugins key.

    This key contains the data of all management plug-ins installed in the Administration Console. The name of the managed application is specified in the DisplayName value.

  2. Select the key that corresponds to the plug-in of the Kaspersky Endpoint Security for Linux of the relevant version.
  3. Open the UninstallString value and copy it.
  4. Open the command line prompt as administrator, paste the copied value and press Enter.
Page top

[Topic 254323]

Application management framework

You can control the operation of solution components using the following tools:

In this Help section

About managing the solution using Kaspersky Security Center

About Kaspersky Security management plug-ins

Starting and closing Kaspersky Security Center Web Console

Managing the solution using Kaspersky Security Center policies

Managing the solution using tasks

About access rights to the settings of policies and tasks in Kaspersky Security Center

About Integration Server Console

Connecting to the Integration Server via Integration Server Console

About the Integration Server Web Console

Connecting to the Integration Server via Integration Server Web Console

Page top

[Topic 254324]

About managing the solution using Kaspersky Security Center

Kaspersky Security Center lets you remotely manage the operation of Kaspersky Security solution components installed on client devices. In the case of the Kaspersky Security solution, the client devices of Kaspersky Security Center are SVMs with Protection Servers and virtual machines on which Light Agents are installed.

You can use Kaspersky Security Center to:

  • Install and remove solution components in the virtual infrastructure.
  • Start and stop Light Agents on protected virtual machines.
  • Centrally manage the protection of virtual machines using policies and tasks.
  • Manage license keys for the solution.
  • Update the solution's databases and software modules.
  • Generate reports about events that occur during the operation of the solution components.

To manage the Kaspersky Security solution via Kaspersky Security Center, you can use the following Kaspersky Security Center administration consoles:

  • Kaspersky Security Center Web Console (hereinafter also referred to as "Web Console"). It is a web interface for managing a protection system based on Kaspersky applications. You can work in Kaspersky Security Center Web Console using a browser on any device that has access to the Administration Server.

    The interface for managing the Kaspersky Security solution via Kaspersky Security Center Web Console is provided by management web plug-ins (hereinafter also referred to as "web plug-ins").

  • Kaspersky Security Center Administration Console (hereinafter also referred to as "Administration Console"). It is a Microsoft Management Console (MMC) snap-in that is installed on the administrator's workstation and provides a user interface to the Administration Server and Network Agent administrative services.

    The interface for managing the Kaspersky Security solution via Kaspersky Security Center Administration Console is provided by management MMC plug-ins for the Administration Console (hereinafter also referred to as "MMC plug-ins").

The Integration Server Console is not started via Kaspersky Security Center Web Console. If you use Web Console, you can launch the Integration Server Console using the executable file or install the Integration Server web plug-in and use Integration Server Web Console.

The set of functions available in applications running in Light Agent mode may depend on which Kaspersky Security Center management console you use. For more details, see the Help of the relevant application.

The Kaspersky Security solution is managed through Kaspersky Security Center by means of policies and tasks regardless of the administration console being used:

  • Policies define the settings for the operation of Light Agents and Protection Servers.
  • Tasks implement functions such as activating the solution, scanning virtual machines, and updating the solution's databases and application modules.

Using policies and tasks, you can set the same operating settings for Light Agents or Protection Servers installed on the client devices of an administration group.

For more detailed information about policies and tasks, please refer to the Kaspersky Security Center help.

Page top

[Topic 254210]

About Kaspersky Security management plug-ins

The following management web plug-ins are used to manage Kaspersky Security solution components using Kaspersky Security Center:

  • Management web plug-in for the Protection Server (Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server).
  • Management web plug-in for managing the Integration Server (Kaspersky Security for Virtualization 6.2 Light Agent – Integration Server). After the plug-in is installed, Integration Server Web Console will be available in Kaspersky Security Center Web Console.
  • Management web plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux).
  • Management web plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows).

If you want to use Kaspersky Security Center Web Console to manage Kaspersky Security solution components, you need to install web plug-ins on the device on which Kaspersky Security Center Web Console is installed.

Kaspersky Security components can be managed via web plug-ins by all administrators who have access to Kaspersky Security Center Web Console through a browser.

The following management MMC plug-ins are used to manage Kaspersky Security solution components using the Kaspersky Security Center Administration Console:

  • MMC plug-in for managing the Protection Server (Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server).
  • Management MMC plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux).
  • Management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows).

You need to install MMC plug-ins on the device on which Kaspersky Security Center Administration Console is installed.

Page top

[Topic 200034]

Starting and closing Kaspersky Security Center Web Console

To start Web Console, you need to know the web address of the Administration Server and the port number specified during Web Console installation (port 8080 is used by default). JavaScript must be enabled in the browser as well.

To start the Web Console:

  1. In the browser, go to <Administration Server web address>:<port number>.

    The login page opens.

  2. Enter the name and password of your account.
  3. Click the Enter button.

If the Administration Server does not respond or if you specified incorrect credentials, an error message will be displayed.

After you logged in, a dashboard is displayed with the last used language and theme.

For more information about the Web Console interface, refer to the Kaspersky Security Center help.

To close the Web Console:

  1. In the lower left corner of the screen, hover the mouse over the name of the account used to launch the Web Console.

    A context menu opens.

  2. In the context menu, select Exit.

The Web Console closes and the login page displays.

Page top

[Topic 254356]

Managing the solution using Kaspersky Security Center policies

You can use the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console to work with policies.

You can perform the following policy management operations:

  • Create a policy.
  • Edit policy settings.
  • Delete a policy.
  • Change policy status.
  • Copy and move a policy.
  • Export and import a policy.

The policy settings and groups of settings have a lock attribute, which shows whether a setting or group of settings can be changed in task settings or in policies of the nested hierarchy level (for nested administration groups and virtual and secondary Administration Servers).

The following Kaspersky Security Center policies are used to manage Kaspersky Security solution settings:

  • A Protection Server policy (Kaspersky Security <version number> Light Agent – Protection Server policy) is applied to SVMs. The policy defines the operating settings of Protection Servers on all SVMs included in the administration group for which the policy is configured.

    The Kaspersky Security Center Initial Configuration Wizard lets you automatically create a default policy for the Protection Server. A default policy is created for the Managed devices administration group with the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and is applied on all SVMs placed in the Managed devices administration group or to any nested administration group.

    You can change the default values of this policy's settings.

  • A Light Agent for Linux policy (Kaspersky Endpoint Security for Linux <version number> policy) is applied to virtual machines with Linux guest operating systems and defines the settings of the Kaspersky Endpoint Security for Linux application used in Light Agent mode. The policy is applied on all protected virtual machines belonging to the administration group for which the policy is configured.

    With a Light Agent for Linux policy, you can configure:

    • Kaspersky Endpoint Security for Linux application settings
    • settings for connecting Light Agent for Linux to SVMs and to the Integration Server, which are required for Kaspersky Endpoint Security for Linux to operate in Light Agent mode for protecting virtual infrastructure.

    For detailed information about Kaspersky Endpoint Security for Linux policy settings, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

  • A Light Agent for Windows policy (Kaspersky Endpoint Security for Windows <version number> policy) is applied to virtual machines with Windows guest operating systems and defines the settings of the Kaspersky Endpoint Security for Windows application used in Light Agent mode. The policy is applied on all protected virtual machines belonging to the administration group for which the policy is configured.

    With a Light Agent for Windows policy, you can configure:

    • Kaspersky Endpoint Security for Windows application settings
    • settings for connecting Light Agent for Windows to SVMs and to the Integration Server, which are required for Kaspersky Endpoint Security for Windows to operate in Light Agent mode for protecting virtual infrastructure.

    For detailed information about Kaspersky Endpoint Security for Windows policy settings, see the Kaspersky Endpoint Security for Windows Help of the relevant version.

In the Light Agent policy for Windows and in the Light Agent policy for Linux, you can create policy profiles. Using policy profiles allows more flexibility in configuring the Light Agent settings on different virtual machines. A policy profile may contain settings that differ from the settings of a basic policy and that are applied to protected virtual machines when your own defined conditions (activation rules) are met.

You can create and configure policy profiles in policy properties for a Light Agent in the Policy profiles section.

For more information about managing policies and policy profiles, please refer to the Kaspersky Security Center help.

In this section:

Policy settings for the Protection Server

Creating a Protection Server policy

Editing settings of the Protection Server policy

Page top

[Topic 254359]

Policy settings for the Protection Server

You can use a Protection Server policy to configure the following solution settings:

For information about configuring general policy settings and event settings, please refer to the Kaspersky Security Center help.

Page top

[Topic 254420]

Creating a Protection Server policy

You can create a Protection Server policy using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to create a Protection Server policy in Kaspersky Security Center Web Console

To create a Protection Server policy:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies and policy profiles opens.

  2. Select the administration group containing the SVMs to which the policy should be applied. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens. The new policy will determine the operating settings of Protection Servers installed on SVMs in the selected administration group.
  3. Click the Add button located above the list of policies and profiles.

    The New Policy Wizard starts.

  4. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server from the list.

    Proceed to the next step of the wizard.

  5. Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:

    If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.

    If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server settings section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.

    KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. For information on configuring KSN for Light Agents, see the Help of the applications that you are using Light Agent mode. We recommend specifying the same KSN usage settings for the Protection Server and the Light Agent that interacts with the Protection Server.

    Proceed to the next step of the wizard.

  6. Configure the connection of SVMs to the Integration Server:
    1. Click the Settings button.
    2. In the Connection to the Integration Server window that opens, enter the following settings:
      • Address

        IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

        If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

      • Port

        Port for connecting to the Integration Server.

        By default, port number 7271 is specified.

    3. Click the Validate button.

      The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains errors or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window. Click View the received certificate to view information about the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    4. To save the received certificate and continue connecting to the Integration Server, in the Select an action block, select the Ignore option.
    5. Specify the password of the Integration Server administrator (password of the admin account) and click the Validate button.

      The New Policy Wizard connects to the Integration Server. If the connection fails, an error message appears in the window. If the connection succeeds, the Connection to the Integration Server window closes, and the Connection to the Integration Server field of the New Policy Wizard window shows the Connected status.

    Proceed to the next step of the wizard.

  7. On the General tab, specify the name of the new policy, define its status (Active or Inactive) and configure inheritance settings. For details, please refer to the Kaspersky Security Center help.
  8. If necessary, modify the default policy settings on the Application settings tab.
  9. Click Save to complete the policy creation.

The created policy will be displayed in the list of policies on the Policies and policy profiles tab.

The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.

If Network Agent is not running on the SVM, the created policy is not applied on it.

If on the General tab you specified the Inactive policy status, the created policy is not applied to the SVMs.

How to create a Protection Server policy in Kaspersky Security Center Administration Console

To create a Protection Server policy:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVMs on which the policy should be applied. The policy will determine the operating settings of the Protection Servers installed on these SVMs.

    On the Devices tab of the folder with the name of the administration group, you can view a list of SVMs that belong to this administration group.

  2. In the workspace, select the Policies tab.
  3. Click the New policy button to start the New Policy Wizard.

    You can also start the wizard using the NewPolicy option in the context menu of the policy list.

  4. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server from the list.

    Proceed to the next step of the wizard.

  5. Enter a name for the new policy.
  6. To use the settings from the policy for the Protection Server of the previous version of Kaspersky Security in the policy being created, select the Use policy settings for the earlier application version check box.

    Proceed to the next step of the wizard.

  7. Decide whether you want to use Kaspersky Security Network (KSN) in the operation of the Protection Server. To do so, carefully read the Kaspersky Security Network Statement. Then select one of the following options:

    If necessary, you can later change the decision to use KSN and configure the KSN mode in the Protection Server policy properties.

    If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in the KSN proxy server section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. See Kaspersky Security Center help for more information.

    KSN settings configured for the Protection Server do not affect the use of KSN in the operation of Light Agents. For information on configuring KSN for Light Agents, see the Help of the applications that you are using Light Agent mode. We recommend specifying the same KSN usage settings for the Protection Server and the Light Agent that interacts with the Protection Server.

    Proceed to the next step of the wizard.

  8. Configure settings for downloading updates of databases and application modules to SVMs:
    • If you want to receive updates of the solution's application modules together with the solution database update package, select the Update solution modules check box.

      Enables/disables receiving updates for Kaspersky Security application modules along with updates to the solution databases.

      If the check box is selected, the Protection Server receives updates of application modules for Kaspersky Security components along with database updates from the Kaspersky Security Center Administration Server storage.

      This check box is cleared by default.

      If you edit a setting, the new value is applied the next time the database update task on the Protection Server runs.

    • If necessary, use the check boxes to configure the list of versions of Light Agents for which the Protection Server will receive updates. At least one version must be selected.

      The list contains the supported versions of Light Agents. If the version of the Light Agent you want to receive updates for is not listed, click the Refresh button.

    Proceed to the next step of the wizard.

  9. If you want to get SVM status using a network management system that uses the SNMP protocol, select the Enable SNMP monitoring of SVM status check box.

    Enabling / disabling SNMP monitoring of SVM status.

    If the check box is selected, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.

    If the check box is cleared, no information about SVM state is sent.

    This check box is cleared by default.

    Proceed to the next step of the wizard.

  10. If you have enabled display of additional Protection Server policy settings, configure the additional Protection Server settings.
    • Maximum number of simultaneous scan requests

      Maximum number of scan requests from Light Agents simultaneously processed by the Protection Server. Light Agents generate scan requests during protection of virtual machines and while running scan tasks.

      By default, the Protection Server can process 75 scan requests simultaneously.

    • Maximum number of scan tasks started by schedule

      Maximum number of simultaneous scan tasks running on the Protection Server that have been started according to the Light Agent schedule. These scan tasks are low-priority tasks for the Protection Server.

      By default, five low-priority scan tasks are performed simultaneously.

    • Maximum number of scan tasks started manually

      Maximum number of simultaneous scan tasks running on the Protection Server that were started manually. These scan tasks are high-priority tasks for the Protection Server.

      By default, five high-priority scan tasks are performed simultaneously.

    • Trace level

      Drop-down list where you can select the trace level for the Protection Server (scanserver service on the SVM). The trace levels are arranged so that each level includes all of the levels below it.

      The following items are available from the drop-down list:

      • Default value. Default value.
      • Tracing is disabled (0). Creation of trace files is disabled.
      • Starting and stopping components (100). Informational messages about starting and stopping the Protection Server.
      • Critical errors (200). Messages about critical errors in the operation of the Protection Server.
      • Errors (300). Messages about errors and critical errors in the operation of the Protection Server.
      • Critical warnings (400). Critical warnings and messages about ordinary and critical errors.
      • Warnings (500). All warnings and messages about ordinary and critical errors.
      • Important messages (600). Important messages, all warnings and messages about ordinary and critical errors.
      • Informational messages (700). Informational messages, important messages and all warnings and messages about ordinary and critical errors.
      • Debugging messages (800). Debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • Detailed debugging messages (900). Debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • All messages (1000). All possible messages and warnings.
    • Restore default settings

      Restores the default settings.

    Proceed to the next step of the wizard.

  11. Configure the connection of SVMs to the Integration Server.
    • Address

      IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the device on which Kaspersky Security Center Administration Console is installed is part of a domain, the field indicates the domain name of this device by default.

      If the device on which the Kaspersky Security Center Administration Console is installed is not part of a domain or the Integration Server is installed on another device, the field must be filled in manually.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    • Port

      Port for connecting to the Integration Server.

      By default, port number 7271 is specified.

    Proceed to the next step of the wizard.

    If the device hosting the Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the KLAdmins local or domain group or to the local administrator group, in the Connection to the Integration Server window that opens, specify the Integration Server administrator password (password of the admin account).

    The New Policy Wizard checks the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, the Verify Integration Server certificate window opens. You can view the details of the certificate received. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.

  12. If required, enable the use of encryption to protect the connection between Light Agents and Protection Servers.
    • Encrypt data channel between Light Agent and the Protection Server

      Encrypt the connection between Light Agents and Protection Servers.

      If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.

      If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.

      This check box is cleared by default.

    • Allow nonsecure connection if secure connection cannot be established

      Allow an unsecure connection between Light Agents and Protection Servers.

      If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.

      If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.

      This check box is cleared by default.

    Proceed to the next step of the wizard.

  13. If you want to control Light Agents' connection to SVMs using connection tags, configure the settings for using connection tags:
    • Allow connection of Light Agents with specified tags

      Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.

      If the check box is selected, only Light Agents with the specified tags can connect to the SVM.

      If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.

      The check box is cleared by default.

    • Tag list

      Only Light Agents that are assigned the tags specified in this field can connect to the SVM.

      You can specify one or more tags separated by semicolons.

  14. If required, Enable optimization for protection of large infrastructures.

    Proceed to the next step of the wizard.

  15. Exit the Policy Wizard.

The created policy will be displayed in the list of policies of the administration group on the Policies tab and in the Policies folder of the console tree.

The policy will be propagated to the SVM and will begin to be applied in the operation of the Protection Server on this SVM after the Kaspersky Security Center Administration Server sends information to the Protection Server the next time the SVM connects.

If Network Agent is not running on the SVM, the created policy is not applied on it.

If you selected the Inactive policy option during the previous step of the New Policy Wizard, the newly created policy is not applied on the SVM.

Page top

[Topic 254422]

Editing settings of the Protection Server policy

You can edit Protection Server policy settings using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to change Protection Server policy settings in Kaspersky Security Center Web Console

To edit Protection Server policy settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVMs on which the policy is applied. To do so, click the link in the Current path field in the upper part of the window and select an administration group in the window that opens.

    The list displays the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.

    The policy properties window opens.

  4. Modify the policy settings on the Application settings tab.

    If you want to configure additional settings of SVM operation, you need to enable the display of advanced Protection Server policy properties in the operating system registry.

  5. To save changes, click the Save button.

How to change Protection Server policy settings in Kaspersky Security Center Administration Console

To edit Protection Server policy settings:

  1. In the Managed devices folder in the Kaspersky Security Center Administration Console tree, open the folder with the name of the administration group to which the required SVMs belong.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.

    You can also open the policy properties window using the Settings item of the policy context menu or by clicking the Configure policy settings link located to the right of the list of policies in the policy settings section.

  4. Edit the policy settings.

    If you want to configure additional settings of SVM operation, you need to enable the display of advanced Protection Server policy properties in the operating system registry.

    The General and Event notification sections of the Settings: <Policy name> window are the standard sections of Kaspersky Security Center. For descriptions of the standard sections, please refer to the Kaspersky Security Center help.

  5. Click OK in the Properties: <Policy name> window.
Page top

[Topic 254496]

Managing the solution using tasks

You can manage Kaspersky Security for Virtualization 6.2 Light Agent using Protection Server tasks and Light Agent tasks.

A Protection Server task is a task that runs on an SVM and determines the operation settings of the Protection Server on that SVM. You can use Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console to work with Protection Server tasks.

A Light Agent task is a task that runs on a protected virtual machine with the Light Agent component installed and implements Light Agent functions. You can manage Light Agent tasks either centrally through Kaspersky Security Center or locally on protected virtual machines. For details, see the Help of the application that you are using in Light Agent mode.

You can use the following types of tasks in Kaspersky Security Center:

  • Group task – a task that is performed on the client devices of the selected administration group. In relation to the Kaspersky Security solution, group tasks are performed on SVMs or protected virtual machines that belong to administration groups.
  • Task for device sets – a task that runs on one or more SVMs or protected virtual machines, regardless of their membership in administration groups.

You can manage Kaspersky Security for Virtualization 6.2 Light Agent using the following Protection Server tasks:

  • Solution activation. The task lets you add a license key to the SVM to activate the solution or to extend the license period.
  • Database update. During the execution of this task, the Protection Server downloads a package of database updates required for the solution to operate and installs the database updates on the SVM.
  • Solution module update on the SVM. During the execution of this task, the Protection Server installs updates of the solution's application modules on the SVM.
  • Database update rollback. During the execution of this task, the Protection Server rolls back the latest update of the solution's databases on the SVM.

You can perform the following actions on Protection Server tasks in Kaspersky Security Center:

The Protection Server sends information about all events that occur during task execution to the Kaspersky Security Center Administration Server. For more information about managing tasks, see Kaspersky Security Center help.

In this section:

Creating a Protection Server task

Editing the Protection Server task settings

Starting and stopping tasks for the Protection Server

Viewing information on the progress and results of task execution

Page top

[Topic 254500]

Creating a Protection Server task

You can create Protection Server tasks using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to create a Protection Server task in Kaspersky Security Center Web Console

To create a Protection Server task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Click the Add button.

    The New Task Wizard starts.

  3. At the first step of the Wizard:
    1. In the Application drop-down list, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server.
    2. In the Task type drop-down list, select the type of task you want to create.
    3. In the Task name field, enter the name for the new task.
    4. In the Select devices to which the task will be assigned section, select a method for determining the task scope. A task scope is a set of SVMs on which a task will run.
      • Select the Assign task to an administration group option to execute the task on all SVMs belonging to the specified administration group.
      • Select the Specify device addresses manually or import from list option to execute the task on the specified SVMs.
      • Select the Assign task to selected devices option to execute the task on the SVMs included in the selection of devices according to a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, do one of the following:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required SVMs. If the required SVMs are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by names or IP addresses, add devices from the specified IP address range, or select devices from the list of devices detected by the Administration Server when polling the organization’s local network.
      • Using the Import devices from file button. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of SVMs from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • In the list, select the name of the selection containing the required SVMs.

    Proceed to the next step of the wizard.

  5. Configure the available task settings following the instructions of the wizard. The available options depend on the type of task being created.
  6. If you want to configure the schedule and other task settings that are not available in the New Task Wizard, select the Open task properties window after creation check box at the last step of the wizard.
  7. Click the Finish button to exit the Wizard.

How to create a Protection Server task in Kaspersky Security Center Administration Console

To create a Protection Server task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to create a task that will run on SVMs included in the selected administration group, select this administration group in the console tree. Then in the workspace, select the Tasks tab and click the New task button.

      A wizard starts to create a task for devices of the selected administration group.

    • If you want to create a task that will run on one or more SVMs (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

      A wizard starts to create a new task for a set of devices.

  2. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and the task type.

    Proceed to the next step of the wizard.

  3. If you are creating a task for a set of devices, the wizard will prompt you to define the task scope. A task scope is a set of SVMs on which a task will run.
    1. Specify the method for defining the task scope: select SVMs from the list of devices discovered by the Administration Server, manually specify the SVM addresses, import a list of SVMs from a file, or specify a previously configured selection of devices (for details, see the Kaspersky Security Center Help).
    2. Depending on the specified method for defining the scope, perform one of the following operations in the window that opens:
      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes in the list, on the left of the device names.
      • Click the Add or Add IP range button and enter the addresses of SVMs manually.
      • Click the Import button, and in the window that opens select a TXT file with the list of addresses of SVMs.
      • Click the Browse button, and in the window that opens specify the name of the selection containing the SVMs for which you want to create the task.

    Proceed to the next step of the wizard.

  4. Configure the available task settings following the instructions of the wizard.
  5. Enter the name of the new task and proceed to the next step of the wizard.
  6. If you want the task to start as soon as the wizard finishes, at the last step of the wizard, select the Run task when the wizard is complete check box.
  7. Finish the wizard.
Page top

[Topic 254509]

Editing the Protection Server task settings

You can edit Protection Server task settings using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to change Protection Server task settings in Kaspersky Security Center Web Console

To edit Protection Server task settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Do one of the following:
    • If you want to change the settings of a task that runs on all SVMs that are part of a specific administration group, click the link in the Current path field at the top of the window and select an administration group in the window that opens.

      The list displays only the tasks configured for the selected administration group.

    • If you want to change the settings of a task that runs on one or more SVMs (tasks for a set of devices), click on the link in the Current path field at the top of the window and select the top node named Administration Server in the window that opens.

      The list will display all tasks created on the Administration Server.

  3. In the list of tasks, select the required task and open the task properties window by clicking the link in the task name.
  4. Configure the task settings:
    • On the General tab, you can edit the task name.
    • On the Application settings tab, you can configure specific task settings. The set of configurable options depends on the type of task.
    • On the Schedule tab, you can configure the task launch schedule and advanced settings for starting and stopping the task.

    The General, Results, Settings, Schedule and Revision History tabs of the task properties window are standard for Kaspersky Security Center. For more information, see the Kaspersky Security Center Help.

  5. To save changes, click the Save button.

How to change Protection Server task settings in Kaspersky Security Center Administration Console

To edit Protection Server task settings:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to change the settings of a task that is executed on SVMs that are part of a specific administration group, select the administration group in the console tree, and then select the Tasks tab in the workspace.
    • If you want to edit the settings of a task that runs one or more SVMs (tasks for a set of devices), select the Tasks folder in the console tree.
  2. In the list of tasks, select the required task and double-click it to open the Settings: <Task name> window.

    You can also open the task properties window using the Settings item of the task context menu.

  3. Modify the task settings.
  4. Click the Apply button or the OK button in the Settings: <Task name> window to save the changes.
Page top

[Topic 254510]

Starting and stopping tasks for the Protection Server

You can start or stop Protection Server tasks using the Web Console as well as the Administration Console. You can start or stop a task at any time regardless of the selected task run mode.

Expand all | Collapse all

How to start or stop a Protection Server task in Kaspersky Security Center Web Console

To start or stop a Protection Server task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Do one of the following:
    • If you want to start or stop a task running on all SVMs that are part of a specific administration group, click the link in the Current path field at the top of the window and select an administration group in the window that opens.

      The list displays only the tasks created for the selected administration group.

    • If you want to start or stop a task that runs on one or more SVMs (a task for a set of devices), click the link in the Current path field at the top of the window and select the top node named Administration Server in the window that opens.

      The list will display all tasks created on the Administration Server.

  3. In the list of tasks, select the check box to the left of the task that you want to start or stop.
  4. Do one of the following:
    • If you want to start the task, click the Run button.
    • If you want to stop the task, click the Stop button.

How to start or stop a Protection Server task in Kaspersky Security Center Administration Console

To start or stop a Protection Server task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to start or stop a task that runs on SVMs that are part of a specific administration group, select the administration group in the console tree, and then select the Tasks tab in the workspace.
    • If you want to start or stop a task that runs one or more SVMs (tasks for a set of devices), select the Tasks folder in the console tree.
  2. In the list of tasks, select the required task, open the context menu of the task, and select the action you want to perform.
Page top

[Topic 254511]

Viewing information on the progress and results of task execution

You can view information about the progress and results of Protection Server tasks using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to view information about the execution of a Protection Server task in Kaspersky Security Center Web Console

To view Protection Server task execution information:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Do one of the following:
    • If you want to view information about a task that runs on all SVMs that are part of a specific administration group, click the link in the Current path field at the top of the window and select an administration group in the window that opens.

      The list displays only the tasks configured for the selected administration group.

    • If you want to change the settings of a task that runs on one or more SVMs (tasks for a set of devices), click on the link in the Current path field at the top of the window and select the top node named Administration Server in the window that opens.

      The list will display all tasks created on the Administration Server.

    Concise task execution information appears in the Status column in the task list.

  3. To view more detailed information about a task, do one of the following:
    • Open the task properties window by clicking the link in the task name and go to the Results tab.

      The table on the Results tab displays information about the execution of the task on devices.

    • Select the check box next to the name of the desired task in the task list and click the Execution Result button located above the list.

      The Task status window that opens displays a chart with information about the execution of the task on devices. The View results button opens the Results tab in the task properties window.

How to view information about the execution of a Protection Server task in Kaspersky Security Center Administration Console

You can view information on the progress and results of tasks in the Administration Console of Kaspersky Security Center in one of the following ways:

  • In the Task results window. The window can be opened using the Results item in the task context menu.
  • In the list of events that the Kaspersky Security solution sends to the Kaspersky Security Center Administration Server. You can view the lists of events on the Events tab in the workspace of the Administration Server <server name> node. Information on the Events tab is displayed as a set of event selections. Each selection includes only the events of a certain type. The list displays events from the selection that is currently specified in the Event selections drop-down list. To display a list of the selection events, use the Run selection button. To refresh the list, use the Refresh link.
Page top

[Topic 254468]

About access rights to the settings of policies and tasks in Kaspersky Security Center

Kaspersky Security Center provides role-based access to features of managed Kaspersky applications. The rights to access the settings of policies and tasks (read, write, and execute) are defined for each user who has access to the Kaspersky Security Center Administration Server. You can assign user accounts rights to perform certain actions in functional areas of the Kaspersky Security solution.

A single functional scope is allocated for the Kaspersky Security solution: Basic functionality. This functional scope includes the following settings and functions:

  • Settings for connecting SVMs to the Integration Server.
  • Settings for connecting Light Agents to SVMs.
  • SNMP monitoring settings.
  • Settings for using KSN in the operation of the Protection Server.
  • Additional Protection Server settings.
  • Task for activating the Kaspersky Security solution.
  • Task or rolling back the solution databases, and a task for rolling back the latest database update.
  • Task for updating the solution's application modules on SVMs.

The following actions are available to the user regardless of account rights in the functional areas of the Kaspersky Security solution:

  • Viewing the settings of policies.
  • Creating a policy.

    When creating a policy, the user can configure only settings related to the functional scopes for which the user account has modification rights.

To perform the following actions with policies and tasks, the user account must have rights in the functional areas of the Kaspersky Security solution:

  • Reconfiguration of a previously saved policy requires read and modification rights within the functional scopes of those settings.
  • Modifying the status of a policy (active/inactive) and removing the policy requires read and modification rights within the functional scopes of the policy settings closed with a "lock". If a policy has settings that are "locked" (in other words, these settings cannot be changed in child policies), and the user does not have read and modify rights within the functional scopes of these settings, the policy state cannot be deleted or modified. If a policy does not have settings for which it is prohibited to modify a parameter in child policies, the user can delete or modify the status of the policy regardless of the account's rights within the functional scopes of the solution.
  • Creation, removal, and configuration of the settings of tasks require read and modification rights within the functional scope of the task.
  • Viewing task settings requires read permissions within the functional scope of the task.
  • Execution rights within the functional scope of a task are required to run the task.

For more details on access rights to Kaspersky Security Center objects and on configuring access rights to functional areas of Kaspersky Security, see the Kaspersky Security Center Help.

Page top

[Topic 254469]

About Integration Server Console

Integration Server Console is installed on a device with a Windows operating system and is launched using an executable file or via a link from the Kaspersky Security Center Administration Console (if installed on the same device).

We do not recommend using Integration Server Console to manage the Linux-based Integration Server.

The Integration Server Console contains the following sections:

  • Integration Server settings

    This section displays the following information:

    • Version of the Integration Server with which the connection is established
    • Name of the user account that was used to establish the connection to the Integration Server
    • Type of authentication used when connecting to the Integration Server
    • IP address in IPv4 format or the fully qualified domain name (FQDN) of the Integration Server
  • Integration Server accounts

    In this section, you can change the passwords of the internal Integration Server accounts used to connect management consoles, SVMs, and Light Agents to the Integration Server.

  • List of connected SVMs

    In this section, you can view information about SVMs that are connected to the Integration Server.

  • SVM management

    This section opens by default after the Integration Server Console is started. In this section, you can run the SVM Management Wizard that lets you perform the following actions:

    • Deploy SVMs with the Protection Server component from an image in the virtual infrastructure.
    • Reconfigure previously deployed SVMs.
    • Remove SVMs.
  • Infrastructure connection settings

    In this section you can perform the following actions:

  • List of tenants

    If you use the solution in multitenancy mode, in this section you can view a list of all tenants registered in the Integration Server database.

  • Kaspersky Security Center connection settings

    If you use the solution in multitenancy mode and the tenant protection infrastructure was deployed using the Integration Server's REST API, then in this section you can configure connection settings required for the Integration Server REST API to interact with the Kaspersky Security Center Administration Server.

Page top

[Topic 254067]

Connecting to the Integration Server via Integration Server Console

If Integration Server Console is installed on the same device where the Kaspersky Security Center Administration Console is installed, you can open Integration Server Console from Kaspersky Security Center Administration Console.

If Integration Server Console is installed on a separate device independent of the Kaspersky Security Center components (for example, if you are using Kaspersky Security Center Linux), you can open Integration Server Console using the executable file located in the Integration Server Console installation folder.

How to open Integration Server Console from Kaspersky Security Center Administration Console and connect to the Integration Server

Before starting the Integration Server Console, if the device hosting the Integration Server Console belongs to a Microsoft Windows domain, make sure that your domain account belongs to a local or domain KLAdmins group or local administrator group on the device where the Integration Server is installed.

To open Integration Server Console and connect to the Integration Server:

  1. In the Kaspersky Security Center Administration Console tree, select the Administration Server: <server name> node.
  2. In the workspace of the node, on the Monitoring tab, in the Deployment block, follow the link Manage Kaspersky Security for Virtualization <version number> Light Agent, where <version number> is the number of the installed version of the Kaspersky Security solution.
  3. If one of the following conditions is satisfied, a window opens for entering the Integration Server connection settings:
    • If the device hosting the Integration Server Console does not belong to a Microsoft Windows domain.
    • If the device hosting the Integration Server Console belongs to a domain, but your domain account does not belong to a local or domain KLAdmins group or the group of local administrators on the device where the Integration Server is installed.
    • If the device hosting the Integration Server Console belongs to a domain but a connection to the Integration Server could not be established, the connection address and port specified in the Integration Server settings are used.

    Specify the following connection settings:

    • Integration Server address

      IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the Integration Server Console is installed on the same device as the Kaspersky Security Center Administration Server, the address specified in the settings of the Kaspersky Security Center Administration Server is used to connect to the Integration Server by default. You can change this address in the properties window of the Installation packages folder in the console tree (AdditionalRemote installationInstallation packages; the window opens when you select the Settings item in the context menu).

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    • Port

      Port number for connecting to the Integration Server.

    • Account name

      Name of the user account being used to establish the connection to the Integration Server.

      If the device hosting the Integration Server Console belongs to a domain, and your account belongs to the local or domain KLAdmins group or to the group of local administrators you can use your account. To do so, select the Use domain account check box.

      If the device hosting the Integration Server Console does not belong to a domain, or the device belongs to a domain but your domain account does not belong to a local or domain KLAdmins group or to the group of local administrators, you can use only the Integration Server administrator account.

    • Password

      Password of the user account being used to establish the connection to the Integration Server.

    • Use domain account

      Use of the domain account of the current user when connecting the Integration Server Console to the Integration Server.

      If the check box is selected, the domain account is used to connect to the Integration Server. Make sure that your domain account is part of the KLAdmins group or the local administrator group on the computer where the Integration Server is installed.

      If the check box is cleared, the Integration Server administrator account (admin) is used to connect to the Integration Server.

      This check box is cleared by default.

    Click the Connect button.

  4. The Console checks the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Verify certificate window with the appropriate message opens. Click the link in this window to view the details of the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    To continue connecting to the Integration Server, click the Trust the certificate button in the Verify certificate window. The certificate that has been received is installed as a trusted certificate. The certificate is saved in the registry of the operating system on the device hosting the Integration Server Console.

The Integration Server Console opens. The Integration Server settings section of Integration Server Console displays the address and port of the Integration Server to which the connection is made, and the Integration Server version.

How to open Integration Server Console using the executable file and connect to the Integration Server

To open Integration Server Console and connect to the Integration Server:

  1. Run the following command:

    Kaspersky.VIISConsole.UI.exe /lang:<language ID>

    where:

    • Kaspersky.VIISConsole.UI.exe is a file located in the %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\ folder on the device where you installed the Integration Server and Integration Server Console.
    • <language ID> – Integration Server Console language identifier formatted as follows: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.
  2. Specify the following connection settings:
    • Address and port of the Integration Server to which the connection is established.

      For the address, you can specify the IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    • The Integration Server administrator password that you set when installing Integration Server.
  3. The Console checks the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Verify certificate window with the appropriate message opens. Click the link in this window to view the details of the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    To continue connecting to the Integration Server, click the Trust the certificate button in the Verify certificate window. The certificate that has been received is installed as a trusted certificate. The certificate is saved in the registry of the operating system on the device hosting the Integration Server Console.

The Integration Server Console opens. The Integration Server settings section of Integration Server Console displays the address and port of the Integration Server to which the connection is made, and the Integration Server version.

Page top

[Topic 77367]

About the Integration Server Web Console

If you use Kaspersky Security Center Web Console, you can manage the Integration Server using the Integration Server Web Console. Integration Server Web Console is available in Kaspersky Security Center Web Console in the SettingsKaspersky Security for Virtualization <version number> Light Agent – Integration Server section after you install the Integration Server web plug-in.

The main page of Integration Server Web Console displays information about the connection to the Integration Server. If the connection is established, the address and port of the connection and the Integration Server version are displayed.

The Integration Server Web Console contains the following sections:

  • Integration Server accounts

    In this section, you can change the passwords of the internal Integration Server accounts used to connect management consoles, SVMs, and Light Agents to the Integration Server.

  • List of connected SVMs

    In this section, you can view information about SVMs that are connected to the Integration Server.

  • SVM management

    In this section, you can create the following tasks for the Integration Server:

    You create tasks using the wizard. After a task is created and started, it appears in the task list and is added to the task queue on the Integration Server.

    The task list in the SVM management section contains the tasks that you created and ran using the wizard (SVM deployment, reconfiguration, and removal tasks), as well as SVM image verification tasks that are created automatically when you run an SVM image integrity check while creating SVM deployment tasks. The task is placed in the list immediately after its creation and is automatically deleted from the list some time after the task has been completed (successfully or with an error) or canceled.

    You can view information about each task and its execution status. By clicking the link on a task name, you can view detailed information about the task and a list of all SVMs on which the task is being executed. For Deployment and Reconfiguration tasks, you can use the link on the SVM name to view information about the execution of stages of a task on the selected SVM.

  • List of virtual infrastructures

    This section displays a list of virtual infrastructures to which the Integration Server connects.

    In this section, you can:

    • Configure the Integration Server's connection to the virtual infrastructure. For each infrastructure in which the solution will be deployed, you need to specify the settings for connecting the Integration Server to the infrastructure object that the Integration Server needs to interact with. In an infrastructure based on VMware vSphere, you can also configure a connection to VMware NSX Manager.
    • Change the settings for the Integration Server's connection to the virtual infrastructure.
    • View the status of the connection between the Integration Server and the virtual infrastructure.
    • Remove virtual infrastructures from the list of infrastructures to which the Integration Server connects.
  • Multitenancy mode

    If you use the solution in multitenancy mode and the tenant protection infrastructure was deployed using the Integration Server REST API, then in this section you can specify the connection settings required for the interaction of the Integration Server REST API with the Kaspersky Security Center Administration Server.

    In this section, you can also view a list of all tenants registered in the Integration Server database, regardless of the method that was used to deploy the tenant protection structure.

Page top

[Topic 257761]

Connecting to the Integration Server via Integration Server Web Console

To connect to the Integration Server via Integration Server Web Console:

  1. In the main window of Kaspersky Security Center Web Console, select SettingsKaspersky Security for Virtualization <version number> Light Agent – Integration Server.

    The main page of Integration Server Web Console and the Connection settings window for entering the settings for connecting to the Integration Server will open.

    If the connection window does not open automatically, click the Connect button located on the main page of Integration Server Web Console.

  2. In the Connection settings window, specify the following settings:
    • Address

      IP address in IPv4 format or fully qualified domain name of the Integration Server.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    • Port

      Port number for connecting to the Integration Server.

    • Password

      Password of the Integration Server administrator account (admin)

      Using a domain account is not supported when connecting to the Integration Server via Integration Server Web Console.

    Using a domain account is not supported when connecting to the Integration Server via Integration Server Web Console.

    Click the Connect button.

  3. The Integration Server web plug-in verifies the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Verify certificate window with the appropriate message opens. Click the link in this window to view the details of the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.

    To continue connecting to the Integration Server, click the Confirm and continue button in the Verify certificate window. The certificate that has been received is installed as a trusted certificate.

The main page of Integration Server Web Console displays the address and port of the Integration Server to which the connection is made, and the Integration Server version.

If necessary, you can open the Integration Server connection settings window by clicking Edit connection settings.

When the Integration Server is restarted, the connection to the Integration Server is interrupted. Re-authorization is required after a restart.

If you do not perform any action in Integration Server Web Console for 25 minutes, the connection to the Integration Server is automatically terminated. Re-authorization is required after the connection is terminated.

You can also disconnect from the Integration Server manually.

To disconnect from the Integration Server:

  1. In the main window of Kaspersky Security Center Web Console, select SettingsKaspersky Security for Virtualization <version number> Light Agent – Integration Server.
  2. On the main page of the Integration Server Web Console, click Disconnect.

The Integration Server connection session is finished. The main page of the Integration Server Web Console indicates the absence of a connection.

You can also terminate the connection to the Integration Server by closing Kaspersky Security Center Web Console.

Page top

[Topic 292452]

About the End User License Agreement

The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the Kaspersky application.

Read through the terms of the End User License Agreement carefully before you start using the solution.

The following components of Kaspersky Security for Virtualization 6.2 Light Agent have their own end user license agreements:

  • Light Agent for Linux (Kaspersky Endpoint Security for Linux application running in Light Agent mode)
  • Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)
  • Network Agent for Linux, used in the operation of Kaspersky Endpoint Security for Linux
  • Network Agent for Windows, used in the operation of Kaspersky Endpoint Security for Windows

You can read the terms of the end user license agreements for the Kaspersky Security solution and its components, and the Privacy Policy, which describes the processing and transfer of data, in the following ways:

  • After reading the license.txt files included in the solution's distribution kit and in the distribution kits of the applications running in Light Agent mode.
  • During installation of solution components.

    By confirming that you agree with the End User License Agreement during initial configuration of the solution, you accept the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must stop installing the solution and must not use the solution.

  • After installing the solution components.

After installing the Kaspersky Security solution, you can find the files containing the text of the End User License Agreement for the Kaspersky Security solution and the text of the Privacy Policy:

  • on the device where the management MMC plug-ins for Kaspersky Security, Windows-based Integration Server and/or Integration Server Console are installed:

    %ProgramFiles(x86)%\Kaspersky Lab\KSV\Kaspersky Security for Virtualization <version number> Light Agent\EULA\license_<language identifier>.txt

    where:

    • <version number> refers to the number of the installed version of the Kaspersky Security solution;
    • <language identifier> is the identifier of the localization language of the installed Kaspersky Security components;
  • on the device where the Linux-based Integration Server is installed:

    /opt/kaspersky/viis/doc/EULA/<language identifier>/license.txt

    where <language identifier> is the identifier of the localization language of the Integration Server;

  • On a deployed SVM:

    /opt/kaspersky/ksvla/share/doc/license.<language identifier>

    where <language ID> is the identifier of the End User License Agreement localization language.

You can find files with the text of the end user license agreements for Light Agents on virtual machines where applications running in Light Agent mode are installed.

You can find files with the text of the End User License Agreement for Network Agent for Linux:

  • On a virtual machine where Kaspersky Endpoint Security for Linux is installed and running in Light Agent mode
  • On a deployed SVM:

    /opt/kaspersky/klnagent64/share/license/license_<language identifier.txt

    where <language ID> is the identifier of the End User License Agreement localization language.

Page top

[Topic 255036]

About data provision

By accepting the terms of the Kaspersky Security End User License Agreement, you agree to automatically send the following information to Kaspersky:

  • When updating Kaspersky Security databases and application modules:
    • ID of Kaspersky Security
    • ID of the current license
    • Unique ID of the Kaspersky Security installation
    • Unique ID of the update task start
    • Full version of Kaspersky Security
  • When following links from the Kaspersky Security interface:
    • Kaspersky Security type
    • Kaspersky Security version
    • Kaspersky Security interface language
    • ID of the web page being accessed
    • Name of the link to the web page being accessed
  • If an activation code is being applied to activate Kaspersky Security:
    • Kaspersky Security solution activation code
    • Date and time on the SVM
    • Kaspersky Security solution ID
    • Kaspersky Security solution ID obtained from the license
    • A set of IDs of compatible applications that can be activated on the SVM
    • Full version of the Kaspersky Security solution
    • Localization of the Kaspersky Security solution
    • Unique ID of the SVM
    • Kaspersky Security solution installation ID
    • family, version, edition, build number, operating system update number, and extended information about the OS edition

    Information is sent periodically for the purpose of verifying that the solution is being used appropriately.

    Kaspersky may use this information to generate statistical information about the distribution and use of Kaspersky software.

    By using an activation code, you agree to automatically send to Kaspersky the data listed above. If you do not agree to send this information, you must use a key file to activate Kaspersky Security.

The received information is protected by Kaspersky in accordance with the requirements established by the law and the current Kaspersky rules. Data is transmitted via encrypted communication channels.

For more detailed information about processing, storage, and destruction of information obtained during the use of the solution and sent to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.

Page top

[Topic 254068]

About the license

A license is a time-limited right to use a Kaspersky application, granted under the End User License Agreement.

The available functionality and period for use of the application depend on the type of license under which the application is being used.

The following license types are available for Kaspersky applications:

  • Trial – a free license intended for trying out a Kaspersky application.

    Trial licenses have a short validity period. When the trial license expires, Kaspersky applications no longer perform all of their functions. To continue using the application, you need to purchase a commercial license.

    You can activate a Kaspersky application under a trial license for only one trial period.

  • Commercial — a paid license.

    The main functions of a Kaspersky application stop working when a commercial license expires.

Kaspersky Security for Virtualization 6.2 Light Agent stops updating the solution's database and using Kaspersky Security Network after the commercial license expires. You can still protect and scan virtual machines, but only using the solution databases that were installed before the license expiration date. To continue using Kaspersky Security in fully functional mode, you must renew your commercial license.

It is recommended to renew the license before its expiration date to ensure maximum protection of virtual machines against security threats.

The main licenses for Kaspersky Security for Virtualization 6.2 Light Agent are available in the following two editions:

  • Standard license
  • Enterprise license

A main license is required to activate the solution. The type of the main license determines the how much of the solution's functionality is available.

A main license for the solution may or may not include additional Light Agent functionality (for example, integration with Kaspersky Detection and Response solutions). To activate additional Light Agent functionality, you can use separate licenses, for example, a license to activate the functionality of Kaspersky Endpoint Detection and Response Optimum. If the main license under which you are using the solution does not include the additional functionality you need, you will need to purchase a separate license to activate the additional functionality.

To clarify the range of functionality included in the main license and a license obtained for additional functionality, please contact the Kaspersky partner from whom you are purchasing the license.

Keep in mind that the scope of functionality available on the Light Agent depends on the license under which the solution is activated on the SVM:

  • If you want to use the Light Agent functionality included in the Enterprise license, you need to connect the Light Agent to a SVM on which the solution is activated under the Enterprise license. When connecting to an SVM on which the solution is activated under a Standard license, less functionality is available on the Light Agent.
  • If you want to use additional Light Agent functionality (for example, integration the Kaspersky Detection and Response solution or integration with Kaspersky Unified Monitoring and Analysis Platform), you need to connect the Light Agent to an SVM on which the solution is activated under a license that includes this additional functionality, or to an SVM for which a separate license key for activating the additional functionality has been added. When a Light Agent is disconnected from the current SVM and connects to an SVM on which additional functionality has not been activated, the functionality becomes unavailable on the Light Agent.

To prevent Light Agents from switching between SVMs with different license types, you can use connection tags or a list of SVMs available for connection to limit the number of SVMs available to a Light Agent.

The following licensing schemes are available for Kaspersky Security for Virtualization 6.2 Light Agent:

  • Licensing based on the number of virtual machines protected using the solution. This licensing scheme uses keys for virtual machines regardless of the operating system type, as well as server keys and desktop keys (depending on the operating system type of the virtual machines). In accordance with the license restriction, the solution is used to protect a certain number of virtual machines.

    You have the right to use the Kaspersky Security solution under a license with a limitation on the number of workstations only to protect virtual machines with desktop operating system or to protect devices that are used as workstations, including as part of VDI.

  • Licensing by number of cores used in the physical processors on the hypervisors on which protected virtual machines are running. This licensing scheme employs keys with a limitation on the number of processor cores. In accordance with the license restrictions, the solution is used to protect all virtual machines with the Light Agent component, which can run on hypervisors that use a certain number of physical processor cores.
  • Licensing by the number of processors used on the hypervisors on which protected virtual machines are running. This licensing scheme employs keys with a limitation on the number of processors. In accordance with the license restrictions, the solution is used to protect all virtual machines with the Light Agent component, which can run on hypervisors that use a certain number of processors.
Page top

[Topic 255040]

About the License Certificate

The License Certificate is a document provided together with the key file or activation code after purchasing or ordering a trial version of a Kaspersky application.

If you use the Kaspersky application under a subscription, no license certificate is issued.

The License Certificate contains the following license information:

  • Information about the license user
  • Information about the Kaspersky application that can be activated under the provided license
  • Restrictions on the number of licensing units (for example, devices on which the application can be used under the license)
  • License start date
  • License expiration date or validity period
  • License type
Page top

[Topic 255041]

About license key

The license key (hereinafter also "key") is a sequence of bits that can be used to activate the Kaspersky application for further use in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky.

You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. After you add a key to the application, the license key is displayed in the user interface of the Kaspersky application as a unique alphanumeric sequence.

After adding keys, you can replace them with other keys.

Kaspersky can block a key over violations of the End User License Agreement. If the key is blocked, add another license key must be added for the application to work.

For Kaspersky Security for Virtualization 6.2 Light Agent, the following types of license keys are available (based on the type of license restriction):

  • Keys with a limitation on the number of protected virtual machines: key for virtual machines regardless of operating system type, server key, desktop key. If a key of this key type is added, the solution is used to protect a specific number of virtual machines.
  • Key with a limitation on the number of processor cores – If this type of key is added, the solution is used to protect all virtual machines on hypervisors using a certain number of physical processor cores.
  • Key with a limitation on the number of processors – If this type of key is added, the solution is used to protect all virtual machines on hypervisors using a certain number of processors.

A license key can be added as an active key or as a reserve key.

  • Active key – the license key currently being used to run the Kaspersky application. A trial license key, commercial license key (commercial key), or subscription key can be added as the active key.

    To activate components of the Kaspersky Security for Virtualization 6.2 Light Agent solution, you must add the license key to the SVM.

    If you are using a per-core or per-processor licensing scheme, each SVM can have only one active key providing the solution's basic functionality. If you are using a licensing scheme based on the number of virtual machines, then one SVM can have two active keys for the solution's basic functionality: a server key and a desktop key. Two keys must be added if the SVM is used to protect both servers and workstations.

    If the main license under which you are using the solution does not include the additional functionality you need, then after activating the solution, you need to add an active key that provides the additional functionality to the SVM.

  • Reserve key – a key that confirms the right to use the Kaspersky application, but is not currently being used. The reserve key automatically becomes active when the license associated with the current active key expires.

    To extend the term of the solution's main license, you can add a reserve key for the basic functionality. If you have activated additional functionality under a separate license, you can also add a reserve key for additional functionality.

    The active and reserve keys must have the same license restriction type and must correspond to the same license type (Standard license / Enterprise license).

A trial license key or a subscription key can be added only as the active key. A trial license key or a subscription key cannot be added as a reserve key. A trial license key cannot replace the active commercial key.

Page top

[Topic 77309]

About the activation code

An activation code is a unique sequence of twenty Latin letters and numerals. You enter the activation code to add a license key that activates Kaspersky Security for Virtualization 6.2 Light Agent.

You receive the activation code at the email address that you provided when you bought the Kaspersky Security solution or requested the trial version of the solution.

To activate the Kaspersky Security solution with an activation code, you need Internet access in order to connect to Kaspersky activation servers.

If you have lost your activation code after activating the application, please contact the Kaspersky partner from whom you purchased the license.

Page top

[Topic 255046]

About the key file

A key file is a file with the .key extension that you receive from Kaspersky. A key file is for adding a key that activates Kaspersky Security for Virtualization 6.2 Light Agent.

You receive the key file at the email address that you provided when you bought the Kaspersky Security solution or requested the trial version of the solution.

You do not need to connect to Kaspersky activation servers in order to activate the solution with a key file.

You can restore a key file if it has been accidentally deleted. To restore the key file, contact Kaspersky partner that sold you a license.

Page top

[Topic 255049]

About subscription

A Kaspersky Security subscription is a purchase of use of the solution in accordance with specific parameters (subscription expiration date, number of devices protected). You can order a subscription for Kaspersky Security from your service provider (such as your ISP). You can renew your subscription or opt out of it.

Subscription can be limited (for one year, for example) or unlimited (without an expiration date). To continue using Kaspersky Security after a limited subscription expires, you must renew it. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.

If your subscription ends, you may be offered a grace period for subscription renewal, during which the solution retains its functionality. The vendor decides whether or not to grant a grace period and, if so, determines the duration of the grace period.

If your subscription has not been renewed by the end of the grace period, Kaspersky Security continues to work but stops updating the solution databases and stops using Kaspersky Security Network.

To use Kaspersky Security under subscription, you have to apply the activation code received from the vendor. After the activation code is applied, a subscription key (an active key that corresponds to the subscription license for the solution) is added to the solution. Information about this key is displayed in the Kaspersky Security Center interface.

SVMs on which the solution is used under a subscription send events to Kaspersky Security Center when the subscription status changes or the subscription parameters are modified by the service provider. If the subscription has expired, the SVM status in Kaspersky Security Center changes to Critical.

If you want to cancel your subscription and continue to use the solution under a commercial license, you can add a commercial key as a reserve key to an SVM in advance. This key is applied automatically as the active key when your limited subscription ends or when you cancel your unlimited subscription. To cancel your subscription, contact the vendor that sold you Kaspersky Security.

A subscription key can be added only as the active key. A subscription key cannot be added as a reserve key.

Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Security.

Page top

[Topic 197628]

License-specific solution functionality

The set of available functions of Kaspersky Security for Virtualization 6.2 Light Agent depends on the type of the main license.

The main license may include additional Light Agent functionality. For example, a license for Kaspersky Next XDR Expert International Edition activates the functionality available under the Enterprise license, as well as the ability to integrate with Kaspersky Unified Monitoring and Analysis Platform, Kaspersky Endpoint Detection and Response Expert, and Kaspersky Endpoint Detection and Response (KATA).

To activate additional Light Agent functionality, you can use separate licenses, for example, a license to activate the functionality of Kaspersky Endpoint Detection and Response Optimum.

To clarify the range of functionality included in the main license and a license obtained for additional functionality, please contact the Kaspersky partner from whom you are purchasing the license.

The table below lists the key functions of the solution available under the Standard and Enterprise licenses.

Comparison of solution functions available by license type

Feature

Standard license

Enterprise license

Advanced SVM selection capabilities (use of connection tags and configuration of the SVM selection algorithm)

green_check

green_check

Light Agent for Linux

File Threat Protection

green_check

green_check

Removable Drives Scan

green_check

green_check

Firewall Management

green_check

green_check

Web Threat Protection

green_check

green_check

Network Threat Protection

green_check

green_check

Anti-Cryptor (for shared folders)

Only for servers

green_check

Behavior Detection

green_check

green_check

Container Scan

red_cross

green_check

Device Control

green_check

green_check

Application Control

Only for workstations

green_check

Web Control

green_check

green_check

System Integrity Monitoring

red_cross

green_check

Light Agent for Windows

File Threat Protection

green_check

green_check

Web Threat Protection

green_check

green_check

Mail Threat Protection

green_check

green_check

Firewall

green_check

green_check

Network Threat Protection

green_check

green_check

BadUSB Attack Prevention

green_check

green_check

AMSI Protection

green_check

green_check

Kaspersky Security Network

green_check

green_check

Behavior Detection

green_check

green_check

Exploit prevention

green_check

green_check

Intrusion Prevention

green_check

(functionality not available on servers)

green_check

(functionality not available on servers)

Remediation Engine

green_check

green_check

Log Inspection

red_cross

green_check

(functionality not available on workstations)

Application Control

Only for workstations

green_check

Device Control

green_check

green_check

Web Control

green_check

green_check

System Integrity Monitoring

red_cross

green_check

(functionality not available on workstations)

Page top

[Topic 255050]

About activating Kaspersky Security for Virtualization 6.2 Light Agent

Solution activation is the process of activating a license that allows you to use a fully-functional version of the solution until the license expires.

To activate Kaspersky Security for Virtualization 6.2 Light Agent, you need to add the main license key for the solution to all the SVMs. Adding a key to an SVM lets you activate all components of the solution. You do not need to separately activate the applications used as Light Agents in the solution.

If your main license does not include additional Light Agent functionality that you need (for example, integration with the Kaspersky Detection and Response solution), then in order to use this functionality, you need to add a separate license key for activating the additional functionality to the SVM after you add the main license key for the solution.

To add reserve keys to the SVM, use the Solution activation task for the Protection Server. The activation task allows you to add a key that is stored in Kaspersky Security Center key storage of to the SVM.

Automatic distribution of license keys is not supported.

Put a key in the Kaspersky Security Center key storage while creating an activation task or in advance. You can add a key to the Kaspersky Security Center key storage in one of the following ways:

  • Using the key file
  • Using the activation code

After activating the solution on an SVM, the Protection Server component installed on this SVM sends license information to Light Agents connected to the SVM. If the key status changes, the Protection Server notifies the Light Agents.

If the license information is not sent, the Light Agent ceases to perform its functions.

Information about license keys added to the SVM can be viewed in the Kaspersky Security Center Administration Console or in the Web Console. You can view information about the license used by Light Agent on a protected virtual machine with Light Agent.

The solution must be activated on an SVM with an accurate system date and time. If the system date and time are changed after activation of the solution, the key becomes void. The solution switches to a mode without database updates, and Kaspersky Security Network is unavailable. In this case, you need to redeploy the SVM and activate the solution on the SVM.

If your infrastructure has multiple instances of the Kaspersky Security solution installed running on multiple Kaspersky Security Center Administration Servers that are not organized in a hierarchy, you can activate different instances of Kaspersky Security by adding the same key. A key previously added to an SVM administered by a single Kaspersky Security Center Administration Server can be added to an SVM administered by a different Kaspersky Security Center Administration Server if the validity period of the license linked to the key has not expired.

When license restrictions are checked, the total number of licensing units on which the key is used on all Kaspersky Security Center Administration Servers is taken into account.

To use a previously added key without violating licensing restrictions:

  1. Remove SVMs on which the solution has been activated using this key on the same Kaspersky Security Center Administration Server.
  2. Create and run a Solution activation task on a different Kaspersky Security Center Administration Server. A key added to the Kaspersky Security Center key storage can be exported in advance from one Kaspersky Security Center Administration Server to another Administration Server (see the Kaspersky Security Center help for details).

In this section:

Conditions for activating the solution using an activation code

Important considerations when adding keys

Page top

[Topic 255097]

Conditions for activating the solution using an activation code

To be able to add a key to the Kaspersky Security Center key storage and activate the solution using an activation code, you need a connection to Kaspersky activation servers. The Key Storage Wizard sends data to Kaspersky activation servers to validate the activation code that was entered.

The activation proxy service establishes a connection to the activation servers. If the activation proxy service is disabled, the key cannot be added to the storage by using an activation code. If Internet access is provided via a proxy server, the proxy server settings must be configured in the properties of the Kaspersky Security Center Administration Server.

For more detailed information about the activation proxy service and proxy server settings, please refer to the Kaspersky Security Center help.

Page top

[Topic 255098]

Important considerations when adding keys

When adding keys, you should take the following into consideration:

  • You cannot add multiple active license keys of the same type providing basic functionality to a single SVM (for example, multiple server keys or multiple keys with a restriction on the number of processors). If a license key has already been added to an SVM, and you add a new key of the same type, then the new key replaces the previously added key.
  • If you are using a licensing scheme based on the number of protected virtual machines that distinguishes server keys and desktop keys, on the SVM you must add a key that matches the type of the guest operating system of the virtual machines you want to protect:
    • If the SVM only protects virtual machines with server operating systems, you need to add a server key to the SVM.
    • If the SVM only protects virtual machines with desktop operating systems, you need to add a desktop key to the SVM.
    • If the SVM protects virtual machines with server operating systems and desktop operating systems, you need to add two keys to the SVM: a server key and a desktop key.

    If you are using a licensing scheme based on the number of protected virtual machines regardless of the operating system type, a licensing scheme based on the number of CPU cores, or a licensing scheme based on the number of CPUs, you need one key (with the corresponding licensing limitation) regardless of the operating system of the protected virtual machines.

  • Simultaneous use of keys corresponding to different licensing schemes to activate basic functionality on SVMs is not supported. If a license key providing basic functionality has already been added to an SVM, and you add a new key corresponding to a different licensing scheme, then the new key replaces the previously added key. For example, suppose a desktop key and a server key have been added to SVMs (licensing scheme based on the number of virtual machines), and then you add a core-limited key (licensing scheme based on the number of cores). The task will remove the active and (if any) reserve desktop and server keys. They are replaced by the key with a limitation on the number of processor cores, which is added as an active key.

    A desktop key and server key can be used simultaneously on SVMs — these keys correspond to the same licensing scheme (based on the number of virtual machines).

  • A key that was removed from one SVM can be added to another SVM if the term of the license bound to the key has not expired.
  • Simultaneous use of commercial keys and subscription keys on an SVM is not supported. For example, if you add a commercial key on an SVM with a previously added subscription key, the subscription key is removed from the SVM. The commercial key is added in its place.
  • A reserve key can be added only if an active key has been added The active and reserve keys must have the same license restriction type and must correspond to the same license type (Standard license / Enterprise license).
  • A key for additional functionality can be added to an SVM regardless of the type of main license key added to that SVM.
  • A key for additional functionality can be added only after adding the main license key for the solution.
  • You cannot add multiple active license keys to an SVM to activate the same additional functionality of Light Agents (for example, multiple keys to activate the Kaspersky Endpoint Detection and Response Optimum functionality). If an SVM already has some additional functionality activated and you add a new key to activate the same additional functionality, the new key replaces the previously added key.
Page top

[Topic 255172]

Procedure for activating the solution

To activate the solution:

  1. Create a Solution activation task for the Protection Server. The task scope must include the SVMs on which you want to activate the solution.

    When creating a task, use the main solution license key added to the Kaspersky Security Center key storage. You can add a license key to the Kaspersky Security Center key storage in advance or when creating an activation task.

  2. Run the Solution activation task and make sure that the task completed successfully.

    If you add an active key, the task activates the solution on those SVMs on which an active key was missing. On SVMs on which the solution is already activated, the task replaces the old key with the new one.

    If the number of licensing units for which the key is used exceeds the number specified in the License Certificate, Kaspersky Security sends the Kaspersky Security Center Administration Server an event indicating a violation of license restrictions (for more information, see the Kaspersky Security Center Help).

  3. If the main license under which you have activated the solution does not include the additional Light Agent functionality that you need, you need to create and run another activation task. When creating this task, use a license key that provides the additional functionality. Adding a key that provides the additional functionality is no different from adding the main license key for the solution.
  4. Make sure that Light Agents are connected to the SVMs to which you added the license key.

In this section:

Adding a key to the key storage of Kaspersky Security Center

Creating a Solution Activation task

Page top

[Topic 255173]

Adding a key to the key storage of Kaspersky Security Center

You can add keys to the Kaspersky Security Center key storage using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to add a key to the Kaspersky Security Center key storage in Kaspersky Security Center Web Console

To add a key to Kaspersky Security Center key storage:

  1. In the main window of Kaspersky Security Center Web Console, select the OperationsLicensing → Kaspersky Licenses.

    A list of license keys added to the Kaspersky Security Center key storage is displayed.

  2. Click the Add button.
  3. In the window that opens, select the method for adding the key to the storage:
    • Enter activation code to add the key using an activation code.
    • Add key file to add the key using a key file.
  4. At the next step in the wizard, depending on your selected add key method:
    • Enter the activation code and click the Submit button.
    • Click the Select key file button and in the window that opens, select the file with the key extension.
  5. Click Close.

The added key will appear in the key storage.

How to add a key to the Kaspersky Security Center key storage in Kaspersky Security Center Administration Console

To add a key to Kaspersky Security Center key storage:

  1. In the Kaspersky Security Center Administration Console tree, select the Kaspersky licenses folder.

    The workspace shows a list of license keys added to the Kaspersky Security Center key storage.

  2. Click the Add activation code or key file button.

    The Key Storage Wizard starts.

  3. In the Select application activation method window of the Wizard, select the method used to add the key to storage:
    • If you want to add the key using an activation code, click the Activate application with activation code button.
    • To add the key using a key file, click the Activate application with key file button.
  4. At the next step in the wizard, depending on your selected add key method:
    • Enter the activation code.
    • Specify the path to the key file. To do so, click the Browse button and select the file (with the KEY extension) in the opened window.

    Proceed to the next step of the wizard.

  5. Finish the Key Storage Wizard.

The newly added key will be displayed in the key storage in the Kaspersky licenses folder.

You can use keys added to the Kaspersky Security Center key storage when creating a Solution activation task for the Protection Server.

Page top

[Topic 255174]

Creating a Solution activation task

You can create solution activation tasks using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to create an Activation task in Kaspersky Security Center Web Console

To create an activation task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Click the Add button.

    The New Task Wizard starts.

  3. At the first step of the Wizard:
    1. In the Application drop-down list, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server.
    2. In the Task type drop-down list, select the Solution activation task type.
    3. In the Task name field, enter the name for the new task.
    4. In the Select devices to which the task will be assigned section, select a method for determining the task scope. A task scope is a set of SVMs on which a task will run.
      • Select the Assign task to an administration group option to execute the task on all SVMs belonging to the specified administration group.
      • Select the Specify device addresses manually or import from list option to execute the task on the specified SVMs.
      • Select the Assign task to selected devices option to execute the task on the SVMs included in the selection of devices according to a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, do one of the following:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required SVMs. If the required SVMs are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by names or IP addresses, add devices from the specified IP address range, or select devices from the list of devices detected by the Administration Server when polling the organization’s local network.
      • Using the Import devices from file button. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of SVMs from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • In the list, select the name of the selection containing the required SVMs.

    Proceed to the next step of the wizard.

  5. Click the Select key button. The Kaspersky Security Center key storage window opens. If you added a key to Kaspersky Security Center key storage in advance, select the key and click OK.

    If the required key is not in the key storage, you can add it without interrupting the New Task Wizard. To do this, click the Add a new key to the storage button located at the bottom of the Kaspersky Security Center key storage window. This starts the Key Storage Wizard, which is for adding a key to the Kaspersky Security Center key storage. Follow the wizard instructions.

    After you select a key, the following information is displayed in the lower part of the window:

    • License key – a unique alphanumeric sequence.
    • License type – trial, commercial, or commercial (subscription).
    • License term – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
    • Grace period – the number of days after the subscription ends during which the solution retains its functionality. The field is displayed if you are using the solution under a subscription and the service provider with which you registered your subscription offers a grace period for renewing your subscription. If you are using the solution under an unlimited subscription, the field value is Unavailable.
    • Expires on – the date and time when your right to use the solution activated with the current key expires. If you are using the solution under an unlimited subscription, the field value is Unlimited.
    • Restriction – depends on the key type:
      • the maximum number of virtual machines that you can protect
      • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
      • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
    • Available functionality – by following the link, you can view information about the available solution functionality, which depends on the license edition.
  6. To use the selected key as a reserve key, select the Use the license key as a reserve key check box.

    The check box is not available when adding a key for a trial license or a subscription key. A trial license key or a subscription key cannot be added as a reserve key.

    Proceed to the next step of the wizard.

  7. If you want to configure the launch schedule for the activation task, select the Open task properties window after creation check box. For more information about the task schedule, see the Kaspersky Security Center Help.
  8. Click the Finish button to exit the Wizard.

How to create an activation task in Kaspersky Security Center Administration Console

To create an activation task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to create a task that will run on SVMs included in the selected administration group, select this administration group in the console tree. Then in the workspace, select the Tasks tab and click the New task button.

      A wizard starts to create a task for devices of the selected administration group.

    • If you want to create a task that will run on one or more SVMs (a task for a set of devices):
      • In the console tree, select the Tasks folder and click the New task button in the workspace.
      • In the console tree, select the Kaspersky licenses folder and click the Automatically distribute a license key to managed devices button in the workspace.

      A wizard starts to create a new task for a set of devices.

  2. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and the Solution activation task type. If you launched the New Task Wizard from the Kaspersky licenses folder, you do not need to select a task type.

    Proceed to the next step of the wizard.

  3. Click the Add button. The Kaspersky Security Center key storage window opens. If you added a key to Kaspersky Security Center key storage in advance, select the key and click OK.

    If the required key is not in the key storage, you can add it without interrupting the New Task Wizard. To do this, click the Add button located at the bottom of the Kaspersky Security Center key storage window. This starts the Key Storage Wizard, which is for adding a key to the Kaspersky Security Center key storage. Follow the wizard instructions.

    After you select a key, the following information is displayed in the lower part of the window:

    • License key – a unique alphanumeric sequence.
    • License type – trial, commercial, or commercial (subscription).
    • License term – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
    • Grace period – the number of days after the subscription ends during which the solution retains its functionality. The field is displayed if you are using the solution under a subscription and the service provider with which you registered your subscription offers a grace period for renewing your subscription. If you are using the solution under an unlimited subscription, the field value is Unavailable.
    • Expires on – the date and time when your right to use the solution activated with the current key expires. If you are using the solution under an unlimited subscription, the field value is Unlimited.
    • Restriction – depends on the key type:
      • the maximum number of virtual machines that you can protect
      • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
      • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
    • Available functionality – by following the link, you can view information about the available solution functionality, which depends on the license edition.
  4. To use the selected key as a reserve key, select the Use the license key as a reserve key check box.

    The check box is not available when adding a key for a trial license or a subscription key. A trial license key or a subscription key cannot be added as a reserve key.

    Proceed to the next step of the wizard.

  5. If you are creating a task for a set of devices, the wizard will prompt you to define the task scope. A task scope is a set of SVMs on which a task will run.
    1. Specify the method for defining the task scope: select SVMs from the list of devices discovered by the Administration Server, manually specify the SVM addresses, import a list of SVMs from a file, or specify a previously configured selection of devices (for details, see the Kaspersky Security Center Help).
    2. Depending on the specified method for defining the scope, perform one of the following operations in the window that opens:
      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes in the list, on the left of the device names.
      • Click the Add or Add IP range button and enter the addresses of SVMs manually.
      • Click the Import button, and in the window that opens select a TXT file with the list of addresses of SVMs.
      • Click the Browse button, and in the window that opens specify the name of the selection containing the SVMs for which you want to create the task.

    Proceed to the next step of the wizard.

  6. Configure the task launch schedule settings:
    • Scheduled start

      Choose the task run mode in the drop-down list. The settings displayed in the window depend on the task run mode chosen.

    • Run skipped tasks

      If you want the solution to start missed tasks immediately after an SVM appears on the network, select this check box.

      If this check box is cleared, in Manually mode, the task is started only on SVMs that are visible on the network.

    • Use automatically randomized delay for task starts

      By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:

      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task start within the scope of an automatically calculated time period, clear the Use automatically randomized delay for task starts check box.

      This check box is set by default.

    • Use a random delay to start the task in an interval (min)

      If you want to start the task at a given time within a specified period after manual launch, select this check box. In the corresponding text box, specify the maximum task run delay time. In this case, after manual start, the task is started at a random time within the specified period.

      This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

    For more information about the task launch schedule settings, refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  7. In the Name field, enter the name of the new task and proceed to the next step of the wizard.
  8. If you want the task to start as soon as the wizard finishes, at the last step of the wizard, select the Run task when the wizard is complete check box.
  9. Finish the wizard.

If you have set a task launch schedule, the task will run in accordance with this schedule. You can also run the Solution activation task manually at any time.

You can view information about the progress and results of the task in Kaspersky Security Center.

Page top

[Topic 255235]

Renewing a license

When your license is about to expire, you can renew it by adding a reserve key. This lets you avoid any limitations on solution functionality after the current license expires and before you activate the solution under a new license.

The type of reserve key must match the type of the previously added active key.

If you are using a licensing scheme based on the number of protected virtual machines that distinguishes server keys and desktop keys, the type of the reserve key must match the type of the guest operating system of the virtual machines. If the SVM is protecting virtual machines with server operating systems and desktop operating systems, you need to add two reserve keys to SVMs: a server key and a desktop key.

If you are using a licensing scheme based on the number of protected virtual machines regardless of the operating system type, a licensing scheme based on the number of CPUs, or a licensing scheme based on the number of CPU cores, you need one reserve key (with the corresponding licensing limitation) regardless of the operating system of the protected virtual machines.

To add a reserve key to the SVM, use the Solution activation task for the Protection Server.

You can create a Solution activation task to add a reserve key in the Administration Console or in the Web Console. At the Add a license key step of the New Task Wizard, select the Use the license key as a reserve key check box.

The task adds the reserve key on those SVMs on which the active key has already been added. The reserve key is automatically used as the active key after the Kaspersky Security license expires.

If you use an activation code to activate the solution, then when the license expires the solution automatically connects to Kaspersky activation servers in order to replace the active key that has expired. If the solution is unable to automatically connect to Kaspersky activation servers, you will have to manually start the Solution activation task in order to renew the license to use Kaspersky Security.

When one of the following conditions is met, the Solution activation task finishes with an error and the reserve key is not added:

  • There is no active key on the SVM.
  • The type of the reserve key being added does not match the type of the previously added active key.

If an SVM has an active key and a reserve key and you choose to replace the active key, Kaspersky Security checks the expiration date of the reserve key. If the reserve key expires before the previously renewed license term, Kaspersky Security automatically removes the reserve key. In this case, you can add a different reserve key after adding the active key.

Page top

[Topic 255236]

Renewing subscription

When you use the solution under a subscription, Kaspersky Security contacts Kaspersky activation servers at specific intervals until your subscription expires.

If you use the solution under an unlimited subscription, Kaspersky Security silently checks Kaspersky activation servers for a new key and, if one is available, adds it by replacing the previous key. In this way, unlimited subscription for Kaspersky Security is renewed without user involvement.

When your subscription expires, Kaspersky Security sends the relevant information to the Administration Server of Kaspersky Security Center and stops attempting to renew the subscription automatically. Kaspersky Security stops updating the solution databases and stops using Kaspersky Security Network.

You can renew your subscription by contacting the vendor that sold you Kaspersky Security.

After renewing subscription, you have to re-run the Solution activation task that you created to activate the solution under the subscription.

Page top

[Topic 255237]

Viewing information about the license keys used in Kaspersky Security Center

You can view information about the license keys used by Kaspersky Security for Virtualization 6.2 Light Agent in Kaspersky Security Center:

You can view information about the license used by Light Agent on a protected virtual machine with Light Agent.

In this section:

Viewing information about a license key in Kaspersky Security Center key storage

Viewing license key details in the properties of the Solution activation task

Viewing information about a license key added on the SVM

Viewing the license key usage report

Page top

[Topic 255240]

Viewing information about a license key in Kaspersky Security Center key storage

You can view information about license keys placed in the Kaspersky Security Center key storage using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to view information about a key in the Kaspersky Security Center key storage in Kaspersky Security Center Web Console

To open the list of license keys added to the Kaspersky Security Center key storage,

in the main window of Kaspersky Security Center Web Console, select the OperationsLicensing → Kaspersky Licenses.

The list is displayed as a table whose columns present information about the keys.

You can change the amount of displayed key information by configuring the display of table columns in the Column settings window. The window opens using the configuration button located above the table.

The table displays the following basic information about the key:

  • License name – the name of the license associated with the key and information about this license.
  • License Key – a license key, a unique alphanumeric sequence.
  • Maximum number of devices – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • License type – trial, commercial, or subscription.
  • License term (days) – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
  • License expiration date – the date when your right to use the solution activated by adding the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • License key expiration date – key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • Used as active – depends on the type of active key:
    • the number of protected virtual machines for which the key is used as the active key
    • the number of SVMs on which the key is added as an active key.
  • Used as reserve – the number of SVMs on which the key is added as a reserve key. If you are using the solution under a subscription, the field value is Unavailable or 0.

For a subscription key, the table may also display the following information:

  • Type of validity period restriction – if the solution is being used under an unlimited subscription, Unlimited is displayed in the field.
  • Grace period – if the subscription has the "Grace period activated" status, the field shows the number of remaining days during which the solution will continue to perform all of its functions. If the subscription has any other status, the field shows 0.
  • Link to service provider – web address of the service provider with whom the subscription is registered.
  • Subscription status – current status of your subscription (active, paused, expired, canceled, grace period activated).

You can also view basic information about the license key added to the key storage in the key properties window. The key properties window opens by clicking on the link on the license name.

How to view information about a key in the Kaspersky Security Center key storage in Kaspersky Security Center Administration Console

To open the list of license keys added to the Kaspersky Security Center key storage,

in the Kaspersky Security Center Administration Console tree, select the Kaspersky licenses folder.

The list is displayed as a table whose columns present information about the keys.

You can change the amount of displayed key information by configuring the display of table columns in the Add or remove columns window. The window opens via the Add or remove columns link located above the table.

The table displays the following basic information about the key:

  • Application – the name of the license associated with the key and information about this license.
  • Number – a license key, a unique alphanumeric sequence.
  • Type – trial, commercial, or subscription.
  • Restriction – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • License term (days) – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
  • License key expiration date key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • License expiration datethe date when your right to use the solution activated by adding the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • Active on – depending on the key type:
    • the number of protected virtual machines for which the key is used as the active key
    • the number of SVMs on which the key is added as an active key.
  • Used as reserve – the number of SVMs on which the key is added as a reserve key. If you are using the solution under a subscription, the field value is Unavailable or 0.

For a subscription key, the table may also display the following information:

  • Type of validity period restriction – if the solution is being used under an unlimited subscription, Unlimited is displayed in the field.
  • Grace period – if the subscription has the "Grace period activated" status, the field shows the number of remaining days during which the solution will continue to perform all of its functions. If the subscription has any other status, the field shows 0.
  • Subscription provider's web address – web address of the service provider with whom the subscription is registered.
  • Subscription status – current status of your subscription (active, paused, expired, canceled, grace period activated).

Basic key information is also displayed to the right of the key list when you select a key in the list.

You can also view basic information about the license key added to the key storage in the key properties window. The key properties window opens by double-clicking on the table row containing information about the key, or by double-clicking on the View license key properties link located to the right of the list of license keys.

Page top

[Topic 255244]

Viewing license key details in the properties of the Solution Activation task

The properties of the Solution Activation task for the Protection Server display information about the key that is added to the SVM as a result of executing this task. You can view the properties of an activation task using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to view information about a key in the properties of an activation task in Kaspersky Security Center Web Console

To view information about the key in the properties of the activation task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Do one of the following:
    1. If you want to change the settings of a task that runs on all SVMs that are part of a specific administration group, click the link in the Current path field at the top of the window and select an administration group in the window that opens.

      The list displays only the tasks configured for the selected administration group.

    2. If you want to change the settings of a task that runs on one or more SVMs (tasks for a set of devices), click on the link in the Current path field at the top of the window and select the top node named Administration Server in the window that opens.

      The list will display all tasks created on the Administration Server.

  3. In the list of tasks, select the required task and open the task properties window by clicking the link in the task name.
  4. Select the Application settings tab.

The window displays the following information about the license and the key added to the SVM using this task:

  • License key – a unique alphanumeric sequence.
  • License type – trial, commercial, or commercial (subscription).
  • License term – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription. This field is not displayed if you are using the solution under a subscription.
  • Grace period – the number of days after the subscription ends during which the solution retains its functionality. The field is displayed if you are using the solution under a subscription and the service provider with which you registered your subscription offers a grace period for renewing your subscription. If you are using the solution under an unlimited subscription, the field value is Unavailable.
  • Expires on – the date when your right to use the solution activated with the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • Restriction – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • Available functionality – by following the link, you can view information about the available solution functionality, which depends on the license edition.

How to view information about a key in the properties of an activation task in Kaspersky Security Center Administration Console

To view information about the key in the properties of the activation task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to view the properties of a task that is executed on SVMs that are part of a specific administration group, select the administration group in the console tree, and then select the Tasks tab in the workspace.
    • If you want to view the properties of a task that runs one or more SVMs (tasks for a set of devices), select the Tasks folder in the console tree.
  2. In the list of tasks, select the required task and double-click it to open the Settings: <Task name> window.

    You can also open the task properties window using the Settings item of the task context menu.

  3. In the list on the left, select the Add a license key section.

In the right part of the window, the Adding a license key section displays the following information about the license and the key being added to the SVM using this task:

  • License key – a unique alphanumeric sequence.
  • License type – trial, commercial, or commercial (subscription).
  • License term – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription. This field is not displayed if you are using the solution under a subscription.
  • Grace period – the number of days after the subscription ends during which the solution retains its functionality. The field is displayed if you are using the solution under a subscription and the service provider with which you registered your subscription offers a grace period for renewing your subscription. If you are using the solution under an unlimited subscription, the field value is Unavailable.
  • Expires on – the date when your right to use the solution activated with the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  • Restriction – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • Available functionality – by following the link, you can view information about the available solution functionality, which depends on the license type.
Page top

[Topic 255245]

Viewing information about a license key added on the SVM

Information about the license keys used on a client device is displayed in the properties window of the application installed on the client device. In the case of the Kaspersky Security solution, information about the license keys added to the SVM is displayed in the properties of the Protection Server on the SVM.

You can open the properties window of the Protection Server on the SVM using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to view information about keys added to an SVM in Kaspersky Security Center Web Console

To view information about keys added to an SVM:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Managed devices.

    The list of managed devices opens.

  2. Select the administration group containing the desired SVM. To do so, click the link in the Current path field located above the list of managed devices and select an administration group in the window that opens.

    The list will display only managed devices in the selected administration group.

  3. Find the desired SVM in the list and click on the SVM name.
  4. In the SVM properties window that opens, select the Applications tab.
  5. Click on the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list.

    The properties window for the Protection Server on this SVM will open.

  6. On the General tab, select the License section in the list on the left.

    The right part of the window displays a list of license keys added to the SVM. The following information is displayed for each key:

    • License key status – key status: active or reserve.
    • Application name – the name of the license associated with the key and information about this license.
    • License Key – a license key, a unique alphanumeric sequence.
    • License type – trial, commercial, or subscription.
    • Activation date – the date when the solution was activated with this key.
    • Term – the date when your right to use the solution activated with the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
  7. If you want to view additional information about the key, click on the license name. In the window that opens, you can view the following information:
    • License term (days) – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
    • Maximum number of devices – depends on the key type:
      • the maximum number of virtual machines that you can protect
      • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
      • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect

How to view information about keys added to an SVM in Kaspersky Security Center Administration Console

To view information about keys added to an SVM:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group that includes the desired SVM.
  2. In the workspace, select the Devices tab.
  3. Find the desired SVM in the list and double-click to open the Settings: <SVM name> window.
  4. In the displayed SVM properties window, in the list on the left, select the Applications section.
  5. In the right part of the window, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list and open the properties window of the Protection Server on this SVM by double-clicking or using the Properties button at the bottom of the window.

    In the window that opens, in the list on the left, select the License keys section.

The right part of the window displays a list of license keys added to the SVM. The following information is displayed for each key:

  • Serial number – a license key, a unique alphanumeric sequence.
  • Status – key status: active or reserve.
  • Type – trial, commercial, or subscription.
  • License term – the period in days during which you can use the solution activated by adding this key, for example, 365 days. This field is not displayed if you are using the solution under a subscription.
  • License restrictions – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • Activation date – the date when the solution was activated with this key.
  • Termthe date when your right to use the solution activated with the current key expires. If the key was added on several SVMs at different times, this field shows the date for the SVM where the solution will expire soonest. If you are using the solution under an unlimited subscription, the field value is Unlimited.
Page top

[Topic 255246]

Viewing the license key usage report

Information about the license keys used by the Kaspersky Security solution is displayed in the Kaspersky Security Center key usage report. You can view the key usage report using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to generate a key usage report in Kaspersky Security Center Web Console

To generate a key usage report:

  1. In the main window of Kaspersky Security Center Web Console, select Monitoring and reportingReports.

    A list of report templates opens.

  2. Find the License key usage report template in the list and generate the report by clicking on the template name.

    The generated license key usage report opens in a separate window.

The license key usage report has two tabs:

  • The Summary tab contains a chart with information about the use of keys in accordance with license restrictions and a summary table. The summary table contains information about all used license keys.
  • The Details tab contains a table of detailed information. The detailed table contains information about the SVMs to which keys have been added, or about the protected virtual machines the key is being used for.

You can change the amount of displayed report information by configuring the display of table columns in the Edit the license key usage report window. The window opens via the Edit button at the top of the report window. For more information about configuring the appearance of reports, see the Kaspersky Security Center Help.

How to generate a key usage report in Kaspersky Security Center Administration Console

To generate a key usage report:

  1. In the Kaspersky Security Center Administration Console tree, select the Administration Server <server name> node and go to the Reports tab.

    A list of report templates opens.

  2. Find the License key usage report template in the list and generate the report by double-clicking or using the Show report link located to the right of the list of report templates.

    The generated license key usage report opens in a separate window.

The license key usage report contains:

  • A chart with information about the use of keys in accordance with license restrictions.
  • Summary table. The table contains information about all used license keys.
  • Detailed table. The table contains information about the SVMs to which keys have been added, or about the protected virtual machines the key is being used for.

You can change the amount of displayed report information by configuring the display of table columns in the Columns window. The window opens via the Configure report columns link located at the top of the report window.

Summary information in the key usage report

The summary table contains the following information:

  • License key – a unique alphanumeric sequence.
  • Used as active – depends on the type of active key:
    • the number of protected virtual machines for which the key is used as the active key
    • the number of SVMs on which the key is added as an active key.
  • Used as reserve – the number of SVMs on which the key is added as a reserve key. If you are using the solution under a subscription, the field value is Unavailable or 0.
  • Restriction – depends on the key type:
    • the maximum number of virtual machines that you can protect
    • the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
    • the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
  • Earliest license expiration date – the date when your right to use the solution activated by adding the current key expires.
  • License key valid until – the key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.

The row below contains the following consolidated information:

  • License keys – total number of keys in use.
  • License keys used up by more than 90% – total number of keys that have been used up by more than 90% of their license restrictions. For example, the restriction is 100 virtual machines. A key is used on two SVMs: the first one protects 42 virtual machines and the second one protects 53 virtual machines. The key is therefore 95% used and is included in the number of keys specified in this field.
  • License keys with exceeded restriction – total number of keys that have exceeded a license limit, such as a limit imposed on the number of simultaneously running virtual machines with server operating systems or a limit on the number of physical processors used on all hypervisors (depending on the key type).

Detailed information in the key usage report

Depending on the key type, the detailed table shows information about the SVM on which the key has been added (for a key with a limitation on the number of processors or processor cores), or information about the protected virtual machine the key is being used for (for a server or desktop key):

The detailed table contains the following information:

  • Virtual Administration Server – the name of the virtual Administration Server that manages the SVM or the protected virtual machine.
  • Group – the administration group to which the SVM or protected virtual machine belongs.
  • Device – the name of the SVM or protected virtual machine.
  • Application – the name of the Kaspersky Security solution component installed on the SVM or the protected virtual machine.
  • Version number – version number of the Kaspersky Security solution component.
  • Active license key – the key that has been added as an active key.
  • Reserve license key – the key that has been added as a reserve key.
  • License valid until – the expiration date for using the solution with this key.
  • IP address – the IP address of an SVM or protected virtual machine on which the key has been added.
  • Last visible on the network – the date and time when the SVM or protected virtual machine was last visible on the corporate LAN.
  • Last connection date – date and time of the last connection of the SVM or protected virtual machine to Kaspersky Security Center Administration Server.
  • NetBIOS name – the name of the SVM or protected virtual machine.
  • Windows domain – the domain to which the SVM or the protected virtual machine belongs.
  • DNS name – the DNS name of the SVM or protected virtual machine.
  • DNS domain – the DNS domain to which the SVM or protected virtual machine belongs (specified only if the name of the SVM or virtual machine contains the name of the DNS domain).
  • Subscription pending – indicates whether a solution subscription is pending.
  • License key valid until – the key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.
Page top

[Topic 293635]

View information about the license on a secure virtual machine

You can view information about the license that Light Agent is using on a virtual machine with Light Agent installed:

Page top

[Topic 255873]

Starting and stopping Kaspersky Security

The Protection Server component starts automatically when the operating system starts on the SVM and stops when the operating system is shut down.

An SVM deployed on a VMware ESXi hypervisor is started automatically after the hypervisor is turned on. The SVM may fail to start automatically if this function is not activated at the level of the hypervisor or if this hypervisor belongs to a VMware HA cluster. For details, please refer to the VMware documentation.

The Integration Server component starts automatically when the operating system starts on the device where the Integration Server is installed, and stops when the operating system is shut down.

The Light Agent component starts automatically when the operating system starts on a protected virtual machine and stops when the operating system is shut down.

Virtual machine protection is started automatically when the Light Agent and Protection Server components are started.

If license info is not relayed to the protected virtual machine, Light Agent operates in limited functionality mode.

Tasks are started in accordance with their schedule. You can also run tasks manually.

You can use the standard tools of the Linux operating system to start and stop Light Agent for Linux. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

You can stop and start Light Agent for Windows remotely using Kaspersky Security Center or the command line. For details, see the Kaspersky Endpoint Security for Windows Help of the relevant version.

Page top

[Topic 256463]

Virtual machine protection status

You can view information about the protection status of the virtual machines as follows:

  • In Kaspersky Security Center using the statuses of client devices.
  • In Kaspersky Security Center, using the statuses of Light Agent functional components on virtual machines.
  • On a protected virtual machine:
    • For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --app-info. The command displays information about the operation of the application and the state of the application's functional components. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
    • For Light Agent for Windows: using the Protection status widget in the local interface of Kaspersky Endpoint Security for Windows.
  • In infrastructure based on the VMware vSphere platform: using security tags, which Kaspersky Security can assign to a protected virtual machine.

In this Help section

Statuses of client devices in Kaspersky Security Center

Statuses of Light Agent functional components on virtual machines

About security tags

Page top

[Topic 256476]

Statuses of client devices in Kaspersky Security Center

The protected virtual machine (the virtual machine on which the Light Agent component is installed) and the SVM are client devices for Kaspersky Security Center. Information about the state of a client device in Kaspersky Security Center is displayed by the client device status (OK, Critical, or Warning).

The client device status changes to Critical or Warning for the following reasons:

  • According to the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, anti-virus databases are outdated, or the license has expired. For more details about the reasons for status changes and configuring status assignment conditions, please refer to the Kaspersky Security Center help.
  • Kaspersky Security Center receives the device status from the managed application, i.e. from Kaspersky Security solution components.

    Receipt of the device status from the managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.

    The SVM status changes in the following cases:

    • No connection to the Integration Server
    • No connection to the virtual infrastructure

    The status of a protected virtual machine changes in the following cases:

    • No connection to the Integration Server
    • No connection to the SVM
    • A modification of files or modification of the registry was detected on the virtual machine

For details on client device statuses, please refer to the Kaspersky Security Center help.

Page top

[Topic 256477]

Statuses of Light Agent functional components on virtual machines

Information about keys added to the SVM can be viewed in the Kaspersky Security Center Administration Console or in the Web Console.

  • The properties of the application running in Light Agent mode on a virtual machine display a list of functional components of Light Agent. For each component, its status is displayed.
  • The Kaspersky Security Center report on the status of application components displays information about the Light Agent functional components that are installed or not installed on the virtual machines. For each of the installed components, the report displays the number of virtual machines on which this component is installed and the number of administration groups to which these virtual machines belong.

    The report on the status of application components is available in the list of report templates in Kaspersky Security Center Administration Console (on the Reports tab in the workspace of the Administration Server <server name> node), and in the Kaspersky Security Center Web Console (in the Monitoring and reportingReports section).

  • You can create selections of virtual machines by specifying as a selection condition the status of components and/or the version number of the application running in Light Agent mode.

For more information about working with tasks and configuring device selections, see the Kaspersky Security Center Help.

Page top

[Topic 256478]

About security tags

If the Kaspersky Security solution is running in a virtual infrastructure on the VMware vSphere platform and uses VMware NSX Manager, Kaspersky Security may assign the following security tags to the protected virtual machine:

  • ANTI_VIRUS.VirusFound.threat=high. This tag is assigned to a virtual machine on which viruses or other malicious programs were detected.
  • IDS_IPS.threat=high. This tag is assigned to a virtual machine whose inbound traffic displayed activity that is typical for network attacks.

Kaspersky Security can assign security tags only if you have enabled the use of VMware NSX Manager and configured the settings for connecting the Integration Server to VMware NSX Manager in Integration Server Web Console or Integration Server Console.

You can view the security tags assigned to the virtual machine in the properties of the virtual machine:

  • In the VMware vSphere Client console, in the Hosts and Clusters section of the Summary tab.
  • In VMware NSX Manager web console, in the InventoryVirtual Machines section.

The ANTI_VIRUS.VirusFound.threat=high security tag that Kaspersky Security assigned to the virtual machine is removed automatically if running a Full Scan task on the virtual machine detects no viruses or other malicious programs. If the ANTI_VIRUS.VirusFound.threat=high security tag is manually assigned to a virtual machine using virtual infrastructure, it can be removed only manually.

An IDS_IPS.threat=high security tag assigned to the virtual machine either by Kaspersky Security or manually using virtual infrastructure tools can be removed only manually.

After manually removing the tag, you need to restart the Light Agent on the virtual machine.

For more information on how to manually remove and assign security tags, refer to the Knowledge Base.

Page top

[Topic 254872]

Connecting SVMs and Light Agents to the Integration Server

For the Kaspersky Security solution to function, constant interaction between the Protection Server and the Integration Server is required. To ensure this interaction, you need to configure the connection of the SVM from the Protection Server to the Integration Server.

If you want Light Agents to receive information about SVMs via the Integration Server, or if you want to protect the connection between the Protection Server and Light Agent, you need to configure the connection of Light Agents to the Integration Server.

Information about the loss and restoration of the connection of the Light Agent and SVM to the Integration Server can be saved as events in Kaspersky Security Center.

In this Help section

Configuring the settings for connecting SVMs to the Integration Server

Configuring the settings for connecting Light Agents to the Integration Server

Page top

[Topic 254921]

Configuring the settings for connecting SVMs to the Integration Server

You can use the Web Console or the Administration Console to configure the connection of SVMs to the Integration Server in a Protection Server policy, for example, when creating the default policy for the Protection Server.

Expand all | Collapse all

How to configure settings for connecting SVMs to the Integration Server in Kaspersky Security Center Web Console

Configure the connection of SVMs to the Integration Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Settings for connecting SVMs to the Integration Server section.
  5. In the right part of the window, click the Edit button. In the Connection to the Integration Server window that opens, specify the address and port for connection:
    1. Specify the IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    2. If the port for connecting to the Integration Server differs from the default port (7271), specify the port number in the Port field.
  6. Click Test in the Connection to the Integration Server window.
  7. Kaspersky Security web plug-in verifies the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, a corresponding message is displayed in the Connection to the Integration Server window. You can view information about the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, select the Ignore option.
  8. Specify the password of the Integration Server administrator (password of the admin account) and click the Test button in the Connection to the Integration Server window.

    The capability to connect to the Integration Server is tested. If the connection test succeeds and the connection to the Integration Server is established, the Connection to the Integration Server window closes. After a connection has been established to the Integration Server under the administrator account, the account password is automatically relayed to the policy in order to connect SVM to the Integration Server.

    If the connection test failed or a connection to the Integration Server could not be established, an error is displayed in the policy properties window. Check the connection settings you have specified.

    Information about Integration Server connection errors may be saved in the Integration Server trace file (if you enabled the logging of information).

  9. Click the Save button.

How to configure the settings for connecting SVMs to the Integration Server in Kaspersky Security Center Administration Console

Configure the connection of SVMs to the Integration Server:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Settings for connecting SVMs to the Integration Server section in the list on the left.
  5. In the right part of the window, specify the address and port for the connection:
    1. By default, the Address field shows the domain name of the device hosting the Administration Console of Kaspersky Security Center. If this device does not belong to a domain or if the Integration Server is installed on a different device and the field shows the wrong address, specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

      If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

    2. If the port for connecting to the Integration Server differs from the default port (7271), specify the port number in the Port field.
  6. Click Apply in the policy properties window.
  7. If the device hosting the Kaspersky Security Center Administration Console does not belong to a domain or your account does not belong to the KLAdmins local or domain group or to the group of local administrators, the Connection to the Integration Server window opens. Specify the password of the Integration Server administrator (password of the admin account). After a connection has been established to the Integration Server under the administrator account, the account password is automatically relayed to the policy in order to connect SVM to the Integration Server.

    Click OK in the Connection to the Integration Server window.

    Kaspersky Security MMC plug-in verifies the SSL certificate received from the Integration Server. If the certificate contains an error or is not trusted, the Verify Integration Server certificate window opens. You can view the details of the certificate received. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure. To continue connecting to the Integration Server, click the Ignore button. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.

    The capability to connect to the Integration Server is tested. If the connection test failed or a connection to the Integration Server could not be established, an error is displayed in the policy properties window. Check the connection settings you have specified.

Information about Integration Server connection errors may be saved in the Integration Server trace file (if you enabled the logging of information).

Page top

[Topic 254920]

Configuring the settings for connecting Light Agents to the Integration Server

You can configure the settings for connecting Light Agents to the Integration Server in the Light Agent policy (in the policy of the application running in Light Agent mode). The SVM discovery settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.

You need to configure the following settings for connecting to the Integration Server:

  • IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.

    If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.

  • Port for connecting to the Integration Server.

    By default, port number 7271 is specified.

  • Password of the Integration Server administrator (password of the admin account).

Information about Integration Server connection errors may be saved in the Integration Server trace file (if you enabled the logging of information).

You can get information about the status of the Light Agent's connection to the Integration Server in the following ways:

  • For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --viis-info.
  • For Light Agent for Windows:
    • in the local interface of Kaspersky Endpoint Security for Windows
    • using the Kaspersky Endpoint Security for Windows command avp.com VIISINFO.

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

Page top

[Topic 254886]

Connecting Light Agents to SVMs

To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed. You can configure the following settings for connecting the Light Agent to the SVM:

  • SVM detection method. You can select the method used by Light Agents to detect SVMs that are available for connection.
  • Connection tags. If you use connection tags, Light Agent can only connect to SVMs that are configured to use that connection tag.
  • Protecting the connection between the Light Agent and the Protection Server. You can use encryption to protect the connection between Light Agents and Protection Servers.
  • SVM selection algorithm for connection. You can specify the algorithm to be used by the Light Agents to select SVMs to connect to.

In this Help section

Configuring SVM discovery settings

Configuring the use of connection tags

Protecting the connection between the Light Agent and the Protection Server

Configuring the SVM selection algorithm

Viewing the list of Light Agents connected to SVMs

Page top

[Topic 254887]

Configuring SVM discovery settings

You can configure the settings for detection of SVMs by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The SVM discovery settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.

You can configure the following settings for discovery of SVMs by Light Agents:

  • Method used by Light Agents to discover SVMs:
    • Use Integration Server

      If this option is selected, Light Agent connects to Integration Server to get a list of SVMs available for connection and their details.

      If you want to use the Integration Server, configure the settings for connecting Light Agents to the Integration Server.

    • Use a custom list of SVM addresses

      If this option is selected, you can specify the list of SVMs to which Light Agents managed by the specified policy can connect. Light Agents will connect only to the SVMs specified in the list.

      If you select the Use a custom list of SVM addresses option, the Light Agent is using the extended SVM selection algorithm, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the Light Agent ignores the SVM path. In the SVM selection algorithm section, you need to set the SVM path setting to Ignore.

  • If you selected the Use a custom list of SVM addresses option, you need to create a list of SVMs to which Light Agents managed by the policy can connect. You can add multiple SVM IP addresses or FQDNs to the list.

    In the list of SVM addresses, specify only full domain names (FQDN) that are matched by a single IP address. Using a fully qualified domain name that corresponds to multiple IP addresses can lead to errors in the solution.

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected the Use Integration Server option, you can configure the size of the available SVMs list that the Integration Server relays to Light Agents.

To configure the size of the list of available SVMs:

  1. Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
    • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
    • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
  2. Specify the OpenStackMaxSvmCountToReturn setting in the HypervisorSpecificSettings:Openstack section:
    • If you want to limit the size of available SVM list, which the Integration Server transmits to Light Agents, then specify number of SVMs, whose information must be included into this list.
    • If you want the Integration Server to transfer full list of available SVMs to Light Agents, specify a value of 0.
  3. Save the appsettings.json file.
  4. Restart the Integration Server.
Page top

[Topic 254888]

Configuring the use of connection tags

If you want to control Light Agents' connection to SVMs using connection tags, you need to do the following:

  • In the Light Agent settings: enable the use of tags by Light Agent and assign the tag that Light Agent will use to connect.
  • In the Protection Server settings: enable the use of tags on the SVM and specify the tags that are allowed to connect to the SVM. Only Light Agents that are assigned the specified tags will connect to the SVM. If a Light Agent is assigned a different tag or no tag is assigned, the Light Agent will not be able to connect to this SVM.

In this section:

Configuring the use of connection tags for an SVM

Assigning connection tags to Light Agents

Page top

[Topic 254929]

Configuring the use of connection tags for an SVM

You can use the Web Console or the Administration Console to configure connection tags on SVMs in a Protection Server policy.

Expand all | Collapse all

How to configure the use of tags on SVMs in Kaspersky Security Center Web Console

To configure tags on SVMs:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Connection tags section.
  5. In the right part of the window, configure the following settings:
    • Allow connection of Light Agents with specified tags

      Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.

      If the check box is selected, only Light Agents with the specified tags can connect to the SVM.

      If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.

      The check box is cleared by default.

    • Tag list

      Only Light Agents that are assigned the tags specified in this field can connect to the SVM.

      You can specify one or more tags separated by semicolons.

    Only Light Agents which have been assigned the specified tags will connect to SVMs with a Protection Server managed by this policy.

  6. Click the Apply button.

How to configure the use of tags on SVMs in Kaspersky Security Center Administration Console

To configure tags on SVMs:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Connection tags section in the list on the left.
  5. In the right part of the window, configure the following settings:
    • Allow connection of Light Agents with specified tags

      Allow SVM connections only for Light Agents that are assigned the tags specified in the field below.

      If the check box is selected, only Light Agents with the specified tags can connect to the SVM.

      If the check box is cleared, only Light Agents that do not have tags assigned to them can connect to the SVM.

      The check box is cleared by default.

    • Tag list

      Only Light Agents that are assigned the tags specified in this field can connect to the SVM.

      You can specify one or more tags separated by semicolons.

    Only Light Agents which have been assigned the specified tags will connect to SVMs with a Protection Server managed by this policy.

  6. Click the Apply button.
Page top

[Topic 254928]

Assigning connection tags to Light Agents

You can configure the settings for the use of tags by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The tag usage settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.

To assign a tag to a Light Agent to connect to an SVM, select the Use connection tag check box and enter the connection tag in the Tag field.

For a tag, you can enter a text string up to 255 characters long. You can use any character except the ; character.

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

Light Agents to which the tag is assigned can connect only to SVMs for which a connection to Light Agents with this tag is allowed.

Page top

[Topic 254889]

Protecting the connection between the Light Agent and the Protection Server

You can configure encryption of the connection between Light Agents and Protection Servers. To do this, you need to enable encryption of the data channel between the Light Agent and the Protection Server in the Protection Server settings on the SVM and in the Light Agent settings.

A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Protection Server and the Light Agent is allowed.

Using encryption to protect the connection may slow the performance of the Kaspersky Security solution.

In this section:

Configuring connection protection on the Protection Server

Configuring connection protection on the Light Agent

Page top

[Topic 254959]

Configuring connection protection on the Protection Server

You can use the Web Console or the Administration Console to configure connection protection on the Protection Server in a Protection Server policy.

Expand all | Collapse all

How to configure connection protection on the Protection Server in Kaspersky Security Center Web Console

To configure connection protection on the Protection Server:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Connection protection section.
  5. In the right part of the window, configure the following settings:
    • Encrypt data channel between Light Agent and the Protection Server

      Encrypt the connection between Light Agents and Protection Servers.

      If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.

      If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.

      This check box is cleared by default.

    • Allow nonsecure connection if secure connection cannot be established

      Allow an unsecure connection between Light Agents and Protection Servers.

      If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.

      If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.

      This check box is cleared by default.

    Only Light Agents for which connection protection is configured will connect to SVMs with Protection Servers managed by this policy.

  6. Click the Save button.

How to configure connection protection on the Protection Server in Kaspersky Security Center Administration Console

To configure connection protection on the Protection Server:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Connection protection section in the list on the left.
  5. In the right part of the window, configure the following settings:
    • Encrypt data channel between Light Agent and the Protection Server

      Encrypt the connection between Light Agents and Protection Servers.

      If the check box is selected, a secure connection is established between the Light Agent and the policy-controlled Protection Server after the Light Agent connects to the SVM with this Protection Server. A Light Agent can connect to an SVM that has connection protection enabled only if the Light Agent also has connection protection enabled or the SVM allows unsecure connections.

      If the check box is cleared, an unsecure connection is established between the Light Agent and the Protection Server after the Light Agent connects to the SVM with this Protection Server.

      This check box is cleared by default.

    • Allow nonsecure connection if secure connection cannot be established

      Allow an unsecure connection between Light Agents and Protection Servers.

      If the check box is selected, an unsecure connection may be established between Light Agents and policy-controlled Protection Servers if a secure connection cannot be established.

      If the check box is cleared, only a secure connection can be established between Light Agents and policy-controlled Protection Servers. A Light Agent will not be able to connect to the SVM if a secure connection cannot be established to the Protection Server on this SVM.

      This check box is cleared by default.

    Only Light Agents for which connection protection is configured will connect to SVMs with a Protection Server managed by this policy.

  6. Click the Apply button.
Page top

[Topic 254958]

Configuring connection protection on the Light Agent

You can configure the settings for connection protection on the Light Agent in the Light Agent policy (in the policy of the application running in Light Agent mode). Connection protection settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.

By default, protection of the connection between Light Agents and the Protection Server is disabled. To enable connection protection, select the Encrypt data channel between Light Agent and the Protection Server check box.

If the check box is selected, a secure connection is established between the Light Agent, which is managed by policy, and the Protection Server on the SVM that the Light Agent is connecting to. A Light Agent for which connection protection is enabled can only connect to an SVM on which connection protection is enabled or an unprotected connection to the Protection Server is allowed.

If the check box is cleared, an unprotected connection is established between the Light Agent and the Protection Server on the SVM that the Light Agent is connecting to.

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

Page top

[Topic 254885]

Configuring the SVM selection algorithm

You can specify which SVM selection algorithm Light Agents should use, and configure the settings for applying the extended SVM selection algorithm in the Light Agent policy (in the policy of the application running in Light Agent mode). For Light Agent for Windows, you can also select the algorithm in the local interface of Kaspersky Endpoint Security for Windows.

You can choose one of the following options:

  • Use the standard SVM selection algorithm

    If this option is selected, after installing and running on a virtual machine, the Light Agent selects an SVM to connect to that is local to Light Agent.

    SVM locality relative to Light Agent is determined depending on the type of virtual infrastructure:

    • In a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer, the SVM that is considered to be local to a Light Agent is the SVM that is deployed on the same hypervisor as the virtual machine with the Light Agent installed.
    • In the virtual infrastructure running on OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, SVM locality is determined in accordance with the StandardAlgorithmSvmLocality parameter in the HypervisorSpecificSettings:Openstack section of the Integration Server configuration file (appsettings.json). Depending on the version of the Integration Server, the file is located at one of the following paths:
      • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
      • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.

    If the default value is used, SVM is considered as local for Light Agent if it is located in the same server group, as the virtual machine with the installed Light Agent.

    If there are no local SVMs for connection, Light Agent selects a SVM with the lowest number of Light Agent connections regardless of SVM path in the virtual infrastructure.

    The application does not determine whether the SVM is local relative to the Light Agent if large infrastructure protection mode is enabled for the Protection Server on the SVM. In this case, it is recommended to use the extended SVM selection algorithm and select the Integration Server as the SVM discovery method.

    This option is selected by default.

  • Use the extended SVM selection algorithm

    If this option is selected, with the SVM path slider you can specify how the SVM location in the virtual infrastructure will affect the ‘local’ status of the SVM in relation to the Light Agent. Light Agent can connect only to local SVMs.

    You can also specify that SVM path in the virtual infrastructure must not be taken into the account when selecting SVM for connection.

    When selecting SVMs, Light Agents consider the number of Light Agents connected to an SVM to ensure that Light Agents are evenly distributed among SVMs available for connection.

If you selected Use the extended SVM selection algorithm option, and Light Agents use the Integration Server as SVM discovery method, you can specify how SVM path in the virtual infrastructure must be taken into the account when selecting SVM for connection using the SVM path slider.

Allows to specify SVM path type in the virtual infrastructure, which is taken into the account when selecting SVM for connection:

  • Hypervisor. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
    • The SVM is deployed on the same hypervisor as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
    • The SVM is located in the same server group as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).

If there are no available SVMs on the same hypervisor or in the same server group, where the virtual machine with Light Agent is located, then Light Agent does not connect to SVM.

  • Cluster. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
    • The SVM is deployed in the same hypervisor cluster as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
    • The SVM is deployed in the same OpenStack project as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).

If there are no available SVMs on the same hypervisor cluster or within the same OpenStack project, where the virtual machine with Light Agent is located, then Light Agent does not connect to SVM.

  • Data center. Light Agent selects for connection a SVM that matches a particular criterion (depending on type of the virtual infrastructure):
    • The SVM is deployed in the same data center as the virtual machine with the Light Agent installed (in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer).
    • The SVM is located in the same availability zone as the virtual machine with the installed Light Agent (in a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform).

If there are no SVMs available for connection in the same data center or Availability Zone where the virtual machine with the Light Agent is located, the Light Agent does not connect to the SVM.

  • Ignore. Light Agent selects an SVM regardless of its location.

The default selected value is Hypervisor.

The setting is available if the Use the extended SVM selection algorithm option is selected.

If a Light Agent uses the extended SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the Light Agent ignores the SVM path (the Ignore value is set for the SVM path setting).

For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.

In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected Use the standard SVM selection algorithm option, you can specify how to determine SVM locality relative to Light Agent. To do so, perform the following actions:

  1. Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
    • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
    • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
  2. Specify the StandardAlgorithmSvmLocality setting in the HypervisorSpecificSettings:Openstack section. This parameter can take the following values:
    • ServerGroup – if this value is selected, SVM is considered local for Light Agent if it is located within the same server group as the virtual machine where Light Agent is installed. This value is used by default.
    • Project – if this value is selected, SVM is considered as local for Light Agent if it is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
    • AvailabilityZone – if this value is selected, SVM is considered as local for Light Agent if it is located within the same availability zone as the virtual machine with the installed Light Agent.
  3. Save the appsettings.json file.
  4. Restart the Integration Server.
Page top

[Topic 256383]

Viewing the list of Light Agents connected to SVMs

Information about Light Agents connected to an SVM is displayed in the properties window of the Protection Server on the SVM.

You can open the properties window of the Protection Server on the SVM using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to open the list of Light Agents connected to an SVM in Kaspersky Security Center Web Console

To open the list of Light Agents connected to an SVM:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Managed devices.

    The list of managed devices opens.

  2. Select the administration group containing the desired SVM. To do so, click the link in the Current path field located above the list of managed devices and select an administration group in the window that opens.

    The list will display only managed devices in the selected administration group.

  3. Find the desired SVM in the list and click on the SVM name.
  4. In the SVM properties window that opens, select the Applications tab.
  5. Click on the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list.

    The properties window for the Protection Server on this SVM will open.

  6. Select the Application settings tab.

The window displays a table containing the list of Light Agents connected to SVMs.

How to open the list of Light Agents connected to SVMs in Kaspersky Security Center Administration Console

To open the list of Light Agents connected to an SVM:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group that includes the desired SVM.
  2. In the workspace, select the Devices tab.
  3. Find the desired SVM in the list and double-click to open the Settings: <SVM name> window.
  4. In the displayed SVM properties window, in the list on the left, select the Applications section.
  5. In the right part of the window, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server in the list and open the properties window of the Protection Server on this SVM by double-clicking or using the Properties button at the bottom of the window.
  6. In the window that opens, in the list on the left, select the Connected Light Agents section.

The right part of the window displays a table containing the list of Light Agents connected to SVMs. The field above the table shows the time of the last request to the SVM.

The list of Light Agents displays the following information:

  • VM name – name of the virtual machine on which Light Agent is installed.
  • Address – IP address and port that the Light Agent uses to connect to the SVM.
  • Operating system – version of the operating system on the virtual machine on which the Light Agent is installed.
  • Virtual machine role – role of the virtual machine on which the Light Agent is installed: server or workstation.
  • ID – identifier of the virtual machine on which Light Agent is installed.
  • Path to VM – path in the virtual infrastructure to the virtual machine on which the Light Agent is installed.

If you want to update the information about Light Agents connected to SVMs, click the Refresh button.

Page top

[Topic 74322]

Protecting large infrastructures

If the solution is used to protect a large infrastructure (more than 50,000 protected virtual machines), the solution components' interaction with the virtual infrastructure as information about the SVMs is sent to Light Agents can increase the load on the virtual infrastructure.

To optimize the solution's performance in large infrastructures, it is recommended to configure the solution settings as follows:

If a Light Agent uses the extended SVM selection algorithm, a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if Light Agent ignores the SVM path.

You can use the Web Console or the Administration Console to enable or disable the large infrastructure protection mode when creating or editing a Protection Server policy.

Expand all | Collapse all

How to enable large infrastructure protection mode in Kaspersky Security Center Web Console

To enable Large infrastructure protection mode:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Large infrastructure protection settings section.
  5. On the right side of the window, configure the Enable optimization for protection of large infrastructures option.

    Enabling/disabling large infrastructure protection mode.

    This mode lets you optimize the operation of the Protection Server in order to reduce the load on the virtual infrastructure.

    If the mode is enabled, it is recommended to use the extended SVM selection algorithm.

    This check box is cleared by default.

  6. Click the Save button.

How to enable large infrastructure protection mode in Kaspersky Security Center Administration Console

To enable Large infrastructure protection mode:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, in the list on the left, select the Large infrastructure protection settings section.
  5. On the right side of the window, configure the Enable optimization for protection of large infrastructures option.

    Enabling/disabling large infrastructure protection mode.

    This mode lets you optimize the operation of the Protection Server in order to reduce the load on the virtual infrastructure.

    If the mode is enabled, it is recommended to use the extended SVM selection algorithm.

    This check box is cleared by default.

  6. Click the Apply button.
Page top

[Topic 255465]

Updating Kaspersky Security databases and application modules

The update functionality (including anti-virus signature updates and code base updates) may not be available in the solution in the territory of the USA.

Updating the databases and application modules of the Kaspersky Security solution ensures up-to-date protection of virtual machines. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Security databases contain information about threats and ways of neutralizing them. Kaspersky Security databases include antivirus databases and other Kaspersky databases important for the security of the protected infrastructure. Updating Kaspersky Security application modules lets you promptly receive important updates to Kaspersky Security solution components. To enable the Kaspersky Security solution to promptly detect threats, you need to update the solution's databases and modules regularly.

If the Kaspersky Security databases have not been updated for a long time, a notification appears in Kaspersky Security Center in the SVM properties window (in the Events section, if you are working through Kaspersky Security Center Administration Console; on the Events tab, if you are working through Kaspersky Security Center Web Console).

Updating Kaspersky Security databases and application modules may change certain Kaspersky Security settings, for example, the heuristic analysis settings that improve the effectiveness of protection and scans.

Updates of Kaspersky Security databases and application modules require a current license to use the application.

Updating Kaspersky Security databases and application modules involves the following steps:

  1. Downloading an update package to a Kaspersky Security update source

    An update source is a resource that contains database updates and application module updates of Kaspersky applications. The Kaspersky Security Center Administration Server repository is the source of updates for Kaspersky Security for Virtualization 6.2 Light Agent.

    To download updates to the Administration Server repository, use the Download updates to Administration Server repository task. The task is created automatically by the Kaspersky Security Center Initial Configuration Wizard. If the "Download updates to Administration Server repository" task is not in the list of tasks for the Administration Server, you need to create it. For details, please refer to the Kaspersky Security Center help.

    The contents of the update package that Kaspersky Security Center creates in the Kaspersky Security repository depends on the update download settings configured in the Protection Server policy. By default, an update package contains the database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows. You can configure the downloading of updates as well as enable application module updates for Kaspersky Security components.

    If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, make sure that the update settings in the Protection Server policy specify the same version of Light Agent that you are using.

  2. Downloading an update package from the Administration Server repository to a folder on the SVM

    To download update packages to SVMs, use the Database update task for the Protection Server.

    You can use the Update databases and solution modules task, which is created automatically after installing the MMC plug-in or the Protection Server web plug-in in Kaspersky Security Center. This task is created for the Managed devices administration group and lets you download an update package to all SVMs that are part of the Managed devices group or any nested administration group. The task is started every time an update package is downloaded to the Kaspersky Security Center Administration Server repository.

    If necessary, you can change the settings of the automatically created update task or delete it and create a new Database update task for the Protection Server.

    For the Protection Server to successfully download an update package from the Administration Server storage, the SVM on which the Protection Server is installed must have access to the Kaspersky Security Center Administration Server. The SVM connection to the Administration Server is configured when SVMs are deployed or reconfigured.

    If Kaspersky Security databases and application modules have not been updated for a long time, the size of the update package may be large. Downloading this update package may generate additional network traffic (up to several dozen megabytes).

  3. Installing database updates from a folder on the SVM

    The Protection Server automatically installs on SVMs the database updates necessary for the operation of the Protection Server.

    Light Agent checks the availability of an update package in the folder on the SVM to which it is connected.

    To receive updates to databases and application modules, the Light Agent must interact with the Protection Server via the HTTP protocol.

    If an update package is available, Light Agent installs the application database updates required for the operation of Light Agent on the protected virtual machine. Database and application module updates for Light Agent are obtained using the Update local predefined task. This task is created automatically in applications running in Light Agent mode. In this task, a folder on the SVM is specified as the update source. The task starts automatically in the following cases:

    • when connecting the Light Agent to the SVM, if the Kaspersky Security databases on the Light Agent are missing or do not correspond to the databases installed on the Protection Server;
    • 120 minutes after the previous successful update or 20 minutes if the update fails.

    You can also run the Update task manually. For details, see the Help for the application running in Light Agent mode.

  4. Installing Kaspersky Security application module updates from a folder on the SVM

    If application module updates are included in the update package, they are installed in the following way:

    • Updates to the Protection Server modules are installed on the SVM by running the Solution module update on the SVM task for the Protection Server.

      From the command line, you can view the list of installed application module updates on the SVM by running the patch_list.pl script, which is located in the /opt/kaspersky/la/patching/ directory.

    • Updates to Light Agent application modules are installed on virtual machines automatically by running the preset Update local task.

    After installing application module updates for Kaspersky Security components, the performance of each Protection Server and Light Agent is checked. If problems are detected, the application module update is automatically rolled back.

    If errors occur in the operation of the Protection Server after updating application modules, you can manually roll back the module update on the SVM.

To ensure up-to-date protection of non-persistent virtual machines, you are advised to regularly update Light Agent databases and application modules on the virtual machine templates from which non-persistent virtual machines have been deployed.

If you enabled VDI protection mode during installation of Light Agent on the virtual machine template, updates that require restarting the protected virtual machine are not installed on non-persistent virtual machines. On receiving updates that require restarting the protected virtual machine, Light Agent installed on a non-persistent virtual machine sends a message to Kaspersky Security Center informing it that the protected virtual machine template needs to be updated.

In this Help section

Configuring settings for downloading updates to SVMs

Creating a Database update task

Creating a Solution module update on the SVM task

Rolling back the last update of Kaspersky Security databases and application modules

Page top

[Topic 255525]

Configuring settings for downloading updates to SVMs

You can configure the following settings for downloading database and application module updates to SVMs:

  • Enable updating of application modules of Kaspersky Security components.

    If updating application modules is enabled, the Protection Server adds application module updates of Kaspersky Security components to the update package.

    Updates to Light Agent application modules are installed automatically on protected virtual machines. To install Protection Server application module updates, use the Solution module update on the SVM task.

  • Select the versions of Light Agents for which the Protection Server will receive updates. By default, an update package contains the database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows.

    Only Light Agents for which database updates are downloaded to this SVM can connect to the SVM.

    If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, make sure that the update settings in the Protection Server policy specify the version of Light Agent that you are using.

You can use the Web Console or the Administration Console to configure update download settings in a Protection Server policy.

Expand all | Collapse all

How to configure settings for downloading updates to SVMs in Kaspersky Security Center Web Console

To configure the downloading of updates on an SVM:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Update settings section.
  5. In the right part of the window, configure the Update solution modules setting.

    Enables/disables receiving updates for Kaspersky Security application modules along with updates to the solution databases.

    If the check box is selected, the Protection Server receives updates of application modules for Kaspersky Security components along with database updates from the Kaspersky Security Center Administration Server storage.

    This check box is cleared by default.

    If you edit a setting, the new value is applied the next time the database update task on the Protection Server runs.

  6. If necessary, use the check boxes to configure the list of versions of Light Agents for which the Protection Server will receive updates. At least one version must be selected.

    The list contains the supported versions of Light Agents. If the version of the Light Agent you want to receive updates for is not listed, click the Refresh button.

  7. Click the Save button.

How to configure settings for downloading updates to SVMs in Kaspersky Security Center Administration Console

To configure the downloading of updates on an SVM:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Update settings section in the list on the left.
  5. In the right part of the window, configure the Update solution modules setting.

    Enables/disables receiving updates for Kaspersky Security application modules along with updates to the solution databases.

    If the check box is selected, the Protection Server receives updates of application modules for Kaspersky Security components along with database updates from the Kaspersky Security Center Administration Server storage.

    This check box is cleared by default.

    If you edit a setting, the new value is applied the next time the database update task on the Protection Server runs.

  6. If necessary, use the check boxes to configure the list of versions of Light Agents for which the Protection Server will receive updates. At least one version must be selected.

    The list contains the supported versions of Light Agents. If the version of the Light Agent you want to receive updates for is not listed, click the Refresh button.

  7. Click the Apply button.

If you have modified the list of Light Agent versions for which the Protection Server must get updates, we recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).

Page top

[Topic 255622]

Creating a Database update task

You can create database update tasks on the Protection Server using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to create a Database update task in Kaspersky Security Center Web Console

To create a database update task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Click the Add button.

    The New Task Wizard starts.

  3. At the first step of the Wizard:
    1. In the Application drop-down list, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server.
    2. In the Task type drop-down list, select the Database update task type.
    3. In the Task name field, enter the name for the new task.
    4. In the Select devices to which the task will be assigned section, select a method for determining the task scope. A task scope is a set of SVMs on which a task will run.
      • Select the Assign task to an administration group option to execute the task on all SVMs belonging to the specified administration group.
      • Select the Specify device addresses manually or import from list option to execute the task on the specified SVMs.
      • Select the Assign task to selected devices option to execute the task on the SVMs included in the selection of devices according to a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, do one of the following:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required SVMs. If the required SVMs are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by names or IP addresses, add devices from the specified IP address range, or select devices from the list of devices detected by the Administration Server when polling the organization’s local network.
      • Using the Import devices from file button. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of SVMs from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • In the list, select the name of the selection containing the required SVMs.

    Proceed to the next step of the wizard.

  5. Select the Open task properties window after creation check box to configure the task launch schedule, and click the Finish button to exit the wizard.
  6. In the properties window that opens for the new task, go to the Schedule tab. In the Scheduled start drop-down list, select When new updates are downloaded to the repository.

    If necessary, configure other task launch schedule settings. For more information about the task schedule, see the Kaspersky Security Center Help.

  7. Click Save in the policy properties window.

How to create a Database update task in Kaspersky Security Center Administration Console

To create a Database update task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to create a task that will run on SVMs included in the selected administration group, select this administration group in the console tree. Then in the workspace, select the Tasks tab and click the New task button.

      A wizard starts to create a task for devices of the selected administration group.

    • If you want to create a task that will run on one or more SVMs (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

      A wizard starts to create a new task for a set of devices.

  2. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and the Database update task type.

    Proceed to the next step of the wizard.

  3. If you are creating a task for a set of devices, the wizard will prompt you to define the task scope. A task scope is a set of SVMs on which a task will run.
    1. Specify the method for defining the task scope: select SVMs from the list of devices discovered by the Administration Server, manually specify the SVM addresses, import a list of SVMs from a file, or specify a previously configured selection of devices (for details, see the Kaspersky Security Center Help).
    2. Depending on the specified method for defining the scope, perform one of the following operations in the window that opens:
      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes in the list, on the left of the device names.
      • Click the Add or Add IP range button and enter the addresses of SVMs manually.
      • Click the Import button, and in the window that opens select a TXT file with the list of addresses of SVMs.
      • Click the Browse button, and in the window that opens specify the name of the selection containing the SVMs for which you want to create the task.

    Proceed to the next step of the wizard.

  4. In the Scheduled start drop-down list, select When new updates are downloaded to the repository.
  5. If necessary, configure other task launch schedule settings:
    • Run skipped tasks

      If you want the solution to start missed tasks immediately after an SVM appears on the network, select this check box.

      If this check box is cleared, in Manually mode, the task is started only on SVMs that are visible on the network.

    • Use automatically randomized delay for task starts

      By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:

      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task start within the scope of an automatically calculated time period, clear the Use automatically randomized delay for task starts check box.

      This check box is set by default.

    • Use a random delay to start the task in an interval (min)

      If you want to start the task at a given time within a specified period after manual launch, select this check box. In the corresponding text box, specify the maximum task run delay time. In this case, after manual start, the task is started at a random time within the specified period.

      This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

    For more information about the task launch schedule settings, refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  6. In the Name field, enter the name of the new task and proceed to the next step of the new task wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.
  8. Finish the wizard.

The task is started every time the update package is downloaded into the storage of the Administration Server. You can also run the Database update task manually on the Protection Server at any time.

Page top

[Topic 255623]

Creating a Solution module update on the SVM task

You can create solution module update tasks on SVMs using the Web Console as well as the Administration Console.

Expand all | Collapse all

How to create a Solution module update on the SVM task in Kaspersky Security Center Web Console

To create a Solution module update task on an SVM:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Click the Add button.

    The New Task Wizard starts.

  3. At the first step of the Wizard:
    1. In the Application drop-down list, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server.
    2. In the Task type drop-down list, select the Solution module update on the SVM task type.
    3. In the Task name field, enter the name for the new task.
    4. In the Select devices to which the task will be assigned section, select a method for determining the task scope. A task scope is a set of SVMs on which a task will run.
      • Select the Assign task to an administration group option to execute the task on all SVMs belonging to the specified administration group.
      • Select the Specify device addresses manually or import from list option to execute the task on the specified SVMs.
      • Select the Assign task to selected devices option to execute the task on the SVMs included in the selection of devices according to a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, do one of the following:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required SVMs. If the required SVMs are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by names or IP addresses, add devices from the specified IP address range, or select devices from the list of devices detected by the Administration Server when polling the organization’s local network.
      • Using the Import devices from file button. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of SVMs from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • In the list, select the name of the selection containing the required SVMs.

    Proceed to the next step of the wizard.

  5. Select the Open task properties window after creation check box to configure the task launch schedule, and click the Finish button to exit the wizard.
  6. In the properties window that opens for the new task, go to the Schedule tab. In the Scheduled start drop-down list, select Manually.

    It is not recommended to use other launch schedule options for the Solution module update on the SVM task.

    If necessary, configure other task launch schedule settings. For more information about the task schedule, see the Kaspersky Security Center Help.

  7. Click Save in the policy properties window.

How to create a Solution module update on the SVM task in Kaspersky Security Center Administration Console

To create a Solution module update task on an SVM:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to create a task that will run on SVMs included in the selected administration group, select this administration group in the console tree. Then in the workspace, select the Tasks tab and click the New task button.

      A wizard starts to create a task for devices of the selected administration group.

    • If you want to create a task that will run on one or more SVMs (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

      A wizard starts to create a new task for a set of devices.

  2. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and the Solution module update on the SVM task type.

    Proceed to the next step of the wizard.

  3. If you are creating a task for a set of devices, the wizard will prompt you to define the task scope. A task scope is a set of SVMs on which a task will run.
    1. Specify the method for defining the task scope: select SVMs from the list of devices discovered by the Administration Server, manually specify the SVM addresses, import a list of SVMs from a file, or specify a previously configured selection of devices (for details, see the Kaspersky Security Center Help).
    2. Depending on the specified method for defining the scope, perform one of the following operations in the window that opens:
      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes in the list, on the left of the device names.
      • Click the Add or Add IP range button and enter the addresses of SVMs manually.
      • Click the Import button, and in the window that opens select a TXT file with the list of addresses of SVMs.
      • Click the Browse button, and in the window that opens specify the name of the selection containing the SVMs for which you want to create the task.

    Proceed to the next step of the wizard.

  4. In the Scheduled start drop-down list, select Manually.

    It is not recommended to use other launch schedule options for the Solution module update on the SVM task.

  5. If necessary, configure other task launch schedule settings:
    • Run skipped tasks

      If you want the solution to start missed tasks immediately after an SVM appears on the network, select this check box.

      If this check box is cleared, in Manually mode, the task is started only on SVMs that are visible on the network.

    • Use automatically randomized delay for task starts

      By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:

      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task start within the scope of an automatically calculated time period, clear the Use automatically randomized delay for task starts check box.

      This check box is set by default.

    • Use a random delay to start the task in an interval (min)

      If you want to start the task at a given time within a specified period after manual launch, select this check box. In the corresponding text box, specify the maximum task run delay time. In this case, after manual start, the task is started at a random time within the specified period.

      This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

    For more information about the task launch schedule settings, refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  6. In the Name field, enter the name of the new task and proceed to the next step of the new task wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.
  8. Finish the wizard.

You can run the Solution module update on the SVM task manually at any time.

Page top

[Topic 255673]

Rolling back the last update of Kaspersky Security databases and application modules

After Kaspersky Security databases and application modules are updated for the first time, the ability to roll back databases and application modules to their previous versions becomes available.

Every time a database update is started on the Protection Server, Kaspersky Security creates a backup copy of the existing databases and application modules and only then proceeds to update them. This makes it possible to return to the previous version of databases and application modules if necessary. The ability to roll back an update is useful if, for example, the new version of the application database contains an invalid signature that causes Kaspersky Security to block a safe application.

A rollback of the last update of Kaspersky Security databases and application modules is performed as follows:

  1. The Protection Server component rolls back the last update of Kaspersky Security databases and application modules on SVMs. You can roll back the last update of databases and application modules on one or more SVMs:

    When rolling back the latest update of databases and application modules on the SVM, the Protection Server also rolls back updates of Light Agent databases, which are located in a folder on the SVM. The Protection Server sends Light Agents an event indicating that an update is required.

  2. After the database and application module update is rolled back on the SVM, a special Update local task is automatically launched on the Light Agents connected to the SVM. In this task, a folder on the SVM is specified as the update source.

    The update task causes the Light Agent to switch to using the previous set of Kaspersky Security databases.

In this section:

Creating a Database update rollback task

Rolling back an application module update on an SVM

Page top

[Topic 255675]

Creating a Database update rollback task

You can create Database update rollback tasks using the Web Console as well as the Administration Console.

How to create a Database update rollback task in Kaspersky Security Center Web Console

To create a Database update rollback task:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices) → Tasks.

    A list of tasks opens.

  2. Click the Add button.

    The New Task Wizard starts.

  3. At the first step of the Wizard:
    1. In the Application drop-down list, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server.
    2. In the Task type drop-down list, select the Database update rollback task type.
    3. In the Task name field, enter the name for the new task.
    4. In the Select devices to which the task will be assigned section, select a method for determining the task scope. A task scope is a set of SVMs on which a task will run.
      • Select the Assign task to an administration group option to execute the task on all SVMs belonging to the specified administration group.
      • Select the Specify device addresses manually or import from list option to execute the task on the specified SVMs.
      • Select the Assign task to selected devices option to execute the task on the SVMs included in the selection of devices according to a predefined criterion. For details on creating a selection of devices, please refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  4. Depending on the selected method for defining the task scope, do one of the following:
    • In the administration group tree, select the check boxes next to the required administration groups.
    • In the list of devices, select the check boxes next to the required SVMs. If the required SVMs are not listed, you can add them in the following ways:
      • Using the Add devices button. You can add devices by names or IP addresses, add devices from the specified IP address range, or select devices from the list of devices detected by the Administration Server when polling the organization’s local network.
      • Using the Import devices from file button. Addresses are imported from a TXT file with a list of addresses of SVMs, with each address in a separate row.

      If you import a list of SVMs from file or specify the addresses manually and the SVMs are identified by name, the list of SVMs for which the task is being created can be supplemented only with those SVMs whose details have already been included in the Administration Server database upon connection of SVMs or following a poll of the local area network.

    • In the list, select the name of the selection containing the required SVMs.

    Proceed to the next step of the wizard.

  5. Select the Open task properties window after creation check box to configure the task launch schedule, and click the Finish button to exit the wizard.
  6. In the properties window that opens for the new task, go to the Schedule tab. In the Scheduled start drop-down list, select Manually.

    If necessary, configure other task launch schedule settings. For more information about the task schedule, see the Kaspersky Security Center Help.

  7. Click Save in the policy properties window.

How to create a Database update rollback task in Kaspersky Security Center Administration Console

To create a Database update rollback task:

  1. In the Kaspersky Security Center Administration Console, perform one of the following actions:
    • If you want to create a task that will run on SVMs included in the selected administration group, select this administration group in the console tree. Then in the workspace, select the Tasks tab and click the New task button.

      A wizard starts to create a task for devices of the selected administration group.

    • If you want to create a task that will run on one or more SVMs (a task for a set of devices), select the Tasks folder in the console tree and click the New task button in the workspace.

      A wizard starts to create a new task for a set of devices.

  2. At the first step of the wizard, select Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and the Database update rollback task type.

    Proceed to the next step of the wizard.

  3. If you are creating a task for a set of devices, the wizard will prompt you to define the task scope. A task scope is a set of SVMs on which a task will run.
    1. Specify the method for defining the task scope: select SVMs from the list of devices discovered by the Administration Server, manually specify the SVM addresses, import a list of SVMs from a file, or specify a previously configured selection of devices (for details, see the Kaspersky Security Center Help).
    2. Depending on the specified method for defining the scope, perform one of the following operations in the window that opens:
      • In the list of detected devices, specify the SVMs on which the task will be run. To do so, select the check boxes in the list, on the left of the device names.
      • Click the Add or Add IP range button and enter the addresses of SVMs manually.
      • Click the Import button, and in the window that opens select a TXT file with the list of addresses of SVMs.
      • Click the Browse button, and in the window that opens specify the name of the selection containing the SVMs for which you want to create the task.

    Proceed to the next step of the wizard.

  4. In the Scheduled start drop-down list, select Manually.
  5. If necessary, configure other task launch schedule settings:
    • Run skipped tasks

      If you want the solution to start missed tasks immediately after an SVM appears on the network, select this check box.

      If this check box is cleared, in Manually mode, the task is started only on SVMs that are visible on the network.

    • Use automatically randomized delay for task starts

      By default, the time of task start on SVMs is randomized with the scope of a certain time period. This period is calculated automatically depending on the number of SVMs covered by the task:

      • 0–200 SVMs – task start is not randomized
      • 200–500 SVMs – task start is randomized within the scope of 5 minutes
      • 500–1000 SVMs – task start is randomized within the scope of 10 minutes
      • 1000–2000 SVMs – task start is randomized within the scope of 15 minutes
      • 2000–5000 SVMs – task start is randomized within the scope of 20 minutes
      • 5000–10000 SVMs – task start is randomized within the scope of 30 minutes
      • 10000–20000 SVMs – task start is randomized within the scope of 1 hour
      • 20000–50000 SVMs – task start is randomized within the scope of 2 hours
      • over 50000 SVMs – task start is randomized within the scope of 3 hours

      If you do not need to randomize the time of task start within the scope of an automatically calculated time period, clear the Use automatically randomized delay for task starts check box.

      This check box is set by default.

    • Use a random delay to start the task in an interval (min)

      If you want to start the task at a given time within a specified period after manual launch, select this check box. In the corresponding text box, specify the maximum task run delay time. In this case, after manual start, the task is started at a random time within the specified period.

      This check box can be changed if the Use automatically randomized delay for task starts check box is cleared.

    For more information about the task launch schedule settings, refer to the Kaspersky Security Center help.

    Proceed to the next step of the wizard.

  6. In the Name field, enter the name of the new task and proceed to the next step of the new task wizard.
  7. If you want the task to start as soon as the New Task Wizard finishes, select the Run task when the wizard is complete check box.
  8. Finish the wizard.

You can run a Database update rollback task manually at any time.

Page top

[Topic 255674]

Rolling back an application module update on an SVM

A script is used to roll back the Kaspersky Security module update on SVMs.

To roll back an application module update on SVMs,

In the command line on the SVM, run the script named patch_rollback.pl located in the /opt/kaspersky/la/patching/ folder.

The script lets you roll back only the most recently installed application module update. You can view a list of all installed updates by running the command line script named patch_list.pl located in the /opt/kaspersky/la/patching/ folder.

Page top

[Topic 254188]

Using Kaspersky Security Network

The KSN functionality may not be available in the solution in the territory of the USA.

To enhance the protection of virtual machines, Kaspersky Security solution components can use data received from Kaspersky users all over the world. Kaspersky Security Network is designed for getting such data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by the Kaspersky Security solution to unknown threats, improves the performance of some protection components, and reduces the likelihood of false positives.

Kaspersky Security supports the following infrastructure solutions to work with Kaspersky's reputation databases:

  • Kaspersky Security Network (KSN) – A solution that receives information from Kaspersky and sends data about objects detected on user devices to Kaspersky for additional verification by Kaspersky analysts and to add to reputation and statistical databases.
  • Kaspersky Private Security Network (KPSN) – A solution that allows accessing Kaspersky's reputation databases, as well as other statistical data, without sending data to Kaspersky. KPSN is designed for corporate clients who can't use Kaspersky Security Network, for example, for the following reasons:
    • No connection of local workplaces to the Internet
    • Legal prohibition or corporate security restrictions on sending any data outside the country or the organization's local network

If you use Kaspersky Security Network, KSN services provide Kaspersky Security solution components with information about the category and reputation of scanned files, as well as information about the reputation of scanned web addresses.

Use of Kaspersky Security Network is voluntary. You can start or stop using KSN at any time.

Settings for using KSN in the operation of Kaspersky Security solution components are specified separately for each component. For information on configuring KSN for Light Agents, see the Help of the applications that you are using Light Agent mode.

It is recommended to specify the same KSN usage settings for the Protection Server and the Light Agent that interacts with this Protection Server.

Using KSN in the operation of the Protection Server

Use of KSN is enabled and disabled in the Protection Server policy properties.

If you have enabled the use of Kaspersky Security Network, by default the Protection Server uses KSN in extended mode. The KSN mode affects the amount of data that is transmitted to Kaspersky when KSN is being used.

The Protection Server's interaction with the KSN infrastructure is facilitated by the KSN Proxy service. To use KSN in Kaspersky Security operations, the KSN Proxy service must be enabled in Kaspersky Security Center. For more information about the KSN Proxy service, see the Kaspersky Security Center Help.

If the KSN Proxy service is disabled in Kaspersky Security Center, no data is exchanged between the Protection Server and KSN. If the use of KSN is enabled in the Protection Server policy, Kaspersky Security's performance may decrease. It is recommended to disable KSN usage in the Protection Server policy if the KSN Proxy service is disabled in Kaspersky Security Center.

The KSN infrastructure solution (KSN or KPSN) used by the Protection Server is defined in the properties of the Kaspersky Security Center Administration Server (in Administration Console, in the KSN proxy server section; or in Web Console, in the KSN proxy server settings section). In this section you can also configure KPSN settings. For details, please refer to the Kaspersky Security Center help.

In this Help section

About data provision when using KSN in the operation of the Protection Server

Viewing the Kaspersky Security Network Statement

Configuring the use of KSN in the operation of the Protection Server

Page top

[Topic 254190]

About data provision when using KSN in the operation of the Protection Server

For information about data provision when Light Agent use KSN, see the Help of the applications that are used in Light Agent mode.

If you use KSN in standard mode, you agree to automatically send the following data to Kaspersky:

  • Information necessary for scanning files: name and ID of the detected threat according to the Kaspersky classification, checksum of the scanned object or type of hash function, and the ID of the utilized anti-virus databases.
  • Information necessary for obtaining the reputation of web addresses: the scanned web address, type of connection protocol, utilized port number, and the web address from which the user was directed to the scanned web address.
  • General information: type and full version of the Kaspersky Security solution, information about solution components and about updates of the solution's application modules, and information about the operating system installed on the SVMs and protected virtual machines.

If you use KSN in Extended mode, you agree to automatically submit to Kaspersky all data listed in Kaspersky Security Network Statement. Files (or parts thereof) that could be exploited by hackers to harm the virtual machine or data stored in its operating system may also be sent to Kaspersky for analysis. Extended KSN is used by default. You can disable the use of extended KSN in the Protection Server policy properties.

You can view the text of the Kaspersky Security Network Statement in the Protection Server policy properties in the Kaspersky Security Network settings section.

For information about the storage, protection and destruction of statistical information that is obtained during the use of KSN and transmitted to Kaspersky, please refer to the Privacy Policy on Kaspersky website.

If you do not participate in Kaspersky Security Network, the data listed in the Kaspersky Security Network Statement is not transmitted to Kaspersky.

Page top

[Topic 254191]

Viewing the Kaspersky Security Network Statement

You can read the Kaspersky Security Network Statement in the Protection Server policy properties.

Expand all | Collapse all

How to view the Kaspersky Security Network Statement in Kaspersky Security Center Web Console

To view the Kaspersky Security Network Statement:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Servers. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Kaspersky Security Network settings section.
  5. Follow the Kaspersky Security Network Statement link.

This opens a window containing the text of the Kaspersky Security Network Statement.

How to view the Kaspersky Security Network Statement in Kaspersky Security Center Administration Console

To view the Kaspersky Security Network Statement:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Servers.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Kaspersky Security Network settings section in the list on the left.
  5. On the right side, follow the Kaspersky Security Network Statement link.

This opens a window containing the text of the Kaspersky Security Network Statement.

Page top

[Topic 254192]

Configuring the use of KSN in the operation of the Protection Server

KSN services are used in the operation of the Protection Server if the use of KSN is enabled in the active Protection Server policy. If a policy with use of KSN enabled is inactive, KSN is not used by the Protection Server.

If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in Administration Console, in the KSN proxy server section; in Web Console, in the KSN proxy server settings section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. For details, please refer to the Kaspersky Security Center help.

Expand all | Collapse all

How to configure use of KSN in Kaspersky Security Center Web Console

To configure KSN:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Kaspersky Security Network settings section.
  5. To enable the use of KSN, in the right part of the window do the following:
    1. Select the Use KSN check box.
    2. In the opened window, read the Kaspersky Security Network Statement.
    3. If you agree with all the terms of the Statement, select I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement and click OK.
    4. By default, KSN is used in extended mode. The KSN mode affects the amount of data that is automatically transmitted to Kaspersky when KSN is being used. If you want to disable the use of extended KSN, clear the Extended KSN mode check box.
  6. If you want to disable the use of KSN, clear the Use KSN check box.
  7. Click the Save button.

How to configure the use of KSN in Kaspersky Security Center Administration Console

To configure KSN:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Kaspersky Security Network settings section in the list on the left.
  5. To enable the use of KSN, in the right part of the window do the following:
    1. Select the Use KSN check box.
    2. In the opened window, read the Kaspersky Security Network Statement.
    3. If you agree with all the terms of the Statement, select I confirm that I have fully read, understand, and accept the terms and conditions of the Kaspersky Security Network Statement and click OK.
    4. By default, KSN is used in extended mode. The KSN mode affects the amount of data that is automatically transmitted to Kaspersky when KSN is being used. If you want to disable the use of extended KSN, clear the Extended KSN mode check box.
  6. If you want to disable the use of KSN, clear the Use KSN check box.
  7. Click the Apply button.
Page top

[Topic 255830]

Additional Protection Server settings

You can configure the following additional settings for the Protection Server:

  • Maximum number of simultaneous scan requests on the Protection Server.
  • Maximum number of scan tasks started by schedule on the Protection Server.
  • Maximum number of scan tasks manually started on the Protection Server.
  • Trace level for the Protection Server.

You first need to enable the display of additional parameters in the Protection Server policy. By default, additional settings are not displayed.

In this Help section

Configuring the display of additional Protection Server settings

Configuring additional Protection Server settings

Page top

[Topic 255831]

Configuring the display of additional Protection Server settings

If you want to configure additional Protection Server settings using Kaspersky Security Center Administration Console, you need to create an AdvancedUI key whose type is REG_DWORD and set its value to 1 in the following branch of the operating system registry on the device where Kaspersky Security Center Administration Console is installed:

  • HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Products\SVM\<version number>\Settings\ – for 32-bit operating systems
  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\Products\SVM\<version number>\Settings\ – for 64-bit operating systems

    where <version number> is the number of the installed version of the Kaspersky Security solution, in X.X.X.X format.

If you want to configure advanced SVM settings using Web Console, you need to create the file AdvancedPluginSettings.json in the following folder:

  • %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\svm_<version number> – for devices with Windows operating systems
  • /var/opt/kaspersky/ksc-web-console/server/plugins/svm_<version number> – for devices with Linux operating systems

    where <version number> is the number of the installed version of the Kaspersky Security solution, in X_X_X_X format.

The structure and parameters of the AdvancedPluginSettings.json file can be viewed in the template file named ~AdvancedPluginSettings.json, located in the same folder.

The AdvancedPluginSettings.json file must contain the AdvancedUI parameter with the 1 value:

{

"AdvancedUI" : 1

}

After the file is created or saved, reopen the Protection Server policy in the Web Console.

Page top

[Topic 255851]

Configuring additional Protection Server settings

You can configure additional settings for the Protection Server in the Protection Server policy using Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console. You first need to enable the display of additional settings in the policy.

Expand all | Collapse all

How to configure additional settings for the Protection Server in Kaspersky Security Center Administration Console

To edit advanced Protection Server settings:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the Advanced settings section in the list on the left.
  5. In the right part of the window, configure the following settings:
    • Maximum number of simultaneous scan requests

      Maximum number of scan requests from Light Agents simultaneously processed by the Protection Server. Light Agents generate scan requests during protection of virtual machines and while running scan tasks.

      By default, the Protection Server can process 75 scan requests simultaneously.

    • Maximum number of scan tasks started by schedule

      Maximum number of simultaneous scan tasks running on the Protection Server that have been started according to the Light Agent schedule. These scan tasks are low-priority tasks for the Protection Server.

      By default, five low-priority scan tasks are performed simultaneously.

    • Maximum number of scan tasks started manually

      Maximum number of simultaneous scan tasks running on the Protection Server that were started manually. These scan tasks are high-priority tasks for the Protection Server.

      By default, five high-priority scan tasks are performed simultaneously.

    • Trace level

      Drop-down list where you can select the trace level for the Protection Server (scanserver service on the SVM). The trace levels are arranged so that each level includes all of the levels below it.

      The following items are available from the drop-down list:

      • Default value. Default value.
      • Tracing is disabled (0). Creation of trace files is disabled.
      • Starting and stopping components (100). Informational messages about starting and stopping the Protection Server.
      • Critical errors (200). Messages about critical errors in the operation of the Protection Server.
      • Errors (300). Messages about errors and critical errors in the operation of the Protection Server.
      • Critical warnings (400). Critical warnings and messages about ordinary and critical errors.
      • Warnings (500). All warnings and messages about ordinary and critical errors.
      • Important messages (600). Important messages, all warnings and messages about ordinary and critical errors.
      • Informational messages (700). Informational messages, important messages and all warnings and messages about ordinary and critical errors.
      • Debugging messages (800). Debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • Detailed debugging messages (900). Debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • All messages (1000). All possible messages and warnings.
    • Restore default settings

      Restores the default settings.

  6. Click the Apply button.

How to configure additional settings for the Protection Server in Kaspersky Security Center Web Console

To edit advanced Protection Server settings:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the Advanced settings section.
  5. In the right part of the window, configure the following settings:
    • Maximum number of simultaneous scan requests

      Maximum number of scan requests from Light Agents simultaneously processed by the Protection Server. Light Agents generate scan requests during protection of virtual machines and while running scan tasks.

      By default, the Protection Server can process 75 scan requests simultaneously.

    • Maximum number of scan tasks started by schedule

      Maximum number of simultaneous scan tasks running on the Protection Server that have been started according to the Light Agent schedule. These scan tasks are low-priority tasks for the Protection Server.

      By default, five low-priority scan tasks are performed simultaneously.

    • Maximum number of scan tasks started manually

      Maximum number of simultaneous scan tasks running on the Protection Server that were started manually. These scan tasks are high-priority tasks for the Protection Server.

      By default, five high-priority scan tasks are performed simultaneously.

    • Trace level

      Drop-down list where you can select the trace level for the Protection Server (scanserver service on the SVM). The trace levels are arranged so that each level includes all of the levels below it.

      The following items are available from the drop-down list:

      • Default value. Default value.
      • Tracing is disabled (0). Creation of trace files is disabled.
      • Starting and stopping components (100). Informational messages about starting and stopping the Protection Server.
      • Critical errors (200). Messages about critical errors in the operation of the Protection Server.
      • Errors (300). Messages about errors and critical errors in the operation of the Protection Server.
      • Critical warnings (400). Critical warnings and messages about ordinary and critical errors.
      • Warnings (500). All warnings and messages about ordinary and critical errors.
      • Important messages (600). Important messages, all warnings and messages about ordinary and critical errors.
      • Informational messages (700). Informational messages, important messages and all warnings and messages about ordinary and critical errors.
      • Debugging messages (800). Debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • Detailed debugging messages (900). Debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
      • All messages (1000). All possible messages and warnings.
    • Restore default settings

      Restores the default settings.

  6. Click the Apply button.
Page top

[Topic 250878]

Reports and notifications

Various types of events occur during the operation of Kaspersky Security solution components. They can be either formal or critical. For example, the solution component can use events to notify about a successful update of the solution's databases and application modules, or to inform about an error in the operation of the solution component that must be eliminated.

A list of all solution component events is displayed in Kaspersky Security Center Administration Console and in Kaspersky Security Center Web Console. You can configure event notifications. A notification is a message containing information about an event that occurred on an SVM or a protected virtual machine. You can use notifications to promptly inform the user about events that occur during the operation of the solution.

You can generate various reports based on the events that occur during the operation of Kaspersky Security solution components.

You can use Kaspersky Security Center reports to, for example, receive information about infected files, modifications to protection settings, and the use of keys and application databases. You can generate and view Kaspersky Security Center reports in the Administration Console and in the Web Console. For detailed information about events and working with Kaspersky Security Center reports, see the Kaspersky Security Center Help.

Page top

[Topic 152165]

SVM reconfiguration

You can change the following settings in the configuration of deployed SVMs:

  • Mode for remote access to SVMs via SSH.
  • List of virtual networks that SVMs use to connect to Light Agents, the Integration Server, and the Kaspersky Security Center Administration Server, as well as SVM IP addressing settings.
  • IP addresses of DNS servers.
  • Settings of SVM connection to the Kaspersky Security Center Administration Server.
  • Configuration password and root account password.

You can reconfigure an SVM in the following ways:

You can also reconfigure SVMs using the klconfig script API manually or using automation tools.

In this Help section

Reconfiguring SVMs using Integration Server Web Console

SVM reconfiguration using the Integration Server Console

Page top

[Topic 197590]

Reconfiguring SVMs using Integration Server Web Console

To manage SVM settings using Integration Server Web Console, you need to create and run a task an SVM reconfiguration task for the Integration Server to reconfigure the selected SVM.

After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.

When the task completes successfully, the selected SVM is reconfigured.

To create and run an SVM reconfiguration task for the Integration Server:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the SVM management section.
  3. Click the New task button and select SVM reconfiguration from the drop-down list.

    The Integration Server New Task Wizard will start.

  4. Follow the wizard instructions.

In this section

Selecting SVM for reconfiguration

Entering the configuration password

Editing SVM network settings

Changing SVM IP settings

Changing Kaspersky Security Center connection settings

Changing the configuration password and root account settings

Start task for SVM reconfiguration

Start task for SVM reconfiguration (OpenStack)

Page top

[Topic 74291]

Selecting SVM for reconfiguration

At this step, you must select the SVM or SVMs that you want to reconfigure.

The table displays information about the virtual infrastructures to which connections are configured for the Integration Server. The table also contains information about deployed SVMs. Each row of the table displays the following information about the virtual infrastructure object:

  • Name/Address

    This column contains the IP addresses or fully qualified domain names (FQDN) of the virtual infrastructure objects to which the Integration Server connects, and the names of the SVMs deployed on the hypervisors.

    Depending on the type of virtual infrastructure, the column may display:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • OpenStack project and domain name.
  • Status

    This column contains information about the status of the Integration Server's connection to the virtual infrastructure, the state of the infrastructure objects to which the connection is made, and the state of the SVMs deployed in the infrastructure.

    If the Integration Server is not connected to the virtual infrastructure object, the column displays an error message.

  • SVM version

    This column contains the SVM version number.

  • Infrastructure object type

    The column contains the type of the virtual infrastructure object that the Integration Server will connect to.

You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.

You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

If the virtual infrastructure in which you want to reconfigure the SVM is not in the list, you need to configure a connection from the Integration Server to this virtual infrastructure.

To selecting an SVM for reconfiguration,

In the table, select the check boxes to the left of the names of the SVMs you want to reconfigure.

If SVMs are being reconfigured in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can reconfigure SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

SVMs in OpenStack projects that are running on different Keystone microservices cannot be reconfigured simultaneously. You can simultaneously reconfigure SVMs deployed in OpenStack projects that are running on the same Keystone microservice.

Proceed to the next step of the wizard.

Page top

[Topic 67759]

Entering the configuration password

At this step, specify the configuration password that was created during SVM deployment.

Proceed to the next step of the wizard.

Page top

[Topic 65904]

Editing SVM network settings

At this step, you can edit the network settings of the SVM.

Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.

To change SVM network settings:

  1. Select the Change SVM network settings check box.

    The window displays a table containing the following information about SVMs selected for reconfiguration:

    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

      The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project name

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

      The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

  2. For each SVM, specify one or more virtual networks in the Network name column.

    The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    You can specify one or more virtual networks. To add a field for selecting virtual networks, use the button located next to the network selection field.

    If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

    If the virtual infrastructure uses the VMware Distributed Virtual Switch component, you can specify a Distributed Virtual Port Group to which the SVM will be connected.

  3. If you have selected to reconfigure SVMs deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can also specify one or more security groups for each selected network in the Security group column.

    Set of network traffic filtering rules that are created in the virtual infrastructure and applied in the virtual network.

    The drop-down list displays all available security groups. You can specify one or more security groups for each selected virtual network. To select a security group, select the check box to the left of its name. The names of the selected security groups are displayed in the field.

  4. If the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.

    The ID of the virtual local area network (VLAN) that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    If VLAN is not used, the column shows No.

Proceed to the next step of the wizard.

Page top

[Topic 65907]

Changing SVM IP settings

For this step, you can edit IP addressing settings used for all SVMs. You can use dynamic or static IP addressing.

To edit the IP address settings:

  1. Select the Edit SVM IP settings check box.

    If you added virtual networks for one or more SVMs at the previous step of the Wizard, the Edit SVM IP settings check box is not displayed. You cannot proceed to the next step until the network settings of SVMs selected for reconfiguration have been configured.

  2. If you want to specify all network settings of the SVM manually, select Static IP addressing. This opens a table containing the following information:
    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

      The Hypervisor address column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project name

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

      The OpenStack project name column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    Specify the following network settings for each SVM:

    • SVM IP address
    • Subnet mask
    • Gateway
    • DNS server
    • Alternative DNS
  3. If you want to use DHCP network settings for all SVMs, select Dynamic IP addressing (DHCP).

    By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM. If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.

    If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:

    • Hypervisor address

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

      The Hypervisor address column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project name

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

      The OpenStack project name column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.

Proceed to the next step of the wizard.

Page top

[Topic 293532]

Changing Kaspersky Security Center connection settings

At this step, you can edit the settings of SVM connection to the Kaspersky Security Center Administration Server.

To edit the settings for connecting SVMs to Kaspersky Security Center Administration Server:

  1. Select the Edit settings for SVM connection to Kaspersky Security Center check box.
  2. Specify the following settings:
    • Address

      Address of the device hosting the Kaspersky Security Center Administration Server. You can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device.

    • Port

      Number of the port for connecting the SVM to the Kaspersky Security Center Administration Server.

    • SSL port

      Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate.

Proceed to the next step of the wizard.

Page top

[Topic 65890]

Changing the configuration password and root account settings

At this step, you can modify the following settings:

  • Configuration password (the password used to reconfigure SVMs).
  • Root account password.
  • Remote access mode to the SVM over SSH for the root user account.

If you want to change the configuration password, select the Change the klconfig account password (configuration password) check box and specify the new configuration password in the Password and Confirm password fields.

If you want to change the root account password, select the Change the root account password check box and specify the new password in the Password and Confirm password fields.

Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

If you want to change the mode of remote access over SSH to the SVM, select the Change remote access for the root account check box, and then select or clear the Allow remote access to SVM for the root account via SSH check box.

Proceed to the next step of the wizard.

Page top

[Topic 65889]

Start task for SVM reconfiguration

This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

This step displays all the settings of the created SVM reconfiguration task for the Integration Server:

  • The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
  • The list at the top of the window contains information about which configuration settings will be changed for all the SVMs that you selected when creating the task. For the settings that will be changed, the new value is displayed.
  • The table at the bottom of the window contains the individual settings for each SVM.

To start the SVM reconfiguration task, click the Start button.

You can monitor the task progress in Integration Server Web Console, in the SVM management section.

Page top

[Topic 65905]

Start task for SVM reconfiguration (OpenStack)

This step is displayed if you are reconfiguring an SVM in a virtual infrastructure running the TIONIX Cloud Platform or in a virtual infrastructure running the OpenStack platform.

This step displays all the settings of the created SVM reconfiguration task for the Integration Server:

  • The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
  • The upper part of the window displays the IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project in which the SVMs are deployed. The list below contains information about which configuration settings will be changed for all the SVMs that you selected when creating the task. For the settings that will be changed, the new value is displayed.
  • The table at the bottom of the window contains individual settings for each SVM:

To start the SVM reconfiguration task, click the Start button.

You can monitor the task progress in Integration Server Web Console, in the SVM management section.

Page top

[Topic 75917]

Selecting an action

At this step, choose the SVM reconfiguration option.

Proceed to the next step of the wizard.

Page top

[Topic 265508]

Selecting SVM for reconfiguration

At this step, you must select the SVM or SVMs that you want to reconfigure.

The table displays the following information about the virtual infrastructures, to which the SVM Management Wizard connection is configured, as well as information about the deployed SVMs:

  • Name/Address

    Depending on the type of virtual infrastructure, the column may contain the following:

    • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
    • IP address or the fully qualified domain name of the hypervisor
    • IP address or the fully qualified domain name of the Keystone microservice
    • Name of the OpenStack domain
    • Name of the OpenStack project
    • Name of the SVM deployed on the hypervisor

    If the connection with the virtual infrastructure could not be established, the warning icon is displayed against this connection in the column. A description of the connection error is shown in the table and in the tooltip of the warning icon.

  • State

    This column contains information on the state of the virtual infrastructure object or the SVM.

    For the hypervisor, one of the following values is specified: Enabled or Disabled. If a connection to the hypervisor cannot be established, the column shows Disconnected.

    For the Keystone microservice, the OpenStack project, and the OpenStack domain, one of the following values is specified: Enabled or Disconnected.

    One of the following values is specified for an SVM: Enabled, Disabled.

  • Protection

    This column contains the SVM version number.

  • Type

    This column contains the type of virtual infrastructure object that the SVM Management Wizard will connect to.

You can search the list of virtual infrastructure objects. The search is performed based on the value of the Name/Address. The search starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.

To selecting an SVM for reconfiguration,

In the table, select the check boxes to the left of the names of the SVMs you want to reconfigure.

If SVMs are being reconfigured in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can reconfigure SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.

SVMs in OpenStack projects that are running on different Keystone microservices cannot be reconfigured simultaneously. You can simultaneously reconfigure SVMs deployed in OpenStack projects that are running on the same Keystone microservice.

If the list does not contain virtual infrastructure, in which you want to reconfigure SVM, you must configure the SVM Management Wizard connection to this virtual infrastructure.

To configure the connection of SVM Management Wizard to the virtual infrastructure:

  1. Click the Add button.
  2. In the Virtual infrastructure connection settings window that opens, specify the following settings:
    • Type

      Type of virtual infrastructure object that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, select a hypervisor, virtual infrastructure administration server, or Keystone microservice.

    • Protocol

      Protocol used to connect SVM Management Wizard to the virtual infrastructure. By default, the HTTPS protocol is used.

      The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • Addresses

      Addresses of the virtual infrastructure objects that SVM Management Wizard will connect to.

      Depending on the type of virtual infrastructure, you need to specify the hypervisor address or the address of the virtual infrastructure administration server. To connect to an OpenStack-based infrastructure, you need to specify the address of the Keystone microservice.

      The address can be specified as the IP address in IPv4 format or the fully qualified domain name (FQDN).

      You can specify multiple addresses by separating them with a semicolon, a space, or a new line. The number of correctly recognized addresses is shown under the list of addresses.

      In this field, you can also specify the port used to connect to the virtual infrastructure object in the format <IP address>:<port>.

      If you are configuring a connection to Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service, you can specify the address of the cluster. All hypervisors that are part of the cluster will be added to the list.

      If you are configuring a connection to VMware ESXi hypervisors managed by VMware vCenter Servers running in Linked mode, you can specify the address of any of these VMware vCenter Servers. All the hypervisors running on VMware vCenter servers in Linked mode will be added to the list.

      If you are configuring a connection to hypervisors that are managed by Microsoft SCVMM, you can specify the settings for connecting to Microsoft SCVMM. All hypervisors that are managed by Microsoft SCVMM will be added to the list.

      If you are configuring a connection to an infrastructure managed by Nutanix Prism Element, you need to specify the Nutanix Prism Element address. If the infrastructure is managed by Nutanix Prism Central, specify the Nutanix Prism Central address. All Nutanix Prism Element servers managed by Nutanix Prism Central will be added to the list.

    • OpenStack domain

      Name of the OpenStack domain that contains an account used to connect SVM Management Wizard to the virtual infrastructure object.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      Name of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration. This account must have privileges that are sufficient for SVM deployment, removal and reconfiguration.

      If you use a domain account to connect to a virtual infrastructure object, you can specify the account name in the <domain>\<user name> or <user name>@<domain> format.

    • Password

      Password of the user account that the SVM Management Wizard uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  3. Click the Connect button.

    The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.

    The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.

    Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.

    For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.

    To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.

    If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.

    If the authenticity of the open key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the open key and continue the connection. The open key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this open key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.

    If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.

You can use the Refresh button above the table to update the list of virtual infrastructure objects. When updating a list, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

You can use buttons in the Name/Address column to:

  • Remove selected virtual infrastructure from the list.

    The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.

  • If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.

    After the settings are modified, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.

Proceed to the next step of the wizard.

Page top

[Topic 67759_1]

Entering the configuration password

At this step, specify the configuration password that was created during SVM deployment.

Proceed to the next step of the wizard.

Page top

[Topic 274248]

Editing SVM network settings

This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

At this step, you can change the virtual network(s) that the SVMs use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.

To change the list of virtual networks used by an SVM:

  1. Select the Change SVM network settings check box.

    The window displays a table containing the following information about SVMs selected for reconfiguration:

    • Hypervisor

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

    • SVM name

      The name that was defined when specifying SVM settings.

  2. For each SVM, specify one or more virtual networks in the Network name column.

    The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    You can specify one or more virtual networks available on the hypervisor. To add or remove a field for selecting virtual networks, use the buttons next to the network selection field.

    If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

    If the virtual infrastructure uses the VMware Distributed Virtual Switch component, you can specify a Distributed Virtual Port Group to which the SVM will be connected.

  3. If the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.

    The ID of the virtual local area network (VLAN) that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    If VLAN is not used, the column shows No.

Proceed to the next step of the wizard.

Page top

[Topic 93765]

Editing SVM network settings (infrastructures based on OpenStack)

This step is displayed if you are performing SVM reconfiguration in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

At this step, you can change the virtual network or networks that the SVMs use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server, and can change the Security Group for each virtual network.

Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.

To change SVM network settings:

  1. Select the Change SVM network settings check box.

    The window displays a table containing the following information about SVMs selected for reconfiguration:

    • OpenStack project

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

    • SVM name

      The name that was defined when specifying SVM settings.

  2. For each SVM, specify one or more virtual networks in the Network name column.

    The name of the virtual network that the SVM will use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    You can specify one or more virtual networks available within the OpenStack project. To add or remove a field for selecting virtual networks, use the buttons next to the network selection field.

    If you intend to use dynamic IP addressing (DHCP) for all SVMs, the network settings will be received from the DHCP server via the first virtual network in the list of networks specified for each SVM. Make sure that the Wizard can connect to the SVM with the network settings of the first virtual network received from the DHCP server.

  3. If necessary, specify one or more security groups for each selected network in the Security group column.

    Set of network traffic filtering rules that are created in the virtual infrastructure and applied in the virtual network.

    You can specify one or more security groups for each selected virtual network. To add or remove a field for selecting security groups, use the buttons next to the Security groups selection field.

Proceed to the next step of the wizard.

Page top

[Topic 274251]

Changing SVM IP settings

For this step, you can edit IP addressing settings used for all SVMs. You can use dynamic or static IP addressing.

To edit the IP address settings:

  1. Select the Edit SVM IP settings check box.

    If you added virtual networks for one or more SVMs at the previous step of the Wizard, the Edit SVM IP settings check box is not displayed. You cannot proceed to the next step until the network settings of SVMs selected for reconfiguration have been configured.

  2. If you want to use DHCP network settings for all SVMs, select Dynamic IP addressing (DHCP).

    By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM. If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.

    If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:

    • Hypervisor

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

      The Hypervisor column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

      The OpenStack project column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.

  3. If you want to specify all network settings of the SVM manually, select Static IP addressing. This opens a table containing the following information:
    • Hypervisor

      IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

      The Hypervisor column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

    • OpenStack project

      Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

      The OpenStack project column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.

    • SVM name

      The name that was defined when specifying SVM settings.

    • Network name

      The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

    Specify the following network settings for each SVM:

    • SVM IP address
    • Subnet mask
    • Gateway
    • DNS server
    • Alternative DNS

Proceed to the next step of the wizard.

Page top

[Topic 85417]

Changing Kaspersky Security Center connection settings

At this step, you can edit the settings of SVM connection to the Kaspersky Security Center Administration Server.

To edit the settings for connecting SVMs to Kaspersky Security Center Administration Server:

  1. Select the Change Kaspersky Security Center connection settings check box.
  2. Specify the following settings:
    • Address

      Address of the device hosting the Kaspersky Security Center Administration Server. You can specify the IP address in IPv4 format or the fully qualified domain name (FQDN) of the device.

    • Port

      Number of the port for connecting the SVM to the Kaspersky Security Center Administration Server.

    • SSL port

      Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate.

Proceed to the next step of the wizard.

Page top

[Topic 102020]

Changing the configuration password and root account settings

At this step, you can modify the following settings:

  • Configuration password (the password used to reconfigure SVMs).
  • Root account password.
  • Remote access mode to the SVM over SSH for the root user account.

If you want to change the configuration password, select the Change the klconfig account password (configuration password) check box and specify the new configuration password in the Password and Confirmation fields.

If you want to change the root account password, select the Change the root account password check box and specify the new password in the Password and Confirmation fields.

Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

If you want to change the mode of remote access over SSH to the SVM, select the Change remote access for the root account check box, and then select or clear the Allow remote access to SVM for the root account via SSH check box.

Proceed to the next step of the wizard.

Page top

[Topic 102022]

Starting SVM reconfiguration

This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.

At this step, the Wizard displays all of the previously entered settings required for reconfiguration of the SVM.

General settings for all SVMs:

  • Number of SVMs

    Number of SVMs to be reconfigured.

  • Configuration password

    Information on the need to change the configuration password on SVMs.

    Possible values: Leave unchanged, Changes are needed.

  • Root account password

    Information regarding the need to change the root account password on SVMs.

    Possible values: Leave unchanged, Changes are needed.

  • SSH-based remote access to the SVM for the root account

    Information on the need to change the option of remote access to SVMs via SSH.

    Possible values: Change to Allowed, Change to Blocked, Leave unchanged.

  • Kaspersky Security Center connection settings

    Information on the need to change the settings for connecting SVMs to Kaspersky Security Center.

    Possible values: Leave unchanged, Changes are needed.

  • SVM IP settings

    Information on the need to change the IP addressing settings for all SVMs.

    Possible values: use DHCP, use static IP addressing, leave unchanged.

Individual settings for each SVM:

  • Hypervisor

    IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.

  • SVM name

    The name that was defined when specifying SVM settings.

  • Network name

    The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  • VLAN ID

    The ID of the virtual local area network (VLAN) that the SVM uses to connect to virtual machines, the Integration Server and the Kaspersky Security Center Administration Server.

    The VLAN ID column is displayed only if the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform.

  • All IP addressing settings that you provided for the SVM.

To start the reconfiguration of the SVM, go to the next step in the wizard.

Page top

[Topic 102023]

Starting SVM reconfiguration (infrastructures based on OpenStack)

This step is displayed if you are reconfiguring an SVM in a virtual infrastructure running the TIONIX Cloud Platform or in a virtual infrastructure running the OpenStack platform.

At this step, the Wizard displays all of the previously entered settings required for reconfiguration of the SVM.

General settings for all SVMs:

  • Keystone microservice address

    IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project in which the SVMs are deployed.

  • Number of SVMs

    Number of SVMs to be reconfigured.

  • Configuration password

    Information on the need to change the configuration password on SVMs.

    Possible values: Leave unchanged, Changes are needed.

  • Root account password

    Information regarding the need to change the root account password on SVMs.

    Possible values: Leave unchanged, Changes are needed.

  • SSH-based remote access to the SVM for the root account

    Information on the need to change the option of remote access to SVMs via SSH.

    Possible values: Change to Allowed, Change to Blocked, Leave unchanged.

  • Kaspersky Security Center connection settings

    Information on the need to change the settings for connecting SVMs to Kaspersky Security Center.

    Possible values: Leave unchanged, Changes are needed.

  • SVM IP settings

    Information on the need to change the IP addressing settings for all SVMs.

    Possible values: use DHCP, use static IP addressing, leave unchanged.

Individual settings for each SVM:

  • OpenStack project

    Name of the OpenStack project that the SVM is deployed in, as well as project path in the infrastructure.

  • SVM name

    The name that was defined when specifying SVM settings.

  • Network name

    The name of the virtual network that the SVM uses to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.

  • Security group

    Security group selected for the virtual network.

  • All IP addressing settings that you provided for the SVM.

To start the reconfiguration of the SVM, go to the next step in the wizard.

Page top

[Topic 67989]

SVM reconfiguration

At this step, the SVMs are reconfigured.

The window displays, one row at a time, the stages of SVM reconfiguration of each SVM with the status of each stage: Pending, Connecting, Processing N%, Completed, Error.

The process takes some time. Please wait until the process is complete.

Proceed to the next step of the wizard.

Page top

[Topic 72906]

Finishing SVM reconfiguration

This step displays information about the results of SVM reconfiguration.

The wizard displays links that you can use to open a brief report and the SVM Management Wizard log.

The brief report contains the following information:

  • Addresses of hypervisors whose SVM configuration was changed, or OpenStack project names containing the deployed SVMs that have been reconfigured (depending on type of the virtual infrastructure).
  • Names of SVMs that have been reconfigured.
  • Brief description of the completed stages of reconfiguration of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.

The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.

The SVM Management Wizard log saves information specified by you at every step of the wizard. If errors occur during reconfiguration of SVMs, you can use the wizard log when contacting Technical Support.

The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.

Finish the wizard.

Page top

[Topic 256399]

Configuring Integration Server settings

You can perform the following actions to configure the Integration Server settings:

  • Change passwords of internal Integration Server accounts. The following accounts are provided:
    • admin – the Integration Server administrator account, which is used:
      • to connect to the Integration Server in the Protection Server policy and in the Light Agent policy
      • to connect management consoles to the Integration Server

      The password for the admin account is set during installation of the Integration Server.

    • svm – used to connect SVMs to the Integration Server.
    • agent – used to connect Light Agents to the Integration Server.
    • multitenancy – used to interact with the Integration Server REST API in multitenancy scenarios.

    Account names cannot be edited.

  • Change settings that the Integration Server uses to connect to the virtual infrastructure.

    The Integration Server connects to each protected virtual infrastructure and receives information necessary for the operation of the solution. Depending on the type of protected virtual infrastructure the Integration Server connects to one of the following virtual infrastructure objects:

    • hypervisor;
    • virtual infrastructure administration server;
    • Keystone microservice.

    If you used the Integration Server Console to deploy SVMs, the Integration Server connects to the virtual infrastructure with the settings that you specified in the SVM Management Wizard.

    If you used the Integration Server Web Console to deploy SVMs, the Integration Server connects to the virtual infrastructure with the settings that you specified in the Integration Server Web Console before SVM deployment.

    You can edit the settings for connecting the Integration Server to the virtual infrastructure (except for the infrastructure address).

    In a VMware vSphere infrastructure, you can also enable or disable the use of VMware NSX Manager in Kaspersky Security, as well as change the settings for connecting the Integration Server to VMware NSX Manager.

  • Remove the Integration Server connection settings to the virtual infrastructure.

You can edit the settings of the Integration Server in the Integration Server Console or in the Integration Server Web Console.

In this Help section

Changing passwords of Integration Server accounts

Changing the settings for connecting to the virtual infrastructure in the Integration Server Web Console

Changing the settings for connecting to the virtual infrastructure in the Integration Server Console

Deleting the settings for connection of the Integration Server to the virtual infrastructure

Page top

[Topic 256396]

Changing passwords of Integration Server accounts

You can change the passwords of Integration Server accounts in Integration Server Web Console or in Integration Server Console.

Expand all | Collapse all

How to change the passwords of Integration Server user accounts in the Integration Server Web Console

To change the passwords of Integration Server accounts:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the Integration Server accounts section.
  3. In the window that opens, select the name of the account whose password you want to change.

    The Change password window will open. The Account name field displays the name of the selected account.

  4. Enter the new password in the New password and Confirm password fields.

    Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  5. Click the Save button in the Change password window.

How to change the passwords of Integration Server user accounts in the Integration Server Console

To change the passwords of Integration Server accounts:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Integration Server user accounts section.
  3. In the table on the right, select the name of the account whose password you want to change.
  4. Click the Change the account password link located above the table to open the Account password window and enter the new password in the Password and Confirm password fields.

    Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

  5. In the Account password window, click OK.

If you changed the account password for connecting SVMs to the Integration Server, you need to reconfigure the SVM connection to the Integration Server.

If the Light Agent policy is configured to connect Light Agents to the Integration Server and you have changed the account password for connecting Light Agents, you need to re-configure the Light Agents' connection to the Integration Server.

Page top

[Topic 256525]

Changing the settings for connecting to the virtual infrastructure in the Integration Server Web Console

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. In the workspace, select the List of virtual infrastructures section.

    The window that opens displays a table of virtual infrastructures to which the Integration Server connects. Each row of the table displays the following information about the virtual infrastructure:

    • Infrastructure object address

      This column contains the IP addresses or fully qualified domain names (FQDN) of the virtual infrastructure objects to which the Integration Server connects, and the names of the SVMs deployed on the hypervisors.

      Depending on the type of virtual infrastructure, the column may display:

      • IP address or the fully qualified domain name (FQDN) of the virtual infrastructure administration server
      • IP address or the fully qualified domain name of the hypervisor
      • IP address or the fully qualified domain name of the Keystone microservice
      • OpenStack project and domain name.
    • Infrastructure object type

      The column contains the type of the virtual infrastructure object that the Integration Server will connect to.

    • Status

      This column contains information about the status of the Integration Server's connection to the virtual infrastructure, the state of the infrastructure objects to which the connection is made, and the state of the SVMs deployed in the infrastructure.

      If the Integration Server is not connected to the virtual infrastructure object, the column displays an error message.

    • VMware NSX Manager

      For an infrastructure running on VMware vCenter Server with VMware NSX Manager by Kaspersky Security enabled, the column contains the IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.

Using the buttons above the table, you can:

  • edit the account with administrator rights that the Integration Server uses to connect to the virtual infrastructure
  • edit the account with restricted permissions to perform actions in the virtual infrastructure that the Integration Server uses while Kaspersky Security is running in order to get information about SVMs available for connection and to distribute Light Agents between SVMs
  • change the settings for connecting the Integration Server to VMware NSX Manager (in a virtual infrastructure based on VMware vSphere)
  • confirm the authenticity of a certificate or public key fingerprint received from a virtual infrastructure if its authenticity could not be established.

Expand all | Collapse all

How to edit the account with administrator rights

  1. In the List of virtual infrastructures section, select the virtual infrastructure for which you want to change the connection settings, click the Edit button located above the table, and select Administrator account settings.
  2. In the window that opens, specify the account settings:
    • OpenStack domain

      Name of the OpenStack domain that contains an account used to connect the Integration Server to the virtual infrastructure.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      Name of the user account that the Integration Server uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration. This account must have privileges that are sufficient for SVM deployment, removal and reconfiguration.

    • Password

      Password of the user account that the Integration Server uses to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.

  3. Click the Save button.

How to edit the account with limited permissions

  1. In the List of virtual infrastructures section, select the virtual infrastructure for which you want to change the connection settings, click the Edit button located above the table, and select Settings for account with restricted permissions.
  2. In the window that opens, specify the account settings:
    • OpenStack domain

      Name of the OpenStack domain that contains an account used to connect the Integration Server to the virtual infrastructure.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      The name of the account that the Integration Server uses to connect to the virtual infrastructure while Kaspersky Security is running in order to get information about SVMs available for connection and to distribute Light Agents between SVMs.

      To connect to a virtual infrastructure based on Citrix Hypervisor, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, VK Cloud platform, or TIONIX Cloud Platform, we recommend using an account that has limited rights to perform actions in the virtual infrastructure.

      To connect to a virtual infrastructure running on the Microsoft Hyper-V platform during Kaspersky Security operation, you must use the same user account that is used for SVM deployment, removal and reconfiguration.

    • Password

      Password of the user account that the Integration Server uses to connect to the virtual infrastructure during Kaspersky Security operation.

  3. Click the Save button.

How to change VMware NSX Manager connection settings

  1. In the List of virtual infrastructures section, select the virtual infrastructure for which you want to change the connection settings, click the Edit button located above the table, and select VMware NSX Manager settings.
  2. In the window that opens, specify the account settings:
    • Address

      New IP address in IPv4 format or the fully qualified domain name (FQDN) of the VMware NSX Manager.

      If your VMware NSX Manager virtual infrastructure is clustered, specify the virtual IP address of the cluster. First, you need to assign a virtual IP address and certificate to the cluster (for more information on configuring a VMware NSX Manager cluster, see the VMware documentation).

    • User name

      Name of the account that the Integration Server uses to connect to VMware NSX Manager. A VMware NSX Manager account that has been assigned the Enterprise Administrator role is required.

    • Password

      Password of the account that the Integration Server uses to connect to VMware NSX Manager.

  3. Click the Save button.

How to confirm a certificate or public key fingerprint

  1. In the List of virtual infrastructures section, select the virtual infrastructure for which you want to confirm the authenticity of a certificate or public key, and click the Confirm certificate button.

    The Verify certificate or Verify public key fingerprint window opens (depending on the type of virtual infrastructure object).

    By clicking on the link in this window you can view information about the received certificate or the key fingerprint.

  2. If the certificate complies with your organization's security policy, click the Confirm and continue button.

    The received certificate or public key fingerprint will be saved on the device where the Integration Server is installed.

    If you do not consider this public key is authentic, click the Cancel connection button to terminate the connection.

Page top

[Topic 256506]

Changing the settings for connecting to the virtual infrastructure in the Integration Server Console

To open the list of virtual infrastructures to which the Integration Server connects:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Infrastructure connection settings section.

    A table of virtual infrastructures to which the Integration Server connects will open.

Each row of the table contains the following information:

  • Infrastructure

    Type of virtual infrastructure and IP address in IPv4 format or the fully qualified domain name (FQDN) of the virtual infrastructure object to which the Integration Server connects for interaction with virtual infrastructure.

    For an infrastructure running on VMware vCenter Server with VMware NSX Manager by Kaspersky Security enabled, the column displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of VMware NSX Manager.

  • State

    Status of the connection between the Integration Server and the virtual infrastructure.

If the Integration Server is not connected to the virtual infrastructure object, the table displays an error message.

The Integration Server verifies the authenticity of all virtual infrastructure objects with which a connection is being established, except a Microsoft Windows Server (Hyper-V) hypervisor.

Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.

Authentication for microservices of the OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform is performed only if you are using HTTPS for connecting the Integration Server to the virtual infrastructure.

To verify authenticity, the Integration Server receives an SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.

If it fails to ascertain the authenticity of the certificate or public key received from the virtual infrastructure object, the Integration Server breaks the connection with the virtual infrastructure. An error message is displayed in the table. You can resolve this error.

To resolve an SSL certificate validation error or public key validation error received from a virtual infrastructure object, do one of the following:

  • Confirm the authenticity of the certificate or public key received from the virtual infrastructure object. To do this, you need to launch the SVM Management Wizard (in the SVM management section of the Integration Server Console) and open the list of virtual infrastructures to which the SVM Management Wizard is configured to connect (for example, see the "Selecting infrastructure for SVM deployment" step in the procedure for installing the Protection Server). The wizard prompts you to verify the authenticity of the certificate or public key in the Verify certificate or Verify public key fingerprint window (depending on the type of virtual infrastructure object).
  • Replace the certificate with a new one if you do not believe that the existing certificate is authentic.

If the use of VMware NSX Manager in Kaspersky Security is enabled, the Integration Server also checks the VMware NSX Manager certificate. If the certificate is not trusted by the Integration Server or does not match a previously installed certificate, an error message is displayed in the table. You can resolve this error.

To resolve a VMware NSX Manager SSL certificate validation error, do one of the following:

  • Verify the authenticity of the certificate. To view information about the received certificate, you need to click the Confirm VMware NSX Manager certificate authenticity link that is displayed in the error message. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to VMware NSX Manager. To do so, click the Trust the certificate button in the Verify certificate window. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed.
  • If you do not consider the certificate to be trusted, you can disconnect by clicking the Cancel button, and replace the certificate with a new one.

Expand all | Collapse all

How to change the settings for connecting to the virtual infrastructure

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Infrastructure connection settings section.

    The list of all virtual infrastructures to which the Integration Server connects opens:

  3. In the table, select a virtual infrastructure whose connection settings you want to modify, and click the Edit link above the table.

    The Change virtual infrastructure connection settings window opens.

    The Address field displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of the virtual infrastructure object to which the Integration Server is connected for interaction with protected virtual infrastructure. The Address field cannot be changed.

  4. Make the necessary changes. You can change the following settings for connecting the Integration Server to the virtual infrastructure:
    • Protocol

      Protocol used to connect the Integration Server to the virtual infrastructure. By default, HTTPS protocol is used.

      The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • OpenStack domain

      Name of the OpenStack domain that contains an account used to connect the Integration Server to the virtual infrastructure.

      The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.

    • User name

      Name of the user account that the Integration Server uses to connect to the virtual infrastructure during Kaspersky Security operation.

      To connect to a virtual infrastructure based on XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, Numa vServer, VK Cloud platform, or TIONIX Cloud Platform, we recommend using an account that has limited rights to perform actions in the virtual infrastructure.

      To connect to a virtual infrastructure running on the Microsoft Hyper-V platform during Kaspersky Security operation, you must use the same user account that is used for SVM deployment, removal and reconfiguration.

    • Password

      Password of the user account that the Integration Server uses to connect to the virtual infrastructure during Kaspersky Security operation.

  5. Click the OK button in the Change virtual infrastructure connection settings window.

How to configure the use of VMware NSX Manager in the Kaspersky Security solution

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Infrastructure connection settings section.

    The list of all virtual infrastructures to which the Integration Server connects opens:

  3. In the table, select the virtual infrastructure managed by VMware vCenter Server, and click the Edit link located above the table.

    The Change virtual infrastructure connection settings window opens.

  4. Configure the settings for connecting the Integration Server to VMware NSX Manager:
    • Use VMware NSX Manager

      Enables or disables the use of VMware NSX Manager in the Kaspersky Security solution

      If VMware NSX Manager is used in the operation of the solution, Kaspersky Security can assign security tags to the protected virtual machine.

    • Address

      New IP address in IPv4 format or the fully qualified domain name (FQDN) of the VMware NSX Manager.

      If your VMware NSX Manager virtual infrastructure is clustered, specify the virtual IP address of the cluster. First, you need to assign a virtual IP address and certificate to the cluster (for more information on configuring a VMware NSX Manager cluster, see the VMware documentation).

    • User name

      Name of the account that the Integration Server uses to connect to VMware NSX Manager. A VMware NSX Manager account that has been assigned the Enterprise Administrator role is required.

    • Password

      Password of the account that the Integration Server uses to connect to VMware NSX Manager.

    If you change the password for the account used to connect to VMware NSX Manager, the Integration Server will not be able to connect to VMware NSX Manager until at least 15 minutes have passed since the new connection settings were saved.

  5. Click the OK button in the Change virtual infrastructure connection settings window.
Page top

[Topic 256497]

Deleting the settings for connection of the Integration Server to the virtual infrastructure

If you want the Integration Server to stop receiving information from the virtual infrastructure, you can remove this infrastructure from the list of infrastructures, to which the Integration Server connects.

It is recommended to remove a virtual infrastructure from the list only if it has no installed Kaspersky Security solution components.

Expand all | Collapse all

How to delete a virtual infrastructure in the Integration Server Web Console

To delete a virtual infrastructure:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the List of virtual infrastructures section.
  3. In the table, select the virtual infrastructure that you want to delete and click the Delete button above the table.
  4. Confirm the deletion in the window that opens.

How to delete a virtual infrastructure in the Integration Server Console

To delete a virtual infrastructure:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Infrastructure connection settings section.
  3. In the table on the right side of the window, select a virtual infrastructure you want to remove, and click the Delete link.
  4. Confirm the deletion in the window that opens.

If you have removed the virtual infrastructure from this list, it is recommended to remove it also from the list of virtual infrastructures, to which the SVM Management Wizard connection is configured (see, for example, the "Selecting SVMs to remove" step of the SVM removal procedure).

Page top

[Topic 97888]

Replacing the Integration Server and SVM certificates

The Kaspersky Security distribution kit includes a certificate management utility for managing Integration Server certificates and SVM certificates. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent. The SSL certificate of an SVM is used to encrypt the communication channel between Light Agent and the Protection Server.

The certificate management tool lets you:

  • Create an Integration Server certificate.
  • Replace the self-signed Integration Server certificate installed during solution deployment.

    When the Integration Server certificate is replaced, the SVM certificate is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.

Certificates may need to be replaced in the following cases:

  • When upgrading the solution in order to replace a previously installed certificate with a more secure one.
  • If the used certificate has expired or has been compromised.
  • If the IP address or domain name of the device on which the Integration Server is installed has changed.

You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.

The Integration Server certificate must meet the following requirements:

  • PFX format.
  • The certificate contains the private key.
  • The certificate is password protected.
  • The "Subject alternative name" field contains the following values:
    • IP Address – external and local IP addresses of the Integration Server;
    • DNS Name – external and local IP addresses, as well as the domain name (FQDN) of the Integration Server.
  • Key Usage:
    • KeyEncipherment;
    • DigitalSignature;
    • DataEncipherment;
    • KeyCertSign.
  • Enhanced Key Usage:
    • Server Authentication (1.3.6.1.5.5.7.3.1);
    • Client Authentication (1.3.6.1.5.5.7.3.2).
  • The certificate expiration date is later than the current date.
  • Key algorithm: RSA (1.2.840.113549.1.1.1).
  • Key size: 4096 bits.
  • Allowed signature algorithms:
    • Sha256WithRSA (1.2.840.113549.1.1.11);
    • Sha384WithRSA (1.2.840.113549.1.1.12);
    • Sha512WithRSA (1.2.840.113549.1.1.13).

The certificate management tool can work with the Linux-based Integration Server and with the Windows-based Integration Server. The tool is located on the device where the Integration Server is installed. Depending on the operating system of the device, the utility is located at one the following paths:

  • /opt/kaspersky/viis/bin/certificate_manager.sh – on devices with Linux operating systems
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe – on devices with Windows operating systems

To use the utility in the Linux operating system, the user account must be in the sudoers group. To use the utility in the Windows operating system, Administrator rights in the operating system are required.

How to use the utility to create a certificate for the Linux-based Integration Server

On the device where the Integration Server is installed, run the command:

sudo /opt/kaspersky/viis/bin/certificate_manager.sh create-self-signed-certs --outputFolder <path to the directory with the certificate> [--keySize <2048 or 4096>] [--quiet]

where:

  • <path to the directory with the certificate> – path to the directory where the created certificate will be placed. The directory must be located on the device where the Integration Server is installed.
  • --keySize <2048 or 4096> is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
  • --quiet is an optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.

The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified directory.

It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure directory.

How to use the utility to create a certificate for the Windows-based Integration Server

On the device where the Integration Server is installed, run the command:

%ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe create-self-signed-certs --outputFolder <path to the folder with the certificate> [--keySize <2048 or 4096>] [--quiet]

where:

  • <path to the folder with the certificate> is the path to the folder where the created certificate will be placed. The folder must be located on the device where the Integration Server is installed.
  • --keySize <2048 or 4096> is the certificate key length. Optional parameter. If this parameter is not specified, 4096 is used by default.
  • --quiet is an optional parameter. If this parameter is specified, the input console window is closed after the command is executed, otherwise the console window remains open.

The command will cause the utility to create an Integration Server certificate (viis.pfx file) and place it in the specified folder.

It is recommended to protect the certificate from unauthorized access. For example, you can place the certificate in a secure folder.

How to replace the Linux-based Integration Server certificate and SVM certificate

On the device where the Integration Server is installed, run the command:

sudo /opt/kaspersky/viis/bin/certificate_manager.sh replace --certificatePath <path to certificate> [--quiet]

where:

  • <path to certificate> is the path to the Integration Server certificate (viis.pfx file).
  • --quiet is an optional parameter. If the parameter is specified, the utility will run in silent mode: nothing will be output to the console.

As a result of executing the command, the tool performs the following actions:

  • Creates an SVM certificate based on the certificate located in the specified folder.
  • Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
  • Restarts the Integration Server service.

How to replace the Windows-based Integration Server certificate and SVM certificate

On the device where the Integration Server is installed, run the command:

% ProgramFiles (x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe replace --certificatePath <path to certificate>

where <path to certificate> is the path to the Integration Server certificate (viis.pfx file).

As a result of executing the command, the tool performs the following actions:

  • Creates an SVM certificate based on the certificate located in the specified folder.
  • Replaces the previously installed Integration Server certificate and SVM certificate with new ones.
  • Restarts the Integration Server service.

After replacing the Integration Server certificate and SVM certificate, you need to update all Light Agent policies and Protection Server policies to send the public key of the new certificate to the policies.

Trace files may be created while the certificate management tool is running.

Page top

[Topic 274374]

Using a backup copy of the database and the Integration Server settings

For the Integration Server, it is possible to save a backup copy of the Integration Server database, settings and certificate. Before updating the Integration Server, you can create a backup copy of the current version of the Integration Server. If errors occur in the operation of the Integration Server after an update, you can use the backup copy to restore the previous version of the Integration Server.

The backup copy of the Integration Server database and settings contains the following data:

  • Internal accounts of the Integration Server, which are used to connect management consoles, SVMs, and Light Agents to the Integration Server.
  • Settings for connecting the Integration Server to the virtual infrastructure and the Kaspersky Security Center Administration Server.
  • If the solution is used in multitenancy mode: a list of registered tenants and protection statistics of the tenant virtual machines is displayed.
  • Configuration files that define the Integration Server operation settings.

In this Help section

Linux-based Integration Server. Working with a backup copy

Windows-based Integration Server. Working with a backup copy

Page top

[Topic 65650]

Linux-based Integration Server. Working with a backup copy

Create a backup copy of the database and the Integration Server settings

You can manually save a backup copy of the Linux-based Integration Server database and settings.

An account with root account privileges is required to complete the procedure.

To save a backup copy of the database and Integration Server settings:

  1. Stop the Integration Server (viis service):

    sudo systemctl stop viis

  2. Create a directory outside the directories used by the Integration Server, preferably in the user directory: /home/{username}. For example, create the /home/root/viis_backup directory:

    sudo mkdir /home/root/viis_backup

  3. Ensure that the backup directory is secure. For example, restrict other users' access to this directory:

    sudo chmod 600 /home/root/viis_backup

  4. Copy the following Integration Server data to the created directory:
    • data from /var/opt/kaspersky/viis/common:

      sudo cp -pr /var/opt/kaspersky/viis/common /home/root/viis_backup

    • file with machine-id:

      sudo find /home/viis/ -name machine-id-* -exec cp -p {} /home/root/viis_backup \;

  5. Restart the Integration Server (viis service):

    sudo systemctl start viis

Restoring data from a backup copy of the Integration Server database and settings

An account with root account privileges is required to complete the procedure.

If errors occur in the operation of the Integration Server after an update, you can use the backup copy of the database and settings to restore the previous version of the Integration Server and the saved data.

To revert to the previous version of the Linux-based Integration Server:

  1. If you moved the backup copy of the Integration Server database and settings to another device or archived it, assign the viis account as the owner of the files in the backup copy:

    sudo chown -R viis:viis /home/root/viis_backup/*

  2. Remove the previously installed Linux-based Integration Server.
  3. Perform the installation and initial configuration of the Linux-based Integration Server. Make sure that the Integration Server is started and ready to work.
  4. Stop the Integration Server (viis service):

    sudo systemctl stop viis

  5. Delete the current Integration Server data:

    sudo rm -rf /var/opt/kaspersky/viis/common

  6. Restoring Integration Server data from a backup copy:

    sudo cp -pr /home/root/viis_backup/common /var/opt/kaspersky/viis/

  7. Delete the existing machine-id file:

    sudo find /home/viis/ -name machine-id-* -exec rm {} \;

  8. Restore the machine-id file from the backup copy:

    sudo find /home/root/viis_backup -name machine-id-* -exec cp -p {} /home/viis \;

  9. Restart the Integration Server (viis service):

    sudo systemctl start viis

If all of these operations succeeded, the directory with the backup copy of the Integration Server can be deleted:

sudo rm -rf /home/root/viis_backup

Page top

[Topic 82508]

Windows-based Integration Server. Working with a backup copy

You can save a backup copy of the database, settings and certificate of the Windows-based Integration Server automatically while updating the Integration Server using the Kaspersky Security Components Installation Wizard.

The backup copy of the database and settings of the Integration Server can be deleted automatically when removing the Integration Server, or you can delete it manually. The default path is: %ProgramData%\Kaspersky Lab\VIISLA\Backup\VIISData(1). The number in the folder name increases by 1 with each subsequent attempted update.

If errors occur in the operation of the Integration Server after an update, you can use the backup copy of the database and settings to restore the previous version of the Integration Server and the saved data.

To perform the procedure, you need a user account that is a member of the local administrators group.

To revert the Integration Server to the previous version:

  1. If you saved a backup copy of your data in the default folder (%ProgramData%\Kaspersky Lab\VIISLA\Backup), copy this folder to another location outside the %ProgramData%\Kaspersky Lab\VIISLA folder.
  2. Remove the Integration Server and Integration Server Console installed on the device without preserving data.
  3. Install the previous version of the Integration Server and Integration Server Console.
  4. Restore the Integration Server database and settings from the backup copy manually or using a script.

    Before using the script, please read the terms of the End User License Agreement between you and Kaspersky. The license.txt file with the text of the End User License Agreement is inside the archive with the script. By using the script, you accept the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you may not use the script.

Expand all | Collapse all

How to restore the Integration Server database and settings from the backup copy using a script

  1. Get the archive with the script from Technical Support and extract it.
  2. Run the PowerShell command prompt as administrator.
  3. Run the following command:

    recover_viis_config_from_backup.ps1 "<path to folder with backup copies>"

    where <path to folder with backup copies> is the path to the folder containing the Integration Server certificate and the backup copy of the Integration Server database and settings.

    For example, if you saved the backup copy to the C:\Backup folder, the command looks like this:

    recover_viis_config_from_backup.ps1 "C:\Backup\VIISData(1)"

  4. Open Integration Server Console and connect to the Integration Server by specifying the port for connecting to the Integration Server. Port 7271 is used by default.
  5. Specify the settings of the connection to the virtual infrastructure using the SVM Management Wizard:
    1. In the SVM management section, click the SVM management button to start the SVM Management Wizard.
    2. Select the SVM deployment option and proceed to the infrastructure selection step.
    3. Specify the settings of the connection to the virtual infrastructure in the same way as when performing the SVM deployment procedure.
    4. Finish the SVM Management Wizard.

How to restore the Integration Server database and settings from a backup copy manually

  1. Find out the port number for connecting to the Integration Server:
    1. Go to the folder containing the Integration Server certificate and the backup copy of the Integration Server database and settings.
    2. Open the appsettings.json configuration file and find the Integration Server port number:

      "Server": {

      "Address": "https://0.0.0.0:<Integration Server port>"

  2. If the Integration Server is running, stop it:

    net stop viisla

  3. Delete the contents of the %ProgramData%\Kaspersky Lab\VIISLA folder. To delete it, grant the current user from the administrators group owner rights to the %ProgramData%\Kaspersky Lab\VIISLA folder and its contents.
  4. Copy the following Integration Server databases from the backup folder to the %ProgramData%\Kaspersky Lab\VIISLA\db\ folder:
    • viisla.db
    • protectionPeriods.db
  5. Grant the NT SERVICE\VIISLA user full rights to access the %ProgramData%\Kaspersky Lab\VIISLA folder and its contents.
  6. Copy the following Integration Server configuration files from the backup folder to the %Program Files(x86)%\Kaspersky Lab\Kaspersky VIISLA\ folder:
    • appsettings.json
    • appsettings.logging.json
    • appsettings.certificate_manager.json
  7. Open the registry editor, go to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\VIISLA\Server\Public key and in the ServicePortProperty parameter specify the Integration Server port number that you received in the first step of the instructions.
  8. Start the Integration Server:

    net start viisla

  9. Open Integration Server Console and connect to the Integration Server by specifying the port for connecting to the Integration Server. Port 7271 is used by default.
  10. Specify the settings of the connection to the virtual infrastructure using the SVM Management Wizard:
    1. In the SVM management section, click the SVM management button to start the SVM Management Wizard.
    2. Select the SVM deployment option and proceed to the infrastructure selection step.
    3. Specify the settings of the connection to the virtual infrastructure in the same way as when performing the SVM deployment procedure.
    4. Finish the SVM Management Wizard.
Page top

[Topic 255806]

SNMP monitoring of SVM status

You can receive information about the status of SVMs deployed in the virtual infrastructure by using any network management system that utilizes the SNMP protocol. An SVM is installed with an SNMP agent that can send information about the status of the SVM to the network management system of your organization.

SNMP Agent can relay the following SVM status information:

  • RAM consumption by the Protection Server (scanserver service) as a percentage of the maximum value that, when reached, causes the Protection Server to restart.
  • Page file usage by the Protection Server (scanserver service) as a percentage of the maximum value that, when reached, causes the Protection Server to restart.
  • Number of protected virtual machines with the "workstation" role or with desktop operating systems (includes only virtual machines that are not turned off and not suspended).
  • Number of protected virtual machines with the "server" role or with server operating systems (includes only virtual machines that are not turned off and not suspended).
  • Information about whether virtual machine scan tasks are currently running on the Protection Server installed on this SVM;
  • If scan tasks are running: information about the number of virtual machines that are currently waiting to be scanned, and the number of virtual machines that are being simultaneously scanned.
  • Information about the status of the following services on SVMs:
    • scanserver (Protection Server)
    • klnagent (Kaspersky Security Center Network Agent)
    • Apache
    • watchdog (wdserver)

    SNMP Agent relays the Running (service is running) or Stopped (service is not running) value for each service.

This data is specific to the Kaspersky Security solution and described in the KSVLA-MIB.txt MIB file, which is included in the solution's distribution kit. You can use this file to receive additional information from SVMs. You can also receive other values of SNMP counters from the standard set of the Net-SNMP package.

You can enable or disable SNMP monitoring in a Protection Server policy using Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.

Expand all | Collapse all

How to enable or disable SNMP monitoring in Kaspersky Security Center Administration Console

To enable or disable SNMP Monitoring:

  1. In the Kaspersky Security Center Administration Console tree, in the Managed devices folder, select the administration group containing the SVM with the Protection Server whose settings you want to configure.
  2. In the workspace, select the Policies tab.
  3. Select a Protection Server policy in the list of policies and right-click to open the Properties: <Policy name> window.
  4. In the policy properties window, select the SNMP monitoring settings section in the list on the left.
  5. In the right part of the window, configure the Enable SNMP monitoring of SVM status setting.

    Enabling / disabling SNMP monitoring of SVM status.

    If the check box is selected, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.

    If the check box is cleared, no information about SVM state is sent.

    This check box is cleared by default.

  6. Click the Apply button.

How to enable or disable SNMP monitoring in Kaspersky Security Center Web Console

To enable or disable SNMP Monitoring:

  1. In the main window of Kaspersky Security Center Web Console, select Assets (Devices)Policies and policy profiles.

    A list of policies opens.

  2. Select the administration group containing the SVM with the Protection Server whose settings you want to configure. To do so, click the link in the Current path field located above the list of policies and policy profiles, and select an administration group in the window that opens.

    The list displays only the policies configured for the selected administration group.

  3. Click on the name of the desired policy in the list.
  4. In the policy properties window that opens, select the Application settings tab and go to the SNMP monitoring settings section.
  5. In the right part of the window, configure the Enable SNMP monitoring of SVM status setting.

    Enabling / disabling SNMP monitoring of SVM status.

    If the check box is selected, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.

    If the check box is cleared, no information about SVM state is sent.

    This check box is cleared by default.

  6. Click the Save button.

If SNMP Monitoring is enabled in the active Protection Server policy, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.

If the policy that enables SNMP monitoring is inactive, information about the status of SVMs is not relayed.

Page top

[Topic 262066]

Checking the integrity of solution components

Kaspersky Security solution components contain many different binary modules in the form of dynamic-link libraries, executable files, configuration files, and interface files. A hacker may replace one or more solution modules or files with other modules or files containing malicious code. To prevent the replacement of solution modules and files, Kaspersky Security can check the integrity of solution files and modules. The check detects the presence of unauthorized changes or damage to files and modules of the solution components. If a solution file or module has an incorrect checksum, it is considered corrupted.

The integrity of Kaspersky Security solution components is checked using the integrity check utility. Special lists called manifest files are used to perform the integrity check. The manifest file for a solution component lists the files and modules whose integrity is critical for correct operation of the solution component. The manifest files are digitally signed and their integrity is checked as well.

You can use the integrity check utility to check the integrity of files and modules of the following solution components:

  • Components installed on SVMs: Protection Server and Kaspersky Security Center Network Agent
  • Windows-based Integration Server and Linux-based Integration Server
  • Integration Server Console
  • Management web plug-ins for the Protection Server and Integration Server
  • Protection Server management MMC plug-in
  • Light Agent for Linux and Light Agent for Linux management plug-ins (Kaspersky Endpoint Security for Linux)

To run the integrity check tool on the SVM and on the virtual machine with Light Agent for Linux installed, you need the root account. An administrator account is required for running the integrity check tool for all other solution components.

For detailed information about checking the integrity of Light Agent for Linux and the Light Agent for Linux management plug-ins, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

For detailed information on performing a Kaspersky Security Center Network Agent integrity check, see the Kaspersky Security Center Help.

For Light Agent for Windows (Kaspersky Endpoint Security for Windows), the application integrity is checked using a special task (for more information, see the Kaspersky Endpoint Security for Windows Help of the relevant version).

The manifest files and tool for checking the integrity of the Protection Server, management plug-ins for the Protection Server, Integration Server, and Integration Server Console are located at the following paths:

  • To perform an integrity check of the Protection Server installed on the SVM:
    • Manifest file: /opt/kaspersky/la/bin/integrity_check.xml
    • Integrity check tool: /opt/kaspersky/la/bin/integrity_checker
  • To check the Linux-based Integration Server:
    • Manifest file: /opt/kaspersky/viis/bin/integrity_check.xml.
    • Integrity check utility: /opt/kaspersky/viis/bin/integrity_checker.
  • To check the Windows-based Integration Server:
    • Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\integrity_check.xml.
    • Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\integrity_checker.exe.
  • To check the Integration Server Console:
    • Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\integrity_check.xml.
    • Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\integrity_checker.exe.
  • To check the Protection Server management MMC plug-in:
    • Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVLA<version number>.SVM.plg\\integrity_check.xml.
    • Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVLA<version number>.SVM.plg\integrity_checker.exe.
  • To check the management web plug-ins for the Protection Server and Integration Server
    • Manifest file for the Protection Server web plug-in:
      • /var/opt/kaspersky/ksc-web-console/server/plugins/svm_<version number>/integrity_check.xml – for the Protection Server web plug-in on devices with Linux operating systems
      • %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\svm_<version number>\integrity_check.xml – for the Protection Server web plug-in on devices with Windows operating systems
    • Manifest file for the Integration Server web plug-in:
      • var/opt/kaspersky/ksc-web-console/server/plugins/VIISLA_<version number>/integrity_check.xml – for the Integration Server web plug-in on devices with Linux operating systems
      • %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\VIISLA_<version number>\integrity_check.xml – for the Integration Server web plug-in on devices with Windows operating systems
    • Integrity check tool:
      • /var/opt/kaspersky/ksc-web-console/integrity_checker – on devices with Linux operating systems
      • %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\integrity_checker.exe – on devices with Windows operating systems

To check the integrity of a solution component, you need to run the tool from the folder of that component's tool.

To run the integrity check utility, run one of the following commands:

  • To check the integrity of the Protection Server:

    integrity_checker --signature-type kds-with-filename [<path to manifest file>]

  • To check the integrity of the MMC management plug-in of the Protection Server, Windows-based Integration Server or Integration Server Console:

    integrity_checker.exe --signature-type kds-with-filename [<path to manifest file>]

  • To check the integrity of the Linux-based Integration Server:

    integrity_checker --signature-type kds-with-filename [<path to manifest file>]

  • To check the integrity of management web plug-ins on devices with Linux operating systems:

    integrity_checker --signature-type kds-with-filename [<path to manifest file>]

  • To check the integrity of management web plug-ins on devices with Windows operating systems:

    integrity_checker.exe --signature-type kds-with-filename [<path to manifest file>]

where <path to manifest file> is the full path to the manifest file of the component being checked. By default, the path to the manifest file located in the same directory as the integrity check utility is used.

You can view the description of all available integrity check utility options in the utility options help. To do this, run the tool with the --help option.

The results of checking the integrity of solution components are displayed as follows:

  • SUCCEEDED – integrity of the files and modules is confirmed (return code 0).
  • FAILED – integrity of the files is not confirmed (return code is other than 0).
Page top

[Topic 257637]

Using Kaspersky Security for Virtualization 6.2 Light Agent in multitenancy mode

When using Kaspersky Security in multitenancy mode, a single instance of Kaspersky Security installed in the infrastructure of the cybersecurity service provider (hereinafter also referred to as the "service provider") allows protection of isolated virtual infrastructures of tenant organizations or isolated units of one tenant organization (hereinafter also referred to as "tenants").

The procedures for deploying and using Kaspersky Security in multitenancy mode are automated using the Integration Server REST API.

The following Kaspersky Security multitenancy usage scenarios are supported:

In this Help section

Deploying a tenant protection infrastructure

Registering existing tenants and their virtual machines

Enabling and disabling tenant protection

Getting information about tenants

Getting tenant protection reports

Removing virtual machines from the protected infrastructure

Removing tenants

Using the Integration Server REST API in multi-tenancy scenarios

Page top

[Topic 259229]

Deploying a tenant protection infrastructure

The tenant protection infrastructure created using the Integration Server REST API is based on the use of virtual Kaspersky Security Center Administration Servers. Each tenant is provided with a virtual Administration Server and an account that the tenant administrator uses to connect to the virtual Administration Server.

One Kaspersky Security Center Administration Server can support up to 500 virtual Administration Servers.

Tenant virtual machines with Light Agents installed are located on the tenant's virtual Administration Server.

A tenant administrator can perform the following actions on their virtual Administration Server:

  • Centrally manage protection of their virtual machines using the Light Agent policies and group tasks.
  • Receive information about their infrastructure protection status using event notifications and reports available on the virtual Administration Server.
  • Work with copies of files placed in backup storage on all of the virtual machines of this tenant.

For more information about virtual Administration Servers, see the Kaspersky Security Center help.

The service provider's administrator installs the solution in their infrastructure and ensures the operation of Light Agents and other solution components:

  • Configures the settings for connecting Light Agents installed on tenant virtual machines to the SVMs and to the Integration Server.
  • Activates the solution and monitors license restrictions.
  • Updates the solution's databases and application modules.
  • Configures the Protection Server settings.

The service provider's administrator can also configure general protection settings for tenant virtual machines.

During operation, information that may contain personal and confidential data is transmitted between Kaspersky Security Center and Kaspersky Security solution components installed in the service provider's infrastructure and on tenant virtual machines.

Before creating a tenant protection infrastructure, you need to perform the following steps:

  1. Install or update the Kaspersky Security solution.

    The following components must be installed in the service provider's infrastructure:

  2. Prepare the solution for work:

Deploying a tenant protection infrastructure consists of the following steps:

  1. Creating a tenant and virtual Kaspersky Security Center Administration Server for the tenant.
  2. Configuring the location of SVMs that will protect tenants' virtual machines and configuring Protection Server settings.
  3. Configuring SVM discovery settings and general operating settings for Light Agents installed on tenant virtual machines.
  4. Installing Kaspersky Security Center Network Agent and Light Agent on tenant virtual machines and moving the virtual machines to a virtual Administration Server configured for the tenant.
  5. Registering tenant virtual machines in the Integration Server database.
  6. Activating a tenant.
  7. Transferring the following Kaspersky Security Center Administration Server connection settings to the tenant administrator:
    • Address of the virtual Administration Server configured for the tenant;
    • Administrator account settings of the virtual Administration Server.

    Tenant administrator are advised to change the account password they receive from the service provider's administrator.

The steps of deploying tenant protection infrastructure can be automated using the Integration Server REST API and the Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).

To prevent unauthorized access, it is recommended to deploy the SVM and the device on which the Kaspersky Security Center Administration Server and the Integration Server are installed in a dedicated virtual network and to configure routing with address translation (SNAT) from the tenant subnets to this subnet.

In this section:

Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server

Creating a tenant and virtual Administration Server

Configuring SVM path and Protection Server settings

Configuring settings for SVM discovery by Light Agents and general tenant protection settings

Installing a Light Agent on tenant virtual machines

Registering tenant virtual machines

Activating a tenant

Page top

[Topic 259326]

Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server

For the Integration Server REST API interaction with the Kaspersky Security Center Administration Server during execution of requests, an account is required that has the following permissions in the Kaspersky Security Center:

  • Permissions in the functional areas of the Administration Server:
    • General functionality → Basic functionality: Read, Modify
    • General functionality → Administration group management: Modify
    • General functionality → User permissions: Modify access control lists
    • General functionality → Virtual Administration Servers: Read, Modify, Execute, Manage
  • Permissions to read and modify objects in the functional areas related to Light Agent settings.

You can create and configure an account to connect the Integration Server to Kaspersky Security Center:

  • In Kaspersky Security Center Administration Console, in the Security section of the Kaspersky Security Center Administration Server properties window.

    By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.

  • In Kaspersky Security Center Web Console, in the Users and rolesUsers and groups section of the main window.

For more information on creating and configuring account rights in Kaspersky Security Center, see the Kaspersky Security Center Help.

How to configure the Integration Server's connection to Kaspersky Security Center Administration Server in Integration Server Web Console

To configure the Integration Server's connection to the Administration Server:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the Multitenancy mode section.
  3. Click the Connect button located in the Kaspersky Security Center connection settings block.
  4. In the window that opens, specify the connection settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the Kaspersky Security Center Administration Server.
    • Name and password of the account that will be used for interaction between the Integration Server REST API and the Kaspersky Security Center Administration Server.
  5. Click the Save button.

The Integration Server performs a connection attempt to verify the specified connection settings. If the SSL certificate received from the Kaspersky Security Center Administration Server is not trusted by the Integration Server, the Verify certificate window opens with a corresponding message. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to Administration Server. If you do not consider this certificate is authentic, click the Cancel connection button to terminate the connection.

After the connection is established, the Integration Server saves the connection settings. The address of the Kaspersky Security Center Administration Server to which the connection is established is displayed in the Multitenancy mode window in the Kaspersky Security Center connection settings block. Using the buttons to the right of the Administration Server address, you can:

  • Open the Kaspersky Security Center connection settings window to change the connection settings
  • Terminate the connection between the Integration Server and the Kaspersky Security Center Administration Server and delete the configured connection settings

How to configure the Integration Server's connection to Kaspersky Security Center Administration Server in Integration Server Console

To configure the Integration Server's connection to the Administration Server:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the Kaspersky Security Center connection settings section.
  3. Specify the following connection settings:
    • IP address in IPv4 format or fully qualified domain name (FQDN) of the Kaspersky Security Center Administration Server.
    • Name and password of the account that will be used for interaction between the Integration Server REST API and the Kaspersky Security Center Administration Server.
  4. Click the Save button.

The Integration Server performs a connection attempt to verify the specified connection settings. If the SSL certificate received from the Kaspersky Security Center Administration Server is not trusted for the Integration Server, a notification is displayed. Click the link in this window to view the details of the received certificate. If the received certificate complies with the security policy of your organization, you can confirm the certificate authenticity by clicking the Install certificate button. The received certificate is saved as a trusted certificate for the Integration Server.

After the connection is established, the Integration Server saves the connection settings. If necessary, you can edit connection settings in the same section.

By clicking Delete, you can terminate the connection of the Integration Server with the Kaspersky Security Center Administration Server and delete the configured connection settings.

Page top

[Topic 259230]

Creating a tenant and virtual Administration Server

At this step of the deployment of tenant protection infrastructure, tenant information is added to the Integration Server database and a virtual Administration Server is created for the tenant. The procedures are automated by means of the Integration Server REST API.

The actions performed in response to the REST API request depend on the tenant type specified when calling the REST API method: deployment of tenant protection infrastructure is available only for the complete tenant type.

Specify the following information in the REST API request:

  • Tenant name.
  • Tenant type: complete.
  • Settings of the account used by the tenant administrator to connect to the virtual Administration Server configured for the tenant. During the procedure, an account with the main administrator permissions will be automatically created on the virtual Administration Server.

    Kaspersky Security Center verifies the uniqueness of account names within the main Kaspersky Security Center Administration Server and all its virtual Administration Servers. By default, if the account name is not unique, the account creation fails. If you want to use same account names for the virtual Administration Servers, you can disable uniqueness check for internal user names. See Kaspersky Security Center help for more information.

As a result of the procedure, the following actions are performed:

  • Tenant data is saved in the Integration Server database, and the tenant is assigned a unique identifier.
  • A virtual Kaspersky Security Center Administration Server and an account used by the tenant administrator to connect to the virtual Administration Server are created for each tenant.
  • When registering the first tenant on the main Administration Server, a folder with the default name Multitenancy KSV LA is created in the Managed devices folder. You can change this name if required.
  • The following structure of folders and nodes is created for each tenant in the Multitenancy KSV LA folder:

    <Tenant name> folder

    • Administration Servers node
      • Administration Servers <Tenant name> node
        • Folders and administration groups required for managing protection of this tenant, similar to the structure of folders and groups of the main Kaspersky Security Center Administration Server.
Page top

[Topic 259231]

Configuring SVM location and Protection Server settings

At this step of the deployment of tenant security infrastructure, you can perform the following actions:

  1. Configure the location of SVMs that will protect tenant virtual machines in the Kaspersky Security Center administration group hierarchy.
  2. Configure the operation settings of the Protection Server installed on these SVMs using the Protection Server policy.
  3. Configure the general settings of the Light Agents that will be installed on tenant virtual machines using Light Agent policies.

You can deploy SVMs that will protect tenant virtual machines in any folder or administration group on the main Kaspersky Security Center Administration Server.

It is not recommended to deploy the SVMs and Protection Server policy in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.

If you want the SVM to protect virtual machines of only particular tenants, you need to restrict Light Agents' access to the SVM in one of the following ways:

It is not recommended to configure connection tags in Light Agent policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.

In accordance with the procedure for inheritance of Kaspersky Security Center policies, the default Protection Server policy is applied on all SVMs in administration group hierarchy. It is created in the Managed devices folder on the main Administration Server. If you want to configure specific operating settings for the SVMs that will protect tenant virtual machines, you need to create a Protection Server policy in the folder where the SVM that protects tenant virtual machines is located.

If you want to centrally enable use of Kaspersky Security Network to protect tenants' virtual machines, make sure that tenants' personal data is being processed legally.

Page top

[Topic 259232]

Configuring settings for SVM discovery by Light Agents and general tenant protection settings

At this stage of deployment of the tenant protection infrastructure, you need to create a Light Agent policy in one of the following folders:

  • In the Multitenancy KSV LA<Tenant name> folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of one particular tenant. A policy in the Multitenancy KSV LA<Tenant name> folder must be created for each tenant.
  • In the Multitenancy KSV LA folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of all tenants.

In the Light Agent policy, configure the Light Agent operation settings as follows:

  • Settings for connecting Light Agents to SVMs:

    The default values can be used for other settings for connecting Light Agents to SVMs.

    It is recommended to "lock" all the settings for connecting Light Agents to SVMs in order to prevent these settings from being changed in child policies.

  • If required, you can configure general operating settings for the Light Agents that will be installed on the tenant virtual machines.

    You can use the "lock" attribute to allow or block changing of settings or groups of settings in task settings or in nested policies (for nested administration groups and secondary Administration Servers). Tenant administrators cannot configure "locked" settings. If the "locks" are open, the tenant administrator can independently configure the operation of Light Agent components.

It is not recommended to configure the general operating settings of Light Agents in the policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.

Page top

[Topic 259233]

Installing a Light Agent on tenant virtual machines

At this step of the deployment of the tenant security infrastructure, the following actions are performed:

  • Kaspersky Security Center Network Agent, which is configured to connect to the tenant's virtual Administration Server, is installed on tenant virtual machines.
  • Tenant virtual machines are moved to the Managed devices folder of the virtual Administration Server configured for the tenant.
  • Light Agent for Linux or Light Agent for Windows is installed on tenant virtual machines.

The listed actions can be performed both on the service provider's side and on the tenant's side after the tenant administrator receives the virtual Administration Server connection settings.

If installation is performed on the service provider's side

You can use the following installation methods:

  • Using Kaspersky Security Center OpenAPI, automate the installation of applications on tenant virtual machines and the movement of virtual machines to administration groups (open a description of Kaspersky Security Center OpenAPI methods).
  • Remotely install applications on virtual machines using the Kaspersky Security Center wizard or remote installation task.
  • Deploy virtual machines from a virtual machine template.

    If you want to use Kaspersky Security Center OpenAPI or Kaspersky Security Center remote installation tools, then for each tenant you need to prepare the installation packages required to install Light Agent and Kaspersky Security Center Network Agent. You can distribute installation packages to the selected virtual Administration Servers using the Administration Server task or automate the distribution of packages using Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).

    In the package properties or in the properties of the remote installation task, you can specify the administration group that the virtual machine should be assigned to after Network Agent is installed on it. For more information about configuring installation packages and the deployment procedure, see the Kaspersky Security Center Help.

    If you want to deploy virtual machines from a virtual machine template, then for each tenant you need to prepare a virtual machine template that has an installed Network Agent configured to connect to the tenant's virtual Administration Server and an installed Light Agent. Then you can deploy virtual machines for the tenant from this template.

    When installing Network Agent on a virtual machine template, it is recommended to enable optimization of Network Agent settings for VDI.

If installation is performed on the tenant's side

If there are installation packages or virtual machine templates prepared by the service provider's administrator, the tenant's administrator can install Network Agent and Light Agent on the tenant virtual machines.

Page top

[Topic 259234]

Registering tenant virtual machines

At this step of the deployment of the tenant security infrastructure, tenant virtual machines are registered. The procedure is automated by means of the Integration Server REST API.

In the request to the REST API, you need to specify the virtual machine ID (BIOS ID) and the tenant ID of the tenant to which these virtual machines belong.

As a result of performing the procedure, information about the virtual machine is saved in the Integration Server database and a connection is established between the virtual machine and the tenant.

Page top

[Topic 259235]

Activating a tenant

The tenant activation procedure is performed at this stage of deploying the tenant security structure. Tenants are registered with the "Inactive" status in the Integration Server database. As long as the tenant has this status, Light Agents installed on the tenant virtual machines do not receive information about the SVMs they can connect to, and protection of the tenant virtual machines is disabled. To start protecting tenant virtual machines, you must activate the tenant.

The tenant activation procedure is automated using the Integration Server REST API.

As a result of the procedure, the following actions are performed:

  • The tenant status changes to "Active". The tenant status is saved in the Integration Server database. You can get information about the tenant status using the Integration Server REST API or by viewing the list of tenants in the Integration Server Console.
  • The Light agents installed on the tenant virtual machines receive information about the SVMs available for connection from the Integration Server. The Light Agents select the best SVMs for connection in accordance with the configured SVM connection settings, and protection of the tenant virtual machines is enabled.
Page top

[Topic 259236]

Registering existing tenants and their virtual machines

If the tenant protection infrastructure is configured without the use of the Integration Server REST API, you need to add information about the tenants and their virtual machines to the Integration Server database in order to generate tenant protection reports.

Registration of an existing tenant and its virtual machines in the Integration Server database consists of the following steps:

  1. Creating a tenant in the Integration Server database.

    The tenant creation procedure is automated using the Integration Server REST API.

    The actions performed in response to the REST API request depend on the tenant type specified when calling the REST API method. To enter the tenant data into the Integration Server database without creating a tenant protection infrastructure, specify the simple tenant type.

    Specify the following information in the REST API request:

    • Tenant name.
    • Tenant type: simple.

    As a result, the tenant data is saved in the Integration Server database and the tenant is assigned an identifier.

  2. Registering tenant virtual machines in the Integration Server database.

    The virtual machine registration procedure is automated by means of the Integration Server REST API.

    In the request to the REST API, specify the identifier (BIOS ID) of each virtual machine and the tenant ID of the tenant to which these virtual machines belong.

    As a result, the data on the tenant virtual machines is saved in the Integration Server database.

  3. Activating a tenant.

    The tenant activation procedure is automated using the Integration Server REST API.

    After activation, the tenant status is saved in the Integration Server database. You can get information about the tenant status using the Integration Server REST API or by viewing the list of tenants in the Integration Server Console.

    For a simple tenant, its status ("Active" or "Inactive") does not affect the protection state of tenant virtual machines.

Page top

[Topic 259237]

Enabling and disabling tenant protection

Tenants registered in the Integration Server database may have the "Active" or "Inactive" status. By default, the tenant status is "Inactive".

For a complete tenant, the tenant status determines the protection status of tenant virtual machines:

  • If the tenant status is "Active", the Integration Server sends Light Agents installed on the tenant virtual machines the list of SVMs available for connection. The Light Agents select the best SVM for connection in accordance with the configured SVM connection settings and connect to it. Protection of the tenant virtual machines is enabled.
  • If the tenant status is "Inactive", the Integration Server sends Light Agents installed on the tenant virtual machines the address of a non-existent SVM. This means that Light Agents are not able to connect to any SVM. Protection of the tenant virtual machines is disabled.

To enable protection of the virtual machines for a complete tenant, you must activate the tenant. If you want to disable protection of the virtual machines for a complete tenant (stop providing protection services to the tenant), you can deactivate the tenant.

After the tenant is deactivated, events from the Light Agents installed on the tenant virtual machines are logged to the Kaspersky Security Center Administration Server. An event that there are no SVMs available for connection is logged once, and events indicating that the update task could not be run on the protected virtual machine are logged every 2 hours.

To avoid unauthorized use of the application, after a tenant is deactivated, it is recommended to block network connections from the deactivated tenant's subnet to the following TCP ports of the SVM subnet: 80, 9876, 9877, 11111, 11112.

For a simple tenant, the status does not affect the virtual machine protection status.

The tenant activation and deactivation procedures are automated using the Integration Server REST API.

Page top

[Topic 259238]

Getting information about tenants

Kaspersky Security implements the following methods for getting information about tenants:

How to view tenant information in Integration Server Web Console

To view information about tenants:

  1. Open Integration Server Web Console and connect to the Integration Server.
  2. Go to the Multitenancy mode section.

    In the window that opens, the List of tenants block displays a table of all tenants registered in the Integration Server database.

    The table contains the following information about each tenant:

    • Tenant status in the Integration Server database For a complete tenant, the status determines the protection status of tenant virtual machines:
      • If the tenant status is "Active", protection of the tenant virtual machines is enabled.
      • If the tenant status is "Inactive", protection of the tenant virtual machines is disabled.

      For a simple tenant, the tenant status does not affect the virtual machine protection status.

    • Tenant name.
    • Tenant type: Complete or Simple
    • Tenant ID
    • ID of the virtual Administration Server configured for the tenant
    • Name of the account under which the tenant administrator connects to the virtual Administration Server configured for the tenant (only for complete tenants).

    You can sort the list by the Status, Name, and Type columns, and search the list.

  3. To view the list of virtual machines in a selected tenant, click a tenant name in the list. The window that opens displays a table with the tenant information contained in the list of tenants, as well as the list of virtual machines of the tenant. The table contains the following information about each virtual machine:
    • Identifier (BIOS ID) of the virtual machine.
    • Name of the virtual machine

How to view tenant information in Integration Server Console

To view information about tenants:

  1. Open Integration Server Console and connect to the Integration Server.
  2. In the list on the left, select the List of tenants section.

    The right side of the window displays a table of all tenants registered in the Integration Server database.

The following information about each tenant is displayed in the list:

  • Status – tenant status in the Integration Server database. The status is indicated by the following icon:
    • green_check means the tenant has the "Active" status.
    • red_cross menas the tenant has the "Inactive" status.

    For a complete tenant, the status determines the protection status of tenant virtual machines:

    • If the tenant status is "Active", protection of the tenant virtual machines is enabled.
    • If the tenant status is "Inactive", protection of the tenant virtual machines is disabled.

    For a simple tenant, the tenant status does not affect the virtual machine protection status.

  • Information about the tenant and the tenant virtual machines:
    • tenant name
    • tenant type: Complete or Simple
    • tenant ID
    • for a complete tenant: identifier of the virtual Administration Server configured for the tenant
    • list of identifiers (BIOS ID) or names of the tenant virtual machines
  • Administrator account – name of the account used by the administrator of a complete tenant to connect to the virtual Administration Server configured for the tenant. The list displays the account name specified when the tenant was created, even if this name was subsequently changed.

You can update the list of tenants using the Refresh link above the table.

Page top

[Topic 259240]

Getting tenant protection reports

A virtual machine is considered protected if the Light Agent installed on it is connected to the SVM. Each SVM can receive data about the time intervals when Light Agents were connected to the SVM and pass this data to the Integration Server database. Based on this information, you can use the Integration Server REST API to receive reports on the protection status of the tenant virtual machines.

You can use the tenant protection report to get information about all protected tenant virtual machines and all time intervals when each virtual machine was protected by Kaspersky Security. The report can also be used to get information about the protection of all virtual machines that connected to the SVM during the specified reporting period, including the virtual machines that do not belong to any tenant.

Getting tenant protection reports consists of the following steps:

  1. Enabling the function of transferring report data to the Integration Server database.
  2. Report generation. The report is generated as a CSV file in a temporary folder.
  3. Report upload. The generated report can be uploaded in its entirety or in parts for integration into the service provider's reporting system.

In this section:

Enabling the function of transferring report data

Generating tenant protection reports

Uploading tenant protection reports

Page top

[Topic 259241]

Enabling the function of transferring report data

By default, the function of transferring report data is disabled on the Integration Server. If you want to receive tenant protection reports, you need to enable the reporting data feature in the Integration Server configuration file appsettings.json. Depending on the version of the Integration Server, the file is located at one of the following paths:

  • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.

To enable the function of receiving report data:

  1. Open the appsettings.json configuration file for editing.
  2. In the Multitenancy section, set the EnableProtectionReports parameter to true and save the file.
  3. Restart the Integration Server.

The Integration Server will receive data on the time intervals when Light Agents were connected to SVMs from each SVM.

If the function of receiving report data is enabled, but SVM is not connected to the Integration Server, the data packets are queued for sending. When the maximum number of packets in the queue is reached, older data packets are deleted. The parameters for sending data are set up in the /etc/opt/kaspersky/agents_monitor/agents_monitor.conf configuration file on SVM. You can configure the maximum queue size for the packets to be sent using the max_queue_size parameter.

The received data is stored in the Integration Server database. The default report retention period is 460 days. You can specify this value using the ProtectionPeriodsRecordsLifetimeDays parameter in the Multitenancy section of the appsettings.json configuration file of the Integration Server.

The size of the Integration Server database increases in proportion to the number of the protected tenant virtual machines.

Page top

[Topic 259242]

Generating tenant protection reports

The report generation procedure is automated by means of the Integration Server REST API.

You can pass the following report generation parameters in the request to the REST API:

  • Identifier of the tenant for which you want to generate the report.
  • Start date and time of the period for which you want to generate a report.
  • End date and time of the period for which you want to generate a report.

If a tenant ID is not specified in the request, the report will include data on all virtual machines that were protected during the specified period, data on virtual machines that do not belong to tenants.

If the report generation period is not specified in the request, the report will include data stored in the Integration Server database from the earliest date up to the current moment.

To obtain reliable information in the reports, it is recommended to follow these rules when specifying the reporting period:

  • Specify the reporting period accurate to a day.
  • Set the end of the reporting period not less than 60 minutes from the current moment.

As a result of the report generation procedure, the report identifier is returned. Depending on the version of the Integration Server, the report is saved at the following path:

  • /var/opt/kaspersky/viis/common/reports – protected directory of the Linux-based Integration Server.
  • %ProgramData%\Kaspersky Lab\VIISLA\protectionPeriodsReports – protected folder of the Linux-based Integration Server.

By default, the report is stored for 24 hours from the moment of generation. To get the report, use the report identifier in the request to the REST API to upload the report.

You can configure the report retention period using the ProtectionPeriodsRecordsLifetimeDays parameter in the Multitenancy section of the appsettings.json configuration file of the Integration Server. Depending on the version of the Integration Server, the file is located at one of the following paths:

  • /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.

The data in the report is presented line by line. Each line contains information about one virtual machine protection period in the following format:

{tenant ID};{tenant name};{virtual machine ID};{virtual machine name};{date and time when protection was enabled};{date and time when protection was disabled}

where:

  • {tenant ID} – identifier of the tenant to which the virtual machine belongs. If the virtual machine does not belong to any tenant, nothing is displayed in this field.
  • {tenant name} – tenant name specified when creating the tenant. If the virtual machine does not belong to any tenant, nothing is displayed in this field.
  • {virtual machine ID} – identifier of the virtual machine that was protected by the application.
  • {virtual machine name} – name of the virtual machine that was protected by the application.
  • {date and time when protection was enabled} – start date and time of the virtual machine protection period.
  • {date and time when protection was disabled} – end date and time of the virtual machine protection period.

If during the reporting period the virtual machine was protected by the application several times (protection was enabled and disabled), the report displays each virtual machine protection period.

Page top

[Topic 259243]

Uploading tenant protection reports

The report upload procedure is automated by means of the Integration Server REST API.

In the request to the REST API, the report identifier obtained at the previous step and the data display format (CSV) must be specified.

Other data display formats are not supported.

You can upload all report data or get partial data.

You can integrate data obtained as a result of the query into your reporting system.

Page top

[Topic 259244]

Removing virtual machines from the protected infrastructure

To remove a virtual machine from the protected infrastructure of a complete tenant:

  1. Unregister the virtual machine in the Integration Server database. The virtual machine unregistration procedure is automated by means of the Integration Server REST API.

    As a result, information about the tenant virtual machine is deleted from the Integration Server database.

  2. On the virtual machine, uninstall Kaspersky Security Center Network Agent, Light Agent for Linux, or Light Agent for Windows.

    You can perform these actions manually in the Kaspersky Security Center interface or automate the removal using Kaspersky Security Center OpenAPI (open a description of Kaspersky Security Center OpenAPI methods).

  3. Remove the virtual machine from the list of the tenant's managed devices. You can move the virtual machine to the Unassigned devices folder of Kaspersky Security Center main Administration Server or delete the virtual machine from Kaspersky Security Center.

    You can perform these actions manually in Kaspersky Security Center interface or automate virtual machine removal form the list of managed devices using Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).

If the virtual machine is removed from the protected infrastructure of a simple tenant, you need to unregister the virtual machine in the Integration Server database.

Page top

[Topic 259245]

Removing tenants

If you want to stop providing services to a complete tenant, you need to remove the tenant. To do so, perform the following actions:

  1. On the virtual machine, uninstall Kaspersky Security Center Network Agent, Light Agent for Linux, or Light Agent for Windows.

    You can perform these actions manually in the Kaspersky Security Center interface or automate the removal using Kaspersky Security Center OpenAPI (open a description of Kaspersky Security Center OpenAPI methods).

  2. Remove the tenant from the Integration Server database, and remove the tenant protection infrastructure. The removal procedure is automated by means of the Integration Server REST API. When calling the REST API method, specify the removeTenantArtifacts=true parameter.

    As a result of the procedure, the following actions are automatically performed:

    • Information about the tenant and the tenant virtual machines is deleted from the Integration Server database.
    • The tenant protection infrastructure is removed from Kaspersky Security Center, namely: virtual Administration Server and the account for connecting to it, the Multitenancy KSV LA<Tenant name> folder and its contents (subfolders and administration groups, policies and tasks, and installation packages).
    • If there are no other tenants, the Multitenancy KSV LA folder is also deleted.

If protection services are terminated for a simple tenant, you need to remove the tenant from the Integration Server database.

Page top

[Topic 199331]

Using the Integration Server REST API in multi-tenancy scenarios

Interaction with the Integration Server REST API is based on requests and responses and is carried out over the HTTPS protocol using the multitenancy account.

Account parameters are passed as the following string {username}:{password} at every method call in the Authorization request header and are encoded with the Base64 method. Authentication of the Basic type is used.

The address of the request to the Integration Server REST API consists of the following parts:

https://{Integration Server address}:{Integration Server port}/{method}?{parameters}

where:

  • {Integration Server address} – IP address or fully qualified domain name (FQDN) of the Integration Server.
  • {Integration Server port} – port for connecting to the Integration Server (port 7271 by default).
  • {method} – method to call.
  • {parameters} – method parameters, if any.

For processing requests that are time consuming and run asynchronously, tasks are used. The task is created as an intermediate query result.

In this section:

Methods for working with tenants

Methods for working with reports

Methods for working with tasks

Page top

[Topic 259246]

Methods for working with tenants

Using the Integration Server REST API, you can perform the following actions when working with tenants and tenant virtual machines:

  • Get information about a tenant
  • Get a list of tenants
  • Get a list of tenant virtual machines
  • Create a new tenant and its protection infrastructure, or register an existing tenant
  • remove a tenant
  • activate and deactivate a tenant
  • register and unregister tenant virtual machines

The set of actions performed as a result of some REST API requests depends on the tenant type that you specify when adding the tenant information to the Integration Server database. Deployment and deletion of the tenant protection infrastructure using the Integration Server REST API is available for complete tenants. For a simple tenant, only report generation is automated.

In this section:

Getting information about a tenant

Getting a tenant list

Getting a list of tenant virtual machines

Creating a tenant

Activating a tenant

Deactivating a tenant

Registering tenant virtual machines

Unregistering a virtual machine

Removing a tenant

Page top

[Topic 259247]

Getting information about a tenant

Allows you to get information about the tenant from the Integration Server database.

Method:

GET /api/2.0/virtualization/tenants/{tenant ID}

where:

{tenant ID} – tenant identifier in the Integration Server database (required parameter).

In case of successful completion of the request, the REST API returns the following information about the tenant:

<tenant id="{ID}" created="{date and time}" updated="{date and time}">

<name>{name}</name>

<description>{description}</description>

<userData><![CDATA[{additional information}]]></userData>

<!-- Information in the vKsc section is available only for a complete tenant -->

<vKsc id="{ID}">

<user>

<name>{administrator}</name>

</user>

</vKsc>

<status>{status}</status>

<type>{tenant type}</type>

</tenant>

where:

  • tenant id="{ID}" – tenant identifier in the Integration Server database.
  • created="{date and time}" – date and time when the tenant was registered in the Integration Server database, in YYYY-MM-DDThh:mm:ss format.
  • updated="{date and time}" – date and time when the tenant data was updated in the Integration Server database, in YYYY-MM-DDThh:mm:ss format.
  • {name} – tenant name specified when the tenant was created.
  • {description} – tenant description.
  • {additional information} – additional tenant information added to the Integration Server database.
  • vKsc id="{ID}" – identifier assigned to the tenant's virtual Administration Server in Kaspersky Security Center.
  • {administrator} – name of the administrator of the tenant's virtual Administration Server.
  • {status} – current tenant status: Active or Inactive.
  • {tenant type} – type of tenant: Complete or Simple.

Return codes:

  • 200 (OK) – request completed successfully. The tenant information is returned in the response.
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
Page top

[Topic 259248]

Getting a tenant list

Allows you to get a list of all tenants whose information is stored in the Integration Server database, as well as information about each tenant.

Method:

GET /api/2.0/virtualization/tenants

Return codes:

  • 200 (OK) – request completed successfully. A list of information about all tenants is returned in the response.
  • 403 (Forbidden) – access to the resource is denied.
Page top

[Topic 259249]

Getting a list of tenant virtual machines

Allows you to get a list of all registered tenant virtual machines.

Method:

GET /api/2.0/virtualization/tenants/{tenant ID}/vms

where:

{tenant ID} – tenant identifier in the Integration Server database (required parameter).

If the request succeeds, the REST API returns a list of virtual machines and the following information about each tenant virtual machine:

<vm id="{ID in the database}" biosId={BIOS ID} created="{date and time}" updated="{date and time}">

<name>{name}</name>

<userData><![CDATA[{additional information}]]></userData>

</vm>

where:

  • {ID in the database} – identifier assigned to the virtual machine in the Integration Server database.
  • {BIOS ID} – virtual machine identifier (BIOS ID) in UUID format.
  • created="{date and time}" – date and time when the virtual machine was registered in the Integration Server database in YYYY-MM-DDThh:mm:ss format.
  • updated="{date and time}" – date and time when the virtual machine data was updated in the Integration Server database in YYYY-MM-DDThh:mm:ss format.
  • {name} – virtual machine name.
  • {additional information} – additional information about the virtual machine stored in the Integration Server database.

Return codes:

  • 200 (OK) – request completed successfully. A list of the tenant virtual machines is returned in the response.
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
Page top

[Topic 259250]

Creating a tenant

Depending on the tenant type that you specify when calling the REST API method, the following actions can be performed:

  • For a complete tenant:
    • Add tenant data to the Integration Server database.
    • Create the tenant protection infrastructure in Kaspersky Security Center (virtual Administration Server, account for connecting to it, structure of folders and administration groups).
    • Add information about the tenant's virtual Administration Server to the Integration Server database.
  • For a simple tenant: add the tenant data to the Integration Server database.

Method:

POST /api/2.0/virtualization/tenants

The following parameters must be specified in the request body:

<tenant>

<name>{name}</name>

<description>{description}</description>

<userData><![CDATA[{additional information}]]></userData>

<preferredViisAddress>{IP address}</preferredViisAddress>

<type>{tenant type}</type>

<!-- Data in the vKsc section is specified only for a complete tenant -->

<vKsc>

<user>

<name>{administrator name}</name>

<password>{administrator password}</password>

</user>

</vKsc>

</tenant>

where:

  • {name} – tenant name (required parameter).
  • {description} – tenant description (optional parameter).
  • {additional information} – additional tenant information (optional parameter).
  • {IP address} – IP address of the Integration Server to which the Light Agents installed on tenant virtual machines will connect (optional parameter). The specified address is used by default when creating the Light Agent policy. If the parameter is not specified, the policy uses the Integration Server IP address from the request to REST API.
  • {tenant type} – type of tenant: Complete or Simple (optional parameter).
  • {administrator name} – name of the administrator account used to connect to the tenant's virtual Administration Server (required when creating a complete tenant). The account will be created automatically during the procedure.
  • {administrator password} – Base64-encoded password for the administrator account (required when creating a complete tenant).

The request is executed asynchronously, REST API returns identifier of the CreateTenant task. Using the task, you can monitor the progress of the tenant creation procedure. When the task completes, the result field displays information about the tenant including the identifier of the created tenant, or an error message. In case of an error at any step of the procedure, all the changes are rolled back.

Return codes:

  • 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the CreateTenant task.
  • 400 (Bad request) VIRMT_MandatoryParameterIsNotSpecified – one of the required parameters, for example, the tenant name, is not specified in the request body.
  • 400 (Bad request) VIRMT_InvalidTenantType – an invalid tenant type is specified in the request body; the specified tenant type does not exist.
  • 400 (Bad request) VIRMT_VKscCredentialsNotSpecified – the name or password of the administrator account of the virtual Kaspersky Security Center Administration Server is not specified (when creating a complete tenant).
  • 400 (Bad request) VIRMT_InvalidViisAddressFormat – invalid format of the Integration Server IP address.
  • 403 (Forbidden) – access to the resource is denied.

Possible error codes in the task:

  • KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
  • VIRMT_TenantGroupAlreadyExists – a folder whose name corresponds to the specified tenant name already exists in Kaspersky Security Center.
  • VIRMT_TenantWithSpecifiedNameAlreadyExists – a tenant with the specified name already exists in the Integration Server database.
  • VIRMT_PasswordNotComplyPolicy – failed to create an administrator account for Kaspersky Security Center virtual Administration Server: the specified password does not meet Kaspersky Security Center password requirements.
  • VIRMT_UserWithSpecifiedNameAlreadyExists – failed to create an administrator account for Kaspersky Security Center virtual Administration Server: a user with the specified name already exists in Kaspersky Security Center.
Page top

[Topic 259251]

Activating a tenant

Allows changing the tenant status to "Active".

Method:

POST /api/2.0/virtualization/tenants/{tenant ID}/activate

where:

{tenant ID} – tenant identifier in the Integration Server database (required parameter).

The request is executed asynchronously, REST API returns identifier of the ChangeTenantActivation task. Using the task, you can monitor the progress of the procedure for changing the tenant status. When the task is done, the result field displays confirmation that the tenant status changed (true) or an error message.

Return codes:

  • 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the ChangeTenantActivation task.
  • 403 (Forbidden) – access to the resource is denied.

Error codes in the task:

  • VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
  • KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Page top

[Topic 259252]

Deactivating a tenant

Allows changing the tenant status to "Inactive".

Method:

POST /api/2.0/virtualization/tenants/{tenant ID}/deactivate

where:

{tenant ID} – tenant identifier in the Integration Server database (required parameter).

The request is executed asynchronously, REST API returns identifier of the ChangeTenantActivation task. Using the task, you can monitor the progress of the procedure for changing the tenant status. When the task is done, the result field displays confirmation that the tenant status changed (true) or an error message.

Return codes:

  • 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the ChangeTenantActivation task.
  • 403 (Forbidden) – access to the resource is denied.

Error codes in the task:

  • VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
  • KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Page top

[Topic 259253]

Registering tenant virtual machines

Allows you to add information about the tenant virtual machines to the Integration Server database.

Method:

POST /api/2.0/virtualization/tenants/{tenant ID}/vms/register

where:

{tenant ID} – tenant identifier in the Integration Server database (required parameter).

The following parameters must be specified In the request body:

<vm biosId="{BIOS ID}">

<name>{name}</name>

<userData><![CDATA[{additional information}]]></userData>

</vm>

where:

  • {BIOS ID} – unique virtual machine identifier (BIOS ID) (required parameter).
  • {name} – virtual machine name (optional parameter).
  • {additional information} – additional information about the virtual machine (optional parameter).

Return codes:

  • 200 (OK) – request completed successfully (information about the virtual machine is added to the Integration Server database).
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
  • 409 (Conflict) VIRMT_VmWithSpecifiedBiosIdAlreadyExists – virtual machine with the specified identifier is already registered in the Integration Server database.
Page top

[Topic 259254]

Unregistering a virtual machine

Allows you to delete information about the tenant virtual machine from the Integration Server database.

Unregistration does not disable protection of the tenant virtual machine. You can disable protection of the virtual machine for a complete tenant by following all the steps of the procedure for removing virtual machines from the protected infrastructure.

Method:

POST /api/2.0/virtualization/tenants/{tenant ID}/vms/unregister?biosId={ID}

or

POST /api/2.0/virtualization/tenants/{tenant ID}/vms/unregister?vmId={ID}

where:

  • {tenant ID} – tenant identifier in the Integration Server database (required parameter).
  • biosId={ID} – virtual machine identifier (BIOS ID) in UUID format (required parameter).
  • vmId={ID} – identifier of the virtual machine in the Integration Server database, in the UUID format (required parameter).

Return codes:

  • 200 (OK) – request completed successfully (information about the virtual machine is deleted from the Integration Server database).
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
  • 404 (Not Found) VIRMT_VmWithSpecifiedIdNotFound – virtual machine with the specified identifier is not found in the Integration Server database.
Page top

[Topic 259255]

Removing a tenant

Depending on the tenant type and specified parameters, lets you perform the following actions:

  • For a complete tenant:
    • Delete information about the tenant and tenant virtual machines from the Integration Server database.
    • Delete the tenant protection infrastructure in Kaspersky Security Center (virtual Administration Server, account for connecting to it, structure of folders and administration groups, policies, tasks, and installation packages). If there are no other tenants, the Multitenancy KSV LA folder is also deleted.
    • Delete information about the tenant's virtual Administration Server from the Integration Server database.

    Calling the tenant removal method does not disable protection on tenant virtual machines. To disable protection, you need to perform all steps of the tenant removal procedure, including removal of Light Agent for Windows, Light Agent for Linux, and Kaspersky Security Center Network Agent from the virtual machines. To suspend protection of the virtual machine for a complete tenant, use the tenant deactivation method.

  • For a simple tenant: remove the tenant from the Integration Server database.

Method:

DELETE /api/2.0/virtualization/tenants/{tenant ID}?removeTenantArtifacts={true|false}

where:

  • {tenant ID} – tenant identifier in the Integration Server database (required parameter).
  • removeTenantArtifacts={true|false} – optional parameter that indicates whether the tenant protection infrastructure must be removed when removing the tenant from the Integration Server database. Possible values:
    • true – when the tenant is removed, the following actions are performed:
      • Remove the tenant's virtual Administration Server.
      • Delete the administrator account of the tenant's virtual Administration Server.
      • Delete the Multitenancy KSV LA → <Tenant name> folder and its contents.
      • Delete the Multitenancy KSV LA folder if there are no other tenants.
    • false – the tenant is only deleted from the Integration Server database; the tenant protection infrastructure is not deleted.

The request is executed asynchronously, REST API returns identifier of the DeleteTenant task. You can use the task to monitor the progress of the tenant removal procedure. When the task completes, the result field displays information about the removed tenant or an error message.

In case of an error at any step of the procedure, all the changes are rolled back.

Return codes:

  • 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the DeleteTenant task.
  • 403 (Forbidden) – access to the resource is denied.

Error codes in the task:

  • VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
  • KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Page top

[Topic 259256]

Methods for working with reports

Using the Integration Server REST API, you can perform the following actions when working with tenant protection reports:

  • Generate a report
  • Upload a report

In this section:

Report generation

Report upload

Page top

[Topic 259257]

Report generation

Allows you to generate a report based on data saved to the Integration Server database, taking into account the specified report settings. You can specify the tenant about whose protection you want to generate a report, as well as the time interval for which you want to receive data.

In the header of the Accept request, pass the data output format: Accept:application/csv.

Method:

POST /api/2.0/virtualization/reports/tenants?tenantId={tenant ID}&from={date and time}&to={date and time}

where:

  • tenantId={tenant ID} – tenant identifier in the Integration Server database. If a tenant is specified, the report includes only information about periods of protection of the virtual machines of this tenant. If a tenant is not specified, the report will include data on all virtual machines that were protected during the specified period.
  • from={date and time} – start date and time of the reporting period in YYYY-MM-DDThh:mm:ss format. If the value is not specified, the date of the earliest record in the Integration Server database is used.
  • to={date and time} – end date and time of the reporting period in YYYY-MM-DDThh:mm:ss format. If the value not specified, the current date is used.

The request is executed asynchronously, REST API returns identifier of the CreateTenantReport task. Using the task, you can monitor the progress of the report generation procedure. When the task execution completes, the result field displays the report identifier or an error message.

Return codes:

  • 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the CreateTenantReport task.
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) – a tenant with the specified identifier is not found in the Integration Server database.
Page top

[Topic 199658]

Report upload

Allows you to upload a report generated before.

In the header of the Accept request, pass the data output format: Accept: application/csv.

The report can be uploaded in parts. You can specify the data range in the Range request header, for example:

Range: bytes=0-1023

In response to a request with this header, the REST API returns the 206 (Partial content) result and the first kilobyte of data. The response contains the Content-Range and Content-Length headers.

For example:

Content-Range: bytes=0-1023/123456

Content-Length: 1024

Method:

GET /api/2.0/virtualization/reports/tenants/{report ID}

where:

{report ID} – report identifier obtained as a result of successful completion of the CreateTenantReport task (required parameter).

Return codes:

  • 200 (OK) – request completed successfully. The response returns the report data in the format specified in the Accept header.
  • 206 (Partial content) – request completed successfully. The response returns the part of the report specified by the Range heading.
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) – report with the specified identifier is not found.
  • 415 (Unsupported Media Type) – unsupported format of the requested data (incorrect format was passed in the Accept request header).
Page top

[Topic 259258]

Methods for working with tasks

The tasks are used for processing requests that are time consuming and run asynchronously. Task statuses allow you to monitor the progress of actions specified in the request.

A task may have one of the following states:

  • Created – task is created but not started.
  • Starting – the task is in the process of starting.
  • Running – the task is running. For a task in this state, the execution progress is displayed as a percent value.
  • Completed – the task has been successfully completed. For a task in this state, the task execution result is displayed. The result contains task-specific data, for example, the identifier of a new tenant after the CreateTenant task completes.
  • Stopping – the task is being prepared for completion. If you stopped a task, it may be in this state before switching to the Canceled state.
  • Failed – the task failed. For a task in this state, detailed error information is indicated.
  • Canceled – the task is terminated by the user or the system. For a task in this state, detailed error information is indicated.
  • Queued – the task has been queued and is waiting for execution to start.

By means of the Integration Server REST API, you can perform the following tasks:

  • Get a list of tasks
  • Get information about a specified task
  • Cancel execution of a specified task

In this section:

Getting task information

Getting a list of tasks

Canceling a task

Page top

[Topic 259259]

Getting task information

Allows you to get information about the task by its identifier.

Method:

GET /api/2.0/virtualization/tasks/{ID}

where:

{ID} – task identifier (required parameter).

In case of successful completion of the request, the REST API returns the following information about the task:

<task id="{ID}" created="{date and time}" stateChanged="{date and time}" changed="{date and time}">

<state>{state}</state>

<type>{type}</type>

<stage>{stage}</stage>

<progress>{execution progress}</progress>

<result>{result}</result>

<!-- If the task execution fails, an error message is displayed instead of the result.

<error>{error message}</error>

</task>

where:

  • {ID} – task ID.
  • created="{date and time}" – task creation time in YYYY-MM-DDThh:mm:ss format.
  • stateChanged="{date and time}" – time of the task state change in YYYY-MM-DDThh:mm:ss format.
  • changed="{date and time}" – task change time in YYYY-MM-DDThh:mm:ss format.
  • {state} – task state.
  • {type} – task type. For example:
  • {name} – task name.
  • {stage} – task execution stage.
  • {execution progress} – the progress of task execution indicated as a percentage.
  • {result} – result of executing the task, for example, information about a created tenant or a report identifier.
  • {error message} – if an error occurs during task execution, an error message is displayed.

Return codes:

  • 200 (OK) – request completed successfully.
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) – task with the specified identifier is not found in the Integration Server database.
Page top

[Topic 199645]

Getting a list of tasks

Allows you to get a list of all existing tasks and information about each task in the list.

Method:

GET /api/2.0/virtualization/tasks?createdFrom={date and time}&state={status}&type={type}

where:

  • createdFrom={date and time} – date and time in YYYY-MM-DDThh:mm:ss format (optional parameter). If the parameter is specified, the list displays the tasks that were created not earlier than the specified date and time.
  • state={state} – task state (optional parameter). If the parameter is specified, the list displays only the tasks with the specified state.
  • type={type} – task type (optional parameter). If the parameter is specified, the list displays only the tasks of the specified type.

Return codes:

  • 200 (OK) – request completed successfully. The response returns a list of tasks.
  • 403 (Forbidden) – access to the resource is denied.
Page top

[Topic 199647]

Canceling a task

Allows you to stop running tasks. Some tasks cannot be completed immediately. In this case, the 202 (Accepted) code is returned and the task state changes to Stopping.

Method:

POST /api/2.0/virtualization/tasks/{ID}/cancel

where:

{ID} – task identifier (required parameter).

Return codes:

  • 200 (OK) – request completed successfully (the task was canceled).
  • 202 (Accepted) – request is accepted for execution (the task state changes to Stopping).
  • 403 (Forbidden) – access to the resource is denied.
  • 404 (Not Found) – task with the specified identifier is not found.
  • 405 (Method Not Allowed) – for child tasks: you can cancel a child task only if you cancel the parent task.
  • 409 (Conflict) – the task is already in one of the following states: Cancelled, Failed, Stopped.
Page top

[Topic 241127]

Contacting Technical Support

This section describes the ways to get technical support and the terms on which it is available.

In this Help section

How to get technical support

Technical Support via Kaspersky CompanyAccount

Getting information for Technical Support

Page top

[Topic 257635]

How to get technical support

If you cannot find a resolution to your issue in the help or in other sources of information about the Kaspersky Security solution, you are advised to contact Technical Support. Technical Support specialists will answer your questions about installing and using the solution.

Kaspersky provides support for the solution throughout its lifecycle (see the Kaspersky application lifecycle page). Before contacting Technical Support, please read the support rules.

You can contact Technical Support in one of the following ways:

Page top

[Topic 68417]

Technical Support via Kaspersky CompanyAccount

Kaspersky CompanyAccount is a portal for organizations that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky experts via online requests. The Kaspersky CompanyAccount portal lets you monitor the progress of electronic request processing by Kaspersky experts and store a history of electronic requests.

You can register all of your organization's employees under a single Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.

The Kaspersky CompanyAccount portal is available in the following languages:

  • English
  • Spanish
  • Italian
  • German
  • Polish
  • Portuguese
  • Russian
  • French
  • Japanese

To learn more about Kaspersky CompanyAccount, visit the Technical Support website.

Page top

[Topic 257859]

Getting information for Technical Support

Getting data files

After you inform Kaspersky Technical Support specialists about your issue, they may ask you to send the following files:

A dump file contains all information about the operation memory of Kaspersky Security processes at the time the dump file was created.

A trace file helps track the step-by-step execution of instructions by solution components and can help detect the stage of execution when an error occurs.

Changing solution component settings

Technical Support specialists may also require additional information about the operating system, processes that are running on the protected virtual machine, and detailed reports on the operation of solution components.

While diagnosing the problem, Technical Support specialists may, for the debugging purposes, ask you to change the solution component settings to:

  • Activate the functionality that obtains extended diagnostic information.
  • Run the tools, which are included in the solution's distribution kit.
  • Change the settings for storing diagnostic information.
  • Enable debugging mode for the Integration Server.
  • Configure interception of network traffic and save it to file.
  • Perform more detailed configuration of the operation of the Light Agents, Protection Server, Integration Server, Integration Server Console, and management plug-ins. This detailed configuration is not available through the solution management tools described in this help.

Technical Support experts will provide you with all the information needed to perform the listed operations, including a description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose tools, and will inform you about the scope of data submitted for debugging purposes.

The extended diagnostic information is saved on your virtual machine. The data is not automatically sent to Kaspersky.

You are strongly advised to perform the above-mentioned steps solely under the guidance of Technical Support specialists and according to their instructions. Independent modification of the solution settings in ways not described in the solution's help or in recommendations from Technical Support specialists may cause operating system slowdowns and malfunctions, decrease of the protection level of virtual machines, and lead to the loss or corruption of the information being processed.

Disabling the rollback function

You may need to disable the rollback function in order to analyze an error that occurs during SVM deployment using the Integration Server Console.

To disable the rollback function:

  1. On the device where the Kaspersky Security Center Administration Console is installed, open the file %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\Kaspersky.VIISConsole.UI.exe.config in a text editor for editing.

    You must edit the file under the administrator account.

  2. In the <appSettings></appSettings> section, edit the <!--<add key="disableRollback" value="1" />--> string as follows:

    <add key="disableRollback" value="1" />

  3. Save and close the Kaspersky.VIISConsole.UI.exe.config file.

The new settings are applied after the Integration Server Console is restarted.

Getting information about SVMs connected to the Integration Server

Technical Support experts may ask you to provide information about the SVMs that are connected to the Integration Server. You can view a list of all SVMs connected to the Integration Server in the Integration Server Console.

Troubleshooting the solution

To diagnose performance issues, you may need to turn on debug mode for the Integration Server. To turn on debug mode, you need to use special configuration file settings. For more detailed information, please contact Technical Support.

In this section:

Protection Server and Light Agent dump files

Trace files of the Kaspersky Security Components Installation Wizard

Trace files of the Integration Server and Integration Server Console

Trace files of the tool for managing Integration Server and SVM certificates

Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins

The SVM Management Wizard log

Using the utilities and scripts from the Kaspersky Security distribution kit

Page top

[Topic 99617]

Protection Server and Light Agent dump files

A dump file contains information about the working memory of Kaspersky Security processes at the time the file was created.

Dump files may contain personal data. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.

Dump files are not sent to Kaspersky automatically.

By default, dump files are not created. You can enable or disable creation of dump files.

Protection Server dump files

To enable creation of Protection Server dump files:

  1. On the SVM, create the etc/opt/kaspersky/la/dumps_enabled file.
  2. Restart the scanserver service by running the systemctl restart la-scanserver command.

All created dump files are located by default on the SVM in the /var/opt/kaspersky/la/dumps directory. The name of each *.dmp file contains the date and time when the file was created, the process identifier (PID), and the dump number in the session.

You can change the dump logging settings in the ScanServer.conf configuration file (in the [dumps] section).

Access to the dump files requires the password of the SVM root account assigned during Protection Server installation. If you change the default directory for storing dump files, Kaspersky Security does not control access to dump files. If the file system where the specified directory is located supports appropriate access control, the root account permissions are required to access the dump files.

Dump files are automatically deleted when the SVM is deleted.

To disable creation of Protection Server dump files:

  1. Delete the etc/opt/kaspersky/la/dumps_enabled file.
  2. Restart the scanserver service by running the systemctl restart la-scanserver command.

Light Agent dump files

You can enable or disable creation of dump files for Light Agent for Linux and Light Agent for Windows on devices where Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows is installed in Light Agent mode.

For details, see the Help of the application that you are using in Light Agent mode.

Page top

[Topic 98846]

Trace files of the Kaspersky Security Components Installation Wizard

Information about the progress and results of the Kaspersky Security Components Installation Wizard is written to trace files. If installation, upgrade, or removal of the Integration Server or Integration Server Console ends with an error, you can use these trace files when contacting Technical Support.

Trace files of the Kaspersky Security Components Installation Wizard are files in TXT format. They are automatically saved on the same device where the Wizard was started.

If you installed Kaspersky Security components or downloaded SVM images, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:

  • <version number> refers to the number of the installed version of Kaspersky Security;
  • <date and time> refers to the date and time when the installation was completed.

If you upgraded Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleMajorUpgrade_logs_<date and time>.zip, where:

  • <version number> refers to the number of the installed version of Kaspersky Security;
  • <date and time> refers to the date and time when the upgrade was completed.

If you removed Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleUninstall_logs_<date and time>.zip, where:

  • <version number> refers to the number of the installed version of Kaspersky Security;
  • <date and time> refers to the date and time when the removal was completed.

Trace files of the Kaspersky Security Components Installation Wizard contain the following information:

  • Diagnostic information about the process of installation, upgrade, or removal of Kaspersky Security components.
  • Name of the device on which the user started the procedure for installing, upgrading or removing Kaspersky Security components, and the name of the user that started the procedure.
  • Information about errors that occurred during the process of installation, upgrade, or removal of Kaspersky Security components.

Trace files of Kaspersky Security components Installation Wizard are stored in a readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.

Trace files of Kaspersky Security components Installation Wizard are not automatically sent to Kaspersky.

Page top

[Topic 259280]

Trace files of the Integration Server and Integration Server Console

Trace files of the Linux-based Integration Server

Information about the operation of the Linux-based Integration Server can be logged in the following trace files:

  • /var/log/kaspersky/viis/service.log – Integration Server trace file.
  • /var/log/kaspersky/viis/SvmManagement/sm_<file creation date>.log – trace file for the deployment, reconfiguration, and deletion of SVMs using the REST API of the Linux-based Integration Server

By default, logging of information to trace files is disabled.

You can enable or disable logging of information to the Linux-based Integration Server trace files using the /var/opt/kaspersky/viis/common/appsettings.logging.json configuration file.

A privileged account is required to edit the configuration file.

To enable logging of information to the trace files of the Linux-based Integration Server:

  1. Open the /var/opt/kaspersky/viis/common/appsettings.logging.json file.
  2. In the LogLevel section, set the value of the Default setting to Trace. The default value is None.
  3. In the rules section, in the Service and SvmManagement subsections, set the value of the minlevel setting to Trace. The default value is None.
  4. Save the /var/opt/kaspersky/viis/common/appsettings.logging.json file.

The new settings are applied without restarting the Integration Server.

Trace files are moved to the archival directory (/var/log/kaspersky/viis/archives). Integration Server trace files are moved to the archive when the file size reaches 50 MB. Trace files of deployment, reconfiguration, and deletion procedures are archived daily. The archive contains up to 20 Integration Server trace files and up to 10 trace files for SVM deployment, reconfiguration, and deletion procedures. When this number is reached, older files are deleted.

Access to the directory where trace files are saved is restricted by using an ACL. To access the directory, administrator rights (root, sudoers) are required.

If you change the default directory for storing trace files, Kaspersky Security does not control access to trace files. You are advised to ensure that information is protected against unauthorized access.

Trace files of the Windows-based Integration Server and Integration Server Console

Information about the operation of the Windows-based Integration Server and Integration Server Console can be logged in the following trace files:

  • %ProgramData%\Kaspersky Lab\VIISLA\logs\viisla_service_loader.log – trace file for startup of the Windows-based Integration Server. The file does not contain personal data.
  • %ProgramData%\Kaspersky Lab\VIISLA\logs\service.log – Windows-based Integration Server trace file.
  • %ProgramData%\Kaspersky Lab\VIISLA Console\logs\console.log – Integration Server Console trace file.
  • %ProgramData%\Kaspersky Lab\VIISLA\logs\SvmManagement\sm_<file creation date>.log – trace file for the deployment, reconfiguration, and removal of SVMs using the REST API of the Windows-based Integration Server.

By default, trace files are created with the Error level of detail. You can use the following configuration files to enable and disable logging of information to the trace files of the Integration Server and Integration Server Console, and change the level of detail of information in the trace files:

  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\appsettings.logging.json – for the Integration Server trace file and the trace file for the deployment, reconfiguration, and removal of SVMs.
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\NLog.config – for the Integration Server Console trace file.

Contact Technical Support representatives for details.

Trace files are moved to the archive folder (%ProgramData%\Kaspersky Lab\VIISLA\logs\archives). Integration Server trace files are moved to the archive when the file size reaches 50 MB. Trace files of deployment, reconfiguration, and deletion procedures are archived daily. The archive contains up to 20 Integration Server trace files and up to 10 trace files for SVM deployment, reconfiguration, and deletion procedures. When this number is reached, older files are deleted.

Access to the folder where trace files are saved is restricted by using an ACL. Administrator rights are required to access this folder.

If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.

Contents of trace files

The following information may be saved in the Integration Server trace file:

  • Diagnostic information about the operation of the Integration Server, its workload, and the results of a data integrity check.
  • Headers and contents of HTTP requests that are sent and received by the Integration Server during its operation.
  • IP addresses of SVMs and protected virtual machines, and the IP address of the device hosting the Kaspersky Security Center Administration Console if the Kaspersky Security Center Administration Console is installed separately from the Kaspersky Security Center Administration Server.
  • Tracing of requests to the Integration Server.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.
  • Names of internal Integration Server accounts.
  • Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
  • Depending on the type of virtual infrastructure:
    • IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
    • IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
  • If Kaspersky Security is used in multitenancy mode:
    • Names and identifiers of the tenants registered in the Integration Server database.
    • Account names of Kaspersky Security Center virtual Administration Servers administrators.
    • Identifiers and IP addresses of the tenant virtual machines.

The following information may be saved in the Integration Server Console trace file:

  • Diagnostic information about the operation of the Integration Server Console.
  • Tracing of command line parameters and results of checking them.
  • Headers and contents of HTTP requests that are sent and received by the Integration Server Console during its operation.
  • Information about navigations through sections of the Integration Server Console and working with interface elements.
  • IP address of the Kaspersky Security Center Administration Server.
  • Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.
  • Names of internal Integration Server accounts.
  • Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
  • Depending on the type of virtual infrastructure:
    • IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
    • IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
  • If Kaspersky Security is used in multitenancy mode, the names of tenants registered in the Integration Server database are listed.

You can use Integration Server trace files and Integration Server Console trace files when contacting the Technical Support. The information recorded in trace files may be needed for analysis and identification of the causes of errors in the operation of the Integration Server.

Integration Server trace files and Integration Server Console trace files are not automatically sent to Kaspersky.

Page top

[Topic 197208]

Trace files of the tool for managing Integration Server and SVM certificates

Information about the operation of the utility for managing Integration Server and SVM certificates can be logged in trace files. Depending on the operating system of the device on which the utility is running, the files are located at one of the following paths:

  • /var/log/kaspersky/viis/ – on devices with Linux operating systems
  • %ProgramData%\Kaspersky Lab\VIISLA\logs – on devices with Windows operating systems

By default, logging of information to trace files is disabled.

You can enable or disable logging of information to the trace files of the certificate management utility, and configure trace settings in the certificate management utility configuration file appsettings.certificate_manager.json. Depending on the operating system of the device on which the utility is running, the file is located at one of the following paths:

  • /var/opt/kaspersky/viis/common/ – on devices with Linux operating systems
  • %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ – on devices with Windows operating systems

Trace files of the certificate management tool may contain the following information:

  • Lines used to invoke the tool, including parameters and arguments, except passwords.
  • Tool output lines containing requests to the user.
  • Information about the progress of command execution, including information about errors.

Trace files of the certificate management tool do not contain personal information.

Trace files are moved to the archive when the file size reaches 5 MB. Up to 10 files are stored in the archive folder. Once this number is reached, older files are deleted. Depending on the operating system of the device on which the utility is running, the archive is located at one of the following paths:

  • /var/log/kaspersky/viis/archives/ – on devices with Linux operating systems
  • %ProgramData%\Kaspersky Lab\VIISLA\logs\archives – on devices with Windows operating systems

Access to the folder where the trace files are stored is restricted. On the Linux operating system, only accounts that are in the sudoers group have access to the directory. On Windows operating system, administrator rights are required to access the folder.

If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.

Trace files are not sent to Kaspersky automatically.

Page top

[Topic 266851]

Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins

Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins may contain the following data:

  • Event time
  • Number of the thread of execution
  • Name of the Kaspersky Security component that caused the event
  • Degree of event importance (informational event, warning, critical event, error)
  • Description of the event involving execution of a command received from the Kaspersky Security component, and the result of execution of this command

For more information about trace files of Light Agent for Linux and Light Agent for Windows, see the Help of the application used in Light Agent mode.

In this section:

SVM trace files

Trace files of management plug-ins

Page top

[Topic 266866]

SVM trace files

During SVM operation, the following trace files may be created on an SVM:

  • Protection Server trace file (ScanServer.log). The name of the file contains the file creation date and time. In addition to general data, this file may contain the following information:
    • Personal data, including the last name, first name and middle name, if such data is included in the path to files on protected virtual machines.
    • The name of the account used to log in to the operating system if the user account name is part of a file name.
    • Your email address or web address containing the name of your account and password if they are contained in the name of the detected object.
    • Settings for connecting SVMs to the Integration Server.
    • Information about connecting Light Agents to SVM: unique SVM identifier, unique identifier and information about the operating system of the virtual machine, on which Light Agent is installed, time intervals during which the Light Agent was connected to the SVM.
  • boot_config.log trace file This file records the results of executing commands of the SVM first startup script.
  • wdserver.log trace file. This file records information about events that occur during operation of the watchdog service (wdserver). The file contains general data.
  • SnmpTool.log trace file This file records information about events that occur during operation of the SNMP service (SnmpTool). The file contains general data.
  • Trace file of the Kaspersky Security Center Network Agent. This file records information about events occurring during operation of the Kaspersky Security Center connectivity module. The file contains general data.

boot_config.log and wdserver.log trace files are created automatically.

You can create the ScanServer.log and SnmpTool.log trace files using the ScanServer.conf and SnmpTool.conf configuration files, which are located in the /etc/opt/kaspersky/la/ directory on the SVM. A special script is used to create a Network Agent trace file.

For detailed information on how to create and configure trace files, please contact our Technical Support experts.

All created SVM trace files are located in the /var/log/kaspersky/la/ directory.

ScanServer.log trace file can also be created in the Protection Server policy. To do this, you need to:

  1. Enable the display of additional settings in the Protection Server policy. By default, additional settings are not displayed.
  2. Configure the trace level in the Advanced settings section of the policy and apply the change.

    You are advised to clarify the required trace level with a Technical Support specialist.

SVM trace files are stored in readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.

SVM trace files are not automatically sent to Kaspersky. Trace files are automatically deleted when uninstalling Kaspersky Security.

Page top

[Topic 100522]

Trace files of management plug-ins

Trace files of web plug-ins

If you use the Kaspersky Security Center Web Console to manage Kaspersky Security solution components, information about events that occur during operation of the management web plug-ins may be written to the trace files of the web plug-ins:

Web plug-in trace files are created automatically if logging to the Kaspersky Security Center Web Console activity log was enabled during installation of Kaspersky Security Center Web Console. For more information, see the Kaspersky Security Center Help.

Web plug-in trace files are saved in the Kaspersky Security Center Web Console installation folder in the logs subfolder:

  • /var/opt/kaspersky/ksc-web-console/logs – on devices with Linux operating systems
  • %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\logs – on devices with Windows operating systems

The following information may be stored in the Integration Server web plug-in trace file:

  • Diagnostic information about the operation of the Integration Server Web Console.
  • IP address of the Kaspersky Security Center Administration Server.
  • Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.
  • Names of internal Integration Server accounts.
  • IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
  • IP addresses, versions, and names of SVMs deployed on hypervisors.

The following information may be stored in the Protection Server web plug-in trace file:

  • Diagnostic information about the operation of the Protection Server web plug-in.
  • Description of exclusions and errors that occurred when working with internal subsystems and external services.

Trace files of MMC plug-ins

If you use the Kaspersky Security Center Administration Console to manage Kaspersky Security solution components, information about events that occur during operation of the management MMC plug-ins may be written to the following files on the device where the Kaspersky Security Center Administration Server is installed:

  • Trace file of the MMC plug-in for managing the Protection Server. The file name is specified by the user, and the user name and process ID (PID) are added to the specified name. This file contains information about the events that occur during the plug-in operation, in particular, about the operation of the Protection Server policy and tasks.
  • Trace files for management MMC plug-ins for Light Agent for Linux and Light Agent for Windows (applications running in Light Agent mode). The file names contain the application version number, the date and time the file was created, and the process identifier (PID). This file records information about events that occur during operation of the plug-in, in particular, about the operation of tasks and the Light Agent policy.

In addition to general data, MMC plug-in trace files may contain the following information:

  • Personal data, including the last name, first name, and middle name, if such data is part of the path to files.
  • The name of the account used to log in to the operating system if the user account name is part of a file name.

By default, trace files of Kaspersky Security MMC plug-ins are not created. You can create all trace files of the MMC plug-ins by using the registry keys. Contact Technical Support representatives for detailed information on how to create trace files.

All created MMC plug-in trace files are located in the %ProgramData%\Kaspersky Lab\Plugins\ folder.

The trace files of the management plug-ins are saved in a human-readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.

The trace files of the management plug-ins are not sent to Kaspersky automatically. Trace files are automatically deleted when Kaspersky Security is uninstalled.

Page top

[Topic 94572]

SVM Management Wizard log

During SVM deployment and reconfiguration, the SVM Management Wizard logs all information that you specify at every step of the wizard in the wizard log.

You can use the wizard log when contacting Technical Support if SVM deployment or reconfiguration has ended with an error. Information recorded in the wizard log is not sent to Kaspersky automatically.

The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.

During SVM deployment, the following information is saved in the wizard log:

  • Selected action (SVM deployment).
  • Type of the virtual infrastructure object, to which SVM Management Wizard connects.
  • Address of the virtual infrastructure object, to which SVM Management Wizard connects.
  • When deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer:
    • The version of the hypervisor or virtual infrastructure administration server.
    • The name of the hypervisor and the version of the operating system installed on the hypervisor, and the number of virtual machines on the hypervisor.
  • When deploying in an infrastructure based on the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform: the name and ID of the domain and OpenStack project within which the SVM is deployed.
  • Name of the account used to connect the SVM Management Wizard to the virtual infrastructure.
  • Name of the account used to connect the Integration Server to the virtual infrastructure.
  • SVM image version.
  • Versions of previously deployed SVMs.
  • Status of the publisher of the SVM image.
  • SVM image path and SVM image data.
  • SVM image validation status.
  • For deployments on the VMware vSphere platform:
    • A list of all VMware ESXi hypervisors managed by a single VMware vCenter Server, their state, the protection status and privileges of the account used to connect to the VMware vCenter Server.
    • A list of VMware ESXi hypervisors that were selected for SVM deployment, and their versions.
  • When deploying on the Microsoft Hyper-V platform, the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform:
    • Whether or not parallel deployment of several SVMs is enabled, as well as number of parallel sessions.
    • VLAN ID.
  • Settings for the SVM being deployed that you specified.
  • Settings to connect the SVM to the Kaspersky Security Center Administration Server (IP address, port, SSL port).
  • Whether the root account is allowed to gain access to the SVM using SSH.
  • For deployments on the Microsoft Hyper-V platform: type of the Integration Server authentication on the hypervisor (local / domain).
  • SVM IP settings (IP address, IP address of default network gateway, IP address of main and alternative DNS servers, subnet mask).

During SVM reconfiguration, the following information is saved in the wizard log:

  • Selected action (SVM reconfiguration)
  • Depending on the type of virtual infrastructure:
    • IP addresses or fully qualified domain names (FQDN) of hypervisors on which SVMs are being reconfigured
    • Names of OpenStack domains and projects, within which the SVMs being reconfigured operate
  • IP addresses or full domain names of SVMs being reconfigured
  • Information on whether or not the reconfiguration will change the following:
    • Settings of accounts for connecting to the SVM (configuration password, root account password, ability to connect to the SVM using the root account over SSH)
    • List of virtual networks used by the SVM
    • SVM IP settings (IP address, IP address of the default network gateway, IP address of the main and alternative DNS servers, subnet mask)
Page top

[Topic 98765]

Using the utilities and scripts from the Kaspersky Security distribution kit

To analyze the cause of errors in the operation of Kaspersky Security, Technical Support experts may ask you to use the following tools included in the Kaspersky Security distribution kit:

  • ai_config is the tool that allows converting the SVM settings from configuration database format to text file and back.
  • cleanUpdateShare.sh is the script for removing the old Light Agent bases from the SVM.
  • configure.sh is the script for managing the SVM, viewing settings, and reconfiguration of the SVM. It is used by the SVM Management Wizard to reconfigure the SVM using the klconfig account.
  • dump_ods_scan_queue and dump_ods_scan_queue.sh are the tools for viewing the current scan tasks queue.
  • eventlog_client and eventlog_client.sh are the tools for generating the events to be sent to Kaspersky Security Center.
  • firewall.sh is the script for opening up the ports to connect to Network Agent.
  • first_boot.sh is the script for SVM reconfiguration on the first boot of the SVM.
  • get_used_mem.sh is the script for showing memory usage statistics.
  • kvp_read is the tool for viewing shared data of a hypervisor from the Hyper-V KVP Exchange storage.
  • la-kvm-guest is the init.d script for managing the KVM guest service.
  • la-scanserver is the init.d script for managing the scanserver service.
  • managenet.sh is the script for managing the network interfaces.
  • on_product_install.sh is the script which allows to set a one-time SVM configuration during the SVM deployment.
  • sfw is the tool for managing the netfilter firewall of the Linux operating system.
  • show_inventory and show_inventory.sh are the tools for viewing information about the virtual infrastructure inventory received by the Protection Server from the Integration Server.
  • show_virt_info and show_virt_info.sh are the tools for viewing the virtual machine information (for example BIOS version or hypervisor information).
  • snmp.sh is the script for enabling or disabling the SNMP monitoring on the SVM.
  • storage_util is the tool for managing the storage of the data used for Kaspersky Security database updates.
  • patch_detector.pl is the script for searching the application module update in the folder specified and run the KSV Patch Installer to install it.
  • patch_installer.pl is the script for installing the Kaspersky Security module update from the tar.gz file.
  • patch_list.pl is the script for generating the list of Kaspersky Security module updates installed on the SVM in XML format.
  • patch_rollback.pl is the script for rolling back the latest Kaspersky Security module update installed.
Page top

[Topic 179760]

Using the klconfig script API to define SVM configuration settings

The main resource for deploying and configuring an SVM is the SVM Management Wizard, which you can run from the Integration Server Console.

You can also perform initial configuration of new SVMs and change the configuration settings of previously deployed SVMs using the klconfig script API manually or by means of automation tools.

If the SVM Management Wizard is not used, the SVM deployment procedure consists of the following stages (the sequence and number of stages depends on the type of virtual infrastructure):

  1. SVM deployment using virtual infrastructure tools from the image included in the Kaspersky Security distribution kit, and configuration of SVM system resources.
  2. Configuring an SVM first startup script. To configure certain SVM configuration settings, you can use a script that is started when the SVM is started for the first time.
  3. Starting the SVM. At this step, the SVM receives an IP address.
  4. Assigning SVM configuration settings and checking the success of SVM deployment using configuration commands.

You can also use configuration commands to change the configuration settings of previously deployed SVMs.

In this section:

Executing configuration commands

Using the SVM first startup script

Configuring an SVM

Description of commands

Page top

[Topic 179763]

Executing configuration commands

Configuration commands are executed over SSH using the klconfig account.

To execute a command, enter the following into the command line:

ssh klconfig@<SVM address> <command>

where:

  • <SVM address> – IP address of the SVM or localhost if the command is run on an SVM.
  • <command> – command, with parameters (if necessary).

Each command requires entry of the klconfig account password (configuration password) if you have not configured authorization by SSH key for accessing the SVM without a password (the setsshkey command).

Certain commands require additional interactive entry of data. For example, the passwd command requires entry of a new user password.

Each command displays the result of its execution in the following format:

  • KLCONFIG OK – if the command was executed successfully.
  • KLCONFIG FAILED – if an error occurred during execution of the command.

Certain commands may provide additional information about an error in the following format:

ERROR:<NNNN error description>

where <NNNN error description> is the digital error code and text description. Some errors may not contain a digital code.

For example, executing the connectorlang command without parameters for an SVM with the IP address 10.16.98.17 returns an error message and a message about how to use the command (the lang parameter is required):

> ssh klconfig@10.16.98.17 connectorlang

> klconfig@10.16.98.17’s password:

Usage: connectorlang lang

KLCONFIG FAILED

Result of execution of the same command with the correct parameters:

> ssh klconfig@10.16.98.17 connectorlang en

> klconfig@10.16.98.17’s password:

KLCONFIG OK

The result of execution of each command is written to the file results.log located in the folder /var/opt/kaspersky/klconfig/.

Page top

[Topic 97916]

Using the SVM first startup script

An SVM supports the use of a first startup script to run configuration commands. It is recommended to use an SVM first startup script to perform the following tasks:

  • Configure the network settings of SVMs when using static IP addressing. You can use the following commands: network, dns, manageservices (to restart the network service).
  • Configure authorization by SSH key for accessing an SVM without the klconfig account password (configuration password). The setsshkey command is provided for this purpose.

It is not recommended to use a long list of commands because the first startup script is intended for performing a minimal set of commands.

Commands using the standard input stream, for example, passwd, should not be sent to the first startup script. This leads to the inability to start the SVM.

To send commands to the first startup script, you need to specify them in the following format:

KL_CMD1="<command 1>" KL_CMD2="<command 2>" … KL_CMDn="<command N>"

where <command> is the name of the command, with parameters (if necessary).

For example, the following sequence of commands lets you configure SVM network settings when using static IP addressing:

KL_CMD1="network eth0 10.65.78.35 255.255.255.0 10.65.78.255 10.65.78.1" KL_CMD2="manageservices restart network"

While the first startup script is being run, commands are numbered and executed in the order in which they were sent to the first startup script.

After the script is executed, the file named boot_config.log containing the script execution results is created in the folder /var/log/kaspersky/la/.

You can use the following special commands when creating a first startup script:

  • RESET – delete the boot_config_done file (an indicator that the first startup script has already been executed). As a result, all commands sent to the first startup script will also be executed the next time the SVM is started.
  • ALWAYS – execute the commands following this command even if the SVM first startup script has already been executed (the boot_config_done file is present).
  • REPORT – write information about the command execution results to a file.

For example:

KL_CMD1="ALWAYS" KL_CMD2="network eth0 10.65.78.35 255.255.255.0 10.65.78.255 10.65.78.1"

The mechanism used to send commands to the first startup script depends on the type of hypervisor:

  • XenServer hypervisor: first startup commands can be added to the kernel command line in the following format:

    KL_CMD1="…" KL_CMD2="…"

  • Microsoft Windows Server (Hyper-V) hypervisor: uses a system of exchanging key-value pairs (for details, please refer to the Microsoft documentation).
  • VMware ESXi hypervisor: first startup commands can be conveyed in one of the following ways:
    • In a VMX configuration file
    • In the VMware vSphere Web Client Console: Edit Settings / Options / Advanced / General / Configuration Parameters
    • Using the vmware-cmd setguestinfo command

    First startup commands must be specified in the following format:

    guestinfo.klfirstboot.cmd1

    guestinfo.klfirstboot.cmd2

  • KVM hypervisor: commands may be inserted into the file /opt/kaspersky/la/bin/kvm_first_boot_args in string format:

    KL_CMD1="…" KL_CMD2="…"

  • Proxmox VE hypervisor: commands may be inserted into the file /var/opt/kaspersky/la/patches/default_patch_index/bin/kvm_first_boot_args in the following format:

    KL_CMD0=%command1%

    KL_CMD1=%command2%

  • R-Virtualization hypervisor: uses the QEMU guest agent utility that lets you execute commands under the root account:

    POST /api/0/vm/%vm_id%/execute

    In the request body:

    command_with_args=[ "bash", "-c", "%command%" ]

Page top

[Topic 179765]

Configuring SVM configuration settings

Initial configuration of an SVM using configuration commands consists of the following steps:

  1. Modify the SVM name (the hostname command).
  2. For each network interface of the SVM:
    • Allow the use of DHCP if dynamic IP addressing is used (the dhcp command).
    • Configure the network settings of the SVM if static IP addressing is used (the network command).
  3. Configure DNS settings if static IP addressing is used (the dns command).
  4. Configure the settings for connecting the SVM to Kaspersky Security Center Administration Server: address and ports (the nagent command).
  5. Initial configuration of the Protection Server (the productinstall command).
  6. Accept Kaspersky Security End User License Agreement and the Privacy Policy (the accept_eula_and_privacypolicy command or the accept_eula_and_privacypolicy setting in the ScanServer.conf configuration file).

    You must accept the terms of the End User License Agreement and the Privacy Policy for the proper SVM operation.

  7. Start the Protection Server (the manageservices start scanserver command).

In addition, you can configure the following SVM configuration settings:

  • Select the language of Kaspersky Security Center Network Agent Connector (the connectorlang command).
  • Change the configuration password and root account password that were defined by default (the passwd klconfig and passwd root commands).
  • Allow or deny access to the SVM over SSH under the root account.

After initial configuration of the SVM is completed, it is recommended to make sure that the SVM is deployed and configured successfully. To do so, you can use the checkconfig command.

Page top

[Topic 179766]

Description of commands

This section contains a description of the configuration commands.

Page top

[Topic 204031]

accept_eula_and_privacypolicy

This command allows you to accept or decline the terms of Kaspersky Security End User License Agreement between you and Kaspersky and the Privacy Policy that describes processing and transmission of data.

You must accept the terms of the End User License Agreement and the Privacy Policy to install Protection Server. The text of the End User License Agreement and Privacy Policy is included in the Kaspersky Security distribution kit.

Settings

<acceptFlag> = yes|no – possible values:

  • yes – accept the terms of the End User License Agreement and the Privacy Policy.
  • no – do not accept the terms of the End User License Agreement and the Privacy Policy.

By setting this parameter to yes, you confirm the following:

  • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
  • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

Example:

> ssh klconfig@10.16.98.17 accept_eula_and_privacypolicy yes

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179773]

apiversion

This command displays the current version of the klconfig script API.

Settings

None.

Example:

> ssh klconfig@10.16.98.17 apiversion

> klconfig@10.16.98.17’s password:

1.0.0

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179774]

checkconfig

This command lets you check if the configuration of one or multiple Kaspersky Security components is correct.

Settings

findsvm hv_connect network routing sc_connect

where:

  • findsvm – check for the SVM in the list of virtual infrastructure objects (Inventory).
  • hv_connect – check the connection between the SVM and the Integration Server and check for a list of virtual infrastructure objects (Inventory).
  • network – check the network configuration.
  • permitrootlogin — check whether the root account is allowed to gain access to the SVM over SSH.
  • routing – check network routing.
  • sc_connect – check the connection to Kaspersky Security Center.

You can specify one or multiple parameters.

Example:

> ssh klconfig@10.16.98.17 checkconfig network routing

> klconfig@10.16.98.17’s password:

ERROR:0001 hostname is not set or contains invalid data

NOTE:0004 Host interface IP address 10.16.98.17 does not match DNS

KLCONFIG OK

Specific errors

The command always returns KLCONFIG, even if an error was detected. For this reason, it is recommended to always pay attention to errors when analyzing the output.

0001 Hostname is not set or contains invalid data. The domain name of the SVM is not set or contains an invalid value, for example, LightAgentSVM, localhost or localdomain. Use the hostname command to define the domain name of the SVM.

0002 Could not get hostname FQDN. Failed to receive the fully qualified domain name (FQDN) of the SVM. Check the SVM name and DNS settings.

0003 Could not find the host interface IP address. The IP address of the network interface eth0 is not found or is not configured.

0004 Host interface IP address <host IP> does not match DNS <DNS IP of hostname>. The IP address associated with the primary network interface does not match the IP address returned for the domain name of the SVM in the DNS PTR entry.

0010 Could not find the default route. A default network route is not configured.

0011 Cannot ping the default route address. Failed to verify the default network route using the ping command. Check the network settings.

0030 Inventory is not valid. The list of virtual infrastructure objects (Inventory) is empty or contains invalid values. Make sure that the SVM has received a policy with the correct Integration Server address. Use the checkconfig sc_connect command to make sure that the SVM is connected to Kaspersky Security Center.

0060 Could not get the UUID of the SVM. Failed to receive a unique ID (BIOS ID) for the SVM.

0061 Could not find our self in the inventory. Failed to detect the unique ID of the SVM in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.

0062 Could not find host in inventory path. Failed to detect information about the hypervisor on which an SVM is deployed in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.

0070 klnagchk reported failure. The klnagchk command returned an error. Analyze the additional error messages.

0071 Could not verify klnagent settings. Cannot verify the settings of the Kaspersky Security Center Network Agent. Kaspersky Security Center Network Agent is not configured or is configured incorrectly.

0072 Could not connect to the Kaspersky Security Center Server. Kaspersky Security Center Network Agent cannot connect to the Kaspersky Security Center Administration Server. Check the settings of Kaspersky Security Center Network Agent and make sure that the network is configured correctly.

0073 Could not connect to the klnagent administration agent. Failed to connect to Kaspersky Security Center Network Agent. Possibly, Kaspersky Security Center Network Agent is not running on the SVM.

0074 Could not get the klnagent administration agent statistics. Kaspersky Security Center Network Agent cannot obtain Administration Server statistics. Kaspersky Security Center Network Agent on the SVM is operating incorrectly.

0100 Could not look up <address> in DNS. The domain name or IP address is not found. Check the DNS settings.

0101 Look up of <address> returned no DNS data. The DNS search returned no data. The DNS server responded, but the relevant types of entries were not detected.

0110 Host to IP to host is not equal in DNS. An error occurs when a DNS check is looped: a search is run for the IP address based on the domain name, and then a search for the domain name based on this IP address returns a name that is different from the original name.

Page top

[Topic 179777]

connectorlang

This command lets you define the language of Kaspersky Security Center Network Agent Connector in the configuration file /etc/opt/kaspersky/la/ScanServer.conf. The Connector language affects the language of the events and errors sent to Kaspersky Security Center.

The new settings are applied after the Protection Server is restarted.

Settings

<lang> – language ID. Possible values:

  • de – German.
  • en – English.
  • fr – French.
  • ja – Japanese.
  • ru – Russian.
  • zh-Hans – Chinese (Simplified).
  • zh-Hant – Chinese (Traditional).

Example:

> ssh klconfig@10.16.98.17 connectorlang en

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179778]

dhcp

This command lets you configure the use of DHCP for the network interface of the SVM.

The new settings are applied after the file /etc/resolv.conf is overwritten as a result of a restart of the SVM or network service (the manageservices restart network command).

If you want to change the IP address assignment method for SVMs using static IP addressing to the use of DHCP, sequentially execute the dns and dnssearch commands without parameters after the dhcp command. This lets you delete the previously configured list of DNS servers and search domains in the file /etc/resolv.conf.

If you want to add a DNS server or search domain to the list of DNS servers and search domains received over the DHCP protocol when using dynamic IP addressing, first restart the SVM or restart the network service (the manageservices restart network command). This lets you overwrite the file /etc/resolv.conf. Then execute the dns and dnssearch commands with the necessary parameters.

Settings

<InterfaceName> [<MakePrimary>]

where:

  • <InterfaceName> – name of the network interface. For example, eth0.
  • <MakePrimary> = yes|no – indicator of whether it is the primary network interface (optional parameter). Possible values:
    • yes – network interface is primary.
    • no – network interface is not primary.

The primary network interface sets the default route and DNS servers (DEFROUTE = yes, PEERDNS = yes). Only one network interface from those utilized by an SVM may be primary. If the "primary" indicator is assigned to multiple network interfaces, the last one of them becomes the primary network interface.

Example:

> ssh klconfig@10.16.98.17 dhcp eth0 yes

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179779]

dhcprenew

This command lets you renew and continue the lease of an IP address for the network interface on the DHCP server.

Depending on the specifics of the virtual infrastructure in which the SVM is running, command execution may result in modification of the IP address and termination of network connections.

You can use this command to let the DHCP server accept the new name of the SVM.

Settings

<InterfaceName> – name of the network interface of the SVM. For example, eth0.

Example:

> ssh klconfig@10.16.98.17 dhcprenew eth0

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

0140 Failed to release dhcp. Failed to release the IP address for the specified network interface on the DHCP server.

0141 Failed to request a new lease. Failed to receive a new IP address lease for the specified network interface on the DHCP server.

Page top

[Topic 179780]

dns

This command lets you define a list of DNS servers that will be used in the specified order in the file /etc/resolv.conf. The previously configured list of DNS servers is deleted.

If you are also planning to configure the use of DHCP (the dhcp command), execute the dns command after the dhcp command is executed and after the SVM is restarted or the network service is restarted (the manageservices restart network command).

As a result of execution of the dns command, the list of search domains in the file /etc/resolv.conf is deleted. If you are planning to configure a list of search domains, execute the dnssearch command after the dns command.

Settings

[<Server1>] [<Server2>] [<Server3>]

where <Server> is the IP address of the DNS server (optional parameter). You can specify up to three IP addresses.

If the command is executed without parameters (no address is specified), all nameserver entries in the file /etc/resolv.conf are deleted.

Example:

> ssh klconfig@10.16.98.17 dns 10.64.64.5 10.64.16.3

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179781]

dnslookup

This command lets you receive an IP address from the DNS server based on the domain name, or vice versa (analogous to the host command in Linux). The command returns only the first entry.

You can also use this command to verify that DNS is operating correctly.

Settings

<HostNameOrIpAddress> – domain name or IP address.

Example:

> ssh klconfig@10.16.98.17 dnslookup www.google.com

> klconfig@10.16.98.17’s password:

173.194.122.144

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179783]

dnssearch

This command lets you define a list of search domains that are used to determine domain names for name resolution in the file /etc/resolv.conf. The previously configured list of search domains is deleted.

If you are also planning to configure a list of DNS servers (the dns command), execute the dnssearch command after the dns command because the dns command will cause the list of search domains in the file /etc/resolv.conf to be deleted.

Settings

[<Domain1>] [<Domain2>] [<Domain3>]

where:

<Domain> – name of the search domain (optional parameter). You can specify up to three domains.

If the command is executed without parameters (no domain is specified), all search entries in the file /etc/resolv.conf are deleted.

Example:

> ssh klconfig@10.16.98.17 dnssearch mylocaldomain.com kaspersky.com

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179784]

dnsshow

This command lets you view information about DNS settings from the file /etc/resolv.conf.

The command returns all entries in one string, separated by a space. If an empty string is returned, the DNS settings are not configured.

Settings

<InfoKind> = nameservers|search – type of information that you want to view. Possible values:

  • nameservers – display the list of DNS servers.
  • search – display the list of search domains.

Example:

> ssh klconfig@10.16.98.17 dnsshow nameservers

> klconfig@10.16.98.17’s password:

10.64.64.5 10.64.16.3

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179785]

getdnshostname

The command returns the domain name corresponding to the IP address of the primary network interface.

Settings

None.

Example:

> ssh klconfig@10.16.98.17 getdnshostname

> klconfig@10.16.98.17’s password:

testsvm.avp.ru.

KLCONFIG OK

Specific errors

0100 Could not look up <IP> in DNS. Failed to find the IP address. Check the DNS settings.

Page top

[Topic 179788]

gethypervisordetails

The command allows to receive information about the SVM path. One of the following values is returned depending on type of the virtual infrastructure:

  • For virtual infrastructures based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer – the IP address or fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
  • For virtual infrastructures running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform – IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project within which the SVM is deployed.

Information is available only after the SVM is connected to the Integration Server whose connection settings are specified in the Protection Server policy applied on the SVM.

Settings

address or all – return name or address of the hypervisor, on which the SVM is running, or name or address of the Keystone microservice that manages the OpenStack project, within which the SVM is deployed.

Example:

> ssh klconfig@10.16.98.17 gethypervisordetails address

> klconfig@10.16.98.17’s password:

ERROR:0061 could not find our self in the inventory, uuid=564d6880-b121-ba46-d2e0-9996f9e0cc2d

KLCONFIG OK

Specific errors

0060 Could not get the UUID of the SVM. Failed to receive the unique ID of the SVM (BIOS ID).

0061 Could not find our self in the inventory. The unique ID of the SVM is not found in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.

0062 Could not find host in inventory path. The list of virtual infrastructure objects (Inventory) does not contain information about the hypervisor on which the SVM is running, or about the Keystone microservice that manages the OpenStack project, within which the SVM is deployed. Check the Integration Server settings.

Page top

[Topic 179789]

hostname

This command lets you define the domain name of the SVM and make sure that the IP address and domain name of the SVM are in the file /etc/hosts.

Settings

<hostname> [<IP>]

where:

  • <hostname> – domain name of the SVM.
  • [<IP>] – IP address of the SVM (optional parameter).

Example:

> ssh klconfig@10.16.98.17 hostname testsvm.avp.ru 10.16.98.17

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

0120 Invalid hostname characters <characters>. Invalid characters in the SVM name.

0121 Invalid hostname, empty label present. The SVM name contains an empty section.

Page top

[Topic 179790]

listpatches

This command lets you generate an XML list of Kaspersky Security application module updates installed on SVMs.

The XML file has the following format:

<?xml version="1.0" encoding="UTF-8"?>

<patches>

<patch>

<id>patchId</id>

<sha_256>checkSum</sha_256>

<status>status</status>

<patch_type>type</patch_type>

<version>productTargetVersion</version>

<description><![CDATA[description]]></description>

<status_changed_date>statusChangedDate</status_changed_date>

dependsOn

</patch>

<patch>

...

</patch>

...

</patches>

where:

  • patchId is an identifier of the Kaspersky Security module update.
  • checkSum is a hash of the TGZ archive in HEX format.
  • status is a module update installation status. Possible values:
    • installed: the module update was successfully installed.
    • failed: an error occurred.
    • rolledback: the module update was rolled back.
  • type is a type of module update. Possible values:
    • auto: module update received with the update package from the Kaspersky Security Center Administration Server repository.
    • config: module update resulting from applying a configuration file.
    • custom: a special release of a module update.
  • productTargetVersion is a version of the update.
  • description is a description of the update.
  • statusChangedDate is date and time of the status change.
  • depensOn is an ID of the module update upon which this specific module update depends (optional parameter).

Settings

None.

Example:

> ssh klconfig@10.16.98.17 listpatches

> klconfig@10.16.98.17’s password:

<?xml version="1.0" encoding="UTF-8"?>

<patches>

</patches>

KLCONFIG OK

Page top

[Topic 179791]

manageservices

This command lets you start, stop, or restart the specified service.

Remotely stopping or restarting the network service may cause the connection to drop or hang. For this reason, two types of network service are provided: network_local and network. For the network_local service, the action is applied immediately (synchronous). It is recommended to use this type of service in the SVM first startup script. For the network service, the action is applied asynchronously (in a separate shell). Therefore, the klconfig script can return control. This means that the invoking side must check the command execution result in no less than 20 seconds.

Settings

<Action> <ServiceType1> [<ServiceType2>] [<ServiceType3>]

where:

  • <Action> = start|stop|restart – type of action applied. Possible values:
    • start
    • stop
    • restart
  • <ServiceType> – type of service. Possible values:
    • klnagent – Kaspersky Security Center Network Agent.
    • network – network service (asynchronous).
    • network_local – network service (synchronous).
    • scanserver – Protection Server.
    • sshd – SSH service.

Example:

> ssh klconfig@10.16.98.17 manageservices restart klnagent scanserver

> klconfig@10.16.98.17’s password:

Restarting la-scanserver (via systemctl):[OK]

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179792]

nagent

This command lets you set the address and ports for connecting an SVM to the Kaspersky Security Center Administration Server.

Settings

<Address> <SslPort> [<Port>]

where:

  • <Address> – IP address or fully qualified domain name (FQDN) of the device on which the Kaspersky Security Center Administration Server is installed.
  • <SslPort> – Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate (13000 is recommended).
  • <Port> – Port number for connecting an SVM to the Kaspersky Security Center Administration Server (14000 is recommended) (optional parameter).

Example:

> ssh klconfig@10.16.98.17 nagent 10.16.98.22 13000 14000

> klconfig@10.16.98.17’s password:

Execute automatic installation

Kaspersky Network Agent is installed.

Binaries were installed in /opt/kaspersky/klnagent64/bin

klnagent64.service is not a native service, redirecting to /sbin/chkconfig.

Executing /sbin/chkconfig klnagent64 on

KLCONFIG OK

A repeated call of the command may return the following result:

> ssh klconfig@10.16.98.17 nagent 10.16.98.22 13000 14000

> klconfig@10.16.98.17’s password:

Checking command-line arguments...OK

Initializing basic libraries...OK

Checking settings...OK

Reading settings...OK

Preparing new settings...OK

Writing new settings...OK

Restarting Network Agent...

OK

Operation completed successfully !

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179793]

network

This command lets you configure static IP addressing and SVM network settings.

The new settings are applied after the SVM is restarted or the network service is restarted (the manageservices restart network command).

Settings

<InterfaceName> <IP> <NetMask> <Broadcast> [<GateWay>]

where:

  • <InterfaceName> – name of the network interface, for example, eth0.
  • <IP> – IP address of the network interface that you want to assign.
  • <NetMask> – network mask.
  • <Broadcast> – broadcast address.
  • <GateWay> – gateway address (optional parameter). It should be set only on one network interface that uses DHCP.

Example:

> ssh klconfig@10.16.98.17 network eth0 10.60.70.35 255.255.255.0 10.60.70.255 10.60.70.1

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179794]

ntp

This command lets you assign an NTP server and make sure that it is running.

Settings

<ServerName> – fully qualified domain name (FQDN) or IP address of the NTP server.

Example:

> ssh klconfig@10.16.98.17 ntp pool.ntp.com

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179795]

passwd

This command lets you change the password for the specified account.

Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

The password is read from the standard input stream of the SSH connection without an invitation.

Settings

<UserName> – name of the account for which you need to create a password.

Example:

> ssh klconfig@10.16.98.17 passwd klconfig

> klconfig@10.16.98.17’s password:

newpassword

KLCONFIG OK

Specific errors

0130 Invalid password. Invalid password.

Page top

[Topic 179796]

permitrootlogin

The command allows or denies access to the SVM over SSH under the root account

The new settings are applied after the SVM is restarted or the SSH service is restarted (the manageservices restart sshd command).

Settings

<AllowOrNot> = yes|no – possible values:

  • yes — allow access to the SVM over SSH under the root account.
  • no — deny access to the SVM over SSH under the root account.

    Example:

    > ssh klconfig@10.16.98.17 permitrootlogin yes

    > klconfig@10.16.98.17’s password:

    Permit root login = yes

    KLCONFIG OK

Specific errors

None.

Page top

[Topic 179797]

productinstall

This command lets you perform various one-time tasks for Protection Server installation, such as configuring the installation ID.

You can execute a command more than once consecutively.

The new settings are applied after the SVM is restarted or the scanserver service is restarted (the manageservices restart scanserver command).

Settings

None.

Example:

> ssh klconfig@10.16.98.17 productinstall

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179798]

reboot

This command lets you restart the SVM in one minute.

Settings

None.

Example:

> ssh klconfig@10.16.98.17 reboot

> klconfig@10.16.98.17’s password:

Shutdown scheduled for Tue 2018-08-14 14:14:39 UTC, use ’shutdown -c' to cancel.

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179799]

resetnetwork

This command lets you return all network settings to their default values, including DNS settings and the settings of network interfaces. This means that DHCP will be used with the first network interface as the primary network interface for the SVM.

You can use this command to reset network settings to their original state before SVM configuration settings were changed.

The new settings are applied after the SVM is restarted or the network service is restarted (the manageservices restart network command).

Settings

None.

Example:

> ssh klconfig@10.16.98.17 resetnetwork

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179800]

rollbackpatch

This command lets you roll back the last update of the Kaspersky Security modules on SVMs.

Settings

[Patchid] is an ID of the Kaspersky Security module update (optional parameter). If no ID is specified, the last installed module update will be determined automatically.

Example:

> ssh klconfig@10.16.98.17 rollbackpatch

> klconfig@10.16.98.17’s password:

ERROR: rollback: There is no last installed patch.

2018-08-14 14:16:52: rollback: Current product version: 5.1.5.57

’system::PatchError' event has been sent successfully.

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179802]

setsshkey

This command lets you configure authorization by SSH key for accessing an SVM without the klconfig account password (configuration password). As a result of command execution, the specified key (text in Base64 encoding) is added to the authorized SSH key file. The key is valid for 2 hours.

You can use this command in the SVM first startup script for configuring access to the SVM prior to setting the configuration password.

Settings

<Base64EncodedAuthorizationKeyEntry> – key (text encoded in 64-bit code without spaces).

Example:

> ssh klconfig@10.16.98.17 setsshkey SGVsbG8gd29ybGQh

> klconfig@10.16.98.17’s password:

job 1 at Tue Aug 14 16:17:00 2018

KLCONFIG OK

Specific errors

0160 Could not decode key. Make sure that the key is correctly encoded and does not contain spaces.

Page top

[Topic 179803]

settracelevel

This command lets you configure the trace level for the Protection Server (ScanServer.log).

The trace level is changed immediately if the <Immediately>=yes parameter is set. Otherwise, the change occurs after a restart of the SVM or Protection Server (the manageservices restart scanserver command).

Settings

<TraceLevel> [<Immediately>]

where:

  • <TraceLevel> is a numerical value that determines the trace level. Possible values:
    • 0: creation of trace files is disabled.
    • 100: informational messages about the Protection Server components being started and stopped.
    • 200: messages about critical errors in the Protection Server operation.
    • 300: messages about errors and critical errors in the Protection Server operation.
    • 400: critical warnings and messages about ordinary and critical errors.
    • 500: all warnings and messages about ordinary and critical errors.
    • 600: important messages, all warnings and messages about ordinary and critical errors.
    • 700: informational messages, important messages and all warnings and messages about ordinary and critical errors.
    • 800: debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
    • 900: debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
    • 1000: all possible messages and warnings.
  • <Immediately> = yes|no is an indicator determining when the new trace level settings should be applied (optional parameter). Possible values:
    • yes: apply immediately.
    • no: apply after restart of the SVM or the scanserver service (the manageservices restart scanserver command).

Example:

> ssh klconfig@10.16.98.17 settracelevel 1000

> klconfig@10.16.98.17’s password:

KLCONFIG OK

Specific errors

0150 Could not update <configfile>. Failed to update the configuration file /etc/opt/kaspersky/la/ScanServer.conf. Make sure that the file exists and is accessible.

Page top

[Topic 179804]

test

This command returns information about an SVM.

You can use this command for SVM operability validation.

Settings

None.

Example:

> ssh klconfig@10.16.98.17 test

> klconfig@10.16.98.17’s password:

uid=0(root) gid=0(root) groups=0(root)

Tue Aug 14 14:19:35 UTC 2018

Kaspersky Security for Virtualization 5.0 Light Agent 5.1.5.57

14:19:35 up 4 min,0 users,load average: 0.04, 0.18, 0.11

DONE –-

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179805]

timezone

This command lets you set the time zone for an SVM.

This change is applied after the SVM is restarted.

Settings

<TimeZoneName> – name of the time zone in Linux format.

Example:

> ssh klconfig@10.16.98.17 timezone GMT

> klconfig@10.16.98.17’s password:

Timezone is changed to 'GMT' (GMT)

KLCONFIG OK

Specific errors

None.

Page top

[Topic 179806]

version

This command returns the SVM version.

Settings

None.

Example:

> ssh klconfig@10.16.98.17 version

> klconfig@10.16.98.17’s password:

5.1.5.57

KLCONFIG OK

Specific errors

None.

Page top

[Topic 266858]

Settings in the ScanServer.conf file

The ScanServer.conf file contains the SVM operation settings. The file is located on the SVM in the /etc/opt/kaspersky/la/ directory.

Root account permissions are required to view and modify the file.

This section describes the settings in the ScanServer.conf file that allow you to configure logging of the SVM traces and dumps, usage of the SVM system log, and agree to the terms of the End User License Agreement. Information about other settings, if necessary, can be obtained from the Technical Support.

Unassisted modification of the Kaspersky Security operation settings in the ways not described in the Kaspersky Security help or in the recommendations from the Technical Support specialists can lead to slowdowns and malfunctions of the operating system, decrease of the virtual machine protection level, as well as to a violation of the availability and integrity of the processed information.

Expand all | Collapse all

General settings

trace_level = 0

Determines the trace level for all SVM trace files except the SnmpTool.log file.

Possible values:

  • 0: creation of trace files is disabled.
  • 100: "Always" – informational messages about Kaspersky Security components being started and stopped.
  • 200: "Critical" – messages about critical errors that can result in termination of Kaspersky Security.
  • 300: "Error": messages about errors, which can result in partial inoperability of Kaspersky Security.
  • 400: "Danger" – warnings about the possibility of critical errors.
  • 500: "Warning" – warnings about possible errors.
  • 600: "Important" – important messages.
  • 700: "Information" – informational messages.
  • 800: "Debug": debug messages used by developers.
  • 900 ("Paranoiac"): debug messages with more detailed information used by developers.
  • 1000: "Any" – all possible messages and warnings.

After changing the trace level, restart the scanserver service by running the following command:

systemctl reload la-scanserver

trace_protected_data

Writing potentially personal data (for example, passwords) to trace files.

Possible values:

  • 0 - do not write potentially personal data to trace files (default value).
  • 1 - write potentially personal data to trace files.

trace_file = /var/log/kaspersky/la/ScanServer.log

The name of the Protection Server trace file. The date is appended to the file name, for example, ScanServer.2020-11-19T130126.log. The rotation settings are controlled by the scanserver service.

The trace file is used if system log usage is disabled (see section [syslog]).

trace_format = %Y-%m-%dT%X %I %p:

The format for logging the lines in the Protection Server trace file (ScanServer.log).

Qualifiers: %Y = year, %m = month, %d = day, %H = hour, %M = minute, %S = second, %i = millisecond, %p = trace level, %N = device name, %P = process identifier (PID), %I = thread ID, %C = component ID, %D = component instance ID, %X = time.

The trace file is used if system log usage is disabled (see section [syslog]).

accept_eula_and_privacypolicy = yes|no

Accept or decline the terms of Kaspersky Security End User License Agreement between you and Kaspersky and the Privacy Policy that describes processing and transmission of data.

Possible values: yes – accept the terms of the End User License Agreement and the Privacy Policy, no – do not accept the terms of the End User License Agreement and the Privacy Policy.

You must accept the terms of the End User License Agreement and the Privacy Policy for the proper SVM operation.

By setting this parameter to 'yes', you confirm the following:

  • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
  • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

The text of the End User License Agreement and Privacy Policy is included in the Kaspersky Security distribution kit.

[rotation_settings] section

This section contains processing and rotation settings for the Protection Server trace file (ScanServer.log).

period = 3

File rotation frequency.

Possible values: 1 – monthly, 2 – weekly, 3 – daily, 4 – hourly.

max_file_size = 1073741824

The maximum trace file size in bytes. When reached, rotation is performed.

Possible values: 0 – unlimited, 1073741824 – 1 GB.

max_file_count = 15

The maximum number of the trace files. When the limit is reached, old files are deleted.

Possible values: number or 0 – unlimited.

new_file_on_start = 1

Logging to a new file or to the last available trace file when Protection Server starts.

Possible values: 1 – write to a new file, 0 – write to the last created file.

[extra_tracing] section

enabled = 1

Logging general information to trace files every time the trace level is changed (information about the license, KSN usage, and the anti-virus databases used). Possible values: 0 – disabled, 1 – enabled.

[syslog] section

This section contains the system log usage settings.

enabled = 0

System log usage. Possible values: 1 – enable, 0 – disable.

If the system log usage is disabled, data is logged to the Protection Server trace file. The file name is specified by the trace_file setting (see the General settings section).

program_name = ScanServer

System log name.

facility = 176

System log category (LOG_LOCAL6 = 176).

format = %I %p:

Syslog entry format: %Y = year, %m = month, %d = day, %H = hour, %M = minute, %S = second, %i = millisecond, %p = trace level, %N = device name, %P = process identifier (PID), %I = thread ID, %C = component ID, %D = component instance ID, %X = time.

[dumps] section

This section contains the settings of the Protection Server dump files.

dir = /var/opt/kaspersky/la/dumps

Directory for logging dumps.

schema = ScanServer_%d_%p_%n.dmp

Name configuration:

  • %d – date and time (08.27_19.39);
  • %p – process ID;
  • %n – dump number in the session.

max = 10

The maximum number of dumps in the repository.

freeMiB = 1024

The minimum amount of free disk space required to write the dump (in MB).

Page top

[Topic 266267]

Object ID values for SNMP

The table presents the values and descriptions of object identifiers (OID) that are used to transfer information about the SVM state.

Values and descriptions of OID settings for SNMP

Symbolic name

Description

Settings

OID

ksvlaODSStatus

Status of the virtual machine scan task.

  • In progress
  • Waiting
  • None

.1.3.6.1.4.1.23668.1491.1539.0.0

ksvlaODSQueueLenght

Number of virtual machine scan tasks in Waiting status.

 

.1.3.6.1.4.1.23668.1491.1539.0.1

ksvlaODSTaskCount

Number of simultaneously running virtual machine scan tasks.

 

.1.3.6.1.4.1.23668.1491.1539.0.2

ksvlaProtectedServerCount

Number of protected virtual machines running server operating systems.

 

.1.3.6.1.4.1.23668.1491.1539.1.0

ksvlaProtectedDesktopCount

Number of protected virtual machines running desktop operating systems.

 

.1.3.6.1.4.1.23668.1491.1539.1.1

ksvlaScanServerStatus

Status of the scanserver service (Protection Server).

  • Running
  • Stopped

.1.3.6.1.4.1.23668.1491.1539.2.0

ksvlaKlnagentStatus

Status of the klnagent service (Kaspersky Security Center Network Agent).

  • Running
  • Stopped

.1.3.6.1.4.1.23668.1491.1539.2.1

ksvlaApacheStatus

Status of the Apache service.

  • Running
  • Stopped

.1.3.6.1.4.1.23668.1491.1539.2.2

ksvlaWatchdogStatus

Status of the watchdog service (wdserver).

  • Running
  • Stopped

.1.3.6.1.4.1.23668.1491.1539.2.3

ksvlaMemoryConsumption

RAM usage (percentage) by the scanserver service.

 

.1.3.6.1.4.1.23668.1491.1539.3.0

ksvlaSwapConsumption

Page file usage (percentage) by the scanserver service.

 

.1.3.6.1.4.1.23668.1491.1539.3.1

Page top

[Topic 99595]

How to remove duplicate virtual machines from the list of managed devices in Kaspersky Security Center

In some VDI infrastructures, after a user session ends, the non-persistent virtual machine is powered off without shutting down the guest operating system or stopping applications. As a result, the Light Agent running on the virtual machine does not transmit information about the shutdown of that virtual machine to Kaspersky Security Center, and the virtual machine is not removed from the list of managed devices in Kaspersky Security Center. At the next startup, the non-persistent virtual machine is registered in Kaspersky Security Center, causing a duplicate to appear in the list of managed devices, representing the previous session for the virtual machine template. As a result, the list of managed devices contains a large number of non-persistent virtual machines corresponding to each user session in the VDI infrastructure.

This problem exists, for example, for VDI infrastructures based on Termidesk and Basis.WorkPlace.

You can use one of the following methods to remove a non-persistent virtual machine from the list of managed devices in Kaspersky Security Center after it is powered off:

  • Before powering off the non-persistent virtual machine, stop the Kaspersky Security Center Network Agent (the 'klnagent' service). To do this, run the following command:
    • On a virtual machine with a 64-bit Linux operating system:

      systemctl stop klnagent64

    • On a virtual machine with a 32-bit Linux operating system:

      systemctl stop klnagent

    • On a virtual machine with a 32-bit Windows operating system:

      net stop klnagent

    While shutting down, the Network Agent notifies Kaspersky Security Center about the non-persistent virtual machine shutting down, and the virtual machine is removed from the list of managed devices in Kaspersky Security Center.

  • After starting the virtual machine and the Network Agent (the 'klnagent' service):
    1. Take note of the device ID assigned to the virtual machine. The device ID is in the Protection_HostId parameter in the protection information of the client device:
      • On a Linux virtual machine, it is in the text files in the "/var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/" directory.
      • On a 32-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
      • On a 64-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
    2. When the user is done working with the non-persistent virtual machine, delete the device by ID using the Kaspersky Security Center Open API: HostGroup::RemoveHost (wstring strHostName).
Page top

[Topic 257636]

Sources of information about the solution

Kaspersky Security page on Kaspersky website

On the Kaspersky Security page, you can view general information about the solution, its functions, and features.

Kaspersky Security page in the Knowledge Base

Knowledge Base is a section on the Technical Support website.

On the Kaspersky Security page in the Knowledge Base, you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the solution.

Knowledge Base articles can answer questions relating not only to Kaspersky Security but also to other Kaspersky applications. Knowledge Base articles can also include Technical Support news.

Discuss Kaspersky applications on the forum

If your question does not require an urgent answer, you can discuss it with Kaspersky experts and other users on our Forum.

On this Forum, you can view existing threads, leave your own comments, and create new discussion threads.

Page top

[Topic 90]

Glossary

Activation code

A code provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. This code is required for activating the application.

The activation code is a unique sequence of twenty Latin characters and numerals in the format XXXXX-XXXXX-XXXXX-XXXXX.

Active key

The key that is currently being used by the application.

Administration Server

A Kaspersky Security Center component that centrally stores information about all Kaspersky applications that are installed within an enterprise network. It can also be used to manage these applications.

Application activation

The process of implementing a license that allows you to use a fully-functional version of the application until the license expires.

Backup

A dedicated storage for backup copies of files that have been deleted or modified during disinfection.

Backup copy of a file

A copy of a virtual machine file that is created when this file is disinfected or removed. Backup copies of files are stored in Backup in a special format and pose no danger.

Compound file

A compound file is comprised of several individual files that are stored in one physical file, and each of those files is accessible. Examples of compound files include archives, installation packages, embedded OLE objects, and files in email formats. A common technique for concealing viruses is to implant them into compound files. To detect viruses concealed using this method, the compound file must be unpacked.

Database of malicious web addresses

A list of addresses of web resources whose content may be considered dangerous. The list is created by Kaspersky experts. It is regularly updated and is included in the Kaspersky application distribution kit.

Database of phishing web addresses

A list of web resources that Kaspersky experts have determined to be phishing-related. The database is regularly updated and is included in the Kaspersky application distribution kit.

Desktop key

A license key that corresponds to the licensing scheme based on the number of virtual machines with operating systems for workstations.

End User License Agreement

A binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.

Heuristic Analysis

A technology designed to detect threats that cannot be detected using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.

Integration Server

Component of Kaspersky Security for Virtualization Light Agent. It facilitates interaction between Kaspersky Security components and the virtual infrastructure.

Kaspersky CompanyAccount

A portal for sending requests to Kaspersky and tracking the progress made in processing them by the Kaspersky experts.

Kaspersky Security databases

Databases that contain information about computer security threats known to Kaspersky as of when antivirus databases are released. Entries in antivirus databases make it possible to detect malicious code in scanned objects. Antivirus databases are created by Kaspersky specialists and updated hourly.

Kaspersky Security Network (KSN)

An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures that Kaspersky applications respond faster to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.

Key file

An 'xxxxxxxx.key' file that is provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. A key file is required for activating the application.

Key with a limitation on the number of processor cores

A license key that corresponds to the licensing scheme based on the number of cores used in the physical processors on the hypervisors where protected virtual machines are running.

Key with a limitation on the number of processors

A license key that corresponds to the licensing scheme based on the number of processors used on the hypervisors where protected virtual machines are running.

Keylogger

A program designed for hidden logging of information about keys pressed by the user. Keyloggers function as keystroke interceptors.

License

A time-limited right to use the application granted under the End User License Agreement.

License certificate

A document that Kaspersky transfers to the user together with the key file or activation code. It contains information about the license granted to the user.

License key (key)

Unique alphanumeric sequence. A license key makes it possible to use the application in accordance with the terms of the End User License Agreement, such as the type of license, license validity term, and license restrictions. You may use the application only if you have a valid license key.

Light Agent

Component of Kaspersky Security for Virtualization Light Agent. It is installed on each virtual machine that needs to be protected.

OLE object

An object attached to another file or embedded into another file using the Object Linking and Embedding (OLE) technology. An example of an OLE object is a Microsoft Office Excel spreadsheet embedded into a Microsoft Office Word document.

Phishing

A kind of online fraud aimed at obtaining unauthorized access to confidential data of users.

Protected virtual machine

A virtual machine with the Light Agent component installed.

Reserve key

A key that confirms the right to use the application but is not currently in use.

Server key

A license key that corresponds to the licensing scheme based on the number of virtual machines with server operating systems.

Signature Analysis

A threat detection technology that uses the Kaspersky application databases containing descriptions of known threats and methods for neutralizing them. Protection that uses signature analysis provides the minimum acceptable security level. As recommended by Kaspersky experts, the application always has this analysis method enabled.

Startup objects

A set of applications that are required for the operating system and software installed on the virtual machine to start and operate correctly. The operating system launches these objects at every startup. There are viruses capable of infecting such objects specifically, which may lead, for example, to blocking of operating system startup.

SVM

A secure virtual machine is a special virtual machine with the scanserver service installed (scanserver is the Protection Server component of Kaspersky Security for Virtualization Light Agent).

SVM Management Wizard

A wizard that deploys, removes, and reconfigures the SVM with the Protection Server component.

Update source

A resource that contains updates for databases and application software modules of Kaspersky applications. The update source for Kaspersky Security is the storage of the Kaspersky Security Center Administration Server.

Page top

[Topic 37531]

Information about third-party code

Information about third-party code is contained in the file legal_notices.txt, in the application installation folder.

Page top

[Topic 295545]

Trademark notices

Registered trademarks and service marks are the property of their respective owners.

Apache is either a registered trademark or a trademark of the Apache Software Foundation.

Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.

Ubuntu and LTS are registered trademarks of Canonical Ltd.

Citrix, Citrix Provisioning, Citrix Provisioning Services, Citrix Virtual Apps and Desktop, XenApp, XenDesktop, and XenServer are either registered trademarks or trademarks of Cloud Software Group, Inc., and/or its subsidiaries in the United States and/or other countries.

HUAWEI, FusionCompute and FusionSphere are trademarks of Huawei Technologies Co., Ltd.

Core is a trademark of Intel Corporation or its subsidiaries.

Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

Microsoft, Active Directory, Excel, Hyper-V, PowerShell, Windows, and Windows Server are trademarks of the Microsoft group of companies.

OpenStack is a registered trademark of the OpenStack Foundation in the United States and other countries.

Red Hat Enterprise Linux and CentOS are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.

Debian is a registered trademark of Software in the Public Interest, Inc.

OpenAPI is a trademark of The Linux Foundation.

Page top