Contents
- Kaspersky Security for Virtualization 6.2 Light Agent Help
- About Kaspersky Security for Virtualization 6.2 Light Agent
- Solution functions
- Distribution kit
- Hardware and software requirements
- Requirements for Kaspersky Security Center components
- Requirements for installing a Windows-based Integration Server
- Requirements for installing a Linux-based Integration Server
- Requirements for the virtual infrastructure
- Requirements for SVM resources
- Virtual machine requirements for installing Light Agent
- Supported versions of applications in Light Agent mode
- What’s new
- Solution architecture
- Preparing to install the solution
- Files required for installing the solution
- Downloading SVM images using the wizard
- Configuring the ports to use
- Accounts for installing and using the solution
- Configuring the use of secure cryptographic algorithms, ciphers, and protocols
- Configuring rules for moving virtual machines to administration groups
- Installing the Kaspersky Security solution
- Installing a Windows-based Integration Server
- Installing the Linux-based Integration Server
- Installing Kaspersky Security web plug-ins
- Installing Kaspersky Security MMC plug-ins
- SVM deployment using the Integration Server Web Console
- Connecting the Integration Server and the virtual infrastructure
- Creating and running an SVM deployment task
- Selecting infrastructure for SVM deployment
- Selecting the SVM image
- Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
- Specifying SVM settings
- Specifying SVM settings (infrastructures based on OpenStack)
- Configuring SVM network settings (infrastructures based on OpenStack)
- Configuring IP address settings for SVM
- Specifying Kaspersky Security Center connection settings
- Creating the configuration password and the root account password
- Start task for SVM deployment
- Starting an SVM deployment task (OpenStack-based infrastructure)
- Viewing information about task execution
- Deploying SVMs using the Integration Server Console
- Selecting an action
- Selecting infrastructure for SVM deployment
- Selecting the SVM image
- Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
- Specifying SVM settings
- Specifying SVM settings (infrastructures based on OpenStack)
- Configuring SVM network settings (infrastructures based on OpenStack)
- Configuring IP address settings for SVM
- Specifying Kaspersky Security Center connection settings
- Creating the configuration password and the root account password
- Starting SVM deployment
- Starting SVM deployment (infrastructures based on OpenStack)
- SVM deployment
- Finishing SVM deployment
- Automatically creating tasks and a default policy for the Protection Server
- Preparing the Protection Server for operation
- Installing Light Agents and Network Agent
- About installing Kaspersky Security Center Network Agent on virtual machines
- About installing Light Agent for Linux
- About installing Light Agent for Windows
- Installing Light Agent on a template for non-persistent virtual machines
- Compatibility of Light Agent for Windows with virtualization solutions
- Preparing Light Agents for operation
- Displaying virtual machines and SVMs in Kaspersky Security Center
- Viewing the list of SVMs connected to the Integration Server
- Updating Kaspersky Security from the previous version
- Removing the Kaspersky Security solution
- Application management framework
- About managing the solution using Kaspersky Security Center
- About Kaspersky Security management plug-ins
- Starting and closing Kaspersky Security Center Web Console
- Managing the solution using Kaspersky Security Center policies
- Managing the solution using tasks
- About access rights to the settings of policies and tasks in Kaspersky Security Center
- About Integration Server Console
- Connecting to the Integration Server via Integration Server Console
- About the Integration Server Web Console
- Connecting to the Integration Server via Integration Server Web Console
- Licensing Kaspersky Security for Virtualization 6.2 Light Agent
- About the End User License Agreement
- About data provision
- About the license
- About the License Certificate
- About license key
- About the activation code
- About the key file
- About subscription
- License-specific solution functionality
- About activating Kaspersky Security for Virtualization 6.2 Light Agent
- Procedure for activating the solution
- Renewing a license
- Renewing subscription
- Viewing information about the license keys used in Kaspersky Security Center
- View information about the license on a secure virtual machine
- Starting and stopping Kaspersky Security
- Virtual machine protection status
- Connecting SVMs and Light Agents to the Integration Server
- Connecting Light Agents to SVMs
- Protecting large infrastructures
- Updating Kaspersky Security databases and application modules
- Using Kaspersky Security Network
- Additional Protection Server settings
- Reports and notifications
- SVM reconfiguration
- Reconfiguring SVMs using Integration Server Web Console
- Selecting SVM for reconfiguration
- Entering the configuration password
- Editing SVM network settings
- Changing SVM IP settings
- Changing Kaspersky Security Center connection settings
- Changing the configuration password and root account settings
- Start task for SVM reconfiguration
- Start task for SVM reconfiguration (OpenStack)
- SVM reconfiguration using the Integration Server Console
- Selecting an action
- Selecting SVM for reconfiguration
- Entering the configuration password
- Editing SVM network settings
- Editing SVM network settings (infrastructures based on OpenStack)
- Changing SVM IP settings
- Changing Kaspersky Security Center connection settings
- Changing the configuration password and root account settings
- Starting SVM reconfiguration
- Starting SVM reconfiguration (infrastructures based on OpenStack)
- SVM reconfiguration
- Finishing SVM reconfiguration
- Configuring Integration Server settings
- Changing passwords of Integration Server accounts
- Changing the settings for connecting to the virtual infrastructure in the Integration Server Web Console
- Changing the settings for connecting to the virtual infrastructure in the Integration Server Console
- Deleting the settings for connection of the Integration Server to the virtual infrastructure
- Replacing the Integration Server and SVM certificates
- Using a backup copy of the database and the Integration Server settings
- SNMP monitoring of SVM status
- Checking the integrity of solution components
- Using Kaspersky Security for Virtualization 6.2 Light Agent in multitenancy mode
- Deploying a tenant protection infrastructure
- Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server
- Creating a tenant and virtual Administration Server
- Configuring SVM location and Protection Server settings
- Configuring settings for SVM discovery by Light Agents and general tenant protection settings
- Installing a Light Agent on tenant virtual machines
- Registering tenant virtual machines
- Activating a tenant
- Registering existing tenants and their virtual machines
- Enabling and disabling tenant protection
- Getting information about tenants
- Getting tenant protection reports
- Removing virtual machines from the protected infrastructure
- Removing tenants
- Using Integration Server REST API in multi-tenancy scenarios
- Contacting Technical Support
- How to get technical support
- Technical Support via Kaspersky CompanyAccount
- Getting information for Technical Support
- Protection Server and Light Agent dump files
- Trace files of the Kaspersky Security Components Installation Wizard
- Trace files of the Integration Server and Integration Server Console
- Trace files of the tool for managing Integration Server and SVM certificates
- Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins
- The SVM Management Wizard log
- Using the utilities and scripts from the Kaspersky Security distribution kit
- Appendices
- Using the klconfig script API to define SVM configuration settings
- Executing configuration commands
- Using the SVM first startup script
- Configuring SVM configuration settings
- Description of commands
- accept_eula_and_privacypolicy
- apiversion
- checkconfig
- connectorlang
- dhcp
- dhcprenew
- dns
- dnslookup
- dnssearch
- dnsshow
- getdnshostname
- gethypervisordetails
- hostname
- listpatches
- manageservices
- nagent
- network
- ntp
- passwd
- permitrootlogin
- productinstall
- reboot
- resetnetwork
- rollbackpatch
- setsshkey
- settracelevel
- test
- timezone
- version
- Settings in the ScanServer.conf file
- Object ID values for SNMP
- How to remove duplicate virtual machines from the list of managed devices in Kaspersky Security Center
- Sources of information about the solution
- Glossary
- Activation code
- Active key
- Administration Server
- Application activation
- Backup
- Backup copy of a file
- Compound file
- Database of malicious web addresses
- Database of phishing web addresses
- Desktop key
- End User License Agreement
- Heuristic Analysis
- Integration Server
- Kaspersky CompanyAccount
- Kaspersky Security databases
- Kaspersky Security Network (KSN)
- Key file
- Key with a limitation on the number of processor cores
- Key with a limitation on the number of processors
- Keylogger
- License
- License certificate
- License key (key)
- Light Agent
- OLE object
- Phishing
- Protected virtual machine
- Reserve key
- Server key
- Signature Analysis
- Startup objects
- SVM
- SVM Management Wizard
- Update source
- Information about third-party code
- Trademark notices
Kaspersky Security for Virtualization 6.2 Light Agent Help
New features
What's New in Kaspersky Security for Virtualization 6.2 Light Agent
Hardware and software requirements
Hardware and software requirements of the solution components
Feature comparison
Comparison of the license-specific features of the solution components
Getting started
- Preparatory steps before installing the solution
- Installing and performing the initial configuration of solution components
- Updating the previous version of the solution
- Connecting SVMs and Light Agents to the Integration Server
- Connecting Light Agents to SVMs
Licensing
- Licensing solution components
- Activating the solution and managing license keys
- Viewing information about used license keys
Monitoring and reporting
- Getting information about the protection status of virtual machines
- Viewing events and reports
- SNMP monitoring of SVM status
Data provision and protecting personal information
Additional capabilities
- Configuring advanced Protection Server settings
- Using Kaspersky Security Network
- Using Kaspersky Security for Virtualization 6.2 Light Agent in multitenancy mode
Contacting Technical Support
About Kaspersky Security for Virtualization 6.2 Light Agent
Kaspersky Security for Virtualization 6.2 Light Agent, hereinafter also referred to as "Kaspersky Security", is an integrated solution that provides comprehensive protection of virtual machines with Linux guest operating systems and Windows guest operating systems against various types of information threats, network attacks and fraud.
Kaspersky Security protects virtual machines on the following virtualization platforms:
- VMware vSphere.
- XenServer.
- Microsoft Hyper-V.
- KVM (Kernel-based Virtual Machine).
- Proxmox VE.
- Basis.
- Skala-R.
- HUAWEI FusionSphere.
- Nutanix Acropolis.
- Enterprise Cloud Platform VeiL.
- SharxBase.
- TIONIX Cloud Platform.
- OpenStack.
- ALT Virtualization Server.
- "Brest" Virtualization Tools software package.
- zVirt virtualization environment.
- ROSA Virtualization Environment Management System.
- RED Virtualization.
- Astra Linux.
- SpaceVM Cloud Platform.
- Basis.DynamiX Cloud Platform.
- VMmanager Infrastructure.
- Numa vServer.
- VK Cloud platform.
- R-Virtualization server virtualization system.
- Yandex Cloud Platform.
- Gorizont-VS virtualization management platform.
- HOSTVM Virtualization platform.
Some limitations apply to the installation and operation of the solution in virtual infrastructures running on the Enterprise Cloud Platform VeiL, SharxBase, "Brest" Virtualization Tools software package, zVirt Virtualization System, ROSA Virtualization, RED Virtualization, VMmanager Infrastructure, SpaceVM Cloud Platform, Basis.DynamiX Cloud Platform, R-Virtualization server virtualization system, Yandex Cloud Platform, Gorizont-VS virtualization management platform, and HOSTVM Virtualization platform. Please refer to the Knowledge Base for details.
The Kaspersky Security solution is optimized to support maximum performance of the virtual machines that are protected by the solution.
The solution protects virtual machines running guest server operating systems and guest desktop operating systems.
The Kaspersky Security solution can be used in multitenancy mode. This mode of using the solution allows you to protect isolated virtual infrastructures in the tenant organization or units within a single organization (hereinafter also referred to as "tenants").
The solution includes the following components:
- Kaspersky Security Protection Server (hereinafter also "Protection Server"). The component is a service installed on a special virtual machine known as an SVM (secure virtual machine). SVMs must be deployed on hypervisors in the virtual infrastructure during installation of the Kaspersky Security solution.
- Kaspersky Security Light Agent (hereinafter also "Light Agent"). The component is an application designed to be installed on virtual machines. Light Agent must be installed on each virtual machine that you want to protect with Kaspersky Security.
The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux as the Light Agent for Linux.
The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows as the Light Agent for Windows.
- Kaspersky Security for Virtualization Light Agent Integration Server (hereinafter also "Integration Server"). The component is an application designed to be installed on a Linux device or a Windows device in your infrastructure. The Integration Server facilitates interaction between the Kaspersky Security solution components and the virtual infrastructure.
To install and manage Kaspersky Security, you need Kaspersky Security Center, Kaspersky's remote centralized application management system. You can use Kaspersky Security Center Windows or Kaspersky Security Center Linux.
Solution functions
The basic functions of protecting and monitoring virtual machines are provided by the functional components and tasks of the Light Agent for Linux and Light Agent for Windows.
The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux as the Light Agent for Linux. The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows as the Light Agent for Windows. For a description of the Light Agent functionality, please refer to the Online Help of the corresponding application.
Kaspersky Endpoint Security for Linux and Kaspersky Endpoint Security for Windows operating in Light Agent mode have the following features:
- The application is activated on the Protection Server.
- Updates of application databases and modules are managed on the Protection Server. The application gets updates from a folder on the SVM. You cannot select a different update source.
- The use of cloud databases is not supported.
- The application interacts with KSN servers using a KSN proxy server. Direct interaction with KSN is not supported.
- The use of the application's proxy server is not supported when connecting to the Integration Server, SVMs, and KSN servers.
- Managing the application using Kaspersky Security Center Cloud Console is not available.
- For the Kaspersky Endpoint Security for Linux application only: the application cannot be managed using the graphical user interface.
- For the Kaspersky Endpoint Security for Windows application only:
  - Data encryption components and Adaptive Anomaly Control cannot be installed.
  - The built-in EDR Expert agent does not work in Light Agent mode.
To keep the components of Kaspersky Security up to date and to expand the solution's capabilities, the solution provides the following additional functions:
- Activation. Using the solution under a commercial license ensures the full functionality of solution components and access to updates of the solution's databases and application modules.
- Updating databases and application modules. Updating the solution's databases and application modules ensures up-to-date protection of virtual machines against viruses and other applications that pose a threat.
- Using Kaspersky Security Network in the operation of solution components. Using Kaspersky's cloud knowledge base about the reputation of files, Internet resources, and software makes it possible to improve protection of virtual machines and user data, ensure faster response times to various threats, and reduce the number of false positives.
- Reports and notifications. Various types of events occur during the operation of solution components. You can receive notifications about events and generate reports based on events.
The update functionality (including anti-virus signature updates and code base updates), as well as the KSN functionality may not be available in the solution in the territory of the USA.
Distribution kit
For information about purchasing the solution, please visit the Kaspersky website at https://www.kaspersky.com or contact our partners.
The solution's distribution kit includes the following files:
- files required for installing the solution components
- files with the text of the End User License Agreement and the Privacy Policy
- MIB file that you can use to receive SVM status information with the aid of the SNMP Monitoring system
On the Kaspersky website, you can download the files that are included in the Kaspersky Security distribution kit as well as the files necessary for installing Kaspersky Security Center.
The contents of the solution's distribution kit can vary from region to region.
Information required to activate the solution is sent by email after payment.
Hardware and software requirements
This section contains the hardware and software requirements of Kaspersky Security.
Requirements for Kaspersky Security Center components
To install and manage the Kaspersky Security solution, you need Kaspersky Security Center Windows or Kaspersky Security Center Linux.
Kaspersky Security Center Linux includes a version of Administration Server intended for installation on a device running the Linux operating system. Kaspersky Security Center Linux interacts with Administration Server through Kaspersky Security Center Web Console. For more information on Kaspersky Security Center Linux, please refer to the Kaspersky Security Center Linux Help.
You can use one of the following versions of the Kaspersky Security Center application:
- Kaspersky Security Center Linux:
  - Kaspersky Security Center 15.2 Linux. Components of the Kaspersky Security solution can be managed through Kaspersky Security Center Web Console using the management web plug-in.
  - Kaspersky Security Center 15.1 Linux. Components of the Kaspersky Security solution can be administered through Kaspersky Security Center Web Console using the management web plug-in.
  - Kaspersky Security Center 15 Linux. Components of the Kaspersky Security solution can be administered through Kaspersky Security Center Web Console using the management web plug-in.
- Kaspersky Security Center Windows:
  - Kaspersky Security Center 15.1 Windows. Components of the Kaspersky Security solution can be managed through Administration Console using the management MMC plug-in and through Kaspersky Security Center Web Console using the management web plug-in.
  - Kaspersky Security Center 14.2 Windows. Components of the Kaspersky Security solution can be managed through Administration Console using the management MMC plug-in and through Kaspersky Security Center Web Console using the management web plug-in.
The operation of Kaspersky Security requires the following Kaspersky Security Center components:
- Administration Server.
The following services must be configured on Administration Server:
- The activation proxy service is used when activating the Kaspersky Security solution. The activation proxy service is configured in the properties of the Kaspersky Security Center Administration Server. If the activation proxy service is disabled, the solution cannot be activated using an activation code.
- The KSN Proxy service facilitates data exchange between Kaspersky Security solution components and Kaspersky Security Network. The KSN Proxy service is configured in the properties of the Kaspersky Security Center Administration Server.
For more detailed information about the activation proxy service and KSN Proxy service, please refer to the Kaspersky Security Center help.
- Network Agent. Network Agent facilitates interaction between Administration Server and virtual machines on which Kaspersky Security solution components are installed.
Network Agent must be installed on all virtual machines that you want to protect.
The Network Agent does not need to be installed on SVMs because this component is included in the SVM images.
- Kaspersky Security Center Administration Console. Regardless of the version of Kaspersky Security Center, you can use Kaspersky Security Center Web Console (hereinafter also referred to as "Web Console"). To interact with Kaspersky Security Center Windows, you can also use the MMC-based Administration Console (hereinafter also referred to as "Administration Console").
For information on installing Kaspersky Security Center components, please refer to the Kaspersky Security Center help.
Requirements for installing a Windows-based Integration Server
To install and operate the Windows-based Integration Server and Integration Server Console, one of the following operating systems must be installed on the device:
- Windows Server 2022 Standard/Datacenter/Essentials
- Windows Server 2019 Standard/Datacenter/Essentials
- Windows Server 2016 Standard/Datacenter
- Windows Server 2012 R2 Standard/Datacenter/Essentials
- Windows Server 2012 Standard/Datacenter/Essentials
On the device where you want to install the Integration Server Console, the operating system must be installed in the Desktop Experience mode.
Microsoft .NET Framework 4.6.2, 4.7, or 4.8 is required to install the Windows-based Integration Server and to install and run the Integration Server Console. You can install the Microsoft .NET Framework in advance, or if you have Internet access, the Kaspersky Security Component Installation Wizard will offer to install it during the installation of the Integration Server and Integration Server Console.
The device must meet the following minimum hardware requirements to allow installing and running the Windows-based Integration Server and Integration Server Console:
- Quad-core 2 GHz virtual processor
- Available disk space:
  - 4 GB for the Integration Server Console
  - 4 GB for the Integration Server
- Available RAM:
  - 4 GB for the Integration Server Console
  - 4 GB for the Integration Server
The required volume of RAM and free disk space may change depending on the size of the virtual infrastructure. To improve the performance of the Integration Server, 10 GB of free disk space is recommended.
Requirements for installing a Linux-based Integration Server
To install and operate the Linux-based Integration Server, one of the following 64-bit operating systems must be installed on the device:
- Ubuntu 22.04 LTS.
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.7).
- Astra Linux Special Edition RUSB.10015-01 (operational update 1.8).
The following packages must be installed on the device:
- regardless of the installed operating system:
  - libc6
  - libgssapi-krb5-2
  - zlib1g
- in the Ubuntu 22.04 LTS operating system:
  - ca-certificates
  - libssl3
  - libunwind8
- in the Astra Linux Special Edition RUSB.10015-01 (operational update 1.7) operating system: libssl1.1
- in the Astra Linux Special Edition RUSB.10015-01 (operational update 1.8) operating system: libssl3
The device must meet the following minimum hardware requirements to support the installation and operation of the Linux-based Integration Server:
- Quad-core 2500 MHz virtual processor
- 4 GB available disk space
- 8 GB available RAM
Hardware requirements may vary depending on the size of the virtual infrastructure. To improve the performance of the Integration Server, 10 GB of free disk space and 12 GB of RAM are recommended.
Requirements for the virtual infrastructure
Installation and operation of the Kaspersky Security solution is supported on the following virtualization platforms:
- Microsoft Hyper-V platform.
One of the following hypervisors must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution:
- Microsoft Windows Server 2022 Hyper-V (Desktop experience/Core) hypervisor
- Microsoft Windows Server 2019 Hyper-V (Desktop experience/Core) hypervisor
- Microsoft Windows Server 2016 Hyper-V (Desktop experience/Core) hypervisor with all available updates
The solution can be installed and run on Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service. Cluster Shared Volumes technology must be enabled on cluster nodes.
If you use Integration Server Console to manage the Integration Server, when deploying SVMs on Microsoft Windows Server (Hyper-V) hypervisors, you can use one of the following versions of the Microsoft System Center Virtual Machine Manager (hereinafter referred to as "Microsoft SCVMM") virtual infrastructure management server:
- Microsoft SCVMM 2022 with the latest updates.
- Microsoft SCVMM 2019 with the latest updates.
- Microsoft SCVMM 2016 with the latest updates.
If you use Integration Server Web Console or REST API to manage the Integration Server, connecting to Microsoft SCVMM is not supported.
For the Linux-based Integration Server, connecting to virtual infrastructure based on Microsoft Hyper-V is not supported. Use the Windows-based Integration Server.
- XenServer platform
A XenServer 8 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
In a virtual infrastructure on the XenServer platform, you cannot deploy an SVM with a static IP address specified. Use dynamic IP addressing.
- VMware vSphere platform.
One of the following hypervisors must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution:
- VMware ESXi 8.0 hypervisor with the latest updates.
- VMware ESXi 7.0 hypervisor with the latest updates.
A VMware vCenter Server 8.0 or 7.0 virtual infrastructure administration server with all available updates must be installed in the virtual infrastructure. Installation and operation of the solution are supported in an infrastructure managed by standalone VMware vCenter servers and by a group of VMware vCenter servers running in Linked mode.
If you are using VMware NSX Manager in an infrastructure running the VMware vSphere platform, Kaspersky Security can assign security tags to the protected virtual machines. Kaspersky Security is compatible with VMware NSX Manager, which is included in the following packages:
- VMware NSX 4.0.1
- VMware NSX-T Data Center 3.2
If you use Integration Server Console to manage the Integration Server, when deploying SVMs on VMware ESXi hypervisors, you can use one of the following versions of the Microsoft SCVMM virtual infrastructure management server:
- Microsoft SCVMM 2022 with the latest updates.
- Microsoft SCVMM 2019 with the latest updates.
- Microsoft SCVMM 2016 with the latest updates.
If you use Integration Server Web Console or REST API to manage the Integration Server, connecting to Microsoft SCVMM is not supported.
- KVM (Kernel-based Virtual Machine) platform.
A KVM hypervisor based on one of the following operating systems must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution:
- Debian GNU/Linux 12.0.
- Debian GNU/Linux 11.0.
- Ubuntu 22.04 LTS.
- Red Hat Enterprise Linux Server 8.0.
- CentOS Stream 9.
To deploy an SVM on KVM hypervisors running the CentOS operating system, you must delete or comment out the "Defaults requiretty" line in the /etc/sudoers configuration file of the hypervisor’s operating system.
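One way to make the sudoers change described above without risking a broken file, as an added example that is not part of the Kaspersky documentation: the script comments out stand-alone `Defaults requiretty` lines, validates the result with `visudo -cf`, and keeps a backup. The function names, the `--file` option and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Kaspersky documentation).
# Comments out stand-alone "Defaults requiretty" lines in a sudoers file and
# validates the edited copy with `visudo -cf` before it replaces the original.

# Succeeds if an uncommented Defaults line still enables requiretty.
# "Defaults !requiretty" (negation) and commented lines do not count.
requiretty_active() {
    grep -Eq '^[[:space:]]*Defaults[^#]*[[:space:],]requiretty' "$1"
}

# disable_requiretty FILE
# Prints "changed" or "unchanged"; returns non-zero if nothing was written.
disable_requiretty() {
    src=$1
    [ -f "$src" ] || { echo "not a file: $src" >&2; return 2; }

    # Edit a copy in the same directory so the final mv is an atomic rename.
    tmp=$(mktemp "$src.XXXXXX") || return 2
    sed 's/^\([[:space:]]*\)\(Defaults[[:space:]][[:space:]]*requiretty[[:space:]]*\)$/\1# \2/' \
        "$src" > "$tmp" || { rm -f "$tmp"; return 2; }

    if cmp -s "$src" "$tmp"; then
        rm -f "$tmp"
        echo "unchanged"
        return 0
    fi

    # Never install a sudoers file that has not passed a syntax check.
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$tmp" >/dev/null || {
            rm -f "$tmp"
            echo "validation failed, $src left untouched" >&2
            return 1
        }
    elif [ "$src" = /etc/sudoers ]; then
        rm -f "$tmp"
        echo "visudo not found, refusing to edit /etc/sudoers" >&2
        return 1
    fi

    # Keep a backup, restore the usual sudoers mode, then swap the file in.
    cp -p "$src" "$src.bak" && chmod 0440 "$tmp" && mv "$tmp" "$src" &&
        echo "changed"
}

# Constructed sample, not taken from a real hypervisor.
write_sample() {
    cat > "$1" <<'EOF'
# Constructed sample sudoers file
Defaults    requiretty
Defaults    !visiblepw
Defaults    env_reset
root    ALL=(ALL)       ALL
EOF
}

if [ "${1:-}" = "--file" ] && [ -n "${2:-}" ]; then
    # Real run, as root on the hypervisor: ./script.sh --file /etc/sudoers
    disable_requiretty "$2"
    if requiretty_active "$2"; then
        echo "requiretty is still set on a combined or scoped Defaults line; review manually" >&2
    fi
else
    # Dry run on the constructed sample in a throwaway directory.
    demo_dir=$(mktemp -d) &&
        write_sample "$demo_dir/sudoers" &&
        disable_requiretty "$demo_dir/sudoers" &&
        cat "$demo_dir/sudoers"
    rm -rf "$demo_dir"
fi
```

Lines that combine `requiretty` with other options, or scope it to a user or host, are left alone and reported so that unrelated settings are not dropped by accident.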
- Proxmox VE platform.
A Proxmox VE 8 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
Only KVM-based Proxmox VE is supported. Operation of the solution on a Proxmox VE hypervisor using LXC (Linux Containers) is not supported.
- Basis platform.
An R-Virtualization 7.0.13 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
A Basis.vControl 2.2.1 virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on R-Virtualization hypervisors.
- Skala-R platform.
An R-Virtualization 7.0.13 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
A Skala-R Management 1.98 virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on R-Virtualization hypervisors.
- HUAWEI FusionSphere platform.
A HUAWEI FusionCompute CNA 8.0 or later hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
A HUAWEI FusionCompute VRM 8.0 or later virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on HUAWEI FusionCompute CNA hypervisors.
- Nutanix Acropolis platform.
A Nutanix AHV 6.5.1.5 or 6.10.1 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
A Nutanix Prism 6.5.1.5 or 6.10.1 and later virtual infrastructure administration server must be installed in the virtual infrastructure to support deployment and operation of an SVM on Nutanix AHV hypervisors.
- Enterprise Cloud Platform VeiL platform.
A VeiL Node 5.1.2 hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the Enterprise Cloud Platform VeiL platform. Please refer to the Knowledge Base for details.
- SharxBase platform.
A SharxBase 5.10.x hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
There are some limitations on the installation and operation of the solution in a SharxBase virtual infrastructure. Please refer to the Knowledge Base for details.
- TIONIX Cloud Platform.
For the Kaspersky Security solution to install and run, TIONIX Cloud Platform 2.9 or 3.0 must be installed.
The following microservices must be installed as part of the TIONIX Cloud Platform:
- Keystone – authentication microservice.
- Compute (Nova) – microservice used for creating virtual machines and performing operations with infrastructure.
- Cinder – microservice used for operations with storage.
- Glance – microservice used for operations with virtual machine images.
- Neutron – microservice used for operations with networks.
A KVM hypervisor must be installed in the virtual infrastructure.
- OpenStack platform.
For the Kaspersky Security solution to install and run, one of the following OpenStack platform releases must be installed: Havana, Stein, Newton, Victoria, Zed, Antelope, Bobcat.
The following microservices must be installed as part of the OpenStack platform:
- Keystone – authentication microservice.
- Compute (Nova) – microservice used for creating virtual machines and performing operations with the infrastructure.
- Cinder – microservice used for operations with storage.
- Glance – microservice used for operations with virtual machine images.
- Neutron – microservice used for operations with networks.
A KVM hypervisor must be installed in the virtual infrastructure.
- ALT Virtualization Server.
The ALT Virtualization Server version 10.0 platform is required for installation and operation of the Kaspersky Security solution.
A basic hypervisor of the ALT Virtualization Server 10.0 platform (KVM-based hypervisor) must be installed as part of the platform.
- Brest Virtualization Software Platform.
The Brest Virtualization Software 3.2 or 3.3 platform is required to install and run the Kaspersky Security solution.
A KVM hypervisor must be installed in the virtual infrastructure.
There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the "Brest" Virtualization Tools software package. Please refer to the Knowledge Base for details.
- zVirt virtualization environment.
A zVirt Node 3.x, 4.x, or zVirt Max hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
There are some limitations on the installation and operation of the solution in a virtual infrastructure running the zVirt Virtualization Environment. Please refer to the Knowledge Base for details.
- ROSA Virtualization platform.
ROSA Virtualization Environment Management System Platform version 2.1 or 3.0 is required for installation and operation of the Kaspersky Security solution.
A KVM hypervisor must be installed in the virtual infrastructure.
There are some limitations on the installation and operation of the solution in a virtual infrastructure running on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.
You can remove the limitations related to use of the Integration Server in a virtual infrastructure running on the ROSA Virtualization platform. If you want Light Agents to use the advanced SVM discovery functionality (use of the Integration Server and the extended SVM selection algorithm), you can manually add infrastructure information to the Integration Server. Please refer to the Knowledge Base for details.
- RED Virtualization platform.
RED Virtualization platform 7.3 is required for installation and operation of the Kaspersky Security solution.
A KVM hypervisor must be installed in the virtual infrastructure.
There are some limitations when installing and operating the solution in a virtual infrastructure running the RED Virtualization platform. Please refer to the Knowledge Base for details.
- Astra Linux Platform.
To install and run the Kaspersky Security solution, Astra Linux Special Edition RUSB.10015-01 (regular update 1.7) must be installed along with Update 2022-1221SE17MD (operational update 1.7.3.UU.1).
A KVM hypervisor must be installed in the virtual infrastructure.
- SpaceVM Cloud Platform.
SpaceVM Cloud Platform 6.2 is required to install and run Kaspersky Security in a virtual infrastructure.
There are some limitations on the installation and operation of the solution in a virtual infrastructure on the SpaceVM Cloud platform. Please refer to the Knowledge Base for details.
- Basis.DynamiX Cloud Platform.
Basis.DynamiX Cloud Platform 3.8.5, 3.8.8, or 4.0.0 is required to install and run Kaspersky Security in a virtual infrastructure.
There are some limitations on the installation and operation of the solution in a virtual infrastructure on the Basis.DynamiX Cloud platform. Please refer to the Knowledge Base for details.
- VMmanager Infrastructure platform.
VMmanager Infrastructure 2023.11.1-1 is required for installation and operation of the Kaspersky Security solution.
A KVM hypervisor must be installed in the virtual infrastructure.
There are some limitations when installing and operating the solution in a virtual infrastructure running VMmanager Infrastructure. Please refer to the Knowledge Base for details.
- Numa vServer platform
A Numa vServer 1.1 or later hypervisor must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security solution.
- VK Cloud platform
To install and run the Kaspersky Security solution, you need one of the following OpenStack platform releases: Havana, Stein, Newton, Victoria, Zed, Antelope, Bobcat.
The following microservices must be installed as part of the VK Cloud platform:
- Keystone – authentication microservice.
- Compute (Nova) – microservice used for creating virtual machines and performing operations with the infrastructure.
- Cinder – microservice used for operations with storage.
- Glance – microservice used for operations with virtual machine images.
- Neutron – microservice used for operations with networks.
A KVM hypervisor must be installed in the virtual infrastructure.
- R-Virtualization server virtualization system.
R-Virtualization hypervisor 7.0.13 or later must be installed in the virtual infrastructure to support installation and operation of the Kaspersky Security application.
Some limitations apply to the installation and operation of the application in a virtual infrastructure based on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.
- Yandex Cloud Platform.
Yandex Cloud Platform is required to install and run Kaspersky Security.
There are some limitations on the installation and operation of the solution in a virtual infrastructure on the Yandex Cloud Platform. Please refer to the Knowledge Base for details.
- Gorizont-VS virtualization management platform.
The Gorizont-VS virtualization management platform version core_3.x, core_4.x, or Gorizont-VS-FSTEC is required to install and operate the Kaspersky Security solution.
The virtual infrastructure must have the "Gorizont-VS Server Virtualization subsystem" hypervisor and the "Gorizont-VS Multimanagement system" virtual infrastructure administration server (hereinafter also "Horizon-VS-SGU") installed.
Some limitations apply to installing and operating the solution on the Gorizont-VS virtualization management platform. Please refer to the Knowledge Base for details.
- HOSTVM Virtualization platform.
HOSTVM Virtualization platform is required to install and run Kaspersky Security.
The HOSTVM Node hypervisor must be installed in the virtual infrastructure.
Some limitations apply to installing and operating the solution on the HOSTVM virtualization management platform. Please refer to the Knowledge Base for details.
Kaspersky Security can protect virtual machines as part of an infrastructure that uses the following virtualization solutions:
- VMware Horizon 8.x.
- Huawei FusionAccess 8 (Windows guest operating system only).
- Citrix Virtual Apps and Desktops 7 2402 LTSR with the latest updates installed.
- Citrix Provisioning Services 7.
- Citrix XenApp and XenDesktop 7.15.
- Citrix App Layering 2009 (only virtual machines with a Windows guest operating system).
- Termidesk VDI 3.3.
- Basis.WorkPlace 1.98.2.
- Remote Desktop Host Services based on Microsoft and Citrix.
Some limitations apply to the operation of the solution in a VDI based on Termidesk and Basis.WorkPlace.
Requirements for SVM resources
To run the solution on an SVM, the following minimum system resources are required:
- Dual-core virtual processor
- 30 GB available disk space
- 2 GB available RAM
- Virtualized network interface with bandwidth of 100 Mbit/s
Virtual machine requirements for installing Light Agent
Requirements for Light Agent for Linux
On virtual machines running Linux operating systems, Kaspersky Endpoint Security for Linux installed in Light Agent mode is used as the Light Agent.
For the minimum hardware requirements and a list of supported operating systems for Kaspersky Endpoint Security for Linux in Light Agent mode, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
There are limitations when Kaspersky Endpoint Security is used in Light Agent mode to protect virtual environments. Using Kaspersky Endpoint Security for Linux in Light Agent mode is not supported:
- On devices running operating systems for the Arm architecture.
- On devices running Astra Linux operating systems in mandatory access control and closed software environment modes.
Requirements for Light Agent for Windows
On virtual machines running Windows operating systems, Kaspersky Endpoint Security for Windows installed in Light Agent mode is used as the Light Agent.
For the minimum hardware requirements and a list of supported operating systems for Kaspersky Endpoint Security for Windows in Light Agent mode, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
General requirements for Light Agent
Before installing Light Agent on virtual machines, the following packages must be installed, depending on the virtual infrastructure:
- In a Microsoft Hyper-V infrastructure, the Integration Services package must be installed on the virtual machines.
- In a VMware vSphere infrastructure, the VMware Tools package must be installed on the virtual machines.
- In a XenServer infrastructure, XenTools must be installed on the virtual machines.
- In a HUAWEI FusionSphere infrastructure, the HUAWEI Tools package must be installed on the virtual machines.
- In an infrastructure based on KVM, OpenStack, VK Cloud platform, TIONIX Cloud Platform, Astra Linux, or ALT Virtualization Server, QEMU Guest Agent must be installed on virtual machines.
Supported versions of applications in Light Agent mode
The following applications are used as part of Kaspersky Security for Virtualization 6.2 Light Agent:
- Kaspersky Endpoint Security for Linux 12.2.
- Kaspersky Endpoint Security for Windows 12.8.
- Kaspersky Endpoint Security for Windows 12.9.
Other components of the Kaspersky Security solution are compatible only with the specified application versions.
What’s new
Kaspersky Security for Virtualization 6.2 Light Agent has the following new features:
- The Kaspersky Security solution includes a new version of the Integration Server designed to be installed on a device with the Linux operating system (hereinafter also referred to as the "Linux-based Integration Server"). Now you can use the Windows-based Integration Server or the Linux-based Integration Server, depending on your infrastructure.
- In the new version of Kaspersky Security, you can use Integration Server Web Console to manage the Integration Server. The web console is available in Kaspersky Security Center Web Console after installing the Integration Server web plug-in. Web Console and Integration Server Console implement the same functions for managing the Integration Server. Using Integration Server Web Console, you can:
- configure the list of virtual infrastructures to which the Integration Server connects
- deploy, remove, or reconfigure SVMs
- view information about SVMs that are connected to the Integration Server
- change passwords of accounts that are used to connect to the Integration Server
- view the list of tenants registered in the Integration Server database and configure the connection settings required for interaction between the Integration Server REST API and Kaspersky Security Center Administration Server
Integration Server Web Console lets you manage the Windows-based Integration Server and the Linux-based Integration Server.
- You can now select the versions of Light Agents for which the Protection Server will receive updates of application databases and modules. You can reduce traffic by downloading updates to SVMs only for those versions of Light Agents that work in your infrastructure.
- For virtual infrastructure on the VK Cloud platform, you can now use the Integration Server while deploying and operating the Kaspersky Security solution. You can configure a connection to this infrastructure and manage SVMs through Integration Server Console or Integration Server Web Console. You can use the Integration Server to detect SVMs using Light Agents.
- You can now protect virtual infrastructures based on the Basis platform.
- You can now protect virtual infrastructures on the R-Virtualization server virtualization system.
Some limitations apply to the installation and operation of the application in a virtual infrastructure based on the ROSA Virtualization platform. Please refer to the Knowledge Base for details.
- As its Light Agent for Windows, the solution uses Kaspersky Endpoint Security for Windows 12.8 or 12.9, which provides expanded functionality for protecting virtual machines with Windows guest operating systems (compared to Light Agent for Windows 5.2). The following functions are now available in the solution:
- BadUSB Attack Prevention.
- Log Inspection.
- Intrusion Prevention (instead of Application Control functionality).
- Behavior Detection, Exploit Prevention and Remediation Engine (instead of System Monitoring functionality).
- Ability to integrate with the following Kaspersky solutions:
- Kaspersky Managed Detection and Response. The solution automatically detects and analyzes security incidents in your infrastructure and sends incident data to Kaspersky experts. These experts can then handle the incident themselves or provide recommendations for handling the incident.
- Kaspersky Endpoint Detection and Response Optimum. The solution is designed to protect an organization's IT infrastructure from advanced threats.
- Components of the Kaspersky Anti Targeted Attack Platform solution (Endpoint Detection and Response (KATA), Network Detection and Response (KATA), KATA Sandbox). The solution is designed for early detection of complex threats, such as targeted attacks, advanced persistent threats (APT), zero-day attacks and others.
- Kaspersky Sandbox. The solution analyzes the behavior of objects to identify malicious activity and signs of targeted attacks on the organization's IT infrastructure, and automatically blocks advanced threats on devices.
- Kaspersky Unified Monitoring and Analysis Platform (KUMA). A SIEM solution for managing security information and security events in an organization's IT infrastructure. KUMA lets you detect, analyze and eliminate security threats before they can harm your organization.
Kaspersky Endpoint Security for Windows 12.9 has a new tool, Temporary password monitoring. A temporary password lets you grant access to the Kaspersky Endpoint Security for Windows application with Password protection enabled for an individual device. Temporary password monitoring lets you save password history (up to 30 days), monitor the status of the temporary password (Active, Expired, Revoked), and revoke temporary passwords.
For a full description of the application's features, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
The following limitations apply when running Kaspersky Endpoint Security for Windows in Light Agent mode:
- Data encryption components and Adaptive Anomaly Control are not available.
- The built-in EDR Expert agent does not work in Light Agent mode.
- The solution uses Kaspersky Endpoint Security for Linux 12.2 as the Light Agent for Linux. The new version of the application implements the ability to integrate with Kaspersky Unified Monitoring and Analysis Platform and with components of the Kaspersky Anti Targeted Attack Platform solution: Kaspersky Network Detection and Response (KATA) and KATA Sandbox. For the full list of improvements relative to the previous version of the application, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
- We added support for new licenses under which you can use the Kaspersky Security solution.
- We expanded the list of guest operating systems that can be protected by Kaspersky Security. For a list of supported Linux operating systems, see the Kaspersky Endpoint Security for Linux Help of the relevant version. For a list of supported Windows operating systems, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
Solution architecture
Protection Server component
Kaspersky Security Protection Server (hereinafter also referred to as the "Protection Server") is a scanserver service installed on a special virtual machine called an SVM (secure virtual machine). An SVM is included in the Kaspersky Security distribution kit as a virtual machine image. During installation of the solution, you need to deploy SVMs from an image on hypervisors in the virtual infrastructure.
Protection Server performs the following functions:
- Scans the fragments of files sent by Light Agents installed on virtual machines for viruses and other malware. Scanning uses the SharedCache technology, which speeds up file scanning by skipping files that have already been scanned on another virtual machine. The Protection Server stores information about scanned files in a cache on the SVM so that they are not scanned again.
- Ensures that the application receives an update package from the Kaspersky Security Center Administration Server repository. The package contains the database and application module updates necessary for operation of the solution.
- Manages license keys and licensing restrictions.
Light Agent component
Kaspersky Security Light Agent (hereinafter also referred to as "Light Agent") is an application installed on each virtual machine that needs to be protected using the Kaspersky Security solution. A virtual machine with the Light Agent component installed is called a protected virtual machine.
If Kaspersky Security is used to protect VDI, Light Agent is installed on virtual machine templates from which persistent or non-persistent virtual machines are created.
The Kaspersky Security solution includes:
- The Light Agent for Linux component is designed to protect virtual machines with Linux operating systems.
The Kaspersky Security solution uses Kaspersky Endpoint Security for Linux in Light Agent mode as the Light Agent for Linux. The application protects virtual machines running Linux operating systems from various types of threats, network attacks and fraud. For more information about the capabilities of Kaspersky Endpoint Security for Linux commands, see the application help of the relevant version.
- The Light Agent for Windows component is designed to protect virtual machines with Windows operating systems.
The Kaspersky Security solution uses Kaspersky Endpoint Security for Windows in Light Agent mode as the Light Agent for Windows. The application protects virtual machines running Windows operating systems from various types of threats, network attacks and fraud. For more information about the capabilities of Kaspersky Endpoint Security for Windows commands, see the application help of the relevant version.
When launched, the Light Agent establishes and maintains a connection to the SVM in order to interact with the Protection Server component.
Integration Server component
Kaspersky Security for Virtualization Light Agent Integration Server (hereinafter also referred to as the "Integration Server") is an application designed to be installed on a device running the Linux operating system or on a device running a Windows operating system in your infrastructure. The Integration Server facilitates interaction between the Kaspersky Security solution components and the virtual infrastructure.
The Integration Server is used for performing the following tasks:
- Deploying, removing, and reconfiguring SVMs with Protection Servers.
- Receiving information about the protected infrastructure from the virtual infrastructure and sending it to Protection Servers. The Integration Server can connect to hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices to acquire this information (depending on the type of virtual infrastructure).
- Providing Light Agents with a list of SVMs available for connection and information about them. This information is necessary for interaction between Light Agents and Protection Servers on the SVMs.
- Deploying and using the Kaspersky Security solution in multi-tenancy mode.
The Kaspersky Security solution includes:
- An Integration Server designed to be installed on a device with a Windows operating system (hereinafter also referred to as the "Windows-based Integration Server").
- An Integration Server designed to be installed on a device with a Linux operating system (hereinafter also referred to as the "Linux-based Integration Server").
You can use the Integration Server that corresponds to your infrastructure.
To manage the Windows-based Integration Server, you can use the following management consoles:
To manage the Linux-based Integration Server, you can use Integration Server Web Console.
We do not recommend using Integration Server Console to manage the Linux-based Integration Server.
You can also manage the Integration Server using the Integration Server REST API without using management consoles.
To use the Integration Server in the operation of Light Agents and Protection Servers, you need to configure the settings for connecting SVMs and Light Agents to the Integration Server.
After you configure the settings for connecting an SVM to the Integration Server, the SVM transmits the following information to the Integration Server every 5 minutes:
- IP address and number of ports for connecting to the SVM.
- Information about the SVM path in the virtual infrastructure.
- Information about the license used to activate the solution on the SVM.
- Information about the average load of the Protection Server on the SVM.
A Light Agent attempts to connect to the Integration Server once every 30 seconds if the Light Agent has no information about any SVM and the last attempt to connect to the Integration Server failed. After a Light Agent receives information about SVMs from the Integration Server, the connection interval increases to 5 minutes.
During its operation, the Integration Server saves the following information:
- Internal Integration Server accounts. These accounts are used to connect management consoles, SVMs and Light Agents to the Integration Server.
- Settings for connecting the Integration Server to the virtual infrastructure and the Kaspersky Security Center Administration Server.
- If the solution is used in multi-tenancy mode: a list of registered tenants and information about the time that virtual machines were protected by the solution.
- SVM service data.
All data is stored in encrypted form. Information is stored on the device on which Integration Server is installed and is not sent to Kaspersky.
Management plug-ins and Network Agent
The interface for managing Kaspersky Security solution components using Kaspersky Security Center is provided by Kaspersky Security management plug-ins.
Network Agent, a component of Kaspersky Security Center, facilitates interaction between the Kaspersky Security solution and Kaspersky Security Center, and also provides the ability to manage Kaspersky Security solution components via Kaspersky Security Center.
Network Agent must be installed on each virtual machine that needs to be protected using the Kaspersky Security solution. Network Agent does not need to be installed on SVMs because this component is included in the SVM images.
SVM deployment options
VMware vSphere platform
The following options are available for deploying SVMs on VMware virtual infrastructure:
- Deployment on a standalone VMware ESXi hypervisor managed by a VMware vCenter Server.
- Deployment on VMware ESXi hypervisors that are part of a cluster managed by a VMware vCenter Server.
After deployment, the SVM is automatically assigned to the hypervisor, i.e. it does not migrate to other VMware ESXi hypervisors within the cluster.
- Deployment on VMware ESXi hypervisors managed by VMware vCenter servers in Linked mode.
If you use Integration Server Console to manage the Integration Server, when deploying SVMs on VMware ESXi hypervisors, you can use the Microsoft SCVMM virtual infrastructure management server. If you use Integration Server Web Console or the REST API to manage the Integration Server, connecting to Microsoft SCVMM is not supported.
XenServer platform
The following SVM deployment options are available on a XenServer virtual infrastructure:
- Deployment on a standalone XenServer hypervisor
- Deployment on a hypervisor that is part of a XenServer hypervisor pool.
An SVM can be deployed in the local storage of the hypervisor or in the shared storage of a XenServer hypervisor pool.
After startup, an SVM deployed in shared storage is run on the hypervisor within the XenServer hypervisor pool that has the most resources and/or is under the least load. If a key with a limitation on the number of processor cores has been installed on an SVM, the number of processor cores on the hypervisor the SVMs are running on is considered when checking the license restrictions.
Microsoft Hyper-V platform
The following options are available for deploying SVMs on Microsoft Hyper-V virtual infrastructure:
- Deployment on a standalone Microsoft Windows Server (Hyper-V) hypervisor.
- Deployment on Microsoft Windows Server (Hyper-V) hypervisors that are part of a hypervisor cluster managed by the Windows Failover Clustering service.
During deployment of an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, all files required for operation of the SVM are stored in a separate folder. This folder is assigned the same name as the SVM.
If you use Integration Server Console to manage the Integration Server, when deploying SVMs on Microsoft Windows Server (Hyper-V) hypervisors, you can use the Microsoft SCVMM virtual infrastructure management server. If you use Integration Server Web Console or the REST API to manage the Integration Server, connecting to Microsoft SCVMM is not supported.
KVM platform
SVM deployment on a standalone KVM hypervisor is supported.
Proxmox VE platform
SVM deployment on a standalone Proxmox VE hypervisor is supported.
Basis platform
SVM deployment on R-Virtualization hypervisors included in a hypervisor cluster managed by a Basis.vControl server is supported.
Skala-R platform
SVM deployment on R-Virtualization hypervisors that are part of a hypervisor cluster managed by a Skala-R Management server is supported.
HUAWEI FusionSphere platform
The following options are available for deploying SVMs on HUAWEI virtual infrastructure:
- Deployment on a standalone HUAWEI FusionCompute CNA hypervisor managed by a HUAWEI FusionCompute VRM server.
- Deployment on HUAWEI FusionCompute CNA hypervisors that are part of a cluster managed by a HUAWEI FusionCompute VRM server.
Nutanix Acropolis platform
The following options are available for deploying SVMs on Nutanix Acropolis virtual infrastructure:
- Deployment on Nutanix AHV hypervisors that are a part of a hypervisor cluster managed by a Nutanix Prism Element server.
- Deployment on Nutanix AHV hypervisors that are a part of a hypervisor cluster managed by a Nutanix Prism Element server that is managed by Nutanix Prism Central.
OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform
SVMs are deployed on hypervisors used within .
ALT Virtualization Server platform
An SVM can be deployed on a standalone hypervisor of the ALT Virtualization Server platform.
Astra Linux Platform
SVM deployment on a standalone KVM hypervisor running on the Astra Linux Platform is supported.
Numa vServer platform
SVM deployment on a standalone Numa vServer hypervisor is supported.
Connecting Light Agent to SVM
For the Kaspersky Security solution to function, constant interaction between the Light Agent and the Protection Server is required. If there is no connection to the Protection Server, the Light Agent cannot transfer file fragments to the Protection Server for scanning, and scanning is not performed. If Light Agent loses a connection to the Protection Server for more than 5 minutes while running scan tasks, the scan tasks stop and return an error.
To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed.
Light Agent can only connect to an SVM whose version is compatible with the Light Agent version.
To connect to an SVM, Light Agent must receive information about the SVMs to which a connection can be made. Light Agent selects an available SVM that is optimal for connection according to the SVM selection algorithm.
Regardless of the algorithm used in selecting SVMs, Light Agents also take into account the following parameters:
- Availability of a valid license (a license key that is not in the denylist is added to the SVM, and the license associated with the key has not expired). Light Agent first connects to the SVM on which the solution is activated (the key is added).
- Type of the license key added to the SVM. If you use a licensing scheme based on the number of virtual machines protected by the solution (server keys and desktop keys), the Light Agent first connects to the SVM on which the key type matches the operating system installed on the virtual machine with the Light Agent.
- Protecting the connection between the Light Agent and the Protection Server. A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Light Agent and the Protection Server is allowed.
- SVM connection tags. If a tag is assigned to a Light Agent, the Light Agent can only connect to SVMs that are configured to use that connection tag.
The ability to connect the Light Agent to the SVM also depends on the settings for downloading updates to the SVM, which are specified in the policy for the Protection Server. Only Light Agents for which database updates are downloaded to this SVM can connect to the SVM.
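The connection conditions listed above can be checked against an inventory before rollout, so that a Light Agent with no reachable SVM is found before its status turns Critical. The following is an added example, not Kaspersky code and not the product's SVM selection algorithm: the class names, field names, version labels, and sample inventory are constructed, version compatibility is not modeled, and two points the page leaves open are treated as assumptions (a Light Agent without a tag is not restricted by tags, and an SVM without a server or desktop key has no key-type preference).

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Svm:
    name: str
    license_valid: bool        # key added, not in the denylist, license not expired
    key_type: Optional[str]    # "server", "desktop", or None for other licensing schemes
    encryption_enabled: bool   # channel encryption enabled on the SVM
    allow_insecure: bool       # unsecure connections are additionally allowed
    tags: frozenset = frozenset()         # connection tags the SVM is configured to use
    updates_for: frozenset = frozenset()  # Light Agent versions whose updates the SVM downloads


@dataclass(frozen=True)
class LightAgent:
    name: str
    version: str               # constructed label, e.g. "KESL 12.2"
    os_kind: str               # "server" or "desktop"
    protection_enabled: bool   # connection protection enabled on the Light Agent
    tag: Optional[str] = None


def channel_compatible(agent: LightAgent, svm: Svm) -> bool:
    """Connection protection on the agent must match what the SVM accepts."""
    if agent.protection_enabled:
        return svm.encryption_enabled
    return (not svm.encryption_enabled) or svm.allow_insecure


def rejection_reasons(agent: LightAgent, svm: Svm) -> list:
    """Return the hard conditions that stop this agent from using this SVM."""
    reasons = []
    if not channel_compatible(agent, svm):
        reasons.append("channel")
    # Assumption: only an agent that has a tag is restricted by tags.
    if agent.tag is not None and agent.tag not in svm.tags:
        reasons.append("tag")
    if agent.version not in svm.updates_for:
        reasons.append("updates")
    return reasons


def candidates(agent: LightAgent, svms: list) -> list:
    """Eligible SVM names, ordered by the two 'first connects to' preferences."""
    eligible = [s for s in svms if not rejection_reasons(agent, s)]

    def preference(svm: Svm):
        # Assumption: key_type None means no server/desktop preference applies.
        mismatch = svm.key_type is not None and svm.key_type != agent.os_kind
        return (not svm.license_valid, mismatch)

    # sorted() is stable, so equally preferred SVMs keep their inventory order.
    return [s.name for s in sorted(eligible, key=preference)]


def audit(agents: list, svms: list) -> dict:
    """Map each agent that has no eligible SVM to the reasons per SVM."""
    gaps = {}
    for agent in agents:
        if not candidates(agent, svms):
            gaps[agent.name] = {s.name: rejection_reasons(agent, s) for s in svms}
    return gaps


# Constructed sample inventory.
SVMS = [
    Svm("svm-a", True, "server", True, False,
        frozenset({"dmz"}), frozenset({"KESL 12.2", "KES 12.9"})),
    Svm("svm-b", True, "desktop", True, True,
        frozenset(), frozenset({"KES 12.8", "KES 12.9"})),
    Svm("svm-c", False, "server", False, False,
        frozenset(), frozenset({"KESL 12.2", "KES 12.8"})),
]
AGENTS = [
    LightAgent("web01", "KESL 12.2", "server", True, "dmz"),
    LightAgent("vdi07", "KES 12.9", "desktop", True),
    LightAgent("legacy03", "KES 12.8", "server", False),
    LightAgent("db02", "KESL 12.2", "server", False, "pci"),
]

if __name__ == "__main__":
    for a in AGENTS:
        print(a.name, "->", candidates(a, SVMS))
    print("no eligible SVM:", audit(AGENTS, SVMS))
```

In the sample, db02 ends up with no eligible SVM because its tag is not configured on any SVM, which is the kind of gap that would otherwise show up only as a Critical status after deployment.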
Keep in mind that the scope of functionality available on the Light Agent depends on the license under which the solution is activated on the SVM:
- If you want to use the Light Agent functionality included in the Enterprise license, you need to connect the Light Agent to an SVM on which the solution is activated under the Enterprise license. When connecting to an SVM on which the solution is activated under a Standard license, less functionality is available on the Light Agent.
- If you want to use additional Light Agent functionality (for example, integration with the Kaspersky Detection and Response solution or integration with Kaspersky Unified Monitoring and Analysis Platform), you need to connect the Light Agent to an SVM on which the solution is activated under a license that includes this additional functionality, or to an SVM for which a separate license key for activating the additional functionality has been added. When a Light Agent is disconnected from the current SVM and connects to an SVM on which additional functionality has not been activated, the functionality becomes unavailable on the Light Agent.
To prevent Light Agents from switching between SVMs with different license types, you can use connection tags or a list of SVMs available for connection to limit the number of SVMs available to a Light Agent.
You can get information about the status of the Light Agent's connection to the SVM in the following ways:
- For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --svm-info. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
- For Light Agent for Windows:
- in the local interface of Kaspersky Endpoint Security for Windows
- using the Kaspersky Endpoint Security for Windows command avp.com SVMINFO.
For details, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
The lack of a connection between Light Agent and an SVM is communicated in Kaspersky Security Center through the status of the host device: if the connection to an SVM is not established, the status of the protected virtual machine changes to Critical. Information about the loss and restoration of the connection of the Light Agent and SVM is saved as events in Kaspersky Security Center.
We do not recommend using live snapshots of virtual machines taken on a running guest OS for SVMs and virtual machines with Light Agent for Linux installed. Restoring from such snapshots results in loss of the connection between Light Agents and the SVMs and degrades the performance of the virtual infrastructure. You can use virtual machine snapshots taken on a running guest OS only if the "Notify only" mode is enabled in the Light Agent settings. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
About SVM discovery
Light Agent can discover SVMs running on the network in one of the following ways:
- Using the Integration Server. SVMs relay information about themselves to the Integration Server. The Integration Server compiles a list of SVMs available for connection, and sends this list to Light Agents.
In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can limit the size of the list of SVMs available for connection that the Integration Server relays to Light Agents. The Integration Server can transfer information only about the limited number of available SVMs, which you specified in the Integration Server configuration file.
To use this method of SVM discovery, you must connect SVMs and Light Agents to the Integration Server.
- With the use of the list of SVM addresses. You can specify a list of SVM addresses to which Light Agents can connect.
If the extended SVM selection algorithm is used for the Light Agent, and large infrastructure protection mode is enabled on the SVMs, it is recommended to select the Integration Server as the method for Light Agents to discover SVMs.
Each Light Agent can only use one of two possible SVM detection methods.
You can configure SVM detection settings for Light Agents in the following ways:
- For Light Agent for Linux: in the policy for Kaspersky Endpoint Security for Linux
- For Light Agent for Windows:
- in the policy for Kaspersky Endpoint Security for Windows
- in the local interface of Kaspersky Endpoint Security for Windows
About the SVM selection algorithms
Light Agents can apply one of the following SVM selection algorithms for connection:
You can specify which SVM selection algorithm the Light Agents will use, and configure the settings for using the extended SVM selection algorithm.
About data processing
During their operation, Kaspersky Security solution components may save and send to other solution components and to other Kaspersky applications the following information that may contain personal and confidential data:
- While deploying the SVM and editing SVM settings, the SVM Management Wizard or the Integration Server (also when using the Integration Server REST API) sends the root and klconfig passwords configured by the user to the SVM.
- To make the installation and operation of the solution possible, the SVM Management Wizard and the Integration Server (also when using the Integration Server REST API) receive information about the virtual infrastructure, save it, and transmit it between each other and to the Protection Server. The transmitted data can contain names of the virtual machines, IP-addresses or names of the hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices, as well as account settings for connecting to virtual infrastructure.
- The Protection Server sends the Kaspersky Security Center Administration Server a list of Light Agents connected to the SVM. The transmitted information may include the name of the protected virtual machine, the BIOS ID of the protected virtual machine, and the path to it in the virtual infrastructure.
- The Integration Server Console sends the Integration Server the data necessary for configuring the solution's operating settings. The transmitted data can contain addresses of hypervisors, virtual infrastructure administration servers, or cloud infrastructure microservices, as well as account settings for connecting to virtual infrastructure. If the solution is installed in an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, the address and settings of the accounts used to connect to VMware NSX Manager may also be sent.
- Light Agent sends the following data to the Protection Server:
- To activate the Light Agent: the validity term of the license key status confirmation; the ID (BIOS ID) of the protected virtual machine; information about the license that the Light Agent needs to work.
- To update the Light Agent databases: software identifier obtained from the license; full version of the software; software license identifier; software installation identifier (PCID); processed web address; license type; identifier of the update start.
- To provide protection, while scan tasks are running: information that is necessary for scanning objects. The transmitted information may include the names of files and paths to them in the file system, the checksums of files, web addresses, and the scanned objects or their fragments.
- To obtain statistics: OS version of the protected virtual machine; localization of the Light Agent; names of the active Light Agent components; ID (BIOS ID) of the protected virtual machine.
- To get information that is used when selecting an SVM for connection, the Light Agent sends the identifier of the protected virtual machine to the Integration Server and the Protection Server.
- In an infrastructure managed by a VMware vCenter Server and VMware NSX Manager, Light Agents and the Protection Server may send the Integration Server information about security tags that are assigned to a protected virtual machine upon detection of viruses, malware, or activity that is typical of network attacks. The IDs of protected virtual machines are also sent.
- The Protection Server and Light Agent receive the operating settings specified using policies from the Kaspersky Security Center Administration Server. The transmitted information may include the paths to files and registry keys, web addresses, IP addresses of the Integration Server and SVMs, settings for connecting SVMs and Light Agents to the Integration Server, public and private keys of SVMs, and the public key of the Integration Server.
- When using the solution in multitenancy mode, the Integration Server receives information about tenants and their virtual machines via the Integration Server REST API and stores it in the database. The following data may be sent: tenant name, identifier, and description, and other information about the tenant specified by the service provider's administrator; identifier of a tenant's virtual machine; account settings for connecting to a virtual Kaspersky Security Center Administration Server configured for the tenant; identifier of virtual Kaspersky Security Center Administration Server. The Integration Server may send information stored in the database about tenants and tenant virtual machines to the Integration Server Console for display or upon request to the Integration Server REST API.
- When using the solution in multitenancy mode, the information necessary for generating tenant protection reports may be sent to the Protection Server from Light Agents, and from the Protection Server to the Integration Server. The following may be transmitted: IDs of the SVM and the protected virtual machine, time periods when the Light Agent was connected to the SVM.
- When using the application in multitenancy mode, the Integration Server sends to Kaspersky Security Center Administration Server the information required to create a tenant protection infrastructure: tenant name, account settings for connecting to the virtual Kaspersky Security Center Administration Server, and operating settings specified using policies, including IP addresses of the Integration Server and SVMs.
- During the execution of tasks, the Protection Server and Light Agent send information about the task settings and results to the Kaspersky Security Center Administration Server. The transmitted information may include the user name and password indicated in the task settings for the user account used to run the task.
- To generate reports and events, the Protection Server and Light Agents send information about the operation of the solution to Kaspersky Security Center Administration Server. The transmitted information may include user names, names of processed files and paths to them in the file system, and processed web addresses.
- While activating the solution, the Protection Server receives from the Kaspersky Security Center Administration Server and saves license information, including information about the client to which the license was issued, and the number of the license specified in the license certificate. After activation, the Protection Server sends to the Kaspersky Security Center Administration Server information about the license that was used to activate the solution; this is done to keep track of license limits and generate a report about license key usage. The Protection Server also sends information about the license that was used to activate the solution to the Light Agent; this is done to activate the Light Agent.
For a description of the data that applications running in Light Agent mode can transmit to other Kaspersky applications, see the Help for the relevant application.
The specified information is transmitted over encrypted data channels (except for the information necessary for scanning objects, and the information that is used when selecting SVMs). The connection between Light Agents and Protection Servers is not encrypted by default. You can enable encryption of the data channel between the Light Agents and the Protection Servers in the solution settings.
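As an added example (not part of the Kaspersky documentation), the Python audit below compares firewall allow rules for Light Agent to SVM traffic with the ports this Help lists for protected and unprotected connections, so that a policy with connection protection enabled is not undermined by leftover rules for the unprotected ports. The rule format, the zone names light-agents, svm and admins, and the sample rules are assumptions constructed for illustration.

```python
"""Audit firewall allow rules for Light Agent -> SVM traffic.

Added example, not Kaspersky code. Port numbers come from the "Ports used by
solution components" table; the rule format and zone names are assumptions.
"""
from typing import NamedTuple

# (protocol, port) -> (purpose, connection mode that uses the port)
SVM_FLOWS = {
    ("udp", 8000): ("SVM status information", "any"),
    ("tcp", 80): ("database and module updates", "any"),
    ("tcp", 11111): ("service requests", "unprotected"),
    ("tcp", 11112): ("service requests", "protected"),
    ("tcp", 9876): ("file scan requests", "unprotected"),
    ("tcp", 9877): ("file scan requests", "protected"),
}

# Constructed sample in a hypothetical format: allow <proto> <src> <dst> <ports>
SAMPLE_RULES = """\
allow tcp light-agents svm 80
allow udp light-agents svm 8000
allow tcp light-agents svm 9876-9877   # range also opens the unprotected scan port
allow tcp light-agents svm 11111
allow tcp light-agents svm 22          # not a Light Agent -> SVM port in the table
allow tcp admins svm 22
"""


class Rule(NamedTuple):
    proto: str
    src: str
    dst: str
    ports: frozenset


def parse_ports(spec):
    """Expand '80', '9876-9877' or '80,11112' into a frozenset of port numbers."""
    ports = set()
    for part in spec.split(","):
        low, _, high = part.partition("-")
        first, last = int(low), int(high or low)
        if not 0 < first <= last <= 65535:
            raise ValueError(f"bad port specification: {part!r}")
        ports.update(range(first, last + 1))
    return frozenset(ports)


def parse_rules(text):
    """Parse allow rules; '#' starts a comment, other actions are ignored."""
    rules = []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"line {number}: expected 5 fields, got {len(fields)}")
        action, proto, src, dst, ports = fields
        if action == "allow":
            rules.append(Rule(proto.lower(), src, dst, parse_ports(ports)))
    return rules


def audit(rules, protection_enabled, src="light-agents", dst="svm"):
    """Compare what the rules open between src and dst with what the mode needs."""
    mode = "protected" if protection_enabled else "unprotected"
    allowed = {(r.proto, p) for r in rules
               if (r.src, r.dst) == (src, dst) for p in r.ports}
    report = {"missing": [], "other_mode": [], "not_in_table": []}
    for (proto, port), (purpose, used_in) in sorted(SVM_FLOWS.items()):
        needed = used_in in ("any", mode)
        is_open = (proto, port) in allowed
        if needed and not is_open:
            report["missing"].append(f"{port}/{proto} ({purpose})")
        elif is_open and not needed:
            # Open port that belongs to the connection mode not in use.
            report["other_mode"].append(f"{port}/{proto} ({purpose})")
    report["not_in_table"] = [f"{port}/{proto}"
                              for proto, port in sorted(allowed - set(SVM_FLOWS))]
    return report


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for enabled in (True, False):
        print("connection protection enabled:", enabled)
        for finding, items in audit(parsed, enabled).items():
            print(f"  {finding}: {items}")
```

With connection protection enabled, entries under other_mode are allow rules that still permit the unprotected service-request and file-scan ports.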
Preparing to install the solution
Before installing the Kaspersky Security solution, you need to do the following.
General preparations
- Install one of the supported versions of Kaspersky Security Center.
- Check the virtual infrastructure components' compliance with the hardware and software requirements of the Kaspersky Security solution.
- Prepare the files required for installing the solution.
- Make sure that only secure cryptographic algorithms, cipher suites, and protocols are used on the devices where the solution components and virtual infrastructure objects are installed, to which the Integration Server connects.
- Make sure that the settings of the network equipment or software controlling traffic between virtual machines allow network traffic to pass through the ports used during installation and operation of the solution.
- Make sure that you have configured the settings of the accounts that are required for installation and operation of the solution.
- If the network uses dynamic IP addressing, ensure the capability to route network traffic from the SVM to the device on which the Kaspersky Security Center Administration Server is installed.
- Install the latest Windows updates on devices where the Windows-based Integration Server, Integration Server Console and MMC-based management plug-ins will be installed.
- If you want virtual machines on which the Kaspersky Security components are installed to be automatically moved into administration groups after installation of the components, create the administration groups in the Kaspersky Security Center Administration Console and configure rules for automatically moving the virtual machines to administration groups.
Preparing to install Light Agent for Linux on virtual machines
Before you start installing Light Agent for Linux, you need to do the following:
- Check that the virtual machines you plan to protect meet the hardware and software requirements of the Kaspersky Endpoint Security for Linux application, which is used as the Light Agent for Linux, and install the packages and utilities required for the application to work.
- Prepare to install Kaspersky Endpoint Security for Linux in Light Agent mode. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
Preparing to install Light Agent for Windows on virtual machines
Before you start installing Light Agent for Windows, you need to do the following:
- Check that the virtual machines you plan to protect meet the hardware and software requirements of the Kaspersky Endpoint Security for Windows application, which is used as the Light Agent for Windows, and install the packages and utilities required for the application to work.
- Prepare to install Kaspersky Endpoint Security for Windows in Light Agent mode. For details, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
For Light Agent for Windows to be compatible with some virtualization solutions, additional steps are required during installation.
Additional steps for Microsoft Hyper-V platform
In a virtual infrastructure on the Microsoft Hyper-V platform, you also need to perform the following steps before installing the Kaspersky Security solution:
- Ensure that the Integration Services package is installed on virtual machines that you want to protect.
- Ensure that the ADMIN$ shared network resource is enabled on the hypervisor. To enable the ADMIN$ shared network resource on Microsoft Windows Server 2012 R2 Hyper-V hypervisors, a File Server role must be assigned in advance using the server configuration wizard.
- Ensure that the drive where the ADMIN$ shared network resource is located has enough space for the SVM image. During installation of the Protection Server component, the SVM image is copied to the ADMIN$ shared network resource and then moved to the folder specified during SVM deployment.
- Ensure that hypervisors that are not included in Active Directory domain have Windows Remote Management (WinRM) Ver. 3.0 installed. Windows Remote Management (WinRM) version 3.0 is included in the Windows Management Framework 3.0 installation package that can be downloaded from the Microsoft website.
- If you want to use a domain account to connect the Integration Server to the hypervisor, make sure that the following conditions are met:
- Integration Server is able to determine the hypervisor address using the domain name service (DNS) of the domain of the hypervisor on which the SVM is deployed.
- The DNS server has forward and reverse records for the Integration Server.
- Zones containing records about the Integration Server and the hypervisor on which the SVM is deployed are integrated with Active Directory.
- The device from which SVM deployment is performed is able to resolve the names of hypervisors on which the SVM is deployed.
- If you want the hypervisor user name and password, which were specified during installation of the SVM, to be encrypted when transmitted, you can use an SSL certificate to configure a secure connection between the hypervisor on which the SVM will be deployed and the device where the Kaspersky Security Center Administration Console is installed.
Additional Steps for VMware vSphere platform
In a virtual infrastructure on the VMware vSphere platform, you also need to perform the following steps before installing the Kaspersky Security solution:
- Make sure that the VMware Tools kit is installed on the virtual machines that you want to protect.
- If a proxy server is used to connect the device hosting the Kaspersky Security Center Administration Console to the VMware vCenter Server, make sure that the virtual machines are available via the proxy server.
Additional steps for the XenServer platform
In the virtual infrastructure on the XenServer platform, before installing the Kaspersky Security solution, make sure that the XenTools package is installed on the virtual machines that you want to protect.
Additional steps for Proxmox VE platform
In a virtual infrastructure on the Proxmox VE platform, make sure that there is at least 30 GB of free space in the /var/tmp directory before installing the Kaspersky Security solution.
Additional steps for HUAWEI FusionSphere platform
In the virtual infrastructure on the HUAWEI FusionSphere platform, before installing the Kaspersky Security solution, make sure that HUAWEI Tools is installed on the virtual machines that you want to protect.
While deploying an SVM in a virtual infrastructure based on the HUAWEI FusionSphere platform, the SVM Management Wizard installs the HUAWEI Tools package on the SVM. To receive this package, the Wizard queries the HUAWEI FusionCompute hypervisor. The HUAWEI Tools package is not included in the Kaspersky Security solution's distribution kit. It is recommended to make sure that the HUAWEI Tools package is available on the HUAWEI FusionCompute hypervisor.
Additional steps for Astra Linux Platform
Prior to starting installation of the solution in a virtual infrastructure running on the Astra Linux Platform, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration as follows:
- Run the following command:
$ sudo usermod -a -G kvm,libvirt,libvirt-qemu,libvirt-admin <user_name>
- Open the sudoers configuration file by running the following command:
sudo visudo
- Specify the following in the file:
<user name> ALL = (ALL) NOPASSWD: ALL
<user name> refers to the name of the user account that will be used to connect to the virtual infrastructure during SVM deployment, removal and reconfiguration.
- Save the sudoers file and then close it.
Files required for installing the solution
Before you begin installing the Kaspersky Security solution, you need to download the files necessary for the installation and operation of the solution.
Kaspersky Security components installation wizard and the Windows-based Integration Server
The Kaspersky Security Components Installation Wizard is required for the following tasks:
- installing, updating and removing the Windows-based Integration Server and Integration Server Console
- downloading from the Kaspersky website the SVM images required for installing the Protection Server.
To start the Kaspersky Security components installation wizard, you will need the ksvla-components_<solution version number>_mlg.exe file. You can download this file from the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section (Build → Kaspersky Security Components Installation Wizard).
Linux-based Integration Server
Installation requires the ksvla-viis_<version number>-<build number>_amd64.deb package. You can download this file from the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.
SVM images
To install the Protection Server, you need an SVM image file and an image description file (a file in XML format). The Kaspersky Security distribution kit includes the following archives for installing the Protection Server in virtual infrastructures of various types:
- The ksvla-svm_microsoft-hyper-v_<solution version number>_mlg.zip file is used to install the Protection Server in a Microsoft Hyper-V infrastructure; the archive contains an SVM image in VHDX format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The ksvla-svm_xenserver_numa-vserver_<solution version number>_mlg.zip file is used to install the Protection Server in XenServer and Numa vServer infrastructures; the archive contains an SVM image in XVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The ksvla-svm_vmware-vsphere_<solution version number>_mlg.zip file is used to install the Protection Server in a VMware vSphere infrastructure; the archive contains an SVM image in OVA format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
- The archive ksvla-svm_kvm_based_<solution version number>_mlg.zip is used to install the Protection Server in the infrastructures based on KVM (Kernel-based Virtual Machine), OpenStack, VK Cloud platform, TIONIX Cloud Platform, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server and Astra Linux. The archive contains an SVM image in QCOW2 format and an image description file, ksvla-svm_manifest_<solution version number>.xml.
You can download archives containing SVM images and SVM image description files using the Kaspersky Security Components Installation Wizard. The archives are also available on the Kaspersky website in the Kaspersky Security for Virtualization | Light Agent section.
The required placement of the resulting SVM image file and image description file (XML file) depends on the SVM deployment method that you plan to use:
- If you plan to deploy using Integration Server Web Console, the SVM image file and image description file must be placed on the device where the Integration Server is installed, into a single folder that the Integration Server has read access to.
- If you plan to deploy using Integration Server Console, the SVM image file and image description file must be placed into the same folder on the device where the Kaspersky Security Center Administration Console is installed, or into the same folder on a network resource to which the user account performing the installation has read access.
Light Agent for Linux
You can download the files required to install Kaspersky Endpoint Security for Linux from the Kaspersky website in the Kaspersky Endpoint Security for Linux section. For more information about the distribution kit of Kaspersky Endpoint Security for Linux, see the application help of the relevant version.
Light Agent for Windows
You can download the files required to install Kaspersky Endpoint Security for Windows from the Kaspersky website in the Kaspersky Endpoint Security for Windows section. For more information about the distribution kit of Kaspersky Endpoint Security for Windows, see the application help of the relevant version.
Kaspersky Security Center and Kaspersky Security Center Network Agent
To install and manage the operation of the Kaspersky Security solution, you need to install Kaspersky Security Center.
For Light Agent components installed on virtual machines to interact with Kaspersky Security Center, you must install Network Agent on the virtual machines where Light Agent will be installed.
You can download the files required to install Kaspersky Security Center and Network Agent on the Kaspersky website in the Kaspersky Security Center section. For more information on installing Kaspersky Security Center, please refer to the Kaspersky Security Center Help.
Management MMC plug-ins
To manage solution components through Kaspersky Security Center Administration Console, you need to install management MMC plug-ins on the device where Kaspersky Security Center Administration Console is installed.
You can download MMC plug-in installation files from the Kaspersky website:
- You can find the klcfginst.msi installation file of the Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server MMC plug-in in the Kaspersky Security for Virtualization | Light Agent section.
- You can find the installation file of the Kaspersky Endpoint Security for Linux MMC plug-in in the Kaspersky Endpoint Security for Linux section.
- You can find the installation file of the Kaspersky Endpoint Security for Windows MMC plug-in in the Kaspersky Endpoint Security for Windows section.
To install and update MMC plug-ins, you can also use the list of Kaspersky applications in the Administration Console (Additional → Remote installation → Installation packages → Additional actions → View current versions of Kaspersky applications).
Management web plug-ins
To manage solution components via Kaspersky Security Center Web Console, you need to install management web plug-ins on the device where Kaspersky Security Center Web Console is installed.
To install web plug-ins, you can use the list of available plug-ins in the Web Console (Settings → Web plug-ins → Add) or download archives for installing management web plug-ins from the Kaspersky website:
- The ksvla-web_plugin_svm_<version number>_mlg.zip archive for installing the Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server web plug-in.
- The ksvla-web_plugin_viis_<version number>_mlg.zip archive for installing the Kaspersky Security for Virtualization 6.2 Light Agent – Integration Server web plug-in.
- Archives for installing the Kaspersky Endpoint Security for Linux web plug-in and the Kaspersky Endpoint Security for Windows web plug-in.
Downloading SVM images using the wizard
The Kaspersky Security Components Installation Wizard can download from the Kaspersky website the images necessary for deploying SVMs on hypervisors.
To download the SVM images:
- On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.
The Kaspersky Security Components Installation Wizard starts.
- Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.
By default, the localization language of the operating system installed on the device where the Wizard was started is used.
- Select the Download SVM images option and proceed to the next step of the wizard.
- Select the type of hypervisor on which you want to deploy SVMs.
The archive containing the SVM image and SVM image description file (in XML format) will begin downloading in a window of the default browser.
- After the download completes, close the wizard (using the Cancel button) or return to the step for selecting the action taken by the Kaspersky Security Components Installation Wizard (using the Back button).
Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.
Configuring the ports to use
To install and operate the solution components, in the settings of the network equipment or software used to control traffic between virtual machines, you need to open the ports described in the table below.
Ports used by solution components
Port and protocol | Direction | Purpose and description |
---|---|---|
All platforms | | |
7271 TCP | From the to the . | For sending settings for connecting to the virtual infrastructure to the Integration Server. |
7271 TCP | From the device, from which the requests are made to the Integration Server REST API, to the Integration Server. | For automating deployment and operation of the solution in multitenancy mode using the Integration Server REST API. |
22 TCP | From the SVM Management Wizard to an . | For SVM reconfiguration. |
7271 TCP | From the SVM to Integration Server. | For interaction between the Protection Server and Integration Server. |
7271 TCP | From the to the Integration Server. | For interaction between Light Agent and Integration Server. |
8000 UDP | From an SVM to the Light Agent. | For sending information about available SVMs to Light Agents using a list of SVM addresses. |
8000 UDP | From Light Agent to SVM. | To provide Light Agent with information about the status of SVM. |
11111 TCP | From Light Agent to SVM. | For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is unprotected. |
11112 TCP | From Light Agent to SVM. | For transmitting service requests (for example, to obtain license information) from the Light Agent to the Protection Server when the connection is protected. |
9876 TCP | From Light Agent to SVM. | For forwarding file scan requests from the Light Agent to the Protection Server when the connection is unprotected. |
9877 TCP | From Light Agent to SVM. | For transmitting file scan requests from the Light Agent to the Protection Server when the connection is protected. |
80 TCP | From Light Agent to SVM. | For updating databases and application modules of the solution on the Light Agent. |
15000 UDP | From Kaspersky Security Center to SVM. | For managing the Protection Server via Kaspersky Security Center. |
13000 TCP | From SVM to Kaspersky Security Center. | For managing the Protection Server via Kaspersky Security Center when the connection is protected. |
14000 TCP | From SVM to Kaspersky Security Center. | For managing the Protection Server via Kaspersky Security Center when the connection is unprotected. |
15000 UDP | From Kaspersky Security Center to Light Agents. | For managing the Light Agent via Kaspersky Security Center. |
13000 TCP | From Light Agent to Kaspersky Security Center. | For managing the Light Agent via Kaspersky Security Center when the connection is protected. |
14000 TCP | From Light Agent to Kaspersky Security Center. | For managing Light Agent via Kaspersky Security Center when the connection is unprotected. |
13111 TCP | From the SVM to the Kaspersky Security Center Administration Server. | For interaction between the Protection Server and KSN proxy server. |
17000 TCP | From the SVM to the Kaspersky Security Center Administration Server. | For interaction between the Protection Server and Kaspersky activation servers. |
123 UDP | From the SVM to NTP servers obtained via DHCP or specified manually. | Synchronizing time on the SVM with a time server. |
VMware vSphere platform | | |
80 TCP, 443 TCP | From the SVM Management Wizard to VMware vCenter Server. | To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server. |
443 TCP | From the SVM Management Wizard to an ESXi hypervisor. | To deploy the SVM on a VMware ESXi hypervisor using a VMware vCenter Server. |
80 TCP, 443 TCP | From the Integration Server to the VMware vCenter Server. | For interaction between the Integration Server and the VMware ESXi hypervisor using the VMware vCenter Server. |
Microsoft Hyper-V platform | | |
135 TCP/UDP, 445 TCP/UDP | From the SVM Management Wizard to a Microsoft Windows Server (Hyper-V) hypervisor. | To deploy an SVM on a Microsoft Windows Server (Hyper-V) hypervisor. |
135 TCP/UDP, 445 TCP/UDP, 5985 TCP, 5986 TCP | From the Integration Server to the Microsoft Windows Server (Hyper-V) hypervisor. | For interaction between the Integration Server and the Microsoft Windows Server (Hyper-V) hypervisor. |
XenServer platform | | |
80 TCP, 443 TCP | From the SVM Management Wizard to the XenServer hypervisor. | To deploy the SVM on a XenServer hypervisor. |
80 TCP, 443 TCP | From the Integration Server to the XenServer hypervisor. | For interaction between the Integration Server and the XenServer hypervisor. |
KVM platform | | |
22 TCP | From the SVM Management Wizard to a KVM hypervisor. | To deploy the SVM on a KVM hypervisor. |
22 TCP | From the Integration Server to the KVM hypervisor. | For interaction between the Integration Server and the KVM hypervisor. |
Proxmox VE platform | | |
22 TCP, 8006 TCP | From the SVM Management Wizard to a Proxmox VE hypervisor. | To deploy the SVM on a Proxmox VE hypervisor. |
8006 TCP | From the Integration Server to the Proxmox VE hypervisor. | For interaction between the Integration Server and the Proxmox VE hypervisor. |
Basis platform | | |
443 TCP | From the SVM Management Wizard to Basis.vControl. | To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl. |
22 TCP | From the SVM Management Wizard to an R-Virtualization hypervisor. | To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl. |
22 TCP | From the SVM Management Wizard to Basis.vControl. | To deploy the SVM on an R-Virtualization hypervisor using Basis.vControl. |
443 TCP | From the Integration Server to Basis.vControl. | For the Integration Server’s interaction with an R-Virtualization hypervisor using Basis.vControl. |
Skala-R platform | | |
443 TCP | From the SVM Management Wizard to Skala-R Management. | To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management. |
22 TCP | From the SVM Management Wizard to an R-Virtualization hypervisor. | To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management. |
22 TCP | From the SVM Management Wizard to Skala-R Management. | To deploy an SVM on the R-Virtualization hypervisor using Skala-R Management. |
443 TCP | From the Integration Server to Skala-R Management. | For the Integration Server’s interaction with an R-Virtualization hypervisor using Skala-R Management. |
HUAWEI FusionSphere platform | | |
7443 TCP | From the SVM Management Wizard to the HUAWEI FusionCompute VRM. | To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
8779 TCP | From the SVM Management Wizard to a HUAWEI FusionCompute CNA hypervisor. | To deploy an SVM on a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
7443 TCP | From the Integration Server to the HUAWEI FusionCompute VRM. | For interaction between the Integration Server and a HUAWEI FusionCompute CNA hypervisor using the HUAWEI FusionCompute VRM. |
Nutanix Acropolis platform |
||
9440 TCP |
From the SVM Management Wizard to Nutanix Prism Central. |
To deploy the SVMs on Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Central. |
9440 TCP |
From the SVM Management Wizard to Nutanix Prism Element. |
To deploy the SVMs on Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Element. |
9440 TCP |
From the Integration Server to Nutanix Prism Central. |
For interaction between the Integration Server and Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Central. |
9440 TCP |
From the Integration Server to Nutanix Prism Element. |
For interaction between the Integration Server and Nutanix AHV hypervisor in the infrastructure managed by Nutanix Prism Element. |
OpenStack platform |
||
5000 TCP |
From the SVM Management Wizard to the Keystone microservice. |
To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
8774 TCP |
From the SVM Management Wizard to the Compute (Nova) microservice. |
To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
8776 TCP |
From the SVM Management Wizard to the Cinder microservice. |
To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
9292 TCP |
From the SVM Management Wizard to the Glance microservice. |
To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
9696 TCP |
From the SVM Management Wizard to the Neutron microservice. |
To deploy the SVM on a KVM hypervisor running on the OpenStack platform. |
5000 TCP |
From the Integration Server to the Keystone microservice. |
For the Integration Server’s interaction with the OpenStack platform. |
8774 TCP |
From the Integration Server to the Compute (Nova) microservice. |
For the Integration Server’s interaction with the OpenStack platform. |
VK Cloud platform |
||
5000 TCP |
From the SVM Management Wizard to the Keystone microservice. |
To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
8774 TCP |
From the SVM Management Wizard to the Compute (Nova) microservice. |
To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
8776 TCP |
From the SVM Management Wizard to the Cinder microservice. |
To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
9292 TCP |
From the SVM Management Wizard to the Glance microservice. |
To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
9696 TCP |
From the SVM Management Wizard to the Neutron microservice. |
To deploy the SVM on a KVM hypervisor running on the VK Cloud platform. |
5000 TCP |
From the Integration Server to the Keystone microservice. |
For interaction of the Integration Server with the VK Cloud platform. |
8774 TCP |
From the Integration Server to the Compute (Nova) microservice. |
For interaction of the Integration Server with the VK Cloud platform. |
TIONIX Cloud Platform |
||
5000 TCP |
From the SVM Management Wizard to the Keystone microservice. |
To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
8774 TCP |
From the SVM Management Wizard to the Compute (Nova) microservice. |
To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
8776 TCP |
From the SVM Management Wizard to the Cinder microservice. |
To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
9292 TCP |
From the SVM Management Wizard to the Glance microservice. |
To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
9696 TCP |
From the SVM Management Wizard to the Neutron microservice. |
To deploy the SVM on a KVM hypervisor running on TIONIX Cloud Platform. |
5000 TCP |
From the Integration Server to the Keystone microservice. |
For interaction of the Integration Server with TIONIX Cloud Platform. |
8774 TCP |
From the Integration Server to the Compute (Nova) microservice. |
For interaction of the Integration Server with TIONIX Cloud Platform. |
ALT Virtualization Server platform |
||
22 TCP |
From the SVM Management Wizard to a hypervisor. |
To deploy the SVM on a basic hypervisor of the ALT Virtualization Server platform. |
22 TCP |
From the Integration Server to a hypervisor. |
For the Integration Server to interact with a basic hypervisor of the ALT Virtualization Server platform. |
Astra Linux Platform |
||
22 TCP |
From the SVM Management Wizard to a hypervisor. |
To deploy the SVM on a KVM hypervisor running on the Astra Linux platform. |
22 TCP |
From the Integration Server to a hypervisor. |
For interaction between the Integration Server and a KVM hypervisor running on the Astra Linux platform. |
Numa vServer platform |
||
80 TCP 443 TCP |
From the SVM Management Wizard to the Numa vServer hypervisor. |
To deploy the SVM on a Numa vServer hypervisor. |
80 TCP 443 TCP |
From the Integration Server to the Numa vServer hypervisor. |
For interaction between the Integration Server and the Numa vServer hypervisor. |
If you use the XenServer hypervisor or VMware ESXi hypervisor, and promiscuous mode is enabled on the network adapter of the guest operating system of the virtual machine, the guest operating system receives all Ethernet frames passing through the virtual switch, if this is allowed by the VLAN policy. This mode may be used to monitor and analyze traffic in the network segment that the SVM and protected virtual machines are operating in. If you have not configured a secure connection between the SVM and the protected virtual machines, traffic between the SVM and the protected virtual machines is not encrypted and is transmitted as plaintext. For security purposes, it is not recommended to use promiscuous mode in network segments that have a running SVM. If you need to use this mode (for example, for monitoring traffic using external virtual machines to detect attempts at unauthorized network access or to correct network failures), you need to configure the appropriate restrictions to protect traffic between the SVM and the protected virtual machines from unauthorized access.
Accounts for installing and using the solution
General account requirements
To install the Kaspersky Security management MMC plug-ins and the Integration Server, an account that belongs to the local administrator group on the device where installation is being performed must be used.
The following accounts can be used to start the Integration Server Console:
- If you plan to use Kaspersky Security Center Administration Console to manage the Kaspersky Security solution and the device hosting Kaspersky Security Center Administration Console belongs to the Microsoft Windows domain, you can use an account that belongs to the local or domain KLAdmins group or an account that belongs to the local administrator group to start the Integration Server Console. You can also use the Integration Server administrator account created when installing the Integration Server.
- If you plan to use Kaspersky Security Center Web Console to manage the Kaspersky Security solution, or the device on which Kaspersky Security Center Administration Console is installed is not a member of a Microsoft Windows domain or your account is not a member of the local or domain KLAdmins group or the local administrator group, you can only start the Integration Server Console using the Integration Server administrator account that was created when installing the Integration Server.
VMware vSphere platform
The following accounts are required to install and operate the solution on a VMware vSphere infrastructure:
- An administrator account with the following rights is required to deploy, delete, or reconfigure an SVM:
  - Datastore.Allocate space
  - Datastore.Low level file operations
  - Datastore.Remove file
  - Global.Cancel task
  - Global.Licenses
  - Host.Config.Virtual machine autostart configuration
  - Host.Inventory.Modify cluster
  - Network.Assign network
  - Tasks.Create task
  - vApp.Import
  - Virtual machine.Change configuration.Add new disk (only for VMware vCenter Server 7.0)
  - VirtualMachine.Config.Memory
  - Virtual machine.Interaction.Power Off
  - Virtual machine.Interaction.Power On
- To connect the Integration Server to the VMware vCenter Server, it is recommended to use an account that has been assigned the preset system role ReadOnly.
- Connection of the Integration Server to VMware NSX Manager requires a VMware NSX Manager account that has been assigned the Enterprise Administrator role.
Roles should be assigned to accounts at the top level of the hierarchy of VMware inventory objects, that is, at the level of VMware vCenter Server.
Microsoft Hyper-V platform
To deploy, remove, or reconfigure an SVM on a Microsoft Windows Server (Hyper-V) hypervisor, a built-in local administrator account or domain account that belongs to the Hyper-V Administrators group is required. For a domain account, you must also grant permissions for remote connection and use of the following WMI namespaces:
- root\cimv2
- root\MSCluster
- root\virtualization
- root\virtualization\v2 (for versions of Microsoft Windows server operating systems, beginning with Windows Server 2012 R2)
A built-in local administrator account or domain account that belongs to the Hyper-V Administrators group and has the permissions listed above is also used to connect the Integration Server to a Microsoft Windows Server (Hyper-V) hypervisor.
XenServer platform
The following accounts are required for installation and operation of the solution in a XenServer infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
- To connect the Integration Server to the XenServer hypervisor, we recommend using an account with the Read Only role.
KVM platform
The following accounts are required for installation and operation of the solution in a KVM infrastructure:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
- To connect the Integration Server to the KVM hypervisor, it is recommended to use an unprivileged user account with access to the "read only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Proxmox VE platform
The following accounts are required for installation and operation of the solution in a Proxmox VE infrastructure:
- To deploy, remove, or reconfigure an SVM, the root account is required.
- To connect the Integration Server to the Proxmox VE hypervisor, it is recommended to use an account that has been granted access with the PVEAuditor role to the root directory (/) and all child directories.
Basis platform, Skala-R platform
To install and operate the solution in Basis and Skala-R infrastructures, the following accounts are required:
- To deploy, remove, or reconfigure an SVM, an account with the "Main Administrator" role is required.
- To connect the Integration Server to the virtual infrastructure management server (Basis.vControl / Skala-R Management), we recommend using an account with the "Infrastructure Monitoring" role.
HUAWEI FusionSphere platform
The following accounts are required to install and operate the solution on a HUAWEI FusionSphere infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with the VMManager role is required.
- To connect the Integration Server to a HUAWEI FusionCompute VRM, it is recommended to use an account with the Auditor role.
Nutanix Acropolis platform
The following accounts are required to install and operate the solution on a Nutanix Acropolis infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with the Cluster Admin role is required.
- To connect the Integration Server to the Nutanix Prism virtual infrastructure administration server, it is recommended to use an account with the Viewer role. In the infrastructure managed by Nutanix Prism Central, an account with the Viewer role is required on the Nutanix Prism Central server and on the Nutanix Prism Element servers.
OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform
The following accounts are required to install and operate the solution in an infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform:
- An account with the following permissions is required to deploy, delete, or reconfigure an SVM. Each permission for infrastructure object operations is listed with the corresponding request to the OpenStack microservices API:
  - Keystone:
    - Authentication. Querying the state of the authentication token for the current user: auth/tokens (POST/GET)
    - Getting a list of all OpenStack domains: domains (GET)
    - Getting a list of available OpenStack projects for the current user: auth/projects (GET)
  - Compute (Nova):
    - Getting a list of virtual machines: servers/detail (GET)
    - Getting virtual machine information: servers/{server_id} (GET)
    - Getting a list of virtual machine types (instance types): flavors/detail (GET)
    - Getting information about available OpenStack project resources: limits (GET)
    - Getting a list of server groups: os-server-groups (GET)
    - Getting a list of availability zones: os-availability-zone (GET)
    - Getting a list of network interfaces of the virtual machine: servers/{server_id}/os-interface (GET)
    - Creating a network interface for the virtual machine: servers/{server_id}/os-interface (POST)
    - Creating the virtual machine: servers (POST)
    - Starting/stopping the virtual machine: servers/{server_id}/action (POST)
    - Removing a network interface of the virtual machine: servers/{server_id}/os-interface/{port_id} (DELETE)
    - Removing the virtual machine: servers/{server_id} (DELETE)
  - Cinder:
    - Getting a list of volume types: {project_id}/types (GET)
    - Getting disk information: {project_id}/volumes/{volume_id} (GET)
    - Creating the disk: {project_id}/volumes (POST)
    - Removing the disk that was created by the current user: {project_id}/volumes/{volume_id} (DELETE)
  - Glance:
    - Getting image information: images/{image_id} (GET)
    - Creating the image: images (POST)
    - Downloading the image: images/{image_id}/file (PUT)
    - Removing the image that was created by the current user: images/{image_id} (DELETE)
  - Neutron:
    - Getting a list of networks: networks (GET)
    - Getting a list of security groups: security-groups (GET)
    - Creating a network port: ports (POST)
    - Deleting a network port: ports/{port_id} (DELETE)
    - Getting the ID of a network port: ports/{port_id} (GET)
- An account with the following permissions is required to connect the Integration Server to the virtual infrastructure. Each permission for infrastructure object operations is listed with the corresponding request to the OpenStack microservices API:
  - Keystone:
    - Authentication. Querying the state of the authentication token for the current user: auth/tokens (POST/GET)
    - Getting a list of available OpenStack projects for the current user: auth/projects (GET)
  - Compute (Nova):
    - Getting a list of virtual machines: servers/detail (GET)
    - Getting virtual machine information: servers/{server_id} (GET)
    - Getting a list of server groups: os-server-groups (GET)
    - Getting a list of availability zones: os-availability-zone (GET)
    - Getting a list of hypervisors: /os-hypervisors/detail (GET). This permission is required only if you intend to apply a licensing scheme that uses the number of processors or the number of processor cores on the hypervisors on which the protected virtual machines operate.
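The two request lists above can be used as allowlists when reviewing what each service account actually does. The following is an added example, not part of the Kaspersky documentation or product: it flags logged API requests that fall outside the documented set for an account. The log tuple format, the version-prefix stripping, and all function names are assumptions of this example, and the sample log is constructed.

```python
import re

# Requests each account needs, transcribed from the lists above as
# (HTTP method, path template) per OpenStack microservice.
CONNECT = {
    "keystone": [("POST", "auth/tokens"), ("GET", "auth/tokens"),
                 ("GET", "auth/projects")],
    "nova": [("GET", "servers/detail"), ("GET", "servers/{server_id}"),
             ("GET", "os-server-groups"), ("GET", "os-availability-zone"),
             # Needed only for licensing by processors or processor cores.
             ("GET", "os-hypervisors/detail")],
}
DEPLOY = {
    "keystone": CONNECT["keystone"] + [("GET", "domains")],
    "nova": [("GET", "servers/detail"), ("GET", "servers/{server_id}"),
             ("GET", "flavors/detail"), ("GET", "limits"),
             ("GET", "os-server-groups"), ("GET", "os-availability-zone"),
             ("GET", "servers/{server_id}/os-interface"),
             ("POST", "servers/{server_id}/os-interface"),
             ("POST", "servers"), ("POST", "servers/{server_id}/action"),
             ("DELETE", "servers/{server_id}/os-interface/{port_id}"),
             ("DELETE", "servers/{server_id}")],
    "cinder": [("GET", "{project_id}/types"),
               ("GET", "{project_id}/volumes/{volume_id}"),
               ("POST", "{project_id}/volumes"),
               ("DELETE", "{project_id}/volumes/{volume_id}")],
    "glance": [("GET", "images/{image_id}"), ("POST", "images"),
               ("PUT", "images/{image_id}/file"),
               ("DELETE", "images/{image_id}")],
    "neutron": [("GET", "networks"), ("GET", "security-groups"),
                ("POST", "ports"), ("DELETE", "ports/{port_id}"),
                ("GET", "ports/{port_id}")],
}

# Assumption: logged paths may carry an API version prefix such as /v3/ or /v2.1/.
_VERSION = re.compile(r"^v\d+(\.\d+)?/")


def _normalize(path):
    """Drop the query string, surrounding slashes and a leading version segment."""
    path = path.split("?", 1)[0].strip("/")
    return _VERSION.sub("", path)


def _template_re(template):
    """Turn 'servers/{server_id}/action' into an anchored regular expression."""
    parts = [r"[^/]+" if p.startswith("{") else re.escape(p)
             for p in template.split("/")]
    return re.compile("^" + "/".join(parts) + "$")


def is_documented(profile, service, method, path):
    """True if the request matches an entry in the account's documented set."""
    path = _normalize(path)
    return any(m == method.upper() and _template_re(t).match(path)
               for m, t in profile.get(service, []))


def audit(profile, requests):
    """Return the (service, method, path) entries that exceed the profile."""
    return [r for r in requests if not is_documented(profile, *r)]


# Constructed sample log of requests attributed to one account.
SAMPLE_LOG = [
    ("keystone", "POST", "/v3/auth/tokens"),
    ("nova", "GET", "/v2.1/servers/detail?all_tenants=1"),
    ("nova", "GET", "/v2.1/servers/6f1c0c2e-constructed"),
    ("nova", "POST", "/v2.1/servers/6f1c0c2e-constructed/action"),
    ("neutron", "GET", "/v2.0/networks"),
    ("keystone", "GET", "/v3/domains"),
]

if __name__ == "__main__":
    for entry in audit(CONNECT, SAMPLE_LOG):
        print("outside the Integration Server connection set:", entry)
```
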
ALT Virtualization Server platform
The following accounts are required to install and operate the solution on an ALT Virtualization Server infrastructure:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
- To connect the Integration Server to a basic hypervisor of the ALT Virtualization Server platform, it is recommended to use an unprivileged user account with access to the "read-only" Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Astra Linux Platform
The following accounts are required for installation and operation of the solution on a KVM hypervisor running on the Astra Linux platform:
- Deploying, removing, or reconfiguring an SVM requires a root account or an account that has permission to perform actions as the root account.
  Prior to starting installation of the solution, you need to configure the account that will be used for SVM deployment, removal, and reconfiguration.
- To connect the Integration Server to a KVM hypervisor running on the Astra Linux platform, it is recommended to use an unprivileged user account with access to the read-only Unix socket (libvirt-sock-ro) of the libvirtd service (libvirtd daemon).
Numa vServer platform
The following accounts are required for installation and operation of the solution in a Numa vServer infrastructure:
- To deploy, remove, or reconfigure an SVM, an account with Pool Admin rights is required.
- To connect the Integration Server to the Numa vServer hypervisor, we recommend using an account with the Read Only role.
Configuring the use of secure cryptographic algorithms, ciphers, and protocols
If you are using a Windows-based Integration Server, to ensure the security of network connections between the Integration Server and the virtual infrastructure, we recommend configuring encryption algorithms, ciphers, and protocols listed in this section. If you are using a Linux-based Integration Server, you do not need to configure network connection security.
On devices that host the Integration Server and virtual infrastructure objects to which the Integration Server connects, we recommend using the following encryption algorithms, cipher suites, and protocols:
- Encryption algorithms: AES 256.
- Hashing algorithms:
  - SHA256.
  - SHA384.
  - SHA512.
- Key exchange algorithms:
  - Diffie-Hellman (ServerMinKeyBitLength=2048, ClientMinKeyBitLength=2048).
  - ECDH (key length at least 256, recommended elliptic curves: prime256v1, secp384r1, secp521r1, x25519).
- Protocols:
  - TLS 1.2.
  - TLS 1.3.
- Cipher suites:
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384.
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.
  - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.
  - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
  - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
  - TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256.
  - TLS_DHE_RSA_WITH_AES_256_GCM_SHA384.
  - TLS_AES_128_GCM_SHA256.
  - TLS_AES_256_GCM_SHA384.
  - TLS_CHACHA20_POLY1305_SHA256.
  - TLS_AES_128_CCM_SHA256.
If you do not have the latest versions of operating systems and hypervisors installed, problems may occur in the Integration Server's interactions with the virtual infrastructure due to incompatible cipher suites. In this case, we recommend contacting Technical Support.
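To find incompatible endpoints before restricting cipher suites, you can probe a virtual infrastructure endpoint with a client that offers only the recommended set. The following is an added example, not Kaspersky code: it builds a Python ssl client context limited to TLS 1.2 and later and to the suites listed above, then classifies what an endpoint negotiates. The IANA-to-OpenSSL name mapping and all function names are assumptions of this example; Python always offers OpenSSL's default TLS 1.3 suites in addition to the TLS 1.2 suites set here.

```python
import socket
import ssl

# TLS 1.2 suites from the list above: IANA name -> OpenSSL name used by Python.
TLS12 = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
    "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "DHE-RSA-CHACHA20-POLY1305",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384": "DHE-RSA-AES256-GCM-SHA384",
}
# TLS 1.3 suites from the list above (OpenSSL uses the IANA names directly).
TLS13 = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
}
OPENSSL_TO_IANA = {openssl: iana for iana, openssl in TLS12.items()}
OPENSSL_TO_IANA.update({name: name for name in TLS13})
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def build_context(cafile=None):
    """Client context that offers only the recommended protocols and suites."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Restricts the TLS 1.2 suites; unknown names are skipped by OpenSSL.
    ctx.set_ciphers(":".join(TLS12.values()))
    return ctx


def offered_suites(ctx):
    """IANA names of the suites this context will offer in its ClientHello."""
    return [OPENSSL_TO_IANA.get(c["name"], c["name"]) for c in ctx.get_ciphers()]


def classify(protocol, openssl_name):
    """Return (compliant, suite_name) for a negotiated protocol/suite pair."""
    iana = OPENSSL_TO_IANA.get(openssl_name)
    compliant = protocol in ALLOWED_PROTOCOLS and iana is not None
    return compliant, iana or openssl_name


def probe(host, port, cafile=None, timeout=5.0):
    """Handshake with host:port offering only the recommended set.

    Returns (True, suite) when the endpoint accepts a recommended suite and
    (False, None) when the handshake fails for lack of a common protocol or
    suite. Certificate validation errors are raised to the caller unchanged.
    """
    ctx = build_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _, _ = tls.cipher()
                return classify(tls.version(), name)
    except ssl.SSLCertVerificationError:
        raise
    except ssl.SSLError:
        return False, None


if __name__ == "__main__":
    print("\n".join(offered_suites(build_context())))
```

Pass the CA file that issued the endpoint's certificate as cafile so that the probe keeps certificate validation enabled.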
Configuring rules for moving virtual machines to administration groups
To manage the operation of Kaspersky Security solution components via Kaspersky Security Center, you need to place devices with installed Kaspersky Security components (SVMs and protected virtual machines) into administration groups.
An administration group is a set of virtual machines combined according to some criterion for the purpose of controlling the virtual machines in the group as a unified whole.
Before starting installation of the Kaspersky Security solution, you can create administration groups in Kaspersky Security Center for the SVMs and virtual machines with Light Agents, and configure rules to automatically move managed devices to these administration groups.
If rules for moving devices to administration groups are not configured, after installing the solution components, Kaspersky Security Center places devices with installed Kaspersky Security components detected on the network in the Unassigned devices list. In this case, you need to manually move SVMs and virtual machines with Light Agents into administration groups.
You can configure the rules for moving virtual machines to administration groups using the Kaspersky Security Center Administration Console or using Kaspersky Security Center Web Console (for more details, see the Kaspersky Security Center Help).
You can use tags when creating rules for moving SVMs and virtual machines with Light Agents to administration groups. SVMs and protected virtual machines on which Kaspersky Security Center Network Agent is installed automatically relay information about tags to Kaspersky Security Center.
Installing the Kaspersky Security solution
Installation of Kaspersky Security for Virtualization 6.2 Light Agent in the virtual infrastructure consists of the following stages:
- Installing the Integration Server
Depending on your infrastructure, you need to install the Windows-based Integration Server or the Linux-based Integration Server.
For the Linux-based Integration Server, connecting to virtual infrastructure based on Microsoft Hyper-V is not supported. Use the Windows-based Integration Server to install and run Kaspersky Security in an infrastructure based on the Microsoft Hyper-V platform.
If you want to use the Integration Server Console to manage the Windows-based Integration Server, you also need to install Integration Server Console on the device where Kaspersky Security Center Administration Console is installed, or on another device with a Windows operating system.
If you want to use Integration Server Web Console to manage the Integration Server, you need to install the Integration Server web plug-in. After it is installed, Integration Server Web Console will be available in Kaspersky Security Center Web Console.
- Installing Kaspersky Security management plug-ins
If you want to manage components of the Kaspersky Security solution via Kaspersky Security Center Web Console and use Integration Server Web Console, you need to install management web plug-ins on the device where Kaspersky Security Center Web Console is installed.
If you want to manage Kaspersky Security solution components using Kaspersky Security Center Administration Console, you need to install management MMC plug-ins on the device where Kaspersky Security Center Administration Console is installed.
If you are using Kaspersky Security Center Linux, you need to install the management web plug-ins. The Kaspersky Security Center Administration Console and management MMC plug-ins are not supported.
After installing the Protection Server management plug-in, it is recommended to run the Download updates to the Administration Server storage task in Kaspersky Security Center and make sure that the task completes successfully. For details, please refer to the Kaspersky Security Center help.
After installing the management plug-ins, you can create a default policy and an Update databases and solution modules task for the Protection Server using the Kaspersky Security Center Initial Configuration Wizard.
- Installing Kaspersky Security Protection Servers
The Protection Server is installed as a result of deploying SVMs on a hypervisor in a virtual infrastructure.
You can deploy SVMs in the following ways:
  - Using the Integration Server Web Console. In the Web Console, you must first configure the connection of the Integration Server to the virtual infrastructure. Then you create a task for the Integration Server, in which you specify all the necessary SVM deployment settings, and start the task. The Integration Server runs the SVM deployment task. You can monitor the task progress in Integration Server Web Console.
  - Using the Integration Server Console. In Integration Server Console, you launch the SVM Management Wizard. Following the instructions in the wizard, you configure the wizard's connection to the virtual infrastructure, enter all the necessary SVM deployment settings, and start the deployment. The Integration Server deploys the SVMs. You can monitor the deployment progress in the wizard.
  - Without using the Integration Server management consoles, using the Integration Server REST API (open a description of REST API requests).
If none of the above methods are suitable, you can deploy SVMs using the tools of the virtual infrastructure and then configure the SVM using the klconfig script API manually or using automation tools.
In an infrastructure managed by VMware vCenter Server and VMware NSX Manager, if you use Integration Server Console for SVM deployment, then after the SVM deployment is complete, you need to configure the Integration Server's connection to VMware NSX Manager. If you use Integration Server Web Console for SVM deployment, you can configure a connection to VMware NSX Manager when configuring the Integration Server's connection to the virtual infrastructure or later, using the procedure for changing connection settings.
- Preparing the Protection Servers for operation
You must follow the steps to prepare the deployed SVMs and Protection Servers for operation.
- Installing Light Agents and Kaspersky Security Center Network Agent
On each virtual machine that needs to be protected using the Kaspersky Security solution, you need to install the following:
  - On a virtual machine with the Linux operating system:
    - Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode).
    - Kaspersky Security Center Network Agent for Linux.
  - On a virtual machine with a Windows operating system:
    - Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode).
    - Kaspersky Security Center Network Agent for Windows.
To protect your VDI, you need to install Light Agent and Network Agent on your virtual machine templates.
- Preparing Light Agents for operation
You must follow the steps to prepare the installed Light Agents for operation.
Installing a Windows-based Integration Server
The procedure for installing the Windows-based Integration Server depends on which version of Kaspersky Security Center you plan to use to manage the Kaspersky Security solution:
- If you want to use Kaspersky Security Center Windows to manage the Kaspersky Security solution, you can use the Kaspersky Security Components Installation Wizard. The wizard lets you install the Windows-based Integration Server and Integration Server Console.
The Integration Server must be installed on the device on which the Administration Server of Kaspersky Security Center is installed. The Integration Server Console must be installed on the device where the Kaspersky Security Center Administration Console is installed.
- If you want to use Kaspersky Security Center Linux to manage the Kaspersky Security solution, do not use the Kaspersky Security Components Installation Wizard. The Windows-based Integration Server must be installed on a device with a Windows operating system, regardless of the location of the Kaspersky Security Center components. You can also install the Integration Server Console on a Windows device. Installation is performed manually.
The Integration Server and Integration Server Console must be installed under an account that belongs to the local administrator group.
Installation requires at least 4 GB of free space on the drive containing the %ProgramData% folder.
For successful installation of the Integration Server, in the settings of network equipment or traffic monitoring software you need to allow connections through the port that will be used by SVMs and Light Agents to connect to the Integration Server. By default, port number 7271 (TCP) is used.
Installing the Integration Server and Integration Server Console using the wizard
You can install the Integration Server and Integration Server Console by using the Kaspersky Security Components installation wizard in interactive mode or in silent mode.
The Microsoft .NET Framework 4.6.2, 4.7, or 4.8 is required for the Kaspersky Security Components Installation Wizard. You can install the Microsoft .NET Framework platform in advance, or the Kaspersky Security Component Installation Wizard will suggest installing it during the installation of Kaspersky Security solution components. Internet access is required to install Microsoft .NET Framework. If there are any problems with the installation of Microsoft .NET Framework, make sure that Windows updates KB2919442 and KB2919355 have been installed on the device.
Depending on the availability of Kaspersky Security Center components installed on the device, the following operations are performed once installation is started:
- If only Kaspersky Security Center Administration Console is installed on the device, the Integration Server Console is installed.
- If the Kaspersky Security Center Administration Server and Kaspersky Security Center Administration Console are installed on the device, the Integration Server and Integration Server Console are installed.
When you install the Integration Server, the data kept while removing the previous version of the Integration Server can be used.
After installation of the Integration Server Console is complete, in Kaspersky Security Center Administration Console, in the workspace of the Administration Server <server name> node on the Monitoring tab, the Deployment section displays a Manage Kaspersky Security for Virtualization <version number> Light Agent link (where <version number> is the number of the installed version of the Kaspersky Security solution). This link is used to start the Integration Server Console.
The procedure for installing the Integration Server as part of Kaspersky Security solution update differs from the "clean" installation procedure described in this section.
Installing in interactive mode using the wizard
To install the Integration Server and Integration Server Console in interactive mode using the wizard:
- On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.
The Kaspersky Security Components Installation Wizard starts.
- Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.
By default, the localization language of the operating system installed on the device where the Wizard was started is used.
- Make sure that the Install management components option is selected and proceed to the next step of the Wizard.
The Wizard checks the amount of free space on the drive that contains the %ProgramData% folder. If there is less than 4 GB of free space on the drive, the Wizard displays an error message and you cannot proceed to the next step of the Wizard. If this is the case, close the Wizard, free up space on the drive, and restart the Kaspersky Security Components Installation Wizard.
- In the next step, read the Kaspersky Security End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data.
To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.
Proceed to the next step of the wizard.
- Create the password of the Integration Server administrator (admin) account. The admin account is used for the following purposes:
- To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
- To connect the Integration Server Web Console to the Integration Server.
Enter a password in the Password and Confirm password fields. The account name cannot be edited.
A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters:
! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~
For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
Proceed to the next step of the wizard.
- If port 7271, which is the default port for connecting to the Integration Server, is occupied on the device where the wizard is running, the wizard will prompt you to specify a port number for connecting to the Integration Server.
In the Port field, specify a port number in the range of 1025–65535 and proceed to the next step of the Wizard.
- Review the information about the actions that the wizard will perform and click the Install button to begin performing the listed actions.
- Wait for the wizard to finish.
If an error occurs during wizard operation, the wizard rolls back the changes made.
- Click Finish to close the Wizard window.
Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.
Installing in silent mode using the wizard
Before starting installation of the Integration Server and Integration Server Console, it is recommended to close the Kaspersky Security Center Administration Console.
To install the Integration Server and Integration Server Console in silent mode using the wizard:
ksvla-components_<solution version number>_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password> [--log-path=<file path>] [--viisPort=<port number>]
where:
<solution version number> is the version number of the solution in X.X.X.X format.
-q is an option specifying that the installation is performed in silent mode. If you want to run the installation interactively from the command line, do not specify this option.
--lang=<language ID> is the identifier of the language of the components to install.
The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.
--accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement, concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data. By setting this parameter to yes, you confirm the following:
- You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
- You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.
The text of the End User License Agreement and Privacy Policy is included in the solution's distribution kit. Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for installing Integration Server and Integration Server Console.
You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:
ksvla-components_<solution version number>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy
The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.
--viisPass=<password> is the password of the Integration Server administrator account (admin). The admin account is used for the following purposes:
- To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
- To connect the Integration Server Web Console to the Integration Server.
A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters:
! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~
For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
--log-path=<path to file> is the path to the file where information about installation results is saved.
Optional parameter. By default, the installation results are logged in trace files saved at %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of the Kaspersky Security solution;
- <date and time> refers to the date and time when the installation was completed in the dd_MM_yyyy_HH_mm_ss format.
--viisPort=<port number> is the port for connecting to the Integration Server.
Optional parameter. Port number 7271 is used by default for connecting to the Integration Server. Specify this parameter if you want to use a different port to connect to the Integration Server.
To view a description of all available command line parameters for installing and updating Kaspersky Security components, use the --help parameter.
Installing the Integration Server and Integration Server Console takes some time. Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.
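Silent mode gives no interactive feedback on a rejected value, so the following pre-flight check applies the documented parameter rules before the installer is started. It is an added example, not Kaspersky code: the function names are hypothetical, and applying the 1025–65535 port range from the interactive wizard to --viisPort is an assumption.

```powershell
# Added example, not Kaspersky code: validate the silent-mode parameters
# documented above and build the installer argument list.
Set-StrictMode -Version Latest

# Special characters allowed in the admin password (copied from the list above).
$script:AllowedSpecial = '!#$%&''()*"+,-./\:;<=>_?@[]^`{|}~'
# Language IDs accepted by --lang; the comparison must be case-sensitive.
$script:LanguageIds = @('ru', 'en', 'de', 'fr', 'zh-Hans', 'zh-Hant', 'ja')

function Test-ViisPassword {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Password)

    $problems = [System.Collections.Generic.List[string]]::new()
    $warnings = [System.Collections.Generic.List[string]]::new()
    $lower = $upper = $digit = $special = $false

    # Hard limits stated on the page.
    if ($Password.Length -eq 0)  { $problems.Add('password is empty') }
    if ($Password.Length -gt 60) { $problems.Add('password is longer than 60 characters') }

    foreach ($ch in $Password.ToCharArray()) {
        $code = [int]$ch
        if     ($code -ge 97 -and $code -le 122) { $lower = $true }
        elseif ($code -ge 65 -and $code -le 90)  { $upper = $true }
        elseif ($code -ge 48 -and $code -le 57)  { $digit = $true }
        elseif ($script:AllowedSpecial.IndexOf($ch) -ge 0) { $special = $true }
        else   { $problems.Add(('character U+{0:X4} is not allowed' -f $code)) }
    }

    # Recommendations stated on the page (advisory, not enforced by this check).
    $categories = @($lower, $upper, $digit, $special | Where-Object { $_ }).Count
    if ($Password.Length -lt 8) { $warnings.Add('shorter than the advised 8 characters') }
    if ($categories -lt 3)      { $warnings.Add('uses fewer than three character categories') }
    # Practical caveat: an embedded double quote needs escaping on a Windows command line.
    if ($Password.IndexOf([char]'"') -ge 0) {
        $warnings.Add('contains a double quote, which must be escaped on the command line')
    }

    [pscustomobject]@{
        IsValid  = ($problems.Count -eq 0)
        Problems = $problems
        Warnings = $warnings
    }
}

function New-ViisSilentArgumentList {
    param(
        [Parameter(Mandatory)][string]$Language,
        [Parameter(Mandatory)][string]$Password,
        [int]$Port = 0,                      # 0 = omit --viisPort (default 7271 is used)
        [string]$LogPath,
        [switch]$AcceptEulaAndPrivacyPolicy  # the operator must opt in explicitly
    )

    if (-not $AcceptEulaAndPrivacyPolicy) {
        throw 'Read the EULA and Privacy Policy (--show-EulaAndPrivacyPolicy) and pass -AcceptEulaAndPrivacyPolicy.'
    }
    if ($script:LanguageIds -cnotcontains $Language) {
        throw "Unsupported or wrongly cased language ID: $Language"
    }
    $check = Test-ViisPassword -Password $Password
    if (-not $check.IsValid) {
        throw ('Password rejected: ' + ($check.Problems -join '; '))
    }
    foreach ($w in $check.Warnings) { Write-Warning $w }

    $argList = @('-q', "--lang=$Language", '--accept-EulaAndPrivacyPolicy=yes', "--viisPass=$Password")
    if ($LogPath) { $argList += "--log-path=$LogPath" }
    if ($Port -ne 0) {
        # Assumption: same range as the Port field of the interactive wizard.
        if ($Port -lt 1025 -or $Port -gt 65535) { throw "Port $Port is outside 1025-65535" }
        $argList += "--viisPort=$Port"
    }
    return ,$argList
}

# Constructed sample values, for illustration only.
$sample = New-ViisSilentArgumentList -Language 'en' -Password 'Ex4mple#Passw0rd' `
    -Port 7272 -AcceptEulaAndPrivacyPolicy

# The password is part of the installer's command line, so it is visible to
# process listings and process-creation auditing; mask it in anything you log.
($sample -replace '^(--viisPass=).*$', '$1********') -join ' '

# A value that fails the documented rules: the space is not an allowed character.
(Test-ViisPassword -Password 'pass word').Problems

# To run the installer with the validated arguments:
#   & .\ksvla-components_<solution version number>_mlg.exe @sample
```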
Installing manually
To install the Integration Server and Integration Server Console manually:
- Place the ksvla-components_<solution version number>_mlg.exe file (where <solution version number> is the version number of the solution in X.X.X.X format) on the Windows device. This file is included in the distribution kit.
- Extract files required for installing Integration Server and Integration Server Console by running:
ksvla-components_<solution version>_mlg.exe -layout <folder> --accept-EulaAndPrivacyPolicy=yes
where:
<solution version> is the version number of the solution in X.X.X.X format.
<folder> is the path to the folder to extract the Integration Server and Integration Server Console installation files into. If you do not specify a folder path, the files are extracted into the 'data' subfolder inside the folder containing the ksvla-components_<solution version number>_mlg.exe file.
--accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement between you and Kaspersky and the Privacy Policy that describes processing and transmission of data. By setting this parameter to yes, you confirm the following:
- You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
- You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.
Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for installing Integration Server and Integration Server Console. You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:
ksvla-components_<solution version>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy
The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.
Running the command creates two subfolders with files inside the specified folder. The AttachedContainer subfolder includes the following files, among others:
- viis_service.msi – file required to install the Integration Server
- viis_console.msi – file required to install Integration Server Console
- Start the Integration Server installation process by running:
viis_service.msi ADMIN_VIIS_PASSWORD=<password>
where:
<password> is the password of the Integration Server administrator account (admin). The admin account is used for connecting Integration Server Console to Integration Server.
A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters:
! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~
For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
- Launch the Integration Server Console installation process by running:
viis_console.msi
After installation is complete, you can start the Integration Server Console using the executable file located in the Integration Server Console installation folder.
Installing a Linux-based Integration Server
To install the Linux-based Integration Server, you need to install the Integration Server package on a device with the Linux operating system and perform the initial configuration of the Integration Server.
To install the Linux-based Integration Server package, run the command:
sudo apt-get install ./ksvla-viis_<build number>-<build number>_amd64.deb
If the device does not have the required packages, they may be installed automatically during installation of the Integration Server, or a warning will be displayed about the need to install them.
After completing the installation of the Integration Server, you need to perform the initial configuration of the Integration Server.
To perform the initial configuration of the Integration Server:
- Run the following command:
sudo /opt/kaspersky/viis/bin/viis-setup.sh
The initial configuration script starts.
- When prompted by the script, do the following:
- Select the locale that will be used to display the End User License Agreement and Privacy Policy.
- Please read the text of the End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transfer of data. To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy.
Files with the text of the End User License Agreement and Privacy Policy are located in the directory /opt/kaspersky/viis/doc/EULA/<language identifier>/license.txt.
- Specify the port number to connect to the Integration Server.
- Create the password of the Integration Server administrator (admin) account.
When the script ends and the console is no longer busy, the initial configuration process is complete. After the initial configuration is complete, the Integration Server starts and is ready to work.
Integration Server Web Console is used to manage the Linux-based Integration Server. The Integration Server Web Console becomes available in Kaspersky Security Center Web Console after installing the Integration Server web plug-in.
You can view the installation results and the installed version of the Linux-based Integration Server by running the command:
# apt show ksvla-viis
Installing Kaspersky Security web plug-ins
To manage Kaspersky Security solution components via Kaspersky Security Center Web Console, you need to install:
- Management web plug-in for the Protection Server (Kaspersky Security for Virtualization <version number> Light Agent – Protection Server)
- Management web plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and/or management web plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)
- Management web plug-in for the Integration Server (Kaspersky Security for Virtualization <version number> Light Agent – Integration Server), if you want to use Integration Server Web Console to manage the Integration Server
To install a web plug-in:
- In the Kaspersky Security Center Web Console main window, select Settings → Web plug-ins.
The list of installed web plug-ins opens.
- Start installation of the Kaspersky Security web plug-in in one of the following ways:
- Installing from a list of Kaspersky web plug-ins:
- Click the Add button.
A list of all available Kaspersky web plug-ins opens. The list is updated automatically as new web plug-in versions are released.
- Find the required web plug-in in the list and click the plug-in name.
- In the web plug-in description window that opens, click Install plug-in.
- Wait for the installation process to finish and click OK in the information window.
- Installing a web plug-in from a third-party source. The solution distribution kit includes archives required for installing web plug-ins.
- Click the Add from file button.
- In the window that opens, download the ZIP archive with the web plug-in distribution and the file with the signature in TXT format. ZIP archives with web plug-in distributions and signed files are located in the archives with web plug-ins that are included in the solution distribution kit.
- Click the Add button.
- Wait for the installation process to finish and click OK in the information window.
Newly installed plug-ins are displayed in the list of installed web plug-ins.
Installing Kaspersky Security MMC plug-ins
To manage Kaspersky Security solution components via Kaspersky Security Center Administration Console, you need to install:
- Management MMC plug-in for the Protection Server (Kaspersky Security for Virtualization <version number> Light Agent – Protection Server)
- Management MMC plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and/or management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)
We recommend closing the Kaspersky Security Center Administration Console before starting the installation of the MMC plug-ins.
To install the MMC plug-in, on the device where Kaspersky Security Center Administration Console is installed, run the klcfginst.msi file.
The files required for installing MMC plug-ins are included in the Kaspersky Security solution distribution kit.
After installation, the MMC plug-ins appear in the list of installed management MMC plug-ins in the properties of the Kaspersky Security Center Administration Server.
To view the list of installed management MMC plug-ins:
- In the Kaspersky Security Center Administration Console tree, select the Administration Server: <server name> node, and open the Administration Server properties window in one of the following ways:
- Using the Properties command in the context menu of the Administration Server <server name> node.
- Using the Administration Server properties link in the workspace of the Administration Server <server name> node in the Administration Server section.
- In the list on the left, in the Additional section, select the Information about the installed application management plug-ins section.
SVM deployment using the Integration Server Web Console
Before deployment, you need to download the SVM images and SVM image description files.
To deploy an SVM using Integration Server Web Console, you need to do the following:
- Configure the connection of the Integration Server to the virtual infrastructure in which you want to deploy the SVM.
- Create and run an SVM deployment task for the Integration Server in the selected infrastructure.
After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.
Upon successful completion of the task, the SVM is deployed to the selected infrastructure.
Connecting the Integration Server and the virtual infrastructure
To configure the Integration Server's connection to the virtual infrastructure:
- Open Integration Server Web Console and connect to the Integration Server.
- Go to the List of virtual infrastructures section.
- Click the Add button.
- In the Add virtual infrastructure window that opens, specify the following required settings:
- Infrastructure object type
- Protocol
The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- Infrastructure object address
- Account settings for connecting to the infrastructure with administrator rights:
- OpenStack domain
The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- User name
- Password
- In a virtual infrastructure based on XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, Numa vServer, VK Cloud platform, or TIONIX Cloud Platform, we also recommend specifying an account that has limited rights to perform actions in the virtual infrastructure. Under this account, the Integration Server will connect to the virtual infrastructure while Kaspersky Security is running in order to get information about SVMs available for connection and to distribute Light Agents between SVMs.
To set restricted permissions for a user account:
- Click Add an account with restricted permissions in the Account with restricted permissions section.
- In the window that opens, specify the account name and password.
- Click the Save button.
If an account with restricted permissions is not configured, the Integration Server uses the same user account that is used for SVM deployment, removal and reconfiguration to connect to the virtual infrastructure while Kaspersky Security is running.
In a virtual infrastructure running on the Microsoft Hyper-V platform, you can connect to the virtual infrastructure during Kaspersky Security operation only by using the same user account that is used for SVM deployment, removal and reconfiguration.
- In a virtual infrastructure based on the VMware vSphere platform, you can configure the use of VMware NSX Manager by the Kaspersky Security solution:
- Click the Save button in the Add virtual infrastructure window.
The Integration Server adds the selected virtual infrastructure objects to the list and attempts to establish a connection.
The Integration Server verifies the authenticity of all virtual infrastructure objects with which the connection is established.
Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.
For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the Integration Server to the virtual infrastructure.
To verify authenticity, the Integration Server receives an SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.
If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Integration Server is installed. If you do not consider this certificate to be authentic, click the Cancel connection button in the Verify certificate window to disconnect, and replace the certificate with a new one.
If the authenticity of the public key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the public key and continue the connection. The public key fingerprint will be saved on the device where the Integration Server is installed. If you do not consider this public key to be authentic, click the Cancel connection button in the Verify public key fingerprint window to terminate the connection.
If a connection to a virtual infrastructure object could not be established, information about connection errors is displayed in the list of infrastructures in the Status column.
Using the buttons above the table, you can:
- refresh the list of virtual infrastructures
- sort and search the list
- edit the settings for connecting the Integration Server to virtual infrastructures
- delete settings for connecting to virtual infrastructures
- export the list in CSV format
Creating and running an SVM deployment task
To create and run an SVM deployment task for the Integration Server:
- Open Integration Server Web Console and connect to the Integration Server.
- Go to the SVM management section.
- Click the New task button and select SVM deployment from the drop-down list.
The Integration Server New Task Wizard will start.
- Follow the wizard instructions.
Selecting infrastructure for SVM deployment
At this step, the table displays information about the virtual infrastructures to which connections are configured for the Integration Server. If SVMs are already deployed in the virtual infrastructure, the table also contains information about them. Each row of the table displays the following information about the virtual infrastructure:
You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.
You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.
To select infrastructure for SVM deployment:
- Depending on the type of the virtual infrastructure, select checkboxes in the table to the left of the names of the hypervisors on which you want to deploy an SVM, or the OpenStack projects in which you want to deploy an SVM. You can select hypervisors or OpenStack projects to which the Integration Server has successfully connected.
If SVMs are being deployed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous SVM deployment in different infrastructures is not supported. You can deploy SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
The simultaneous deployment of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously deploy SVMs only in OpenStack projects that are running on the same Keystone microservice.
Simultaneous deployment of SVMs to hypervisors of different types (for example, to a VMware ESXi hypervisor and a KVM hypervisor) is not supported.
- If you want to allow parallel deployment of multiple SVMs, select the Allow parallel deployment of N SVMs check box and specify the number of SVMs that should be deployed in parallel.
Proceed to the next step of the wizard.
Selecting the SVM image
At this step, select the file of the SVM image for deployment. The SVM image file and SVM image description file (in XML format) must be placed on the device where the Integration Server is installed, into a single folder that the Integration Server has read access to.
To specify the SVM image, in the field, enter the path to the SVM image description file (in XML format) relative to the file system of the device on which the Integration Server is installed, and click the Select button.
The Wizard automatically selects the required SVM image file:
- An XVA file for deployment on a XenServer hypervisor or on a Numa vServer hypervisor.
- An OVA file for deployment on a VMware ESXi hypervisor.
- A QCOW2 file for deployment on a KVM hypervisor (including on a KVM hypervisor running on OpenStack platform, Astra Linux, VK Cloud Platform or TIONIX Cloud Platform), on a Proxmox VE hypervisor, on a R-Virtualization hypervisor, on a HUAWEI FusionCompute CNA hypervisor, on a Nutanix AHV hypervisor, or on an ALT Virtualization Server platform basic hypervisor.
The window displays the following information about the selected image:
- Vendor is the name of the vendor of the solution that the SVM is part of.
- Publisher is the name of the publisher of the solution that the SVM is part of. If the image is authentic, the Publisher field displays the value AO Kaspersky Lab.
If the authenticity of the image has not been verified, an error message is displayed at the top of the window, and Unknown is displayed in the Publisher field.
If the authenticity of the image has not been verified, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment.
- Solution name is the name of the solution that the SVM is part of.
- SVM version is the SVM version number.
- Description is a brief description of the SVM image.
- Virtual drive size is the amount of disk space required to deploy the SVM.
It is recommended to validate the SVM image. To do so, click the Validate button in the SVM image integrity check section. The verification results are displayed in the window as follows:
- If the image file integrity check is successful, the Completed successfully message is displayed.
- If the image file gets modified or corrupted while being transmitted from the publisher to the end user or if the image format is not supported, the upper part of the window shows an error message and the SVM image integrity check section displays information about the detected problem.
If an SVM image file integrity check ended with an error, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment.
If the authenticity of an image has been verified and the image file integrity check completed successfully, proceed to the next step of the Wizard.
If the authenticity of an image has not been verified or an image file integrity check has not been performed or ended with an error but you accept the risk and want to use the selected SVM image, to proceed to the next step of the Wizard you need to select the check box located in the lower part of the window.
Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
For this step, you must specify the number of SVMs to be deployed on the hypervisors within each selected OpenStack project. The OpenStack project name column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.
In the Number of SVMs column, specify the number of SVMs to be deployed on the hypervisors within the OpenStack project.
Proceed to the next step of the wizard.
Specifying SVM settings
This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
At this step, you need to specify the name of the SVM and select the storage on the hypervisor where the SVM will be deployed. The Hypervisor address column displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.
Specify the following settings:
Proceed to the next step of the wizard.
Specifying SVM settings (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
On this step, you must specify deployment settings for each SVM that is to be deployed within the selected OpenStack projects. The OpenStack project name column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.
Specify the following settings required for SVM deployment:
You can also specify the following settings:
Proceed to the next step of the wizard.
Configuring SVM network settings (infrastructures based on OpenStack)
For this step, you must specify network settings for each SVM to be deployed.
The window displays the following information:
- Hypervisor address
The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
For each SVM, specify one or more virtual networks in the Network name column.
You can also specify the following settings:
- VLAN ID
The VLAN ID column is displayed if you are deploying the SVM in a virtual infrastructure based on Microsoft Hyper-V platform or in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- Security group
The Security group column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
Proceed to the next step of the wizard.
Configuring IP address settings for SVM
For this step, you must specify IP addressing settings for all SVMs. You can use dynamic or static IP addressing.
If you want to specify all network settings of the SVM manually:
- Select Static IP addressing. This opens a table containing the following information:
- Hypervisor address
The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
- Network name
- Specify the following IP addressing settings for each SVM:
- DNS server
- Alternative DNS server
- SVM IP address
- Subnet mask
- Gateway
If you specified several virtual networks for the SVM at the previous step, specify the settings for each virtual network.
If you want to use DHCP network settings for all SVMs:
- Select Dynamic IP addressing (DHCP).
By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM (the Use list of DNS servers received via DHCP check box is selected). If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.
- If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
- Hypervisor address
The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.
Proceed to the next step of the wizard.
Specifying Kaspersky Security Center connection settings
At this step, you must specify the settings of SVM connection to the Kaspersky Security Center Administration Server.
Specify the following settings:
Proceed to the next step of the wizard.
Creating the configuration password and the root account password
At this step, you need to create a klconfig account password (configuration password) and a root account password on the SVM.
The configuration password is required for SVM reconfiguration. The root user account is used for access to the operating system on SVMs.
Enter passwords for each account into the Password and Confirm password fields.
Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
If you want to configure access to SVMs over SSH under the root account, select the Allow remote access to SVM for the root account via SSH check box.
Proceed to the next step of the wizard.
Start task for SVM deployment
This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
This step displays all the settings of the created SVM deployment task for the Integration Server:
- The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
- The list at the top of the window contains general settings for all SVMs that will be deployed by the task:
- The table at the bottom of the window contains individual settings for each SVM:
- Hypervisor address
- SVM name
- Storage
- Network name
- VLAN ID
The VLAN ID is displayed if you are deploying the SVM in the virtual infrastructure running on Microsoft Hyper-V platform.
- All IP addressing settings that you provided for the SVM.
To start the SVM deployment task, click the Start button.
You can monitor the task progress in Integration Server Web Console, in the SVM management section.
Starting an SVM deployment task (OpenStack-based infrastructure)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
This step displays all the settings of the created SVM deployment task for the Integration Server:
- The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
- The list at the top of the window contains general settings for all SVMs that will be deployed by the task:
- The table at the bottom of the window contains individual settings for each SVM:
- OpenStack project name
- SVM name
- Virtual machine type
- Volume type
- Availability zone
- Server group
- Network name
- VLAN ID
- Security group
- All IP addressing settings that you provided for the SVM.
To start the SVM deployment task, click the Start button.
You can monitor the task progress in Integration Server Web Console, in the SVM management section.
Viewing information about task execution
You can monitor the progress of tasks in Integration Server Web Console, in the SVM management section.
To view information about a task for the Integration Server:
- Open Integration Server Web Console and connect to the Integration Server.
- Go to the SVM management section.
In the window that opens, a list of tasks for the Integration Server is displayed as a table. The list contains the Integration Server tasks that you created and ran using the wizard (SVM deployment, reconfiguration, and removal tasks), as well as SVM image verification tasks that are created automatically when you run an SVM image file integrity check while creating SVM deployment tasks. The task is placed in the list immediately after its creation and is automatically deleted from the list some time after the task has been completed (successfully or with an error) or canceled. By default, completed or canceled tasks are listed for 60 minutes.
If necessary, you can cancel tasks that have not yet been completed. To do this, select the task in the list and click the Cancel button located above the table.
For tasks that are running, their progress is displayed. If a task completes with an error, an error message is displayed.
- To view detailed information about a task, click on the task name.
The window that opens displays the following information about the selected task:
- Task name
- Task type
- Time when the task was created
- Time when the task transitioned from the current status
- Current task status and an error message if the task was completed with an error
- List of all SVMs on which the task is running, and the progress of the task on each SVM. Each row in the list contains the following information:
- SVM name
- IP address of the SVM in IPv4 format
- Task status on the SVM, and an error message if the task was completed with an error
- Location of the SVM in the virtual infrastructure (address and type of hypervisor or the OpenStack project name, address and type of infrastructure)
- For Deployment or Reconfiguration tasks, you can view information about the execution of stages of a task on the selected SVM. To open the list of stages, click on the SVM name in the list.
In the window that opens, information about the execution of each stage of the task on an individual SVM is displayed in the form of a table:
- Stage name
- Stage start time
- Stage execution status and error message if an error occurred at this stage
- Stage end time
Deploying SVMs using the Integration Server Console
If you use the Integration Server Console, SVMs are deployed using the SVM Management Wizard, which is launched from the Integration Server Console.
Following the instructions of the SVM Management Wizard, you need to configure the wizard's connection to the virtual infrastructure, specify all the SVM deployment settings, and start the deployment.
Information about SVM deployment results is displayed in the last step of the wizard.
Before deployment, you need to download the SVM images and SVM image description files.
To deploy SVMs using the Integration Server Console:
- Open Integration Server Console and connect to the Integration Server.
- In the SVM management section, click the SVM management button to start the SVM Management Wizard.
- Follow the wizard instructions.
Selecting an action
At this step, choose the SVM deployment option.
Proceed to the next step of the wizard.
Selecting infrastructure for SVM deployment
At this step, you need to select the virtual infrastructure in which you want to deploy the SVM. If SVM deployment was not previously performed in this virtual infrastructure, you need to configure the connection of the SVM Management Wizard to the virtual infrastructure. Then select the hypervisors or OpenStack projects for SVM deployment depending on the type of virtual infrastructure.
To configure the connection of SVM Management Wizard to the virtual infrastructure:
- Click the Add button.
- In the Virtual infrastructure connection settings window that opens, specify the following settings:
- Type
- Protocol
The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- Addresses
- OpenStack domain
The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- User name
- Password
- If you are deploying SVMs in a virtual infrastructure based on XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, OpenStack, Alt Virtualization Server, Astra Linux, Numa vServer, VK Cloud platform, or TIONIX Cloud Platform, to connect the Integration Server to the virtual infrastructure while Kaspersky Security is running, we recommend using an account that has limited rights to perform actions in the virtual infrastructure. Select the Account with restricted permissions check box and specify the settings of the user account that the Integration Server will use to connect to the virtual infrastructure during operation of Kaspersky Security.
If the check box is cleared, during Kaspersky Security operation the Integration Server will connect to the virtual infrastructure using the same user account that is used for SVM deployment, removal and reconfiguration.
In a virtual infrastructure running on the Microsoft Hyper-V platform, you can connect to the virtual infrastructure during Kaspersky Security operation only by using the same user account that is used for SVM deployment, removal and reconfiguration.
- Click the Connect button.
The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.
The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.
Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.
For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.
To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.
If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.
If the authenticity of the public key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the public key and continue the connection. The public key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this public key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.
If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.
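One way to check a certificate before confirming it in the Verify certificate window, as an added example that is not part of the Kaspersky documentation: compute the certificate fingerprint independently and compare it with a value that the infrastructure administrator recorded out-of-band. The function names, the constructed sample data, and the use of SHA-1 and SHA-256 fingerprints over the DER encoding are assumptions; the page does not say which fingerprint format the window shows, and the public key fingerprint case is not covered here.

```python
import hashlib
import hmac
import re
import ssl

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# This is NOT a real X.509 certificate; it only lets the example run offline.
SAMPLE_DER = b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

# Digest length in hex characters -> hash algorithm (assumed formats).
_ALGO_BY_HEX_LENGTH = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Reduce 'AB:CD:..', 'ab cd ..' or 'ab-cd-..' to lowercase hex."""
    cleaned = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned):
        raise ValueError("fingerprint contains non-hexadecimal characters")
    if len(cleaned) not in _ALGO_BY_HEX_LENGTH:
        raise ValueError("unsupported fingerprint length: %d" % len(cleaned))
    return cleaned


def cert_fingerprints(pem):
    """Return SHA-1 and SHA-256 fingerprints of the certificate's DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return {
        "sha1": hashlib.sha1(der).hexdigest(),
        "sha256": hashlib.sha256(der).hexdigest(),
    }


def matches_expected(pem, expected):
    """True if the certificate matches the fingerprint recorded out-of-band.

    The algorithm is chosen from the length of the expected value, and the
    comparison is constant-time.
    """
    want = normalize_fingerprint(expected)
    algo = _ALGO_BY_HEX_LENGTH[len(want)]
    return hmac.compare_digest(cert_fingerprints(pem)[algo], want)


def fetch_pem(host, port=443):
    """Retrieve the certificate an endpoint presents, without validating it.

    Not called in the offline demo below. The result is only as trustworthy
    as the network path used, so the expected fingerprint must come from a
    separate, trusted channel (for example, read on the host itself).
    """
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    recorded = hashlib.sha256(SAMPLE_DER).hexdigest().upper()
    recorded = ":".join(recorded[i:i + 2] for i in range(0, len(recorded), 2))
    print("matches recorded value:", matches_expected(SAMPLE_PEM, recorded))
    tampered = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("tampered certificate matches:", matches_expected(tampered, recorded))
```

Confirm the certificate in the wizard only when the comparison succeeds; a mismatch is a reason to cancel and investigate the endpoint.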
The table displays information about the virtual infrastructures to which connections are configured in the SVM Management Wizard. If SVMs are already deployed in the virtual infrastructure, the table also contains information about them. Each row of the table displays a hierarchical list of virtual infrastructure objects and the following information:
You can search the list of virtual infrastructure objects based on the Name/Address column. The search starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.
You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Wizard verifies the SSL certificates or fingerprints of the public key, as it does when adding virtual infrastructure objects to the list.
You can use buttons in the Name/Address column to:
- Remove selected virtual infrastructure from the list.
The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.
- If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.
After the settings are modified, the Wizard verifies the SSL certificates or fingerprints of the public key, as it does when adding virtual infrastructure objects to the list.
To select infrastructure for SVM deployment:
- Depending on the type of the virtual infrastructure, select check boxes in the table to the left of the names of the hypervisors on which you want to deploy an SVM, or the OpenStack projects in which you want to deploy an SVM.
You can select hypervisors or OpenStack projects that are not subject to SVM deployment restrictions.
If SVMs are being deployed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous SVM deployment in different infrastructures is not supported. You can deploy SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
The simultaneous deployment of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously deploy SVMs only in OpenStack projects that are running on the same Keystone microservice.
- If you want to allow concurrent deployment of multiple SVMs, select the Allow parallel deployment on N hypervisors or Allow parallel deployment on N SVMs check box (depending on the type of virtual infrastructure) and specify the number of SVMs to be deployed concurrently.
Proceed to the next step of the wizard.
Selecting the SVM image
At this step, select the file of the SVM image for deployment on the hypervisor. The SVM image file and SVM image description file (in XML format) must be placed in the same folder on the device where the Kaspersky Security Center Administration Console is installed, or in the same folder on a network resource to which the user account performing the installation has read access. If you are installing the Protection Server on different types of hypervisors, the SVM image files for each type of hypervisor and the SVM image description file must be located in the same folder.
To specify the SVM image, click Browse and in the window that opens select the SVM image description file (in XML format).
After a file has been selected, the field to the left of the button displays the full path to the file and its name. The Wizard automatically selects the required SVM image file:
- A VHDX file for deployment on a Microsoft Windows Server (Hyper-V) hypervisor.
- An XVA file for deployment on a XenServer hypervisor or on a Numa vServer hypervisor.
- An OVA file for deployment on a VMware ESXi hypervisor.
- A QCOW2 file for deployment on a KVM hypervisor (including on a KVM hypervisor running on OpenStack platform, Astra Linux, VK Cloud Platform or TIONIX Cloud Platform), on a Proxmox VE hypervisor, on an R-Virtualization hypervisor, on a HUAWEI FusionCompute CNA hypervisor, on a Nutanix AHV hypervisor, or on an ALT Virtualization Server platform basic hypervisor.
The window displays the following information about the selected image:
- Vendor is the name of the vendor of the solution that the SVM is part of.
- Publisher is the name of the publisher of the solution that the SVM is part of.
- Solution name is the name of the solution that the SVM is part of.
- SVM version is the version number of the SVM image.
- Description is a brief description of the SVM image.
- Virtual drive size is the amount of disk space required to deploy the SVM.
The Wizard verifies the authenticity of the image. The verification results are displayed in the window as follows:
- If the image is authentic, the Publisher field displays the value AO Kaspersky Lab.
- If the authenticity of the image has not been verified, an error message is displayed at the top of the window, and Unknown is displayed in the Publisher field.
If the authenticity of the image has not been verified, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment using the Kaspersky Security Components Installation Wizard or on the Kaspersky website.
The SVM image integrity check section displays information about the results of SVM image file integrity check for each type of hypervisor. If integrity check was not performed, the Validation not performed message is displayed.
It is recommended to validate the SVM image. To do so, click the Validate button in the SVM image integrity check section. The verification results are displayed in the window as follows:
- If the image file successfully passed the integrity check, the Valid message is displayed.
- If the image file gets modified or corrupted while being transmitted from the publisher to the end user or if the image format is not supported, the upper part of the window shows an error message and the SVM image integrity check section displays information about the detected problem.
If an SVM image file integrity check ended with an error, it is recommended to use a different image for SVM deployment. To do this, you need to re-download the archive with the files necessary for SVM deployment using the Kaspersky Security Components Installation Wizard or on the Kaspersky website.
If the authenticity of an image has been verified and the image file integrity check completed successfully, proceed to the next step of the Wizard.
If the authenticity of an image has not been verified or an image file integrity check has not been performed or ended with an error but you accept the risk and want to use the selected SVM image, to proceed to the next step of the Wizard you need to select the check box located in the lower part of the window.
Selecting the number of SVMs for deployment (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
For this step, you must specify the number of SVMs to be deployed on the hypervisors within each selected OpenStack project. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.
In the Number of SVMs column, specify the number of SVMs to be deployed on the hypervisors within the OpenStack project.
Proceed to the next step of the wizard.
Specifying SVM settings
This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
For this step, you must specify deployment options for each SVM to be deployed on the selected hypervisors. The Hypervisor column displays the IP address in IPv4 format or the fully qualified domain name (FQDN) of the hypervisor on which the SVM will be deployed.
Specify the following settings required for SVM deployment:
If you are deploying an SVM in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.
Proceed to the next step of the wizard.
Specifying SVM settings (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
On this step, you must specify deployment settings for each SVM that is to be deployed within the selected OpenStack projects. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.
Specify the following settings required for SVM deployment:
You can also specify the following settings:
Proceed to the next step of the wizard.
Configuring SVM network settings (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
For this step, you must specify network settings for each SVM to be deployed within the selected OpenStack projects. The OpenStack project column displays the name of the project that the SVM will be deployed in, as well as the project path in the infrastructure.
For each SVM, specify one or more virtual networks in the Network name column.
You can also specify the following settings:
Proceed to the next step of the wizard.
Configuring IP address settings for SVM
For this step, you must specify IP addressing settings for all SVMs. You can use dynamic or static IP addressing.
If you want to use DHCP network settings for all SVMs:
- Select Dynamic IP addressing (DHCP).
By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM (the Use list of DNS servers received via DHCP check box is selected). If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.
- If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
- Hypervisor
The Hypervisor column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project
The OpenStack project column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.
If you want to specify all network settings of the SVM manually:
- Select Static IP addressing. This opens a table containing the following information:
- Hypervisor
The Hypervisor column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project
The OpenStack project column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
- Network name
- Specify the following IP addressing settings for each SVM:
- SVM IP address
- Subnet mask
- Gateway
- DNS server
- Alternative DNS
If you specified several virtual networks for the SVM at the previous step, specify the settings for each virtual network.
Proceed to the next step of the wizard.
Specifying Kaspersky Security Center connection settings
This step is performed if the wizard cannot automatically determine the settings for connecting to Kaspersky Security Center.
At this step, you must specify the settings of SVM connection to the Kaspersky Security Center Administration Server.
Specify the following settings:
Proceed to the next step of the wizard.
Creating the configuration password and the root account password
At this step, you need to create a klconfig account password (configuration password) and a root account password on the SVM.
The configuration password is required for SVM reconfiguration. The root user account is used for access to the operating system on SVMs.
Enter passwords for each account into the Password and Confirm password fields.
Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
If you want to configure access to SVMs over SSH under the root account, select the Allow remote access to SVM for the root account via SSH check box.
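The password rules stated in this step (and in the same step of the Integration Server Web Console wizard) can be checked before the values are typed into the wizard, for example when the klconfig and root passwords come from a password vault or generator. The following is an added example, not Kaspersky code; the function names are hypothetical, and treating "letters of the Latin alphabet" as ASCII A-Z and a-z is an assumption.

```python
import secrets
import string

# Rules taken from the page: the mandatory limits, then the recommendation.
ALLOWED_SPECIAL = "!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~"
MAX_LENGTH = 60
RECOMMENDED_MIN_LENGTH = 8
RECOMMENDED_MIN_CATEGORIES = 3

# Assumption: "letters of the Latin alphabet" means ASCII letters only, so
# str.isalpha()/str.islower() are not used (they also accept Cyrillic or
# accented letters).
CATEGORIES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numerals": string.digits,
    "special": ALLOWED_SPECIAL,
}
ALLOWED = set("".join(CATEGORIES.values()))


def check_svm_password(password):
    """Return (errors, warnings) for a candidate klconfig or root password.

    errors   -> the password breaks a rule the page states as mandatory
    warnings -> the password is weaker than the page's recommendation
    The password is never echoed; offending characters are reported as
    Unicode code points only.
    """
    errors, warnings = [], []
    if len(password) > MAX_LENGTH:
        errors.append(f"length {len(password)} exceeds {MAX_LENGTH}")
    bad = sorted({f"U+{ord(c):04X}" for c in password if c not in ALLOWED})
    if bad:
        errors.append("disallowed characters: " + ", ".join(bad))
    if len(password) < RECOMMENDED_MIN_LENGTH:
        warnings.append(f"shorter than {RECOMMENDED_MIN_LENGTH} characters")
    used = [name for name, chars in CATEGORIES.items()
            if any(c in chars for c in password)]
    if len(used) < RECOMMENDED_MIN_CATEGORIES:
        warnings.append(
            f"uses {len(used)} of 4 character categories, "
            f"{RECOMMENDED_MIN_CATEGORIES} recommended")
    return errors, warnings


def generate_svm_password(length=24):
    """Generate a random password that satisfies every rule above."""
    if not RECOMMENDED_MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError("length must be between 8 and 60")
    pools = list(CATEGORIES.values())
    # One character from each category, then fill from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs, including a space and Cyrillic letters.
    for candidate in ["Str0ng#Pass", "Pass word1!", "пароль1A!", "abcdefgh"]:
        errors, warnings = check_svm_password(candidate)
        print(f"sample of length {len(candidate)}: "
              f"errors={errors} warnings={warnings}")
    print("generated password passes:",
          check_svm_password(generate_svm_password()) == ([], []))
```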
Proceed to the next step of the wizard.
Starting SVM deployment
This step is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
For this step, the wizard window displays all previously entered settings required for deploying the SVM:
General settings for all SVMs:
- SVM image description file
- SVM IP settings
- SSH-based remote access to the SVM for the root account
- Kaspersky Security Center connection settings
- Parallel deployment
Individual settings for each SVM:
- Hypervisor
- SVM name
- Storage
- Network name
- VLAN ID
The VLAN ID is displayed if you are deploying the SVM in the virtual infrastructure running on Microsoft Hyper-V platform.
- All IP addressing settings that you provided for the SVM.
To start deploying SVMs, go to the next step of the wizard.
Starting SVM deployment (infrastructures based on OpenStack)
This step is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
For this step, the wizard window displays all previously entered settings required for deploying the SVM:
General settings for all SVMs:
- Keystone microservice address
- SVM image description file
- SVM IP settings
- SSH-based remote access to the SVM for the root account
- Kaspersky Security Center connection settings
- Parallel deployment
Individual settings for each SVM:
- OpenStack project
- SVM name
- Virtual machine type
- Volume type
- Availability zone
- Server group
- Network name
- VLAN ID
- Security group
- All IP addressing settings that you provided for the SVM.
To start deploying SVMs, go to the next step of the wizard.
SVM deployment
At this step, SVMs are deployed on hypervisors. The process takes some time. Please wait until deployment is complete.
The window shows, one row at a time, the stages of deployment of each SVM with the status of each stage: Processing N%, Pending, Skipped, Completed, Error.
After SVM deployment is complete, you are advised to make sure that the Integration Server is running and can be accessed by the SVM over the network.
If an error occurs on a hypervisor during the SVM deployment process, the Wizard rolls back the changes on this hypervisor. Deployment continues on the other hypervisors.
When deployment is completed, the SVM is turned on automatically.
Proceed to the next step of the wizard.
Finishing SVM deployment
This step displays information about the SVM deployment results in the virtual infrastructure.
You can use the links to open a brief report and the SVM Management Wizard log.
You can view the following information in the brief report:
- Addresses of the hypervisors on which SVMs were deployed, or OpenStack projects, within which SVMs were deployed (depending on the type of virtual infrastructure).
- Names of deployed SVMs.
- Brief description of the completed stages of deployment of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.
The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.
The SVM Management Wizard log saves information specified by you at every step of the wizard. If the SVM deployment process ends in an error, you can use the wizard log when contacting Technical Support.
The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.
Finish the wizard.
If your virtual infrastructure uses a Microsoft Windows Server (Hyper-V) hypervisor, after SVM deployment the event log may contain an event indicating the need to update the Integration Services package on the SVM. You can ignore this notification because the Integration Services do not need to be updated to operate the SVM.
Automatically creating tasks and a default policy for the Protection Server
The Kaspersky Security Center Initial Configuration Wizard lets you automatically create a default Protection Server policy and an Update databases and solution modules task for the Protection Server. The Initial Configuration Wizard is available in Kaspersky Security Center Administration Console and in Kaspersky Security Center Web Console.
If you use Kaspersky Security Center Web Console, the Initial Configuration Wizard starts the first time you launch Kaspersky Security Center Web Console.
You can also run the Initial Configuration Wizard manually.
How to run the Initial Configuration Wizard in Kaspersky Security Center Web Console
If you use Kaspersky Security Center Administration Console, the Initial Configuration Wizard starts automatically the first time you launch Administration Console after installing the management MMC plug-in for the Protection Server.
If the Initial Configuration Wizard for the managed application was not started automatically, you can manually start it.
How to run the Initial Configuration Wizard in Kaspersky Security Center Administration Console
Creating an Update databases and solution modules task for the Protection Server
An Update Solution Databases and Modules task is created for the Managed devices administration group and lets you download an update package for the databases and application modules of the Kaspersky Security solution to all SVMs that will be moved to the Managed devices administration group or to any nested administration group. The task is started every time an update package is downloaded to the Kaspersky Security Center Administration Server repository.
Creating default policy for Protection Server
A default Protection Server policy is created for the Managed devices administration group with the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and is applied on all SVMs that will be moved to the Managed devices administration group or to any nested administration group.
When creating a default Protection Server policy, the wizard prompts you to configure the following settings:
- Decide whether you want to use Kaspersky Security Network in the operation of the Protection Server.
- Configure settings for connecting SVMs to the Integration Server.
The other policy settings take the default values. You can configure them later.
If you have not configured the settings for connecting SVMs to the Integration Server or cannot connect with the specified settings, the policy is created with the Inactive policy status. Later you can configure the settings of this policy and activate it.
Preparing the Protection Server for operation
After completing the SVM deployment procedure, it is recommended to use virtual infrastructure tools to check the system date on the SVM. A discrepancy between the system dates on Kaspersky Security Center Administration Server and the SVM may result in an error when connecting the SVM to Kaspersky Security Center as well as incorrect operation of Kaspersky Security solution components.
After deploying the SVM on a hypervisor, you can modify the resources allocated to the SVM, for example, to match those recommended by Kaspersky experts. You can regulate the performance of the SVM using the resources assigned to it.
To prepare the Protection Server for operation, you must perform the following actions:
- Make sure that new SVMs are connected to the Integration Server. You can view the list of connected SVMs in the Integration Server Console or in the Integration Server Web Console.
- Activate the solution on all new SVMs.
To activate the solution on SVMs, you must add a license key to the SVMs by using the Solution activation task. After installing the Light Agent component on virtual machines and connecting the Light Agents to the SVMs, the Protection Server component sends license information to the Light Agents.
- Update the databases of the solution on all new SVMs and download database updates for Light Agents to the SVMs. By default, database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows are downloaded to the SVMs from the Administration Server repository.
If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, you need to make sure you are downloading database updates for the correct version of Light Agent. If you have different versions of Light Agent installed on protected devices, updates for all installed versions must be downloaded to the SVM.
To configure the downloading of updates for the correct versions of Light Agent:
- In the Protection Server policy, specify the versions of Light Agents for which the Protection Server must receive updates.
The Administration Server needs some time to download database updates for Light Agents. We recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).
- Manually run the Download updates to the repository task.
- Download the update packages to the SVM. To download update packages to the SVM, you can use an automatically created Protection Server task, Updating databases and solution modules.
Installing Light Agents and Network Agent
On each virtual machine that needs to be protected using the Kaspersky Security solution, you need to install Light Agent and Kaspersky Security Center Network Agent.
Installed on protected virtual machines, Kaspersky Security Center Network Agent facilitates interaction between a Light Agent installed on a virtual machine and the Kaspersky Security Center Administration Server, and lets you use Kaspersky Security Center to manage the operation of the Light Agent.
You can install Light Agent on a virtual machine template that will be used to create persistent and non-persistent virtual machines. When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agents and Network Agent.
You can install Light Agent on virtual machines as part of an infrastructure that uses VDI-based solutions for creating virtual desktops. For Light Agent for Windows to be compatible with some virtualization solutions, additional steps are required during installation.
About installing Kaspersky Security Center Network Agent on virtual machines
Before or during the installation of Kaspersky Endpoint Security for Linux in Light Agent mode, you need to install Network Agent for Linux on each virtual machine.
Before or during installation of Kaspersky Endpoint Security for Windows in Light Agent mode, you need to install Network Agent for Windows on each virtual machine.
The files required for installing Network Agent are included in the Kaspersky Security Center distribution kit. For more information on installing Network Agent, please refer to the Kaspersky Security Center Help.
About installing Light Agent for Linux
Kaspersky Endpoint Security for Linux in Light Agent mode for protection of virtual environments is installed in one of the following ways:
- Remotely from the administrator's workstation using Kaspersky Security Center.
To use Kaspersky Endpoint Security for Linux as a Light Agent for Linux, you select the Light Agent mode in one of the following ways:
- In the properties of the installation package of the Kaspersky Endpoint Security for Linux application, on the Settings tab.
- Using the autoinstall.ini configuration file, which is included in the application installation package (KSVLA_MODE=yes).
- Using the command line.
To use Kaspersky Endpoint Security for Linux as a Light Agent for Linux, after the installation is complete, you need to run the initial application configuration and select the Light Agent mode in one of the following ways:
- Enter yes in the Specifying the application usage step of the initial configuration script.
- Specify the KSVLA_MODE=yes setting in the initial setup configuration file.
When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agent and Network Agent.
For more information about installing Kaspersky Endpoint Security for Linux in Light Agent mode, see the application Help of the relevant version.
About installing Light Agent for Windows
Kaspersky Endpoint Security for Windows in Light Agent mode for protection of virtual environments is installed in one of the following ways:
- Remotely from the administrator's workstation using Kaspersky Security Center.
To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you need to select the Light Agent configuration in the properties of the Kaspersky Endpoint Security for Windows installation package on the Settings tab.
- Locally on a virtual machine using the installation wizard.
To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you need to select the Light Agent for protecting virtual environments configuration at the configuration selection step.
- Using the command line.
To use Kaspersky Endpoint Security for Windows as a Light Agent for Windows, you select the Light Agent mode in one of the following ways:
- Run the installation command with LIGHTAGENTMODE=1.
- Perform a silent installation using a setup.ini file with KSVLAMode=1.
To optimize the performance of Kaspersky Endpoint Security for Windows in Light Agent mode, we recommend using predefined groups of exclusions and trusted applications for various virtualization solutions. You can include recommended scan exclusions and trusted applications in the trusted zone during local installation using the wizard or when creating an installation package in interactive mode.
When installing on a non-persistent virtual machine template, we recommend configuring additional installation settings for Light Agent and Network Agent.
For more information about installing Kaspersky Endpoint Security for Windows in Light Agent mode, see the application Help of the relevant version.
Installing Light Agent on a template for non-persistent virtual machines
If you are installing on a virtual machine template that will be used to create non-persistent virtual machines, we recommend that you configure settings that optimize the operation of Light Agent on the non-persistent virtual machines.
If these settings are configured, the operation of non-persistent virtual machines created from the template will be optimized as follows:
- Kaspersky Security Center functionality that is not required for non-persistent virtual machines will be disabled, namely the receiving of information about software, hardware, vulnerabilities, and necessary updates.
- Updates that require restarting the protected virtual machine will not be installed on virtual machines created from the template. When receiving updates that require a restart, the Light Agent installed on the virtual machine sends a message to Kaspersky Security Center about the need to update the virtual machine template.
- Non-persistent virtual machines running Windows operating systems will not use the active infection disinfection technology regardless of the configured settings of Light Agent for Windows. If it is necessary to perform the disinfection procedure for an active infection, the Light Agent installed on the virtual machine will send a message to Kaspersky Security Center about the need to perform this procedure on the virtual machine template.
Kaspersky Security Center Network Agent settings
If you are installing Network Agent using Kaspersky Security Center, in the properties window of the Network Agent installation package, you need to specify the following settings in the Advanced section:
- Enable dynamic mode for VDI.
- Optimize the settings for VDI.
If you are installing Network Agent using the command line, you need to use a response file (in TXT format) with the following settings:
KLNAGENT_VM_VDI=1
KLNAGENT_VM_OPTIMIZE=1
For more information on installing Network Agent, please refer to the Kaspersky Security Center Help.
Light Agent for Linux settings
If you are installing Kaspersky Endpoint Security for Linux in Light Agent mode using Kaspersky Security Center, you need to include the autoinstall.ini configuration file in the installation package with the following settings:
KSVLA_MODE=yes
VDI_MODE=yes
If you create an installation package in Kaspersky Security Center Web Console, you can specify these settings using the following check boxes in the installation package properties on the Settings tab:
- Use the application in Light Agent mode
- Enable VDI protection mode.
If you are installing Kaspersky Endpoint Security for Linux in Light Agent mode using the command line, after the installation is complete, you need to configure the settings as follows, depending on the initial configuration mode:
- Run the initial configuration script and enter yes in the Specifying the application usage mode and Enabling VDI protection mode steps.
- Run the initial configuration in automatic mode by specifying the following settings in the initial configuration file:
KSVLA_MODE=yes
VDI_MODE=yes
For more information about installing Kaspersky Endpoint Security for Linux in Light Agent mode, see the application Help of the relevant version.
Light Agent for Windows settings
If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using Kaspersky Security Center, you need to configure the following settings in the properties of the Kaspersky Endpoint Security for Windows installation package on the Settings tab:
- select the Light Agent configuration
- select the Protect VDI check box
If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using the Installation Wizard, you need to configure the following settings at the configuration selection step:
- select the Light Agent for protecting virtual environments configuration
- select the Protect VDI check box
If you are installing Kaspersky Endpoint Security for Windows in Light Agent mode using the command line, you need to do one of the following:
- Run the installation command with LIGHTAGENTMODE=1 and VDI=1.
- Perform installation in silent mode using a setup.ini file with KSVLAMode=1 and InstallOnVDI=1.
For more information about installing Kaspersky Endpoint Security for Windows in Light Agent mode, see the application Help of the relevant version.
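A template that is missing one of the VDI settings above still installs without error, so it is worth checking the installer input files before the template is sealed. The following is an added example, not part of the Kaspersky documentation or tooling: it checks a response file, autoinstall.ini or setup.ini for the settings listed in this section. The file kinds, function names and parsing rules (comment characters, section headers, case-sensitive keys) are assumptions, and the sample inputs are constructed.

```python
"""Pre-flight check of non-persistent VM template settings (added example)."""

# Required settings per installer input file, exactly as listed in this section.
REQUIRED = {
    "network_agent_response": {"KLNAGENT_VM_VDI": "1", "KLNAGENT_VM_OPTIMIZE": "1"},
    "kesl_autoinstall": {"KSVLA_MODE": "yes", "VDI_MODE": "yes"},
    "kes_windows_setup_ini": {"KSVLAMode": "1", "InstallOnVDI": "1"},
}


def parse_settings(text):
    """Parse KEY=VALUE lines and return {key: [values in file order]}.

    Assumptions: blank lines, [section] headers and lines starting with
    '#' or ';' carry no settings; key names are matched case-sensitively.
    """
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        found.setdefault(key.strip(), []).append(value.strip())
    return found


def check_template_settings(kind, text):
    """Return a list of problems; an empty list means the file matches this section."""
    found = parse_settings(text)
    problems = []
    for key, expected in REQUIRED[kind].items():
        values = found.get(key)
        if values is None:
            problems.append(f"{key}: missing (expected {expected})")
        elif len(set(values)) > 1:
            # The same key set twice with different values: which one wins
            # depends on the installer, so treat it as an error.
            problems.append(f"{key}: conflicting values {values}")
        elif values[0] != expected:
            problems.append(f"{key}: is {values[0]!r}, expected {expected!r}")
    return problems


# Constructed sample inputs (not taken from a real installation package).
SAMPLE_GOOD_AUTOINSTALL = "# constructed sample\nKSVLA_MODE=yes\nVDI_MODE=yes\n"
SAMPLE_MISSING_VDI = "[constructed-section]\nKSVLAMode=1\n"
SAMPLE_CONFLICT = "KLNAGENT_VM_VDI=1\nKLNAGENT_VM_OPTIMIZE=0\nKLNAGENT_VM_VDI=0\n"

if __name__ == "__main__":
    samples = [
        ("kesl_autoinstall", SAMPLE_GOOD_AUTOINSTALL),
        ("kes_windows_setup_ini", SAMPLE_MISSING_VDI),
        ("network_agent_response", SAMPLE_CONFLICT),
    ]
    for kind, text in samples:
        problems = check_template_settings(kind, text)
        print(kind, "OK" if not problems else problems)
```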
Compatibility of Light Agent for Windows with virtualization solutions
You need to take additional steps when installing Light Agent for Windows on virtual infrastructures that use the following virtualization solutions:
- Citrix App Layering
- Citrix Provisioning (Citrix Provisioning Services)
- VMware App Volumes
Compatibility with Citrix App Layering technology
Compatibility with Citrix Provisioning (Citrix Provisioning Services) technology
Compatibility with VMware App Volumes technology
Preparing Light Agents for operation
To prepare Light Agents for operation, you must perform the following actions:
- Configure the settings required for SVM discovery and connection of Light Agents to SVMs.
To configure the settings for Light Agent for Linux, you need to create a policy for Kaspersky Endpoint Security for Linux running in Light Agent mode.
To configure the settings for Light Agent for Windows, you need to create a policy for Kaspersky Endpoint Security for Windows running in Light Agent mode.
Following the instructions in the New Policy Wizard, you need to select the SVM discovery method and, depending on the selected method, configure the settings for connecting to the Integration Server or specify a list of SVM addresses.
- Make sure that Light Agents connect to SVMs and to the Integration Server.
- Make sure that Light Agents have received information about the license used to activate Kaspersky Security for Virtualization Light Agent.
After activating the solution on SVMs and connecting Light Agents to the SVMs, the Protection Server component sends license information to Light Agents. You can view information about the license that Light Agent uses on a protected virtual machine with Light Agent.
- Make sure that the database updates required for Light Agent are installed on the protected virtual machines.
Databases on protected virtual machines are updated using a special Update task, in which a folder on the SVM is specified as the update source. The update task is started automatically.
You can check how up-to-date the databases are on a protected virtual machine with Light Agent:
- For Light Agent for Linux: using the command kesl-control --app-info.
- For Light Agent for Windows: in the local interface of Kaspersky Endpoint Security for Windows.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Displaying virtual machines and SVMs in Kaspersky Security Center
After installation of Kaspersky Security in the virtual infrastructure, the SVMs and protected virtual machines on which Network Agent is installed will forward information about themselves to Kaspersky Security Center. By default, Kaspersky Security Center adds devices on which Kaspersky Security components are installed to the Unassigned devices folder.
In the Kaspersky Security Center Administration Console, an SVM is displayed under the name that you specified during deployment of this SVM. The name of the protected virtual machine matches the network name of the virtual machine (hostname). If a virtual machine with the same name is already registered on the Kaspersky Security Center Administration Server, a sequence number is added to the name of the new virtual machine, for example: <Name>~1, <Name>~2.
If you configured rules for moving virtual machines to administration groups prior to installing the solution, Kaspersky Security Center moves the devices on which Kaspersky Security components are installed to the specified administration groups in accordance with the configured rules for moving devices.
After installing the solution components, the SVMs and protected virtual machines send tags to Kaspersky Security Center. You can use these tags when creating rules for moving SVMs and protected virtual machines to administration groups.
The SVM sends the following tag to Kaspersky Security Center:
%VmType%=SVM – indicates that the virtual machine is an SVM.
A protected virtual machine with Kaspersky Security Center Network Agent installed sends the following tag to Kaspersky Security Center:
- %VmType%=<Persistent / Nonpersistent> – indicates whether the virtual machine is persistent or non-persistent:
- %VmType%=Persistent – persistent virtual machine;
- %VmType%=Nonpersistent – non-persistent virtual machine.
- %KsvlaMode%=<Yes / No> – a flag that determines the operating mode of the Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows application on a virtual machine:
- %KsvlaMode%=Yes – the application is being used in Light Agent mode to protect virtual environments;
- %KsvlaMode%=No – the application is being used in standard mode.
You can manually move SVMs to the Managed devices administration group or nested administration groups (for more information about moving virtual machines to administration groups, see the Kaspersky Security Center Help).
Viewing the list of SVMs connected to the Integration Server
You can view a list of all SVMs that are connected to the Integration Server in the Integration Server Web Console or the Integration Server Console.
Updating Kaspersky Security from the previous version
Upgrading the solution
You can upgrade Kaspersky Security for Virtualization 6.1 Light Agent to Kaspersky Security for Virtualization 6.2 Light Agent.
Upgrading of earlier Kaspersky Security versions to version 6.2 is not provided.
Before you begin the upgrade, you need to prepare the files required to install the solution and complete the steps necessary to prepare the virtual infrastructure for installation of the solution.
Upgrading the solution to Kaspersky Security for Virtualization 6.2 Light Agent involves the following steps:
- Updating the Integration Server
When upgrading the solution, you can switch to the Linux-based Integration Server or continue using the Windows-based Integration Server.
If you want to continue using the Windows-based Integration Server, you need to update the Integration Server and Integration Server Console. The procedure for updating the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution (Kaspersky Security Center Windows or Kaspersky Security Center Linux).
- Updating Kaspersky Security management plug-ins
- Depending on the Kaspersky Security Center management console you use, you need to update the management web plug-ins or management MMC plug-ins of the previous version of the Protection Server and Light Agent for Linux.
- If you want to use Integration Server Web Console to manage the Integration Server, you need to install the Integration Server web plug-in.
- If you want to protect virtual machines with Windows guest operating systems, you need to install the management web plug-in or management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode).
- Updating the Protection Servers
Deploy SVMs with the new version of the Protection Server on your hypervisors.
- Preparing the Protection Servers for operation
You must follow the steps to prepare the updated SVMs and Protection Servers for operation.
- Updating Light Agent for Linux and Network Agent for Linux
To protect virtual machines with Linux guest operating systems, you need to update Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Linux guest operating systems.
For a description of the process of updating Kaspersky Endpoint Security for Linux and Network Agent for Linux, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
- Installing/updating Light Agent for Windows and Network Agent for Windows
To protect virtual machines with Windows guest operating systems, you need to install Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Windows guest operating systems.
You can use the following versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 or Kaspersky Endpoint Security for Windows 12.9.
Make sure you are downloading database updates for the correct version of Light Agent to the SVM. If you have different versions of Light Agent for Windows installed on protected devices, updates for all installed versions must be downloaded to the SVM.
If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution.
- Preparing Light Agents for operation
You need to perform the actions required to prepare Light Agents for operation.
Upgrading Light Agent for Windows
Kaspersky Security 6.2 supports two versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 and Kaspersky Endpoint Security for Windows 12.9. If you have Kaspersky Security 6.2 and Kaspersky Endpoint Security for Windows 12.8 in Light Agent mode installed, you can upgrade the Light Agent version for Windows as follows:
- Upgrade Kaspersky Endpoint Security for Windows 12.8 to version 12.9. For a description of the update process of the Kaspersky Endpoint Security for Windows application, see the application Help of the relevant version.
- Specify the new version of Light Agent for Windows in the update settings in your Protection Server policy.
The Administration Server needs some time to download database updates for Light Agents. We recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).
- Manually run the Download updates to the repository task.
- Download the update packages to the SVM. To download update packages to the SVM, you can use an automatically created Protection Server task, Updating databases and solution modules. As a result of the update task, the Protection Server gets database updates for the specified version of Light Agent.
- Upgrade the management web plug-in or MMC management plug-in of the previous version of Light Agent for Windows.
Migrating from the Windows-based Integration Server to the Linux-based Integration Server
If you previously had the Windows-based Integration Server installed in your virtual infrastructure, you need to do the following to switch to using the Linux-based Integration Server:
- Install the Linux-based Integration Server.
- Install the Integration Server Web Console.
- In Integration Server Web Console, configure the settings for connecting to the virtual infrastructures to which the Windows-based Integration Server connected.
- Update the Integration Server address in all configured Protection Server policies and Light Agent policies.
- Make sure that the SVMs are connected to the Linux-based Integration Server.
- Ensure that Light Agents are connected to the Linux-based Integration Server and to the SVMs.
- Uninstall the Windows-based Integration Server (see the solution help for the corresponding version for more details).
Uninstalling the Integration Server will delete the data used in the operation of the Integration Server, including the list of registered tenants and information about the time that virtual machines have been protected by the solution. If necessary, save tenant protection reports.
If you are using Kaspersky Security in multi-tenancy mode, after completing the procedure for switching to using the Linux-based Integration Server, you need to redeploy the tenant protection structure or register existing tenants and their virtual machines (depending on the scenario for using Kaspersky Security in multi-tenancy mode).
Updating the Windows-based Integration Server and Integration Server Console
The Windows-based Integration Server and Integration Server Console must be updated under an account that belongs to the local administrator group.
Close the Integration Server Console before starting the update.
The procedure for installing the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution:
- If you use Kaspersky Security Center Windows to manage Kaspersky Security and, in accordance with the recommendations of Kaspersky specialists, you used the Kaspersky Security Components Installation Wizard to install the Integration Server and Integration Server Console, we recommend that you also perform the update using the wizard.
You can update the Integration Server and Integration Server Console by using the Kaspersky Security Components Installation Wizard in interactive mode or in silent mode.
The update is performed by installing the new version of the Integration Server and the Integration Server Console.
During the upgrade, you can save a backup copy of the database, settings, and certificate of the previous version of the Integration Server. If errors occur in the operation of the Integration Server after an update, you can use the backup copy to restore the previous version of the Integration Server.
If you want to save a backup copy of the database and settings of the Integration Server of the previous version, the upgrade requires additional space on the drive containing the %ProgramData% folder.
- If you use Kaspersky Security Center Linux to manage Kaspersky Security, the Kaspersky Security Components Installation Wizard cannot be used to update the Integration Server and Integration Server Console. The update is performed by manually installing the new version of the Integration Server and the Integration Server Console.
Updating requires at least 4 GB of free space on the drive containing the %ProgramData% folder on the device where the previous version of the Integration Server and Integration Server Console are installed.
After upgrading the Integration Server, we recommend replacing the self-signed SSL certificate of the Integration Server with a more secure certificate. You can create a new certificate and install it using the certificate management tool included with the solution.
Updating in interactive mode using the wizard
To update the Integration Server and Integration Server Console in interactive mode using the wizard:
- On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.
The Kaspersky Security Components Installation Wizard starts.
- Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.
By default, the localization language of the operating system installed on the device where the Wizard was started is used.
- Make sure that the Install management components option is selected and proceed to the next step of the Wizard.
- If you want to save a backup copy of the database, settings, and certificate of a previously installed Integration Server, select the Create a backup copy of the Integration Server database, settings, and certificate check box. The default path is %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1). The number in the folder name is incremented with each subsequent update attempt.
The Wizard checks the amount of free space on the drive that contains the %ProgramData% folder. If there is insufficient free space on the drive, the Wizard displays an error message and you cannot proceed to the next step of the Wizard. If this is the case, close the Wizard, free up space on the drive, and restart the Kaspersky Security Components Installation Wizard.
- In the next step, read the Kaspersky Security End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data.
To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.
Proceed to the next step of the wizard.
- Create the password of the Integration Server administrator (admin) account. The admin account is used for the following purposes:
- To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
- To connect the Integration Server Web Console to the Integration Server.
Enter a password in the Password and Confirm password fields. The account name cannot be edited.
A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
Proceed to the next step of the wizard.
- Review the information about the actions that the wizard will perform and click the Install button to begin performing the listed actions.
- Wait for the wizard to finish.
If an error occurs during wizard operation, the wizard rolls back the changes made.
- Click Finish to close the Wizard window.
Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.
Updating from the command line
To update the Integration Server and Integration Server Console from the command line, run the following command:
ksvla-components_<solution version number>_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password> [--log-path=<file path>] [--createBackup] [--backupFolder=<folder path>]
where:
<solution version number> is the version number of the solution in X.X.X.X format.
-q is an option specifying that the update is performed in silent mode. If you want to run the update interactively from the command line, do not specify this option.
--lang=<language ID> is the identifier of the language of the components to install. The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.
--accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement, concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data. By setting this parameter to yes, you confirm the following:
- You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
- You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.
The text of the End User License Agreement and Privacy Policy is included in the solution's distribution kit. Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for updating the Integration Server and Integration Server Console.
You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:
ksvla-components_<solution version number>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy
The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.
--viisPass=<password> is the password of the Integration Server administrator account (admin). The admin account is used for the following purposes:
- To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
- To connect the Integration Server Web Console to the Integration Server.
A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters:
! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~
For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
--log-path=<path to file> is the path to the file where information about update results is saved. Optional parameter. By default, update results are logged to trace files saved at %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of the Kaspersky Security solution;
- <date and time> refers to the date and time when the update was completed, in the dd_MM_yyyy_HH_mm_ss format.
--createBackup indicates that it is necessary to save a backup copy of the database and settings and the certificate of the previously installed Integration Server. Optional parameter. By default, the data is saved in the %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1) folder. The number in the folder name is incremented each time an update is done. You can select the path for saving this data using the --backupFolder option.
--backupFolder=<path to folder> is the path to the folder where the backup copy of the database and settings and certificate of the previously installed Integration Server will be saved. Optional parameter. If this option is not specified, the data will be saved to the default folder.
To view a description of all available command line parameters for installing and updating Kaspersky Security components, use the --help parameter.
Updating the Integration Server and Integration Server Console takes some time.
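The password rules and update options described above can be checked before the silent update is run. The following PowerShell script is an added example, not part of the Kaspersky distribution kit; Test-ViisPassword and New-ViisUpdateArgumentList are hypothetical helper names, and the sample passwords are constructed.

```powershell
# Added example, not vendor code. Test-ViisPassword and New-ViisUpdateArgumentList
# are hypothetical helper names; the rules and options come from the text above.

function Test-ViisPassword {
    param([Parameter(Mandatory)][string]$Password)

    $problems = [System.Collections.Generic.List[string]]::new()
    $advice   = [System.Collections.Generic.List[string]]::new()

    # Hard rule: no longer than 60 characters.
    if ($Password.Length -gt 60) {
        $problems.Add("Length is $($Password.Length); the maximum is 60.")
    }

    # Hard rule: Latin letters, numerals and the listed special characters only.
    # Together these are exactly the printable ASCII range 0x21-0x7E (no space).
    $illegal = [regex]::Matches($Password, '[^\x21-\x7E]') |
        ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value } |
        Sort-Object -Unique
    if ($illegal) {
        $problems.Add("Characters outside the allowed set: $($illegal -join ', ')")
    }

    # Recommendation: at least 8 characters and three of the four categories.
    # -cmatch is case-sensitive, so [a-z] does not also match uppercase letters.
    $categories = 0
    foreach ($class in '[a-z]', '[A-Z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $class) { $categories++ }
    }
    if ($Password.Length -lt 8) { $advice.Add('Shorter than the recommended 8 characters.') }
    if ($categories -lt 3) { $advice.Add("Uses $categories of the 4 character categories; 3 are recommended.") }

    [pscustomobject]@{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
        Advice   = $advice.ToArray()
    }
}

function New-ViisUpdateArgumentList {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Language,
        [switch]$AcceptEulaAndPrivacyPolicy,
        [string]$LogPath,
        [switch]$CreateBackup,
        [string]$BackupFolder
    )

    # The language ID is case-sensitive, so compare with the case-sensitive -cnotin.
    $languages = 'ru', 'en', 'de', 'fr', 'zh-Hans', 'zh-Hant', 'ja'
    if ($Language -cnotin $languages) { throw "Unsupported language ID '$Language'." }
    if (-not $AcceptEulaAndPrivacyPolicy) { throw 'Accepting the EULA and Privacy Policy is a prerequisite for the update.' }
    # Assumption: --backupFolder is only meaningful together with --createBackup.
    if ($BackupFolder -and -not $CreateBackup) { throw '-BackupFolder requires -CreateBackup.' }

    $check = Test-ViisPassword -Password $Password
    if (-not $check.Valid) { throw ($check.Problems -join ' ') }

    $arguments = @('-q', "--lang=$Language", '--accept-EulaAndPrivacyPolicy=yes', "--viisPass=$Password")
    if ($LogPath)      { $arguments += "--log-path=$LogPath" }
    if ($CreateBackup) { $arguments += '--createBackup' }
    if ($BackupFolder) { $arguments += "--backupFolder=$BackupFolder" }

    [pscustomobject]@{
        Arguments = $arguments
        # Same list with the password masked, suitable for a change record.
        Redacted  = $arguments -replace '^(--viisPass=).*$', '$1********'
        Advice    = $check.Advice
    }
}

# Constructed sample values, for demonstration only.
foreach ($sample in 'Tr1cky#Pass', 'alllowercase', 'has space 1A') {
    $r = Test-ViisPassword -Password $sample
    '{0,-14} valid={1} problems=[{2}] advice=[{3}]' -f $sample, $r.Valid,
        ($r.Problems -join '; '), ($r.Advice -join '; ')
}

$plan = New-ViisUpdateArgumentList -Password 'Tr1cky#Pass' -Language 'en' `
    -AcceptEulaAndPrivacyPolicy -CreateBackup
$plan.Redacted -join ' '
```

In real use, read the password with Read-Host -AsSecureString instead of hard-coding it. The installer still receives it as a command-line argument, so it can appear in process listings and in process-creation audit logs that record command lines.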
About updating management plug-ins
The Protection Server management plug-in is updated by installing a new version of the management plug-in. After installing the Protection Server management plug-in, it is recommended to run the Download updates to the repository task in Kaspersky Security Center and make sure that the task completes successfully. For details, please refer to the Kaspersky Security Center help.
Policies and tasks configured in Kaspersky Security Center for the previous version of Kaspersky Security components are not compatible with the updated version of the solution. If you use the Kaspersky Security Center Administration Console to manage solution components, after updating the management MMC plug-ins, you can migrate previously configured policy and task settings to the policies and tasks for the updated version of solution components. Settings are migrated using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).
The converted policies and tasks use the settings of policies and tasks of the previous version of Kaspersky Security components. The settings that were not configured in the policies and tasks of the previous version take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".
The policy and task conversion procedure is not available in Kaspersky Security Center Web Console. If you are using the Web Console to manage solution components, you must create new policies and tasks for the updated solution components.
Management plug-ins of the previous version continue to operate after installation of the new version of the Kaspersky Security management plug-ins. You can use them to manage SVMs and Light Agents of the previous version of Kaspersky Security.
After all the application components are updated, you can remove the management plug-ins of the previous version.
About the upgrade of the Protection Server
The Protection Server is updated by deploying SVMs with the new version of the Protection Server in the virtual infrastructure. You can deploy SVMs in the following ways:
- Using the Integration Server Web Console.
- Using the Integration Server Console.
- Without using the Integration Server management consoles, using the Integration Server REST API (see the description of REST API requests).
You can also deploy SVMs using the virtual infrastructure tools and then configure SVM settings using the klconfig script API manually or using automation tools.
If you are using a licensing scheme based on the number of cores in physical processors on the hypervisors, then after the solution is activated on a new SVM, Kaspersky Security may send Kaspersky Security Center an event indicating that the license restriction has been exceeded. You can ignore this event.
SVMs with the previous version of the Protection Server continue to work on hypervisors. They allow legacy Light Agents to run on virtual machines that have not yet been updated.
If you have updated all Light Agents, you can remove the SVM with the previous version of Protection Server.
SVMs that have been removed continue to be displayed in the Administration Console of Kaspersky Security Center. When the period specified in Kaspersky Security Center settings elapses (see Kaspersky Security Center help for details), the SVMs are automatically removed from the Administration Console.
You can manually remove SVMs with the previous version of the Protection Server from the Administration Console of Kaspersky Security Center as soon as the upgrade process has been completed.
About updating Light Agent for Windows 5.2
If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution. To do so:
- Remove Light Agent for Windows 5.2 from virtual machines and virtual machine templates (for details, see the Kaspersky Security for Virtualization 5.2 Light Agent Help).
- Install the Kaspersky Endpoint Security for Windows application in Light Agent mode, and Network Agent on virtual machines and virtual machine templates.
- If you use Kaspersky Security Center Administration Console to manage solution components, you can convert policies and virus scan tasks configured for Light Agent for Windows 5.2. Settings are converted using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).
Converted policies and tasks use the settings of the policies and tasks for Light Agent for Windows 5.2. Settings not present in policies and tasks in version 5.2 take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".
To use a converted policy, change its status to Active.
- Remove the policies for the Protection Server and Light Agent for Windows 5.2 along with the remaining Kaspersky Security for Virtualization 5.2 Light Agent application components:
- components for managing Kaspersky Security for Virtualization 5.2 Light Agent
- SVMs included in Kaspersky Security 5.2
For more information on removing the components of version 5.2, see the Kaspersky Security for Virtualization 5.2 Light Agent Help.
For more information about migrating from Light Agent for Windows version 5.2 to Kaspersky Endpoint Security for Windows in Light Agent mode, see Kaspersky Endpoint Security for Windows Help of the relevant version.
Removing the Kaspersky Security solution
Virtual machines and user data will no longer be protected if the Kaspersky Security solution is uninstalled.
The procedure to uninstall the Kaspersky Security solution from the virtual infrastructure consists of the following stages:
- Removing Protection Servers
To remove the Protection Server component, remove the deployed SVM from the virtual infrastructure.
If you completely uninstall the Kaspersky Security solution, you need to remove all SVMs. If necessary, you can remove only some of the SVMs.
After an SVM is removed, the protected virtual machines that were connected to it can connect to another SVM operating in the virtual infrastructure.
- Removing Light Agents and Kaspersky Security Center Network Agent
You need to remove the following from virtual machines and virtual machine templates:
- Light Agent (Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows installed in Light Agent mode)
- Kaspersky Security Center Network Agent
- Removing the Integration Server
Depending on the version of Integration Server you were using, you need to remove the Windows-based Integration Server and Integration Server Console or the Linux-based Integration Server.
- Removing Kaspersky Security management plug-ins
You need to remove the management web plug-ins on the device where Kaspersky Security Center Web Console is installed, or the management MMC plug-ins on the device where the Kaspersky Security Center Administration Console is installed.
After the Protection Server and Light Agent components are removed, the SVMs and virtual machines on which Light Agents were installed are still displayed in the Kaspersky Security Center Administration Console. After the expiration of the period specified in the Kaspersky Security Center settings (see the Kaspersky Security Center help), information about the SVMs and virtual machines is automatically deleted. You can remove this information from Kaspersky Security Center Administration Console manually after uninstalling the solution.
Removing the Protection Server
You can remove an SVM from the virtual infrastructure in the following ways:
- Using the Integration Server Web Console.
- Using the Integration Server Console.
- Without using the Integration Server management consoles, using the Integration Server REST API (see the description of REST API requests).
You can also remove SVMs manually using virtual infrastructure tools.
If you have removed all SVMs from a virtual infrastructure, we recommend deleting the connection settings for that virtual infrastructure from the list of virtual infrastructures to which the Integration Server connects to get information about the protected infrastructure. If you are using the Integration Server Console, we also recommend deleting the connection settings of that virtual infrastructure from the list of virtual infrastructure objects to which the SVM Management Wizard connects (see, for example, the "Selecting SVMs to remove" step in the SVM removal procedure).
SVM removal using the Integration Server Web Console
To remove an SVM using Integration Server Web Console, you need to create and run an SVM removal task for the Integration Server to remove the selected SVM.
After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.
When the task completes successfully, the selected SVM is removed.
To create and run an SVM removal task for the Integration Server:
- Open Integration Server Web Console and connect to the Integration Server.
- Go to the SVM management section.
- Click the New task button and select SVM removal from the drop-down list.
The Integration Server New Task Wizard will start.
- Follow the wizard instructions.
Selecting SVMs to remove
In this step, you need to select one or more SVMs that you want to remove.
The table displays information about the virtual infrastructures to which connections are configured for the Integration Server. The table also contains information about deployed SVMs. Each row of the table displays the following information about the virtual infrastructure object:
You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.
You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.
If the virtual infrastructure from which you want to remove the SVM is not in the list, you need to configure a connection from the Integration Server to this virtual infrastructure.
To select the SVMs to remove:
In the table, select the check boxes on the left of the SVMs that you want to remove.
If SVMs are being removed from an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can remove SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
The simultaneous removal of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously remove SVMs deployed within OpenStack projects that are running on the same Keystone microservice.
Proceed to the next step of the wizard.
Start an SVM removal task
This step displays information about the SVMs that will be removed by the task.
To start the SVM removal task, click the Start button.
You can monitor the task progress in Integration Server Web Console, in the SVM management section.
Removing SVMs using the Integration Server Console
You can remove SVMs using the SVM Management Wizard, which is launched in the Integration Server Console.
To remove SVMs using the SVM Management Wizard:
- Open Integration Server Console and connect to the Integration Server.
- In the SVM management section, click the SVM management button to start the SVM Management Wizard.
- Follow the wizard instructions.
Selecting an action
At this step, select the SVM removal option.
Proceed to the next step of the wizard.
Selecting SVMs to remove
At this step, select the SVMs that you want to remove.
The table displays information about virtual infrastructures, to which the connection is configured for SVM Management Wizard, as well as information about the deployed SVMs:
You can search the list of virtual infrastructure objects. The search is performed based on the value in the Name/Address column and starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.
To select the SVMs to remove:
In the table, select the check boxes on the left of the SVMs that you want to remove.
If SVMs are being removed in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous removal of SVMs deployed in different infrastructures is not supported. You can remove SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
The simultaneous removal of SVMs within OpenStack projects, which are running on different Keystone microservices, is not supported. You can simultaneously remove SVMs deployed within OpenStack projects that are running on the same Keystone microservice.
If the list does not contain the virtual infrastructure from which you want to remove the SVM, you must configure the SVM Management Wizard connection to this infrastructure.
To configure the connection of SVM Management Wizard to the virtual infrastructure:
- Click the Add button.
- In the Virtual infrastructure connection settings window that opens, specify the following settings:
- Type
- Protocol
The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- Addresses
- OpenStack domain
The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- User name
- Password
- Click the Connect button.
The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.
The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.
Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.
For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.
To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.
If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.
If the authenticity of the public key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the public key and continue the connection. The public key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this public key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.
If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.
You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.
You can use buttons in the Name/Address column to:
- Remove selected virtual infrastructure from the list.
The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.
- If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.
After the settings are modified, the Wizard verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.
Proceed to the next step of the wizard.
Starting SVM removal
At this step, the Wizard window shows the number of SVMs selected for removal.
To start removing SVMs, proceed to the next step of the wizard.
SVM removal
At this step, SVMs are removed from hypervisors. The process takes some time. Please wait until the process is complete.
The window displays information about the removal of each SVM, including the status of its progress, one row at a time: Processing N%, Pending, Skipped, Completed, Error.
Proceed to the next step of the wizard.
Finishing SVM removal
This step displays information about the SVM removal results in the virtual infrastructure.
The wizard displays links that you can use to open a brief report and the SVM Management Wizard log.
You can view the following information in the brief report:
- Addresses of the hypervisors from which SVMs were removed, or names of the OpenStack projects within which SVMs were removed (depending on type of the virtual infrastructure).
- Names of removed SVMs.
- Brief description of the completed stages of removal of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.
The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.
If the SVM removal process ends with an error, you can use the SVM Management Wizard log when contacting Technical Support.
The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.
Finish the wizard.
Removing Light Agents and Network Agent
You can remove Light Agent and Kaspersky Security Center Network Agent from a virtual machine using Kaspersky Security Center. Uninstallation is performed using a Remote Application Removal task in the Kaspersky Security Center Administration Console or in the Kaspersky Security Center Web Console. For details, please refer to the Kaspersky Security Center help.
For other removal methods, see the Help of the application that you are using in Light Agent mode.
Removing the Windows-based Integration Server and Integration Server Console
The procedure for removing the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution:
- If you are using Kaspersky Security Center Windows and, in accordance with the recommendations of Kaspersky experts, you used the Kaspersky Security Components Installation Wizard to install the Integration Server and Integration Server Console, we recommend using the wizard to remove them as well.
You can remove the Integration Server and Integration Server Console by using the Kaspersky Security Components Installation Wizard in interactive mode or in silent mode.
- If you are using Kaspersky Security Center Linux, the Kaspersky Security Components Installation Wizard cannot be used to remove the Integration Server and Integration Server Console. Removal is performed manually.
You can remove the Integration Server without preserving the data used by the Integration Server.
If you remove the Integration Server and preserve its data, the following data of the Integration Server will be saved:
- The SSL certificate used to establish a secure connection to the Integration Server.
- Internal accounts of the Integration Server, which are used to connect management consoles, SVMs, and Light Agents to the Integration Server.
- Settings for connecting the Integration Server to hypervisors, virtual infrastructure administration servers, NSX Manager, Kaspersky Security Center Administration Server.
- If the Kaspersky Security solution is used in multi-tenancy mode: a list of registered tenants and information about the time that virtual machines were protected by the solution.
- SVM service data.
- Trace files of the Integration Server and Integration Server Console.
A backup copy of the Integration Server data from the previous version of Kaspersky Security can also be saved if you saved a backup copy of the database and settings and the certificate of the Integration Server in the default folder (%ProgramData%\Kaspersky Lab\VIISLA\Backup\) when upgrading the solution to Kaspersky Security for Virtualization 6.2 Light Agent.
The saved data and settings are automatically used when you install the Integration Server again.
If you remove the Integration Server without preserving its data, all data used in the operation of the Integration Server, as well as the backup copy of the Integration Server data from the previous version of Kaspersky Security, are removed along with the Integration Server if the backup copy is located in the default folder.
If, when saving a backup copy of the Integration Server data from the previous version of Kaspersky Security, you specified a different folder than the default folder, then when you remove the Integration Server, the backup copy of the data is not deleted automatically. You can delete a backup copy of Integration Server data manually.
Removing using the Kaspersky Security Components Installation Wizard
If you want to save the data used in the operation of the Integration Server, you need to remove the Integration Server using the Kaspersky Security Components Installation Wizard in interactive mode.
To remove the Integration Server and Integration Server Console in interactive mode:
- In the list of applications installed on the operating system, select Kaspersky Security for Virtualization <version number> Light Agent – management components for removal.
- If you want to save the Integration Server data, click the Save button in the window prompting you to save data.
To remove the Integration Server and Integration Server Console in silent mode, enter the following in the command line:
ksvla-components_<version number>_mlg.exe -q -uninstall
where <version number> is the version number of the solution in X.X.X.X format.
Removing manually
To remove the Integration Server Console, run the following command:
msiexec.exe /X {87C1E11A-03CA-45F7-8693-117909354B43} /qn
To remove the Integration Server while preserving the data used by the Integration Server, run the following command:
msiexec.exe /X {4239BB9B-1D87-427D-9C5D-26D8444BE585} SAVE_SETTINGS="1" /qn
To remove the Integration Server without preserving the data used by the Integration Server, run the following command:
msiexec.exe /X {4239BB9B-1D87-427D-9C5D-26D8444BE585} SAVE_SETTINGS="0" /qn
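The manual removal commands above can be wrapped so that the msiexec exit code is interpreted and the result is confirmed afterwards. The following PowerShell script is an added example, not vendor code: Test-MsiProductRegistered and Remove-ViisComponent are hypothetical helper names, the product codes and the SAVE_SETTINGS property are the ones shown above, and a per-machine installation is assumed. Run it from an elevated session.

```powershell
# Added example, not vendor code. Helper names are hypothetical.
$ConsoleCode = '{87C1E11A-03CA-45F7-8693-117909354B43}'   # Integration Server Console
$ServerCode  = '{4239BB9B-1D87-427D-9C5D-26D8444BE585}'   # Integration Server

function Test-MsiProductRegistered {
    param([Parameter(Mandatory)][string]$ProductCode)
    # Windows Installer registers per-machine products under these Uninstall
    # keys (64-bit and 32-bit registry views).
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    foreach ($root in $roots) {
        if (Test-Path -LiteralPath (Join-Path $root $ProductCode)) { return $true }
    }
    return $false
}

function Remove-ViisComponent {
    param(
        [Parameter(Mandatory)][string]$ProductCode,
        # "1" preserves the Integration Server data, "0" removes it.
        # Omit for the Integration Server Console.
        [ValidateSet('0', '1')][string]$SaveSettings
    )

    if (-not (Test-MsiProductRegistered -ProductCode $ProductCode)) {
        return [pscustomobject]@{ ProductCode = $ProductCode; ExitCode = $null; Result = 'NotInstalled' }
    }

    $msiArgs = @('/X', $ProductCode)
    if ($PSBoundParameters.ContainsKey('SaveSettings')) {
        $msiArgs += 'SAVE_SETTINGS="{0}"' -f $SaveSettings
    }
    $msiArgs += '/qn'

    # -Wait is needed because msiexec.exe returns control to the shell immediately.
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard Windows Installer exit codes.
    $result = switch ($proc.ExitCode) {
        0       { 'Removed' }
        3010    { 'RemovedRebootRequired' }
        1605    { 'NotInstalled' }
        1618    { 'AnotherInstallRunning' }
        default { 'Failed' }
    }
    # A silent (/qn) run shows no dialog, so confirm the outcome in the registry.
    if ($result -like 'Removed*' -and (Test-MsiProductRegistered -ProductCode $ProductCode)) {
        $result = 'StillRegistered'
    }
    [pscustomobject]@{ ProductCode = $ProductCode; ExitCode = $proc.ExitCode; Result = $result }
}

# Read-only status check; nothing is removed here.
foreach ($code in $ConsoleCode, $ServerCode) {
    [pscustomobject]@{ ProductCode = $code; Registered = (Test-MsiProductRegistered -ProductCode $code) }
}

# To remove, call for example:
#   Remove-ViisComponent -ProductCode $ConsoleCode
#   Remove-ViisComponent -ProductCode $ServerCode -SaveSettings 1
```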
Removing the Linux-based Integration Server
Removing the Integration Server will delete the SSL certificate used to establish a secure connection with the Integration Server, and all data used in the operation of the Integration Server: accounts, settings for connecting to infrastructures, information about tenants, and trace files. The data will be permanently deleted. If required, before starting the removal, create a backup copy of the database and Integration Server settings.
To remove the Linux-based Integration Server:
- Run the following command:
sudo apt-get purge ksvla-viis
- When prompted, confirm the removal of the Integration Server.
Removing Kaspersky Security management plug-ins
Removing web plug-ins
The web plug-ins can be removed in the Kaspersky Security Center Web Console in the list of installed plug-ins (Settings → Web plug-ins).
Removing MMC plug-ins
We recommend closing the Kaspersky Security Center Administration Console before starting the removal of the management MMC plug-ins.
The MMC plug-in for Protection Server and the MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode) are removed using the standard tools for uninstalling applications on the operating system on the device where the Kaspersky Security Center Administration Console is installed.
To remove the MMC plug-in for managing Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode):
- On the device where the Kaspersky Security Center Administration Console is installed, open the Windows registry editor and go to the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\28\Plugins key.
This key contains the data of all management plug-ins installed in the Administration Console. The name of the managed application is specified in the DisplayName value.
- Select the key that corresponds to the plug-in for the relevant version of Kaspersky Endpoint Security for Linux.
- Open the UninstallString value and copy it.
- Open the command line prompt as administrator, paste the copied value and press Enter.
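The registry lookup in the steps above can also be done from PowerShell, which lists every matching plug-in with its UninstallString for review before anything is run. This script is an added example, not vendor code: Get-KscPluginUninstallString is a hypothetical helper name, and the default DisplayName pattern is an assumption because the exact display name is not given here.

```powershell
# Added example, not vendor code. Get-KscPluginUninstallString is a hypothetical
# helper name; the registry path is the one given in the steps above.
function Get-KscPluginUninstallString {
    param(
        [string]$PluginsKey = 'HKLM:\SOFTWARE\Wow6432Node\KasperskyLab\Components\28\Plugins',
        # Assumption: wildcard pattern for the managed application's DisplayName.
        [string]$DisplayNamePattern = '*Endpoint Security*Linux*'
    )

    if (-not (Test-Path -LiteralPath $PluginsKey)) {
        throw "Key not found: $PluginsKey (is the Administration Console installed on this device?)"
    }

    # Each subkey describes one management plug-in installed in the Administration Console.
    Get-ChildItem -LiteralPath $PluginsKey | ForEach-Object {
        $values = Get-ItemProperty -LiteralPath $_.PSPath
        [pscustomobject]@{
            Key             = $_.PSChildName
            DisplayName     = $values.DisplayName
            UninstallString = $values.UninstallString
            # Flag entries that cannot be removed this way.
            HasUninstaller  = -not [string]::IsNullOrWhiteSpace($values.UninstallString)
        }
    } | Where-Object { $_.DisplayName -like $DisplayNamePattern }
}

# Lists the candidates only. Several versions may be installed side by side, so
# pick the entry for the relevant version and run its UninstallString from an
# elevated command prompt as described in the last step.
Get-KscPluginUninstallString | Format-List
```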
Application management framework
You can control the operation of solution components using the following tools:
- To manage the Protection Server component, you can use Kaspersky Security Center Web Console or the Kaspersky Security Center Administration Console.
- To manage the Integration Server component, you can use:
- The Integration Server Web Console
- Integration Server Console (only for the Windows-based Integration Server)
- The Integration Server REST API (see the description of REST API requests).
- To manage the Light Agent for Linux component, you can use:
- Kaspersky Security Center Web Console or Kaspersky Security Center Administration Console
- Management commands and tasks of Kaspersky Endpoint Security for Linux on the command line
For more information about managing Kaspersky Endpoint Security for Linux, see the application Help of the relevant version.
- To manage the Light Agent for Windows component, you can use:
- Kaspersky Security Center Web Console or Kaspersky Security Center Administration Console
- Local interface of Kaspersky Endpoint Security for Windows
- Commands for managing Kaspersky Endpoint Security for Windows from the command line
For more information about managing Kaspersky Endpoint Security for Windows, see the application Help of the relevant version.
About managing the solution using Kaspersky Security Center
Kaspersky Security Center lets you remotely manage the operation of Kaspersky Security solution components installed on client devices. In the case of the Kaspersky Security solution, the client devices of Kaspersky Security Center are SVMs with Protection Servers and virtual machines on which Light Agents are installed.
You can use Kaspersky Security Center to:
- Install and remove solution components in the virtual infrastructure.
- Start and stop Light Agents on protected virtual machines.
- Centrally manage the protection of virtual machines using policies and tasks.
- Manage license keys for the solution.
- Update the solution's databases and software modules.
- Generate reports about events that occur during the operation of the solution components.
To manage the Kaspersky Security solution via Kaspersky Security Center, you can use the following Kaspersky Security Center administration consoles:
- Kaspersky Security Center Web Console (hereinafter also referred to as "Web Console"). It is a web interface for managing a protection system based on Kaspersky applications. You can work in Kaspersky Security Center Web Console using a browser on any device that has access to the Administration Server.
The interface for managing the Kaspersky Security solution via Kaspersky Security Center Web Console is provided by management web plug-ins (hereinafter also referred to as "web plug-ins").
- Kaspersky Security Center Administration Console (hereinafter also referred to as "Administration Console"). It is a Microsoft Management Console (MMC) snap-in that is installed on the administrator's workstation and provides a user interface to the Administration Server and Network Agent administrative services.
The interface for managing the Kaspersky Security solution via Kaspersky Security Center Administration Console is provided by management MMC plug-ins for the Administration Console (hereinafter also referred to as "MMC plug-ins").
The Integration Server Console is not started via Kaspersky Security Center Web Console. If you use Web Console, you can launch the Integration Server Console using the executable file or install the Integration Server web plug-in and use Integration Server Web Console.
The set of functions available in applications running in Light Agent mode may depend on which Kaspersky Security Center management console you use. For more details, see the Help of the relevant application.
The Kaspersky Security solution is managed through Kaspersky Security Center by means of policies and tasks regardless of the administration console being used:
- Policies define the settings for the operation of Light Agents and Protection Servers.
- Tasks implement functions such as activating the solution, scanning virtual machines, and updating the solution's databases and application modules.
Using policies and tasks, you can set the same operating settings for Light Agents or Protection Servers installed on the client devices of an administration group.
For more detailed information about policies and tasks, please refer to the Kaspersky Security Center help.
About Kaspersky Security management plug-ins
The following management web plug-ins are used to manage Kaspersky Security solution components using Kaspersky Security Center:
- Management web plug-in for the Protection Server (Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server).
- Management web plug-in for managing the Integration Server (Kaspersky Security for Virtualization 6.2 Light Agent – Integration Server). After the plug-in is installed, Integration Server Web Console will be available in Kaspersky Security Center Web Console.
- Management web plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux).
- Management web plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows).
If you want to use Kaspersky Security Center Web Console to manage Kaspersky Security solution components, you need to install web plug-ins on the device on which Kaspersky Security Center Web Console is installed.
Kaspersky Security components can be managed via web plug-ins by all administrators who have access to Kaspersky Security Center Web Console through a browser.
The following management MMC plug-ins are used to manage Kaspersky Security solution components using the Kaspersky Security Center Administration Console:
- MMC plug-in for managing the Protection Server (Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server).
- Management MMC plug-in for Light Agent for Linux (Kaspersky Endpoint Security for Linux).
- Management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows).
You need to install MMC plug-ins on the device on which Kaspersky Security Center Administration Console is installed.
Starting and closing Kaspersky Security Center Web Console
To start Web Console, you need to know the web address of the Administration Server and the port number specified during Web Console installation (port 8080 is used by default). JavaScript must be enabled in the browser as well.
To start the Web Console:
- In the browser, go to <Administration Server web address>:<port number>.
The login page opens.
- Enter the name and password of your account.
- Click the Enter button.
If the Administration Server does not respond or if you specified incorrect credentials, an error message will be displayed.
After you log in, a dashboard is displayed with the last used language and theme.
For more information about the Web Console interface, refer to the Kaspersky Security Center help.
To close the Web Console:
- In the lower left corner of the screen, hover the mouse over the name of the account used to launch the Web Console.
A context menu opens.
- In the context menu, select Exit.
The Web Console closes and the login page displays.
Managing the solution using Kaspersky Security Center policies
You can use the Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console to work with policies.
You can perform the following policy management operations:
- Create a policy.
- Edit policy settings.
- Delete a policy.
- Change policy status.
- Copy and move a policy.
- Export and import a policy.
The policy settings and groups of settings have a lock attribute, which shows whether a setting or group of settings can be changed in task settings or in policies of the nested hierarchy level (for nested administration groups and virtual and secondary Administration Servers).
The following Kaspersky Security Center policies are used to manage Kaspersky Security solution settings:
- A Protection Server policy (Kaspersky Security <version number> Light Agent – Protection Server policy) is applied to SVMs. The policy defines the operating settings of Protection Servers on all SVMs included in the administration group for which the policy is configured.
The Kaspersky Security Center Initial Configuration Wizard lets you automatically create a default policy for the Protection Server. The default policy is created for the Managed devices administration group under the name Kaspersky Security for Virtualization 6.2 Light Agent – Protection Server and is applied to all SVMs placed in the Managed devices administration group or in any nested administration group.
You can change the default values of this policy's settings.
- A Light Agent for Linux policy (Kaspersky Endpoint Security for Linux <version number> policy) is applied to virtual machines with Linux guest operating systems and defines the settings of the Kaspersky Endpoint Security for Linux application used in Light Agent mode. The policy is applied on all protected virtual machines belonging to the administration group for which the policy is configured.
With a Light Agent for Linux policy, you can configure:
- Kaspersky Endpoint Security for Linux application settings
- settings for connecting Light Agent for Linux to SVMs and to the Integration Server, which are required for Kaspersky Endpoint Security for Linux to operate in Light Agent mode for protecting virtual infrastructure.
For detailed information about Kaspersky Endpoint Security for Linux policy settings, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
- A Light Agent for Windows policy (Kaspersky Endpoint Security for Windows <version number> policy) is applied to virtual machines with Windows guest operating systems and defines the settings of the Kaspersky Endpoint Security for Windows application used in Light Agent mode. The policy is applied on all protected virtual machines belonging to the administration group for which the policy is configured.
With a Light Agent for Windows policy, you can configure:
- Kaspersky Endpoint Security for Windows application settings
- settings for connecting Light Agent for Windows to SVMs and to the Integration Server, which are required for Kaspersky Endpoint Security for Windows to operate in Light Agent mode for protecting virtual infrastructure.
For detailed information about Kaspersky Endpoint Security for Windows policy settings, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
In the Light Agent policy for Windows and in the Light Agent policy for Linux, you can create policy profiles. Using policy profiles allows more flexibility in configuring the Light Agent settings on different virtual machines. A policy profile may contain settings that differ from the settings of a basic policy and that are applied to protected virtual machines when your own defined conditions (activation rules) are met.
You can create and configure policy profiles in policy properties for a Light Agent in the Policy profiles section.
For more information about managing policies and policy profiles, please refer to the Kaspersky Security Center help.
Policy settings for the Protection Server
You can use a Protection Server policy to configure the following solution settings:
- Settings for using Kaspersky Security Network (KSN) in the operation of the Protection Server.
- Settings for downloading updates of databases and application modules to SVMs.
- Settings for SNMP monitoring of SVM status.
- Settings for connecting SVMs to the Integration Server.
- Settings for connecting Light Agents to SVMs:
- Connection tags for Light Agents.
- Settings for protecting the connection between Light Agents and the Protection Server.
- Large infrastructure protection mode.
- Additional Protection Server settings.
If you want to configure additional Protection Server settings, you need to enable display of additional settings in the policy.
For information about configuring general policy settings and event settings, please refer to the Kaspersky Security Center help.
Creating a Protection Server policy
You can create a Protection Server policy using the Web Console as well as the Administration Console.
How to create a Protection Server policy in Kaspersky Security Center Web Console
How to create a Protection Server policy in Kaspersky Security Center Administration Console
Editing settings of the Protection Server policy
You can edit Protection Server policy settings using the Web Console as well as the Administration Console.
How to change Protection Server policy settings in Kaspersky Security Center Web Console
How to change Protection Server policy settings in Kaspersky Security Center Administration Console
Managing the solution using tasks
You can manage Kaspersky Security for Virtualization 6.2 Light Agent using Protection Server tasks and Light Agent tasks.
A Protection Server task is a task that runs on an SVM and determines the operation settings of the Protection Server on that SVM. You can use Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console to work with Protection Server tasks.
A Light Agent task is a task that runs on a protected virtual machine with the Light Agent component installed and implements Light Agent functions. You can manage Light Agent tasks either centrally through Kaspersky Security Center or locally on protected virtual machines. For details, see the Help of the application that you are using in Light Agent mode.
You can use the following types of tasks in Kaspersky Security Center:
- Group task – a task that is performed on the client devices of the selected administration group. In relation to the Kaspersky Security solution, group tasks are performed on SVMs or protected virtual machines that belong to administration groups.
- Task for device sets – a task that runs on one or more SVMs or protected virtual machines, regardless of their membership in administration groups.
You can manage Kaspersky Security for Virtualization 6.2 Light Agent using the following Protection Server tasks:
- Solution activation. The task lets you add a license key to the SVM to activate the solution or to extend the license period.
- Database update. During the execution of this task, the Protection Server downloads a package of database updates required for the solution to operate and installs the database updates on the SVM.
- Solution module update on the SVM. During the execution of this task, the Protection Server installs updates of the solution's application modules on the SVM.
- Database update rollback. During the execution of this task, the Protection Server rolls back the latest update of the solution's databases on the SVM.
You can perform the following actions on Protection Server tasks in Kaspersky Security Center:
The Protection Server sends information about all events that occur during task execution to the Kaspersky Security Center Administration Server. For more information about managing tasks, see Kaspersky Security Center help.
Creating a Protection Server task
You can create Protection Server tasks using the Web Console as well as the Administration Console.
How to create a Protection Server task in Kaspersky Security Center Web Console
How to create a Protection Server task in Kaspersky Security Center Administration Console
Editing the Protection Server task settings
You can edit Protection Server task settings using the Web Console as well as the Administration Console.
How to change Protection Server task settings in Kaspersky Security Center Web Console
How to change Protection Server task settings in Kaspersky Security Center Administration Console
Starting and stopping tasks for the Protection Server
You can start or stop Protection Server tasks using the Web Console as well as the Administration Console. You can start or stop a task at any time regardless of the selected task run mode.
How to start or stop a Protection Server task in Kaspersky Security Center Web Console
How to start or stop a Protection Server task in Kaspersky Security Center Administration Console
Viewing information on the progress and results of task execution
You can view information about the progress and results of Protection Server tasks using the Web Console as well as the Administration Console.
About access rights to the settings of policies and tasks in Kaspersky Security Center
Kaspersky Security Center provides role-based access to features of managed Kaspersky applications. The rights to access the settings of policies and tasks (read, write, and execute) are defined for each user who has access to the Kaspersky Security Center Administration Server. You can assign user accounts rights to perform certain actions in functional areas of the Kaspersky Security solution.
A single functional scope is allocated for the Kaspersky Security solution: Basic functionality. This functional scope includes the following settings and functions:
- Settings for connecting SVMs to the Integration Server.
- Settings for connecting Light Agents to SVMs.
- SNMP monitoring settings.
- Settings for using KSN in the operation of the Protection Server.
- Additional Protection Server settings.
- Task for activating the Kaspersky Security solution.
- Task for rolling back the solution databases, and a task for rolling back the latest database update.
- Task for updating the solution's application modules on SVMs.
The following actions are available to the user regardless of account rights in the functional areas of the Kaspersky Security solution:
- Viewing the settings of policies.
- Creating a policy.
When creating a policy, the user can configure only settings related to the functional scopes for which the user account has modification rights.
To perform the following actions with policies and tasks, the user account must have rights in the functional areas of the Kaspersky Security solution:
- Reconfiguration of a previously saved policy requires read and modification rights within the functional scopes of those settings.
- Modifying the status of a policy (active/inactive) and removing the policy requires read and modification rights within the functional scopes of the policy settings closed with a "lock". If a policy has settings that are "locked" (in other words, these settings cannot be changed in child policies), and the user does not have read and modify rights within the functional scopes of these settings, the policy cannot be deleted and its status cannot be modified. If a policy has no settings that are prohibited from being modified in child policies, the user can delete the policy or modify its status regardless of the account's rights within the functional scopes of the solution.
- Creation, removal, and configuration of the settings of tasks require read and modification rights within the functional scope of the task.
- Viewing task settings requires read permissions within the functional scope of the task.
- Execution rights within the functional scope of a task are required to run the task.
For more details on access rights to Kaspersky Security Center objects and on configuring access rights to functional areas of Kaspersky Security, see the Kaspersky Security Center Help.
About Integration Server Console
Integration Server Console is installed on a device with a Windows operating system and is launched using an executable file or via a link from the Kaspersky Security Center Administration Console (if installed on the same device).
We do not recommend using Integration Server Console to manage the Linux-based Integration Server.
The Integration Server Console contains the following sections:
- Integration Server settings
This section displays the following information:
- Version of the Integration Server with which the connection is established
- Name of the user account that was used to establish the connection to the Integration Server
- Type of authentication used when connecting to the Integration Server
- IP address in IPv4 format or the fully qualified domain name (FQDN) of the Integration Server
- Integration Server accounts
In this section, you can change the passwords of the internal Integration Server accounts used to connect management consoles, SVMs, and Light Agents to the Integration Server.
- List of connected SVMs
In this section, you can view information about SVMs that are connected to the Integration Server.
- SVM management
This section opens by default after the Integration Server Console is started. In this section, you can run the SVM Management Wizard that lets you perform the following actions:
- Deploy SVMs with the Protection Server component from an image in the virtual infrastructure.
- Reconfigure previously deployed SVMs.
- Remove SVMs.
- Infrastructure connection settings
In this section you can perform the following actions:
- View the status of the connection between the Integration Server and the virtual infrastructure.
- Change the Integration Server connection settings to the virtual infrastructure.
- If the Kaspersky Security solution is installed in VMware infrastructure, configure use of VMware NSX Manager in the operation of the solution.
- Remove the virtual infrastructure from the list of infrastructures to which the Integration Server connects.
- List of tenants
If you use the solution in multitenancy mode, in this section you can view a list of all tenants registered in the Integration Server database.
- Kaspersky Security Center connection settings
If you use the solution in multitenancy mode and the tenant protection infrastructure was deployed using the Integration Server's REST API, then in this section you can configure connection settings required for the Integration Server REST API to interact with the Kaspersky Security Center Administration Server.
Connecting to the Integration Server via Integration Server Console
If Integration Server Console is installed on the same device where the Kaspersky Security Center Administration Console is installed, you can open Integration Server Console from Kaspersky Security Center Administration Console.
If Integration Server Console is installed on a separate device independent of the Kaspersky Security Center components (for example, if you are using Kaspersky Security Center Linux), you can open Integration Server Console using the executable file located in the Integration Server Console installation folder.
About the Integration Server Web Console
If you use Kaspersky Security Center Web Console, you can manage the Integration Server using the Integration Server Web Console. Integration Server Web Console is available in Kaspersky Security Center Web Console in the Settings → Kaspersky Security for Virtualization <version number> Light Agent – Integration Server section after you install the Integration Server web plug-in.
The main page of Integration Server Web Console displays information about the connection to the Integration Server. If the connection is established, the address and port of the connection and the Integration Server version are displayed.
The Integration Server Web Console contains the following sections:
- Integration Server accounts
In this section, you can change the passwords of the internal Integration Server accounts used to connect management consoles, SVMs, and Light Agents to the Integration Server.
- List of connected SVMs
In this section, you can view information about SVMs that are connected to the Integration Server.
- SVM management
In this section, you can create the following tasks for the Integration Server:
You create tasks using the wizard. After a task is created and started, it appears in the task list and is added to the task queue on the Integration Server.
The task list in the SVM management section contains the tasks that you created and ran using the wizard (SVM deployment, reconfiguration, and removal tasks), as well as SVM image verification tasks that are created automatically when you run an SVM image integrity check while creating SVM deployment tasks. The task is placed in the list immediately after its creation and is automatically deleted from the list some time after the task has been completed (successfully or with an error) or canceled.
You can view information about each task and its execution status. By clicking the link on a task name, you can view detailed information about the task and a list of all SVMs on which the task is being executed. For Deployment and Reconfiguration tasks, you can use the link on the SVM name to view information about the execution of stages of a task on the selected SVM.
- List of virtual infrastructures
This section displays a list of virtual infrastructures to which the Integration Server connects.
In this section, you can:
- Configure the Integration Server's connection to the virtual infrastructure. For each infrastructure in which the solution will be deployed, you need to specify the settings for connecting the Integration Server to the infrastructure object that the Integration Server needs to interact with. In an infrastructure based on VMware vSphere, you can also configure a connection to VMware NSX Manager.
- Change the settings for the Integration Server's connection to the virtual infrastructure.
- View the status of the connection between the Integration Server and the virtual infrastructure.
- Remove virtual infrastructures from the list of infrastructures to which the Integration Server connects.
- Multitenancy mode
If you use the solution in multitenancy mode and the tenant protection infrastructure was deployed using the Integration Server REST API, then in this section you can specify the connection settings required for the interaction of the Integration Server REST API with the Kaspersky Security Center Administration Server.
In this section, you can also view a list of all tenants registered in the Integration Server database, regardless of the method that was used to deploy the tenant protection structure.
Connecting to the Integration Server via Integration Server Web Console
To connect to the Integration Server via Integration Server Web Console:
- In the main window of Kaspersky Security Center Web Console, select Settings → Kaspersky Security for Virtualization <version number> Light Agent – Integration Server.
The main page of Integration Server Web Console and the Connection settings window for entering the settings for connecting to the Integration Server will open.
If the connection window does not open automatically, click the Connect button located on the main page of Integration Server Web Console.
- In the Connection settings window, specify the following settings:
Using a domain account is not supported when connecting to the Integration Server via Integration Server Web Console.
Click the Connect button.
- The Integration Server web plug-in verifies the SSL certificate received from the Integration Server. If the received certificate is not trusted or does not match the previously installed certificate, the Verify certificate window with the appropriate message opens. Click the link in this window to view the details of the received certificate. If there are problems with the SSL certificate, it is recommended to make sure that the utilized data transfer channel is secure.
To continue connecting to the Integration Server, click the Confirm and continue button in the Verify certificate window. The certificate that has been received is installed as a trusted certificate.
The main page of Integration Server Web Console displays the address and port of the Integration Server to which the connection is made, and the Integration Server version.
If necessary, you can open the Integration Server connection settings window by clicking Edit connection settings.
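Before clicking Confirm and continue in the Verify certificate window, it helps to have a reference copy of the certificate obtained over a path you already trust (for example, from a host on the same trusted management segment as the Integration Server) and to compare it with the details shown in the window. The following PowerShell function is an added example, not part of the Kaspersky documentation; the function name is hypothetical, the server address and port are placeholders for your deployment's values, and forcing TLS 1.2 is an assumption about what the server accepts.

```powershell
# Added example (not vendor code). Reads the TLS certificate that a server
# presents and returns its identifying fields. Only the TLS handshake is
# performed; no credentials or application data are sent.
function Get-PresentedCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerAddress,  # placeholder: Integration Server address
        [Parameter(Mandatory)] [int]    $Port            # placeholder: Integration Server port
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($ServerAddress, $Port)

        # Validation is bypassed on purpose: the goal is to read the
        # certificate (which may be self-signed), not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $certificate, $chain, $sslPolicyErrors)
            $true
        }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAny)
        try {
            # Assumption: the server accepts TLS 1.2.
            $ssl.AuthenticateAsClient(
                $ServerAddress, $null,
                [System.Security.Authentication.SslProtocols]::Tls12, $false)

            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                $ssl.RemoteCertificate)

            # SHA-256 over the DER-encoded certificate.
            $sha256 = [System.Security.Cryptography.SHA256]::Create()
            try {
                $digest = $sha256.ComputeHash($cert.RawData)
            } finally {
                $sha256.Dispose()
            }

            [pscustomobject]@{
                Subject           = $cert.Subject
                Issuer            = $cert.Issuer
                SerialNumber      = $cert.SerialNumber
                NotBefore         = $cert.NotBefore
                NotAfter          = $cert.NotAfter
                Sha1Thumbprint    = $cert.Thumbprint
                Sha256Fingerprint = ($digest | ForEach-Object { $_.ToString('X2') }) -join ''
            }
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $client.Close()
    }
}

# Usage (replace the placeholders with your deployment's values):
# Get-PresentedCertificate -ServerAddress '<Integration Server address>' -Port <port> | Format-List
```

If the values in the Verify certificate window differ from the reference values, do not confirm the certificate until the difference is explained, for example by a planned certificate replacement on the Integration Server.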
When the Integration Server is restarted, the connection to the Integration Server is interrupted. Re-authorization is required after a restart.
If you do not perform any action in Integration Server Web Console for 25 minutes, the connection to the Integration Server is automatically terminated. Re-authorization is required after the connection is terminated.
You can also disconnect from the Integration Server manually.
To disconnect from the Integration Server:
- In the main window of Kaspersky Security Center Web Console, select Settings → Kaspersky Security for Virtualization <version number> Light Agent – Integration Server.
- On the main page of the Integration Server Web Console, click Disconnect.
The Integration Server connection session is finished. The main page of the Integration Server Web Console indicates the absence of a connection.
You can also terminate the connection to the Integration Server by closing Kaspersky Security Center Web Console.
Licensing Kaspersky Security for Virtualization 6.2 Light Agent
This section contains information about the basic concepts associated with licensing Kaspersky applications, as well as information about the specifics of activating the Kaspersky Security solution.
About the End User License Agreement
The End User License Agreement is a binding agreement between you and AO Kaspersky Lab, stipulating the terms on which you may use the Kaspersky application.
Read through the terms of the End User License Agreement carefully before you start using the solution.
The following components of Kaspersky Security for Virtualization 6.2 Light Agent have their own end user license agreements:
- Light Agent for Linux (Kaspersky Endpoint Security for Linux application running in Light Agent mode)
- Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode)
- Network Agent for Linux, used in the operation of Kaspersky Endpoint Security for Linux
- Network Agent for Windows, used in the operation of Kaspersky Endpoint Security for Windows
You can read the terms of the end user license agreements for the Kaspersky Security solution and its components, and the Privacy Policy, which describes the processing and transfer of data, in the following ways:
- By reading the license.txt files included in the solution's distribution kit and in the distribution kits of the applications running in Light Agent mode.
- During installation of solution components.
By confirming that you agree with the End User License Agreement during initial configuration of the solution, you accept the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you must stop installing the solution and must not use the solution.
- After installing the solution components.
After installing the Kaspersky Security solution, you can find the files containing the text of the End User License Agreement for the Kaspersky Security solution and the text of the Privacy Policy:
- on the device where the management MMC plug-ins for Kaspersky Security, Windows-based Integration Server and/or Integration Server Console are installed:
%ProgramFiles(x86)%\Kaspersky Lab\KSV\Kaspersky Security for Virtualization <version number> Light Agent\EULA\license_<language identifier>.txt
where:
- <version number> refers to the number of the installed version of the Kaspersky Security solution;
- <language identifier> is the identifier of the localization language of the installed Kaspersky Security components;
- on the device where the Linux-based Integration Server is installed:
/opt/kaspersky/viis/doc/EULA/<language identifier>/license.txt
where <language identifier> is the identifier of the localization language of the Integration Server;
- On a deployed SVM:
/opt/kaspersky/ksvla/share/doc/license.<language identifier>
where <language identifier> is the identifier of the End User License Agreement localization language.
You can find files with the text of the end user license agreements for Light Agents on virtual machines where applications running in Light Agent mode are installed.
You can find files with the text of the End User License Agreement for Network Agent for Linux:
- On a virtual machine where Kaspersky Endpoint Security for Linux is installed and running in Light Agent mode
- On a deployed SVM:
/opt/kaspersky/klnagent64/share/license/license_<language identifier>.txt
where <language identifier> is the identifier of the End User License Agreement localization language.
About data provision
By accepting the terms of the Kaspersky Security End User License Agreement, you agree to automatically send the following information to Kaspersky:
- When updating Kaspersky Security databases and application modules:
- ID of Kaspersky Security
- ID of the current license
- Unique ID of the Kaspersky Security installation
- Unique ID of the update task start
- Full version of Kaspersky Security
- When following links from the Kaspersky Security interface:
- Kaspersky Security type
- Kaspersky Security version
- Kaspersky Security interface language
- ID of the web page being accessed
- Name of the link to the web page being accessed
- If an activation code is being applied to activate Kaspersky Security:
- Kaspersky Security solution activation code
- Date and time on the SVM
- Kaspersky Security solution ID
- Kaspersky Security solution ID obtained from the license
- A set of IDs of compatible applications that can be activated on the SVM
- Full version of the Kaspersky Security solution
- Localization of the Kaspersky Security solution
- Unique ID of the SVM
- Kaspersky Security solution installation ID
- family, version, edition, build number, operating system update number, and extended information about the OS edition
Information is sent periodically for the purpose of verifying that the solution is being used appropriately.
Kaspersky may use this information to generate statistical information about the distribution and use of Kaspersky software.
By using an activation code, you agree to automatically send to Kaspersky the data listed above. If you do not agree to send this information, you must use a key file to activate Kaspersky Security.
The received information is protected by Kaspersky in accordance with the requirements established by the law and the current Kaspersky rules. Data is transmitted via encrypted communication channels.
For more detailed information about processing, storage, and destruction of information obtained during the use of the solution and sent to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.
About the license
A license is a time-limited right to use a Kaspersky application, granted under the End User License Agreement.
The available functionality and period for use of the application depend on the type of license under which the application is being used.
The following license types are available for Kaspersky applications:
- Trial – a free license intended for trying out a Kaspersky application.
Trial licenses have a short validity period. When the trial license expires, Kaspersky applications no longer perform all of their functions. To continue using the application, you need to purchase a commercial license.
You can activate a Kaspersky application under a trial license for only one trial period.
- Commercial — a paid license.
The main functions of a Kaspersky application stop working when a commercial license expires.
Kaspersky Security for Virtualization 6.2 Light Agent stops updating the solution's database and using Kaspersky Security Network after the commercial license expires. You can still protect and scan virtual machines, but only using the solution databases that were installed before the license expiration date. To continue using Kaspersky Security in fully functional mode, you must renew your commercial license.
It is recommended to renew the license before its expiration date to ensure maximum protection of virtual machines against security threats.
The main licenses for Kaspersky Security for Virtualization 6.2 Light Agent are available in the following two editions:
- Standard license
- Enterprise license
A main license is required to activate the solution. The type of the main license determines how much of the solution's functionality is available.
A main license for the solution may or may not include additional Light Agent functionality (for example, integration with Kaspersky Detection and Response solutions). To activate additional Light Agent functionality, you can use separate licenses, for example, a license to activate the functionality of Kaspersky Endpoint Detection and Response Optimum. If the main license under which you are using the solution does not include the additional functionality you need, you will need to purchase a separate license to activate the additional functionality.
To clarify the range of functionality included in the main license and a license obtained for additional functionality, please contact the Kaspersky partner from whom you are purchasing the license.
Keep in mind that the scope of functionality available on the Light Agent depends on the license under which the solution is activated on the SVM:
- If you want to use the Light Agent functionality included in the Enterprise license, you need to connect the Light Agent to a SVM on which the solution is activated under the Enterprise license. When connecting to an SVM on which the solution is activated under a Standard license, less functionality is available on the Light Agent.
- If you want to use additional Light Agent functionality (for example, integration with the Kaspersky Detection and Response solution or integration with Kaspersky Unified Monitoring and Analysis Platform), you need to connect the Light Agent to an SVM on which the solution is activated under a license that includes this additional functionality, or to an SVM for which a separate license key for activating the additional functionality has been added. When a Light Agent is disconnected from the current SVM and connects to an SVM on which additional functionality has not been activated, the functionality becomes unavailable on the Light Agent.
To prevent Light Agents from switching between SVMs with different license types, you can use connection tags or a list of SVMs available for connection to limit the number of SVMs available to a Light Agent.
The following licensing schemes are available for Kaspersky Security for Virtualization 6.2 Light Agent:
- Licensing based on the number of virtual machines protected using the solution. This licensing scheme uses keys for virtual machines regardless of the operating system type, as well as server keys and desktop keys (depending on the operating system type of the virtual machines). In accordance with the license restriction, the solution is used to protect a certain number of virtual machines.
You have the right to use the Kaspersky Security solution under a license with a limitation on the number of workstations only to protect virtual machines with desktop operating system or to protect devices that are used as workstations, including as part of VDI.
- Licensing by number of cores used in the physical processors on the hypervisors on which protected virtual machines are running. This licensing scheme employs keys with a limitation on the number of processor cores. In accordance with the license restrictions, the solution is used to protect all virtual machines with the Light Agent component, which can run on hypervisors that use a certain number of physical processor cores.
- Licensing by the number of processors used on the hypervisors on which protected virtual machines are running. This licensing scheme employs keys with a limitation on the number of processors. In accordance with the license restrictions, the solution is used to protect all virtual machines with the Light Agent component, which can run on hypervisors that use a certain number of processors.
About the License Certificate
The License Certificate is a document provided together with the key file or activation code after purchasing or ordering a trial version of a Kaspersky application.
If you use the Kaspersky application under a subscription, no license certificate is issued.
The License Certificate contains the following license information:
- Information about the license user
- Information about the Kaspersky application that can be activated under the provided license
- Restrictions on the number of licensing units (for example, devices on which the application can be used under the license)
- License start date
- License expiration date or validity period
- License type
About license key
The license key (hereinafter also "key") is a sequence of bits that can be used to activate the Kaspersky application for further use in accordance with the terms of the End User License Agreement. A key is generated by Kaspersky.
You can add a license key to the application using one of the following methods: by applying a key file or by entering an activation code. After you add a key to the application, the license key is displayed in the user interface of the Kaspersky application as a unique alphanumeric sequence.
After adding keys, you can replace them with other keys.
Kaspersky can block a key over violations of the End User License Agreement. If the key is blocked, another license key must be added for the application to work.
For Kaspersky Security for Virtualization 6.2 Light Agent, the following types of license keys are available (based on the type of license restriction):
- Keys with a limitation on the number of protected virtual machines: key for virtual machines regardless of operating system type, server key, desktop key. If a key of this type is added, the solution is used to protect a specific number of virtual machines.
- Key with a limitation on the number of processor cores – If this type of key is added, the solution is used to protect all virtual machines on hypervisors using a certain number of physical processor cores.
- Key with a limitation on the number of processors – If this type of key is added, the solution is used to protect all virtual machines on hypervisors using a certain number of processors.
A license key can be added as an active key or as a reserve key.
- Active key – the license key currently being used to run the Kaspersky application. A trial license key, commercial license key (commercial key), or subscription key can be added as the active key.
To activate components of the Kaspersky Security for Virtualization 6.2 Light Agent solution, you must add the license key to the SVM.
If you are using a per-core or per-processor licensing scheme, each SVM can have only one active key providing the solution's basic functionality. If you are using a licensing scheme based on the number of virtual machines, then one SVM can have two active keys for the solution's basic functionality: a server key and a desktop key. Two keys must be added if the SVM is used to protect both servers and workstations.
If the main license under which you are using the solution does not include the additional functionality you need, then after activating the solution, you need to add an active key that provides the additional functionality to the SVM.
- Reserve key – a key that confirms the right to use the Kaspersky application, but is not currently being used. The reserve key automatically becomes active when the license associated with the current active key expires.
To extend the term of the solution's main license, you can add a reserve key for the basic functionality. If you have activated additional functionality under a separate license, you can also add a reserve key for additional functionality.
The active and reserve keys must have the same license restriction type and must correspond to the same license type (Standard license / Enterprise license).
A trial license key or a subscription key can be added only as the active key. A trial license key or a subscription key cannot be added as a reserve key. A trial license key cannot replace the active commercial key.
About the activation code
An activation code is a unique sequence of twenty Latin letters and numerals. You enter the activation code to add a license key that activates Kaspersky Security for Virtualization 6.2 Light Agent.
You receive the activation code at the email address that you provided when you bought the Kaspersky Security solution or requested the trial version of the solution.
To activate the Kaspersky Security solution with an activation code, you need Internet access in order to connect to Kaspersky activation servers.
If you have lost your activation code after activating the application, please contact the Kaspersky partner from whom you purchased the license.
About the key file
A key file is a file with the .key extension that you receive from Kaspersky. A key file is for adding a key that activates Kaspersky Security for Virtualization 6.2 Light Agent.
You receive the key file at the email address that you provided when you bought the Kaspersky Security solution or requested the trial version of the solution.
You do not need to connect to Kaspersky activation servers in order to activate the solution with a key file.
You can restore a key file if it has been accidentally deleted. To restore the key file, contact the Kaspersky partner that sold you the license.
About subscription
A Kaspersky Security subscription is a purchase of use of the solution in accordance with specific parameters (subscription expiration date, number of devices protected). You can order a subscription for Kaspersky Security from your service provider (such as your ISP). You can renew your subscription or opt out of it.
Subscription can be limited (for one year, for example) or unlimited (without an expiration date). To continue using Kaspersky Security after a limited subscription expires, you must renew it. Unlimited subscription is renewed automatically if the vendor's services have been prepaid on time.
If your subscription ends, you may be offered a grace period for subscription renewal, during which the solution retains its functionality. The vendor decides whether or not to grant a grace period and, if so, determines the duration of the grace period.
If your subscription has not been renewed by the end of the grace period, Kaspersky Security continues to work but stops updating the solution databases and stops using Kaspersky Security Network.
To use Kaspersky Security under subscription, you have to apply the activation code received from the vendor. After the activation code is applied, a subscription key (an active key that corresponds to the subscription license for the solution) is added to the solution. Information about this key is displayed in the Kaspersky Security Center interface.
SVMs on which the solution is used under a subscription send events to Kaspersky Security Center when the subscription status changes or the subscription parameters are modified by the service provider. If the subscription has expired, the SVM status in Kaspersky Security Center changes to Critical.
If you want to cancel your subscription and continue to use the solution under a commercial license, you can add a commercial key as a reserve key to an SVM in advance. This key is applied automatically as the active key when your limited subscription ends or when you cancel your unlimited subscription. To cancel your subscription, contact the vendor that sold you Kaspersky Security.
A subscription key can be added only as the active key. A subscription key cannot be added as a reserve key.
Activation codes purchased under subscription may not be used to activate previous versions of Kaspersky Security.
License-specific solution functionality
The set of available functions of Kaspersky Security for Virtualization 6.2 Light Agent depends on the type of the main license.
The main license may include additional Light Agent functionality. For example, a license for Kaspersky Next XDR Expert International Edition activates the functionality available under the Enterprise license, as well as the ability to integrate with Kaspersky Unified Monitoring and Analysis Platform, Kaspersky Endpoint Detection and Response Expert, and Kaspersky Endpoint Detection and Response (KATA).
To activate additional Light Agent functionality, you can use separate licenses, for example, a license to activate the functionality of Kaspersky Endpoint Detection and Response Optimum.
To clarify the range of functionality included in the main license and a license obtained for additional functionality, please contact the Kaspersky partner from whom you are purchasing the license.
The table below lists the key functions of the solution available under the Standard and Enterprise licenses.
Comparison of solution functions available by license type
Feature | Standard license | Enterprise license |
---|---|---|
Advanced SVM selection capabilities (use of connection tags and configuration of the SVM selection algorithm) | | |
Light Agent for Linux | | |
File Threat Protection | | |
Removable Drives Scan | | |
Firewall Management | | |
Web Threat Protection | | |
Network Threat Protection | | |
Anti-Cryptor (for shared folders) | Only for servers | |
Behavior Detection | | |
Container Scan | | |
Device Control | | |
Application Control | Only for workstations | |
Web Control | | |
System Integrity Monitoring | | |
Light Agent for Windows | | |
File Threat Protection | | |
Web Threat Protection | | |
Mail Threat Protection | | |
Firewall | | |
Network Threat Protection | | |
BadUSB Attack Prevention | | |
AMSI Protection | | |
Kaspersky Security Network | | |
Behavior Detection | | |
Exploit prevention | | |
Intrusion Prevention | (functionality not available on servers) | (functionality not available on servers) |
Remediation Engine | | |
Log Inspection | (functionality not available on workstations) | |
Application Control | Only for workstations | |
Device Control | | |
Web Control | | |
System Integrity Monitoring | (functionality not available on workstations) | |
About activating Kaspersky Security for Virtualization 6.2 Light Agent
Solution activation is the process of activating a license that allows you to use a fully-functional version of the solution until the license expires.
To activate Kaspersky Security for Virtualization 6.2 Light Agent, you need to add the main license key for the solution to all the SVMs. Adding a key to an SVM lets you activate all components of the solution. You do not need to separately activate the applications used as Light Agents in the solution.
If your main license does not include additional Light Agent functionality that you need (for example, integration with the Kaspersky Detection and Response solution), then in order to use this functionality, you need to add a separate license key for activating the additional functionality to the SVM after you add the main license key for the solution.
To add reserve keys to the SVM, use the Solution activation task for the Protection Server. The activation task allows you to add a key that is stored in the Kaspersky Security Center key storage to the SVM.
Automatic distribution of license keys is not supported.
Put a key in the Kaspersky Security Center key storage while creating an activation task or in advance. You can add a key to the Kaspersky Security Center key storage in one of the following ways:
- Using the key file
- Using the activation code
After activating the solution on an SVM, the Protection Server component installed on this SVM sends license information to Light Agents connected to the SVM. If the key status changes, the Protection Server notifies the Light Agents.
If the license information is not sent, the Light Agent ceases to perform its functions.
Information about license keys added to the SVM can be viewed in the Kaspersky Security Center Administration Console or in the Web Console. You can view information about the license used by Light Agent on a protected virtual machine with Light Agent.
The solution must be activated on an SVM with an accurate system date and time. If the system date and time are changed after activation of the solution, the key becomes void. The solution switches to a mode without database updates, and Kaspersky Security Network is unavailable. In this case, you need to redeploy the SVM and activate the solution on the SVM.
If your infrastructure has multiple instances of the Kaspersky Security solution installed and running on multiple Kaspersky Security Center Administration Servers that are not organized in a hierarchy, you can activate different instances of Kaspersky Security by adding the same key. A key previously added to an SVM administered by a single Kaspersky Security Center Administration Server can be added to an SVM administered by a different Kaspersky Security Center Administration Server if the validity period of the license linked to the key has not expired.
When license restrictions are checked, the total number of licensing units on which the key is used on all Kaspersky Security Center Administration Servers is taken into account.
To use a previously added key without violating licensing restrictions:
- Remove SVMs on which the solution has been activated using this key on the same Kaspersky Security Center Administration Server.
- Create and run a Solution activation task on a different Kaspersky Security Center Administration Server. A key added to the Kaspersky Security Center key storage can be exported in advance from one Kaspersky Security Center Administration Server to another Administration Server (see the Kaspersky Security Center help for details).
Conditions for activating the solution using an activation code
To be able to add a key to the Kaspersky Security Center key storage and activate the solution using an activation code, you need a connection to Kaspersky activation servers. The Key Storage Wizard sends data to Kaspersky activation servers to validate the activation code that was entered.
The activation proxy service establishes a connection to the activation servers. If the activation proxy service is disabled, the key cannot be added to the storage by using an activation code. If Internet access is provided via a proxy server, the proxy server settings must be configured in the properties of the Kaspersky Security Center Administration Server.
For more detailed information about the activation proxy service and proxy server settings, please refer to the Kaspersky Security Center help.
Important considerations when adding keys
When adding keys, you should take the following into consideration:
- You cannot add multiple active license keys of the same type providing basic functionality to a single SVM (for example, multiple server keys or multiple keys with a restriction on the number of processors). If a license key has already been added to an SVM, and you add a new key of the same type, then the new key replaces the previously added key.
- If you are using a licensing scheme based on the number of protected virtual machines that distinguishes server keys and desktop keys, on the SVM you must add a key that matches the type of the guest operating system of the virtual machines you want to protect:
- If the SVM only protects virtual machines with server operating systems, you need to add a server key to the SVM.
- If the SVM only protects virtual machines with desktop operating systems, you need to add a desktop key to the SVM.
- If the SVM protects virtual machines with server operating systems and desktop operating systems, you need to add two keys to the SVM: a server key and a desktop key.
If you are using a licensing scheme based on the number of protected virtual machines regardless of the operating system type, a licensing scheme based on the number of CPU cores, or a licensing scheme based on the number of CPUs, you need one key (with the corresponding licensing limitation) regardless of the operating system of the protected virtual machines.
- Simultaneous use of keys corresponding to different licensing schemes to activate basic functionality on SVMs is not supported. If a license key providing basic functionality has already been added to an SVM, and you add a new key corresponding to a different licensing scheme, then the new key replaces the previously added key. For example, suppose a desktop key and a server key have been added to SVMs (licensing scheme based on the number of virtual machines), and then you add a core-limited key (licensing scheme based on the number of cores). The task will remove the active and (if any) reserve desktop and server keys. They are replaced by the key with a limitation on the number of processor cores, which is added as an active key.
A desktop key and server key can be used simultaneously on SVMs — these keys correspond to the same licensing scheme (based on the number of virtual machines).
- A key that was removed from one SVM can be added to another SVM if the term of the license bound to the key has not expired.
- Simultaneous use of commercial keys and subscription keys on an SVM is not supported. For example, if you add a commercial key on an SVM with a previously added subscription key, the subscription key is removed from the SVM. The commercial key is added in its place.
- A reserve key can be added only if an active key has been added. The active and reserve keys must have the same license restriction type and must correspond to the same license type (Standard license / Enterprise license).
- A key for additional functionality can be added to an SVM regardless of the type of main license key added to that SVM.
- A key for additional functionality can be added only after adding the main license key for the solution.
- You cannot add multiple active license keys to an SVM to activate the same additional functionality of Light Agents (for example, multiple keys to activate the Kaspersky Endpoint Detection and Response Optimum functionality). If an SVM already has some additional functionality activated and you add a new key to activate the same additional functionality, the new key replaces the previously added key.
Procedure for activating the solution
To activate the solution:
- Create a Solution activation task for the Protection Server. The task scope must include the SVMs on which you want to activate the solution.
When creating a task, use the main solution license key added to the Kaspersky Security Center key storage. You can add a license key to the Kaspersky Security Center key storage in advance or when creating an activation task.
- Run the Solution activation task and make sure that the task completed successfully.
If you add an active key, the task activates the solution on those SVMs on which an active key was missing. On SVMs on which the solution is already activated, the task replaces the old key with the new one.
If the number of licensing units for which the key is used exceeds the number specified in the License Certificate, Kaspersky Security sends the Kaspersky Security Center Administration Server an event indicating a violation of license restrictions (for more information, see the Kaspersky Security Center Help).
- If the main license under which you have activated the solution does not include the additional Light Agent functionality that you need, you need to create and run another activation task. When creating this task, use a license key that provides the additional functionality. Adding a key that provides the additional functionality is no different from adding the main license key for the solution.
- Make sure that Light Agents are connected to the SVMs to which you added the license key.
Adding a key to the key storage of Kaspersky Security Center
You can add keys to the Kaspersky Security Center key storage using the Web Console as well as the Administration Console.
You can use keys added to the Kaspersky Security Center key storage when creating a Solution activation task for the Protection Server.
Creating a Solution activation task
You can create solution activation tasks using the Web Console as well as the Administration Console.
How to create an Activation task in Kaspersky Security Center Web Console
How to create an activation task in Kaspersky Security Center Administration Console
If you have set a task launch schedule, the task will run in accordance with this schedule. You can also run the Solution activation task manually at any time.
You can view information about the progress and results of the task in Kaspersky Security Center.
Renewing a license
When your license is about to expire, you can renew it by adding a reserve key. This lets you avoid any limitations on solution functionality after the current license expires and before you activate the solution under a new license.
The type of reserve key must match the type of the previously added active key.
If you are using a licensing scheme based on the number of protected virtual machines that distinguishes server keys and desktop keys, the type of the reserve key must match the type of the guest operating system of the virtual machines. If the SVM is protecting virtual machines with server operating systems and desktop operating systems, you need to add two reserve keys to SVMs: a server key and a desktop key.
If you are using a licensing scheme based on the number of protected virtual machines regardless of the operating system type, a licensing scheme based on the number of CPUs, or a licensing scheme based on the number of CPU cores, you need one reserve key (with the corresponding licensing limitation) regardless of the operating system of the protected virtual machines.
To add a reserve key to the SVM, use the Solution activation task for the Protection Server.
You can create a Solution activation task to add a reserve key in the Administration Console or in the Web Console. At the Add a license key step of the New Task Wizard, select the Use the license key as a reserve key check box.
The task adds the reserve key on those SVMs on which the active key has already been added. The reserve key is automatically used as the active key after the Kaspersky Security license expires.
If you use an activation code to activate the solution, then when the license expires the solution automatically connects to Kaspersky activation servers in order to replace the active key that has expired. If the solution is unable to automatically connect to Kaspersky activation servers, you will have to manually start the Solution activation task in order to renew the license to use Kaspersky Security.
When one of the following conditions is met, the Solution activation task finishes with an error and the reserve key is not added:
- There is no active key on the SVM.
- The type of the reserve key being added does not match the type of the previously added active key.
If an SVM has an active key and a reserve key and you choose to replace the active key, Kaspersky Security checks the expiration date of the reserve key. If the reserve key expires before the previously renewed license term, Kaspersky Security automatically removes the reserve key. In this case, you can add a different reserve key after adding the active key.
Renewing subscription
When you use the solution under a subscription, Kaspersky Security contacts Kaspersky activation servers at specific intervals until your subscription expires.
If you use the solution under an unlimited subscription, Kaspersky Security silently checks Kaspersky activation servers for a new key and, if one is available, adds it by replacing the previous key. In this way, unlimited subscription for Kaspersky Security is renewed without user involvement.
When your subscription expires, Kaspersky Security sends the relevant information to the Administration Server of Kaspersky Security Center and stops attempting to renew the subscription automatically. Kaspersky Security stops updating the solution databases and stops using Kaspersky Security Network.
You can renew your subscription by contacting the vendor that sold you Kaspersky Security.
After renewing subscription, you have to re-run the Solution activation task that you created to activate the solution under the subscription.
Viewing information about the license keys used in Kaspersky Security Center
You can view information about the license keys used by Kaspersky Security for Virtualization 6.2 Light Agent in Kaspersky Security Center:
- In the Kaspersky Security Center key storage.
The storage displays information about all keys added to Kaspersky Security Center Administration Server.
- In the application activation properties. The properties of the Solution activation task for the Protection Server display information about the key that is added to the SVM as a result of executing this task.
- In the properties of the Kaspersky application installed on the client device. The properties of the Protection Server on an SVM display information about the keys added to the SVM. The properties of the Light Agent on a virtual machine display license information sent from the SVM.
- In the license key usage report.
You can view information about the license used by Light Agent on a protected virtual machine with Light Agent.
Viewing information about a license key in Kaspersky Security Center key storage
You can view information about license keys placed in the Kaspersky Security Center key storage using the Web Console as well as the Administration Console.
Viewing license key details in the properties of the Solution Activation task
The properties of the Solution Activation task for the Protection Server display information about the key that is added to the SVM as a result of executing this task. You can view the properties of an activation task using the Web Console as well as the Administration Console.
Viewing information about a license key added on the SVM
Information about the license keys used on a client device is displayed in the properties window of the application installed on the client device. In the case of the Kaspersky Security solution, information about the license keys added to the SVM is displayed in the properties of the Protection Server on the SVM.
You can open the properties window of the Protection Server on the SVM using the Web Console as well as the Administration Console.
How to view information about keys added to an SVM in Kaspersky Security Center Web Console
Viewing the license key usage report
Information about the license keys used by the Kaspersky Security solution is displayed in the Kaspersky Security Center key usage report. You can view the key usage report using the Web Console as well as the Administration Console.
How to generate a key usage report in Kaspersky Security Center Web Console
How to generate a key usage report in Kaspersky Security Center Administration Console
Summary information in the key usage report
The summary table contains the following information:
- License key – a unique alphanumeric sequence.
- Used as active – depends on the type of active key:
  - the number of protected virtual machines for which the key is used as the active key
  - the number of SVMs on which the key is added as an active key.
- Used as reserve – the number of SVMs on which the key is added as a reserve key. If you are using the solution under a subscription, the field value is Unavailable or 0.
- Restriction – depends on the key type:
  - the maximum number of virtual machines that you can protect
  - the maximum number of physical processor cores used across all hypervisors whose virtual machines you can protect
  - the maximum number of physical processors used across all hypervisors whose virtual machines you can protect
- Earliest license expiration date – the date when your right to use the solution activated by adding the current key expires.
- License key valid until – the key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.
The row below contains the following consolidated information:
- License keys – total number of keys in use.
- License keys used up by more than 90% – total number of keys that have been used up by more than 90% of their license restrictions. For example, the restriction is 100 virtual machines. A key is used on two SVMs: the first one protects 42 virtual machines and the second one protects 53 virtual machines. The key is therefore 95% used and is included in the number of keys specified in this field.
- License keys with exceeded restriction – total number of keys that have exceeded a license limit, such as a limit imposed on the number of simultaneously running virtual machines with server operating systems or a limit on the number of physical processors used on all hypervisors (depending on the key type).
Detailed information in the key usage report
Depending on the key type, the detailed table shows information about the SVM on which the key has been added (for a key with a limitation on the number of processors or processor cores), or information about the protected virtual machine the key is being used for (for a server or desktop key).
The detailed table contains the following information:
- Virtual Administration Server – the name of the virtual Administration Server that manages the SVM or the protected virtual machine.
- Group – the administration group to which the SVM or protected virtual machine belongs.
- Device – the name of the SVM or protected virtual machine.
- Application – the name of the Kaspersky Security solution component installed on the SVM or the protected virtual machine.
- Version number – version number of the Kaspersky Security solution component.
- Active license key – the key that has been added as an active key.
- Reserve license key – the key that has been added as a reserve key.
- License valid until – the expiration date for using the solution with this key.
- IP address – the IP address of an SVM or protected virtual machine on which the key has been added.
- Last visible on the network – the date and time when the SVM or protected virtual machine was last visible on the corporate LAN.
- Last connection date – date and time of the last connection of the SVM or protected virtual machine to Kaspersky Security Center Administration Server.
- NetBIOS name – the name of the SVM or protected virtual machine.
- Windows domain – the domain to which the SVM or the protected virtual machine belongs.
- DNS name – the DNS name of the SVM or protected virtual machine.
- DNS domain – the DNS domain to which the SVM or protected virtual machine belongs (specified only if the name of the SVM or virtual machine contains the name of the DNS domain).
- Subscription pending – indicates whether a solution subscription is pending.
- License key valid until – the key expiration date. You can activate the solution by adding this key and use the solution only before this expiration date. If you are using the solution under an unlimited subscription, the field value is Unlimited.
View information about the license on a secure virtual machine
You can view information about the license that Light Agent is using on a virtual machine with Light Agent installed:
- On a virtual machine with Light Agent for Linux: using the command kesl-control -L --query. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
- On a virtual machine with Light Agent for Windows:
  - in the local interface of Kaspersky Endpoint Security for Windows
  - using the Kaspersky Endpoint Security for Windows command avp.com LICENSE /CHECK.
  For details, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
Starting and stopping Kaspersky Security
The Protection Server component starts automatically when the operating system starts on the SVM and stops when the operating system is shut down.
An SVM deployed on a VMware ESXi hypervisor is started automatically after the hypervisor is turned on. The SVM may fail to start automatically if this function is not activated at the level of the hypervisor or if this hypervisor belongs to a VMware HA cluster. For details, please refer to the VMware documentation.
The Integration Server component starts automatically when the operating system starts on the device where the Integration Server is installed, and stops when the operating system is shut down.
The Light Agent component starts automatically when the operating system starts on a protected virtual machine and stops when the operating system is shut down.
Virtual machine protection is started automatically when the Light Agent and Protection Server components are started.
If license info is not relayed to the protected virtual machine, Light Agent operates in limited functionality mode.
Tasks are started in accordance with their schedule. You can also run tasks manually.
You can use the standard tools of the Linux operating system to start and stop Light Agent for Linux. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
You can stop and start Light Agent for Windows remotely using Kaspersky Security Center or the command line. For details, see the Kaspersky Endpoint Security for Windows Help of the relevant version.
Virtual machine protection status
You can view information about the protection status of the virtual machines as follows:
- In Kaspersky Security Center using the statuses of client devices.
- In Kaspersky Security Center, using the statuses of Light Agent functional components on virtual machines.
- On a protected virtual machine:
  - For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --app-info. The command displays information about the operation of the application and the state of the application's functional components. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
  - For Light Agent for Windows: using the Protection status widget in the local interface of Kaspersky Endpoint Security for Windows.
- In infrastructure based on the VMware vSphere platform: using security tags, which Kaspersky Security can assign to a protected virtual machine.
Statuses of client devices in Kaspersky Security Center
The protected virtual machine (the virtual machine on which the Light Agent component is installed) and the SVM are client devices for Kaspersky Security Center. Information about the state of a client device in Kaspersky Security Center is displayed by the client device status (OK, Critical, or Warning).
The client device status changes to Critical or Warning for the following reasons:
- According to the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, anti-virus databases are outdated, or the license has expired. For more details about the reasons for status changes and configuring status assignment conditions, please refer to the Kaspersky Security Center help.
- Kaspersky Security Center receives the device status from the managed application, i.e. from Kaspersky Security solution components.
Receipt of the device status from the managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.
The SVM status changes in the following cases:
- No connection to the Integration Server
- No connection to the virtual infrastructure
The status of a protected virtual machine changes in the following cases:
- No connection to the Integration Server
- No connection to the SVM
- A modification of files or modification of the registry was detected on the virtual machine
For details on client device statuses, please refer to the Kaspersky Security Center help.
Statuses of Light Agent functional components on virtual machines
Information about keys added to the SVM can be viewed in the Kaspersky Security Center Administration Console or in the Web Console.
- The properties of the application running in Light Agent mode on a virtual machine display a list of functional components of Light Agent. For each component, its status is displayed.
- The Kaspersky Security Center report on the status of application components displays information about the Light Agent functional components that are installed or not installed on the virtual machines. For each of the installed components, the report displays the number of virtual machines on which this component is installed and the number of administration groups to which these virtual machines belong.
The report on the status of application components is available in the list of report templates in Kaspersky Security Center Administration Console (on the Reports tab in the workspace of the Administration Server <server name> node), and in the Kaspersky Security Center Web Console (in the Monitoring and reporting → Reports section).
- You can create selections of virtual machines by specifying as a selection condition the status of components and/or the version number of the application running in Light Agent mode.
For more information about working with tasks and configuring device selections, see the Kaspersky Security Center Help.
About security tags
If the Kaspersky Security solution is running in a virtual infrastructure on the VMware vSphere platform and uses VMware NSX Manager, Kaspersky Security may assign the following security tags to the protected virtual machine:
- ANTI_VIRUS.VirusFound.threat=high. This tag is assigned to a virtual machine on which viruses or other malicious programs were detected.
- IDS_IPS.threat=high. This tag is assigned to a virtual machine whose inbound traffic displayed activity that is typical for network attacks.
Kaspersky Security can assign security tags only if you have enabled the use of VMware NSX Manager and configured the settings for connecting the Integration Server to VMware NSX Manager in Integration Server Web Console or Integration Server Console.
You can view the security tags assigned to the virtual machine in the properties of the virtual machine:
- In the VMware vSphere Client console, in the Hosts and Clusters section of the Summary tab.
- In VMware NSX Manager web console, in the Inventory → Virtual Machines section.
The ANTI_VIRUS.VirusFound.threat=high security tag that Kaspersky Security assigned to the virtual machine is removed automatically if running a Full Scan task on the virtual machine detects no viruses or other malicious programs. If the ANTI_VIRUS.VirusFound.threat=high security tag is manually assigned to a virtual machine using virtual infrastructure, it can be removed only manually.
An IDS_IPS.threat=high security tag assigned to the virtual machine either by Kaspersky Security or manually using virtual infrastructure tools can be removed only manually.
After manually removing the tag, you need to restart the Light Agent on the virtual machine.
For more information on how to manually remove and assign security tags, refer to the Knowledge Base.
Connecting SVMs and Light Agents to the Integration Server
For the Kaspersky Security solution to function, constant interaction between the Protection Server and the Integration Server is required. To ensure this interaction, you need to configure the connection of the SVM from the Protection Server to the Integration Server.
If you want Light Agents to receive information about SVMs via the Integration Server, or if you want to protect the connection between the Protection Server and Light Agent, you need to configure the connection of Light Agents to the Integration Server.
Information about the loss and restoration of the connection of the Light Agent and SVM to the Integration Server can be saved as events in Kaspersky Security Center.
Configuring the settings for connecting SVMs to the Integration Server
You can use the Web Console or the Administration Console to configure the connection of SVMs to the Integration Server in a Protection Server policy, for example, when creating the default policy for the Protection Server.
Configuring the settings for connecting Light Agents to the Integration Server
You can configure the settings for connecting Light Agents to the Integration Server in the Light Agent policy (in the policy of the application running in Light Agent mode). The SVM discovery settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
You need to configure the following settings for connecting to the Integration Server:
- IP address in IPv4 format or fully qualified domain name (FQDN) of the device on which the Integration Server is installed.
If the address is specified as a NetBIOS name, localhost or 127.0.0.1, connection to the Integration Server completes with an error.
- Port for connecting to the Integration Server.
By default, port number 7271 is specified.
- Password of the Integration Server administrator (password of the admin account).
Information about Integration Server connection errors may be saved in the Integration Server trace file (if you enabled the logging of information).
You can get information about the status of the Light Agent's connection to the Integration Server in the following ways:
- For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --viis-info.
- For Light Agent for Windows:
  - in the local interface of Kaspersky Endpoint Security for Windows
  - using the Kaspersky Endpoint Security for Windows command avp.com VIISINFO.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Connecting Light Agents to SVMs
To interact with the Protection Server, the Light Agent establishes and maintains a connection to the SVM on which this Protection Server is installed. You can configure the following settings for connecting the Light Agent to the SVM:
- SVM detection method. You can select the method used by Light Agents to detect SVMs that are available for connection.
- Connection tags. If you use connection tags, Light Agent can only connect to SVMs that are configured to use that connection tag.
- Protecting the connection between the Light Agent and the Protection Server. You can use encryption to protect the connection between Light Agents and Protection Servers.
- SVM selection algorithm for connection. You can specify the algorithm to be used by the Light Agents to select SVMs to connect to.
Configuring SVM discovery settings
You can configure the settings for detection of SVMs by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The SVM discovery settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
You can configure the following settings for discovery of SVMs by Light Agents:
- Method used by Light Agents to discover SVMs:
  - Use Integration Server
    If you want to use the Integration Server, configure the settings for connecting Light Agents to the Integration Server.
  - Use a custom list of SVM addresses
    If you select the Use a custom list of SVM addresses option, the Light Agent uses the extended SVM selection algorithm, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the Light Agent ignores the SVM path. In the SVM selection algorithm section, you need to set the SVM path setting to Ignore.
- If you selected the Use a custom list of SVM addresses option, you need to create a list of SVMs to which Light Agents managed by the policy can connect. You can add multiple SVM IP addresses or FQDNs to the list.
  In the list of SVM addresses, specify only fully qualified domain names (FQDNs) that correspond to a single IP address. Using a fully qualified domain name that corresponds to multiple IP addresses can lead to errors in the solution.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
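The address rules above (the Integration Server address must be an IPv4 address or FQDN and not a NetBIOS name, localhost or 127.0.0.1; each FQDN in a custom SVM list must correspond to a single IP address) can be checked before a policy is rolled out. The following is an added example, not part of the Kaspersky documentation or tooling; the function names are hypothetical, the host names and DNS data are constructed, and treating any name without a dot as a NetBIOS name is an assumption.

```python
import ipaddress
import re
import socket

DEFAULT_PORT = 7271  # default Integration Server port given on this page
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_fqdn(name):
    """True for a dotted host name. Assumption: a single-label name is a
    NetBIOS/short name and therefore not an FQDN."""
    if len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or labels[-1].isdigit():
        return False  # no dot, or looks like a malformed IPv4 address
    return all(_LABEL.match(label) for label in labels)


def check_integration_server(address, port=DEFAULT_PORT):
    """Return a list of problems with an Integration Server address and port."""
    problems = []
    if address.lower() in ("localhost", "127.0.0.1"):
        problems.append("localhost and 127.0.0.1 are rejected")
    else:
        try:
            ipaddress.IPv4Address(address)
        except ValueError:
            if not is_fqdn(address):
                problems.append("not an IPv4 address or FQDN")
    if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("port must be an integer from 1 to 65535")
    return problems


def resolve_all(name):
    """Resolve a name with the system resolver; return the distinct IP addresses."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_svm_list(addresses, resolve=resolve_all):
    """Map each entry of a custom SVM address list to its list of problems."""
    report = {}
    for entry in addresses:
        problems = []
        try:
            ipaddress.ip_address(entry)  # literal IP addresses need no lookup
        except ValueError:
            if not is_fqdn(entry):
                problems.append("not an IP address or FQDN")
            else:
                found = resolve(entry)
                if not found:
                    problems.append("does not resolve")
                elif len(found) > 1:
                    problems.append("resolves to %d addresses: %s"
                                    % (len(found), ", ".join(sorted(found))))
        report[entry] = problems
    return report


# Constructed DNS data so the example runs offline; these are not real hosts.
CONSTRUCTED_DNS = {
    "svm1.corp.example": {"10.0.0.11"},
    "svm-pool.corp.example": {"10.0.0.12", "10.0.0.13"},
}


def constructed_resolver(name):
    """Stand-in for resolve_all() that answers from CONSTRUCTED_DNS."""
    return CONSTRUCTED_DNS.get(name, set())


if __name__ == "__main__":
    for candidate in ("viis.corp.example", "VIIS01", "localhost", "127.0.0.1"):
        print(candidate, check_integration_server(candidate) or "ok")
    svm_list = ["10.0.0.10", "svm1.corp.example", "svm-pool.corp.example", "SVM02"]
    for entry, problems in check_svm_list(svm_list, constructed_resolver).items():
        print(entry, problems or "ok")
```

Call check_svm_list() without the resolve argument to query the system resolver from the network segment where the Light Agents run, since split-horizon DNS can return different answers elsewhere.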
In a large-sized virtual infrastructure running the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected the Use Integration Server option, you can configure the size of the available SVMs list that the Integration Server relays to Light Agents.
To configure the size of the list of available SVMs:
- Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
  - /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
  - %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
- Specify the OpenStackMaxSvmCountToReturn setting in the HypervisorSpecificSettings:Openstack section:
  - If you want to limit the size of the list of available SVMs that the Integration Server transmits to Light Agents, specify the number of SVMs whose information must be included in this list.
  - If you want the Integration Server to transfer the full list of available SVMs to Light Agents, specify a value of 0.
- Save the appsettings.json file.
- Restart the Integration Server.
Configuring the use of connection tags
If you want to control Light Agents' connection to SVMs using connection tags, you need to do the following:
- In the Light Agent settings: enable the use of tags by Light Agent and assign the tag that Light Agent will use to connect.
- In the Protection Server settings: enable the use of tags on the SVM and specify the tags that are allowed to connect to the SVM. Only Light Agents that are assigned the specified tags will connect to the SVM. If a Light Agent is assigned a different tag or no tag is assigned, the Light Agent will not be able to connect to this SVM.
Configuring the use of connection tags for an SVM
You can use the Web Console or the Administration Console to configure connection tags on SVMs in a Protection Server policy.
How to configure the use of tags on SVMs in Kaspersky Security Center Web Console
How to configure the use of tags on SVMs in Kaspersky Security Center Administration Console
Assigning connection tags to Light Agents
You can configure the settings for the use of tags by Light Agents in the Light Agent policy (in the policy of the application running in Light Agent mode). The tag usage settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
To assign a tag to a Light Agent to connect to an SVM, select the Use connection tag check box and enter the connection tag in the Tag field.
For a tag, you can enter a text string up to 255 characters long. You can use any character except the ; character.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Light Agents to which the tag is assigned can connect only to SVMs for which a connection to Light Agents with this tag is allowed.
Protecting the connection between the Light Agent and the Protection Server
You can configure encryption of the connection between Light Agents and Protection Servers. To do this, you need to enable encryption of the data channel between the Light Agent and the Protection Server in the Protection Server settings on the SVM and in the Light Agent settings.
A Light Agent for which connection protection is enabled can only connect to SVMs for which encryption of the data channel between the Light Agent and the Protection Server is enabled. A Light Agent for which connection protection is disabled can only connect to SVMs for which channel encryption is disabled or an unsecure connection between the Protection Server and the Light Agent is allowed.
Using encryption to protect the connection may slow the performance of the Kaspersky Security solution.
Configuring connection protection on the Protection Server
You can use the Web Console or the Administration Console to configure connection protection on the Protection Server in a Protection Server policy.
Configuring connection protection on the Light Agent
You can configure the settings for connection protection on the Light Agent in the Light Agent policy (in the policy of the application running in Light Agent mode). Connection protection settings for Light Agent for Windows are also available in the local interface of Kaspersky Endpoint Security for Windows.
By default, protection of the connection between Light Agents and the Protection Server is disabled. To enable connection protection, select the Encrypt data channel between Light Agent and the Protection Server check box.
If the check box is selected, a secure connection is established between the Light Agent, which is managed by policy, and the Protection Server on the SVM that the Light Agent is connecting to. A Light Agent for which connection protection is enabled can only connect to an SVM on which connection protection is enabled or an unprotected connection to the Protection Server is allowed.
If the check box is cleared, an unprotected connection is established between the Light Agent and the Protection Server on the SVM that the Light Agent is connecting to.
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
Configuring the SVM selection algorithm
You can specify which SVM selection algorithm Light Agents should use, and configure the settings for applying the extended SVM selection algorithm in the Light Agent policy (in the policy of the application running in Light Agent mode). For Light Agent for Windows, you can also select the algorithm in the local interface of Kaspersky Endpoint Security for Windows.
You can choose one of the following options:
If you selected the Use the extended SVM selection algorithm option, and Light Agents use the Integration Server as the SVM discovery method, you can use the SVM path slider to specify how the SVM path in the virtual infrastructure must be taken into account when selecting an SVM for connection.
If a Light Agent uses the extended SVM selection algorithm and a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if the Light Agent ignores the SVM path (the Ignore value is set for the SVM path setting).
For details about configuring the applications running in Light Agent mode, see the Help for the relevant application.
In a virtual infrastructure running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, if you selected the Use the standard SVM selection algorithm option, you can specify how to determine SVM locality relative to the Light Agent. To do so, perform the following actions:
- Open the Integration Server configuration file (appsettings.json) for editing. Depending on the version of the Integration Server, the file is located at one of the following paths:
  - /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
  - %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
- Specify the StandardAlgorithmSvmLocality setting in the HypervisorSpecificSettings:Openstack section. This parameter can take the following values:
  - ServerGroup – if this value is selected, an SVM is considered local for a Light Agent if it is located within the same server group as the virtual machine where the Light Agent is installed. This value is used by default.
  - Project – if this value is selected, an SVM is considered local for a Light Agent if it is deployed within the same OpenStack project as the virtual machine with the installed Light Agent.
  - AvailabilityZone – if this value is selected, an SVM is considered local for a Light Agent if it is located within the same availability zone as the virtual machine with the installed Light Agent.
- Save the appsettings.json file.
- Restart the Integration Server.
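The two appsettings.json procedures on this page (OpenStackMaxSvmCountToReturn and StandardAlgorithmSvmLocality) both edit the HypervisorSpecificSettings:Openstack section by hand. The following is an added example, not Kaspersky's code, of making that edit with input validation, a backup copy and an atomic replace. It assumes that the section path maps to nested JSON objects and that the values are an integer and a string respectively; the function names and the sample file are constructed for illustration.

```python
import json
import os
import shutil
import tempfile
from pathlib import Path

# Section path and setting names as given on this page. The nested-object
# layout and the value types (integer, string) are assumptions.
SECTION = ("HypervisorSpecificSettings", "Openstack")
COUNT_KEY = "OpenStackMaxSvmCountToReturn"
LOCALITY_KEY = "StandardAlgorithmSvmLocality"
LOCALITY_VALUES = ("ServerGroup", "Project", "AvailabilityZone")


def update_openstack_settings(path, max_svm_count=None, locality=None):
    """Update the two settings in place and return their previous values."""
    path = Path(path)
    # Validate the requested values before the file is touched.
    if max_svm_count is not None:
        if isinstance(max_svm_count, bool) or not isinstance(max_svm_count, int):
            raise ValueError(f"{COUNT_KEY} must be an integer")
        if max_svm_count < 0:
            raise ValueError(f"{COUNT_KEY} must be 0 (full list) or a positive number")
    if locality is not None and locality not in LOCALITY_VALUES:
        raise ValueError(f"{LOCALITY_KEY} must be one of {LOCALITY_VALUES}")

    # utf-8-sig tolerates a byte order mark. Invalid JSON raises here, so a
    # file that cannot be parsed is never rewritten.
    config = json.loads(path.read_text(encoding="utf-8-sig"))
    if not isinstance(config, dict):
        raise ValueError(f"{path} does not contain a JSON object")

    node = config
    for key in SECTION:
        node = node.setdefault(key, {})
        if not isinstance(node, dict):
            raise ValueError(f"{key} is not a JSON object in {path}")

    previous = {COUNT_KEY: node.get(COUNT_KEY), LOCALITY_KEY: node.get(LOCALITY_KEY)}
    if max_svm_count is not None:
        node[COUNT_KEY] = max_svm_count
    if locality is not None:
        node[LOCALITY_KEY] = locality

    # Keep a copy of the original, write the new content beside it, carry over
    # the permission bits, then swap the files in one step so the Integration
    # Server never reads a half-written configuration.
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(config, indent=2) + "\n", encoding="utf-8")
    shutil.copymode(path, tmp)
    os.replace(tmp, path)
    return previous


def run_constructed_demo():
    """Apply the update to a constructed appsettings.json in a temporary folder."""
    constructed = {
        "Logging": {"LogLevel": {"Default": "Information"}},  # constructed, unrelated
        "HypervisorSpecificSettings": {"Openstack": {COUNT_KEY: 0}},
    }
    with tempfile.TemporaryDirectory() as folder:
        path = Path(folder) / "appsettings.json"
        path.write_text(json.dumps(constructed), encoding="utf-8")
        previous = update_openstack_settings(
            path, max_svm_count=20, locality="AvailabilityZone")
        updated = json.loads(path.read_text(encoding="utf-8"))
        backup = json.loads(
            (path.parent / "appsettings.json.bak").read_text(encoding="utf-8"))
    return previous, updated, backup


if __name__ == "__main__":
    old, new, saved = run_constructed_demo()
    print("previous values:", old)
    print("updated section:", new["HypervisorSpecificSettings"]["Openstack"])
```

The change takes effect only after the Integration Server is restarted, as in the procedures above.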
Viewing the list of Light Agents connected to SVMs
Information about Light Agents connected to an SVM is displayed in the properties window of the Protection Server on the SVM.
You can open the properties window of the Protection Server on the SVM using the Web Console as well as the Administration Console.
How to open the list of Light Agents connected to an SVM in Kaspersky Security Center Web Console
The list of Light Agents displays the following information:
- VM name – name of the virtual machine on which Light Agent is installed.
- Address – IP address and port that the Light Agent uses to connect to the SVM.
- Operating system – version of the operating system on the virtual machine on which the Light Agent is installed.
- Virtual machine role – role of the virtual machine on which the Light Agent is installed: server or workstation.
- ID – identifier of the virtual machine on which Light Agent is installed.
- Path to VM – path in the virtual infrastructure to the virtual machine on which the Light Agent is installed.
If you want to update the information about Light Agents connected to SVMs, click the Refresh button.
Protecting large infrastructures
If the solution is used to protect a large infrastructure (more than 50,000 protected virtual machines), the interaction of the solution components with the virtual infrastructure while information about the SVMs is sent to Light Agents can increase the load on the virtual infrastructure.
To optimize the solution's performance in large infrastructures, it is recommended to configure the solution settings as follows:
- Enable large infrastructure protection mode for the Protection Server. This mode lets you reduce the load on the virtual infrastructure.
- Use the extended SVM selection algorithm.
- Select Integration Server as the method for Light Agents to discover SVMs.
If a Light Agent uses the extended SVM selection algorithm, a list of SVM addresses is selected as the SVM discovery method, and large infrastructure protection mode is enabled on an SVM, then connecting a Light Agent to this SVM is only possible if Light Agent ignores the SVM path.
You can use the Web Console or the Administration Console to enable or disable the large infrastructure protection mode when creating or editing a Protection Server policy.
How to enable large infrastructure protection mode in Kaspersky Security Center Web Console
Updating Kaspersky Security databases and application modules
The update functionality (including anti-virus signature updates and code base updates) may not be available in the solution in the territory of the USA.
Updating the databases and application modules of the Kaspersky Security solution ensures up-to-date protection of virtual machines. New viruses and other types of malware appear worldwide on a daily basis. Kaspersky Security databases contain information about threats and ways of neutralizing them. Kaspersky Security databases include antivirus databases and other Kaspersky databases important for the security of the protected infrastructure. Updating Kaspersky Security application modules lets you promptly receive important updates to Kaspersky Security solution components. To enable the Kaspersky Security solution to promptly detect threats, you need to update the solution's databases and modules regularly.
If the Kaspersky Security databases have not been updated for a long time, a notification appears in Kaspersky Security Center in the SVM properties window (in the Events section, if you are working through Kaspersky Security Center Administration Console; on the Events tab, if you are working through Kaspersky Security Center Web Console).
Updating Kaspersky Security databases and application modules may change certain Kaspersky Security settings, for example, the heuristic analysis settings that improve the effectiveness of protection and scans.
Updates of Kaspersky Security databases and application modules require a current license to use the application.
Updating Kaspersky Security databases and application modules involves the following steps:
- Downloading an update package to a Kaspersky Security update source
An update source is a resource that contains database updates and application module updates of Kaspersky applications. The Kaspersky Security Center Administration Server repository is the source of updates for Kaspersky Security for Virtualization 6.2 Light Agent.
To download updates to the Administration Server repository, use the Download updates to Administration Server repository task. The task is created automatically by the Kaspersky Security Center Initial Configuration Wizard. If the "Download updates to Administration Server repository" task is not in the list of tasks for the Administration Server, you need to create it. For details, please refer to the Kaspersky Security Center help.
The contents of the update package that Kaspersky Security Center creates in the Kaspersky Security repository depend on the update download settings configured in the Protection Server policy. By default, an update package contains the database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows. You can configure the downloading of updates as well as enable application module updates for Kaspersky Security components.
If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, make sure that the update settings in the Protection Server policy specify the same version of Light Agent that you are using.
- Downloading an update package from the Administration Server repository to a folder on the SVM
To download update packages to SVMs, use the Database update task for the Protection Server.
You can use the Update databases and solution modules task, which is created automatically after installing the MMC plug-in or the Protection Server web plug-in in Kaspersky Security Center. This task is created for the Managed devices administration group and lets you download an update package to all SVMs that are part of the Managed devices group or any nested administration group. The task is started every time an update package is downloaded to the Kaspersky Security Center Administration Server repository.
If necessary, you can change the settings of the automatically created update task or delete it and create a new Database update task for the Protection Server.
For the Protection Server to successfully download an update package from the Administration Server storage, the SVM on which the Protection Server is installed must have access to the Kaspersky Security Center Administration Server. The SVM connection to the Administration Server is configured when SVMs are deployed or reconfigured.
If Kaspersky Security databases and application modules have not been updated for a long time, the size of the update package may be large. Downloading this update package may generate additional network traffic (up to several dozen megabytes).
- Installing database updates from a folder on the SVM
The Protection Server automatically installs on SVMs the database updates necessary for the operation of the Protection Server.
Light Agent checks the availability of an update package in the folder on the SVM to which it is connected.
To receive updates to databases and application modules, the Light Agent must interact with the Protection Server via the HTTP protocol.
If an update package is available, Light Agent installs the application database updates required for the operation of Light Agent on the protected virtual machine. Database and application module updates for Light Agent are obtained using the Update local predefined task. This task is created automatically in applications running in Light Agent mode. In this task, a folder on the SVM is specified as the update source. The task starts automatically in the following cases:
- when connecting the Light Agent to the SVM, if the Kaspersky Security databases on the Light Agent are missing or do not correspond to the databases installed on the Protection Server;
- 120 minutes after the previous successful update or 20 minutes if the update fails.
You can also run the Update task manually. For details, see the Help for the application running in Light Agent mode.
- Installing Kaspersky Security application module updates from a folder on the SVM
If application module updates are included in the update package, they are installed in the following way:
- Updates to the Protection Server modules are installed on the SVM by running the Solution module update on the SVM task for the Protection Server.
From the command line, you can view the list of installed application module updates on the SVM by running the patch_list.pl script, which is located in the /opt/kaspersky/la/patching/ directory.
- Updates to Light Agent application modules are installed on virtual machines automatically by running the preset Update local task.
After installing application module updates for Kaspersky Security components, the performance of each Protection Server and Light Agent is checked. If problems are detected, the application module update is automatically rolled back.
If errors occur in the operation of the Protection Server after updating application modules, you can manually roll back the module update on the SVM.
To ensure up-to-date protection of non-persistent virtual machines, you are advised to regularly update Light Agent databases and application modules on the virtual machine templates from which non-persistent virtual machines have been deployed.
If you enabled VDI protection mode during installation of Light Agent on the virtual machine template, updates that require restarting the protected virtual machine are not installed on non-persistent virtual machines. On receiving updates that require restarting the protected virtual machine, Light Agent installed on a non-persistent virtual machine sends a message to Kaspersky Security Center informing it that the protected virtual machine template needs to be updated.
Configuring settings for downloading updates to SVMs
You can configure the following settings for downloading database and application module updates to SVMs:
- Enable updating of application modules of Kaspersky Security components.
If updating application modules is enabled, the Protection Server adds application module updates of Kaspersky Security components to the update package.
Updates to Light Agent application modules are installed automatically on protected virtual machines. To install Protection Server application module updates, use the Solution module update on the SVM task.
- Select the versions of Light Agents for which the Protection Server will receive updates. By default, an update package contains the database updates required for the operation of the Protection Server, Light Agent for Linux, and Light Agent for Windows.
Only Light Agents for which database updates are downloaded to this SVM can connect to the SVM.
If the current version of the solution supports more than one version of Light Agent for Linux or Light Agent for Windows, make sure that the update settings in the Protection Server policy specify the version of Light Agent that you are using.
You can use the Web Console or the Administration Console to configure update download settings in a Protection Server policy.
How to configure settings for downloading updates to SVMs in Kaspersky Security Center Web Console
If you have modified the list of Light Agent versions for which the Protection Server must get updates, we recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).
Creating a Database update task
You can create database update tasks on the Protection Server using the Web Console as well as the Administration Console.
How to create a Database update task in Kaspersky Security Center Web Console
How to create a Database update task in Kaspersky Security Center Administration Console
The task is started every time the update package is downloaded into the storage of the Administration Server. You can also run the Database update task manually on the Protection Server at any time.
Creating a Solution module update on the SVM task
You can create solution module update tasks on SVMs using the Web Console as well as the Administration Console.
How to create a Solution module update on the SVM task in Kaspersky Security Center Web Console
You can run the Solution module update on the SVM task manually at any time.
Rolling back the last update of Kaspersky Security databases and application modules
After Kaspersky Security databases and application modules are updated for the first time, the ability to roll back databases and application modules to their previous versions becomes available.
Every time a database update is started on the Protection Server, Kaspersky Security creates a backup copy of the existing databases and application modules and only then proceeds to update them. This makes it possible to return to the previous version of databases and application modules if necessary. The ability to roll back an update is useful if, for example, the new version of the application database contains an invalid signature that causes Kaspersky Security to block a safe application.
A rollback of the last update of Kaspersky Security databases and application modules is performed as follows:
- The Protection Server component rolls back the last update of Kaspersky Security databases and application modules on SVMs. You can roll back the last update of databases and application modules on one or more SVMs:
- The latest database update on the SVM is rolled back using the Database update rollback task for the Protection Server. The task is started from Kaspersky Security Center and is performed on the SVM.
- A script is used to roll back an application module update on SVMs.
When rolling back the latest update of databases and application modules on the SVM, the Protection Server also rolls back updates of Light Agent databases, which are located in a folder on the SVM. The Protection Server sends Light Agents an event indicating that an update is required.
- After the database and application module update is rolled back on the SVM, a special Update local task is automatically launched on the Light Agents connected to the SVM. In this task, a folder on the SVM is specified as the update source.
The update task causes the Light Agent to switch to using the previous set of Kaspersky Security databases.
Creating a Database update rollback task
You can create Database update rollback tasks using the Web Console as well as the Administration Console.
How to create a Database update rollback task in Kaspersky Security Center Web Console
How to create a Database update rollback task in Kaspersky Security Center Administration Console
You can run a Database update rollback task manually at any time.
Rolling back an application module update on an SVM
A script is used to roll back the Kaspersky Security module update on SVMs.
To roll back an application module update on SVMs,
In the command line on the SVM, run the script named patch_rollback.pl located in the /opt/kaspersky/la/patching/ folder.
The script lets you roll back only the most recently installed application module update. You can view a list of all installed updates by running the command line script named patch_list.pl located in the /opt/kaspersky/la/patching/ folder.
Using Kaspersky Security Network
The KSN functionality may not be available in the solution in the territory of the USA.
To enhance the protection of virtual machines, Kaspersky Security solution components can use data received from Kaspersky users all over the world. Kaspersky Security Network is designed for getting such data.
Kaspersky Security Network (KSN) is an infrastructure of cloud services providing access to Kaspersky online knowledge base with information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by the Kaspersky Security solution to unknown threats, improves the performance of some protection components, and reduces the likelihood of false positives.
Kaspersky Security supports the following infrastructure solutions to work with Kaspersky's reputation databases:
- Kaspersky Security Network (KSN) – A solution that receives information from Kaspersky and sends data about objects detected on user devices to Kaspersky for additional verification by Kaspersky analysts and to add to reputation and statistical databases.
- Kaspersky Private Security Network (KPSN) – A solution that allows accessing Kaspersky's reputation databases, as well as other statistical data, without sending data to Kaspersky. KPSN is designed for corporate clients who can't use Kaspersky Security Network, for example, for the following reasons:
- No connection of local workplaces to the Internet
- Legal prohibition or corporate security restrictions on sending any data outside the country or the organization's local network
If you use Kaspersky Security Network, KSN services provide Kaspersky Security solution components with information about the category and reputation of scanned files, as well as information about the reputation of scanned web addresses.
Use of Kaspersky Security Network is voluntary. You can start or stop using KSN at any time.
Settings for using KSN in the operation of Kaspersky Security solution components are specified separately for each component. For information on configuring KSN for Light Agents, see the Help of the applications that you are using in Light Agent mode.
It is recommended to specify the same KSN usage settings for the Protection Server and the Light Agent that interacts with this Protection Server.
Using KSN in the operation of the Protection Server
Use of KSN is enabled and disabled in the Protection Server policy properties.
If you have enabled the use of Kaspersky Security Network, by default the Protection Server uses KSN in extended mode. The KSN mode affects the amount of data that is transmitted to Kaspersky when KSN is being used.
The Protection Server's interaction with the KSN infrastructure is facilitated by the KSN Proxy service. To use KSN in Kaspersky Security operations, the KSN Proxy service must be enabled in Kaspersky Security Center. For more information about the KSN Proxy service, see the Kaspersky Security Center Help.
If the KSN Proxy service is disabled in Kaspersky Security Center, no data is exchanged between the Protection Server and KSN. If the use of KSN is enabled in the Protection Server policy, Kaspersky Security's performance may decrease. It is recommended to disable KSN usage in the Protection Server policy if the KSN Proxy service is disabled in Kaspersky Security Center.
The KSN infrastructure solution (KSN or KPSN) used by the Protection Server is defined in the properties of the Kaspersky Security Center Administration Server (in Administration Console, in the KSN proxy server section; or in Web Console, in the KSN proxy server settings section). In this section you can also configure KPSN settings. For details, please refer to the Kaspersky Security Center help.
About data provision when using KSN in the operation of the Protection Server
For information about data provision when Light Agents use KSN, see the Help of the applications that are used in Light Agent mode.
If you use KSN in standard mode, you agree to automatically send the following data to Kaspersky:
- Information necessary for scanning files: name and ID of the detected threat according to the Kaspersky classification, checksum of the scanned object or type of hash function, and the ID of the utilized anti-virus databases.
- Information necessary for obtaining the reputation of web addresses: the scanned web address, type of connection protocol, utilized port number, and the web address from which the user was directed to the scanned web address.
- General information: type and full version of the Kaspersky Security solution, information about solution components and about updates of the solution's application modules, and information about the operating system installed on the SVMs and protected virtual machines.
If you use KSN in Extended mode, you agree to automatically submit to Kaspersky all data listed in Kaspersky Security Network Statement. Files (or parts thereof) that could be exploited by hackers to harm the virtual machine or data stored in its operating system may also be sent to Kaspersky for analysis. Extended KSN is used by default. You can disable the use of extended KSN in the Protection Server policy properties.
You can view the text of the Kaspersky Security Network Statement in the Protection Server policy properties in the Kaspersky Security Network settings section.
For information about the storage, protection and destruction of statistical information that is obtained during the use of KSN and transmitted to Kaspersky, please refer to the Privacy Policy on the Kaspersky website.
If you do not participate in Kaspersky Security Network, the data listed in the Kaspersky Security Network Statement is not transmitted to Kaspersky.
Viewing the Kaspersky Security Network Statement
You can read the Kaspersky Security Network Statement in the Protection Server policy properties.
How to view the Kaspersky Security Network Statement in Kaspersky Security Center Web Console
Configuring the use of KSN in the operation of the Protection Server
KSN services are used in the operation of the Protection Server if the use of KSN is enabled in the active Protection Server policy. If a policy with use of KSN enabled is inactive, KSN is not used by the Protection Server.
If you want to use KSN in the operation of the Protection Server, make sure that the KSN settings are configured in the properties of the Kaspersky Security Center Administration Server (in Administration Console, in the KSN proxy server section; in Web Console, in the KSN proxy server settings section). The KSN infrastructure type (KSN or KPSN), KSN proxy server settings, and KPSN settings are defined in the Administration Server properties. For details, please refer to the Kaspersky Security Center help.
How to configure use of KSN in Kaspersky Security Center Web Console
How to configure the use of KSN in Kaspersky Security Center Administration Console
Additional Protection Server settings
You can configure the following additional settings for the Protection Server:
- Maximum number of simultaneous scan requests on the Protection Server.
- Maximum number of scan tasks started by schedule on the Protection Server.
- Maximum number of scan tasks manually started on the Protection Server.
- Trace level for the Protection Server.
You first need to enable the display of additional parameters in the Protection Server policy. By default, additional settings are not displayed.
Configuring the display of additional Protection Server settings
If you want to configure additional Protection Server settings using Kaspersky Security Center Administration Console, you need to create an AdvancedUI key whose type is REG_DWORD and set its value to 1 in the following branch of the operating system registry on the device where Kaspersky Security Center Administration Console is installed:
- HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\Products\SVM\<version number>\Settings\ – for 32-bit operating systems
- HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\KasperskyLab\Components\34\Products\SVM\<version number>\Settings\ – for 64-bit operating systems
where <version number> is the number of the installed version of the Kaspersky Security solution, in X.X.X.X format.
If you want to configure advanced SVM settings using Web Console, you need to create the file AdvancedPluginSettings.json in the following folder:
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\svm_<version number> – for devices with Windows operating systems
- /var/opt/kaspersky/ksc-web-console/server/plugins/svm_<version number> – for devices with Linux operating systems
where <version number> is the number of the installed version of the Kaspersky Security solution, in X_X_X_X format.
The structure and parameters of the AdvancedPluginSettings.json file can be viewed in the template file named ~AdvancedPluginSettings.json, located in the same folder.
The AdvancedPluginSettings.json file must contain the AdvancedUI parameter with the value 1:
{
"AdvancedUI" : 1
}
After the file is created or saved, reopen the Protection Server policy in the Web Console.
Configuring additional Protection Server settings
You can configure additional settings for the Protection Server in the Protection Server policy using Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console. You first need to enable the display of additional settings in the policy.
Reports and notifications
Various types of events occur during the operation of Kaspersky Security solution components. They can be either formal or critical. For example, the solution component can use events to notify about a successful update of the solution's databases and application modules, or to inform about an error in the operation of the solution component that must be eliminated.
A list of all solution component events is displayed in Kaspersky Security Center Administration Console and in Kaspersky Security Center Web Console. You can configure event notifications. A notification is a message containing information about an event that occurred on an SVM or a protected virtual machine. You can use notifications to promptly inform the user about events that occur during the operation of the solution.
You can generate various reports based on the events that occur during the operation of Kaspersky Security solution components.
You can use Kaspersky Security Center reports to, for example, receive information about infected files, modifications to protection settings, and the use of keys and application databases. You can generate and view Kaspersky Security Center reports in the Administration Console and in the Web Console. For detailed information about events and working with Kaspersky Security Center reports, see the Kaspersky Security Center Help.
SVM reconfiguration
You can change the following settings in the configuration of deployed SVMs:
- Mode for remote access to SVMs via SSH.
- List of virtual networks that SVMs use to connect to Light Agents, the Integration Server, and the Kaspersky Security Center Administration Server, as well as SVM IP addressing settings.
- IP addresses of DNS servers.
- Settings of SVM connection to the Kaspersky Security Center Administration Server.
- Configuration password and root account password.
You can reconfigure an SVM in the following ways:
- Using the Integration Server Web Console.
- Using the SVM Management Wizard, which is launched in the Integration Server Console.
- Without using the Integration Server management consoles, using the Integration Server REST API (open a description of REST API requests).
You can also reconfigure SVMs using the klconfig script API manually or using automation tools.
Reconfiguring SVMs using Integration Server Web Console
To manage SVM settings using Integration Server Web Console, you need to create and run an SVM reconfiguration task for the Integration Server to reconfigure the selected SVM.
After it starts, the task appears in the task list in Integration Server Web Console, in the SVM management section, and is added to the task queue on the Integration Server. You can view information about each task and its execution status.
When the task completes successfully, the selected SVM is reconfigured.
To create and run an SVM reconfiguration task for the Integration Server:
- Open Integration Server Web Console and connect to the Integration Server.
- Go to the SVM management section.
- Click the New task button and select SVM reconfiguration from the drop-down list.
The Integration Server New Task Wizard will start.
- Follow the wizard instructions.
Selecting SVM for reconfiguration
At this step, you must select the SVM or SVMs that you want to reconfigure.
The table displays information about the virtual infrastructures to which connections are configured for the Integration Server. The table also contains information about deployed SVMs. Each row of the table displays the following information about the virtual infrastructure object:
You can search the list of virtual infrastructure objects based on the Name/Address column. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the search field.
You can update the list of virtual infrastructure objects using the Refresh button above the table. When updating a list, the Integration Server verifies the SSL certificates or fingerprints of the public key, just like what happens when adding virtual infrastructure objects to the list.
If the virtual infrastructure in which you want to reconfigure the SVM is not in the list, you need to configure a connection from the Integration Server to this virtual infrastructure.
To select an SVM for reconfiguration,
In the table, select the check boxes to the left of the names of the SVMs you want to reconfigure.
If SVMs are being reconfigured in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can reconfigure SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
SVMs in OpenStack projects that are running on different Keystone microservices cannot be reconfigured simultaneously. You can simultaneously reconfigure SVMs deployed in OpenStack projects that are running on the same Keystone microservice.
Proceed to the next step of the wizard.
Entering the configuration password
At this step, specify the configuration password that was created during SVM deployment.
Proceed to the next step of the wizard.
Editing SVM network settings
At this step, you can edit the network settings of the SVM.
Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.
To change SVM network settings:
- Select the Change SVM network settings check box.
The window displays a table containing the following information about SVMs selected for reconfiguration:
- Hypervisor address
The Hypervisor address column is displayed if you are deploying the SVM to a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if you are performing SVM deployment in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
- For each SVM, specify one or more virtual networks in the Network name column.
- If you have selected to reconfigure SVMs deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, you can also specify one or more security groups for each selected network in the Security group column.
- If the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.
Proceed to the next step of the wizard.
Changing SVM IP settings
For this step, you can edit IP addressing settings used for all SVMs. You can use dynamic or static IP addressing.
To edit the IP address settings:
- Select the Edit SVM IP settings check box.
If you added virtual networks for one or more SVMs at the previous step of the Wizard, the Edit SVM IP settings check box is not displayed. You cannot proceed to the next step until the network settings of SVMs selected for reconfiguration have been configured.
- If you want to specify all network settings of the SVM manually, select Static IP addressing. This opens a table containing the following information:
- Hypervisor address
The Hypervisor address column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
- Network name
Specify the following network settings for each SVM:
- SVM IP address
- Subnet mask
- Gateway
- DNS server
- Alternative DNS
- If you want to use DHCP network settings for all SVMs, select Dynamic IP addressing (DHCP).
By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM. If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.
If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
- Hypervisor address
The Hypervisor address column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project name
The OpenStack project name column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.
Proceed to the next step of the wizard.
Changing Kaspersky Security Center connection settings
At this step, you can edit the settings of SVM connection to the Kaspersky Security Center Administration Server.
To edit the settings for connecting SVMs to Kaspersky Security Center Administration Server:
- Select the Edit settings for SVM connection to Kaspersky Security Center check box.
- Specify the following settings:
Proceed to the next step of the wizard.
Changing the configuration password and root account settings
At this step, you can modify the following settings:
- Configuration password (the password used to reconfigure SVMs).
- root account password.
- Remote access mode to the SVM over SSH for the root user account.
If you want to change the configuration password, select the Change the klconfig account password (configuration password) check box and specify the new configuration password in the Password and Confirm password fields.
If you want to change the root account password, select the Change the root account password check box and specify the new password in the Password and Confirm password fields.
Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
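The password rules above can be checked before a reconfiguration task is submitted, for example when passwords are generated by an automation tool. The following Python check is an added example, not Kaspersky code; the function name check_svm_password is hypothetical, and it assumes that the space separating the listed special characters is a separator and not an allowed character.

```python
import string

MAX_LENGTH = 60             # hard limit stated in the password rules
RECOMMENDED_MIN_LENGTH = 8  # advisory minimum stated in the password rules

# Special characters exactly as listed in the password rules. Assumption:
# the spaces between them in the list are separators, so a space is rejected.
SPECIAL = frozenset("!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~")

# The four character categories named in the strength recommendation.
CATEGORIES = {
    "lowercase letters": frozenset(string.ascii_lowercase),
    "uppercase letters": frozenset(string.ascii_uppercase),
    "numerals": frozenset(string.digits),
    "special characters": SPECIAL,
}
ALLOWED = frozenset().union(*CATEGORIES.values())


def check_svm_password(password):
    """Return (errors, warnings) for a candidate password.

    errors   -- violations of the hard rules (maximum length, character set)
    warnings -- deviations from the advisory strength guidance
    The password itself is never echoed in the messages.
    """
    errors, warnings = [], []

    if len(password) > MAX_LENGTH:
        errors.append(f"longer than {MAX_LENGTH} characters ({len(password)})")

    # Explicit ASCII sets are used instead of str.isalpha()/str.islower(),
    # which would accept non-Latin letters such as Cyrillic look-alikes.
    # Each disallowed character is reported once, by code point, so that
    # invisible or look-alike characters are identifiable.
    bad = sorted({ch for ch in password if ch not in ALLOWED})
    if bad:
        shown = ", ".join(f"U+{ord(ch):04X}" for ch in bad)
        errors.append(f"characters outside the allowed set: {shown}")

    if len(password) < RECOMMENDED_MIN_LENGTH:
        warnings.append(f"shorter than {RECOMMENDED_MIN_LENGTH} characters")

    used = [name for name, chars in CATEGORIES.items()
            if any(ch in chars for ch in password)]
    if len(used) < 3:
        warnings.append(
            f"uses {len(used)} of 4 character categories; at least 3 are advised"
        )

    return errors, warnings


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    samples = [
        "Tr1cky#Pass",       # satisfies every rule
        "short1A",           # allowed, but below the advised length
        "with space1A",      # contains a space
        "P\u0430ssw0rd!",    # contains Cyrillic U+0430 instead of Latin "a"
        "A1!" + "a" * 58,    # 61 characters
    ]
    for number, sample in enumerate(samples, start=1):
        errors, warnings = check_svm_password(sample)
        print(f"sample {number}: errors={errors} warnings={warnings}")
```
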
If you want to change the mode of remote access over SSH to the SVM, select the Change remote access for the root account check box, and then select or clear the Allow remote access to SVM for the root account via SSH check box.
Proceed to the next step of the wizard.
Start task for SVM reconfiguration
This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
This step displays all the settings of the created SVM reconfiguration task for the Integration Server:
- The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
- The list at the top of the window contains information about which configuration settings will be changed for all the SVMs that you selected when creating the task. For the settings that will be changed, the new value is displayed.
- The table at the bottom of the window contains the individual settings for each SVM.
To start the SVM reconfiguration task, click the Start button.
You can monitor the task progress in Integration Server Web Console, in the SVM management section.
Start task for SVM reconfiguration (OpenStack)
This step is displayed if you are reconfiguring an SVM in a virtual infrastructure running the TIONIX Cloud Platform or in a virtual infrastructure running the OpenStack platform.
This step displays all the settings of the created SVM reconfiguration task for the Integration Server:
- The task name is generated automatically and contains the task type. You can use this name to find the task in the list in Integration Server Web Console, in the SVM management section.
- The upper part of the window displays the IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project in which the SVMs are deployed. The list below contains information about which configuration settings will be changed for all the SVMs that you selected when creating the task. For the settings that will be changed, the new value is displayed.
- The table at the bottom of the window contains individual settings for each SVM:
To start the SVM reconfiguration task, click the Start button.
You can monitor the task progress in Integration Server Web Console, in the SVM management section.
SVM reconfiguration using the Integration Server Console
To change the SVM configuration using the SVM Management Wizard:
- Open Integration Server Console and connect to the Integration Server.
- In the SVM management section, click the SVM management button to start the SVM Management Wizard.
- Follow the wizard instructions.
Selecting an action
At this step, choose the SVM reconfiguration option.
Proceed to the next step of the wizard.
Selecting SVM for reconfiguration
At this step, you must select the SVM or SVMs that you want to reconfigure.
The table displays the following information about the virtual infrastructures, to which the SVM Management Wizard connection is configured, as well as information about the deployed SVMs:
You can search the list of virtual infrastructure objects. The search is performed based on the value of the Name/Address column. The search starts as you type in the Search field. The table displays only those virtual infrastructure objects that meet the search criteria. To reset the search results, delete the contents of the Search field.
To select an SVM for reconfiguration:
In the table, select the check boxes to the left of the names of the SVMs you want to reconfigure.
If SVMs are being reconfigured in an infrastructure based on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform, simultaneous reconfiguration of SVMs deployed in different infrastructures is not supported. You can reconfigure SVMs in only one of these infrastructures at a time, or in one or more infrastructures of other types.
SVMs in OpenStack projects that are running on different Keystone microservices cannot be reconfigured simultaneously. You can simultaneously reconfigure SVMs deployed in OpenStack projects that are running on the same Keystone microservice.
If the list does not contain the virtual infrastructure in which you want to reconfigure SVMs, you must configure the SVM Management Wizard connection to this virtual infrastructure.
To configure the connection of SVM Management Wizard to the virtual infrastructure:
- Click the Add button.
- In the Virtual infrastructure connection settings window that opens, specify the following settings:
- Type
- Protocol
The Protocol field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- Addresses
- OpenStack domain
The OpenStack domain field is displayed if you are configuring a connection to a virtual infrastructure based on the OpenStack platform, VK Cloud platform or TIONIX Cloud Platform.
- User name
- Password
- Click the Connect button.
The Virtual infrastructure connection settings window closes. The Wizard adds the selected virtual infrastructure objects to the list and attempts to establish a connection.
The Wizard verifies the authenticity of all virtual infrastructure objects with which the connection is established.
Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.
For Keystone microservices, authenticity is verified only when using the HTTPS protocol to connect the SVM Management Wizard to the virtual infrastructure.
To verify authenticity, the Wizard receives the SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.
If the authenticity of the received certificate(s) cannot be established, the Verify certificate window opens with a message about this. Click the link in this window to view the details of the received certificate. If the certificate complies with the security policy of your organization, you can confirm the authenticity of the certificate and continue connecting to the virtual infrastructure object. The received certificate will be installed as a trusted certificate on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this certificate to be authentic, click the Cancel button in the Verify certificate window to disconnect, and replace the certificate with a new one.
If the authenticity of the public key could not be established, the Verify public key fingerprint window opens with a message about this. You can confirm the authenticity of the public key and continue the connection. The public key fingerprint will be saved on the device where the Kaspersky Security Center Administration Console is installed. If you do not consider this public key to be authentic, click the Cancel button in the Verify public key fingerprint window to terminate the connection.
If a connection cannot be established with a virtual infrastructure object, information about the connection errors is displayed in the table.
You can use the Refresh button above the table to update the list of virtual infrastructure objects. When updating the list, the Wizard verifies the SSL certificates or public key fingerprints, as it does when virtual infrastructure objects are added to the list.
You can use buttons in the Name/Address column to:
- Remove selected virtual infrastructure from the list.
The Integration Server continues to connect to the virtual infrastructure removed from this list, and to receive the information required for SVM operation.
- If you cannot connect to the virtual infrastructure, open the Virtual infrastructure connection settings window to change the settings of the account used to make the connection.
After the settings are modified, the Wizard verifies the SSL certificates or public key fingerprints, as it does when virtual infrastructure objects are added to the list.
Proceed to the next step of the wizard.
Entering the configuration password
At this step, specify the configuration password that was created during SVM deployment.
Proceed to the next step of the wizard.
Editing SVM network settings
This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
At this step, you can change the virtual network(s) that the SVMs use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server.
Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.
To change the list of virtual networks used by an SVM:
- Select the Change SVM network settings check box.
The window displays a table containing the following information about SVMs selected for reconfiguration:
- For each SVM, specify one or more virtual networks in the Network name column.
- If the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform, you can also specify the VLAN ID.
Proceed to the next step of the wizard.
Editing SVM network settings (infrastructures based on OpenStack)
This step is displayed if you are performing SVM reconfiguration in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
At this step, you can change the virtual network or networks that the SVMs use to connect to Light Agents, the Integration Server and the Kaspersky Security Center Administration Server, and can change the Security Group for each virtual network.
Changing the list of networks on SVMs results in the creation of new network adapters. This could change the IP address of an SVM.
To change SVM network settings:
- Select the Change SVM network settings check box.
The window displays a table containing the following information about SVMs selected for reconfiguration:
- For each SVM, specify one or more virtual networks in the Network name column.
- If necessary, specify one or more security groups for each selected network in the Security group column.
Proceed to the next step of the wizard.
Changing SVM IP settings
At this step, you can edit the IP addressing settings used for all SVMs. You can use dynamic or static IP addressing.
To edit the IP address settings:
- Select the Edit SVM IP settings check box.
If you added virtual networks for one or more SVMs at the previous step of the Wizard, the Edit SVM IP settings check box is not displayed. You cannot proceed to the next step until the network settings of SVMs selected for reconfiguration have been configured.
- If you want to use DHCP network settings for all SVMs, select Dynamic IP addressing (DHCP).
By default, the IP address of the DNS server and the IP address of the alternative DNS server received over the DHCP protocol are used for each SVM. If you specified several virtual networks for the SVM at the previous step, by default the network settings for the SVM are received from the DHCP server of the first virtual network in the list of the specified virtual networks.
If you want to manually specify the IP address of the DNS server and alternative DNS server, clear the Use list of DNS servers received via DHCP check box. This opens a table containing the following information:
- Hypervisor
The Hypervisor column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project
The OpenStack project column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
Specify the IP addresses of DNS servers in the DNS server and Alternative DNS server table columns.
- If you want to specify all network settings of the SVM manually, select Static IP addressing. This opens a table containing the following information:
- Hypervisor
The Hypervisor column is displayed if the SVM is deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
- OpenStack project
The OpenStack project column is displayed if the SVM is deployed in a virtual infrastructure managed by the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform.
- SVM name
- Network name
Specify the following network settings for each SVM:
- SVM IP address
- Subnet mask
- Gateway
- DNS server
- Alternative DNS
Proceed to the next step of the wizard.
Changing Kaspersky Security Center connection settings
At this step, you can edit the settings of SVM connection to the Kaspersky Security Center Administration Server.
To edit the settings for connecting SVMs to Kaspersky Security Center Administration Server:
- Select the Change Kaspersky Security Center connection settings check box.
- Specify the following settings:
Proceed to the next step of the wizard.
Changing the configuration password and root account settings
At this step, you can modify the following settings:
- Configuration password (the password used to reconfigure SVMs).
- Root account password.
- Remote access mode to the SVM over SSH for the root user account.
If you want to change the configuration password, select the Change the klconfig account password (configuration password) check box and specify the new configuration password in the Password and Confirmation fields.
If you want to change the root account password, select the Change the root account password check box and specify the new password in the Password and Confirmation fields.
Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
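The password rules stated above (the same rules appear in the corresponding Web Console wizard step earlier on this page) can be checked before a password is typed into the wizard. The following is an added example, not part of the Kaspersky documentation or tooling: a POSIX shell function, hypothetically named check_svm_password, that separates the hard limits from the strength recommendation.

```shell
#!/bin/sh
# Added example: check a candidate password against the rules on this page.
# check_svm_password and SVM_PW_SPECIALS are hypothetical names, not Kaspersky tooling.
#
# Exit status: 0 = within the limits and as strong as advised
#              1 = violates a hard limit (character set or 60-character maximum)
#              2 = within the limits but weaker than advised

# The special characters listed on the page (single quotes keep each one literal).
SVM_PW_SPECIALS='!#$%&'\''()*"+,-./\:;<=>_?@[]^`{|}~'

check_svm_password() (
    # Subshell body: the locale change and the variables below stay local.
    LC_ALL=C; export LC_ALL            # byte-wise matching, ASCII-only ranges
    rest=$1
    lower=0 upper=0 digit=0 special=0

    # Walk the password one character at a time and classify each character.
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}          # first character of $rest
        rest=${rest#?}
        case $c in
            [a-z]) lower=1 ;;
            [A-Z]) upper=1 ;;
            [0-9]) digit=1 ;;
            *)  case $SVM_PW_SPECIALS in
                    *"$c"*) special=1 ;;
                    *) echo "character not allowed"; return 1 ;;
                esac ;;
        esac
    done

    # Hard limit: no longer than 60 characters.
    if [ "${#1}" -gt 60 ]; then
        echo "longer than 60 characters"
        return 1
    fi

    # Recommendation: at least 8 characters and three of the four categories.
    classes=$((lower + upper + digit + special))
    if [ "${#1}" -lt 8 ] || [ "$classes" -lt 3 ]; then
        echo "within the limits, but weaker than advised"
        return 2
    fi

    echo "ok"
)
```

Because the check is a shell function rather than an external command, the candidate password is not exposed in the process list.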
If you want to change the mode of remote access over SSH to the SVM, select the Change remote access for the root account check box, and then select or clear the Allow remote access to SVM for the root account via SSH check box.
Proceed to the next step of the wizard.
Starting SVM reconfiguration
This step is displayed if the SVM reconfiguration is being performed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer.
At this step, the Wizard displays all of the previously entered settings required for reconfiguration of the SVM.
General settings for all SVMs:
- Number of SVMs
- Configuration password
- Root account password
- SSH-based remote access to the SVM for the root account
- Kaspersky Security Center connection settings
- SVM IP settings
Individual settings for each SVM:
- Hypervisor
- SVM name
- Network name
- VLAN ID
The VLAN ID column is displayed only if the SVMs that you selected for reconfiguration are deployed in a virtual infrastructure running the Microsoft Hyper-V platform.
- All IP addressing settings that you provided for the SVM.
To start the reconfiguration of the SVM, go to the next step in the wizard.
Starting SVM reconfiguration (infrastructures based on OpenStack)
This step is displayed if you are reconfiguring an SVM in a virtual infrastructure running the TIONIX Cloud Platform or in a virtual infrastructure running the OpenStack platform.
At this step, the Wizard displays all of the previously entered settings required for reconfiguration of the SVM.
General settings for all SVMs:
- Keystone microservice address
- Number of SVMs
- Configuration password
- Root account password
- SSH-based remote access to the SVM for the root account
- Kaspersky Security Center connection settings
- SVM IP settings
Individual settings for each SVM:
- OpenStack project
- SVM name
- Network name
- Security group
- All IP addressing settings that you provided for the SVM.
To start the reconfiguration of the SVM, go to the next step in the wizard.
SVM reconfiguration
At this step, the SVMs are reconfigured.
The window displays, one row at a time, the stages of SVM reconfiguration of each SVM with the status of each stage: Pending, Connecting, Processing N%, Completed, Error.
The process takes some time. Please wait until the process is complete.
Proceed to the next step of the wizard.
Finishing SVM reconfiguration
This step displays information about the results of SVM reconfiguration.
The wizard displays links that you can use to open a brief report and the SVM Management Wizard log.
The brief report contains the following information:
- Addresses of hypervisors whose SVM configuration was changed, or OpenStack project names containing the deployed SVMs that have been reconfigured (depending on type of the virtual infrastructure).
- Names of SVMs that have been reconfigured.
- Brief description of the completed stages of reconfiguration of each SVM, including the start and end times of each stage. If an error occurred during a particular stage, the relevant information is reflected in the report.
The brief report is saved in a temporary file. To be able to use information from the report later, save the log file in a permanent storage location.
The SVM Management Wizard log saves information specified by you at every step of the wizard. If errors occur during reconfiguration of SVMs, you can use the wizard log when contacting Technical Support.
The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.
Finish the wizard.
Configuring Integration Server settings
You can perform the following actions to configure the Integration Server settings:
- Change passwords of internal Integration Server accounts. The following accounts are provided:
- admin – the Integration Server administrator account, which is used:
- to connect to the Integration Server in the Protection Server policy and in the Light Agent policy
- to connect management consoles to the Integration Server
The password for the admin account is set during installation of the Integration Server.
- svm – used to connect SVMs to the Integration Server.
- agent – used to connect Light Agents to the Integration Server.
- multitenancy – used to interact with the Integration Server REST API in multitenancy scenarios.
Account names cannot be edited.
- Change settings that the Integration Server uses to connect to the virtual infrastructure.
The Integration Server connects to each protected virtual infrastructure and receives information necessary for the operation of the solution. Depending on the type of protected virtual infrastructure, the Integration Server connects to one of the following virtual infrastructure objects:
- hypervisor;
- virtual infrastructure administration server;
- Keystone microservice.
If you used the Integration Server Console to deploy SVMs, the Integration Server connects to the virtual infrastructure with the settings that you specified in the SVM Management Wizard.
If you used the Integration Server Web Console to deploy SVMs, the Integration Server connects to the virtual infrastructure with the settings that you specified in the Integration Server Web Console before SVM deployment.
You can edit the settings for connecting the Integration Server to the virtual infrastructure (except for the infrastructure address).
In a VMware vSphere infrastructure, you can also enable or disable the use of VMware NSX Manager in Kaspersky Security, as well as change the settings for connecting the Integration Server to VMware NSX Manager.
- Remove the Integration Server connection settings to the virtual infrastructure.
You can edit the settings of the Integration Server in the Integration Server Console or in the Integration Server Web Console.
Changing passwords of Integration Server accounts
You can change the passwords of Integration Server accounts in Integration Server Web Console or in Integration Server Console.
How to change the passwords of Integration Server user accounts in the Integration Server Console
If you changed the account password for connecting SVMs to the Integration Server, you need to reconfigure the SVM connection to the Integration Server.
If the Light Agent policy is configured to connect Light Agents to the Integration Server and you have changed the account password for connecting Light Agents, you need to re-configure the Light Agents' connection to the Integration Server.
Changing the settings for connecting to the virtual infrastructure in the Integration Server Web Console
- Open Integration Server Web Console and connect to the Integration Server.
- In the workspace, select the List of virtual infrastructures section.
The window that opens displays a table of virtual infrastructures to which the Integration Server connects. Each row of the table displays the following information about the virtual infrastructure:
Using the buttons above the table, you can:
- edit the account with administrator rights that the Integration Server uses to connect to the virtual infrastructure
- edit the account with restricted permissions to perform actions in the virtual infrastructure that the Integration Server uses while Kaspersky Security is running in order to get information about SVMs available for connection and to distribute Light Agents between SVMs
- change the settings for connecting the Integration Server to VMware NSX Manager (in a virtual infrastructure based on VMware vSphere)
- confirm the authenticity of a certificate or public key fingerprint received from a virtual infrastructure if its authenticity could not be established.
How to edit the account with administrator rights
How to edit the account with limited permissions
How to change VMware NSX Manager connection settings
How to confirm a certificate or public key fingerprint
Changing the settings for connecting to the virtual infrastructure in the Integration Server Console
To open the list of virtual infrastructures to which the Integration Server connects:
- Open Integration Server Console and connect to the Integration Server.
- In the list on the left, select the Infrastructure connection settings section.
A table of virtual infrastructures to which the Integration Server connects will open.
Each row of the table contains the following information:
If the Integration Server is not connected to the virtual infrastructure object, the table displays an error message.
The Integration Server verifies the authenticity of all virtual infrastructure objects with which a connection is being established, except a Microsoft Windows Server (Hyper-V) hypervisor.
Authenticity is not verified for a Microsoft Windows Server (Hyper-V) hypervisor.
Authentication for microservices of the OpenStack platform, VK Cloud platform, and TIONIX Cloud Platform is performed only if you are using HTTPS for connecting the Integration Server to the virtual infrastructure.
To verify authenticity, the Integration Server receives an SSL certificate or fingerprint of the public key from each virtual infrastructure object and verifies them.
If it fails to ascertain the authenticity of the certificate or public key received from the virtual infrastructure object, the Integration Server breaks the connection with the virtual infrastructure. An error message is displayed in the table. You can resolve this error.
If the use of VMware NSX Manager in Kaspersky Security is enabled, the Integration Server also checks the VMware NSX Manager certificate. If the certificate is not trusted by the Integration Server or does not match a previously installed certificate, an error message is displayed in the table. You can resolve this error.
How to change the settings for connecting to the virtual infrastructure
How to configure the use of VMware NSX Manager in the Kaspersky Security solution
Deleting the settings for connection of the Integration Server to the virtual infrastructure
If you want the Integration Server to stop receiving information from the virtual infrastructure, you can remove this infrastructure from the list of infrastructures to which the Integration Server connects.
It is recommended to remove a virtual infrastructure from the list only if it has no installed Kaspersky Security solution components.
How to delete a virtual infrastructure in the Integration Server Web Console
How to delete a virtual infrastructure in the Integration Server Console
Replacing the Integration Server and SVM certificates
The Kaspersky Security distribution kit includes a certificate management utility for managing Integration Server certificates and SVM certificates. The Integration Server SSL certificate is used when establishing a secure connection with the Integration Server and for encrypting the communication channel between the Protection Server and Light Agent. The SSL certificate of an SVM is used to encrypt the communication channel between Light Agent and the Protection Server.
The certificate management tool lets you:
- Create an Integration Server certificate.
- Replace the self-signed Integration Server certificate installed during solution deployment.
When the Integration Server certificate is replaced, the SVM certificate is automatically replaced. A new SVM certificate is created based on the Integration Server certificate.
Certificates may need to be replaced in the following cases:
- When upgrading the solution in order to replace a previously installed certificate with a more secure one.
- If the used certificate has expired or has been compromised.
- If the IP address or domain name of the device on which the Integration Server is installed has changed.
You can replace the Integration Server certificate with a new certificate created using the tool or using third-party tools. If you want to use an Integration Server certificate created using third-party tools, make sure that the new certificate meets the tool's certificate requirements.
The certificate management tool can work with the Linux-based Integration Server and with the Windows-based Integration Server. The tool is located on the device where the Integration Server is installed. Depending on the operating system of the device, the utility is located at one of the following paths:
- /opt/kaspersky/viis/bin/certificate_manager.sh – on devices with Linux operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\certificate_manager.exe – on devices with Windows operating systems
To use the utility in the Linux operating system, the user account must be in the sudoers group. To use the utility in the Windows operating system, Administrator rights in the operating system are required.
How to use the utility to create a certificate for the Linux-based Integration Server
How to use the utility to create a certificate for the Windows-based Integration Server
How to replace the Linux-based Integration Server certificate and SVM certificate
How to replace the Windows-based Integration Server certificate and SVM certificate
After replacing the Integration Server certificate and SVM certificate, you need to update all Light Agent policies and Protection Server policies to send the public key of the new certificate to the policies.
Trace files may be created while the certificate management tool is running.
Using a backup copy of the database and the Integration Server settings
For the Integration Server, it is possible to save a backup copy of the Integration Server database, settings and certificate. Before updating the Integration Server, you can create a backup copy of the current version of the Integration Server. If errors occur in the operation of the Integration Server after an update, you can use the backup copy to restore the previous version of the Integration Server.
The backup copy of the Integration Server database and settings contains the following data:
- Internal accounts of the Integration Server, which are used to connect management consoles, SVMs, and Light Agents to the Integration Server.
- Settings for connecting the Integration Server to the virtual infrastructure and the Kaspersky Security Center Administration Server.
- If the solution is used in multitenancy mode: a list of registered tenants and protection statistics of the tenant virtual machines.
- Configuration files that define the Integration Server operation settings.
Linux-based Integration Server. Working with a backup copy
Create a backup copy of the database and the Integration Server settings
You can manually save a backup copy of the Linux-based Integration Server database and settings.
An account with root account privileges is required to complete the procedure.
To save a backup copy of the database and Integration Server settings:
- Stop the Integration Server (viis service):
sudo systemctl stop viis
- Create a directory outside the directories used by the Integration Server, preferably in the user directory: /home/{username}. For example, create the /home/root/viis_backup directory:
sudo mkdir /home/root/viis_backup
- Ensure that the backup directory is secure. For example, restrict other users' access to this directory:
sudo chmod 600 /home/root/viis_backup
- Copy the following Integration Server data to the created directory:
- data from /var/opt/kaspersky/viis/common:
sudo cp -pr /var/opt/kaspersky/viis/common /home/root/viis_backup
- file with machine-id:
sudo find /home/viis/ -name 'machine-id-*' -exec cp -p {} /home/root/viis_backup \;
- Restart the Integration Server (viis service):
sudo systemctl start viis
Restoring data from a backup copy of the Integration Server database and settings
An account with root account privileges is required to complete the procedure.
If errors occur in the operation of the Integration Server after an update, you can use the backup copy of the database and settings to restore the previous version of the Integration Server and the saved data.
To revert to the previous version of the Linux-based Integration Server:
- If you moved the backup copy of the Integration Server database and settings to another device or archived it, assign the viis account as the owner of the files in the backup copy:
sudo chown -R viis:viis /home/root/viis_backup/*
- Remove the previously installed Linux-based Integration Server.
- Perform the installation and initial configuration of the Linux-based Integration Server. Make sure that the Integration Server is started and ready to work.
- Stop the Integration Server (viis service):
sudo systemctl stop viis
- Delete the current Integration Server data:
sudo rm -rf /var/opt/kaspersky/viis/common
- Restore the Integration Server data from the backup copy:
sudo cp -pr /home/root/viis_backup/common /var/opt/kaspersky/viis/
- Delete the existing machine-id file:
sudo find /home/viis/ -name 'machine-id-*' -exec rm {} \;
- Restore the machine-id file from the backup copy:
sudo find /home/root/viis_backup -name 'machine-id-*' -exec cp -p {} /home/viis \;
- Restart the Integration Server (viis service):
sudo systemctl start viis
If all of these operations succeeded, the directory with the backup copy of the Integration Server can be deleted:
sudo rm -rf /home/root/viis_backup
Windows-based Integration Server. Working with a backup copy
You can save a backup copy of the database, settings and certificate of the Windows-based Integration Server automatically while updating the Integration Server using the Kaspersky Security Components Installation Wizard.
The backup copy of the database and settings of the Integration Server can be deleted automatically when removing the Integration Server, or you can delete it manually. The default path is: %ProgramData%\Kaspersky Lab\VIISLA\Backup\VIISData(1). The number in the folder name increases by 1 with each subsequent attempted update.
If errors occur in the operation of the Integration Server after an update, you can use the backup copy of the database and settings to restore the previous version of the Integration Server and the saved data.
To perform the procedure, you need a user account that is a member of the local administrators group.
To revert the Integration Server to the previous version:
- If you saved a backup copy of your data in the default folder (%ProgramData%\Kaspersky Lab\VIISLA\Backup), copy this folder to another location outside the %ProgramData%\Kaspersky Lab\VIISLA folder.
- Remove the Integration Server and Integration Server Console installed on the device without preserving data.
- Install the previous version of the Integration Server and Integration Server Console.
- Restore the Integration Server database and settings from the backup copy manually or using a script.
Before using the script, please read the terms of the End User License Agreement between you and Kaspersky. The license.txt file with the text of the End User License Agreement is inside the archive with the script. By using the script, you accept the terms of the End User License Agreement. If you do not accept the terms of the End User License Agreement, you may not use the script.
How to restore the Integration Server database and settings from the backup copy using a script
How to restore the Integration Server database and settings from a backup copy manually
SNMP monitoring of SVM status
You can receive information about the status of SVMs deployed in the virtual infrastructure by using any network management system that utilizes the SNMP protocol. An SVM is installed with an SNMP agent that can send information about the status of the SVM to the network management system of your organization.
SNMP Agent can relay the following SVM status information:
- RAM consumption by the Protection Server (scanserver service) as a percentage of the maximum value that, when reached, causes the Protection Server to restart.
- Page file usage by the Protection Server (scanserver service) as a percentage of the maximum value that, when reached, causes the Protection Server to restart.
- Number of protected virtual machines with the "workstation" role or with desktop operating systems (includes only virtual machines that are not turned off and not suspended).
- Number of protected virtual machines with the "server" role or with server operating systems (includes only virtual machines that are not turned off and not suspended).
- Information about whether virtual machine scan tasks are currently running on the Protection Server installed on this SVM.
- If scan tasks are running: information about the number of virtual machines that are currently waiting to be scanned, and the number of virtual machines that are being simultaneously scanned.
- Information about the status of the following services on SVMs:
- scanserver (Protection Server)
- klnagent (Kaspersky Security Center Network Agent)
- Apache
- watchdog (wdserver)
SNMP Agent relays the Running (service is running) or Stopped (service is not running) value for each service.
This data is specific to the Kaspersky Security solution and is described in the KSVLA-MIB.txt MIB file, which is included in the solution's distribution kit. You can use this file to receive additional information from SVMs. You can also receive other values of SNMP counters from the standard set of the Net-SNMP package.
You can enable or disable SNMP monitoring in a Protection Server policy using Kaspersky Security Center Administration Console or Kaspersky Security Center Web Console.
How to enable or disable SNMP monitoring in Kaspersky Security Center Administration Console
How to enable or disable SNMP monitoring in Kaspersky Security Center Web Console
If SNMP Monitoring is enabled in the active Protection Server policy, the SNMP agent installed on an SVM relays information about the status of the SVM to the network management system of your organization.
If the policy that enables SNMP monitoring is inactive, information about the status of SVMs is not relayed.
Checking the integrity of solution components
Kaspersky Security solution components contain many different binary modules in the form of dynamic-link libraries, executable files, configuration files, and interface files. A hacker may replace one or more solution modules or files with other modules or files containing malicious code. To prevent the replacement of solution modules and files, Kaspersky Security can check the integrity of solution files and modules. The check detects the presence of unauthorized changes or damage to files and modules of the solution components. If a solution file or module has an incorrect checksum, it is considered corrupted.
The integrity of Kaspersky Security solution components is checked using the integrity check utility. Special lists called manifest files are used to perform the integrity check. The manifest file for a solution component lists the files and modules whose integrity is critical for correct operation of the solution component. The manifest files are digitally signed and their integrity is checked as well.
You can use the integrity check utility to check the integrity of files and modules of the following solution components:
- Components installed on SVMs: Protection Server and Kaspersky Security Center Network Agent
- Windows-based Integration Server and Linux-based Integration Server
- Integration Server Console
- Management web plug-ins for the Protection Server and Integration Server
- Protection Server management MMC plug-in
- Light Agent for Linux and Light Agent for Linux management plug-ins (Kaspersky Endpoint Security for Linux)
To run the integrity check tool on the SVM and on the virtual machine with Light Agent for Linux installed, you need the root account. An administrator account is required for running the integrity check tool for all other solution components.
For detailed information about checking the integrity of Light Agent for Linux and the Light Agent for Linux management plug-ins, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
For detailed information on performing a Kaspersky Security Center Network Agent integrity check, see the Kaspersky Security Center Help.
For Light Agent for Windows (Kaspersky Endpoint Security for Windows), the application integrity is checked using a special task (for more information, see the Kaspersky Endpoint Security for Windows Help of the relevant version).
The manifest files and tool for checking the integrity of the Protection Server, management plug-ins for the Protection Server, Integration Server, and Integration Server Console are located at the following paths:
- To perform an integrity check of the Protection Server installed on the SVM:
- Manifest file: /opt/kaspersky/la/bin/integrity_check.xml
- Integrity check tool: /opt/kaspersky/la/bin/integrity_checker
- To check the Linux-based Integration Server:
- Manifest file: /opt/kaspersky/viis/bin/integrity_check.xml
- Integrity check utility: /opt/kaspersky/viis/bin/integrity_checker
- To check the Windows-based Integration Server:
- Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\integrity_check.xml
- Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\integrity_checker.exe
- To check the Integration Server Console:
- Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\integrity_check.xml
- Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\integrity_checker.exe
- To check the Protection Server management MMC plug-in:
- Manifest file: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVLA<version number>.SVM.plg\integrity_check.xml
- Integrity check utility: %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky Security Center\Plugins\KSVLA<version number>.SVM.plg\integrity_checker.exe
- To check the management web plug-ins for the Protection Server and Integration Server:
- Manifest file for the Protection Server web plug-in:
- /var/opt/kaspersky/ksc-web-console/server/plugins/svm_<version number>/integrity_check.xml – for the Protection Server web plug-in on devices with Linux operating systems
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\svm_<version number>\integrity_check.xml – for the Protection Server web plug-in on devices with Windows operating systems
- Manifest file for the Integration Server web plug-in:
- /var/opt/kaspersky/ksc-web-console/server/plugins/VIISLA_<version number>/integrity_check.xml – for the Integration Server web plug-in on devices with Linux operating systems
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\server\plugins\VIISLA_<version number>\integrity_check.xml – for the Integration Server web plug-in on devices with Windows operating systems
- Integrity check tool:
- /var/opt/kaspersky/ksc-web-console/integrity_checker – on devices with Linux operating systems
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\integrity_checker.exe – on devices with Windows operating systems
To check the integrity of a solution component, run the tool from the folder in which that component's integrity check tool is located.
To run the integrity check utility, run one of the following commands:
- To check the integrity of the Protection Server:
integrity_checker --signature-type kds-with-filename [<path to manifest file>]
- To check the integrity of the MMC management plug-in of the Protection Server, Windows-based Integration Server or Integration Server Console:
integrity_checker.exe --signature-type kds-with-filename [<path to manifest file>]
- To check the integrity of the Linux-based Integration Server:
integrity_checker --signature-type kds-with-filename [<path to manifest file>]
- To check the integrity of management web plug-ins on devices with Linux operating systems:
integrity_checker --signature-type kds-with-filename [<path to manifest file>]
- To check the integrity of management web plug-ins on devices with Windows operating systems:
integrity_checker.exe --signature-type kds-with-filename [<path to manifest file>]
where <path to manifest file> is the full path to the manifest file of the component being checked. By default, the path to the manifest file located in the same directory as the integrity check utility is used.
You can view the description of all available integrity check utility options in the utility options help. To do this, run the tool with the --help option.
The results of checking the integrity of solution components are displayed as follows:
- SUCCEEDED – integrity of the files and modules is confirmed (return code 0).
- FAILED – integrity of the files is not confirmed (return code is other than 0).
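As an added example (not part of the Kaspersky documentation or distribution kit), the following shell wrapper runs the integrity check tool from its own folder with the documented option and turns the return code into one status line per component, so that a scheduled job can alert on anything other than SUCCEEDED. The function names, the `run` argument and the role labels `svm` and `viis` are assumptions introduced here; the paths and the `--signature-type kds-with-filename` option are the ones listed above.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Runs the integrity check tool for the
# Linux components named in the documentation and reports one line each.

# components_for <role> prints "name|checker|manifest" lines (absolute paths).
# The role names are labels chosen for this example.
components_for() {
    case $1 in
        svm)  echo "protection_server|/opt/kaspersky/la/bin/integrity_checker|/opt/kaspersky/la/bin/integrity_check.xml" ;;
        viis) echo "integration_server|/opt/kaspersky/viis/bin/integrity_checker|/opt/kaspersky/viis/bin/integrity_check.xml" ;;
        *)    echo "unknown role: $1" >&2; return 64 ;;
    esac
}

# check_component <name> <checker> <manifest>
# Returns 0 (SUCCEEDED), 1 (FAILED) or 2 (MISSING: the tool itself is absent
# or not executable, which on a host that should have it also needs review).
check_component() {
    name=$1 checker=$2 manifest=$3
    if [ ! -x "$checker" ]; then
        printf '%s MISSING\n' "$name"
        return 2
    fi
    # The tool is run from its own folder, as the documentation requires.
    # Its own output goes to stderr so stdout carries only status lines.
    if (cd "$(dirname "$checker")" &&
        "./$(basename "$checker")" --signature-type kds-with-filename "$manifest" </dev/null >&2); then
        printf '%s SUCCEEDED\n' "$name"
        return 0
    fi
    # Any non-zero return code means integrity was not confirmed.
    printf '%s FAILED\n' "$name"
    return 1
}

# check_all reads "name|checker|manifest" lines from stdin and returns
# non-zero if any component is not SUCCEEDED.
check_all() {
    not_ok=0
    while IFS='|' read -r name checker manifest; do
        [ -n "$name" ] || continue
        check_component "$name" "$checker" "$manifest" || not_ok=$((not_ok + 1))
    done
    [ "$not_ok" -eq 0 ]
}

# Usage (as root or via sudo):
#   sh check_integrity.sh run svm    on an SVM
#   sh check_integrity.sh run viis   on the Linux-based Integration Server
if [ "${1:-}" = "run" ]; then
    list=$(components_for "${2:-viis}") || exit 64
    printf '%s\n' "$list" | check_all
    exit $?
fi
```

A MISSING result is counted as a failure on purpose: pass only the components that are expected on the host.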
Using Kaspersky Security for Virtualization 6.2 Light Agent in multitenancy mode
When using Kaspersky Security in multitenancy mode, a single instance of Kaspersky Security installed in the infrastructure of the cybersecurity service provider (hereinafter also referred to as the "service provider") allows protection of isolated virtual infrastructures of tenant organizations or isolated units of one tenant organization (hereinafter also referred to as "tenants").
The procedures for deploying and using Kaspersky Security in multitenancy mode are automated using the Integration Server REST API.
The following Kaspersky Security multitenancy usage scenarios are supported:
- Deploying a tenant protection infrastructure using the Integration Server REST API via virtual Kaspersky Security Center Administration Servers and receiving tenant protection reports.
- Receiving tenant protection reports without deploying tenant protection infrastructure using the Integration Server REST API.
If the tenant protection infrastructure is already deployed in your infrastructure without using the Integration Server REST API, you can register existing tenants and their virtual machines and receive tenant protection reports.
Deploying a tenant protection infrastructure
The tenant protection infrastructure created using the Integration Server REST API is based on the use of virtual Kaspersky Security Center Administration Servers. Each tenant is provided with a virtual Administration Server and an account that the tenant administrator uses to connect to the virtual Administration Server.
One Kaspersky Security Center Administration Server can support up to 500 virtual Administration Servers.
Tenant virtual machines with Light Agents installed are located on the tenant's virtual Administration Server.
A tenant administrator can perform the following actions on their virtual Administration Server:
- Centrally manage protection of their virtual machines using the Light Agent policies and group tasks.
- Receive information about their infrastructure protection status using event notifications and reports available on the virtual Administration Server.
- Work with copies of files placed in backup storage on all of the virtual machines of this tenant.
For more information about virtual Administration Servers, see the Kaspersky Security Center help.
The service provider's administrator installs the solution in their infrastructure and ensures the operation of Light Agents and other solution components:
- Configures the settings for connecting Light Agents installed on tenant virtual machines to the SVMs and to the Integration Server.
- Activates the solution and monitors license restrictions.
- Updates the solution's databases and application modules.
- Configures the Protection Server settings.
The service provider's administrator can also configure general protection settings for tenant virtual machines.
During operation, information that may contain personal and confidential data is transmitted between Kaspersky Security Center and Kaspersky Security solution components installed in the service provider's infrastructure and on tenant virtual machines.
Before creating a tenant protection infrastructure, you need to perform the following steps:
- Install or update the Kaspersky Security solution.
The following components must be installed in the service provider's infrastructure:
- Integration Server and Integration Server Console.
- Protection Server.
- Kaspersky Security management plug-ins.
- Prepare the solution for work:
- Prepare the Protection Server for operation.
- Change the default password of the multitenancy account. A multitenancy account is created automatically as a result of Integration Server installation. It is required to interact with the Integration Server REST API.
- Configure the settings for connecting the Integration Server to Kaspersky Security Center Administration Server. These settings are required for authorization on the Kaspersky Security Center Administration Server when executing requests to the Integration Server REST API.
Deploying a tenant protection infrastructure consists of the following steps:
- Creating a tenant and virtual Kaspersky Security Center Administration Server for the tenant.
- Configuring the location of SVMs that will protect tenants' virtual machines and configuring Protection Server settings.
- Configuring SVM discovery settings and general operating settings for Light Agents installed on tenant virtual machines.
- Installing Kaspersky Security Center Network Agent and Light Agent on tenant virtual machines and moving the virtual machines to a virtual Administration Server configured for the tenant.
- Registering tenant virtual machines in the Integration Server database.
- Activating a tenant.
- Transferring the following Kaspersky Security Center Administration Server connection settings to the tenant administrator:
- Address of the virtual Administration Server configured for the tenant;
- Administrator account settings of the virtual Administration Server.
Tenant administrators are advised to change the account password they receive from the service provider's administrator.
The steps of deploying tenant protection infrastructure can be automated using the Integration Server REST API and the Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).
To prevent unauthorized access, it is recommended to deploy the SVM and the device on which the Kaspersky Security Center Administration Server and the Integration Server are installed in a dedicated virtual network and to configure routing with address translation (SNAT) from the tenant subnets to this subnet.
Configuring the Integration Server connection settings to the Kaspersky Security Center Administration Server
To interact with the Kaspersky Security Center Administration Server while executing requests, the Integration Server REST API requires an account that has the following permissions in Kaspersky Security Center:
- Permissions in the functional areas of the Administration Server:
- General functionality → Basic functionality: Read, Modify
- General functionality → Administration group management: Modify
- General functionality → User permissions: Modify access control lists
- General functionality → Virtual Administration Servers: Read, Modify, Execute, Manage
- Permissions to read and modify objects in the functional areas related to Light Agent settings.
You can create and configure an account to connect the Integration Server to Kaspersky Security Center:
- In Kaspersky Security Center Administration Console, in the Security section of the Kaspersky Security Center Administration Server properties window.
By default, the Security section is not displayed in the Administration Server properties window. To enable the display of the Security section, you must select the Display security settings sections check box in the Configure interface window (View → Configure interface menu) and restart the Kaspersky Security Center Administration Console.
- In Kaspersky Security Center Web Console, in the Users and roles → Users and groups section of the main window.
For more information on creating and configuring account rights in Kaspersky Security Center, see the Kaspersky Security Center Help.
Creating a tenant and virtual Administration Server
At this step of the deployment of tenant protection infrastructure, tenant information is added to the Integration Server database and a virtual Administration Server is created for the tenant. The procedures are automated by means of the Integration Server REST API.
The actions performed in response to the REST API request depend on the tenant type specified when calling the REST API method: deployment of tenant protection infrastructure is available only for the complete tenant type.
Specify the following information in the REST API request:
- Tenant name.
- Tenant type: complete.
- Settings of the account used by the tenant administrator to connect to the virtual Administration Server configured for the tenant. During the procedure, an account with the main administrator permissions will be automatically created on the virtual Administration Server.
Kaspersky Security Center verifies the uniqueness of account names within the main Kaspersky Security Center Administration Server and all its virtual Administration Servers. By default, if the account name is not unique, the account creation fails. If you want to use the same account names for the virtual Administration Servers, you can disable the uniqueness check for internal user names. See Kaspersky Security Center help for more information.
As a result of the procedure, the following actions are performed:
- Tenant data is saved in the Integration Server database, and the tenant is assigned a unique identifier.
- A virtual Kaspersky Security Center Administration Server and an account used by the tenant administrator to connect to the virtual Administration Server are created for each tenant.
- When registering the first tenant on the main Administration Server, a folder with the default name Multitenancy KSV LA is created in the Managed devices folder. You can change this name if required.
- The following structure of folders and nodes is created for each tenant in the Multitenancy KSV LA folder:
<Tenant name> folder
- Administration Servers node
- Administration Servers <Tenant name> node
- Folders and administration groups required for managing protection of this tenant, similar to the structure of folders and groups of the main Kaspersky Security Center Administration Server.
Configuring SVM location and Protection Server settings
At this step of the deployment of tenant security infrastructure, you can perform the following actions:
- Configure the location of SVMs that will protect tenant virtual machines in the Kaspersky Security Center administration group hierarchy.
- Configure the operation settings of the Protection Server installed on these SVMs using the Protection Server policy.
- Configure the general settings of the Light Agents that will be installed on tenant virtual machines using Light Agent policies.
You can deploy SVMs that will protect tenant virtual machines in any folder or administration group on the main Kaspersky Security Center Administration Server.
It is not recommended to deploy the SVMs and Protection Server policy in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
If you want the SVM to protect virtual machines of only particular tenants, you need to restrict Light Agents' access to the SVM in one of the following ways:
- Using the connection tags mechanism. Tags must be specified in the Protection Server policy and in the Light Agent policy. It is recommended to "lock" the configured settings in order to prevent these settings from being changed in child policies.
- By blocking network connections from the tenant subnet to the subnet with the SVM on TCP ports 80, 9876, 9877, 11111, and 11112.
It is not recommended to configure connection tags in Light Agent policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
In accordance with the procedure for inheritance of Kaspersky Security Center policies, the default Protection Server policy is applied on all SVMs in the administration group hierarchy. It is created in the Managed devices folder on the main Administration Server. If you want to configure specific operating settings for the SVMs that will protect tenant virtual machines, you need to create a Protection Server policy in the folder where the SVM that protects tenant virtual machines is located.
If you want to centrally enable use of Kaspersky Security Network to protect tenants' virtual machines, make sure that tenants' personal data is being processed legally.
Configuring settings for SVM discovery by Light Agents and general tenant protection settings
At this stage of deployment of the tenant protection infrastructure, you need to create a Light Agent policy in one of the following folders:
- In the Multitenancy KSV LA → <Tenant name> folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of one particular tenant. A policy in the Multitenancy KSV LA → <Tenant name> folder must be created for each tenant.
- In the Multitenancy KSV LA folder, if you want to configure general operating settings for all Light Agents that will be installed on the virtual machines of all tenants.
In the Light Agent policy, configure the Light Agent operation settings as follows:
- Settings for connecting Light Agents to SVMs:
- Enable the use of the Integration Server for SVM discovery in the Light Agent policy. Light Agents installed on the virtual machines of complete tenants must use the Integration Server to discover SVMs that are available for connection.
- If you want to restrict Light Agents' access to SVMs using the mechanism of connection tags, you can assign connection tags to Light Agents.
To restrict Light Agents' access to SVMs, you can also block network connections from the tenant subnet to the subnet with the SVM on TCP ports 80, 9876, 9877, 11111, and 11112.
The default values can be used for other settings for connecting Light Agents to SVMs.
It is recommended to "lock" all the settings for connecting Light Agents to SVMs in order to prevent these settings from being changed in child policies.
- If required, you can configure general operating settings for the Light Agents that will be installed on the tenant virtual machines.
You can use the "lock" attribute to allow or block changing of settings or groups of settings in task settings or in nested policies (for nested administration groups and secondary Administration Servers). Tenant administrators cannot configure "locked" settings. If the "locks" are open, the tenant administrator can independently configure the operation of Light Agent components.
It is not recommended to configure the general operating settings of Light Agents in the policies located in folders and administration groups to which the tenant administrator has access, that is, in folders and administration groups under the Administration Server <Tenant name> node.
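The port blocking mentioned in this section and in the section on SVM location can be generated from a per-SVM list of the tenants allowed to use each SVM. This is an added example, not part of the Kaspersky documentation; it assumes a Linux router running nftables between the tenant subnets and the SVM subnet, and the table name, function names and addresses (documentation ranges) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Kaspersky code. Generates nftables drop rules for the
# router between the tenant subnets and the SVM subnet (an assumption).

# TCP ports named in the documentation for restricting Light Agent access.
SVM_PORTS="80, 9876, 9877, 11111, 11112"

# emit_svm_access_rules "<all tenant subnets, space separated>"
# stdin:  one line per SVM: "<SVM address> <tenant subnets allowed to use it>"
# stdout: an nftables ruleset that drops the SVM ports for every listed
#         tenant subnet that is NOT allowed to use that SVM.
# Subnets missing from the first argument get no rule, so keep it complete.
emit_svm_access_rules() {
    all_tenants=$1
    printf 'table inet ksvla_svm_access {\n'
    printf '    chain forward {\n'
    printf '        type filter hook forward priority 0; policy accept;\n'
    while read -r svm allowed; do
        # Skip blank lines and comment lines in the input.
        case $svm in ''|'#'*) continue ;; esac
        for net in $all_tenants; do
            case " $allowed " in
                *" $net "*) ;;  # this tenant may use the SVM: no rule
                *) printf '        ip saddr %s ip daddr %s tcp dport { %s } drop\n' \
                       "$net" "$svm" "$SVM_PORTS" ;;
            esac
        done
    done
    printf '    }\n'
    printf '}\n'
}

# Constructed sample: two tenants and two SVMs. Tenant 192.0.2.128/25 may use
# only the second SVM, so exactly one drop rule is generated.
sample_rules() {
    emit_svm_access_rules "192.0.2.0/25 192.0.2.128/25" <<'EOF'
# SVM address    allowed tenant subnets
198.51.100.10    192.0.2.0/25
198.51.100.11    192.0.2.0/25 192.0.2.128/25
EOF
}

sample_rules
```

Write the output to a file and validate it with `nft -c -f <file>` before loading it on the router.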
Installing a Light Agent on tenant virtual machines
At this step of the deployment of the tenant security infrastructure, the following actions are performed:
- Kaspersky Security Center Network Agent, which is configured to connect to the tenant's virtual Administration Server, is installed on tenant virtual machines.
- Tenant virtual machines are moved to the Managed devices folder of the virtual Administration Server configured for the tenant.
- Light Agent for Linux or Light Agent for Windows is installed on tenant virtual machines.
The listed actions can be performed both on the service provider's side and on the tenant's side after the tenant administrator receives the virtual Administration Server connection settings.
If installation is performed on the service provider's side
You can use the following installation methods:
- Using Kaspersky Security Center OpenAPI, automate the installation of applications on tenant virtual machines and the movement of virtual machines to administration groups (open a description of Kaspersky Security Center OpenAPI methods).
- Remotely install applications on virtual machines using the Kaspersky Security Center wizard or remote installation task.
- Deploy virtual machines from a virtual machine template.
If you want to use Kaspersky Security Center OpenAPI or Kaspersky Security Center remote installation tools, then for each tenant you need to prepare the installation packages required to install Light Agent and Kaspersky Security Center Network Agent. You can distribute installation packages to the selected virtual Administration Servers using the Administration Server task or automate the distribution of packages using Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).
In the package properties or in the properties of the remote installation task, you can specify the administration group that the virtual machine should be assigned to after Network Agent is installed on it. For more information about configuring installation packages and the deployment procedure, see the Kaspersky Security Center Help.
If you want to deploy virtual machines from a virtual machine template, then for each tenant you need to prepare a virtual machine template that has an installed Network Agent configured to connect to the tenant's virtual Administration Server and an installed Light Agent. Then you can deploy virtual machines for the tenant from this template.
When installing Network Agent on a virtual machine template, it is recommended to enable optimization of Network Agent settings for VDI.
If installation is performed on the tenant's side
If there are installation packages or virtual machine templates prepared by the service provider's administrator, the tenant's administrator can install Network Agent and Light Agent on the tenant virtual machines.
Registering tenant virtual machines
At this step of the deployment of the tenant security infrastructure, tenant virtual machines are registered. The procedure is automated by means of the Integration Server REST API.
In the request to the REST API, you need to specify the virtual machine ID (BIOS ID) and the tenant ID of the tenant to which these virtual machines belong.
As a result of performing the procedure, information about the virtual machine is saved in the Integration Server database and a connection is established between the virtual machine and the tenant.
Activating a tenant
The tenant activation procedure is performed at this stage of deploying the tenant security structure. Tenants are registered with the "Inactive" status in the Integration Server database. As long as the tenant has this status, Light Agents installed on the tenant virtual machines do not receive information about the SVMs they can connect to, and protection of the tenant virtual machines is disabled. To start protecting tenant virtual machines, you must activate the tenant.
The tenant activation procedure is automated using the Integration Server REST API.
As a result of the procedure, the following actions are performed:
- The tenant status changes to "Active". The tenant status is saved in the Integration Server database. You can get information about the tenant status using the Integration Server REST API or by viewing the list of tenants in the Integration Server Console.
- The Light Agents installed on the tenant virtual machines receive information about the SVMs available for connection from the Integration Server. The Light Agents select the best SVMs for connection in accordance with the configured SVM connection settings, and protection of the tenant virtual machines is enabled.
Registering existing tenants and their virtual machines
If the tenant protection infrastructure is configured without the use of the Integration Server REST API, you need to add information about the tenants and their virtual machines to the Integration Server database in order to generate tenant protection reports.
Registration of an existing tenant and its virtual machines in the Integration Server database consists of the following steps:
- Creating a tenant in the Integration Server database.
The tenant creation procedure is automated using the Integration Server REST API.
The actions performed in response to the REST API request depend on the tenant type specified when calling the REST API method. To enter the tenant data into the Integration Server database without creating a tenant protection infrastructure, specify the simple tenant type.
Specify the following information in the REST API request:
- Tenant name.
- Tenant type: simple.
As a result, the tenant data is saved in the Integration Server database and the tenant is assigned an identifier.
- Registering tenant virtual machines in the Integration Server database.
The virtual machine registration procedure is automated by means of the Integration Server REST API.
In the request to the REST API, specify the identifier (BIOS ID) of each virtual machine and the tenant ID of the tenant to which these virtual machines belong.
As a result, the data on the tenant virtual machines is saved in the Integration Server database.
- Activating a tenant.
The tenant activation procedure is automated using the Integration Server REST API.
After activation, the tenant status is saved in the Integration Server database. You can get information about the tenant status using the Integration Server REST API or by viewing the list of tenants in the Integration Server Console.
For a simple tenant, its status ("Active" or "Inactive") does not affect the protection state of tenant virtual machines.
Enabling and disabling tenant protection
Tenants registered in the Integration Server database may have the "Active" or "Inactive" status. By default, the tenant status is "Inactive".
For a complete tenant, the tenant status determines the protection status of tenant virtual machines:
- If the tenant status is "Active", the Integration Server sends Light Agents installed on the tenant virtual machines the list of SVMs available for connection. The Light Agents select the best SVM for connection in accordance with the configured SVM connection settings and connect to it. Protection of the tenant virtual machines is enabled.
- If the tenant status is "Inactive", the Integration Server sends Light Agents installed on the tenant virtual machines the address of a non-existent SVM. This means that Light Agents are not able to connect to any SVM. Protection of the tenant virtual machines is disabled.
To enable protection of the virtual machines for a complete tenant, you must activate the tenant. If you want to disable protection of the virtual machines for a complete tenant (stop providing protection services to the tenant), you can deactivate the tenant.
After the tenant is deactivated, events from the Light Agents installed on the tenant virtual machines are logged to the Kaspersky Security Center Administration Server. An event that there are no SVMs available for connection is logged once, and events indicating that the update task could not be run on the protected virtual machine are logged every 2 hours.
To avoid unauthorized use of the application, after a tenant is deactivated, it is recommended to block network connections from the deactivated tenant's subnet to the following TCP ports of the SVM subnet: 80, 9876, 9877, 11111, 11112.
For a simple tenant, the status does not affect the virtual machine protection status.
The tenant activation and deactivation procedures are automated using the Integration Server REST API.
Getting information about tenants
Kaspersky Security implements the following methods for getting information about tenants:
- View the list of tenants in Integration Server Web Console or in Integration Server Console
- Get the list of tenants, list of tenant virtual machines and tenant information using the Integration Server REST API
How to view tenant information in Integration Server Web Console
How to view tenant information in Integration Server Console
Getting tenant protection reports
A virtual machine is considered protected if the Light Agent installed on it is connected to the SVM. Each SVM can receive data about the time intervals when Light Agents were connected to the SVM and pass this data to the Integration Server database. Based on this information, you can use the Integration Server REST API to receive reports on the protection status of the tenant virtual machines.
You can use the tenant protection report to get information about all protected tenant virtual machines and all time intervals when each virtual machine was protected by Kaspersky Security. The report can also be used to get information about the protection of all virtual machines that connected to the SVM during the specified reporting period, including the virtual machines that do not belong to any tenant.
Getting tenant protection reports consists of the following steps:
- Enabling the function of transferring report data to the Integration Server database.
- Report generation. The report is generated as a CSV file in a temporary folder.
- Report upload. The generated report can be uploaded in its entirety or in parts for integration into the service provider's reporting system.
Enabling the function of transferring report data
By default, the function of transferring report data is disabled on the Integration Server. If you want to receive tenant protection reports, you need to enable the reporting data feature in the Integration Server configuration file appsettings.json. Depending on the version of the Integration Server, the file is located at one of the following paths:
- /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
To enable the function of receiving report data:
- Open the appsettings.json configuration file for editing.
- In the Multitenancy section, set the EnableProtectionReports parameter to true and save the file.
- Restart the Integration Server.
The Integration Server will receive data on the time intervals when Light Agents were connected to SVMs from each SVM.
If the function of receiving report data is enabled, but an SVM is not connected to the Integration Server, the data packets are queued for sending. When the maximum number of packets in the queue is reached, older data packets are deleted. The parameters for sending data are set up in the /etc/opt/kaspersky/agents_monitor/agents_monitor.conf configuration file on the SVM. You can configure the maximum queue size for the packets to be sent using the max_queue_size parameter.
The received data is stored in the Integration Server database. The default report retention period is 460 days. You can specify this value using the ProtectionPeriodsRecordsLifetimeDays parameter in the Multitenancy section of the appsettings.json configuration file of the Integration Server.
The size of the Integration Server database increases in proportion to the number of the protected tenant virtual machines.
Generating tenant protection reports
The report generation procedure is automated by means of the Integration Server REST API.
You can pass the following report generation parameters in the request to the REST API:
- Identifier of the tenant for which you want to generate the report.
- Start date and time of the period for which you want to generate a report.
- End date and time of the period for which you want to generate a report.
If a tenant ID is not specified in the request, the report will include data on all virtual machines that were protected during the specified period, including data on virtual machines that do not belong to tenants.
If the report generation period is not specified in the request, the report will include data stored in the Integration Server database from the earliest date up to the current moment.
To obtain reliable information in the reports, it is recommended to follow these rules when specifying the reporting period:
- Specify the reporting period accurate to a day.
- Set the end of the reporting period not less than 60 minutes from the current moment.
As a result of the report generation procedure, the report identifier is returned. Depending on the version of the Integration Server, the report is saved at the following path:
- /var/opt/kaspersky/viis/common/reports – protected directory of the Linux-based Integration Server.
- %ProgramData%\Kaspersky Lab\VIISLA\protectionPeriodsReports – protected folder of the Windows-based Integration Server.
By default, the report is stored for 24 hours from the moment of generation. To get the report, use the report identifier in the request to the REST API to upload the report.
You can configure the report retention period using the ProtectionPeriodsRecordsLifetimeDays parameter in the Multitenancy section of the appsettings.json configuration file of the Integration Server. Depending on the version of the Integration Server, the file is located at one of the following paths:
- /var/opt/kaspersky/viis/common/ for the Linux-based Integration Server
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ for the Windows-based Integration Server.
The data in the report is presented line by line. Each line contains information about one virtual machine protection period in the following format:
{tenant ID};{tenant name};{virtual machine ID};{virtual machine name};{date and time when protection was enabled};{date and time when protection was disabled}
where:
- {tenant ID} – identifier of the tenant to which the virtual machine belongs. If the virtual machine does not belong to any tenant, nothing is displayed in this field.
- {tenant name} – tenant name specified when creating the tenant. If the virtual machine does not belong to any tenant, nothing is displayed in this field.
- {virtual machine ID} – identifier of the virtual machine that was protected by the application.
- {virtual machine name} – name of the virtual machine that was protected by the application.
- {date and time when protection was enabled} – start date and time of the virtual machine protection period.
- {date and time when protection was disabled} – end date and time of the virtual machine protection period.
If during the reporting period the virtual machine was protected by the application several times (protection was enabled and disabled), the report displays each virtual machine protection period.
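The following added example (not part of the Kaspersky documentation or product code) parses a report in the line format described above and lists the intervals within a reporting window when a virtual machine was not protected. It assumes the report has no header row, that timestamps use the YYYY-MM-DDThh:mm:ss format of the REST API parameters, and that overlapping periods for one virtual machine may occur; the function names and the sample data are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

FIELD_COUNT = 6                      # tenant ID; tenant name; VM ID; VM name; enabled; disabled
TIMESTAMP = "%Y-%m-%dT%H:%M:%S"      # assumption: same format as the REST API parameters

# Constructed sample report: one tenant VM with overlapping periods and a gap,
# and one VM that belongs to no tenant (empty tenant ID and tenant name).
SAMPLE_REPORT = (
    "tenant-a-id;Tenant A;vm-1;web-01;2024-03-01T00:00:00;2024-03-01T10:00:00\n"
    "tenant-a-id;Tenant A;vm-1;web-01;2024-03-01T09:30:00;2024-03-01T12:00:00\n"
    "tenant-a-id;Tenant A;vm-1;web-01;2024-03-01T14:00:00;2024-03-02T00:00:00\n"
    ";;vm-9;orphan-01;2024-03-01T06:00:00;2024-03-01T18:00:00\n"
)


def parse_report(text):
    """Return {(tenant_id or None, vm_id): [(start, end), ...]} from report text."""
    periods = defaultdict(list)
    reader = csv.reader(io.StringIO(text), delimiter=";")
    for lineno, row in enumerate(reader, 1):
        if not row:
            continue  # tolerate blank lines
        if len(row) != FIELD_COUNT:
            raise ValueError(f"line {lineno}: expected {FIELD_COUNT} fields, got {len(row)}")
        tenant_id, _tenant_name, vm_id, _vm_name, enabled, disabled = (f.strip() for f in row)
        start = datetime.strptime(enabled, TIMESTAMP)
        end = datetime.strptime(disabled, TIMESTAMP)
        if end < start:
            raise ValueError(f"line {lineno}: protection ends before it starts")
        periods[(tenant_id or None, vm_id)].append((start, end))
    return periods


def merge(intervals):
    """Merge overlapping or touching protection periods into disjoint ones."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def protection_gaps(intervals, window_start, window_end):
    """Return the parts of [window_start, window_end) not covered by any period."""
    gaps = []
    cursor = window_start
    for start, end in merge(intervals):
        if end <= window_start or start >= window_end:
            continue  # period lies entirely outside the window
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
    if cursor < window_end:
        gaps.append((cursor, window_end))
    return gaps


def summarize(text, window_start, window_end):
    """Per virtual machine: unprotected intervals and their total length in seconds."""
    summary = {}
    for key, intervals in parse_report(text).items():
        gaps = protection_gaps(intervals, window_start, window_end)
        seconds = sum((b - a).total_seconds() for a, b in gaps)
        summary[key] = {"gaps": gaps, "unprotected_seconds": int(seconds)}
    return summary


if __name__ == "__main__":
    window = (datetime(2024, 3, 1), datetime(2024, 3, 2))
    for (tenant, vm), info in summarize(SAMPLE_REPORT, *window).items():
        print(tenant or "(no tenant)", vm, info["unprotected_seconds"], "s unprotected")
```

A virtual machine that never connected to an SVM during the window does not appear in the report at all, so compare the result against the list of registered tenant virtual machines as well.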
Uploading tenant protection reports
The report upload procedure is automated by means of the Integration Server REST API.
In the request to the REST API, the report identifier obtained at the previous step and the data display format (CSV) must be specified.
Other data display formats are not supported.
You can upload all report data or get partial data.
You can integrate data obtained as a result of the query into your reporting system.
Removing virtual machines from the protected infrastructure
To remove a virtual machine from the protected infrastructure of a complete tenant:
- Unregister the virtual machine in the Integration Server database. The virtual machine unregistration procedure is automated by means of the Integration Server REST API.
As a result, information about the tenant virtual machine is deleted from the Integration Server database.
- On the virtual machine, uninstall Kaspersky Security Center Network Agent, Light Agent for Linux, or Light Agent for Windows.
You can perform these actions manually in the Kaspersky Security Center interface or automate the removal using Kaspersky Security Center OpenAPI (open a description of Kaspersky Security Center OpenAPI methods).
- Remove the virtual machine from the list of the tenant's managed devices. You can move the virtual machine to the Unassigned devices folder of Kaspersky Security Center main Administration Server or delete the virtual machine from Kaspersky Security Center.
You can perform these actions manually in the Kaspersky Security Center interface or automate virtual machine removal from the list of managed devices using Kaspersky Security Center OpenAPI (open the description of Kaspersky Security Center OpenAPI methods).
If the virtual machine is removed from the protected infrastructure of a simple tenant, you need to unregister the virtual machine in the Integration Server database.
Removing tenants
If you want to stop providing services to a complete tenant, you need to remove the tenant. To do so, perform the following actions:
- On the virtual machine, uninstall Kaspersky Security Center Network Agent, Light Agent for Linux, or Light Agent for Windows.
You can perform these actions manually in the Kaspersky Security Center interface or automate the removal using Kaspersky Security Center OpenAPI (open a description of Kaspersky Security Center OpenAPI methods).
- Remove the tenant from the Integration Server database, and remove the tenant protection infrastructure. The removal procedure is automated by means of the Integration Server REST API. When calling the REST API method, specify the removeTenantArtifacts=true parameter.
As a result of the procedure, the following actions are automatically performed:
- Information about the tenant and the tenant virtual machines is deleted from the Integration Server database.
- The tenant protection infrastructure is removed from Kaspersky Security Center, namely: virtual Administration Server and the account for connecting to it, the Multitenancy KSV LA → <Tenant name> folder and its contents (subfolders and administration groups, policies and tasks, and installation packages).
- If there are no other tenants, the Multitenancy KSV LA folder is also deleted.
If protection services are terminated for a simple tenant, you need to remove the tenant from the Integration Server database.
Using the Integration Server REST API in multi-tenancy scenarios
Interaction with the Integration Server REST API is based on requests and responses and is carried out over the HTTPS protocol using the multitenancy account.
Account parameters are passed as the string {username}:{password}, encoded with the Base64 method, in the Authorization request header at every method call. Authentication of the Basic type is used.
The address of the request to the Integration Server REST API consists of the following parts:
https://{Integration Server address}:{Integration Server port}/{method}?{parameters}
where:
- {Integration Server address} – IP address or fully qualified domain name (FQDN) of the Integration Server.
- {Integration Server port} – port for connecting to the Integration Server (port 7271 by default).
- {method} – method to call.
- {parameters} – method parameters, if any.
For processing requests that are time consuming and run asynchronously, tasks are used. The task is created as an intermediate query result.
Methods for working with tenants
Using the Integration Server REST API, you can perform the following actions when working with tenants and tenant virtual machines:
- Get information about a tenant
- Get a list of tenants
- Get a list of tenant virtual machines
- Create a new tenant and its protection infrastructure, or register an existing tenant
- Remove a tenant
- Activate and deactivate a tenant
- Register and unregister tenant virtual machines
The set of actions performed as a result of some REST API requests depends on the tenant type that you specify when adding the tenant information to the Integration Server database. Deployment and deletion of the tenant protection infrastructure using the Integration Server REST API is available for complete tenants. For a simple tenant, only report generation is automated.
Getting information about a tenant
Allows you to get information about the tenant from the Integration Server database.
Method:
GET /api/2.0/virtualization/tenants/{tenant ID}
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
In case of successful completion of the request, the REST API returns the following information about the tenant:
<tenant id="{ID}" created="{date and time}" updated="{date and time}">
  <name>{name}</name>
  <description>{description}</description>
  <userData><![CDATA[{additional information}]]></userData>
  <!-- Information in the vKsc section is available only for a complete tenant -->
  <vKsc id="{ID}">
    <user>
      <name>{administrator}</name>
    </user>
  </vKsc>
  <status>{status}</status>
  <type>{tenant type}</type>
</tenant>
where:
- tenant id="{ID}" – tenant identifier in the Integration Server database.
- created="{date and time}" – date and time when the tenant was registered in the Integration Server database, in YYYY-MM-DDThh:mm:ss format.
- updated="{date and time}" – date and time when the tenant data was updated in the Integration Server database, in YYYY-MM-DDThh:mm:ss format.
- {name} – tenant name specified when the tenant was created.
- {description} – tenant description.
- {additional information} – additional tenant information added to the Integration Server database.
- vKsc id="{ID}" – identifier assigned to the tenant's virtual Administration Server in Kaspersky Security Center.
- {administrator} – name of the administrator of the tenant's virtual Administration Server.
- {status} – current tenant status: Active or Inactive.
- {tenant type} – type of tenant: Complete or Simple.
Return codes:
- 200 (OK) – request completed successfully. The tenant information is returned in the response.
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
Getting a tenant list
Allows you to get a list of all tenants whose information is stored in the Integration Server database, as well as information about each tenant.
Method:
GET /api/2.0/virtualization/tenants
Return codes:
- 200 (OK) – request completed successfully. A list of information about all tenants is returned in the response.
- 403 (Forbidden) – access to the resource is denied.
Getting a list of tenant virtual machines
Allows you to get a list of all registered tenant virtual machines.
Method:
GET /api/2.0/virtualization/tenants/{tenant ID}/vms
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
If the request succeeds, the REST API returns a list of virtual machines and the following information about each tenant virtual machine:
<vm id="{ID in the database}" biosId="{BIOS ID}" created="{date and time}" updated="{date and time}">
  <name>{name}</name>
  <userData><![CDATA[{additional information}]]></userData>
</vm>
where:
- {ID in the database} – identifier assigned to the virtual machine in the Integration Server database.
- {BIOS ID} – virtual machine identifier (BIOS ID) in UUID format.
- created="{date and time}" – date and time when the virtual machine was registered in the Integration Server database in YYYY-MM-DDThh:mm:ss format.
- updated="{date and time}" – date and time when the virtual machine data was updated in the Integration Server database in YYYY-MM-DDThh:mm:ss format.
- {name} – virtual machine name.
- {additional information} – additional information about the virtual machine stored in the Integration Server database.
Return codes:
- 200 (OK) – request completed successfully. A list of the tenant virtual machines is returned in the response.
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
Creating a tenant
Depending on the tenant type that you specify when calling the REST API method, the following actions can be performed:
- For a complete tenant:
- Add tenant data to the Integration Server database.
- Create the tenant protection infrastructure in Kaspersky Security Center (virtual Administration Server, account for connecting to it, structure of folders and administration groups).
- Add information about the tenant's virtual Administration Server to the Integration Server database.
- For a simple tenant: add the tenant data to the Integration Server database.
Method:
POST /api/2.0/virtualization/tenants
The following parameters must be specified in the request body:
<tenant>
  <name>{name}</name>
  <description>{description}</description>
  <userData><![CDATA[{additional information}]]></userData>
  <preferredViisAddress>{IP address}</preferredViisAddress>
  <type>{tenant type}</type>
  <!-- Data in the vKsc section is specified only for a complete tenant -->
  <vKsc>
    <user>
      <name>{administrator name}</name>
      <password>{administrator password}</password>
    </user>
  </vKsc>
</tenant>
where:
- {name} – tenant name (required parameter).
- {description} – tenant description (optional parameter).
- {additional information} – additional tenant information (optional parameter).
- {IP address} – IP address of the Integration Server to which the Light Agents installed on tenant virtual machines will connect (optional parameter). The specified address is used by default when creating the Light Agent policy. If the parameter is not specified, the policy uses the Integration Server IP address from the request to REST API.
- {tenant type} – type of tenant: Complete or Simple (optional parameter).
- {administrator name} – name of the administrator account used to connect to the tenant's virtual Administration Server (required when creating a complete tenant). The account will be created automatically during the procedure.
- {administrator password} – Base64-encoded password for the administrator account (required when creating a complete tenant).
The request is executed asynchronously: the REST API returns the identifier of the CreateTenant task. Using the task, you can monitor the progress of the tenant creation procedure. When the task completes, the result field displays information about the tenant including the identifier of the created tenant, or an error message. In case of an error at any step of the procedure, all the changes are rolled back.
Return codes:
- 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the CreateTenant task.
- 400 (Bad request) VIRMT_MandatoryParameterIsNotSpecified – one of the required parameters, for example, the tenant name, is not specified in the request body.
- 400 (Bad request) VIRMT_InvalidTenantType – an invalid tenant type is specified in the request body; the specified tenant type does not exist.
- 400 (Bad request) VIRMT_VKscCredentialsNotSpecified – the name or password of the administrator account of the virtual Kaspersky Security Center Administration Server is not specified (when creating a complete tenant).
- 400 (Bad request) VIRMT_InvalidViisAddressFormat – invalid format of the Integration Server IP address.
- 403 (Forbidden) – access to the resource is denied.
Possible error codes in the task:
- KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
- VIRMT_TenantGroupAlreadyExists – a folder whose name corresponds to the specified tenant name already exists in Kaspersky Security Center.
- VIRMT_TenantWithSpecifiedNameAlreadyExists – a tenant with the specified name already exists in the Integration Server database.
- VIRMT_PasswordNotComplyPolicy – failed to create an administrator account for Kaspersky Security Center virtual Administration Server: the specified password does not meet Kaspersky Security Center password requirements.
- VIRMT_UserWithSpecifiedNameAlreadyExists – failed to create an administrator account for Kaspersky Security Center virtual Administration Server: a user with the specified name already exists in Kaspersky Security Center.
Activating a tenant
Allows changing the tenant status to "Active".
Method:
POST /api/2.0/virtualization/tenants/{tenant ID}/activate
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
The request is executed asynchronously: the REST API returns the identifier of the ChangeTenantActivation task. Using the task, you can monitor the progress of the procedure for changing the tenant status. When the task is done, the result field displays confirmation that the tenant status changed (true) or an error message.
Return codes:
- 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the ChangeTenantActivation task.
- 403 (Forbidden) – access to the resource is denied.
Error codes in the task:
- VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
- KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Deactivating a tenant
Allows changing the tenant status to "Inactive".
Method:
POST /api/2.0/virtualization/tenants/{tenant ID}/deactivate
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
The request is executed asynchronously: the REST API returns the identifier of the ChangeTenantActivation task. Using the task, you can monitor the progress of the procedure for changing the tenant status. When the task is done, the result field displays confirmation that the tenant status changed (true) or an error message.
Return codes:
- 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the ChangeTenantActivation task.
- 403 (Forbidden) – access to the resource is denied.
Error codes in the task:
- VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
- KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Registering tenant virtual machines
Allows you to add information about the tenant virtual machines to the Integration Server database.
Method:
POST /api/2.0/virtualization/tenants/{tenant ID}/vms/register
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
The following parameters must be specified in the request body:
<vm biosId="{BIOS ID}">
  <name>{name}</name>
  <userData><![CDATA[{additional information}]]></userData>
</vm>
where:
- {BIOS ID} – unique virtual machine identifier (BIOS ID) (required parameter).
- {name} – virtual machine name (optional parameter).
- {additional information} – additional information about the virtual machine (optional parameter).
Return codes:
- 200 (OK) – request completed successfully (information about the virtual machine is added to the Integration Server database).
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
- 409 (Conflict) VIRMT_VmWithSpecifiedBiosIdAlreadyExists – virtual machine with the specified identifier is already registered in the Integration Server database.
Unregistering a virtual machine
Allows you to delete information about the tenant virtual machine from the Integration Server database.
Unregistration does not disable protection of the tenant virtual machine. You can disable protection of the virtual machine for a complete tenant by following all the steps of the procedure for removing virtual machines from the protected infrastructure.
Method:
POST /api/2.0/virtualization/tenants/{tenant ID}/vms/unregister?biosId={ID}
or
POST /api/2.0/virtualization/tenants/{tenant ID}/vms/unregister?vmId={ID}
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
- biosId={ID} – virtual machine identifier (BIOS ID) in UUID format (required parameter).
- vmId={ID} – identifier of the virtual machine in the Integration Server database, in the UUID format (required parameter).
Return codes:
- 200 (OK) – request completed successfully (information about the virtual machine is deleted from the Integration Server database).
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
- 404 (Not Found) VIRMT_VmWithSpecifiedIdNotFound – virtual machine with the specified identifier is not found in the Integration Server database.
Removing a tenant
Depending on the tenant type and specified parameters, lets you perform the following actions:
- For a complete tenant:
- Delete information about the tenant and tenant virtual machines from the Integration Server database.
- Delete the tenant protection infrastructure in Kaspersky Security Center (virtual Administration Server, account for connecting to it, structure of folders and administration groups, policies, tasks, and installation packages). If there are no other tenants, the Multitenancy KSV LA folder is also deleted.
- Delete information about the tenant's virtual Administration Server from the Integration Server database.
Calling the tenant removal method does not disable protection on tenant virtual machines. To disable protection, you need to perform all steps of the tenant removal procedure, including removal of Light Agent for Windows, Light Agent for Linux, and Kaspersky Security Center Network Agent from the virtual machines. To suspend protection of the virtual machine for a complete tenant, use the tenant deactivation method.
- For a simple tenant: remove the tenant from the Integration Server database.
Method:
DELETE /api/2.0/virtualization/tenants/{tenant ID}?removeTenantArtifacts={true|false}
where:
- {tenant ID} – tenant identifier in the Integration Server database (required parameter).
- removeTenantArtifacts={true|false} – optional parameter that indicates whether the tenant protection infrastructure must be removed when removing the tenant from the Integration Server database. Possible values:
  - true – when the tenant is removed, the following actions are performed:
    - Remove the tenant's virtual Administration Server.
    - Delete the administrator account of the tenant's virtual Administration Server.
    - Delete the Multitenancy KSV LA → <Tenant name> folder and its contents.
    - Delete the Multitenancy KSV LA folder if there are no other tenants.
  - false – the tenant is only deleted from the Integration Server database; the tenant protection infrastructure is not deleted.
The request is executed asynchronously: the REST API returns the identifier of the DeleteTenant task. You can use the task to monitor the progress of the tenant removal procedure. When the task completes, the result field displays information about the removed tenant or an error message.
In case of an error at any step of the procedure, all the changes are rolled back.
Return codes:
- 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the DeleteTenant task.
- 403 (Forbidden) – access to the resource is denied.
Error codes in the task:
- VIRMT_TenantWithSpecifiedIdNotFound – a tenant with the specified identifier is not found in the Integration Server database.
- KSC_ServiceNotConfigured – Kaspersky Security Center connection settings are not specified.
Methods for working with reports
Using the Integration Server REST API, you can perform the following actions when working with tenant protection reports:
- Generate a report
- Upload a report
Report generation
Allows you to generate a report based on data saved to the Integration Server database, taking into account the specified report settings. You can specify the tenant about whose protection you want to generate a report, as well as the time interval for which you want to receive data.
In the header of the Accept
request, pass the data output format: Accept:application/csv
.
Method:
POST /api/2.0/virtualization/reports/tenants?tenantId={tenant ID
}&from={date and time
}&to={date and time
}
where:
tenantId={
tenant ID
}
– tenant identifier in the Integration Server database. If a tenant is specified, the report includes only information about periods of protection of the virtual machines of this tenant. If a tenant is not specified, the report will include data on all virtual machines that were protected during the specified period.from={
date and time
}
– start date and time of the reporting period in YYYY-MM-DDThh:mm:ss format. If the value is not specified, the date of the earliest record in the Integration Server database is used.to={
date and time
}
– end date and time of the reporting period in YYYY-MM-DDThh:mm:ss format. If the value not specified, the current date is used.
The request is executed asynchronously. The REST API returns the identifier of the CreateTenantReport task, which you can use to monitor the progress of the report generation procedure. When the task execution completes, the result field displays the report identifier or an error message.
Return codes:
- 202 (Accepted) – the request is accepted for execution. The response returns the identifier of the CreateTenantReport task.
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) – a tenant with the specified identifier is not found in the Integration Server database.
Report upload
Allows you to upload a report generated before.
In the Accept request header, pass the data output format: Accept: application/csv.
The report can be uploaded in parts. You can specify the data range in the Range request header, for example:
Range: bytes=0-1023
In response to a request with this header, the REST API returns the 206 (Partial content) result and the first kilobyte of data. The response contains the Content-Range and Content-Length headers.
For example:
Content-Range: bytes=0-1023/123456
Content-Length: 1024
Method:
GET /api/2.0/virtualization/reports/tenants/{report ID}
where:
- {report ID} – report identifier obtained as a result of successful completion of the CreateTenantReport task (required parameter).
Return codes:
- 200 (OK) – request completed successfully. The response returns the report data in the format specified in the Accept header.
- 206 (Partial content) – request completed successfully. The response returns the part of the report specified by the Range header.
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) – report with the specified identifier is not found.
- 415 (Unsupported Media Type) – unsupported format of the requested data (incorrect format was passed in the Accept request header).
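An added example (not part of the product or its documentation) of fetching a report in parts with the Range header described above, checking the Content-Range and Content-Length of every 206 response before the data is appended. The send callable, the in-memory fake server and the size cap are assumptions; the parser accepts both the bytes=0-1023/123456 form shown on this page and the space-separated form defined by the HTTP specification.

```python
import re
from typing import Callable, Dict, Tuple
from urllib.parse import quote

# "bytes 0-1023/123456" is the RFC 9110 form; this page shows "bytes=0-1023/123456".
CONTENT_RANGE = re.compile(r"bytes[ =](\d+)-(\d+)/(\d+)")
Response = Tuple[int, Dict[str, str], bytes]           # (status, headers, body)
Sender = Callable[[str, str, Dict[str, str]], Response]  # hypothetical transport


class ReportDownloadError(Exception):
    """A response did not match what was requested."""


def report_path(report_id: str) -> str:
    # Percent-encode the ID so it cannot add path segments or a query string.
    return "/api/2.0/virtualization/reports/tenants/" + quote(report_id, safe="")


def parse_content_range(value: str) -> Tuple[int, int, int]:
    match = CONTENT_RANGE.fullmatch(value.strip())
    if not match:
        raise ReportDownloadError(f"bad Content-Range: {value!r}")
    first, last, total = (int(g) for g in match.groups())
    if not first <= last < total:
        raise ReportDownloadError(f"inconsistent Content-Range: {value!r}")
    return first, last, total


def download_report(send: Sender, report_id: str, chunk_size: int = 1024,
                    max_bytes: int = 64 * 1024 * 1024) -> bytes:
    """Fetch the report chunk by chunk; `send` must add authentication and verify TLS."""
    path, data, total = report_path(report_id), bytearray(), None
    while total is None or len(data) < total:
        first = len(data)
        last = first + chunk_size - 1
        request = {"Accept": "application/csv", "Range": f"bytes={first}-{last}"}
        status, raw_headers, body = send("GET", path, request)
        headers = {k.lower(): v for k, v in raw_headers.items()}
        if status == 200 and first == 0:
            # The server ignored Range and returned the whole report at once.
            if len(body) > max_bytes:
                raise ReportDownloadError("report exceeds size cap")
            return bytes(body)
        if status != 206:
            raise ReportDownloadError(f"unexpected status {status}")
        got_first, got_last, got_total = parse_content_range(headers.get("content-range", ""))
        if got_first != first or got_last > last:
            raise ReportDownloadError("server returned a range that was not requested")
        if len(body) != got_last - got_first + 1:
            raise ReportDownloadError("body length does not match Content-Range")
        declared = headers.get("content-length")
        if declared is not None and (not declared.strip().isdigit() or int(declared) != len(body)):
            raise ReportDownloadError("body length does not match Content-Length")
        if total is None:
            total = got_total
            if total > max_bytes:
                raise ReportDownloadError("report exceeds size cap")
        elif got_total != total:
            raise ReportDownloadError("report size changed during download")
        data += body
    return bytes(data)


def make_fake_send(report: bytes, sep: str = "=") -> Sender:
    """Constructed stand-in for the server, used only to run the example offline."""
    def send(method: str, path: str, headers: Dict[str, str]) -> Response:
        first, last = (int(n) for n in headers["Range"][len("bytes="):].split("-"))
        last = min(last, len(report) - 1)
        body = report[first:last + 1]
        return 206, {"Content-Range": f"bytes{sep}{first}-{last}/{len(report)}",
                     "Content-Length": str(len(body))}, body
    return send


if __name__ == "__main__":
    sample = b"vm,tenant,from,to\n" + b"x" * 2500      # constructed report data
    print(len(download_report(make_fake_send(sample), "r-1")))
```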
Methods for working with tasks
The tasks are used for processing requests that are time consuming and run asynchronously. Task statuses allow you to monitor the progress of actions specified in the request.
A task may have one of the following states:
- Created – task is created but not started.
- Starting – the task is in the process of starting.
- Running – the task is running. For a task in this state, the execution progress is displayed as a percent value.
- Completed – the task has been successfully completed. For a task in this state, the task execution result is displayed. The result contains task-specific data, for example, the identifier of a new tenant after the CreateTenant task completes.
- Stopping – the task is being prepared for completion. If you stopped a task, it may be in this state before switching to the Canceled state.
- Failed – the task failed. For a task in this state, detailed error information is indicated.
- Canceled – the task is terminated by the user or the system. For a task in this state, detailed error information is indicated.
- Queued – the task has been queued and is waiting for execution to start.
By means of the Integration Server REST API, you can perform the following tasks:
- Get a list of tasks
- Get information about a specified task
- Cancel execution of a specified task
Getting task information
Allows you to get information about the task by its identifier.
Method:
GET /api/2.0/virtualization/tasks/{ID}
where:
- {ID} – task identifier (required parameter).
In case of successful completion of the request, the REST API returns the following information about the task:
<task id="{ID}" created="{date and time}" stateChanged="{date and time}" changed="{date and time}">
  <state>{state}</state>
  <type>{type}</type>
  <stage>{stage}</stage>
  <progress>{execution progress}</progress>
  <result>{result}</result>
  <!-- If the task execution fails, an error message is displayed instead of the result.
  <error>{error message}</error>
  -->
</task>
where:
- {ID} – task ID.
- created="{date and time}" – task creation time in YYYY-MM-DDThh:mm:ss format.
- stateChanged="{date and time}" – time of the task state change in YYYY-MM-DDThh:mm:ss format.
- changed="{date and time}" – task change time in YYYY-MM-DDThh:mm:ss format.
- {state} – task state.
- {type} – task type. For example:
  - CreateTenant – a task that is used in the tenant creation procedure.
  - ChangeTenantActivation – a task that is used in tenant activation and deactivation procedures.
  - DeleteTenant – a task that is used in the tenant deletion procedure.
  - CreateTenantReport – a task that is used in the procedure for generating a tenant protection report.
- {name} – task name.
- {stage} – task execution stage.
- {execution progress} – the progress of task execution indicated as a percentage.
- {result} – result of executing the task, for example, information about a created tenant or a report identifier.
- {error message} – if an error occurs during task execution, an error message is displayed.
Return codes:
- 200 (OK) – request completed successfully.
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) – task with the specified identifier is not found in the Integration Server database.
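The polling loop that the asynchronous methods imply, as an added example (not Kaspersky code): it parses the task document shown above, treats Completed, Failed and Canceled as final, and rejects malformed or mismatched responses. The fetch callable, which must perform the authenticated GET over verified TLS, and the sample responses are assumptions constructed for illustration.

```python
import time
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import quote

# Task states listed on this page; the three in FINAL never change again.
PENDING = {"Created", "Queued", "Starting", "Running", "Stopping"}
FINAL = {"Completed", "Failed", "Canceled"}

# Constructed sample responses in the layout shown above (not captured from a server).
SAMPLE_RUNNING = (
    '<task id="t-1" created="2024-05-01T10:00:00" stateChanged="2024-05-01T10:00:02" '
    'changed="2024-05-01T10:00:02"><state>Running</state><type>CreateTenantReport</type>'
    '<stage>collect</stage><progress>40</progress></task>')
SAMPLE_COMPLETED = (
    '<task id="t-1" created="2024-05-01T10:00:00" stateChanged="2024-05-01T10:00:09" '
    'changed="2024-05-01T10:00:09"><state>Completed</state><type>CreateTenantReport</type>'
    '<progress>100</progress><result>report-42</result></task>')
SAMPLE_FAILED = (
    '<task id="t-2" created="2024-05-01T10:00:00" stateChanged="2024-05-01T10:00:03" '
    'changed="2024-05-01T10:00:03"><state>Failed</state><type>DeleteTenant</type>'
    '<error>VIRMT_TenantWithSpecifiedIdNotFound</error></task>')


class TaskError(Exception):
    """The task ended as Failed or Canceled, or the response was not a valid task."""


@dataclass
class TaskInfo:
    task_id: str
    state: str
    type: str
    progress: Optional[int]
    result: Optional[str]
    error: Optional[str]


def task_path(task_id: str) -> str:
    # Percent-encode the ID so it stays a single path segment.
    return "/api/2.0/virtualization/tasks/" + quote(task_id, safe="")


def child_text(root: ET.Element, tag: str) -> Optional[str]:
    node = root.find(tag)
    if node is None:
        return None
    return "".join(node.itertext()).strip() or None


def parse_task(xml_text: str) -> TaskInfo:
    # A task response has no reason to carry a DTD; refusing one keeps
    # entity definitions away from the parser.
    if "<!doctype" in xml_text.lower():
        raise TaskError("DOCTYPE not allowed in a task response")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise TaskError(f"malformed task XML: {exc}") from exc
    if root.tag != "task" or not root.get("id"):
        raise TaskError("response is not a <task> element with an id")
    state = child_text(root, "state")
    if state not in PENDING | FINAL:
        raise TaskError(f"unknown task state: {state!r}")
    progress = child_text(root, "progress")
    return TaskInfo(root.get("id"), state, child_text(root, "type") or "",
                    int(progress) if progress and progress.isdigit() else None,
                    child_text(root, "result"), child_text(root, "error"))


def wait_for_task(fetch: Callable[[str], str], task_id: str, timeout: float = 600.0,
                  interval: float = 2.0, sleep: Callable[[float], None] = time.sleep) -> TaskInfo:
    """Poll until the task is final; `fetch(task_id)` returns the response body."""
    deadline = time.monotonic() + timeout
    while True:
        info = parse_task(fetch(task_id))
        if info.task_id.lower() != task_id.lower():
            raise TaskError("response describes a different task")
        if info.state == "Completed":
            return info
        if info.state in FINAL:
            raise TaskError(f"task {task_id} ended as {info.state}: {info.error}")
        if time.monotonic() >= deadline:
            raise TimeoutError(f"task {task_id} still {info.state} after {timeout}s")
        sleep(interval)


if __name__ == "__main__":
    replies = iter([SAMPLE_RUNNING, SAMPLE_COMPLETED])
    finished = wait_for_task(lambda _id: next(replies), "t-1", sleep=lambda _s: None)
    print(finished.state, finished.result)
```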
Getting a list of tasks
Allows you to get a list of all existing tasks and information about each task in the list.
Method:
GET /api/2.0/virtualization/tasks?createdFrom={date and time}&state={status}&type={type}
where:
- createdFrom={date and time} – date and time in YYYY-MM-DDThh:mm:ss format (optional parameter). If the parameter is specified, the list displays the tasks that were created not earlier than the specified date and time.
- state={state} – task state (optional parameter). If the parameter is specified, the list displays only the tasks with the specified state.
- type={type} – task type (optional parameter). If the parameter is specified, the list displays only the tasks of the specified type.
Return codes:
- 200 (OK) – request completed successfully. The response returns a list of tasks.
- 403 (Forbidden) – access to the resource is denied.
Canceling a task
Allows you to stop running tasks. Some tasks cannot be completed immediately. In this case, the 202 (Accepted) code is returned and the task state changes to Stopping.
Method:
POST /api/2.0/virtualization/tasks/{ID}/cancel
where:
- {ID} – task identifier (required parameter).
Return codes:
- 200 (OK) – request completed successfully (the task was canceled).
- 202 (Accepted) – request is accepted for execution (the task state changes to Stopping).
- 403 (Forbidden) – access to the resource is denied.
- 404 (Not Found) – task with the specified identifier is not found.
- 405 (Method Not Allowed) – for child tasks: you can cancel a child task only if you cancel the parent task.
- 409 (Conflict) – the task is already in one of the following states: Cancelled, Failed, Stopped.
Contacting Technical Support
This section describes the ways to get technical support and the terms on which it is available.
How to get technical support
If you cannot find a resolution to your issue in the help or in other sources of information about the Kaspersky Security solution, you are advised to contact Technical Support. Technical Support specialists will answer your questions about installing and using the solution.
Kaspersky provides support for the solution throughout its lifecycle (see the Kaspersky application lifecycle page). Before contacting Technical Support, please read the support rules.
You can contact Technical Support in one of the following ways:
- Visit the Technical Support website.
- Submit a request to Kaspersky Technical Support through the Kaspersky CompanyAccount portal.
Technical Support via Kaspersky CompanyAccount
Kaspersky CompanyAccount is a portal for organizations that use Kaspersky applications. The Kaspersky CompanyAccount portal is designed to facilitate interaction between users and Kaspersky experts via online requests. The Kaspersky CompanyAccount portal lets you monitor the progress of electronic request processing by Kaspersky experts and store a history of electronic requests.
You can register all of your organization's employees under a single Kaspersky CompanyAccount. A single account lets you centrally manage electronic requests from registered employees to Kaspersky and also manage the privileges of these employees via Kaspersky CompanyAccount.
The Kaspersky CompanyAccount portal is available in the following languages:
- English
- Spanish
- Italian
- German
- Polish
- Portuguese
- Russian
- French
- Japanese
To learn more about Kaspersky CompanyAccount, visit the Technical Support website.
Getting information for Technical Support
Getting data files
After you inform Kaspersky Technical Support specialists about your issue, they may ask you to send the following files:
- SVM system statistics files
- Dump files of the Protection Server and Light Agents
- Trace files from the Solution Components Installation Wizard
- Trace files of the Integration Server and Integration Server Console
- Trace files of SVMs, Light Agent, and Kaspersky Security management plug-ins
A dump file contains all information about the working memory of Kaspersky Security processes at the time the dump file was created.
A trace file helps track the step-by-step execution of instructions by solution components and can help detect the stage of execution when an error occurs.
Changing solution component settings
Technical Support specialists may also require additional information about the operating system, processes that are running on the protected virtual machine, and detailed reports on the operation of solution components.
While diagnosing the problem, Technical Support specialists may, for debugging purposes, ask you to change the solution component settings to:
- Activate the functionality that obtains extended diagnostic information.
- Run the tools, which are included in the solution's distribution kit.
- Change the settings for storing diagnostic information.
- Enable debugging mode for the Integration Server.
- Configure interception of network traffic and save it to file.
- Perform more detailed configuration of the operation of the Light Agents, Protection Server, Integration Server, Integration Server Console, and management plug-ins. This detailed configuration is not available through the solution management tools described in this help.
Technical Support experts will provide you with all the information needed to perform the listed operations, including a description of the sequence of steps, settings to be modified, configuration files, scripts, additional command line functionality, debugging modules, special-purpose tools, and will inform you about the scope of data submitted for debugging purposes.
The extended diagnostic information is saved on your virtual machine. The data is not automatically sent to Kaspersky.
You are strongly advised to perform the above-mentioned steps solely under the guidance of Technical Support specialists and according to their instructions. Independent modification of the solution settings in ways not described in the solution's help or in recommendations from Technical Support specialists may cause operating system slowdowns and malfunctions, decrease of the protection level of virtual machines, and lead to the loss or corruption of the information being processed.
Disabling the rollback function
You may need to disable the rollback function in order to analyze an error that occurs during SVM deployment using the Integration Server Console.
To disable the rollback function:
- On the device where the Kaspersky Security Center Administration Console is installed, open the file %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\Kaspersky.VIISConsole.UI.exe.config in a text editor.
  You must edit the file under the administrator account.
- In the <appSettings></appSettings> section, edit the <!--<add key="disableRollback" value="1" />--> string as follows: <add key="disableRollback" value="1" />
- Save and close the Kaspersky.VIISConsole.UI.exe.config file.
The new settings are applied after the Integration Server Console is restarted.
Getting information about SVMs connected to the Integration Server
Technical Support experts may ask you to provide information about the SVMs that are connected to the Integration Server. You can view a list of all SVMs connected to the Integration Server in the Integration Server Console.
Troubleshooting the solution
To diagnose performance issues, you may need to turn on debug mode for the Integration Server. To turn on debug mode, you need to use special configuration file settings. For more detailed information, please contact Technical Support.
Protection Server and Light Agent dump files
A dump file contains information about the working memory of Kaspersky Security processes at the time the file was created.
Dump files may contain personal data. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
Dump files are not sent to Kaspersky automatically.
By default, dump files are not created. You can enable or disable creation of dump files.
Protection Server dump files
To enable creation of Protection Server dump files:
- On the SVM, create the /etc/opt/kaspersky/la/dumps_enabled file.
- Restart the scanserver service by running the systemctl restart la-scanserver command.
All created dump files are located by default on the SVM in the /var/opt/kaspersky/la/dumps directory. The name of each *.dmp file contains the date and time when the file was created, the process identifier (PID), and the dump number in the session.
You can change the dump logging settings in the ScanServer.conf configuration file (in the [dumps] section).
Access to the dump files requires the password of the SVM root account assigned during Protection Server installation. If you change the default directory for storing dump files, Kaspersky Security does not control access to dump files. If the file system where the specified directory is located supports appropriate access control, the root account permissions are required to access the dump files.
Dump files are automatically deleted when the SVM is deleted.
To disable creation of Protection Server dump files:
- Delete the /etc/opt/kaspersky/la/dumps_enabled file.
- Restart the scanserver service by running the systemctl restart la-scanserver command.
Light Agent dump files
You can enable or disable creation of dump files for Light Agent for Linux and Light Agent for Windows on devices where Kaspersky Endpoint Security for Linux or Kaspersky Endpoint Security for Windows is installed in Light Agent mode.
For details, see the Help of the application that you are using in Light Agent mode.
Trace files of the Kaspersky Security Components Installation Wizard
Information about the progress and results of the Kaspersky Security Components Installation Wizard is written to trace files. If installation, upgrade, or removal of the Integration Server or Integration Server Console ends with an error, you can use these trace files when contacting Technical Support.
Trace files of the Kaspersky Security Components Installation Wizard are files in TXT format. They are automatically saved on the same device where the Wizard was started.
If you installed Kaspersky Security components or downloaded SVM images, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the installation was completed.
If you upgraded Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleMajorUpgrade_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the upgrade was completed.
If you removed Kaspersky Security components, the trace files are saved to an archive in the path %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleUninstall_logs_<date and time>.zip, where:
- <version number> refers to the number of the installed version of Kaspersky Security;
- <date and time> refers to the date and time when the removal was completed.
Trace files of the Kaspersky Security Components Installation Wizard contain the following information:
- Diagnostic information about the process of installation, upgrade, or removal of Kaspersky Security components.
- Name of the device on which the user started the procedure for installing, upgrading or removing Kaspersky Security components, and the name of the user that started the procedure.
- Information about errors that occurred during the process of installation, upgrade, or removal of Kaspersky Security components.
Trace files of the Kaspersky Security Components Installation Wizard are stored in a readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
Trace files of the Kaspersky Security Components Installation Wizard are not automatically sent to Kaspersky.
Trace files of the Integration Server and Integration Server Console
Trace files of the Linux-based Integration Server
Information about the operation of the Linux-based Integration Server can be logged in the following trace files:
- /var/log/kaspersky/viis/service.log – Integration Server trace file.
- /var/log/kaspersky/viis/SvmManagement/sm_<file creation date>.log – trace file for the deployment, reconfiguration, and deletion of SVMs using the REST API of the Linux-based Integration Server.
By default, logging of information to trace files is disabled.
You can enable or disable logging of information to the Linux-based Integration Server trace files using the /var/opt/kaspersky/viis/common/appsettings.logging.json configuration file.
A privileged account is required to edit the configuration file.
To enable logging of information to the trace files of the Linux-based Integration Server:
- Open the /var/opt/kaspersky/viis/common/appsettings.logging.json file.
- In the LogLevel section, set the value of the Default setting to Trace. The default value is None.
- In the rules section, in the Service and SvmManagement subsections, set the value of the minlevel setting to Trace. The default value is None.
- Save the /var/opt/kaspersky/viis/common/appsettings.logging.json file.
The new settings are applied without restarting the Integration Server.
Trace files are moved to the archival directory (/var/log/kaspersky/viis/archives). Integration Server trace files are moved to the archive when the file size reaches 50 MB. Trace files of deployment, reconfiguration, and deletion procedures are archived daily. The archive contains up to 20 Integration Server trace files and up to 10 trace files for SVM deployment, reconfiguration, and deletion procedures. When this number is reached, older files are deleted.
Access to the directory where trace files are saved is restricted by using an ACL. To access the directory, administrator rights (root, sudoers) are required.
If you change the default directory for storing trace files, Kaspersky Security does not control access to trace files. You are advised to ensure that information is protected against unauthorized access.
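Integration Server trace files can record HTTP request headers and contents, account names and IP addresses, so it is worth confirming that tracing was switched back off after a diagnostic session. The following added example (not part of the product) scans the text of appsettings.logging.json for the LogLevel/Default and rules/minlevel settings named above and reports any that are more verbose than a baseline; the JSON nesting of the sample and the level names other than Trace, Error and None are assumptions.

```python
import json
import sys
from typing import Any, Iterator, List, Tuple

# Verbosity ranks, most verbose first. Only Trace, Error and None appear on this
# page; the other names are the usual .NET / NLog level names (assumption).
RANK = {"trace": 0, "debug": 1, "info": 2, "information": 2, "warn": 3,
        "warning": 3, "error": 4, "fatal": 5, "critical": 5, "none": 6, "off": 6}

# Constructed sample: a file left in the state the enabling procedure produces
# for the Default and SvmManagement settings. The real file's nesting may differ;
# the walker below finds the settings at any depth.
SAMPLE_LEFT_ON = """
{
  "LogLevel": {"Default": "Trace"},
  "rules": {
    "Service": {"minlevel": "None"},
    "SvmManagement": {"minlevel": "Trace"}
  }
}
"""


def iter_level_settings(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[str, str]]:
    """Yield (location, value) for LogLevel/Default and any minlevel under rules."""
    if isinstance(node, dict):
        lowered = [part.lower() for part in path]
        for key, value in node.items():
            here = path + (str(key),)
            if isinstance(value, str):
                is_default = key.lower() == "default" and lowered[-1:] == ["loglevel"]
                is_minlevel = key.lower() == "minlevel" and "rules" in lowered
                if is_default or is_minlevel:
                    yield "/".join(here), value
            else:
                yield from iter_level_settings(value, here)
    elif isinstance(node, list):
        for index, item in enumerate(node):
            yield from iter_level_settings(item, path + (str(index),))


def audit_logging_config(text: str, baseline: str = "None") -> List[str]:
    """Return one finding per setting that logs more than `baseline` allows.

    Use baseline="None" for the Linux-based Integration Server (logging is off
    by default) and baseline="Error" for the Windows-based one.
    """
    allowed = RANK[baseline.lower()]
    findings = []
    for where, level in iter_level_settings(json.loads(text)):
        rank = RANK.get(level.strip().lower())
        if rank is None:
            findings.append(f"{where}: unrecognized level {level!r}")
        elif rank < allowed:
            findings.append(f"{where}: {level} is more verbose than {baseline}")
    return findings


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE_LEFT_ON
    problems = audit_logging_config(content)
    print("\n".join(problems) or "tracing is at or below the baseline")
    sys.exit(1 if problems else 0)
```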
Trace files of the Windows-based Integration Server and Integration Server Console
Information about the operation of the Windows-based Integration Server and Integration Server Console can be logged in the following trace files:
- %ProgramData%\Kaspersky Lab\VIISLA\logs\viisla_service_loader.log – trace file for startup of the Windows-based Integration Server. The file does not contain personal data.
- %ProgramData%\Kaspersky Lab\VIISLA\logs\service.log – Windows-based Integration Server trace file.
- %ProgramData%\Kaspersky Lab\VIISLA Console\logs\console.log – Integration Server Console trace file.
- %ProgramData%\Kaspersky Lab\VIISLA\logs\SvmManagement\sm_<file creation date>.log – trace file for the deployment, reconfiguration, and removal of SVMs using the REST API of the Windows-based Integration Server.
By default, trace files are created with the Error level of detail. You can use the following configuration files to enable and disable logging of information to the trace files of the Integration Server and Integration Server Console, and change the level of detail of information in the trace files:
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\appsettings.logging.json – for the Integration Server trace file and the trace file for the deployment, reconfiguration, and removal of SVMs.
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA Console\NLog.config – for the Integration Server Console trace file.
Contact Technical Support representatives for details.
Trace files are moved to the archive folder (%ProgramData%\Kaspersky Lab\VIISLA\logs\archives). Integration Server trace files are moved to the archive when the file size reaches 50 MB. Trace files of deployment, reconfiguration, and deletion procedures are archived daily. The archive contains up to 20 Integration Server trace files and up to 10 trace files for SVM deployment, reconfiguration, and deletion procedures. When this number is reached, older files are deleted.
Access to the folder where trace files are saved is restricted by using an ACL. Administrator rights are required to access this folder.
If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.
Contents of trace files
The following information may be saved in the Integration Server trace file:
- Diagnostic information about the operation of the Integration Server, its workload, and the results of a data integrity check.
- Headers and contents of HTTP requests that are sent and received by the Integration Server during its operation.
- IP addresses of SVMs and protected virtual machines, and the IP address of the device hosting the Kaspersky Security Center Administration Console if the Kaspersky Security Center Administration Console is installed separately from the Kaspersky Security Center Administration Server.
- Tracing of requests to the Integration Server.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
- Names of internal Integration Server accounts.
- Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
- IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
- If Kaspersky Security is used in multitenancy mode:
- Names and identifiers of the tenants registered in the Integration Server database.
- Account names of Kaspersky Security Center virtual Administration Servers administrators.
- Identifiers and IP addresses of the tenant virtual machines.
The following information may be saved in the Integration Server Console trace file:
- Diagnostic information about the operation of the Integration Server Console.
- Tracing of command line parameters and results of checking them.
- Headers and contents of HTTP requests that are sent and received by the Integration Server Console during its operation.
- Information about navigations through sections of the Integration Server Console and working with interface elements.
- IP address of the Kaspersky Security Center Administration Server.
- Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
- Names of internal Integration Server accounts.
- Names of accounts that are used to connect the Integration Server to virtual infrastructure objects.
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
- IP addresses or fully qualified domain names (FQDN) of the Keystone microservice or other cloud infrastructure microservices to which the Integration Server connects.
- If Kaspersky Security is used in multitenancy mode, the names of tenants registered in the Integration Server database are listed.
You can use Integration Server trace files and Integration Server Console trace files when contacting the Technical Support. The information recorded in trace files may be needed for analysis and identification of the causes of errors in the operation of the Integration Server.
Integration Server trace files and Integration Server Console trace files are not automatically sent to Kaspersky.
Trace files of the tool for managing Integration Server and SVM certificates
Information about the operation of the utility for managing Integration Server and SVM certificates can be logged in trace files. Depending on the operating system of the device on which the utility is running, the files are located at one of the following paths:
- /var/log/kaspersky/viis/ – on devices with Linux operating systems
- %ProgramData%\Kaspersky Lab\VIISLA\logs – on devices with Windows operating systems
By default, logging of information to trace files is disabled.
You can enable or disable logging of information to the trace files of the certificate management utility, and configure trace settings in the certificate management utility configuration file appsettings.certificate_manager.json. Depending on the operating system of the device on which the utility is running, the file is located at one of the following paths:
- /var/opt/kaspersky/viis/common/ – on devices with Linux operating systems
- %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIISLA\ – on devices with Windows operating systems
Trace files of the certificate management tool may contain the following information:
- Lines used to invoke the tool, including parameters and arguments, except passwords.
- Tool output lines containing requests to the user.
- Information about the progress of command execution, including information about errors.
Trace files of the certificate management tool do not contain personal information.
Trace files are moved to the archive when the file size reaches 5 MB. Up to 10 files are stored in the archive folder. Once this number is reached, older files are deleted. Depending on the operating system of the device on which the utility is running, the archive is located at one of the following paths:
- /var/log/kaspersky/viis/archives/ – on devices with Linux operating systems
- %ProgramData%\Kaspersky Lab\VIISLA\logs\archives – on devices with Windows operating systems
Access to the folder where the trace files are stored is restricted. On Linux operating systems, only accounts that are in the sudoers group have access to the directory. On Windows operating systems, administrator rights are required to access the folder.
If you change the default folder for storing trace files, Kaspersky Security does not control access to trace files. It is recommended to protect the information from unauthorized access.
Trace files are not sent to Kaspersky automatically.
Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins
Trace files of SVMs, Light Agents and Kaspersky Security management plug-ins may contain the following data:
- Event time
- Number of the thread of execution
- Name of the Kaspersky Security component that caused the event
- Degree of event importance (informational event, warning, critical event, error)
- Description of the event involving execution of a command received from the Kaspersky Security component, and the result of execution of this command
For more information about trace files of Light Agent for Linux and Light Agent for Windows, see the Help of the application used in Light Agent mode.
SVM trace files
During SVM operation, the following trace files may be created on an SVM:
- Protection Server trace file (ScanServer.log). The name of the file contains the file creation date and time. In addition to general data, this file may contain the following information:
- Personal data, including the last name, first name and middle name, if such data is included in the path to files on protected virtual machines.
- The name of the account used to log in to the operating system if the user account name is part of a file name.
- Your email address or web address containing the name of your account and password if they are contained in the name of the detected object.
- Settings for connecting SVMs to the Integration Server.
- Information about connecting Light Agents to SVM: unique SVM identifier, unique identifier and information about the operating system of the virtual machine, on which Light Agent is installed, time intervals during which the Light Agent was connected to the SVM.
- boot_config.log trace file. This file records the results of executing commands of the SVM first startup script.
- wdserver.log trace file. This file records information about events that occur during operation of the watchdog service (wdserver). The file contains general data.
- SnmpTool.log trace file. This file records information about events that occur during operation of the SNMP service (SnmpTool). The file contains general data.
- Trace file of the Kaspersky Security Center Network Agent. This file records information about events occurring during operation of the Kaspersky Security Center connectivity module. The file contains general data.
boot_config.log and wdserver.log trace files are created automatically.
You can create the ScanServer.log and SnmpTool.log trace files using the ScanServer.conf and SnmpTool.conf configuration files, which are located in the /etc/opt/kaspersky/la/ directory on the SVM. A special script is used to create a Network Agent trace file.
For detailed information on how to create and configure trace files, please contact our Technical Support experts.
All created SVM trace files are located in the /var/log/kaspersky/la/ directory.
The ScanServer.log trace file can also be created in the Protection Server policy. To do this, you need to:
- Enable the display of additional settings in the Protection Server policy. By default, additional settings are not displayed.
- Configure the trace level in the Advanced settings section of the policy and apply the change.
You are advised to clarify the required trace level with a Technical Support specialist.
SVM trace files are stored in readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
SVM trace files are not automatically sent to Kaspersky. Trace files are automatically deleted when uninstalling Kaspersky Security.
Trace files of management plug-ins
Trace files of web plug-ins
If you use the Kaspersky Security Center Web Console to manage Kaspersky Security solution components, information about events that occur during operation of the management web plug-ins may be written to the trace files of the web plug-ins.
Web plug-in trace files are created automatically if logging to the Kaspersky Security Center Web Console activity log was enabled during installation of Kaspersky Security Center Web Console. For more information, see the Kaspersky Security Center Help.
Web plug-in trace files are saved in the Kaspersky Security Center Web Console installation folder in the logs subfolder:
- /var/opt/kaspersky/ksc-web-console/logs – on devices with Linux operating systems
- %ProgramFiles%\Kaspersky Lab\Kaspersky Security Center Web Console\logs – on devices with Windows operating systems
The following information may be stored in the Integration Server web plug-in trace file:
- Diagnostic information about the operation of the Integration Server Web Console.
- IP address of the Kaspersky Security Center Administration Server.
- Port numbers for interaction with the Kaspersky Security Center Administration Server through the Kaspersky Security Center Network Agent.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
- Names of internal Integration Server accounts.
- IP addresses or fully qualified domain names (FQDN) of hypervisors or virtual infrastructure administration servers to which the Integration Server connects.
- IP addresses, versions, and names of SVMs deployed on hypervisors.
The following information may be stored in the Protection Server web plug-in trace file:
- Diagnostic information about the operation of the Protection Server web plug-in.
- Description of exclusions and errors that occurred when working with internal subsystems and external services.
Trace files of MMC plug-ins
If you use the Kaspersky Security Center Administration Console to manage Kaspersky Security solution components, information about events that occur during operation of the management MMC plug-ins may be written to the following files on the device where the Kaspersky Security Center Administration Server is installed:
- Trace file of the MMC plug-in for managing the Protection Server. The file name is specified by the user, and the user name and process ID (PID) are added to the specified name. This file contains information about the events that occur during the plug-in operation, in particular, about the operation of the Protection Server policy and tasks.
- Trace files for management MMC plug-ins for Light Agent for Linux and Light Agent for Windows (applications running in Light Agent mode). The file names contain the application version number, the date and time the file was created, and the process identifier (PID). This file records information about events that occur during operation of the plug-in, in particular, about the operation of tasks and the Light Agent policy.
In addition to general data, MMC plug-in trace files may contain the following information:
- Personal data, including the last name, first name, and middle name, if such data is part of the path to files.
- The name of the account used to log in to the operating system if the user account name is part of a file name.
By default, trace files of Kaspersky Security MMC plug-ins are not created. You can create all trace files of the MMC plug-ins by using the registry keys. Contact Technical Support representatives for detailed information on how to create trace files.
All created MMC plug-in trace files are located in the %ProgramData%\Kaspersky Lab\Plugins\ folder.
The trace files of the management plug-ins are saved in a human-readable format. It is recommended that you ensure that information is protected against unauthorized access before it is sent to Kaspersky.
The trace files of the management plug-ins are not sent to Kaspersky automatically. Trace files are automatically deleted when Kaspersky Security is uninstalled.
SVM Management Wizard log
During SVM deployment and reconfiguration, the SVM Management Wizard logs all information that you specify at every step of the wizard in the wizard log.
You can use the wizard log when contacting Technical Support if SVM deployment or reconfiguration has ended with an error. Information recorded in the wizard log is not sent to Kaspersky automatically.
The SVM Management Wizard log is saved on the device where the wizard was launched, in the file %LOCALAPPDATA%\Kaspersky Lab\Kaspersky VIISLA Console\logs\KasperskyDeployWizard_<file creation date and time>.log and does not contain account passwords. A new log file is created each time the wizard starts.
During SVM deployment, the following information is saved in the wizard log:
- Selected action (SVM deployment).
- Type of the virtual infrastructure object, to which SVM Management Wizard connects.
- Address of the virtual infrastructure object, to which SVM Management Wizard connects.
- When deployed in a virtual infrastructure based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux, or Numa vServer:
- The version of the hypervisor or virtual infrastructure administration server.
- The name of the hypervisor and the version of the operating system installed on the hypervisor, and the number of virtual machines on the hypervisor.
- When deploying in an infrastructure based on the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform: the name and ID of the domain and OpenStack project within which the SVM is deployed.
- Name of the account used to connect the SVM Management Wizard to the virtual infrastructure.
- Name of the account used to connect the Integration Server to the virtual infrastructure.
- SVM image version.
- Versions of previously deployed SVMs.
- Status of the publisher of the SVM image.
- SVM image path and SVM image data.
- SVM image validation status.
- For deployments on the VMware vSphere platform:
- A list of all VMware ESXi hypervisors managed by a single VMware vCenter Server, their state, the protection status and privileges of the account used to connect to the VMware vCenter Server.
- A list of VMware ESXi hypervisors that were selected for SVM deployment, and their versions.
- When deploying on the Microsoft Hyper-V platform, the OpenStack platform, VK Cloud platform or the TIONIX Cloud Platform:
- Whether or not parallel deployment of several SVMs is enabled, as well as number of parallel sessions.
- VLAN ID.
- Settings for the SVM being deployed that you specified.
- Settings to connect the SVM to the Kaspersky Security Center Administration Server (IP address, port, SSL port).
- Whether the root account is allowed to gain access to the SVM using SSH.
- For deployments on the Microsoft Hyper-V platform: type of the Integration Server authentication on the hypervisor (local / domain).
- SVM IP settings (IP address, IP address of default network gateway, IP address of main and alternative DNS servers, subnet mask).
During SVM reconfiguration, the following information is saved in the wizard log:
- Selected action (SVM reconfiguration)
- Depending on the type of virtual infrastructure:
- IP addresses or fully qualified domain names (FQDN) of hypervisors on which SVMs are being reconfigured
- Names of OpenStack domains and projects, within which the SVMs being reconfigured operate
- IP addresses or full domain names of SVMs being reconfigured
- Information on whether or not the reconfiguration will change the following:
- Settings of accounts for connecting to the SVM (configuration password, root account password, ability to connect to the SVM using the root account over SSH)
- List of virtual networks used by the SVM
- SVM IP settings (IP address, IP address of the default network gateway, IP address of the main and alternative DNS servers, subnet mask)
Using the utilities and scripts from the Kaspersky Security distribution kit
To analyze the cause of errors in the operation of Kaspersky Security, Technical Support experts may ask you to use the following tools included in the Kaspersky Security distribution kit:
- ai_config is the tool for converting the SVM settings from the configuration database format to a text file and back.
- cleanUpdateShare.sh is the script for removing the old Light Agent bases from the SVM.
- configure.sh is the script for managing the SVM, viewing settings, and reconfiguration of the SVM. It is used by the SVM Management Wizard to reconfigure the SVM using the klconfig account.
- dump_ods_scan_queue and dump_ods_scan_queue.sh are the tools for viewing the current scan tasks queue.
- eventlog_client and eventlog_client.sh are the tools for generating the events to be sent to Kaspersky Security Center.
- firewall.sh is the script for opening up the ports to connect to Network Agent.
- first_boot.sh is the script for SVM reconfiguration on the first boot of the SVM.
- get_used_mem.sh is the script for showing memory usage statistics.
- kvp_read is the tool for viewing shared data of a hypervisor from the Hyper-V KVP Exchange storage.
- la-kvm-guest is the init.d script for managing the KVM guest service.
- la-scanserver is the init.d script for managing the scanserver service.
- managenet.sh is the script for managing the network interfaces.
- on_product_install.sh is the script that lets you set a one-time SVM configuration during the SVM deployment.
- sfw is the tool for managing the netfilter firewall of the Linux operating system.
- show_inventory and show_inventory.sh are the tools for viewing information about the virtual infrastructure inventory received by the Protection Server from the Integration Server.
- show_virt_info and show_virt_info.sh are the tools for viewing the virtual machine information (for example BIOS version or hypervisor information).
- snmp.sh is the script for enabling or disabling the SNMP monitoring on the SVM.
- storage_util is the tool for managing the storage of the data used for Kaspersky Security database updates.
- patch_detector.pl is the script that searches the specified folder for an application module update and runs the KSV Patch Installer to install it.
- patch_installer.pl is the script for installing the Kaspersky Security module update from the tar.gz file.
- patch_list.pl is the script for generating the list of Kaspersky Security module updates installed on the SVM in XML format.
- patch_rollback.pl is the script for rolling back the latest Kaspersky Security module update installed.
Appendices
This section provides information that complements the primary text of the document.
Using the klconfig script API to define SVM configuration settings
The main resource for deploying and configuring an SVM is the SVM Management Wizard, which you can run from the Integration Server Console.
You can also perform initial configuration of new SVMs and change the configuration settings of previously deployed SVMs using the klconfig script API manually or by means of automation tools.
If the SVM Management Wizard is not used, the SVM deployment procedure consists of the following stages (the sequence and number of stages depends on the type of virtual infrastructure):
- SVM deployment using virtual infrastructure tools from the image included in the Kaspersky Security distribution kit, and configuration of SVM system resources.
- Configuring an SVM first startup script. To configure certain SVM configuration settings, you can use a script that is started when the SVM is started for the first time.
- Starting the SVM. At this step, the SVM receives an IP address.
- Assigning SVM configuration settings and checking the success of SVM deployment using configuration commands.
You can also use configuration commands to change the configuration settings of previously deployed SVMs.
Executing configuration commands
Configuration commands are executed over SSH using the klconfig account.
To execute a command, enter the following into the command line:
ssh klconfig@<SVM address> <command>
where:
- <SVM address> – IP address of the SVM or localhost if the command is run on an SVM.
- <command> – command, with parameters (if necessary).
Each command requires entry of the klconfig account password (configuration password) if you have not configured authorization by SSH key for accessing the SVM without a password (the setsshkey command).
Certain commands require additional interactive entry of data. For example, the passwd command requires entry of a new user password.
Each command displays the result of its execution in the following format:
- KLCONFIG OK – if the command was executed successfully.
- KLCONFIG FAILED – if an error occurred during execution of the command.
Certain commands may provide additional information about an error in the following format:
ERROR:<NNNN error description>
where <NNNN error description> is the numeric error code and text description. Some errors may not contain a numeric code.
For example, executing the connectorlang command without parameters for an SVM with the IP address 10.16.98.17 returns an error message and a message about how to use the command (the lang parameter is required):
> ssh klconfig@10.16.98.17 connectorlang
> klconfig@10.16.98.17’s password:
Usage: connectorlang lang
KLCONFIG FAILED
Result of execution of the same command with the correct parameters:
> ssh klconfig@10.16.98.17 connectorlang en
> klconfig@10.16.98.17’s password:
KLCONFIG OK
The result of execution of each command is written to the file results.log located in the folder /var/opt/kaspersky/klconfig/.
Using the SVM first startup script
An SVM supports the use of a first startup script to run configuration commands. It is recommended to use an SVM first startup script to perform the following tasks:
- Configure the network settings of SVMs when using static IP addressing. You can use the following commands: network, dns, manageservices (to restart the network service).
- Configure authorization by SSH key for accessing an SVM without the klconfig account password (configuration password). The setsshkey command is provided for this purpose.
It is not recommended to use a long list of commands because the first startup script is intended for performing a minimal set of commands.
Commands using the standard input stream, for example, passwd, should not be sent to the first startup script. Sending such a command makes the SVM unable to start.
To send commands to the first startup script, you need to specify them in the following format:
KL_CMD1="<command 1>" KL_CMD2="<command 2>" … KL_CMDn="<command N>"
where <command> is the name of the command, with parameters (if necessary).
For example, the following sequence of commands lets you configure SVM network settings when using static IP addressing:
KL_CMD1="network eth0 10.65.78.35 255.255.255.0 10.65.78.255 10.65.78.1" KL_CMD2="manageservices restart network"
While the first startup script is being run, commands are numbered and executed in the order in which they were sent to the first startup script.
After the script is executed, the file named boot_config.log containing the script execution results is created in the folder /var/log/kaspersky/la/.
You can use the following special commands when creating a first startup script:
- RESET – delete the boot_config_done file (an indicator that the first startup script has already been executed). As a result, all commands sent to the first startup script will also be executed the next time the SVM is started.
- ALWAYS – execute the commands following this command even if the SVM first startup script has already been executed (the boot_config_done file is present).
- REPORT – write information about the command execution results to a file.
For example:
KL_CMD1="ALWAYS" KL_CMD2="network eth0 10.65.78.35 255.255.255.0 10.65.78.255 10.65.78.1"
The mechanism used to send commands to the first startup script depends on the type of hypervisor:
- XenServer hypervisor: first startup commands can be added to the kernel command line in the following format:
KL_CMD1="…" KL_CMD2="…"
- Microsoft Windows Server (Hyper-V) hypervisor: uses a system of exchanging key-value pairs (for details, please refer to the Microsoft documentation).
- VMware ESXi hypervisor: first startup commands can be conveyed in one of the following ways:
- In a VMX configuration file
- In the VMware vSphere Web Client Console: Edit Settings / Options / Advanced / General / Configuration Parameters
- Using the vmware-cmd setguestinfo command
First startup commands must be specified in the following format:
guestinfo.klfirstboot.cmd1
guestinfo.klfirstboot.cmd2
- KVM hypervisor: commands may be inserted into the file /opt/kaspersky/la/bin/kvm_first_boot_args in string format:
KL_CMD1="…" KL_CMD2="…"
- Proxmox VE hypervisor: commands may be inserted into the file /var/opt/kaspersky/la/patches/default_patch_index/bin/kvm_first_boot_args in the following format:
KL_CMD0=%command1%
KL_CMD1=%command2%
- R-Virtualization hypervisor: uses the QEMU guest agent utility that lets you execute commands under the root account:
POST /api/0/vm/%vm_id%/execute
In the request body:
command_with_args=[ "bash", "-c", "%command%" ]
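The following added example (not part of the Kaspersky distribution kit) reviews and builds a first startup command line in the KL_CMD1="…" KL_CMD2="…" string format, rejecting commands that read standard input and flagging the asynchronous network service type. It does not cover the Proxmox VE %command% format or the guestinfo keys; the function names are hypothetical, and the treatment of duplicate KL_CMD numbers as an error is an assumption.

```python
import re

# Commands that read standard input. The page names only passwd and warns that
# sending such a command to the first startup script leaves the SVM unable to start.
STDIN_COMMANDS = {"passwd"}

_PAIR_RE = re.compile(r'KL_CMD(\d+)="([^"]*)"')

# Static IP addressing example taken from the page.
PAGE_EXAMPLE = (
    'KL_CMD1="network eth0 10.65.78.35 255.255.255.0 10.65.78.255 10.65.78.1" '
    'KL_CMD2="manageservices restart network"'
)


def parse_first_boot_line(line):
    """Return the commands of an existing KL_CMDn="..." line in numeric order."""
    pairs = [(int(n), cmd.strip()) for n, cmd in _PAIR_RE.findall(line)]
    if not pairs:
        raise ValueError("no KL_CMDn entries found")
    numbers = [n for n, _ in pairs]
    if len(set(numbers)) != len(numbers):
        # Assumption: a repeated number is a mistake rather than an override.
        raise ValueError("duplicate KL_CMD number")
    return [cmd for _, cmd in sorted(pairs)]


def review_first_boot(commands):
    """Return (position, severity, message) findings for an ordered command list."""
    findings = []
    for pos, cmd in enumerate(commands, start=1):
        words = cmd.split()
        if not words:
            findings.append((pos, "error", "empty command"))
            continue
        if '"' in cmd or "\n" in cmd:
            findings.append(
                (pos, "error", 'double quote or newline breaks the KL_CMDn="..." quoting')
            )
        if words[0] in STDIN_COMMANDS:
            findings.append(
                (pos, "error", f"{words[0]} reads standard input; the SVM may fail to start")
            )
        # manageservices <Action> <ServiceType1> [<ServiceType2>] [<ServiceType3>]
        if words[0] == "manageservices" and "network" in words[2:]:
            findings.append(
                (pos, "advice",
                 "the network service type is applied asynchronously; network_local "
                 "is the type recommended for the first startup script")
            )
    return findings


def build_first_boot_line(commands):
    """Build the KL_CMD1="..." KL_CMD2="..." string, refusing lists with errors."""
    if not commands:
        raise ValueError("at least one command is required")
    errors = [f for f in review_first_boot(commands) if f[1] == "error"]
    if errors:
        raise ValueError("; ".join(f"KL_CMD{pos}: {msg}" for pos, _, msg in errors))
    return " ".join(
        f'KL_CMD{n}="{cmd.strip()}"' for n, cmd in enumerate(commands, start=1)
    )


if __name__ == "__main__":
    cmds = parse_first_boot_line(PAGE_EXAMPLE)
    for finding in review_first_boot(cmds):
        print(finding)
    print(build_first_boot_line(cmds))
```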
Configuring SVM configuration settings
Initial configuration of an SVM using configuration commands consists of the following steps:
- Modify the SVM name (the hostname command).
- For each network interface of the SVM:
- Configure DNS settings if static IP addressing is used (the dns command).
- Configure the settings for connecting the SVM to Kaspersky Security Center Administration Server: address and ports (the nagent command).
- Initial configuration of the Protection Server (the productinstall command).
- Accept Kaspersky Security End User License Agreement and the Privacy Policy (the accept_eula_and_privacypolicy command or the accept_eula_and_privacypolicy setting in the ScanServer.conf configuration file). You must accept the terms of the End User License Agreement and the Privacy Policy for the proper SVM operation.
- Start the Protection Server (the manageservices start scanserver command).
In addition, you can configure the following SVM configuration settings:
- Select the language of Kaspersky Security Center Network Agent Connector (the connectorlang command).
- Change the configuration password and root account password that were defined by default (the passwd klconfig and passwd root commands).
- Allow or deny access to the SVM over SSH under the root account.
After initial configuration of the SVM is completed, it is recommended to make sure that the SVM is deployed and configured successfully. To do so, you can use the checkconfig command.
accept_eula_and_privacypolicy
This command allows you to accept or decline the terms of Kaspersky Security End User License Agreement between you and Kaspersky and the Privacy Policy that describes processing and transmission of data.
You must accept the terms of the End User License Agreement and the Privacy Policy to install Protection Server. The text of the End User License Agreement and Privacy Policy is included in the Kaspersky Security distribution kit.
Settings
<acceptFlag> = yes|no – possible values:
- yes – accept the terms of the End User License Agreement and the Privacy Policy.
- no – do not accept the terms of the End User License Agreement and the Privacy Policy.
By setting this parameter to yes, you confirm the following:
- You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
- You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.
Specific errors
None.
apiversion
This command displays the current version of the klconfig script API.
Settings
None.
Specific errors
None.
checkconfig
This command lets you check if the configuration of one or multiple Kaspersky Security components is correct.
Settings
findsvm hv_connect network routing sc_connect
where:
- findsvm – check for the SVM in the list of virtual infrastructure objects (Inventory).
- hv_connect – check the connection between the SVM and the Integration Server and check for a list of virtual infrastructure objects (Inventory).
- network – check the network configuration.
- permitrootlogin – check whether the root account is allowed to gain access to the SVM over SSH.
- routing – check network routing.
- sc_connect – check the connection to Kaspersky Security Center.
You can specify one or multiple parameters.
Specific errors
The command always returns KLCONFIG, even if an error was detected. For this reason, it is recommended to always pay attention to errors when analyzing the output.
0001 Hostname is not set or contains invalid data. The domain name of the SVM is not set or contains an invalid value, for example, LightAgentSVM, localhost or localdomain. Use the hostname command to define the domain name of the SVM.
0002 Could not get hostname FQDN. Failed to receive the fully qualified domain name (FQDN) of the SVM. Check the SVM name and DNS settings.
0003 Could not find the host interface IP address. The IP address of the network interface eth0 is not found or is not configured.
0004 Host interface IP address <host IP> does not match DNS <DNS IP of hostname>. The IP address associated with the primary network interface does not match the IP address returned for the domain name of the SVM in the DNS PTR entry.
0010 Could not find the default route. A default network route is not configured.
0011 Cannot ping the default route address. Failed to verify the default network route using the ping command. Check the network settings.
0030 Inventory is not valid. The list of virtual infrastructure objects (Inventory) is empty or contains invalid values. Make sure that the SVM has received a policy with the correct Integration Server address. Use the checkconfig sc_connect command to make sure that the SVM is connected to Kaspersky Security Center.
0060 Could not get the UUID of the SVM. Failed to receive a unique ID (BIOS ID) for the SVM.
0061 Could not find our self in the inventory. Failed to detect the unique ID of the SVM in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.
0062 Could not find host in inventory path. Failed to detect information about the hypervisor on which an SVM is deployed in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.
0070 klnagchk reported failure. The klnagchk command returned an error. Analyze the additional error messages.
0071 Could not verify klnagent settings. Cannot verify the settings of the Kaspersky Security Center Network Agent. Kaspersky Security Center Network Agent is not configured or is configured incorrectly.
0072 Could not connect to the Kaspersky Security Center Server. Kaspersky Security Center Network Agent cannot connect to the Kaspersky Security Center Administration Server. Check the settings of Kaspersky Security Center Network Agent and make sure that the network is configured correctly.
0073 Could not connect to the klnagent administration agent. Failed to connect to Kaspersky Security Center Network Agent. Possibly, Kaspersky Security Center Network Agent is not running on the SVM.
0074 Could not get the klnagent administration agent statistics. Kaspersky Security Center Network Agent cannot obtain Administration Server statistics. Kaspersky Security Center Network Agent on the SVM is operating incorrectly.
0100 Could not look up <address> in DNS. The domain name or IP address is not found. Check the DNS settings.
0101 Look up of <address> returned no DNS data. The DNS search returned no data. The DNS server responded, but the relevant types of entries were not detected.
0110 Host to IP to host is not equal in DNS. An error occurs when a DNS check is looped: a search is run for the IP address based on the domain name, and then a search for the domain name based on this IP address returns a name that is different from the original name.
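The result format described under "Executing configuration commands" and the checkconfig behavior described above both call for parsing the ERROR lines instead of trusting the closing status line; the following added example (not Kaspersky code) does that for captured output. It assumes that ERROR lines appear as ERROR:NNNN description without literal angle brackets, that the closing line of checkconfig is KLCONFIG OK, and that SSH key authorization (setsshkey) is configured for the hypothetical run_klconfig helper; the sample outputs are constructed.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

_STATUS_RE = re.compile(r"^KLCONFIG (OK|FAILED)$")
# "ERROR:<NNNN error description>"; the numeric code is optional.
_ERROR_RE = re.compile(r"^ERROR:\s*(?:(\d{4})\s+)?(.+)$")
# Conservative address pattern so that a value beginning with "-" can never
# reach ssh as an option.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]*$")

# Constructed sample: the usage failure shown on the page.
SAMPLE_USAGE_FAILURE = "Usage: connectorlang lang\nKLCONFIG FAILED\n"
# Constructed sample: checkconfig output with two failed checks, using error
# codes from the list above and an assumed closing status of KLCONFIG OK.
SAMPLE_CHECKCONFIG = (
    "ERROR:0010 Could not find the default route\n"
    "ERROR:0100 Could not look up svm.example.test in DNS\n"
    "KLCONFIG OK\n"
)


@dataclass
class KlconfigResult:
    status: Optional[str] = None  # "OK", "FAILED", or None if no status line was seen
    errors: List[Tuple[Optional[str], str]] = field(default_factory=list)
    output: List[str] = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        # A status of OK is not enough: checkconfig reports failed checks
        # only through ERROR lines.
        return self.status == "OK" and not self.errors


def parse_klconfig_output(text: str) -> KlconfigResult:
    """Split klconfig output into status, (code, description) errors and other lines."""
    result = KlconfigResult()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        status = _STATUS_RE.match(line)
        if status:
            result.status = status.group(1)
            continue
        error = _ERROR_RE.match(line)
        if error:
            result.errors.append((error.group(1), error.group(2)))
            continue
        result.output.append(line)
    return result


def run_klconfig(host: str, command: List[str], timeout: int = 60) -> KlconfigResult:
    """Run one configuration command over SSH and parse its output."""
    if not _HOST_RE.match(host):
        raise ValueError(f"refusing suspicious SVM address: {host!r}")
    proc = subprocess.run(
        # BatchMode makes ssh fail instead of prompting for the configuration password.
        ["ssh", "-o", "BatchMode=yes", f"klconfig@{host}", *command],
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,  # the page does not say which stream carries ERROR lines
        text=True,
        timeout=timeout,
    )
    return parse_klconfig_output(proc.stdout)


if __name__ == "__main__":
    for name, sample in (("usage", SAMPLE_USAGE_FAILURE), ("checkconfig", SAMPLE_CHECKCONFIG)):
        parsed = parse_klconfig_output(sample)
        print(name, parsed.status, parsed.succeeded, parsed.errors)
```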
connectorlang
This command lets you define the language of Kaspersky Security Center Network Agent Connector in the configuration file /etc/opt/kaspersky/la/ScanServer.conf. The Connector language affects the language of the events and errors sent to Kaspersky Security Center.
The new settings are applied after the Protection Server is restarted.
Settings
<lang> – language ID. Possible values:
- de – German.
- en – English.
- fr – French.
- ja – Japanese.
- ru – Russian.
- zh-Hans – Chinese (Simplified).
- zh-Hant – Chinese (Traditional).
Specific errors
None.
dhcp
This command lets you configure the use of DHCP for the network interface of the SVM.
The new settings are applied after the file /etc/resolv.conf is overwritten as a result of a restart of the SVM or network service (the manageservices restart network command).
If you want to change the IP address assignment method for SVMs using static IP addressing to the use of DHCP, sequentially execute the dns and dnssearch commands without parameters after the dhcp command. This lets you delete the previously configured list of DNS servers and search domains in the file /etc/resolv.conf.
If you want to add a DNS server or search domain to the list of DNS servers and search domains received over the DHCP protocol when using dynamic IP addressing, first restart the SVM or restart the network service (the manageservices restart network command). This lets you overwrite the file /etc/resolv.conf. Then execute the dns and dnssearch commands with the necessary parameters.
Settings
<InterfaceName> [<MakePrimary>]
where:
- <InterfaceName> – name of the network interface. For example, eth0.
- <MakePrimary> = yes|no – indicator of whether it is the primary network interface (optional parameter). Possible values:
- yes – network interface is primary.
- no – network interface is not primary.
The primary network interface sets the default route and DNS servers (DEFROUTE = yes, PEERDNS = yes). Only one network interface from those utilized by an SVM may be primary. If the "primary" indicator is assigned to multiple network interfaces, the last one of them becomes the primary network interface.
Specific errors
None.
dhcprenew
This command lets you renew and continue the lease of an IP address for the network interface on the DHCP server.
Depending on the specifics of the virtual infrastructure in which the SVM is running, command execution may result in modification of the IP address and termination of network connections.
You can use this command to let the DHCP server accept the new name of the SVM.
Settings
<InterfaceName> – name of the network interface of the SVM. For example, eth0.
Specific errors
0140 Failed to release dhcp. Failed to release the IP address for the specified network interface on the DHCP server.
0141 Failed to request a new lease. Failed to receive a new IP address lease for the specified network interface on the DHCP server.
dns
This command lets you define a list of DNS servers that will be used in the specified order in the file /etc/resolv.conf. The previously configured list of DNS servers is deleted.
If you are also planning to configure the use of DHCP (the dhcp command), execute the dns command after the dhcp command is executed and after the SVM is restarted or the network service is restarted (the manageservices restart network command).
As a result of execution of the dns command, the list of search domains in the file /etc/resolv.conf is deleted. If you are planning to configure a list of search domains, execute the dnssearch command after the dns command.
Settings
[<Server1>] [<Server2>] [<Server3>]
where <Server> is the IP address of the DNS server (optional parameter). You can specify up to three IP addresses.
If the command is executed without parameters (no address is specified), all nameserver entries in the file /etc/resolv.conf are deleted.
Specific errors
None.
dnslookup
This command lets you receive an IP address from the DNS server based on the domain name, or vice versa (analogous to the host command in Linux). The command returns only the first entry.
You can also use this command to verify that DNS is operating correctly.
Settings
<HostNameOrIpAddress> – domain name or IP address.
Specific errors
None.
dnssearch
This command lets you define a list of search domains that are used to determine domain names for name resolution in the file /etc/resolv.conf. The previously configured list of search domains is deleted.
If you are also planning to configure a list of DNS servers (the dns command), execute the dnssearch command after the dns command because the dns command will cause the list of search domains in the file /etc/resolv.conf to be deleted.
Settings
[<Domain1>] [<Domain2>] [<Domain3>]
where:
<Domain> – name of the search domain (optional parameter). You can specify up to three domains.
If the command is executed without parameters (no domain is specified), all search entries in the file /etc/resolv.conf are deleted.
Specific errors
None.
dnsshow
This command lets you view information about DNS settings from the file /etc/resolv.conf.
The command returns all entries in one string, separated by a space. If an empty string is returned, the DNS settings are not configured.
Settings
<InfoKind> = nameservers|search – type of information that you want to view. Possible values:
- nameservers – display the list of DNS servers.
- search – display the list of search domains.
Specific errors
None.
getdnshostname
The command returns the domain name corresponding to the IP address of the primary network interface.
Settings
None.
Specific errors
0100 Could not look up <IP> in DNS. Failed to find the IP address. Check the DNS settings.
gethypervisordetails
This command lets you receive information about the SVM path. One of the following values is returned depending on the type of the virtual infrastructure:
- For virtual infrastructures based on Microsoft Hyper-V, XenServer, VMware vSphere, KVM, Proxmox VE, Basis, Skala-R, HUAWEI FusionSphere, Nutanix Acropolis, Alt Virtualization Server, Astra Linux or Numa vServer – the IP address or fully qualified domain name (FQDN) of the hypervisor on which the SVM is deployed.
- For virtual infrastructures running on the OpenStack platform, VK Cloud platform, or TIONIX Cloud Platform – IP address or fully qualified domain name (FQDN) of the Keystone microservice that manages the OpenStack project within which the SVM is deployed.
Information is available only after the SVM is connected to the Integration Server whose connection settings are specified in the Protection Server policy applied on the SVM.
Settings
address or all – return name or address of the hypervisor, on which the SVM is running, or name or address of the Keystone microservice that manages the OpenStack project, within which the SVM is deployed.
Specific errors
0060 Could not get the UUID of the SVM. Failed to receive the unique ID of the SVM (BIOS ID).
0061 Could not find our self in the inventory. The unique ID of the SVM is not found in the list of virtual infrastructure objects (Inventory). Check the Integration Server settings.
0062 Could not find host in inventory path. The list of virtual infrastructure objects (Inventory) does not contain information about the hypervisor on which the SVM is running, or about the Keystone microservice that manages the OpenStack project, within which the SVM is deployed. Check the Integration Server settings.
hostname
This command lets you define the domain name of the SVM and make sure that the IP address and domain name of the SVM are in the file /etc/hosts.
Settings
<hostname> [<IP>]
where:
- <hostname> – domain name of the SVM.
- [<IP>] – IP address of the SVM (optional parameter).
Specific errors
0120 Invalid hostname characters <characters>. Invalid characters in the SVM name.
0121 Invalid hostname, empty label present. The SVM name contains an empty section.
listpatches
This command lets you generate an XML list of Kaspersky Security application module updates installed on SVMs.
The XML file has the following format:
<?xml version="1.0" encoding="UTF-8"?>
<patches>
<patch>
<id>patchId</id>
<sha_256>checkSum</sha_256>
<status>status</status>
<patch_type>type</patch_type>
<version>productTargetVersion</version>
<description><![CDATA[description]]></description>
<status_changed_date>statusChangedDate</status_changed_date>
dependsOn
</patch>
<patch>
...
</patch>
...
</patches>
where:
- patchId is an identifier of the Kaspersky Security module update.
- checkSum is a hash of the TGZ archive in HEX format.
- status is a module update installation status. Possible values:
  - installed: the module update was successfully installed.
  - failed: an error occurred.
  - rolledback: the module update was rolled back.
- type is a type of module update. Possible values:
  - auto: module update received with the update package from the Kaspersky Security Center Administration Server repository.
  - config: module update resulting from applying a configuration file.
  - custom: a special release of a module update.
- productTargetVersion is a version of the update.
- description is a description of the update.
- statusChangedDate is the date and time of the status change.
- dependsOn is an ID of the module update upon which this specific module update depends (optional parameter).
Settings
None.
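The listpatches format can be checked automatically: the sketch below parses the XML and reports module updates that are not in the installed state or whose sha_256 does not match a locally held list of approved archives. It is an added example, not Kaspersky code; the function names, the APPROVED list and all sample patch IDs, versions, dates and archives are constructed, and only elements shown in the format above are read.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

VALID_STATUSES = {"installed", "failed", "rolledback"}  # values listed on this page
FIELDS = ("id", "sha_256", "status", "patch_type", "version",
          "description", "status_changed_date")
HEX_SHA256 = re.compile(r"[0-9a-fA-F]{64}")


def parse_patches(xml_data):
    """Return one dict per <patch> element of a listpatches document."""
    if isinstance(xml_data, str):
        xml_data = xml_data.encode("utf-8")
    if b"<!DOCTYPE" in xml_data or b"<!ENTITY" in xml_data:
        # The documented format has no DTD, so refuse entity definitions outright.
        raise ValueError("unexpected DTD in listpatches output")
    root = ET.fromstring(xml_data.strip())
    if root.tag != "patches":
        raise ValueError("root element is not <patches>")
    return [{f: (p.findtext(f) or "").strip() for f in FIELDS}
            for p in root.findall("patch")]


def audit_patches(patches, approved):
    """Compare reported patches with `approved` (patch id -> SHA-256 hex).

    Returns a sorted list of (patch_id, finding) tuples; empty means clean.
    """
    findings = []
    for p in patches:
        pid, digest, status = p["id"], p["sha_256"].lower(), p["status"]
        if status not in VALID_STATUSES:
            findings.append((pid, "unknown status %r" % status))
        elif status != "installed":
            findings.append((pid, "status is %s" % status))
        if not HEX_SHA256.fullmatch(digest):
            findings.append((pid, "sha_256 is not 64 hex characters"))
        elif pid not in approved:
            findings.append((pid, "patch is not on the approved list"))
        elif digest != approved[pid].lower():
            findings.append((pid, "sha_256 differs from the approved archive"))
    return sorted(findings)


# --- constructed sample data: IDs, versions, dates and archives are made up ---
ARCHIVE_A = b"constructed stand-in for patch_a.tgz"
ARCHIVE_B = b"constructed stand-in for patch_b.tgz"
APPROVED = {
    "patch_a": hashlib.sha256(ARCHIVE_A).hexdigest(),
    "patch_b": hashlib.sha256(ARCHIVE_B).hexdigest(),
}


def _patch(pid, digest, status):
    return ("<patch><id>%s</id><sha_256>%s</sha_256><status>%s</status>"
            "<patch_type>auto</patch_type><version>0.0.0.0</version>"
            "<description><![CDATA[constructed]]></description>"
            "<status_changed_date>2024-01-01 00:00:00</status_changed_date>"
            "</patch>" % (pid, digest, status))


SAMPLE_XML = ('<?xml version="1.0" encoding="UTF-8"?><patches>'
              + _patch("patch_a", APPROVED["patch_a"], "installed")
              + _patch("patch_b", "0" * 64, "installed")    # hash mismatch
              + _patch("patch_c", "ab" * 32, "rolledback")  # not approved
              + "</patches>")

if __name__ == "__main__":
    for pid, finding in audit_patches(parse_patches(SAMPLE_XML), APPROVED):
        print(pid, "-", finding)
```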
manageservices
This command lets you start, stop, or restart the specified service.
Remotely stopping or restarting the network service may cause the connection to drop or hang. For this reason, two types of network service are provided: network_local and network. For the network_local service, the action is applied immediately (synchronously). It is recommended to use this type of service in the SVM first startup script. For the network service, the action is applied asynchronously (in a separate shell), so the klconfig script can return control. This means that the invoking side must wait no less than 20 seconds before checking the command execution result.
Settings
<Action> <ServiceType1> [<ServiceType2>] [<ServiceType3>]
where:
- <Action> = start|stop|restart – type of action applied. Possible values:
  - start
  - stop
  - restart
- <ServiceType> – type of service. Possible values:
  - klnagent – Kaspersky Security Center Network Agent.
  - network – network service (asynchronous).
  - network_local – network service (synchronous).
  - scanserver – Protection Server.
  - sshd – SSH service.
Specific errors
None.
nagent
This command lets you set the address and ports for connecting an SVM to the Kaspersky Security Center Administration Server.
Settings
<Address> <SslPort> [<Port>]
where:
- <Address> – IP address or fully qualified domain name (FQDN) of the device on which the Kaspersky Security Center Administration Server is installed.
- <SslPort> – Number of the port for connecting an SVM to the Kaspersky Security Center Administration Server using an SSL certificate (13000 is recommended).
- <Port> – Port number for connecting an SVM to the Kaspersky Security Center Administration Server (14000 is recommended) (optional parameter).
Example:
A repeated call of the command may return the following result:
Specific errors
None.
network
This command lets you configure static IP addressing and SVM network settings.
The new settings are applied after the SVM is restarted or the network service is restarted (the manageservices restart network command).
Settings
<InterfaceName> <IP> <NetMask> <Broadcast> [<GateWay>]
where:
- <InterfaceName> – name of the network interface, for example, eth0.
- <IP> – IP address of the network interface that you want to assign.
- <NetMask> – network mask.
- <Broadcast> – broadcast address.
- <GateWay> – gateway address (optional parameter). It should be set only on one network interface that uses DHCP.
Specific errors
None.
ntp
This command lets you assign an NTP server and make sure that it is running.
Settings
<ServerName> – fully qualified domain name (FQDN) or IP address of the NTP server.
Specific errors
None.
passwd
This command lets you change the password for the specified account.
Passwords must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set passwords that are at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.
The password is read from the standard input stream of the SSH connection without a prompt.
Settings
<UserName> – name of the account for which you need to create a password.
Specific errors
0130 Invalid password. Invalid password.
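Because passwd reads the password without a prompt, a candidate password can be checked against the rules above before it is sent. This is an added example, not Kaspersky code; the function name check_svm_password and the sample passwords are constructed, and treating a space as not allowed is an assumption based on the character list above.

```python
import string

MAX_LENGTH = 60        # hard limit stated on this page
RECOMMENDED_MIN = 8    # recommended minimum stated on this page
# Special characters exactly as listed on this page (32 characters).
SPECIALS = set("!#$%&'()*\"+,-./\\:;<=>_?@[]^`{|}~")
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
ALLOWED = LOWER | UPPER | DIGITS | SPECIALS


def check_svm_password(password):
    """Return (errors, warnings) for a candidate password.

    errors   - the password breaks a rule stated on this page
    warnings - the password is allowed but weaker than recommended
    Offending characters are reported by position only, so the result can
    be logged without leaking parts of the password.
    """
    errors, warnings = [], []
    if len(password) > MAX_LENGTH:
        errors.append("longer than %d characters" % MAX_LENGTH)
    # ASCII sets are used on purpose: str.isalpha() would accept non-Latin letters.
    bad = [i for i, ch in enumerate(password) if ch not in ALLOWED]
    if bad:
        errors.append("characters outside the allowed set at positions %s" % bad)
    if len(password) < RECOMMENDED_MIN:
        warnings.append("shorter than %d characters" % RECOMMENDED_MIN)
    chars = set(password)
    categories = sum(bool(chars & group)
                     for group in (LOWER, UPPER, DIGITS, SPECIALS))
    if categories < 3:
        warnings.append("uses %d of 4 character categories" % categories)
    return errors, warnings


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ("Tr1cky-Pass", "has space1A", "abc", "a" * 61):
        errors, warnings = check_svm_password(candidate)
        print(len(candidate), "chars:", errors or "ok", warnings or "")
```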
permitrootlogin
The command allows or denies access to the SVM over SSH under the root account.
The new settings are applied after the SVM is restarted or the SSH service is restarted (the manageservices restart sshd command).
Settings
<AllowOrNot> = yes|no – possible values:
- yes – allow access to the SVM over SSH under the root account.
- no – deny access to the SVM over SSH under the root account.
Example:
> ssh klconfig@10.16.98.17 permitrootlogin yes
> klconfig@10.16.98.17’s password:
Permit root login = yes
KLCONFIG OK
Specific errors
None.
productinstall
This command lets you perform various one-time tasks for Protection Server installation, such as configuring the installation ID.
You can execute this command more than once consecutively.
The new settings are applied after the SVM is restarted or the scanserver service is restarted (the manageservices restart scanserver command).
Settings
None.
Specific errors
None.
reboot
This command lets you restart the SVM in one minute.
Settings
None.
Specific errors
None.
resetnetwork
This command lets you return all network settings to their default values, including DNS settings and the settings of network interfaces. This means that DHCP will be used with the first network interface as the primary network interface for the SVM.
You can use this command to reset network settings to their original state before SVM configuration settings were changed.
The new settings are applied after the SVM is restarted or the network service is restarted (the manageservices restart network command).
Settings
None.
Specific errors
None.
rollbackpatch
This command lets you roll back the last update of the Kaspersky Security modules on SVMs.
Settings
[Patchid] is an ID of the Kaspersky Security module update (optional parameter). If no ID is specified, the last installed module update will be determined automatically.
Specific errors
None.
setsshkey
This command lets you configure authorization by SSH key for accessing an SVM without the klconfig account password (configuration password). As a result of command execution, the specified key (text in Base64 encoding) is added to the authorized SSH key file. The key is valid for 2 hours.
You can use this command in the SVM first startup script for configuring access to the SVM prior to setting the configuration password.
Settings
<Base64EncodedAuthorizationKeyEntry> – key (Base64-encoded text without spaces).
Specific errors
0160 Could not decode key. Make sure that the key is correctly encoded and does not contain spaces.
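Error 0160 is returned when the key cannot be decoded, so it helps to build the parameter programmatically and check the key first. This is an added example, not Kaspersky code; it assumes the entry is a single authorized_keys-style line ("<key-type> <blob> [comment]") without options, and the function name and the sample key are constructed.

```python
import base64
import binascii
import struct


def encode_for_setsshkey(entry):
    """Validate one public key line and return it as Base64 without spaces."""
    line = entry.strip()
    if "\n" in line or "\r" in line:
        raise ValueError("expected exactly one key entry")
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    key_type, blob_b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        # Also catches a pasted private key or a truncated copy of the blob.
        raise ValueError("key blob is not valid Base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob is too short")
    # An SSH public key blob starts with a length-prefixed copy of the key
    # type; a mismatch means the line was edited or assembled incorrectly.
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii", "replace"):
        raise ValueError("key type does not match the key blob")
    # b64encode() emits no line breaks, so the result contains no whitespace.
    return base64.b64encode(line.encode("utf-8")).decode("ascii")


# Constructed sample: a syntactically valid ed25519 blob with made-up key bytes.
_BLOB = (struct.pack(">I", 11) + b"ssh-ed25519"
         + struct.pack(">I", 32) + bytes(range(32)))
SAMPLE_ENTRY = "ssh-ed25519 %s operator@example.invalid" % (
    base64.b64encode(_BLOB).decode("ascii"))

if __name__ == "__main__":
    print(encode_for_setsshkey(SAMPLE_ENTRY))
```

The returned string is the value passed as the setsshkey parameter.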
settracelevel
This command lets you configure the trace level for the Protection Server (ScanServer.log).
The trace level is changed immediately if the <Immediately>=yes parameter is set. Otherwise, the change occurs after a restart of the SVM or Protection Server (the manageservices restart scanserver command).
Settings
<TraceLevel> [<Immediately>]
where:
- <TraceLevel> is a numerical value that determines the trace level. Possible values:
  - 0: creation of trace files is disabled.
  - 100: informational messages about the Protection Server components being started and stopped.
  - 200: messages about critical errors in the Protection Server operation.
  - 300: messages about errors and critical errors in the Protection Server operation.
  - 400: critical warnings and messages about ordinary and critical errors.
  - 500: all warnings and messages about ordinary and critical errors.
  - 600: important messages, all warnings and messages about ordinary and critical errors.
  - 700: informational messages, important messages and all warnings and messages about ordinary and critical errors.
  - 800: debugging messages and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
  - 900: debugging messages with more detailed information and all informational and important messages, as well as all warnings and messages about ordinary and critical errors.
  - 1000: all possible messages and warnings.
- <Immediately> = yes|no is an indicator determining when the new trace level settings should be applied (optional parameter). Possible values:
  - yes: apply immediately.
  - no: apply after restart of the SVM or the scanserver service (the manageservices restart scanserver command).
Specific errors
0150 Could not update <configfile>. Failed to update the configuration file /etc/opt/kaspersky/la/ScanServer.conf. Make sure that the file exists and is accessible.
test
This command returns information about an SVM.
You can use this command for SVM operability validation.
Settings
None.
Specific errors
None.
timezone
This command lets you set the time zone for an SVM.
This change is applied after the SVM is restarted.
Settings
<TimeZoneName> – name of the time zone in Linux format.
Specific errors
None.
version
This command returns the SVM version.
Settings
None.
Specific errors
None.
Settings in the ScanServer.conf file
The ScanServer.conf file contains the SVM operation settings. The file is located on the SVM in the /etc/opt/kaspersky/la/ directory.
Root account permissions are required to view and modify the file.
This section describes the settings in the ScanServer.conf file that allow you to configure logging of the SVM traces and dumps, usage of the SVM system log, and agree to the terms of the End User License Agreement. Information about other settings, if necessary, can be obtained from Technical Support.
Modifying Kaspersky Security operation settings on your own in ways not described in the Kaspersky Security Help or in the recommendations from Technical Support specialists can lead to slowdowns and malfunctions of the operating system, a decrease in the virtual machine protection level, and a violation of the availability and integrity of the processed information.
Object ID values for SNMP
The table presents the values and descriptions of object identifiers (OID) that are used to transfer information about the SVM state.
Values and descriptions of OID settings for SNMP
| Symbolic name | Description | Settings | OID |
|---|---|---|---|
| ksvlaODSStatus | Status of the virtual machine scan task. | | .1.3.6.1.4.1.23668.1491.1539.0.0 |
| ksvlaODSQueueLenght | Number of virtual machine scan tasks in Waiting status. | | .1.3.6.1.4.1.23668.1491.1539.0.1 |
| ksvlaODSTaskCount | Number of simultaneously running virtual machine scan tasks. | | .1.3.6.1.4.1.23668.1491.1539.0.2 |
| ksvlaProtectedServerCount | Number of protected virtual machines running server operating systems. | | .1.3.6.1.4.1.23668.1491.1539.1.0 |
| ksvlaProtectedDesktopCount | Number of protected virtual machines running desktop operating systems. | | .1.3.6.1.4.1.23668.1491.1539.1.1 |
| ksvlaScanServerStatus | Status of the scanserver service (Protection Server). | | .1.3.6.1.4.1.23668.1491.1539.2.0 |
| ksvlaKlnagentStatus | Status of the klnagent service (Kaspersky Security Center Network Agent). | | .1.3.6.1.4.1.23668.1491.1539.2.1 |
| ksvlaApacheStatus | Status of the Apache service. | | .1.3.6.1.4.1.23668.1491.1539.2.2 |
| ksvlaWatchdogStatus | Status of the watchdog service (wdserver). | | .1.3.6.1.4.1.23668.1491.1539.2.3 |
| ksvlaMemoryConsumption | RAM usage (percentage) by the scanserver service. | | .1.3.6.1.4.1.23668.1491.1539.3.0 |
| ksvlaSwapConsumption | Page file usage (percentage) by the scanserver service. | | .1.3.6.1.4.1.23668.1491.1539.3.1 |
How to remove duplicate virtual machines from the list of managed devices in Kaspersky Security Center
In some VDI infrastructures, after a user session ends, the non-persistent virtual machine is powered off without shutting down the guest operating system or stopping applications. As a result, the Light Agent running on the virtual machine does not transmit information about the shutdown of that virtual machine to Kaspersky Security Center, and the virtual machine is not removed from the list of managed devices in Kaspersky Security Center. At the next startup, the non-persistent virtual machine is registered in Kaspersky Security Center, causing a duplicate to appear in the list of managed devices, representing the previous session for the virtual machine template. As a result, the list of managed devices contains a large number of non-persistent virtual machines corresponding to each user session in the VDI infrastructure.
This problem exists, for example, for VDI infrastructures based on Termidesk and Basis.WorkPlace.
You can use one of the following methods to remove a non-persistent virtual machine from the list of managed devices in Kaspersky Security Center after it is powered off:
- Before powering off the non-persistent virtual machine, stop the Kaspersky Security Center Network Agent (the 'klnagent' service). To do this, run the following command:
  - On a virtual machine with a 64-bit Linux operating system:
    systemctl stop klnagent64
  - On a virtual machine with a 32-bit Linux operating system:
    systemctl stop klnagent
  - On a virtual machine with a 32-bit Windows operating system:
    net stop klnagent
  While shutting down, the Network Agent notifies Kaspersky Security Center about the non-persistent virtual machine shutting down, and the virtual machine is removed from the list of managed devices in Kaspersky Security Center.
- After starting the virtual machine and the Network Agent (the 'klnagent' service):
  - Take note of the device ID assigned to the virtual machine. The device ID is in the Protection_HostId parameter in the protection information of the client device:
    - On a Linux virtual machine, it is in the text files in the "/var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/" directory.
    - On a 32-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
    - On a 64-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
  - When the user is done working with the non-persistent virtual machine, delete the device by ID using the Kaspersky Security Center Open API: HostGroup::RemoveHost (wstring strHostName).
Sources of information about the solution
Kaspersky Security page on Kaspersky website
On the Kaspersky Security page, you can view general information about the solution, its functions, and features.
Kaspersky Security page in the Knowledge Base
Knowledge Base is a section on the Technical Support website.
On the Kaspersky Security page in the Knowledge Base, you can read articles that provide useful information, recommendations, and answers to frequently asked questions on how to purchase, install, and use the solution.
Knowledge Base articles can answer questions relating not only to Kaspersky Security but also to other Kaspersky applications. Knowledge Base articles can also include Technical Support news.
Discuss Kaspersky applications on the forum
If your question does not require an urgent answer, you can discuss it with Kaspersky experts and other users on our Forum.
On this Forum, you can view existing threads, leave your own comments, and create new discussion threads.
Glossary
Activation code
A code provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. This code is required for activating the application.
The activation code is a unique sequence of twenty Latin characters and numerals in the format XXXXX-XXXXX-XXXXX-XXXXX.
Active key
The key that is currently being used by the application.
Administration Server
A Kaspersky Security Center component that centrally stores information about all Kaspersky applications that are installed within an enterprise network. It can also be used to manage these applications.
Application activation
The process of implementing a license that allows you to use a fully-functional version of the application until the license expires.
Backup
A dedicated storage for backup copies of files that have been deleted or modified during disinfection.
Backup copy of a file
A copy of a virtual machine file that is created when this file is disinfected or removed. Backup copies of files are stored in Backup in a special format and pose no danger.
Compound file
A compound file is comprised of several individual files that are stored in one physical file, and each of those files is accessible. Examples of compound files include archives, installation packages, embedded OLE objects, and files in email formats. A common technique for concealing viruses is to implant them into compound files. To detect viruses concealed using this method, the compound file must be unpacked.
Database of malicious web addresses
A list of addresses of web resources whose content may be considered dangerous. The list is created by Kaspersky experts. It is regularly updated and is included in the Kaspersky application distribution kit.
Database of phishing web addresses
A list of web resources that Kaspersky experts have determined to be phishing-related. The database is regularly updated and is included in the Kaspersky application distribution kit.
Desktop key
A license key that corresponds to the licensing scheme based on the number of virtual machines with operating systems for workstations.
End User License Agreement
A binding agreement between you and AO Kaspersky Lab that stipulates the terms on which you may use the application.
Heuristic Analysis
A technology designed to detect threats that cannot be detected using the current version of Kaspersky application databases. It detects files that may be infected with an unknown virus or a new variety of a known virus.
Integration Server
Component of Kaspersky Security for Virtualization Light Agent. It facilitates interaction between Kaspersky Security components and the virtual infrastructure.
Kaspersky CompanyAccount
A portal for sending requests to Kaspersky and tracking the progress made in processing them by the Kaspersky experts.
Kaspersky Security databases
Databases that contain information about computer security threats known to Kaspersky as of when antivirus databases are released. Entries in antivirus databases make it possible to detect malicious code in scanned objects. Antivirus databases are created by Kaspersky specialists and updated hourly.
Kaspersky Security Network (KSN)
An infrastructure of cloud services that provides access to the online Knowledge Base of Kaspersky, which contains information about the reputation of files, web resources, and software. The use of data from Kaspersky Security Network ensures that Kaspersky applications respond faster to threats, improves the performance of some protection components, and reduces the likelihood of false alarms.
Key file
An 'xxxxxxxx.key' file that is provided by Kaspersky when you receive a trial license or buy a commercial license to use Kaspersky Security. A key file is required for activating the application.
Key with a limitation on the number of processor cores
A license key that corresponds to the licensing scheme based on the number of cores used in the physical processors on the hypervisors where protected virtual machines are running.
Key with a limitation on the number of processors
A license key that corresponds to the licensing scheme based on the number of processors used on the hypervisors where protected virtual machines are running.
Keylogger
A program designed for hidden logging of information about keys pressed by the user. Keyloggers function as keystroke interceptors.
License
A time-limited right to use the application granted under the End User License Agreement.
License certificate
A document that Kaspersky transfers to the user together with the key file or activation code. It contains information about the license granted to the user.
License key (key)
Unique alphanumeric sequence. A license key makes it possible to use the application in accordance with the terms of the End User License Agreement, such as the type of license, license validity term, and license restrictions. You may use the application only if you have a valid license key.
Light Agent
Component of Kaspersky Security for Virtualization Light Agent. It is installed on each virtual machine that needs to be protected.
OLE object
An object attached to another file or embedded into another file using the Object Linking and Embedding (OLE) technology. An example of an OLE object is a Microsoft Office Excel spreadsheet embedded into a Microsoft Office Word document.
Phishing
A kind of online fraud aimed at obtaining unauthorized access to confidential data of users.
Protected virtual machine
A virtual machine with the Light Agent component installed.
Reserve key
A key that confirms the right to use the application but is not currently in use.
Server key
A license key that corresponds to the licensing scheme based on the number of virtual machines with server operating systems.
Signature Analysis
A threat detection technology that uses the Kaspersky application databases containing descriptions of known threats and methods for neutralizing them. Protection that uses signature analysis provides the minimum acceptable security level. As recommended by Kaspersky experts, the application always has this analysis method enabled.
Startup objects
A set of applications that are required for the operating system and software installed on the virtual machine to start and operate correctly. The operating system launches these objects at every startup. There are viruses capable of infecting such objects specifically, which may lead, for example, to blocking of operating system startup.
SVM
A secure virtual machine is a special virtual machine with the scanserver service installed (scanserver is the Protection Server component of Kaspersky Security for Virtualization Light Agent).
SVM Management Wizard
A wizard that deploys, removes, and reconfigures the SVM with the Protection Server component.
Update source
A resource that contains updates for databases and application software modules of Kaspersky applications. The update source for Kaspersky Security is the storage of the Kaspersky Security Center Administration Server.
Information about third-party code
Information about third-party code is contained in the file legal_notices.txt, in the application installation folder.
Trademark notices
Registered trademarks and service marks are the property of their respective owners.
Apache is either a registered trademark or a trademark of the Apache Software Foundation.
Arm is a registered trademark of Arm Limited (or its subsidiaries) in the US and/or elsewhere.
Ubuntu and LTS are registered trademarks of Canonical Ltd.
Citrix, Citrix Provisioning, Citrix Provisioning Services, Citrix Virtual Apps and Desktop, XenApp, XenDesktop, and XenServer are either registered trademarks or trademarks of Cloud Software Group, Inc., and/or its subsidiaries in the United States and/or other countries.
HUAWEI, FusionCompute and FusionSphere are trademarks of Huawei Technologies Co., Ltd.
Core is a trademark of Intel Corporation or its subsidiaries.
Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.
Microsoft, Active Directory, Excel, Hyper-V, PowerShell, Windows, and Windows Server are trademarks of the Microsoft group of companies.
OpenStack is a registered trademark of the OpenStack Foundation in the United States and other countries.
Red Hat Enterprise Linux and CentOS are trademarks or registered trademarks of Red Hat, Inc. or its subsidiaries in the United States and other countries.
Debian is a registered trademark of Software in the Public Interest, Inc.
OpenAPI is a trademark of The Linux Foundation.