Kaspersky Security for Virtualization 6.2 Light Agent

Virtual machine protection status

You can view information about the protection status of the virtual machines as follows:

  • In Kaspersky Security Center, using the statuses of client devices.
  • In Kaspersky Security Center, using the statuses of Light Agent functional components on virtual machines.
  • On a protected virtual machine:
    • For Light Agent for Linux: using the Kaspersky Endpoint Security for Linux command kesl-control --app-info. The command displays information about the operation of the application and the state of the application's functional components. For details, see the Kaspersky Endpoint Security for Linux Help of the relevant version.
    • For Light Agent for Windows: using the Protection status widget in the local interface of Kaspersky Endpoint Security for Windows.
  • In infrastructure based on the VMware vSphere platform: using security tags, which Kaspersky Security can assign to a protected virtual machine.


Statuses of client devices in Kaspersky Security Center

The protected virtual machine (the virtual machine on which the Light Agent component is installed) and the SVM are client devices for Kaspersky Security Center. Information about the state of a client device in Kaspersky Security Center is displayed by the client device status (OK, Critical, or Warning).

The client device status changes to Critical or Warning for the following reasons:

  • According to the rules defined in Kaspersky Security Center. For example, the status changes if a security application is not installed on the device, a virus scan has not been performed in a long time, anti-virus databases are outdated, or the license has expired. For more details about the reasons for status changes and configuring status assignment conditions, please refer to the Kaspersky Security Center help.
  • Kaspersky Security Center receives the device status from the managed application, i.e. from Kaspersky Security solution components.

    Receipt of the device status from the managed application must be enabled in Kaspersky Security Center in the lists of conditions for assigning the Critical and Warning statuses. Conditions for assigning device statuses are configured in the properties window of an administration group.

    The SVM status changes in the following cases:

    • No connection to the Integration Server
    • No connection to the virtual infrastructure

    The status of a protected virtual machine changes in the following cases:

    • No connection to the Integration Server
    • No connection to the SVM
    • A modification of files or modification of the registry was detected on the virtual machine

For details on client device statuses, please refer to the Kaspersky Security Center help.


Statuses of Light Agent functional components on virtual machines

Information about keys added to the SVM can be viewed in the Kaspersky Security Center Administration Console or in the Web Console.

  • The properties of the application running in Light Agent mode on a virtual machine display a list of functional components of Light Agent. For each component, its status is displayed.
  • The Kaspersky Security Center report on the status of application components displays information about the Light Agent functional components that are installed or not installed on the virtual machines. For each of the installed components, the report displays the number of virtual machines on which this component is installed and the number of administration groups to which these virtual machines belong.

    The report on the status of application components is available in the list of report templates in Kaspersky Security Center Administration Console (on the Reports tab in the workspace of the Administration Server <server name> node), and in the Kaspersky Security Center Web Console (in the Monitoring and reporting → Reports section).

  • You can create selections of virtual machines by specifying as a selection condition the status of components and/or the version number of the application running in Light Agent mode.

For more information about working with tasks and configuring device selections, see the Kaspersky Security Center Help.


About security tags

If the Kaspersky Security solution is running in a virtual infrastructure on the VMware vSphere platform and uses VMware NSX Manager, Kaspersky Security may assign the following security tags to the protected virtual machine:

  • ANTI_VIRUS.VirusFound.threat=high. This tag is assigned to a virtual machine on which viruses or other malicious programs were detected.
  • IDS_IPS.threat=high. This tag is assigned to a virtual machine whose inbound traffic displayed activity that is typical for network attacks.

Kaspersky Security can assign security tags only if you have enabled the use of VMware NSX Manager and configured the settings for connecting the Integration Server to VMware NSX Manager in Integration Server Web Console or Integration Server Console.

You can view the security tags assigned to the virtual machine in the properties of the virtual machine:

  • In the VMware vSphere Client console, in the Hosts and Clusters section of the Summary tab.
  • In VMware NSX Manager web console, in the Inventory → Virtual Machines section.

The ANTI_VIRUS.VirusFound.threat=high security tag that Kaspersky Security assigned to the virtual machine is removed automatically if running a Full Scan task on the virtual machine detects no viruses or other malicious programs. If the ANTI_VIRUS.VirusFound.threat=high security tag is manually assigned to a virtual machine using virtual infrastructure tools, it can be removed only manually.

An IDS_IPS.threat=high security tag assigned to the virtual machine either by Kaspersky Security or manually using virtual infrastructure tools can be removed only manually.

After manually removing the tag, you need to restart the Light Agent on the virtual machine.

For more information on how to manually remove and assign security tags, refer to the Knowledge Base.
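
The removal rules above, applied to a tag inventory to work out what an operator still has to do per virtual machine. This is an added example, not Kaspersky code: the assigned_by field, the clean_full_scan input and the sample VM names are assumptions, because the page does not describe how the assignment source is recorded.

```python
from dataclasses import dataclass

AV_TAG = "ANTI_VIRUS.VirusFound.threat=high"
IDS_TAG = "IDS_IPS.threat=high"
SCAN_STEP = "run Full Scan task (tag is removed automatically if nothing is detected)"
RESTART_STEP = "restart Light Agent"

@dataclass(frozen=True)
class TagRecord:
    vm: str           # VM name (constructed sample data)
    tag: str          # tag text as shown in vSphere Client or NSX Manager
    assigned_by: str  # hypothetical field: "kaspersky" or "manual"

def manual_step(tag):
    return f"remove {tag} manually"

def removal_plan(records, clean_full_scan):
    """Map each tagged VM to the ordered steps needed to clear its threat tags.

    clean_full_scan: names of VMs whose latest Full Scan task detected nothing.
    An empty list means no operator action is required.
    """
    plan = {}
    for r in records:
        if r.tag not in (AV_TAG, IDS_TAG):
            continue  # not one of the two tags this page describes
        steps = plan.setdefault(r.vm, [])
        auto_removable = r.tag == AV_TAG and r.assigned_by == "kaspersky"
        if auto_removable and r.vm in clean_full_scan:
            continue  # already cleared by the clean Full Scan
        steps.append(SCAN_STEP if auto_removable else manual_step(r.tag))
    for steps in plan.values():
        # One Light Agent restart per VM, after all manual removals.
        if any(s.startswith("remove ") for s in steps):
            steps.append(RESTART_STEP)
    return plan

# Constructed sample inventory, not real data.
SAMPLE = [
    TagRecord("vm-web01", AV_TAG, "kaspersky"),
    TagRecord("vm-web02", AV_TAG, "kaspersky"),
    TagRecord("vm-db01", AV_TAG, "manual"),
    TagRecord("vm-db01", IDS_TAG, "kaspersky"),
    TagRecord("vm-app01", "backup.tier=gold", "manual"),
]

if __name__ == "__main__":
    for vm, steps in removal_plan(SAMPLE, {"vm-web01", "vm-db01"}).items():
        print(vm, "->", steps or "no action")
```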
