Updating Kaspersky Security from the previous version

Upgrading the solution

You can upgrade Kaspersky Security for Virtualization 6.1 Light Agent to Kaspersky Security for Virtualization 6.2 Light Agent.

Upgrading of earlier Kaspersky Security versions to version 6.2 is not provided.

Before you begin the upgrade, you need to prepare the files required to install the solution and complete the steps necessary to prepare the virtual infrastructure for installation of the solution.

Updating the version of the solution to Kaspersky Security to Kaspersky Security for Virtualization 6.2 Light Agent involves the following steps:

1. Updating the Integration Server

   When upgrading the solution, you can switch to the Linux-based Integration Server or continue using the Windows-based Integration Server.

   If you want to continue using the Windows-based Integration Server, you need to update the Integration Server and Integration Server Console. The procedure for updating the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution (Kaspersky Security Center Windows or Kaspersky Security Center Linux).

2. Updating Kaspersky Security management plug-ins
   • Depending on the Kaspersky Security Center management console you use, you need to update the management web plug-ins or management MMC plug-ins of the previous version of the Protection Server and Light Agent for Linux.
   • If you want to use Integration Server Web Console to manage the Integration Server, you need to install the Integration Server web plug-in.
   • If you want to protect virtual machines with Windows guest operating systems, you need to install the management web plug-in or management MMC plug-in for Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode).
3. Updating the Protection Servers

   Deploy SVMs with the new version of the Protection Server on your hypervisors.

4. Preparing the Protection Servers for operation

   You must follow the steps to prepare the updated SVMs and Protection Servers for operation.

5. Updating Light Agent for Linux and Network Agent for Linux

   To protect virtual machines with Linux guest operating systems, you need to update Light Agent for Linux (Kaspersky Endpoint Security for Linux running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Linux guest operating systems.

   For a description of the process of updating Kaspersky Endpoint Security for Linux and Network Agent for Linux, see the Kaspersky Endpoint Security for Linux Help of the relevant version.

6. Installing/updating Light Agent for Windows and Network Agent for Windows

   To protect virtual machines with Windows guest operating systems, you need to install Light Agent for Windows (Kaspersky Endpoint Security for Windows running in Light Agent mode) and Network Agent on virtual machines and virtual machine templates with Windows guest operating systems.

   You can use the following versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 or Kaspersky Endpoint Security for Windows 12.9.

   Make sure you are downloading database updates for the correct version of Light Agent to the SVM. If you have different versions of Light Agent for Windows installed on protected devices, updates for all installed versions must be downloaded to the SVM.

   If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution.

7. Preparing Light Agents for operation

   You need to perform the actions required to prepare Light Agents for operation.

Upgrading Light Agent for Windows

Kaspersky Security 6.2 supports two versions of Light Agent for Windows: Kaspersky Endpoint Security for Windows 12.8 and Kaspersky Endpoint Security for Windows 12.9. If you have Kaspersky Security 6.2 and Kaspersky Endpoint Security for Windows 12.8 in Light Agent mode installed, you can upgrade the Light Agent version for Windows as follows:

1. Upgrade Kaspersky Endpoint Security for Windows 12.8 to version 12.9. For a description of the update process of the Kaspersky Endpoint Security for Windows application, see the application Help of the relevant version.
2. Specify the new version of Light Agent for Windows in the update settings in your Protection Server policy.

   The Administration Server needs some time to download database updates for Light Agents. We recommend starting the database update process after completing the synchronization of the Network Agent on the SVM with the Administration Server (by default, the synchronization period is 15 minutes after changing the policy settings).

3. Manually run the Download updates to the repository task.
4. Download the update packages to the SVM. To download update packages to the SVM, you can use an automatically created Protection Server task, Updating databases and solution modules. As a result of the update task, the Protection Server gets database updates for the specified version of Light Agent.
5. Upgrade the management web plug-in or MMC management plug-in of the previous version of Light Agent for Windows.

Migrating from the Windows-based Integration Server to the Linux-based Integration Server

If you previously had the Windows-based Integration Server installed in your virtual infrastructure, you need to do the following to switch to using the Linux-based Integration Server:

1. Install the Linux-based Integration Server.
2. Install the Integration Server Web Console.
3. In Integration Server Web Console, configure the settings for connecting to the virtual infrastructures to which the Windows-based Integration Server connected.
4. Update the Integration Server address in all configured Protection Server polices and Light Agent policies.
5. Make sure that the SVMs are connected to the Linux-based Integration Server.
6. Ensure that Light Agents are connected to the Linux-based Integration Server and to the SVMs.
7. Uninstall the Windows-based Integration Server (see the solution help for the corresponding version for more details).

   Uninstalling the Integration Server will delete the data used in the operation of the Integration Server, including the list of registered tenants and information about the time that virtual machines have been protected by the solution. If necessary, save tenant protection reports.

If you are using Kaspersky Security in multi-tenancy mode, after completing the procedure for switching to using the Linux-based Integration Server, you need to redeploy the tenant protection structure or register existing tenants and their virtual machines (depending on the scenario for using Kaspersky Security in multi-tenancy mode).

Updating the Windows-based Integration Server and Integration Server Console

The Windows-based Integration Server and Integration Server Console must be updated under an account that belongs to local administrator group.

Close the Integration Server Console before starting the update.

The procedure for installing the Windows-based Integration Server depends on which version of Kaspersky Security Center you are using to manage the Kaspersky Security solution:

• If you use Kaspersky Security Center Windows to manage Kaspersky Security, and in accordance with the recommendations of Kaspersky specialists, you used the Kaspersky Security Components Installation Wizard to install the Integration Server and Integration Server Console, we recommend to also perform the update using the wizard.

  You can update the Integration Server and Integration Server Console by using the Kaspersky Security Components Installation Wizard in interactive mode or in silent mode.

  The update is performed by installing the new version of the Integration Server and the Integration Server Console.

  During the upgrade, you can save a backup copy of the database, settings, and certificate of the previous version of the Integration Server. If errors occur in the operation of the Integration Server after an update, you can use the backup copy to restore the previous version of the Integration Server.

  If you want to save a backup copy of the database and settings of the Integration Server of the previous version, the upgrade requires additional space on the drive containing the %ProgramData% folder.

• If you use Kaspersky Security Center Linux to manage Kaspersky Security, the Kaspersky Security Components Installation Wizard cannot be used to update the Integration Server and Integration Server Console. The update is performed by manually installing the new version of the Integration Server and the Integration Server Console.

Updating requires at least 4 GB of free space on the drive containing the %ProgramData% folder on the device where the previous version of the Integration Server and Integration Server Console are installed.

After upgrading the Integration Server, we recommend to replace the self-signed SSL certificate of the Integration Server with a more secure certificate. You can create a new certificate and install it using the certificate management tool included with the solution.

Updating in interactive mode using the wizard

To update the Integration Server and Integration Server Console in interactive mode using the wizard:

1. On the device where Administration Console and Kaspersky Security Center Administration Server are installed, run the ksvla-components_<solution version number>_mlg.exe file. This file is included in the distribution kit.

   Kaspersky Security components installation Wizard starts.

2. Select the localization language of the Wizard and of the Kaspersky Security components and proceed to the next step of the Wizard.

   By default, the localization language of the operating system installed on the device where the Wizard was started is used.

3. Make sure that the Install management components option is selected and proceed to the next step of the Wizard.
4. If you want to save a backup copy of the database and settings and certificate of a previously installed Integration Server, select the Create a backup copy of the Integration Server database, settings, and certificate check box. The default path is %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1). The number in the folder name is incremented with each subsequent update attempt.

   The Wizard checks the amount of free space on the drive that contains the %ProgramData% folder. If there is insufficient free space on the drive, the Wizard displays an error message and you cannot proceed to the next step of the Wizard. If this is the case, close the Wizard, free up space on the drive, and restart the Kaspersky Security Components Installation Wizard.

5. In the next step, read the Kaspersky Security End User License Agreement, which is concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data.

   To continue the installation, you must confirm that you have fully read and accept the terms of the End User License Agreement and the Privacy Policy. To confirm, select both check boxes in the window of the Wizard.

   Proceed to the next step of the wizard.

6. Create the password of the Integration Server administrator (admin) account. The admin account is used for the following purposes:
   • To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
   • To connect the Integration Server Web Console to the Integration Server.

   Enter a password in the Password and Confirm password fields. The account name cannot be edited.

   A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

   Proceed to the next step of the wizard.

7. Review the information about the actions that the wizard will perform and click the Install button to begin performing the listed actions.
8. Wait for the wizard to finish.

   If an error occurs during wizard operation, the wizard rolls back the changes made.

9. Click Finish to close the Wizard window.

Information about the work of the Wizard is written to trace files of the Kaspersky Security Components Installation Wizard. If the wizard completed with an error, you can use these files when contacting Technical Support.

Updating from the command line

To update the Integration Server and Integration Server Console from the command line,

Run the following command:

ksvla-components_<solution version numbe>_mlg.exe -q --lang=<language ID> --accept-EulaAndPrivacyPolicy=yes --viisPass=<password> [--log-path=<file path>] [--createBackup] [--backupFolder=<folder path>]

where:

• <solution version number> is the version number of the solution in X.X.X.X format.
• -q is an option specifying that the update is performed in silent mode. If you want to run the update interactively from the command line, do not specify this option.
• --lang=<language ID> is the identifier of the language of the components to install.

  The language ID must be indicated in the following format: ru, en, de, fr, zh-Hans, zh-Hant, ja. It is case-sensitive.

• --accept-EulaAndPrivacyPolicy=yes means that you accept the terms of the Kaspersky Security End User License Agreement, concluded between you and Kaspersky, and the Privacy Policy, which describes the processing and transmission of data. By setting this parameter to yes, you confirm the following:
  • You have fully read, understood and accept the terms and conditions of the Kaspersky Security End User License Agreement.
  • You have fully read and understood the Privacy Policy, you are aware and agree that your data will be handled and transmitted (including to third countries) as described in the Privacy Policy.

  The text of the End User License Agreement and Privacy Policy is included in the solution's distribution kit. Accepting the terms of the End User License Agreement and Privacy Policy is a prerequisite for updating the Integration Server and Integration Server Console.

  You can read the text of the End User License Agreement and the Privacy Policy by executing the following command:

  ksvla-components_<solution version number>_mlg.exe --lang=<language ID> --show-EulaAndPrivacyPolicy

  The text of the End User License Agreement and the Privacy Policy is output to the license_<language ID>.txt file in the tmp folder.

• --viisPass=<password> is the password of the Integration Server administrator account (admin). The admin account is used for the following purposes:
  • To connect the Integration Server Console to the Integration Server if the device on which the Integration Server Console is installed is not part of a Microsoft Windows domain.
  • To connect the Integration Server Web Console to the Integration Server.

  A password must be no longer than 60 characters. You can use only letters of the Latin alphabet (uppercase and lowercase letters), numerals, and the following special characters: ! # $ % & ' ( ) * " + , - . / \ : ; < = > _ ? @ [ ] ^ ` { | } ~. For security purposes, you are advised to set a password that is at least 8 characters long and use at least three of the four categories of characters: lowercase letters, uppercase letters, numerals, and special characters.

• --log-path=<path to file> is the path to the file where information about update results is saved.

  Optional parameter. By default, update results are logged to trace files saved at %temp%\Kaspersky_Security_for_Virtualization_<version number>_Light_Agent_BundleInitialInstall_logs_<date and time>.zip, where:

  • <version number> refers to the number of the installed version of the Kaspersky Security solution;
  • <date and time> refers to the date and time when the update was completed, in the dd_MM_yyyy_HH_mm_ss format.
• --createBackup

  Optional parameter. Indicates that it is necessary to save a backup copy of the database and settings and the certificate of the previously installed Integration Server. By default, the data is saved in the %ProgramData%\Kaspersky Lab\VIISLA_Backup\VIISData(1) folder. The number in the folder name is incremented each time an update is done. You can select the path for saving this data using the --backupFolder option:

• --backupFolder=<path to folder> is the path to the folder where the backup copy of the database and settings and certificate of the previously installed Integration Server will be saved.

  Optional parameter. If this option is not specified, the data will be saved to the default folder.

To view a description of all available command line parameters for installing and updating Kaspersky Security components, use the --help parameter.

Updating the Integration Server and Integration Server Console takes some time.

About updating management plug-ins

The Protection Server management plug-in is updated by installing a new version of the management plug-in. After installing the Protection Server management plug-in, it is recommended to run the Download updates to the repository task in Kaspersky Security Center and make sure that the task completes successfully. For details, please refer to the Kaspersky Security Center help.

Policies and tasks configured in Kaspersky Security Center for the previous version of Kaspersky Security components are not compatible with the updated version of the solution. If you use the Kaspersky Security Center Administration Console to manage solution components, after updating the management MMC plug-ins, you can migrate previously configured policy and task settings to the policies and tasks for the updated version of solution components. Settings are migrated using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).

The converted policies and tasks use the settings of policies and tasks of the previous version of Kaspersky Security components. The settings that were not configured in the policies and tasks of the previous version take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".

The policy and task conversion procedure is not available in Kaspersky Security Center Web Console. If you are using the Web Console to manage solution components, you must create new policies and tasks for the updated solution components.

Management plug-ins of the previous version continue to operate after installation of the new version of the Kaspersky Security management plug-ins. You can use them to manage SVMs and Light Agents of the previous version of Kaspersky Security.

After all the application components are updated, you can remove the management plug-ins of the previous version.

About the upgrade of the Protection Server

The Protection Server is updated by deploying SVMs with the new version of the Protection Server in the virtual infrastructure. You can deploy SVMs in the following ways:

• Using the Integration Server Web Console.
• Using the Integration Server Console.
• Without using the Integration Server management consoles, using the Integration Server REST API (open a description of REST API requests).

You can also deploy SVMs using the virtual infrastructure tools and then configure SVM settings using the klconfig script API manually or using automation tools.

If you are using a licensing scheme based on the number of cores in physical processors on the hypervisors, then after the solution is activated on a new SVM, Kaspersky Security may send Kaspersky Security Center an event indicating that the license restriction has been exceeded. You can ignore this event.

SVMs with the previous version of the Protection Server continue to work on hypervisors. They allow legacy Light Agents to run on virtual machines that have not yet been updated.

If you have updated all Light Agents, you can remove the SVM with the previous version of Protection Server.

SVMs that have been removed continue to be displayed in the Administration Console of Kaspersky Security Center. When the period specified in Kaspersky Security Center settings elapses (see Kaspersky Security Center help for details), the SVMs are automatically removed from the Administration Console.

You can manually remove SVMs with the previous version of the Protection Server from the Administration Console of Kaspersky Security Center as soon as the upgrade process has been completed.

About updating Light Agent for Windows 5.2

If you were using the Light Agent for Windows component included in Kaspersky Security for Virtualization 5.2 Light Agent, you need to switch to using the Light Agent for Windows that is part of the Kaspersky Security for Virtualization 6.2 Light Agent solution. To do so:

1. Remove Light Agent for Windows 5.2 from virtual machines and virtual machine templates (for details, see the Kaspersky Security for Virtualization 5.2 Light Agent Help).
2. Install the Kaspersky Endpoint Security for Windows application in Light Agent mode, and Network Agent on virtual machines and virtual machine templates.
3. If you use Kaspersky Security Center Administration Console to manage solution components, you can convert policies and virus scan tasks configured for Light Agent for Windows 5.2. Settings are converted using the Kaspersky Security Center Policies and Tasks Batch Conversion Wizard (for more details, see the Kaspersky Security Center Help).

   Converted policies and tasks use the settings of the policies and tasks for Light Agent for Windows 5.2. Settings not present in policies and tasks in version 5.2 take default values in the converted policies and tasks. The converted policies and tasks have names "<Original policy/task name> (converted)".

   To use a converted policy, change its status to Active.

4. Remove the policies for the Protection Server and Light Agent for Windows 5.2 along with the remaining Kaspersky Security for Virtualization 5.2 Light Agent application components:
   • components for managing Kaspersky Security for Virtualization 5.2 Light Agent
   • SVMs included in Kaspersky Security 5.2

   For more information on removing the components of version 5.2, see the Kaspersky Security for Virtualization 5.2 Light Agent Help.

For more information about migrating from Light Agent for Windows version 5.2 to Kaspersky Endpoint Security for Windows in Light Agent mode, see Kaspersky Endpoint Security for Windows Help of the relevant version.