KL 014.50 en Pres v1.4.5

The document discusses Kaspersky Security for Virtualization and NSX. It covers chapters on general concepts, deployment, configuration, how it works, and maintenance. It includes information on NSX, network virtualization, and how Kaspersky Security for Virtualization integrates with NSX to provide security.

Kaspersky Security for Virtualization | Agentless

Technical training KL 014.50


Kaspersky Security for Virtualization 5.0 Agentless
Chapter 1. General
What is NSX
NSX as a security platform
Kaspersky Security for Virtualization. Operation principles
Which product to select for protecting a VMware virtual infrastructure

Chapter 2. Deployment
Prepare guest operating systems
Prepare NSX for installing the File Antimalware Protection component
Prepare NSX for installing the Network Protection component
Register Kaspersky Security for Virtualization with NSX
Install the components of Kaspersky Security for Virtualization
Initial setup
More about deployment

Chapter 3. Configuring protection


Kaspersky Security for Virtualization policy
Real-time protection
On-demand scanning
Network protection
How to enable protection for a virtual machine

Chapter 4. How Kaspersky Security for Virtualization works


How Kaspersky Security for Virtualization scans files
How Kaspersky Security for Virtualization optimizes scanning
If File Protection does not work
How Kaspersky Security for Virtualization protects against network threats

Chapter 5. Maintenance
Monitoring
Troubleshooting NSX and Integration Server

Software-defined data center

Features
• Quick load balancing
• Automation
• Isolation of workloads
• Hardware abstraction
• …

Technologies
• Server virtualization
• Network virtualization (NSX)
• Storage virtualization

KL 014.50. Kaspersky Security for Virtualization 5.0 Agentless


Network virtualization

[Diagram: server virtualization and network virtualization side by side. Server virtualization presents vCPU, vRAM and vNIC to the virtual machines on top of hardware; network virtualization presents switch, router, load balancer (LB) and firewall (FW) on top of the IP transport. Layer labels: Software (automatically), Hardware (manually).]


What is NSX
• A network virtualization and security platform
• It enables the creation of networks in software
• The virtual network is separated from the physical one
• Virtual networks (logical routers) can be created and deleted; snapshots are available (similar to those of
virtual machines)

[Diagram: virtual machines on top of a network hypervisor layer formed by the NSX vSwitch on each hypervisor; the hypervisors run on hardware connected by the physical network.]


Network streams in a data center
• North-South
— Client-server traffic: vertical or North-South traffic
• East-West
— Traffic between the virtual machines: horizontal or East-West traffic

[Diagram: NSX Edge Services Gateway above a row of virtual machines; North-South traffic passes through the gateway, East-West traffic runs between the virtual machines.]

Firewalls in NSX
• North-South
— NSX Edge firewall (vertical traffic, North-South)
• East-West
— Distributed firewall (horizontal traffic, East-West)

[Diagram: NSX Edge Services Gateway and a row of virtual machines, as on the previous slide.]

Distributed firewall (DFW)
• A part of the ESXi hypervisor
• It applies rules at the level of virtual network interface card (vNIC)
• When a virtual machine migrates (vMotion), rules are applied correctly
• It controls horizontal traffic
• DFW is isolated from the virtual machine: none of its elements reside within a virtual machine and therefore cannot be compromised

[Diagram: NSX Manager above two hosts; on each host, virtual machines connect to an NSX vSwitch with DFW in the hypervisor, which runs on hardware.]


NSX services
• Services enhance NSX capabilities
• A service is a virtual machine (Service VM, SVM) and/or a hypervisor module
• Built-in NSX services
— NSX Edge firewall
— Distributed Firewall
— Activity Monitoring
— …
• Types of services by third-party suppliers
— Antivirus
— IDS IPS
—…


Service Composer
• Centralized interface for managing NSX services
— Service Composer assigns services to virtual machines
— Service Composer automates the use of security policies
— A single integration method for all vendors


File scanning via Guest Introspection (GI)
• Thin agent on the guest virtual machines
• ESXi (EPSec Mux) module
• Guest Introspection SVM (Universal SVM, USVM)
• A service virtual machine that scans files (SVM)

[Diagram: on one hypervisor, a Service VM (SVM) and a Guest Introspection SVM (USVM) next to guest virtual machines, each running VMware Tools with the GI Thin Agent; the GI ESXi Module sits in the hypervisor.]


Traffic scanning in NSX: Network Introspection
• Does not require VMware Tools or any agents to be installed on virtual machines
• ESXi hosts need to be prepared

[Diagram: an SVM next to the virtual machines, connected through the VMware API and VSIP on the Distributed Virtual Switch, on top of hardware.]


Why Kaspersky Security for Virtualization | Agentless
• Kaspersky Security for Virtualization | Agentless integrates with NSX
• Kaspersky Security for Virtualization | Agentless meets the requirements for a contemporary
data center
• NSX:
— Automates installing Kaspersky Security for Virtualization
— Scales protection automatically (protection as a service)
• Kaspersky Security for Virtualization:
— Protects against malware and network threats
— Optimizes the use of resources


Protection as a service
• Protection is separated from the virtual machine
— No operating system compatibility issues
— Malware that penetrates a virtual machine cannot disable or get around protection

• Virtual machines consume protection as a service


— The service is always accessible and databases are always up-to-date
— The service can be enabled, replaced, scaled seamlessly for a virtual machine

• A service virtual machine is easier to support


— One antivirus engine per host instead of a dedicated engine per each virtual machine on the host


Components of Kaspersky Security for Virtualization

SVM of Kaspersky Security for Virtualization 5.0
A special virtual machine that scans files and traffic of the virtual machines. Includes a pre-installed Network Agent.

Integration Server
Builds into KSC and is responsible for connection to the virtual infrastructure objects:
― Registers KSV services with NSX
― Upgrades SVM
― Modifies SVM settings
― Displays vCenter objects in the KSC Console, e.g. in policies and tasks

Kaspersky Security Center Network Agent
An ordinary agent, the same as that of Kaspersky Endpoint Security:
― Receives settings
― Receives updates
― Transfers events

Kaspersky Security Center Administration Server
A single console for managing protection based on Kaspersky Lab products.
For Kaspersky Security for Virtualization, Kaspersky Security Center provides:
― Activation
― Database updates
― Configuration
― Monitoring

[Diagram: on the hypervisor, an SVM (File protection) and an SVM (Network protection), each with a KSC Agent, perform file scanning and traffic scanning for the virtual machines; the management side shows the Virtual Infrastructure Integration Server and the KSC Administration Server.]

Protection provided by Kaspersky Security for Virtualization

On-demand scanning
— Running virtual machines
— Powered off virtual machines
— Virtual machine templates

File scanning
— Objects of the virtual drive are sent to SVM for scanning

Network protection
— The Network Protection module blocks network attacks
— Analyzes and blocks dangerous network activities (IDS Suricata)

URL scanning
— Blocks malicious and phishing links

Limitations
— The thin agent does not scan memory or boot sectors


NSX license

                               | NSX for vShield Endpoint | NSX Advanced\Enterprise
KSV, File protection           | +                        | +
Service Composer               | +                        | +
Firewall                       |                          | +
KSV, Network Threat Protection |                          | +
KSV, URL scanning              |                          | +


Kaspersky Security for Virtualization licensing

[Diagram: two licensing models shown on hosts with virtual machines: per virtual machine and per processor/physical core.]

— Kaspersky Security for Virtualization uses licenses of Kaspersky Hybrid Cloud Security
— The number of used licenses does not depend on the used protection components (file and/or network protection)
— Subscription licenses can be used


Protection for virtual machines

Do virtual machines need protection?
— They are isolated and are less vulnerable to threats
— They can be easily recreated or rolled back to a clean state

— Virtual servers work continuously, it is not easy to recreate or roll them back
— In many scenarios, virtual machines are as vulnerable to threats as ordinary computers
— Contemporary threats may be dangerous even on non-persistent virtual machines with short lifetime

Protection options
1. Use classic tools: the protection works entirely within the virtual machines
2. Dedicated Protection Server: protection tools are installed outside the virtual machines
3. Hybrid approach: protection partly runs on the dedicated server, and partly within the virtual machines


Traditional protection

• A classic protection solution is installed on each virtual machine
• Applications
— Kaspersky Endpoint Security for Windows
— Kaspersky Security for Windows Server
— Kaspersky Endpoint Security for Linux

[Diagram: five virtual machines on one hypervisor, each with its own KES instance.]


Kaspersky Security for Virtualization | Agentless

• All virtual machines on the host use a single antivirus engine and a set of databases located on the SVM (service VM)

[Diagram: an SVM next to four virtual machines on one hypervisor, connected through the hypervisor API.]


How files are scanned

[Diagram: two panels. Kaspersky Endpoint Security: N virtual machines deployed from a VM template, each with its own KES and its own copy of file.exe; N virtual machines → N scans. Kaspersky Security for Virtualization 5.0 Agentless: N virtual machines deployed from a VM template, with file.exe passed to one SVM that keeps a shared cache; N virtual machines → 1 scan.]

— Thanks to the shared cache and a single queue, there will be no “storms” when virus scanning starts or when virtual machines boot simultaneously in a VDI scenario

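A small model of the comparison above, added here as an illustration and not taken from the product or the training material: it counts engine scans when N clones of one template boot at once, first with an engine in every VM and then with one SVM that serves all VMs from a single queue and a shared verdict cache. Keying the cache by the SHA-256 of the file content and clearing it after a database update are assumptions of this model, not documented KSV behaviour.

```python
import hashlib
from collections import deque


def toy_engine(content: bytes) -> str:
    """Stand-in for an antivirus engine (assumption): flags a constructed marker."""
    return "infected" if b"CONSTRUCTED-TEST-MARKER" in content else "clean"


class PerVmScanner:
    """Traditional model: every VM runs its own engine and scans every file itself."""

    def __init__(self):
        self.engine_scans = 0

    def open_file(self, vm: str, content: bytes) -> str:
        self.engine_scans += 1
        return toy_engine(content)


class SharedSvm:
    """Agentless model: one engine per host, a single FIFO queue, a shared cache."""

    def __init__(self):
        self.queue = deque()   # single queue for all VMs on the host
        self.cache = {}        # sha256(content) -> verdict, shared by all VMs
        self.engine_scans = 0

    def submit(self, vm: str, path: str, content: bytes) -> None:
        self.queue.append((vm, path, content))

    def drain(self) -> dict:
        """Process queued requests one at a time; return {(vm, path): verdict}."""
        verdicts = {}
        while self.queue:
            vm, path, content = self.queue.popleft()
            key = hashlib.sha256(content).hexdigest()
            if key not in self.cache:      # only unseen content reaches the engine
                self.engine_scans += 1
                self.cache[key] = toy_engine(content)
            verdicts[(vm, path)] = self.cache[key]
        return verdicts

    def databases_updated(self) -> None:
        """Cached verdicts may be stale after a database update (model assumption)."""
        self.cache.clear()


def boot_storm(n_vms: int):
    """N clones of one template boot simultaneously and open the same files."""
    template = {  # constructed sample files
        "C:/Windows/explorer.exe": b"explorer-binary",
        "C:/Windows/notepad.exe": b"notepad-binary",
        "C:/App/file.exe": b"application-binary",
    }
    per_vm, svm = PerVmScanner(), SharedSvm()
    for i in range(n_vms):
        for path, content in template.items():
            per_vm.open_file(f"vm{i}", content)
            svm.submit(f"vm{i}", path, content)
    verdicts = svm.drain()

    # One clone's file.exe changes: same path, different content, so the
    # verdict cached for the template copy must not be reused.
    modified = b"application-binary CONSTRUCTED-TEST-MARKER"
    per_vm.open_file("vm0", modified)
    svm.submit("vm0", "C:/App/file.exe", modified)
    verdicts.update(svm.drain())
    return per_vm.engine_scans, svm.engine_scans, verdicts


if __name__ == "__main__":
    per_vm_scans, svm_scans, verdicts = boot_storm(50)
    print(f"engine scans with an engine in every VM: {per_vm_scans}")
    print(f"engine scans with one shared SVM:        {svm_scans}")
    print(f"vm0 file.exe: {verdicts[('vm0', 'C:/App/file.exe')]}")
    print(f"vm1 file.exe: {verdicts[('vm1', 'C:/App/file.exe')]}")
```

The cache is keyed by content rather than by path, which is why the modified file on vm0 is rescanned while the other clones keep the cached verdict.
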
Hybrid approach: Kaspersky Security for Virtualization 5.0 Light Agent

• Some protection components work within the virtual machine and provide extended protection
• Some protection components run in a single copy on the host and use a single cache, which helps to avoid rescanning the same files over and over again and saves resources
• Linux is not supported

[Diagram: a Protection Server next to four virtual machines, each with a Light Agent (LA), on one hypervisor.]


Which product to select for protecting a VMware virtual
infrastructure
• Kaspersky Endpoint Security for Windows/Linux
• Kaspersky Security for Windows Servers
• Kaspersky Security for Virtualization. Light Agent
• Kaspersky Security for Virtualization. Agentless


Features and capabilities
KES 11 for Windows KSWS 10.1 KSV 5.0 Light Agent KSV 5.0 Agentless

Protection

File Threat Protection + + + +


Mail and Web Threat Protection + + +
Network Threat Protection + + +
Network activity analysis +
Malicious URL detection + + + +
Phishing URL detection + + + +
Firewall + (Windows Firewall management) +
Behavior Analysis + +
Exploit Prevention + +
Application Control + + +
Device Control and Web Control + + +
Intrusion prevention (HIPS) + + +
Protection against cryptolockers + + +
File integrity monitor + ?
Log inspector + ?


Features and capabilities
KES 11 for Windows KSWS 10.1 KSV 5.0 Light Agent KSV 5.0 Agentless

Functionality for data centers

Instant protection for new VMs +

Isolation +/-*

Optimization of resources +** +

Automatic deployment -/+ -/+ -/+ +


High availability of SVM N/A N/A +

Scanning for powered off virtual machines +

Virtualization technologies
Citrix PVS + + +

Citrix XenDesktop + + + +
Citrix XenApp + + +

Horizon View + +

RDS (session-based) + + +

* It is fully implemented only in Network Protection
** To a lesser extent than KSV Agentless

Objective
• During a deployment / migration in a data center, it is important to provide
— Continuity of processes
— Availability of services
• Plan
— Completely prepare the infrastructure
— Test protection on a small number of virtual machines
— Enable Kaspersky Security for Virtualization protection wherever necessary


Deployment schema

[Diagram: management servers (virtual or physical): KSC Administration Server with the Integration Server, vCenter and NSX Manager. Protected virtual infrastructure: on each hypervisor, a Kaspersky File Antimalware Protection SVM, a Kaspersky Network Protection SVM, a Guest Introspection SVM, and guest virtual machines with the Thin Agent.]


Lab 1

Start the virtual machines

1. Connect to the virtual infrastructure


2. Power on the virtual machines


Plan

1. Install Guest Introspection drivers
2. Configure NSX for scanning files
3. Configure NSX for scanning traffic
4. Register KSV Integration Server with NSX
5. Deploy KSV services
6. Activate and update KSV services
7. Configure policies and tasks for KSV in Kaspersky Security Center
8. Configure policies and security groups in vSphere
9. Make sure that everything works and enable protection everywhere


What is required
• NSX Manager (one per vCenter)
• ESXi cluster
• NSX license: only for Network Protection (NSX Advanced or higher)
• Datastore for SVM
• Network for SVM
• VMware Tools with Guest Introspection drivers
• Kaspersky Security Center
• Distributions of Kaspersky Security for Virtualization | Agentless
• A license of Kaspersky Security for Virtualization | Agentless


System requirements

                          | NSX 6.4.1      | NSX 6.3.6
vCenter                   | 6.7.0b         |
                          | 6.5 update 2b  | 6.5 update 2b
                          | 6.0 update 3f  | 6.0 update 3f
ESXi                      | 6.7            |
                          | 6.5 update 2   | 6.5 update 2
                          | 6.0 update 3e  | 6.0 update 3e
VMware Tools for Windows* | 10.2.5         | 10.2.5
Thin Agent for Linux*     | 6.3.3.5604684  | 6.3.3.5604684
Network Adapter**         | VMXNET3, E1000 | VMXNET3, E1000

* For file protection
** For network protection

Supported guest operating systems

Servers
• Windows Server 2016 LTSC
• Windows Server 2012 R2*
• Windows Server 2012*
• Windows Server 2008 R2 SP1

Workstations
• Windows 10 (x32/x64)**
• Windows 8.1 (x32/x64)
• Windows 8 (x32/x64)
• Windows 7 SP1 (x32/x64)

Linux
• Ubuntu Server 14.04 LTS (64-bit)
• Red Hat Enterprise Linux Server 7 (64-bit)
• SUSE Linux Enterprise Server 12 (64-bit)

File systems
• Windows: FAT, FAT32, NTFS, ISO9660, UDF, CIFS
• Linux: EXT2, EXT3, EXT4, XFS, BTRFS, VFAT, ISO9660, NFS, CIFS

* Without ReFS support
** Including Windows 10 Pro for Workstations

Preparing guest operating systems for file protection

— VMware Tools
   — Complete
   — Custom (select VMCI Driver \ NSX File Introspection Driver)
— Deploy a virtual machine from an image (template) with pre-installed VMware Tools
— setup.exe /s /v "/qn REBOOT=R ADDLOCAL=ALL REMOVE=Hgfs"
— You can install the driver when upgrading VMware Tools on several virtual machines simultaneously (on the virtual machines’ shortcut menu, click Guest OS\Upgrade VMware Tools)


Installing the Thin Agent on Linux
1. Import the VMware public key
https://packages.vmware.com/tools/keys/VMWARE-PACKAGING-GPG-RSA-KEY.pub

2. Add a repository
https://packages.vmware.com/packages/<platform>

3. Install the package vmware-nsx-gi-file


4. (Optional) Run the script /usr/sbin/boost_vsep_cache.sh

• VMware Tools are not necessary


• For details, please refer to
https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.admin.doc/GUID-636788A7-BB64-483A-A48D-4E62B3AFC0C8.html

What must be ready prior to registering the
Kaspersky File Antimalware Protection service
• The Guest Introspection service that installs SVM on the cluster hosts. It requires
— Datastore for the SVM (5 GB) on each cluster host
— Network for the SVM (with access to NSX Manager) on each cluster host

• You can specify the datastore and network for the whole cluster as:
— A shared datastore
— A port group on a distributed switch connected to all cluster hosts

• If there is no shared datastore or shared network, you can specify where service virtual
machines including GI SVM are to connect in the properties of cluster hosts
— In the ESXi host properties | Settings | Agent VM settings


Installing Guest Introspection
— Install from the NSX console: Installation, Service Deployment
— Guest Introspection is supplied together with NSX Manager, the GI SVM distribution is located on the NSX Manager
— Result (on each cluster host)
   — GI ESXi Module (EPSec-Mux)
   — Guest Introspection virtual machine (Universal Service Virtual Machine or USVM)


Lab 2

Configure NSX for the file scan service of Kaspersky Security for Virtualization
• Install the Guest Introspection service


Prerequisites for registering the service of
Kaspersky Network Protection
• Install the NSX components on the cluster(s):
— Install an Advanced/Enterprise NSX license
— Connect all cluster hosts to a single distributed switch
— Install NSX

• NSX installation does not create any service virtual machines, but installs extensions for
distributed switches on the cluster hosts

• What is not necessary for scanning traffic


— Guest Introspection service
— VMware Tools
— VXLAN


Installing the NSX components
— Install from the Networking and Security console: Installation and Upgrade, Host Preparation, Install NSX
— The NSX installation enables the Firewall (but does not create any rules)
— It also installs VMware Internetworking Service Insertion Platform (vSIP)
— Virtual machines’ network packets are redirected via vSIP to third-party services such as Kaspersky Network Protection


Lab 3

Configure NSX for deploying the network protection service of Kaspersky Security for Virtualization
1. Add an Advanced/Enterprise NSX license
2. Install the NSX components on the cluster


Prerequisites for registering the services of Kaspersky Security for Virtualization
• Kaspersky Security Center 10 SP2 MR1 or later
• .NET Framework 4.6.1
• Integration Server: https://www.kaspersky.com/small-to-medium-business-security/downloads/virtualization-hybrid-cloud
• Publish KSV distributions on the web server*
• Find out the credentials of the following accounts:
  — Read-Only** vCenter user
  — NSX Manager administrator

* vCenter 6.7 requires HTTP HEAD method support on the web server. Use Apache or IIS.
** For scanning powered-off virtual machines and templates, additional rights are required on the virtual machines: Add or remove device, Add existing disk, Remove disk
Virtual Infrastructure Integration Server (VIIS)
• Is included with Kaspersky Security for Virtualization components for KSC
• Manages services of Kaspersky Security for Virtualization in NSX
  — Registers services with NSX and deletes them from NSX
  — Modifies settings on service virtual machines
• Notifies NSX about detected threats
• Stores vCenter / NSX Manager access parameters to be able to:
  — Manage KSV services in NSX
  — Display the vSphere infrastructure objects in policies and on-demand scan tasks
• Correlates VM IDs with virtual machine names to:
  — Correctly display a virtual machine name and path in the KSC Console events


System requirements for the Integration Server
— Windows Server 2016 Datacenter / Standard
— Windows Server 2012 R2 Datacenter / Standard / Essentials
— Windows Server 2012 Datacenter / Standard / Essentials
— Windows Server 2008 R2 Datacenter / Enterprise / Standard Service Pack 1

— .NET Framework 4.6.1



Installing KSV components for KSC. Selecting the language

— You can download the Integration Server distribution from the Kaspersky Lab website:
  — https://www.kaspersky.com/small-to-medium-business-security/downloads/virtualization-hybrid-cloud
  — https://support.kaspersky.com/ksv4nola#downloads

— The installer does not identify the language of Kaspersky Security Center; instead, it prompts the administrator to select the language for the Integration Server console


Installation overview
— KSV components for KSC include:
— Virtual Infrastructure Integration Server (VIIS)
— Integration Server Management Console
— Kaspersky Security for Virtualization administration plug-in for the KSC console



The Quick Start Wizard of Kaspersky Security for Virtualization
— After the installation, a link that opens the KSV Integration Server console appears on the Monitoring page in the Deployment area

— The next time the user logs on to the KSC console, the Quick Start Wizard of Kaspersky Security for Virtualization opens and creates:
  — Policy
  — Update task
  — Full scan task


How Kaspersky Security for Virtualization integrates with NSX
1. The Integration Server connects to vCenter and NSX Manager

2. The Integration Server registers with NSX Manager as a service manager

3. The Integration Server registers the services of Kaspersky Security for Virtualization with NSX Manager

• The Integration Server stores additional SVM parameters required for their initial setup:
  — Address and port for connecting to the KSC Server
  — Address, port, username, and password for connecting to the Integration Server
  — Password of the klconfig user for connecting to the SVM and changing its parameters


Integration Server certificate
— The Integration Server is installed with a self-signed certificate
— At the first start of the Integration Server console, confirm that you trust the certificate
— For security, click the link and compare the certificate data with the Integration Server certificate*

* Learn more about the Integration Server certificate at https://support.kaspersky.com/13207
Connection to vCenter
— The Integration Server connects to vCenter and stores the connection parameters
— To add vCenter and register the services of Kaspersky Security for Virtualization, the Read-Only role is sufficient
— To be able to scan powered off virtual machines and templates, additional rights are required:
  — Virtual Machines\Add or remove device
  — Virtual Machines\Add existing disk
  — Virtual Machines\Remove disk
  — ESX Agent Manager\Modify

— The Integration Server checks whether NSX is used*

* Starting with Kaspersky Security for Virtualization 5.0 Agentless, integration via VMware vShield Manager is not supported. Only NSX is supported
Connection to vCenter. A self-signed certificate

— If the vCenter server certificate is self-signed (which is the case by default), the administrator must confirm using it


Connection to NSX Manager

— When registering the services, the Integration Server connects to NSX Manager and saves the connection parameters for the future
— The Integration Server address and port for reverse communications from NSX Manager are also specified here
Connection to NSX Manager. A self-signed certificate

— To register services, specify an account that has permissions of one of the following NSX roles:
  — System Administrator
  — Enterprise Administrator
  — NSX Administrator
  — Security Administrator

— The Auditor role permissions are not enough


Connection to NSX Manager. A self-signed certificate

— If the NSX Manager certificate is self-signed (which is the case by default), the administrator must confirm using it
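The three confirmation prompts described above (Integration Server, vCenter, and NSX Manager self-signed certificates) only protect the connection if the presented certificate is compared with a thumbprint read on the server itself. The sketch below is an added example, not Kaspersky or VMware code; host names and ports are supplied by the caller, and `SAMPLE_DER` is a constructed byte string used only to exercise the helpers offline.

```python
"""Added example: compare a server's self-signed certificate with a thumbprint
obtained out of band before confirming trust in a console dialog."""
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_DER = b"constructed-bytes-standing-in-for-a-DER-certificate"


def normalize_thumbprint(text):
    """Return lowercase hex with separators stripped.

    Accepts 'AB:CD:...', 'ab cd ...' and 'abcd...'. U+200E is removed because
    text copied from the Windows certificate dialog can start with that
    invisible mark, which makes a visually identical thumbprint compare unequal.
    """
    cleaned = "".join(ch for ch in text if ch not in " :-\t\u200e").lower()
    if not cleaned or any(ch not in "0123456789abcdef" for ch in cleaned):
        raise ValueError("thumbprint is not hexadecimal")
    return cleaned


def thumbprints(der_cert):
    """SHA-1 and SHA-256 thumbprints of a DER-encoded certificate."""
    return {
        "sha1": hashlib.sha1(der_cert).hexdigest(),
        "sha256": hashlib.sha256(der_cert).hexdigest(),
    }


def matches_expected(der_cert, expected):
    """True if the certificate hashes to the expected thumbprint."""
    want = normalize_thumbprint(expected)
    algo = {40: "sha1", 64: "sha256"}.get(len(want))
    if algo is None:
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits")
    return hmac.compare_digest(thumbprints(der_cert)[algo], want)


def fetch_der_certificate(host, port, timeout=5.0):
    """Fetch the certificate the server presents, without validating it.

    Validation is switched off on purpose: a self-signed certificate cannot
    chain to a trusted CA, so the thumbprint comparison is the actual check.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def endpoint_matches(host, port, expected, timeout=5.0):
    """Fetch the live certificate and compare it with the expected thumbprint."""
    return matches_expected(fetch_der_certificate(host, port, timeout), expected)
```

Run `endpoint_matches` from the machine that will hold the stored connection parameters, so the certificate checked is the one that machine actually receives.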


File protection virtual machine image
— Specify the link to the XML file or an OVF file from the file scan service distribution (all files must be located in the same folder on the web server)

— vCenter Server must be able to access the SVM image through this link

— vCenter Server 6.7 uses the HTTP HEAD method, which is not supported by some HTTP servers

— The built-in web server of Kaspersky Security Center does not support this method

— Publish security virtual machine images on a full-fledged HTTP server, for example, Apache or Microsoft IIS
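A pre-flight check for the HEAD requirement above, as an added example that is not part of the course material or the product: it sends HEAD requests for the image descriptor and its companion files and reports any the server refuses. The file names and the two local test servers (one GET-only, one with HEAD) are constructed for the demonstration.

```python
"""Added example: verify that a web server answers HTTP HEAD for published
SVM image files before giving the link to the Integration Server."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin

# Connect directly, ignoring proxy environment variables, so the result
# reflects what the web server itself answers.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def head_status(url, timeout=5.0):
    """Send HEAD and return the HTTP status code (error codes included)."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with _OPENER.open(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as err:
        return err.code


def check_published_image(descriptor_url, companion_files, timeout=5.0):
    """HEAD the descriptor and each companion file in the same folder.

    Returns {file name: problem}; an empty dict means every file passed.
    """
    names = [descriptor_url.rsplit("/", 1)[-1], *companion_files]
    problems = {}
    for name in names:
        status = head_status(urljoin(descriptor_url, name), timeout)
        if status in (405, 501):
            problems[name] = f"HEAD not supported (HTTP {status})"
        elif status != 200:
            problems[name] = f"HTTP {status}"
    return problems


# Constructed sample files; real names come from the downloaded distribution.
SAMPLE_FILES = {"/svm/image.ovf": b"<Envelope/>",
                "/svm/image-disk1.vmdk": b"\x00" * 16}


class GetOnlyHandler(BaseHTTPRequestHandler):
    """Stand-in for a server without HEAD support: only GET is implemented."""

    def do_GET(self):
        self._reply(send_body=True)

    def _reply(self, send_body):
        data = SAMPLE_FILES.get(self.path)
        if data is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        if send_body:
            self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HeadCapableHandler(GetOnlyHandler):
    """Stand-in for a full HTTP server: same files, HEAD answered too."""

    def do_HEAD(self):
        self._reply(send_body=False)


def demo():
    """Run the check against both local servers and return the findings."""
    results = {}
    for label, handler in (("get_only", GetOnlyHandler),
                           ("head_capable", HeadCapableHandler)):
        server = HTTPServer(("127.0.0.1", 0), handler)
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = f"http://127.0.0.1:{server.server_port}/svm/image.ovf"
        try:
            results[label] = check_published_image(
                base, ["image-disk1.vmdk", "missing.mf"])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, problems or "all files answer HEAD")
```

The `missing.mf` entry is deliberately absent from the sample files, so the HEAD-capable server still reports it: a file left out of the published folder shows up as HTTP 404.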


Network protection virtual machine image
— You cannot modify Traffic processing mode after the service is registered
  — Standard mode permits blocking dangerous traffic
  — Monitoring mode analyzes a copy of the traffic and only informs about threats
— To modify Traffic processing mode:
  1. Delete Kaspersky Network Protection SVM from NSX
  2. Delete registration of Kaspersky Network Protection service from NSX
  3. Re-register the Kaspersky Network Protection service with NSX with the other Traffic processing mode
  4. Deploy Kaspersky Network Protection SVM in NSX


Settings for SVM connection to the Integration Server and KSC
— After NSX Manager installs SVMs, the Integration Server sends them the connection parameters of:
  — KSC, to enable the Network Agent to receive settings and send events
  — Integration Server, to enable them to receive the list of vCenter objects


SVM access passwords
— The Integration Server uses the klconfig account when the administrator modifies SVM settings via the Integration Server console

— You can use the root account to log on to service virtual machines for diagnostics via the console; it is not used for day-to-day work


Time zone for security virtual machines
— The time zone influences the timestamps that service machines specify when logging events

— Prior to registering the services, double-check all the parameters


Further steps
— After the services are registered, deploy them in the Networking and Security console on vCenter

— Create a security policy and apply it to the virtual machines via Service Composer in the Networking and Security console


SVM reconfiguration and upgrade

— Use the console to modify:
  — Mutual connection settings of the Integration Server and NSX Manager
  — Links to SVM images (when a new version is released)
  — Settings for SVM connection to the Integration Server and KSC
  — Passwords of SVM access accounts

— Use the console to delete service registration from NSX Manager


Registration results: Kaspersky Service Manager
— The Integration Server registers as a Service Manager with NSX

— NSX Manager uses the API URL and Credentials attributes to inform the Integration Server about SVM-related operations (deployment)

— After SVM is deployed and started, the Integration Server connects to it under klconfig and specifies the settings to connect to itself and Kaspersky Security Center


Registration results: Service definitions in NSX
— The Integration Server registers two services:
  — Kaspersky File Antimalware Protection
  — Kaspersky Network Protection

— The Integration Server acts as the Service Manager

— Service Manager properties contain the settings to connect NSX Manager to the Integration Server: Address and account


Deployment attributes of Kaspersky Network Protection service
— default-action specifies the traffic interception mode:
  — ACTION_ACCEPT means the standard mode, when the service can block and modify traffic (substitute a warning for the requested web page)
  — ACTION_COPY means the monitoring mode, when the service analyzes a traffic copy and only informs about threats

— agentName: Kaspersky Network Protection service identifier in NSX
  — It is formed as follows: serviceinstance-<number>
  — This identifier helps to recognize the service in the output of the summarize-dvfilter utility that shows which services participate in processing packets of virtual network adapters


Lab 4

Register the services of Kaspersky Security for Virtualization with NSX
1. Create a role for the Integration Server in vCenter
2. Create an account for the Integration Server in vCenter
3. Install the Integration Server of Kaspersky Security for Virtualization and the plug-in for KSC
4. Register Kaspersky Security for Virtualization services with NSX
5. Consult the results of registering the Kaspersky Security for Virtualization services




Service virtual machine parameters

File Antimalware Protection (available configurations, in the same order on each line):
• RAM: 2 / 4 / 8 / 4 / 8 GB
• vCPU: 2 / 2 / 2 / 4 / 4
• Drive space: 32 / 34 / 38 / 34 / 38 GB

Network Protection (available configurations, in the same order on each line):
• RAM: 1 / 2 / 4 GB
• vCPU: 2 / 4 / 8
• Drive space: 9 / 10 / 12 GB


Select the services to be installed
— After the services of Kaspersky Security for Virtualization have been registered, you can select them on the list and deploy in the Networking and Security console

— The services can be deployed immediately or at the specified time


Specify the deployment parameters
— Services can be deployed only on clusters in NSX; individual ESXi hosts cannot be selected

— If there is no DHCP, you can use pools of IP addresses. NSX Manager will allocate a static address from the pool to an SVM
— The datastore and the network must be accessible on all cluster hosts:
  — A shared datastore
  — Virtual Distributed Switch (VDS) port group

— Specified on-host: take the datastore or network settings from the ESXi host settings for the Agent VM
How to set SVM parameters on an ESXi host
— Configure each ESXi host independently (Configure, Virtual Machines, Agent VM Settings)
— Specify a local datastore and/or standard virtual switch


Installation results
— Installation progress:
  — NSX Manager sends URLs of SVM images and the specified datastore and network parameters to ESX Agent Manager (EAM)
  — EAM deploys service virtual machines, starts them, and sends their IP addresses to NSX Manager
  — NSX Manager sets the Installation Status to Succeeded, informs the Integration Server about this using Service Manager URL, and sends SVMs’ IP addresses to the Integration Server
  — Integration Server connects to SVM via SSH under the klconfig account with the default password, configures the settings to connect to KSC and itself, changes passwords of accounts
  — Integration Server informs NSX Manager that the setup is completed
  — NSX Manager sets Service Status to Up

— The status of Kaspersky Security for Virtualization services is displayed on the Service Deployment tab


Installation results
— When the first SVM connects to the KSC Administration Server, it creates a node named VMware vCenter (<vCenter address>) under Managed devices
— All SVMs of this vCenter are placed into this group


Lab 5

Deploy the services of Kaspersky Security for Virtualization

• Deploy the file protection and network protection services





Activation and updates
• When the user logs on to the console next time after the plug-in of Kaspersky Security for Virtualization has been installed, KSC starts the Quick Start Wizard

• The Quick Start Wizard of Kaspersky Security for Virtualization creates:
  — Policy
  — Update task
  — Full scan task

• To enable protection, distribute the license of Kaspersky Security for Virtualization to SVMs

[Diagram labels: Kaspersky Security Center; KSC components; SVM; Console Plugin; Integration Server; Activation; Updates]


How to activate Kaspersky Security for Virtualization
— Add a license to the Kaspersky Lab Licenses node
— Distribute the license using the activation task. Automatic distribution does not work
— If you have separate licenses for virtual servers and workstations, install both of them as active


Merged licenses
— From the viewpoint of Kaspersky Security Center, an endpoint cannot have two active licenses
— For this reason, licenses for workstations and servers are merged into one in the KSC Console
— An SVM treats these licenses as individual entities


Key usage report
— Names of the protected machines are
displayed only:
— For per-node licenses
— After a KSV policy is created in KSC



Update task
— The Quick Start wizard creates an Update task for the Managed devices group
— Kaspersky Security for Virtualization can download updates only from the KSC Administration Server


Lab 6

Activate Kaspersky Security for Virtualization


• Study the update task
• Activate Kaspersky Security for Virtualization
• Consult the license details



Deploying protection on new cluster hosts
— ESX Agent Manager (EAM) automatically deploys the services installed on the cluster to the new hosts
— The administrator:
  — Checks which network and which datastores are selected for service installation
  — Makes these datastores and networks available on the host
  — Adds the host to the cluster

— ESX Agent Manager automatically:
  — Installs modules and virtual machines of the services deployed in the cluster on the new host

— EAM clones service virtual machines from other cluster hosts or installs from the URLs specified in service definitions
— If the administrator removes a host from the cluster, EAM deletes all NSX service related modules and virtual machines from it


Activating protection on new cluster nodes
— New SVMs of Kaspersky Security for Virtualization are automatically placed into the administration group of their vCenter
— Kaspersky Security Center will start an activation task on new nodes if its schedule is configured to Run missed tasks


If a new version of Kaspersky Security for Virtualization has been released

1. Install the new version of Integration Server and KSC plug-in
2. Publish the new versions of Kaspersky Security for Virtualization services
3. Modify the links to the security virtual machines’ images in the Integration Server console
4. Initiate Service Upgrade in the NSX Console


How to register the new versions of services
— In the Integration Server Console, you can:
  — Adjust the settings of Kaspersky Security for Virtualization services
  — Adjust the settings of the deployed SVMs
  — Delete the services of Kaspersky Security for Virtualization from NSX


How to register the new versions of services

— Simply specify the new HTTP(S) links to the distributions
— You cannot change the network traffic processing mode
— To modify the traffic processing mode:
  — Remove the service from NSX
  — Delete the service’s registration
  — Re-register the service with the other traffic processing mode
  — Deploy the service on the protected clusters


How to initiate service upgrade in the NSX console
— One-click upgrade
— The datastore must have enough space for deploying the service virtual machine image
— The previous version of SVM will be deleted after the new one is ready for use


Kaspersky Security for Virtualization policy

— The policy is applied to service virtual machines, not to the protected machines
— To provide different protection settings for different virtual machines, the policy has:
  — vCenter object tree
  — The capability to create several protection profiles
  — The capability to assign protection profiles to vCenter objects

vCenter containers:
— Data Center
— Resource Pool
— ESXi
— vApp
— Host and Cluster Folder
— Virtual Machine

Protection Profiles:
— Security level
— Exclusions
— Actions
— Protection scope


Virtual infrastructure representation in the policy
— The Quick Start wizard creates a Kaspersky Security for Virtualization policy
— When the administrator opens the Protected infrastructure section for the first time, the policy prompts for the Integration Server access parameters to download the virtual infrastructure objects

— Use one of the following accounts:
  — Windows administrator or a member of the KLAdmins group
  — admin, whose password you can specify in the Integration Server console

— The access parameters are stored in the policy


Connecting to the vCenter server
— A policy can connect to:
  — (By default) the Integration Server: All vCenters to which the Integration Server is connected are displayed; no protection profiles are assigned by default
  — A specific vCenter: The main protection profile is assigned by default

— When you switch between the infrastructure sources, the assigned protection profiles will be reset


Main protection profile
— A profile that does not need to be created and cannot be deleted
— You can apply it to virtual machines immediately

Additional protection profiles
— Have the same set of settings as the main profile
— There can be as many profiles as you wish
— If the Active column is empty, the profile is not applied to any infrastructure object

Protection profile settings
— The protection settings are typical of Kaspersky Lab products
— Archive scanning is disabled by default
— File scan time is limited to 60 seconds
— Size of compound files is limited to 8 MB (it makes sense to increase it)


Exclusions
— You can exclude folders and files
— Additionally, you can exclude extensions, or scan only the specified extensions
— Environment variables are not supported
— * and ? wildcards are supported
— The main profile contains recommended exclusions by default
— Additional profiles do not have any default exclusions
— Exclusions can be exported and imported
— The default exclusions are stored in the file %ProgramFiles(x86)%\Kaspersky Security Center\Plugins\KSV2.plg\microsoft_file_exclusions.xml
— Valid exclusions:
    — C:\Windows\Temp\install.log
    — C:\Windows\Temp\*.log
    — ?:\Windows\Temp\*.log
    — \\share\events.db
— Invalid exclusions:
    — %systemroot%\Temp\install.log

Actions
— When detecting a threat, the Integration Server assigns the ANTI_VIRUS.VirusFound.Threat=High tag to the machine via NSX Manager
— Deleted files are stored in the backup on SVM
    — Its size is limited to 1 GB
    — By default, the files are stored for 30 days

Kaspersky Security Network
— Kaspersky Security for Virtualization supports the Kaspersky Security Network technology to the same extent as Kaspersky Endpoint Security, i.e. permits
    — Connecting Private KSN
    — Disabling Extended mode to stop sending extra information [1] to the “cloud” (GDPR support)
— The use of KSN is disabled by default, and needs to be enabled
— In Kaspersky Security for Virtualization, KSN works only via KSN proxy of Kaspersky Security Center

[1] Without the extended mode, only the file checksum is sent to KSN, which replies whether the file is dangerous. In the extended mode, additional information can be sent, which is necessary for analyzing potential threats

Why on-demand scanning is necessary
• It detects threats in archives and rarely started files

• Scans files more thoroughly than real-time protection

• Does not use cache, and detects threats that might be cached as clean files

• Fills the cache of clean files, which permits real-time protection to consume less resources

• Can scan templates and powered off machines


On-demand scan task: Differences from KES for Windows
— 4 machines or less are scanned simultaneously (by a single file protection service machine)
    — Workload is balanced for on-demand scanning
— RAM is not scanned
— Powered off virtual machines are scanned
— Supported file systems
    — FAT
    — FAT32
    — NTFS
    — EXT2
    — EXT3
    — EXT4
    — XFS
    — BTRFS
    — VFAT
    — ISO9660
    — UDF
    — CIFS
    — NFS

[Diagram: an SVM and five VMs with Thin Agents on a hypervisor with the GI ESXi Module]

Full and custom scanning
— Custom scan
    — You can select the vCenter server and the virtual machines where the task will run
— Full Scan
    — Runs on all virtual machines of all vCenter servers to which the task is assigned in Kaspersky Security Center
— The Quick Start wizard creates a full scan task for the Managed devices group (meaning, for all vCenter servers)
— Create scan tasks as group tasks in Kaspersky Security Center (for the VMware vCenter <address> Agentless group)
    — Tasks for specific computers do not add flexibility and are error-prone: it is easy to create a task that would apply to the network protection service machine. It will not scan anything at all

Custom scan
— Scans virtual machines of only one vCenter server
— It is important that the task be applied to the group of the same vCenter (the Devices section) that is connected in the Task scope section

Custom scan
— The task does not show which machines are powered on and off
— You can select the machines from among the infrastructure tree objects or specify them as NSX security groups

Scanning parameters: What to scan
— The task can scan the drives of templates and powered off virtual machines
— Optical drives are scanned only on powered on virtual machines
— By default, archives are not scanned

Scanning parameters: Actions
— The default action for powered off machines is Block
— The file will remain blocked after the machine is powered on
— To delete files from powered off machines, select Disinfect, delete if disinfection fails

Scanning parameters: Schedule
— The task supports all standard schedules
— The task completes either
    — When all machines of the scan scope are scanned, or
    — When the specified timespan is over
— Time-limited scanning:
    — Does not stop when all machines have been scanned already
    — Stops even if not all of the machines have been scanned yet
— Machines are scanned randomly every time rather than in any specific order; this way, all machines are scanned regularly

Scanning parameters: Scope
— The task can scan all files and folders except for the specified folders, or only the selected folders
— If the task scans all files and folders except for those specified, you can additionally indicate the file extensions to be scanned or skipped
— The ANTI_VIRUS.VirusFound.* security tag is removed by any on-demand scan task that is configured to Scan all files and folders except for those specified

Network threat protection
— Is disabled by default
— Scans IPv4 and IPv6 traffic
— Can disrupt a connection and block the attacking computer for the specified period of time
— If the network protection service is installed in the monitoring mode, the Ignore action will be applied regardless of the specified action

Network activity analysis
— Detects malicious activities
— Can detect adware and potentially dangerous software
— You can specify exclusions using the name of the rule that detects a threat
— Requires an Enterprise license of Kaspersky Security for Virtualization

URL scanning
— Is disabled by default
— Detects malicious and phishing links
— The automatic action blocks the web page and replaces it with a warning
— In the monitoring mode, it only sends an event to Kaspersky Security Center
— You can add web addresses to exclusions:
    — http://www.example.org and www.example.org are equivalent
    — Example.org and www.example.org are considered to be different
    — www.example.org covers www.example.org/data/index.html
    — www.example.org/index.html does not cover www.example.org/login.html

Warning language
— The administrator can change the language of the warning that will be displayed when a malicious or phishing URL is blocked
— The same warning is used for both threat types

Exclusions by addresses
— Apply to all traffic analysis methods
— The first matching rule is applied
— Format of the Scope field:
    — <network address or mask> novlan — excludes traffic without VLAN ID
    — <network address or mask> vlan <ID> — excludes traffic with the specified VLAN ID
    — <network address or mask> vlan 4095 — excludes traffic with any VLAN ID
    — <network address or mask> vlan * — excludes all traffic at the specified address (with any VLAN ID or without it)
— Format of the Rule field:
    — Default — apply the action configured for this threat type
    — Do not block — apply the configured action, but do not block traffic
    — Ignore — only inform about threats
    — Do not check — do not scan traffic or inform about threats
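
The Scope and Rule semantics of address exclusions can be checked before a list is entered into the policy. The following Python code is an added example, not part of the course material or of Kaspersky's product: it parses Scope strings, resolves the first matching rule for an address and VLAN, and flags entries that an earlier, broader entry makes unreachable. It assumes the address part is written as an IP address or CIDR block and that one endpoint address is tested per flow; all function names and the sample list are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

RULES = ("Default", "Do not block", "Ignore", "Do not check")  # from the slide
ANY_TAGGED = 4095  # per the slide, "vlan 4095" means any VLAN ID

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Exclusion:
    network: Network
    vlan: Union[int, str]  # a VLAN ID, or "novlan" / "tagged" / "any"
    rule: str


def parse_exclusion(scope: str, rule: str) -> Exclusion:
    """Parse one (Scope, Rule) pair; raise ValueError on anything malformed."""
    if rule not in RULES:
        raise ValueError(f"unknown rule: {rule!r}")
    parts = scope.split()
    if len(parts) == 2 and parts[1] == "novlan":
        vlan: Union[int, str] = "novlan"
    elif len(parts) == 3 and parts[1] == "vlan":
        if parts[2] == "*":
            vlan = "any"
        elif parts[2].isdigit() and 1 <= int(parts[2]) <= ANY_TAGGED:
            vlan = "tagged" if int(parts[2]) == ANY_TAGGED else int(parts[2])
        else:
            raise ValueError(f"bad VLAN ID in scope: {scope!r}")
    else:
        raise ValueError(f"bad scope: {scope!r}")
    # Assumption: "address or mask" is an IP address or a CIDR block.
    return Exclusion(ipaddress.ip_network(parts[0], strict=False), vlan, rule)


def vlan_matches(excl_vlan: Union[int, str], vlan_id: Optional[int]) -> bool:
    """vlan_id is None for traffic without a VLAN ID."""
    if excl_vlan == "any":
        return True
    if excl_vlan == "novlan":
        return vlan_id is None
    if excl_vlan == "tagged":
        return vlan_id is not None
    return vlan_id == excl_vlan


def effective_rule(exclusions: List[Exclusion], address: str,
                   vlan_id: Optional[int]) -> Optional[str]:
    """Rule of the first matching exclusion, or None when nothing matches."""
    ip = ipaddress.ip_address(address)
    for excl in exclusions:
        if ip in excl.network and vlan_matches(excl.vlan, vlan_id):
            return excl.rule
    return None


def vlan_covers(outer: Union[int, str], inner: Union[int, str]) -> bool:
    """True if every frame matched by `inner` is also matched by `outer`."""
    if outer == "any" or outer == inner:
        return True
    return outer == "tagged" and isinstance(inner, int)


def shadowed(exclusions: List[Exclusion]) -> List[Tuple[int, int]]:
    """Pairs (later, earlier): the later entry can never be the first match."""
    found = []
    for j, later in enumerate(exclusions):
        for i, earlier in enumerate(exclusions[:j]):
            same_family = later.network.version == earlier.network.version
            if (same_family and later.network.subnet_of(earlier.network)
                    and vlan_covers(earlier.vlan, later.vlan)):
                found.append((j, i))
                break
    return found


# Constructed exclusion list (private and documentation address ranges).
SAMPLE = [
    parse_exclusion("10.0.5.10 vlan *", "Do not check"),
    parse_exclusion("10.0.5.0/24 novlan", "Ignore"),
    parse_exclusion("10.0.0.0/8 vlan 4095", "Do not block"),
    parse_exclusion("10.0.7.0/24 vlan 20", "Ignore"),  # shadowed by the /8 entry
    parse_exclusion("2001:db8::/32 vlan 100", "Ignore"),
]

if __name__ == "__main__":
    for addr, vlan in [("10.0.5.10", 20), ("10.0.5.77", None), ("10.0.7.3", 20)]:
        print(addr, vlan, "->", effective_rule(SAMPLE, addr, vlan))
    print("shadowed (later, earlier):", shadowed(SAMPLE))
```

A shadowed entry is worth reviewing because the broader entry ahead of it decides the outcome: here traffic on 10.0.7.0/24 in VLAN 20 gets Do not block, not the Ignore rule written for it.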


Lab 7

Configure a protection policy for Kaspersky Security for Virtualization
1. Configure a policy for Kaspersky Security for Virtualization
2. Export exclusions from the main protection profile
3. Create a protection profile for servers
4. Assign the Servers protection profile to Windows-Svr

Plan
1. Install Guest Introspection drivers
2. Configure NSX for scanning files
3. Configure NSX for scanning traffic
4. Register KSV Integration Server with NSX
5. Deploy KSV services
6. Activate and update KSV services
7. Configure policies and tasks for KSV in Kaspersky Security Center
8. Configure policies and security groups in vSphere
9. Make sure that everything works and enable protection everywhere

How to enable protection on a virtual machine
1. Create an NSX security policy
2. Create an NSX security group
3. Apply the policy to the groups

— Security groups: what to protect
— Security policies: how to protect

Security policies
— Policies and security groups are configured in the Networking and Security console in the Service Composer section
— A policy can be applied to several groups, and several policies can be applied to a single group

[Diagram: Security policy 1 (Firewall, Guest Introspection, Network Introspection) and Security Group 1, Security Group 2, Security Group 3]

Configuring a security policy
— The higher the weight, the higher the priority of the policy

How to enable file scanning
— To enable file scanning, add the Kaspersky File Antimalware Protection service to the Guest Introspection Services section

How to enable scanning for inbound traffic
— To enable traffic scanning, add the Kaspersky Network Protection service to the Network Introspection Services section
— To scan inbound traffic, select Source: Any and Destination: Policy’s Security Groups

How to enable scanning for outbound traffic
— To scan outbound traffic, select Source: Policy’s Security Groups and Destination: Any
— You cannot scan all traffic using a single record in the policy; you must create two records for the Kaspersky Network Protection service

Network Introspection service. Monitored ports
— To scan traffic only on some of the ports, configure a filter in the Services section: select from among the existing services or add custom ones

Security groups
— Dynamic criteria
    — vCenter containers
    — Security tags
    — AD groups
    — Regular expressions for names of computers and virtual machines
— Static criteria
    — A limited list of objects
— If a virtual machine meets the specified criteria, it is instantly moved to the respective group

Dynamic criteria for groups
— You can specify several criteria
— You can specify several conditions in each criterion
— Conditions within a criterion as well as criteria can be combined using OR (any) or AND (all)
— To add VMware vSphere objects, select the Entity condition type
— Other conditions are specified as masks
    — OS name
    — Virtual machine name
    — Computer name
    — Security tag

How to add required objects
— In addition to the dynamic criteria, you can specify the objects to be always included in the group or excluded from it
    — Only VMware vSphere objects

How to apply a policy to groups
— To apply the policy, open the list of groups, and move the target groups from Available objects to Selected objects

Security tags
• Kaspersky Security for Virtualization assigns NSX security tags to virtual machines
    — File Protection service: ANTI_VIRUS.VirusFound.threat=*
    — Network Protection service: IDS_IPS.threat=*

• You can create security groups based on tags

• Tags can be removed manually

• The ANTI_VIRUS.VirusFound.* tag is removed by the on-demand scan task automatically if
    — The task scans all files and folders except for those specified
    — No threats have been detected

Lab 8

Enable protection
1. Create a security group in NSX
2. Create a security policy in NSX
3. Consult reports in Kaspersky Security Center


Guest Introspection and Kaspersky Security for Virtualization
— The Thin agent driver informs the ESXi module of Guest Introspection about files accessed via the VMCI interface
    — Network connections are not used
— The Guest Introspection module informs the Kaspersky File Antimalware Protection service machine about files accessed at 169.254.1.60 on port 48651
    — This address and port are in the vmservice-vshield-pg network
    — The IP address and port are reserved for Kaspersky Security for Virtualization

[Diagram: Kaspersky Security Center; NSX Manager (TCP:443); vCenter Server (TCP:443); Integration Server (TCP:7271); links labelled TCP:5671, TCP:5671, TCP:13000, TCP:7271; on the ESXi host: VMs with Thin Agents (VMCI), GI ESXi Module (169.254.1.1), Guest Introspection SVM, Kaspersky File Antimalware Protection SVM with Network Agent and EPSecLib; addresses 169.254.1.24:48655 and 169.254.1.60:48651]

File scan technologies
— Signature analysis
— Heuristic analysis
— KSN requests
    — Can be sent only through KSN proxy in Kaspersky Security Center

[Flowchart: Signature & Heuristic analysis (Harmless / Dangerous); Local KSN cache (Harmless / Dangerous / No entry); Asynchronous KSN request; Synchronous KSN request; No KSN record, or no connection; Update the record in the local KSN cache; Put the file back to the scan queue]

— Left branch:
    — Covers most of the files, since the majority of files are safe
    — An asynchronous request is sent to the KSN (the user is allowed to access the file immediately)
    — If KSN answers that the file is dangerous, it will be blocked
— Right branch:
    — Applies to comparatively rare dangerous files
    — A request sent to KSN suspends the action (synchronous request)
    — If the file is clean according to KSN, the action will not be applied (protection against false positives)

Scanning algorithm

[Flowchart (SVM, Thin Agent, VMs, Hypervisor): File access interception; Cached?; OAS disabled for VM?; Excluded by shared cache?; Matches any exclusions?; File scanning: signature analysis, heuristic analysis, KSN (via KSN proxy); File is clean?; Add the “clean” verdict to both caches; Disinfect / Delete; Access allowed]

VMware Thin Agent cache
— The cache is stored on the guest virtual machine
— On-demand scanning fills the cache, but does not use it
— The cache is cleared when:
    — The virtual machine is restarted
    — The virtual machine is moved to another host
    — Scan settings are changed in the policy
    — Databases are updated

[Flowchart: the scanning algorithm]

Shared cache on SVM
— A record in the cache includes file properties and scanning data
— Cache does not use file checksums and is potentially vulnerable to substitutions; for this reason, it is not used:
    — When scanning files in network folders
    — When scanning files on removable drives
    — By on-demand scan tasks
— Is reset only when the SVM is restarted
— Is especially efficient for VDI

[Flowchart: the scanning algorithm]

Lab 9

Test the File Protection
1. Run a test virus and consult reports in Kaspersky Security Center
2. Find the Windows-Svr security tag in the vCenter console

GI ESXi module connectivity issues
— An example of a service machine error
    — A connection between ESX module and Guest Introspection solution, Kaspersky Antimalware Protection, failed
— An example of an ESXi host error
    — Lost communication with ESX module
— KB 2094261:
    — https://docs.vmware.com/en/VMware-NSX-for-vSphere/6.4/com.vmware.nsx.troubleshooting.doc/GUID-3BEE3028-CF50-4D49-BF0E-D9FCDC92274D.html

[Diagram: the component and port diagram, with connection points marked 1 and 2 and the port groups vmservice-vshield-pg and vmservice-vmknic-pg]

Thin Agent
— vsepflt driver must be installed and running on Windows
— On Linux, check the vsep process

[Diagram: the component and port diagram, with Epsec Mux on the ESXi host]

Integration Server accessibility
— The Integration Server synchronizes information about the virtual infrastructure with vCenter
— SVMs connect to the Integration Server to receive data about the vCenter’s virtual machines
— If the Integration Server is inaccessible, protection will not work on new virtual machines

[Diagram: the component and port diagram, with the Kaspersky File Antimalware/Network Protection SVM and the Guest Introspection ESXi Module]

Kaspersky Security for Virtualization issues
— Databases are corrupted
— A wrong license
— The policy has not been applied
— For troubleshooting
    — Log on to the SVM under the root account
    — Use the utilities from the folder /opt/kaspersky/ksv/bin

Lab 10

Perform on-demand scanning
1. Create and run a virus scan task
2. Check the tags after the on-demand scanning completes

Network Introspection and Kaspersky Security for Virtualization
— SVM receives traffic from virtual machines at the level of virtual network adapters (vNIC) and analyzes it
    — Third-party services occupy slots 4-12 in packet processing IOChains on the network adapter
— In the Monitoring mode, SVM analyzes a copy of the traffic and only informs about threats
— In the standard mode, SVM can interrupt connections and block access to virtual machines
— Kaspersky Security for Virtualization scans
    — HTTP traffic of virtual machines for malicious and phishing links
    — All network traffic for dangerous activity patterns

[Diagram: Kaspersky Security Center; vCenter Server (TCP:443); NSX Manager (TCP:443); Integration Server (TCP:7271); links labelled TCP:13000, TCP:7271, TCP:5671; on the ESXi host: SVA with Network Agent, libdvfilter and dvfilterklib (VMCI); VMs attached at Slot 4; VSIP; VSFWD; Distributed Virtual Switch]

Troubleshooting
— To view which services receive traffic from virtual machines, run the summarize-dvfilter command on the ESXi host (or remotely from NSX Manager)
— Kaspersky Network Protection services are marked serviceinstance-# (you can check the number in the service attributes in Networking & Security | Service Definitions)
  — In the general sections Fastpaths and ServiceVMs
  — In the vNic slot 4-12 sections on virtual machines
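
The check on this slide can be automated over a saved copy of the summarize-dvfilter output. The Python script below is an added example, not part of the course material: the sample output is constructed and abridged, the line layout of the ServiceVMs section is an assumption, and serviceinstance-1 stands in for the number shown in Service Definitions.

```python
import re

# Constructed, abridged sample in the layout of `summarize-dvfilter` output (names and IDs made up).
SAMPLE = """\
Fastpaths:
agent: vmware-sfw, refCount: 3, rev: 0x1010000, apiRev: 0x1010000, module: vsip
agent: serviceinstance-1, refCount: 2, rev: 0x1010000, apiRev: 0x1010000, module: vsip

ServiceVMs:
serviceVM: 1, agent: serviceinstance-1

Filters:
world 70001 vmm0:web-01 vcUuid:'constructed'
 port 50331660 web-01.eth0
  vNic slot 2
   agentName: vmware-sfw
  vNic slot 4
   agentName: serviceinstance-1
world 70002 vmm0:db-01 vcUuid:'constructed'
 port 50331661 db-01.eth0
  vNic slot 2
   agentName: vmware-sfw
"""

def parse(text):
    """Return ({section: [lines]}, {vnic_name: {slot: agentName}})."""
    sections, vnics = {}, {}
    section = nic = slot = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"([A-Za-z]+):", raw.rstrip()):
            section = m.group(1)          # top-level header, e.g. "Fastpaths:"
            sections[section] = []
        elif m := re.match(r"port \d+ (\S+)", line):
            nic = m.group(1)              # vNIC name, e.g. "web-01.eth0"
            vnics[nic] = {}
        elif m := re.match(r"vNic slot (\d+)", line):
            slot = int(m.group(1))
        elif (m := re.match(r"agentName: (\S+)", line)) and nic:
            vnics[nic][slot] = m.group(1)
        elif line and section:
            sections[section].append(line)
    return sections, vnics

def check_service(text, service):
    """Where is `service` registered, and which vNICs carry it in slots 4-12?"""
    sections, vnics = parse(text)
    name = re.compile(rf"\b{re.escape(service)}(?!\d)")
    registered = [s for s in ("Fastpaths", "ServiceVMs")
                  if any(name.search(l) for l in sections.get(s, []))]
    bound = {nic: slot for nic, slots in vnics.items()
             for slot, agent in slots.items() if agent == service and 4 <= slot <= 12}
    unbound = [nic for nic in vnics if nic not in bound]
    return registered, bound, unbound

if __name__ == "__main__":
    print(check_service(SAMPLE, "serviceinstance-1"))
```

Compare the unbound list with the virtual machines that are supposed to be covered by Network Protection: a vNIC without the service in slots 4-12 has no traffic redirected to the SVM.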



Lab 11

Test Network Protection


1. Simulate a network attack
2. Open a test malicious link and a test phishing link
3. Review network protection events in Kaspersky Security Center
4. Study the Network attack report



Lab 12

Test Network Monitor


1. Install a KSV Enterprise license on the service virtual machines
2. Enable enhanced traffic analysis in the policy in Kaspersky Security Center
3. Test enhanced workstation protection using a test link
4. Prepare a file with a captured network attack
5. Replay the file with the captured network attack on the server and check the results



Plan

1. Install Guest Introspection drivers
2. Configure NSX for scanning files
3. Configure NSX for scanning traffic
4. Register KSV Integration Server with NSX
5. Deploy KSV services
6. Activate and update KSV services
7. Configure policies and tasks for KSV in Kaspersky Security Center
8. Configure policies and security groups in vSphere
9. Make sure that everything works and enable protection everywhere

Monitoring Kaspersky Security for Virtualization
• Kaspersky Security for Virtualization is an extension of the NSX platform
• The administrator monitors the protection status in the vSphere console and in the KSC console
• vSphere / NSX is responsible for
— Deployment of protection
— Status of the Guest Introspection/Network Introspection components
— Detection of malware / a network attack (via security tags)

• Kaspersky Security Center is responsible for
— Licenses
— Updates
— Events
— Reports
— Protection status
— Task results

vSphere statuses

Critical status of the ESXi host

Critical status of SVM

A critical event



Status of Guest Introspection components
— All events related to the status of Guest Introspection components (that is, to file protection) are gathered on the Monitor tab in the properties of the protected cluster



vSphere alarms
— You can configure an existing alarm
definition or create a new one
— Alarms can trigger various actions, e.g. send
email messages

Protection status
— Kaspersky Security Center considers virtual machines unprotected, since neither the Agent nor Anti-Virus is installed on them
— You can check whether a virtual machine is protected
  — In the properties of the vCenter cluster
  — In the service machine properties in Kaspersky Security Center
  — In the Protection status report



Detailed information about the virtual machines

— Aggregate statistics
— Whether the NSX profile is applied
— Path to the guest virtual machine in vSphere
— Available protection functions
— Operating system type
— Protection profile in the KSC policy
— Key type
— Last update and on-demand scanning timestamps

— Statistics can be exported to XML and CSV



Protection status report
— Possible statuses
— Virus Scan has not been performed in a long time
— Protection is disabled
— Security application is not running
— Databases are out of date

— Statuses cannot be configured

How to enable SNMP monitoring in the policy
— SNMP monitoring is disabled by default



Monitoring SVM status via SNMP
— KSV does not send SNMP traps, but reports its status on request
— To display information correctly, download the MIB file https://products.s.kaspersky-labs.com/multilanguage/administrationkit/ksv4/ksv-mib.txt
— The MIB file describes the parameters that Kaspersky Security for Virtualization can report
— Specify the MIB file in the SNMP monitoring tool
— Kaspersky Security for Virtualization uses the ksvsnmp SNMP community
  — /opt/kaspersky/<ksv | ksvns>/config/snmp/snmpd.conf

Statuses displayed in the NSX console
— The deployment status shows on which hosts installation of a service virtual machine failed and whether the Integration Server service is up
— The Integration Server monitors the status of the service virtual machines of Kaspersky Security for Virtualization and informs the NSX Manager accordingly

[Screenshot callouts: Deployment statuses; Integration Server statuses]



The Integration Server is inaccessible
— NSX Manager checks whether the Integration Server is
accessible:
— When the service starts
— When the ESXi host starts
— When the ESXi host exits the maintenance mode



SVM and Integration Server
— Service machines connect to the Integration Server
  — On port 7271 and the address specified in the service registration wizard
  — Under the svm account
  — Every 11 seconds

[Diagram labels: Kaspersky Security Center, NSX Manager, vCenter Server, Integration Server, TCP:443, TCP:7271, TCP:5671, TCP:13000, Guest Introspection SVM, Kaspersky File Antimalware/Network Protection SVM, Network Agent, VM, Thin Agent, EPSecLib, VMCI, 169.254.1.24:48655, 169.254.1.60:48651, GI ESXi Module, ESXi]



Which statuses the Integration Server is responsible for
— WARNING status
  — NOT_CONFIGURED
  — NOT_RUNNING
  — CONNECTION_LOST
  — CYCLIC_RESTARTS
— CONNECTION_LOST: the Integration Server has lost connection to the service virtual machine
  — The service machine is inaccessible
  — Wrong password of the svm user
— See the Integration Server log for details



Integration Server log
— The View trace file link is available only on
the computer where the Integration Server
is installed
— By default, logging is disabled



How to enable logging for the Integration Server
— Change the logging level in the configuration file of the Integration Server log:
  — %ProgramFiles(x86)%\Kaspersky Lab\Kaspersky VIIS\Nlog.config
— Possible values of the minlevel variable
  — Off (by default)
  — Fatal
  — Error
  — Warn
  — Info
  — Debug
  — Trace
— Log file:
  — %Programdata%\Kaspersky Lab\VIIS\logs\service.log



Password of the svm account
— The password of the svm account may be reset because the Integration Server has been reinstalled or because of other administrator actions
— You can change the password of the svm account in the Integration Server Console, on the Integration Server user accounts tab
— The Integration Server automatically connects to the service virtual machines under the klconfig account and changes the password



SVM error when accessing the Integration Server
— NOT_CONFIGURED/NOT_RECONFIGURED
  — Can not configure SVM: Product can not connect to VIIS
— Reasons
  — A wrong address was specified when registering the Integration Server
  — Certificate error (for example, because of a time difference between the Integration Server and SVM)



Guest Introspection service machine (USVM) is inaccessible
— An example of a Guest Introspection SVM error
  — Heartbeat stops from USVM (com.vmware.vshieldmanager.sam.usvm.heartbeat.stop)

[Diagram labels: Kaspersky Security Center, NSX Manager, vCenter Server, Integration Server, TCP:443, TCP:7271, TCP:5671, TCP:13000, SVA, Guest Introspection SVM, Network Agent, VM, Thin Agent, EPSecLib, VMCI, 169.254.1.24:48655, 169.254.1.60:48651, Epsec Mux, ESXi]

Please fill in the feedback form
http://

Ready to take the certification exam?


Contact us edu@kaspersky.com

Thank you!