In this section, SVM refers to an SVM with the File Threat Protection component.
An SVM with the File Threat Protection component lets you perform virus scan of the files on virtual machines on the VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.
The settings that SVMs apply while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:
A Full Scan task is automatically created after installing the Kaspersky Security main administration plug-in in the Managed devices folder of the main Administration Server of Kaspersky Security Center. This task lets you perform virus scan of all virtual machines that are protected by all SVMs and are not part of a Cloud Director organization. You can manually run this task.
You can start scan tasks manually, define a scan task run schedule, and view information about the progress and results of tasks.
Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines.
If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.
The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning using signature analysis and machine learning provides the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.
When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.
The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable file, which raises the probability of threat detection.
If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.
Special considerations for scanning virtual machines:
When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.
Information on the scan results and on events that occurred during scan tasks execution is logged in a report.
After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).