Integration of Kaspersky Security components with VMware virtual infrastructure

Requirements for integration of Kaspersky Security components with VMware virtual infrastructure:

The File Threat Protection component interacts with the VMware virtual infrastructure in the following way:

  1. The user or any application opens, saves, or runs files on a virtual machine that is protected by Kaspersky Security.
  2. The Guest Introspection Thin Agent component intercepts information about these events and sends it to the Guest Introspection service.
  3. The Guest Introspection service relays information about received events to the File Threat Protection component installed on the SVM.
  4. If File Threat Protection is enabled in the active Kaspersky Security policy, the File Threat Protection component scans files that the user or an application opens, saves, or runs on the protected virtual machine:
    • If no viruses or other malware are detected in the files, Kaspersky Security grants access to the files.
    • If the files contain viruses or other malware, Kaspersky Security performs the action that is specified in the settings of the protection profile assigned to this virtual machine. For example, Kaspersky Security disinfects or blocks a file.

Interaction between the Network Threat Protection component and the virtual infrastructure depends on the traffic processing mode of the component. If you use the standard traffic processing mode, the Network Threat Protection component interacts with the VMware virtual infrastructure as follows:

  1. The virtual filter intercepts inbound and outbound network packets in the traffic of protected virtual machines and redirects them to the Network Threat Protection component installed on SVMs.
  2. If Network Threat Protection is enabled in the active Kaspersky Security policy, the Network Threat Protection component can, in accordance with the configured protection settings, scan network packets to detect activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure. It can also scan all web addresses in HTTP requests to check whether they belong to the web address categories specified in the Web Addresses Scan settings.

    If Kaspersky Security does not detect a network attack, suspicious network activity, or a web address belonging to the web address categories selected for detection, it allows transfer of the network packet.

    If a network threat is detected, Kaspersky Security does the following:

    • If activity typical of network attacks is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If suspicious network activity is detected, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • If a web address belongs to one or more of the web address categories selected for detection, Kaspersky Security performs the action that is specified in the policy settings. For example, Kaspersky Security blocks or allows access to the web address.

If Kaspersky Security is deployed in the infrastructure managed by VMware NSX-V Manager and the network protection is running in the monitoring mode, the Network Threat Protection component interacts with the virtual infrastructure as follows:

  1. The virtual filter passes a copy of virtual machine traffic to the Network Threat Protection component.
  2. If Network Threat Protection is enabled in the active Kaspersky Security policy, in accordance with the configured protection settings, the Network Threat Protection component can scan network packets and web addresses as in the standard mode. When Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it does not take any actions to prevent the threats, but only sends information about the detected threats to Kaspersky Security Center Administration Server.
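
The difference between the standard and monitoring modes described above can be seen by running the same traffic through both. The following is an added conceptual model, not Kaspersky or VMware code: every class, function, and policy value is hypothetical, the scan result is a constructed label on each sample packet, and passing traffic unscanned when the component is disabled is an assumption.

```python
from dataclasses import dataclass, field
from typing import Optional

# Conceptual model: every name below is hypothetical, not a Kaspersky or VMware API.
STANDARD, MONITORING = "standard", "monitoring"

@dataclass
class Policy:
    enabled: bool = True  # Network Threat Protection enabled in the active policy
    web_categories: frozenset = frozenset({"gambling"})  # categories selected for detection
    actions: dict = field(default_factory=lambda: {
        "network_attack": "block", "suspicious_activity": "allow", "web_category": "block"})

@dataclass
class Packet:
    src_ip: str
    finding: Optional[str] = None  # constructed scan result: "network_attack" / "suspicious_activity"
    url_categories: frozenset = frozenset()  # categories of the web address in an HTTP request

def process(packet, policy, mode):
    """Return (delivered, detection, action) for one packet of a protected VM."""
    if not policy.enabled:
        return True, None, None  # assumption: a disabled component passes traffic unscanned
    detection = packet.finding
    if detection is None and packet.url_categories & policy.web_categories:
        detection = "web_category"
    if detection is None:
        return True, None, None  # nothing detected: transfer is allowed
    if mode == MONITORING:
        # Only a copy was scanned; the original packet is delivered and the
        # detection is reported to the Administration Server.
        return True, detection, "report_only"
    action = policy.actions[detection]  # standard mode: the policy action applies
    return action != "block", detection, action

# Constructed sample traffic (documentation-range addresses).
TRAFFIC = [
    Packet("192.0.2.10"),
    Packet("198.51.100.7", finding="network_attack"),
    Packet("198.51.100.8", finding="suspicious_activity"),
    Packet("192.0.2.11", url_categories=frozenset({"gambling", "news"})),
]

def delivered_sources(mode, policy=None):
    """Source IPs whose packets reach their destination in the given mode."""
    policy = policy or Policy()
    return [p.src_ip for p in TRAFFIC if process(p, policy, mode)[0]]

if __name__ == "__main__":
    for mode in (STANDARD, MONITORING):
        print(mode, [process(p, Policy(), mode) for p in TRAFFIC])
```

In monitoring mode every sample packet is delivered, so protection depends on someone acting on the detections reported to Kaspersky Security Center Administration Server.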