Kaspersky Security for Virtualization 6.0 Light Agent

How to remove duplicate virtual machines from the list of managed devices in Kaspersky Security Center

July 3, 2024

ID 99595

In some VDI infrastructures, after a user session ends, the temporary virtual machine is powered off without shutting down the guest operating system or stopping applications. As a result, the Light Agent running on the virtual machine does not transmit information about the shutdown of that virtual machine to Kaspersky Security Center, and the virtual machine is not removed from the list of managed devices in Kaspersky Security Center. At the next startup, the temporary virtual machine is registered in Kaspersky Security Center again, and the entry representing the previous session for the virtual machine template remains in the list of managed devices as a duplicate. The list of managed devices therefore accumulates a large number of temporary virtual machines, one for each user session in the VDI infrastructure.

This problem exists, for example, for VDI infrastructures based on Termidesk and Basis.WorkPlace.

You can use one of the following methods to remove a temporary virtual machine from the list of managed devices in Kaspersky Security Center after it is powered off:

  • Before powering off the temporary virtual machine, stop the Kaspersky Security Center Network Agent (the 'klnagent' service). To do this, run the following command:
    • On a virtual machine with a 64-bit Linux operating system:

      systemctl stop klnagent64

    • On a virtual machine with a 32-bit Linux operating system:

      systemctl stop klnagent

    • On a virtual machine with a 32-bit Windows operating system:

      net stop klnagent

    While shutting down, the Network Agent notifies Kaspersky Security Center about the temporary virtual machine shutting down, and the virtual machine is removed from the list of managed devices in Kaspersky Security Center.

  • After starting the virtual machine and the Network Agent (the 'klnagent' service):
    1. Take note of the device ID assigned to the virtual machine. The device ID is in the Protection_HostId parameter in the protection information of the client device:
      • On a Linux virtual machine, it is in the text files in the "/var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/" directory.
      • On a 32-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
      • On a 64-bit Windows virtual machine, it is in the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\Components\34\1103\1.0.0.0\Statistics\AVState registry key.
    2. When the user is done working with the temporary virtual machine, delete the device by ID using the Kaspersky Security Center Open API: HostGroup::RemoveHost (wstring strHostName).
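
A sketch of the second method for a Linux virtual machine, added here as an illustration (it is not Kaspersky's code). The port 13299, the /api/v1.0/login call with a KSCBasic header, and the PxgError response key follow the public Kaspersky Security Center Open API documentation and should be checked against your version. The file layout (a GUID-formatted ID on the same line as Protection_HostId) and the function names are assumptions.

```python
import base64, json, re, ssl
from pathlib import Path
from urllib.request import Request, build_opener, HTTPCookieProcessor, HTTPSHandler

AVSTATE_DIR = "/var/opt/kaspersky/klnagent/1103/1.0.0.0/Statistics/AVState/"  # path from the article
# Assumption: the ID is GUID-formatted and sits on the same line as the parameter name.
HOST_ID_RE = re.compile(
    r"Protection_HostId[^\n]*?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})")

def read_host_id(directory=AVSTATE_DIR):
    """Return the first Protection_HostId found in the directory's files, else None."""
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        match = HOST_ID_RE.search(path.read_text(errors="replace"))
        if match:
            return match.group(1)
    return None

def build_requests(server, user, password, host_id):
    """Build the login and HostGroup.RemoveHost requests without sending them."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    # internal="1" assumes an internal Kaspersky Security Center user account.
    auth = f'KSCBasic user="{b64(user)}", pass="{b64(password)}", internal="1"'
    login = Request(f"https://{server}:13299/api/v1.0/login", data=b"{}", method="POST",
                    headers={"Authorization": auth, "Content-Type": "application/json"})
    remove = Request(f"https://{server}:13299/api/v1.0/HostGroup.RemoveHost",
                     data=json.dumps({"strHostName": host_id}).encode(), method="POST",
                     headers={"Content-Type": "application/json"})
    return login, remove

def remove_host(server, user, password, ca_file, directory=AVSTATE_DIR):
    """Delete this VM from the list of managed devices; returns the ID that was removed."""
    host_id = read_host_id(directory)
    if host_id is None:
        raise RuntimeError("Protection_HostId not found; is klnagent running?")
    # Verify the Administration Server certificate instead of disabling TLS checks.
    ctx = ssl.create_default_context(cafile=ca_file)
    # The cookie processor carries the session from the login call to RemoveHost.
    opener = build_opener(HTTPSHandler(context=ctx), HTTPCookieProcessor())
    for req in build_requests(server, user, password, host_id):
        with opener.open(req, timeout=30) as resp:
            body = json.loads(resp.read() or b"{}")
        if "PxgError" in body:
            raise RuntimeError(f"Kaspersky Security Center returned an error: {body['PxgError']}")
    return host_id
```

Because the credentials are present on every temporary virtual machine, use an account whose rights are limited to deleting devices.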
