Virtual machine file threat protection

In this section, SVM refers to an SVM with the File Threat Protection component.

An SVM with the File Threat Protection component protects virtual machines on the VMware ESXi hypervisor. Kaspersky Security protects only powered-on virtual machines that meet all the conditions for virtual machine protection.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.

Kaspersky Security starts protecting virtual machines only after you have enabled protection by using a policy. The policy defines the settings that SVMs apply when protecting virtual machines from file threats.

File Threat Protection is enabled for virtual machines if a protection profile is assigned to these virtual machines. You can assign the main protection profile that is generated automatically when a policy is created, or create and assign additional protection profiles if you want to use different protection settings for different virtual infrastructure objects.

You can assign protection profiles directly to virtual machines and other virtual infrastructure objects. In a policy that defines protection settings for a virtual infrastructure managed by a single VMware vCenter Server, you can also assign protection profiles to the virtual machines by mapping protection profiles to NSX Vendor Templates / NSX Profile Configurations (depending on VMware NSX Manager type you use: VMware NSX-T Manager or VMware NSX-V Manager).

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

• If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
• If viruses or other malware is detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

  Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

The Signature analysis and machine learning scan method is used for protection of virtual machines. Protection using signature analysis and machine learning provides the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

Additionally, during virtual machines protection, the Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

• If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes less resources of the SVM.
• If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky experts.

Information about all events that occur during protection of virtual machines is logged in a report.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.