Scanning virtual machines
December 13, 2023
In this section, SVM refers to an SVM with the File Threat Protection component.
An SVM with the File Threat Protection component lets you perform virus scan of the files on virtual machines on the VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.
The settings that SVMs apply while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:
- Full Scan. This task lets you run a virus scan on the files of all virtual machines within the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task.
A Full Scan task is automatically created after installing the Kaspersky Security main administration plug-in in the Managed devices folder of the main Administration Server of Kaspersky Security Center. This task lets you perform virus scan of all virtual machines that are protected by all SVMs and are not part of a Cloud Director organization. You can manually run this task.
- Custom Scan. This task lets you run a virus scan on files of specified virtual machines from the task scope. The scope of a task depends on where the task is located within the hierarchy of administration groups of Kaspersky Security Center, and depends on the Kaspersky Security administration plug-in that you use to create the task. In the selected scope, you need to indicate the virtual machines that need to be scanned. You can specify individual virtual machines, VMware virtual infrastructure objects of a higher hierarchy level, or NSX Groups that include the desired virtual machines.
You can start scan tasks manually, define a scan task run schedule, and view information about the progress and results of tasks.
Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines.
If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.
The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning using signature analysis and machine learning provides the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.
When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.
The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable file, which raises the probability of threat detection.
If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.
Special considerations for scanning virtual machines:
- When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
- When performing scan tasks, Kaspersky Security can scan virtual machine templates.
- When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.
When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.
- During execution of the scan task, one SVM with the File Threat Protection component simultaneously scans files on no more than four virtual machines.
Information on the scan results and on events that occurred during scan tasks execution is logged in a report.
After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).