File Anti-Virus. Protecting virtual machines

In this section, SVM refers to an SVM with the File Anti-Virus component installed.

An SVM with the File Anti-Virus component installed protects virtual machines on the VMware ESXi hypervisor. Kaspersky Security starts protecting virtual machines only after you have enabled protection by using a policy.

If the application is not activated or the application databases are missing on SVMs, Kaspersky Security does not protect the virtual machines.

Kaspersky Security protects only powered on virtual machines that meet all the conditions for virtual machine protection.

When a user or program attempts to access a virtual machine file, Kaspersky Security scans this file.

• If no viruses or other malware are detected in the file, Kaspersky Security grants access to this file.
• If viruses or other malware is detected in a file, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

  Kaspersky Security then performs the action that is specified in the protection profile of the virtual machine; for example, it disinfects or blocks the file.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from protection. The list of exclusions is configured in the protection profile settings.

Signature and heuristic analysis is used during protection of virtual machines. Signature analysis uses Kaspersky Security databases that contain information about known threats and ways to neutralize them. Protection that uses signature analysis provides a minimally acceptable security level. In accordance with the recommendations of Kaspersky Lab experts, this method is always enabled.

Heuristic analysis is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky Lab application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The heuristic analysis level depends on the selected security level:

• If the security level is set to Low, the superficial heuristic analysis level is applied. Heuristic Analyzer does not perform all instructions in executable files while scanning executable files for malicious code. At this heuristic analysis level, the probability of detecting a threat is lower than at the medium heuristic analysis level. Scanning is faster and consumes less resources of the SVM.
• If the security level is set to Recommended, High, or Custom, the medium heuristic analysis level is applied. While scanning files for malicious code, Heuristic Analyzer performs the number of instructions in executable files that is recommended by Kaspersky Lab.

Information about all events that occur during protection of virtual machines is logged in a report.

You are advised to regularly view the list of files blocked in the course of virtual machine protection and manage them. For example, you can save file copies to a location that is inaccessible to a virtual machine user or delete the files. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

To gain access to files that were blocked as a result of virtual machine protection, you must exclude these files from protection in the settings of the profile assigned to the virtual machines, or temporarily disable the protection of these virtual machines.