File Anti-Virus. Scanning virtual machines

25 March 2022

ID 57666

In this section, SVM refers to an SVM with the File Anti-Virus component installed.

Kaspersky Security lets you perform a virus scan on files of virtual machines. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

Kaspersky Security scans only virtual machines that meet all the conditions for scanning virtual machines.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

Signature analysis and heuristic analysis are used during scanning of virtual machines. Signature analysis uses Kaspersky Security databases that contain information about known threats and ways to neutralize them. Scanning while using signature analysis ensures the minimum acceptable security level. In accordance with the recommendations of Kaspersky Lab experts, this method is always enabled.

Heuristic analysis is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky Lab application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. At this level, Heuristic Analyzer performs the maximum number of instructions in an executable file, which raises the probability of threat detection.

Kaspersky Security uses the following scan tasks:

  • Full Scan. This task is started on SVMs that you selected when creating the task, and lets you perform a virus scan on all virtual machines that are protected by those SVMs. You can create a full scan task for all SVMs of one KSC cluster, for all SVMs of all KSC clusters, or for an individual SVM. Depending on this, the task scope includes all virtual machines within the protected infrastructure of one KSC cluster, all virtual machines within the protected infrastructure of all KSC clusters, or all virtual machines under the protection of a specific SVM.

    After Kaspersky Security plug-ins are installed, the Full Scan task is automatically created for the Managed devices administration group. This task lets you perform a virus scan on all virtual machines that are protected by all SVMs. You can manually run this task.

  • Custom Scan. This task is started on all SVMs of one KSC cluster that you selected when creating the task, and lets you run a virus scan of specified virtual machines within the protected infrastructure of the selected KSC cluster. The Custom Scan task scope includes the virtual machines that you specified in the task settings. You can specify individual virtual machines and their combinations or specify NSX Security Groups whose virtual machines need to be scanned.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the task scan scope.

Special considerations for scanning virtual machines:

  • When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
  • When performing scan tasks, Kaspersky Security can scan virtual machine templates.
  • When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders in the task scan scope.

    When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

  • During execution of a scan task, one SVM with the File Anti-Virus component simultaneously scans the files of no more than four virtual machines.

You can start scan tasks manually or schedule them.

The progress of a scan is shown on the Tasks tab in the workspace of the folder with the name of the KSC cluster for whose SVMs you have started the scan task.

Information on the scan results and on events that occurred during scan task execution is logged in a report.

After a scan task finishes, you are advised to view the list of files that were blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible to a virtual machine user or delete the files. Before doing so, you must exclude the blocked files from protection in the settings of the profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files in the threats report or by filtering events by the File blocked event (please refer to the Kaspersky Security Center documentation).

In this Help section

Conditions for anti-virus scan of virtual machines

Creating a full scan task

Creating a custom scan task