About Kaspersky Security policies and protection profiles

To manage the application, you can use a policy for one KSC cluster and a policy for all KSC clusters:

• A policy for one KSC cluster is created in the administration group containing the KSC cluster, and is applied on all SVMs of this KSC cluster. A policy defines the protection settings for all virtual machines within a KSC cluster protected infrastructure, which means all virtual machines managed by the VMware vCenter Server corresponding to the KSC cluster.
• A policy for all KSC clusters is created in the Managed devices administration group and is applied on all SVMs of all KSC clusters. A policy defines the protection settings for all virtual machines within the protected infrastructure of all KSC clusters, which means all virtual machines managed by all VMware vCenter servers.

Virtual machine protection settings within a policy are defined by a protection profile (hereinafter also referred to as simply "profile"). The main protection profile is formed during policy creation.

In a policy for one KSC cluster, by default the main protection profile is assigned to the root object (VMware vCenter Server) within the structure of VMware inventory objects. All VMware inventory objects, including virtual machines within the KSC cluster protected infrastructure, inherit the main protection profile (unless they have been assigned a protection profile of their own) in the order of inheritance of protection profiles. Thus, all virtual machines within the KSC cluster protected infrastructure are assigned identical protection settings.

In a policy for all KSC clusters, the main profile is not assigned to any object by default.

Although the main protection profile cannot be deleted, you can edit its settings.

After creating a policy, you can create additional protection profiles. Additional protection profiles let you flexibly configure different protection settings for different virtual machines.

A policy can include one main protection profile and several additional protection profiles. A protection profile is assigned to VMware inventory objects within the KSC cluster protected infrastructure. Only one protection profile may be assigned to a single VMware inventory object (see the following figure).

Protection profiles

Kaspersky Security protects the virtual machine according to the settings that are specified in the protection profile assigned to the virtual machine.

You can configure the following settings in a protection profile:

• Security level. You can select one of the preset security levels (High, Recommended, Low) or configure your own security level (Custom). The security level defines the following scan settings:
  • Scanning of archives, self-unpacking archives, embedded OLE objects, and compound files
  • Restriction on file scan duration
  • List of objects to detect
• Action that Kaspersky Security performs after detecting infected files.
• Protection scope (scanning of network drives during protection of virtual machines).
• Exclusions from protection (by name, by file extension or path, by file mask or path to the folder containing files to be skipped).

In the properties of a previously created policy, you can configure the following application settings:

• Settings for Network Attack Blocker and detection of suspicious network activity
• Web Addresses Scan settings
• Backup settings
• KSN usage settings

The settings and groups of settings of a policy have the "lock" attribute, which shows whether or not the application blocks modifications to settings in nested policies (for nested administration groups and slave Administration Servers). If a setting or a group of settings in a policy is "locked" (), it is impossible to change the values of these settings in policies of a nested level of the hierarchy (please refer to the Kaspersky Security Center documentation).

Kaspersky Security Center makes it possible to form a complex hierarchy of administration groups and policies (see the Kaspersky Security Center documentation for details). In Kaspersky Security, each policy receives information about the virtual infrastructure from the Integration Server that connects to a specific VMware vCenter Server. If you are using a complex hierarchy of administration groups and policies, a lower-level policy inherits incorrect settings for receiving information about the virtual infrastructure. It is not recommended to create a complex hierarchy of administration groups and policies when configuring Kaspersky Security settings. Instead, you should create an individual policy for the administration group that contains the KSC cluster.