Integration of Kaspersky Security components with VMware virtual infrastructure

25 March 2022

ID 90794

The following components are required for the integration of Kaspersky Security components with a VMware virtual infrastructure:

  • VMware vCenter Server. The component performs administration and centralized management of a VMware virtual infrastructure. The component participates in the deployment of Kaspersky Security. VMware vCenter Server sends the Integration Server information about the VMware virtual infrastructure that is required for operation of the application.
  • VMware NSX Manager. The component enables registration and deployment of Kaspersky Security services.
  • Virtual filter (VMware DVFilter). The component enables interception of network packets in inbound and outbound traffic of protected virtual machines.
  • Guest Introspection Thin Agent. The component collects data on virtual machines and transmits files to Kaspersky Security for scanning. To enable Kaspersky Security to protect virtual machines, the Guest Introspection Thin Agent must be installed and enabled on these virtual machines.

    Guest Introspection Thin Agent is included in the VMware Tools distribution kit. For details on how to install or update VMware Tools, refer to the VMware product documentation.

  • Guest Introspection service and Guest Introspection ESXi Module. The components enable the interaction between SVMs and the Guest Introspection Thin Agent installed on a virtual machine.
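
The requirement above that the Guest Introspection Thin Agent be installed and enabled can be checked from inside a Windows guest. The following is an added example, not part of the Kaspersky or VMware documentation; it assumes the Thin Agent's file introspection driver is registered under the name vsepflt (the name VMware Tools uses, not stated on this page), and the function name is hypothetical.

```powershell
# Added example: report whether the Guest Introspection file driver is present
# and running on this Windows guest. Without it, file events from this VM are
# not relayed to the SVM for scanning.
# Assumption: the driver is registered as 'vsepflt' (VMware Tools naming).
function Test-GuestIntrospectionThinAgent {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'vsepflt'
    )

    # Kernel drivers are exposed through Win32_SystemDriver.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$DriverName'" -ErrorAction SilentlyContinue

    if (-not $driver) {
        $status = 'NotInstalled'      # VMware Tools missing or installed without the agent
    } elseif ($driver.StartMode -eq 'Disabled') {
        $status = 'Disabled'          # installed but prevented from loading
    } elseif ($driver.State -ne 'Running') {
        $status = 'Stopped'           # installed, not currently loaded
    } else {
        $status = 'Running'
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        Driver          = $DriverName
        Status          = $status
        StartMode       = if ($driver) { $driver.StartMode } else { $null }
        ThinAgentActive = ($status -eq 'Running')
    }
}

$result = Test-GuestIntrospectionThinAgent
$result

# Non-zero exit code lets an inventory or compliance job flag the VM.
if (-not $result.ThinAgentActive) { exit 1 }
```

A VM that reports anything other than Running should be treated as not covered by File Anti-Virus until VMware Tools is installed or repaired with the Thin Agent included.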

The File Anti-Virus component interacts with the VMware virtual infrastructure in the following way:

  1. The user or any application opens, saves, or runs files on a virtual machine that is protected by Kaspersky Security.
  2. The Guest Introspection Thin Agent intercepts information about these events and relays it to the Guest Introspection service.
  3. The Guest Introspection service relays information about received events to the File Anti-Virus component installed on the SVM.
  4. The File Anti-Virus component scans files that the user or an application opens, saves, or runs on a protected virtual machine.
    • If no viruses or other malware are detected in the files, Kaspersky Security grants access to the files.
    • If the files contain viruses or other malware, Kaspersky Security performs the action that is specified in the settings of the protection profile assigned to this virtual machine. For example, Kaspersky Security disinfects or blocks a file.

Interaction between the Network Threat Detection component and the VMware virtual infrastructure depends on the traffic processing mode that you selected during registration of the network protection service (Kaspersky Network Protection). If you selected the standard traffic processing mode, the Network Threat Detection component interacts with the VMware virtual infrastructure as follows:

  1. The virtual filter (VMware DVFilter) intercepts network packets in inbound and outbound traffic of protected virtual machines and redirects them to the Network Threat Detection component installed on the SVM.
  2. The Network Threat Detection component performs the following actions:
    • Scans network packets for activity typical of network attacks:
      • If no network attack is detected, Kaspersky Security allows the network packets to be relayed to the virtual machine.
      • If activity typical of network attacks is detected, Kaspersky Security will perform the action that is specified in the settings of the policy. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • Scans network packets for suspicious network activity that may be a sign of an intrusion into the protected infrastructure:
      • If no suspicious network activity is detected, Kaspersky Security allows the network packets to be relayed to the virtual machine.
      • If suspicious network activity is detected, Kaspersky Security will perform the action that is specified in the settings of the policy. For example, Kaspersky Security blocks or allows network packets coming from the IP address from which the network attack originated.
    • Checks all web addresses inside network packets against the databases of malicious and phishing web addresses:
      • If the web address is not found in the databases of malicious and phishing web addresses, Kaspersky Security allows access to this web address.
      • If a web address is found in the databases of malicious and phishing web addresses, Kaspersky Security will perform the action that is specified in the settings of the policy. For example, Kaspersky Security blocks or allows access to the web address.

If you selected monitoring mode during registration of the network protection service (Kaspersky Network Protection), the Network Threat Detection component receives a copy of the traffic of virtual machines. When signs of intrusions or attempts to access malicious web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.
