Scanning virtual machines

13 December 2023

ID 186130

Kaspersky Security lets you run a virus scan on the files of virtual machines on a VMware ESXi hypervisor. Virtual machine files need to be scanned regularly with new anti-virus databases to prevent the spread of malicious objects.

The settings that Kaspersky Security applies while scanning virtual machines are defined by using scan tasks. Kaspersky Security uses the following scan tasks:

  • Full Scan. This task lets you run a virus scan on the files of all virtual machines in your virtual infrastructure.
  • Custom Scan. This task lets you run a virus scan on the files of those virtual machines that you specified in the task settings. You can specify individual virtual machines or VMware virtual infrastructure objects of a higher level of the hierarchy.

You can set a schedule for running scan tasks, manually run a scan task, and view information about the progress and results of tasks.

If viruses or other malware are detected in a file during scanning of virtual machine files, Kaspersky Security assigns the Infected status to the file. If the scan cannot conclusively determine whether or not the file is infected (the file may contain a code sequence that is characteristic of viruses or other malware, or contain modified code from a known virus), Kaspersky Security also assigns the Infected status to the file.

The Signature analysis and machine learning scan method is used when scanning virtual machines. Scanning using signature analysis and machine learning provides the minimum acceptable security level. Kaspersky Security uses application databases containing information about known threats and about the methods to neutralize them. Based on the recommendations of Kaspersky experts, the Signature analysis and machine learning scan method is always enabled.

When scanning virtual machines, Heuristic analysis is used. This is a technology designed for detecting threats that cannot be detected with the aid of Kaspersky application databases. Heuristic analysis detects files that could be infected with malware for which there are not yet any database signatures or infected with a new variety of a known virus. Files in which a threat is detected during heuristic analysis are marked as Infected.

The deep heuristic analysis level is always used during virtual machine scanning irrespective of the selected security level. Heuristic Analyzer performs the maximum number of instructions in executable file, which raises the probability of threat detection.

If an application that collects information and sends it to be processed is installed on a virtual machine, Kaspersky Security may classify this application as malware. To avoid this, you can exclude the application from the scan scope.

Special considerations for scanning virtual machines:

  • When performing scan tasks, Kaspersky Security can scan powered-off virtual machines that have the following file systems: NTFS, FAT32, EXT2, EXT3, EXT4, XFS, BTRFS.
  • When performing scan tasks, Kaspersky Security can scan virtual machine templates.
  • When scanning virtual machines running Windows operating systems, Kaspersky Security does not scan files in network folders. Kaspersky Security is able to scan files in network folders only when the user or an application accesses those files. If you want to regularly scan files in network folders, you must configure a scan task for virtual machines that have open network access to files and folders, and include those files and folders into the task scan scope.

    When scanning virtual machines running Linux operating systems, Kaspersky Security scans files in CIFS network file systems if the directories in which the CIFS network file systems are mounted are included in the task scan scope. Scanning files in NFS network file systems is not supported.

After a scan task finishes, you are advised to view the list of files that are blocked as a result of the scan task and manage them manually. For example, you can save file copies in a location that is inaccessible for a virtual machine user or delete the files. You must first exclude the blocked files from protection in the settings of the protection profile assigned to the virtual machines, or temporarily disable protection of the virtual machines on which these files were blocked. You can view the details of blocked files by filtering events by the File blocked event (for more details, please refer to the Kaspersky Security Center documentation).

In this section:

Creating a full scan task

Creating a custom scan task

Configuring virtual machine scan settings in a scan task

Configuring the scan scope in a scan task

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.