
Kaspersky Technical Training

KL 014.50

Kaspersky Security for Virtualization 5.0. Agentless

Lab Guide
Kaspersky Lab
www.kaspersky.com
Table of contents
Lab 1. Start the virtual machines
Lab 2. Configure NSX for the file scan service of Kaspersky Security for Virtualization
Lab 3. Configure NSX for deploying the network protection service of Kaspersky Security for Virtualization
Lab 4. Register Kaspersky Security for Virtualization services with NSX
Lab 5. Deploy the services of Kaspersky Security for Virtualization
Lab 6. Activate Kaspersky Security for Virtualization
Lab 7. Configure a protection policy for Kaspersky Security for Virtualization
Lab 8. Enable protection
Lab 9. Test file protection
Lab 10. Perform on-demand scanning
Lab 11. Test Network Protection
Lab 12. Test Network Monitor
L–2 KASPERSKY LAB™
KL 014.50: Kaspersky Security for Virtualization 5.0 Agentless

Lab 1. Start the virtual machines
Scenario. Let us prepare for the labs: Connect to vCenter Server and start the virtual machines.

Contents:

1. Connect to the virtual infrastructure
2. Power on the virtual machines

Task A: Connect to the virtual infrastructure

Run Microsoft Remote Desktop and connect to the remote server. Then connect to your virtual environment using Internet
Explorer.

1. Ask the trainer for the IP address of the server and credentials for connecting to the virtual infrastructure
2. Run Microsoft Remote Desktop Connection, type the IP address and click Connect
3. Enter the username and password
4. After connecting to the remote server, start Internet Explorer
5. Connect to vCenter Server at https://vcenter-server/ui
6. In the VMware Enhanced Authentication Plug-in Access Control window, click Allow
7. Select the Use Windows session authentication check box and click Login

Task B: Power on the virtual machines

Start the virtual machines DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr.

8. In the upper part of the page, click Menu and select VMs and Templates
9. Expand the Greenland node
10. Select the DC machine, then click ACTIONS | Power | Power On
11. Select the vCenter machine, then click ACTIONS | Power | Power On
12. Power on the NSX-Mgr, ESXi, and KSC-Svr machines in a similar manner

Conclusion

You have powered on the virtual machines and are ready to start the labs.

Lab 2. Configure NSX for the file scan service of Kaspersky Security for Virtualization
Scenario. ABC Inc. has a virtual infrastructure on VMware vSphere. The IT department plans to deploy the NSX network
virtualization platform. It will allow the administrators to create new network configurations faster and automate the workflow.

To provide security for such a dynamic environment, the company has decided to deploy Kaspersky Security for
Virtualization | Agentless, a protection solution integrated with NSX.

In this lab, we will prepare the infrastructure for installing the file protection service of Kaspersky Security for Virtualization.

Contents: Install the Guest Introspection service.



Task A: Install the Guest Introspection service

The Guest Introspection service is necessary for various NSX technologies. For example, it provides Kaspersky Security for
Virtualization with the files to be scanned.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Select the KSC-Svr virtual machine
2. Click the Launch Remote Console link
3. Clear the check box Always ask before opening this type of address and click Allow
4. Log on to the KSC-Svr server under the ABC\Administrator account with the password Ka5per5Ky
5. Run the Firefox browser
6. Open the vCenter web interface at https://vcenter.abc.lab/
7. Click LAUNCH VSPHERE CLIENT (HTML 5)
8. Enter the username of the server administrator Administrator@vsphere.local and password Ka5per5Ky!
9. Click Login
10. In the upper part of the page, click Menu and select Networking and Security
11. Open the Installation and Upgrade section and switch to the Service Deployment tab
12. Make sure that NSX Manager: 10.28.0.200 is displayed on the list. If it is not, wait a bit longer and refresh the page
13. Click + ADD
14. In the wizard window that opens, select Guest Introspection. Note that the service can also be installed later on schedule
15. Click Next
16. Select Lab Cluster and click Next
17. Select the DS-Mgmt network and click Next
18. On the last page of the wizard, click Finish
19. Wait for the installation to complete
20. Refresh the page in the web browser (F5). Make sure that the Guest Introspection service has been installed and its status is Up
21. Switch to the Hosts and Clusters view
22. Make sure that a Guest introspection virtual machine has appeared on the host in the ESX Agents resource pool

Conclusion

The Guest Introspection service is a virtual machine and an ESXi module. The NSX Manager installs them (using ESX Agent
Manager) on each node of an ESXi cluster. This service is necessary only for the file protection service of Kaspersky Security
for Virtualization.

Lab 3. Configure NSX for deploying the network protection service of Kaspersky Security for Virtualization
Scenario. In addition to protecting the file system of virtual machines, ABC Inc. plans to scan network traffic. To achieve this,
you need to prepare the virtual network infrastructure. An NSX Advanced or NSX Enterprise license is a must.

To protect the file system, a free NSX for vShield Endpoint license is sufficient, which is included with NSX installation by
default.

Contents:

1. Add an Advanced/Enterprise NSX license
2. Install the NSX components on the cluster

Task A: Add an Advanced/Enterprise NSX license

With the default NSX license, you can use the file protection of Kaspersky Security for Virtualization. To protect virtual
machines against network attacks, at least an NSX Advanced license is required. Let’s add it.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Open a new tab in Firefox
2. Open the vCenter web interface at https://vcenter.abc.lab/
3. Click LAUNCH VSPHERE WEB CLIENT (FLEX)
4. Permit starting Adobe Flash: Select the check box Remember this decision and click Allow
5. Click the Home icon in the upper part of the page and select Administration on the drop-down menu
6. Select the Licenses section and switch to the Licenses tab
7. Make sure that an NSX for vShield Endpoint license is available by default
8. On the Licenses tab, scroll right to view more columns
9. Make sure that the license does not put a limit on either the number of processors or the use time
10. Click to add a license
11. Ask the instructor for the license code
12. Paste the code to the box and click Next
13. Notice that the license puts a limit on the number of processors
14. Name the license NSX Ent and click Next
15. On the last page of the wizard, click Finish
16. Make sure that the new license is displayed on the list
17. Switch to the Assets | Solutions tab
18. Make sure that NSX for vSphere uses an NSX for vShield Endpoint license
19. Select the NSX for vSphere solution
20. Click the Assign License icon
21. Select the NSX Ent license and click OK
22. Make sure that NSX for vSphere uses the NSX for vSphere – Enterprise license
23. Close the VSPHERE WEB CLIENT (FLEX) tab

Task B: Install the NSX components on the cluster

Now, we have a license and need to install NSX components on the cluster. Kaspersky Security for Virtualization will use
these components to scan the traffic of virtual machines.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

24. Switch to the Networking and Security view
25. Open the Installation and Upgrade section and switch to the Host Preparation tab
26. Notice that there is the Not Installed message under Lab Cluster
27. Click Actions, then Install
28. Confirm that you want to install NSX components on Lab Cluster
29. Refresh the page in the web browser (F5). Make sure that NSX components have been installed successfully

Conclusion

The cluster is ready for the installation of both Kaspersky Security for Virtualization services now. Prior to being installed, the
services must be registered with NSX. We will do it in the next lab.

Lab 4. Register Kaspersky Security for Virtualization services with NSX
Scenario. Kaspersky Security for Virtualization services can be installed only via the NSX interface. You need to register
Kaspersky Security services with NSX using a wizard available in the Integration Server Management Console of Kaspersky
Security for Virtualization. The Integration Server Management Console opens from the Kaspersky Security Center console.

Contents:

1. Create a role for the Integration Server in vCenter
2. Create an account for the Integration Server in vCenter
3. Install the Integration Server of Kaspersky Security for Virtualization and the plug-in for KSC
4. Register Kaspersky Security for Virtualization services with NSX
5. Consult the results of registering the Kaspersky Security for Virtualization services

Task A: Create a role for the Integration Server in vCenter

The Integration Server connects to vCenter server to receive the list of virtual infrastructure objects, including the list of virtual
machines. For this purpose, the Integration Server needs credentials of an account that has Read-Only permissions for vCenter.

To be able to scan drives of templates and powered-off virtual machines, the Integration Server also needs permissions for
changing the settings of the file protection service virtual machine.

Create a new role KsvViis for the Integration Server in vCenter and grant it the following privileges: ESX Agent Manager |
Modify, Virtual machine | Add or remove device, Virtual machine | Add existing disk and Virtual machine | Remove Disk.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Click Menu in the upper part of the page and select Administration
2. Select the Read-only role and click the icon (Clone role action)
3. Type KsvViis for the name and click OK
4. Select the created role KsvViis and click (Edit role action)
5. In the ESX Agent Manager section, select the Modify privilege
6. In the Virtual machine section, select the following privileges: Add or remove device, Add existing disk and Remove disk
7. Click Next
8. On the last page, click Finish
9. Select the role KsvViis
10. Switch to the Privileges tab
11. Make sure that the role has the privilege ESX Agent Manager | Modify and three more privileges in the section Virtual machine | Change Configuration

Task B: Create an account for the Integration Server in vCenter

The Integration server of Kaspersky Security for Virtualization | Agentless requires a user account with limited permissions.
We created the KsvViis role with these privileges in task A. In this task, we will create an account and grant it the KsvViis
role’s permissions for the vCenter root node.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

12. Open the Administration | Users and Groups section
13. On the Users tab, select the domain vsphere.local
14. Click ADD USER
15. Create an account
    — Username: Viis
    — Password: Ka5per5Ky!
    and click OK
16. Switch to Hosts and Clusters
17. Select the root node vcenter.abc.lab
18. Switch to the Permissions tab
19. Click
20. Make sure that the vsphere.local domain is selected in the User field
21. Under the domain name, type the username Viis
22. In the Role drop-down list, choose KsvViis
23. Select the check box Propagate to children and click OK
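
The role and permission from Tasks A and B can also be created and audited from the command line. The following PowerCLI script is an added example, not part of the lab guide: it assumes VMware PowerCLI is installed, that the Viis account from step 15 already exists, and that the four privilege identifiers listed in it are the API names of the privileges the lab selects in the UI (confirm them with Get-VIPrivilege).

```powershell
# Added example, not part of the lab guide.
# Requires the VMware PowerCLI module (VMware.VimAutomation.Core).
Import-Module VMware.VimAutomation.Core

$vCenter   = 'vcenter.abc.lab'        # vCenter address used in the lab
$roleName  = 'KsvViis'                # role name from Task A
$principal = 'VSPHERE.LOCAL\Viis'     # account created in Task B, step 15

# Assumed API identifiers of the four privileges selected in Task A:
# ESX Agent Manager | Modify, and Virtual machine | Add or remove device,
# Add existing disk, Remove disk. Confirm them with Get-VIPrivilege.
$extraIds = @(
    'EAM.Modify',
    'VirtualMachine.Config.AddRemoveDevice',
    'VirtualMachine.Config.AddExistingDisk',
    'VirtualMachine.Config.RemoveDisk'
)

# Prompt for administrator credentials instead of storing them in the script.
Connect-VIServer -Server $vCenter -Credential (Get-Credential) -ErrorAction Stop | Out-Null

try {
    # Task A: the role is the built-in Read-only role plus the four privileges.
    $readOnlyIds = @((Get-VIRole -Name 'ReadOnly').PrivilegeList)
    $expectedIds = ($readOnlyIds + $extraIds) | Sort-Object -Unique

    $role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $role = New-VIRole -Name $roleName -Privilege (Get-VIPrivilege -Id $expectedIds)
        Write-Host "Created role $roleName"
    }

    # Audit: report any privilege the role has beyond, or lacks from, the
    # expected set, so that privilege creep on the service role is visible.
    $drift = Compare-Object -ReferenceObject $expectedIds `
                            -DifferenceObject @($role.PrivilegeList)
    foreach ($d in $drift) {
        $kind = if ($d.SideIndicator -eq '=>') { 'EXCESS' } else { 'MISSING' }
        Write-Warning "$kind privilege on ${roleName}: $($d.InputObject)"
    }
    if (-not $drift) {
        Write-Host "$roleName matches Read-only plus the four lab privileges"
    }

    # Task B: grant the role on the vCenter root node, propagated to children.
    $root     = Get-Folder -NoRecursion
    $existing = Get-VIPermission -Entity $root -Principal $principal `
                                 -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-VIPermission -Entity $root -Principal $principal `
                         -Role $role -Propagate $true | Out-Null
        Write-Host "Granted $roleName to $principal on the root node"
    }

    # List every permission the account holds, to confirm that no broader
    # role has been assigned to it elsewhere in the inventory.
    Get-VIPermission -Principal $principal |
        Select-Object Entity, Role, Propagate |
        Format-Table -AutoSize
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

Re-running the script after the lab is a quick way to check that the service account still holds only the privileges listed in Task A.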

Task C: Install the Integration Server of Kaspersky Security for Virtualization and the plug-in for KSC

Kaspersky Security Center components include a management plug-in for Kaspersky Security Center and an integration server
responsible for interaction with vCenter and NSX. Install these components on the computer where the Kaspersky Security
Center server is installed.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

24. Start the installer of management components of Kaspersky Security for Virtualization. You can find the SecurityCenterComponents_5.0.x.x_setup.exe distribution in a folder mounted on KSC-Svr (ask the instructor to make sure)
25. At the first step that prompts for the language, click Next
26. Accept the License Agreement and the Privacy Policy and click Next
27. Consult the Integration server settings and click Next. Note that the Integration server uses port 7271. It must be opened on the firewall
28. Click Finish

Task D: Register Kaspersky Security for Virtualization services with NSX

Add the vcenter.abc.lab vCenter to the integration server and register the services of Kaspersky Security for Virtualization
with NSX.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

29. Start the Kaspersky Security Center Administration Console
30. The Quick Start wizard of Kaspersky Security for Virtualization 5.0 Agentless will open. Click Next
31. The wizard will create an update task, a virus scan task, and a policy. Click Finish in the end
32. Select the Administration Server node and switch to the Monitoring tab
33. In the Deployment area, click the link Manage Kaspersky Security for Virtualization 5.0 Agentless
34. In the certificate verification window, click Consider certificate to be trusted
35. In the Virtual infrastructure protection section of the Integration Server Management Console, click Add
36. Specify vCenter Server connection parameters:
    — Address: vcenter.abc.lab
    — User name: Viis@vsphere.local
    — Password: Ka5per5Ky!
    And click Add
37. Click the Certificate validation link to agree to use an untrusted certificate
38. Click Install certificate
39. Click Register Kaspersky Security services
40. Specify the NSX Manager access parameters:
    — Address: nsx-mgr.abc.lab
    — User name: admin
    — Password: Ka5per5Ky
    And click Next
41. Click Install certificate
42. In the browser, open a new tab and go to http://10.68.18.4/kl_014.50/ksv/
43. Copy the link to the XML file
44. Return to the Integration Server Management Console
45. Paste the link to the XML file of the file protection service machine and click Validate
46. Click Next
47. Switch to the web browser window and go to http://10.68.18.4/kl_014.50/ksvns/
48. Copy the link to the XML file
49. Return to the Integration Server Management Console
50. Paste the link to the XML file of the network protection service machine and click Validate
51. In the SVM image configuration drop-down list, select 2CPU 1GB
52. Click Next
53. At this step, you can edit the settings for service virtual machine connection to KSC Administration Server and Integration Server. Do not change anything, click Next
54. Specify the Ka5per5Ky password for both the klconfig and root accounts and click Next
55. Select your local time zone and click Next
56. Check the parameters and click Next
57. Click Next
58. Close the wizard window
59. Close the Integration Server Management Console

Task E: Consult the results of registering the Kaspersky Security for Virtualization services

In the previous task, the Integration Server of Kaspersky Security for Virtualization registered itself as a Service Manager with
NSX, which is responsible for two services: File Antimalware Protection and Network Protection. Let’s make sure of that.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

60. Open a new tab in Firefox
61. Open the vCenter web interface at https://vcenter.abc.lab/
62. Click LAUNCH VSPHERE WEB CLIENT (FLEX)
63. Click the Home icon in the upper part of the page and select Networking and Security
64. Select the Service Definitions section
65. Make sure that both services of Kaspersky Security for Virtualization are registered with NSX Manager
66. Switch to the Service Managers tab
67. Select Kaspersky Service Manager and click the icon to open its properties
68. Pay attention to the Base API URL string. It contains the address of the Integration Server, which is required for correct operation of Kaspersky Security for Virtualization
69. Select Cancel
70. Close the VSPHERE WEB CLIENT (FLEX) tab


Conclusion

In this lab, we have installed the management components of Kaspersky Security for Virtualization, which include the
Integration Server, Integration Server Management Console, and also a plug-in for Kaspersky Security Center. We used the
Integration Server to register the Kaspersky Security for Virtualization services with NSX.

Lab 5. Deploy the services of Kaspersky Security for Virtualization
Scenario. You registered the Kaspersky Security for Virtualization services with NSX. Now they will be available in the list of
NSX services, and you will be able to deploy them in a few simple steps.

Contents. Deploy the file protection and network protection services.

Deploy the file protection and network protection services

Install the services of Kaspersky Security for Virtualization: File Antimalware Protection and Network Protection.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Click Menu in the upper part of the page and select Networking and Security
2. Select the Installation and Upgrade section and switch to the Service Deployment tab
3. Click + ADD
4. In the service installation wizard, select both services of Kaspersky Security for Virtualization. Note that the services can also be deployed later, on schedule
5. Click Next
6. Select Lab Cluster and click Next
7. Select the DS-Mgmt network for both services and click Next
8. Click Finish
9. Wait for the installation to complete
10. Make sure that the protection components have installed successfully:
    — Installation Status: Succeeded
    — Service Status: Up
11. Switch to the Hosts and Clusters view
12. Expand the ESX Agents node
13. Make sure that two new virtual machines have appeared in the resource pool

Conclusion

In this lab, we deployed two services of Kaspersky Security for Virtualization on the ESXi host. These are virtual machines
that will protect the infrastructure from various threats using the APIs provided by VMware.

The protection does not work yet: Kaspersky Security for Virtualization must be activated and databases must be updated first.

Lab 6. Activate Kaspersky Security for Virtualization
Scenario. When deploying service virtual machines, the Integration Server automatically connects them to the KSC Server. To
activate a license and update databases on the service virtual machines, configure tasks in Kaspersky Security Center.

Contents:

1. Study the update task
2. Activate Kaspersky Security for Virtualization
3. Consult the license details

Task A: Study the update task

You installed management components of Kaspersky Security for Virtualization, including the plug-in for Kaspersky Security
Center. When Kaspersky Security Center finds a new plug-in, it starts the Quick Start wizard. This wizard created an update
task for the Managed devices group in Lab 3.

Let’s study the task settings.



The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Open Kaspersky Security Center Administration Console
2. Select the group VMware vCenter (vcenter.abc.lab) Agentless. It has appeared when KSC Agents that run on the service machines of Kaspersky Security for Virtualization connected to the KSC Server
3. Open the Devices tab and make sure that two virtual machines have connected to Kaspersky Security Center
4. Switch to the Tasks tab
5. Make sure that there are two tasks for Kaspersky Security for Virtualization on the list: Full Scan and Program Database update created by the Quick Start Wizard of Kaspersky Security for Virtualization
6. Open the properties of the update task
7. Switch to the Schedule section
8. Make sure that the task starts as soon as KSC Administration Server downloads recent updates
9. Close the window

Task B: Activate Kaspersky Security for Virtualization

Add activation codes to the licenses repository of Kaspersky Security Center and activate the application with activation keys.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

10. Select the Kaspersky Lab Licenses node
11. Click Add activation code or key
12. Click Activate application with activation code
13. Copy the activation code for workstations from the file located in a mounted shared folder (ask the instructor to make sure)
14. Click Next
15. Click Finish
16. Make sure that KSC has successfully received the key from the activation servers
17. Add the activation code for virtual servers in a similar manner
18. Open the VMware vCenter (vcenter.abc.lab) node and switch to the Tasks tab
19. On the Tasks tab, click the button Create a task
20. Select Application activation for the task type
21. Click Select
22. Select the key that activates workstations (a key has hyphens in the Key field, unlike an activation code) and click OK
23. Click Next
24. Leave the default schedule, Manually. Select the Run missed tasks check box and click Next
25. Specify KSV Activation—Workstations for the task name and click Next
26. Select the Run task after Wizard finishes check box and click Finish
27. Create a task for activating virtual servers in a similar manner
    — Name: KSV Activation—Servers
    — Schedule: Manually, Run missed tasks
28. Make sure that both tasks have completed successfully

Task C: Consult the license details

Unlike most Kaspersky Lab products, Kaspersky Security for Virtualization can use two active licenses simultaneously: for
servers and for workstations. Kaspersky Security Center interface does not permit displaying two active licenses for a single
product on a managed device. For this reason, Kaspersky Security for Virtualization transfers a dummy license for the total
number of protected nodes to the KSC Console.

In this task, we will consult the activation data.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

29. Select the Kaspersky Lab Licenses node
30. Note that a new key with a gray icon has appeared in the repository. The key restriction is the sum of server and workstation restrictions, 10 + 15 in this case
31. Open the key properties
32. The Service information field specifies that this key includes licenses for servers and workstations. This is a limitation of Kaspersky Security Center, which cannot work with two active licenses assigned to the same endpoint. Kaspersky Security for Virtualization | Agentless regards these licenses as two different entities
33. Close the window
34. Select the root node of Kaspersky Security Center and switch to the Reports tab
35. Open the Key usage report
36. Make sure that the report shows a single license
37. The license is not used so far, since there is no security policy on vCenter that applies the services of Kaspersky Security for Virtualization to the virtual machines
38. Close the report

Conclusion

Kaspersky Security for Virtualization has two types of licensing: Per processor on ESXi hosts and per protected virtual
machine. A virtual machine is considered to be protected if it is running, the services of Kaspersky Security for Virtualization
are applied to it via a security policy on vCenter, and a security profile is applied via a Kaspersky Security Center policy.

This lab demonstrates how Kaspersky Security Center works with virtual machine licenses.

Lab 7. Configure a protection policy for Kaspersky Security for Virtualization
Scenario. Prior to enabling protection, you need to configure a policy for Kaspersky Security for Virtualization in Kaspersky
Security Center. This way, you can be sure that virtual machines have proper security settings from the very beginning.

You want protection to have minimal impact on the servers’ performance, and for this reason you have decided to create an
individual profile for them.

Contents:

1. Configure a policy for Kaspersky Security for Virtualization
2. Export exclusions from the main protection profile
3. Create a protection profile for servers
4. Assign the Servers protection profile to Windows-Svr

Task A: Configure a policy for Kaspersky Security for Virtualization

The Quick Start wizard creates a policy for Kaspersky Security for Virtualization. In this task, we will modify its settings. We
will disable network drive scanning in the policy, since we will protect not only workstations but also servers. Double scanning
is undesirable.

Network Protection is disabled by default, and we will enable it.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Select the Managed devices node and switch to the Policies tab
2. Select the Kaspersky Security Center for Virtualization 5.0 Agentless policy
3. Right-click the Kaspersky Security Center for Virtualization 5.0 Agentless policy and choose Cut
4. Select the Managed devices | VMware vCenter (vcenter.abc.lab) node and switch to the Policies tab
5. Paste the policy
6. Open the policy properties
7. Delete symbol (1) from the policy name (it has appeared as a result of pasting)
8. Activate the policy
9. Switch to the Main protection profile section
10. Disable network drives’ scanning
11. Note that the main protection profile contains pre-configured recommended exclusions
12. Switch to the section KSN Settings
13. Select the check box Use KSN
14. Accept the license agreement
15. Switch to the section Intrusion Prevention
16. Select the check box Detect network attacks
17. Change the blocking time to 1 minute
18. Switch to the Web addresses scan section
19. Select the check boxes
    — Scan web addresses based on the database of malicious web addresses
    — Scan web addresses based on the database of phishing web addresses

Task B: Export exclusions from the main protection profile

To configure a new profile for servers, we will need the standard Microsoft exclusions, which are to be exported from the
default protection profile.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

20. Switch to the Main protection profile section
21. In the Exclusions from protection area, click the Settings button
22. Click Export
23. Save the exclusions to the default_exclusions.xml file on the desktop
24. In the window with the list of exclusions, click Cancel

Task C: Create a protection profile for servers

Create a protection profile with recommended exclusions for servers.



The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

25. Switch to the Additional protection profiles section
26. Click Add
27. Type Servers for the profile name and click OK
28. Set the security level to Low
29. Disable network drive scanning
30. In the Exclusions from protection area, click Settings
31. Click Import
32. On the desktop, select the default_exclusions.xml file that contains exclusions, and click Open
33. Click OK to save the exclusions, and then OK again to save the protection profile
34. The Servers profile is displayed as inactive (the Active column is empty), because it has not yet been applied to any object

Task D: Assign the Servers protection profile to Windows-Svr

In the policy, connect to the virtual infrastructure and assign the main protection profile to it, and the Servers protection profile
to the Windows-Svr virtual machine.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

35. Switch to the Protected infrastructure section
36. In the Certificate verification window, select the check box Install the received certificate and stop showing warnings for ksc-svr.abc.lab and click Continue
37. In the message that opens, click OK
38. Note that the policy displays the infrastructure of all VMware vCenter servers, and no protection profile is assigned by default
39. Select the Integration Server object in the infrastructure
40. Click Assign protection profile above the infrastructure list
41. Select the Main protection profile and click OK
42. Expand the tree of infrastructure objects and select Windows-Svr
43. Note that all objects inherit the protection profile of the parent node by default
44. Click Assign protection profile
45. Select the Servers profile and click OK
46. Click OK to save the policy

Conclusion

In this lab, we have configured the policy of Kaspersky Security for Virtualization. We created a protection profile and
assigned it to a virtual machine. Profiles can also be assigned to vApps, hosts, clusters, and datacenters.

Lab 8. Enable protection
Scenario. You have completely prepared the infrastructure: deployed both services of Kaspersky Security for Virtualization,
created a policy, and activated the application. Create an NSX security policy to enable protection for virtual machines.

Contents:

1. Create a security group in NSX
2. Create a security policy in NSX
3. Consult reports in Kaspersky Security Center

Preparation
The task is performed on KSC-Svr. The DC, vCenter, ESXi, and NSX-Mgr machines must be powered on.

1. Switch to the Hosts and Clusters view
2. Right-click the Windows-Svr virtual machine and select Power | Power On
3. Right-click the Windows-Wks virtual machine and select Power | Power On

Task A: Create a security group in NSX

Create a security group that will include all virtual machines of Lab Cluster.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

4. Switch to the Networking and Security view
5. Open the Service Composer section
6. On the Security Groups tab, click + ADD
7. Type All VMs for the group name
8. Click Next
9. On the drop-down lists, select Entity and Belongs to
10. Click the third field in the condition
11. Select Object Type Cluster
12. Select Lab Cluster
13. Click OK
14. Click Finish

Task B: Create a security policy in NSX

Create an NSX policy; specify both services of Kaspersky Security for Virtualization in the policy.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

15. Switch to the Security Policies tab
16. Click +ADD
17. Type KSV Security Policy for the policy name and click Next
18. At the Guest Introspection Services step, click +ADD to add a service
19. Name the service Kaspersky File Antimalware Protection
20. On the Service Name drop-down list, select Kaspersky File Antimalware Protection and click OK
21. Select step 4 Network Introspection Services in the left pane
22. Click +ADD to add a service
23. Name the service NI – KSVNS Out
24. Make sure that the Redirect to service parameter is set to Yes
25. Make sure that the service is named Kaspersky Network Protection
26. Make sure that the service will receive outbound traffic from the virtual machines of the security group
    — Source: Policy’s Security Groups
    — Destination: Any
27. Click OK
28. Add another record and name it NI – KSVNS In
29. Enable the option Redirect to service
30. In the Source area, choose Any
31. Note that the Destination field has automatically changed its value to Policy’s Security Groups. This means that KSV will receive the inbound traffic of the virtual machines that belong to the security group for analysis
32. Click OK
33. Click Finish
34. Wait for the policy to synchronize (Sync Status: In Sync)
35. Select the policy
36. Click APPLY
37. In the Available Objects area, select the All VMs group
38. Move All VMs from the Available Objects list to the Selected Objects list and click APPLY
39. Wait for the policy to be applied

Task C: Consult reports in Kaspersky Security Center

Now the virtual machines are protected and can be monitored via Kaspersky Security Center. Open the reports about the
protection status and keys to consult information about the virtual machines.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

40. In Kaspersky Security Center, select the Administration Server node and switch to the Reports tab
41. Open the Protection status report
42. Scroll the window down to see the details
43. Make sure that the list displays both protected virtual machines. Their status is critical, because the on-demand scan task has not been started yet
44. Close the report
45. Select the Key usage report and click the Properties link
46. Switch to the Detail fields section
47. Delete the following fields:
    — Virtual Administration Server
    — Last visible time
    — IP address
    — Windows domain
    — DNS domain
    — NetBIOS name
48. Click Add and add the following fields:
    — Licensing units covered for workstations
    — Licensing units covered for servers
49. Click OK
50. Open the Key usage report
51. Two licenses are used now, since two virtual machines are running
52. Scroll the window down to see the details
53. The list displays the service virtual machines of Kaspersky Security for Virtualization along with the protected virtual machines
54. Close the report

Conclusion

Finally, after a long preparation, the virtual machines have been protected. We created a single policy for our cluster. In real
life, you can create two different policies for File Antimalware Protection and Network Protection for greater flexibility.

Lab 9. Test file protection
Scenario. The virtual machines are protected in the cluster. Now we can use a test malicious file to make sure that everything
works as expected.

Contents:

1. Run a test virus and consult reports in Kaspersky Security Center
2. Find the Windows-Svr security tag in the vCenter console

Task A: Run a test virus and consult reports in Kaspersky Security Center

Unpack an archive with the eicar.com test virus on the Windows-Svr virtual machine and check the detection events in
Kaspersky Security Center.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

1. Switch to the Hosts and Clusters view
2. Select the Windows-Svr virtual machine
3. Click the Launch Remote Console link
4. In the window Launch Application, click Open link
5. In the window Invalid Security Certificate, click Connect Anyway
6. Log on to the Windows-Svr server under the ABC\Administrator account with the password Ka5per5Ky
7. Open the C:\share folder on Windows-Svr
8. Unpack the eicar_com.zip archive
9. Make sure that eicar.com has disappeared from the unpacked folder
10. Return to the window of the KSC-Svr virtual machine (one virtualization level higher)
11. Open the Kaspersky Security Center Administration Console
12. Switch to the Events tab
13. Click Run selection
14. Open the malware detection event
15. The event shows the file and the virtual machine where it was detected
16. Click Next several times to view other events related to eicar.com
17. The last event reports that Kaspersky Security for Virtualization saved a copy of the file in the Backup storage on the SVM
18. Click Close
19. Open the node Advanced | Repositories | Backup
20. Make sure that eicar.com is there. The file is stored on the virtual machine of Kaspersky Security for Virtualization

Task B: Find the Windows-Svr security tag in the vCenter console

When Kaspersky Security for Virtualization finds a malicious object, it assigns a security tag to the virtual machine via NSX.
Let’s make sure of that.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

21. Open the vSphere web console
22. Switch to the Hosts and Clusters view
23. Select Windows-Svr and open the Summary tab
24. Find the Security Tags area at the bottom of the page
25. Make sure that the virtual machine has received the following tag: ANTI_VIRUS.VirusFound.threat=high
26. Also, pay attention to the Security Group Membership area. Windows-Svr belongs to the All VMs group

Conclusion

In this lab, we made sure that protection works, and Kaspersky Security Center receives its events. Kaspersky Security for
Virtualization assigns a special security tag to a virtual machine where it has detected a malicious object. You can use this tag
to move the respective virtual machines to an NSX security group.

Lab 10. Perform on-demand scanning
Scenario. Real-time protection works with mild settings to reduce the load on the virtual machines. You need to create an on-demand scan task for thorough scanning.

There is a virtual machine where Kaspersky Security for Virtualization detected a malicious file and to which it assigned a
security tag. If the task shows that this virtual machine is clean, Kaspersky Security for Virtualization will remove the security
tag.

Contents:

1. Create and run a virus scan task
2. Check the tags after the on-demand scanning completes

Preparation
The preparation is performed on Windows-Wks.

1. Switch to the Hosts and Clusters view
2. Select the Windows-Wks virtual machine
3. Click the Launch Remote Console link
4. In the window Launch Application, click Open link
5. In the window Invalid Security Certificate, click Connect Anyway
6. Log on to Windows-Wks under the ABC\Alex account with the password Ka5per5Ky
7. Open the \\Windows-Svr\share shared folder and copy eicar_com.zip to the Downloads folder
8. Delete the eicar_com.zip archive from the shared folder on Windows-Svr
9. Shut down Windows-Wks

Task A: Create and run a virus scan task

Create a task that will scan Windows-Svr and the powered off Windows-Wks virtual machine for viruses. To avoid waiting
for too long, we will configure the task to scan zip archives only.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be powered on.
The Windows-Wks computer must be powered off.

10. Open the Kaspersky Security Center Administration Console
11. Open the group Managed devices | VMware vCenter (vcenter.abc.lab)
12. Switch to the Tasks tab
13. Click Create a task
14. Select the Custom Scan task type and click Next
15. Click Next to connect to the ksc-svr.abc.lab integration server
16. Select the only vCenter connected to the Integration Server
17. Select the virtual machines Windows-Svr and Windows-Wks and click Next
18. Click Settings
19. Enable archive scanning and click OK
20. Select the check box Scan powered off virtual machines
21. In the area Stop scan, select After completing scan of files on all protected virtual machines and click Next
22. Select the option Scan files with the following extensions only and type zip (without a dot or an asterisk)
23. Click Next
24. Select the Weekly schedule for the task
25. Leave the default start time unchanged and click Next
26. Name the task Virus scan and click Next
27. Select the Run task after Wizard finishes check box and click Finish
28. Wait for the task to complete
29. Select the Administration Server node and switch to the Events tab
30. Click Run selection
31. Make sure that a malicious object was found on the powered off Windows-Wks virtual machine

Task B: Check the tags after the on-demand scanning completes

Check whether the on-demand scan task has changed security tags on Windows-Svr and Windows-Wks.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be powered on.

32. Open the vSphere web console
33. Switch to the Hosts and Clusters view
34. Select Windows-Wks
35. Make sure that the virtual machine has received the following tag: ANTI_VIRUS.VirusFound.threat=high
36. Select Windows-Svr
37. Make sure that Windows-Svr has lost the tag ANTI_VIRUS.VirusFound.threat=high

Conclusion

The on-demand scan task has several functions in Kaspersky Security for Virtualization. It thoroughly scans the file system
and removes NSX tags from clean machines, which helps the administrator monitor whether the virtual machines conform to
the security policy. To make the task remove the tags, in the scan scope, select Scan all files and folders except for those
specified (see step 22).

Also, this lab demonstrates how to scan powered off virtual machines.

Lab 11. Test Network Protection
Scenario. We used the eicar.com test virus to check how File Antimalware Protection works. Now, we need to test the
Network Protection.

Contents:

1. Imitate a network attack
2. Open a test malicious link and a test phishing link
3. Consult network protection events in Kaspersky Security Center
4. Study the Network attack report

Preparation
The preparation is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, and Windows-Svr machines must be
powered on.

1. Open the vSphere web console
2. Right-click the Windows-Wks virtual machine and select Power | Power On

Task A: Imitate a network attack

Use the kltps utility to imitate a network attack from the Windows-Wks computer on TCP port 445 (SMB service) of KSC-Svr.
In Lab 7, we chose to block an attacking computer for 1 minute. Let’s test this.

The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and KSC-Svr machines must
be powered on.

3. Switch to the Hosts and Clusters view
4. Select the Windows-Wks virtual machine
5. Click the Launch Remote Console link
6. In the window Launch Application, click Open link
7. In the window Invalid Security Certificate, click Connect Anyway
8. Log on to Windows-Wks under the ABC\Alex account with the password Ka5per5Ky
9. Open the command line (press WIN+R, then type cmd and press ENTER)
10. Make sure that Windows-Wks can access DC:
    ping dc
11. To imitate an attack, enter the following command:
    Desktop\kltps.exe Windows-Svr -t 445
12. Make sure that network access has been blocked for Windows-Wks:
    ping dc
13. Wait for a minute and ping once again:
    ping dc
14. Make sure that network activity is allowed for Windows-Wks again

Task B: Open a test malicious link and a test phishing link

Use a test malicious link and a test phishing link to make sure that web addresses are scanned.

The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.

15. Start Microsoft Edge and go to http://www.kaspersky.com/test/wmuf
16. Make sure that Kaspersky Security for Virtualization has blocked the page
17. Open another tab and go to http://www.kaspersky.com/test/aphish_h
18. Make sure that Kaspersky Security for Virtualization has blocked the page
19. Note that the same message about a blocked web page is displayed for malicious and phishing websites

Task C: Consult network protection events in Kaspersky Security Center

Events about attacks and malicious web addresses are sent to Kaspersky Security Center. They contain general information
about the incidents.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

20. Open the Kaspersky Security Center Administration Console
21. In the Administration Server node, open the Events tab
22. Click Run selection
23. Open the network threat detection event
24. The event contains addresses of the attacking and victim machines, and also information about the attack
25. Click Next
26. Proceed until you find the event about a detected malicious web address. It shows the source of the request and the IP address of the web server
27. Click Next
28. Proceed until you find the event about a detected phishing link http://www.kaspersky.com/test/aphish_h
29. Pay attention to the event type: Malicious web address detected. Kaspersky Security for Virtualization uses the same event type to inform about malicious and phishing addresses
30. Close the event


Task D: Study the Network attack report

By default, there is no network attack report in Kaspersky Security Center. We will create it in this task.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

31. Switch to the Reports tab
32. Click Create a report template
33. Name the report Network attack report
34. Select the Network attack report type
35. Proceed through the wizard without changing anything
36. Open the Network attack report
37. The report provides aggregate information about the number and types of the detected network attacks. There is also detailed information: the IP address of the attacking computer, attack time, and port.

Conclusion

In this lab, we tested Network Protection using a test attack utility and test malicious links. We also created a network attack
report to consult aggregate information.

Lab 12. Test Network Monitor
Scenario. The Network Protection service of Kaspersky Security for Virtualization can detect advanced network attacks. To
enable enhanced traffic analysis, you need to activate the service with an Enterprise license.

Install an Enterprise license on the service virtual machines and test enhanced network protection.

Contents:

1. Install a KSV Enterprise license on the service virtual machines
2. Enable enhanced traffic analysis in the policy on Kaspersky Security Center
3. Test enhanced workstation protection using a test link
4. Prepare a file with a captured network attack
5. Reproduce the file with the captured network attack on the server and check the results

Task A: Install a KSV Enterprise license on the service virtual machines

Kaspersky Security for Virtualization does not have a license for workstations that supports Enterprise capabilities. To
use Enterprise capabilities on workstations, use a per-processor license (for hypervisors) rather than a per-node license
(for virtual machines).

Install a per-CPU Enterprise license on the service virtual machines. It enables you to activate enhanced network traffic
scanning on servers and workstations.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

1. Open the Kaspersky Security Center Administration Console
2. Select the group VMware vCenter (vcenter.abc.lab) Agentless and switch to the Tasks tab
3. On the Tasks tab, click the button Create a task
4. Select Application activation for the task type
5. Click Select
6. Click Add
7. Click Activate application with activation code
8. Copy the activation code of a per-processor enterprise license from a file located in a mounted shared folder (ask the instructor about its location)
9. Click Next
10. Make sure that KSC has successfully received the key from the activation servers and click Finish
11. Select the activation key of a per-processor enterprise license and click OK
12. Note that the key activates the Suspicious network activity detection technology
13. Click Next
14. Leave the Manually schedule
15. Select the Run missed tasks check box and click Next
16. Name the task Activation KSV - CPU and click Next
17. Select the Run task after Wizard finishes check box and click Finish
18. Make sure that the task has completed successfully

Task B: Enable enhanced traffic analysis in the policy on Kaspersky Security Center

Modify the policy settings: Enable enhanced traffic analysis.

The task is performed on KSC-Svr. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and Windows-Wks machines must
be powered on.

19. Select the group VMware vCenter (vcenter.abc.lab) Agentless and switch to the Policies tab
20. Open the properties of the Kaspersky Security for Virtualization 5.0 Agentless policy
21. Switch to the section Network threat protection | Intrusion Prevention
22. Select the check box Monitor virtual machine network activity and click OK

Task C: Test enhanced workstation protection using a test link

Open a test malicious link in Internet Explorer and receive a verdict by Network Monitor.

The task is performed on Windows-Wks. The DC, vCenter, ESXi, NSX-Mgr, Windows-Svr, and KSC-Svr machines must
be powered on.

23. Log on to Windows-Wks under the ABC\Alex account with the password Ka5per5Ky
24. Start Internet Explorer and go to http://www.kaspersky.com/antiapt/traf/test
25. Make sure that access to the page has been blocked
26. Return to the window of the KSC-Svr virtual machine
27. Open the Kaspersky Security Center Administration Console
28. In the Administration Server node, open the Events tab
29. Click Run selection
30. Open the network threat detection event
31. Read the event description. It contains the address of the protected virtual machine, the address of the malicious server, and the identifier of the rule that reacted to the threat. You can configure exclusions by IP addresses and by rule identifiers
32. Close the window

Task D: Prepare a file with a captured network attack

Open a file with a captured network attack in the WireEdit editor, and replace the IP address of the attacked computer with the
IP address of Windows-Svr.

The task is performed on Windows-Svr. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.

33. Log on to the Windows-Svr server under the ABC\Administrator account with the password Ka5per5Ky
34. Open the command line interface
35. Run the ipconfig command
36. Write down or memorize the IP address of the Windows-Svr machine
37. Copy the captured network traffic yakes.pcap onto the desktop of Windows-Svr (ask the instructor where the file is located)
38. Start the WireEdit utility
39. Load the yakes.pcap file with captured network traffic into the utility: Click File, Open, and specify the path to the file
40. To replace IP address 10.14.0.2 with the IP address of your Windows-Svr, press CTRL+H
41. In the Find what field, type 10.14.0.2
42. In the field Replace with, type the IP address of your Windows-Svr, and click Replace All
43. In the Attention message, click OK
44. Close the Replace window
45. Pay attention to the Warnings: 14 indicator in the status bar. A TCP packet has a checksum, which became invalid after we changed the IP address. To make the packets plausible, let’s correct the checksum
46. On the Edit menu, click Fix Errors
47. In the Attention message, click OK
48. Save the edited file to your desktop with the name yakes_2.pcap
49. Close the WireEdit application
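
The checksum problem from step 45, as an added example (not part of the original lab guide and not WireEdit's own code): the TCP checksum is computed over a pseudo-header that includes the source and destination IP addresses, and the IPv4 header carries its own checksum, so rewriting an address invalidates both until they are recomputed. The packet is constructed for illustration; 192.0.2.10, port 80 and 198.51.100.20 are assumed placeholder values, and only 10.14.0.2 comes from the lab.

```python
import socket
import struct


def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return ~ones_sum(data) & 0xFFFF


def split(packet: bytes):
    """Split a raw IPv4 packet into (IP header, TCP segment)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[:ihl], packet[ihl:total_len]


def pseudo_header(ip: bytes, tcp_len: int) -> bytes:
    # Source IP, destination IP, zero, protocol 6 (TCP), TCP length:
    # this is why editing an IP address breaks the TCP checksum too.
    return ip[12:20] + struct.pack("!BBH", 0, 6, tcp_len)


def checksums_valid(packet: bytes) -> tuple:
    """Return (ip_ok, tcp_ok); data plus a correct checksum sums to 0xFFFF."""
    ip, tcp = split(packet)
    return (ones_sum(ip) == 0xFFFF,
            ones_sum(pseudo_header(ip, len(tcp)) + tcp) == 0xFFFF)


def fix_checksums(packet: bytes) -> bytes:
    """Recompute the IPv4 header checksum and the TCP checksum."""
    ip, tcp = split(packet)
    ip = ip[:10] + b"\x00\x00" + ip[12:]
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    tcp = tcp[:16] + b"\x00\x00" + tcp[18:]
    tcp_sum = checksum(pseudo_header(ip, len(tcp)) + tcp)
    return ip + tcp[:16] + struct.pack("!H", tcp_sum) + tcp[18:]


def replace_dst_ip(packet: bytes, new_ip: str) -> bytes:
    """Overwrite only the destination address, as a plain find-and-replace does."""
    return packet[:16] + socket.inet_aton(new_ip) + packet[20:]


def build_sample_packet() -> bytes:
    """Constructed sample: TCP SYN from 192.0.2.10:49152 to 10.14.0.2:80."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("10.14.0.2"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 0, 0x50, 0x02, 64240, 0, 0)
    return fix_checksums(ip + tcp)


if __name__ == "__main__":
    NEW_IP = "198.51.100.20"  # placeholder for your Windows-Svr address
    original = build_sample_packet()
    edited = replace_dst_ip(original, NEW_IP)
    print("original:", checksums_valid(original))        # (True, True)
    print("after IP edit:", checksums_valid(edited))     # (False, False)
    print("after fix:", checksums_valid(fix_checksums(edited)))  # (True, True)
```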

Task E: Reproduce the file with the captured network attack on the server and check the results

Use the PlayCap program to replay network traffic on the Windows-Svr computer and receive a verdict in the Kaspersky
Security Center console.

The task is performed on Windows-Svr. The DC, vCenter, ESXi, NSX-Mgr, and KSC-Svr machines must be powered on.

50. Start the PlayCap utility
51. Load the yakes_2.pcap file with captured network traffic into the utility: Click File, Open, and specify the path to the file
52. Replay traffic: Click Play
53. PlayCap will select the sole network interface on the Windows-Svr machine
54. Click Playback and wait for the replay to complete
55. Switch to the window of the KSC-Svr virtual machine
56. Open the Kaspersky Security Center Administration Console
57. In the Administration Server node, open the Events tab
58. Click Run selection
59. Open the network threat detection event
60. Read the event description
61. Close the window

Conclusion

In this lab, we have tested Network Monitor using a pseudo-malicious link and pre-captured network traffic.

v1.4.5
