Kaspersky Security for Virtualization Light Agent provides measurable performance benefits while delivering the latest security technologies and multi-layered protection for virtual servers and/or VDI in hybrid environments. This is achieved by designating a central virtual machine (SVM) to keep the malware databases and produce file threat level verdicts for all the VMs on the host. Through smart optimization, such as shared caching, and the elimination of redundant information, Kaspersky Security for Virtualization cuts the amount of data and number of operations, dramatically reducing IOPS, CPU cycles, memory and disk footprints to help achieve high consolidation ratios, protecting investments in virtualization projects.
The solution supports VMware vSphere, NSX, Horizon, Microsoft Hyper-V, Citrix Hypervisor, Virtual Apps and Desktops, KVM, Proxmox VE, Huawei FusionSphere and other virtualization environments.
Kaspersky Security for Virtualization Light Agent is part of Kaspersky Hybrid Cloud Security.
Kaspersky Security for Virtualization Light Agent features patented architecture that offloads redundant operations and data to a central Secure Virtual Machine (SVM). An optimized agent with reduced footprint and resource requirements – a ‘Light Agent’ – is then deployed to each VM for protection.
The Light Agent combines Kaspersky’s most advanced anti-malware and network protection technologies to match agent-based security while delivering substantial virtualization environment performance benefits.
Virtual environments – especially VDIs – often include many similar VMs, each containing identical files. Full agent-based solutions waste time and resources running multiple scans of the same file on different VMs. Kaspersky’s Shared Cache feature shares the results of file scans, which minimizes the overall load on the IT infrastructure.
Whenever a file is accessed on a VM, Kaspersky Security for Virtualization Light Agent checks the shared cache to see whether a verdict has already been issued for the file. If the verdict exists, it’s returned to the requesting VM instantly without wasting an extra cycle. The file is only scanned again if it has been modified or a user manually requests a scan.
Dynamic tagging saves time in the event of an incident and can even completely prevent an incident by automating the response to specific events. For example, a machine can be isolated from the network if protection is disabled, or remediation efforts can be initiated if a machine is infected. Light Agent can apply the “VIRUS FOUND” tag to VMs with a parameter to indicate the threat level so that the virtualization platform can react to the event.
The solution is designed so that Light Agents can use an SVM on another host if the local SVM is unavailable or overloaded. This eliminates single points of failure in infrastructures of any size. If there’s significant stress on the virtualized infrastructure, the Light Agents can locate and reconnect to the optimal SVM almost immediately. This ensures uninterrupted real-time protection for the entire virtualized environment.
This feature allows the Light Agent to operate in autonomous mode for a short period. In this mode, technologies including Self Defense, Automatic Exploit Prevention and other behavior-based defensive mechanisms continue to protect the VM. In addition, a local queue of files to be checked for malware is created, ready for when normal operation resumes. This approach ensures that every single object – files, scripts, pages, etc. – is inspected, regardless of circumstances.
This built-in mechanism protects Kaspersky Security for Virtualization itself against malware that may try to modify or block its functions, delete components (e.g. antivirus databases, quarantined files, trace files), strip the application of its services or uninstall them. Self-Defense also prevents Kaspersky Security for Virtualization Light Agent’s system registry keys from being modified or deleted inside the guest OS.
The Security Virtual Machine (SVM) constantly and autonomously monitors its own operation, automatically restarting its scan server service if it’s disrupted or stopped for any reason. This ensures that the scanning engine is available and ready to handle anti-malware scans at all times.
The cloud-based Kaspersky Security Network (KSN) identifies new threats and provides automatic updates to the security solution. Identifying new malware in as little as 0.02 seconds, KSN helps Kaspersky Security for Virtualization Light Agent to protect business-critical environments against even the most sophisticated threats, such as zero-day vulnerability exploits.
Kaspersky Hybrid Cloud Security can save up to 30% of virtualization hardware resources compared to a traditional endpoint security solution. The solution is designed and built specifically for use in virtualized environments to eliminate redundant operations and data. After learning the environment, the solution is in most cases able to instantly produce a verdict, without wasting a single extra cycle. Rich and flexible system hardening functionality drastically reduces the attack surface, eliminates arbitrary code execution on servers and blocks exploits – all without any noticeable increase in resource consumption. Memory and data control algorithms detect and defuse ransomware attacks, both host and network-borne. The solution supports VMware NSX, Microsoft Hyper-V, Citrix Hypervisor, KVM, Huawei FusionSphere and Proxmox VE virtualization platforms.
Kaspersky Security for Virtualization is the ideal solution for hybrid data centers, delivering advanced security capabilities to virtualized Windows and Linux server workloads.
Application control for Windows Server featuring dynamic allowlist (or Default Deny) mode has also been enhanced to include a denylist (or Default Allow) mode that allows applications to execute unless the software has been found on the denylist. This mode is useful in controlled environments to further harden the server workload by disallowing selected programs permitted by general policies.
Exploit Prevention specifically targets malware that exploits software vulnerabilities in popular applications, by recognizing typical or suspicious behavior patterns, stopping the exploit in its tracks, and preventing any downloaded malicious code from executing.
These features work alongside application control and exploit prevention technologies, and can be used to monitor VMs for state changes and configuration drift. These are also often required for compliance reasons.
System Integrity Assurance technologies include File Integrity Monitoring (FIM), Registry Integrity Monitoring and Baseline Management for virtualized Windows Servers.
Centralizes and automates essential security, system configuration and management tasks, such as vulnerability assessment, patch and update distribution, inventory management and application rollouts.
Ransomware takes many forms, relies on different propagation techniques, targets different objects from disk MBR to user files and can be commanded by a command and control (C&C) server or work completely autonomously. Some ransomware (so-called ‘wipers’) corrupts data irreversibly.
Consequently, protection from ransomware must also be multi-layered. Kaspersky Security for Virtualization Light Agent prevents infection by monitoring the environment for ransomware-like behavior, blocking communications to C&C servers and restoring originals of the modified files to nullify the damage. There’s also a protection layer for shared data that raises a red flag if shared files are being corrupted over the network, blocks the attacker’s access to the share and notifies the administrator.
AMSI Protection allows Microsoft and third-party programs to send requests for scanning objects for viruses and other threats using Windows Antimalware Scan Interface (AMSI).
Host Intrusion Prevention (HIPS) uses Kaspersky Security Network data to define the level of privilege a program will run with, efficiently reducing the attack surface.
The Remediation Engine rolls back malicious changes to the operating system.
Kaspersky Security for Virtualization Light Agent delivers on-access and on-demand anti-malware protection for VMs. Kaspersky’s dedicated SVM combines signature-based technologies and heuristic analysis for rigorous protection of VM file systems, including protection against complex, memory-resident malware.
Kaspersky Hybrid Cloud Security drastically cuts login time for virtual desktops while eliminating hiccups and choke points when scaling and pushing the limits of the virtualization host, compared to a traditional endpoint security solution. The solution is designed and built specifically for use in virtualized environments to eliminate redundant operations and data. After learning the environment, the solution is in most cases able to instantly produce a verdict, without wasting a single extra cycle. Featuring the same extensive endpoint security feature set as traditional solutions, Kaspersky Hybrid Cloud Security creates a secure and responsive user environment, allowing users to focus on their job without risking becoming a victim of fileless malware, ransomware, exploits and the like. The solution supports VMware Horizon, Microsoft Hyper-V and Citrix Virtual Desktops VDI platforms.
Deep integration with platform APIs leverages the deployment, configuration, management and reporting mechanisms of the VDI platforms to ensure high levels of security and control over the user environment.
A wide range of Windows and Linux guest operating systems are supported in VMware Horizon, Citrix Virtual Apps and Desktops as well as Hyper-V VDI environments.
To deal with the risks from exploitation of unpatched vulnerabilities, Kaspersky Hybrid Cloud Security includes a range of Exploit Prevention technologies.
The Exploit Prevention mechanism specifically monitors the most frequently targeted applications – including Adobe Reader, Internet Explorer, Microsoft Office, Java and many more – delivering an extra layer of security monitoring and protection against unknown threats.
Behavior Detection does not rely on signatures of known threats; instead, it leverages techniques including Machine Learning to identify and extract suspicious behavior patterns during execution. This means that even never-before-seen threats can be reliably blocked based simply on the presence of malicious actions.
Configurable Application Control tools let you specify which applications are allowed to run on which VMs. This reduces exposure to risk and wasted resources due to running unnecessary software.
There’s a choice of a Default Allow policy that allows the execution of all applications except the specifically denylisted ones, or a Default Deny policy that blocks all programs except those on the allowlist.
Kaspersky’s Application Control consists of:
Kaspersky Security for Virtualization Light Agent fully supports linked and full cloning. Thanks to the pre-installed lightweight agent, provisioning a new VM simply involves cloning a template. Once cloning is complete, the new machine is automatically protected by the SVM. This simplifies VDI management, eliminating the need to update security products on the VDI image.
System Watcher technology built into Kaspersky Security for Virtualization Light Agent monitors the behavior of applications running inside each virtual desktop. If suspicious behavior is detected - such as cryptor or locker activity - it’s immediately blocked and any malicious changes are automatically rolled back, keeping your critical data secure.
Web Control helps manage Internet use, blocking VM access to specific websites or automatically updated categories such as social networks, music, videos and personal web email. Different control policies can be set for different job roles, blocking access around the clock or during specific times during the day.
Because users can connect to their VDI machine from anywhere, on any device, it’s important to ensure that VMs aren’t exposed to threats from unsecured USB devices. With Device Control, administrators can specify exactly which removable devices can be accessed in each individual VM. It’s easy to apply control policies to a range of devices, including removable drives, printers and non-corporate network connections. For VMware installations, this technology complements and enhances existing Horizon USB Redirection capabilities.
AMSI Protection allows Microsoft Office applications and other third-party programs to send requests for scanning objects for viruses and other threats using Windows Antimalware Scan Interface (AMSI).
The Kaspersky Security for Virtualization Light Agent user interface can be disabled (by unloading it) on any or all VMs for additional performance optimization.
This functionality allows Light Agent to analyze secure connections for threats and prevent the malicious object from reaching the end user’s browser. This can often stop an exploitation attempt before it even begins.
Kaspersky Security for Virtualization Light Agent protects against external and internal network attacks – including threats that may be hiding in encrypted traffic. Every VM is protected by host-based network security which includes Kaspersky’s HIPS, firewall and Network Attack Blocker technologies.
HIPS – working together with Kaspersky’s two-way firewall – controls inbound and outbound network traffic. Flexible tools enable granular control over security according to a policy containing a wide range of parameters, including settings for particular ports, individual IP addresses or specific applications’ network activity.
Kaspersky’s Network Attack Blocker technology monitors hypervisor network traffic and checks for the presence of any activity which may signify a network attack. As soon as it’s detected, the network attack is blocked.
Kaspersky Security Center features Role-Based Access Control (RBAC) that facilitates duty separation, task delegation and audits of security-related organizational functions.
This feature is highly relevant for organizations with a developed information security function, branched infrastructures or large complex infrastructures where there are usually multiple management servers and different people being responsible for security administration, policies and audits.
Kaspersky Security for Virtualization Light Agent is deployed using the single product installer wizard. The wizard has been improved to include agent installers and SVM image downloaders. Remote installation packages for agents are also added to Kaspersky Security Center for streamlined deployment.
Kaspersky Security for Virtualization Light Agent for Linux can now be remotely deployed, simplifying rollout.
Security administrators can use deployment improvements to automate the rollout of security agents and optimize infrastructure protection.
SVM discovery and selection is enhanced to optimize deployments in large-scale environments.
Protection Server can now be deployed and configured via the API, making it possible to deploy the protection server using hypervisor deployment capabilities.
With these latest improvements, Kaspersky Security for Virtualization Light Agent operates seamlessly in complex enterprise infrastructures running multiple logical networks on different hypervisor hosts and platforms.
SVMs can be deployed onto several virtualization hosts simultaneously. This significantly reduces the time it takes to get the security solution up and running within a virtualized infrastructure, regardless of size.
Kaspersky Security for Virtualization Light Agent now offers a wider list of applications from different software vendors for use when specifying exceptions or configuring an enforced scanning policy.
Kaspersky Security for Virtualization Light Agent is managed by Kaspersky Security Center – Kaspersky’s management interface that lets you granularly configure and control a wide range of Kaspersky’s applications protecting mobile devices as well as server and desktop workloads on-premise, in a datacenter or in a public cloud.