Network Threat Protection task (Network_Threat_Protection, ID:17)

While the Network Threat Protection task is running, the application scans inbound network traffic for activity that is typical of network attacks. Kaspersky Endpoint Security receives TCP port numbers from the current application databases and scans incoming traffic on these ports. When the task starts, the current connections for intercepted TCP ports are reset.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections via all these ports. During a network scan, such a port may appear to be open on the device, even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.

Upon detecting an attempted network attack that targets your device, the application blocks network activity from the attacking device and logs a corresponding event. The application blocks network traffic from the attacking device for one hour. You can change the block duration in the task settings.

Kaspersky Endpoint Security adds a special chain of allowing rules (kesl_bypass) to the list in the mangle table of the iptables and ip6tables utilities. This chain of allowing rules makes it possible to exclude traffic from scans by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task.

The table describes all available values and the default values of all the settings that you can specify for the Network Threat Protection task.

Network Threat Protection task settings





Actions performed upon detection of network activity that is typical of network attacks.

Notify – allow network activity, log information about detected network activity.

Block (default value) – block network activity and log information about it.


Blocking network activity from attacking devices.

Yes (default value) — Block network activity from an attacking device.

No — Allow network activity from an attacking computer.


Specifies how long attacking devices will be blocked (in minutes).

1 – 32768

Default value: 60.


Enables or disables the use of a list of IP addresses whose network activity will not be blocked when a network attack is detected. The application will only log information about dangerous activity from these devices.

You can add IP addresses to the exclusion list by using the ExcludeIPs.item_# setting. By default, the list is empty.

Yes — Use the list of excluded IP addresses.

No (default value) — Do not use the list of excluded IP addresses.


Specifies an IP address whose network activity will not be blocked by the application.

d.d.d.d — IPv4 address, where d is a decimal number from 0 to 255.

d.d.d.d/p — Subnet of IPv4 addresses, where p is a number from 0 to 32.

x:x:x:x:x:x:x:x — IPv6 address, where x is a hexadecimal number from 0 to ffff.

x:x:x:x::0/p — Subnet of IPv6 addresses, where p is a number from 0 to 64.

The default value is not defined.
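
An added example, not part of the Kaspersky documentation: a Python check that validates candidate ExcludeIPs.item_# values against the formats listed above and flags very broad subnets, since activity from every excluded address is only logged and never blocked. The function names, the sample list and the "broad" thresholds are assumptions made for this example.

```python
import ipaddress

# Upper bounds for p, as given in the settings description above.
MAX_PREFIX = {4: 32, 6: 64}
# Assumed review thresholds (not from the product documentation): a shorter
# prefix exempts a very large range from blocking and deserves a second look.
BROAD_BELOW = {4: 16, 6: 32}


def check_exclusion(entry):
    """Classify one ExcludeIPs.item_# value as 'ok', 'broad' or 'invalid'."""
    text = entry.strip()
    if "%" in text:  # zone IDs are not among the documented formats
        return "invalid", "zone identifier not allowed"
    addr_part, sep, prefix_part = text.partition("/")
    try:
        addr = ipaddress.ip_address(addr_part)
    except ValueError:
        return "invalid", "not an IPv4 or IPv6 address"
    if not sep:
        return "ok", f"single IPv{addr.version} host"
    if not (prefix_part.isascii() and prefix_part.isdigit()):
        return "invalid", "prefix is not a decimal number"
    prefix = int(prefix_part)
    if prefix > MAX_PREFIX[addr.version]:
        return "invalid", f"prefix exceeds {MAX_PREFIX[addr.version]}"
    # strict=False tolerates host bits and reports the covered network.
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    if prefix < BROAD_BELOW[addr.version]:
        return "broad", f"{net} exempts {net.num_addresses} addresses"
    return "ok", f"subnet {net}"


def audit(entries):
    """Return (entry, status, detail) for every entry that is not 'ok'."""
    results = ((e, *check_exclusion(e)) for e in entries)
    return [r for r in results if r[1] != "ok"]


# Constructed sample list using documentation/private ranges, not real data.
SAMPLE = ["192.0.2.10", "198.51.100.0/24", "10.0.0.0/8", "2001:db8::/48",
          "2001:db8:1::/72", "0.0.0.0/0", "192.0.2.300"]

if __name__ == "__main__":
    for entry, status, detail in audit(SAMPLE):
        print(f"{status:8} {entry:18} {detail}")
```

Running it over the exclusion list before the list is applied gives a reviewer the entries that are malformed or that would exempt a large address range from blocking.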
