Network Threat Protection task (Network_Threat_Protection, ID:17)

While the Network Threat Protection task is running, the application scans inbound network traffic for activity that is typical of network attacks. Kaspersky Endpoint Security receives TCP port numbers from the current application databases and scans incoming traffic on these ports. When the task starts, the current connections on the intercepted TCP ports are reset.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections on all of these ports. While the task is running, such a port can therefore appear open on the device even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.

Upon detecting an attempted network attack that targets your device, the application blocks network activity from the attacking device and logs a corresponding event. The application blocks network traffic from the attacking device for one hour. You can change the block duration in the task settings. You can view the list of devices blocked by the Network Threat Protection task using the --get-blocked-hosts command and manually unblock these devices using the --allow-hosts command.

Kaspersky Endpoint Security adds a special chain of allowing rules (kesl_bypass) to the mangle table of the iptables and ip6tables utilities. Rules in this chain exclude matching traffic from scanning by the application, so any traffic exclusion rules configured in the chain also affect the operation of the Network Threat Protection task. For example, to exclude outgoing HTTP traffic, run the following command:

    iptables -t mangle -I kesl_bypass -m tcp -p tcp --dport http -j ACCEPT

The following describes all available values, and the default values, of the settings that you can specify for the Network Threat Protection task.

Network Threat Protection task settings

ActionOnDetect
  Description: Actions performed upon detection of network activity that is typical of network attacks.
  Changing the value of this setting from Block to Notify clears the list of blocked devices.
  Values:
    Notify – Allow network activity and log information about the detected activity. If this value is specified, the value of the BlockAttackingHosts setting is ignored.
    Block (default value) – Block network activity and log information about it.

BlockAttackingHosts
  Description: Whether to block network activity from attacking devices.
  Values:
    Yes (default value) – Block network activity of an attacking device.
    No – Do not block network activity of the attacking device. If this value is specified and the ActionOnDetect setting is set to Block, the application blocks network activity from the attacking device but does not add the device to the list of blocked devices.

BlockDurationMinutes
  Description: How long attacking devices are blocked, in minutes.
  Values: 1 – 32768. Default value: 60.

UseExcludeIPs
  Description: Whether to use a list of IP addresses whose network activity is not blocked when a network attack is detected. The application only logs information about dangerous activity from these devices.
  You can add IP addresses to the exclusion list by using the ExcludeIPs.item_# setting. By default, the list is empty.
  Values:
    Yes – Use the list of excluded IP addresses.
    No (default value) – Do not use the list of excluded IP addresses.

ExcludeIPs.item_#
  Description: An IP address whose network activity is not blocked by the application.
  Values:
    d.d.d.d – IPv4 address, where d is a decimal number from 0 to 255.
    d.d.d.d/p – Subnet of IPv4 addresses, where p is a number from 0 to 32.
    x:x:x:x:x:x:x:x – IPv6 address, where x is a hexadecimal number from 0 to ffff.
    x:x:x:x::0/p – Subnet of IPv6 addresses, where p is a number from 0 to 64.
  The default value is not defined.
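To check a set of task values against the ranges and setting interactions documented above before applying them, here is an added Python example (not Kaspersky's code). The dict layout and the item_0000 numbering of ExcludeIPs.item_# are assumptions, and the sample values are constructed.

```python
import ipaddress

# Constructed sample; key names follow the settings above, the item_0000 numbering is assumed.
SAMPLE = {
    "ActionOnDetect": "Block",
    "BlockAttackingHosts": "No",
    "BlockDurationMinutes": "90",
    "UseExcludeIPs": "Yes",
    "ExcludeIPs.item_0000": "10.0.0.5",
    "ExcludeIPs.item_0001": "192.168.1.0/24",
    "ExcludeIPs.item_0002": "2001:db8:1:2::0/64",
    "ExcludeIPs.item_0003": "2001:db8::/96",
    "ExcludeIPs.item_0004": "300.1.1.1",
}

def check_exclude_ip(value):
    """None if value is one of the documented forms, else the reason it is not."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "not a valid IPv4/IPv6 address or subnet"
    # IPv4: any prefix 0-32. IPv6: a single address, or a subnet with prefix 0-64.
    if net.version == 6 and 64 < net.prefixlen < 128:
        return "IPv6 subnet prefix must be 0-64"
    return None

def check_settings(settings):
    """Return (errors, notes) for a dict of string values: errors break the documented
    ranges, notes flag settings that are ignored because of another setting."""
    errors, notes = [], []
    action = settings.get("ActionOnDetect", "Block")
    block_hosts = settings.get("BlockAttackingHosts", "Yes")
    if action not in ("Notify", "Block"):
        errors.append(f"ActionOnDetect={action}: expected Notify or Block")
    elif action == "Notify":
        notes.append("BlockAttackingHosts is ignored while ActionOnDetect=Notify")
    elif block_hosts == "No":
        notes.append("hosts are blocked but not added to the blocked-devices list")
    duration = settings.get("BlockDurationMinutes", "60")
    if not (duration.isdigit() and 1 <= int(duration) <= 32768):
        errors.append(f"BlockDurationMinutes={duration}: expected 1-32768")
    items = {k: v for k, v in settings.items() if k.startswith("ExcludeIPs.item_")}
    if settings.get("UseExcludeIPs", "No") == "No" and items:
        notes.append("ExcludeIPs entries are not applied while UseExcludeIPs=No")
    for key, value in sorted(items.items()):
        reason = check_exclude_ip(value)
        if reason:
            errors.append(f"{key}={value}: {reason}")
    return errors, notes
```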
