While the Network Threat Protection task is running, the application scans inbound network traffic for activity that is typical of network attacks. Kaspersky Endpoint Security takes the list of TCP port numbers from the current application databases and scans incoming traffic on those ports. When the task starts, existing connections on the intercepted TCP ports are reset, so starting or restarting the task on a production host interrupts long-lived sessions on those ports; schedule it accordingly.
Because the task itself accepts connections on every one of these ports, a port scan of the device reports them as open even when no application on the system is listening on them. Close unused ports with a firewall so that the intercepted ports are not reachable from networks that have no need to reach them.
Upon detecting an attempted network attack that targets your device, the application blocks network activity from the attacking device and logs a corresponding event. By default the attacking device is blocked for one hour; you can change the block duration in the task settings. You can view the list of devices blocked by the Network Threat Protection task using the --get-blocked-hosts command and manually unblock these devices using the --allow-hosts command. Blocks expire on their own, so export the blocked list while it is still populated if you need the source addresses for an investigation. For hosts whose traffic is expected to look like an attack, such as an authorized vulnerability scanner, use the task's IP address exclusion list (see the settings table below) rather than unblocking them by hand after every scan.
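The blocked-host review described above, as an added example that is not part of Kaspersky's documentation or tooling: it reads the blocked list, intersects it with a local allowlist and unblocks only the matches, leaving every other block in place. It assumes the kesl-control CLI, that --get-blocked-hosts prints one entry per line beginning with the IP address, that --allow-hosts takes the address as its argument, and an allowlist file at /etc/kesl/ntp-allowlist; all four are assumptions about format and paths, not facts from the page.

```shell
#!/bin/sh
# Added example, not Kaspersky's own script. Unblock only the Network Threat
# Protection blocks that belong to hosts on a local allowlist (for instance an
# authorized vulnerability scanner that tripped the detection).
#
# Assumptions (not from the page): the CLI is kesl-control, --get-blocked-hosts
# prints one entry per line starting with the IP address, and --allow-hosts
# takes that address as its argument.

# Hypothetical allowlist file: one IPv4/IPv6 address per line, '#' comments.
ALLOWLIST=${KESL_ALLOWLIST:-/etc/kesl/ntp-allowlist}

# Pure text processing, so it can be tested offline: read blocked entries on
# stdin, take the first field of each, and print those that also appear in the
# allowlist file given as $1 (once each, in blocked-list order).
hosts_to_unblock() {
    allow_file=$1
    awk -v allow="$allow_file" '
        BEGIN {
            while ((getline line < allow) > 0) {
                sub(/#.*/, "", line)          # drop trailing comments
                gsub(/[ \t\r]/, "", line)     # drop whitespace
                if (line != "") allowed[line] = 1
            }
        }
        NF > 0 && ($1 in allowed) && !(seen[$1]++) { print $1 }
    '
}

# Live wrapper: query KESL, unblock the matches, leave everything else blocked.
unblock_allowlisted() {
    kesl-control --get-blocked-hosts | hosts_to_unblock "$ALLOWLIST" |
    while IFS= read -r ip; do
        echo "unblocking $ip (listed in $ALLOWLIST)"
        kesl-control --allow-hosts "$ip"
    done
}

# Usage (as root on a KESL host with the allowlist populated):
# unblock_allowlisted
```

Because the block list is time-limited, a scanner that runs more often than the block duration will be re-blocked between runs; that is the case where adding it to the task's exclusion list is the better fix.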
Kaspersky Endpoint Security adds a special chain of allowing rules (kesl_bypass) to the mangle table of the iptables and ip6tables utilities. Traffic matched by an ACCEPT rule in this chain is excluded from scanning by the application, so any traffic exclusion rules configured in the chain affect the operation of the Network Threat Protection task. For example, to exclude outgoing HTTP traffic, add the following rule:
iptables -t mangle -I kesl_bypass -m tcp -p tcp --dport http -j ACCEPT
Keep such rules as narrow as possible (protocol, port and, where feasible, address): an ACCEPT rule in kesl_bypass with no match conditions exempts all traffic and effectively disables the task. Add the matching ip6tables rule if the excluded traffic can also arrive over IPv6, and verify the chain contents with iptables -t mangle -L kesl_bypass -n after making changes.
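An audit of the kesl_bypass chain, as an added example that is not part of Kaspersky's documentation or product: it reads the chain in the syntax printed by iptables -t mangle -S kesl_bypass and reports every ACCEPT rule that has neither an address match nor a port match, i.e. one that exempts a whole protocol (or all traffic) from Network Threat Protection. It generalizes the page's single HTTP rule to any rule in the chain; the rule listing embedded below is constructed for the example.

```shell
#!/bin/sh
# Added example, not Kaspersky's own tooling. Audit the kesl_bypass chain for
# exclusions broader than a single port or address. Input is the chain in
# 'iptables -S' syntax (iptables -t mangle -S kesl_bypass) on stdin.

# Classify each ACCEPT rule in kesl_bypass. A rule is BROAD when it carries
# no address match (-s/-d) and no port match (--dport/--sport/--dports/--sports):
# such a rule switches the task off for an entire protocol, or for everything
# if it has no -p either. Prints "<SCOPE>\t<rule>" per ACCEPT rule.
audit_kesl_bypass() {
    awk '
        $1 == "-A" && $2 == "kesl_bypass" && /-j ACCEPT/ {
            narrow = 0
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "-d" ||
                    $i == "--dport" || $i == "--sport" ||
                    $i == "--dports" || $i == "--sports") narrow = 1
            }
            scope = narrow ? "NARROW" : "BROAD"
            rule = ""
            for (i = 3; i <= NF; i++) rule = rule (i > 3 ? " " : "") $i
            print scope "\t" rule
        }
    '
}

# Compliance-style check: succeeds only if no BROAD rule is present.
check_kesl_bypass() {
    audit_kesl_bypass | grep -q '^BROAD' && return 1
    return 0
}

# Constructed sample listing: a port-scoped exclusion like the page's HTTP
# example, a source-scoped exclusion, a rule that bypasses all TCP, and a
# non-ACCEPT rule that is ignored by the audit.
SAMPLE_RULES='-N kesl_bypass
-A kesl_bypass -p tcp -m tcp --dport 80 -j ACCEPT
-A kesl_bypass -s 10.0.0.5/32 -j ACCEPT
-A kesl_bypass -p tcp -j ACCEPT
-A kesl_bypass -p udp -j LOG --log-prefix "ntp-bypass "'

# Live usage on a KESL host (repeat with ip6tables for the IPv6 chain):
#   iptables -t mangle -S kesl_bypass | audit_kesl_bypass
printf '%s\n' "$SAMPLE_RULES" | audit_kesl_bypass
```

Run the same check against ip6tables, since the IPv6 chain is maintained separately and is easy to forget when the IPv4 one has been tightened.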
The table describes all available values and the default values of all the settings that you can specify for the Network Threat Protection task.
Network Threat Protection task settings
Setting | Description | Values |
---|---|---|
 | Actions performed upon detection of network activity that is typical of network attacks. Changing the value of this setting from | |
 | Blocking network activity from attacking devices. | |
 | Specifies how long attacking devices will be blocked (in minutes). | 1 – 32768. Default value: 60. |
 | Enables a list of IP addresses whose network activity will not be blocked when a network attack is detected; the application only logs information about dangerous activity from these devices. You can add IP addresses to the exclusion list by using the | |
 | Specifies an IP address whose network activity will not be blocked by the application. | The default value is not defined. |