The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.
This feature is not supported in the KESL container.
Kaspersky Endpoint Security receives TCP port numbers from the current application databases and scans incoming traffic for these ports.
To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections via all these ports. During the network scan process, it may look like an open port on the device, even if no application on the system is listening to this port. It is recommended to close unused ports by means of a firewall.
Current connections for intercepted TCP ports are reset when Network Threat Protection is enabled.
If Network Threat Protection is enabled, upon detecting an attempted network attack on a protected device, the application blocks network activity from the attacking device and creates the Network attack detected event. The event contains information about the attacking device.
By default, network traffic from the attacking device is blocked for one hour. Once the blocking time has expired, the application unblocks the device.
Network Threat Protection is enabled by default if the Network Threat Protection settings on the device are defined through a policy. If locally configured settings are applied on the device, Network Threat Protection is disabled by default.
You can enable or disable Network Threat Protection, and also configure the protection settings:
You can use the commands for administering blocked devices in the command line to view the list of blocked devices and manually unblock these devices. Kaspersky Security Center does not provide tools for monitoring and managing blocked devices, except for the Network attack detected events.
Kaspersky Endpoint Security adds a special chain of allowing rules (kesl_bypass) to the list in the mangle table of the iptables and ip6tables utilities. This chain of allowing rules makes it possible to exclude traffic from scans by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Network Threat Protection task. For example, to exclude outgoing HTTP traffic, you need to add the following command: iptables -t mangle -I kesl_bypass -m tcp -p tcp --dport http -j ACCEPT.