The Network Threat Protection component scans inbound network traffic for activity that is typical of network attacks. Upon detecting an attempted network attack that targets your computer, Kaspersky Embedded Systems Security blocks network activity from the attacking computer. Descriptions of currently known types of network attacks and ways to counteract them are provided in the application databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.
By default, the Network Threat Protection task runs in the Block mode. In this mode, Kaspersky Embedded Systems Security blocks connection to computers that display activity typical of network attacks, and in some cases adds IP addresses of such computers to the list of blocked network sessions.
Kaspersky Embedded Systems Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.
By configuring the Blocked Hosts storage settings, you can restore access to blocked hosts and specify the number of days, hours, and minutes after which blocked hosts regain access to network file resources.
The IP addresses of hosts showing activity typical of network attacks are deleted from the list of blocked hosts in the following cases:
Kaspersky Embedded Systems Security is uninstalled.
The IP address was deleted manually from the list of blocked hosts.
In the Kaspersky Security Center Administration Console tree, expand the Managed devices node.
Select the administration group for which you want to configure the task.
Select the Policies tab.
Double-click the policy name you want to configure.
In the policy properties window, go to the Network activity control section.
In the Network Threat Protection block, click the Settings button.
The Network Threat Protection window opens on the General tab.
Select the Network Threat Protection check box to enable the Network Threat Protection component.
Select the task mode in the Operating mode section:
Block. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
Inform. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.
Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. As a result, users are unable to access the network resources of the organization.
If this functionality is enabled, Kaspersky Embedded Systems Security monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Embedded Systems Security does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.
If the check box is selected, the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.
If the Inform mode is selected, Kaspersky Embedded Systems Security does not block the network connection.
A MAC address spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker could redirect data sent to a device to another device and gain access to this data.
If the check box is selected, Kaspersky Embedded Systems Security scans incoming network traffic for actions that are typical of MAC address spoofing attacks and performs actions in accordance with the mode selected for the Network Threat Protection component.
For Kaspersky Embedded Systems Security to work correctly on virtual machines in a Microsoft Hyper-V infrastructure, you need to install Kaspersky Embedded Systems Security before you configure Hyper-V virtual switches.
If the check box is cleared, Kaspersky Embedded Systems Security does not scan incoming network traffic for actions typical of MAC address spoofing attacks.
Kaspersky Embedded Systems Security can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.
The ability to select protocols and ports for exclusions was added in Kaspersky Embedded Systems Security 4.0. Make sure the application and the management plug-in are updated to version 4.0 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Embedded Systems Security can allow network activities only by IP address.
Select the Exclusions tab.
Select the Do not control excluded addresses check box to prevent Kaspersky Embedded Systems Security from scanning inbound network traffic for excluded IP addresses.
Click Add.
In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.
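The settings described above interact: operating mode, the timed block, notify-only handling of port scanning and network flooding, and exclusions by IP address, protocol and port. The following Python model is an added example for reasoning about a policy before deploying it; it is not Kaspersky code. The class names, event kinds, outcome strings and minute-based clock are hypothetical, and it assumes that every blocked attacker is added to the block list (the documentation says "in some cases").

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Optional

# Hypothetical event kinds: these two are reported but never blocked.
NOTIFY_ONLY = {"port_scan", "network_flood"}

@dataclass(frozen=True)
class Exclusion:                      # one entry on the Exclusions tab
    ip: str
    protocol: Optional[str] = None    # None matches any protocol
    port: Optional[int] = None        # None matches any port

    def matches(self, ip, protocol, port):
        return (ip_address(self.ip) == ip_address(ip)
                and self.protocol in (None, protocol)
                and self.port in (None, port))

@dataclass
class Policy:
    mode: str = "Block"                  # "Block" or "Inform"
    block_minutes: Optional[int] = 60    # None: timed-block check box cleared
    exclusions: list = field(default_factory=list)
    blocked: dict = field(default_factory=dict)   # ip -> expiry minute

    def __post_init__(self):
        if self.mode not in ("Block", "Inform"):
            raise ValueError("mode must be Block or Inform")
        if self.block_minutes is not None and not 1 <= self.block_minutes <= 999:
            raise ValueError("block time must be 1 to 999 minutes")

    def handle(self, now, ip, protocol, port, kind):
        """Return the outcome for one detection at minute `now`."""
        if any(e.matches(ip, protocol, port) for e in self.exclusions):
            return "not scanned"          # excluded traffic is not inspected
        if self.blocked.get(ip, -1) > now:
            return "blocked (listed)"     # still inside the block window
        self.blocked.pop(ip, None)        # drop an expired entry
        if kind in NOTIFY_ONLY:
            return "notified"             # event sent, sender not blocked
        if self.mode == "Inform":
            return "logged"               # Inform mode never blocks
        if self.block_minutes is not None:
            self.blocked[ip] = now + self.block_minutes
        return "blocked"

    def settings_changed(self):
        self.blocked.clear()              # block list is cleared on change
```

Because an exclusion with no protocol or port matches all traffic from that address, narrowing each exclusion to the protocol and port the trusted device actually uses keeps the rest of its traffic under inspection.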
In the Application Console tree, select the Real-Time Computer Protection → Network Threat Protection node.
Click the Properties link in the results pane.
The Properties: Network Threat Protection window opens.
Select the Network Threat Protection check box to enable the Network Threat Protection component.
Select the task mode in the Operation mode section:
Block. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
Inform. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
Kaspersky Embedded Systems Security can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.
The ability to select protocols and ports for exclusions was added in Kaspersky Embedded Systems Security 4.0. Make sure the application and the management plug-in are updated to version 4.0 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Embedded Systems Security can allow network activities only by IP address.
Select the Exclusions tab.
Select the Do not control excluded addresses check box to prevent Kaspersky Embedded Systems Security from scanning inbound network traffic for excluded IP addresses.
Click Add.
In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Embedded Systems Security policy.
The policy properties window opens.
Select the Application settings tab.
Select Network activity control → Network Threat Protection.
Select the Enable Network Threat Protection check box on the General tab to enable the Network Threat Protection component.
Select the task operating mode:
Block. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, blocks connection to computers that display such activity, and in some cases adds IP addresses of computers to the list of blocked network sessions. The application also logs events about detected activity typical of network attacks in the component log.
Inform. If this mode is selected, Kaspersky Embedded Systems Security scans inbound network traffic for activity that is typical of network attacks, but does not block connection to computers that display such activity, and does not add IP addresses of computers to the list of blocked network sessions. The application logs events about detected activity typical of network attacks in the component log.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of the corresponding attacks.
Kaspersky Embedded Systems Security can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions. You can also select the protocol and port that are used for communication and allow specific network activities.
The ability to select protocols and ports for exclusions was added in Kaspersky Embedded Systems Security 4.0. Make sure the application and the management plug-in are updated to version 4.0 or later. If you are using an earlier version of the application or the management plug-in, Kaspersky Embedded Systems Security can allow network activities only by IP address.
Select the Exclusions tab.
Select the Do not control excluded addresses check box to prevent Kaspersky Embedded Systems Security from scanning inbound network traffic for excluded IP addresses.
Click Add.
In the Exclusions window, enter the IP address of the computer from which network attacks must not be blocked.
If required, select the protocol and ports through which data is transmitted.