Configuring protection against network attacks by type
Kaspersky Endpoint Security lets you manage protection against the following types of network attacks:
Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization.
A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.
A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.
You can disable detection of these types of attacks in case some of your allowed applications perform operations that are typical for these types of attacks. This will help avoid false alarms.
By default, Kaspersky Endpoint Security does not monitor Network Flooding, Port Scanning, and MAC spoofing attacks.
We do not recommend enabling MAC spoofing protection on virtual machines in the Microsoft Hyper-V infrastructure. Due to the specifics of the Microsoft Hyper-V platform, Kaspersky Industrial CyberSecurity for Nodes may block the hypervisor due to false positive results.
Open the Kaspersky Security Center Administration Console.
In the console tree, select Policies.
Select the necessary policy and double-click to open the policy properties.
In the policy window, select Essential Threat Protection → Network Threat Protection.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Endpoint Security does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.
In the MAC spoofing protection mode block, select one of the following options:
In the main window of the Web Console, select Assets (Devices) → Policies & profiles.
Click the name of the Kaspersky Endpoint Security policy.
The policy properties window opens.
Select the Application settings tab.
Go to Essential Threat Protection → Network Threat Protection.
Use the Treat port scanning and network flooding as attacks check box to enable or disable the detection of these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Endpoint Security does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.
Use the Network Threat Protection ENABLED toggle switch to enable the detection of these attacks. Select one of the following options:
In the application settings window, select Essential Threat Protection → Network Threat Protection.
Network Threat Protection settings
Use the toggle Treat port scanning and network flooding as attacks to enable or disable the detection of these attacks.
If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Endpoint Security does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.
Use the toggle MAC spoofing protection to enable or disable the detection of these attacks.
In the Action on detecting a MAC spoofing attack block, select one of the following options:
button.