Intrusion Prevention

When protecting virtual machines against intrusions, Kaspersky Security can perform the following actions:

If Kaspersky Security is configured to block traffic from an IP address from which a network attack or suspicious network activity originated, the blocking duration is 60 minutes by default. You can change the traffic blocking duration.

When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

You can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

When Kaspersky Security detects a network attack or suspicious network activity, it assigns the security tag IDS_IPS.threat=high to the virtual machine whose traffic displayed activity typical of network attacks or suspicious network activity.
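The VLAN-scoped, time-limited blocking described above can be modeled as a small table keyed by VLAN and source IP address. This is an added illustration, not Kaspersky Security's own code: the class, VM name, addresses and exclusion network are constructed, and treating an excluded address as "not scanned, so never blocked" is an assumption about one kind of exclusion rule.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DEFAULT_BLOCK = timedelta(minutes=60)   # default duration stated on this page
THREAT_TAG = "IDS_IPS.threat=high"      # security tag stated on this page


class BlockTable:
    """Toy model: blocks are keyed by (VLAN, source IP) and expire after a duration."""

    def __init__(self, duration=DEFAULT_BLOCK, exclusions=()):
        self.duration = duration
        # Hypothetical exclusion rules: networks whose traffic is not scanned.
        self.exclusions = [ip_network(n) for n in exclusions]
        self.blocked = {}   # (vlan, ip) -> expiry time
        self.tags = {}      # VM name -> set of security tags

    def on_detection(self, vm, vlan, src_ip, now):
        """Record a detection; vlan is None for traffic outside any VLAN."""
        ip = ip_address(src_ip)
        if any(ip in net for net in self.exclusions):
            return False    # assumed: excluded traffic is not scanned, so no block
        self.blocked[(vlan, ip)] = now + self.duration
        self.tags.setdefault(vm, set()).add(THREAT_TAG)
        return True

    def is_blocked(self, vlan, src_ip, now):
        expiry = self.blocked.get((vlan, ip_address(src_ip)))
        return expiry is not None and now < expiry


def demo():
    t0 = datetime(2024, 1, 1, 12, 0)   # constructed timestamp
    later = t0 + timedelta(minutes=59)
    table = BlockTable(exclusions=["10.0.9.0/24"])
    table.on_detection("vm-web-01", 100, "10.0.5.7", t0)
    table.on_detection("vm-web-01", 100, "10.0.9.20", t0)   # excluded source
    return {
        "same_vlan": table.is_blocked(100, "10.0.5.7", later),
        "other_vlan": table.is_blocked(200, "10.0.5.7", later),
        "no_vlan": table.is_blocked(None, "10.0.5.7", later),
        "expired": table.is_blocked(100, "10.0.5.7", t0 + timedelta(minutes=60)),
        "excluded": table.is_blocked(100, "10.0.9.20", t0),
        "tags": table.tags,
    }


if __name__ == "__main__":
    print(demo())
```

The same address stays reachable from VLAN 200 and from untagged traffic, which matters where separate VLANs reuse overlapping address ranges.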

In this section:

Enabling and disabling the Network Attack Blocker feature

Configuring Network Attack Blocker settings

Enabling and disabling Network Activity Scanner for virtual machines

Configuring Network Activity Scanner for virtual machines
