Web Threat Protection task (Web_Threat_Protection, ID:14)

While the Web Threat Protection task is running, the application scans inbound traffic and prevents download of malicious files from the Internet and also blocks access to phishing, adware, and other dangerous websites. The application scans HTTP, HTTPS, and FTP traffic. Also, the application scans websites and IP addresses. You can specify network ports or network port ranges to be monitored.

Removing application certificates may cause the Web Threat Protection task to work incorrectly.

By default, the Web Threat Protection task does not run. The task starts automatically if one of the following browser executable files is found in the system:

chrome
chromium
chromium-browser
firefox
firefox-esr
google-chrome
opera
yandex-browser

To monitor HTTPS traffic, enable secure connection scan.

To monitor FTP traffic, specify the following setting value: MonitorNetworkPorts=All.

Kaspersky Industrial CyberSecurity for Linux Nodes adds a special chain of allowing rules (kics_bypass) to the list of the mangle table of the iptables and ip6tables utilities. This chain of allowing rules allows excluding traffic from scan by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Web Threat Protection task.

When a website is opened, the Web Threat Protection task can perform the following actions:

Check the website security using the downloaded application databases.
Check the website security using heuristic analysis, if enabled.
During heuristic analysis, Kaspersky Industrial CyberSecurity for Linux Nodes analyzes the activity of applications in the operating system. Heuristic analysis can detect dangerous objects for which there are currently no records in the Kaspersky Industrial CyberSecurity for Linux Nodes databases.
Check the website security using Kaspersky Security Network, if it is enabled.
You are advised to participate in Kaspersky Security Network to help Web Threat Protection work more effectively.
Block or allow opening of the website.

On attempt to open a dangerous website, the application can perform the following actions:

For HTTP or FTP traffic – block access and display a warning.
For HTTPS traffic – display an error page in the browser.

The table describes all available values and default values of all the settings that you can specify for the Web Threat Protection task.

Web Threat Protection task settings

Setting	Description	Values
`ActionOnDetect`	Specifies the action to be performed upon detection of an infected object in web traffic.	`Notify` (default value) – allow the detected object to be downloaded, display a notification about the blocked access attempt, and log information about the infected object. `Block` – block access to the detected object, display a notification about the blocked access attempt, and make a log entry with information about the infected object.
`CheckMalicious`	Specifies whether links will be checked against the database of malicious web addresses.	`Yes` (default value) — Check if the links are listed in the malicious links database. `No` — Do not check if the links are listed in the malicious links database.
`CheckPhishing`	Specifies whether links will be checked against the database of phishing web addresses.	`Yes` (default value) — Check if the links are listed in the phishing links database. `No` — Do not check if the links are listed in the phishing links database.
`UseHeuristicForPhishing`	Specifies whether heuristic analysis must be used to scan web pages for phishing links.	`Yes` (default value) — Use heuristic analysis to detect phishing links. If this value is specified, the level of heuristic analysis is `Light` (the least thorough scan with minimal load on the system). You cannot change the heuristic analysis level for the Web Threat Protection task. `No` — Do not use heuristic analysis to detect phishing links.
`CheckAdware`	Specifies whether links must be checked against the database of adware web addresses.	`Yes` — Check if the links are listed in the adware links database. `No` (default value) — Do not check if the links are listed in the adware links database.
`CheckOther`	Specifies whether links must be checked against the database of web addresses that contain legal software that may be used by criminals to damage your computer or personal data.	`Yes` — Check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your computer or personal data. `No` (default value) — Do not check if the links are listed in the database of web addresses that contain legal software that may be used by intruders to damage your computer or personal data.
`UseTrustedAddresses`	Enables or disables the usage of a list of trusted web addresses. The application does not analyze information from trusted web addresses to check them for viruses or other dangerous objects. You can specify trusted web addresses using the `TrustedAddresses.item_#` parameter.	`Yes` (default value) — Use a list of trusted web addresses. `No` — Do not use a list of trusted web addresses.
`TrustedAddresses.item_#`	Specifies trusted web addresses.	The default value is not defined. You can use masks to specify web addresses. Masks are not supported to specify IP addresses. When creating an address mask, use an asterisk () as a placeholder for one or more characters. If you enter the abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/*/page_0-9abcdef.html means www.virus.com//page_0-9abcdef.html).

Page top