The Anti-Virus security engine scans network traffic and prevents the download of malicious files from the internet, while also blocking access to malicious and phishing websites.
Kaspersky NGFW controls TCP traffic transmitted over the following protocols, including encrypted versions:
To control encrypted traffic, you need to enable encrypted connection scanning. Traffic transmitted via other protocols is not scanned by Anti-Virus.
The scan is performed using the following components:
Stream Anti-Virus analyzes objects detected directly in traffic by their SHA2 hashes. It compares each object's SHA2 hash with the values in the local database and, if cloud services are enabled and the hash cannot be found in the local database, with the values in cloud services.
Stream Anti-Virus analyzes objects based on their SHA2 hashes only and does not scan objects in their entirety.
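The lookup order described above for Stream Anti-Virus, as an added sketch that is not Kaspersky's code: the local database is checked first and the cloud is queried only when it is enabled and the hash is not found locally. SHA-256 is assumed as the SHA2 variant, and `hash_verdict`, `fake_cloud` and the sample data are hypothetical names and constructed values.

```python
import hashlib
from typing import Callable, Iterable, Optional, Set, Tuple


def sha256_of_stream(chunks: Iterable[bytes]) -> str:
    """Hash an object incrementally as its chunks arrive from the network."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_verdict(chunks: Iterable[bytes], local_db: Set[str],
                 cloud_lookup: Optional[Callable[[str], bool]] = None
                 ) -> Tuple[bool, str]:
    """Return (detected, source). cloud_lookup=None models 'cloud disabled'."""
    digest = sha256_of_stream(chunks)
    if digest in local_db:
        return True, "local"      # local hit: the cloud is never consulted
    if cloud_lookup is not None and cloud_lookup(digest):
        return True, "cloud"      # local miss, cloud enabled, cloud knows it
    # A miss only means "hash not known"; the object's content was never
    # inspected, so this is not a statement that the object is clean.
    return False, "unknown"


# Constructed sample data (assumption): stand-ins for known-bad objects.
KNOWN_LOCAL = b"constructed sample A"
KNOWN_CLOUD = b"constructed sample B"
LOCAL_DB = {hashlib.sha256(KNOWN_LOCAL).hexdigest()}
CLOUD_DB = {hashlib.sha256(KNOWN_CLOUD).hexdigest()}
cloud_queries = []  # records every digest that leaves the device


def fake_cloud(digest: str) -> bool:
    """Hypothetical stand-in for the cloud service lookup."""
    cloud_queries.append(digest)
    return digest in CLOUD_DB


if __name__ == "__main__":
    print(hash_verdict([b"constructed ", b"sample A"], LOCAL_DB, fake_cloud))
    print(hash_verdict([KNOWN_CLOUD], LOCAL_DB, fake_cloud))
    print(hash_verdict([KNOWN_CLOUD], LOCAL_DB))  # cloud disabled
    print("digests sent to cloud:", len(cloud_queries))
```

The `unknown` result is the case where only a content-scanning component can still produce a detection.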
Object Anti-Virus scans objects detected directly in the analyzed traffic for malware using heuristic analysis methods based on machine learning and artificial intelligence algorithms. Object Anti-Virus can look up scanned objects in the local database as well as the cloud service.
Object Anti-Virus can scan the contents of archives if the corresponding command line option is specified. Object Anti-Virus does not run executable files or PE files.
URL reputation checking prevents attempts to navigate to compromised URLs. URL scanning can be performed using the local database of malicious and phishing sites, or using the cloud service. URL reputation checking against the local database is enabled by default and cannot be disabled. In addition to checking for malicious and phishing websites, you can enable the scanning of advertising resources, as well as other resources that do not fit into other categories.
If necessary, you can configure a list of exclusions for URLs. Addresses added to the list are not taken into account when checking URL reputation.
We strongly recommend enabling cloud service scanning when using the URL reputation checker. This helps improve the quality of anti-virus scanning and increase the level of network security.
For the Anti-Virus security profile, you can enable one or more traffic scanning components. The components scan traffic in the following order:
The action selected in the Anti-Virus security profile is performed if at least one of the components included in the security profile detects malware in traffic or if a URL fails the reputation check.
In the default Anti-Virus profile, Stream Anti-Virus and URL reputation checking are enabled and use the local database. Local Anti-Virus databases are updated automatically as part of the general update task.
When an attempt is made to download a malicious object or visit a compromised website, Kaspersky NGFW blocks access and, if you have selected the corresponding action, displays a warning page telling the user about the block and offering further instructions.