Network Threat Protection

The Network Threat Protection component allows you to scan inbound network traffic for activity that is typical for network attacks.

Kaspersky Endpoint Security receives TCP port numbers from the current application databases and scans incoming traffic for these ports.

To scan network traffic, the Network Threat Protection task receives port numbers from the application databases and accepts connections on all of these ports. As a result, a network scan may report such a port as open on the device even if no application on the system is listening on it. It is recommended to close unused ports by means of a firewall.
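One way to tell the two cases apart when reviewing scan results, shown as an added example that is not part of the product or its documentation: it compares the ports a scanner reported as open with the sockets that are actually listening. It assumes a Linux device where `ss -H -ltn` is available; the function names and all sample data are constructed for illustration.

```python
import re

# Constructed sample: output of `ss -H -ltn` captured on the protected device.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 *:443 *:*
"""
# Constructed sample: TCP ports an external scan reported as open.
SAMPLE_SCAN_OPEN = [22, 80, 443, 445, 8080]

_LOCAL_ADDR = re.compile(r"^(?P<host>\[.*\]|[^\s:]*):(?P<port>\d+)$")
_LOOPBACK = ("127.", "[::1]")

def listening_ports(ss_output):
    """Return {port: reachable_from_network} parsed from `ss -H -ltn` lines."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or unrelated line
        m = _LOCAL_ADDR.match(fields[3])
        if not m:
            continue
        port = int(m.group("port"))
        # A loopback-only listener cannot explain a port seen open from outside.
        external = not m.group("host").startswith(_LOOPBACK)
        ports[port] = ports.get(port, False) or external
    return ports

def classify(scan_open, ss_output):
    """Split scanner-reported ports into real listeners and unexplained ones."""
    listeners = listening_ports(ss_output)
    backed = sorted(p for p in scan_open if listeners.get(p))
    unexplained = sorted(p for p in scan_open if not listeners.get(p))
    return {"backed_by_listener": backed, "no_listener": unexplained}

if __name__ == "__main__":
    result = classify(SAMPLE_SCAN_OPEN, SAMPLE_SS)
    print("Backed by a local listener:", result["backed_by_listener"])
    print("No listener, review and firewall if unused:", result["no_listener"])
```

Ports in the `no_listener` group are candidates for the behavior described above; the script cannot confirm that Network Threat Protection is the cause, only that no network-reachable application socket explains the scan result.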

Current connections for intercepted TCP ports are reset when Network Threat Protection is enabled.

If Network Threat Protection is enabled, upon detecting an attempted network attack on a protected device, the application blocks network activity from the attacking device and creates the Network attack detected event. The event contains information about the attacking device. By default, network traffic from the attacking device is blocked for one hour. Once the blocking time has expired, the application unblocks the device.

By default, Network Threat Protection is disabled.

You can enable or disable Network Threat Protection, and also configure the protection settings:

From the command line, you can use the commands for administering blocked devices to view the list of blocked devices and manually unblock them. Kaspersky Security Center does not provide tools for monitoring and managing blocked devices, except for the Network attack detected events.

If you have configured traffic interception exclusions for Kaspersky Endpoint Security, these affect Network Threat Protection.

In this Help section

Configuring Network Threat Protection in the Web Console

Configuring Network Threat Protection in the Administration Console

Configuring Network Threat Protection in the command line
