Kaspersky Endpoint Security 12.1 for Windows

Network Threat Protection

The Network Threat Protection component scans inbound network traffic for activity that is typical of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer. Descriptions of currently known types of network attacks and ways to counteract them are provided in Kaspersky Endpoint Security databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

In this section

Enabling and disabling Network Threat Protection

Blocking an attacking computer

Configuring addresses of exclusions from blocking

Exporting and importing the list of exclusions from blocking

Configuring protection against network attacks by type


Enabling and disabling Network Threat Protection

By default, Network Threat Protection is enabled and running in the optimal mode. You can disable Network Threat Protection if necessary.

To enable or disable Network Threat Protection:

  1. In the main application window, click the Application settings button (gear wheel icon).
  2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
  3. Use the Network Threat Protection toggle to enable or disable the component.
  4. Save your changes.

As a result, if Network Threat Protection is enabled, Kaspersky Endpoint Security scans inbound network traffic for activity that is typical of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer.


Blocking an attacking computer

To block an attacking computer:

  1. In the main application window, click the Application settings button (gear wheel icon).
  2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
  3. Select the Block attacking devices for N min check box.

    If the check box is selected, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.

    You can view the block list in the Network Monitor tool window.

    Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.

  4. Set a different blocking duration for an attacking computer in the field to the right of the Block attacking devices for N min check box.
  5. Save your changes.

As a result, when Kaspersky Endpoint Security detects an attempted network attack launched against the user's computer, it will block all connections with the attacking computer.


Configuring addresses of exclusions from blocking

Kaspersky Endpoint Security can recognize a network attack and block an unsecured network connection that is transmitting a large number of packets (for example, from surveillance cameras). To work with trusted devices, you can add the IP addresses of these devices to the list of exclusions.

To configure addresses of exclusions from blocking:

  1. In the main application window, click the Application settings button (gear wheel icon).
  2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
  3. Click the Manage exclusions link.
  4. In the window that opens, click the Add button.
  5. Enter the IP address of the computer from which network attacks must not be blocked.
  6. Save your changes.

As a result, Kaspersky Endpoint Security does not track the activity from devices on the list of exclusions.


Exporting and importing the list of exclusions from blocking

You can export the list of exclusions to an XML file. Then you can modify the file to, for example, add a large number of addresses of the same type. You can also use the export/import function to back up the list of exclusions or to migrate the list to a different server.
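
Devices on the list of exclusions are not tracked, so a batch of addresses prepared for bulk addition is worth vetting first. The following is an added example, not part of the Kaspersky documentation: it works on a plain list of addresses (the layout of the exported XML file is not shown on this page and is not assumed), and the approved subnet, the sample entries and the function name vet_exclusions are assumptions made for illustration.

```python
import ipaddress

# Constructed values: the subnet that holds the trusted devices (for example
# a camera VLAN) and a candidate list as it might be pasted from a ticket.
APPROVED_SUBNETS = [ipaddress.ip_network("10.20.30.0/24")]
SAMPLE_CANDIDATES = [
    "10.20.30.11",
    "10.20.30.12 ",
    "10.20.30.11",      # duplicate
    "10.20.30.0/24",    # a range, not one device
    "10.20.30.255",     # broadcast address of the approved subnet
    "127.0.0.1",        # loopback
    "203.0.113.7",      # outside the approved subnet
    "camera-07",        # host name, not an address
]


def vet_exclusions(candidates, approved=APPROVED_SUBNETS):
    """Split candidates into (accepted addresses, [(entry, reason), ...])."""
    accepted, rejected = [], []
    for raw in candidates:
        entry = raw.strip()
        if not entry:
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not a single IP address"))
            continue
        # First approved subnet that contains the address, if any.
        home = next((net for net in approved if addr in net), None)
        if addr.is_loopback or addr.is_unspecified or addr.is_multicast or addr.is_link_local:
            reason = "special-purpose address"
        elif home is None:
            reason = "outside approved subnets"
        elif addr in (home.network_address, home.broadcast_address):
            reason = "network or broadcast address"
        elif str(addr) in accepted:
            reason = "duplicate"
        else:
            accepted.append(str(addr))
            continue
        rejected.append((entry, reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = vet_exclusions(SAMPLE_CANDIDATES)
    print("add to exclusions:", ok)
    for entry, reason in bad:
        print(f"review {entry!r}: {reason}")
```

Only the accepted addresses go into the list of exclusions; each rejected entry is returned with its reason so that it can be reviewed by hand.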

How to export and import a list of exclusions in the Administration Console (MMC)

  1. Open the Kaspersky Security Center Administration Console.
  2. In the console tree, select Policies.
  3. Select the necessary policy and double-click to open the policy properties.
  4. In the policy window, select Essential Threat Protection → Network Threat Protection.
  5. In the Network Threat Protection settings block, click the Exclusions button.
  6. To export the list of exclusions:
    1. Select the exclusions that you want to export. To select multiple exclusions, use the CTRL or SHIFT keys.

      If you did not select any exclusion, Kaspersky Endpoint Security will export all exclusions.

    2. Click the Export link.
    3. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
    4. Save the file.

      Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.

  7. To import the list of exclusions:
    1. Click Import.
    2. In the window that opens, select the XML file from which you want to import the list of exclusions.
    3. Open the file.

      If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.

  8. Save your changes.

How to export and import a list of exclusions in the Web Console and Cloud Console

  1. In the main window of the Web Console, select Devices → Policies & Profiles.
  2. Click the name of the Kaspersky Endpoint Security policy.

    The policy properties window opens.

  3. Select the Application settings tab.
  4. Go to Essential Threat Protection → Network Threat Protection.
  5. In the Network Threat Protection settings block, click the Exclusions and types of detected objects link.

    The list of exclusions opens.

  6. To export the list of exclusions:
    1. Select the exclusions that you want to export.
    2. Click Export.
    3. Confirm that you want to export only the selected exclusions, or export the entire list of exclusions.
    4. In the window that opens, specify the name of the XML file to which you want to export the list of exclusions, and select the folder in which you want to save this file.
    5. Save the file.

      Kaspersky Endpoint Security exports the entire list of exclusions to the XML file.

  7. To import the list of exclusions:
    1. Click Import.
    2. In the window that opens, select the XML file from which you want to import the list of exclusions.
    3. Open the file.

      If the computer already has a list of exclusions, Kaspersky Endpoint Security will prompt you to delete the existing list or add new entries to it from the XML file.

  8. Save your changes.

Configuring protection against network attacks by type

Kaspersky Endpoint Security lets you manage protection against the following types of network attacks:

  • Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization.
  • A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.
  • A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.

You can disable detection of these types of attacks if some of your allowed applications perform operations that are typical of these types of attacks. This helps avoid false alarms.

By default, Kaspersky Endpoint Security does not monitor Network Flooding, Port Scanning, and MAC spoofing attacks.

To configure protection against network attacks by type:

  1. In the main application window, click the Application settings button (gear wheel icon).
  2. In the application settings window, select Essential Threat Protection → Network Threat Protection.
  3. Use the toggle Treat port scanning and network flooding as attacks to enable or disable the detection of these attacks.

    If this functionality is enabled, Kaspersky Endpoint Security monitors network traffic for port scanning and network flooding. If such behavior is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the computer that is making the requests. This information is necessary for a timely response. However, Kaspersky Endpoint Security does not block the computer that is making the requests because such traffic may be a normal occurrence on the corporate network.

  4. Use the MAC Spoofing Protection toggle.
  5. In the On detecting a MAC spoofing attack block, select one of the following options:
    • Inform.
    • Block.
  6. Save your changes.