Kaspersky Endpoint Security 12 for Linux

Web Threat Protection

July 22, 2024

ID 264132

The Web Threat Protection component allows you to scan inbound traffic transmitted over HTTP, HTTPS, and FTP, check websites and IP addresses, prevent malicious files from being downloaded from the Internet, and block access to phishing, adware, and other malicious websites.

This feature is not supported in the KESL container.

Current connections for intercepted TCP ports are reset when Network Threat Protection is enabled.

By default, the Web Threat Protection task is disabled. However, it is enabled automatically if local management of Web Threat Protection settings has been allowed on the device (a policy is not applied or the "lock" is not set in the policy properties) and one of the following executable browser files, including in snap format, has been detected on the system:

  • chrome
  • chromium
  • chromium-browser
  • firefox
  • firefox-esr
  • google-chrome
  • opera
  • yandex-browser

You can enable or disable Web Threat Protection, and also configure the protection settings:

  • Select the action that the application performs on a web resource where a dangerous object is detected.
  • Configure a list of trusted web addresses. The application will not scan the contents of websites whose web addresses are included in this list.
  • Select the objects that the application will detect when scanning inbound traffic.
  • Configure the encrypted connections scan to scan HTTPS traffic.

    To scan FTP traffic, control of all network ports must be configured in the settings for the encrypted connections scan.

When a website is opened, the application performs the following actions:

  1. Checks the website security using the downloaded application databases.
  2. Checks the website security using heuristic analysis, if enabled.
  3. Checks the trustworthiness of a website using Kaspersky reputation databases if the use of Kaspersky Security Network is enabled.

    You are advised to enable the use of Kaspersky Security Network to help Web Threat Protection work more effectively.

  4. Blocks or allows opening of the website.

When an attempt is made to open a dangerous website, the application does the following:

  • For HTTP or FTP traffic, the application blocks access and shows a warning message.
  • For HTTPS traffic, the browser displays an error page.

Removing application certificates may cause the Web Threat Protection component to work incorrectly.

Kaspersky Endpoint Security adds a special chain of allow rules (kesl_bypass) to the mangle table of the iptables and ip6tables utilities. This chain makes it possible to exclude traffic from scans by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Web Threat Protection component: traffic that matches such a rule is not scanned.
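Because rules in kesl_bypass remove traffic from scanning, the chain is worth reviewing periodically. The following script is an added example, not part of the original Help page or the product: it extracts the rules in kesl_bypass from iptables-save output and lists those with no source or destination match. The function names, the sample ruleset, and the "no source or destination" heuristic are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: audit the kesl_bypass chain in the mangle table.

# Constructed iptables-save output. Addresses, ports and the ACCEPT target
# are sample values chosen for this example, not rules shipped by the product.
sample_ruleset() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*mangle
:OUTPUT ACCEPT [0:0]
:kesl_bypass - [0:0]
-A OUTPUT -j kesl_bypass
-A kesl_bypass -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A kesl_bypass -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save or ip6tables-save text on stdin and print each rule that
# belongs to kesl_bypass in the mangle table. Rules that only jump to the
# chain, and rules in other tables, are ignored.
kesl_bypass_rules() {
  awk '
    /^\*/     { table = substr($0, 2); next }  # "*mangle" opens a table section
    /^COMMIT/ { table = ""; next }             # "COMMIT" closes it
    table == "mangle" && $1 == "-A" && $2 == "kesl_bypass"
  '
}

# Heuristic (an assumption of this example): a rule with no -s/-d match
# exempts traffic for every peer, so print those for review first.
unscoped_bypass_rules() {
  kesl_bypass_rules | grep -Ev -e ' (-s|-d|--source|--destination) ' || true
}

# Demo on the constructed sample. On a live host, run as root:
#   iptables-save  -t mangle | kesl_bypass_rules
#   ip6tables-save -t mangle | kesl_bypass_rules
echo "Rules in kesl_bypass:"
sample_ruleset | kesl_bypass_rules
echo "Rules without a source or destination match:"
sample_ruleset | unscoped_bypass_rules
```

An empty result from kesl_bypass_rules means no traffic exclusions are configured in the chain.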

In this Help section

Configuring Web Threat Protection in the Web Console

Configuring Web Threat Protection in the Administration Console

Configuring Web Threat Protection in the command line
