Intrusion Prevention

December 13, 2023

ID 60068

When protecting virtual machines against intrusions, Kaspersky Security can perform the following actions:

  • Detect network attacks on protected virtual machines.

    If Network Attack Blocker is enabled, when Kaspersky Security detects an attempted network attack on a protected virtual machine, it performs the action defined in the policy settings. For example, the application can terminate the connection between the virtual machine and the IP address from which the network attack originated, or terminate the connection and also block traffic from that IP address, so that the virtual machine is automatically protected against possible future network attacks from the same address.

  • Detect suspicious network activity in the traffic of protected virtual machines. Suspicious network activity in the traffic of a protected virtual machine may be a sign of an intrusion into the protected infrastructure. The virtual machine traffic analysis applies the suspicious network activity identification rules that are contained in Kaspersky Security application databases.

    If Network Activity Scanner is enabled, when Kaspersky Security detects suspicious network activity, it performs the action defined in the policy settings. For example, the application can terminate the connection with the IP address showing the suspicious network activity, or terminate the connection and also block traffic from that IP address.

If Kaspersky Security is configured to block traffic from an IP address from which a network attack or suspicious network activity originated, the blocking duration is 60 minutes by default. You can change the traffic blocking duration. When the specified time expires, traffic is automatically unblocked.

When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

The list of network threat sources blocked by each SVM hosting the Network Threat Detection component is displayed in the properties of the application installed on this SVM. When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for them to be automatically unblocked.

You can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
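As an added illustration, not code from the product, the following Python model captures the blocking behaviour described above: entries are keyed by VLAN and IP address, so a block applies only in the VLAN where the detection occurred; entries expire automatically after the configured duration (60 minutes by default) or can be removed manually; and excluded IP addresses are never blocked. The class, its method names and the IP-based exclusion handling are assumptions for this model.

```python
# Model of the per-SVM list of blocked network threat sources (illustration
# only, not Kaspersky's implementation). Times are plain epoch seconds.
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_BLOCK_SECONDS = 60 * 60  # 60-minute default blocking duration


class ThreatSourceBlockList:
    def __init__(self, block_seconds: int = DEFAULT_BLOCK_SECONDS,
                 excluded_ips: Optional[Set[str]] = None) -> None:
        self.block_seconds = block_seconds
        # Assumed exclusion rule: traffic from these IPs is never blocked.
        self.excluded_ips = set(excluded_ips or ())
        # (VLAN ID, source IP) -> epoch time at which the block expires
        self._blocked: Dict[Tuple[int, str], float] = {}

    def on_detection(self, vlan: int, src_ip: str, now: float) -> bool:
        """Handle a network attack or suspicious activity from src_ip in vlan.
        Returns True if the source was (re)blocked, False if it is excluded."""
        if src_ip in self.excluded_ips:
            return False
        # A repeat detection restarts the timer for this VLAN/IP pair only.
        self._blocked[(vlan, src_ip)] = now + self.block_seconds
        return True

    def is_blocked(self, vlan: int, src_ip: str, now: float) -> bool:
        """Should traffic from src_ip seen in vlan be dropped at time now?"""
        self._expire(now)
        return (vlan, src_ip) in self._blocked

    def unblock(self, vlan: int, src_ip: str) -> bool:
        """Manual unblock before the timer expires; True if an entry existed."""
        return self._blocked.pop((vlan, src_ip), None) is not None

    def blocked_sources(self, now: float) -> List[Tuple[int, str]]:
        """The list an administrator would see in the SVM application properties."""
        self._expire(now)
        return sorted(self._blocked)

    def _expire(self, now: float) -> None:
        # Automatic unblocking: drop entries whose block time has elapsed.
        for key in [k for k, exp in self._blocked.items() if exp <= now]:
            del self._blocked[key]
```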

In the infrastructure managed by VMware NSX-V Manager, when Kaspersky Security detects a network attack or suspicious network activity, it assigns the security tag IDS_IPS.threat=high to the virtual machine whose traffic displayed activity typical of network attacks or suspicious network activity.

In this section:

Enabling and disabling the Network Attack Blocker feature

Configuring Network Attack Blocker settings

Enabling and disabling Network Activity Scanner for virtual machines

Configuring Network Activity Scanner for virtual machines

Viewing the list of blocked network threat sources
