Configuring Network Activity Scanner for virtual machines
December 13, 2023
The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.
To configure the Network Activity Scanner settings for protected virtual machines:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
  - In the console tree, select the folder or administration group in which the policy was created.
  - In the workspace, select the Policies tab.
  - Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
- If the virtual machine network activity scanner is disabled, select the Monitor virtual machine network activity check box.
- Click the Settings button.
The Network activity scanner parameters window opens.
- Specify the categories of applications whose signs of network activity Kaspersky Security should detect:
Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.
- If Kaspersky Security detects network activity that, in your opinion, is not a sign of an intrusion into the protected infrastructure, you can add the rule that detected this activity to the list of exclusions. The listed rules will not be applied by Kaspersky Security to detect suspicious network activity in the traffic of protected virtual machines.
You can view information about an applied rule in the text of the event that was sent to Kaspersky Security Center when Kaspersky Security detected the suspicious network activity.
To add a rule to the list, click the Add button located above the list, and in the newly added line, enter the rule ID in the following format:
- In the Network activity scanner parameters window, click OK.
- If network protection is operating in standard mode, select an action in the Action on detection of suspicious activity drop-down list.
If network protection is operating in monitoring mode, Kaspersky Security performs the Ignore action when it detects suspicious network activity.
- If necessary, change the value of the setting On threat detection, block traffic for N minutes.
- If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
- In the Properties: <Policy name> window, click OK.