Configuring Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To configure the Network Activity Scanner settings for protected virtual machines:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
3. Select the Monitor virtual machine network activity check box if virtual machine network activity scanner is disabled.
4. Click the Settings button.

   The Network activity scanner parameters window opens.

5. Specify the application categories whose signs of network activity should be detected by Kaspersky Security:
   • Adware

     Enables / disables detection of network activity that is typical of adware.

     Adware is designed to show advertising information to the user, redirect search queries to advertising websites, and send marketing information about the user to the adware developer. Unlike Trojan-Spy–type programs, adware transmits this information with the user's permission.

     If the check box is selected, Kaspersky Security detects activity that is typical of adware in the traffic of protected virtual machines.

     If the check box is cleared, detection of activity typical of adware is disabled.

     This check box is cleared by default.

   • Other programs

     Enables / disables detection of network activity that is typical of legitimate software that can be exploited by criminals to harm a virtual machine or user data.

     These applications include file downloaders, remote administration programs, user activity monitoring programs, and password management applications. These programs are normally used for legal purposes. However, if criminals obtain access to such programs, they could use some of the program features to harm a virtual machine or user data.

     If the check box is selected, in the traffic of protected virtual machines Kaspersky Security detects activity that is typical of legitimate software that could be exploited by criminals to harm a virtual machine or user data.

     If the check box is cleared, the detection of activity that is typical of such programs is disabled.

     This check box is cleared by default.

   Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.

6. If Kaspersky Security detects network activity that, in your opinion, is not a sign of an intrusion into the protected infrastructure, you can add the rule that detected this activity to the list of exclusions. The listed rules will not be applied by Kaspersky Security to detect suspicious network activity in the traffic of protected virtual machines.

   You can view information about an applied rule in the text of the event that was sent to Kaspersky Security Center when it detected the suspicious network activity.

   To add a rule to the list, click the Add button located above the list, and in the newly added line, enter the rule ID in the following format: <number>:<number>:<number>.

7. In the Network activity scanner parameters window, click OK.
8. Select an action in the drop-down list Action on detection of suspicious activity, if network protection is operating in standard mode.

   This drop-down list contains the actions that Kaspersky Security can perform when it detects suspicious network activity in the traffic of protected virtual machines, if network protection is enabled in standard mode. You can select one of the following options:

   • Ignore. Kaspersky Security does not perform any actions on virtual machines that display suspicious network activity.
   • Terminate connection. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines.

     This action is selected by default.

   • Terminate connection and block traffic from sender's IP address. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines, and blocks the traffic from the IP address from which the suspicious network activity originated. Traffic is blocked in the specific VLAN in which a network attack or suspicious network activity was detected. The duration for blocking traffic is configured in the On threat detection, block traffic for N minutes field.

   Information about suspicious network activity detection and the actions taken is sent to Kaspersky Security Center.

   You can select an action if the Monitor virtual machine network activity check box is selected.

   If network protection works in the monitoring mode, when Kaspersky Security detects suspicious network activity it performs the Ignore action.

9. If necessary, change the value of the setting On threat detection, block traffic for N minutes.

   The duration for blocking the traffic from IP address from which the network attack or suspicious network activity originated. When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

   The default blocking duration is 60 minutes.

10. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
11. In the Properties: <Policy name> window, click OK.