Intrusion Prevention
When protecting virtual machines against intrusions, Kaspersky Security can perform the following actions:
- Detect network attacks on protected virtual machines.
If Network Attack Blocker is enabled, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in policy settings. For example, the application can terminate the connection from the virtual machine to the IP address from which the network attack originated or terminate the connection and block the traffic from this IP address to automatically protect the virtual machine against possible future network attacks from this IP address.
- Detect suspicious network activity in the traffic of protected virtual machines. Suspicious network activity in the traffic of a protected virtual machine may be a sign of an intrusion into the protected infrastructure. The virtual machine traffic analysis applies the suspicious network activity identification rules that are contained in Kaspersky Security application databases.
If Network Activity Scanner is enabled, when Kaspersky Security detects suspicious network activity it performs the action defined in policy settings. For example, the application can terminate the connection with the IP address showing the suspicious network activity or terminate the connection and block the traffic from this IP address.
If Kaspersky Security is configured to block traffic from an IP address from which a network attack or suspicious network activity originated, the blocking duration is 60 minutes by default. You can change the traffic blocking duration. When the specified time expires, traffic is automatically unblocked.
When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.
The list of network threat sources blocked by each SVM hosting the Network Threat Protection component is displayed in the properties of the application installed on this SVM. When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for them to be automatically unblocked.
You can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
When Kaspersky Security detects a network attack or suspicious network activity, it assigns the security tag IDS_IPS.threat=high to the virtual machine whose traffic displayed activity typical of network attacks or suspicious network activity.
Enabling and disabling the Network Attack Blocker feature
To enable or disable the Network Attack Blocker feature:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
- In the console tree, select the folder or administration group in which the policy was created.
- In the workspace, select the Policies tab.
- Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
- Do one of the following:
- Select the Detect network attacks check box if you want Kaspersky Security to scan the traffic of protected virtual machines for activity typical of network attacks.
If the check box is selected, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between the protected virtual machine and the IP address from which the network attack originated, and also blocks traffic from this IP address for 60 minutes. You can modify this action and the traffic blocking period. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions to prevent a network attack.
- Clear the Detect network attacks check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for activity that is typical of network attacks.
- In the Properties: <Policy name> window, click OK.
Configuring Network Attack Blocker settings
To configure the Network Attack Blocker settings:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
- In the console tree, select the folder or administration group in which the policy was created.
- In the workspace, select the Policies tab.
- Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
- Select the Detect network attacks check box if the network attack detection function is disabled.
- In the drop-down list, select the action that Kaspersky Security performs when it detects a network attack.
If network protection is deployed in monitoring mode, when Kaspersky Security detects a network attack it performs the Ignore action.
- If necessary, change the traffic blocking period (60 minutes by default).
- If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
- In the Properties: <Policy name> window, click OK.
Enabling and disabling Network Activity Scanner for virtual machines
The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.
To enable or disable Network Activity Scanner for virtual machines:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
- In the console tree, select the folder or administration group in which the policy was created.
- In the workspace, select the Policies tab.
- Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
- Do one of the following:
- Select the Monitor virtual machine network activity check box if you want Kaspersky Security to scan the traffic of protected virtual machines to detect suspicious network activity that may be a sign of an intrusion into the protected infrastructure.
If the check box is selected and Kaspersky Security detects suspicious network activity in the traffic of protected virtual machines, it takes the action defined in the application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines. You can modify this action. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions in relation to virtual machines displaying suspicious network activity.
- Clear the Monitor virtual machine network activity check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for suspicious network activity.
- In the Properties: <Policy name> window, click OK.
Configuring Network Activity Scanner for virtual machines
The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.
To configure the Network Activity Scanner settings for protected virtual machines:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
- In the console tree, select the folder or administration group in which the policy was created.
- In the workspace, select the Policies tab.
- Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
- Select the Monitor virtual machine network activity check box if Network Activity Scanner is disabled.
- Click the Settings button.
The Network activity scanner parameters window opens.
- Specify the application categories whose signs of network activity should be detected by Kaspersky Security.
Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.
- If Kaspersky Security detects network activity that you believe is not a sign of an intrusion into the protected infrastructure, you can configure a list of rules that Kaspersky Security will not apply to detect suspicious network activity in the traffic of protected virtual machines.
To add a network activity detection rule to the list, click the Add button located above the list, and in the new row of the list enter the rule ID in the following format:
<number>:<number>:<number>
You can find the ID of an applied rule in the text of the event that was sent to Kaspersky Security Center when the suspicious network activity was detected.
- In the Network activity scanner parameters window, click OK.
- In the drop-down list, select the action that Kaspersky Security performs when it detects suspicious network activity.
If network protection is deployed in monitoring mode, when Kaspersky Security detects suspicious network activity it performs the Ignore action.
- If necessary, change the value of the setting On threat detection, block traffic for N minutes.
- If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
- In the Properties: <Policy name> window, click OK.
Viewing the list of blocked network threat sources
In the properties of the application installed on an SVM with the Network Threat Protection component, you can view the list of network threat sources that were blocked by this SVM.
To view a list of blocked network threat sources on SVMs:
- In the Kaspersky Security Center Administration Console, open the SVM properties window:
- Select the administration group containing the KSC cluster that includes the relevant SVM.
- In the workspace, select the Devices tab.
- In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.
The Properties: <SVM name> window opens.
- In the SVM properties window in the list on the left, select the Applications section.
A list of applications that are installed on this SVM appears in the right part of the window.
- Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.
The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.
- In the application settings window, in the list on the left, select the List of blocked network threat sources section.
The right part of the window displays a table listing the network threat sources blocked by this SVM, that is, the IP addresses whose traffic Kaspersky Security blocked when it detected a network attack or suspicious network activity.
The table displays the following information for each network threat source:
- IP address. IP address whose traffic was blocked by Kaspersky Security when it detected a network attack or suspicious network activity.
- VLAN ID. ID of the VLAN associated with the blocked traffic.
- Blocked at. Date and time when Kaspersky Security blocked traffic from the IP address.
- Blocked until. Date and time when traffic from the IP address will be automatically unblocked.
In the list of blocked network threat sources, you can do the following:
- Search blocked network threat sources by the values of the IP address column. By default the table displays information only about the last 100 blocked network threat sources. If the table does not show a network threat source whose information you want to view, use the search: enter an IP address, the beginning of an IP address, or a subnet mask in the search field and click the Find button. The table then displays no more than 100 blocked network threat sources that match the search criteria.
- Sort the list by any column of the table. If the search query is not defined, the sorting is applied to the full list of blocked sources of network threats. If you performed a search, the sorting is applied to the list of the blocked sources of network threats that match the search criteria.
- Update the information by clicking the Refresh button.
When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for their automatic deletion.
To unblock traffic from an IP address that was recognized as a network threat source, select one or more network threat sources in the list and click the Unblock button located in the lower part of the window.
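As an added example (not Kaspersky's code), the following Python models the blocking behaviour described in the overview of this page and in the blocked-sources procedure above: a source is identified by IP address and VLAN ID, traffic is blocked for 60 minutes by default, entries expire automatically, selected entries can be unblocked early, and the table view supports search by IP address, IP prefix or subnet, sorting by any column, and a cap of 100 rows. The shape of an exclusion rule (a list of excluded networks that are never blocked) and the use of `None` as the VLAN ID of untagged traffic are assumptions; the page does not describe the exclusion rule format.

```python
# Added example, not part of Kaspersky Security: a VLAN-aware, time-limited
# block list reproducing the behaviour this page describes.
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

DEFAULT_BLOCK_MINUTES = 60   # page: traffic is blocked for 60 minutes by default
DEFAULT_TABLE_LIMIT = 100    # page: the table shows at most the last 100 sources


@dataclass(frozen=True)
class BlockedSource:
    """One row of the 'List of blocked network threat sources' table."""
    ip: IPAddress
    vlan_id: Optional[int]      # None = untagged traffic (assumption)
    blocked_at: datetime
    blocked_until: datetime


# Sort keys per table column; mixed IPv4/IPv6 and None VLAN IDs must not raise.
_SORT_KEYS: dict[str, Callable[[BlockedSource], object]] = {
    "ip": lambda r: (r.ip.version, int(r.ip)),
    "vlan_id": lambda r: -1 if r.vlan_id is None else r.vlan_id,
    "blocked_at": lambda r: r.blocked_at,
    "blocked_until": lambda r: r.blocked_until,
}


class BlockList:
    def __init__(self, block_minutes: int = DEFAULT_BLOCK_MINUTES,
                 excluded_networks: tuple[str, ...] = ()):
        self.block_minutes = block_minutes
        # Hypothetical exclusion rule: traffic from these networks is never blocked.
        self.excluded = [ipaddress.ip_network(n) for n in excluded_networks]
        self._rows: dict[tuple[IPAddress, Optional[int]], BlockedSource] = {}

    def on_detection(self, src_ip: str, vlan_id: Optional[int],
                     now: datetime) -> Optional[BlockedSource]:
        """A network attack or suspicious activity was attributed to src_ip in vlan_id."""
        ip = ipaddress.ip_address(src_ip)
        if any(ip in net for net in self.excluded):
            return None                      # exclusion rule applies: do not block
        # The source is keyed by (IP, VLAN): blocking in one VLAN leaves the same
        # address unblocked when seen in another VLAN.
        row = BlockedSource(ip, vlan_id, now,
                            now + timedelta(minutes=self.block_minutes))
        self._rows[(ip, vlan_id)] = row     # a repeat detection restarts the timer
        return row

    def expire(self, now: datetime) -> int:
        """Remove rows whose 'Blocked until' has passed; returns how many were removed."""
        stale = [k for k, r in self._rows.items() if r.blocked_until <= now]
        for k in stale:
            del self._rows[k]
        return len(stale)

    def is_blocked(self, src_ip: str, vlan_id: Optional[int], now: datetime) -> bool:
        self.expire(now)
        return (ipaddress.ip_address(src_ip), vlan_id) in self._rows

    def unblock(self, src_ip: str, vlan_id: Optional[int]) -> bool:
        """The Unblock button: remove a row before its timer expires."""
        return self._rows.pop((ipaddress.ip_address(src_ip), vlan_id), None) is not None

    def search(self, query: str = "", sort_by: str = "blocked_at",
               descending: bool = True,
               limit: int = DEFAULT_TABLE_LIMIT) -> list[BlockedSource]:
        """Table view: filter by full IP, IP prefix or CIDR subnet, sort, cap at limit."""
        rows = list(self._rows.values())
        if "/" in query:                     # subnet query, e.g. 192.0.2.0/24
            net = ipaddress.ip_network(query, strict=False)
            rows = [r for r in rows if r.ip in net]
        elif query:                          # full address or its beginning
            rows = [r for r in rows if str(r.ip).startswith(query)]
        rows.sort(key=_SORT_KEYS[sort_by], reverse=descending)
        return rows[:limit]                  # newest first by default, like the table


if __name__ == "__main__":
    # Constructed scenario: two detections in VLAN 100, one excluded by rule.
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    bl = BlockList(excluded_networks=("10.0.0.0/8",))
    print(bl.on_detection("10.1.2.3", 100, t0))           # None: excluded
    bl.on_detection("192.0.2.10", 100, t0)
    print(bl.is_blocked("192.0.2.10", 100, t0 + timedelta(minutes=30)))   # True
    print(bl.is_blocked("192.0.2.10", 200, t0 + timedelta(minutes=30)))   # False: other VLAN
    for row in bl.search("192.0.2.0/24"):
        print(row.ip, row.vlan_id, row.blocked_at, row.blocked_until)
```

The `(ip, vlan_id)` key is the point to take from this: an address blocked after an attack seen in VLAN 100 is still allowed to talk in VLAN 200, so when you read the blocked-sources table, treat the VLAN ID column as part of the identity of the entry, not as an annotation.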