Web Addresses Scan
Kaspersky Security can scan web addresses that are requested over the HTTP protocol by a user or application installed on a protected virtual machine. When scanning web addresses, Kaspersky Security can use databases of malicious and phishing web addresses, and information about the reputation of web resources received from Global KSN.
By default, if Web Addresses Scan is enabled, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. Kaspersky Security can also scan web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data. You can specify which categories of web addresses must be detected by the application.
To detect advertising web addresses and web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data, Global KSN must be used by Kaspersky Security. If Global KSN is not being used, the application does not scan web addresses to check if they belong to these web address categories.
If you are using the application in multitenancy mode, Kaspersky Security scans web addresses that are requested from virtual machines but checks them only against the databases of malicious and phishing web addresses.
If this scan is enabled and Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, the application takes the action defined in the application settings, for example, blocks or allows access to the specific web address.
If Kaspersky Security blocks access to a web address that the user tries to access, the browser on the protected virtual machine displays a blocked web address notification.
You can create a list of web addresses to which Kaspersky Security will not block access regardless of the action specified in the application settings.
Kaspersky Security does not scan a web address that is requested from an IP address whose traffic is excluded from scans based on the network threat protection exclusion rules.
Enabling and disabling web address scanning
To enable or disable web address scanning:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
  - In the console tree, select the folder or administration group in which the policy was created.
  - In the workspace, select the Policies tab.
  - Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
- Do one of the following:
  - Select the Scan web addresses check box if you want Kaspersky Security to scan web addresses requested by a user or application to check if those web addresses belong to the web address categories selected for detection. By default, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. You can select the web address categories for detection in the window that opens by clicking the Settings button.
    When Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, it blocks access to this web address by default. You can change this action, and create a list of web addresses to which Kaspersky Security will not block access if it detects a threat.
  - Clear the Scan web addresses check box if you want to disable web address scanning.
- In the Properties: <Policy name> window, click OK.
Configuring web address scan settings
To configure web address scan settings:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
  - In the console tree, select the folder or administration group in which the policy was created.
  - In the workspace, select the Policies tab.
  - Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
- Select the Scan web addresses check box if Web Addresses Scan is disabled.
- Click the Settings button.
The Web addresses to detect window opens.
- Specify the categories of web addresses that you want Kaspersky Security to detect.
- In the Web Addresses to detect window, click OK.
- Select an action in the drop-down list.
If network protection is deployed in monitoring mode, Kaspersky Security performs the Ignore action when it detects a web address that belongs to one or more of the selected categories.
- In the Do not block access to the following web addresses table, click Add or press INSERT and type a web address in the column.
- In the Properties: <Policy name> window, click OK.
Configuring the blocked web address notification
After blocking a web address that the user tried to access, Kaspersky Security displays the blocked web address notification in the browser on the protected virtual machine. You can view a sample blocked web address notification and select the notification language.
To select the language of the blocked web address notification and view a sample notification:
- In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
  - In the console tree, select the folder or administration group in which the policy was created.
  - In the workspace, select the Policies tab.
  - Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
- In the policy properties window, in the Network threat protection section, select the Other subsection.
- Click the View example message link to open an example of the blocked web address notification that is displayed in the browser on the protected virtual machine.
A sample notification opens in the browser window.
- In the Localization settings section, in the Language of web address blocking message drop-down list, select the language of the blocked web address notification.
The language corresponding to the localization of the Kaspersky Security administration plug-in is selected by default.
- In the Properties: <Policy name> window, click OK.