Network Threat Protection

In this section, SVM refers to an SVM with the Network Threat Protection component installed.

An SVM with the File Threat Protection component installed protects virtual machines on the VMware ESXi hypervisor. The settings that SVMs apply for virtual machine network threat protection are defined by using policies. Kaspersky Security starts protecting virtual machines only after you have configured network threat protection settings in the active policy.

Kaspersky Security protects only virtual machines that meet all the conditions for virtual machine protection against network threats.

The Network Threat Protection component of Kaspersky Security performs the following functions:

• Intrusion Prevention. Kaspersky Security can scan the traffic of protected virtual machines to detect and block activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

  Kaspersky Security can scan traffic from IP addresses in IPv4 and IPv6 format.

• Web Addresses Scan. Kaspersky Security lets you scan web addresses that are requested by a user or application, and block access to web addresses if a threat is detected.

The Network Threat Protection component settings depend on the traffic processing mode selected during registration of the network protection service:

• If you selected Standard mode, when Kaspersky Security detects signs of intrusions or attempts to access dangerous or undesirable web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.
• If you selected Monitoring mode and signs of intrusions or attempts to access dangerous or undesirable web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

You can select the traffic processing mode only when registering the network protection service (Kaspersky Network Protection).

You can configure exclusions from Network Threat Protection as follows:

• Exclude from scanning inbound or outbound traffic of all virtual machines that have been assigned an NSX Security Policy. You can specify which traffic should be scanned in the NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured. An NSX Security Policy configuration is performed in the VMware vSphere Web Client console.
• Create network threat protection exclusion rules that Kaspersky Security can use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

Information about events that occur during protection of virtual machines against network threats is transmitted to the Kaspersky Security Center Administration Server and logged in a report.

Descriptions of currently known types of network attacks, signs of intrusions, and the databases of malicious and phishing web addresses are included in the application databases and are updated during application database updates.

Conditions for protection of virtual machines against network threats

One SVM with the Network Threat Protection component deployed on a VMware ESXi hypervisor protects all the virtual machines on that hypervisor that meet the following conditions:

• The virtual machine is part of an NSX Security Group configured in the VMware vSphere Web Client console.
• This group is assigned an NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured and redirection of traffic to the network protection service is enabled (Redirect to service setting).

The Network Threat Protection component can scan outbound and/or inbound traffic of virtual machines. You can specify which traffic should be scanned in the NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured. An NSX Security Policy configuration is performed in the VMware vSphere Web Client console.

Intrusion Prevention

When protecting virtual machines against intrusions, Kaspersky Security can perform the following actions:

• Detect network attacks on protected virtual machines.

  If Network Attack Blocker is enabled, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in policy settings. For example, the application can terminate the connection from the virtual machine to the IP address from which the network attack originated or terminate the connection and block the traffic from this IP address to automatically protect the virtual machine against possible future network attacks from this IP address.

• Detect suspicious network activity in the traffic of protected virtual machines. Suspicious network activity in the traffic of a protected virtual machine may be a sign of an intrusion into the protected infrastructure. The virtual machine traffic analysis applies the suspicious network activity identification rules that are contained in Kaspersky Security application databases.

  If Network Activity Scanner is enabled, when Kaspersky Security detects suspicious network activity it performs the action defined in policy settings. For example, the application can terminate the connection with the IP address showing the suspicious network activity or terminate the connection and block the traffic from this IP address.

If Kaspersky Security is configured to block traffic from an IP address from which a network attack or suspicious network activity originated, the blocking duration is 60 minutes by default. You can change the traffic blocking duration. When the specified time expires, traffic is automatically unblocked.

When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

The list of network threat sources blocked by each SVM hosting the Network Threat Detection component is displayed in the properties of the application installed on this SVM. When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for them to be automatically unblocked.

You can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

When Kaspersky Security detects a network attack or suspicious network activity, it assigns the security tag IDS_IPS.threat=high to the virtual machine whose traffic displayed activity typical of network attacks or suspicious network activity.

Enabling and disabling the Network Attack Blocker feature

To enable or disable the Network Attack Blocker feature:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
3. Do one of the following:
   • Select the Detect network attacks check box if you want Kaspersky Security to scan the traffic of protected virtual machines for activity typical of network attacks.

     If the check box is selected, when Kaspersky Security detects an attempted network attack on a protected virtual machine it performs the action defined in application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between the protected virtual machine and the IP address from which the network attack originated, and also blocks traffic from this IP address for 60 minutes. You can modify this action and the traffic blocking period. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions to prevent a network attack.

   • Clear the Detect network attacks check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for activity that is typical of network attacks.
4. In the Properties: <Policy name> window, click OK.

Configuring Network Attack Blocker settings

To configure the Network Attack Blocker settings:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
3. Select the Detect network attacks check box if the network attack detection function is disabled.
4. Select an action in the drop-down list
   Action upon detecting network attack, if the network protection is deployed in standard mode

   

   This drop-down list contains the actions that Kaspersky Security can perform when it detects a network attack on a protected virtual machine, if network protection is deployed in standard mode. You can select one of the following options:

   • Ignore. Kaspersky Security does not perform any actions to prevent the network attack.
   • Terminate connection. Kaspersky Security terminates the connection between the protected virtual machine and the IP address from which the network attack originated.
   • Terminate connection and block traffic from sender's IP address. Kaspersky Security terminates the connection between the protected virtual machine and the IP address from which the network attack originated, and also blocks traffic from this IP address. Traffic is blocked in the specific VLAN in which the attempted network attack was detected. The duration for blocking traffic is configured in the On threat detection, block traffic for N minutes field.

     This action is selected by default.

   Information about detected network attacks and the actions taken is sent to Kaspersky Security Center.

   You can select an action if the Detect network attacks check box is selected.

   .

   If network protection is deployed in monitoring mode, when Kaspersky Security detects a network attack it performs the Ignore action.

5. If necessary, change the value of the setting
   On threat detection, block traffic for N minutes

   

   The duration for blocking the traffic from IP address from which the network attack or suspicious network activity originated. When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

   The default blocking duration is 60 minutes.

   

   The duration for blocking the traffic from IP address from which the network attack or suspicious network activity originated. When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

   The default blocking duration is 60 minutes.

   .
6. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
7. In the Properties: <Policy name> window, click OK.

Enabling and disabling Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To enable or disable Network Activity Scanner for virtual machines:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
3. Do one of the following:
   • Select the Monitor virtual machine network activity check box if you want Kaspersky Security to scan the traffic of protected virtual machines to detect suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

     If the check box is selected and Kaspersky Security detects suspicious network activity in the traffic of protected virtual machines, it takes the action defined in the application settings. If network protection is deployed in standard mode, by default Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines. You can modify this action. If network protection is deployed in monitoring mode, Kaspersky Security does not perform any actions in relation to virtual machines displaying suspicious network activity.

   • Clear the Monitor virtual machine network activity check box if you do not want Kaspersky Security to scan the traffic of protected virtual machines for suspicious network activity.
4. In the Properties: <Policy name> window, click OK.

Configuring Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To configure the Network Activity Scanner settings for protected virtual machines:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Intrusion Prevention subsection.
3. Select the Monitor virtual machine network activity check box if virtual machine network activity scanner is disabled.
4. Click the Settings button.

   The Network activity scanner parameters window opens.

5. Specify the application categories whose signs of network activity should be detected by Kaspersky Security:
   • Adware

     

     Enables / disables detection of network activity that is typical of adware.

     Adware is designed to show advertising information to the user, redirect search queries to advertising websites, and send marketing information about the user to the adware developer. Unlike Trojan-Spy–type programs, adware transmits this information with the user's permission.

     If the check box is selected, Kaspersky Security detects activity that is typical of adware in the traffic of protected virtual machines.

     If the check box is cleared, detection of activity typical of adware is disabled.

     This check box is cleared by default.

   • Other programs

     

     Enables / disables detection of network activity that is typical of legitimate software that can be exploited by criminals to harm a virtual machine or user data.

     These applications include file downloaders, remote administration programs, user activity monitoring programs, and password management applications. These programs are normally used for legal purposes. However, if criminals obtain access to such programs, they could use some of the program features to harm a virtual machine or user data.

     If the check box is selected, in the traffic of protected virtual machines Kaspersky Security detects activity that is typical of legitimate software that could be exploited by criminals to harm a virtual machine or user data.

     If the check box is cleared, the detection of activity that is typical of such programs is disabled.

     This check box is cleared by default.

   Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.

6. If Kaspersky Security detects network activity that you believe is not a sign of an intrusion into the protected infrastructure, you can configure a list of rules that Kaspersky Security will not apply to detect suspicious network activity in the traffic of protected virtual machines.

   To add a network activity detection rule to the list, click the Add button located above the list, and in the string of the list enter the rule ID in the following format: <number>:<number>:<number>.

   You can view information about an applied rule in the text of the event that was sent to Kaspersky Security Center when it detected the suspicious network activity.

7. In the Network activity scanner parameters window, click OK.
8. Select an action in the drop-down list
   Action upon detecting suspicious activity, if the network protection is deployed in standard mode

   

   This drop-down list contains the actions that Kaspersky Security can perform when it detects suspicious network activity in the traffic of protected virtual machines, if network protection is deployed in standard mode. You can select one of the following options:

   • Ignore. Kaspersky Security does not perform any actions on virtual machines that display suspicious network activity.
   • Terminate connection. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines.

     This action is selected by default.

   • Terminate connection and block traffic from sender's IP address. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines, and blocks the traffic from the IP address from which the suspicious network activity originated. Traffic is blocked in the specific VLAN in which a network attack or suspicious network activity was detected. The duration for blocking traffic is configured in the On threat detection, block traffic for N minutes field.

   Information about suspicious network activity detection and the actions taken is sent to Kaspersky Security Center.

   You can select an action if the Monitor virtual machine network activity check box is selected.

   .

   If network protection is deployed in monitoring mode, when Kaspersky Security detects suspicious network activity it performs the Ignore action.

9. If necessary, change the value of the setting On threat detection, block traffic for N minutes.
10. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
11. In the Properties: <Policy name> window, click OK.

Viewing the list of blocked network threat sources

In the properties of the application installed on SVMs with the Network Threat Protection component, you can view the list of network threat sources that were blocked as a result of this SVM.

To view a list of blocked network threat sources on SVMs:

1. In the Kaspersky Security Center Administration Console, open the SVM properties window:
   1. Select the administration group containing the KSC cluster that includes the relevant SVM.
   2. In the workspace, select the Devices tab.
   3. In the list, select the SVM and open the SVM properties window by double-clicking or by selecting Properties in the context menu.

   The Properties: <SVM name> window opens.

2. In the SVM properties window in the list on the left, select the Applications section.

   A list of applications that are installed on this SVM appears in the right part of the window.

3. Select Kaspersky Security for Virtualization 6.0 Agentless and open the application settings window by double-clicking or by selecting Properties in the context menu.

   The Kaspersky Security for Virtualization 6.0 Agentless settings window opens.

4. In the application settings window, in the list on the left, select the List of blocked network threat sources section.

The right part of the window displays a table containing a list of sources of network threats that were blocked as a result of this SVM, which is essentially a list of IP addresses whose traffic was blocked by Kaspersky Security when it detected a network attack or suspicious network activity.

The table displays the following information for each network threat source:

• IP address. IP address whose traffic was blocked by Kaspersky Security when it detected a network attack or suspicious network activity.
• VLAN ID. ID of the VLAN associated with the blocked traffic.
• Blocked at. Date and time when Kaspersky Security blocked traffic from the IP address.
• Blocked until. Date and time when traffic from the IP address will be automatically unblocked.

In the list of blocked network threat sources, you can do the following:

• Search blocked network threat sources based on values of the IP address column. By default the table displays information only about the last 100 blocked sources of network threats. If the table is not showing a network threat source whose information you want to view, you can use the search. To do so, you need to enter the IP address, beginning of the IP address, or subnet mask into the search string and click the Find button. As a result, the table displays no more than 100 blocked sources of network threats that match the search criteria.
• Sort the list by any column of the table. If the search query is not defined, the sorting is applied to the full list of blocked sources of network threats. If you performed a search, the sorting is applied to the list of the blocked sources of network threats that match the search criteria.
• Update the information by clicking the Refresh button.

When the block time defined in the application settings expires, the network threat source is automatically deleted from the list. If necessary, you can unblock traffic from selected IP addresses without waiting for their automatic deletion.

To unlock traffic from an IP address that was recognized as a network threat source,

Select one or multiple network threat sources in the list and click the Unblock button located in the lower part of the window.

Web Addresses Scan

Kaspersky Security can scan web addresses that are requested over the HTTP protocol by a user or application installed on a protected virtual machine. When scanning web addresses, Kaspersky Security can use databases of malicious and phishing web addresses, and information about the reputation of web resources received from Global KSN.

By default, if Web Addresses Scan is enabled, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. Kaspersky Security can also scan web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data. You can specify which categories of web addresses must be detected by the application.

To detect advertising web addresses and web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data, Global KSN must be used by Kaspersky Security. If Global KSN is not being used, the application does not scan web addresses to check if they belong to these web address categories.

If you are using the application in multitenancy mode, Kaspersky Security scans web addresses that are requested from virtual machines but checks them only against the databases of malicious and phishing web addresses.

If this scan is enabled and Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, the application takes the action defined in the application settings, for example, blocks or allows access to the specific web address.

If Kaspersky Security blocks access to a web address that the user tries to access, the browser on the protected virtual machine displays a blocked web address notification.

You can create a list of web addresses to which Kaspersky Security will not block access regardless of the action specified in the application settings.

Kaspersky Security does not scan a web address that is requested from an IP address whose traffic is excluded from scans based on the network threat protection exclusion rules.

Enabling and disabling web address scanning

To enable or disable web address scanning:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
3. Do one of the following:
   • Select the Scan web addresses check box if you want Kaspersky Security to scan web addresses requested by a user or application to check if those web addresses belong to the web address categories selected for detection. By default, Kaspersky Security scans web addresses to check if they are malicious, phishing, or advertising web addresses. You can select the web address categories for detection in the window that opens by clicking the Settings button.

     When Kaspersky Security detects a web address that belongs to one or more of the selected web address categories, it blocks access to this web address by default. You can change this action, and create a list of web addresses to which Kaspersky Security will not block access if it detects a threat.

   • Clear the Scan web addresses check box if you want to disable web addresses scans.
4. In the Properties: <Policy name> window, click OK.

Configuring web address scan settings

To configure web address scan settings:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Web Addresses Scan subsection.
3. Select the Scan web addresses check box if Web Addresses Scan is disabled.
4. Click the Settings button.

   The Web addresses to detect window opens.

5. Specify the categories of web addresses that you want Kaspersky Security to detect.
   • Malicious

     

     Enable / disable checking web addresses against the database of malicious web addresses.

     If this check box is selected, Kaspersky Security scans web addresses requested by a user or application to check if those web addresses are categorized as malicious web addresses.

     If the check box is cleared, the application does not check if web addresses belong to this category.

     This check box is set by default.

   • Phishing

     

     Enables or disables checking web addresses against the database of phishing web addresses.

     If this check box is selected, Kaspersky Security scans web addresses requested by a user or application to check if those web addresses are categorized as phishing web addresses.

     If the check box is cleared, the application does not check if web addresses belong to this category.

     This check box is set by default.

   • Adware

     

     Enables / disables scanning of web addresses to check if they belong to the category of web addresses that are used for showing advertisements or are associated with the distribution of adware.

     Adware is designed to show advertising information to the user, redirect search queries to advertising websites, and send marketing information about the user to the adware developer. Unlike Trojan-Spy–type programs, adware transmits this information with the user's permission.

     To detect advertising web addresses, Global KSN must be used by Kaspersky Security.

     If the check box is selected and Global KSN is being used, Kaspersky Security scans web addresses requested by a user or application to check if those web addresses are categorized as advertising web addresses.

     If the check box is cleared, Kaspersky Security does not check if web addresses belong to this category.

     This check box is set by default.

   • Other

     

     Enables / disables scanning of web addresses to check if they belong to the category of web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data.

     These applications include file downloaders, remote administration programs, user activity monitoring programs, and password management applications. These programs are normally used for legal purposes. However, if criminals obtain access to such programs, they could use some of the program features to harm a virtual machine or user data.

     To detect web addresses associated with the distribution of legitimate applications that could be exploited to harm a virtual machine or user data, Global KSN must be used by Kaspersky Security.

     If the check box is selected and Global KSN is being used, Kaspersky Security scans web addresses requested by a user or application to check if those web addresses belong to this category.

     If the check box is cleared, Kaspersky Security does not check if web addresses belong to this category.

     This check box is cleared by default.

6. In the Web Addresses to detect window, click OK.
7. Select an action in the drop-down list
   Action on threat detection, if network protection is deployed in standard mode

   

   This drop-down list contains the actions that Kaspersky Security can perform if it detects a web address that belongs to one or more of the web address categories selected for detection, and network protection is deployed in standard mode. You can select one of the following options:

   • Ignore. Kaspersky Security allows access to the web address. In such a case, Kaspersky Security Center generates an event with information stating that access to web address has been provided.
   • Block. Kaspersky Security blocks access to the web address.

     This action is selected by default.

   You can select an action if the Scan web addresses check box is selected.

   .

   If network protection is deployed in monitoring mode, Kaspersky Security performs the Ignore action when it detects a web address that belongs to one or more of the selected categories.

8. In the Do not block access to the following web addresses table, click Add or press INSERT and type a web address in the
   Web address

   

   Web address that Kaspersky Security does not block, regardless of the configured web address scan settings.

   Please take the following considerations into account when specifying web addresses:

   • You can specify web addresses with the network protocol identifier (for example, http://example.org/index.html) or without the protocol identifier (for example, example.org/index.html).
   • Masks are not supported when entering web addresses.
   • You can specify the address of a specific web page or the address of a website. If you specified a website address, all web pages of this website are also excluded from blocking. For example, if the web address http://www.example.org is specified, the web addresses http://example.org/index.html and http://example.org/test/index.html are also excluded.
   • Web addresses with the prefix www and without the prefix www are considered to be different web addresses. For example, if the web address example.org is specified, only the web addresses example.org and http://example.org are excluded from blocking. However, the application may block the web addresses www.example.org and http://www.example.org.
   column.
9. In the Properties: <Policy name> window, click OK.

Configuring the blocked web address notification

After blocking a web address that the user tried to access, Kaspersky Security displays the blocked web address notification in the browser on the protected virtual machine. You can view a sample blocked web address notification and select the notification language.

To select the language of the blocked web address notification and view a sample notification:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Other subsection.
3. Click the View example message link to open an example of the blocked web address notification that is displayed in the browser on the protected virtual machine.

   A sample notification opens in the browser window.

4. In the Localization settings section, in the Language of web address blocking message drop-down list, select the language of the blocked web address notification.

   The language corresponding to the localization of the Kaspersky Security administration plug-in is selected by default.

5. In the Properties: <Policy name> window, click OK.

Configuring exclusions from Network Threat Protection

In a policy, you can configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic. You can define exclusion rules for traffic from specific IP addresses or for traffic from all IP addresses in an IP subnet. When generating the scope of rules, the application takes into account whether or not the traffic is from a virtual LAN (VLAN).

If a group of virtual switch ports is running in Virtual Switch Tagging (VST) mode and exclusion rules are applied to traffic of virtual machines associated with this group of ports, the application does not take into account whether or not the traffic belongs to a virtual local area network (VLAN).

To configure a network threat protection exclusion rule:

1. In the Kaspersky Security Center Administration Console, open the properties of the policy whose scope includes the relevant virtual machines:
   1. In the console tree, select the folder or administration group in which the policy was created.
   2. In the workspace, select the Policies tab.
   3. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
2. In the policy properties window, in the Network threat protection section, select the Exclusions from protection subsection.
3. Click Add or press INSERT and specify the scope of the exclusion rule in the
   Scope

   

   The scope of a network threat protection exclusion rule describes the traffic that Kaspersky Security excludes from scanning or the special actions that Kaspersky Security applies when processing such traffic.

   The column can contain one of the following values:

   • <traffic source> novlan. The exclusion rule is applied to traffic from the specified source not marked with a tag of a specific VLAN.
   • <traffic source> vlan <ID>. The exclusion rule is applied to traffic from the specified source marked with a tag of the VLAN with the specified ID.
   • <traffic source> vlan 4095. The exclusion rule is applied to traffic from the specified source marked with a tag of a VLAN with any ID in the range of 1–4095.
   • <traffic source> vlan *. The exclusion rule is applied to traffic from the specified source regardless of whether there is a VLAN tag.

   where:

   <traffic source> is the IP address of the network device or subnet in IPv4 or IPv6 format, for example: 192.168.0.1, 192.168.0.0/16, fd00::1, fd00::/64

   <ID> is the VLAN ID, which may take a value in the range of 1–4094.

   column.
4. Select an exclusion rule in the
   Rule

   

   This drop-down list lets you select a rule that Kaspersky Security will apply when processing traffic from IP addresses that are included in the exclusion rule scope:

   • Default. When processing traffic from IP addresses that are included in the rule scope, Kaspersky Security applies the action configured in the Intrusion Prevention settings and/or in the web addresses scan settings. This option lets you flexibly configure exclusions for IP subnets. For example, you can define an exclusion rule for traffic of an IP subnet as a whole, while not applying the rule for traffic from specific IP addresses from this IP subnet.
   • Do not scan. Kaspersky Security does not scan traffic from IP addresses that are included in the rule scope. Kaspersky Security does not detect network attacks and suspicious network activity in the traffic of these IP addresses. Kaspersky Security does not scan web addresses requested from these IP addresses.
   • Do not block. Kaspersky Security does not block traffic from IP addresses that are included in the rule scope. If activity typical of network attacks and/or suspicious network activity is detected in the traffic of these IP addresses, Kaspersky Security does not block traffic from these IP addresses, regardless of the configured actions on threat detection. This exclusion rule may be applied if the Terminate connection and block traffic from sender's IP address action is defined in the Intrusion Prevention settings.

     If traffic of IP addresses included in the rule scope had been previously blocked, Kaspersky Security unblocks it after it is excluded from blocking.

   • Ignore. Kaspersky Security detects network attacks and/or suspicious network activity in traffic from IP addresses that are included in the rule scope, but does not take any action on traffic from these IP addresses. Kaspersky Security does not block access to dangerous and unrecommended web addresses requested from these IP addresses, regardless of the configured web address scan settings. This exclusion rule may be applied if the Terminate connection or Terminate connection and block traffic from sender's IP address action is defined in the Intrusion Prevention settings.
   column.
5. If necessary, use the arrows above the list to change the position of the created exclusion rule in the list. The rule priority is determined by its position in the list. If you set multiple rules for the same scope, the rule positioned higher in the list is applied first.
6. In the Properties: <Policy name> window, click OK.