Kaspersky Security for Virtualization 5.2 Light Agent

Network Attack Blocker

The Kaspersky Security functionality described in this section is available only if the application is installed on a virtual machine with a Windows desktop or server operating system.

The Network Attack Blocker component scans inbound network traffic for activity that is typical of network attacks. On detecting an attempted network attack that targets the protected virtual machine, Kaspersky Security blocks network activity originating from the attacking device. A warning is then displayed, stating that an attempted network attack has been detected, and showing information about the attacking device.

The Network Attack Blocker component does not block the IP address of the attacking device in the following cases:

  • The attack is conducted over the UDP protocol.
  • Blocking the IP address would lead to failure of a critically important network service (for example, the domain controller service).

Descriptions of currently known types of network attacks and ways to fight them are provided in the application databases. The list of network attacks that the Network Attack Blocker component detects is updated during application database updates.

You can do the following to configure Network Attack Blocker:

This section describes how to configure Network Attack Blocker settings using the Administration Console and the Light Agent for Windows local interface. You can also configure the Network Attack Blocker settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Anti-Virus protection → Network Attack Blocker).

In this Help section

Enabling and disabling Network Attack Blocker

Editing the settings used in blocking an attacking device

Configuring a list of IP addresses excluded from blocking


Enabling and disabling Network Attack Blocker

By default, the Network Attack Blocker component is enabled and operating in optimal mode. You can disable Network Attack Blocker, if necessary.

To enable or disable Network Attack Blocker in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking.
  5. In the policy properties window, select the Network Attack Blocker section in the list on the left.
  6. In the right part of the window, do one of the following:
    • To enable the Network Attack Blocker component, select the Network Attack Blocker check box.
    • To disable the Network Attack Blocker component, clear the Network Attack Blocker check box.
  7. Click the Apply button.

In the local interface of Light Agent for Windows, you can enable or disable a component in two ways:

To enable or disable Network Attack Blocker on the Protection and Control tab of the main application window:

  1. On the protected virtual machine, open the main application window.
  2. Select the Protection and Control tab.
  3. Open the Manage protection section.
  4. Open the context menu of the Network Attack Blocker item and perform one of the following actions:
    • To enable Network Attack Blocker, select Enable in the menu.

      The component status icon that is displayed on the left in the Network Attack Blocker line changes to the icon.

    • To disable Network Attack Blocker, select Disable in the menu.

      The component status icon that is displayed on the left in the Network Attack Blocker line changes to the icon.

    If this menu item is unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

To enable or disable Network Attack Blocker in the application settings window:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, under Anti-Virus protection, select Network Attack Blocker.

    The Network Attack Blocker settings are displayed in the right part of the window.

    If component settings are unavailable, this means that you cannot enable or disable this component because the policy-defined setting is applied to protected virtual machines within the administration group.

  3. Do one of the following:
    • To enable the Network Attack Blocker component, select the Enable Network Attack Blocker check box.
    • To disable the Network Attack Blocker component, clear the Enable Network Attack Blocker check box.
  4. To save changes, click the Save button.

Editing the settings used in blocking an attacking device

Network traffic from the attacking device is blocked for one hour. You can edit the settings for blocking an attacking device.

To edit the settings for blocking an attacking device in Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking.
  5. In the policy properties window, select the Network Attack Blocker section in the list on the left.
  6. In the right part of the window, in the Network Attack Blocker settings section:
    • Select the Add the attacking device to the list of blocked devices for N min check box if you want the Network Attack Blocker component to block the network activity of an attacking device for a specified amount of time, thereby automatically protecting the virtual machine against possible future attacks from this address. In the field on the right, specify the amount of time to block an attacking device.

      By default, network traffic from the attacking device is blocked for one hour.

    • Clear the Add the attacking computer to the list of blocked computers for N min check box if you do not want the Network Attack Blocker component to enable automatic protection against possible future network attacks from this address.
  7. Click the Apply button.

To edit the settings for blocking an attacking device in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, under Anti-Virus protection, select Network Attack Blocker.

    The Network Attack Blocker settings are displayed in the right part of the window.

  3. Do the following:
    • Select the Add the attacking device to the list of blocked devices for N min check box if you want the Network Attack Blocker component to block the network activity of an attacking device for a specified amount of time, thereby automatically protecting the virtual machine against possible future attacks from this address. In the field on the right, specify the amount of time to block an attacking device.

      By default, network traffic from the attacking device is blocked for one hour.

    • Clear the Add the attacking computer to the list of blocked computers for N min check box if you do not want the Network Attack Blocker component to enable automatic protection against possible future network attacks from this address.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  4. To save changes, click the Save button. 

Configuring a list of IP addresses excluded from blocking

You can configure a list of IP addresses from which network attacks will not be blocked. Information about network attacks will be recorded in a report.

To configure a list of IP addresses excluded from blocking using Kaspersky Security Center:

  1. Open Kaspersky Security Center Administration Console.
  2. In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
  3. In the workspace, select the Policies tab.
  4. Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> window by double-clicking.
  5. In the policy properties window, select the Network Attack Blocker section in the list on the left.
  6. In the right part of the window, click the Exclusions button.
  7. In the Exclusions window that opens, do one of the following:
    • If you want to add a new IP address, click the Add button.
    • If you want to edit a previously added IP address, select it in the list of IP addresses and click the Edit button.
  8. In the IP address window that opens, enter the IP address of the device from which network attacks will not be blocked.
  9. In the IP address window, click OK.
  10. Click OK in the Exclusions window.
  11. Click the Apply button.

To configure a list of IP addresses excluded from blocking in the local interface:

  1. On the protected virtual machine, open the application settings window.
  2. In the left part of the window, under Anti-Virus protection, select Network Attack Blocker.

    The Network Attack Blocker settings are displayed in the right part of the window.

  3. Complete steps 6–10 of the previous instructions.

    If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.

  4. To save changes, click the Save button.
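
Excluded addresses and attacks conducted over UDP are detected without the attacking address being blocked, so their report entries deserve manual review. The following added example (not part of Kaspersky Security or its documentation) cross-checks report entries against the exclusion list to find such sources; the report row layout, the addresses and the detection names are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not product output. Assumed row layout:
# (time, source address, transport protocol, detection name).
REPORT_ROWS = [
    ("2024-05-01 09:12", "10.0.5.20", "TCP", "constructed-detection-1"),
    ("2024-05-01 09:13", "10.0.7.44", "TCP", "constructed-detection-2"),
    ("2024-05-01 09:20", "10.0.8.3", "UDP", "constructed-detection-3"),
    ("2024-05-01 09:41", "10.0.5.20", "UDP", "constructed-detection-3"),
    ("2024-05-01 10:02", "fd00:0:0:1::9", "TCP", "constructed-detection-1"),
]
# Addresses as typed into the Exclusions window (constructed).
EXCLUSIONS = ["10.0.5.20", "fd00::1:0:0:0:9", "10.0.6.0/24"]


def parse_exclusions(entries):
    """Return (set of parsed single addresses, list of entries that are not one)."""
    valid, invalid = set(), []
    for entry in entries:
        try:
            # Parsing normalises different spellings of the same IPv6 address.
            valid.add(ipaddress.ip_address(entry.strip()))
        except ValueError:
            # The procedure above documents single addresses only, so a
            # range or a typo is reported instead of being guessed at.
            invalid.append(entry)
    return valid, invalid


def unblocked_sources(rows, exclusions):
    """Map each detected-but-not-blocked source to the reasons it was not blocked."""
    excluded, _ = parse_exclusions(exclusions)
    reasons = defaultdict(set)
    for _time, src, proto, _name in rows:
        addr = ipaddress.ip_address(src)
        if addr in excluded:
            reasons[str(addr)].add("excluded")
        if proto.upper() == "UDP":
            reasons[str(addr)].add("udp")
    return {src: sorted(why) for src, why in reasons.items()}


if __name__ == "__main__":
    print("Entries that are not a single IP address:", parse_exclusions(EXCLUSIONS)[1])
    for src, why in unblocked_sources(REPORT_ROWS, EXCLUSIONS).items():
        print(f"{src}: detected, not blocked ({', '.join(why)})")
```

The case where blocking would break a critically important network service cannot be derived from these inputs and is not covered by the example.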