Monitoring network traffic
When Kaspersky Security is running, the Mail Anti-Virus, Web Anti-Virus, and Web Control components monitor the network traffic of the protected virtual machines.
You can configure the following general network traffic monitoring settings:
- monitoring of the TCP and UDP ports that are open on the protected virtual machine
- scanning of the traffic transmitted over secure (encrypted) connections
This section describes how to configure Network traffic monitoring settings using the Administration Console and the Light Agent for Windows local interface. You can also configure Network traffic monitoring settings using the Web Console when creating or modifying the Light Agent for Windows policy settings (Application Settings → Other settings → Network traffic monitoring).
Network ports monitoring
When Kaspersky Security is running, the Mail Anti-Virus, Web Anti-Virus, and Web Control components can monitor data streams that are transmitted over specific protocols and that pass through specific open TCP and UDP ports on the protected virtual machine. For example, Mail Anti-Virus scans data that is transmitted via SMTP, while Web Anti-Virus scans data that is transmitted via HTTP and FTP.
Kaspersky Security divides the TCP and UDP ports of the operating system into several groups, depending on the likelihood of their being compromised. Some network ports are reserved for services that are frequent attack targets; you are advised to monitor these ports more thoroughly, because the likelihood that they are attacked is greater. If you use non-standard services that rely on non-standard network ports, these ports may also be targeted by an attacker. You can specify a list of network ports and a list of applications that request network access. These ports and applications then receive special attention from the Mail Anti-Virus and Web Anti-Virus components as they monitor network traffic.
You can perform the following actions to configure the network ports monitoring settings:
- Select the network ports monitoring mode.
- Create a list of monitored network ports.
- Create a list of applications for which all network ports are monitored.
Selecting the network ports monitoring mode
To select the network port monitoring mode in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Monitored ports section, select the network ports monitoring mode:
- If you want Kaspersky Security components to monitor data streams transmitted over any open TCP and UDP port on the virtual machine, select the Monitor all network ports option.
- If you want Kaspersky Security components to monitor only data streams transmitted over the default ports and the ports that you select, select the Monitor selected ports only option. You can configure the list of monitored ports and/or the list of applications for which all ports are monitored in the Network ports window, which opens when you click the Settings button.
This network ports monitoring mode is used by default.
- Click the Apply button.
To select the network port monitoring mode in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete step 6 of the previous instructions.
- To save changes, click the Save button.
Creating a list of monitored network ports
If the "Monitor selected ports only" network port monitoring mode is used, you can configure the list of monitored ports. The default list is configured according to the recommendations of the Kaspersky experts.
To create the list of monitored network ports in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Monitored ports section, select Monitor selected ports only.
- Click the Settings button.
The Network ports window opens. The Network ports window displays a list of network ports that are normally used for transmission of email and network traffic.
- In the list of network ports, perform the following:
- Set the check boxes opposite those network ports that you want to include in the list of monitored network ports.
By default, the check boxes are set opposite all network ports that are listed in the Network ports window.
- Clear the check boxes opposite those network ports that you want to exclude from the list of monitored network ports.
- If the required network port is not shown in the list of network ports, you can add it. To do this, perform the following actions:
- Under the list of network ports, click the Add link to open the Network port window.
- Enter the network port number in the Port field.
- Enter the name of the network port in the Description field.
- In the Network port window, click OK.
The newly added network port is shown at the end of the list of network ports.
- In the Network ports window, click OK.
- Click the Apply button.
To create the list of monitored network ports in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete steps 6–10 of the previous instructions.
- To save changes, click the Save button.
When FTP runs in passive mode, the data connection can be established over a random network port that is not in the list of monitored network ports. To protect such connections, enable monitoring of all network ports, or configure monitoring of all network ports for the applications that establish FTP connections.
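Before choosing between a longer port list and the per-application option, it helps to see which sessions on a virtual machine would fall outside the monitored list. The following added example (not part of Kaspersky Security or its documentation) parses the text of `netstat -ano`, maps owning PIDs to executables, reports connections whose server-side port is not in a monitored-port set, and suggests whether to add the port or to monitor all ports for the owning application. The netstat lines, the PID-to-image map and the monitored-port set are constructed for the example; the product's real default port list is not reproduced, and the ephemeral-port threshold is a heuristic.

```python
"""Gap check for "Monitor selected ports only" mode.

Added example; not Kaspersky code. Parses `netstat -ano` text (Windows)
offline and reports sessions whose server-side port is outside a monitored
port list, then suggests whether to add the port or to monitor all ports for
the owning application. All sample data below is constructed.
"""
import re
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_port remote_port state pid")

# Constructed excerpt of `netstat -ano` output.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:49812         198.51.100.20:443      ESTABLISHED     4120
  TCP    10.0.0.5:49820         198.51.100.21:21       ESTABLISHED     5016
  TCP    10.0.0.5:49821         198.51.100.21:53218    ESTABLISHED     5016
  TCP    10.0.0.5:49830         203.0.113.8:8443       ESTABLISHED     6200
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  UDP    10.0.0.5:137           *:*                                    4
"""

# Constructed PID -> image map (what `tasklist /FO CSV` would give you).
PID_IMAGE = {
    4120: r"C:\Program Files\Mozilla Firefox\firefox.exe",
    5016: r"C:\Tools\ftpclient.exe",
    6200: r"C:\Tools\customagent.exe",
    912: r"C:\Windows\System32\svchost.exe",
    4: "System",
}

# Constructed stand-in for the monitored ports list. The product's real
# default list is maintained by Kaspersky and is not reproduced here.
MONITORED_PORTS = {21, 25, 80, 110, 143, 443, 465, 587, 993, 995}

EPHEMERAL_START = 49152  # Windows/IANA dynamic port range start (heuristic)

_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+\S+:(\d+|\*)\s+\S+:(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Return Conn records for every connection line; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, lport, rport, state, pid = m.groups()
        rows.append(Conn(proto,
                         None if lport == "*" else int(lport),
                         None if rport == "*" else int(rport),
                         state or "",
                         int(pid)))
    return rows


def server_port(c):
    """Port that identifies the service: local for listeners and UDP sockets,
    remote for outbound sessions."""
    if c.state == "LISTENING" or c.remote_port is None:
        return c.local_port
    return c.remote_port


def unmonitored_by_image(rows, monitored=MONITORED_PORTS, pid_image=PID_IMAGE):
    """{image: {ports}} for traffic that the selected-ports list would not cover."""
    result = defaultdict(set)
    for c in rows:
        port = server_port(c)
        if port is not None and port not in monitored:
            result[pid_image.get(c.pid, f"pid {c.pid}")].add(port)
    return dict(result)


def recommendations(gap_map):
    """Suggest the policy change for each image with uncovered traffic."""
    advice = {}
    for image, ports in gap_map.items():
        if any(p >= EPHEMERAL_START for p in ports):
            # Server-side ephemeral ports (e.g. passive FTP data channels) cannot
            # be listed in advance: monitor all ports for this application instead.
            advice[image] = "monitor all ports for this application"
        else:
            advice[image] = ("add ports " + ", ".join(str(p) for p in sorted(ports))
                             + " to the monitored list")
    return advice


if __name__ == "__main__":
    for image, text in recommendations(unmonitored_by_image(parse_netstat(NETSTAT_SAMPLE))).items():
        print(f"{image}: {text}")
```

In the constructed sample, the FTP client's data channel lands on port 53218, which no static list can anticipate, so it is reported as a candidate for the "Monitor all ports for specified applications" list; the custom agent on 8443 is reported as a port to add to the monitored list instead.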
Creating a list of applications for which all network ports are monitored
If the "Monitor selected ports only" network port monitoring mode is used, you can create a list of applications for which Kaspersky Security monitors all network ports.
We recommend including applications that receive or transmit data via the FTP protocol in the list of applications for which Kaspersky Security monitors all network ports.
To use Kaspersky Security Center to create a list of applications for which all network ports are monitored:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Monitored ports section, select Monitor selected ports only.
- Click the Settings button.
- In the Network ports window that opens, select the Monitor all ports for specified applications check box.
- In the list of applications under the Monitor all ports for specified applications check box, do the following:
- Set the check boxes next to the names of applications for which you want to monitor all network ports.
By default, the check boxes are set next to all applications that are listed in the Network ports window.
- Clear the check boxes next to the names of applications for which you do not want to monitor network ports.
- If the required application is not shown in the list of applications, you can add it. To do this, perform the following actions:
- Click the Add link under the list of applications and open the Application window.
- In the Path field, enter the path to the executable file of the application.
- In the Name field, enter an application name.
- In the Application window, click OK.
The application that you have added appears at the end of the list of applications in the Network ports window.
- In the Network ports window, click OK.
- Click the Apply button.
To use the local interface to create a list of applications for which all network ports are monitored:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- In the Monitored ports section, select Monitor selected ports only.
- Complete steps 6–9 of the previous instructions.
- If the required application is not shown in the list of applications, you can add it. To do this, perform the following actions:
- Click the Add link under the list of applications and open the context menu.
- Select the way in which to add the application to the list of applications:
- To select an application from the list of applications that are installed on the protected virtual machine, select the Applications command.
A window opens, letting you specify the name of the application.
- To specify the location of the application's executable file, select the Browse command.
A window opens, letting you specify the path to the executable file of the application.
- The Application window opens after you select the application.
- In the Name field, enter a name for the selected application.
- Click OK.
The application that you have added appears at the end of the list of applications in the Network ports window.
- In the Network ports window, click OK.
- To save changes, click the Save button.
Scanning secure connections
Kaspersky Security can scan the traffic transmitted over secure connections that were established using the following protocols: TLS 1.3, TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0.
The application does not monitor traffic that is transmitted over encrypted connections using the TLS 1.3 protocol, if the Encrypted Server Name Indication technology is used in TLS 1.3.
The application does not monitor traffic that is transmitted over encrypted connections using the SSL 2.0 protocol.
By default, Kaspersky Security intercepts traffic transmitted over secure connections, decrypts it, and passes it to the Mail Anti-Virus, Web Anti-Virus, and Web Control components for scanning. These components then process the traffic according to their configured settings.
If secure connections scan is disabled, application components have the following limitations:
- Mail Anti-Virus does not scan messages that are sent or received via the protocols that ensure encrypted data transfer.
- Web Anti-Virus does not scan web pages and files that are accessed over encrypted connections.
- While monitoring access to web resources over encrypted connections, Web Control does not apply access rules that use content filtering.
If an error occurs while scanning an encrypted connection, the connection with the web resource is terminated. By default, Kaspersky Security also adds the domain name of the web resource to the list of domains whose secure connections result in a scan error. All web resources of domains in this list are excluded from secure connections scans. When there is another attempt to access web resources of this domain, Kaspersky Security allows the connection to be established but does not decrypt and scan the traffic. You can configure the action that is taken by Kaspersky Security when a secure connection scan error occurs.
When decrypting traffic, Kaspersky Security validates the certificate of the web resource to which the secure connection is being established. By default, Kaspersky Security allows the connection to be established even when a certificate error is detected. However, if the connection is being established through a browser, a certificate error warning is displayed. You can configure the action that Kaspersky Security takes when a web resource certificate error is detected.
Kaspersky Security does not scan secure connections that are included in the list of predefined exclusions from secure connections scan. The list of predefined exclusions is generated by Kaspersky experts, is included into the Kaspersky Security application distribution kit, and is updated automatically when application databases are updated. You can view the list of predefined exclusions in the local interface of Light Agent for Windows.
You can also configure the following exclusions from secure connections scan:
- Exclusion of web resources of trusted domains. Kaspersky Security does not decrypt traffic and does not scan certificates of web resources if an encrypted connection is established with a web resource of a domain that has been added to the list of trusted domains.
- Exclusion of trusted applications. Kaspersky Security does not decrypt traffic and does not scan certificates of web resources if an encrypted connection is initiated by an application for which an encrypted traffic scan exclusion is configured.
When scanning secure connections, Kaspersky Security uses its own Kaspersky certificate. This certificate is automatically installed into the trusted certificate store on the protected virtual machine when Kaspersky Security is installed, and is deleted when the application is removed. Because applications on the virtual machine trust this certificate, validation of the web resource's own certificate is performed by Kaspersky Security rather than by the browser, which is why the action taken on a certificate error matters.
Kaspersky Security changes the Mozilla Firefox settings on the protected virtual machine so that the browser uses the system trusted certificate store instead of its own.
Enabling or disabling secure connections scan
By default, secure connections scan is enabled and runs in the mode that Kaspersky experts recommend. You can disable secure connections scan, if necessary.
To enable or disable secure connections scanning using Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Secure connections scan section, do one of the following:
- Select the Scan secure connections check box, if you want Kaspersky Security components to scan the traffic, transmitted through secure connections.
- Clear the Scan secure connections check box, if the traffic transmitted through secure connections is not to be decrypted and scanned.
- Click the Apply button.
To enable or disable secure connections scanning in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete step 6 of the previous instructions.
- To save changes, click the Save button.
Viewing the list of predefined exclusions
The list of predefined exclusions contains connections between particular applications and web resources of particular domains whose traffic cannot be decrypted. Kaspersky Security therefore does not scan these connections during a secure connections scan.
You can view the list of predefined exclusions from secure connections scan in the local interface of Light Agent for Windows. The list is generated by Kaspersky experts and is updated automatically when the application databases are updated.
To view the list of predefined exclusions from secure connections scan:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
- In the Secure connections scan section, click the link to open the Pre-determined exclusions for secure connections scan window.
The connections in the list are defined using the following conditions:
- Domain with which the connection is established. A domain may be defined using a mask; the * character in a mask stands for any sequence of zero or more characters. If no domain is specified, or the Domain column contains the * mask, connections with any domain are excluded from scans.
- Name of the executable file of the program that establishes the connection. If no program is specified, connections initiated by programs with any executable file name are excluded from scans.
- Publisher of a program that establishes a connection. If no publisher is specified, connections initiated by programs from any publisher are excluded from scans.
- Owner of the digital signature of a program that establishes a connection. If no digital signature owner is specified, connections initiated by programs are excluded from scans regardless of their digital signature.
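The four conditions above combine as a conjunction, with an empty condition matching anything. The following added example (not Kaspersky's code, and not its shipped exclusion list) implements that matching for a constructed rule set and a few constructed connections, so the effect of each empty field is visible: a domain mask with `*` is expanded to "any sequence of zero or more characters" as described, while executable name, publisher and signature owner are compared as case-insensitive exact strings (an assumption; the page does not specify the comparison).

```python
"""Match a secure connection against predefined-exclusion conditions of the
kind shown in the Pre-determined exclusions window: domain mask, executable
name, publisher, digital-signature owner, with an empty field meaning "any".

Added example; not Kaspersky's code or its real exclusion list. The `*` mask
is implemented as "any sequence of zero or more characters" as the page states;
matching of the other fields is case-insensitive exact match (an assumption).
Rules and connections below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ExclusionRule:
    domain: str = ""       # mask; "" or "*" = any domain
    executable: str = ""   # file name of the initiating program; "" = any
    publisher: str = ""    # "" = any publisher
    signer: str = ""       # digital-signature owner; "" = any


@dataclass(frozen=True)
class Connection:
    domain: str
    executable: str
    publisher: Optional[str] = None   # None = not available (e.g. unsigned binary)
    signer: Optional[str] = None


def domain_matches(mask: str, domain: str) -> bool:
    """`*` in the mask stands for any run of zero or more characters."""
    if mask in ("", "*"):
        return True
    pattern = ".*".join(re.escape(part) for part in mask.casefold().split("*"))
    return re.fullmatch(pattern, domain.casefold()) is not None


def field_matches(required: str, actual: Optional[str]) -> bool:
    if required == "":
        return True                    # condition not specified: any value
    return actual is not None and actual.casefold() == required.casefold()


def matching_rule(rules, conn):
    """First rule that excludes `conn` from decryption and scanning, or None."""
    for r in rules:
        if (domain_matches(r.domain, conn.domain)
                and field_matches(r.executable, conn.executable)
                and field_matches(r.publisher, conn.publisher)
                and field_matches(r.signer, conn.signer)):
            return r
    return None


def is_excluded(rules, conn) -> bool:
    return matching_rule(rules, conn) is not None


# Constructed rule set (illustrative, not the shipped list).
RULES = [
    ExclusionRule(domain="*.update.example", executable="updater.exe",
                  signer="Example Software Ltd"),
    ExclusionRule(domain="vault.example", publisher="Example Bank"),
    ExclusionRule(executable="pinnedclient.exe"),   # any domain, any signer
]
```

The point to take from the rules: a signer condition means an unsigned binary with the same file name is still decrypted and scanned, and an exact domain condition does not carry over to its subdomains.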
Configuring secure connections scan settings
You can configure secure connections scan settings through Kaspersky Security Center or in the local interface of Light Agent for Windows.
To configure secure connections scan settings in Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Secure connections scan section, click the Scan settings button.
- In the Secure connections scan settings window that opens, select the action that Kaspersky Security performs when a web resource certificate error is detected:
- Allow. Kaspersky Security allows a connection to be established with the web resource.
If the connection is established through a browser and you attempt to access a website with a certificate error, you will see an HTML page containing a warning that visiting the website is not recommended, and a description of the detected certificate error. You can click the link on the HTML page to proceed to the requested website. For a period of an hour after clicking the link, Kaspersky Security will not display warnings for the certificate error of this website or when requesting other web resources in the same domain.
This action is selected by default.
- Block. Kaspersky Security blocks the connection with the web resource.
If the connection is established through a browser and you attempt to access a website with a certificate error, you will see an HTML page containing a warning that the website is blocked, and a description of the detected certificate error.
- Select the action that Kaspersky Security performs when secure connections scan errors occur:
- Exclude domain from scanning. If scan of a secure connection with a web resource ends with an error, Kaspersky Security adds the web resource domain to the list of domains with secure connection errors. All web resources of domains in this list are excluded from secure connections scans. When there is another attempt to access web resources of this domain, Kaspersky Security allows the connection to be established but does not decrypt and scan the traffic.
This action is selected by default.
The list of domains with secure connections scan errors can be viewed in the Secure connections scan settings window in the local interface of Light Agent for Windows.
- Terminate connection. If a scan of a secure connection with a web resource ends with an error, Kaspersky Security blocks all subsequent attempts to connect to this web resource.
If you selected the Terminate connection action, all domains previously added to the list of domains with secure connections scan errors are automatically deleted from this list.
- If you want Kaspersky Security to block connections that are established using the TLS 1.0, SSL 2.0, and SSL 3.0 protocols, select the Block TLS 1.0, SSL 2.0 and SSL 3.0 connections (recommended) check box.
By default, Kaspersky Security does not block network connections that are established using the TLS 1.0, SSL 2.0 and SSL 3.0 protocols. In this case, Kaspersky Security monitors network traffic transmitted over connections that are established using the TLS 1.0 and SSL 3.0 protocols. Network traffic transmitted using the SSL 2.0 protocol is not monitored.
The TLS 1.0, SSL 2.0, and SSL 3.0 protocols have known weaknesses that affect the security of data transfer.
- In the Secure connections scan settings window, click OK.
- Click the Apply button.
To configure the secure connections scan settings in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete steps 6–10 of the previous instructions.
Click the Domains with scan errors link in the Secure connections scan settings window to view the list of domains whose secure connections result in a scan error.
- To save changes, click the Save button.
Excluding web resources from secure connections scan
Kaspersky Security does not decrypt traffic or check security certificates for web resources of trusted domains. You can generate a list of trusted domains through Kaspersky Security Center or in the local interface of Light Agent for Windows.
To create the list of trusted domains using Kaspersky Security Center:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Secure connections scan section, click the Trusted domains button.
- In the Trusted domains window that opens, configure the list of trusted domains:
- To add a domain to the list of trusted domains:
- Click the Add button.
- In the Domain window that opens, enter the domain name, IP address, IP range (for example, 198.51.100.0/24), or web address of the domain.
The scan exclusion is not applied to web resources of subdomains of the specified domain. If you want to exclude web resources of subdomains from secure connections scan, enter the domain mask in the format *.example.com.
- In the Domain window, click OK.
- To change the name or address of a trusted domain:
- Select the domain in the list and click Edit.
- In the Domain window that opens, enter the new domain name, IP address, IP range (for example, 198.51.100.0/24), web address, or domain mask in the *.example.com format, and click OK.
- To remove a domain from the list of trusted domains, select it in the list and click Delete.
- If you want to temporarily cancel scan exclusion for web resources of a domain without removing the domain from the list of trusted domains, clear the check box next to the domain in the list. By default, all web resources of domains added to the list are excluded from secure connections scan.
- In the Trusted domains window, click OK.
- Click the Apply button.
To create the list of trusted domains in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Complete steps 6–8 of the previous instructions.
- To save changes, click the Save button.
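The Trusted domains window accepts several entry forms, and the subdomain rule above is the one most often misread. The following added example (not Kaspersky's code) evaluates a web resource against a constructed list of entries of those forms, honouring the cleared check box as "temporarily not excluded". From the page: a plain domain entry does not cover its subdomains and a `*.example.com` mask does. Not stated on the page, and therefore assumptions made here: the mask does not cover the bare `example.com`, it does cover deeper subdomains, and a web-address entry is reduced to its host.

```python
"""Evaluate a web resource against trusted-domain entries of the kinds the
Trusted domains window accepts: a domain name, an IP address, an IP range in
CIDR form (198.51.100.0/24), a web address, or a `*.example.com` mask.

Added example; not Kaspersky's code. From the page: a plain domain entry does
not cover its subdomains, and a `*.example.com` mask does. Assumptions (not on
the page): the mask does not cover the bare `example.com`, it does cover deeper
subdomains, and a web-address entry is reduced to its host. Entries are
constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def host_of(target: str) -> str:
    """Host part of a URL or of a bare `host[:port][/path]`, lower-cased."""
    if "://" not in target:
        target = "//" + target          # lets urlsplit treat it as a network location
    return (urlsplit(target).hostname or "").casefold()


def as_network(entry: str):
    """Return an ip_network for IP / CIDR entries, else None."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def entry_covers(entry: str, target: str) -> bool:
    host = host_of(target)
    ent = host_of(entry) if "://" in entry else entry.strip().casefold()
    net = as_network(ent)
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False                # target is a host name, not an address
    if ent.startswith("*."):
        # ".example.com" suffix: subdomains only (assumption: bare domain not covered)
        return host.endswith(ent[1:])
    return host == ent                  # exact host; subdomains are not covered


def is_trusted(entries, target: str) -> bool:
    """entries: iterable of (entry, enabled); a cleared check box disables the entry."""
    return any(enabled and entry_covers(entry, target) for entry, enabled in entries)


# Constructed list, as it might appear in the Trusted domains window.
ENTRIES = [
    ("example.com", True),
    ("*.corp.example", True),
    ("198.51.100.0/24", True),
    ("https://intranet.example:8443/", True),
    ("legacy.example", False),          # check box cleared: temporarily not excluded
]
```

A trusted-domain entry switches off both decryption and certificate validation for the matching resources, so the list should be kept to the domains that genuinely need it, and `*.` masks used only where every subdomain is under the same control.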
Exclusion of applications from secure connections scan
You can configure an exclusion from secure connections scan for applications through Kaspersky Security Center or in the local interface of Light Agent for Windows.
To use Kaspersky Security Center to configure application exclusions from secure connections scanning:
- Open Kaspersky Security Center Administration Console.
- In the Managed devices folder of the console tree, open the folder with the name of the administration group to which the relevant protected virtual machines belong.
- In the workspace, select the Policies tab.
- Select a Light Agent for Windows policy in the list of policies and open the Properties: <Policy name> by double-clicking.
- In the policy properties window, select the Network traffic monitoring section in the list on the left.
- In the right part of the window, in the Secure connections scan section, click the Trusted applications button.
- In the Trusted zone window that opens, in the Trusted applications tab, select the application for which you want to configure an exclusion from secure connections scanning in one of the following ways:
- If the application is absent from the list of trusted applications, click Add. In the Exclusions for application window, specify the path to the executable file of the application.
- If the application is on the list of trusted applications, select it and click Edit.
- In the Exclusions for application window, configure the settings for scanning network traffic transmitted for this application by using the Do not scan network traffic check box and the links located in the lower part of the window.
You can configure the following settings for scanning traffic transmitted for this application:
- Exclude all traffic or only encrypted traffic from scans.
- Exclude from scans the traffic transmitted for this application from any IP address or only from specified IP addresses.
- Exclude from scans the traffic transmitted for this application from any or only from specified ports.
You can modify these settings by clicking the link.
- In the Exclusions for application window, click OK.
- In the Trusted zone window, click OK.
- Click the Apply button.
To configure application exclusions from secure connections scanning in the local interface:
- On the protected virtual machine, open the application settings window.
- In the left part of the window, in the Other settings section, select Network traffic monitoring.
In the right part of the window the settings for Network Ports Monitoring and for Scanning Secure Connections are displayed.
If the settings in the local interface are not available, this means that the values of settings defined by the policy are used for all protected virtual machines of the administration group.
- Select the application for which you want to configure an exclusion from secure connections scan in one of the following ways:
- If the application is absent from the list of trusted applications, click Add and select the application using one of the items in the context menu.
- If the application is on the list of trusted applications, select it and click Edit.
- In the Exclusions for application window, configure the settings for scanning network traffic transmitted for this application by using the Do not scan network traffic check box and the links located in the lower part of the window.
You can configure the following settings for scanning traffic transmitted for this application:
- Exclude all traffic or only encrypted traffic from scans.
- Exclude from scans the traffic transmitted for this application from any IP address or only from specified IP addresses.
- Exclude from scans the traffic transmitted for this application from any or only from specified ports.
You can modify these settings by clicking the link.
- In the Exclusions for application window, click OK.
- In the Trusted zone window, click OK.
- To save changes, click the Save button.