How to configure Web Threat Protection

The Web Threat Protection component allows you to scan inbound traffic via HTTP, HTTPS, and FTP, websites, and IP addresses, prevent malicious files from being downloaded from the Internet, and block access to phishing, adware, and other malicious websites.

Current connections for intercepted TCP ports are reset when Web Threat Protection is enabled.

By default, Web Threat Protection is disabled. However, the task starts automatically if one of the following browser executable files is found in the system, including in SNAP format:

• chrome
• chromium
• chromium-browser
• firefox
• firefox-esr
• google-chrome
• opera
• yandex-browser

You can enable or disable the Web Threat Protection component at any time.

By modifying the settings of the Web Threat Protection predefined task, you can:

• Select action that the application performs on a web resource where a dangerous object is detected.
• Configure a list of trusted web addresses.

  The application will not scan the contents of websites whose web addresses are included in this list.

• Select objects that the application will detect when scanning inbound traffic.
• Configure the encrypted connections scan to scan HTTPS traffic.

  To scan FTP traffic, control of all network ports must be configured in the settings for the encrypted connections scan.

When a website is opened, the application performs the following actions:

1. Checks the website security using the downloaded application databases.
2. Checks the website security using heuristic analysis, if enabled.

   During heuristic analysis, the Kaspersky application analyzes the activity of applications in the operating system. Heuristic analysis can detect dangerous objects that do not have a record in databases of the Kaspersky application.

3. Looks up the reputation of the website using Kaspersky reputation databases.
4. Blocks or allows opening the website.

The Web Threat Protection component does not scan mail traffic.

On attempt to open a dangerous website, the application performs the following:

• For HTTP or FTP traffic, the application blocks access and shows a warning message.
• For HTTPS traffic, a browser displays an error page.

Removing application certificates may cause the Web Threat Protection component to work incorrectly.

The Kaspersky application adds a special chain of allowing rules (kfl_bypass) to the list of the mangle table of the iptables and ip6tables utilities. This chain of allowing rules makes it possible to exclude traffic from scanning by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Web Threat Protection component.

In the application interface, you can manage Web Threat Protection using the Web Threat Protection component.

The application interface allows you to:

• Enable or disable the Web Threat Protection component.
• Observe the operation of the component.
• View pop-up notifications about detected threats; in these notifications, you can click the Open Reports link to navigate to application component reports and scan task results.
• View reports of the Web Threat Protection component.

  Results of the Web Threat Protection component are displayed in the report in the Web Threat Protection section.

On the command line, you can manage Web Threat Protection using the Web Threat Protection predefined task (Web_Threat_Protection). You can start and stop the task manually.

The task starts automatically if one of the supported browsers is detected on the system.

On the command line, you can view information about detected threats and check the current status of the task.

The task starts with default settings listed in Appendix 3. You can modify task settings.

You must modify the settings of a task before starting the task.

To stop the Web Threat Protection task and enable the output of current events related to this task, run the following command:

kfl-control --stop-task 14 -W

To start the Web Threat Protection task, enable the output of current events related to this task, and display the progress of the task, run the following command:

kfl-control --start-task 14 [-W] [--progress]

The Web Threat Protection task starts with default settings listed in Appendix 3.

You can display the current values of the task settings in one of the following ways:

• To the console using the task settings output command: kfl-control --get-settings 14 [--json]
• To a configuration file using the task settings output command: kfl-control --get-settings 14 --file <path to configuration file> [--json]

If you need to modify the settings of the Web Threat Protection task, you can:

• Modify all task settings using the configuration file. To do so:
  1. Output the task settings to the configuration file: kfl-control --get-settings 14 [--json]

     A configuration file with the current task settings is generated.

  2. Edit task settings in the generated configuration file by choosing values from the following table.
  3. Save the configuration file.
  4. Run the following command: kfl-control --set-settings 14 --file <configuration file path> [--json]
• Modify individual task settings: kfl-control --set-settings 14 <setting name>=<setting value> [<setting name>=<setting value>]
• Restore default task settings: kfl-control --set-settings 14 --set-to-default

For detailed instructions on how to modify the settings of application tasks, see the How to manage task settings on the command line section.

The following table describes all the settings of the Web Threat Protection task and their values.

Web Threat Protection task settings

Setting	Description	Values
ActionOnDetect	Specifies the action to be performed upon detection of an infected object in web traffic.	Notify — Allow the detected object to be downloaded, display a notification about the blocked access attempt, and log information about the infected object. Block (default value) — Block access to the detected object, display a notification about the blocked access attempt, and log information about the infected object.
CheckMalicious	Enables or disables checking of links against the databases of malicious web addresses.	Yes (default value) — Check if the links are listed in the malicious links database. No — Do not check if the links are listed in the malicious links database.
CheckPhishing	Enables or disables checking of links against the databases of phishing web addresses.	Yes (default value) — Check if the links are listed in the phishing links database. No — Do not check if the links are listed in the phishing links database.
UseHeuristicForPhishing	Enables or disables the use of heuristic analysis for scanning web pages for phishing links.	Yes (default value) — Use heuristic analysis to detect phishing links. If this value is specified, the level of heuristic analysis is Light (the least thorough scan with minimal load on the system). You cannot change the heuristic analysis level for the Web Threat Protection task. No — Do not use heuristic analysis to detect phishing links.
CheckAdware	Enables or disables checking of links against the databases of adware web addresses.	Yes — Check if the links are listed in the adware links database. No (default value) — Do not check if the links are listed in the adware links database.
CheckOther	Enables or disables the scanning of links against the database of web addresses containing legitimate applications that intruders can use to compromise the devices or data.	Yes—Check if the links are listed in the database of web addresses that contain legal applications that may be used by intruders to damage your devices or data. No (default value) — Do not check if the links are listed in the database of web addresses that contain legal applications that may be used by intruders to damage your devices or data.
UseTrustedAddresses	Enables or disables the usage of a list of trusted web addresses. The application does not scan trusted web addresses for viruses or other malicious objects. You can specify trusted web addresses using the TrustedAddresses.item_# setting.	Yes (default value) — Use a list of trusted web addresses. No — Do not use a list of trusted web addresses.
TrustedAddresses.item_#	Specifies trusted web addresses.	The default value is not defined. You can use masks to specify web addresses. When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html). Masks are not supported to specify IP addresses.

Page top