Kaspersky Endpoint Security 12 for Windows

Network Threat Protection

25 April 2024

ID 176737

The Network Threat Protection component (also called Intrusion Detection System) monitors inbound network traffic for activity characteristic of network attacks. When Kaspersky Endpoint Security detects an attempted network attack on the user's computer, it blocks the network connection with the attacking computer. Descriptions of currently known types of network attacks and ways to counteract them are provided in Kaspersky Endpoint Security databases. The list of network attacks that the Network Threat Protection component detects is updated during database and application module updates.

Network Threat Protection component settings



Treat port scanning and network flooding as attacks

Network Flooding is an attack on network resources of an organization (such as web servers). This attack consists of sending a large number of requests to overload the bandwidth of network resources. When this happens, users are unable to access the network resources of the organization.

A Port Scanning attack consists of scanning UDP ports, TCP ports, and network services on the computer. This attack allows the attacker to identify the degree of vulnerability of the computer before conducting more dangerous types of network attacks. Port Scanning also enables the attacker to identify the operating system on the computer and select the appropriate network attacks for this operating system.

If this check box is selected, Kaspersky Endpoint Security monitors network traffic to detect these attacks. If an attack is detected, the application notifies the user and sends the corresponding event to Kaspersky Security Center. The application provides information about the attacking computer, which is required for timely threat response actions.

You can disable detection of these types of attacks in case some of your allowed applications perform operations that are typical for these types of attacks. This will help avoid false alarms.

Block attacking devices for N min

If the option is enabled, the Network Threat Protection component adds the attacking computer to the blocked list. This means that the Network Threat Protection component blocks the network connection with the attacking computer after the first network attack attempt for the specified amount of time. This block automatically protects the user's computer against possible future network attacks from the same address. The minimum time an attacking computer must spend in the block list is one minute. The maximum time is 999 minutes.

You can view the block list in the Network Monitor tool window.

Kaspersky Endpoint Security clears the block list when the application is restarted and when the Network Threat Protection settings are changed.


The list contains IP addresses from which Network Threat Protection does not block network attacks.

You can add an IP address with port and protocol specified.

The application does not log information on network attacks from the IP addresses that are in the list of exclusions.

MAC Spoofing Protection

A MAC spoofing attack consists of changing the MAC address of a network device (network card). As a result, an attacker can redirect data sent to a device to another device and gain access to this data. Kaspersky Endpoint Security lets you block MAC Spoofing attacks and receive notifications about the attacks.

See also: Managing the application via the local interface

Enabling and disabling Network Threat Protection

Blocking an attacking computer

Configuring addresses of exclusions from blocking

Configuring protection against network attacks by type

Did you find this article helpful?
What can we do better?
Thank you for your feedback! You're helping us improve.
Thank you for your feedback! You're helping us improve.