Network Threat Detection

25 March 2022

ID 66794

In this section, SVM refers to an SVM with the Network Threat Detection component installed.

The Network Threat Detection component of Kaspersky Security performs the following functions:

  • Intrusion Prevention. Kaspersky Security can scan the traffic of protected virtual machines and detect activity typical of network attacks and suspicious network activity that may be a sign of an intrusion into the protected infrastructure.

    Kaspersky Security can scan traffic in IPv4 and IPv6 format.

  • Web Addresses Scan. Kaspersky Security can scan user-requested web addresses against databases of malicious and phishing web addresses.

The Network Threat Detection component settings depend on the traffic processing mode selected during registration of the network protection service:

  • If you selected Standard mode, when Kaspersky Security detects signs of intrusions or attempts to access malicious web addresses, it performs the action that is specified in policy settings and relays information about events to the Kaspersky Security Center Administration Server.
  • If you selected Monitoring mode and signs of intrusions or attempts to access malicious web addresses are detected, Kaspersky Security does not take any actions to prevent the threats but only relays information about the events to the Kaspersky Security Center Administration Server.

You can select the traffic processing mode only when registering the network protection service (Kaspersky Network Protection).

Kaspersky Security protects only virtual machines that meet all the conditions for virtual machine protection against network threats.

If you want to protect virtual machines against network threats, you must configure the network threat protection settings in the active policy after installing the Network Threat Detection component. By default, Kaspersky Security does not protect virtual machines against intrusions and does not scan web addresses.

You can configure exclusions from Network Threat Protection as follows:

  • Exclude inbound or outbound traffic of all virtual machines that have been assigned an NSX Security Policy from scanning. You can specify which traffic should be scanned in the NSX Security Policy in which the use of the network protection service (Kaspersky Network Protection) is configured. The NSX Security Policy is configured in the VMware vSphere Web Client console.
  • Create network threat protection exclusion rules that Kaspersky Security can use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.

Information about events that occur during protection of virtual machines against network threats is transmitted to the Kaspersky Security Center Administration Server and logged in a report.

Descriptions of currently known types of network attacks, signs of intrusions, and the databases of malicious and phishing web addresses are included in the application databases and are updated during application database updates.

In this Help section

Conditions for protection of virtual machines against network threats

Intrusion Prevention

Web Addresses Scan

Configuring exclusions from Network Threat Protection
