Configuring Network Activity Scanner for virtual machines

The suspicious network activity detection functionality is available only if you are using the application under an enterprise license.

To configure the Network Activity Scanner settings for protected virtual machines:

1. Open the Administration Console of Kaspersky Security Center.
2. In the console tree, perform one of the following actions:
   • If you want to configure the operating settings of SVMs of one KSC cluster, in the Managed devices folder of the console tree select the administration group containing the KSC cluster.
   • If you want to configure the operating settings of SVMs of all KSC clusters, select the Managed devices folder.
3. In the workspace, select the Policies tab.
4. Select a policy in the list of policies and double-click the policy to open the Properties: <Policy name> window.
5. In the policy properties window, select the Intrusion Prevention section and click the Settings button.

   The Network activity scanner parameters window opens.

6. Specify the application categories whose signs of network activity should be detected by Kaspersky Security:
   • Adware
     

     Enables / disables detection of network activity that is typical of adware.

     Adware is designed to show advertising information to the user, redirect search queries to advertising websites, and send marketing information about the user to the adware developer. Unlike Trojan-Spy–type programs, adware transmits this information with the user's permission.

     If the check box is selected, Kaspersky Security detects activity that is typical of adware in the traffic of protected virtual machines.

     If the check box is cleared, detection of activity typical of adware is disabled.

     This check box is cleared by default.

   • Other programs
     

     Enables / disables detection of network activity that is typical of legitimate software that can be exploited by criminals to harm a virtual machine or user data.

     These programs include file downloaders, remote administration programs, user activity monitoring programs. These programs are normally used for legal purposes. However, if criminals obtain access to such programs, they could use some of the program features to harm a virtual machine or user data.

     If the check box is selected, in the traffic of protected virtual machines Kaspersky Security detects activity that is typical of legitimate software that could be exploited by criminals to harm a virtual machine or user data.

     If the check box is cleared, the detection of activity that is typical of such programs is disabled.

     This check box is cleared by default.

   Kaspersky Security always detects network activity that is typical of such malware as viruses, worms and Trojans in the traffic of protected virtual machines.

7. If Kaspersky Security detects network activity that you believe is not a sign of an intrusion into the protected infrastructure, you can configure a list of rules that Kaspersky Security will not apply to detect suspicious network activity in the traffic of protected virtual machines.

   To add a network activity detection rule to the list, click the Add button located above the list, and in the string of the list enter the rule ID in the following format: <number>:<number>:<number>.

   You can view information about an applied rule in the text of the event that was sent to Kaspersky Security Center when it detected the suspicious network activity.

8. In the Network activity scanner parameters window, click OK.
9. Select an action in the Action upon detecting suspicious activity list.
   

   Action that Kaspersky Security performs when it detects suspicious network activity in the traffic of protected virtual machines. You can select one of the following options:

   • Choose action automatically. Kaspersky Security performs the default action specified by Kaspersky Lab specialists. If network protection is deployed in standard mode, the Terminate connection action is automatically selected. If network protection is deployed in monitoring mode, the Ignore action is automatically selected.

     This option is selected by default.

   • Ignore. Kaspersky Security does not perform any actions on virtual machines that display suspicious network activity.
   • Terminate connection. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines.
   • Terminate connection and block traffic from sender's IP address. Kaspersky Security terminates the connection between a protected virtual machine that displays suspicious network activity and other virtual machines, and blocks the traffic from the IP address from which the suspicious network activity originated. Traffic is blocked in the specific VLAN in which a network attack or suspicious network activity was detected. The duration for blocking the traffic is configured in the On detection of a network attack or suspicious network activity, block traffic from IP address for N minutes field.

   Information about suspicious network activity detection and the actions taken is sent to Kaspersky Security Center.

   You can select an action if the Monitor virtual machine network activity check box is selected.

   If network protection is deployed in monitoring mode, the Ignore action is applied when suspicious network activity is detected, regardless of the selected action.

10. If required, change the value of the setting On detection of a network attack or suspicious network activity, block traffic from IP address for N minutes.
    

    The duration for blocking the traffic from IP address from which the network attack or suspicious network activity originated. When determining the source of a network attack or suspicious network activity, the application takes into account whether or not the traffic is from a virtual LAN (VLAN). Kaspersky Security blocks traffic from an IP address only in the VLAN in which a network attack or suspicious network activity was detected.

    The default blocking duration is 60 minutes.

11. If necessary, configure network threat protection exclusion rules that Kaspersky Security will use to exclude traffic of specific IP addresses from scans or apply special actions when processing such traffic.
12. In the Properties: <Policy name> window, click OK.