Does KES v11.0 installed on Hyper-V servers check all (including VMs) network traffic?

  • 11 May 2019
  • 4 replies


We noticed KES for Windows v 11.0 installed on W2k12 R2 servers with Hyper-V roles installed detects and blocks attacks to virtual web-servers running on those Hyper-V machines.
No traffic is allowed from outside to the host machines, only web-traffic is allowed to virtual web-servers. Network Threat Protection on the host machines shows attacks detected and blocked at host level destined to ports TCP 80 and 443. On the web-server level nothing is detected, as if the attacks do not reach them; they are stopped on the host.
Again, on the border firewall TCP 80 and 443 are allowed only for virtual web-servers, but not the underlying hardware machines, yet attacks to those ports are detected and blocked on the Hyper-V servers. (No externally initiated traffic is allowed for hardware servers at all.)

Is this an expected and officially supported behavior? Is it documented anywhere?

P.S. This is very useful, but we are not sure it's not something undocumented, which will disappear one day.

Thank you.

4 replies


Is it possible to use KSVLA or KSV to protect virtual hosts?
Well, KES was already paid for, besides we are pretty satisfied with its work, so have no desire to switch to anything else. Why?
Can you answer the questions?

P.S. Found Kaspersky Security for Virtualization datasheet and some other docs, reading, will consider for future deployments.
Yesterday I installed KES v11.0 on another server, which had Sophos. Removed Sophos and installed KES for Windows.

Inside VMs on that server we have Symantec Endpoint Security installed. On one of the VMs, which is a publicly available web-server, SEP was detecting network attacks, so I thought if I install KES on the host machine, then it will block the attacks on the host level, like it does on other Hyper-V servers.
But unfortunately when the attacks were repeated, KES did not detect anything!?
Why? Is it somehow dependent on AV installed inside VMs?
Concerning my last message, yesterday KES blocked a generic network attack over port 80 on the hardware server, so it seems it works indeed. Probably KES IPS is less effective against specialized web-services attacks than Symantec EP, and simply does not detect them.

So it works, it blocks attacks going to VMs on the Hyper-V host level. I am still interested to hear from Kaspersky if that is an official behavior or just an undocumented feature?