Virtually every Windows desktop is swamping the server logs with the following error:
Event type: Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: ******* (Active user)
Component: Network Threat Protection
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Database release date: 6/12/2019 7:17:00 AM
I'm looking through the machine logs and policy but can't identify what's actually triggering the event report or how to either turn it off or mark it as something to ignore!
Can anyone point me in the right direction?
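Added example, not part of the thread: a small Python triage helper for the event layout quoted above. It parses records in that Key: value form and counts them per user and per reported source, tallying the placeholder "from several different sources" separately, since that value names no host to exclude. The blank-line record separator and the sample users and address are constructed assumptions.

```python
from collections import Counter
# Constructed sample, not a real export: two records in the Key: value layout
# quoted in the question; the blank-line separator is an assumption.
SAMPLE_EVENTS = r"""
Event type: Network attack detected
User: alice (Active user)
Component: Network Threat Protection
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Database release date: 6/12/2019 7:17:00 AM

Event type: Network attack detected
User: bob (Active user)
Component: Network Threat Protection
Object: 192.0.2.10
Object\Type: Network packet
Object\Name: 192.0.2.10
Database release date: 6/12/2019 7:17:00 AM
"""

def parse_events(text):
    # Each blank-line-separated block becomes a dict of its 'Key: value' fields.
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events

def triage(text):
    # Count attack events per user and per named source; the placeholder
    # 'from several different sources' names no host, so it is tallied apart.
    by_user, by_source, unattributed, total = Counter(), Counter(), 0, 0
    for ev in parse_events(text):
        if ev.get("Event type") != "Network attack detected":
            continue
        total += 1
        by_user[ev.get("User", "").split(" (")[0]] += 1  # drop "(Active user)"
        name = ev.get("Object\\Name", "")
        if name == "from several different sources":
            unattributed += 1
        else:
            by_source[name] += 1
    return {"total": total, "unattributed": unattributed,
            "by_user": dict(by_user), "by_source": dict(by_source)}
```

A high unattributed count spread across many users points at a policy-wide setting rather than a single noisy host.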
Best answer by intrusus
Yes, this also occurred in our company and with customers of ours. There could be two reasons for this: Kaspersky has removed the standard Windows exceptions, which you can re-import manually in the policy:
- In the left part of the window, in the General Settings section, select Exclusions.
- In the Scan exclusions and trusted applications section, click the Settings button.
- Click the Add or Import button.
It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings in the policy of KES:
- In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.
- In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks.
I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs (a colleague had cleaned them up). The incident was then unfortunately closed.