Kaspersky
Solved

Network Attack Detected

  • 12 June 2019

We are currently rolling out Endpoint Security for Windows 11.1.0.15919 to our Windows desktop estate.

Virtually every Windows desktop is swamping the server logs with the following error:

code:
Event type:    Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: ******* (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Object\Additional:
Suspicious:
Database release date: 6/12/2019 7:17:00 AM


I'm looking through the machine logs and policy but can't identify what's actually triggering the event report or how to either turn it off or mark it as something to ignore!

Can anyone point me in the right direction?

Best answer by intrusus 12 June 2019, 12:27

Hey,

Yes, this also occurred in our company and with our customers. The reason for this could be two things: Kaspersky has removed the standard Windows exceptions, which you can re-import manually in the policy:
  1. In the left part of the window, in the General Settings section, select Exclusions.
  2. In the Scan exclusions and trusted applications section, click the Settings button.
  3. Click the Add or Import button.
You can find the exclusions we're using right here.

It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings in the policy of KES:
  1. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.
  2. In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks.
If that doesn't help, contact technical support or wait for an answer from the experts here in the community. We did not detect any faulty network attacks after we adjusted the policy.

I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs here (colleague cleaned up). The incident was then unfortunately closed.

Best regards
Leon

5 replies

It was the ARP! Once I changed the Notify option about the MAC spoofing, then it all settled down.

Thanks for that


I'm glad I could help you. 😄💪🏽

I am facing the same issue and I have enabled the Notify about all activity characteristic of MAC spoofing attacks option, but after that I am getting thousands of notifications on several PCs and the SIEM is sending alerts.

Kindly provide support on this:

KES 11.1.1 is an old version.
I would recommend an update to the current version 11.3 or the soon available version 11.4.
https://support.kaspersky.com/kes11#downloads
 

Please note:
KES 11.3 and higher is only supported with KSC/Agent 12
https://support.kaspersky.com/15406#block4


regards
alex

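For the SIEM flood described in the thread, one option on the collector side is to roll up events that name no source and no signature, while forwarding any event that does carry detail. This is an added example, not part of the thread and not Kaspersky code; the blank-line event separator, the roll-up rule, the address 192.0.2.10 and the name EXAMPLE-SIGNATURE are assumptions made for illustration.

```python
import re
from collections import Counter

# The event text exactly as posted in the question.
QUESTION_EVENT = r"""Event type:    Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: ******* (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Object\Additional:
Suspicious:
Database release date: 6/12/2019 7:17:00 AM"""

# Constructed contrast event: made-up source address and placeholder signature name.
DETAILED_EVENT = QUESTION_EVENT.replace("from several different sources", "192.0.2.10").replace(
    "Suspicious:", "Suspicious: EXAMPLE-SIGNATURE")
SAMPLE = "\n\n".join([QUESTION_EVENT, DETAILED_EVENT, QUESTION_EVENT])

def parse_events(text):
    """Split blank-line-separated events into dicts, cutting each line at its first colon."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":") for line in block.splitlines())
        events.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return [e for e in events if e]

def is_detail_free(event):
    """True for the shape seen in the thread: no named source and no signature."""
    return (event.get("Event type") == "Network attack detected"
            and event.get("Component") == "Network Threat Protection"
            and event.get("Object\\Name") == "from several different sources"
            and not event.get("Object\\Additional")
            and not event.get("Suspicious"))

def roll_up(events):
    """Return (counts of detail-free events per result, events to forward one by one)."""
    noise, forward = Counter(), []
    for event in events:
        if is_detail_free(event):
            noise[event.get("Result\\Description", "")] += 1
        else:
            forward.append(event)
    return noise, forward

if __name__ == "__main__":
    print(roll_up(parse_events(SAMPLE)))
```

A rising roll-up count is still worth a single periodic alert, since the thread's fix was a policy change on the endpoints rather than silence in the SIEM.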