Kaspersky
Solved

Network Attack Detected

  • 12 June 2019

We are currently rolling out Endpoint Security for Windows 11.1.0.15919 to our Windows desktop estate.

Virtually every Windows desktop is swamping the server logs with the following error:

code:
Event type:    Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: ******* (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Object\Additional:
Suspicious:
Database release date: 6/12/2019 7:17:00 AM


I'm looking through the machine logs and policy but can't identify what's actually triggering the event report or how to either turn it off or mark it as something to ignore!

Can anyone point me in the right direction?

Best answer by intrusus 12 June 2019, 12:27

Hey,

Yes, this also occurred in our company and with customers of ours. The reason for this could be two things: Kaspersky has removed the standard Windows exceptions, which you can re-import manually in the policy:
  1. In the left part of the window, in the General Settings section, select Exclusions.
  2. In the Scan exclusions and trusted applications section, click the Settings button.
  3. Click the Add or Import button.
You can find the exclusions we're using right here.

It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings in the policy of KES:
  1. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.
  2. In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks.
If that doesn't help, contact technical support or wait for an answer from the experts here in the community. We did not detect any faulty network attacks after we adjusted the policy.

I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs here (colleague cleaned up). The Incident was then unfortunately closed.

Best regards
Leon

3 replies

It was the ARP! Once I changed the Notify option about the MAC spoofing, then it all settled down.

Thanks for that


I'm glad I could help you. 😄💪🏽
