Network Attack Detected


Posted
We are currently rolling out Endpoint Security for Windows 11.1.0.15919 to our Windows desktop estate. Virtually every Windows desktop is swamping the server logs with the following error:

Event type: Network attack detected
Application\Name: Kaspersky Endpoint Security for Windows
User: ******* (Active user)
Component: Network Threat Protection
Result\Description: Allowed
Object: from several different sources
Object\Type: Network packet
Object\Name: from several different sources
Object\Additional: Suspicious: Database release date: 6/12/2019 7:17:00 AM

I'm looking through the machine logs and policy but can't identify what's actually triggering the event report, or how to either turn it off or mark it as something to ignore! Can anyone point me in the right direction?
  • Solution
Posted
Hey, yes, this also occurred in our company and with customers of ours. The reason for this could be two things: Kaspersky has removed the standard Windows exceptions, which you can re-import manually in the policy:
  1. In the left part of the window, in the General Settings section, select Exclusions.
  2. In the Scan exclusions and trusted applications section, click the Settings button.
  3. Click the Add or Import button.
You can find the exclusions we're using right here. It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings in the policy of KES:
  1. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.
  2. In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks.
If that doesn't help, contact technical support or wait for an answer from the experts here in the community. We did not detect any faulty network attacks after we adjusted the policy. I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs here (a colleague cleaned them up). The incident was then unfortunately closed. Best regards, Leon
Posted
It was the ARP! Once I changed the Notify option about the MAC spoofing, then it all settled down. Thanks for that
Posted
I'm glad I could help you.
  • 1 year later...
SecureNetwork
Posted

I am facing the same issue, and I have enabled "Notify about all activity characteristic of MAC spoofing attacks", but after that I am getting thousands of notifications on several PCs and the SIEM is sending alerts.

Kindly provide support on this:
  • 2 weeks later...
Posted

I am using 11.4.0.233 on some of our servers with agent 12.0.0.7734 and I am getting these reports from a single device. The item being identified is a UPS that is monitored. We added the IP address to the "Exclusions" but the reports still come through. We could change it to "Do not track MAC spoofing attacks" but I don't think that is the safest thing to do. The preference would be for the exclusion to work.

Any ideas?

Event "Network attack detected" occurred on device MILESTONEE1 in Windows domain ##### on Tuesday, 14 July 2020 11:30:56 AM (GMT+10:00)
Event type:     Network attack detected
Application:     Kaspersky Endpoint Security for Windows
Application\Path:     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\
User:     NT AUTHORITY\SYSTEM (System user)
Component:     Network Threat Protection
Result\Description:     Allowed
Object:     ARP from unexpected source
Object\Type:     Network packet
Object\Name:     ARP from unexpected source
Object\Additional:     
Suspicious: 14/07/2020 11:30:56 AM: 00-20-85-DF-19-CE -> 172.17.2.44
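A small triage helper for event text in the shape quoted above, added here as an example and not part of this thread or of Kaspersky's tooling: it parses the "Object" field and the "Suspicious: … MAC -> IP" line out of KES "Network attack detected" records, counts "ARP from unexpected source" reports per source, and shows which of them an IP exclusion list would drop (so a single noisy device like the UPS stands out). The sample events are constructed; the second MAC/IP pair is invented.

```python
import re
from collections import Counter

# "Suspicious:" line KES appends to a MAC spoofing event, e.g.
# "Suspicious: 14/07/2020 11:30:56 AM: 00-20-85-DF-19-CE -> 172.17.2.44"
SUSPICIOUS_RE = re.compile(
    r"^Suspicious:\s+(?P<when>.+?):\s+(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})"
    r"\s*->\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)
ARP_OBJECT = "ARP from unexpected source"

def parse_events(text):
    """Split KES event text into dicts; a record starts at each 'Event type:' line."""
    events, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Event type:"):
            cur = {"type": line.split(":", 1)[1].strip()}
            events.append(cur)
        elif cur is None:
            continue                      # text before the first record
        elif line.startswith("Object:"):
            cur["object"] = line.split(":", 1)[1].strip()
        else:
            m = SUSPICIOUS_RE.match(line)
            if m:
                cur.update(when=m["when"], mac=m["mac"].upper(), ip=m["ip"])
    return events

def arp_sources(events, excluded_ips=()):
    """Count ARP-spoofing reports per (MAC, IP) source, skipping excluded IPs."""
    counts = Counter()
    for e in events:
        if e.get("object") == ARP_OBJECT and "mac" in e and e["ip"] not in excluded_ips:
            counts[(e["mac"], e["ip"])] += 1
    return counts

# Constructed sample: two records from the UPS quoted in this thread and one
# from an invented second source; field spacing mirrors the KES report text.
SAMPLE = """\
Event type:     Network attack detected
Object:     ARP from unexpected source
Suspicious: 14/07/2020 11:30:56 AM: 00-20-85-DF-19-CE -> 172.17.2.44
Event type:     Network attack detected
Object:     ARP from unexpected source
Suspicious: 14/07/2020 11:31:02 AM: 00-20-85-DF-19-CE -> 172.17.2.44
Event type:     Network attack detected
Object:     ARP from unexpected source
Suspicious: 14/07/2020 11:35:10 AM: 00-1b-2c-3d-4e-5f -> 172.17.2.99
"""
```

Running `arp_sources(parse_events(SAMPLE), excluded_ips={"172.17.2.44"})` leaves only the second source, which is the behaviour the poster expected from the policy exclusion.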
