Jump to content
Kaspersky Support Forum

Network Attack Detected

SIIL-IT1
 Share
Go to solution Solved by intrusus,

Recommended Posts

SIIL-IT1

SIIL-IT1

Posted
  • Author
Posted
We are currently rolling out endpoint Security for Windows 11.1.0.15919 to our windows desktop estate. Virtually every windows desktop is swamping the server logs with the following error Event type: Network attack detected Application\Name: Kaspersky Endpoint Security for Windows User: ******* (Active user) Component: Network Threat Protection Result\Description: Allowed Object: from several different sources Object\Type: Network packet Object\Name: from several different sources Object\Additional: Suspicious: Database release date: 6/12/2019 7:17:00 AM I'm looking through the machine logs and policy but can't identify what's actually triggering the event report or how to either turn it off or mark it as something to ignore! Can anyone point me in the right direction?
Link to comment
Share on other sites
  • Solution
intrusus

intrusus

Posted
  • Solution
Posted
Hey, Yes, this also occured in our company and with customers of us. The reason for this could be two things: Kaspersky has removed removed the standard Windows exceptions, which you can re-import manually in the policy:
  1. In the left part of the window, in the General Settings section, select Exclusions.
  2. In the Scan exclusions and trusted applications section, click the Settings button.
  3. Click the Add or Import button.
You can find the exclusions we're using right here. It could also be the Address Resolution Protocol (ARP). That's the protection against MAC spoofing attacks. You can find the corresponding settings it in the policy of KES:
  1. In the left part of the window, in the Essential Threat Protection section, select Network Threat Protection.
  2. In the MAC spoofing Protection operating mode section, we selected: Notify about all activity characteristic of MAC spoofing attacks.
If that doesn't help, contact technical support or wait for an answer from the experts here in the community. We did not detect any faulty network attacks after we adjusted the policy. I also reported the problem as a bug (INC000010311196) some time ago, but I couldn't provide logs here (colleague cleaned up). The Incident was then unfortunately closed. Best regards Leon
Link to comment
Share on other sites
  • 1 year later...
SecureNetwork

SecureNetwork

Posted
Posted

I have facing the same issue and I have enable the Notify about all activity characteristic of MAC spoofing attacks but after that I am getting thousands of notification on several Pc's and SIEM is sending alerts.

 

Kindly provide support on this :

 

 

Link to comment
Share on other sites
  • 2 weeks later...
Stephen B

Stephen B

Posted
Posted

I am using 11.4.0.233 on some of our servers with agent 12.0.0.7734 and I am getting these reports from a single device.  The item being identified is a UPS that is monitored.  We added the IP Address to the “Exclusions” but the reports still come through.  We could change it to “Do not track MAC spoofing attacks” but I don’t think that is the safest thing to do.  The preference would be for the Exclusion to work.  

 

Any ideas? 

 

Event "Network attack detected" occurred on device MILESTONEE1 in Windows domain ##### on Tuesday, 14 July 2020 11:30:56 AM (GMT+10:00)
Event type:     Network attack detected
Application:     Kaspersky Endpoint Security for Windows
Application\Path:     C:\Program Files (x86)\Kaspersky Lab\Kaspersky Endpoint Security for Windows\
User:     NT AUTHORITY\SYSTEM (System user)
Component:     Network Threat Protection
Result\Description:     Allowed
Object:     ARP from unexpected source
Object\Type:     Network packet
Object\Name:     ARP from unexpected source
Object\Additional:     
Suspicious: 14/07/2020 11:30:56 AM: 00-20-85-DF-19-CE -> 172.17.2.44

Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now
 Share
Go to topic listing


×
×
  • Create New...