Kaspersky Embedded Systems Security for Linux

Web Threat Protection

The Web Threat Protection component allows you to scan inbound traffic transmitted over HTTP, HTTPS, and FTP, check websites and IP addresses, prevent malicious files from being downloaded from the Internet, and block access to phishing, adware, and other malicious websites.

Current connections for intercepted TCP ports are reset when Web Threat Protection is enabled.

By default, the Web Threat Protection task is disabled. However, it is enabled automatically if local management of Web Threat Protection settings has been allowed on the device (a policy is not applied or the "lock" is not set in the policy properties) and one of the following executable browser files, including in snap format, has been detected on the system:

  • chrome
  • chromium
  • chromium-browser
  • firefox
  • firefox-esr
  • google-chrome
  • opera
  • yandex-browser

You can enable or disable Web Threat Protection, and also configure the protection settings:

  • Select the action that the application performs on a web resource where a dangerous object is detected.
  • Configure a list of trusted web addresses. The application will not scan the contents of websites whose web addresses are included in this list.
  • Select objects that the application will detect when scanning inbound traffic.
  • Configure the encrypted connections scan to scan HTTPS traffic.

    To scan FTP traffic, control of all network ports must be configured in the settings for the encrypted connections scan.

When a website is opened, the application performs the following actions:

  1. Checks the website security using the downloaded application databases.
  2. Checks the website security using heuristic analysis, if enabled.

    During heuristic analysis, Kaspersky Embedded Systems Security analyzes the activity of applications in the operating system. Heuristic analysis can detect dangerous objects for which there are currently no records in Kaspersky Embedded Systems Security databases.

  3. Checks the trustworthiness of a website using Kaspersky reputation databases if the use of Kaspersky Security Network is enabled.

    You are advised to enable the use of Kaspersky Security Network to help Web Threat Protection work more effectively.

  4. Blocks or allows opening of the website.

On an attempt to open a dangerous website, the application does the following:

  • For HTTP or FTP traffic, the application blocks access and shows a warning message.
  • For HTTPS traffic, a browser displays an error page.

Removing application certificates may cause the Web Threat Protection component to work incorrectly.

Kaspersky Embedded Systems Security adds a special chain of allowing rules (kess_bypass) to the list in the mangle table of the iptables and ip6tables utilities. This chain of allowing rules makes it possible to exclude traffic from scans by the application. If traffic exclusion rules are configured in the chain, they affect the operation of the Web Threat Protection component.
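
Because every rule in kess_bypass removes traffic from scanning, the chain is worth reviewing. The following is an added example, not Kaspersky code: it parses iptables-save style text and lists the rules in the mangle-table chain. The sample rules and the "broad" heuristic (no port restriction) are assumptions.

```python
import shlex

# Constructed sample of `iptables-save` style output. The rules in
# kess_bypass are hypothetical exclusions, not rules shipped by the product.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [0:0]
:kess_bypass - [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j MARK --set-mark 0x1
-A kess_bypass -p tcp -m tcp --dport 8443 -j ACCEPT
-A kess_bypass -d 10.0.0.0/8 -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

def bypass_rules(dump, chain="kess_bypass", table="mangle"):
    """Return the rules appended to `chain` in `table` as option dicts."""
    rules, current = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. "*mangle"
            current = line[1:]
            continue
        if current != table or not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        if len(tokens) < 2 or tokens[1] != chain:
            continue
        opts, i = {}, 2
        while i < len(tokens):              # pair each option with its value
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            opts[tokens[i]] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        rules.append(opts)
    return rules

def describe(rule):
    """Summarise one exclusion; 'broad' is a heuristic: no port restriction."""
    port = rule.get("--dport") or rule.get("--sport") or rule.get("--dports")
    scope = rule.get("-d") or rule.get("-s") or "any address"
    return {"scope": scope, "port": port, "broad": port is None}

if __name__ == "__main__":
    for r in bypass_rules(SAMPLE):
        print(describe(r))
```

On a protected device, pass the function the output of `iptables-save -t mangle` and `ip6tables-save -t mangle`.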


Configuring Web Threat Protection in the Web Console

In the Web Console, you can configure Web Threat Protection settings in the policy properties (Application settings → Essential Threat Protection → Web Threat Protection).

Web Threat Protection component settings

Setting

Description

Web Threat Protection enabled / disabled

This toggle button enables or disables the Web Threat Protection component.

The toggle button is switched off by default.

Action on threat detection

In this section, you can specify the action that the application performs on the web resource where the dangerous object is detected:

  • Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the device. In this case, the application logs the information about the dangerous object and adds it to the list of active threats.
  • Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value).

Detect malicious objects

This check box enables or disables checking of links against the databases of malicious web addresses.

The check box is selected by default.

Detect phishing links

This check box enables or disables checking of links against the databases of phishing web addresses.

The check box is selected by default.

Use heuristic analysis for detecting phishing links

This check box enables or disables the use of heuristic analysis for detecting phishing links.

This check box is available if the Detect phishing links check box is selected, and is selected by default.

Detect adware

This check box enables or disables checking links against the databases of adware web addresses.

This check box is cleared by default.

Detect legitimate applications that intruders can use to compromise devices or data

This check box enables or disables checking links against the databases of legitimate applications that intruders can use to compromise devices or data.

This check box is cleared by default.

Trusted web addresses

This table contains the web addresses and web pages whose content you consider trusted.

You can only add HTTP/HTTPS web addresses to the list of trusted web addresses.

You can use masks to specify web addresses. Masks are not supported for IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

By default, the table is empty.

You can add, edit, and remove web addresses in the table.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Web address window

In this window, you can add a web address or a web address mask to the list of trusted web addresses.

You can add only HTTP/HTTPS web addresses to the list of trusted web addresses. You can use masks to specify web addresses. Masks are not supported for IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).


Configuring Web Threat Protection in the Administration Console

In the Administration Console, you can configure Web Threat Protection settings in the policy properties (Essential Threat Protection → Web Threat Protection).

Web Threat Protection component settings

Setting

Description

Enable Web Threat Protection

This check box enables or disables Web Threat Protection.

This check box is cleared by default.

Trusted web addresses

This group of settings contains the Configure button, which opens the Trusted web addresses window, where you can specify the list of trusted web addresses. The application will not scan the contents of websites whose web addresses are included in this list.

Action on threat detection

Action that the application performs on a web resource where a dangerous object is detected:

  • Block access to all dangerous objects detected in web traffic, display a notification about the blocked access attempts, and log information about the dangerous objects (default value).
  • Inform the user when a dangerous object is detected in web traffic. Web Threat Protection allows this object to be downloaded to the device. In this case, the application logs the information about the dangerous object and adds it to the list of active threats.

Scan settings

This group of settings contains the Configure button, which opens the Scan settings window, where you can configure the settings for scanning incoming traffic.


Trusted web addresses window

In this window, you can add web addresses and web pages whose content you consider trusted.

You can only add HTTP/HTTPS web addresses to the list of trusted web addresses. You can use masks to specify web addresses. Masks are not supported for IP addresses. By default, the list is empty.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

You can add, edit, and remove web addresses on the list.

Clicking the Delete button removes the selected item from the table.

This button is available if at least one item is selected in the table.

The selected element's settings are changed in a separate window.

Clicking the Add button opens a window where you can specify the new item settings.


Web address window

In this window, you can add a web address or a web address mask to the list of trusted web addresses.

You can add only HTTP/HTTPS web addresses to the list of trusted web addresses. You can use masks to specify web addresses. Masks are not supported for IP addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).


Scan settings window

In this window, you can configure the settings for scanning incoming traffic during operation of the Web Threat Protection component.

Web Threat Protection settings

Setting

Description

Detect malicious objects

This check box enables or disables checking of links against the databases of malicious web addresses.

The check box is selected by default.

Detect phishing links

This check box enables or disables checking of links against the databases of phishing web addresses.

The check box is selected by default.

Use heuristic analysis for detecting phishing links

This check box enables or disables the use of heuristic analysis for detecting phishing links.

This check box is available if the Detect phishing links check box is selected, and is selected by default.

Detect adware

This check box enables or disables checking links against the databases of adware web addresses.

This check box is cleared by default.

Detect legitimate applications that intruders can use to compromise devices or data

This check box enables or disables checking links against the databases of legitimate applications that intruders can use to compromise devices or data.

This check box is cleared by default.


Configuring Web Threat Protection in the command line

In the command line, you can manage Web Threat Protection using the Web Threat Protection predefined task (Web_Threat_Protection).

The task starts automatically if one of the supported browsers is detected in the system and local management of Web Threat Protection settings is allowed on the device (a policy is not applied or the "lock" is not set in the policy properties). You can start and stop the task manually.

You can configure Web Threat Protection settings by editing the settings of the Web Threat Protection predefined task.

Web Threat Protection task settings

Setting

Description

Values

ActionOnDetect

Specifies the action to be performed upon detection of an infected object in web traffic.

Notify — Allow the detected object to be downloaded, display a notification about the blocked access attempt, and log information about the infected object.

Block (default value) — Block access to the detected object, display a notification about the blocked access attempt, and log information about the infected object.

CheckMalicious

Enables or disables checking of links against the databases of malicious web addresses.

Yes (default value) — Check if the links are listed in the malicious links database.

No — Do not check if the links are listed in the malicious links database.

CheckPhishing

Enables or disables checking of links against the databases of phishing web addresses.

Yes (default value) — Check if the links are listed in the phishing links database.

No — Do not check if the links are listed in the phishing links database.

UseHeuristicForPhishing

Enables or disables the use of heuristic analysis for scanning web pages for phishing links.

Yes (default value) — Use heuristic analysis to detect phishing links. If this value is specified, the level of heuristic analysis is Light (the least thorough scan with minimal load on the system). You cannot change the heuristic analysis level for the Web Threat Protection task.

No — Do not use heuristic analysis to detect phishing links.

CheckAdware

Enables or disables checking of links against the databases of adware web addresses.

Yes — Check if the links are listed in the adware links database.

No (default value) — Do not check if the links are listed in the adware links database.

CheckOther

Enables or disables the scanning of links against the database of web addresses containing legitimate applications that intruders can use to compromise the devices or data.

Yes — Check if the links are listed in the database of web addresses that contain legitimate applications that intruders can use to compromise your devices or data.

No (default value) — Do not check if the links are listed in the database of web addresses that contain legitimate applications that intruders can use to compromise your devices or data.

UseTrustedAddresses

Enables or disables the usage of a list of trusted web addresses. The application does not scan trusted web addresses for viruses or other malicious objects. You can specify trusted web addresses using the TrustedAddresses.item_# setting.

Yes (default value) — Use a list of trusted web addresses.

No — Do not use a list of trusted web addresses.

TrustedAddresses.item_#

Specifies trusted web addresses.

The default value is not defined.

You can use masks to specify web addresses.

When creating an address mask, use an asterisk (*) as a placeholder for one or more characters. If you enter the *abc* address mask, it is applied to all web resources that contain the "abc" sequence (for example, www.virus.com/download_virus/page_0-9abcdef.html). To include the asterisk in the address mask as a character, but not as a mask, enter the * character twice (for example, www.virus.com/**/page_0-9abcdef.html means www.virus.com/*/page_0-9abcdef.html).

Masks are not supported for IP addresses.
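
The mask rules for TrustedAddresses.item_# (the same rules apply in the Web Console and Administration Console windows described earlier), as an added example that is not Kaspersky code. It reads * literally as one or more characters and ** as a literal asterisk. It assumes that a mask must cover the whole address and that *** is read left to right, and it uses a hypothetical min_literal threshold to flag very wide masks.

```python
import re

def mask_to_regex(mask):
    """Compile a trusted-address mask: '*' is a wildcard, '**' a literal '*'."""
    parts, i = [], 0
    while i < len(mask):
        if mask.startswith("**", i):       # doubled asterisk: literal '*'
            parts.append(re.escape("*"))
            i += 2
        elif mask[i] == "*":               # single asterisk: one or more chars
            parts.append(".+")
            i += 1
        else:
            parts.append(re.escape(mask[i]))
            i += 1
    return re.compile("".join(parts))

def is_trusted(address, masks):
    """True if any mask covers the whole address (assumption: full match)."""
    return any(mask_to_regex(m).fullmatch(address) for m in masks)

def literal_length(mask):
    """Count the non-wildcard characters; '**' counts as one literal."""
    return len(mask.replace("**", "\0").replace("*", ""))

def wide_masks(masks, min_literal=8):
    """Masks with a wildcard and fewer than min_literal fixed characters.

    min_literal is a hypothetical review threshold, not a product setting.
    """
    return [m for m in masks
            if "*" in m.replace("**", "") and literal_length(m) < min_literal]

if __name__ == "__main__":
    # Constructed list: two masks from the text above plus one made-up entry.
    items = ["*abc*", "www.example.com/*", "www.virus.com/**/page_0-9abcdef.html"]
    url = "www.virus.com/download_virus/page_0-9abcdef.html"
    print(is_trusted(url, items), wide_masks(items))
```

A mask such as *abc* leaves every address containing that sequence unscanned, so entries reported by wide_masks deserve a second look before they go into the trusted list.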
