That's called a WAF, web application firewall, a separate piece of software (or server module) where paths in the web applications hosted are defined, often variables and variable types can be validated, etc. to prevent the kind of attacks these scans are often doing.
Because they are hunting for vulnerable devices and the requests' existence are unique to an application. Like a VoIP appliance for example.
They usually request something deep like /foo/bar/login.html as part of their reconnaissance.
I'm up to 4 pages of filter rules after the massive IP blacklist.
These assholes are also scanning every address on the IPv4 internet and hoovering up the content.
To answer your first question: No, that's the OS's job. But some clever rules could be setup for filtering invalid requests depending on your web server.