Endpoint Protection Small Business Edition

  • 1.  Port Scan Attack is Logged- I suspect it is the router.

    Posted Jan 15, 2015 12:41 PM

    Every 5 minutes or so I get a popup that says port scan attack is logged.

    The popup does not show an IP address, but when I look at the log, the IP address that keeps getting blocked is 192.168.0.1. It looks like that is the IP address of our wireless router. 

    Two other employees at my office are having the same problem. Their computers are running on Windows 8. 

    Does anyone know how we can fix this? Thanks!

     



  • 2.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Jan 15, 2015 12:42 PM

    What's the exact version here? A port scan should not be blocked unless you have active response enabled. You would need to add a firewall rule to allow the router IP and traffic to/from



  • 3.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Jan 15, 2015 01:21 PM

    Create an exception for your router in a firewall rule.



  • 4.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Apr 24, 2015 07:42 AM

    I don't fully understand your answer. My version is SEP 12.1.5 and I'm getting the same behavior -- and the IPs SEP blocks are the 25 or so that I've assigned as the range on my router.

     

    Are you saying that "active response" should not ordinarily be enabled (I'll have to look that up if so)? Or are you saying, "just go ahead and put the exception in"?

     

    Thanks!



  • 5.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Apr 24, 2015 08:07 AM

    Active response is usually off by default.

    If it is on, then you need to create an allow rule in the firewall for this



  • 6.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Apr 25, 2015 01:53 AM

    It doesn't appear that I can turn off Active Response. I turn it off (using the Client Management Security Log) and it just turns itself back on.

    At this point I'd be happy to create an allow rule in the firewall, but looking under the Firewall tab in Network Threat Protection Settings, there doesn't appear to be any functionality that allows me to create rules of any sort.

    And just now, SEP has decided to start blocking svchost.exe; who knows why.



  • 7.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Apr 25, 2015 08:55 AM

    Are you running a managed client? Those settings could be locked/set by your admin.



  • 8.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Broadcom Employee
    Posted May 14, 2015 12:07 PM

    If it's a managed client, create a new firewall rule in the Symantec Endpoint Protection Manager (SEPM). By default, a managed client blocks an attack for 600 seconds.

    This article can help you create a new firewall rule: 'Adding a new firewall rule'

    http://www.symantec.com/docs/HOWTO55404

    If it's an unmanaged client, this article can assist you.

    Firewall policies on unmanaged Endpoint Protection clients

    http://www.symantec.com/docs/TECH105725

     



  • 9.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Jun 09, 2015 05:50 PM

    I was wondering whether these 'attacks' can safely be ignored? Do they create any problems?



  • 10.  RE: Port Scan Attack is Logged- I suspect it is the router.

    Posted Jun 09, 2015 06:55 PM

    Depends. They could be a precursor to an attack. If you know what the remote IP is and trust it, then you can safely ignore it. Otherwise you may need to investigate further to see what is going on.
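
Added example, not part of the thread and not Symantec code: a small triage script for the question discussed above, grouping logged port-scan events by source IP and reporting whether each source is a device you already trust (such as the router at 192.168.0.1) and how regularly it triggers. The `timestamp,event,remote_ip` layout, the `triage` function name and the sample lines (including the 203.0.113.45 documentation address) are constructed for illustration and are not the SEP log format.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a hypothetical "timestamp,event,remote_ip" export layout;
# this is not the real SEP security log format.
SAMPLE_LOG = """\
2015-01-15 12:00:03,Port Scan,192.168.0.1
2015-01-15 12:05:01,Port Scan,192.168.0.1
2015-01-15 12:10:04,Port Scan,192.168.0.1
2015-01-15 12:15:02,Port Scan,192.168.0.1
2015-01-15 12:07:40,Port Scan,203.0.113.45
2015-01-15 12:07:52,Port Scan,203.0.113.45
"""

def triage(log_text, trusted, event="Port Scan"):
    """Group port-scan events by source IP; report count, cadence and trust."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3 or parts[1] != event:
            continue  # skip blank, malformed or unrelated lines
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
            ip = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # unparseable timestamp or address
        seen[ip].append(ts)
    report = {}
    for ip, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        is_trusted = any(ip in net for net in trusted_nets)
        report[str(ip)] = {
            "count": len(stamps),
            "median_gap_s": median(gaps) if gaps else None,
            "trusted": is_trusted,
            "action": "known device, consider an allow rule" if is_trusted else "investigate",
        }
    return report

if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG, ["192.168.0.1/32"]).items():
        print(ip, info)
```

A source that is on your trusted list and fires at a steady interval of about five minutes matches the router behaviour described in the first post; an untrusted source is the case to look into further.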