What triggers a port scan detection in Symantec Endpoint Protection (SEP)

Article:TECH165237  |  Created: 2011-07-22  |  Updated: 2013-06-24  |  Article URL http://www.symantec.com/docs/TECH165237
Article Type
Technical Solution


Issue



Customer would like to know if a port scan detection is real and what behavior is detected


Solution



SEP firewall detects the behavior as port scan attack if the same IP address accesses more than 4 ports within 200 secs.

As Designed.

Example of SEP "Security log" in which we can see more than 4 ports being scanned.

 





Article URL http://www.symantec.com/docs/TECH165237


Terms of use for this information are found in Legal Notices