Endpoint Protection 12.1.2015.2015 "port scan" false positive

Created: 21 Jan 2013 • Updated: 21 Jan 2013 | 8 comments

Running Endpoint Protection 12.1.2015.2015 on Windows 7, and have had the usual tweaks that others have reported that needed to be addressed, such as the "traffic from application svchost.exe" fix with IPv6, and that has since gone away for me as well with using the recommendation of turning IPv6 off since it's not being used. However, I've recently run into a snag with this machine since it runs VMware Workstation on it as well to run one of my test Asterisk VoIP virtual machines. When I place calls out from my physical Cisco 7965 IP Phone, on every other call (usually happens with back-to-back calls) I get:

(screenshot taken at a different occurrence of this, but this is what displays every time)

The 64.x.x based IP is that of my SIP trunk provider, which is not a threat.

Line item from Traffic Log after the event:

1/21/2013 2:31:04 PM    Blocked    10    Incoming    UDP    64.x.x.x    [MAC redacted]   19320    10.0.0.248    [MAC redacted]    11434        drew Default    4    1/21/2013 2:31:06 PM    1/21/2013 2:31:06 PM    Block_all    

Any ideas to filter this without compromising security?

.Brian:

You can create a firewall rule to allow all traffic to/from the 64.x.x.x address. Make sure to move it to the top.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.
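An added example, not code from the thread or from Symantec, showing why "move it to the top" matters: SEP applies the first firewall rule that matches, top to bottom, so an allow rule placed below a block-all rule never fires. The script parses a traffic-log line in the field order of the one quoted in the question (that column order is an assumption), replays it against two orderings of the same two rules, and flags any "Blocked" entries from the trusted SIP provider that should disappear once the allow rule is on top. The sample line is constructed; 203.0.113.10 stands in for the redacted 64.x.x.x provider address.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample line. Field order follows the traffic-log line quoted in
# the question (assumed SEP column order): time, action, severity, direction,
# protocol, remote host, remote MAC, remote port, local host, local MAC,
# local port, application, user, location, occurrences, begin, end, rule.
# 203.0.113.10 stands in for the redacted 64.x.x.x SIP provider address.
SAMPLE_LOG = "\t".join([
    "1/21/2013 2:31:04 PM", "Blocked", "10", "Incoming", "UDP",
    "203.0.113.10", "[MAC redacted]", "19320",
    "10.0.0.248", "[MAC redacted]", "11434",
    "", "drew", "Default", "4",
    "1/21/2013 2:31:06 PM", "1/21/2013 2:31:06 PM", "Block_all",
])


@dataclass
class TrafficEvent:
    time: str
    action: str
    direction: str
    protocol: str
    remote_ip: str
    remote_port: int
    local_ip: str
    local_port: int
    rule: str


def parse_traffic_line(line: str) -> TrafficEvent:
    """Split one tab-separated traffic-log line into the fields we care about."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 18:
        raise ValueError(f"expected 18 tab-separated fields, got {len(f)}")
    return TrafficEvent(
        time=f[0], action=f[1], direction=f[3], protocol=f[4],
        remote_ip=f[5], remote_port=int(f[7]),
        local_ip=f[8], local_port=int(f[10]),
        rule=f[17],
    )


@dataclass
class FirewallRule:
    name: str
    action: str                                      # "Allow" or "Block"
    remote: Optional[ipaddress.IPv4Network] = None   # None matches any remote host
    local: Optional[ipaddress.IPv4Network] = None    # None matches any local host
    protocol: Optional[str] = None                   # None matches any protocol

    def matches(self, ev: TrafficEvent) -> bool:
        if self.remote is not None and ipaddress.ip_address(ev.remote_ip) not in self.remote:
            return False
        if self.local is not None and ipaddress.ip_address(ev.local_ip) not in self.local:
            return False
        if self.protocol is not None and self.protocol != ev.protocol:
            return False
        return True


def first_match(rules: List[FirewallRule], ev: TrafficEvent) -> FirewallRule:
    """Walk the rule list top to bottom and return the first rule that matches."""
    for rule in rules:
        if rule.matches(ev):
            return rule
    raise LookupError("no rule matched")


SIP_PROVIDER = ipaddress.ip_network("203.0.113.10/32")   # placeholder for 64.x.x.x
ALLOW_SIP = FirewallRule("Allow SIP trunk", "Allow", remote=SIP_PROVIDER)
BLOCK_ALL = FirewallRule("Block_all", "Block")            # rule named in the log line

RULES_ALLOW_BELOW = [BLOCK_ALL, ALLOW_SIP]    # allow rule added but left at the bottom
RULES_ALLOW_ON_TOP = [ALLOW_SIP, BLOCK_ALL]   # allow rule moved to the top, as advised


def blocked_from_trusted(lines: List[str],
                         trusted: List[ipaddress.IPv4Network]) -> List[TrafficEvent]:
    """Return Blocked entries whose remote host lies in a trusted network.

    These are the entries that should no longer appear in the traffic log once
    the allow rule sits above the block rule."""
    hits = []
    for line in lines:
        ev = parse_traffic_line(line)
        if ev.action == "Blocked" and any(
                ipaddress.ip_address(ev.remote_ip) in net for net in trusted):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    ev = parse_traffic_line(SAMPLE_LOG)
    print("allow rule below block rule ->", first_match(RULES_ALLOW_BELOW, ev).name)
    print("allow rule on top           ->", first_match(RULES_ALLOW_ON_TOP, ev).name)
    print("blocked entries from trusted provider:",
          len(blocked_from_trusted([SAMPLE_LOG], [SIP_PROVIDER])))
```

Run it against an export of the Network Threat Protection traffic log (one line per event) with the provider's real address in `SIP_PROVIDER`; an empty result from `blocked_from_trusted` is the "traffic being allowed" check suggested further down the thread.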

simplydrew:

In the "firewall" as in Change Settings > Exceptions > Add > Security Risk Exception > Web Domain? That's the only place where I can find to put in an IP address from within Endpoint.

.Brian:

Open up the SEP GUI and next to Network Threat Protection click Options and select Configure Firewall Rules

Firewall Policies on Unmanaged Clients

Article:TECH105725  |  Created: 2008-01-26  |  Updated: 2009-01-17  |  Article URL http://www.symantec.com/docs/TECH105725

simplydrew:

Gotcha. I think that did the trick. I'll do some further testing and see if it comes up again. Wasn't sure if it was the SIP traffic that was making it throw a port scan alert or not.

.Brian:

If you check your traffic log, you should see the traffic being allowed from the 64.x.x.x IP address. If so, you should be good to go.


simplydrew:

Having this issue again, but in a related fashion for an external SIP softphone attempting to register to a VMware server that has the 10.0.0.248 IP on my network, connected to Windows host node 10.0.0.100. With Endpoint Protection on, when my iPhone attempts to register from the AT&T cellular network, it doesn't work. When looking at the Network Threat Protection log, I get the following blocks:

[screenshot: symantec_issue.PNG]

This shouldn't be happening considering I have a rule that says let everything to 10.0.0.248 just pass, no blocking:

[screenshot: symantec_rule.png]

I'm at a loss here. This doesn't make any sense.