Issues with PortScan detections
Maybe this is a coincidence and maybe it is related to the NTP module 07.04 definitions update. But I will describe the whole situation. Our internal network was on SEP 11.0.7101.1056. 2 weeks ago I installed the newest version (11.0.7200.1147) via client install packages on 10 PCs (testing group) varying from Win7 to Vista and XP (all 32 bit). Everything was fine for 2 weeks and today I pushed this version to all PCs. Also those 10 PCs were moved back to their groups and so the install package was applied to them again. But usually this doesn't cause problems and those computers don't get to install the same version. Also those 10 PCs didn't get the notification about the upgrade. So maybe this is not related to this new version and only a coincidence, but after almost 30 minutes PortScan messages started popping up on random computers with random IP addresses and then active response blocking turned on (it was enabled by default). But it is blocking the whole internet connection, not just the one IP which is mentioned in the message. So the user has to restart the PC to get the internet connection back. I myself got a few such messages and I can't say where those IPs may be coming from (e.g. 126.96.36.199, 188.8.131.52). It looks like this is happening only when using IE. Maybe IE updates suggested sites from these IPs or something. Also a while ago it was showing the IP address of the Canon site in our country (canon.lt) and other legit and trusted sites. It looks to me that SEP is going nuts with those portscan detections and blocks all connections instead of the ones in the messages.
So far I have had 7 reports about lost internet connection and all those PCs are now on 11.0.7200.1147. So maybe it is related to this version or maybe to this version and today's definitions. I have disabled portscan detections and active response blocking as this feature makes our network unreliable and I doubt its usefulness.
Can anyone explain what is happening here and how, and what's the purpose of portscan detections? Should I leave it disabled? We already have a Fortigate firewall on the edge and everyone is going through it to the internet.
This is not a completely new issue. I have an older thread about portscans, which is already locked without any clear answer from Symantec. Though last time it wasn't such a big issue because it wasn't blocking the internet connection. Maybe such blocking was introduced in this newer version?