Endpoint Protection


port scan


  • 1.  port scan

    Posted Mar 17, 2014 06:14 PM
    somebody is scanning your computer. Your computer's UDP ports: 60213,60214,60208,54703 and 60215 have been scanned from 192.168.2.100, which is a printer on our network. Traffic Direction - Inbound


  • 2.  RE: port scan

    Posted Mar 17, 2014 06:38 PM

    Are you trying to ask a question?



  • 3.  RE: port scan

    Posted Mar 17, 2014 06:40 PM

    Hi Brendon,

    What's the version of SEP you are running?

    Does the printer have a setting configured which causes it to scan? I've seen this for some printers.

    This is due to the IPS policy, you can set it as an excluded host per here:

    http://www.symantec.com/docs/HOWTO81159



  • 4.  RE: port scan

    Posted Mar 17, 2014 07:26 PM

    What is the 192.168.2.100 machine? Is this on your local LAN?

    Determine what it is and if it's legit and if so, you can set it as an excluded host.



  • 5.  RE: port scan

    Posted Mar 18, 2014 10:13 AM

    I am running Version 12.1.4013.  I don't think there is any setting configured in the printer.  The printer just started printing pages with the printer owner's name on it yesterday.  I connected to the printer to troubleshoot and that is when the port scanning started. :(



  • 6.  RE: port scan

    Broadcom Employee
    Posted Mar 18, 2014 10:22 AM

    If it's the printer, can you check the MAC address and compare that with the printer?



  • 7.  RE: port scan

    Posted Mar 18, 2014 10:25 AM

    If it's the printer, exclude it from SEP scanning,

    compare the IP and MAC to be sure that it's indeed the printer...



  • 8.  RE: port scan

    Posted Mar 18, 2014 10:31 AM

    The 192.168.2.100 is a printer on our local LAN.  I will check the MAC address



  • 9.  RE: port scan

    Posted Mar 18, 2014 10:37 AM

    If it's legitimate (I'm sure it is, as IPS has good false positive rates), follow these steps to exclude it:

    1.  Open your Intrusion Prevention Policy.

    2.  Choose Settings on the left.

    3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.  

    4.  Add the IP address of your printer and choose Okay.  



  • 10.  RE: port scan

    Posted Mar 18, 2014 10:48 AM

    The IP and MAC address from the port scan are the same as the printer, so it looks legitimate.  I connected the printer to the network again, and the odd printing stopped and my PC is not being scanned now.



  • 11.  RE: port scan

    Posted Mar 18, 2014 10:53 AM

    I can't seem to find a place that has an "enable excluded hosts".



  • 12.  RE: port scan

    Posted Mar 18, 2014 11:04 AM

    Are you using enterprise or small business edition? It's under the overview section.



  • 13.  RE: port scan

    Posted Mar 18, 2014 11:13 AM

    If the port scanning has stopped and you are no longer getting alerted, for security's sake maybe excluding the printer at this time is not a good idea.  I would first try to determine why this printer was performing port scans (is this normal behavior for this type of printer...). I would leave it as is and monitor the behavior for a while.  Printers have been used as entry points into networks before.

    Just my 2 cents.



  • 14.  RE: port scan

    Broadcom Employee
    Posted Mar 18, 2014 11:27 AM

    Hi,

    Thank you for posting in Symantec community.

    Some printer communications are over UDP using raw mode. If the printer sends too many UDP packets within a set time period, the UDP Flood Attack detection is triggered. 

    To resolve the issue you will need to disable Denial of Service detection within your Intrusion Prevention policy or you will need to add the printer's IP address in "Excluded Hosts."

    To add the printer to "Excluded Hosts":

    1.  Open your Intrusion Prevention Policy.

    2.  Choose Settings on the left.

    3.  Check the box for Enable excluded hosts and then click the Excluded Hosts... button.  

    4.  Add the IP address of your printer and choose Okay.



  • 15.  RE: port scan

    Posted Mar 18, 2014 11:35 AM

    I don't think I will exclude the printer just yet.  I agree that I should just wait and see what happens next.
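
The two checks the thread settles on (compare the alert's source IP and MAC with the printer's, then keep monitoring instead of excluding the host), as an added example that is not part of any post above and not Symantec code. The MAC addresses, timestamps, log format, inventory table and the 10-second / 5-port threshold are constructed assumptions, not SEP's actual detection settings; only the IP and the port numbers come from the alert in post 1.

```python
"""Added example: verify a port-scan alert's source against inventory and
keep counting its probes instead of excluding the host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical asset inventory: IP -> expected MAC (constructed values).
INVENTORY = {"192.168.2.100": "00:11:22:33:44:55"}

# Constructed sample events: time, source IP, source MAC, destination UDP port.
# The last line is a constructed case where the MAC no longer matches.
SAMPLE_LOG = """\
2014-03-17T18:14:01 192.168.2.100 00-11-22-33-44-55 60213
2014-03-17T18:14:02 192.168.2.100 00-11-22-33-44-55 60214
2014-03-17T18:14:02 192.168.2.100 00-11-22-33-44-55 60208
2014-03-17T18:14:03 192.168.2.100 00-11-22-33-44-55 54703
2014-03-17T18:14:04 192.168.2.100 00-11-22-33-44-55 60215
2014-03-17T18:20:00 192.168.2.100 de-ad-be-ef-00-01 60213
"""

def norm_mac(mac):
    # Accept both 00-11-.. and 00:11:.. notations.
    return mac.lower().replace("-", ":")

def parse(log):
    for line in log.splitlines():
        ts, ip, mac, port = line.split()
        yield datetime.fromisoformat(ts), ip, norm_mac(mac), int(port)

def review(log, window=timedelta(seconds=10), min_ports=5):
    """Return (identity mismatches, bursts of >= min_ports distinct ports in window)."""
    mismatches, bursts = [], []
    recent = defaultdict(list)  # source IP -> [(time, port)] still inside the window
    for ts, ip, mac, port in parse(log):
        # Check 1: does the sender's MAC match what inventory expects for this IP?
        if INVENTORY.get(ip) != mac:
            mismatches.append((ts.isoformat(), ip, mac))
        # Check 2: how many distinct ports has this source probed recently?
        hits = [(t, p) for t, p in recent[ip] if ts - t <= window] + [(ts, port)]
        recent[ip] = hits
        ports = sorted({p for _, p in hits})
        if len(ports) >= min_ports:
            bursts.append((ip, ports))
            recent[ip] = []  # start a fresh window after reporting
    return mismatches, bursts

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

A matching MAC only shows the traffic is consistent with the inventory entry; it does not explain why the device is probing ports, which is the question post 13 raises.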