
Port Scan Attack

Created: 17 May 2012 • Updated: 26 May 2012 | 21 comments
This issue has been solved. See solution.

The other day, I was working on a friend's computer, when a Symantec error popped up:  "The traffic from IP address xx.xxx.x.xx has been blocked for 600 seconds."  When I investigated, the logs showed it was a port scan attack from another computer on the network (private network, but a lot of people on it).  Further investigation revealed it was actually my computer in the other room that was sending the port scans.  Since then, I've run several anti-spyware or anti-virus programs on my computer, and every one has come out negative (well, some tracking cookies, but nothing big).  I've tried Malwarebytes, Spybot S&D, Avast, SUPERAntiSpyware, and Hitman Pro (all with completely updated definitions).  Is there another possible, legitimate source for these port scans, or should I keep downloading and running other anti-malware programs?

Thanks


W007:

Hi,

In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

By default attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

I don't see any concern to create an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

If a machine is receiving an attack, there must be some loophole in the system.

Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

Check this article:

http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

Check this link for all the updates which need to be installed.

http://www.securityfocus.com/bid/31874/solution

You can check these forums.

 https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

cheesypuffs:

Thanks, but my question was asking how to respond if you own the "attacking" computer, not so much the one under attack.

pete_4u2002:

Since you have identified the machine in the network, you can check with the user of the machine whether he has run a port scan or is using any application like that.

cheesypuffs:

Since I am the owner, the answer is no, I don't think so.  Not intentionally.

Chetan Savade:

Hi,

The latest version of SEP is SEP 12.1 RU1 MP1; for 11.x it's RU7 MP2.

It is recommended to install all the Symantec features (AV / PTP / NTP) with the latest definitions. Always make sure that your computers are receiving definitions regularly.

You can upgrade your product to the latest build.

Your Windows machines should have all the latest Windows updates/patches.

Disable Autorun if you are not using SEP 12.1.

Please follow the best practice guide to handle virus issues.

http://www.symantec.com/business/support/index?pag...

Download and run the Power Eraser and Load Point Analysis Tool (included with the SEP Support Tool).

The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.

The Load Point Analysis Tool generates a detailed report of the programs loaded on your system, and is helpful in listing common load points where threats can live.

http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

If possible, please share a screenshot of the pop-up, because that would be more helpful.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

John Q.:

You need to identify what is causing this detection:

 - When does it occur?

 - How often does it occur?

 - Does it match the moment when you run a specific application/program?

 - Are there more machines detecting similar attacks, from your machine or another one?

If the problem can be easily reproduced, you can use Wireshark + Process Monitor to check what is causing this traffic.

Please remember to mark the proper comment as SOLUTION:
 - to identify threads that do not require further assistance
 - to let other visitors know how to fix such issue

cheesypuffs:

I downloaded Wireshark + Process Monitor.  The first is awesome, the second is a little beyond me, I think.  Here's what I've got:

When does it occur? When I'm logged into Windows.  It does this even though it is locked and hasn't been touched for hours.

How often does it occur?  Several times a second.  From the receiving computer's end, once every ten minutes or so (i.e. shortly after it unblocks the attack)

Does it match the moment you run a specific program?  No, it's constant.

Are there more machines detecting similar attacks, from your machine or another one? I've had another friend mention it before in the past, and now that I'm looking at Wireshark, it's cycling through tons of IPs (all on my network).

Looking at Wireshark, there seems to be one main offender: my computer (under the name LiteonTe_(MACaddress)) is broadcasting using the ARP protocol and asking "Who has (IP address)?  Tell (my IP address)".  As soon as it receives a reply with a MAC address, it moves on to another IP.  How do I connect this info with Process Monitor?

I'm not sure how much is a normal amount of traffic for Wireshark and Process Monitor, but I got 10,000 local network entries and close to a million process events in half an hour.  Is that usual or scary?

.Brian:

What version are you running? I know version 11.0.6005 caused a false positive, which was fixed in a later release.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

cheesypuffs:

I can check on Monday.  I'm pretty sure it's fully updated, though, and my computer is definitely sending out a lot of weird traffic.

pete_4u2002:

OK, is your machine the attacker or the attacked?

pete_4u2002:

Ah, okay. In that case, do you use any tool? If not, I suggest opening a support ticket.

I believe there is some application trying to connect to the machine and crossing the threshold for a port scan, hence it is showing up. Did you try to exclude your folder?

cheesypuffs:

To be honest, I'm not exactly sure what you're asking.

Tool?  Using what kind of tool, and for what?

Is there a way I can check to see which application might be trying to connect?  And I'm afraid I've never heard of excluding folders before.

cheesypuffs:

So, here's the full situation as it stands: I believe my computer is compromised.  It is SENDING out port scans across the network I'm on.  These are constant requests for the MAC addresses associated with different IP addresses.  It is sending multiple requests per second, and they occur at all hours of the day (whenever the computer is on).  I have verified this with Wireshark.  I (the owner and only user of this computer) have not run any programs or processes that, to my knowledge, would create these requests.
 
So far I've run: Symantec Load Point Analysis, Symantec Power Eraser, Avast Antivirus, Malwarebytes, Spybot S&D, SUPERAntiSpyware, Hitman Pro, Prevx, and Ad-Aware.  None of them have found anything connected with the outbound port scan attacks.
 
My goal: discover if these attacks are malicious or benign, and turn them off in either case.
 
I believe this is all the relevant information so far.  My main question right now is: is there any safe program that sends out these messages, and if so, how would I go about discovering that it is the source?  I'm familiar with computers, but I'm not much of a techy, so any help is really appreciated.
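The pattern the poster describes above (one host broadcasting "Who has X? Tell Y" for one address after another, several times a second) can be pulled out of a capture programmatically rather than by eyeballing Wireshark. The following Python is an added example written for this page; it is not code from the thread, from Symantec or from Dell, and the frames it analyses are constructed inline rather than taken from the attached local.zip. The function names (`parse_arp_request`, `find_arp_sweeps`) and the 20-targets-in-10-seconds threshold are my own choices. It decodes raw Ethernet/IPv4 ARP request frames and reports any sender that asked for an unusually large number of distinct target IPs inside a sliding time window, which separates a host walking the subnet from one that merely resolves its gateway or a printer now and then.

```python
"""Spot ARP sweeps ("who has X? tell Y" for many X) in captured frames.

Added example for this thread; not Symantec's, Dell's or the poster's code.
Frames below are constructed in-line, not taken from the attached capture.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1


def _ip_bytes(dotted):
    return bytes(int(octet) for octet in dotted.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_arp_request(frame):
    """Return (sender_ip, target_ip) if frame is an Ethernet/IPv4 ARP request, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, _sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, ARP_REQUEST):
        return None
    return _ip_str(spa), _ip_str(tpa)


def find_arp_sweeps(packets, window=10.0, threshold=20):
    """packets: iterable of (timestamp_seconds, raw_frame_bytes).

    Returns {sender_ip: peak_distinct_targets} for every sender that asked
    for at least `threshold` distinct target IPs inside any `window` seconds.
    A host resolving its gateway a few times never trips this; a host
    walking the subnet does.
    """
    by_sender = defaultdict(list)
    for ts, frame in packets:
        parsed = parse_arp_request(frame)
        if parsed:
            sender, target = parsed
            by_sender[sender].append((ts, target))

    sweeps = {}
    for sender, requests in by_sender.items():
        requests.sort()
        in_window = defaultdict(int)    # target -> requests inside the current window
        start = 0
        peak = 0
        for ts, target in requests:
            in_window[target] += 1
            # slide the left edge forward until the window is at most `window` seconds wide
            while ts - requests[start][0] > window:
                old_target = requests[start][1]
                in_window[old_target] -= 1
                if in_window[old_target] == 0:
                    del in_window[old_target]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            sweeps[sender] = peak
    return sweeps


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Constructed broadcast ARP request frame (test input, not a real capture)."""
    eth = ETH_HDR.pack(b"\xff" * 6, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST,
                       sender_mac, _ip_bytes(sender_ip),
                       b"\x00" * 6, _ip_bytes(target_ip))
    return eth + arp


def sample_capture():
    """Constructed 30-second capture: 192.168.1.50 sweeps .1-.60 at ten
    requests a second, while 192.168.1.77 only resolves its gateway twice."""
    packets = []
    sweeper_mac = b"\x00\x1a\x2b\x3c\x4d\x5e"
    for i in range(60):
        packets.append((i * 0.1, build_arp_request(sweeper_mac, "192.168.1.50", f"192.168.1.{i + 1}")))
    quiet_mac = b"\x00\x1a\x2b\x3c\x4d\x5f"
    packets.append((5.0, build_arp_request(quiet_mac, "192.168.1.77", "192.168.1.1")))
    packets.append((25.0, build_arp_request(quiet_mac, "192.168.1.77", "192.168.1.1")))
    return packets


if __name__ == "__main__":
    for sender, peak in find_arp_sweeps(sample_capture()).items():
        print(f"{sender}: asked for {peak} distinct hosts within 10 s")
```

To run this over a real file, read the pcap with a library such as scapy (`rdpcap`) and feed `(pkt.time, bytes(pkt))` pairs into `find_arp_sweeps`; reading the capture is left to that library and is not part of the example. Note that ARP is generated by the driver or kernel rather than by a socket-owning process, which is why Process Monitor could not tie these frames to a program: the sweep has to be attributed by sender IP/MAC first and then traced to a service or driver on that host, as the poster eventually did.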
.Brian:

Can you attach your pcap file? What IP address is the request being made to?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

cheesypuffs:

The requests are being made to various IP addresses on the network (there's probably 50 or so).

A 30 second pcap is attached.

Attachment: local.zip (1.63 KB)

.Brian:

Do you use dropbox? Sharing out files? Your PC made a GET request to notify5.dropbox.com.

I'm not familiar with Dropbox, but if you remove the app, you will see this traffic stop and likely the notifications from SEP.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

cheesypuffs:

I do use Dropbox, but only for backup.  It doesn't communicate directly with other computers at all, only with the Dropbox servers, and isn't likely to be sending out the network traffic I'm worried about.  If you really think that it's the only explanation for the port scans, I'll get rid of it and see, but I really doubt it.

.Brian:

There's only internal traffic, other than one Dropbox request. If requests are being made to an external address, either do a longer capture and post it or start googling those IP addresses. Many times you can see what piece of malware it is by seeing the command and control servers and then starting the removal process for that specific piece.

Again, not sure what version you're running, but there was a bug in an older version that caused false positives on port scans.

It may or may not be Dropbox, I can't say for sure. I know an older version of SEP didn't play nice with Skype, so it very well could be legitimate software and SEP is flagging it.

It seems odd to me that you've run all kinds of anti malware products on your system and nothing came up.

Do you have any printer software installed? I've seen issues with these as well.

Have you tried Autoruns to find any suspect startup processes?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

cheesypuffs:

I asked someone who actually knows how computers work, and they pointed me to looking at the Dell Advanced Networking Service.  I've disabled it, and the flow of ARPs has stopped.  Now my computer actually is asking the server for ARP requests, instead of broadcasting to every computer on the network.  It's had no negative effect on my internet usage.  So, for anyone who has this problem in the future and who has a Dell, try disabling the Advanced Networking Service.

SOLUTION