Endpoint Protection


Port Scan Attack


  • 1.  Port Scan Attack

    Posted May 17, 2012 11:31 PM

    The other day, I was working on a friend's computer, when a Symantec error popped up:  "The traffic from IP address xx.xxx.x.xx has been blocked for 600 seconds."  When I investigated, the logs showed it was a port scan attack from another computer on the network (private network, but a lot of people on it).  Further investigation revealed it was actually my computer in the other room that was sending the port scans.  Since then, I've run several anti-spyware or anti-virus programs on my computer, and every one has come out negative (well, some tracking cookies, but nothing big).  I've tried Malwarebytes, Spybot S&D, Avast, Superantispyware, and Hitman Pro (all with completely updated definitions).  Is there another possible, legitimate source for these port scans, or should I keep downloading and running other anti-malware programs?

    Thanks



  • 2.  RE: Port Scan Attack

    Posted May 17, 2012 11:59 PM

    Hi,

    In the SEPM you can create a firewall rule to block an attacker address, or you can increase the default time limit of 10 minutes.

    By default attacker IP address is blocked for 10 minutes. You can maximize this time through policies. Set it to maximum.

    I don't see any point in creating an exception for a single IP address, because attackers are smart enough that they will start with a new IP address.

    If a machine is receiving an attack, it means there must be some loophole in the system.

    Patch the system with all the system updates. Use all the SEP features, i.e. AV/AS, PTP & NTP, with the latest definitions.

    Check this article:

    http://www.symantec.com/business/security_response/attacksignatures/detail.jsp?asid=23179

    Check this link for all the updates which need to be installed.

    http://www.securityfocus.com/bid/31874/solution

     

    You can check these forums.

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out-1

    https://www-secure.symantec.com/connect/forums/constant-traffic-ip-address-xxxxxxxx-blocked-message-popping-out

     



  • 3.  RE: Port Scan Attack

    Broadcom Employee
    Posted May 18, 2012 04:23 AM

    Hi,

    Latest version of SEP is SEP 12.1 RU1 MP1, for 11.x it's RU7 MP2

    It is recommended to install all the Symantec features AV / PTP / NTP with the latest definitions. Always make sure that your computers are receiving definitions regularly.

    You can upgrade your product to the latest build.

    Your Windows machines should have all the latest Windows updates/patches.

    Disable Autorun if not using SEP 12.1

    Please follow the best practice guide to handle virus issues.

    http://www.symantec.com/business/support/index?pag...

    Download and run the Power Eraser and Load Point Analysis Tool (included with the SEP Support Tool).

    The Power Eraser Tool eliminates deeply embedded and difficult to remove threats that traditional virus scanning doesn't always detect.

    The Load Point Analysis Tool generates a detailed report of the programs loaded on your system, and is helpful in listing common load points where threats can live.

    http://www.symantec.com/business/support/index?page=content&id=TECH105414&locale=en_US

    How to use the Load Point Analysis within the Symantec Support Tool to help locate suspicious files http://www.symantec.com/business/support/index?page=content&id=TECH141402

    If possible, please share a screenshot of the pop-up, because that would be more helpful.



  • 4.  RE: Port Scan Attack

    Posted May 18, 2012 07:44 AM

    You need to identify what is causing this detection:

     - When does it occur?

     - How often does it occur?

     - Does it match the moment when you run a specific application/program?

     - Are there more machines detecting similar attacks, from your machine or another one?


    If the problem can be easily reproduced, you can use Wireshark + Process Monitor to check what is causing this traffic.




  • 5.  RE: Port Scan Attack

    Posted May 18, 2012 08:32 AM

    What version are you running? I know version 11.0.6005 caused a false positive, which was fixed in a later release.



  • 6.  RE: Port Scan Attack

    Posted May 18, 2012 11:20 PM

    Thanks, but my question was asking how to respond if you own the "attacking" computer, not so much the one under attack.



  • 7.  RE: Port Scan Attack

    Broadcom Employee
    Posted May 18, 2012 11:32 PM

    Since you have identified the machine in the network, you can check with the user of the machine whether he has run a port scan or is using any application like that.




  • 8.  RE: Port Scan Attack

    Posted May 18, 2012 11:41 PM

    I downloaded Wireshark + ProcessMonitor.  The first is awesome, the second is a little beyond me, I think.  Here's what I've got:

    When does it occur? When I'm logged into Windows.  It does this even though it is locked and hasn't been touched for hours.

    How often does it occur?  Several times a second.  From the receiving computer's end, once every ten minutes or so (i.e. shortly after it unblocks the attack)

    Does it match the moment you run a specific program?  No, it's constant.

    Are there more machines detecting similar attacks, from your machine or another one? I've had another friend mention it before in the past, and now that I'm looking at Wireshark, it's cycling through tons of IPs (all on my network)

    Looking at Wireshark, there seems to be one main offender: My computer (under the name LiteonTe_(MACaddress)) is broadcasting using the ARP protocol and asking "Who has (IP address)?  Tell (my IP address)"  As soon as it receives a reply with a MAC address, it moves on to another IP.  How do I connect this info with Process Monitor?

    I'm not sure how much is a normal amount of traffic for Wireshark and Processmonitor, but I got 10,000 local network entries and close to a million processes in half an hour.  Is that usual or scary?
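
    The questions in reply 4 (when, how often, from which machine) and the Wireshark observation in reply 8 (one host broadcasting "Who has X? Tell Y" for address after address) can be turned into a small detection check. The following Python is an added example written for this thread, not code from the original posts or from Symantec: it parses ARP request lines in the wording Wireshark's Info column uses, groups them by sender, and flags any sender that asks for an unusually large number of distinct addresses within a short window. The capture text is constructed inline, and the window (10 seconds) and threshold (20 distinct targets) are assumed values for illustration, not SEP's own port-scan parameters.

```python
"""Flag hosts that sweep the subnet with ARP requests.

Added example for the "Port Scan Attack" thread; not code from the original
posts or from Symantec. Input is text in the "Who has X? Tell Y" wording that
Wireshark prints in its Info column, prefixed by a relative timestamp.
"""
import re
from collections import defaultdict

# Matches "<ts> ... Who has <target>? Tell <sender>"; ARP replies ("X is at ...")
# deliberately do not match, so only requests are counted.
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+.*?Who has (?P<target>\d+\.\d+\.\d+\.\d+)\?"
    r"\s+Tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)


def build_sample_capture():
    """Constructed capture: one host walks 192.168.1.1-50 at ten requests per
    second, while other hosts do ordinary one-off lookups."""
    lines = []
    for i in range(1, 51):
        ts = round((i - 1) * 0.1, 1)
        lines.append(f"{ts:.3f} Who has 192.168.1.{i}? Tell 192.168.1.50")
    lines += [
        "0.300 Who has 192.168.1.1? Tell 192.168.1.7",
        "0.310 192.168.1.1 is at 00:11:22:33:44:55",   # reply, ignored by the parser
        "1.200 Who has 192.168.1.1? Tell 192.168.1.9",
        "30.000 Who has 192.168.1.1? Tell 192.168.1.7",
    ]
    return "\n".join(lines)


def parse_arp_requests(text):
    """Return a list of (timestamp, sender, target) tuples, one per ARP request."""
    requests = []
    for line in text.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            requests.append((float(m["ts"]), m["sender"], m["target"]))
    return requests


def find_arp_sweeps(requests, window=10.0, threshold=20):
    """Return {sender: peak_distinct_targets} for every sender that asked for at
    least `threshold` distinct targets inside some `window`-second span.

    A sliding window over each sender's requests keeps a count per target so
    repeated lookups of the same address (normal cache refreshes) count once.
    """
    by_sender = defaultdict(list)
    for ts, sender, target in requests:
        by_sender[sender].append((ts, target))

    sweeps = {}
    for sender, events in by_sender.items():
        events.sort()
        in_window = defaultdict(int)   # target -> requests currently in the window
        start = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            # Drop events that fell out of the window behind this one.
            while events[start][0] < ts - window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            sweeps[sender] = peak
    return sweeps


if __name__ == "__main__":
    reqs = parse_arp_requests(build_sample_capture())
    print(f"{len(reqs)} ARP requests parsed")
    for sender, count in find_arp_sweeps(reqs).items():
        print(f"{sender} asked for {count} distinct hosts within 10 s: investigate this machine")
```

    Run against a real capture, you would export the ARP display filter from Wireshark as text and feed it in; the sender it reports is the machine to open Process Monitor on, since the flagged address tells you where to look but not which process is responsible. Lowering the threshold makes the check noisier; a host that only refreshes a handful of neighbours, like the two ordinary hosts in the sample, never reaches it.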



  • 9.  RE: Port Scan Attack

    Posted May 18, 2012 11:41 PM

    Since I am the owner, the answer is no, I don't think so.  Not intentionally.



  • 10.  RE: Port Scan Attack

    Posted May 18, 2012 11:43 PM

    I can check on Monday.  I'm pretty sure it's fully updated, though, and my computer is definitely sending out a lot of weird traffic.



  • 11.  RE: Port Scan Attack

    Broadcom Employee
    Posted May 18, 2012 11:47 PM

    ok, is your machine attacker/attacked?



  • 12.  RE: Port Scan Attack

    Posted May 19, 2012 12:47 AM

    Attacker



  • 13.  RE: Port Scan Attack

    Broadcom Employee
    Posted May 19, 2012 01:20 AM

    Ahh! Okay, in that case, do you use any tool? If not, I suggest opening a support ticket.

    I believe there is some application trying to connect to the machine and crossing the threshold for port scan, hence it is showing up. Did you try to exclude your folder?



  • 14.  RE: Port Scan Attack

    Posted May 19, 2012 01:50 PM
    So, here's the full situation as it stands: I believe my computer is compromised.  It is SENDING out port scans across the network I'm on.  These are constant requests for the MAC addresses associated with different IP addresses.  It is sending multiple requests per second, and they occur at all hours of the day (whenever the computer is on).  I have verified this with Wireshark.  I (the owner and only user of this computer) have not run any programs or processes that, to my knowledge, would create these requests.

    So far I've run: Symantec Load Point Analysis, Symantec Power Eraser, Avast Antivirus, Malwarebytes, Spybot S&D, Superantispyware, Hitman Pro, Prevx, and Ad-Aware.  None of them have found anything connected with the outbound port scan attacks.

    My goal: discover if these attacks are malicious or benign, and turn them off in either case.

    I believe this is all the relevant information so far.  My main question right now is: is there any safe program that sends out these messages, and if so, how would I go about discovering that it is the source?  I'm familiar with computers, but I'm not much of a techy, so any help is really appreciated.


  • 15.  RE: Port Scan Attack

    Posted May 19, 2012 01:53 PM

    To be honest, I'm not exactly sure what you're asking.

    Tool?  Using what kind of tool, and for what?

    Is there a way I can check to see which application might be trying to connect?  And I'm afraid I've never heard of excluding folders before.



  • 16.  RE: Port Scan Attack

    Posted May 19, 2012 02:53 PM

    Can you attach your pcap file? What IP address is the request being made to?



  • 17.  RE: Port Scan Attack

    Posted May 19, 2012 04:12 PM

    The requests are being made to various IP addresses on the network (there's probably 50 or so).

    A 30 second pcap is attached.

    Attachment(s): local.zip (1 KB)


  • 18.  RE: Port Scan Attack

    Posted May 19, 2012 08:26 PM

    Do you use dropbox? Sharing out files? Your PC made a GET request to notify5.dropbox.com.

    I'm not familiar with Dropbox, but if you remove the app, you will see this traffic stop and likely the notifications from SEP.



  • 19.  RE: Port Scan Attack

    Posted May 20, 2012 12:50 AM

    I do use dropbox, but only for backup.  It doesn't communicate directly with other computers at all, only with the dropbox servers, and isn't likely to be sending out the network traffic I'm worried about.  If you really think that it's the only explanation for the port scans, I'll get rid of it and see, but I really doubt it.



  • 20.  RE: Port Scan Attack

    Posted May 20, 2012 09:00 AM

    There's only internal traffic, other than one Dropbox request. If requests are being made to an external address, either do a longer capture and post it, or start googling those IP addresses. Many times you can see what piece of malware it is by seeing the command and control servers and then starting the removal process for that specific piece.

    Again, not sure what version you're running, but there was a bug in an older version that caused false positives on port scans.

    It may or may not be Dropbox, I can't say for sure. I know an older version of SEP didn't play nice with Skype, so it very well could be legitimate software and SEP is flagging it.

    It seems odd to me that you've run all kinds of anti malware products on your system and nothing came up.

    Do you have any printer software installed? I've seen issues with these as well.

    Have you tried autoruns to find any suspect startup processes?



  • 21.  RE: Port Scan Attack
    Best Answer

    Posted May 26, 2012 05:50 PM

    I asked someone who actually knows how computers work, and they pointed me to looking at the Dell Advanced Networking Service.  I've disabled it, and the flow of ARPs has stopped.  Now my computer actually is asking the server for ARP requests, instead of broadcasting to every computer on the network.  It's had no negative effect on my internet usage.  So, for anyone who has this problem in the future and who has a Dell, try disabling the Advanced Networking Service.



  • 22.  RE: Port Scan Attack

    Posted May 27, 2012 01:14 PM

    Good information