Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.

Port Scan Attack. Blocking 3-5 Every Minute.

Created: 26 Apr 2012 | 6 comments

Hello. I have Symantec Endpoint Protection. I'm not very computer savy, but ever since 4/25/2010 since around 10:50 P.M. Eastern Time symantec version 12.1.671.4971 was reporting in my task bar Blocked port scan attacks. I was and still am recieving attempts that are being succesfully blocked every minute.

These scans happen every minute from the same IP Addresses: 192.168.1.3  and others. The maximum KB it would display would fill up so fast I kept clearing the page even though it is blocking them all. How do I block IP addresses and block ports,  Or is there a way to turn off certain ports or hide myself so that I recieve less attacks. They haven't stopped yet and it is making me nervous. I'm running Spybot, AVG, and Symantec. How do I block certain ip addresses from attacking me.

Ive done research at these websites for information. Any help would be appreciated. Thank you.

http://answers.yahoo.com/question/index?qid=200710...

Who do i need to contact to report the scanner to stop recieving port scans and security breach attempts?

Some examples of the messages:

1 4/26/2012 9:08:14 PM Blocked 10 Outgoing ICMP 99.25.96.204 00-1F-90-62-68-7F 3 192.168.1.3 00-26-C6-6F-CF-52 3 2 4/26/2012 9:07:57 PM 

Comments 6 CommentsJump to latest comment

BNH's picture

Is your Symantec Endpoint protection part of any company machine and it is a managed machine ?

By the looks of that log, it is blocking outgoing ICMP. This might be a rule set by your IT administrator.

-- Got new virus ? Try update your defs here : ftp://ftp.symantec.com/AVDEFS/norton_antivirus/rap... --

JTCCKid007's picture

The version of Symantec was a free download from the school I attend. I use it at home on my laptop away and on campus. These message logs have appeared while not at school. I am wondering if it could related to a virus on a USB ?

More of the logs show incomming/outgoing UDP and TCP. These are listed under Network Threat Protection Logs. Including several different remote hosts and ports.

Beppe's picture

Hi,

SEP is protecting you against attacks, it does not necessarilty means that your PC has been already compromised/infected.

Now you have to find whose 192.168.1.3 and investigate on that system to know if it is infected and why it is triggering as port scan detection; you need to shut down the attack, not only focus on the defence.

Regards,

Giuseppe

greg12's picture

Please check the following:

1. SEP version (SEP Client > Help > About)

2. Your IPv4  address (Windows > Start > Run > cmd > ipconfig  )

3. Logs for port scans: SEP Client > View Logs > Client Management/View Logs > Security Log, in the "Event type" column search for "Port Scan"

4. Click on a Port scan event, now you'll see comprehensive info in the left bottom of the window, something like this:

Somebody is scanning your computer.
Your computer's TCP ports:
XX, YYY, ZZZ, AAA and NNN have been scanned from 11.22.333.444.

peter ashley's picture

Normally 192.168.1.XXX addresses are used for local networks like in your home or directly on the same router.  Can you get access to the 192.168.1.3 machine and check it's activity with the netstat command?

Marc_Bzh's picture

Hi JTCCKid007,

could this IP address (99.25.96.204) refer to your DNS server?

Did you come across any IPS detections on this SEP client resulting in losing the internet connection for 600 seconds?

I am asking these questions, because SEP may have detected and blocked some intrusions. If this is the case, by default all connections will be blocked for 10 minutes (600 seconds).

Therefore, this could explain why outgoing ping requests (ICMP) to a DNS server outside of your LAN could be blocked as well.