
port scan comes from itself?

Created: 19 Jun 2013 • Updated: 27 Jun 2013 | 27 comments
This issue has been solved. See solution.

A tip pops out from the SEP icon showing that the client will stop the communication from IP address x.x.x.x for the next 600 seconds, as a port scan attack is detected.

What makes me confused is that the IP address shown on the tip is the IP address of this client, which means the client attacked itself? How come?


W007:

hello,

Try to disable IPv6.

Check this thread:

https://www-secure.symantec.com/connect/forums/port-scan-attack

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

Leo Young:

Thanks for your answer. The client is running Win XP; there is no IPv6 on it.

I've checked the thread and found no helpful info for my issue.

:-(

Leo Young:

There are hundreds of PCs in my company, and just a few PCs got this tip. And none of the PCs has any port scanning software installed.

And I wonder why the attacker is itself?

Chetan Savade:

Hi,

Thank you for posting in Symantec community.

Are all the machines showing the same client IP address, or showing their own IP addresses in the notification?

It seems to me like an internal attack.

Please provide the asked info.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Leo Young:

All the machines are showing their own IP addresses in the notification.

I uploaded a screenshot of the NTP log. My SEPM is the Chinese version; I've translated some words into English, which may be helpful for understanding.

[Attachment: NTP screen shot.JPG]

James-x:

Hi Leo,

Can you attach a screenshot of the popup notification which is having the problem, too?

In the screenshot above, can you confirm that the machine which received those detections has an IP address of 10.32.73.62?

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Chetan Savade:

Hi,

Please provide the info asked by James.

Also, you can run the SymHelp tool on the affected computer.

Symantec Help (SymHelp) is a utility designed to quickly and efficiently diagnose common issues encountered on multiple Symantec products. SymHelp can identify most of the problems that you might run into when installing the client, and provide instructions on how to solve them. If SymHelp cannot identify the problem, it can create a detailed report that you can submit to Technical Support to identify the problem.

Download the SymHelp tool from here.


Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Leo Young:

Thanks for the help; the screenshot was posted.

I ran the tool on the PC that got the warning to check its running state. It just reports that the version of the client is old (12.1); no error detected.

Leo Young:

Sorry for the late reply. I posted the warning screenshot of the PC which has the IP address 10.32.73.62.


[Attachment: warning.JPG]

pete_4u2002:

Can you check the logs and see what application is blocked?

Leo Young:

No application is blocked; it just blocks the traffic from IP x.x.x.x, and this IP address is the one the client acquired.

I also see the log in the SEPM NTP attack log. There is something strange.

Normally, the IP address of the PC that was attacked will show in the "local machine IP" column, but the log shows it in the "remote machine IP" column.


Leo Young:

Thanks for the help. I uploaded a screenshot above; it may be helpful for you to analyse.

Rafeeq:

Leo, a screenshot would be helpful. Can you post it, please?

.Brian:

Is the machine infected and perhaps scanning for other hosts on the network to try and attack?

Have you verified the machine is clean?

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Leo Young:

All the PCs have only the OA/ERP software they need installed, and they don't have the privilege to install any software.

James-x:

Hi Leo,

Are you running any virtualization software (for example, VMware Workstation) on this machine? Is there any reason the NIC might be in promiscuous mode (for example, running packet capture software)?

I've seen this issue before, but only when the NIC was in promiscuous mode (which some virtualization software will do when you put the virtual NIC into bridged mode).

I've only noticed this issue on Windows 7, though, so I'm not sure if you're experiencing what I've seen or not.

James

The Symantec Endpoint Protection Knowledgebase

Please remember to mark the post which resolved your issue as the solution!

Leo Young:

No virtualization software was installed. The client OS is Win XP.

I don't know whether the client's NIC is in promiscuous mode or not, but I know they don't have the privilege to change any network setting.

I uploaded a screenshot of the NTP log above; it may be helpful for you to analyse.

Rafeeq:

What version of SEP are you using? It could be a false positive.

Resolved a UDP flood attack false positive
Fix ID: 2058022
Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.

Leo Young:

Thanks for the help.

SEPM 12.1 RU2, client sep 12.1

Chetan Savade:

Hi,

Can you take this machine (10.32.73.62) offline and monitor the status?

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

Leo Young:

Thanks for the reply.

No other machine has the IP address 10.32.73.62. There is no ARP attack, and a port scan has nothing to do with an ARP attack. Why should I take this machine offline?

Normally, if someone scans your PC, his IP address will be shown in the warning message as the remote IP. But in my issue, it seems the IP of the PC that was scanned is shown as the remote IP. This is quite a strange thing.
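An added triage script, not part of the thread, for the two observations above (the attacked PC's own address appearing in the remote column, and the question of whether the host is really scanning others): it reads an attack-log export, separates self-referencing detections from genuine remote ones, groups them by client version, and flags any "self" IP that another host also reported as a remote source. The CSV column names and the sample rows are assumptions constructed for the example, not SEPM's real export format.

```python
import csv
import io
from collections import Counter

# Constructed sample of an NTP attack-log export. Column names are assumed for
# this example; "12.1 (older)" stands in for the pre-RU3 client build.
SAMPLE_LOG = """\
Computer Name,Local Host IP,Remote Host IP,Event Description,Client Version
PC-A,10.32.73.62,10.32.73.62,Port Scan attack is logged,12.1 (older)
PC-B,10.32.73.80,10.32.73.62,Port Scan attack is logged,12.1.3001.165
PC-C,10.32.73.91,10.32.73.91,Port Scan attack is logged,12.1 (older)
PC-D,10.32.73.120,192.0.2.45,Port Scan attack is logged,12.1.3001.165
"""


def parse_log(text):
    """Parse the CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_self_referencing(row):
    """True when the reported 'attacker' is the client's own address (the symptom here)."""
    return row["Local Host IP"] == row["Remote Host IP"]


def triage(rows):
    """Group self-referencing vs. genuine-remote detections by client version.

    If the self-referencing rows cluster on one (older) client build while
    up-to-date clients only report real remote sources, a client/server
    version mismatch is the likelier explanation than an actual scan.
    """
    selfs = [r for r in rows if is_self_referencing(r)]
    remote = [r for r in rows if not is_self_referencing(r)]
    return {
        "self_by_version": Counter(r["Client Version"] for r in selfs),
        "remote_by_version": Counter(r["Client Version"] for r in remote),
        "remote_sources": sorted({r["Remote Host IP"] for r in remote}),
    }


def corroborated_scanners(rows):
    """IPs that a host reports as 'attacking itself' AND that some other host
    also logged as a remote source. Those deserve an offline check; a self-only
    IP with no second witness looks like the false positive in this thread."""
    self_ips = {r["Local Host IP"] for r in rows if is_self_referencing(r)}
    seen_remote = {r["Remote Host IP"] for r in rows if not is_self_referencing(r)}
    return sorted(self_ips & seen_remote)
```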

Rafeeq:

Start - Run

ncpa.cpl

How many network cards do you see? Can you do an ipconfig /all and see how many IPs it lists?

EDIT: and also, can you reconfirm whether it's showing it as below in the NTP logs, not local/remote client?

Current IP Address

Historical IP Address

Remote Host IP


Chetan Savade:

Hi,

Can you test with the latest SEP version?

Latest SEP client version is SEP 12.1 RU3 (12.1.3001.165)

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.

SOLUTION
Leo Young:

I think it is a compatibility issue with different versions between server and client. Now I have upgraded the client to the newest; all is well.

Thanks, everyone above.

Chetan Savade:

Hi,

Thanks for the update.

Chetan Savade
Sr.Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.