
port scan comes from itself?


  • 1.  port scan comes from itself?

    Posted Jun 19, 2013 11:58 PM

    A tip pops up from the SEP icon showing that the client will stop the communication from IP address x.x.x.x for the next 600 seconds; a port scan attack is detected.

    What confuses me is that the IP address shown in the tip is the IP address of this client, which means the client attacked itself? How come?

     

     



  • 2.  RE: port scan comes from itself?

    Posted Jun 20, 2013 12:04 AM

    Hello,

    Try to disable IPv6.

    Check this thread:

    https://www-secure.symantec.com/connect/forums/port-scan-attack



  • 3.  RE: port scan comes from itself?

    Posted Jun 20, 2013 12:05 AM

    Is there any application running on the system which is installed on that IP?

    https://www-secure.symantec.com/connect/forums/endpoint-protection-blocks-ip-my-router



  • 4.  RE: port scan comes from itself?

    Posted Jun 20, 2013 02:34 AM

    Thanks for your answer. The client is running Win XP; there is no IPv6 on it.

    I've checked the thread and found no helpful info for my issue.

    :-(



  • 5.  RE: port scan comes from itself?

    Broadcom Employee
    Posted Jun 20, 2013 02:50 AM

    Can you check the logs and see what application is blocked?



  • 6.  RE: port scan comes from itself?

    Posted Jun 20, 2013 04:03 AM

    There are hundreds of PCs in my company; just a few PCs got this tip. And none of the PCs has port scanning software installed.

    And I wonder why the attacker is itself?



  • 7.  RE: port scan comes from itself?

    Posted Jun 20, 2013 04:46 AM

    No application is blocked; it just blocks the traffic from IP x.x.x.x, and this IP address is the one the client acquired.

    I also looked at the SEPM NTP attack log. There is something strange.

    Normally, the IP address of the PC that was attacked is shown in the "local machine IP" column, but the log shows it in the "remote machine IP" column.

     



  • 8.  RE: port scan comes from itself?

    Posted Jun 20, 2013 05:01 AM

    Leo, a screenshot would be helpful. Can you post it, please?



  • 9.  RE: port scan comes from itself?

    Posted Jun 20, 2013 08:32 AM

    Is the machine infected and perhaps scanning for other hosts on the network to try and attack?

    Have you verified the machine is clean?



  • 10.  RE: port scan comes from itself?

    Broadcom Employee
    Posted Jun 20, 2013 08:46 AM

    Hi,

    Thank you for posting in Symantec community.

    Are all the machines showing the same client IP address, or showing their own IP addresses in the notification?

    It seems to me to be an internal attack.

    Please provide the requested info.



  • 11.  RE: port scan comes from itself?

    Posted Jun 20, 2013 01:10 PM

    Hi Leo,

    Are you running any virtualization software (for example, VMware Workstation) on this machine? Is there any reason the NIC might be in promiscuous mode (for example, running packet capture software)?

    I've seen this issue before, but only when the NIC was in promiscuous mode (which some virtualization software will do when you put the virtual NIC into bridged mode).

    I've only noticed this issue on Windows 7, though, so I'm not sure if you're experiencing what I've seen or not.

    James



  • 12.  RE: port scan comes from itself?

    Posted Jun 20, 2013 08:52 PM

    All the machines are showing their own IP addresses in the notification.

    I uploaded the screenshot of the NTP log. My SEPM is the Chinese version; I've translated some words into English, which may be helpful for understanding.



  • 13.  RE: port scan comes from itself?

    Posted Jun 20, 2013 09:07 PM

    No virtualization software was installed. The client OS is Win XP.

    I don't know whether the client's NIC is in promiscuous mode or not, but I know they don't have the privilege to change any network setting.

    I uploaded a screenshot of the NTP log above; it may be helpful for your analysis.



  • 14.  RE: port scan comes from itself?

    Posted Jun 20, 2013 09:09 PM

    I posted the screenshot above.



  • 15.  RE: port scan comes from itself?

    Posted Jun 20, 2013 09:11 PM

    Thanks for the help. I uploaded a screenshot above; it may be helpful for your analysis.



  • 16.  RE: port scan comes from itself?

    Posted Jun 21, 2013 12:11 AM

    What version of SEP are you using? It could be a false positive.

    Resolved a UDP flood attack false positive
    Fix ID: 2058022
    Symptom: After upgrading to Symantec Endpoint Protection 11.0 RU6, the client detects a UDP flood attack.
    Solution: The UDP flood detection thresholds were modified to reduce the occurrence of false positive flood attacks.


  • 17.  RE: port scan comes from itself?

    Posted Jun 21, 2013 01:11 AM

    Thanks for the help.

    SEPM 12.1 RU2, client SEP 12.1



  • 18.  RE: port scan comes from itself?

    Posted Jun 21, 2013 01:14 AM

    All the PCs have only the needed OA/ERP software installed, and they don't have the privilege to install any software.



  • 19.  RE: port scan comes from itself?

    Posted Jun 21, 2013 08:36 AM

    Hi Leo,

    Can you attach a screenshot of the popup notification which has the problem, too?

    In the screenshot above, can you confirm that the machine which received those detections has an IP address of 10.32.73.62?

    James



  • 20.  RE: port scan comes from itself?

    Broadcom Employee
    Posted Jun 21, 2013 10:29 AM

    Hi,

    Please provide the info James asked for.

    You can also run the SymHelp tool on the affected computer.

    Symantec Help (SymHelp) is a utility designed to quickly and efficiently diagnose common issues encountered on multiple Symantec products. SymHelp can identify most of the problems that you might run into when installing the client, and provide instructions on how to solve them. If SymHelp cannot identify the problem, it can create a detailed report that you can submit to Technical Support to identify the problem.

    Download Symhelp tool from here

     



  • 21.  RE: port scan comes from itself?

    Posted Jun 23, 2013 09:19 PM

    Sorry for the late reply. I posted the warning screenshot of the PC which has the IP address 10.32.73.62.

     



  • 22.  RE: port scan comes from itself?

    Posted Jun 23, 2013 09:45 PM

    Thanks for the help; the screenshot was posted.

    I ran the tool on the PC that got the warning to check its running state. It just reports that the version of the client is old (12.1); no error was detected.



  • 23.  RE: port scan comes from itself?

    Broadcom Employee
    Posted Jun 24, 2013 06:01 AM

    Hi,

    Can you take this machine (10.32.73.62) offline and monitor the status?



  • 24.  RE: port scan comes from itself?

    Posted Jun 24, 2013 09:27 AM

    Thanks for the reply.

    No other machine has the IP address 10.32.73.62. There is no ARP attack, and a port scan has nothing to do with an ARP attack. Why should I take this machine offline?

    Normally, if someone scans your PC, his IP address will be shown in the warning message as the remote IP. But in my issue, it seems the IP of the PC that was scanned is shown as the remote IP. This is quite a strange thing.



  • 25.  RE: port scan comes from itself?

    Posted Jun 24, 2013 10:09 AM

    Start - Run

    ncpa.cpl

    How many network cards do you see? Can you do an ipconfig /all and see how many IPs it lists?

    EDIT: Also, can you reconfirm if it's saying it as below in the NTP logs, not local remote client?

    Current IP Address 

    Historical IP Address

    Remote Host IP

     

     



  • 26.  RE: port scan comes from itself?
    Best Answer

    Broadcom Employee
    Posted Jun 24, 2013 10:11 AM

    Hi,

    Can you test with the latest SEP version?

    Latest SEP client version is SEP 12.1 RU3 (12.1.3001.165)



  • 27.  RE: port scan comes from itself?

    Posted Jun 27, 2013 04:53 AM

    I think it is a compatibility issue between different versions of the server and client. Now I have upgraded the client to the newest version. All is well.

    Thanks, everyone above.



  • 28.  RE: port scan comes from itself?

    Broadcom Employee
    Posted Jun 27, 2013 05:00 AM

    Hi,

    Thanks for the update.
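
A triage sketch for the symptom discussed in this thread, added here as an example and not code from Symantec or from any poster: it separates port scan events whose reported remote IP is the reporting client's own address from events that name another host, and groups the self-attributed ones by client version. The CSV layout and column names are assumptions and not the SEPM export schema; the rows are constructed sample data (the address 10.32.73.62 and the version strings are taken from the thread, the 192.0.2.x addresses are placeholders).

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are hypothetical, not SEPM's schema.
SAMPLE_LOG = """\
client_ip,client_version,event,local_ip,remote_ip
10.32.73.62,12.1,Port Scan,10.32.73.62,10.32.73.62
10.32.73.62,12.1,Port Scan,10.32.73.62,10.32.73.62
192.0.2.15,12.1,Port Scan,192.0.2.15,192.0.2.15
192.0.2.20,12.1.3001.165,Port Scan,192.0.2.20,192.0.2.99
192.0.2.21,12.1.3001.165,Port Scan,192.0.2.21,192.0.2.99
"""


def triage(log_text):
    """Split port scan events into self-attributed and externally attributed."""
    self_hits = defaultdict(set)  # client version -> clients naming themselves
    scanners = defaultdict(set)   # remote IP -> clients that reported it
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] != "Port Scan":
            continue
        if row["remote_ip"] == row["client_ip"]:
            # The client names its own address as the scan source.
            self_hits[row["client_version"]].add(row["client_ip"])
        else:
            scanners[row["remote_ip"]].add(row["client_ip"])
    return self_hits, scanners


def summarize(log_text):
    """Return self-attributed clients per version and remote IPs seen by 2+ clients."""
    self_hits, scanners = triage(log_text)
    return {
        "self_by_version": {v: sorted(c) for v, c in self_hits.items()},
        "shared_scanners": {
            ip: sorted(c) for ip, c in scanners.items() if len(c) > 1
        },
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Self-attributed events that cluster on one client version are worth checking against a client upgrade before treating each host as a separate incident, while a remote IP reported by several clients points to a scanner that should be located.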