Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

Port Scan from a Networked Printer

Created: 20 Dec 2012 | 2 comments


I have some customers who can't access their networked printers because SEP 11.0.7200 is blocking due to what NTP believes is a Port Scan attack.

See below:

Event Description:

Somebody is scanning your computer. Your computer's TCP ports: 56902, 56899, 56901, 56900 and 56897 have been scanned from IP.

Attack Type:

Port Scan

Network Protocol: TCP

Traffic Direction: Inbound

Send SNMP trap: 1

Remote Host Name:

Hack Type: 0

Application Name:

I found a couple articles, one suggested disabling the Dell Advanced Networking Service (sadly this service does not exist). Another suggested an issue with UPnP (is there a way to disable UPnP on the printer).

**I do not want to bandaid this by adding an exception for that printer or adding an Intrusion Prevention exception (I found those suggestions as well).

I'd like to figure out what the issue is and either make a global change on the SEPM (that does not leave me unprotected by NTP) or determine if this is a printer configuration issue, and have the field techs remediate all the printers.

Any thoughts from you brilliant SEP/M experts??



P.S. Upgrading to SEP 12.1.2 is also an option if it is a suggested fix.

Comments 2 CommentsJump to latest comment

iamadmin's picture

P.S. Just found all kinds of extra features and protocols that are not needed on the printer:

Don't know if these could be the culprit but I disabled:

IPX/SPX - no novell




FTP Printing

IPP Printing


Web Services Print




Brɨan's picture

I haven't seen anything to suggest it may be a bug, yet. Although this was a bug in 11.0.6 but fixed in MP2 I believe. Anything relevant in the traffic logs on an affected client?

Brief article on how a port scan is determined:

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.