
Port Scan from a Networked Printer

Created: 20 Dec 2012 | 2 comments

Hello,

I have some customers who can't access their networked printers because SEP 11.0.7200 is blocking due to what NTP believes is a Port Scan attack.

See below:

Event Description: Somebody is scanning your computer. Your computer's TCP ports: 56902, 56899, 56901, 56900 and 56897 have been scanned from IP.

Attack Type: Port Scan

Network Protocol: TCP

Traffic Direction: Inbound

Send SNMP trap: 1

Remote Host Name:

Hack Type: 0

Application Name:

I found a couple of articles: one suggested disabling the Dell Advanced Networking Service (sadly, this service does not exist). Another suggested an issue with UPnP (is there a way to disable UPnP on the printer?).

I do not want to band-aid this by adding an exception for that printer or adding an Intrusion Prevention exception (I found those suggestions as well).

I'd like to figure out what the issue is and either make a global change on the SEPM (that does not leave me unprotected by NTP) or determine if this is a printer configuration issue, and have the field techs remediate all the printers.

Any thoughts from you brilliant SEP/M experts??

Thanks,

-Mike

P.S. Upgrading to SEP 12.1.2 is also an option if it is a suggested fix.

Comments

iamadmin:

P.S. Just found all kinds of extra features and protocols that are not needed on the printer:

Don't know if these could be the culprit but I disabled:

IPX/SPX - no Novell
AppleTalk
DLC/LLC
IPv6
FTP Printing
IPP Printing
Bonjour
Web Services Print
and WS-Discovery

-Mike

.Brian:

I haven't seen anything to suggest it may be a bug yet, although this was a bug in 11.0.6 but fixed in MP2, I believe. Anything relevant in the traffic logs on an affected client?

Brief article on how a port scan is determined:

http://www.symantec.com/business/support/index?pag...

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.