PortScans are being detected quite often from various sites

Created: 10 Feb 2010 • Updated: 19 Aug 2010 | 6 comments

It started to appear last week. It only happens when browsing with IE8 (not happening with Mozilla). The sites appear to be pretty random: one was an IT forum site, the last one is an official Canon site in Lithuania.

Somebody is scanning your computer.
Your computer's TCP ports:
3266, 3268, 3267, 3269 and 3271 have been scanned from 212.108.98.162.

This IP belongs to www.canon.lt. I doubt they are scanning ports. Usually if I go to such a site from another PC I don't get such a warning. So I wanted to find out if someone else is experiencing the same issue. Or maybe this is some kind of error in SEP?

All our PCs are in an internal LAN and go out to the Internet from one external IP. A Fortigate firewall is monitoring all incoming/outgoing traffic and we don't see anything suspicious in the logs.

AravindKM's picture

Ensure that your PC has the latest patches installed.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

pete_4u2002's picture

Apply the required OS and application patches. Try enabling firewall rules to block the traffic.

sandeep_sali's picture

You can check the port scanning logs and we can further narrow down on the issue.

Open SEPM console

Go to Monitors Tab >> Logs >> Network Threat Protection >> Attack.

The port scan logs are listed here.

Thanks & Regards

Sandeep C Sali

wroot's picture

It's Windows XP SP3 with IE8 and the latest operating system and Office security and critical updates provided via WSUS.

What other patches may I need if I only open a site in IE8 and SEP warns that I'm being portscanned from that site (not the same site, it's always different sites so far)? Windows Firewall is turned on and set to Domain Policy. As I said, there is also a Fortigate firewall on the way to the Internet, but I can't say much about its configuration, though I'm sure it should at least detect such "attacks".

sandeep_sali, what should I find there? It has the same information as was in the popup. What I do see is that this is not related to one PC and a bunch of our users should be getting such popups. Various sites, some of them government ones. Also I see that SEP is somehow detecting users' connections to an internal jabber server as a security risk (Intrusion Prevention). Wonder why.

AravindKM's picture

Scan in safe mode and see whether any malicious code is present on the PC.

Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind

wroot's picture

Check this IP - 89.253.195.244. SEP is reporting PortScan every time I load the http://www.online.1c.ru site (now with Firefox too).