Endpoint Protection

  • 1.  PortScans are being detected quite often from various sites

    Posted Feb 10, 2010 02:49 AM
    It started to appear last week. It only happens when browsing with IE8 (not happening with Mozilla). Sites appear to be pretty random, one was an IT forum site, last one is an official Canon site in Lithuania.

    Somebody is scanning your computer.
    Your computer's TCP ports:
    3266, 3268, 3267, 3269 and 3271 have been scanned from 212.108.98.162.

    This IP belongs to www.canon.lt. I doubt they are scanning ports. Usually if I go to such a site from another PC I don't get such a warning. So, I wanted to find out if someone else is experiencing the same issue. Or maybe this is some kind of error in SEP?

    All our PCs are in an internal LAN and go out to the Internet from one external IP. Fortigate firewall is monitoring all incoming/outgoing traffic and we don't see anything suspicious in the logs.


  • 2.  RE: PortScans are being detected quite often from various sites

    Posted Feb 10, 2010 02:57 AM
    Ensure that your PC has the latest patches installed.


  • 3.  RE: PortScans are being detected quite often from various sites

    Broadcom Employee
    Posted Feb 10, 2010 05:05 AM
    Apply required OS and application patches. Try enabling firewall rules to block the traffic.


  • 4.  RE: PortScans are being detected quite often from various sites

    Posted Feb 10, 2010 05:49 AM

    You can check the port scanning logs and we can further narrow down on the issue.

    Open SEPM console

    Go to Monitors Tab >> Logs >> Network Threat Protection >> Attack.

    The port scan logs are listed here.


  • 5.  RE: PortScans are being detected quite often from various sites

    Posted Feb 10, 2010 08:17 AM
    It's a Windows XP SP3 with IE8 and the latest operating system and Office security and critical updates provided via WSUS.

    What other patches may I need if I only open a site in IE8 and SEP warns that I'm being portscanned from that site (not the same site, it's always different sites so far). Windows Firewall is turned on and set to Domain Policy. As I said there is also a Fortigate firewall on the way to the Internet, but I can't say much about its configuration, though I'm sure it should at least detect such "attacks".

    sandip_sali, what should I find there? It has the same information as it was in the popup. What I do see is that this is not related to one PC and a bunch of our users should be getting such popups. Various sites, some of them are government ones. Also I see that SEP is somehow detecting users' connections to an internal jabber server as a security risk (Intrusion Prevention). Wonder why.


  • 6.  RE: PortScans are being detected quite often from various sites

    Posted Feb 11, 2010 05:47 AM
    Scan in safe mode and see if any malicious code is present on the PC.


  • 7.  RE: PortScans are being detected quite often from various sites

    Posted Feb 18, 2010 02:55 AM
    Check this IP - 89.253.195.244. SEP is reporting PortScan every time I load the http://www.online.1c.ru site (now with Firefox too).