Endpoint Protection

  • 1.  Question About SEPM Manager Logs - Network Attack?

    Posted Mar 19, 2010 09:36 PM

    So, it seems I have a "trojan" on my computer that SEP is not picking up on one of my local computers, but SEPM is logging and notifying me regarding the attack.  Eventually the continuous probing / scanning of ports blocks the client computer out of existence for a while, then it comes back online -- unfortunately this annoyance blocks the client computer from accessing network features and shared resources (printers, network drives, etc.) -- here is a log detail generated by the SEPM monitor.

     

    Event Description:
    Attack Type:
    Event Time:
    Remote Host IP:
    Occurrence:
    Alert:
    Begin Time:
    End Time:
    Domain Name:
    Site Name:
    Server Name:
    Group Name:
    Computer Name
    Current:
    When event occurred:
     
    IP Address
    Current:
    When event occurred:
     
    Operating system:
    Location Name:
    User Name:
    Severity:
    Local MAC:
    Remote MAC:
    Hardware Key:
    Network Protocol:
    Traffic Direction:
    Send SNMP trap:
    Remote Host Name:
    Hack Type:
    Application Name:


    Of course there is little to no information as to what is scanning the computers in the local subnet, but at least I've narrowed it down to one computer -- but SEP, full virus scan, nothing has come up... Is there a method I can use within SEP on the local computer that's "infected" to monitor what program is causing this port scanning issue?  Thanks, any help will be appreciated.


  • 2.  RE: Question About SEPM Manager Logs - Network Attack?

    Posted Mar 19, 2010 11:34 PM

    First I would try running Malwarebytes or Hitman Pro on it to see if these pick up something.

    You can also try running Process Explorer from the Sysinternals suite to look for "unusual" processes and go from there.

    A scan is harmless but it could obviously lead to more. Have you identified the 192.168.100.201 address? Run an Nmap scan on it to see what it is... I'm assuming it's a PC on your internal network?
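One way to get at what the original poster asks for (which program on the suspect host is opening the connections), as an added example that is not code from any poster: parse `netstat -ano` output and flag any PID that reaches many distinct ports on a single neighbour, the fan-out shape that SEPM reports as a port scan. The embedded sample output is constructed; on the affected Windows host you would pipe the live `netstat -ano` output into the script instead.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` output on a Windows host, not from the thread:
# PID 2216 fans out across many ports on one neighbour (the shape SEPM reports as a
# port scan); PID 1480 is ordinary printer traffic; PID 4 is the System process.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.100.50:445     192.168.100.201:49231  ESTABLISHED     4
  TCP    192.168.100.50:49152   192.168.100.201:22     SYN_SENT        2216
  TCP    192.168.100.50:49153   192.168.100.201:23     SYN_SENT        2216
  TCP    192.168.100.50:49154   192.168.100.201:80     SYN_SENT        2216
  TCP    192.168.100.50:49155   192.168.100.201:135    SYN_SENT        2216
  TCP    192.168.100.50:49156   192.168.100.201:139    SYN_SENT        2216
  TCP    192.168.100.50:49157   192.168.100.201:443    SYN_SENT        2216
  TCP    192.168.100.50:49158   192.168.100.201:3389   SYN_SENT        2216
  TCP    192.168.100.50:49200   192.168.100.10:9100    ESTABLISHED     1480
  UDP    0.0.0.0:137            *:*                                    4
"""
# proto, local, foreign, optional state (UDP rows have none), PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return (proto, pid, remote_host, remote_port) for every connection row."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # banner and header lines
        proto, _local, foreign, _state, pid = m.groups()
        host, _, port = foreign.rpartition(":")
        if port.isdigit():  # skip "*:*" listeners with no remote peer
            conns.append((proto, int(pid), host, int(port)))
    return conns

def flag_scanners(conns, min_ports=5):
    """PIDs touching >= min_ports distinct ports on one host -> (host, sorted ports)."""
    fanout = defaultdict(lambda: defaultdict(set))
    for _proto, pid, host, port in conns:
        fanout[pid][host].add(port)
    return {pid: (host, sorted(ports)) for pid, hosts in fanout.items()
            for host, ports in hosts.items() if len(ports) >= min_ports}

def main():
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pid, (host, ports) in flag_scanners(parse_netstat(text)).items():
        print(f"PID {pid} reached {len(ports)} ports on {host}: {ports}")

if __name__ == "__main__":
    main()
```

Once a PID is flagged, `tasklist /fi "PID eq <pid>"` (or Process Explorer, as suggested above) names the owning executable; a short loop of repeated snapshots catches scanners whose connections are brief.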


  • 3.  RE: Question About SEPM Manager Logs - Network Attack?

    Posted Mar 20, 2010 12:37 AM
    First remove the PC 192.168.100.201 from the network, turn off System Restore, and scan in safe mode with the latest defs. Also check for any suspicious activity. Refer to this article also.
    How to find Suspected Threats on your computer.
    Ensure both PCs have all patches installed. Put it back on the network...


  • 4.  RE: Question About SEPM Manager Logs - Network Attack?

    Posted Mar 20, 2010 09:51 AM
    I ran Process Explorer and couldn't find one entry that sounds "fishy" -- SEP is up to date with the latest v.11.0.5002.333 and latest defs..  Hmmm, annoying -- any other scanners I should try?


  • 5.  RE: Question About SEPM Manager Logs - Network Attack?

    Posted Mar 20, 2010 10:29 AM

    Try an antirootkit tool such as

    GMER

    http://www.gmer.net/

    or IceSword

    http://www.antirootkit.com/software/IceSword.htm


  • 6.  RE: Question About SEPM Manager Logs - Network Attack?

    Posted Mar 21, 2010 02:53 AM
    First I would suggest contacting support if you can't find the process. You might also try using a better process monitor than the default "Windows Task Manager"; Google should provide some pretty good free alternatives.

    Also in the future you might want to consider bumping up the level of protection against Trojan horses, keyloggers, etc. Just remember there is always a trade-off between performance and protection.

    Specifying the actions and sensitivity levels for detecting Trojan horses, worms, and keyloggers

    http://seer.entsupport.symantec.com/docs/331065.htm

    Cheers
    Grant