Question About SEPM Manager Logs - Network Attack?
So, it seems I have a "trojan" on my computer that SEP is not picking up on one of my local computers, but SEPM is logging and notifying me regarding the attack. Eventually the continuous probing / scanning of ports blocks the client computer out of existence for a while, then it comes back online -- unfortunately this annoyance blocks the client computer from accessing network features + shared resources (printers, network drives, etc.) -- here is a log detail generated by the SEPM monitor.
| Field | Value |
|---|---|
| Event Description | Somebody is scanning your computer. Your computer's UDP ports: 1900, 3702, 50809, 45507 and 42659 have been scanned from 192.168.100.201. |
| Attack Type | Port Scan |
| Event Time | 03/19/2010 21:06:52 |
| Remote Host IP | 192.168.100.201 |
| Occurrence | 1 |
| Alert | 1 |
| Begin Time | 03/19/2010 21:07:06 |
| End Time | 03/19/2010 21:07:06 |
| Domain Name | Default |
| Site Name | Symantec Media Vault |
| Server Name | HomeServer |
| Group Name | Global\Symantec Media Vault |
| Computer Name (current) | HomeServer |
| Computer Name (when event occurred) | HomeServer |
| IP Address (current) | 192.168.100.200 |
| IP Address (when event occurred) | 229.157.60.79 |
| Operating system | Windows Server 2003 Family Standard Edition |
| Location Name | Default |
| User Name | Administrator |
| Severity | Minor |
| Local MAC | 01005E**** |
| Remote MAC | 001D60**** |
| Hardware Key | BF6956C1A8429*************** |
| Network Protocol | UDP |
| Traffic Direction | Inbound |
| Send SNMP trap | 1 |
| Remote Host Name | |
| Hack Type | 0 |
| Application Name | |
Of course there is little to no information as to what is scanning the computers in the local subnet, but at least I've narrowed it down to one computer -- but SEP, full virus scan, nothing has come up... Is there a method I can use within SEP on the local computer that's "infected" to monitor what program is causing this port scanning issue? Thanks, any help will be appreciated.
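One way to triage an alert like the one above, as an added example that is not from the thread or from Symantec's tooling: parse the SEPM fields into a record and check them for signs of LAN multicast discovery traffic rather than a host-directed scan. The sample record is reconstructed from the post's values, and the port-to-protocol names and the multicast checks are my own assumptions.

```python
import ipaddress
import re

# Constructed sample: the "Port Scan" event from the post, flattened to "Field: value" lines.
SAMPLE_EVENT = """\
Event Description: Somebody is scanning your computer. Your computer's UDP ports: 1900, 3702, 50809, 45507 and 42659 have been scanned from 192.168.100.201.
Attack Type: Port Scan
Remote Host IP: 192.168.100.201
IP Address (when event occurred): 229.157.60.79
Local MAC: 01005E****
Network Protocol: UDP
Traffic Direction: Inbound
"""

# UDP ports used by LAN discovery protocols that are normally sent to multicast/broadcast groups.
DISCOVERY_PORTS = {1900: "SSDP/UPnP", 3702: "WS-Discovery", 5353: "mDNS", 137: "NetBIOS-NS"}

def parse_event(text):
    """Turn 'Field: value' lines into a dict and pull the scanned port list out of the description."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    # "ports: 1900, 3702, 50809, 45507 and 42659" -> [1900, 3702, 50809, 45507, 42659]
    m = re.search(r"ports:\s*([\d,\s]+(?:and\s+\d+)?)", fields.get("Event Description", ""))
    fields["ports"] = [int(p) for p in re.findall(r"\d+", m.group(1))] if m else []
    return fields

def triage(fields):
    """Return indicators that the 'scan' was multicast discovery traffic seen by every host on the segment."""
    indicators = []
    dst = fields.get("IP Address (when event occurred)", "")
    try:
        if ipaddress.ip_address(dst).is_multicast:  # 224.0.0.0/4
            indicators.append(f"destination {dst} is a multicast group, not this host's address")
    except ValueError:
        pass
    # 01:00:5E:xx:xx:xx is the IPv4 multicast MAC prefix; a frame to it was never addressed to one host.
    if fields.get("Local MAC", "").upper().startswith("01005E"):
        indicators.append("local MAC 01:00:5E:... is the IPv4 multicast MAC prefix")
    known = [f"{p} ({DISCOVERY_PORTS[p]})" for p in fields["ports"] if p in DISCOVERY_PORTS]
    if known:
        indicators.append("discovery-protocol ports hit: " + ", ".join(known))
    return indicators
```

If all three indicators fire, the sender named in Remote Host IP is worth checking for a device or service doing UPnP/WS-Discovery announcements before treating it as infected.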
Comments
First I would try running Malwarebytes or Hitman Pro on it to see if these pick up something.
You can also try running Process Explorer from the Sysinternals suite to look for "unusual" processes and go from there.
A scan is harmless but it could obviously lead to more. Have you identified the 192.168.100.201 address? Run an Nmap scan on it to see what it is... I'm assuming it's a PC on your internal network?
Endpoint Knowledge Base
Security Best Practices
First remove the PC 192.168.100.201 from the network, turn off System Restore, and scan in Safe Mode with the latest defs. Also check for any suspicious activity. Refer to this article also.
How to find Suspected Threats on your computer.
Ensure both PCs have all patches installed. Put it back on the network...
Please don't forget to mark your thread solved with whatever answer helped you : ) Thanks & Regards Aravind
I ran Process Explorer and couldn't find one entry that sounds "fishy" -- SEP is up to date with the latest v.11.0.5002.333 and latest defs... Hmmm, annoying -- any other scanners I should try?
Try an antirootkit tool such as
GMER
http://www.gmer.net/
or IceSword
http://www.antirootkit.com/software/IceSword.htm
First I would suggest contacting support if you can't find the process. You might also try using a better process monitor than the default Windows Task Manager; Google should provide some pretty good free alternatives.
Also, in the future you might want to consider bumping up the level of protection against Trojan horses, keyloggers, etc. Just remember there is always a trade-off between performance and protection.
Specifying the actions and sensitivity levels for detecting Trojan horses, worms, and keyloggers
http://seer.entsupport.symantec.com/docs/331065.htm
Cheers
Grant
Please don't forget to mark your thread solved with whatever answer helped you : )