
Scanning Attacker Blocked? Not sure what could be doing this.

Created: 12 Jul 2010 | 4 comments
kristopherjturner's picture

Today and a few times last week one of our development systems (Production for some... long story) has been being blocked on our Gateway due to a Scanning Attacker.

I have talked to the developers but none of them are working on any product that will be doing a scan of our network.  I have scanned the system with SEP 11 but it hasn't found anything.  Any ideas?

Thanks,

Kris Turner


KevK76's picture

Hi Kris,

I'm not really clear on what's happening here, so is the Web Gateway blocking some kind of traffic from this system?  Can you give details on what the Web Gateway is logging and where?

Cheers,

Kevin

kristopherjturner's picture

I will get a screen shot.  It is under Potential Attacks and then under IP Scanning.  The last event was 7/12/2010.  The Scanning Attacker was a local Development Server on our network.

Sergi Isasi's picture

Kristopher,

That machine is definitely scanning those ranges, SWG knows that for sure.  A point of clarification though:

SWG will not block an IP scan on its own.  Anything in Potential Attacks is not blocked by default as these signatures/patterns are called 'Potential' for a reason - they could also be non-malicious depending on the circumstance.  There are definitely legitimate or coincidental reasons for machines to do IP scans, so we don't call that malicious on its own.

Senior Product Manager - Web Gateway

kristopherjturner's picture

The scary thing is this machine shouldn't be scanning...  :)  I see nothing on it that would or should scan our network.
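
A triage step for the situation in this thread, added here as an example and not part of any post above: rank the processes on the flagged server by how many distinct hosts they are talking to, so the one responsible for the IP scanning stands out. It assumes the server runs Windows and that the text comes from `netstat -ano`; the sample rows, addresses, PIDs and the `min_peers` threshold are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` TCP rows (addresses and PIDs are made up).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:3389          10.0.0.40:51812        ESTABLISHED     1120
  TCP    10.0.0.5:49201         10.0.0.12:445          SYN_SENT        4321
  TCP    10.0.0.5:49202         10.0.0.13:445          SYN_SENT        4321
  TCP    10.0.0.5:49203         10.0.0.14:445          SYN_SENT        4321
  TCP    10.0.0.5:49204         10.0.0.15:445          ESTABLISHED     4321
  TCP    10.0.0.5:49180         10.0.0.20:1433         ESTABLISHED     2208
  TCP    10.0.0.5:49181         10.0.0.20:1433         ESTABLISHED     2208
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    [::1]:49190            [::1]:8080             ESTABLISHED     2208
"""

def fan_out(netstat_text):
    """Return {pid: {"peers": set of remote IPs, "half_open": SYN_SENT count}}."""
    stats = defaultdict(lambda: {"peers": set(), "half_open": 0})
    for line in netstat_text.splitlines():
        f = line.split()
        # Keep only TCP connection rows: proto, local, foreign, state, pid.
        if len(f) != 5 or f[0] != "TCP" or f[3] == "LISTENING":
            continue
        host = f[2].rsplit(":", 1)[0].strip("[]")  # drop port and IPv6 brackets
        try:
            ip = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        entry = stats[int(f[4])]
        entry["peers"].add(str(ip))
        if f[3] == "SYN_SENT":  # connection attempt with no answer yet
            entry["half_open"] += 1
    return dict(stats)

def suspects(netstat_text, min_peers=4):
    """PIDs with at least min_peers distinct remote hosts, widest fan-out first."""
    rows = [(pid, len(s["peers"]), s["half_open"])
            for pid, s in fan_out(netstat_text).items()
            if len(s["peers"]) >= min_peers]
    return sorted(rows, key=lambda r: (-r[1], -r[2]))

if __name__ == "__main__":
    for pid, peers, half_open in suspects(SAMPLE):
        print(f"PID {pid}: {peers} distinct peers, {half_open} half-open")
```

A single snapshot only catches connections open at that instant and counts inbound peers too, so repeat the capture around the times the gateway logs the event and then map the PID to a program with `tasklist`.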