Symantec Endpoint Protection 12.1 Does Not Stealth Ports?
Created: 10 Dec 2011 | 11 comments
Hello,
I recently conducted a port scan of my system using GRC ShieldsUP! and it appears that my ports are either closed or open with very few being stealthed. Here's the report of the test:
----------------------------------------------------------------------
GRC Port Authority Report created on UTC: 2011-12-10 at 18:29:05
Results from scan of ports: 0-1055
2 Ports Open
1047 Ports Closed
7 Ports Stealth
---------------------
1056 Ports Tested
Ports found to be OPEN were: 21, 80
Ports found to be STEALTH were: 135, 137, 138, 139, 445, 593,
1023
Other than what is listed above, all ports are CLOSED.
TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- A PING REPLY (ICMP Echo) WAS RECEIVED.
----------------------------------------------------------------------
In my settings, I have enabled port scan detection, but it still does not work. I have Norton Internet Security 2012 and it stealths all ports, and I was told that SEP has a similar firewall to that of NIS 2012.
Thanks.
Comments
Firewall rule needed
Port scan detection does not block port scans; that's the job of a firewall rule. To stop the port scan completely, Active Response should drop the connection (which is enabled in your setting).
If a port scan has been detected, it will be logged in the client's security log.
See here:
Detecting potential attacks and spoofing attempts
http://www.symantec.com/docs/HOWTO55408
Thank you for your reply.
The thing is, I'm not using a separate management console, just the self-managed SEP without any separate management. So is there a way for me to implement the protection and stealthing of ports? Or is it mandatory that I install the separate management client? Just note that my office has only about 4 PCs, so I didn't set up a management console, and additionally I'm not familiar with the firewall policies, etc., so I can't work this out on my own. I do see some messages in the protection log while the port scan is being carried out.
Thank you.
It's not mandatory to install
It's not mandatory to install a management console. I think your settings are perfectly fine and should work.
To check this, I tried a standard port scan with nmap against a self-managed 12.1 client with your settings.
Result: After one or two seconds that SEP needed to recognize the port scan pattern, the complete connection was interrupted for 10 minutes so that nmap wasn't able to finish the scan. It discovered only two ports.
What's your network environment? Are you sure ShieldsUP is hammering directly against your PC?
BTW: Why are HTTP and FTP open? Is your SEP client a web server?
Thank you for your reply.
I don't know if ShieldsUP is hammering directly against my PC, but it works fine with NIS 2012, meaning NIS 2012 stealths all ports from the beginning of the scan, whereas my SEP wasn't able to detect the port scan and I didn't get any notification either. And no, my SEP client is not a web server, and I'm not quite sure why they are open; I just installed it using default settings, changed certain AV settings and checked some options on Firewall as shown in the snapshot.
Update: I did an nmap test on my computer and this time SEP did block the test (I got a notification saying that), and here is the report from "Regular Scan":
Are you behind a DSL router
Are you behind a DSL router that performs Network Address Translation (NAT)?
I believe that is true.
That is correct.
If you are behind a router
If you are behind a router with NAT, ShieldsUP should never detect any open or closed port ... all should be "stealth" if the router firewall is enabled and doesn't forward all traffic to the client.
OK, suppose your router firewall is open. To block a port scan, you have to add a new firewall rule at the bottom of the rule list (Status > NTP > Configure firewall rules). This rule blocks all the traffic which isn't allowed by other rules.
Click Add..., name the rule (e.g., "Block traffic"), go to the Ports and Protocols tab, traffic direction: Incoming, then click OK.
This rule should block the port scan.
Port scan detection can be activated. As you know, in combination with Active Response this can drop a connection to a PC performing a port scan.
To summarize:
P.S.: NTP has an internal, hard-coded rule "Block_all". Perhaps you can see it in your traffic log. Unfortunately, I have no clue how it works and when it is triggered.
I just checked my router's
I just checked my router's settings and it has a NAT feature, but it's not configured or is disabled, so my firewall is probably open. About the rule, I created it, and this time a few other ports were in stealth mode, about 5 of them, and the rest were either closed or open. I followed your steps exactly as mentioned, but it doesn't work.
Type ipconfig /all in your
Type ipconfig /all in your command prompt window to check your IP address. If your computer has an IP address something like this
(which are so-called private addresses), your DSL router probably uses NAT to couple its external IP address with these private internal addresses (which aren't routed on the internet).
In this case, it could be that you are not testing your SEP client but your router. Most routers can be configured to circumvent the NAT firewall (in my router configuration it is called "DMZ"). Perhaps you just have to change these settings to make a valid test.
Yes there is actually an IP
Yes, there is actually an IP like 192.168.x.x.
I just managed to enable Stateful Inspection Firewall on my router and it did the trick.
Thanks for all your help and expertise.
Hi, The answers above were
Hi,
The answers above were partially correct: if you create a firewall rule to block all ports (and then allow a few), as I believe is the default for NIS, then they should show up as Stealth.
However, the port scan detection does not work that way. What it does is that it will not block anything until it has made the detection (IIRC it should be something like 4 or 5 consecutive connections on different ports within 20 seconds; there are other ways it is triggered, though). It will then trigger Active Response, which will block the scanning host completely for 10 minutes, which I believe will list ports as being closed (I have not tested it, but it makes sense).
Hope this helps.
--
Symantec Support
MCSE / CCNA
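The trigger described in the comment above (several connections to different ports from one host within 20 seconds, then a 10-minute block of that host) as a small detector run over constructed connection-log lines. This is an added illustration, not Symantec's implementation; the 5-port threshold, the log format and the class and function names are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds as recalled in the comment above ("IIRC"); treated here as assumptions.
DISTINCT_PORTS = 5                 # distinct destination ports from one source ...
WINDOW = timedelta(seconds=20)     # ... within this window count as a port scan
BLOCK_FOR = timedelta(minutes=10)  # Active Response: scanning host is blocked this long

class PortScanDetector:
    def __init__(self, distinct_ports=DISTINCT_PORTS, window=WINDOW, block_for=BLOCK_FOR):
        self.distinct_ports = distinct_ports
        self.window = window
        self.block_for = block_for
        self._recent = defaultdict(deque)  # src -> deque of (datetime, port)
        self.blocked_until = {}            # src -> datetime when the block expires

    def observe(self, src, port, now):
        """Classify one inbound attempt: 'blocked', 'scan' (just detected) or 'allow'."""
        until = self.blocked_until.get(src)
        if until is not None and now < until:
            return "blocked"
        recent = self._recent[src]
        recent.append((now, port))
        while recent and now - recent[0][0] > self.window:  # expire old attempts
            recent.popleft()
        # Repeated hits on one port never trigger; only distinct ports count.
        if len({p for _, p in recent}) >= self.distinct_ports:
            self.blocked_until[src] = now + self.block_for
            recent.clear()
            return "scan"
        return "allow"

def replay(lines):
    # Feed 'ISO-timestamp src_ip dst_port' lines to one detector; return verdicts.
    det = PortScanDetector()
    return [(src, int(port), det.observe(src, int(port), datetime.fromisoformat(ts)))
            for ts, src, port in (line.split() for line in lines)]

# Constructed sample log (not from the thread): one host probes five ports in five
# seconds, retries while blocked and returns later; another host only revisits port 80.
SAMPLE_LOG = [
    "2011-12-10T18:29:05 10.0.0.5 21",
    "2011-12-10T18:29:06 10.0.0.5 22",
    "2011-12-10T18:29:07 10.0.0.5 23",
    "2011-12-10T18:29:08 10.0.0.5 25",
    "2011-12-10T18:29:09 10.0.0.5 80",      # 5th distinct port -> scan, block 10 min
    "2011-12-10T18:29:40 10.0.0.5 443",     # still blocked
    "2011-12-10T18:29:41 192.168.1.10 80",
    "2011-12-10T18:29:42 192.168.1.10 80",  # same port again -> allow
    "2011-12-10T18:40:00 10.0.0.5 443",     # block expired -> allow
]
```

Note that a "blocked" verdict is what a scanner sees as closed or stealth depending on whether the block answers with a reset or drops silently; the detector itself only decides when the block starts.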