Virtual Secure Web Gateway

  • 1.  Scanning Attacker Blocked? Not sure what could be doing this.

    Posted Jul 12, 2010 06:04 PM
    Today and a few times last week one of our development systems (Production for some... long story) has been blocked on our Gateway due to a Scanning Attacker.

    I have talked to the developers but none of them are working on any product that will be doing a scan of our network.  I have scanned the system with SEP 11 but it hasn't found anything.  Any ideas?

    Thanks,

    Kris Turner

    1 Scanning Attacker



  • 2.  RE: Scanning Attacker Blocked? Not sure what could be doing this.

    Posted Jul 14, 2010 09:50 AM

    Hi Kris,

    I'm not really clear on what's happening here, so is the Web Gateway blocking some kind of traffic from this system?  Can you give details on what the Web Gateway is logging and where?

    Cheers,

    Kevin


  • 3.  RE: Scanning Attacker Blocked? Not sure what could be doing this.

    Posted Jul 14, 2010 12:03 PM
    I will get a screenshot.  It is under Potential Attacks and then under IP Scanning.  The last event was 7/12/2010.  The Scanning Attacker was a local Development Server on our network.



  • 4.  RE: Scanning Attacker Blocked? Not sure what could be doing this.

    Posted Jul 15, 2010 08:39 PM
    Kristopher,

    That machine is definitely scanning those ranges, SWG knows that for sure.  A point of clarification though:

    SWG will not block an IP scan on its own.  Anything in Potential Attacks is not blocked by default as these signatures/patterns are called 'Potential' for a reason - they could also be non-malicious depending on the circumstance.  There are definitely legitimate or coincidental reasons for machines to do IP scans, so we don't call that malicious on its own.


  • 5.  RE: Scanning Attacker Blocked? Not sure what could be doing this.

    Posted Jul 17, 2010 09:40 PM
    The scary thing is this machine shouldn't be scanning...  :)  I see nothing on it that would or should scan our network.