Endpoint Protection

  • 1.  SEP detecting port scan for application /mach_kernel

    Posted Jul 01, 2014 09:16 AM

    Hi

    I've recently upgraded to SEP 12.1.4. Since installing the upgraded Mac client on a few machines, they're all seeing intermittent port scan attacks from various IP addresses around my network, all using the application /mach_kernel.

    I'm fairly sure these are spurious. I've checked the machines on some of the IPs listed and can't find any trace of malware or viruses, so my thought is that it's something else, probably a monitoring tool or something like Bonjour traffic, that is being detected.

    My question is, what can I do to prevent it happening? I don't really want to block the notification, as it would be nice to know of other IPS events, but I would like to create an exception or similar to suppress this particular alert.

    Has anyone else experienced this before, and if so, what have you done to try and resolve it?



  • 2.  RE: SEP detecting port scan for application /mach_kernel
    Best Answer

    Posted Jul 01, 2014 09:18 AM

    Try adding an exception

    https://www-secure.symantec.com/connect/forums/mac-os-109-scans-w-network-threat#comment-9622201



  • 3.  RE: SEP detecting port scan for application /mach_kernel

    Posted Jul 01, 2014 10:10 AM

    Thanks. I've had a look, and the exceptions aren't particularly granular. Port scanning is something I'd like to continue to block in most situations; it's a shame that you can't write an exception to exclude anything originating from an IP range, or some other way to focus it down onto particular alerts.

    I guess the other option might be to block the user notification, so that at least the threat is still blocked.



  • 4.  RE: SEP detecting port scan for application /mach_kernel

    Posted Jul 24, 2014 02:12 PM

    Hi FenderEuro,

    I'm experiencing the exact same thing. Mac clients appear to only partially honor the IP policy "excluded host" list. In my case the scan isn't blocked, but a user dialog on the client is launched saying that a "Vulnerability Detected" and the SEP log records a "Vulnerability Protection Vulnerability (Brute Force Remote Login) detected". The scan itself doesn't appear to get blocked, but as you can imagine this notification can create a lot of calls to the local help desk.

    As you've probably discovered there is no IP rule defined by this to alter SEP's response and even excluding the built-in "Port Scan" rule does not resolve the problem.

    The only way I know of resolving the issue while still maintaining a level of security is to disable Network Threat Protection User Notification. While this will work to remove false positive events (as in the case of authorized port scanners), it will leave the user blind to real attacks.

    With the user notification disabled, the SEPM servers still collect the events and log them on the server.

    In my mind, this issue is a serious flaw in behaviour and Symantec should work to resolve it.
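
    The two gaps raised in this thread (post 3: no IPS exception scoped to an IP range; post 4: notifications disabled on the client, events still collected by SEPM) can be closed on the server side with a triage filter over the collected events. The script below is an added example, not code from the thread or from Symantec: it applies an authorized-scanner range allowlist to Network Threat Protection events after the fact, suppressing only the event names you choose (here "Port Scan") from those ranges and surfacing everything else. The record layout is a constructed, simplified CSV (time, host, source IP, application, event) and is an assumption for the example, not SEP's actual export format; the 10.20.5.0/24 scanner range and the sample lines are likewise constructed.

```python
"""
Triage of Network Threat Protection events by source-IP allowlist.

Added example, not from the original thread or from Symantec. The record
format below is a constructed, simplified CSV and is NOT SEP's actual export
format; adapt the field names to whatever SEPM export you actually use.
"""
import csv
import ipaddress
from io import StringIO

# Constructed sample export; the field layout is an assumption for this example.
SAMPLE_EVENTS = """\
time,host,source_ip,application,event
2014-07-01 09:02:11,mac-01,10.20.5.17,/mach_kernel,Port Scan
2014-07-01 09:02:14,mac-02,10.20.5.17,/mach_kernel,Port Scan
2014-07-01 09:05:40,mac-03,192.168.7.99,/mach_kernel,Port Scan
2014-07-01 09:06:02,mac-01,10.20.5.17,/mach_kernel,Brute Force Remote Login
2014-07-01 09:09:55,mac-04,172.16.3.8,/mach_kernel,Port Scan
"""

# Ranges owned by authorized scanners (hypothetical value for this example).
AUTHORIZED_SCANNER_RANGES = [
    ipaddress.ip_network("10.20.5.0/24"),
]

# Event names the allowlist is permitted to suppress. Anything else from an
# authorized range (e.g. a brute-force login signature) is still surfaced:
# a scanner host being used for password guessing is worth knowing about.
SUPPRESSIBLE_EVENTS = {"Port Scan"}


def parse_events(text):
    """Parse the constructed CSV into a list of dicts, validating the source IP."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        try:
            row["source_ip"] = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            # A malformed address is kept (as None) and surfaced, not silently dropped.
            row["source_ip"] = None
        events.append(row)
    return events


def is_authorized_source(ip, ranges=AUTHORIZED_SCANNER_RANGES):
    """True if ip falls inside any authorized-scanner range; None never matches."""
    return ip is not None and any(ip in net for net in ranges)


def triage(events, ranges=AUTHORIZED_SCANNER_RANGES, suppressible=SUPPRESSIBLE_EVENTS):
    """Split events into (suppressed, surfaced).

    Suppressed: a suppressible event name AND an authorized source.
    Surfaced: everything else, including non-suppressible events from
    authorized ranges and events whose source address failed to parse.
    """
    suppressed, surfaced = [], []
    for ev in events:
        if ev["event"] in suppressible and is_authorized_source(ev["source_ip"], ranges):
            suppressed.append(ev)
        else:
            surfaced.append(ev)
    return suppressed, surfaced


def summarize(events):
    """Count events per (source_ip, event) so repeat offenders stand out."""
    counts = {}
    for ev in events:
        key = (str(ev["source_ip"]), ev["event"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    suppressed, surfaced = triage(parsed)
    print(f"suppressed {len(suppressed)} authorized-scanner events")
    for (ip, name), n in sorted(summarize(surfaced).items()):
        print(f"REVIEW  {ip:<15} {name:<28} x{n}")
```

    On the sample data this suppresses the two port scans from 10.20.5.17 and surfaces three events: the port scans from 192.168.7.99 and 172.16.3.8, and the brute-force login detection from the scanner range itself. Keeping the suppressible set narrow is the point of the design: the allowlist is scoped to a source range and an event name together, which is the granularity the client-side exception lacks.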