Endpoint Protection Small Business Edition


SEP - (Windows 8.1) SEP clients killing server (Windows Server 2012) with port scanning attacks

  • 1.  SEP - (Windows 8.1) SEP clients killing server (Windows Server 2012) with port scanning attacks

    Posted Sep 12, 2014 09:30 AM

    Hello.


    I'd like to report a very strange behaviour - Windows 8.1 clients with installed SEP software are pretty much "killing" Windows Server (2012) with port scanning attacks. At least that's what the SEP client on the server is reporting in its logs.

    I've scanned all computers and the server in search of a virus - none. I've disabled "submissions" and "liveupdate" in rules. (http://www.symantec.com/connect/sites/default/files/SEPM_Client_Management_Settings_Submissions_0.jpg)

    I've upgraded SEPM, the SEP client on the server and a few clients to the latest version 12.1.4 mp1b - no change.
    This situation completely disorganizes work in that LAN; clients get cut off from the server for 600 seconds.
    From what I've gathered, it looks like traffic is generated in search of IP 143.127.102.40 on a variety of ports, mostly very high numbers like 50000+ but also 5355 and 443.

    A new (renewal) license was installed a few days ago, but that problem started around the end of last month, with only a few days to go on our old license.

    That domain doesn't have regular access to the Internet; it's a LAN-only environment. SEP is updated via offline file downloads.

    Please help.

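The post describes the symptom (one client hitting a single destination on many distinct ports, mostly above 50000, plus 5355 and 443) but not how to confirm it independently of the SEP event. The script below is an added example, not Symantec code and not the heuristic SEP itself uses: it reads connection records in the Windows Firewall pfirewall.log W3C layout, groups them by source/destination pair, and flags any pair that touches at least a threshold number of distinct destination ports inside a time window, then splits the ports into the "very high" dynamic range and everything else. The log lines, the 60-second window and the 10-port threshold are all constructed for the example; the Symantec address 143.127.102.40 is the one named in the post.

```python
"""Triage a Windows Firewall log for port-sweep patterns.

Added example for this thread (not Symantec code). The heuristic here is a
generic one: many distinct destination ports from one source to one
destination inside a short window. The records below are constructed in the
pfirewall.log W3C layout; only the destination 143.127.102.40 comes from the post.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client sweeping 12 ports on the Symantec IP,
# the same client talking normally to the SQL server, and a second client
# touching only two ports.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-09-12 09:00:01 DROP TCP 192.168.1.21 143.127.102.40 49321 443 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:01 DROP UDP 192.168.1.21 143.127.102.40 49322 5355 0 - - - - - - - SEND
2014-09-12 09:00:02 DROP TCP 192.168.1.21 143.127.102.40 49323 50001 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:02 DROP TCP 192.168.1.21 143.127.102.40 49324 50002 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:02 DROP TCP 192.168.1.21 143.127.102.40 49325 50003 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:03 DROP TCP 192.168.1.21 143.127.102.40 49326 50004 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:03 DROP TCP 192.168.1.21 143.127.102.40 49327 50005 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:03 ALLOW TCP 192.168.1.21 192.168.1.10 49340 1433 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:04 DROP TCP 192.168.1.21 143.127.102.40 49328 50006 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:04 DROP TCP 192.168.1.21 143.127.102.40 49329 50007 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:04 ALLOW TCP 192.168.1.21 192.168.1.10 49341 1433 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:05 DROP TCP 192.168.1.21 143.127.102.40 49330 50008 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:05 DROP TCP 192.168.1.21 143.127.102.40 49331 50009 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:05 DROP TCP 192.168.1.21 143.127.102.40 49332 50010 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:06 DROP TCP 192.168.1.22 143.127.102.40 49500 443 52 S 0 0 8192 - - - SEND
2014-09-12 09:00:06 DROP TCP 192.168.1.22 143.127.102.40 49501 50017 52 S 0 0 8192 - - - SEND
"""


def parse_log(text):
    """Return a list of (timestamp, action, proto, src, dst, dport) tuples,
    skipping '#' header lines and records without a numeric port (ICMP)."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        ts = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
        try:
            dport = int(f[7])
        except ValueError:
            continue
        events.append((ts, f[2], f[3], f[4], f[5], dport))
    return events


def find_port_sweeps(events, window=timedelta(seconds=60), min_ports=10):
    """Map (src, dst) -> sorted distinct destination ports for every pair that
    hits at least min_ports distinct ports within one window. Thresholds are
    illustrative, not SEP's."""
    by_pair = defaultdict(list)
    for ts, _action, _proto, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))
    flagged = {}
    for pair, hits in by_pair.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct ports seen from this record until the window closes.
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[pair] = sorted({p for _, p in hits})
                break
    return flagged


def port_profile(ports):
    """Split ports into the dynamic/private range (>= 49152, the 'very high'
    numbers the post mentions) and everything below it."""
    return {"high": [p for p in ports if p >= 49152],
            "low": [p for p in ports if p < 49152]}


if __name__ == "__main__":
    for (src, dst), ports in find_port_sweeps(parse_log(SAMPLE_LOG)).items():
        prof = port_profile(ports)
        print(f"{src} -> {dst}: {len(ports)} distinct ports, "
              f"{len(prof['high'])} in the dynamic range, others {prof['low']}")
```

Pointing this at a real log from the server tells you whether the "attack" is many clients probing the server or, as the post suspects, each client reaching for one external address; the source/destination pair and the direction (SEND vs RECEIVE in the path field) settle that before any firewall rule is written.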


  • 2.  RE: SEP - (Windows 8.1) SEP clients killing server (Windows Server 2012) with port scanning attacks

    Posted Sep 12, 2014 12:39 PM

    This looks to be a precursor to an attack and SEP is alerting on it (not blocking anything). You can create a firewall rule to block this IP though.

    Adding a new firewall rule



  • 3.  RE: SEP - (Windows 8.1) SEP clients killing server (Windows Server 2012) with port scanning attacks

    Posted Sep 15, 2014 07:52 AM

    Thank you, but I don't think that's an issue here. 143.127.102.40 is Symantec's IP.

    Do you suggest Symantec's software is trying to do something fishy?

    My users and server are OFFLINE (LAN). Why are clients trying so hard to get to 143.127.102.40?

    Server's SEP client ("full protection") cuts them off because it categorizes this as a port scanning attack on a server.

    To me it looks like very strange software behaviour. Why? What's it trying to do?

    As a result, clients have no connection to the SQL database and it demolishes workflow.