Firewall – Symantec Endpoint Protection “portscan attack” false alarms

firewallport-scanningsymantecsymantec-endpoint-protectiontorrent

On two Windows 7 machines in my LAN I have Symantec Endpoint Protection 12.1 installed. Things work fine, but several time per day I get to see the following warning:

portscan

I had a thorough look at the machine that is running on 192.168.1.111, but I am quite sure there is no malicious software on there. What could be triggering this alarm? The only thing I can think of is utorrent local peer discovery, although I that is not exactly a "port scan".

Best Answer

A great tool that might help your situation is Wire Shark. This will let you see exactly whats going on in your network to see what might be hitting those machines and if it trully is a port scan.

Related Solutions

Symantec Endpoint Protection Manager Console looks strange — installed correctly

This happened to me once before, and I believe it was a Java version issue.

Installing Symantec Endpoint Protection clients via group policy in a mixed environment

This may be accomplished by putting a WMI filter on your deployment GPO objects. The Group Policy engine on the client machines will check this filter to see if the specific GPO applies to them. It does impact performance, but it'll do what you need.

A good filter could be:

select * from Win32_OperatingSystem where OSArchitecture='64-bit'

It won't catch any XP-64 you may have around, but should catch the 64-bit Vista and Win7 installs. The inverse of this should catch your 32-bit installs:

select * from Win32_OperatingSystem where OSArchitecture<>'64-bit'

If it isn't explicitly 64-bit, install the 32-bit version. Alternately, you could just put '32-bit' in there if you'd rather go that route.

Best Answer

Related Solutions

Symantec Endpoint Protection Manager Console looks strange — installed correctly

Installing Symantec Endpoint Protection clients via group policy in a mixed environment

Related Topic