Solved

Get port scan attack logged in my workstation

Posted on 2009-05-15
5
2,116 Views
Last Modified: 2013-12-09
This is using symantec endpoint 11 on my workstation. Recently, I  found that my symantec endpoint stopped traffic from other workstation.

Pls see attached jpg for info.

What should I do to allow this workstation to communicate with my workstation assumed that it is a false alarm?
0
Comment
Question by:Balack
  • 3
  • 2
5 Comments
 
LVL 15

Accepted Solution

by:
xmachine earned 500 total points
ID: 24393148
Hi,

This means your using an "Intrusion Prevention" policy with default settings.

1) Open SEPM Console > Policies > Intrusion Prevention

2) Uncheck the box "Automatically block an attacker's IP address" and this will solve the problem.

3) I don't see any attached snapshot, because I need to know the logged attack to help you more


A Symantec Certified Specialist @ your service

0
 

Author Comment

by:Balack
ID: 24396714
Hi xmachine,

Pls see the attached snapshot...
Port-Scan.JPG
Port-Scan-2.JPG
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24401451
Port Scan attack detected could be due to one of the following reasons:

1) The source machine is infected by some virus, and is scanning the network for other hosts. Make sure it's already protected by an Antivirus software and is up-to-date.

OR

2) The source machine is running Windows Vista, and "Network Discovery" mode is enabled.

http://windowshelp.microsoft.com/Windows/en-us/help/0e5f2e0c-9906-4518-b7c7-d3632105dcad1033.mspx

http://windowshelp.microsoft.com/Windows/en-us/help/32f3845b-eda0-4168-be8d-90f07250d8101033.mspx

OR

3) The source machine is running a misconfigured application which is generating a lot of noisy packets in the network.
0
 

Author Comment

by:Balack
ID: 24420071
Hi xmachine,

I did a thorough scan in safe mode, no virus found. I made one wrong statement, that is - there is not centralized antivirus server. All PCs are installed with Endpoint separately. All PCs get the updated definitions directly from Internet.

If so, can I apply the policy as described in your first suggestion?
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24465303
No, you can't. Because you need to install the SEP manager (SEPM) to control and update all clients in the network
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
I recently had to create a utility which aim is to update McAfee's Virusscan and that had to be launched from a command line. I thought I’d share my experience with you. Why is it useful to be able to update an Antivirus from the command line?…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
In this video I am going to show you how to back up and restore Office 365 mailboxes using CodeTwo Backup for Office 365. Learn more about the tool used in this video here: http://www.codetwo.com/backup-for-office-365/ (http://www.codetwo.com/ba…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now