Solved

Get port scan attack logged in my workstation

Posted on 2009-05-15
5
2,115 Views
Last Modified: 2013-12-09
This is using symantec endpoint 11 on my workstation. Recently, I  found that my symantec endpoint stopped traffic from other workstation.

Pls see attached jpg for info.

What should I do to allow this workstation to communicate with my workstation assumed that it is a false alarm?
0
Comment
Question by:Balack
  • 3
  • 2
5 Comments
 
LVL 15

Accepted Solution

by:
xmachine earned 500 total points
ID: 24393148
Hi,

This means your using an "Intrusion Prevention" policy with default settings.

1) Open SEPM Console > Policies > Intrusion Prevention

2) Uncheck the box "Automatically block an attacker's IP address" and this will solve the problem.

3) I don't see any attached snapshot, because I need to know the logged attack to help you more


A Symantec Certified Specialist @ your service

0
 

Author Comment

by:Balack
ID: 24396714
Hi xmachine,

Pls see the attached snapshot...
Port-Scan.JPG
Port-Scan-2.JPG
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24401451
Port Scan attack detected could be due to one of the following reasons:

1) The source machine is infected by some virus, and is scanning the network for other hosts. Make sure it's already protected by an Antivirus software and is up-to-date.

OR

2) The source machine is running Windows Vista, and "Network Discovery" mode is enabled.

http://windowshelp.microsoft.com/Windows/en-us/help/0e5f2e0c-9906-4518-b7c7-d3632105dcad1033.mspx

http://windowshelp.microsoft.com/Windows/en-us/help/32f3845b-eda0-4168-be8d-90f07250d8101033.mspx

OR

3) The source machine is running a misconfigured application which is generating a lot of noisy packets in the network.
0
 

Author Comment

by:Balack
ID: 24420071
Hi xmachine,

I did a thorough scan in safe mode, no virus found. I made one wrong statement, that is - there is not centralized antivirus server. All PCs are installed with Endpoint separately. All PCs get the updated definitions directly from Internet.

If so, can I apply the policy as described in your first suggestion?
0
 
LVL 15

Expert Comment

by:xmachine
ID: 24465303
No, you can't. Because you need to install the SEP manager (SEPM) to control and update all clients in the network
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Some site administrators might be considering how to filter incoming traffic to a site by identifying the domains or networks of the traffic source, in the same way that a spam filter does on an email server, such as blocking all emails sent from th…
I recently had to create a utility which aim is to update McAfee's Virusscan and that had to be launched from a command line. I thought I’d share my experience with you. Why is it useful to be able to update an Antivirus from the command line?…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now