
kaboomcanuck


  1. Hi, hoping someone out there will be able to help provide additional information to help track down if these reports are malicious or false positives. Recently we've been getting this notification (TCP Port Scan attack Win32/Botnet.generic). We've looked at one of the machines with Process Explorer and also checked open network activities and did not spot anything out of the ordinary, and there were no known hits from VirusTotal either on any currently open processes. ESET did not report an application. The ports being used are mostly consistent and do not align with any known applications on our end. Ports are 7000, 660, 5985, 5986. The last two there I know are used by WinRM 2.0, which is being used on a Hyper-V server we have, but the IPS computer source and destination reported by ESET are not related to this machine. ESET itself is showing all of these as "resolved" as it was blocked, and the number of occurrences each time is 1 or 2. All systems show no active alerts on ESET and everything seems to be running okay. I have contacted ESET business support directly as well but have not heard back - any information that may be able to help us identify this would be greatly appreciated!