Exclude TCP Port Scanning Attack not working

[mtellefson 0]

I am in the process of upgrading from Eset version 5 to 7.  We use Spiceworks to track inventory of all our computers so when it tries to contact any of the computers, ESET blocks it and records a TCP Port Scanning Attack.  Originally I was receiving ARP Cach Poisoning Attack alerts from the same server and I created an IDS exception and they stopped.  I added the TCP Port Scanning Attack exception in the same place and applied it to all computers but I still have the alerts showing up in the threats.  Any ideas what I am missing?

[Marcos 5,074]

Please collect logs from the client with ESET Log Collector and post the generated archive here. Basically an exception like this should work:

 

[mtellefson 0]

I should have explained a little better.  This is happening on several computers.  I set the exception through a policy that I applied to all computers.  The log files are attached.

ees_logs.zip

[itman 1,659]

Try entering the TCP Port Scanning attack exception w/o an IP address.

If the above doesn't work, you might have to exclude the displaying of IDS after detection alerts as shown in this Eset knowledge base article: http://support.eset.com/kb2951/ . As the article states, only the alerting is being disabled; not the IDS protections.

Also assuming your external network gateway has like WAN side TCP port scanning detection capability and mitigation, you could just disable the Eset IDS TCP Port Scanning attack detection on the endpoints.

Edited August 27, 2019 by itman