Pabs 0 Posted January 27, 2021 Hello, I am seeing a large number of TCP Port Scanning Detections in the ESET Protect Cloud portal, all of which *alarmingly* are coming from my machine's private IP address. My question is, how can I drill down / troubleshoot on my machine to figure out what the root cause of this is? Thank you in advance for any assistance.
Administrators Marcos 5,450 Posted January 27, 2021 Please provide logs collected with ESET Log Collector from the machine in question.
Pabs 0 (Author) Posted January 27, 2021 Hi Marcos, I've attached the logs from today, please let me know if I missed anything or if you need anything additional. Also, thank you kindly for the help. ees_logs.zip
Administrators Marcos 5,450 Posted January 28, 2021 On this machine the Network protection log is empty, i.e. no attacks were detected. I see in the logs that the Win32/NetTool.Nbtscan.A potentially unsafe application was detected. It's a command line tool that scans for open NetBIOS name servers on a local or remote TCP/IP network. However, what is not OK is that LiveGrid doesn't work. Probably ekrn cannot communicate with ESET's LiveGrid servers on port 53535 and the communication is blocked by a firewall. To test LiveGrid, download the CloudCar test file from http://amtso.eicar.org/cloudcar.exe. It should be detected as Suspicious object.
Pabs 0 (Author) Posted January 28, 2021 I did have issues with connecting to LiveGrid yesterday, when I configured GEO-IP filtering on my perimeter firewall appliance. Afterwards, I made a few exceptions for IP ranges related to the LiveGrid servers, so that should be OK now, and ESET Endpoint Security no longer displays the connection issues warning related to LiveGrid. To test the file download I had to make a quick exception since the IP resolves to Germany, but I was able to do that and it did show up as suspicious and was blocked. I think I might know what caused the TCP port scanning... I was messing around with the Spiceworks inventory system and I think it tried to scan things on the network. I'll uninstall that and keep a close eye to see if anything else happens that may not be related, and thank you for all your help!
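The original question asks how to drill down on the endpoint itself to find what is generating scan-like traffic, and the thread resolves to a local tool (nbtscan, then a Spiceworks inventory scan) rather than an external attacker. The following is an added example, not code from the thread or from ESET: it parses `netstat -ano` style output from a Windows host and attributes scan-like connection fan-out to a PID, distinguishing a horizontal sweep (one port, many hosts, the shape a NetBIOS/SMB inventory scan produces) from a vertical scan (one host, many ports). The netstat lines, PIDs and process names below are constructed and hypothetical; thresholds are arbitrary starting points, not ESET's detection logic.

```python
"""Attribute port-scan-like connection fan-out to a local process.

Added example (not from the ESET forum thread): parse `netstat -ano` output,
count distinct remote hosts per (pid, remote port) and distinct remote ports
per (pid, remote host), and flag PIDs that look like a sweep or a scan.
All sample data is constructed; PIDs and process names are hypothetical.
"""
from collections import defaultdict, namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")


def _split_addr(addr):
    """Split 'ip:port' (IPv4) or '[ip]:port' (IPv6) into (ip, port_str)."""
    ip, _, port = addr.rpartition(":")
    return ip.strip("[]"), port


def parse_netstat(text):
    """Parse Windows `netstat -ano` lines; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP" and len(parts) == 5:
            proto, local, remote, state, pid = parts
        elif parts[0] == "UDP" and len(parts) == 4:  # UDP rows have no state column
            proto, local, remote, pid = parts
            state = ""
        else:
            continue
        lip, lport = _split_addr(local)
        rip, rport = _split_addr(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def flag_scanners(conns, host_threshold=8, port_threshold=8):
    """Return {pid: [(kind, key, count), ...]} for scan-like outbound fan-out.

    horizontal: one remote port reached on >= host_threshold distinct hosts
    vertical:   one remote host reached on >= port_threshold distinct ports
    Only outbound TCP attempts (SYN_SENT / ESTABLISHED) count; listeners and
    wildcard remotes are ignored. Thresholds are arbitrary starting values.
    """
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # pid -> port -> {hosts}
    ports_by_host = defaultdict(lambda: defaultdict(set))  # pid -> host -> {ports}
    for c in conns:
        if c.proto != "TCP" or c.state not in ("SYN_SENT", "ESTABLISHED"):
            continue
        if c.remote_ip in ("*", "0.0.0.0", "::"):
            continue
        hosts_by_port[c.pid][c.remote_port].add(c.remote_ip)
        ports_by_host[c.pid][c.remote_ip].add(c.remote_port)
    findings = defaultdict(list)
    for pid, by_port in hosts_by_port.items():
        for port, hosts in by_port.items():
            if len(hosts) >= host_threshold:
                findings[pid].append(("horizontal", port, len(hosts)))
    for pid, by_host in ports_by_host.items():
        for host, ports in by_host.items():
            if len(ports) >= port_threshold:
                findings[pid].append(("vertical", host, len(ports)))
    return dict(findings)


def report(findings, pid_names):
    """Render findings with a PID-to-name map (from `tasklist` on a real host)."""
    out = []
    for pid in sorted(findings):
        name = pid_names.get(pid, "unknown")
        for kind, key, count in findings[pid]:
            if kind == "horizontal":
                out.append(f"PID {pid} ({name}): {count} hosts on remote port {key} (horizontal sweep)")
            else:
                out.append(f"PID {pid} ({name}): {count} ports on host {key} (vertical scan)")
    return out


def build_sample():
    """Constructed `netstat -ano` output: an SMB sweep, a port scan, normal traffic."""
    lines = ["Active Connections", "",
             "  Proto  Local Address          Foreign Address        State           PID"]
    for i in range(20):  # hypothetical PID 4321 sweeping TCP/445 across 20 LAN hosts
        lines.append(f"  TCP    192.168.1.50:{49700 + i}     192.168.1.{10 + i}:445       SYN_SENT        4321")
    for p in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):  # PID 5555, one host
        lines.append(f"  TCP    192.168.1.50:{49800 + p}     192.168.1.10:{p}       SYN_SENT        5555")
    lines.append("  TCP    192.168.1.50:49900     203.0.113.10:443       ESTABLISHED     1234")
    lines.append("  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900")
    lines.append("  UDP    0.0.0.0:137            *:*                                    4")
    return "\n".join(lines)


# Hypothetical PID-to-process map standing in for `tasklist` output.
SAMPLE_PID_NAMES = {4321: "inventory-agent.exe", 5555: "portscan-tool.exe", 1234: "browser.exe"}

if __name__ == "__main__":
    for line in report(flag_scanners(parse_netstat(build_sample())), SAMPLE_PID_NAMES):
        print(line)
```

On the affected endpoint, capture `netstat -ano` a few times while the detections are occurring (a single snapshot only catches connections still in SYN_SENT or ESTABLISHED), feed the text to `parse_netstat`, and map the flagged PIDs with `tasklist`. A PID with a wide horizontal fan-out on 137/139/445 is the signature of a NetBIOS or SMB inventory sweep, which is what the thread's nbtscan detection and the Spiceworks suspicion both describe.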