Pabs, posted January 27:
Hello, I am seeing a large number of TCP Port Scanning Detections in the ESET Protect Cloud portal, all of which *alarmingly* are coming from my machine's private IP address. My question is, how can I drill down / troubleshoot on my machine to figure out what the root cause of this is? Thank you in advance for any assistance.
Marcos (Administrator), posted January 27:
Please provide logs collected with ESET Log Collector from the machine in question.
Pabs (author), posted January 27:
Hi Marcos, I've attached the logs from today, please let me know if I missed anything or if you need anything additional. Also, thank you kindly for the help.
Attachment: ees_logs.zip
Marcos (Administrator), posted January 28:
On this machine the Network protection log is empty, i.e. no attacks were detected. I see in the logs that the Win32/NetTool.Nbtscan.A potentially unsafe application was detected. It's a command line tool that scans for open NetBIOS nameservers on a local or remote TCP/IP network. However, what is not OK is that LiveGrid doesn't work. Probably ekrn cannot communicate with ESET's LiveGrid servers on port 53535 and the communication is blocked by a firewall. To test LiveGrid, download the CloudCar test file from http://amtso.eicar.org/cloudcar.exe. It should be detected as Suspicious object.
Pabs (author), posted January 28:
I did have issues with connecting to LiveGrid yesterday, when I configured GEO-IP filtering on my perimeter firewall appliance. Afterwards, I made a few exceptions for IP ranges related to the LiveGrid servers, so that should be OK now, and ESET Endpoint Security no longer displays the connection issues warning related to LiveGrid. To test the file download I had to make a quick exception since the IP resolves to Germany, but I was able to do that and it did show up as suspicious and was blocked. I think I might know what caused the TCP port scanning... I was messing around with the Spiceworks inventory system and I think it tried to scan things on the network. I'll uninstall that and keep a close eye to see if anything else happens that may not be related, and thank you for all your help!
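The original question (how to drill down on the machine itself to find which process is behind the port-scan detections) is not answered directly in the thread, so here is an added example, not code from the thread or from ESET: it samples the host's outbound TCP connection attempts for a short window with the built-in Get-NetTCPConnection cmdlet and groups them by owning process and remote address, so that a process touching many distinct remote ports on one host (the pattern an inventory scanner such as the Spiceworks agent or a tool like nbtscan produces, and the pattern ESET flags as TCP port scanning) stands out. The sample count and interval are assumed values; run it in an elevated PowerShell session while the detections are occurring.

```powershell
# Added example (not from the thread): attribute scan-like outbound TCP activity
# to a local process. Assumed values: 30 samples, 2 seconds apart (~1 minute).
$Samples  = 30
$Interval = 2
$Seen = @{}   # key: "<pid>|<remote address>" -> set of distinct remote ports

for ($i = 0; $i -lt $Samples; $i++) {
    # SynSent = our side is actively trying to open a connection; a scanner
    # produces a burst of these to many ports, most of which never get Established.
    Get-NetTCPConnection -State SynSent, Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemoteAddress -notin @('0.0.0.0', '127.0.0.1', '::', '::1') } |
        ForEach-Object {
            $key = '{0}|{1}' -f $_.OwningProcess, $_.RemoteAddress
            if (-not $Seen.ContainsKey($key)) {
                $Seen[$key] = New-Object 'System.Collections.Generic.HashSet[int]'
            }
            [void]$Seen[$key].Add($_.RemotePort)
        }
    Start-Sleep -Seconds $Interval
}

# Resolve each PID to a process name and image path (null if it already exited),
# then list the (process, remote host) pairs with the most distinct ports first.
$Seen.GetEnumerator() | ForEach-Object {
    $pidValue, $remote = $_.Key -split '\|', 2
    $proc = Get-Process -Id ([int]$pidValue) -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID           = [int]$pidValue
        Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
        Path          = if ($proc) { $proc.Path } else { $null }
        RemoteAddress = $remote
        DistinctPorts = $_.Value.Count
    }
} | Sort-Object DistinctPorts -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

A legitimate inventory or management agent will show up here as one process name with a high DistinctPorts count per remote address, which is the evidence to pair with the ESET Protect detection before deciding whether to uninstall it or add an exclusion.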