
TCP Port Scanning Attack Detections


Pabs

Hello,

I am seeing a large number of TCP Port Scanning Detections in the ESET Protect Cloud portal, all of which *alarmingly* are coming from my machine's private IP address. My question is, how can I drill down / troubleshoot on my machine to figure out what the root cause of this is? 

Thank you in advance for any assistance. 


Hi Marcos,

I've attached the logs from today, please let me know if I missed anything or if you need anything additional. Also, thank you kindly for the help. 

ees_logs.zip


  • Administrators

On this machine the Network protection log is empty, i.e. no attacks were detected.

I see in the logs that Win32/NetTool.Nbtscan.A potentially unsafe application was detected. It's a command line tool that scans for open NetBIOS nameservers on a local or remote TCP/IP network.

However, what is not OK is that LiveGrid doesn't work. Probably ekrn cannot communicate with ESET's LiveGrid servers on port 53535 and the communication is blocked by a firewall. To test LiveGrid, download the CloudCar test file from http://amtso.eicar.org/cloudcar.exe. It should be detected as Suspicious object.


I did have issues with connecting to LiveGrid yesterday, when I configured GEO-IP filtering on my perimeter firewall appliance. Afterwards, I made a few exceptions for IP ranges related to the LiveGrid servers so that should be OK now and ESET Endpoint Security no longer displays the connection issues warning related to LiveGrid.

To test the file download I had to make a quick exception since the IP resolves to Germany, but I was able to do that and it did show up as suspicious and was blocked. 

I think I might know what caused the TCP port scanning... I was messing around with the Spiceworks inventory system and I think it tried to scan things on the network. I'll uninstall that and keep a close eye to see if anything else happens that may not be related, and thank you for all your help!

ESET_TEST2021-01-28_10-08-48.png

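One way to do the drill-down asked about at the top of the thread, as an added example that is not part of the original posts and is not ESET tooling: it parses `netstat -ano` output and ranks processes by how many distinct remote endpoints they are connecting to, which is the pattern an inventory scanner such as the one mentioned above would produce. The sample rows, PIDs and the threshold are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano -p TCP` output (not taken from the thread's logs).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       980
  TCP    192.168.1.50:49701     192.168.1.10:22        SYN_SENT        4321
  TCP    192.168.1.50:49702     192.168.1.10:80        SYN_SENT        4321
  TCP    192.168.1.50:49703     192.168.1.10:135       TIME_WAIT       0
  TCP    192.168.1.50:49704     192.168.1.11:22        SYN_SENT        4321
  TCP    192.168.1.50:49705     192.168.1.11:445       ESTABLISHED     4321
  TCP    192.168.1.50:49710     203.0.113.7:443        ESTABLISHED     2200
  TCP    [::1]:49720            [::1]:8080             ESTABLISHED     2200
"""

# Proto, local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def fan_out(netstat_text):
    """Map PID -> set of (remote address, remote port) pairs it has sockets to."""
    targets = defaultdict(set)
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _laddr, _lport, raddr, rport, state, pid = m.groups()
        if state == "LISTENING" or pid == "0":
            continue  # listeners have no peer; PID 0 owns TIME_WAIT leftovers
        targets[int(pid)].add((raddr, int(rport)))
    return targets

def suspects(netstat_text, min_endpoints=20):
    """PIDs with at least min_endpoints distinct remote endpoints, busiest first."""
    counts = {pid: len(eps) for pid, eps in fan_out(netstat_text).items()}
    hits = [(pid, n) for pid, n in counts.items() if n >= min_endpoints]
    return sorted(hits, key=lambda item: -item[1])

if __name__ == "__main__":
    # Pipe real `netstat -ano -p TCP` output in, or run bare to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pid, n in suspects(text, min_endpoints=4):
        print(f'PID {pid}: {n} remote endpoints; identify with: tasklist /FI "PID eq {pid}"')
```

netstat does not show connection direction, so a process that accepts many inbound clients will also rank high; repeat the capture while the detections are firing and check the State column (many `SYN_SENT` rows point to outbound probing).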
