
TCP Port Scanning Attack Detections



Hello,

I am seeing a large number of TCP Port Scanning Detections in the ESET Protect Cloud portal, all of which *alarmingly* are coming from my machine's private IP address. My question is, how can I drill down / troubleshoot on my machine to figure out what the root cause of this is? 

Thank you in advance for any assistance. 

  • Administrators

On this machine the Network protection log is empty, i.e. no attacks were detected.

I see in the logs that Win32/NetTool.Nbtscan.A potentially unsafe application was detected. It's a command line tool that scans for open NetBIOS nameservers on a local or remote TCP/IP network.

However, what is not ok is that LiveGrid doesn't work. Probably ekrn cannot communicate with ESET's LiveGrid servers on port 53535 and the communication is blocked by a firewall. To test LiveGrid, download the CloudCar test file from http://amtso.eicar.org/cloudcar.exe. It should be detected as Suspicious object.


I did have issues with connecting to LiveGrid yesterday, when I configured GEO-IP filtering on my perimeter firewall appliance. Afterwards, I made a few exceptions for IP ranges related to the LiveGrid servers so that should be OK now and ESET Endpoint Security no longer displays the connection issues warning related to LiveGrid.

To test the file download I had to make a quick exception since the IP resolves to Germany, but I was able to do that and it did show up as suspicious and was blocked.

I think I might know what caused the TCP port scanning... I was messing around with Spiceworks inventory system and I think it tried to scan things on the network. I'll uninstall that and keep a close eye to see if anything else happens that may not be related, and thank you for all your help!

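For the original question (which local process is behind port-scan detections attributed to the machine's own address), one triage approach is to attribute outbound TCP fan-out to process IDs. The sketch below is an added example, not part of any post in this thread and not ESET tooling; it assumes the column layout of Windows `netstat -ano -p tcp`, and the sample rows and the threshold of 10 distinct targets are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -ano -p tcp`
# (not data from the thread): one SMB listener with inbound clients, one
# ordinary HTTPS client, and PID 4312 probing 16 ports on a single host.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State           PID",
     "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
     "  TCP    192.168.1.50:51000     203.0.113.7:443        ESTABLISHED     2200"]
    + [f"  TCP    192.168.1.50:445       192.168.1.{n}:49{n:03d}    ESTABLISHED     4"
       for n in range(100, 112)]
    + [f"  TCP    192.168.1.50:{52000 + p}     192.168.1.10:{p}        SYN_SENT        4312"
       for p in range(20, 36)]
)

def _endpoint(text):
    """Split 'ip:port' or '[ipv6]:port' into (host, port)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)

def outbound_targets(netstat_text):
    """Return {pid: {(remote_host, remote_port), ...}} for outbound TCP rows."""
    rows = [f for f in (line.split() for line in netstat_text.splitlines())
            if len(f) == 5 and f[0] == "TCP" and f[4].isdigit()]
    # Rows whose local port is in LISTENING state are inbound clients, not scans.
    listening = {_endpoint(f[1])[1] for f in rows if f[3] == "LISTENING"}
    targets = defaultdict(set)
    for _, local, remote, state, pid in rows:
        if state == "LISTENING" or int(pid) == 0:
            continue  # PID 0 owns TIME_WAIT rows; they cannot be attributed
        if _endpoint(local)[1] in listening:
            continue
        targets[int(pid)].add(_endpoint(remote))
    return targets

def suspected_scanners(netstat_text, min_targets=10):
    """PIDs contacting at least min_targets distinct host:port pairs (assumed threshold)."""
    flagged = {}
    for pid, seen in outbound_targets(netstat_text).items():
        if len(seen) >= min_targets:
            flagged[pid] = {"targets": len(seen),
                            "hosts": len({h for h, _ in seen}),
                            "ports": len({p for _, p in seen})}
    return flagged

if __name__ == "__main__":
    for pid, stats in suspected_scanners(SAMPLE).items():
        print(pid, stats)
```

A snapshot only catches a scan that is in progress, so capture the `netstat` output while the detections are being raised; a flagged PID can then be resolved to a program name with `tasklist /FI "PID eq <pid>"`.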
