Win32/Botnet.generic TCP Port Scan attack local network



Hi,

 

Hoping someone out there will be able to help provide additional information to help track down whether these reports are malicious or false positives. Recently we've been getting this notification (TCP Port Scan attack Win32/Botnet.generic). We've looked at one of the machines with Process Explorer and also checked open network activity and did not spot anything out of the ordinary, and there were no known hits from VirusTotal either on any currently open processes. ESET did not report an application.

 

The ports being used are mostly consistent and do not align with any known applications on our end. The ports are:

7000
660
5985
5986

 

The last two there I know are used by WinRM 2.0, which is being used on a Hyper-V server we have, but the IPS computer source and destination reported by ESET are not related to this machine.

 

ESET itself is showing all of these as "resolved" as it was blocked, and the number of occurrences each time is 1 or 2. All systems show no active alerts in ESET and everything seems to be running okay.

 

I have contacted ESET business support directly as well but have not heard back. Any information that may be able to help us identify this would be greatly appreciated!


  • Administrators

I assume the question is not whether the detection is correct or if it's a false positive but you want to identify the process that generates port scans on particular machines? Did you run "netstat -abo -p TCP" and try to find a suspicious process in the list?

You can also provide logs for perusal:
1. Enable advanced network protection logging under Tools -> Diagnostics before a port scan occurs (shortly before port scan detection occurs).
2. After port scan detection, disable logging.
3. Collect logs with ESET Log Collector and upload the generated archive here.


22 hours ago, kaboomcanuck said:

but the IPS computer source and destination reported by ESET are not related to this machine.

This is expected when IDS protection is detecting TCP port scan. The attack is being done from device/s external to the local subnet.

Do you have a network perimeter firewall/etc. appliance installed? It should be blocking this type of external network traffic from being passed to the local subnet.

Ditto for just a router protecting the local subnet. Most have a firewall/IDS that blocks this type of port scanning network traffic.


  • ESET Staff

@kaboomcanuck Unfortunately your description of the issue does not allow us to identify the source of the TCP Port Scan (Win32/Botnet.generic) detections. This means we cannot yet state whether these are being performed by an internal or external IP address. The best way for us to see what was detected would be to gather ESET Log Collector logs and provide them to us.

At a minimum, please perform step 3 of Marcos' steps.

5 hours ago, Marcos said:

1. Enable advanced network protection logging under Tools -> Diagnostics before a port scan occurs (shortly before port scan detection occurs).
2. After port scan detection, disable logging.
3. Collect logs with ESET Log Collector and upload the generated archive here.

If the source IPs are public IP addresses, and the local ports do not need to be exposed to the internet, you should close off these ports from the internet (disable port forwarding, place the device behind a NAT/firewall, etc.). Any services that can be used to administer a network should not be exposed to all public IPs on the internet and should be restricted to only IPs which are trusted and allowed to connect. It would be best to block any and all public IPs to administrative services/ports and only allow access to these via private IPs and/or a VPN.

 

If the source IPs are private IPs, you will need to locate the devices with these private IPs and identify whether they are devices intended to be performing port scans of the network. If they are not intended to be performing port scans, you will want to ensure endpoint protection is installed and any AV scans have been performed to help rule out malware as the cause. Keep in mind that some software will actively scan a network to identify other devices, and that it may not be malware performing the TCP port scans.

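The two triage steps suggested above, Marcos' "netstat -abo -p TCP" lookup of the process behind a port and the distinction the ESET staff reply draws between private and public source IPs, can be combined into one script. The following PowerShell is an added example written for this thread, not code from ESET or from any poster. The alert records in $Alerts are constructed to match the ports named in the original post (7000, 660, 5985, 5986); the 203.0.113.9 entry is a documentation (TEST-NET-3) address standing in for a public source. Get-NetTCPConnection and Get-Process are standard Windows cmdlets; the function names Test-PrivateIPv4 and Get-ListenerForPort are this example's own.

```powershell
# Added example (not from the thread): triage ESET "TCP Port Scan" alerts by
# (1) classifying the reported source IP as private or public, which decides
#     whether to hunt on the LAN or to close the port at the perimeter, and
# (2) resolving which local process listens on the reported local port,
#     the cmdlet equivalent of "netstat -abo -p TCP".

# Constructed sample alerts; real alerts come from the ESET network protection log.
$Alerts = @(
    [pscustomobject]@{ Source = '192.168.10.55'; LocalPort = 5985 },
    [pscustomobject]@{ Source = '10.0.4.12';     LocalPort = 7000 },
    [pscustomobject]@{ Source = '203.0.113.9';   LocalPort = 5986 },  # TEST-NET-3, stands in for a public IP
    [pscustomobject]@{ Source = '172.20.1.3';    LocalPort = 660 }
)

function Test-PrivateIPv4 {
    # True for RFC 1918 ranges, link-local (169.254/16) and loopback (127/8).
    param([Parameter(Mandatory)][string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 127)
}

function Get-ListenerForPort {
    # Returns one record per process listening on $Port, with PID, name and image path.
    param([Parameter(Mandatory)][int]$Port)
    $conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<unknown>' }
        $path = if ($proc) { $proc.Path } else { $null }   # Path is empty for protected/system processes
        [pscustomobject]@{ Port = $Port; Pid = $c.OwningProcess; Process = $name; Path = $path }
    }
}

foreach ($a in $Alerts) {
    $scope = if (Test-PrivateIPv4 $a.Source) {
        'PRIVATE source: locate this device on the LAN and check what is scanning'
    } else {
        'PUBLIC source: this port should not be reachable from the internet; close it at the perimeter'
    }
    Write-Host ("Alert from {0,-15} -> local port {1,5}: {2}" -f $a.Source, $a.LocalPort, $scope)

    $listeners = Get-ListenerForPort -Port $a.LocalPort
    if ($listeners) {
        foreach ($l in $listeners) {
            Write-Host ("    listener: PID {0} {1} {2}" -f $l.Pid, $l.Process, $l.Path)
        }
    } else {
        Write-Host "    no local process is listening on this port (the scan hit a closed port)"
    }
}
```

Run it on the machine ESET named as the destination of the scan, from an elevated prompt so that Get-Process can return image paths for system services; on a host with WinRM enabled, 5985/5986 will resolve to the svchost instance hosting WinRM, which confirms the service is listening but says nothing about who scanned it. The source-IP classification is the part that decides the next step: a private source means finding the scanning device (and checking whether it is legitimate discovery software rather than malware), a public source means the port is exposed and should be removed from the perimeter or restricted to trusted IPs or a VPN, as the staff reply describes.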

  • 2 months later...

Another thing to note here is that ESET IDS protection can detect non-specific port scanning activities and will display an alert as shown in this knowledge base article: https://support.eset.com/en/kb2951-resolve-detected-port-scanning-attack-notifications

However, in regards to this posting, ESET appears to be detecting port scanning related to botnet activity and alerting as such. This leads me to believe that ESET Botnet protection was the primary activity detector. Related article: https://support.eset.com/en/kb7487-resolve-the-incomingattackgeneric-or-botnetcncgeneric-network-protection-alert

Edited by itman
