Detected port scanning

Eset smart security 5.0.95.0

I have router with lan adress 10.0.0.1

Code:

PC1 - 10.0.0.2
PC2 - 10.0.0.3
other stuff - 10.0.0.4 ....

when I run total commander and when I click to NET than I see all connected computer

but when I try acces from PC2 to PC1 than i see Detected port scanning with IP from PC1 (10.0.0.2)

trusted zone -on PC2 - same for PC1

Code:

IP -127.0.0.1
Subnet - 10.0.0.0 / 255.255.255.0 
IPv6 adress - ::1
IPv6 subnet - fe80::/64

from personal firewall log

Code:

1.2.2012 11:32:22	No application listening on the port	10.0.0.2:17500	10.0.0.255:17500	UDP

port 17500 is used by dropbox only on pc 1 - from Network 0.0.0.0:17500 listening

how to solve this isue?

 

bump.

 

Good luck. I let my subscription expire 10 days ago because of this problem. Whenever I would try to share files on my home network I would get a port scan warning and then they would stop communicating. Adding to trusted zone, whatever, the only thing that worked was to disable the firewall on both computers. If they can figure out how to fix these issues I may come back some day, but when I, as an IT director cannot figure out how to get a firewall to allow sharing files on 2 computers on the same local network... maybe someone will reply with a working answer. I will be watching as well.

 

Port scan attacks are likely reported correctly; there has been no FP with this detection. The question is why they are occurring in this case. Please continue as follows:
1, enable packet logging as per the instructions here
2, enable logging of blocked connections in the IDS setup
3, reproduce the issue
4, collect the following stuff and submit it to Customer care:

• firewall log
• pcap log (per the KB article)
• ESS configuration exported to xml
• network toppology (list devices with their IP addresses)

5, disable the logging

 

I don't want to hijack this thread but for clarification of what is happening here...
I am sure it is not a false positive. From what I can determine when I try to access a share on my local network, Windows itself from the other PC attempts to locate any shares on the other machine. I believe this to be normal behavior. There literally is a port scan coming from the other machine. It is a function of file sharing. That said (for the purpose of comparison, not to promote any particular product) Norton does the same thing. However, the difference is that with that product, you can add affected PCs to the Trust Control and that is the end of the problem if you set it to "Full Trust". With ESS I cannot find ANY exclusion that stops communication from being blocked. At that point I have to disable the firewall on both ends to get files moved around. Even at that point the transfer is painfully slow as though something is still interfering.

That said I would love to love ESS, I would even like to renew IF I can find a resolution to this issue. I like the simplicity and speed of ESS, and get tired of the extra bloated features of other suites. It's interface is second to none. This one issue is a deal breaker however. I cannot test it myself at this point without renewing as my license is expired but if I see anyone can resolve this situation I will renew for another year.

 

What about adding your trusted zone subnet to the list of addresses excluded from active protection (IDS)?

 

Thanks for the reply. I have tried excluding the subnet of 255.255.255.0, I have tried excluding the specific IP address of the PC being blocked, I have tried excluding the entire 192.168.1.* range of IPs, none of it has worked. I have tried all of these both individually and all together on both PCs with no luck. Sometimes after a clean install of ESS they would work for a couple of minutes, and then it would stop working and I get not get it to work again without uninstalling and reinstalling and repeating the entire process, only to end up in the same place.

 

Could you please collect the stuff listed above in post #4, upload it somewhere and PM me the download link? I assume we should be able to figure out the cause then. In the mean time, try disabling address blocking after attack detection in the IDS setup.

 

If that was directed at me, I can't do anything with the expired license I have now, and I am not willing to spend the $60 to renew if I can't verify the issue can be resolved.

 

Any new progress? Or it is now fixed?

how to recreate

needed: router + 2 PC
router IP 10.0.0.1
pc1 windows 7 with dropbox 10.0.0.2
pc2 windows 7 without dropbox 10.0.0.3
try acces from PC2 to PC1

 

Actually I got it to stop. Add your entire subnet to both the trusted zone and as an exclusion to intrusion detection and that should stop it.

 

We have published a new article in the ESET Knowledgebase for the specific "Detected Port Scanning" issue.

• How do I resolve "Detected Port Scanning Attack" notifications?

 

Which basically says to update, scan, and then disable the notification. Fine for those that just don't want to be notified. It will do nothing to stop it from blocking the connection. Not only will the user still be blocked they now will get no notification as to why. The user will still need to set up exclusions if they want to be able to share files on their local network.

 

Thanks for the feedback. From what we can determine from users, including how we interpreted the issue from the original post in this thread, these notifications don't cause connectivity issues with applications or a network.

For users who are receiving the "Detected port scanning" notices AND experiencing connectivity issues with a program or network resource, then these instructions are not applicable. In that case, ESET would request a firewall log because it is a different issue. We will update the article to make this more clear.