Help with strange scan results please

Hi guys, I have this strange phenomenon when checking my browser's vulnerability.
First I do a scan at pcFlank and get a mild result, as
shown in the picture.
Then I do some verification by targetting the suspectedly weak ports, and pcflank
confirms
I then go to Steve Gibson's ShieldsUp! to see
what I get, and there I get a perfect stealth result. Same thing when I go over to
Sygate
I don't know what to think! Help!
These differences have been going on for a long while now, but I have absolutely no explanation for
these.
I tried it with several firewalls in turn, and always get the same sets of results.
Any ideas?
Thanks a lot.

Edit: Can't get my attachments to upload.
Basically; the results at pcflank are: all stealthed, except for 135, 137, 138, 139 which are closed.
At GRC: all stealthed, these four included. Stealth again at Sygate.
Thanks

 

Offhand, the only difference I see with the scans is that Sygate and GRC uses ridiculously high port numbers to scan whereas PCFlank uses a more normal 1024 to 5000 range (I'm guessing the range). Your firewalls may be treating the PCFlank scans as normal traffic and letting them through. Your computer isn't responding to them, so that's good.

 

Here's another alternative.

Give Windows Worms Doors Cleaner v1.4.1 a test ride.

 

Hello guys
I ran GRC, and the site scans all ports, one by one, starting from 1 to 1024, which is the "normal range for TCP/IP systems.
Brinn, why would a firewall let some traffic through when it's a scan that's supposed to be stopped?
BTW, GRC has a custom ports probe at disposal at the same adress:
134
Stealth ingres-net
INGRES-NET Service

135
Stealth dcom-scm
DCOM Service Control Manager

136
Stealth profile
PROFILE Naming System

137
Stealth netbios-ns
NetBIOS Name Service

138
Stealth netbios-dgm
NETBIOS Datagram Service

139
Stealth netbios-ssn
NETBIOS Session Service

140
Stealth emfis-data
EMFIS Data Servic

 

That would be the destination ports for the scans (ie. your comp). I'm talking about the packet source ports.

 

Hi. Very interesting thought...
Why would the firewalls treat any site as normal traffic? Any ideas why the firewalls might react in such a way with some sites?

 

Not so much the site but the ports used. And really, a firewall doesn't distinguish between normal traffic and abnormal traffic. It allows and disallows traffic based on its rules. Bad rules = bad results.

Say your computer is communicating with another on a network. Your computer would likely use a port in the 1024 to 5000 range. The firewall may see this as normal network traffic and let it through because of its default rules. It may not let traffic coming from an unusual port through because of those same rules.

When I did those scans you listed, the pcflank site used ports in the 3,000 range to scan me. Sygate used ports in the 30,000 to 60,000 range. GRC used ports that were in the 60,000+ range. All were blocked because of my rules.

This is just a theory I threw together without knowing anything about the firewalls you used and their settings. The ports used by the test sites was the only thing that really stood out at me when I looked at my logs.

 

It's entirely possible that your ISP is blocking those ports as well, and some sites may deal with that differently than others (If EVERYONE on ACME Internet Service has ports "closed", then you're still basically stealthed, right?). I would contact the different websites about the reports and see what they have to say, as they are going to have more detailed knowledge about how their scanners work, and may have better insight about the different results. Please do let us know, I would be interested in hearing what they have to say.

 

Operafox, do you have specific rules for those port ranges.... see my pic... you can always **make sure** they are covered by rules.

However, hardhead's post above gave the ultimate link with WWDC blocking perfectly...

I, and many others here probably, used it to totally block that port range, I did have those rules in place though before I had that tool.

Give that a shot, and try again. Mine all show 'Stealthed' or 'Blocked' whatever the terminology of different sites are.

TAS

PS: Rhetorical question maybe but, you are scanning YOUR IP addy aren't you. I mean sometimes an ISP may be working thru a proxy themselves, and you can get the results of 'their' Port range from their IP. Just that I experienced this once a long time back and I got panicky 'cause I could see all these 'Open' ports, until I realised I was scanning my ISP. Just a thought

 

This is the app which hardhead's link to Windows Worms Door Cleaner is about....very nifty, and totally easy to use.

TAS