Detected Port Scanning attack from trusted Zone PC

Discussion in 'ESET Smart Security' started by patch, Dec 17, 2011.

Thread Status:
Not open for further replies.
  1. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    I am getting intermittent Port scan attacks from other computers in my home network since upgrading to ESS 5 from ESS 4. It mostly occurs during heavy data transfer. Is this normal?

    I have configured ESS5 in Interactive mode
    "IDS and advanced mode" Default except
    Allow UPNP for system services in the trusted zone
    Allow multicast address resolution in the trusted zone
    Log all blocked connections
    Log all blocked incoming worm attacks

    Trusted zone has manually added
    Router (Draytek Vigor2830Vn Firmware Version: 3.3.6) 192.168.0-192.168.1.1
    Usual PC and mobile phones 192.168.20-192.168.1.37

    Note
    This laptop is an Asus U50vg running W7-32 SP1 Home Premium. A full disk scan is run several times a week with ESS5. ShadowProtect backs up from laptop (192.168.1.30) to Desktop (192.168.20). File sharing is via user name and password rather than Windows managed homegroups.

    192.168.20 PC running W7-32 SP1 Professional, ESS5, used as file server (peer to peer)
    192.168.1.30 This laptop's wired Ethernet port
    192.168.1.31 This laptop's wireless port
    122.49.191.253 My ISP secondary DNS

    Firewall log from just before the most recent power-on is:
    Code:
    18/12/2011 9:21:36 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49340	TCP			
    18/12/2011 9:21:35 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:35 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:32 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:32 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:29 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:29 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:25 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:25 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:22 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:22 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:19 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:19 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:18 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49338	TCP			
    18/12/2011 9:21:15 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:15 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:12 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:12 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:09 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:09 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:05 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:05 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:10 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:10 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:07 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:07 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:03 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:03 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:00 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:21:00 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:57 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:57 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:53 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:53 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:51 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49332	TCP			
    18/12/2011 9:20:50 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:50 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:47 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:47 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:43 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:43 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:40 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:40 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:39 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49331	TCP			
    18/12/2011 9:20:37 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:36 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:35 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:33 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:33 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:33 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:32 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:30 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:30 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:30 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:29 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:27 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:27 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:27 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:26 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:24 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:23 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:23 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:23 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:21 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:20 AM	Communication denied by rule	192.168.1.30:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:20 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:20 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:18 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:17 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:17 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:17 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:15 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:20:13 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:13 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:10 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:10 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:07 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:07 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:03 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:03 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:00 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:20:00 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:19:57 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:19:57 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:19:53 AM	Address temporarily blocked by active defense (IDS)	192.168.1.20:5355	192.168.1.31:59680	UDP			
    18/12/2011 9:19:53 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:59680	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:64473	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:64473	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:64371	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:64371	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:65352	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:65352	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:65468	UDP			
    18/12/2011 9:19:53 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:65468	UDP			
    18/12/2011 9:19:51 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:53450	UDP			
    18/12/2011 9:19:51 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:53450	UDP			
    18/12/2011 9:19:42 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49298	TCP			
    18/12/2011 9:19:41 AM	TCP packet not belonging to any open connection	74.125.79.16:993	192.168.1.30:49293	TCP			
    18/12/2011 9:19:40 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:58797	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:58797	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:52635	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:52635	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:51597	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:51597	UDP			
    18/12/2011 9:19:39 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:60548	UDP			
    18/12/2011 9:19:38 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:60548	UDP			
    18/12/2011 9:19:37 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:50191	UDP			
    18/12/2011 9:19:37 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:50191	UDP			
    18/12/2011 9:19:37 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:59545	UDP			
    18/12/2011 9:19:37 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:59545	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:60135	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:60135	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:57183	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:57183	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:60272	UDP			
    18/12/2011 9:19:17 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:60272	UDP			
    18/12/2011 9:18:54 AM	No application listening on the port	192.168.1.20:5355	192.168.1.31:56148	UDP			
    18/12/2011 9:18:54 AM	No application listening on the port	192.168.1.20:5355	192.168.1.30:56148	UDP			
    18/12/2011 9:18:28 AM	Communication denied by rule	192.168.1.30:49258	192.168.1.20:5357	TCP	Block outgoing Web Services Discovery (WSD Events) requests for svchost.exe	C:\Windows\System32\svchost.exe	NT AUTHORITY\LOCAL SERVICE
    18/12/2011 9:18:27 AM	Communication denied by rule	192.168.1.30:49256	192.168.1.25:5357	TCP	Block outgoing Web Services Discovery (WSD Events) requests for svchost.exe	C:\Windows\System32\svchost.exe	NT AUTHORITY\LOCAL SERVICE
    18/12/2011 9:18:26 AM	No application listening on the port	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:18:26 AM	No application listening on the port	192.168.1.20:56176	239.255.255.250:1900	UDP			
    18/12/2011 9:18:05 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:05 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:05 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:05 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:04 AM	No application listening on the port	192.168.1.30:68	255.255.255.255:67	UDP			
    18/12/2011 9:18:04 AM	No application listening on the port	192.168.1.30:68	255.255.255.255:67	UDP			
    18/12/2011 9:18:04 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:03 AM	No application listening on the port	122.49.191.253:53	192.168.1.30:61439	UDP			
    18/12/2011 9:18:03 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:02 AM	Communication denied by rule	192.168.1.31:137	255.255.255.255:137	UDP	Block NETBIOS Name Service requests	System	
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	255.255.255.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	255.255.255.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	255.255.255.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	255.255.255.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	192.168.1.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	192.168.1.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:137	192.168.1.255:137	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:68	255.255.255.255:67	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	192.168.1.30:68	255.255.255.255:67	UDP			
    18/12/2011 9:18:02 AM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    18/12/2011 9:18:00 AM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    18/12/2011 9:17:58 AM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP			
    17/12/2011 11:11:04 PM	Packet blocked by active defense (IDS)	192.168.1.36	192.168.1.36	ARP			
    17/12/2011 11:11:04 PM	Packet blocked by active defense (IDS)	192.168.1.36	192.168.1.36	ARP			
    17/12/2011 11:11:03 PM	Packet blocked by active defense (IDS)	192.168.1.36	192.168.1.36	ARP			
    17/12/2011 11:11:03 PM	No application listening on the port	192.168.1.1:67	255.255.255.255:68	UDP			
    17/12/2011 11:11:03 PM	No application listening on the port	0.0.0.0:68	255.255.255.255:67	UDP
    Filtering for "Port Scanning" gives an idea of its frequency.
    Note: ShadowProtect does an incremental backup every 2 hours starting at 7am, so it is an example of a high-speed data transfer.
    Code:
    18/12/2011 11:00:50 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:50225	UDP			
    18/12/2011 9:46:44 AM	Detected Port Scanning attack	192.168.1.25:3702	192.168.1.30:59464	UDP			
    18/12/2011 9:19:53 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:59680	UDP			
    17/12/2011 11:00:38 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:65242	UDP			
    17/12/2011 9:00:38 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:59462	UDP			
    17/12/2011 7:00:54 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:55118	UDP			
    17/12/2011 6:12:41 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:61962	UDP			
    17/12/2011 5:00:52 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:54691	UDP			
    17/12/2011 1:00:38 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49796	UDP			
    17/12/2011 10:58:02 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51919	UDP			
    16/12/2011 9:00:38 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:59529	UDP			
    16/12/2011 7:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51246	UDP			
    16/12/2011 5:02:53 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62825	UDP			
    16/12/2011 3:00:53 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:50945	UDP			
    16/12/2011 1:37:19 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49744	UDP			
    14/12/2011 10:11:22 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:56572	UDP			
    14/12/2011 9:43:15 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:52537	UDP			
    14/12/2011 9:12:23 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49456	UDP			
    14/12/2011 9:00:40 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:61836	UDP			
    14/12/2011 8:36:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49776	UDP			
    14/12/2011 8:24:54 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62139	UDP			
    13/12/2011 9:00:49 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62995	UDP			
    13/12/2011 7:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51723	UDP			
    13/12/2011 6:02:06 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:64301	UDP			
    12/12/2011 11:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:64405	UDP			
    12/12/2011 9:00:49 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51012	UDP			
    12/12/2011 8:49:19 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:54632	UDP			
    12/12/2011 7:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:58832	UDP			
    12/12/2011 5:00:48 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:59666	UDP			
    12/12/2011 3:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:56828	UDP			
    12/12/2011 1:00:48 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62581	UDP			
    12/12/2011 11:00:38 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51941	UDP			
    12/12/2011 9:00:53 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62365	UDP			
    12/12/2011 8:14:05 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:52448	UDP			
    12/12/2011 7:00:57 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:63726	UDP			
    12/12/2011 6:43:34 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:50240	UDP			
    11/12/2011 11:00:41 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51005	UDP			
    11/12/2011 9:00:48 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62170	UDP			
    11/12/2011 7:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:61273	UDP			
    11/12/2011 5:14:01 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:64139	UDP			
    11/12/2011 4:59:52 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:62244	UDP			
    11/12/2011 4:46:49 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:58329	UDP			
    11/12/2011 4:34:01 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:54409	UDP			
    11/12/2011 3:00:48 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:64728	UDP			
    11/12/2011 1:21:17 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.31:57644	UDP			
    11/12/2011 1:00:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:58533	UDP			
    11/12/2011 12:44:48 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49295	UDP			
    11/12/2011 12:28:25 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51097	UDP			
    11/12/2011 12:08:51 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:54013	UDP			
    11/12/2011 11:00:40 AM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:51279	UDP			
    30/11/2011 9:00:39 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:49470	UDP			
    30/11/2011 7:06:47 PM	Detected Port Scanning attack	192.168.1.20:5355	192.168.1.30:50466	UDP
     
    Last edited: Dec 17, 2011
  2. erico

    erico Registered Member

    Joined:
    Feb 21, 2008
    Posts:
    5
    I have been experiencing the very same issue. Port scanning attack from within my network's subnet.

    Is there a setting that we are missing that prevents this? Even leaving settings to default and connecting to the network with another PC causes this. In my case the attack address belongs to my wireless HP PhotoSmart printer.

    regards,
    erico
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you want to disable IDS detections within the TZ, add the TZ subnet to the list of addresses excluded from active protection in the zone setup.
     
  4. bilzebub

    bilzebub Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    3
    I could probably do that, but it is a bit of a hassle -- and more importantly, my mother, who also runs eset, would not know how to. Isn't there a more elegant solution?

    Thanks for V5 though: my complaint in no way means that I don't appreciate all the work that has gone into this!
     
  5. kairii

    kairii Registered Member

    Joined:
    Sep 9, 2004
    Posts:
    76
    I also just upgraded to ESET Security Suite V5 and have been getting the "detected port scanning attack" from computers within my network. It is getting very annoying.

    Is this the only work around? I had no problem with V4, therefore the new version is buggy. Please FIX IT.
     
  6. dmaasland

    dmaasland Registered Member

    Joined:
    Nov 10, 2010
    Posts:
    468
    Well if it detects a port scanning attack, there is actually something scanning ports. How can you be sure it's a false positive?
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No changes have been made regarding port scan detection except that v5 displays alerts after an attack detection. If you haven't changed anything in your network after upgrading to v5, you'd most likely get the same warning in the ESET firewall log after downgrading to v4.

    If you want to make sure, enable special firewall logging as per the instructions here. After booting to normal mode, start capturing the network traffic using Wireshark and reproduce the attack detection. Finally convey the following stuff to customer care for perusal:
    - Wireshark pcap log
    - EpfwLog.pcap
    - ESET firewall log exported to a text file
     
    Last edited: Jan 2, 2012
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Then the only option is to disable the port scan attack detection. Which should not be risky if you're behind a router.
     
  9. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Thought I should provide an update to this issue, and my attempts to fix it.
    1) Uninstall ESS 5 using the
    a) standard method including deleting the directories described http://kb.eset.com/esetkb/index?page=content&id=SOLN93
    b) Reinstalled ESS 5 on the computer from which the attacks originated
    c) -> no change, attacks still occurred.

    2) Uninstall ESS 5 using the
    a) Standard method again http://kb.eset.com/esetkb/index?page=content&id=SOLN93
    b) then with the manual uninstaller http://kb.eset.com/esetkb/index?page=content&id=SOLN2289
    c) Then remove all registry entries containing the whole word "ESET"
    d) Reinstall ESS 5
    e) -> no more "Port Scanning attacks" from this computer

    I assume ESET was somehow incorrectly configured / installed, the error carrying across installs. Hope this helps others.
    The clean reinstall process could be usefully improved in ESET, but as it is now working for me I'm not that concerned any more.
     
  10. xxJackxx

    xxJackxx Registered Member

    Joined:
    Oct 23, 2008
    Posts:
    4,047
    Location:
    USA
    I solved this problem on my network (finally) by adding my local subnet to BOTH the trusted zone and addresses excluded from IDS. Just another option for anyone looking for a solution.
     
  11. Atul88

    Atul88 Registered Member

    Joined:
    Dec 8, 2011
    Posts:
    259
    Location:
    India
    This is a serious BUG for a reputed company like ESET!!:mad: :mad:
    I myself am facing this issue!!!
     
  12. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Update
    It occurred again.

    I was having a problem with slow display of computers in the local workgroup, so I enabled ESS -> Setup -> Network -> Advanced Personal firewall setup...
    Allow UPNP for system services in the trusted zone
    Allow multicast address resolution in the trusted zone (LLMNR)

    The port scanning from the workgroup computer in the trusted zone started to occur again.
    As before it occurred at times of increased network traffic.
    Reverting the above settings to their default values and the port scanning stopped.

    Seems ESS does not like one of these protocols.
    Hopefully this will help ESET fix it, or others work around it.


    Note:
    I have W7sp1 32b on several computers running ESET ESS 5.0.95.0
    and XP on another running ESS 4.2.71.2 (as I haven't upgraded it yet)
    On all computers Windows and ESS are fully up to date.
    ESS is set to "log all blocked connections" and "Log blocked incoming worm attacks"
    Peer to peer file sharing is via password not home groups
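The following is an added example, not ESET code and not ESET's actual IDS heuristic: a small Python triage script over log lines in the tab-separated export format patch posted in post 1, covering both the LLMNR (UDP 5355) bursts shown there and the observation in the post above that enabling multicast address resolution brings the detections back. It uses a generic "many distinct destination ports from one source within a few seconds" rule as a stand-in for the detector, and then separates discovery-protocol replies from inside an assumed trusted zone of 192.168.1.0/24 from a real sweep. The sample log is constructed: the 192.168.1.20:5355 rows mirror the thread's entries, while the 203.0.113.5 rows (RFC 5737 documentation range) are an invented TCP sweep added for contrast.

```python
"""Triage of ESET firewall-log 'port scanning' entries versus LAN discovery replies.

Added example for this thread, not ESET code. The scan rule below is a generic
stand-in (many distinct destination ports from one source within a few seconds),
not ESET's real IDS logic. It shows why a burst of LLMNR (UDP 5355) replies from
one trusted-zone host to many ephemeral ports on this machine trips such a rule,
and how a trusted-zone/discovery-port allowlist separates that from a real sweep.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Service ports of LAN discovery protocols. Their replies come FROM this fixed
# port TO many ephemeral client ports, which is the shape a scan heuristic keys on.
DISCOVERY_PORTS = {5355: "LLMNR", 1900: "SSDP/UPnP", 3702: "WS-Discovery", 137: "NetBIOS-NS"}

# Constructed sample in the thread's tab-separated export format. The
# 192.168.1.20:5355 rows mirror the ones in the thread; the 203.0.113.5 rows
# (RFC 5737 documentation range) are an invented TCP sweep for contrast.
SAMPLE_LOG = """\
18/12/2011 9:19:53 AM\tNo application listening on the port\t192.168.1.20:5355\t192.168.1.30:64473\tUDP
18/12/2011 9:19:53 AM\tNo application listening on the port\t192.168.1.20:5355\t192.168.1.30:64371\tUDP
18/12/2011 9:19:53 AM\tNo application listening on the port\t192.168.1.20:5355\t192.168.1.30:65352\tUDP
18/12/2011 9:19:53 AM\tNo application listening on the port\t192.168.1.20:5355\t192.168.1.30:65468\tUDP
18/12/2011 9:19:51 AM\tNo application listening on the port\t192.168.1.20:5355\t192.168.1.30:53450\tUDP
18/12/2011 9:19:53 AM\tDetected Port Scanning attack\t192.168.1.20:5355\t192.168.1.30:59680\tUDP
17/12/2011 11:11:04 PM\tPacket blocked by active defense (IDS)\t192.168.1.36\t192.168.1.36\tARP
18/12/2011 9:30:01 AM\tNo application listening on the port\t203.0.113.5:44123\t192.168.1.30:21\tTCP
18/12/2011 9:30:01 AM\tNo application listening on the port\t203.0.113.5:44124\t192.168.1.30:22\tTCP
18/12/2011 9:30:02 AM\tNo application listening on the port\t203.0.113.5:44125\t192.168.1.30:23\tTCP
18/12/2011 9:30:02 AM\tNo application listening on the port\t203.0.113.5:44126\t192.168.1.30:25\tTCP
18/12/2011 9:30:03 AM\tNo application listening on the port\t203.0.113.5:44127\t192.168.1.30:80\tTCP
"""


def _endpoint(field):
    """Split 'ip:port' into (ip, port). ARP rows carry a bare address and no port."""
    if ":" in field:
        ip, port = field.rsplit(":", 1)
        return ip, int(port)
    return field, None


def parse_log(text):
    """Parse exported log lines: timestamp, event, source, destination, protocol."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("\t")
        src, sport = _endpoint(f[2])
        dst, dport = _endpoint(f[3])
        rows.append({"ts": datetime.strptime(f[0], "%d/%m/%Y %I:%M:%S %p"),
                     "event": f[1], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "proto": f[4]})
    return rows


def naive_scan_sources(rows, window=timedelta(seconds=5), threshold=5):
    """Return {source_ip: burst_rows} for sources that touch at least `threshold`
    distinct local ports within `window`. This is the rule that misfires on LLMNR."""
    by_src = defaultdict(list)
    for r in rows:
        if r["dport"] is not None:          # skip ARP rows, which have no port
            by_src[r["src"]].append(r)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(evs):
            burst = [r for r in evs[i:] if r["ts"] - first["ts"] <= window]
            if len({r["dport"] for r in burst}) >= threshold:
                flagged[src] = burst
                break
    return flagged


def triage(flagged, trusted_zone):
    """Label each flagged burst: UDP replies from a discovery-protocol service port
    by a host inside the trusted zone are benign; anything else needs a look."""
    zone = [ipaddress.ip_network(z) for z in trusted_zone]
    verdicts = {}
    for src, burst in flagged.items():
        in_zone = any(ipaddress.ip_address(src) in z for z in zone)
        sports = {r["sport"] for r in burst}
        protos = {r["proto"] for r in burst}
        if in_zone and protos == {"UDP"} and sports <= set(DISCOVERY_PORTS):
            names = ",".join(sorted(DISCOVERY_PORTS[p] for p in sports))
            verdicts[src] = "benign: %s replies from trusted zone" % names
        else:
            verdicts[src] = "investigate"
    return verdicts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    # Trusted zone is an assumption for this example; use your own subnet.
    for src, verdict in triage(naive_scan_sources(rows), ["192.168.1.0/24"]).items():
        print(src, "->", verdict)
```

Run it against an exported firewall log instead of SAMPLE_LOG to see which "port scanning" sources are only ever answering from 5355/1900/3702/137. A Wireshark capture of UDP port 5355 during a backup window, as Marcos suggested earlier in the thread, gives the same answer from the wire rather than from the log.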
     
  13. foneil

    foneil Eset Staff Account

    Joined:
    Dec 7, 2010
    Posts:
    255
    Location:
    San Diego
  14. adza

    adza Registered Member

    Joined:
    Jan 1, 2008
    Posts:
    35
    Same problem here. Unfortunately the KB is not helpful, as it only removes the notification - it does not actually solve the problem with windows shares.

    I'm trying to add the address range to IDS in addition to the already listed trusted zone.

    Unfortunately as a reseller, we have only been able to sell / recommend EAV for most situations unless the user is tech savvy, or it is a single PC installation, as most of these changes are too difficult to expect general users to accomplish.
     
  15. mauricev

    mauricev Registered Member

    Joined:
    Apr 15, 2008
    Posts:
    43
    I'm seeing the same issue with 5.0.2126.0 under Windows 7 SP1 x64.
     
  16. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    win7 pro x64, office 2010 sp1, eset 5

    hello! i'm getting the very same:
    all from china: 58.218.199:[58 or 227 or 250]:12200;
    with one generating from germany: 85.214.246.35:61721

    i contacted by email eset au and received a raft of knowledge base articles to read with the first one explaining how to add the ip address to the trusted zone and being so unsure i proceeded thru the rest of the articles, one explained how to log all blocked traffic, which i followed and that then started adding a massive amount of other entries to my log!

    also, these attacks started the day i downloaded ess 5 [on a new computer], prior to which i was running the latest version of 4 on the old computer running winxp, x32, 2003 sp3.

    i don't know how to tell whether it's my own computer speaking to itself [ie, home group, same network !??!] and i'm not terribly gifted with knowledge on current technology, so if someone, anyone, can tell me in plain language what i need to do, then i would be most grateful.


    thanks :)
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since the IP addresses are from foreign countries and are not trusted, do not add them to the Trusted zone. I assume you must have got port scan attacks even before installing v5, the only difference was that v5 displays alerts about detected attacks instead of just logging them. If you were behind a router, those attacks would not reach the computer.
     
  18. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    hello marcos and thanks for your reply :)

    i didn't add them to the trusted zone. in fact, i didn't do any of the things described in the articles i was sent.

    i became so overwhelmed that all i could think to do was come here and i found this thread.

    ok, i may have received port attacks but previous to v5, i wasn't alerted to them! if that's how v4 handled them, how do i switch them off in v5!??!

    seriously, it appears that ess 5 is blocking them outright but the alerts are freaking me out so if v4 handled them *under the radar*, how do i get v5 to do the same? or is that too dangerous?

    k, see, i'm 'puter speak inept and i don't know what behind a router means. i've heard of them but the only thing i have between my computer and cyberworld is a modem.

    i honestly am very grateful for any assistance and advice.
     
  19. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    so, i've been having a look around inside the firewall advanced settings and i came across this:

    http://imageshack.us/a/img839/5897/ess5snip1.jpg

    and when i clicked the highlighted setup button, it revealed this:

    http://imageshack.us/a/img21/8084/ess5snip2.jpg

    i'm on a home computer, shared with one other person [using profiles]. if i were to click the 'allow sharing' radio button, would that make a difference?

    just putting it out there.

    i've received another alert. from china!

    it's not exactly taking over my life, but man, i'm really bothered by these alerts!

    just sayin'
     
  20. Infected1

    Infected1 Registered Member

    Joined:
    Sep 19, 2012
    Posts:
    6
    What you are describing is not a network and has no sharing of that kind going on. Instead you have a single computer (a network consists of 2 or more physical computers) which has personalities or individual desktops set up so that each person can have their own custom desktop such as wallpaper, icons, documents and so on. Changing the setting from strict to allow sharing is a moot issue and will have no effect.

    As for the attacks from the internet which you have mentioned such as China I would be VERY concerned about these. They are people who want to gain access to your system and either steal info such as personal data or they just want to screw with your system to make you crazy just because it is "Fun" for them. I would be grateful (no offense intended) that ESET has reported these to you. These types of attacks should be made known to you and you need to do something to protect yourself. Attacks like yours and attacks from a person's own internal network are completely different. Attacks from an internal network come from what is called NAT (Network Address Translation) and are strictly generated usually by a router (which is just what its name is: it controls the routing of network traffic and channels) purely for internal network addressing. NAT addresses do not come from nor are they valid internet addresses. Therefore the other posters getting attack reports from those types such as 192.168.0.x can be 99% sure they are false positives and they do not need to be notified about them. Your case my friend is totally different and if you don't protect yourself better they will find a way in and either wreak havoc on your computer or you will become the next victim of identity theft.

    A software firewall alone nowadays is not enough. Trust me, I've been in the IT field for 30 years and specialize in Network/Internet security. You need to get yourself a router. A router is a small box that goes between your computer and your modem. It has a hardware firewall in it and will give you the extra protection we all need on the internet these days. They are not expensive and are very simple to set up.

    Please once again no offense was intended...I am just concerned about your situation and want to help. :)
     
    Last edited: Sep 22, 2012
  21. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    thank you very much Infected1 for your assistance. i am very grateful :)

    last night i received several Detected DNS cache poisoning attacks from 180.153.10.150:xx, and lookip.net reports the following:

    IP Address Details
    IP Address: 180.153.10.150
    Hostname: 180.153.10.150
    Reverse Lookup: 180.153.10.150
    ISP: ChinaNet Shanghai Province Network
    Company: ChinaNet Shanghai Province Network
    City: Beijing
    State/Province: Beijing
    Country: China

    it would seem that i must now research and add a router, when i've never needed one in the past!

    what i do not understand is why i was able to successfully use ess4 for so long without so much as a hitch, no infections, nothing!

    but now with ess5, i'm suddenly beleaguered by so many alerts to port scanning and now also DNS cache poisoning attacks! this is all since i downloaded ess5 on 1 sept 2012.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Did you check firewall logs when you had ESS4 installed? It could be that the attacks were attempted but you simply were not aware of them.
     
  23. BellaBoo

    BellaBoo Registered Member

    Joined:
    May 15, 2009
    Posts:
    114
    Location:
    SydYork, US of Oz
    Hi Marcos. I likely had the 'display alert notification...' unchecked in ESS4 and TBH with you, I may have checked the log at various times out of mild curiosity, found some scanning attacks, but disregarded them because ESS had managed them!

    I'm thinking I might do the same with ESS5. I recalled a website [ShieldsUp! grc.com] that I've used in the past and trust implicitly; among other things, it provides a port scanning facility. I ran some scans today and received a 'full stealth mode' report and because I have those fleeting memories of seeing scanning attacks logged when running ESS4, I feel reasonably satisfied that ESS's popup alert notification default is proper in the first instance and that it is then up to the user to uncheck the box if satisfied that their computer is not at risk.

    perhaps... just putting it out there.
     
  24. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    This occurs again with ESS 6.0.308
    I updated computers on my home network to ESS 6.0.308
    Enabled "Allow multicast address resolution in the trusted zone (LLMNR)" so Macbook pro could access Windows 7-64bit peer to peer shared directory.
    Most of the time when there is a high traffic load on the intranet (generated by ShadowProtect backup on my Windows 7-32 laptop backing up to a shared directory on the Windows 7-64bit desktop), I get a Port scanning attack detection.

    Note
    192.168.1.21 is windows 7-64bit desktop, Peer to peer server, storing the backup.
    192.168.1.30 is windows 7-32 laptop which generated this log (wired ethernet interface), and is being backed up by shadowprotect.
    Code:
    28/01/2013 11:00:19 AM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:51387	UDP			
    28/01/2013 10:15:55 AM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:63152	UDP			
    27/01/2013 11:30:18 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:61246	UDP			
    27/01/2013 11:00:37 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:60205	UDP			
    27/01/2013 9:00:18 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:54705	UDP			
    27/01/2013 7:00:17 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:63858	UDP			
    27/01/2013 5:00:18 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:54246	UDP			
    27/01/2013 3:00:18 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:59490	UDP			
    27/01/2013 1:00:19 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:57003	UDP			
    27/01/2013 12:03:52 PM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:52728	UDP			
    27/01/2013 11:00:19 AM	Detected Port Scanning attack	192.168.1.21:5355	192.168.1.30:64321	UDP			
    I would like a solution which
    1. Enables mac and windows 7 machines to access a peer to peer server computer
    2. Doesn't get false positives under high traffic
    3. Maintains the protection ESS was designed to offer
    Ideas?
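    A triage helper for log lines like the ones above, added here as an illustration and not ESET's code: it parses the tab-separated firewall log format shown in this thread and separates "port scan" entries that match LLMNR replies (UDP source port 5355 from a trusted-zone host to an ephemeral port) from entries that deserve investigation. The trusted zone 192.168.1.0/24, the ephemeral range start, and the sample log lines (modelled on the thread, with one constructed external entry using a documentation address) are assumptions.

```python
import ipaddress
from dataclasses import dataclass

TRUSTED_ZONE = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN
LLMNR_PORT = 5355      # UDP; the source port on every flagged line above
EPHEMERAL_MIN = 49152  # assumed start of the Windows dynamic port range

# Constructed sample: two lines modelled on the thread's log plus one
# constructed external entry (203.0.113.7 is a documentation address).
SAMPLE_LOG = (
    "28/01/2013 11:00:19 AM\tDetected Port Scanning attack\t"
    "192.168.1.21:5355\t192.168.1.30:51387\tUDP\t\t\t\n"
    "28/01/2013 10:15:55 AM\tDetected Port Scanning attack\t"
    "192.168.1.21:5355\t192.168.1.30:63152\tUDP\t\t\t\n"
    "28/01/2013 10:00:00 AM\tDetected Port Scanning attack\t"
    "203.0.113.7:40000\t192.168.1.30:445\tTCP\n"
)

@dataclass
class Entry:
    when: str
    event: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str

def parse_line(line: str) -> Entry:
    """Split one ESS firewall log line (tab-separated) into its fields."""
    when, event, src, dst, proto = [f for f in line.split("\t") if f.strip()][:5]
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Entry(when, event, s_ip, int(s_port), d_ip, int(d_port), proto)

def triage(e: Entry) -> str:
    """Defender-facing verdict for a single 'port scanning' log entry."""
    if "Port Scanning" not in e.event:
        return "not-a-portscan-event"
    src_trusted = ipaddress.ip_address(e.src_ip) in TRUSTED_ZONE
    if (src_trusted and e.proto == "UDP" and e.src_port == LLMNR_PORT
            and e.dst_port >= EPHEMERAL_MIN):
        # LLMNR answers from a LAN host to our own query ports: the pattern
        # in the thread, and a candidate for an IDS exclusion of that host.
        return "llmnr-replies-from-trusted-host"
    if src_trusted:
        return "trusted-host-review"   # a real scan inside the LAN is possible
    return "external-investigate"

def triage_log(text: str) -> dict:
    """Count verdicts over a whole log so repeated sources stand out."""
    counts = {}
    for line in text.splitlines():
        if line.strip():
            v = triage(parse_line(line))
            counts[v] = counts.get(v, 0) + 1
    return counts
```

    Run `triage_log(SAMPLE_LOG)` to see the two LLMNR lines grouped apart from the external entry; a host that only ever appears under the LLMNR verdict is the one Marcos's IDS exclusion would cover.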
     
  25. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It's highly unlikely to be a false positive. If a device / computer in the TZ performs port scanning, you can exclude its IP address from active protection (IDS).
     