Detected Port Scanning attack from trusted Zone PC

Discussion in 'ESET Smart Security' started by patch, Dec 17, 2011.

Thread Status:
Not open for further replies.
  1. patch

    patch Registered Member

    Joined:
    May 14, 2007
    Posts:
    178
    Did you mean the double negative there Marcos?
    I find it confusing, so rephrasing with out the double negative are you saying: "It's highly likely to be a true positive." or am I confused?
    That sounds like I'm disabling some of the protection ESET offers. Seems like a bad idea if true positives can happen within the trusted zone.

    Assuming the desktop computer (which runs ESET full disk scans daily) is not infected, the "port scanning" it is doing on the laptop is likely to be running Microsofts Link-local Multicast Name Resolution (LLMNR) while the link is under load.
    Either that or we have to blame ShadowProtects remote file writing protocol. I'm hesitant to do that as I'm sure I have seen it when loading the link with other traffic, just not as consistently. I suppose it is still possible though.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,423
    I meant that the chance the detection of the port scan attack is not real is very low. I apologize for the wording that might have confused you, English is not my mother tongue :)

    Unfortunately, it's not currently possible to disable just a particular IDS detection for a specific IP address. For instance, some network printers scan ports remotely which triggers an attack detection.
    Computers and devices in the Trusted zone are not automatically excluded from IDS (active protection). If you trust the devices in the TZ and receive IDS detections, you can disable IDS in the TZ.
     
  3. benny_chapman

    benny_chapman Registered Member

    Joined:
    Jun 18, 2010
    Posts:
    3
    I have found Spiceworks to cause this error on a corporate network, at least I am pretty sure it is Spiceworks as it is also a DC and also running GoverLAN (the other three DC's on the network dont trigger these alerts). It would be good to be able to configure "ultra-Trusted" IP addresses for corporate networks (eg DC's, network managment systems etc) that are exempt from IPS and push these settings out via RA.

    Regards
    Ben
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.