Forum Discussion
steveoelliott
Nov 01, 2016 - Luminary
Symantec Endpoint Protection ReadyNAS Port Scan
Hi all,
Earlier I had an issue with lost network access: https://community.netgear.com/t5/Using-your-ReadyNAS/Readynas-526X-Network-Access-Whilst-Resync/m-p/1164297#M118852
I now know this to be due to the ReadyNAS being flagged as carrying out a Port Scan from Symantec logs:
It seems Symantec Endpoint Detection blocks the device due to a suspect port scan. See this in logs:
Somebody is scanning your computer.
Your computer's UDP ports:
61393, 61783, 50935, 57172 and 64028 have been scanned from 192.168.10.21.
Somebody is scanning your computer.
Your computer's UDP ports:
54855, 58387, 56777, 60113 and 54196 have been scanned from 192.168.10.21.
The client will block traffic from IP address 192.168.10.21 for the next 600 seconds (from 01/11/2016 17:03:22 to 01/11/2016 17:13:22).
According to: https://support.symantec.com/en_US/article.tech165237.html
The SEP firewall detects the behavior as port scan attack if the same IP address accesses more than 4 ports within 200 seconds.
It is not unknown for legitimate software to act in a way which triggers this event. (It all comes down to the way in which the software is designed to function and communicate.) Administrators should monitor their networks and grow to recognize what is expected and unexpected within their domain.
I raised case 27614721 for this issue... They are keeping it in monitoring with a view to closing it. However, I feel there is value in this being investigated as this has the potential to affect many users. Ideally the port scan activity should be halted.
Thanks...
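Worked example (added here; not Symantec's, Netgear's or the poster's code): a Python re-implementation of the rule quoted above, run over a constructed log in an assumed "dd/mm/yyyy HH:MM:SS PROTO remote_ip -> local_port" format, with lines assumed to be in time order. It shows why five distinct ports in twelve seconds trips the 200-second window while repeated hits on a single SMB port, or five ports spread a minute apart, do not.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

WINDOW_SECONDS = 200  # rule quoted in the post: >4 ports from one IP within 200 s
PORT_THRESHOLD = 4
# Constructed line format (assumption, not SEP's export): "dd/mm/yyyy HH:MM:SS PROTO remote_ip -> local_port"
LINE_RE = re.compile(r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (UDP|TCP) (\S+) -> (\d+)")

def parse_line(line):
    """Return (timestamp, proto, remote_ip, local_port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S"), m.group(2), m.group(3), int(m.group(4))

def detect_port_scans(lines, window=WINDOW_SECONDS, threshold=PORT_THRESHOLD):
    """Sliding-window check over chronologically ordered lines; one event per trip."""
    history = defaultdict(deque)  # remote_ip -> (ts, port) pairs, oldest first
    events = []
    for ts, _proto, remote_ip, port in filter(None, map(parse_line, lines)):
        q = history[remote_ip]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()  # expire hits older than the window
        ports = {p for _, p in q}  # distinct ports, so repeated hits on 445 never add up
        if len(ports) > threshold:
            events.append((remote_ip, sorted(ports), q[0][0], ts))
            q.clear()  # reset, mirroring SEP's block-then-resume behaviour
    return events

# Constructed sample: 192.168.10.21 hits 5 high UDP ports in 12 s (trips the rule); 192.168.10.50
# hits SMB only (one port); 192.168.10.77 touches 5 ports a minute apart (never 5 in one 200 s window).
SAMPLE_LOG = """\
01/11/2016 17:03:10 UDP 192.168.10.21 -> 61393
01/11/2016 17:03:11 UDP 192.168.10.21 -> 61783
01/11/2016 17:03:12 TCP 192.168.10.50 -> 445
01/11/2016 17:03:15 UDP 192.168.10.21 -> 50935
01/11/2016 17:03:18 UDP 192.168.10.21 -> 57172
01/11/2016 17:03:22 UDP 192.168.10.21 -> 64028
01/11/2016 17:04:00 UDP 192.168.10.77 -> 5000
01/11/2016 17:05:00 UDP 192.168.10.77 -> 5001
01/11/2016 17:06:00 UDP 192.168.10.77 -> 5002
01/11/2016 17:07:00 UDP 192.168.10.77 -> 5003
01/11/2016 17:08:00 UDP 192.168.10.77 -> 5004
"""

if __name__ == "__main__":
    for ip, ports, first, last in detect_port_scans(SAMPLE_LOG.splitlines()):
        print(f"{ip}: {len(ports)} ports {ports} between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

Widening the window (for example to 600 seconds) makes the slow host trip as well, which is the trade-off an administrator tuning such a rule is making.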
10 Replies
- StephenB - Guru - Experienced User
SEP runs on my work laptop, I'll take a look at its logs. I haven't lost network access (at least I didn't notice it).
What services are running? What apps are installed?
- steveoelliott - Luminary
Thanks... It took me by surprise.
My version is SEP 12.1RU6 (12.1.6608.6300)
I am surprised at that activity from the NAS.... It is pretty standard, no applications or anything fancy going on. Just plain old SMB and that's it.
- StephenB - Guru - Experienced User
I installed plex, so some traffic may be coming from there. SEP version 12.1.7061.6600
I am not seeing SEP block the NAS, though I am seeing some blocked traffic. Here's a log snippet - the NAS is 10.0.0.47, the laptop is 10.0.0.26 (wifi) and 10.0.0.46 (ethernet)
Time     Allow/Block  Severity  Direction  Protocol  Remote Host  Remote Port  Local Host  Local Port  Occurrences  Rule
49:43.0  Blocked      15        Incoming   UDP       10.0.0.47    42546        10.0.0.255  32412       8            Block broadcast and multicast traffic and don't log
49:43.0  Blocked      15        Incoming   UDP       10.0.0.47    37028        10.0.0.255  32414       8            Block broadcast and multicast traffic and don't log
49:49.0  Blocked      15        Incoming   UDP       10.0.0.47    42546        10.0.0.255  32412       2            Block broadcast and multicast traffic and don't log
49:49.0  Blocked      15        Incoming   UDP       10.0.0.47    37028        10.0.0.255  32414       2            Block broadcast and multicast traffic and don't log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    42546        10.0.0.255  32412       3            Block all other IP traffic and log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    37028        10.0.0.255  32414       3            Block all other IP traffic and log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    45419        10.0.0.26   58457       4            Block all other IP traffic and log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    57273        10.0.0.26   56600       2            Block all other IP traffic and log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    58434        10.0.0.46   58456       2            Block all other IP traffic and log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    60342        10.0.0.46   54142       2            Block broadcast and multicast traffic and don't log
49:54.0  Blocked      15        Incoming   UDP       10.0.0.47    39474        10.0.0.46   56599       2            Block broadcast and multicast traffic and don't log

I usually do see some issues when I bring the PC out of sleep. Our corporate policies require the corporate VPN connection to be up and running before they allow my laptop to access a network share. The log snippet is from about the time I docked the laptop and started it up again. Note I'm not in IT, so I have limited visibility into the app details, and no control over policy settings.