Question Safety of using Symantec endpoint protection

SEP keeps reporting attempts for port scanning from different IP addresses, which get blocked.
What does it mean?
Capture2.PNG
Capture1.PNG
 
It means Symantec Endpoint Protection (SEP) is detecting and blocking attempts by external IP addresses to identify open ports in your system - a common precursor to cyber attacks. It's a sign that SEP is doing its job protecting your network.
 
Any further measures needed?
 
While SEP is effectively blocking these attempts, it's always a good idea to ensure your software is up to date, enforce strong password policies, and educate users about phishing scams. Regularly monitor your logs to identify any persistent or suspicious activity.
 
Do you have any torrent application running while getting these alerts? Or does any other PC in your LAN have a torrent application running?
No; I do not use torrent at all.
Modem router is connected only to my PC and another turned off one by cable.
 
You have the IP address; check it and look where the traffic is coming from.
Maybe it's malicious, maybe not, but usually software shouldn't scan for active ports if default ones are open.
So it is suspicious but not necessarily malicious.
 
Check whether your router has firewall functionality. If so, check whether it's properly configured or not. Do you have a static IP address or a dynamic IP address from your ISP? If you have a dynamic IP address, your ISP would be shielding your ports from their side. You can test its integrity by going to GRC | ShieldsUP! — Internet Vulnerability Profiling. You can also consider a hardware firewall like OPNsense or pfSense, MikroTik hAP ac3, etc. for added protection.
 
How can I check such IP addresses?
 
My modem router firewall is set to max.
My IP is dynamic.
This is the test result.
Screenshot_1-6-2025_121847_www.grc.com.jpeg
 
I keep getting more and more logs of port scanning from several IP addresses.
 
There are some more tests under that; do those too. You can check a specific port range too.
 
These port scans are not that concerning; it happens all the time. You can switch off your router for some time and restart it so that your ISP might issue a new dynamic IP address; with that, the port scanning may go away for some time.
 
Any way to block trials of port scanning?
 
As I said, it's not that dangerous per se as your software firewall blocks it. If you are that concerned get a good hardware firewall.
I am not concerned; I am asking you if I should 👀
 
This is the data of one of the IP addresses performing port scanning.
And I have noticed Google search was blocked for a few minutes!
Screenshot_1-6-2025_131148_whatismyipaddress.com.jpeg