Author Topic: CLEANUP Security Issue - Corporate FW warns about Port Scan  (Read 646 times)


yavuzacar
CLEANUP Security Issue - Corporate FW warns about Port Scan
« on: January 14, 2019, 12:41:33 PM »
Hello,

When Avast Cleanup Premium has been installed on our laptops, our Fortinet firewall creates the following Port Scan alerts:

2019-01-11 14:17:46
Source.Position EQUAL in
EventMap.Type EQUAL Session
Source.IP BEHAVIOR Port Scanner Hosts

...

Destination
•   Country : Reserved
•   Interface : unknown-0
•   Port : 138
•   IP : 192.168.1.255
•   NatISP : noop
•   Location : Unknown
•   Position : in
Session
•   ID : 5551432
Application
•   Name : netbios forward
•   Category : unscanned
Service
•   Name : udp/138
Protocol
•   ID : 17
•   Name : UDP

...

I don't know whether it is a feature of the Cleanup tool. It may do this scan to find all the servers on the LAN (by scanning NetBIOS service port 138 for all of the LAN). I am just trying to understand whether it is standard behavior of the tool or whether some malicious code has been injected into the tool (thus scanning Windows LAN Manager/NetBIOS server services). We have uninstalled all installations of this product due to this suspicious behavior. After uninstalling, the alerts have disappeared.

I couldn't find another related topic in my search. If you think it should be posted to some other entry, please forward it or inform me. Thanks for your cooperation and kind support in this issue.

Regards,

Yavuz Acar
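
A triage helper for alerts like the one quoted in the post above, added here as an example and not part of the thread or of any vendor tooling: it parses the "Section / • Key : Value" layout shown and separates a source that only sends to the subnet broadcast address from one that touches many distinct host/port pairs. The /24 prefix, the `---` record separator, the source IPs, the second host's entries and the threshold are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed alerts in the "Section / • Key : Value" layout of the excerpt.
# Source IPs and the second host's entries are invented for illustration.
SAMPLE = """Source
•   IP : 192.168.1.23
Destination
•   Port : 138
•   IP : 192.168.1.255
Protocol
•   Name : UDP
---
""" + "".join(
    f"Source\n•   IP : 192.168.1.77\nDestination\n•   Port : {p}\n"
    f"•   IP : 192.168.1.10\nProtocol\n•   Name : TCP\n---\n"
    for p in (21, 22, 23, 80, 135, 139, 443, 445)
)

def parse_alerts(text):
    """Turn each '---'-separated alert into a {'Section.Key': value} dict."""
    alerts = []
    for block in text.split("---"):
        record, section = {}, None
        for line in filter(None, map(str.strip, block.splitlines())):
            if line.startswith("•"):
                key, _, value = line.lstrip("• ").partition(":")
                record[f"{section}.{key.strip()}"] = value.strip()
            else:
                section = line  # a line without a bullet opens a new section
        if record:
            alerts.append(record)
    return alerts

def triage(alerts, lan="192.168.1.0/24", min_targets=5):
    """Label each source by how many distinct (host, port) targets it touched."""
    net = ipaddress.ip_network(lan)  # assumed prefix; the page does not state it
    broadcasts = {net.broadcast_address, ipaddress.ip_address("255.255.255.255")}
    seen = defaultdict(set)
    for a in alerts:
        dst = ipaddress.ip_address(a["Destination.IP"])
        seen[a["Source.IP"]].add((dst, int(a["Destination.Port"])))
    verdicts = {}
    for src, targets in seen.items():
        if all(ip in broadcasts for ip, _ in targets) and len(targets) < min_targets:
            verdicts[src] = "broadcast-only"   # one-to-many datagrams, no host sweep
        elif len(targets) >= min_targets:
            verdicts[src] = "scan-like"        # many distinct host/port pairs
        else:
            verdicts[src] = "inconclusive"
    return verdicts
```

A "broadcast-only" label describes the traffic shape only; it says nothing about which process on the host generated the datagrams.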

catlin_mc
Re: CLEANUP Security Issue - Corporate FW warns about Port Scan
« Reply #1 on: January 15, 2019, 04:33:14 AM »
I would be interested in learning about this too, 'cos I'd like to know if this is normal behavior or if I'm somehow infected with something.
Thank you