Author Topic: Port Scanning?  (Read 6780 times)

perioddotat

  • Guest
Port Scanning?
« on: May 18, 2012, 05:25:48 AM »
The other day, I was working on a friend's computer, when a Symantec error popped up:  "The traffic from IP address xx.xxx.x.xx has been blocked for 600 seconds."  When I investigated, the logs showed it was a port scan attack from another computer on the network (private network, but a lot of people on it).  Further investigation revealed it was actually my computer in the other room that was sending the port scans.  Since then, I've run several anti-malware programs on my computer, and every one has come out negative (well, some tracking cookies, but nothing big).  I've tried Malwarebytes, Spybot S&D, Avast, SUPERAntiSpyware, and Hitman Pro (all with completely updated definitions).  Is there another possible, legitimate source for these port scans, or should I keep downloading and running other anti-malware programs?

Thanks!

Offline Pondus

Re: Port Scanning?
« Reply #1 on: May 18, 2012, 06:51:05 AM »
Quote
Is there another possible, legitimate source for these port scans,
yes.......

Quote
or should I keep downloading and running other anti-malware programs?
No......


That's why I like Windows Firewall.....no mysterious stuff you need to be an IT engineer to understand

perioddotat

  • Guest
Re: Port Scanning?
« Reply #2 on: May 19, 2012, 06:58:42 PM »
Ok, thanks, but I'd like to stop the port scan attacks from going out, even if there's nothing malicious about them.  You say there is a legitimate source: what should I be looking for?  How can I go about turning it off?  I'm not comfortable ignoring it and having all my friends thinking I'm running attacks against their computers.  I'm going to keep trying other anti-virus programs until I either find one that stops it, or I am satisfied that it is legit and I can turn it off myself.

A little more info: I ran Wireshark on my computer, and I'm getting a lot of broadcast, outbound traffic from my computer.  Each one is a short message asking "who has (IP address)?  Tell (my IP address)"  After trying to grab one about 10 times, it'll switch to another IP address.  If it receives a reply, it switches immediately (it's only asking for IP addresses on the network I'm on).  I'm probably getting 10-20 of these outbound messages per second.  Possible causes?

Gooob

  • Guest
Re: Port Scanning?
« Reply #3 on: May 20, 2012, 06:19:32 AM »
It could be as simple as legitimate UPnP traffic or Windows file and printer sharing traffic.

Why would Symantec / Norton block it with a warning if it's safe traffic?
Cuz Norton firewall on LAN sometimes auto configures correctly and sometimes not.  I have seen both instances.

Go to the computer with Symantec.  Be sure you are logged into a Windows account with administrative privileges.
Then find your way to something called the Network trust center, or similar name in the firewall.

Now tell Symantec firewall to "Trust" traffic from your PC.
Reboot.
See if the errors go away.

 

Offline bob3160

Re: Port Scanning?
« Reply #4 on: May 21, 2012, 05:34:59 PM »
@ perioddotat,
Since you're talking about a Symantec error message, wouldn't you be better off asking Symantec for an answer ???

perioddotat

  • Guest
Re: Port Scanning?
« Reply #5 on: May 26, 2012, 11:55:29 PM »
I asked someone who knows how computers work, and they pointed me to looking at the Dell Advanced Networking Service.  I've disabled it, and the flow of ARPs has stopped.  Now my computer actually is asking the server for ARP requests, instead of broadcasting to every computer on the network.  It's had no negative effect on my internet usage.  So, for anyone who has this problem in the future and who has a Dell, try disabling the Advanced Networking Service.

So the answer is: yes, there's a legitimate source for the ARP broadcasts (which were being falsely flagged as malicious by Symantec), but no, that doesn't actually need to be running.
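
The traffic described in Reply #2 (repeated "who has ... tell ..." broadcasts that move from address to address at 10-20 per second) can be confirmed from a capture by counting ARP requests per sender. The following is an added example, not part of the thread: it summarises ARP request lines so the host doing the sweep stands out from ordinary lookups. The line format, the sample capture and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed line format: "<seconds> ARP Who has <target>? Tell <sender>",
# i.e. a time column followed by Wireshark's Info text for an ARP request.
ARP_RE = re.compile(
    r"^\s*(?P<ts>\d+(?:\.\d+)?)\s.*?Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)")

def summarize_arp(lines):
    """Per sender: request count, distinct targets, requests per second."""
    seen = defaultdict(lambda: {"times": [], "targets": set()})
    for line in lines:
        m = ARP_RE.match(line)
        if m:
            seen[m["sender"]]["times"].append(float(m["ts"]))
            seen[m["sender"]]["targets"].add(m["target"])
    summary = {}
    for sender, s in seen.items():
        span = max(s["times"]) - min(s["times"])
        count = len(s["times"])
        summary[sender] = {
            "requests": count,
            "distinct_targets": len(s["targets"]),
            "rate_per_s": round(count / span, 1) if span > 0 else float(count),
        }
    return summary

def sweeping_hosts(summary, min_targets=5, min_rate=10.0):
    """Senders probing many addresses quickly (thresholds are assumptions)."""
    return sorted(h for h, s in summary.items()
                  if s["distinct_targets"] >= min_targets and s["rate_per_s"] >= min_rate)

def constructed_capture():
    """Constructed sample: .50 tries 8 addresses 10 times each, 80 ms apart."""
    lines, n = [], 0
    for host in range(1, 9):
        for _ in range(10):
            lines.append(f"{n * 0.08:.2f} ARP Who has 192.168.1.{host}? Tell 192.168.1.50")
            n += 1
    # An ordinary host resolving its gateway twice.
    lines += ["1.00 ARP Who has 192.168.1.1? Tell 192.168.1.20",
              "5.00 ARP Who has 192.168.1.1? Tell 192.168.1.20"]
    return lines

if __name__ == "__main__":
    summary = summarize_arp(constructed_capture())
    for host, stats in summary.items():
        print(host, stats)
    print("sweeping:", sweeping_hosts(summary))
```

A sender with many distinct targets at a high rate matches the sweep pattern; what is generating it on that machine (here, a vendor networking service) still has to be identified on the host itself.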