Newbie
Myles08
Posts: 1
Registered: ‎10-12-2008

Intrusion attempt or false positive


Hi all. Somewhat new here so if this issue has been dealt with already, sorry.

 

I use Norton Antivirus 2008. I will probably upgrade, but not right now. In my history I show an attempt by my ISP address (you know the 192.XXX.X.X that we all seem to have) as an attacking computer towards my own PC. UDP traffic, port 53. It was blocked so all that is cool. It was noted as "portscan".

 

Attempted Intrusion "Portscan" against your machine was detected and blocked.
Intruder: 192.XXX.0.X(domain(53)).
Risk Level: Medium.
Protocol: UDP.
Attacked IP: My PC.
Attacked Port: xx3x6.

 

I have done some reading. Is this what they call a false positive? That there was maybe an overload of information and Norton took it as a possible intrusion? My wife was web surfing at the time.

Message Edited by Myles08 on 10-14-2008 06:11 AM
huwyngr
Posts: 19,000
Topics: 906
Kudos: 2,331
Solutions: 337
Registered: ‎04-13-2008

Re: Intrusion attempt or false positive

In the real world -- it's dangerous out there <s> -- attackers are continually scanning for ports they can use to get into your computer for reasons of their own. That's why we need firewalls and security software.

 

So my guess is that it was a real warning of a real situation .... and the good news is that NIS blocked it.

 

See if anyone has any specific suggestions



Hugh
Rootkit Eradicator
Posts: 5,220
Registered: ‎05-30-2008

Re: Intrusion attempt or false positive

This is a False Positive, according to a Symantec Employee.
Tuesday, May 21, 2013: The Symantec THREATCON was Changed to Level 1: Normal | Tuesday, May 14, 2013: Microsoft "Patch Tuesday" | Sunday, May 05, 2013: Microsoft Internet Explorer 8 Zero-Day Vulnerability (Update Released)
huwyngr
Posts: 19,000
Topics: 906
Kudos: 2,331
Solutions: 337
Registered: ‎04-13-2008

Re: Intrusion attempt or false positive


Floating_Red wrote:
This is a False Positive, according to a Symantec Employee.

 

Can you provide the link to that please.


Hugh
Rootkit Eradicator
Posts: 5,220
Registered: ‎05-30-2008

Re: Intrusion attempt or false positive


http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=5889

 

I have checked the Intrusion Detection Signatures on the Web Site, and no Port Scan is there, as far as I am aware.

 

[edit: corrected link]

 

Message Edited by Tony_Weiss on 10-15-2008 04:22 PM
huwyngr
Posts: 19,000
Topics: 906
Kudos: 2,331
Solutions: 337
Registered: ‎04-13-2008

Re: Intrusion attempt or false positive

Thanks for the link -- I would not myself link that thread to this query here and assume that the report is a "false positive" since as I said it could well be a reflection of reality: we are all under attack.


Hugh
Regular Contributor
Tech0utsider
Posts: 1,452
Registered: ‎07-29-2008

Re: Intrusion attempt or false positive

It is probably an intrusion attempt unless you are losing functionality with a program or visiting the web.
=\
Symantec Employee
reese_anschultz
Posts: 2,562
Registered: ‎04-08-2008

Re: Intrusion attempt or false positive


The link from Floating_Red is to a thread with one of my posts (it didn't display correctly for me but I figured out how to view it.) Floating_Red was probably correct about it being a false positive.

 

Symantec is currently working on resolving the false positives that occur with the port scan signature. The false positive cases that I see most often are from people's DNS servers. These trigger the port scan detection when users open web pages that embed content from many different sites. For each site, a DNS request is made from a unique local port. Each of the responses to those requests comes back to the same unique port. By sending packets to many different ports, it appears as if the DNS server is performing a port scan when in reality it's simply responding to the requests that were made to it.

 

In general this false positive detection is harmless and just adds a warning to the logs.

 

If the detection is from an address other than a DNS server or is not from port 53, though, it is probably a true positive detection.

Message Edited by reese_anschultz on 10-14-2008 04:05 PM
Reese Anschultz
Senior Software Quality Assurance Manager, Symantec Corporation
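The mechanism described in the post above, as an added example that is not part of the original thread and not Symantec's detection code: a port-count detector run over constructed UDP traffic, first without and then with tracking of the host's own outbound requests. The addresses, threshold and reply window are assumptions chosen for illustration.

```python
from collections import defaultdict

THRESHOLD = 5       # distinct local ports from one source before alerting (assumed)
REPLY_WINDOW = 5.0  # seconds an outbound packet keeps its reply "expected" (assumed)

def naive_scan_sources(packets, local_ip):
    """Alert on any remote address that sends to >= THRESHOLD distinct local ports."""
    ports = defaultdict(set)
    for ts, src, sport, dst, dport in packets:
        if dst == local_ip:
            ports[src].add(dport)
    return {src for src, seen in ports.items() if len(seen) >= THRESHOLD}

def stateful_scan_sources(packets, local_ip):
    """Same count, but skip inbound packets that answer a recent outbound one."""
    pending = {}  # (local_port, remote_ip, remote_port) -> time we sent to it
    ports = defaultdict(set)
    for ts, src, sport, dst, dport in sorted(packets):
        if src == local_ip:
            pending[(sport, dst, dport)] = ts
        elif dst == local_ip:
            sent = pending.get((dport, src, sport))
            if sent is not None and 0 <= ts - sent <= REPLY_WINDOW:
                continue  # solicited reply, e.g. a DNS answer to our own query
            ports[src].add(dport)
    return {src for src, seen in ports.items() if len(seen) >= THRESHOLD}

def build_sample():
    """Constructed traffic: (time, src_ip, src_port, dst_ip, dst_port), all UDP."""
    pc, dns, other = "192.168.1.10", "192.168.1.1", "203.0.113.7"
    packets = []
    for i in range(8):  # page load: 8 lookups, each from its own local port
        packets.append((i * 0.1, pc, 50000 + i, dns, 53))
        packets.append((i * 0.1 + 0.02, dns, 53, pc, 50000 + i))
    for i in range(8):  # unsolicited UDP from source port 53 to 8 local ports
        packets.append((10 + i * 0.1, other, 53, pc, 1000 + i))
    return pc, dns, other, packets

if __name__ == "__main__":
    pc, dns, other, packets = build_sample()
    print("naive   :", sorted(naive_scan_sources(packets, pc)))
    print("stateful:", sorted(stateful_scan_sources(packets, pc)))
```

The naive detector reports the DNS server alongside the unsolicited sender; the stateful one suppresses the DNS answers and still reports port-53 traffic that no local query asked for.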

Contributor
Notechguy
Posts: 48
Registered: ‎10-08-2008

Re: Intrusion attempt or false positive

Looks like Myles uses Norton AntiVirus 2008 not Norton Internet Security

 

But it seems any way you look at it, he (and all of us who use Norton AntiVirus or Internet Security) is safe since it blocked, false positive or real thing. Thanks Norton, it is blocked :)

huwyngr
Posts: 19,000
Topics: 906
Kudos: 2,331
Solutions: 337
Registered: ‎04-13-2008

Re: Intrusion attempt or false positive

Thanks for the clarification on this.


Hugh