10-14-2008 06:09 AM - edited 10-14-2008 06:11 AM
Hi all. Somewhat new here so if this issue has been dealt with already, sorry.
I use Norton Antivirus 2008. I will probably upgrade, but not right now. In my history I show an attempt by my ISP address (you know, the 192.XXX.X.X that we all seem to have) as an attacking computer towards my own PC: UDP traffic, port 53. It was blocked, so all that is cool. It was noted as "portscan":
Attempted Intrusion "Portscan" against your machine was detected and blocked.
Intruder: 192.XXX.0.X(domain(53)).
Risk Level: Medium.
Protocol: UDP.
Attacked IP: My PC.
Attacked Port: xx3x6.
I have done some reading. Is this what they call a false positive? That there was maybe an overload of information and Norton took it as a possible intrusion? My wife was web surfing at the time.
10-14-2008 08:25 AM
In the real world -- it's dangerous out there <s> -- attackers are continually scanning for ports they can use to get into your computer for reasons of their own. That's why we need firewalls and security software.
So my guess is that it was a real warning of a real situation .... and the good news is that NIS blocked it.
See if anyone has any specific suggestions
10-14-2008 08:46 AM
10-14-2008 09:00 AM
Floating_Red wrote:
This is a False Positive, according to a Symantec employee.
Can you provide the link to that, please?
10-14-2008 10:10 AM - last edited on 10-15-2008 01:22 PM by Tony_Weiss
http://community.norton.com/norton/board/message?b
I have checked the Intrusion Detection Signatures on the Web Site, and no Port Scan is there, as far as I am aware.
[edit: corrected link]
10-14-2008 10:15 AM
10-14-2008 01:47 PM
10-14-2008 04:04 PM - edited 10-14-2008 04:05 PM
The link from Floating_Red is to a thread with one of my posts (it didn't display correctly for me but I figured out how to view it.) Floating_Red was probably correct about it being a false positive.
Symantec is currently working on resolving the false positives that occur with the port scan signature. The false positive cases that I see most often are from people's DNS servers. These trigger the port scan detection when users open web pages that embed content from many different sites. For each site, a DNS request is made from a unique local port. Each of the responses to those requests comes back to the same unique port. By sending packets to many different ports, it appears as if the DNS server is performing a port scan when in reality it's simply responding to the requests that were made to it.
In general this false positive detection is harmless and just adds a warning to the logs.
If the detection is from an address other than a DNS server or is not from port 53, though, it is probably a true positive detection.
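The false-positive mechanism described in the post above, as an added example that is not part of the original thread and not Symantec's detection code: a port-count detector that ignores state flags a DNS server answering queries, while one that matches each inbound packet to a recent outbound query does not. The addresses, threshold, reply window and packet records are constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 5       # distinct local ports from one source before alerting (assumed)
REPLY_WINDOW = 5.0  # seconds an outbound query stays outstanding (assumed)

# Constructed sample traffic: (time, direction, remote_ip, remote_port, local_port)
def sample_packets():
    pkts = []
    # Browser resolves 8 hostnames: one query per unique local port, each answered.
    for i in range(8):
        t = i * 0.1
        pkts.append((t, "out", "192.0.2.53", 53, 50000 + i))
        pkts.append((t + 0.03, "in", "192.0.2.53", 53, 50000 + i))
    # A different host sends UDP to 8 local ports that never sent anything.
    for i in range(8):
        pkts.append((2.0 + i * 0.1, "in", "198.51.100.7", 40000, 6000 + i))
    return sorted(pkts)

def naive_alerts(packets):
    """Flag any source that reaches THRESHOLD distinct local ports."""
    ports = defaultdict(set)
    for _, direction, ip, _, lport in packets:
        if direction == "in":
            ports[ip].add(lport)
    return {ip for ip, p in ports.items() if len(p) >= THRESHOLD}

def stateful_alerts(packets):
    """Same count, but skip inbound packets that answer a recent outbound query."""
    pending = {}  # (remote_ip, remote_port, local_port) -> time the query left
    ports = defaultdict(set)
    for t, direction, ip, rport, lport in packets:
        key = (ip, rport, lport)
        if direction == "out":
            pending[key] = t
        elif key in pending and t - pending[key] <= REPLY_WINDOW:
            del pending[key]      # solicited reply: consume it, do not count
        else:
            ports[ip].add(lport)  # unsolicited or too late: counts toward a scan
    return {ip for ip, p in ports.items() if len(p) >= THRESHOLD}

if __name__ == "__main__":
    pkts = sample_packets()
    print("naive:   ", sorted(naive_alerts(pkts)))
    print("stateful:", sorted(stateful_alerts(pkts)))
```

Packets from port 53 that match no outstanding query, or that arrive after the reply window, are still counted, so a source cannot avoid the count just by using source port 53.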
10-14-2008 04:08 PM
Looks like Myles uses Norton AntiVirus 2008 not Norton Internet Security
But it seems any way you look at it, he (and all of us who use Norton AntiVirus or Internet Security) is safe since it was blocked, false positive or real thing. Thanks Norton, it is blocked :)
10-14-2008 06:41 PM
