Regular Contributor
mike852
Posts: 66
Registered: ‎07-07-2009
Accepted Solution

Risk name:Portscan. What kind of risk is this and why is notify disabled.

I just noticed this IPS signature tried to attack my system and was baffled why the setting to notify me was disabled (see below). I never messed with any of these settings, so is it off by default? Also, I searched everywhere on Norton and could not find any info on this attack sig, and it is not even listed as an attack on Norton's list on the website. Can someone tell me if I need to be concerned about this?

[Attached screenshots: notify.PNG, port.PNG]

floplot
Posts: 10,576
Topics: 215
Kudos: 2,051
Solutions: 365
Registered: ‎04-11-2009

Re: Risk name:Portscan. What kind of risk is this and why is notify disabled.

Hello mike852

The IPS definitions were just updated a little while ago. Maybe they haven't updated the website yet. A port scan is when another computer is trying to find open or unprotected ports in your computer. Norton's blocked the port scan. Norton's notified you of the action it took. If you don't want to be notified of the same action again, then you can click Stop Notifying Me and you won't get notified again if that same portscan happens again.

Success always occurs in private and failure in full view.




SendOfJive
Posts: 10,754
Kudos: 4,794
Solutions: 776
Registered: ‎02-07-2009

Re: Risk name:Portscan. What kind of risk is this and why is notify disabled.

Hi mike852,

This appears to be a common type of false positive.  Port 53 is for DNS communications and the address you show appears to be a Roadrunner DNS server address.  Often an application will make a DNS request, but the response will be late and the application will have already timed out the communication.  So when your firewall sees the delayed UDP packets arrive on Port 53, it cannot match them up to the original request and so will interpret them as an unsolicited portscan.  The default setting for portscans detected by Norton is to not alert the user.  I think this is probably because of the great number of instances of situations like yours, as well as the fact that real portscans are a constant occurrence on the internet which are routinely blocked by your firewall.  The number of alerts would be very annoying, and there is nothing you can do about them anyway.  A firewall's job is to block such portscans and it really isn't necessary or desirable that it make a formal announcement every time it happens, although you can change the configuration from the default if you really want to be notified each time.

Regular Contributor
mike852
Posts: 66
Registered: ‎07-07-2009

Re: Risk name:Portscan. What kind of risk is this and why is notify disabled.

Thanks for the fast reply. I thought it may have been a false positive, but I wanted to make sure. It makes sense because I use Roadrunner. As for the option "to notify me of this signature" being off by default, that is probably a good idea. Thanks.

SendOfJive
Posts: 10,754
Kudos: 4,794
Solutions: 776
Registered: ‎02-07-2009

Re: Risk name:Portscan. What kind of risk is this and why is notify disabled.

You're welcome.  Just as a point of information, this type of portscan detection is a frequent occurrence for users of Google Chrome.  That browser has a DNS prefetching feature that does a DNS look-up of every link on each web page you visit.  This often results in orphaned DNS replies that the firewall will interpret as portscans.  The feature can be turned off in the browser's preference settings if desired.
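
The mechanism described in the replies above (DNS answers that arrive after the firewall has dropped its UDP state, including those left behind by browser DNS prefetching) can be checked against a packet log. The following is an added example, not part of the original thread and not Norton's detection logic; the 5-second state timeout, the addresses and the function names are assumptions made for illustration.

```python
from collections import Counter, namedtuple

Packet = namedtuple("Packet", "ts direction src sport dst dport")

UDP_STATE_TIMEOUT = 5.0      # assumed lifetime of a firewall UDP state entry, in seconds
RESOLVERS = {"192.0.2.53"}   # constructed resolver address (documentation range)
HOST = "10.0.0.5"            # constructed local address

def classify_inbound(packets, timeout=UDP_STATE_TIMEOUT, resolvers=RESOLVERS):
    """Label each inbound UDP packet using a longer memory than the firewall keeps."""
    requests = {}   # (local port, remote ip, remote port) -> time of last outbound packet
    results = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.direction == "out":
            requests[(p.sport, p.dst, p.dport)] = p.ts
            continue
        sent = requests.get((p.dport, p.src, p.sport))
        if sent is not None and p.ts - sent <= timeout:
            verdict = "matched-reply"    # firewall still had state: passed silently
        elif sent is not None and p.sport == 53 and p.src in resolvers:
            verdict = "late-dns-reply"   # state expired: logged as a portscan
        else:
            verdict = "unsolicited"      # no matching request, or a late non-DNS packet
        results.append((p, verdict))
    return results

def summarize(results):
    """Count verdicts per remote address so late replies and probes separate."""
    summary = {}
    for p, verdict in results:
        summary.setdefault(p.src, Counter())[verdict] += 1
    return summary

# Constructed sample traffic, not taken from the thread's screenshots.
SAMPLE = [
    Packet(0.00, "out", HOST, 50001, "192.0.2.53", 53),
    Packet(0.04, "in", "192.0.2.53", 53, HOST, 50001),    # prompt answer
    Packet(1.00, "out", HOST, 50002, "192.0.2.53", 53),
    Packet(9.50, "in", "192.0.2.53", 53, HOST, 50002),    # answer after the timeout
    Packet(12.0, "in", "192.0.2.53", 53, HOST, 50099),    # source port 53, no request
    Packet(20.0, "in", "198.51.100.7", 40000, HOST, 22),
    Packet(20.1, "in", "198.51.100.7", 40000, HOST, 23),
    Packet(20.2, "in", "198.51.100.7", 40000, HOST, 445),
]

if __name__ == "__main__":
    for src, counts in summarize(classify_inbound(SAMPLE)).items():
        print(src, dict(counts))
```

A packet is only excused as a late DNS reply when a request to that resolver from that local port was actually sent; source port 53 alone is not enough, which is why the packet to port 50099 stays "unsolicited".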