What triggers a port scan detection in Symantec Endpoint Protection (SEP)?


Article ID: 154690


Updated On:

Products

Endpoint Protection

Issue/Introduction

What behavior triggers a port scan detection?  Is there cause for alarm?

An example of SEP "Security log" in which we can see more than 4 ports being scanned.

Resolution

The SEP firewall flags the behavior as a port scan attack if the same IP address accesses more than 4 ports within 200 seconds.

It is not unknown for legitimate software to act in a way which triggers this event. (It all comes down to the way in which the software is designed to function and communicate.) Administrators should monitor their networks and grow to recognize what is expected and unexpected within their domain. 
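To help with triage, the following added example (not Symantec's code, and not part of the original article) applies the stated rule to connection records so an administrator can see which source crossed the threshold and on which ports. It assumes "ports" means distinct local ports, treats the 200 seconds as a sliding window, and uses constructed sample records with a hypothetical `(time, remote IP, local port)` layout rather than the actual SEP log format.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 4      # "more than 4 ports" (from the article)
WINDOW_SECONDS = 200    # "within 200 seconds" (from the article)

# Constructed sample records: (seconds, remote IP, local port).
SAMPLE_EVENTS = [
    (0,   "192.0.2.10", 22),
    (5,   "192.0.2.10", 80),
    (9,   "192.0.2.10", 443),
    (12,  "198.51.100.7", 443),
    (14,  "192.0.2.10", 445),
    (20,  "192.0.2.10", 3389),   # 5th distinct port inside 200 s
    (30,  "198.51.100.7", 443),  # same port repeatedly: not a scan
    (100, "203.0.113.5", 21),
    (160, "203.0.113.5", 22),
    (220, "203.0.113.5", 23),
    (280, "203.0.113.5", 25),
    (340, "203.0.113.5", 80),    # 5 ports, but spread over 240 s
]

def find_port_scans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {ip: (first trigger time, sorted ports in window)} per flagged IP."""
    recent = defaultdict(deque)   # ip -> (time, port) records still in window
    flagged = {}
    for ts, ip, port in sorted(events):
        q = recent[ip]
        q.append((ts, port))
        # Drop records that have aged out of the sliding window
        # (assumption: a record exactly `window` seconds old no longer counts).
        while ts - q[0][0] >= window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) > threshold and ip not in flagged:
            flagged[ip] = (ts, sorted(ports))
    return flagged

if __name__ == "__main__":
    for ip, (ts, ports) in find_port_scans(SAMPLE_EVENTS).items():
        print(f"{ip}: {len(ports)} ports within {WINDOW_SECONDS}s at t={ts}: {ports}")
```

Comparing the flagged sources and port sets against known scanners, monitoring tools and multi-port applications on the network is one way to separate expected triggers from unexpected ones.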

For more information, please see Handling Port Scan Detections in Symantec Endpoint Protection 14.x