Port Scan detections are being triggered for no apparent reason, causing network disruption. Disengaging IPS Active Response resolves the issue for a time.
Port Scan detections are triggered when a series of packets are blocked on unique ports within a short time window. See What triggers a port scan detection in Symantec Endpoint Protection (SEP)? for more information.
Some applications in the network may generate traffic patterns which trigger port scan detections. These generally include software designed for discovery, monitoring, or security testing.
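The following is an added example, not code from the Symantec article or the SEP product: it applies the trigger logic described above (blocked packets to many unique local ports from one remote IP within a short window) to a constructed, simplified block-log sample so that the remote IPs, local ports and protocols worth noting during triage are summarised. The log format, the 10-second window and the five-port threshold are assumptions, not SEP's actual values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of blocked-traffic log entries in a simplified
# (hypothetical) format: date time remote_ip protocol local_port.
# These are not real SEP log lines.
SAMPLE_LOG = """\
2024-05-01 10:00:00 10.0.0.5 TCP 22
2024-05-01 10:00:01 10.0.0.5 TCP 23
2024-05-01 10:00:01 10.0.0.5 TCP 80
2024-05-01 10:00:02 10.0.0.5 TCP 443
2024-05-01 10:00:02 10.0.0.5 UDP 161
2024-05-01 10:00:03 10.0.0.5 TCP 3389
2024-05-01 10:00:00 10.0.0.9 TCP 445
2024-05-01 10:00:30 10.0.0.9 TCP 445
2024-05-01 10:05:00 10.0.0.9 TCP 139
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, remote_ip, proto, port)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, proto, port = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, ip, proto, int(port)))
    return events

def find_port_scans(events, window_seconds=10, unique_ports=5):
    """Return {remote_ip: sorted [(proto, port), ...]} for remote IPs whose
    blocked packets hit at least `unique_ports` distinct (proto, port) pairs
    within any sliding window of `window_seconds`. Thresholds are assumed."""
    by_ip = defaultdict(list)
    for ts, ip, proto, port in sorted(events):
        by_ip[ip].append((ts, proto, port))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_seconds.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            ports = {(p, n) for _, p, n in evs[start:end + 1]}
            if len(ports) >= unique_ports:
                hits[ip] = sorted(ports)  # record the first qualifying burst
                break
    return hits
```

Running `find_port_scans(parse_log(SAMPLE_LOG))` flags only 10.0.0.5; 10.0.0.9 touches two ports minutes apart and is not reported, which is the distinction to keep in mind when deciding whether a source is a scanner or a benign monitoring host.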
To troubleshoot a Port Scan attack, review the following logs:
Highlight the first log entry for the Port Scan detection. Review the details and note the remote IP and local ports associated with the detection, including whether they are UDP or TCP. Repeat this for multiple Port Scan detection log entries until you have a good sample of the ports and IPs involved.
Determine the identity of the remote IP. If the machine is unknown, it should be located and assessed for any security risk. If the remote IP is deemed safe, use the following steps to remediate the Port Scan detection:
For a managed client, update the policy locally and ensure it matches the new policy serial number of its group in the manager. Unmanaged clients will immediately enforce new rules.