How to exclude network scanners in Symantec Endpoint Protection (SEP)
Article ID: 173612
Updated On:
Products
Control Compliance Suite Vendor Risk Manager
Issue/Introduction
You are running Control Compliance Suite Vulnerability Scanner (CCSVM) and scanning machines running SEP Client
In SEP you might get notification like these
Risk Detected
| Event Time: | 01/02/2019 05:48:56 |
| Begin Time: | 01/02/2019 05:47:54 |
| End Time: | 01/02/2019 05:47:55 |
| Number: | 5 |
| Event Description: | Somebody is scanning your computer. Your computer's TCP ports: 64071, 4572, 9928, 22943 and 23626 have been scanned from x.x.x.x. |
| Event Type: | Port Scan |
| Hack Type: | 0 |
| Severity: | Minor and above |
| Application Name: | N\A |
| Network Protocol: | TCP |
| Traffic Direction: | Inbound |
| Remote IP: | x.x.x.x |
| Remote MAC: | xxxxx |
| Remote Host Name: | N/A |
| Alert: | 1 |
| Local Port: | 0 |
| Remote Port: | 0 |
Resolution
In SEP configuration you need to exclude the IP of the CCSVM scanner (using SEP Console):
Go to Policies -> Intrusion Prevention : Select your policy and right click Edit.
In the Intrusion Prevention section, click to Enabled excluded hosts and open "Excluded Hosts" Section
Click Add and enter the IP of the scanner(s), then click ok to save.
Once policy is saved, assign the policy to the relevant client group.
Feedback
Yes
No
Powered by
