Security Intelligence reported some flows from scanner VMs as “unprotected.”

Article ID: 405633


Products

VMware vDefend Firewall with Advanced Threat Prevention

Issue/Introduction

Some environments may observe Security Intelligence reporting flows from specific VMs — commonly scanner or security appliances — as “unprotected.” The flows show unexpected source IP patterns such as:

  • The actual scanner VM IP

  • 127.0.0.1 (loopback)

  • The destination IP itself

The behavior may be inconsistent across ports or sessions and is often seen on TCP 135 or similar ports.

Environment

NAPP 4.2.0

Security Intelligence

Cause

The behavior can occur when:

  • A security scanning or network probing tool is configured to send traffic with spoofed or non-standard source IPs as part of its inspection logic

  • Custom scripts or test tools on the VM generate packets with intentionally manipulated headers

  • Loopback-bound traffic is exposed due to misconfigured routing or application behavior

Security Intelligence inspects raw packet headers and logs traffic exactly as observed. If the source IP appears unusual or mismatched, Security Intelligence may flag these flows as "unprotected" — even if the traffic originates from a known and safe source.

Resolution

If intentional scanning or testing is being performed:

  • Review the tool or script generating the traffic to confirm whether IP spoofing or header manipulation is expected.

  • No further action is needed if the traffic behavior is intentional and originates from a trusted source.

 

If no vulnerability scanner is in use, please contact Broadcom Support for further assistance.
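One way to triage flagged flows against the three source-IP patterns listed under Issue/Introduction, as an added example that is not part of the Broadcom article or of Security Intelligence itself. The CSV column names, VM names, addresses and scanner inventory are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample; column names are assumed, not a documented export format.
SAMPLE_FLOWS = """vm,src_ip,dst_ip,dst_port
scanner-01,10.0.5.20,10.0.8.11,135
scanner-01,127.0.0.1,10.0.8.11,135
scanner-01,10.0.8.11,10.0.8.11,135
app-07,127.0.0.1,10.0.9.30,135
app-07,10.0.9.14,10.0.9.30,443
app-07,not-an-ip,10.0.9.30,135
"""
KNOWN_SCANNERS = {"scanner-01": {"10.0.5.20"}}  # assumed scanner inventory

def source_pattern(flow, scanners):
    """Name the source-IP pattern from the article that a flow shows."""
    try:
        src = ipaddress.ip_address(flow["src_ip"])
        dst = ipaddress.ip_address(flow["dst_ip"])
    except ValueError:
        return "unparseable"
    if src.is_loopback:  # 127.0.0.0/8 or ::1
        return "loopback-source"
    if src == dst:
        return "source-equals-destination"
    if str(src) in scanners.get(flow["vm"], set()):
        return "scanner-ip"
    return "other"

def triage(csv_text, scanners=KNOWN_SCANNERS):
    """Count (verdict, pattern) pairs across the flow records."""
    counts = Counter()
    for flow in csv.DictReader(io.StringIO(csv_text)):
        pattern = source_pattern(flow, scanners)
        if pattern == "unparseable":
            verdict = "bad-record"
        elif pattern == "other":
            verdict = "no-source-anomaly"
        elif flow["vm"] in scanners:
            verdict = "review-scanner-config"  # the article's scanner case
        else:
            verdict = "escalate"  # odd source IP and no scanner on this VM
        counts[(verdict, pattern)] += 1
    return counts

if __name__ == "__main__":
    for (verdict, pattern), n in sorted(triage(SAMPLE_FLOWS).items()):
        print(f"{verdict:22} {pattern:26} {n}")
```

Flows counted under "escalate" show a loopback or destination-matching source on a VM that is not in the scanner inventory, which is the case the Resolution directs to Broadcom Support.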