What behavior triggers a port scan detection? Is there cause for alarm?
An example of SEP "Security log" in which we can see more than 4 ports being scanned.
The SEP firewall detects the behavior as a port scan attack if the same IP address accesses more than 4 ports within 200 seconds.
It is not unknown for legitimate software to act in a way which triggers this event. (It all comes down to the way in which the software is designed to function and communicate.) Administrators should monitor their networks and grow to recognize what is expected and unexpected within their domain.
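The threshold described above, written as a sliding-window check over connection events. This is an added example, not Symantec's code and not SEP's actual implementation. The event tuple format, the sliding-window interpretation, the function name and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 4     # from the page: "more than 4 ports"
WINDOW_SECONDS = 200   # from the page: "within 200 seconds"

def find_port_scans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: (trigger_time, ports_in_window)} for each flagged source.

    events: iterable of (epoch_seconds, src_ip, dst_port) tuples (assumed format).
    """
    recent = defaultdict(deque)  # src_ip -> (time, port) hits still inside the window
    alerts = {}
    for ts, src, port in sorted(events):
        hits = recent[src]
        hits.append((ts, port))
        # Assumption: the window slides, and a hit exactly `window` seconds old has expired.
        while hits and ts - hits[0][0] >= window:
            hits.popleft()
        ports = {p for _, p in hits}
        # Distinct ports are counted, so repeated connections to one port do not add up.
        if len(ports) > threshold and src not in alerts:
            alerts[src] = (ts, sorted(ports))
    return alerts

# Constructed sample traffic (documentation address ranges, not real log data).
SAMPLE_EVENTS = [
    # Five distinct ports in 15 seconds: exceeds the threshold.
    (0, "192.0.2.10", 21), (5, "192.0.2.10", 22), (9, "192.0.2.10", 23),
    (12, "192.0.2.10", 80), (15, "192.0.2.10", 443),
    # Many connections to one port: a busy client, one distinct port.
    (20, "198.51.100.7", 445), (21, "198.51.100.7", 445), (22, "198.51.100.7", 445),
    (23, "198.51.100.7", 445), (24, "198.51.100.7", 445), (25, "198.51.100.7", 445),
    # Five distinct ports over 320 seconds: older hits age out of the window.
    (0, "203.0.113.5", 135), (100, "203.0.113.5", 139), (190, "203.0.113.5", 445),
    (250, "203.0.113.5", 3389), (320, "203.0.113.5", 5985),
    # Exactly four ports: "more than 4" is not met.
    (30, "192.0.2.77", 80), (31, "192.0.2.77", 443), (32, "192.0.2.77", 8080),
    (33, "192.0.2.77", 8443),
]

if __name__ == "__main__":
    for src, (ts, ports) in find_port_scans(SAMPLE_EVENTS).items():
        print(f"port scan from {src} at t={ts}s, ports={ports}")
```

A legitimate application that connects to five or more ports inside the window is flagged the same way, so the reported source and port list are what to compare against the traffic expected on the network.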
For more information, please see Handling Port Scan Detections in Symantec Endpoint Protection 12.1.