Port Scan detections are being triggered for no apparent reason, causing network disruption. Disengaging IPS Active Response resolves the issue for a time.

Port Scan detections are triggered when a series of packets are blocked on unique ports within a short time window. See What triggers a port scan detection in Symantec Endpoint Protection (SEP)? for more information.

Some applications in the network may generate traffic patterns which trigger port scan detections. These generally include software designed for discovery, monitoring, or security testing.

To troubleshoot a Port Scan attack, review the following logs:

• SEP Client > View Logs > Client Management (View Logs) > Security Log
  -or-
• SEPM Console > Monitors > Logs > Log type: Network and Host Exploit Mitigation > Log content: Attacks

Highlight the first log entry for the Port Scan detection.  Review the details and note the remote IP and local ports associated with the detection, including if they are UDP or TCP. Repeat this for multiple Port Scan detection log entries until you have a good sample of the ports and IPs involved.

Determine the identity of the remote IP. If the machine is unknown, it should be located and assessed for any security risk. If the remote IP is deemed safe, use the following steps to remediate the Port Scan detection:

• SEP Client (Unmanaged) > Status > Network Threat Protection (Options) > Configure Firewall Rules
  1. Click Add... to create a new firewall rule.
  2. Set the action to Allow this traffic.
  3. Set the Hosts option to IP addresses and input the remote IP(s) you noted above.
  4. Change protocol to TCP or UDP to match what was recorded from the log and enter the list of Local ports, separating each port with a comma and space.
  5. Save the rule.
      
• SEPM Console > Policies > Firewall > Firewall policy (The one used by the affected client(s)) > Edit the policy > Rules
  1. Click Add Blank Rule to create a new firewall rule.
  2. Double-click the name (Rule 0) and rename it similar to "Fix Port Scan".
  3. Double-click the Host column, set the mode Local/Remote and enter the remote IP(s), then click OK.
  4. Double-click the Service column and check off the services matching the identified ports, or add a custom port list, setting the protocol to TCP or UDP to match what was recorded from the log, with the local ports separated by commas (no spaces), then click OK to return to the rules.
     Note: The custom list will have no Service Name, but it will be checked upon creation.
  5. Click OK to save the policy changes.
      
• Note: Do not enter anything into the local IP or the remote ports. This can break the rule.

For a managed client, update the policy locally and ensure it matches the new policy serial number of its group in the manager. Unmanaged clients will immediately enforce new rules.