Port scan detections are being triggered for no apparent reason, causing network disruptions. Disengaging IPS active response resolves the issue only temporarily.
Port scan attack logged.
Port scan detections are triggered when a series of packets is blocked on unique ports within a short time window. See "What triggers a port scan detection in Symantec Endpoint Protection (SEP)?" for more information.
Some applications in the network may generate traffic patterns which trigger port scan detections. These generally include software designed for discovery, monitoring or security testing.
To troubleshoot a port scan attack, review the following logs:
Locate the first log entry for the Port Scan detection and highlight it. Look at the details to determine the remote IP and the local ports associated with the detection, noting whether they are UDP or TCP. Write these down, then locate a second Port Scan Detection log entry. Check its remote IP and, if it differs from the first, write it down as well, along with any ports that were not listed previously. Locate a third log entry and repeat the steps so that you have a representative sample of the ports and/or IPs involved.
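The triage step above (collect remote IPs, local ports and protocols across several detection entries) and the trigger condition from the Cause section, as an added Python example that is not Symantec's code or tooling. The CSV layout of the sample records, the 60-second window and the four-port threshold are assumptions for illustration, not SEP's actual log format or detection settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of blocked-traffic records, simplified to the fields the
# triage steps ask for (timestamp,action,remote_ip,local_port,protocol).
SAMPLE_LOG = """\
2024-03-01 10:00:01,Blocked,10.0.0.5,135,TCP
2024-03-01 10:00:01,Blocked,10.0.0.5,139,TCP
2024-03-01 10:00:02,Blocked,10.0.0.5,445,TCP
2024-03-01 10:00:02,Blocked,10.0.0.5,3389,TCP
2024-03-01 10:00:03,Blocked,10.0.0.5,5985,TCP
2024-03-01 10:00:20,Blocked,10.0.0.5,135,TCP
2024-03-01 10:00:10,Blocked,192.168.1.20,161,UDP
2024-03-01 10:05:00,Blocked,192.168.1.20,162,UDP
"""

def parse_log(text):
    """Yield (time, remote_ip, local_port, protocol) for each blocked record."""
    for line in text.strip().splitlines():
        ts, action, ip, port, proto = line.split(",")
        if action != "Blocked":
            continue
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, int(port), proto

def summarize_port_scans(text, window=timedelta(seconds=60), unique_ports=4):
    """Per remote IP: every local port and protocol seen, plus whether blocked
    packets ever hit `unique_ports` distinct ports inside `window` (assumed values)."""
    events = defaultdict(list)
    for ts, ip, port, proto in parse_log(text):
        events[ip].append((ts, port, proto))
    summary = {}
    for ip, recs in events.items():
        recs.sort()
        triggered = False
        for i, (start, _, _) in enumerate(recs):
            # Sliding window: distinct ports blocked from `start` to `start + window`.
            hit = {p for t, p, _ in recs[i:] if t - start <= window}
            if len(hit) >= unique_ports:
                triggered = True
                break
        summary[ip] = {
            "ports": sorted({p for _, p, _ in recs}),
            "protocols": sorted({pr for _, _, pr in recs}),
            "triggered": triggered,
        }
    return summary
```

Run on a real export, the per-IP summary gives the remote address and port/protocol list the next step asks you to identify and assess.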
Determine the identity of the remote IP. If the machine is unknown, it should be located and assessed for any security risk. If the remote IP is deemed safe, use the following steps to remediate the port scan detection:
For a managed client, update the policy and confirm that the client's policy serial number matches the new serial number of its group in the manager. Unmanaged clients put new rules into effect immediately.