Jump to content

Network attack detected “Scan.Generic.PortScan.TCP”


Go to solution Solved by Berny,

Recommended Posts

Posted

I know almost nothing about computers, but I recently noticed several notifications from Kaspersky saying “network attack detected”. There are ten of these notifications in all. Each of these notifications was issued at the exact same minute in time. Under “Name”, each of these notifications says “Scan.Generic.PortScan.TCP”, under “User”, they each say “NT AUTHORITY\SYSTEM”, and under “Result”, they each “Not processed”.

In between the ninth and tenth of these notifications, there is a separate notification accompanied by a blue i symbol enclosed within a circle. Under both "Event" and “Result”, this separate notification simply says “Task Started”. It says nothing under name. Like the “network attack detected” notifications, the “Task Started" notification says “NT AUTHORITY\SYSTEM” under “User”. 

I don’t really know what any of this means. People have told me that someone may have tried to hack me, but I was also told that this could have been a false positive. I was told that if I mentioned the problem here, someone might be able to confirm whether or not it was a false positive. Is that possible? 

Thanks!

Flood and Flood's wife
Posted

Hello @JPC

Welcome!

  1. Which KAV version & patch(x) is installed → on the Windows Taskbar or hidden icons, rightclick the Kaspersky icon, select About 
  2. May we have a full screen image of the Reports screen that’s showing the problem, including the data in the blue i = information section? 
  3. Is the software KAV free or Kaspersky Security Cloud free? 
  4. There’s a few similar Community topics, you may wish to read: 

Scan.Generic.PortScan.TCP attack was blocked

Scan.Generic.PortScan/TCP popups

Scan.Generic.PortScan/TCP atack

 

Please post back? 

Thank you🙏

Flood🐳 +🐋

Posted
  1. Kaspersky Free 21.2.16.590 (b)
  2. It will take multiple screenshots to capture the full screen. I will send those to you. 
  3. I don’t actually know how to find this out. It just says “Kaspersky Free”. Probably KAV? But I don’t know how to confirm this.

EDIT: Is it okay to post the screenshots here? There are a few additional blue i notifications on that screen, and a few of those notifications have my own laptop’s name under the “User” column. Is there any risk in sharing that information here on a public forum? I was going to send them you in a private message, but I don’t see an option to include photos in a private message.

Flood and Flood's wife
Posted

Hello @JPC

Thank you for the information & you have confirmed the software name👌

  1. Just for our understanding, may we know why you’re not using Kaspersky Security Cloud Free
  2. Take your time with the images, also, in the Report app, can you see Save → in the top right hand corner? Save the Report as a text file and attach📎 to your reply using the paperclip📎 icon please? 

Thank you🙏

Flood🐳 +🐋

Posted

I’m not familiar with the difference between KAV and Kaspersky Security Cloud - so I’m not sure which one I even have. Is there a way to confirm which one I’m using? 

I’ve attached the report. Should I also share screenshots of the page, or does the attached report have all the info that you need? 

Flood and Flood's wife
Posted

Hello @JPC

Thank you for the information👌

  • You have confirmed the software name, when you open the About screen, above the version & patch is the software name
  • Kaspersky security cloud Free has replaced Kaspersky Free, eventually Kaspersky Free will be discontinued →  no eta known atm. 
  • Allow us some time to review the Report, we may not need the images.
  • The laptop name, published on a Community portal is safe, unless you’ve named your LT with your full name, birthdate, residential address, phone number, bank account number, answer to your secret question, dogs name, grandpa’s name, etc., etc.😉

Thank you🙏

Flood🐳 +🐋

Posted

Okay - thanks! I can share the images, if you need them - just let me know! 

  • Solution
Posted

@JPC The detection  “TCP from 192.168.1.1” in your Log   is probably pointing to your Router which could be related to an IP Spoof attack that Kaspersky has blocked. For these kind of issues we mostly refer to Kaspersky Technical Support which is unfortunately only available for paid versions.

Posted

Thanks for looking into this! I’m not familiar with that term - what is an “IP Spoof attack”? 

Posted

Oh - I actually have one more question if that’s okay. The “task started” event that occurred at the same second in time as the “network attack” events - are you able to explain what that means?

If someone was trying to hack my computer, does a “task started” event mean that they successfully did something to my computer? 

Posted

@JPC All Kaspersky protection modules get enabled at system startup.

Posted

Sorry...I’m not sure I quite follow. I’m still unsure what “task started’ means...

Posted

The “Network Attack Blocker” page of my Kaspersky Free software has several notifications saying “Task started” under the “Event” and “Result” columns. Each of these notifications is accompanied by a blue i symbol enclosed within a circle. I know essentially nothing about computers, and so I have no idea what these notifications mean. 

Is someone able to help me understand this?

Thanks! 

 

//cross posted topic was merged. 

Flood and Flood's wife
Posted

The “Network Attack Blocker” page of my Kaspersky Free software has several notifications saying “Task started” under the “Event” and “Result” columns. Each of these notifications is accompanied by a blue i symbol enclosed within a circle. I have no idea what these notifications mean. Is someone able to help me understand this? Thanks! 

Hello @JPC

Network Attack Blocker loads at operating system startup and tracks incoming network traffic for activities characteristic of network attacks. When KFree detects a network attack attempt on a user's computer, it blocks the network connection with the attacking computer.

The Network Attack Blocker module runs in the background, if an attack happens, the blocker is ready to protect the computer. The Task started”, Task stopped, shows Kaspersky is doing what it should, the processes are running as designed. 

Blue i enclosed in a circle = information

⚠ = Alert, information as well but always good to investigate. 

Red box with ! = , problem - information as well, investigate! 

 

 

 

 

You actually know a lot @JPC, other people don’t even know how to look up or at the Reports👌

Thank you🙏

Flood🐳 +🐋

Posted

I’m not sure how I even came across the “Reports” page, haha. I think I found myself there somehow while trying to do an update on my Kaspersky software. 

 

I’m still a little confused about what “Task started” means. Are you saying that the Network Attack Blocker issues a “Task started” notification every time the operating system starts up? 

Flood and Flood's wife
Posted

I’m not sure how I even came across the “Reports” page, haha. I think I found myself there somehow while trying to do an update on my Kaspersky software. 

I’m still a little confused about what “Task started” means. Are you saying that the Network Attack Blocker issues a “Task started” notification every time the operating system starts up? 

Hello @JPC

You’re most welcome!

It doesn’t matter how you got there, you did, and you’re providing clear information, that’s gold, it makes our life easier; don’t undersell your IT knowledge/skills… You’re doing fine!

Network Attack Blocker loads at operating system startup and tracks incoming network traffic for activities characteristic of network attacks

Yes, Task started tells you the engine is running - exactly as it is meant to. If the Network Attack Blocker Task was not running & an attack happened, KFree would not respond. 

Thank you🙏

Flood🐳 +🐋

  • 4 weeks later...
Posted

@JPCThe detection  “TCP from 192.168.1.1” in your Log   is probably pointing to your Router which could be related to an IP Spoof attack that Kaspersky has blocked. For these kind of issues we mostly refer to Kaspersky Technical Support which is unfortunately only available for paid versions.

 

Sorry - I know that this thread is super old, but I have one last question. Something I forgot to mention is that the “Network Attack Detected” notifications popped up while I was using my laptop at a relative’s apartment. And I just recently learned that my relative had actually gotten a new router right around the same time that I received these notifications.

 

So the router in question would be my relative’s router, not my own. Is it hypothetically possible that connecting my laptop to a new router for the first time could have triggered a false positive? 

Posted

@JPC Welcome back. Only Kaspersky Lab can confirm or deny a FP after analyzing  Logs
that they have obtained in a request.

Posted

I wasn't asking for confirmation. I was just asking whether connecting my laptop to a new router for the first time is the sort of thing that could cause a false positive? 

Posted

@JPC The list of insecure routers is long , what is the router’s security protocol , is it a safe ISP router …. and much more.  A FP is however never excluded.

 

Posted

I’m just wanting to know, in general, whether connecting any laptop to a new router for the first time is the sort of thing that could potentially trigger a false positive. 

I’m just looking for a “yes” or “no” answer. 

EDIT: Oops, sorry - I missed the last sentence of your post on first reading it. So it sounds like the answer is “yes”, a false positive could have potentially been triggered by connecting my laptop to a new router, is that correct? 

Posted

@JPC Please see the post above your post “a FP is however never excluded”  which means a “YES”

Posted

Right, sorry about that. I edited my comment to explain that when I first read your reply, I failed to notice the last sentence. I guess I read too quickly. Again, sorry about that.

Thank you for your help!

Posted

@JPCWelcome back. Only Kaspersky Lab can confirm or deny a FP after analyzing  Logs
that they have obtained in a request.

 

I went ahead and upgraded to Kaspersky Internet Security. I’d be curious to know if it was simply my relative’s new router causing a false positive - if Kaspersky Lab analyzes my logs, they would be able to tell me if it was a false positive? How do I file a request with Kaspersky Lab? 

Guest
This topic is now closed to further replies.


×
×
  • Create New...