
Network Attack Detected


Solved by Flood and Flood's wife

always_working
Posted

I have a simple home network with two work PCs behind an unmanaged switch.

Security Cloud Network Attack Blocker detected a Scan.Generic.Portscan.TCP (Protocol TCP, Local Port 458) from my primary PC to my secondary PC.

Could this be something innocuous such as SoftPerfect Wifi Guard scanning the network or might it be something malicious?  The Object type was a Network packet which was blocked.  If it isn't malicious, what might this mean for the communication between these two devices?

Also, is there a way to be notified in Security Cloud in real-time when this happens?  I would never have known unless I specifically examined the Network Attack Blocker report and think it's crucial to be notified when such attacks are detected.

Any insight appreciated!

Flood and Flood's wife
Posted

Hello @always_working

Welcome back!

To be notified of the events, open the application, select Settings⚙, select Interface, select Notification settings, select Network Attack Blocker, check Notify on screen, select OK

[screenshot]

  1. https://encyclopedia.kaspersky.com/glossary/port-scanning/
  2. https://threats.kaspersky.com/en/threat/Scan.Generic.TCP/
  3. https://threats.kaspersky.com/en/class/Scan/

This can be either a real attack or a false positive if the same conditions are present in the traffic that are suitable for the attack. The attack should be perceived in a different way than usual - it is simply scanning for what network services are installed on the computer and running, from which the attacker can conclude which services may be vulnerable and take further action. By itself, this attack does nothing wrong.
These attacks can come from a single computer or from multiple computers (hosts) if the scan port is launched from multiple machines. The application blocks these attacks (packets).

  1. Are you using SoftPerfect Wifi Guard? 
  2. To answer the query about the Scan.Generic.PortScan.TCP alert, save the Report as a text file by selecting Save at the top right of the Report window, upload the Report to any cloud server of your choice & post the share link - we need to see what you see.

Thank you
Flood+
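
To illustrate the port-scan behaviour described in the reply above, here is a threshold heuristic that flags one host touching many distinct ports on another within a short window. This is an added example, not Kaspersky's detection logic and not code from any poster; the addresses, events and thresholds (`window`, `min_ports`) are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample events: (seconds, source IP, destination IP, destination TCP port).
# The addresses are made up; port 458 is the local port named in the alert above.
SAMPLE_EVENTS = [
    # One host probing six different ports on a neighbour within two seconds.
    (0.0, "192.168.1.10", "192.168.1.20", 21),
    (0.3, "192.168.1.10", "192.168.1.20", 22),
    (0.6, "192.168.1.10", "192.168.1.20", 23),
    (0.9, "192.168.1.10", "192.168.1.20", 80),
    (1.2, "192.168.1.10", "192.168.1.20", 443),
    (1.5, "192.168.1.10", "192.168.1.20", 458),
    # Repeated connections to a single port: busy, but not a scan.
    (2.0, "192.168.1.20", "192.168.1.10", 445),
    (2.5, "192.168.1.20", "192.168.1.10", 445),
    (3.0, "192.168.1.20", "192.168.1.10", 445),
    # Two ports far apart in time: never inside one window together.
    (0.0, "192.168.1.10", "192.168.1.30", 80),
    (100.0, "192.168.1.10", "192.168.1.30", 443),
]

def detect_port_scans(events, window=10.0, min_ports=5):
    """Flag (src, dst) pairs with >= min_ports distinct ports inside `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in events:
        by_pair[(src, dst)].append((ts, port))
    findings = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            findings.append({"src": src, "dst": dst, "ports": sorted(best),
                             "local_source": ip_address(src).is_private})
    return findings

if __name__ == "__main__":
    for finding in detect_port_scans(SAMPLE_EVENTS):
        print(finding)
```

A network inventory tool that probes several ports per device produces exactly the pattern flagged here, which is why the verdict alone cannot separate a benign scanner from a hostile one.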

always_working
Posted

Hi Flood,

Thanks so much for the reply and offer to help!

Although I respect that the report might offer more clarity, I guess I'd rather not post it publicly on the forum since it does include IP addresses.  It seems that you can't be too careful these days.

However, the event is listed as "Network attack detected" with a name of Scan.Generic.Portscan.TCP (Protocol TCP, Local Port 458) from my primary PC to my secondary PC.

I do use SoftPerfect Wifi Guard but I haven't been able to recreate the event with further scans using the software (even selecting that I don't know the device).

Also, "Notify on screen" was selected but I never did see the notification.  Perhaps I missed it somehow.  I do get desktop alerts from Kaspersky as well and think that one of those would also be generated?

Thanks again! 

P.S. If the report is crucial, perhaps I can send it to you via PM.

Berny
Posted

@always_working

If the IP number in the report is showing 192.168.x.x then the alert is pointing to your local network. To confirm or deny a FP your best option is to submit a Wireshark log to Kaspersky Technical Support.


PS : This community is not providing suggestions via PM.

 

Flood and Flood's wife
Posted (edited)
2 hours ago, always_working said:
  1. The event is listed as "Network attack detected" with a name of Scan.Generic.Portscan.TCP (Protocol TCP, Local Port 458) from my primary PC to my secondary PC.
  2. "Notify on screen" was selected but I never did see the notification. 

Hello @always_working

Thank you for posting back & the information!

  1. Check the Network Attack Blocker Report, does it show “Detected object is added to exclusions”?
  2. We are checking with Kaspersky regarding the Network Attack Blocker Notify on screen issue - we will update this topic when their advice is available.
  3. Technical Support is not available to users of Kaspersky Free, Trial or Beta software versions. 

Thank you
Flood+

Edited by Flood and Flood's wife
always_working
Posted
3 hours ago, Berny said:

@always_working

If the IP number in the report is showing 192.168.x.x then the alert is pointing to your local network. To confirm or deny a FP your best option is to submit a Wireshark log to Kaspersky Technical Support.


PS : This community is not providing suggestions via PM.

 

Yes, it is in the range and points from my primary PC to my secondary one.  I don't have Wireshark.

always_working
Posted
2 hours ago, Flood and Flood's wife said:

Hello @always_working

Thank you for posting back & the information!

  1. Check the Network Attack Blocker Report, does it show “Detected object is added to exclusions”?
  2. We are checking with Kaspersky regarding the Network Attack Blocker Notify on screen issue - we will update this topic when their advice is available.
  3. Technical Support is not available to users of Kaspersky Free, Trial or Beta software versions. 

Thank you
Flood+

No, the result shows as blocked.  No mention in the report of exclusions.

I appreciate your assistance via this forum and look forward to getting to the bottom of these issues!

Posted

@always_working

The IP range 192.168.x.x is pointing to a private address and is not routed over the internet, please proceed with a Kaspersky scan on both PCs.

Also, Kaspersky blocked the detection …

Flood and Flood's wife
Posted
4 hours ago, always_working said:

No, the result shows as blocked.  No mention in the report of exclusions.

I appreciate your assistance via this forum and look forward to getting to the bottom of these issues!

Hello @always_working

You're most welcome!

Thank you for posting back & the information!

Kaspersky's previous advice for Scan.Generic.PortScan.TCP events, has been:

"To fully identify that Scan.Generic.PortScan.TCP is the known issue, one needs to check the report and make sure the string: “Detected object is added to exclusions” is present. If the attack is blocked and there is no “Detected object is added to exclusions” - Kaspersky need to further investigate."

We're following up with Kaspersky, we will update this topic when their advice is available. 

Thank you
Flood+

Posted

@Flood and Flood's wife

In some specific cases (e.g. malicious object) the Moderator Team knows perfectly how to deal with a Topic and eventually interact with Kaspersky Virus Lab. Also, after analysis the verdict is mostly shared with the community (not via PM).

always_working
Posted
17 hours ago, always_working said:

Yes, it is in the range and points from my primary PC to my secondary one.  I don't have Wireshark.

Would a log still be useful (if I install and learn Wireshark) or would it have to have been from the time when the potential attack was blocked? 

always_working
Posted
13 hours ago, Flood and Flood's wife said:

Hello @always_working

You're most welcome!

Thank you for posting back & the information!

Kaspersky's previous advice for Scan.Generic.PortScan.TCP events, has been:

"To fully identify that Scan.Generic.PortScan.TCP is the known issue, one needs to check the report and make sure the string: “Detected object is added to exclusions” is present. If the attack is blocked and there is no “Detected object is added to exclusions” - Kaspersky need to further investigate."

We're following up with Kaspersky, we will update this topic when their advice is available. 

Thank you
Flood+

I have run a full scan on both computers with no detected malware.  If it wasn't added to exclusions as referenced, does that mean that Kaspersky wasn't able to identify with certainty that it wasn't a malicious attack?

I'm not sure what my next step should be.

Berny
Posted

@always_working Thank you for your feedback

  1. You don't need to install Wireshark and create a Log.
  2. A Kaspersky scan without detections means your system is clean.
always_working
Posted
1 hour ago, Berny said:

@always_working Thank you for your feedback

  1. You don't need to install Wireshark and create a Log.
  2. A Kaspersky scan without detections means your system is clean.

Thanks again for your help.

While I'm glad the system is clean, this will always bother me.

I don't even have Apple QuickTime installed on the computer that initiated the attempted port scan and will always wonder!  Any idea what can cause such a port scan if it's not malicious in nature?

Flood and Flood's wife
Posted (edited)
23 hours ago, always_working said:

I have run a full scan on both computers with no detected malware.  If it wasn't added to exclusions as referenced, does that mean that Kaspersky wasn't able to identify with certainty that it wasn't a malicious attack?

I'm not sure what my next step should be.

Hello @always_working

Thank you for posting back!

We were just waiting for the traffic to die down.

  1. Kaspersky expert support have confirmed the Network Attack Blocker events do notify on screen, if the app is correctly configured.
  2. Most likely the detection of Scan.Generic.Portscan.TCP occurred because of SoftPerfect Wifi Guard scanning the network. Scan.Generic.Portscan.TCP is not exactly an attack, but only checking whether the ports are available. If you disable the option, the Network Attack Blocker still protects against any other real attacks. Go to Settings⚙, Protection, Network Attack Blocker, toggle OFF "Treat port scanning and network flooding as attacks", select Save, select Yes to the confirmation prompt.

Thank you
Flood+

Edited by Flood and Flood's wife
Flood and Flood's wife
Posted
On 10/31/2022 at 3:02 AM, always_working said:

"Notify on screen" was selected but I never did see the notification.

Hello @always_working

How the Network attack blocked event looks when it pops on screen

[screenshot]

Thank you
Flood+
always_working
Posted

This is extremely helpful and useful information - thanks again!

Still not sure why I never received the notification but that was on KSC so hopefully it won't be an issue with the Free version.  I will also be upgrading from that for further network security at some point.

I was also going to ask if you had any idea why the Network Attack Blocker task would have been started by NT Authority\System instead of the active user?  This happened twice on a different PC (running KSC) but I've never logged into any other user account.

Having a hard time figuring that one out as well!

After this, I'll leave you be for a while ;]

  • Solution
Flood and Flood's wife
Posted
13 hours ago, always_working said:

This is extremely helpful and useful information - thanks again!

  1. Why the Network Attack Blocker task would have been started by NT Authority\System instead of the active user? 
  2. This happened twice on a different PC (running KSC) but I've never logged into any other user account.

Hello @always_working

You're more than welcome!

Thank you for posting back & the additional question!

  1. NT AUTHORITY\System is a built-in user, the Local System account, with unrestricted access to all local system resources. It's a member of the Windows Administrators group on the local computer.
  2. The Kaspersky application intermittently has privileges to use this account. 

[screenshot]

Thank you
Flood+
Posted

Hi @always_working

To add to what Flood has posted, the Kaspersky service processes start under system account, this ensures all users of the PC are protected. The graphical interface part of the program is started under the active user account. 

In Task Manager on my PC:

[screenshot]
