Network attack from printer

[Chris B]

I have just installed a new printer (HP Officejet 9010) and Kaspersky Internet Security is blocking a network attack from the printer. The printer is on my local network and so I kn ow it is OK. How do I set an exclusion to the Network Attack blocker? I can see instructions for a Mac but not for Windows. I am using version 20.0.14.1085.

I have a screen shot, but I can’t see where I can post it on this forum.

[andrew75]

@Chris B, check that the type of your local network is set to trusted in the firewall settings

https://support.kaspersky.com/13630#block1

[Flood and Flood's wife]

Hello @Chris B,

Also:

• To upload the screenshot, select the tiny picture icon:

• Post KIS Detailed Report → open KIS, select More Tools, select Reports, select Detailed Reports, select All events, select 24hrs, select Export, save the Report as a .txt file, attach📎 to your reply please? 

Please post back?

Thank you🙏

Flood🐳

[Chris B]

The network is Trusted, and I can print to the printer and access other devices on the network. However, the only IP address shown on the Network Properties window is the IP address of my PC, and I can’t see how to expand it to cover the full IP range - if indeed I need to. 

 

[Chris B]

@FLOOD - yes thanks. I found it just before your post!

[Flood and Flood's wife]

Hello @Chris B,

That’s super, well done☺ ! 

Thank you for the image and the information👌

• May we have the KIS Detailed Report please → open KIS, select More Tools, select Reports, select Detailed Reports, select All events, select 24hrs, select Export, save the Report as a .txt file, attach📎 to your reply please? 

Please post back?

Thank you🙏

Flood🐳

[Chris B]

@FLOOD the report is attached. FYI - the printer was installed on 27/6/20 but the network attack warnings only started on 30/6. Same symptoms on all 3 PCs on my network using Kspersky Internet Security.

[Berny]

@Chris B Also , to confirm or deny a  False Positive (FP) please contact K-Lab Technical Support https://center.kaspersky.com
 

[andrew75]

@Chris B, create a packet rule (Settings - Protection - Firewall - Configure packet rules) and place it at the top of the list:

 

 

[Chris B]

@andrew75 Thanks, but should the rule say Block or Allow? Given it is my printer that is sending the packet, and the printer control app is on my PC, I would have thought I should allow the packets?

[Berny]

@Chris B Maybe it’s a FP 🤔

[Chris B]

@Benny forgive my ignorance, but what is an FP?

[Berny]

@Chris B You are welcome. Please scroll up in this Topic, this “could” be  a false alarm.

[Chris B]

@Benny Sorry for my inconsistent replies - I have been jumping around on topics this morning. I certainly agree it must be a false positive, because I cannot see that my own printer would be sending anything malicious to a PC on my own network, which it has every reason to be communicating with. (I have also reported the FP to Support as you suggested). @Andrew75’s suggestion on a rule to let the traffic through looks a good approach, but I am still a little confused as to why his suggestion is set to block the traffic, not allow it.

[Flood and Flood's wife]

Hello @Chris B,

Also, a couple of other things to possibly consider:

• Why the “The network attack DoS.Generic.Flood.TCPSYN has been blocked” events for Tcp from 192.168.1.254 to port 5357 & Tcp from 192.168.1.17 to port 5357 started: 30.06.2020 21.24.29 ? 

1. Have there been any configuration changes to KIS - in the 24hrs preceding 30.06.2020 21.24.29 ? 
2. Any other changes, in the same time frame: network, hardware, software, environmental, anything at all ?
3. Has the printer been reset/uninstalled and reinstalled ?
4. Has KIS been (2) Restored to default settings ? If “no”, and if you decide to do this, first (1) Export KIS settings, so they can be (3) Imported after performing a KIS Restore

 

Thank you🙏

Flood🐳

[andrew75]

@Chris B, read this article

[Chris B]

@Andrew75 Thanks - I’ll go through this article, but re your previous suggestion, did you mean to Block or Allow the packets in your packet rule?

[Chris B]

@FLOOD Yes - my first thoughts were “What’s changed” and I can’t think of anything. On your specific questions:

1 No obvious reason

2 No,  unless KIS automatic updating changed something.

3 No

4 Not since the printer was installed on 27/6

5 No

 

[andrew75]

@Chris B, “block”.  Or disable WSD on the printer. The article explains what this is and why this problem occurred.

[Chris B]

@asndrew75 Despite the fact I am not running a server? This is a home network.

[andrew75]

I understand. I could not find anything better about these services.

The point is that these printer requests are not needed for work, so you can block them. Or disable these services on the printer.

[Chris B]

@andrew75 Thanks. I’ll try it ans see what happens!

[Chris B]

@andrew75  @flood

Mysteriously, the symptoms have gone away, which makes it impossible to find out what has been happening, but they went away at different times on different PCs, which make me wonder whether they are related to updates of KIS at different times on different machines. The specifics are:

On PC-C (my machine) the blocks came from startup today (1/7) at 9:11 about every 2 mins (but not consistently so) until I turned off Network Attack Blocker at 13:15. The last NAB event was 13:07 and there are no events of any type between the two. I put in @andrew75’s suggested rule and restarted NAB at 15:47, since when there have been no block events. Given the experience on the other two machines, that may have been a coincidence.

On PC-A, the first block was at 10:06, probably when the PC was switched on, recommenced at 11:06 (presumably the 60 min grace period in KIS’s standard settings) and continued every 2 mins until 13:05. No apparent reason for the change at 13:05.

On PC-J, the blocks started at 20:46 on 30/6 and continued until 20:53. None since.

I will pass these notes to Kaspersky Support, who have responded to my report of a False Positive, but there does not seem to be any point in putting in any more work on the issue unless the symptoms reappear.

Many thanks both of you for your help.