Scan.Generic.PortScan.TCP pointing to router IP and MAC Address


Solved by KarDip


Theophrastus.Bombastus
Posted


OS: Windows 11 Version 23H2
Kaspersky: Kaspersky Premium V. 21.18.5.438(a)

Hello. I've been receiving notifications from the Network Attack Blocker on a daily basis with the following name:

Scan.Generic.PortScan.TCP

On the notification, there's a MAC address. Upon inspecting it, I have figured out that the highlighted MAC address is the router's MAC address.

A few days ago, there was also another network attack name, also pointing to the router's MAC address:

DoS.Generic.Flood.TCPSYN, in the same minute as one of the Scan.Generic.PortScan.TCP notifications.

I've reset the modem to factory defaults and changed passwords. Ever since, this DoS.Generic.Flood.TCPSYN hasn't come up again.

But I still receive the Scan.Generic.PortScan.TCP on a daily basis.

What could this mean? Is it likely, due to it being the router's MAC address, that it's a false positive?

Wesly.Zhang
Posted

Hello,

In the Network Attack Blocker settings, you can disable this setting to fix this. In most cases, this detection occurs when using downloaded software, and will be incorrectly activated due to the number of connections from outside or inside.


Regards.

KarDip (Solution)
Posted (edited)

Hello @Theophrastus.Bombastus

Receiving notifications for potential network threats, like Scan.Generic.PortScan.TCP and DoS.Generic.Flood.TCPSYN, both targeting your router’s MAC address, can be unsettling, but let’s analyze this carefully.

Understanding the Notifications

  1. Scan.Generic.PortScan.TCP: This notification indicates that Kaspersky detected what it interprets as a port scan. Port scans are commonly used to check which ports are open and listening for incoming connections on a device. This action in itself is not necessarily malicious, as some network processes (especially legitimate ones within your own network) might trigger this alert.

  2. DoS.Generic.Flood.TCPSYN: A DoS (Denial of Service) flood attack notification means that Kaspersky detected a surge in SYN (synchronization) packets. A SYN flood attack typically involves an attacker trying to overwhelm a device by sending a high volume of connection requests. Since resetting your router to factory defaults and updating passwords, this particular notification hasn’t returned, which is a good sign.

Analysis of Your Situation

Given that both notifications refer to your router’s MAC address and you've taken steps like factory resetting and changing passwords, here are some possible explanations:

  • Router Scanning Internal Network: Some routers have built-in features to scan internal networks for active devices and may periodically query connected devices, which can trigger port scanning alerts. These scans are usually benign.

  • Network Monitoring Services: Certain services on the router may actively monitor the network, especially if you have advanced settings enabled, which could trigger TCP scans. Some routers may do this to detect devices on the network or check connectivity and traffic flow.

  • False Positives: It’s possible that Kaspersky is misinterpreting regular network behavior as a port scan. Many antivirus and security software suites may flag standard network activities as potentially suspicious, especially on a local network where a device (in this case, the router) frequently communicates with multiple devices.

Steps to Address the Issue

  1. Check Router Logs: Access your router’s admin interface and look at the log settings to see if there are any scans or active network monitoring events that might correspond with the timestamps of the notifications.

  2. Disable Unnecessary Router Features: If your router has network management or scanning features, try disabling them temporarily to see if the notifications stop. Look for settings related to Network Discovery, Diagnostics, or Intrusion Detection.

  3. Adjust Kaspersky’s Network Settings: As Wesly.Zhang says, in Kaspersky Premium you can customize the settings for Network Attack Blocker. Adding your router to a trusted devices list or lowering the sensitivity of attack detection for the local network could reduce these alerts if they are indeed false positives.

  4. Run a Manual Security Scan: If you haven’t already, run a full security scan on all devices connected to the network to ensure there aren’t any infected devices that could be inadvertently sending out suspicious packets.

  5. Observe and Monitor: Since you’ve already taken effective measures (resetting and updating passwords), keep an eye on the notifications. If the frequency decreases or the alerts stop altogether, it’s likely that these were routine scans or a temporary anomaly.

When to Take Additional Action

If these notifications continue and you notice any unusual network behavior—such as significantly reduced performance, new unknown devices appearing on your network, or more attack alerts targeting different MAC addresses—then it might be worth deeper investigation.

Thank you

Edited by KarDip
console sources error
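One way to triage alerts like these on the PC side, as an added example that is not from this thread or from Kaspersky: the script reads a constructed, simplified alert export (`timestamp;detection;source MAC`, which is not Kaspersky's real report format) and a placeholder router MAC, then reports how many alerts come from the gateway, how many per day, whether port-scan alerts recur at the same hour (consistent with a scheduled discovery feature on the router), and which detections landed in the same minute from one source.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Placeholder gateway MAC as it would appear in the PC's ARP table (constructed).
ROUTER_MAC = "aa-bb-cc-dd-ee-01"

# Constructed sample alerts; simplified layout, not Kaspersky's real export format.
SAMPLE_ALERTS = """\
2024-10-28 09:14:02;Scan.Generic.PortScan.TCP;aa-bb-cc-dd-ee-01
2024-10-28 09:14:40;DoS.Generic.Flood.TCPSYN;aa-bb-cc-dd-ee-01
2024-10-29 09:15:11;Scan.Generic.PortScan.TCP;AA:BB:CC:DD:EE:01
2024-10-30 09:13:55;Scan.Generic.PortScan.TCP;aa-bb-cc-dd-ee-01
2024-10-30 22:41:07;Scan.Generic.PortScan.TCP;02-11-22-33-44-55
"""


def normalize_mac(mac):
    # Windows shows MACs as aa-bb-..., other tools as aa:bb:...; compare one form.
    return mac.strip().lower().replace(":", "-")


def parse_alerts(text):
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, mac = line.split(";")
        alerts.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), name, normalize_mac(mac)))
    return alerts


def triage(alerts, router_mac):
    router_mac = normalize_mac(router_mac)
    from_router = [a for a in alerts if a[2] == router_mac]
    other = [a for a in alerts if a[2] != router_mac]
    # Daily counts from the gateway: a steady one-per-day pattern points to routine behaviour.
    per_day = Counter(ts.date().isoformat() for ts, _, _ in from_router)
    # Hours at which gateway port scans recur; a single fixed hour suggests a scheduled scan.
    scan_hours = sorted({ts.hour for ts, name, _ in from_router if name == "Scan.Generic.PortScan.TCP"})
    # Different detections from one source within the same minute, as the poster observed.
    by_minute = defaultdict(set)
    for ts, name, mac in alerts:
        by_minute[(mac, ts.strftime("%Y-%m-%d %H:%M"))].add(name)
    same_minute = sorted((k, sorted(v)) for k, v in by_minute.items() if len(v) > 1)
    return {
        "router_alerts": len(from_router),
        "other_alerts": len(other),
        "per_day": dict(per_day),
        "scan_hours": scan_hours,
        "same_minute": same_minute,
        # Alerts that do NOT come from the gateway deserve the closer look the answer describes.
        "other_macs": sorted({mac for _, _, mac in other}),
    }
```

Alerts from any MAC other than the gateway are the ones worth checking against the router's client list.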