

To troubleshoot a Port Scan attack, review the following logs:

- SEP Client > View Logs > Client Management (View Logs) > Security Log.
- SEPM Console > Monitors > Logs > Network Threat Protection > Attacks.

1. Highlight the first log entry for the Port Scan detection.
2. Review the details and note the remote IP and local ports associated with the detection, including if they are UDP or TCP.
3. Repeat this for multiple Port Scan detection log entries until you have a good sample of the ports and IPs involved.
4. Determine the identity of the remote IP. If the machine is unknown, it should be located and assessed for any security risk.

If the remote IP is deemed safe, use the following steps to remediate the Port Scan detection:

SEP Client (Unmanaged) > Status > Network Threat Protection (Options) > Configure Firewall Rules.

1. Set the Hosts option to IP addresses and input the remote IP(s) you noted above.
2. Change protocol to TCP or UDP to match what was recorded from the log and enter the list of Local ports, separating each port with a comma and space.

SEPM Console > Policies > Firewall > Firewall policy (The one used by the affected client(s)) > Edit the policy > Rules.

1. Click Add Blank Rule to create a new firewall rule.
2. Double-click the name (Rule 0) and rename it similar to "Fix Port Scan".
3. Double-click the Host column, set the mode Local/Remote and enter the remote IP(s), then click OK.
4. Double-click the Service column and check off the services matching the identified ports, or add a custom port list, setting the protocol to TCP or UDP to match what was recorded from the log, with the local ports separated by commas (no spaces), then click OK to return to the rules.

Note: The custom list will have no Service Name, but it will be checked upon creation.

Note: Do not enter anything into the local IP or the remote ports.
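Added example, not part of the original article or any Symantec tooling: a small Python helper that consolidates hand-noted detections (remote IP, protocol, local port) into the port lists the steps above ask for, in both the comma-and-space form (unmanaged client) and the comma-only form (SEPM). The sample triples and all function names are constructed for illustration, and grouping one row per remote IP and protocol is an assumption.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (remote IP, protocol, local port) triples as an analyst
# might note them from several Port Scan log entries. Not real log data.
NOTED = [
    ("10.20.30.40", "TCP", 445),
    ("10.20.30.40", "TCP", 135),
    ("10.20.30.40", "tcp", 445),   # same detection noted twice, different case
    ("10.20.30.40", "UDP", 161),
    ("10.20.30.41", "TCP", 3389),
]

def summarize(noted):
    """Group noted detections by (remote IP, protocol) with sorted unique ports."""
    groups = defaultdict(set)
    for ip, proto, port in noted:
        ip = str(ipaddress.ip_address(ip))      # raises ValueError on a bad IP
        proto = proto.upper()
        if proto not in ("TCP", "UDP"):
            raise ValueError(f"unexpected protocol: {proto}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        groups[(ip, proto)].add(int(port))
    return {key: sorted(ports) for key, ports in sorted(groups.items())}

def port_list(ports, managed=True):
    """Format ports as the page describes: the SEPM custom list uses commas
    with no spaces; the unmanaged client rule uses a comma and a space."""
    return ("," if managed else ", ").join(str(p) for p in ports)

def rule_inputs(noted):
    """One row per (remote IP, protocol): the values to type into one rule."""
    return [
        {"remote_ip": ip, "protocol": proto,
         "sepm_ports": port_list(ports, managed=True),
         "client_ports": port_list(ports, managed=False)}
        for (ip, proto), ports in summarize(noted).items()
    ]

if __name__ == "__main__":
    for row in rule_inputs(NOTED):
        print(row)
```

A typo in a noted IP, protocol or port raises `ValueError` instead of ending up in a firewall rule.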
