Port Scanning, but Monitoring is Off for Target Device

Follow

DevOps

• May 18, 2023 18:21

My work laptop is connected to my home network that is protected by Firewalla. Security reached out to inform me a few months ago that ESET was detecting a Win32/Botnet.generic attack, which they stated appeared to be a device on my home network doing port scans against my laptop. I triaged this at that time and learned that Firewalla does do port scans and I turned Monitoring off for my work laptop in Firewalla. Which successfully addressed the issue.

As of today, they are reporting that the issue is occurring again. I reviewed Firewalla and logs and confirmed that it's coming from my Firewalla device to my company laptop, but Monitoring for that laptop is still turned off. I have not found any other area that could explain why this is happening again. Does anyone have any insight?

0

• 

  Firewalla

  • May 18, 2023 20:44

  Tap on + button, tap on "device port scan" and turn off on your PC

  May I know if ESET will only send a warning, or will it block firewalla?

  0

  Comment actions Permalink
• 

  DevOps

  • May 22, 2023 16:40
  • Edited

  When you say + button, where exactly is that? I am on Firewalla Blue and if I pull up the device in question it shows Monitoring as disabled. So, I do believe that there should be no port scanning for the device.

  From the Security team's ESET logs it appears it's showing it as a warning, but is being blocked as well as the action.

  0

  Comment actions Permalink
• 

  DevOps

  • May 22, 2023 16:44

  Oops! I see the + button now within the app and located the Device Port Scan option. I was looking on the browser ui from my desktop and could not locate that option. Thanks! Will see how it goes.

  0

  Comment actions Permalink
• 

  DevOps

  • May 22, 2023 16:46

  Also, is Firewalla looking into a way for turning on device port scanning, but being able to opt certain devices out of that?

  0

  Comment actions Permalink
• 

  Firewalla

  • May 22, 2023 17:56

  You should be able to select which device to turn on for the device port scanning feature. did you see the selection Apply To section?

  0

  Comment actions Permalink
• 

  DevOps

  • May 25, 2023 14:09

  Thanks! I guess I should have slowed down a bit and dug into all the options more. When I went there first it didn't show me the additional options right away, so I thought it was a system wide on/off type of thing. I do see it now. I think it might be cool to do an inverse type of selection, like Apply to All except for devices you define. For example, in my case I have around 60 devices and I only wanted to exclude 2 devices from having port scans done. I did not see an easy way to just exclude those two and have it run for all others on my network by default.

  0

  Comment actions Permalink
• 

  Firewalla

  • May 25, 2023 15:51

  Okay, will let the team know this requirement.

  May I know if ESET will block firewalla after detecting the scan? or it just warn you? We have several cases from the consumer side, where the antivirus software will block the router (which is firewalla) and kill internet when detect scanning 

  0

  Comment actions Permalink
• 

  DevOps

  • May 25, 2023 17:58

  From the logs I received it does appear to warn and then block the port scanned. There are even some references in the log to it blocking the router's IP, but I still have network connectivity.

  0

  Comment actions Permalink

Please sign in to leave a comment.