Why are there so many Port Scanning Prevention Filter entries in the F-Secure firewall blocks.log?
This article applies to the following F-Secure products: F-Secure Client Security 14.x, F-Secure PSB Computer Protection, F-Secure Server Security 14.x, F-Secure PSB Server Protection
I am seeing a lot of the following entries in the firewall blocks.log:
[xxxx.xxxx] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: Port Scanning Prevention Filter, This filter prevents port scanning. This many times means there are no listeners. If debugging ensure your scenario has one.
The connection parameters vary, with different local/remote ports and IP addresses. Do I need to modify my firewall rules for these messages to disappear?
These log entries are associated with the Stealth mode mechanism in Windows Firewall with Advanced Security. It is built-in functionality that silently drops outgoing ICMP unreachable and TCP reset messages to prevent port scanning. It reacts when no process is listening on the port targeted by the incoming request or traffic.
You can refer to this Microsoft Technet article for more information about this functionality.
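To see how much of a blocks.log is Stealth mode noise and how much comes from other filters, the entries can be grouped by the "Dropped by filter" field. The script below is an added example, not an F-Secure tool; it relies only on the two fields visible in the entry quoted above, and the sample lines, including the second filter name, are constructed.

```python
import re
from collections import Counter

# Filter name exactly as it appears in the log entry quoted in this article.
STEALTH_FILTER = "Port Scanning Prevention Filter"

# Only the two fields visible in the quoted entry are parsed: event type and
# filter name. The name is read up to the first comma, as in that entry.
DROP_RE = re.compile(
    r"Type:\s*(?P<type>FWPM_NET_EVENT_TYPE_\w+)\.\s*"
    r"Dropped by filter:\s*(?P<filter>[^,]+),"
)

def triage(lines):
    """Count Stealth mode drops separately from drops by any other filter."""
    stealth = 0
    other = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue  # ignore blank lines
        m = DROP_RE.search(line)
        if m is None:
            unparsed += 1  # not a drop entry in the quoted format
            continue
        name = m.group("filter").strip()
        if name == STEALTH_FILTER:
            stealth += 1   # no listener on the targeted port; no rule change needed
        else:
            other[name] += 1  # dropped by another filter; these are the ones to review
    return {"stealth": stealth, "other": dict(other), "unparsed": unparsed}

# Constructed sample lines. The prefix values and "Example Inbound Block Rule"
# are placeholders for illustration, not taken from a real blocks.log.
_STEALTH_TEXT = ("Port Scanning Prevention Filter, This filter prevents port "
                 "scanning. This many times means there are no listeners. "
                 "If debugging ensure your scenario has one.")
SAMPLE = [
    "[1234.5678] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: " + _STEALTH_TEXT,
    "[1234.9abc] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: " + _STEALTH_TEXT,
    "[1234.5678] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: "
    "Example Inbound Block Rule, constructed description.",
    "[1234.5678] I: constructed line that is not a drop entry",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Entries counted under `other` are the ones worth comparing against your firewall rules; the `stealth` count only reflects traffic that reached ports with no listener.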
Article no: 000012637