Nmap TCP scan mystery

Hi all.

 

First post here, but long time F-Secure user.

Have: F-Secure Client Security 9.31 build 118
FW: iPCop

The other day a user reported a "Intrusion attempt" popup
from F-Secure. "Nmap TCP scan. TCP high ports", and yes, it
looked like some random dsl machine in Finland were probing
a local port.

He had a few, spread over a few days, all from the same IP,
to various high ports, these varied both on target and
source.

No trace in FW logs, and  I did not really believe it was
reasonable to assume something had got through firewall/NAT
to probe a single local address, but I found nothing on the
machine  to indicate it was locally initiated either.

Looking further, I found six other machines on the network,
all had had the same "attack", sporadically for months. days
and weeks between, in from consumerspace, different IP every
time, checking a high port.

A common thing among the six latter machines was that all
had Spotify installed and running but i'm unsure it this is
relevant.

Now, and this baffles me further, looking at the remote
addresses (all different), but all on the same domain too: I
checked the first 15, all in Sweden, all on the form:

xxx-xxx-xxx-xxx-noxx.tbcn.telia.com

Note that this is in a way two cases, the first many
contacts between two specific machines, the second six
different machines here, and several machines in the telia,
com domain. Probably ok, probably some peer-to-peer stuff,
but i'd like to understand it.

I have been googling here, there and everywhere in addition
of checking with my local f-secure supplier, but until now,
none the wiser. Any clues would be appreciated.

Regards, Chrr Rekkedal // Bellona

Accepted Answer

Comments

  • NikK
    NikK Posts: 935 Rock Star

    I noticed the same thing on an XP machine running FS Internet Security 2012 with FS own firewall. Beside Nmap TCP Scans, there was also a lot of Null scan, Fin scan and SYN Fin scan. These might just be Nmap decoys.

     

    I spent a lot of time searching for info about Nmap scans and found people saying that it can't bypass a SOHO Router with SPI, a "NAT" router. Since I had proof they were wrong I got even more curious. I found that the Nmap scans weren't even logged in the Router. When I checked the router log setting it says "Known DoS attacks and Port Scans". Apparently Nmap scans isn't one of them. So without FS I would have no clue and nothing in the logs.

    Here's some information that could explain this:

     

    "Attackers with patience, skill, and the help of certain NMAP options can usually pass by IDS's undetected."

     

    "Occasionally people suggest that Nmap should not offer features for evading firewall rules or sneaking past IDSs. They argue that these features are just as likely to be misused by attackers as used by administrators to enhance security. The problem with this logic is that these methods would still be used by attackers, who would just find other tools or patch the functionality into Nmap."

    Source:  http://nmap.org/book/man-bypass-firewalls-ids.html

     

    As I understand it you can't even trust the information about what IP the scan initiated from. There's options in Nmap for decoy and spoofing addresses.

     

    Since the Nmap scans seemed to target my internal NAT addresses like 192.168.1.2, I decided to change two things in the router:

    - Change my LAN IP's

    - Disable UPnP

     

    I can't know for sure if that helped or not, if one or both changes was needed, but I actually haven't seen any more Nmap scans for 2 months now.

    UPnP often comes pre-activated and most people don't need it. In this case I noticed the router changing UPnP ports every now and them, even to ports not known for any common software. What UPnP does is opening and forwarding traffic by it's own, without you knowing. In this case it forwarded traffic for unknown ports to 192.168.1.2 so I just couldn't trust UPnP anymore.

     

    I don't think an Nmap scan itself can cause any damage other than possibly crash an application. The (legal) purpose with Nmap is mostly to gather information of all devices in large networks, like what OS, application and services is used and version information. It's mostly used by security teams and penetration testers.

     

    To test your FW and/or router for open or not stealthed ports I recommend "ShieldsUp" from GRC. You can't do Nmap scans with it but you can scan for common ports and more.

    https://www.grc.com/x/ne.dll?bh0bkyd2

    If you want to Nmap scan your own machine to see what information the others could get from a Nmap scan, I found this site (haven't tried it myself though):

    http://nmap.online-domain-tools.com/

    Or you can just install Nmap from http://nmap.org/download.html
    But if you do, note that you can't scan your own IP, not even your external public IP. You have to do it from somewhere else, but I'm not sure it's entirely legal or allowed by all ISP's. And to master Nmap seems to be a difficult task.

     

    I hope you got some help from this.

    chrrekkedal
  • Hi NikK

    Thank you for your constructive and long reply.

    Lots to ponder there.

    Of scan types, I only see "TCP High ports in", no other Nmap
    scans in the Policy Manager.

    I think I was a little vague in my initial description: I
    don't have a SOHO router, I have a dedicated stateful
    firewall (iPCop). And there everything should be closed,
    apart from one port forwarded to a machine in the DMZ.
    Definitively no UPnP.

    I have scanned the FW with Nmap from the outside, no
    surprises there. My scans show up in the FW logs, unlike
    the logged incidents from the inside.

    I have no other explanation than that this is a mis-report
    from F-Secure, that the connections are initiated from the
    within the network.

    On the other hand, what I don't know about security can fill
    many  books.

    And, if initiated on the inside, I still hold Spotify high on
    the list of suspects, fit with all but one machine. As I
    understand, Spotify do peer-to-peer. Still, why are all
    machines in the same domain? Can this be explained from how
    Spotify works?

    Again. Thank you for taking the time to write.

     

    Christian

  • NikK
    NikK Posts: 935 Rock Star

    Hi again Christian,

     

    The other scans I mentioned are not Nmap scans. I just meant they could be a part of the overall Nmap scan as a bigger picture of an intrusion attempt.

     

    I'm not familiar with iPCop but if it's a stateful firewall I guess it's similar to a router with SPI(Stateful Packet Inspection). It will block any unauthorized connections. However Nmap scans aren't always detected. For example raw fragment packets(from same Nmap source as previous):

    "The idea is to split up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing."

     

    The fact that your own Nmap scans show up in the FW logs could just be because you're not an Nmap expert yet Smiley Wink Neither am I... yet.

     

    Regarding Spotify, I use Spotify myself on a Win 7 PC with windows FW and have disabled the inbound firewall rule for Spotify. Also I've disabled UPnP in this router too. I have no problems at all with Spotify after these changes. Still I found this, indicating that you need both UPnP and FW rules in+out for it: http://community.spotify.com/t5/Newcomers-and-Contribution/Troubleshooting-connection-issues/td-p/104003

    You can always test and see if Spotify works without an inbound FW rule. I have actually disabled all inbound but the Windows Core Networking rules(in windows FW) without any problems. I think outbound is more important. As for Spotify's peer-to-peer connections, check this out: http://mrlithium.blogspot.se/2011/10/spotify-and-opting-out-of-spotify-peer.html

    It describes what to allow and block to opt out of its P2P network. You don't really need to be part of it.

     

    In the case of my Nmap scan detections there is only one computer on that LAN. So it is definitely coming from the outside, not the inside. And I have to correct myself from previous statements: I've had 2 more Nmap TCP scans the last week so I'm now 100% sure the Nmap scan passed the routers Stateful Packet Inspection FW without even being logged. After I disabled UPnP there are no ports open in the router. I have no port forwards, remote management or anything like that. Everything is closed from the outside! Just as in your case almost all seems to come from tbcn.telia.com, and occasionally from business.telia.com. This doesn't say much, only that it seems to come from the telia broadband customer network.

     

    To sum up: it seems difficult to stop Nmap scans, even with a good FW. But the scan itself isn't malicious. You should be more concerned about what the scan might find: any open ports, software exploits due to non-patched use of old versions etc. Basically any information that might trigger the attacker to proceed with malicious attempts. In other words nothing to worry about as long as you have all software updated and control over eventual open ports.

    If the scans continue you could change the setting from pop-up to "block and log". That's what I did, and also the reason why I missed I had 2 new Nmap TCP scans the last week.

     

    It would be really interesting to know from an F-Secure expert how an Nmap TCP scan is detected! I haven't found any info about that. When searching for it I've only found issues about F-Secure detecting it, or ISP versions of F-Secure. Either F-Secure is the only product detecting it(not likely), or more likely the only product detecting it as a "Nmap TCP scan". Maybe it's just named something else in other products?!

     

    /Nikk

  • Hi again Nikk

    Than you for more good discussions.

    I'll look into the possibility of Nmap passing through the
    firewall. As you imply, that I can't sneak through doesn't
    mean it is impossible Smiley Happy


    The Spotify links were interesting. My users with Spotify
    (and FSCS Fierwall) have no special rules for Spotify, only
    the default "office" rules which deny everything.

    It seem to me you think it impossible that these scans in
    reality originates within the machines on the local net, and
    is misreported by F-Secure.

    There is also the intruiging fact that almost every remote machine
    is in the .telia.com domain (15+), only one exception.

    I'll think a bit more, see if I can get my local supplier
    interested, and if/when learn what this is, I'll come back
    and post it here.

    Have a nice weekend!

    Christian

  • NikK
    NikK Posts: 935 Rock Star

    You're welcome!

     

    Yes, I believe they come from the outside. In my case I'm sure they do.

     

    Perhaps I should stop this info bombing, but I can't. So here's some more Smiley Wink

     

    "Detecting NMAP is not an easy task to do. NMAP has many switches available for a person to use"

     

    "Another common signature of NMAP are the high source ports. Normally, NMAP's source ports are above 20000 (this feature can be changed with the -p switch). The thought process behind setting the port so high is that some IDS and firewall programs will not flag these scans because of this. That thought process still holds true today in some cases, many times the high source ports alert an IDS analyst or firewall administrator that they are being scanned."

    http://www.symantec.com/connect/articles/intrusion-detection-level-analysis-nmap-and-queso

     

    "You can use nmap to penetrate firewalls as well. nmap can perform scans useful for determining whether a firewall uses stateful filtering or not; and which ports a firewall allows through. You can scan targets behind the firewall with this and discover the firewall rules, allowing more targeted scans and possibly evading firewall logging."

    http://en.wikibooks.org/wiki/Hacking/Tools/Network/Nmap

     

    Scary reading perhaps, but the good thing is that we can do this too, to be able to better secure our networks. We just have to make the time needed to learn and master Nmap better.

     

    I'll close with some funny facts: Nmap the movie star Smiley Wink In movies Nmap is usually associated with hacking, for example in The Matrix Reloaded, Bourne Ultimatum, The Girl with the Dragon Tattoo. http://nmap.org/movies/

     

    Nice weekend to you too!

    /Nikk

  • Hi Nikk

    I did not see your last reply, thank you again.

    As I can't say I understand what is going on. I'll for now
    must settle for possible F-Secure Error or thwarted probe.

    Not happy with this , though, so I'll study NMAP some more
    to see if it is really possible to penetrate my FW in this
    way.

    But still, very low intensity, days or weeks between F-S
    flag anything. Single machines, out of a group of six-seven
    affected. Source many different machines in Sweden, on the
    same network; tbcn.telia.com (telia broadband customer
    network).

    I maintain this is a mystery Smiley Happy

    Christian

  • NikK
    NikK Posts: 935 Rock Star

    Hi Christian

     

    Since no one else(including F-Secure) wants to take part in this discussion, I'll go on Smiley Wink

     

    If the F-Secure product alerts Nmap TCP scan for TCP High ports(which is significant for Nmap scans), I see no reason not to trust that alert. If it isn't coming from outside your firewall then the only explanation I see is that someone inside your network is doing these NMAP scans. I suggest you ask all people in your IT-department just to be sure. And I assume you're not a Telia broadband customer.

    My intrusions are also mostly from tbcn.telia.com. Most likely the people/computers doing this are scanning a large number of computers at random, maybe several hundred thousands or millions at a time.

     

    I'm not an NMAP expert but I've read a lot about it, so I'll share some notes I've made although it's a bit technical. It helps if you understand how TCP connections work and what packets are:

    A normal TCP connection does a 3-way handshake:

    1. Client sends a TCP SYNchronize packet

    2. Server receives it and responds with a SYNchronize-ACKnowledgement

    3. Client receives it and responds with a ACKnowledgement

    When Server has received it the TCP connection is established. NMAP has options that skips some of these steps to try and confuse firewalls etc.

     

    Then there's packets that contain a header, payload, address of where the data is to be sent etc. NMAP has options to break the rules for how packets are sent in order to confuse firewalls etc.

     

    Here are some NMAP options you could try(outside your firewall) that tweaks handshakes and packets:

    • Fragment packets: Splits up into several packets to try to bypass firewall packet inspections. NMAP option: -f or -ff for extra fragment packets.
    • Maximum Transmission Unit(MTU): Changes the packets size to confuse firewalls. NMAP option: –mtu [number]. Example: –mtu 24
    • Source Port: Takes advantage of not properly configured firewalls that allow all incoming traffic from a specific port. NMAP option: –source-port [port] 
    • Random Data: Changes the packet sizes to try and avoid detection by adding random bytes. NMAP option: –data-length [number]. Example –data-length 25
    • Bad checksums: Send packets with incorrect checksums to try to avoid firewall detection. NMAP option: –badsum
    • TCP SYN scan: a half-open scan as it doesn't do a full 3-way-handshake. NMAP option: -sS
    • TCP ACK Scan: is treated by firewalls as a response to a SYN packet(which was never sent), maybe causing a firewall not to log it. NMAP option: -sA
    • Null scan: -sN
    • FIN scan: -sF
    • Xmas scan: -sX

    (the last 3 scan types doesn't send any of the control bits included in a normal 3-way handshake)

    There's much much more you can do with NMAP, and you can also combine options. 

     

    I suggest you try these scans a few minutes apart and take notes of the time for every NMAP option, so you easily can compare them to the firewall log later. If you don't get successful with the above NMAP options and you don't wanna spend more time on this but you still are concerned about it, you could always hire a professional penetration tester. As mastering NMAP is difficult, this might save time = money

     

    And if you haven't already, you could also post about this in a community/support for IPCop. Also as mentioned before you can change the setting for this alert from pop-up to "block and log", and it won't alert anymore but still block.

     

    Lycka till!

    /Nikk

  • Hi again Nikk

    Again, thank you for your NMAP input. Very instructive.

    I have tried several of your suggestions, and have not been
    able to get through the FW, every attempt is rejected and
    logged.

    I managed to get the FSDIAG file looked at by F-Secure, and they
    said:

    "With regards to your enquiry, the alert was triggered by a Port Scan, this alone is not really an attack however it is way a possible attacker will find open ports on their target. Once an open port is found, the attacker might then attempt an attack.

    In this particular case, it seems the workstation is somehow exposed to an external IP address 81.233.192.177. This might be because of a port forwarding on the router/gateway or the workstation is on a DMZ.

    Nevertheless, the port scan was blocked and the workstation protected."

    This did not tell me anything new, and the second paragraph assume wrong.

    I have only had one incident the last month. While all other  sources have
    been various machines in the tbcn.telia.com domain, the last one was in
    the inet.dsl.telianet.dk domain.

    What is it with Telia dsl is one question, another is the trustworthiness
    of the firewall, so I'll investigate further on the iPCop forums.

    >Lycka till!

    Thank you. btw, it is "Lykke til" (Norwegian) Smiley Happy

    Regards, Christian

  • NikK
    NikK Posts: 935 Rock Star

    Hi Christian

     

    Great with some input from F-Secure, finally Smiley Wink

     

    I guess what they mean is that IP was the IP who did the port scan. But they could be correct that this is happening because you have a port forward to a DMZ, which I remember you mentioned was the only open port.

     

    Either this is an advanced NMAP scan that can go through the iPCop without being logged, or they are taking advantage of the open port to be able to scan inside your network. But I guess the port forward machine in the DMZ is NOT on the same LAN as the computers that have detected the NMAP scans? Otherwise I've misunderstood.

     

    Now, the problem with reporting this to an iPCop forum is that there is a risk that they will say: it's just not possible to penetrate iPCop.

    The reason is: if an NMAP scan can go through the iPCop firewall without being logged, then the problem is that most iPCop users wouldn't know about it. They need to have a software firewall like F-Secure's that is able to detect a NMAP TCP scan to know about it. I mean, if you've had another product than F-Secure's, it's possible that the NMAP scan have not been detected at all, right? Or perhaps detected but with another name without NMAP in it.

     

    For home users, F-Secure removed it's own firewall solution in Internet Security 2013. So the only F-Secure products able to detect NMAP scans nowadays is business versions and older home versions that still have the F-Secure firewall in it.

     

    I've searched the internet for detections of NMAP TCP scans and all I can find is people using an F-Secure product. And when I found a product with a different name it turned out they're just renamed ISP versions of F-Secure products, for example the french product Securitoo. So unless you're using a F-Secure firewall product you're probably not aware of any NMAP scans. If other products detect NMAP scans it is probably named something else, perhaps just a TCP Scan.

     

    Two common searches on Google about it:

    • nmap tcp scan telia
    • nmap tcp scan f-secure

    That to me suggests that the scans are coming from telia network and people are searching about it, and that the people who received an alert about nmap tcp scan have an F-Secure product installed.

     

    These scans are most likely random scans and not targeted. And the fact that most are coming from Telia could be becuase they have most broadband customers. Just a guess.

     

    ps. "Lycka till" was my silly way of saying good luck from your neighbor country as our languages are rather similar Smiley Wink

  • Hi, Thanks for raising this discussion. I am still running a F-secure Internet security 2011 on one of my computers in a LAN. Spotify was installed on that computer and very shortly after that I got the alert on the Nmap port scanning with an external IP address referring to telia. The internal IP was of that PC with a recently installed Spotify. The port scan was clearly associated with the installation of Spotify. I have a firewall with NAT. What I do not clearly get from this discssion is if there is a security issue or not. I do not understand why Spotify should perform a port scan in my network. Can I block it ? I have been a long term user of F-secure for many years already but I must say I do not like some of their recent decisions to strip down the software. I do not trust the Windows firewall - it is too easy to manipulate by malicious software and installation packages. My sons F-secure (2013) did not detect the port scan on their computers (with Spotify installed) BR Mika
  • NikK
    NikK Posts: 935 Rock Star

    An NMAP scan itself isn't harmful. "Someone" is scanning for security stuff like open ports, unpatched programs etc. If the scan finds something, then it's a security issue and the hacker can come back and abuse what he found in the scan. So keep all programs updated including windows update and service packs. But as the F-Secure firewall detects and blocks the NMAP scan you should be fine.

     

    As for your sons computers not "detecting" it, that may not be the case because it's the windows firewall's job to detect it in this case, and it doesn't alert when it blocks. You can enable logging for windows firewall if you want, but the log is not that user friendly to read. Options for logging are: Dropped packets and Successful connections.

     

    There's no proof that I know of that Spotify is the cause of this. If you're concerned about Spotify's peer-to-peer network, check out the link in previous posts on how to opt out of the P2P network. Note: It requires firewall filtering and can be difficult to set up.

     

    I posted some information on F-Secure's dropped firewall and thoughts about it, you can find it here

     

    About not trusting Windows firewall, my advice is to scan all downloads and software before installing and running them. On VirusTotal the files are scanned with 40-50 different anti-virus engines, giving you a better result than to scan with only one. Be aware of the increased risk of false-positives when scanning with that many engines.

  • Hi Manttila, Nikk

    Happy New year!

    I  got a lot of interesting pointers re NMAP from Nikk, and thought I better
    change my focus to our own Firawall.

    However, just before Christmas I looked at the logs again and asked some
    questions: Turn out this is not only happening at the office, it can
    happen on public wifi or at home behind some router too. So i shelved
    the plans to suspect our firewall, at least for now.

    Another track; I have been slowly upgrading Client Security from 9.31 to
    11.00 after updating the server. Now, I am not completely sure, but I
    suspect the NMAP High Port in scan only registers on the old version of
    CS, not the new. (Not 100% sure because have installed, deinstalled and
    re-installed on some machines, not kept not on what versions when an
    attack was reported.

    Now, back from a deserved Christmas Vacation, I have started a policy
    based upgrade which should be concluded sometimes next week. I wait until
    then, as I still have a hunch this is not what it look like, but a local
    error of F-Secure.

    Anyway, to sum up:

    * I have  40+ machines.

    * About ten has flagged a "High port scal" event.

    * Nothing common between the machines (laptops of different make, desktops).

    * All originationg IP's from *.tbcn.telia.com, not two the same.

    * No signs of any of those IP's in tfe Firewall logs.

    * No other incidents logged on any of the machines (except the usual).

    * Long time between events per machine, some once, others a week between.

    * One or only a few ports scanned each time.

    * High percent of Spotify users, maybe all (havent been able to check all machines,
      my users travel a lot).

    * Until recently, all clinets had 9.31 installed.

    * Updating server/Policu manager just before Christias.

    * Some clients updated to 11.00 before that, a few  after.

    * Deploying 11.00 to all from this morning.

    I'll come back if/when  I have more


    Thank you very much for your input, it is  appreciated!


    Christian

  • NikK
    NikK Posts: 935 Rock Star

    Hi Christian,

     

    Any news after completing the upgrades?

  • Hi

     

    Well, negative news only.

     

    All clients were updated by the beginning of 2014. Since then two more cases, same as before. Both users also Spotify users btw, both sources telia.com as before.  (217.210.196.156    217-210-196-156-no30.tbcn.telia.com and 81.235.186.197  81-235-186-197-no207.tbcn.telia.com)  I have seen both these addresses  before.

     

    So, while it is not good to abadone all theories but Spotify, this is still my main suspect.  I'm fairly sure that whatever is happening, it is not random machines in  tbcn.telia.com portscanning a random machine here once in a long while.

     

    Anyhow, slightly OT: While trying to understand Spotify a little better I came across this paper "Spotify - Large Scale, Low Latency, P2P Music-on-Demand Streaming" . It was quite interesting; I surly did not know  that  music served by Spotify was largly  peer to peer.

     

    Christian

  • NikK
    NikK Posts: 935 Rock Star

    Ok, so the mystery remains..... You could try reporting it to Telia as abuse. At best they will investigate it for you:

    http://www.telia.se/privat/abuse/anmal_missbruk.page (don't know if there's an equal .no page)

     

    Interesting Spotify link. It says that it uses UPnP to ask routers to open a port for incoming connections Smiley Sad Personally I've disabled UPnP both on my PC and in my router. And I've made a quick fix to block all P2P outgoing connections (TCP/UDP > 4070) You should see the block log after I've listened to Spotify for a couple of hours! I don't have or don't even know of any other program that makes so many connections. And they aren't even necessary!

     

    There is of course a chance that this is something else than NMAP and that F-Secure doesn't identify it correctly. That it's a TCP High Port scan is most certainly accurate, but there are other network scanners out there. Recently I read about a new Norwegian one: https://usikkert.no/  that holds all 15 million IP-addresses used in Norway, and it scans them for vulnerabilities. Don't know what scan techniques is uses though, but it seems similar to http://www.shodanhq.com/  There is also https://zmap.io/ 

    I'm thinking of the port foward to the DMZ, that may be exposed to these kinds of scans.

     

    On my PC with Windows Firewall I've tried both searching online and my logs for any evidence of an NMAP scan, but without luck. It seems strange that only the XP PC(with an F-Secure Firewall) has NMAP scans detected when they are both behind a router with everything blocked. As I've speculated before: maybe it's only the F-Secure Firewall that names it an "NMAP" scan, and other firewalls name it only a TCP scan so it's impossible to know that it's a NMAP scan.

    And Windows Firewall has a nasty habit of sometimes only log "INFO-EVENTS-LOST" which means you can't even be sure it has really logged everything.

    Well, do you have any computer on your network that doesn't have the F-Secure Firewall? If so, any proof of a TCP High Port scan?

     

    I'm just brainstorming here (as usual) Smiley Wink

     

    NikK

  • Hi again.

     

    >Recently I read about a new Norwegian one: https://usikkert.no/  that holds all 15 million IP-addresses used in Norway, and it scans them for vulnerabilities. Don't know what scan techniques is uses though, but it seems similar to http://www.shodanhq.com/ 

     

    Yes, it scan for http servers on certain ports; i.e. "the web of things", routers, TV's etc.

     

    But our mystery since last year seem solved at last; your suggestion to contact Telia abuse payed off. Here is what they replied:

     

    "It has come to our attention that F Secure interprets harmless port calls (against torrent clients, streaming media or other applications) as NMap Scan. We get a lot of complaints from our and other customers in Sweden regarding NMAP scan, and everyone uses F Secure.

     

    Nmap is a tool used to secure a network and check for security holes. Nmap can also be used to scan external networks for open ports, but if someone was using NMap to scan your network, sevral ports (thousands) would be scanned within a few minutes.

     

    In conclusion, this is nothing to worry about. It can be annoying, so one suggestion is that you set your firewall to ignore these reports.

     

    Best regards

    Telia Abuse Team"

     

    So, with this, I let it lie. But thank you for coming along. , I've certainly learned a lot.

     

    Until the next one...

     

    Christian

  • NikK
    NikK Posts: 935 Rock Star

    Interesting! So assuming that Telia is correct about this, that also means that you were correct about the suspicion that this is an F-Secure "error". I never thought F-Secure could make errors like this!

     

    To finally close this issue I think you should mark your post with the reply from Telia as the solution as it may help others (button "Accept as Solution")

     

    And if I were you I'd contact F-Secure support again and attach the reply from Telia Abuse, to see what they have to say about this. To wrongly identify "harmless port calls" as NMAP Scans must be considered a major bug as it will confuse a lot of F-Secure users.

     

    If you won't, I will, so let me know.

  • Hi Nikk

     

    >And if I were you I'd contact F-Secure support again and attach the reply from Telia Abuse, to see what they have to say about this. To wrongly identify "harmless port calls" as NMAP Scans must be considered a major bug as it will confuse a lot of F-Secure users.

     

    I have already  done that. I hope they do something about it.

     

    Christian

  • Popeye
    Popeye Posts: 36

    Just to confirm your discoveries and the Telia Abuse Team message:

     

    I have seen plenty of the same "High TCP Ports" warning from F-Secure Client Security on Windows clients who download files using BitTorrent. Seems like F-Secure has an issue with certain P2P protocols. Haven't seen the warning in relation to media streaming though (I'm a Wimp user myself).

This discussion has been closed.