Kaspersky Endpoint Security 11 for Windows
 
 

Scan.Generic.PortScan and DoS.Generic.Flood events in Kaspersky Endpoint Security for Windows

Latest update: May 24, 2024 ID: 16054
 
 
 
 
Applications and versions that this article concerns:
  • Kaspersky Endpoint Security 12.5 for Windows (version 12.5.0.539)
  • Kaspersky Endpoint Security 12.4 for Windows (version 12.4.0.467)
  • Kaspersky Endpoint Security 12.3 for Windows (version 12.3.0.493)
  • Kaspersky Endpoint Security 12.2 for Windows (version 12.2.0.462)
  • Kaspersky Endpoint Security 12.1 for Windows (version 12.1.0.506)
  • Kaspersky Endpoint Security 12 for Windows (version 12.0.0.465)
  • Kaspersky Endpoint Security 11.11 for Windows (version 11.11.0.452)
  • Kaspersky Endpoint Security 11.10 for Windows (version 11.10.0.399)
  • Kaspersky Endpoint Security 11.9 for Windows (version 11.9.0.351)
  • Kaspersky Endpoint Security 11.8 for Windows (version 11.8.0.384)
  • Kaspersky Endpoint Security 11.7 for Windows (version 11.7.0.669)
 
 
 
 

Issue

While Kaspersky Endpoint Security for Windows is running, blocking events from the Network Threat Protection component may occur.

Examples of such events:

  • Scan.Generic.TCP network threat detection
The Network attack detected event occurred on the COMPUTER device in the Windows domain EXAMPLE.COM on January 27, 2024 6:33:18 (GMT+03:00)
User: EXAMPLE.COM\User (Active user)
Component: Network Threat Protection
Result description: Blocked
Name: Scan.Generic.PortScan.TCP
Object: TCP from 192.0.2.34 at 192.0.2.46:41698
Object type: Network packet
Object name: TCP from 192.0.2.34 at 192.0.2.46:41698
Additional: 192.0.2.46
Database release date: 1/26/2024 10:45:00 PM
  • Scan.Generic.UDP network threat detection
The Network attack detected event occurred on the COMPUTER device in the Windows domain EXAMPLE.COM on January 28, 2024 7:52:31 (GMT+03:00)
User: EXAMPLE.COM\User (Active user)
Component: Network Threat Protection
Result description: Blocked
Name: Scan.Generic.PortScan.UDP
Object: UDP from 192.0.2.45 at 198.51.100.148:53855
Object type: Network packet
Object name: UDP from 192.0.2.45 at 198.51.100.148:53855
Additional: 198.51.100.148
Database release date: 1/28/2024 04:06:00 AM
  • DoS.Generic.Flood.TCPSYN network threat detection
The Network attack detected event occurred on the COMPUTER device in the Windows domain EXAMPLE.COM on March 11, 2024 12:14:05 (GMT+03:00)
User: NT AUTHORITY\SYSTEM (System user)
Component: Network Threat Protection
Result description: Blocked
Name: DoS.Generic.Flood.TCPSYN
Object: TCP from 192.0.2.247 at 192.0.2.19:84
Object type: Network packet
Object name: TCP from 192.0.2.247 at 192.0.2.19:84
Additional: 192.0.2.19
Database release date: 4/03/2024 05:03:00 AM

To learn more about threat types, see Kaspersky Threats.

Cause

Blocking events can occur for the following reasons:

  • Routers, switches and firewalls are incorrectly configured.
  • DDoS attacks are conducted against the protected device.
  • Attacks are conducted against vulnerable services or protocols.
  • The specifics of the application or equipment being used, such as MFPs, are not taken into account.
  • An outdated version of Kaspersky Endpoint Security for Windows or outdated anti-virus databases are used.

Solution

  1. Check that the anti-virus databases on the affected device are up-to-date.
  2. Install the latest version of Kaspersky Endpoint Security for Windows with the available cumulative patch.

If you can identify the source of the problem and are sure that it is not a threat, you can add it to the Network Threat Protection exclusions:

  1. On the Administration Server, open the properties of the Kaspersky Endpoint Security for Windows policy.
  2. Go to Essential Threat Protection → Network Threat Protection → Network Threat Protection settings.
  3. Select Exclusions.
  4. Add the remote source address, local port and connection protocol to the exclusions list.
You can verify the legitimacy of third-party software or device behavior triggered by the anti-virus protection by contacting the software or device manufacturer's technical support.
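
The values needed for step 4 (remote source address, connection protocol, local port) can be collected from the Object field of exported events before an exclusion is written. The Python below is an added example, not Kaspersky code: it assumes the Object field reads `<protocol> from <remote source> at <local address>:<local port>` as in the sample events above, and the function names and the last sample event are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed layout: "<proto> from <remote source> at <local address>:<local port>"
OBJECT_RE = re.compile(r"^Object:\s*(TCP|UDP) from (\S+) at (\S+):(\d+)")

# Name/Object pairs from the article's samples; the last pair is constructed.
SAMPLE = """\
Name: Scan.Generic.PortScan.TCP
Object: TCP from 192.0.2.34 at 192.0.2.46:41698 Object type: Network packet
Name: Scan.Generic.PortScan.UDP
Object: UDP from 192.0.2.45 at 198.51.100.148:53855 Object type: Network packet
Name: DoS.Generic.Flood.TCPSYN
Object: TCP from 192.0.2.247 at 192.0.2.19:84
Name: Scan.Generic.PortScan.TCP
Object: TCP from 192.0.2.34 at 192.0.2.46:41702
"""

def parse_events(text):
    """Yield one record per Name/Object pair; bad addresses or ports are skipped."""
    name = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            continue
        m = OBJECT_RE.match(line)
        if not (m and name):
            continue
        proto, src, local, port = m.groups()
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(local)
        except ValueError:
            continue
        if int(port) <= 65535:
            yield {"name": name, "protocol": proto, "source": src, "local_port": int(port)}
        name = None

def summarize(text):
    """Group events by (remote source, protocol): detection names, local ports, hit count."""
    groups = defaultdict(lambda: {"names": set(), "ports": set(), "hits": 0})
    for e in parse_events(text):
        g = groups[(e["source"], e["protocol"])]
        g["names"].add(e["name"])
        g["ports"].add(e["local_port"])
        g["hits"] += 1
    return dict(groups)
```

A source that appears with many different local ports under a PortScan detection will not be covered by a single-port exclusion, which is worth knowing before the entry is added.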

What to do if the issue persists

To identify the source of the problem, use these recommendations and submit a request to Kaspersky Technical Support via Kaspersky CompanyAccount.

 
 
 
 
 