This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SOPHOS INTERCEPT X - PORT SCAN DETECTION

Greetings very good afternoon community!

I have a question.
Is the endpoint capable of detecting and reporting a port scan? That it has been executed on the network and towards computers that have the Endpoint installed? I have seen that the Sophos Firewall does detect them but I have no endpoint alerts



This thread was automatically locked due to age.
Parents
  • If you have XDR (or better yet, MDR), with your Data Lake Uploads enabled, it will appear as a Detection item and be available.

    As for Intercept X Advanced reporting a port scan occuring, it wont. However, if malicious behavior towards a machine over the network occurs, the MTD and IPS components will trigger, but that would not be the same as a port scan.


  • I can confirm the same: I don't see any detections either when port scanning, even with XDR on both endpoints (server and workstation). We have Intercept X advanced XDR with data lake uploads for both server and computer but we don't have Sophos Firewall. Maybe the detection is generated only with the 'detect malicious network traffic' setting active, which can only be set when enabling EAP?

    I would love to know this as well, because a sudden port scan could be a tell tale sign of impending attacks, and it's best to know something is going on early.

  • I can mention it to SophosLabs. I guess the use case would be an insider running a port scan on the office network? I believe PUA and/or Application Control can already block use of common port scanning tools like nmap.

  • What if someone is scanning the network from a device that doesn't have Sophos installed? Being able to detect this from the network perspective is important. This is a capability other solution offer as well. 

Reply Children
No Data