How to block applications such as Advanced IP Scanner from scanning the network?
My product is Sophos XGS 2300.
This thread was automatically locked due to age.
Hello William,
Thanks for reaching out to Sophos Community.
If you're looking for a feature that would block this application (Advanced IP Scanner) from running on the end machine, your Endpoint Protection of choice should be able to control these kinds of applications from running. For example, Sophos EPP has this on its App control list. These types of applications usually scan IP network ranges using broadcast addresses to check who's up on the set network addresses (usually they ping the broadcast IP address of a certain network; say, for network 192.168.1.0/24, these apps ping 192.168.1.255 to check who's alive, and if other end machines allow a response on their host-based/software FW, in many cases Win Firewall, they would respond and let them know they're up).
That being said, if the scanner and FW are in the same broadcast zone on the network level, firewalls would not be able to prevent scans by these apps. Even the FW would respond to the broadcast pings if you run the scanner on a LAN zone and your FW LAN zone is configured to respond to ping, unless you explicitly configure the Firewall not to. However, you can control them on the endpoint level from ever running using your EPP's app control.
If this is targeted for the Firewall, and Port Scan/Sweep detection is the feature you're looking for and not IP scanning on the network like what I'm mentioning above, this is currently under feature request. You may reach out to Support to have this requested and linked under your account, and may refer to this FR: SFSW-I-776.
Further, you may also check and refer to this past thread that is similar and could give additional insights on Port Scanning as discussed by other users on Community: Port scan Detection XG18
Hope this helps. Have a nice day and thank you for choosing Sophos.
Regards,
Raphael Alganes
Community Support Engineer | Sophos Technical Support
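Since the reply says firewall-side port scan/sweep detection is still a feature request, here is an added example (not part of the original post and not Sophos code) that flags the two patterns it describes, a ping to the subnet broadcast address and one source touching many hosts in a short window, from flow records collected elsewhere. The record format, the names `build_sample` and `detect`, the source of the records (for example a switch mirror port), and the window and threshold values are all assumptions.

```python
import ipaddress
from collections import defaultdict, deque


def build_sample():
    """Constructed records 'epoch_seconds src dst proto' (not a Sophos log format)."""
    lines = ["100 192.168.1.50 192.168.1.255 icmp"]  # ping to the /24 broadcast address
    # The same host then probes .1 through .30 within a few seconds.
    lines += [f"{101 + i // 10} 192.168.1.50 192.168.1.{i} icmp" for i in range(1, 31)]
    # An ordinary client: two destinations, minutes apart.
    lines += ["100 192.168.1.60 192.168.1.10 tcp", "400 192.168.1.60 192.168.1.11 tcp"]
    return lines


def detect(lines, subnet="192.168.1.0/24", window=10, threshold=20):
    """Return {src: [alert kinds]} for time-ordered records.

    'broadcast-ping': ICMP sent to the subnet's broadcast address.
    'sweep': at least `threshold` distinct destinations within `window` seconds.
    """
    net = ipaddress.ip_network(subnet)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs still inside the window
    alerts = defaultdict(set)
    for line in lines:
        ts, src, dst, proto = line.split()
        ts = int(ts)
        if proto == "icmp" and ipaddress.ip_address(dst) == net.broadcast_address:
            alerts[src].add("broadcast-ping")
        q = recent[src]
        q.append((ts, dst))
        while q and q[0][0] <= ts - window:  # drop records older than the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            alerts[src].add("sweep")
    return {src: sorted(kinds) for src, kinds in alerts.items()}


if __name__ == "__main__":
    for src, kinds in detect(build_sample()).items():
        print(src, ", ".join(kinds))
```

An alert here only identifies the scanning host; stopping the tool from running is still done with endpoint app control, as the reply describes.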