F-secure Firewall intrusion detection - source 0.0.0.0

We are running F-secure Firewall in several departments. Several times now we have seen an intrusion warning with a source of remote address 0.0.0.0, local address 255.255.255.255. On each occasion it is an intrusion attempt with a scan range of "137 < protocol < 224", and usually it is detected on port 139.

Has anyone else seen this? Any idea what is doing this and why the IPs are so generic?

We are running F-Secure Client Security Premium 11.61; the affected PCs are Windows 7.

Find more posts tagged with

Comments

Ben

Hi Tamas,

We are discontinuing IPS in new version, that should allow to avoid such false-positives.

Disabling the function on older installations should help resolve this issue.

etomcat

Dear F-Secure Developers,

Would it be possible to factory-whitelist the Kaspersky "anti-piracy" traffic from F-Secure alerting? More customers are complaining about the pop-up warnings produced by FSAV CS and PSB, as Kaspersky software are gaining foothold at more and more companies and the two protection suites must co-exist.

To summarize the problem:

"The NDIS wrapper which is installed by Kaspersky is sending out HIP (Host Identification Protocol / Protocol number 139 / RFC 7401) packets at boot time. Apparently, this effort is meant to assess if the number of KAV-protected computers within the local network is compliant with the licence keyfile. Regrettably different brands of personal firewalls at the company trigger a scan or intrusion attempt alert on that traffic cast, which means quite a lot of people are getting a warning every time a KAV-protected system boots."

Thanks in advance, Yours Sincerely:

Tamas Feher, 2F 2000, Hungary.

****************************************

etomcat

Hello,

I would like to add some clarifications here, which I found out today. The alerts depicted in this thread apparently do not com from IP port number 139 (Netbios), but IP protocol number 139.

That would mean "Host Identity Protocol" (RFC 7401), which is a relatively new kind of cryptographic network authentication method.

It seems Kaspersky products use that method to talk to each other over a network broadcast and collectively enumerate the number of computers using the same licence key. In case a non-negligible overuse situation is detected, the licence becomes blacklisted.

Best regards: Tamas Feher, 2F 2000 Kft., Hungary.

Ben

Hello Sa,

Did you introduce or test a new software recently in your network?

It might be the source of such Netbios broadcast traffic.

i have e same problem...anyone know what is the root ...

@Austin1 wrote:

We are running F-secure Firewall in several departments. Several times now we have seen an intrusion warning with a source of remote address 0.0.0.0, local address 255.255.255.255. On each occasion it is an intrusion attempt with a scan range of "137 < protocol < 224", and usually it is detected on port 139.

Has anyone else seen this? Any idea what is doing this and why the IPs are so generic?

We are running F-Secure Client Security Premium 11.61; the affected PCs are Windows 7.

Ben

Hello Lahi,

Please see Tamas reply above. This is most likely due to a licence/ subscription check made by the newly installed antivirus.

Lahi

After installing Kaspersky Internet Security 2016 [16.0.0.614.0.17.0] to one Lenovo laptop, we started to get same intrusion detection alerts to all computers in the same subnet (running F-Secure Client Security Premium 12.00 build 648).

After uninstalling Kaspersky, there have not been alerts anymore.

f-secure intrusion detection

etomcat

Hello,

I have seen something like that caused by the software licence legality check broadcast LAN traffic that was created by a certain large russian brand of antivirus, whose name cannot be written here.

Best regards: Tamas Feher, Hungary.