Issue:
This article applies to the following products: Client Security 15 and 16, Server Security 15 and 16, and Elements Endpoint Protection products.
I am seeing a lot of the following entries in the firewall blocks.log:
[xxxx.xxxx] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: Port Scanning Prevention Filter, This filter prevents port scanning. This many times means there are no listeners. If debugging ensure your scenario has one.
The connection parameters vary, with different local/remote ports and IP addresses. Do I need to modify my firewall rules for these messages to disappear?
Resolution:
These log entries are associated with the Stealth mode mechanism in Windows Firewall with Advanced Security. Stealth mode is built-in functionality that silently drops outgoing ICMP unreachable and TCP reset messages to prevent port scanning. It reacts when no process is listening on the port targeted by the incoming request or traffic.
You can refer to this Microsoft TechNet article for more information about this functionality.
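One way to separate these stealth-mode entries from other drops when reviewing blocks.log, as an added example that is not part of the original article or the product. It assumes only the entry text quoted above; the sample lines and the filter name "Example Block Rule" are constructed.

```python
import re
from collections import Counter

# Filter name taken from the log entry quoted in the article.
STEALTH_FILTER = "Port Scanning Prevention Filter"

# Matches only the part of the entry the article shows. The bracketed prefix
# and everything after the filter name are treated as opaque text.
DROP_RE = re.compile(
    r"Type:\s*FWPM_NET_EVENT_TYPE_CLASSIFY_DROP\.\s*"
    r"Dropped by filter:\s*(?P<filter>[^,]+)"
)

def triage(lines):
    """Tally drop events by filter name and return (counts, other_drops).

    other_drops holds the drop entries NOT produced by the stealth-mode
    filter, i.e. the ones worth comparing against the firewall rules.
    """
    counts = Counter()
    other_drops = []
    for line in lines:
        match = DROP_RE.search(line)
        if not match:
            continue  # not a classify-drop entry (e.g. other log lines)
        name = match.group("filter").strip()
        counts[name] += 1
        if name != STEALTH_FILTER:
            other_drops.append(line.rstrip("\n"))
    return counts, other_drops

# Constructed sample input. The first entry repeats the article's example;
# "Example Block Rule" is a hypothetical filter name used for illustration.
SAMPLE = [
    "[xxxx.xxxx] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: "
    "Port Scanning Prevention Filter, This filter prevents port scanning.\n",
    "[xxxx.xxxx] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: "
    "Example Block Rule, constructed description\n",
    "[xxxx.xxxx] I: constructed line that is not a drop event\n",
    "[xxxx.xxxx] I: Type: FWPM_NET_EVENT_TYPE_CLASSIFY_DROP. Dropped by filter: "
    "Port Scanning Prevention Filter, This filter prevents port scanning.\n",
]

if __name__ == "__main__":
    counts, other_drops = triage(SAMPLE)
    for name, total in counts.most_common():
        print(f"{total:5d}  {name}")
    print(f"{len(other_drops)} drop(s) not caused by stealth mode")
```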
Article no: 000012637