Hello
Is it normal for a client protected with EDR to not signal and block that NMap has been used?
Thank you
Hi @Gian666
Thank you for raising this question. It's a great point and one that often comes up when evaluating EDR effectiveness in detecting reconnaissance tools like Nmap.
Is it normal for Nmap to go undetected or unblocked?
Yes, in many cases, it is normal behavior. WithSecure Elements EDR is primarily designed to detect and respond to malicious or suspicious behavior rather than block legitimate administrative tools by default. Nmap, being a widely used network scanning tool, may not trigger alerts unless its usage aligns with known threat patterns or aggressive scanning behavior.
What can trigger alerts? EDR solutions typically generate alerts for:
nmap -sS -p- 192.168.1.0/24
How to improve detection? To enhance visibility and detection:
Best regards, Sethu Community Moderator | Technical Support Engineer WithSecure™ https://www.withsecure.com/en/home
Hi,
I understand, but nmap could be used by a malicious person looking for information.
Hi @Gian666 ,
Thank you for contacting WithSecure.
Port scans run from NMAP don't trigger any alert or get listed in the BCD dashboard, as this will unnecessarily increase the volume of false positives.
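The trade-off discussed in this thread, scan-like behaviour versus false-positive volume, shown as an added example that is not part of any post and is not WithSecure's detection logic: a network-side check over constructed connection records that flags a source only when high fan-out coincides with mostly failed handshakes. The record layout, thresholds, addresses and the Zeek-style state labels are all assumptions made for the illustration.

```python
from collections import defaultdict

# Handshake outcomes that mean "no session was established". The labels
# follow Zeek's conn_state convention; their use here is an assumption.
FAILED_STATES = {"S0", "REJ"}

def build_sample():
    """Constructed records: (epoch_seconds, src, dst, dst_port, state)."""
    rows = []
    # Scanner: 200 ports on 3 hosts in 20 s, no handshake ever completes.
    for i, port in enumerate(range(1, 201)):
        for host in (10, 11, 12):
            rows.append((1200 + i * 0.1, "192.168.1.50", f"192.168.1.{host}", port, "S0"))
    # Monitoring server: 5 service ports on 40 hosts, every session completes.
    k = 0
    for host in range(100, 140):
        for port in (22, 80, 443, 445, 3389):
            rows.append((1200 + k * 0.2, "192.168.1.5", f"192.168.1.{host}", port, "SF"))
            k += 1
    # Ordinary workstation: a handful of connections, one of them unanswered.
    rows += [(1205, "192.168.1.77", "192.168.1.5", 443, "SF"),
             (1210, "192.168.1.77", "192.168.1.5", 445, "SF"),
             (1215, "192.168.1.77", "192.168.1.9", 8080, "S0")]
    return rows

def detect_scanners(records, window=60, min_targets=100, min_failed_ratio=0.8):
    """Return {src: distinct (dst, port) pairs} for sources that look like a scan."""
    buckets = defaultdict(lambda: {"targets": set(), "failed": 0, "total": 0})
    for ts, src, dst, port, state in records:
        b = buckets[(src, int(ts // window))]   # fixed time windows per source
        b["targets"].add((dst, port))
        b["total"] += 1
        b["failed"] += state in FAILED_STATES
    hits = {}
    for (src, _), b in buckets.items():
        fan_out = len(b["targets"])
        if fan_out >= min_targets and b["failed"] / b["total"] >= min_failed_ratio:
            hits[src] = max(hits.get(src, 0), fan_out)
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print("fan-out + failed handshakes:", detect_scanners(sample))
    print("fan-out only:", detect_scanners(sample, min_failed_ratio=0.0))
```

With the failed-handshake condition removed, the constructed monitoring server is flagged alongside the scanner, which is the false-positive growth the last reply refers to.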