Hello. I've been looking my father's system (with OP Pro 7.5), and it consistently has a number of "detected scan packet" entries in the Attack Detection log, and most -- but not all -- are from known hosts (at least, the IPs resolve to known hosts). On occasion, there is an "Attack SCAN ... [host blocked]" entry, but again -- it's usually from a known host (ie. a website that has been browsed to, one's even a trusted investment site). A few are from hosts that resolve (with WHOIS) to generic domains, like "Internap Network Services Corporation" or "Level 3 Communications". How is one to tell if any of these are of a concern?
From what I've read through the forum here, I'm guessing it's not really a security issue, but I have to make sure I understand when something is an issue, and when it isn't.
Most of the detected scan packets are to an obscure port (eg. 2072, 2194, 2186) and are "[ RST ACK ]". Why would trusted sites (including a bank) be sending these "port scans"? Could these just be acks that have been received after the TCP connection's been closed? The Attack SCAN ports are more like (65029, 64517, 64773, 7676) from one example.
My system (also using OP Pro 7.5) shows absolutely no entries under Attack Detection, and I browse to some of the same sites, so this is what made me curious as to what's going on. One difference between our systems is the modem/router, so I'm wondering if that would account for the different results between us?
I do see that OP is doing its job and the logged items are likely innocuous. But any insight would be welcome, mostly on how to guarantee that nothing fishy is going on.
Systems: WinXP Home SP3 / WinXP Pro SP3
OP Pro 7.5 (both)
Avast Pro 7 (both)