Deep Security's reconnaissance scan detection feature serves as an early warning of a potential attack or intelligence gathering effort against a network. This feature will be triggered if any of the Network Modules (IPS, , or WRS) are enabled and a source IP attempts to perform a reconnaissance scan on the affected computer.
Suggested actions
When you receive a Reconnaissance Detected alert, double-click it to display more detailed information, including the IP address that is performing the scan. Then, you can try one of these suggested actions:
- The alert may be caused by a scan that is not malicious. If the IP address listed in the alert is known to you and the traffic is okay, you can add the IP address to the reconnaissance allow list:
  - In the Computer or Policy editor, go to Firewall > Reconnaissance.
  - The Do not perform detection on traffic coming from list should contain a list name. If a list name hasn't already been specified, select one.
  - You can edit the list by going to Policies > Common Objects > Lists > IP Lists. Double-click the list you want to edit and add the IP address.
- You can instruct the agents and appliances to block traffic from the source IP for a period of time. To set the number of minutes, open the Computer or Policy editor, go to Firewall > Reconnaissance and change the Block Traffic value for the appropriate scan type.
- You can use a firewall or Security Group to block the incoming IP address.
Deep Security Manager does not automatically clear the "Reconnaissance Detected" alerts, but you can manually clear the issue from Deep Security Manager.
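The choice between adding the source to the allow list and blocking it can be checked against an inventory of authorized scanners before anyone edits the IP list. The following is an added example, not Trend Micro code, and it does not call Deep Security. The inventory contents, the function names and the "no entry wider than four addresses" rule are assumptions made for illustration.

```python
import ipaddress

# Constructed inventory of authorized scanners (assumption, not from the page).
# The last two entries are deliberately too broad to show why they are ignored.
AUTHORIZED_SCANNERS = ["10.20.0.15", "10.20.0.16/31", "192.0.2.0/24", "0.0.0.0/0"]
MAX_ADDRESSES = 4  # assumed policy: an allow-list entry may cover at most 4 addresses


def usable_entries(entries, max_addresses=MAX_ADDRESSES):
    """Split the inventory into (narrow networks, rejected too-broad networks)."""
    ok, rejected = [], []
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)
        (ok if net.num_addresses <= max_addresses else rejected).append(net)
    return ok, rejected


def triage(source_ip, entries=AUTHORIZED_SCANNERS):
    """Return 'allow-list' or 'block' for the source IP shown in an alert."""
    addr = ipaddress.ip_address(source_ip)
    # Normalize IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 entries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    ok, _ = usable_entries(entries)
    if any(addr.version == net.version and addr in net for net in ok):
        return "allow-list"
    # Unknown source, or covered only by an over-broad entry: treat as hostile.
    return "block"


if __name__ == "__main__":
    for ip in ["10.20.0.15", "::ffff:10.20.0.16", "192.0.2.50", "203.0.113.9"]:
        print(ip, "->", triage(ip))
    print("ignored inventory entries:", usable_entries(AUTHORIZED_SCANNERS)[1])
```

A source that matches only an over-broad inventory entry is returned as "block", so a careless range in the inventory cannot silently exempt a whole subnet from reconnaissance detection.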