
AV-FREE-FEED Network Scan, Local Host Scanning Port 445TCP


AV-FREE-FEED Network scan, local host scanning port 445/TCP on 10.0.4.11 and 10-0-5-253

AV-FREE-FEED Network scan, local host scanning port 445/TCP on alienvault
That is correct. It was from a fresh install also. I checked the checksum when I downloaded it so I feel mostly confident that it's not AV itself. We are doing a slow rollout of agents though. I have 4 theories:

1) AlienVault is doing scans and is reporting its own scans as a worm. (False positive)

2) AlienVault is seeing traffic that is suspicious and is putting itself as the source because there is no agent installed on the real device.

3) Something like IP address spoofing, and the real attacking device is using the AlienVault server for that. (Could explain the Wireshark traffic?)

4) AlienVault is compromised. (Unlikely when the checksum is good, the system is up to date and it's been up for just over a week.)

Source https://community.spiceworks.com/topic/2324958-av-free-feed-network-scan-local-host-scanning-port-445-tcp-on-alienvault

AV-FREE-FEED Network scan, local host scanning port 445/TCP on alienvault


mitchboer (Customer)
2 years ago
I still think this is some kind of scan. In our environment we have 2 scans running. One is a vulnerability scan on all asset groups. You can check this under Environment>Vulnerabilities>Scan jobs. The second scan is an asset discovery scan; you can check this under Environment>Assets&Groups>Schedule scan. Even the asset discovery scan will do a port scan and service detection by default, which might explain the events you are seeing.

L0lo (Customer)
2 years ago
After doing a lot of digging I came to the same conclusion. Thanks for the help.
Source https://success.alienvault.com/s/question/0D53q0000AUP4k6CQD/avfreefeed-network-scan-local-host-scanning-port-445tcp-on-alienvaultfalse-positive
constant outbound SMB port 445 (microsoft-ds) traffic

I have a PC on my network that is flooding the network with port 445 traffic. Our firewall denies outbound traffic on this port. I am trying to determine whether the traffic is coming from an app or service etc., but nothing found. How do I stop this continuous traffic and what is the reason behind it?

answers

Hi there,

It is not from an app but from Windows services. Port 445 and port 139 are Windows ports. Port 139 is used for Network Basic Input Output System (NetBIOS) name resolution and port 445 is used for Server Message Blocks (SMB). They all serve Windows File and Printer Sharing.

You can also block port 445 using this method.

1. Go to Start > Control Panel > Windows Firewall and find Advanced Settings on the left side.
2. Click Inbound Rules > New rule. Then in the pop-up window, choose Port > Next > TCP > Specific local ports, type 445 and go Next.
3. Choose Block the connection > Next. Tick the three checkboxes and click Next. Specify the name and description as you wish and click Finish.

--If the reply is helpful, please Upvote and Accept it as an answer--

Source https://learn.microsoft.com/en-us/answers/questions/656442/constant-outbound-smb-port-445(-microsoft-ds)-traf
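The question above asks how to tell what is generating the outbound 445 traffic, and the answer builds a block rule through the Windows Firewall wizard. The PowerShell below does both from a console; it is an added example, not code from the Microsoft Q&A thread, and assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-SmbConnection, New-NetFirewallRule) in an elevated session.

```powershell
# Added example: locate the owner of outbound TCP/445 traffic and create a
# block rule from PowerShell. Assumes Windows 8 / Server 2012 or later
# (NetTCPIP, SmbShare and NetSecurity modules) in an elevated session.

function Get-OutboundSmbConnection {
    # Every non-listening socket whose remote port is 445, with its owning process.
    Get-NetTCPConnection -RemotePort 445 -ErrorAction SilentlyContinue |
        Where-Object State -ne 'Listen' |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $procName = if ($proc) { $proc.ProcessName } else { '(exited)' }
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                State         = $_.State
                OwningPid     = $_.OwningProcess
                Process       = $procName
            }
        }
}

# On Windows the SMB client is in the kernel (mrxsmb.sys, driven by the
# LanmanWorkstation service), so these sockets normally belong to PID 4 /
# System rather than to an application, which is the point the answer makes.
# Get-SmbConnection names the server and share behind each session.
Get-OutboundSmbConnection | Format-Table -AutoSize
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, NumOpens |
    Format-Table -AutoSize

function New-SmbBlockRule {
    # Same effect as the wizard steps in the answer (Inbound, TCP, local port
    # 445, Block, all three profiles); -Direction Outbound matches the
    # questioner's perimeter policy. Re-running returns the existing rule.
    param([ValidateSet('Inbound', 'Outbound')][string]$Direction = 'Inbound')

    $name     = "Block SMB TCP 445 ($Direction)"
    $existing = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }

    $common = @{
        DisplayName = $name
        Direction   = $Direction
        Protocol    = 'TCP'
        Action      = 'Block'
        Profile     = @('Domain', 'Private', 'Public')  # the three checkboxes
        Enabled     = 'True'
    }
    # Inbound rules match the local (listening) port; outbound rules match the
    # remote port the client connects to.
    if ($Direction -eq 'Inbound') { New-NetFirewallRule @common -LocalPort 445 }
    else                          { New-NetFirewallRule @common -RemotePort 445 }
}

# Blocking 445 breaks file/print sharing and, on a domain member, Group Policy
# (SYSVOL/NETLOGON), so apply it only where SMB is genuinely not needed.
# New-SmbBlockRule -Direction Outbound
```

Connections listed under PID 4 that Get-SmbConnection maps to a server and share point at a mapped drive, a scheduled task or a service reaching for a UNC path rather than at a user application.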
What is an SMB Port? A Detailed Description of Ports 445 + 139
The Server Message Block Protocol (SMB Protocol) is a client-server communication
protocol used for sharing access to files, printers, serial ports, and data on a network. It
can also carry transaction protocols for authenticated inter-process communication.

In short, the SMB protocol is a way for computers to talk to each other.

How Does the SMB Protocol Work?

SMB works through a client-server approach, where a client makes specific requests
and the server responds accordingly. This is known as a response-request protocol.
This protocol facilitates file shares between networked computers.

Once connected, it enables users or applications to make requests to a file server and
access resources like printer sharing, mail slots, and named pipes on the remote server.
This means a user of the application can open, read, move, create, and update files on
the remote server.

SMB was originally designed by Barry Feigenbaum at IBM in 1983 with the aim of
turning DOS INT 21h local file access into a networked file system and was originally
designed to run on top of NetBIOS over TCP/IP (NBT) using IP port 139 and UDP ports
137 and 138.

Software applications that run on a NetBIOS session service locate and identify each
other via their NetBIOS names over TCP port 139.

Microsoft merged the SMB protocol with its LAN Manager product, which it started
developing in 1990, and continued to add features to the protocol in Windows for
Workgroups.


In 1996, Microsoft launched an initiative to rename SMB to Common Internet File
System (CIFS) and added more features, including support for symbolic links, hard
links, larger file sizes, and an initial attempt to support direct connections over TCP port
445 without requiring NetBIOS as a transport (a largely experimental effort that required
further refinement).

By Microsoft Windows 2000, Microsoft had changed SMB to operate over port 445.
SMB still uses port 445.
This proved to be problematic, as CIFS was a notoriously chatty protocol that could ruin
network performance due to latency and numerous acknowledgments. While Microsoft
estimates that SMB/CIFS comprised less than 10% of network traffic in the average
enterprise network, that is still a significant amount of traffic.

Microsoft explained performance issues were primarily because SMB 1.0 is a block-
level rather than streaming protocol that was designed for small LANs.

The next dialect, SMB 2.0, improved the protocol's efficiency by reducing its hundreds
of commands and subcommands down to 19.

Microsoft continues to invest in improving SMB performance and security. SMB 3.0,
which was introduced with Windows 8 and Windows Server 2012, brought several
significant changes that added functionality and improved SMB2 performance, notably
in virtualized data centers.

Additionally, it introduced several security enhancements such as end-to-end
encryption and a new AES-based signing algorithm.


What are the SMB Protocol Dialects?

The SMB protocol was created in the 1980s by IBM and has spawned multiple dialects
designed to meet evolving network requirements. For example, the Common Internet
File System (CIFS) mentioned above is a specific implementation of SMB that enables
file sharing.

Important SMB implementations include:

SMB 1.0 (1984)

Created by IBM for file sharing in DOS. It introduced opportunistic locking as a client-side caching mechanism designed to reduce network traffic.

Samba (1992)

Samba is an open-source implementation of the SMB protocol and Microsoft Active Directory for Unix systems and Linux distributions that supports file sharing and print services, authentication and authorization, name resolution, and service announcements between Linux/Unix servers and Windows clients.

CIFS (1996)

Microsoft-developed SMB dialect that debuted in Windows 95 and added support for larger file sizes, transport directly over TCP/IP, symbolic links, and hard links.

NQ (1998)

NQ is a family of portable SMB client and server implementations developed by Visuality Systems. NQ is portable to non-Windows platforms such as Linux, iOS, and Android and supports the SMB 3.1.1 dialect.

Netsmb (2004)

Netsmb is a family of in-kernel SMB client and server implementations in BSD operating systems.

SMB 2.0 (2006)

Released with Windows Vista and Windows Server 2008, SMB v2 reduced chattiness to improve performance, enhanced scalability and resiliency, and added support for WAN acceleration.

Tuxera SMB (2009)

Tuxera is also a proprietary SMB implementation that runs in either kernel or user space.

Likewise (2009)

Likewise developed a CIFS/SMB implementation that provided a multiprotocol, identity-aware platform for network access to files in OEM storage products built on Linux/Unix based platforms.

SMB 2.1 (2010)

Introduced with Windows Server 2008 R2 and Windows 7. The client oplock leasing model replaced opportunistic locking to enhance caching and improve performance. It also introduced large maximum transmission unit (MTU) support and improved energy efficiency, allowing clients with files open on an SMB server to enter sleep mode.

SMB 3.0 (2012)

Debuted in Windows 8 and Windows Server 2012. It introduced several significant improvements to availability, performance, backup, security, and management.

MoSMB (2012)

MoSMB is a proprietary SMB implementation for Linux and other Unix-like systems, developed by Ryussi Technologies. It supports only SMB 2.x and SMB 3.x.

SMB 3.02 (2014)

Introduced in Windows 8.1 and Windows Server 2012 R2 and included performance updates and the ability to disable CIFS/SMB 1.0 support, including the removal of related binaries.

SMB 3.1.1 (2015)

Released with Windows 10 and Windows Server 2016 and added support for advanced encryption, preauthentication integrity to prevent man-in-the-middle attacks, and cluster dialect fencing.

What are Ports 139 and 445?

SMB is a network file sharing protocol that requires an open port on a computer or
server to communicate with other systems. SMB ports are generally port numbers 139
and 445.

Port 139 is used by SMB dialects that communicate over NetBIOS. It operates as an
application layer network protocol for device communication in Windows operating
systems over a network. For example, printers and serial ports communicate via port
139.

Port 445 is used by newer versions of SMB (after Windows 2000) on top of a TCP
stack, allowing SMB to communicate over the Internet. This also means SMB services
such as file sharing can be reached directly by IP address.

Are Open Ports Dangerous?

While port 139 and 445 aren't inherently dangerous, there are known issues with
exposing these ports to the Internet. You can check if a port is open by using the netstat
command.

There is a common misconception that an open port is dangerous. This is largely driven
by a lack of understanding of how open ports work, why they are open, and which ones
shouldn't be open.

Open ports are necessary to communicate across the Internet. However, an open port
can become a security risk when the service listening to the port is misconfigured,
unpatched, vulnerable to exploits, or has poor network security rules.

The most dangerous open ports are wormable ports, like the one that the SMB protocol
uses, which are open by default in some operating systems.

Early versions of the SMB protocol were exploited during the WannaCry ransomware
attack through a zero-day exploit called EternalBlue.
WannaCry exploited legacy versions of Windows computers that used an outdated
version of the SMB protocol. WannaCry is a network worm with a transport mechanism
designed to spread itself automatically. The transport code scans for systems
vulnerable to the EternalBlue exploit and then installs DoublePulsar, a backdoor tool,
and executes a copy of itself.

An infected computer will search its Windows network for devices accepting traffic on
TCP ports 135-139 or 445, indicating the system is configured to run SMB.

It will then initiate an SMBv1 connection to the device and use a buffer overflow to take
control of the system and install the ransomware component of the attack.

This means WannaCry can spread automatically without victim participation.

The good news is that Microsoft has since released a security update for Windows
XP, Windows Server 2003, Windows 8, Windows Vista, Windows 7, Windows 8.1,
Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012
and Windows Server 2016 to prevent this exploit.

How to Keep Ports 139 and 445 Secure

Here are some other ways you can keep ports 139 and 445 secure from hackers.

Avoid Exposing SMB Ports

Ports 135-139 and 445 are not safe to publicly expose and have not been for a decade.

Patch Everything

Keep your systems up-to-date to avoid exploits of known vulnerabilities and cyberattacks such as NetBIOS name service (NBNS) spoofing and Man-in-the-Middle (MITM) attacks.

No Single Point of Failure

Whether it's ransomware, malware, hardware failure, database error, or something else: if your data is important, then it should be backed up in at least one other secure location.

Use a Firewall or Endpoint Protection

Most solutions will include a blacklist of known attacker IP addresses and the ports they most often use during attacks.

Use a Virtual Private Network (VPN)

VPNs encrypt and protect network traffic.

Implement Virtual Local Area Networks (VLANs)

VLANs can be used to isolate internal network traffic.

Use MAC Address Filtering

This can prevent unknown systems from accessing your network.
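The hardening advice above (do not expose SMB ports, patch, firewall) and the earlier WannaCry/SMBv1 passage come down to a handful of SMB server settings that can be checked in one pass. The PowerShell below is an added example, not UpGuard's code; it assumes Windows 8 / Server 2012 or later with the SmbShare, NetTCPIP, NetConnection and NetSecurity modules in an elevated session, and changes nothing unless -Remediate is passed.

```powershell
# Added example: audit the SMB server settings the hardening advice above is
# about (SMB1 off, signing required, encryption on, 445 not exposed on the
# Public profile). Assumes Windows 8 / Server 2012 or later (SmbShare,
# NetTCPIP, NetConnection and NetSecurity modules), run as Administrator.
# Read-only unless -Remediate is passed.
function Test-SmbPosture {
    [CmdletBinding()]
    param([switch]$Remediate)

    $cfg      = Get-SmbServerConfiguration
    $findings = New-Object System.Collections.Generic.List[string]

    # SMB 1.0 is the dialect EternalBlue/WannaCry abused; SMB 3.02+ can turn it off.
    if ($cfg.EnableSMB1Protocol) {
        $findings.Add('SMB1 server protocol is enabled')
        if ($Remediate) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    }
    # Required signing stops tampering with, or relaying of, unsigned sessions.
    if (-not $cfg.RequireSecuritySignature) {
        $findings.Add('SMB signing is not required')
        if ($Remediate) { Set-SmbServerConfiguration -RequireSecuritySignature $true -Force }
    }
    # EncryptData forces SMB 3.x encryption on every share; pre-SMB3 clients
    # are then refused (RejectUnencryptedAccess), so it is reported, not changed.
    if (-not $cfg.EncryptData) { $findings.Add('SMB 3 encryption is not enforced') }

    # Exposure: 445 listening while an adapter sits on the Public profile.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $public    = Get-NetConnectionProfile | Where-Object NetworkCategory -eq 'Public'
    if ($listening -and $public) {
        $findings.Add("TCP/445 listens while $($public.InterfaceAlias -join ', ') is on the Public profile")
    }
    # Built-in inbound rules that admit TCP/445 on the Public (or Any) profile.
    $smbIn = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' }
    if ($smbIn | Where-Object { "$($_.Profile)" -match 'Public|Any' }) {
        $findings.Add('An enabled inbound firewall rule allows TCP/445 on the Public profile')
    }

    [pscustomobject]@{
        Smb1Enabled      = $cfg.EnableSMB1Protocol
        SigningRequired  = $cfg.RequireSecuritySignature
        EncryptionForced = $cfg.EncryptData
        Listening445     = [bool]$listening
        Findings         = $findings
    }
}

Test-SmbPosture | Format-List   # add -Remediate to apply the SMB1/signing fixes
```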

UpGuard Can Secure Your Open Ports

UpGuard can protect your business from data breaches, identify all of your data leaks,
and help you continuously monitor the security posture of all your vendors.

UpGuard also supports compliance across a myriad of security frameworks, including
the new requirements set by Biden's Cybersecurity Executive Order.


Source https://www.upguard.com/blog/smb-port

What is an SMB Port + Ports 445 and 139 Explained
The SMB protocol enables “inter-process communication,” which is the protocol that
allows applications and services on networked computers to talk to each other. SMB
enables the core set of network services such as file, print, and device sharing.

How Does The SMB Protocol Work?

In early versions of Windows, SMB ran on top of the NetBIOS network architecture. Microsoft
changed SMB in Windows 2000 to operate on top of TCP and use a dedicated IP port. Current
versions of Windows continue to use that same port.
Microsoft continues to make advancements to SMB for performance and security: SMB2
reduced the overall chattiness of the protocol, while SMB3 included performance enhancements
for virtualized environments and support for strong end-to-end encryption.

SMB Protocol Dialects


Just as a spoken language has dialects, programmers have created different SMB dialects used for
different purposes. For example, Common Internet File System (CIFS) is a specific
implementation of SMB that enables file sharing. Many people mistake CIFS for a different
protocol than SMB, when in fact they use the same basic architecture.

Important SMB implementations include:

- CIFS: CIFS is a common file sharing protocol used by Windows servers and compatible NAS devices.

- Samba: Samba is an open-source implementation of Microsoft Active Directory that allows non-Windows machines to communicate with a Windows network.

- NQ: NQ is another portable file sharing SMB implementation developed by Visuality Systems.

- MoSMB: MoSMB is a proprietary SMB implementation by Ryussi Technologies.

- Tuxera SMB: Tuxera is also a proprietary SMB implementation that runs in either kernel or user-space.

- Likewise: Likewise is a multi-protocol, identity aware network file sharing protocol that was purchased by EMC in 2012.

What Are Ports 139 And 445?

SMB has always been a network file sharing protocol. As such, SMB requires network ports on a
computer or server to enable communication to other systems. SMB uses either IP port 139 or
445.

- Port 139: SMB originally ran on top of NetBIOS using port 139. NetBIOS is an older transport layer that allows Windows computers to talk to each other on the same network.

- Port 445: Later versions of SMB (after Windows 2000) began to use port 445 on top of a TCP stack. Using TCP allows SMB to work over the internet.

How To Keep These Ports Secure

Leaving network ports open to enable applications to function is a security risk. So how do we
manage to keep our networks secure and maintain application functionality and uptime? Here are
some options to secure these two important and well-known ports.

1. Enable a firewall or endpoint protection to protect these ports from attackers. Most solutions include a blacklist to prevent connections from known attacker IP addresses.

2. Install a VPN to encrypt and protect network traffic.

3. Implement VLANs to isolate internal network traffic.

4. Use MAC address filtering to keep unknown systems from accessing the network. This tactic requires significant management to keep the list maintained.

In addition to the network specific protections above, you can implement a data centric security
plan to protect your most important resource – the data that lives on your SMB file shares.

Understanding who has access to your sensitive data across your SMB shares is a monumental
task. Varonis maps your data and access rights and discovers your sensitive data on your SMB
shares. Monitoring your data is essential to detect attacks in progress and protect your data from
breaches. Varonis can show you where data is at-risk on your SMB shares and monitor those
shares for abnormal access and potential cyberattacks. Get a 1:1 demo to see how Varonis
monitors CIFS on NetApp, EMC, Windows, and Samba shares to keep your data safe.

Source https://www.varonis.com/blog/smb-port
