views: 131

answers: 6

A workstation is scanning ports in the LAN; however, virus scans have not picked anything up (McAfee, Sophos, MS).

Is the only option to clean the hard drive?

Is there any new malware of this description that has not yet been picked up for scanning by the anti-virus software vendors?

A: 

How did you figure out that it is "scanning ports"? I have seen some hyperactive Windows firewall products go into nuclear war mode and scream bloody murder just by intercepting one ICMP echo (ping) packet.

andri
A: 

Try to find which process is doing the port scan (maybe using netstat?).

Aziz
A: 

There are other possibilities. I've run port scans at previous jobs for legitimate reasons.

Adam Jaskiewicz
+1  A: 

You could use Wireshark to find out what exactly is happening.

blue_fenix
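An added example, not from any of the answers above, that puts the netstat and Wireshark suggestions into code: it parses a `netstat -ano` style table and flags a PID whose connections fan out to many distinct host:port targets with most of them stuck in SYN_SENT, which is how unanswered probes of closed or filtered ports look from the scanning host (the same unanswered SYNs you would see in Wireshark). The table below is constructed for the example, and the thresholds are assumptions to tune.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows `netstat -ano`; not captured from a real host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49200     192.168.1.20:22        SYN_SENT        4120
  TCP    192.168.1.10:49201     192.168.1.20:23        SYN_SENT        4120
  TCP    192.168.1.10:49202     192.168.1.20:25        SYN_SENT        4120
  TCP    192.168.1.10:49203     192.168.1.20:80        ESTABLISHED     4120
  TCP    192.168.1.10:49204     192.168.1.21:22        SYN_SENT        4120
  TCP    192.168.1.10:49205     192.168.1.21:135       SYN_SENT        4120
  TCP    192.168.1.10:49206     192.168.1.21:139       SYN_SENT        4120
  TCP    192.168.1.10:49207     192.168.1.21:445       SYN_SENT        4120
  TCP    192.168.1.10:49210     10.0.0.5:443           ESTABLISHED     2380
  TCP    192.168.1.10:49211     10.0.0.6:443           ESTABLISHED     2380
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
"""

# TCP rows only: UDP rows carry no state column and are not useful for this check.
LINE_RE = re.compile(r"^\s*TCP\s+\S+:\d+\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (pid, remote_host, remote_port, state) for every TCP row."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host, port, state, pid = m.groups()
            rows.append((int(pid), host, int(port), state))
    return rows


def find_scanning_pids(text, min_targets=8, min_syn_ratio=0.5):
    """Map PID -> summary for PIDs whose table looks like a scan (assumed thresholds)."""
    targets = defaultdict(set)      # distinct (host, port) pairs per PID
    syn_targets = defaultdict(set)  # those still waiting for a SYN/ACK
    for pid, host, port, state in parse_netstat(text):
        if state == "LISTENING":    # local sockets are not outbound probes
            continue
        targets[pid].add((host, port))
        if state == "SYN_SENT":
            syn_targets[pid].add((host, port))
    flagged = {}
    for pid, tset in targets.items():
        ratio = len(syn_targets[pid]) / len(tset)
        if len(tset) >= min_targets and ratio >= min_syn_ratio:
            flagged[pid] = {"targets": len(tset), "hosts": len({h for h, _ in tset}),
                            "ports": len({p for _, p in tset}), "syn_sent_ratio": ratio}
    return flagged


if __name__ == "__main__":
    for pid, summary in find_scanning_pids(SAMPLE_NETSTAT).items():
        print(f"PID {pid} looks like a scanner: {summary}")
```

A single snapshot only shows what is in flight at that instant, so run it a few times in a row; a process that keeps rotating through new targets while its SYN_SENT share stays high is the one to look at in Task Manager and in the packet capture.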
A: 

If no one is running legitimate port scans from it:

  1. Pull it off the network immediately.
  2. If you have the time, pull it on a dedicated, private loop and watch what it's doing.
  3. If you are doing that, have scanning software ready, restart the system in safe mode, and run the scans.
  4. If you are doing that, check the typical known locations in the registry for start-up files to see if there's anything unusual.

Whether or not you find anything, wipe the HD and restore from an image. You'll spend more time trying to clean the system than you would re-imaging it and you won't be 100% sure you got the system clean.

K. Brian Kelley
A: 

Any and all malware can easily be made undetectable to most if not all antivirus/antimalware products. Even a relatively unskilled person could do it with available tools or services.

The only way to clean a machine is to wipe it. Always. A corporate machine should be easy enough, and everyone saves time just wiping it. If the problem reappears often, however, or data loss or theft is suspected, contact professionals.

The antivirus software is just to filter out the general noise of crap, it will not catch directed/real attacks.

But as someone said, are you sure the machine is doing illicit things and not just normal operation? You need some network skill to decide that, I'd guess... but if it is misbehaving and you can't find the cause, wipe it. Easy choice.

Even if you did find some kind of virus or malware, you should definitely wipe it, as that is sign enough that the machine might be even further compromised in ways you won't detect.

There's a saying in host security: if a host has been infected, it is no longer your host regardless of what you do to it, except for wiping it completely (and even that is way optimistic, as there are sometimes ways to store malware in programmable ROM, like in a vulnerable network card's firmware or some other non-volatile piece of storage in it).

Oskar Duveborn