Yatse Polling Detected As "Port Scan"

Yatse, an Android app for controlling Kodi remotely, will periodically poll hosts for which it has been configured by attempting to connect to the host's remote access port (typically 8080). Bitdefender IS 2016 detects this behavior as a port scan, which is a false positive.


What particularly concerns me is that I had to break out Wireshark and leave it capturing for a while to even get a clue what was triggering Bitdefender's detection. This really should be logged as an event, with the potential attacker's IP and MAC address and what ports were probed. Most home machines these days are behind some form of NAT, so a port scan that actually reaches a home system is very likely to be originating in or near the user's house, and therefore, their network likely has already been breached. Who and what has broken in is very critical information.
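The distinction at issue, as an added example that is not part of the original post and is not Bitdefender's or Yatse's logic: a source that keeps retrying one port is separated from a source that touches many ports in a short window, and each source gets a record with its IP, MAC and the ports probed. The record format, addresses, 60-second window and 5-port threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records: (seconds, source IP, source MAC, destination port).
# Addresses are placeholder values, not taken from the post.
EVENTS = (
    [(t, "192.0.2.10", "02:00:00:00:00:0a", 8080) for t in range(0, 300, 30)]
    + [(100 + i, "192.0.2.66", "02:00:00:00:00:42", p)
       for i, p in enumerate([21, 22, 23, 80, 443, 445, 3389, 8080])]
)

def max_distinct_ports(hits, window):
    """Largest number of distinct ports seen in any `window`-second span."""
    hits = sorted(hits)
    best, start = 0, 0
    counts = defaultdict(int)
    for ts, port in hits:
        counts[port] += 1
        # Drop hits that have fallen out of the sliding window.
        while ts - hits[start][0] > window:
            old = hits[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def classify(events, window=60, port_threshold=5):
    """Return one log record per source: verdict, MAC, ports probed, attempts."""
    by_src, macs = defaultdict(list), {}
    for ts, ip, mac, port in events:
        by_src[ip].append((ts, port))
        macs[ip] = mac
    report = {}
    for ip, hits in by_src.items():
        if max_distinct_ports(hits, window) >= port_threshold:
            verdict = "port_scan"          # many ports in a short span
        elif len(hits) > 1:
            verdict = "repeated_poll"      # same few ports, retried over time
        else:
            verdict = "single_connection"
        report[ip] = {"verdict": verdict, "mac": macs[ip],
                      "ports": sorted({p for _, p in hits}),
                      "attempts": len(hits)}
    return report

if __name__ == "__main__":
    for ip, rec in classify(EVENTS).items():
        print(ip, rec)
```
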

Comments

  • NOW I'm getting events in the log. Strange.

    They still give only an IP and nothing else, but that's a start.