Forum Discussion
CodnChips (Brass Contributor)
Oct 10, 2022
Defender Remote Port Connection Sequence
Why does Defender regularly attempt to connect to devices within the same subnet, using this port sequence:
106, 111, 515, 623, 660, 808, 1433, 1434, 1521, 1720, 2049, 2869, 3283, 3306, 5040, 5357, 5000
The connection attempts fail and the source is Defender, running from elevated PowerShell:
powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -File "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}.ps1"
Does anyone know what this mechanism is? Is it testing local devices? Different machines do this - they aren't configured as local discovery electives (AFAIK).
- StephanGee (Steel Contributor)
- CodnChips (Brass Contributor): Yeah that's it - I've mapped the ports to the services and it makes sense, looking at the variety of services it attempts to "discover".
- Jonhed (Steel Contributor): By default, all devices run device discovery. If you want to limit the devices that run this, you need to specify a device-tag to use and then set it on the devices you want.
- CodnChips (Brass Contributor): Thanks Jonhed - I've confirmed the setting is Standard and also saw the Tag function you mention. Thanks for your input & contribution.
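
A triage sketch for the behaviour discussed in this thread, added here as an example and not code from any poster or from Microsoft: it groups connection events by source and target and labels a group as consistent with the described discovery only when every port is in the question's list and the initiating command line matches the Defender script path quoted in the question. The event key names, addresses, GUID and the second script path are constructed assumptions.

```python
import re
from collections import defaultdict

# Port sequence quoted in the question.
DISCOVERY_PORTS = {106, 111, 515, 623, 660, 808, 1433, 1434, 1521, 1720,
                   2049, 2869, 3283, 3306, 5040, 5357, 5000}

# Script path from the command line quoted in the question. The GUID is matched
# loosely because the page shows only a placeholder for it.
DEFENDER_SCRIPT = re.compile(
    r"\\Windows Defender Advanced Threat Protection\\Downloads"
    r"\\PSScript_\{[^}]+\}\.ps1", re.IGNORECASE)

def triage(events, min_ports=5):
    """Label each (src, dst) pair; event keys are assumed names, not a real schema."""
    groups = defaultdict(lambda: {"ports": set(), "cmdlines": set()})
    for e in events:
        g = groups[(e["src"], e["dst"])]
        g["ports"].add(int(e["port"]))
        g["cmdlines"].add(e["cmdline"])
    verdicts = {}
    for key, g in groups.items():
        if len(g["ports"]) < min_ports:
            verdicts[key] = "too-few-ports"      # not enough to call it a sweep
        elif (g["ports"] <= DISCOVERY_PORTS
              and all(DEFENDER_SCRIPT.search(c) for c in g["cmdlines"])):
            verdicts[key] = "matches-described-discovery"
        else:
            verdicts[key] = "review"             # other ports or other process
    return verdicts

# Constructed sample events (addresses, GUID and second script path are made up).
DEFENDER_CMD = (r'powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive '
                r'-File "C:\ProgramData\Microsoft\Windows Defender Advanced Threat '
                r'Protection\Downloads\PSScript_{00000000-0000-0000-0000-000000000000}.ps1"')
OTHER_CMD = r'powershell.exe -File "C:\Users\Public\sweep.ps1"'

def ev(src, dst, ports, cmd):
    return [{"src": src, "dst": dst, "port": p, "cmdline": cmd} for p in ports]

SAMPLE = (ev("10.0.0.5", "10.0.0.20", [106, 111, 515, 623, 660, 808], DEFENDER_CMD)
          + ev("10.0.0.9", "10.0.0.20", [22, 80, 135, 445, 3389], OTHER_CMD)
          + ev("10.0.0.5", "10.0.0.30", [1433, 1434], DEFENDER_CMD))

if __name__ == "__main__":
    for pair, verdict in triage(SAMPLE).items():
        print(pair, verdict)
```

A "matches-described-discovery" verdict only means the events are consistent with what the thread describes; it does not verify the script file itself.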