Defender Remote Port Connection Sequence

Brass Contributor

Why does Defender regularly attempt to connect devices within the same subnet, using this port sequence:

106, 111, 515, 623, 660, 808, 1433, 1434, 1521, 1720, 2049, 2869, 3283, 3306, 5040, 5357, 5000


The connection attempts fail and the source is Defender, running from elevated powershell


powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -File "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{GUIDGUID-GUID-GUID-GUID-GUIDGUIDGUID}.ps1"


Does anyone know what this mechanism is?  Is it testing local devices?  Different machines do this - they aren't configured as local discovery electives (AFAIK).


4 Replies
best response confirmed by CodnChips (Brass Contributor)
By default, all devices run device discovery.
If you want to limit the devices that run this, you need to specify a device-tag to use and then set it on the devices you want.
Yeah that's it - I've mapped the ports to the services and it makes sense, looking at the variety of services it attempts to "discover".
Thanks Jonhed - I've confirmed the setting is Standard and also saw the Tag function you mention. Thanks for your input & contribution.
1 best response

Accepted Solutions