Protocol poisoning detected by asset from

We see from time to time an incident popping up with an asset (with agent) which detecting protocol poisoning: netbios from with a random query.

Has anyone any idea how to investigate this and what it exactly means. Help would be appreciated.

Kind regards,


Several possibilities for

  • “any/all interfaces on the local machine” (e.g. many server apps may bind to
  • device not connected to a network
  • DHCP request from a device which hasn’t yet been assigned an IP address
  • maybe other things

A few questions which might help you/someone narrow down what’s going on here:

  • Is it only this one asset where the issue is detected?
  • Does the detection of NetBIOS poisoning coincide with DHCP lease renewal on the asset?
  • What makes you describe the request as random? Could you share any further details?

I have also seen this alert fire many times when an endpoint is connected to a non-managed wifi network that has some misconfigurations in it, was always something I asked the customer “is the asset connected to a public wifi, if it is, have them disconnect”

1 Like