Does sw patch management scan the entire network on port 135?

kjstech

Got a Dell secure works incident today opened by our SW Patch management server.  Firewall seeing a bunch of DROP's to port 135, non existent IP's in our IP range.

Noticed a netstat -a on sw patch mgmt server there was a lot of open connections for sure.  In resmon.exe > Network tab > TCP connections, I see a lot of SWJobEngineWorker2.exe on various IP's but not that port 135.  I see a lot of svchost.exe (RPCSS) to various IP's port 135.

I just want to verify this is normal and the server isn't compromised.

kjstech

Actually tried to kill svchost.exe (RPCSS) and it said "Your PC ran into a problem and needs to restart.  We're just collecting some error info and then we'll restart for you. (0% Complete).

If you'd like to know more, you can search online later for this error: 0xc000021a