ThreatHunter Service

ddasal · Post by **ddasal** » Jan 23, 2025 5:21 pm this post

After upgrading to 12.3, our scan indicate the new ThreatHunter service is using tcp port 6175. There is no reflection of this in the documentation for ports required. I have a case open (07580196) where the engineer has informed us that this port will be used between various components for this new feature. If there is documentation on these new port(s), can someone point me to it, otherwise, when do we expect this to be added? Like all the other ports and port ranges used between infrastructure components, we need this change to also be reflected so we can make the proper changes and have justification for it.

Thanks!

Jan 24, 2025 8:45 am

Hello Dustin

I'm checking with our RnD team the purpose of port 6175.
And we will update the port list in our help center when I got the answer.

Best,
Fabian

ddasal · Post by **ddasal** » Jan 24, 2025 12:59 pm this post

Thank you!

Jan 28, 2025 12:22 pm

Hello Dustin,

We have added port 6175 to our help center documentation. This port is used locally by the Veeam Threat Hunter Service.
When you initiate a antivirus scan with Veeam Thread Hunter (Scan Backup, Secure Restore), we start a small executable that runs the scan of your backup content.
This executable will communicate with the Veeam Threat Hunter Service through port 6175.

Please note that this connection is entirely local on the mount server machine, and no remote machine will need to connect to port 6175.

Best regards,
Fabian

jeremyrogers · Post by **jeremyrogers** » Jan 28, 2025 3:09 pm this post

Thanks for the clarification. So if the mount server "trusts" the veeam components on a local scope (from a FW persective) there's no additional port rule requirement?

ddasal · Post by **ddasal** » Jan 28, 2025 3:47 pm this post

I appreciate the update and documentation!

Post by **Mildur** » Jan 28, 2025 4:09 pm this post

there's no additional port rule requirement?

Correct. No external firewall ports to open. Traffic stays local on the mount server between two Veeam components.

Best,
Fabian

Jan 28, 2025 5:18 pm

@Mildur in this case let's remove it from the documentation ASAP, as it is meant to document external ports that need to be open in firewalls. Otherwise customers will just open it along with all other ports, and every open port increases attack surface.

Jan 29, 2025 4:24 pm

Hi Anton

As discussed yesterday, we will review all "local-only ports" and remove them from the documentation.

Best,
Fabian

R&D Forums

ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Re: ThreatHunter Service

Who is online