Strange TCP Rule
Page 1 of 6 123 ... LastLast
Results 1 to 10 of 52

Thread: Strange TCP Rule

  1. #1
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

    Strange TCP Rule

    Hi,
    I use norton internet security 2004, i have a tendency of reading the rules of the firewall after the rules are updated using liveupdate. I went through an article on symatec's website informing all norton internet security users to download a program update after 10 og aug in response to microsoft's XP2 for windows XP. As usual after i updated the definition i observed that a strange rule was added to the firewall allowing a certain IP to establish a TCP connection to my computer on any port on any adapter. I edited the rule and added a security alert to pop us when this rule was exicuted and i find that IP (who's DNS is security.symantec.com). after this my windows update is not working, please i would like to know if there is threat to my pc because of this rule and also i if some else has abserved the same problem.


    P.S.
    1. The IP repeteadly tries to connect to msnmsg.exe on several port's.
    2. I do not know the policy of disclouser and hence i have not disclosed the IP. please let me know if i can disclose the IP.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    That's odd. My guess (if it's from symantec) that it's something trying to update a definition, or make a change to your application. Either sense, as of right now I don't think it's anything legit to worry about. If you feel it doesn't belong, then block it.
    Space For Rent.. =]

  3. #3
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    May be worth letting it connect once and see what, if anything, happens.
    Drugs have taught an entire generation of kids the metric system.

    http://tazforum.**********.com/

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    It looks like Symantec change is policy from "User Update Software Manually" so "Symantec Update Software Automatically over Internet"
    -Simon \"SDK\"

  5. #5
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    hey Spyder32, Nokia and SDK thanks for replying, but as far as the update policy of Symantec goes i dont think it needs to connect to my Yahoo messanger (Ypager.exe) and Msn Messager. the IP i am talking about continiously tried to connect to above application and also tries to connect to iexplorer.exe. the strange part when i blocked the connection i used to get alerts one every 3 minuts, now when i have authorised the connection but still i conf. my firewall to creat an security alert there is no ALERT. "ALTHOUGH THERE IS AN ACTIVE (ESTABLISHED) CONNECTION FROM THAT IP ON PORT 9027". Ill keep you updated. I'll capture data and if permitted ill put it on the site. please let me know if i can.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Junior Member
    Join Date
    Mar 2003
    Posts
    22
    have you tried to check for any malware or trojans? it could help if u try checking... its strange to come from symantec. its strange though, i never experienced it when i updated...

    anyway, just be carefull.consider it worth the precaution until u know what it really is.
    If your curious, your probably interested.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Put a packet sniffer like Ethereal on it and see what you capture. You may be able to determine what it's doing directly. If not you could PM it to someone you trust here to look at it, (it will show your IP address both in decimal and in the hex).
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    That's beyond me why it's connecting to your yahoo and msn messenging program's. It has nothing really to do with it and shouldn't be sending anything to it. Tiger Shark's idea seem's like it might work, that way you could possibly determine what it's doing and possibly motives, etc.
    Space For Rent.. =]

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't use Symantec much anymore but my best guess for these kind of connections would be that they would send you a warning that something needs to be updated via the IM client. That's why it tries to connect to the different systems since the remote box wouldn't know which one you would be using at any given time without acting like spyware and calling home with the info on your IM every time you open one up. Thus it takes the opposite approach and tries each one till it finds one working.

    Speculation? Yes.....Reasonable.... probably....
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    Umm.. wild guess here but could it be direct ads that go on the MSN/Yahoo clients? If the IM client is calling to Symantec to get info for the active irritating ads, could this be the reply?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •