-
August 10th, 2004, 08:38 PM
#1
Strange TCP Rule
Hi,
I use Norton Internet Security 2004, and I have a tendency of reading the rules of the firewall after the rules are updated using LiveUpdate. I went through an article on Symantec's website informing all Norton Internet Security users to download a program update after 10 of Aug in response to Microsoft's XP2 for Windows XP. As usual, after I updated the definitions I observed that a strange rule was added to the firewall allowing a certain IP to establish a TCP connection to my computer on any port on any adapter. I edited the rule and added a security alert to pop up when this rule was executed, and I find that IP (whose DNS is security.symantec.com). After this my Windows Update is not working. Please, I would like to know if there is a threat to my PC because of this rule, and also if someone else has observed the same problem.
P.S.
1. The IP repeatedly tries to connect to msnmsg.exe on several ports.
2. I do not know the policy of disclosure and hence I have not disclosed the IP. Please let me know if I can disclose the IP.
-
August 10th, 2004, 10:22 PM
#2
That's odd. My guess (if it's from Symantec) is that it's something trying to update a definition, or make a change to your application. Either sense, as of right now I don't think it's anything legit to worry about. If you feel it doesn't belong, then block it.
-
August 10th, 2004, 10:46 PM
#3
May be worth letting it connect once and see what, if anything, happens.
-
August 11th, 2004, 12:11 AM
#4
It looks like Symantec changed its policy from "User Update Software Manually" to "Symantec Update Software Automatically over Internet".
-
August 11th, 2004, 07:07 AM
#5
Hey Spyder32, Nokia and SDK, thanks for replying, but as far as the update policy of Symantec goes I don't think it needs to connect to my Yahoo Messenger (Ypager.exe) and MSN Messenger. The IP I am talking about continuously tried to connect to the above applications and also tries to connect to iexplorer.exe. The strange part: when I blocked the connection I used to get alerts once every 3 minutes; now that I have authorised the connection, but still configured my firewall to create a security alert, there is no ALERT. "ALTHOUGH THERE IS AN ACTIVE (ESTABLISHED) CONNECTION FROM THAT IP ON PORT 9027". I'll keep you updated. I'll capture data and, if permitted, I'll put it on the site. Please let me know if I can.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
August 11th, 2004, 08:18 AM
#6
Junior Member
Have you tried to check for any malware or trojans? It could help if you try checking... It's strange to come from Symantec. It's strange though, I never experienced it when I updated...
Anyway, just be careful. Consider it worth the precaution until you know what it really is.
If you're curious, you're probably interested.
-
August 11th, 2004, 10:39 AM
#7
Put a packet sniffer like Ethereal on it and see what you capture. You may be able to determine what it's doing directly. If not, you could PM it to someone you trust here to look at it (it will show your IP address both in decimal and in the hex).
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 11th, 2004, 10:44 AM
#8
That's beyond me why it's connecting to your Yahoo and MSN messaging programs. It has nothing really to do with it and shouldn't be sending anything to it. Tiger Shark's idea seems like it might work; that way you could possibly determine what it's doing and possibly motives, etc.
-
August 11th, 2004, 01:27 PM
#9
I don't use Symantec much anymore, but my best guess for this kind of connection would be that they would send you a warning that something needs to be updated via the IM client. That's why it tries to connect to the different systems, since the remote box wouldn't know which one you would be using at any given time without acting like spyware and calling home with the info on your IM every time you open one up. Thus it takes the opposite approach and tries each one till it finds one working.
Speculation? Yes.....Reasonable.... probably....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 11th, 2004, 01:31 PM
#10
Umm.. wild guess here but could it be direct ads that go on the MSN/Yahoo clients? If the IM client is calling to Symantec to get info for the active irritating ads, could this be the reply?