
Thread: Strange TCP Rule

  1. #1

    Strange TCP Rule

    Hi,
    I use Norton Internet Security 2004, and I have a tendency of reading the rules of the firewall after the rules are updated using LiveUpdate. I went through an article on Symantec's website informing all Norton Internet Security users to download a program update after 10 of Aug in response to Microsoft's XP2 for Windows XP. As usual, after I updated the definition I observed that a strange rule was added to the firewall allowing a certain IP to establish a TCP connection to my computer on any port on any adapter. I edited the rule and added a security alert to pop up when this rule was executed, and I find that IP (whose DNS is security.symantec.com). After this my Windows Update is not working. Please, I would like to know if there is a threat to my PC because of this rule and also if someone else has observed the same problem.


    P.S.
    1. The IP repeatedly tries to connect to msnmsg.exe on several ports.
    2. I do not know the policy of disclosure and hence I have not disclosed the IP. Please let me know if I can disclose the IP.

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    That's odd. My guess (if it's from Symantec) is that it's something trying to update a definition, or make a change to your application. Either sense, as of right now I don't think it's anything legit to worry about. If you feel it doesn't belong, then block it.
    Space For Rent.. =]

  3. #3
    Right turn Clyde Nokia
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    May be worth letting it connect once and see what, if anything, happens.

  4. #4
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    It looks like Symantec changed its policy from "User Update Software Manually" to "Symantec Update Software Automatically over Internet"
    -Simon "SDK"

  5. #5
    Hey Spyder32, Nokia and SDK, thanks for replying, but as far as the update policy of Symantec goes I don't think it needs to connect to my Yahoo Messenger (Ypager.exe) and MSN Messenger. The IP I am talking about continuously tried to connect to the above applications and also tries to connect to iexplorer.exe. The strange part: when I blocked the connection I used to get alerts, one every 3 minutes; now that I have authorised the connection, but still configured my firewall to create a security alert, there is no ALERT, "ALTHOUGH THERE IS AN ACTIVE (ESTABLISHED) CONNECTION FROM THAT IP ON PORT 9027". I'll keep you updated. I'll capture data and if permitted I'll put it on the site. Please let me know if I can.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #6
    Junior Member
    Join Date
    Mar 2003
    Posts
    22
    Have you tried to check for any malware or trojans? It could help if you try checking... It's strange to come from Symantec. It's strange though, I never experienced it when I updated...

    Anyway, just be careful. Consider it worth the precaution until you know what it really is.
    If you're curious, you're probably interested.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Put a packet sniffer like Ethereal on it and see what you capture. You may be able to determine what it's doing directly. If not you could PM it to someone you trust here to look at it, (it will show your IP address both in decimal and in the hex).
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    That's beyond me why it's connecting to your Yahoo and MSN messaging programs. It has nothing really to do with it and shouldn't be sending anything to it. Tiger Shark's idea seems like it might work, that way you could possibly determine what it's doing and possibly motives, etc.
    Space For Rent.. =]

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I don't use Symantec much anymore but my best guess for these kind of connections would be that they would send you a warning that something needs to be updated via the IM client. That's why it tries to connect to the different systems since the remote box wouldn't know which one you would be using at any given time without acting like spyware and calling home with the info on your IM every time you open one up. Thus it takes the opposite approach and tries each one till it finds one working.

    Speculation? Yes.....Reasonable.... probably....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Just a Virtualized Geek MrLinus
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Umm.. wild guess here but could it be direct ads that go on the MSN/Yahoo clients? If the IM client is calling to Symantec to get info for the active irritating ads, could this be the reply?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
