Can Windows XP Internet Connection Firewall prevent clients from receiving virus definitions updates?

Article: TECH100525  |  Created: 2003-01-11  |  Updated: 2005-01-11
Article Type
Technical Solution



You have Windows XP clients running Norton AntiVirus Corporate Edition or Symantec AntiVirus Corporate Edition. You want to know whether the Internet Connection Firewall (ICF) that is built into Windows XP will interfere with the clients' ability to receive virus definitions updates from their parent server or by using LiveUpdate.


ICF will not block communications initiated by the computer on which it is enabled. It will block inbound communications that were not requested by the client and have not been explicitly allowed. ICF does not prevent a client from receiving virus definitions updates, but it can limit some types of communication.

Antivirus clients
Unmanaged clients will initiate the download of virus definitions through LiveUpdate. ICF does not block this communication.

Managed clients periodically check in with their parent server for configuration changes and virus definitions updates. ICF does not block this communication.

In Symantec AntiVirus, a parent server proactively pushes virus definitions to its clients after receiving a virus definitions update. ICF blocks this inbound communication by default, since the communication is not requested by the client. A managed client still communicates with its parent server during its regularly scheduled check-in time, after which a virus definitions download may be initiated. To allow a parent server to push definitions to a managed client proactively, open in ICF the port that Rtvscan.exe uses. By default, this is UDP port 2967.

Antivirus servers
When ICF is enabled on a parent server, the server can update its own virus definitions via LiveUpdate and send out configuration changes and virus definitions to its clients. However, clients will not be able to check in with the parent server and may disappear from the Symantec System Center. To allow this communication, open UDP ports 2967 and 38293 in ICF.
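
The client and server cases above follow from one rule: replies to traffic the host started are allowed, and unsolicited inbound traffic is allowed only on an opened port. The sketch below is an added illustration of that rule, not Symantec or Microsoft code. The addresses, the source ports, and the choice of 2967 as the check-in destination port are assumptions made for the example.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFirewall:
    """Toy model of a host firewall that tracks flows the host initiated.
    Real firewalls also expire flow entries after a timeout; omitted here."""
    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)  # {(proto, port)} explicitly opened inbound
        self.flows = set()                 # flows started by the local host

    def outbound(self, pkt):
        # Locally initiated traffic is always allowed, and the flow is remembered.
        self.flows.add((pkt.proto, pkt.sport, pkt.dst, pkt.dport))
        return True

    def inbound(self, pkt):
        # Allow a reply to a remembered flow, or traffic to an opened port.
        if (pkt.proto, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        return (pkt.proto, pkt.dport) in self.open_ports

# Constructed sample values (documentation address range, arbitrary source ports).
CLIENT, SERVER = "192.0.2.10", "192.0.2.1"

def run_scenarios():
    results = {}
    # Managed client with default ICF settings: the client checks in, the server replies.
    client_fw = StatefulFirewall()
    checkin = Packet("UDP", CLIENT, 1045, SERVER, 2967)  # assumed check-in port
    client_fw.outbound(checkin)
    reply = Packet("UDP", SERVER, 2967, CLIENT, 1045)
    results["reply_to_checkin"] = client_fw.inbound(reply)
    # Parent server pushes definitions to the client's Rtvscan port, unsolicited.
    push = Packet("UDP", SERVER, 1060, CLIENT, 2967)
    results["push_default"] = client_fw.inbound(push)
    results["push_port_opened"] = StatefulFirewall({("UDP", 2967)}).inbound(push)
    # Parent server with ICF enabled: the client check-in is unsolicited inbound.
    results["server_default"] = StatefulFirewall().inbound(checkin)
    server_fw = StatefulFirewall({("UDP", 2967), ("UDP", 38293)})
    results["server_ports_opened"] = server_fw.inbound(checkin)
    return results

if __name__ == "__main__":
    for name, allowed in run_scenarios().items():
        print(f"{name}: {'allowed' if allowed else 'blocked'}")
```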

For assistance in opening ports in ICF, see the article How to Manually Open Ports in Internet Connection Firewall in Windows XP.

For information about topics related to Windows XP Service Pack 2, see the article Documents relating to Symantec Client Security and Windows XP Service Pack 2.

Related articles for Symantec AntiVirus Corporate Edition
Ports used for communication in Symantec AntiVirus Corporate Edition 8.x and 9.x
How to troubleshoot Symantec AntiVirus Corporate Edition 8 communication problems
Rtvscan does not use port 2967 in Symantec AntiVirus Corporate Edition 8.0
How to use the Virus Definitions Transport Method (VDTM) in Symantec AntiVirus Corporate Edition

Related articles for Norton AntiVirus Corporate Edition 7.x
Which ports are used for communication in Norton AntiVirus Corporate Edition?
How to troubleshoot Norton AntiVirus Corporate Edition 7 communication problems
How to use the Virus Definitions Transport Method (VDTM) in Norton AntiVirus Corporate Edition 7.x

Technical Information
From the Microsoft document Use the Internet Connection Firewall:

"You should not enable Internet Connection Firewall on virtual private networking (VPN) connections, which are typically used to securely log in to a corporate network. You should not enable ICF on client computers that are part of a large company or school network with a server-client structure. ICF will interfere with file and printer sharing in these scenarios."
