Communication ports used by Symantec Antivirus 10 for Mac OS X

Article:TECH103380  |  Created: 2007-01-29  |  Updated: 2009-01-15  |  Article URL
Article Type
Technical Solution


You want to know which IP addresses and ports are used for communication in Symantec Antivirus 10 for MAC in order to configure your internal firewalls to allow this traffic


Client - Server communication:

The server sends commands to the client using a multicast address.
By default the destination address is using port 8192 UDP. If you modified this settings during installation, you can find the information in the plist file, located in /Library/Preferences/




MulticastAddress (default)

This is the multicast address where the server sends the commands


8192 UDP (default)

This is the port corresponding to the multicast address above

The client will contact the server using web communications.
To find out what address and port is been used, look for the property NodeCommURL in the client plist file. You will have a value with the following format:




http :// (http ://IPADDRESS:PORT/path_to_application)

Where IPADDRESS is going to be your web server IP address and PORT is going to be the port number used for web communications
If you are using an internal LiveUpdate server

The client will communicate from a local random port to the internal LiveUpdate server. The destination port would be the one used for ftp or http (21 and 80 respectively).

If you are using Symantec's public LiveUpdate server

The client will communicate from a local random port to the Symantec LiveUpdate server on port 80. The FQDN (fully qualified domain name) of this server is

LiveUpdate Administration utility
If you are using an internal LiveUpdate server, you will be using LiveUpdate Administrator Utility for MAC to retrieve updates. This utility connects to to retrieve the available
SAV MAC updates. This utility will also try to connect to on port 21 to check for the latest version of LiveUpdate Administrator Utility

In LUAdmin, the LiveUpdate packages are downloaded from; that domain name is hard-coded within the script. The number of and the addresses of ftp connections will vary depending upon what the host command displays.
For example, on my Mac right now:


yields: is an alias for is an alias for has address has address has address has address

LUAU would download from those four addresses and use the server that has the latest The host command seems to list four addresses most often, but it may show more or less of them sometimes. Due to the way LiveUpdate servers get replicated, the packages on the servers may vary. Having LUAU use just one address per download session helps make sure that the packages match what is listed in
When checking for updates for the LUAU program itself, LUAU will use whatever address is found for; that domain name is also hard-coded within the script.

Legacy ID


Article URL

Terms of use for this information are found in Legal Notices