Communication ports used by Symantec Antivirus 10 for Mac OS X

Article:TECH103380  |  Created: 2007-01-29  |  Updated: 2009-01-15  |  Article URL http://www.symantec.com/docs/TECH103380
Article Type
Technical Solution


Issue



You want to know which IP addresses and ports Symantec Antivirus 10 for Mac uses for communication, so that you can configure your internal firewalls to allow this traffic.


Solution



Client - Server communication:

The server sends commands to the client using a multicast address.
By default, the destination address is 239.255.0.127 on UDP port 8192. If you modified these settings during installation, you can find the current values in the client plist file, located at /Library/Preferences/com.symantec.SMacClient.plist:

Property  |  Value  |  Comment
MulticastAddress  |  239.255.0.127 (default)  |  This is the multicast address where the server sends the commands
PortNum  |  8192 UDP (default)  |  This is the port corresponding to the multicast address above


The client contacts the server using web communications.
To find out which address and port are being used, look for the property NodeCommURL in the client plist file. Its value has the following format:


Property  |  Value
NodeCommURL  |  http://192.0.2.3:80/sacm (http://IPADDRESS:PORT/path_to_application)



Where IPADDRESS is your web server's IP address and PORT is the port number used for web communications.
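
The following is an added example, not part of the original article or Symantec's own tooling: it reads the three properties described above from the client plist and derives the two client-server flows a firewall has to allow. The sample plist is constructed from the article's default values, and the storage type of PortNum (integer or numeric string) is an assumption.

```python
import ipaddress
import plistlib
from urllib.parse import urlsplit

# Constructed sample using the article's default values; on a client, read
# /Library/Preferences/com.symantec.SMacClient.plist instead.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>MulticastAddress</key><string>239.255.0.127</string>
  <key>PortNum</key><integer>8192</integer>
  <key>NodeCommURL</key><string>http://192.0.2.3:80/sacm</string>
</dict></plist>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def firewall_flows(plist_bytes):
    """Return the two client-server flows the firewall must allow."""
    prefs = plistlib.loads(plist_bytes)

    # Server -> client commands: the destination must be a multicast group.
    group = ipaddress.ip_address(prefs["MulticastAddress"])
    if not group.is_multicast:
        raise ValueError(f"MulticastAddress {group} is not a multicast address")
    mcast_port = int(prefs["PortNum"])  # assumption: integer or numeric string

    # Client -> server web traffic: host and port come from NodeCommURL.
    url = urlsplit(prefs["NodeCommURL"])
    if url.scheme not in DEFAULT_PORTS or not url.hostname:
        raise ValueError(f"unexpected NodeCommURL: {prefs['NodeCommURL']!r}")
    web_port = url.port or DEFAULT_PORTS[url.scheme]  # URL may omit the port

    return [
        {"direction": "server->client", "proto": "udp",
         "dst": str(group), "port": mcast_port},
        {"direction": "client->server", "proto": "tcp",
         "dst": url.hostname, "port": web_port},
    ]


if __name__ == "__main__":
    for flow in firewall_flows(SAMPLE_PLIST):
        print("{direction}: {proto} to {dst} port {port}".format(**flow))
```
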
LiveUpdate
If you are using an internal LiveUpdate server

The client will communicate from a local random port to the internal LiveUpdate server. The destination port would be the one used for ftp or http (21 and 80 respectively).

If you are using Symantec's public LiveUpdate server

The client will communicate from a local random port to the Symantec LiveUpdate server on port 80. The FQDN (fully qualified domain name) of this server is liveupdate.symantec.com


LiveUpdate Administration utility
If you are using an internal LiveUpdate server, you will be using LiveUpdate Administrator Utility for Mac to retrieve updates. This utility connects to update.symantec.com to retrieve the available SAV Mac updates. This utility will also try to connect to ftp.symantec.com on port 21 to check for the latest version of LiveUpdate Administrator Utility.

In LUAdmin, the LiveUpdate packages are downloaded from update.symantec.com; that domain name is hard-coded within the script. The number and the addresses of the ftp connections will vary depending upon what the host command displays.
For example, on my Mac right now:

host update.symantec.com

yields:

update.symantec.com is an alias for lb.update.symantec.speedera.net.
lb.update.symantec.speedera.net is an alias for update.symantec.speedera.net.
update.symantec.speedera.net has address 63.210.193.12
update.symantec.speedera.net has address 64.124.186.85
update.symantec.speedera.net has address 216.200.68.151
update.symantec.speedera.net has address 216.200.68.152

LUAU would download livetri.zip from those four addresses and use the server that has the latest livetri.zip. The host command seems to list four addresses most often, but it may sometimes show more or fewer. Due to the way LiveUpdate servers get replicated, the packages on the servers may vary. Having LUAU use just one address per download session helps make sure that the packages match what is listed in livetri.zip.
When checking for updates for the LUAU program itself, LUAU will use whatever address is found for ftp.symantec.com; that domain name is also hard-coded within the script.





Legacy ID: 2007475681573298

