Communication ports used by Symantec Antivirus 10 for Mac OS X
|Article:TECH103380|||||Created: 2007-01-29|||||Updated: 2009-01-15|||||Article URL http://www.symantec.com/docs/TECH103380|
You want to know which IP addresses and ports are used for communication in Symantec Antivirus 10 for MAC in order to configure your internal firewalls to allow this traffic
Client - Server communication:
The server sends commands to the client using a multicast address.
By default the destination address is 220.127.116.11 using port 8192 UDP. If you modified this settings during installation, you can find the information in the plist file, located in /Library/Preferences/com.symantec.SMacClient.plist
This is the multicast address where the server sends the commands
8192 UDP (default)
This is the port corresponding to the multicast address above
The client will contact the server using web communications.
To find out what address and port is been used, look for the property NodeCommURL in the client plist file. You will have a value with the following format:
http ://192.0.2.3:80/sacm (http ://IPADDRESS:PORT/path_to_application)
Where IPADDRESS is going to be your web server IP address and PORT is going to be the port number used for web communications
If you are using an internal LiveUpdate server
The client will communicate from a local random port to the internal LiveUpdate server. The destination port would be the one used for ftp or http (21 and 80 respectively).
If you are using Symantec's public LiveUpdate server
The client will communicate from a local random port to the Symantec LiveUpdate server on port 80. The FQDN (fully qualified domain name) of this server is liveupdate.symantec.com
LiveUpdate Administration utility
If you are using an internal LiveUpdate server, you will be using LiveUpdate Administrator Utility for MAC to retrieve updates. This utility connects to update.symantec.com to retrieve the available
SAV MAC updates. This utility will also try to connect to ftp.symantec.com on port 21 to check for the latest version of LiveUpdate Administrator Utility
In LUAdmin, the LiveUpdate packages are downloaded from update.symantec.com; that domain name is hard-coded within the script. The number of and the addresses of ftp connections will vary depending upon what the host command displays.
For example, on my Mac right now:
update.symantec.com is an alias for lb.update.symantec.speedera.net.
lb.update.symantec.speedera.net is an alias for update.symantec.speedera.net.
update.symantec.speedera.net has address 18.104.22.168
update.symantec.speedera.net has address 22.214.171.124
update.symantec.speedera.net has address 126.96.36.199
update.symantec.speedera.net has address 188.8.131.52
LUAU would download livetri.zip from those four addresses and use the server that has the latest livetri.zip. The host command seems to list four addresses most often, but it may show more or less of them sometimes. Due to the way LiveUpdate servers get replicated, the packages on the servers may vary. Having LUAU use just one address per download session helps make sure that the packages match what is listed in livetri.zip.
When checking for updates for the LUAU program itself, LUAU will use whatever address is found for ftp.symantec.com; that domain name is also hard-coded within the script.
Article URL http://www.symantec.com/docs/TECH103380