Ocassionally we have inquiries from concerned customers claiming Symantec was scanning their forward facing IPs for vulnerabilities. As we have many different products and services it's sometimes not readiluy apearant if this is part of our Global inteligence Network, or one of the services we offer, but our experience has been that it always is an opt-in service a customer has request or purchased and perhaps the web team had forgotten to let the Infosec/SOC know what was going on. Sound familiar?
One such service is called Vulnerability Assessment Service and allows the customer to add the Norton Secured seal to their website.
This is now owned by DigiCERT and is not a Symantec product. PTR records and such are still being transfered over but feel free to contact them or look at the following articles on their site for more information
Vulnerability Scan FAQ Which IP addresses does Vulnerability Assessment Service scan from?
Vulnerability Assessment Service can create multiple entries in the customer’s website's logs and could cause alerts from their perimeter IDS/IPS. Its recommended to create rules or filters for these entries to avoid an false positives. Vulnerability Assessment Service uses the following IP addresses and server names: