Endpoint Protection


Application and ports


  • 1.  Application and ports

    Posted Jul 27, 2009 08:00 PM
    Could anyone help me with this? I've seen on our network monitoring the applications and ports below trying to connect to our SEPM server. It is some kind of weird scenario, because I believe that this is not part of a Symantec application.
    Can you tell us what application uses these and why it is trying to connect to the SEPM server?

    ansoft-lm-1 (TCP 1083)
    lmsocialserver (TCP 1111)
    cnrprotocol (TCP 1096)
    bnetgame (TCP 119)
    imyx (TCP 1143)

    Thanks for the help in advance


  • 2.  RE: Application and ports

    Posted Jul 27, 2009 08:28 PM
    I do not think this traffic could be destined for Symantec Services.

    ansoft-lm-1 (TCP 1083) -- Ansoft License Manager
    lmsocialserver (TCP 1111) -- LM Social Server
    cnrprotocol (TCP 1096) -- Common Name Resolution Protocol
    bnetgame (TCP 119) -- NNTP
    imyx (TCP 1143) -- [BOINC Client Software] http://www.boinc-wiki.info/Removing_a_BOINC_Client_Software_Installation_With_The_Windows_Control_Panel

    Cheers,
    Aniket



  • 3.  RE: Application and ports

    Posted Jul 27, 2009 08:36 PM
    Sorry for the typographical error with bnetgame; it's (TCP 1119).

    Why are these applications trying to connect to our SEPM server?


  • 4.  RE: Application and ports

    Posted Jul 27, 2009 09:00 PM
    You can run the TCPVIEW utility on the client computer originating the traffic and monitor the connections for destination port numbers equal to the ports you mentioned above.

    If you have trouble locating the machines sending traffic on these ports, please run TCPVIEW on the server and check the source IP of the machines sending traffic.

    On the client machine, you can identify the exe sending the traffic with TCPVIEW.

    You may use CPORTS tool as well, if you feel that TCPVIEW is not giving sufficient info.

    Cheers,
    Aniket


  • 5.  RE: Application and ports

    Posted Jul 27, 2009 09:25 PM
    Is your SEPM server a file server as well?
    or are there any open shares on your SEPM server?


  • 6.  RE: Application and ports

    Posted Jul 30, 2009 11:06 AM
    It is not a file server; this server is dedicated only to our SEPM server.


  • 7.  RE: Application and ports

    Posted Jul 30, 2009 11:10 AM
    Can anyone else help us with why the said application is trying to connect to our SEPM server?


  • 8.  RE: Application and ports

    Posted Jul 30, 2009 11:33 AM
    Hi,

    The SEPM's services are listening on these ports:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007090614430148

    and the list of processes and services is this:
    http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2007102906283148

    As you can see, none of the processes and ports listed by you are related to SEP. You should ask their manufacturers what they do and why.
    It is not clear if the destination ports of these connections are the ones used by SEPM. I don't think so, unless these applications are trying to tamper with SEPM.
    Can you post more details?

    As security advice, if you don't trust these applications and their network activities, you should stop them and close the related ports on the server.

    Regards,
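
Posts 4 and 8 both come down to finding out which end of each connection actually uses a flagged port. The following is an added example, not part of any post in this thread: it parses `netstat -ano` output taken on the server and labels each matching row. The sample output, addresses, PIDs and the 8014 listener are constructed assumptions.

```python
# Ports from the thread (bnetgame as corrected to 1119 in post 3).
WATCHED = {1083, 1096, 1111, 1119, 1143}

# Constructed `netstat -ano` output from the server; all addresses and PIDs are made up,
# and 8014 stands in for a port the management server listens on (assumption).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8014           0.0.0.0:0              LISTENING       1520
  TCP    10.0.0.5:8014          10.1.2.30:1083         ESTABLISHED     1520
  TCP    10.0.0.5:8014          10.1.2.31:1111         ESTABLISHED     1520
  TCP    10.0.0.5:445           10.1.2.30:1143         TIME_WAIT       0
  TCP    10.0.0.5:1096          10.1.2.40:445          ESTABLISHED     2284
  TCP    10.0.0.5:2301          10.1.2.50:1119         ESTABLISHED     3100
  TCP    10.0.0.5:3389          10.1.2.99:50122        ESTABLISHED     1008
"""

def parse(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state, pid) per TCP row."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":  # header and UDP rows are skipped
            (la, lp), (ra, rp) = f[1].rsplit(":", 1), f[2].rsplit(":", 1)
            rows.append((la, int(lp), ra, int(rp), f[3], int(f[4])))
    return rows

def classify(text, watched=WATCHED):
    """Return (role, flagged_port, peer_ip, other_port, pid) for rows touching a flagged port."""
    rows = parse(text)
    listening = {lp for _, lp, _, _, state, _ in rows if state == "LISTENING"}
    findings = []
    for _, lp, ra, rp, _state, pid in rows:
        if lp in watched:
            # Flagged port is on the server: a local listener, or the
            # source port of a connection the server itself opened.
            role = "server-listens" if lp in listening else "server-source-port"
            findings.append((role, lp, ra, rp, pid))
        elif rp in watched:
            # Flagged port is on the peer: its source port into one of our
            # listeners, or a remote service the server connected out to.
            role = "peer-source-port" if lp in listening else "server-outbound"
            findings.append((role, rp, ra, lp, pid))
    return findings

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Rows labelled `peer-source-port` are clients reaching a service the server really offers, so the peer address is the machine on which to run TCPView; `server-listens` and `server-outbound` rows carry a PID to look up on the server itself.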





  • 9.  RE: Application and ports

    Posted Jul 31, 2009 05:58 AM
    We're having the exact same problem. Could we just block those particular ports, or could it impact other applications?


  • 10.  RE: Application and ports

    Posted Jul 31, 2009 06:16 AM
    Hi,

    You should ask the manufacturers of those products what they do and why.
    It is not clear if the destination ports of these connections are the ones used by SEPM. I don't think so, unless these applications are trying to tamper with SEPM.
    Can you post more details?
    As security advice, if you don't trust these applications and their network activities, you should stop them and close the related ports on the server.

    Regards,



  • 11.  RE: Application and ports

    Posted Aug 01, 2009 04:34 AM

    Check the application related to these files and uninstall it...

    You can use Process Explorer and TCPView to find out which file is causing the traffic and where it resides.

    Download links:
    Process Explorer
    http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

    TCPView for Windows
    http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx

    If it's started as a service, just stop the service.



  • 12.  RE: Application and ports

    Posted Aug 01, 2009 05:56 AM
    The traffic came from the remote site; it is causing network congestion, and our end users are experiencing application slowdown. The application is accessed through the remote site.


  • 13.  RE: Application and ports

    Posted Aug 03, 2009 07:47 AM
    Because the processes below are not from Symantec, we have to search for them on Google; can't you do that yourself? I believe you will find what they are, what their activities are, who their manufacturers are, whether they are safe and anything else you need to know.

    ansoft-lm-1 (TCP 1083)
    lmsocialserver (TCP 1111)
    cnrprotocol (TCP 1096)
    bnetgame (TCP 119)
    imyx (TCP 1143)

    Let us know if they are security threats that require more attention from Symantec or other IT administrators.

    Regards,



  • 14.  RE: Application and ports
    Best Answer

    Posted Aug 03, 2009 09:16 AM
    Thank you for your help, I really appreciate it. We have already done a workaround for this issue. To share what I've done to resolve my concern: I enabled the Windows firewall on our server and we excluded all the ports that SEPM uses, and for the high network utilization I followed the KB http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/9d6ed48564386ee18825741a004c33f8?OpenDocument and our network is working fine now. Thanks again, guys.


  • 15.  RE: Application and ports

    Posted Aug 03, 2009 10:15 AM
    Marking Peterpan's last Comment as Solution