Endpoint Protection

  • 1.  PORTS for SEPM 12.1.4

    Posted Dec 16, 2015 11:14 AM

    OS: W2K12

     

    I know there are many ports questions asked on this forum, however, I cannot find the answer to my specific scenario.

     

    My security department has run scans on open ports for the IP affixed to my SEPM server. It returned ports 2967 and 38292. I know that clients communicate using 8014 and the SEPM uses 8443. They did not show up in the scan, but if I do a netstat -ano I can see ports 8014 and 8443 established or listening.

     

    My question is, do I need to keep ports 2967 and 38292 open?  I'm a bit confused.  I am also new to admin'ing Symantec server so this is a learning process for me.

     

    -Brian



  • 2.  RE: PORTS for SEPM 12.1.4
    Best Answer

    Posted Dec 16, 2015 11:17 AM
    Port 2967 is used for GUP to client communications. Doesn't need to be open on SEPM. Not sure what the other one is for, not SEPM related. This article lists all ports used http://www.symantec.com/docs/TECH163787


  • 3.  RE: PORTS for SEPM 12.1.4

    Posted Dec 16, 2015 11:26 AM

    Thanks for the quick reply.

     

    I found this regarding port 38292. http://www.saintcorporation.com/cgi-bin/exploit_info/symantec_ams_iao_msgsys

     

    Doesn't sound like it applies to SEPM but could be wrong.



  • 4.  RE: PORTS for SEPM 12.1.4
    Best Answer

    Posted Dec 16, 2015 11:28 AM

    Port 2967 is used for the Group Update Provider; this is a sort of proxy machine which provides updates to clients on behalf of SEPM.

    I don't know why you are seeing this port on SEPM; ideally it should be listening on the GUP machine and not on SEPM.

    38292 TCP: LANDesk Management Agent. Check if you have the LANDesk agent installed.

     

     



  • 5.  RE: PORTS for SEPM 12.1.4

    Posted Dec 16, 2015 11:33 AM
    Don't believe SEPM uses 38292


  • 6.  RE: PORTS for SEPM 12.1.4

    Trusted Advisor
    Posted Dec 16, 2015 11:34 AM

    Hello,

    In reference to the ports - check this article:

    Communication ports used by Symantec Endpoint Protection

    https://support.symantec.com/en_US/article.TECH163787.html

    2967 TCP SEP clients Smc.exe The Group Update Provider (GUP) proxy functionality of SEP client listens on this port.

     

    38292 is not related to Symantec Endpoint Protection.



  • 7.  RE: PORTS for SEPM 12.1.4

    Broadcom Employee
    Posted Dec 16, 2015 11:46 AM

    Hi,

    Port 2967 is used for the Group Update Provider. The Intel Alert Management System (AMS2) is used in Symantec AntiVirus Corporate Edition Server (SAV), Symantec System Center (SSC), and Symantec Quarantine Server. AMS2 listens on TCP port 38292 and allows administrators to send messages (e.g. email) if a user-specified event occurs.

    There is no harm in blocking port 38392. Do you have a GUP configured in the network?



  • 8.  RE: PORTS for SEPM 12.1.4

    Posted Dec 16, 2015 11:49 AM

    I think it may be possible these ports were left open as rules for these NAT'd IP's for earlier versions of SEP.  I've just migrated 12.1.4 and do not see these in use on the server itself.  Thanks for the input.  I think this gives me enough info that I'm looking for.



  • 9.  RE: PORTS for SEPM 12.1.4

    Posted Dec 16, 2015 02:21 PM

    One possible reason for the port 2967 to be open on the SEPM server is that it is configured as a GUP by mistake.

    Open the following file and check if the IP address of your SEPM server is listed in this file.

    %ProgramFiles%\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\GUP\globallist.xml

    If your SEPM IP is listed in this file, that means that the SEPM is configured as a GUP. Check the LiveUpdate policy assigned to the group in which the SEP client installed on the SEPM server is reporting and reconfigure it properly.
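
The two checks discussed in this thread (which local process owns each port, and whether the server's own IP appears in globallist.xml), as an added PowerShell example that is not from any poster or from Symantec. It assumes Windows Server 2012 or later (for Get-NetTCPConnection and Get-NetIPAddress), the install path quoted above, and that the file can be searched as plain text for the address.

```powershell
# Added example: not from the thread or from Symantec. Run in an elevated prompt on the SEPM server.
# Ports named in the thread: 8014/8443 (SEPM), 2967 (GUP), 38292 (reported by the scan).
$ports = 8014, 8443, 2967, 38292

# 1. Which local process, if any, is listening on each port?
foreach ($port in $ports) {
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
    if (-not $listeners) {
        "{0,-6} no local listener" -f $port
        continue
    }
    foreach ($l in $listeners) {
        $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
        "{0,-6} {1,-16} PID {2,-6} {3}" -f $port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName
    }
}

# 2. Is any of this server's IPv4 addresses listed in the GUP list?
# Path as given in the thread; adjust it if SEPM is installed elsewhere (assumption).
$gupList = Join-Path $env:ProgramFiles 'Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\GUP\globallist.xml'

if (-not (Test-Path -LiteralPath $gupList)) {
    "globallist.xml not found at $gupList"
} else {
    $ips = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' } |
        Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        # Match the address as a whole token so 10.0.0.1 does not match 10.0.0.10.
        $pattern = '(?<![\d.])' + [regex]::Escape($ip) + '(?![\d.])'
        $hits = @(Select-String -LiteralPath $gupList -Pattern $pattern)
        if ($hits.Count -gt 0) {
            "$ip is listed in globallist.xml (line $($hits[0].LineNumber)); check the LiveUpdate policy for this client"
        } else {
            "$ip is not listed in globallist.xml"
        }
    }
}
```

A port that the scan reported but that shows "no local listener" here is consistent with the NAT explanation in post 8: the scanned address may forward to a listener that is not on this server.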