Endpoint Protection

  • 1.  RtvScan is trying to reach restricted IP addresses

    Posted Jan 28, 2012 05:09 AM

    Hi everyone,

     

    I've noticed by using Microsoft Network Monitor 3.4 that on several machines in our company RtvScan is trying to reach IP addresses that have been blocked in our firewall. This is generating a lot of hits so now I need to find out if there is a way to stop RtvScan from trying to reach those IPs or if it is safe for us to allow access for them.

    Here is a list of the IPs we've discovered so far:


    We are using Symantec Endpoint Protection 11 and Symantec Endpoint Protection 11. Most of these machines are Windows 7 x64.

    I'm relatively new to Symantec, so any suggestions are welcome. If there is a way to edit settings so that RtvScan wouldn't try to constantly reach for those IP addresses or if these addresses are considered safe, either way I need a solution for this.



  • 2.  RE: RtvScan is trying to reach restricted IP addresses

    Posted Jan 31, 2012 01:57 AM

    Hi,

    I tried tracing these IPs as follows, but nothing new.

     

    188.111.53.33 is from Germany(DE) in region Western Europe

    188.111.53.48 is from Germany(DE) in region Western Europe

    192.221.103.254 is from United States(US) in region North America

    195.50.164.138 is from Germany(DE) in region Western Europe

    8.12.211.254 is from United States(US) in region North America

     

    In my view, there is some application present on your machine which is trying to connect to these IPs.

    And that application activity is monitored by Rtvscan.

     

    Check with your IE settings if any internet traffic is trying to get through your proxies to these IPs.

    Because I have seen one case where the issue was similar, and when we tried clearing the proxy settings under IE, the issue seemed to be resolved.

     

    Hope this helps you!!



  • 3.  RE: RtvScan is trying to reach restricted IP addresses

    Posted Feb 15, 2012 07:25 AM

    Thanks for the advice.

    It sounds very likely, as you suggested, that there is a program that is trying to access the web via the IE proxy, but it seems to be quite difficult to find out what the source of this is.

    Another idea we had is that since these incidents occur on different machines, whether they are servers, Windows 7 or Windows XP platforms, it might somehow be related to Group Policy Objects, but we can't really be sure yet. (Another area that I don't know much about, but my colleague is trying to find out about it.)

    I'll let you know once we find out more.

    Kind regards ^_^



  • 4.  RE: RtvScan is trying to reach restricted IP addresses

    Posted Feb 22, 2012 01:07 AM

    Any update on this? I have a similar issue.

     

    Thanks



  • 5.  RE: RtvScan is trying to reach restricted IP addresses

    Posted Feb 22, 2012 03:55 AM

    Any Updates?

    I have a similar issue. A lot of my machines try to reach the following Server-IPs:

    192.221.106.126
    207.123.56.254
    207.123.56.126

    This is generating a lot of warnings on our Firewall and our Network-Team is going crazy ;-)

    It seems to be connected to the Rollout of SEP12.1RU1 we are doing at the moment, upgrading from SEP11.5.

    Can this be the Sites the clients try to reach for the WebReputation services and the like?

     

    Regards

    Stephan



  • 6.  RE: RtvScan is trying to reach restricted IP addresses

    Posted Feb 24, 2012 10:39 AM

    I noticed that one of our older XP machines that has Symantec Endpoint Protection Client version 11.0.3001.2224 doesn't get any hits to the IPs I first mentioned. I had the Network monitor on for a full 2 days without a single hit. (Current version 11.0.6005.562)

    I wanted to try this package on Windows 7 too to see how it works, but it refuses to install.

    I'll see about installing a newer Client installation package to see if it would make any difference. First I just need to find out where I can get those packages... :P



  • 7.  RE: RtvScan is trying to reach restricted IP addresses
    Best Answer

    Posted Apr 19, 2012 07:09 AM

    This problem has been solved on our account and it wasn't related to Symantec Endpoint Protection in any way.

    Most of our internet traffic is supposed to go through our proxy server which wasn't the case, and the problem was in DNS configuration in our AD server.

    We checked the DNS manager, and found out that we had old Root hints that we had no need for and they were the reason why we were getting these strange hits.

    We removed the Root hints and added new Forward Lookup Zones for systems that required them and voilà, no more strange hits.

    Consult your DNS administrator if you consider this could be a possibility in your systems.

    I hope this article is useful, and will give you the answer you're looking for.
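
One way to tie firewall hits like the ones in this thread back to the names clients resolved through the internal DNS server, as an added example that is not part of the original posts. The log formats, client addresses, host names and IPs (documentation ranges) are constructed assumptions; adapt the regular expressions to your own DNS query log and firewall log.

```python
import re
from collections import defaultdict

# Constructed sample data: log formats, hosts and names are illustrative
# (documentation IP ranges), not values taken from the thread.
DNS_LOG = """\
2012-02-24T10:00:01 client=10.0.0.21 query=updates.vendor.example answer=192.0.2.126
2012-02-24T10:00:02 client=10.0.0.21 query=intranet.corp.example answer=10.0.5.10
2012-02-24T10:00:05 client=10.0.0.34 query=crl.vendor.example answer=198.51.100.254
2012-02-24T10:03:00 client=10.0.0.34 query=updates.vendor.example answer=192.0.2.126
"""
FW_LOG = """\
2012-02-24T10:00:03 DENY src=10.0.0.21 dst=192.0.2.126 dport=80
2012-02-24T10:00:06 DENY src=10.0.0.34 dst=198.51.100.254 dport=80
2012-02-24T10:00:09 DENY src=10.0.0.34 dst=203.0.113.7 dport=443
2012-02-24T10:03:02 DENY src=10.0.0.34 dst=192.0.2.126 dport=80
"""

DNS_RE = re.compile(r"client=(\S+) query=(\S+) answer=(\S+)")
FW_RE = re.compile(r"DENY src=(\S+) dst=(\S+) dport=(\d+)")

def correlate(dns_log, fw_log):
    """Map each denied (src, dst) pair to the names that src resolved to dst."""
    resolved = defaultdict(set)  # (client, answer IP) -> {queried names}
    for m in DNS_RE.finditer(dns_log):
        client, name, answer = m.groups()
        resolved[(client, answer)].add(name)
    hits = defaultdict(lambda: {"count": 0, "names": set()})
    for m in FW_RE.finditer(fw_log):
        src, dst, _port = m.groups()
        entry = hits[(src, dst)]
        entry["count"] += 1
        entry["names"] |= resolved.get((src, dst), set())
    return dict(hits)

def externally_resolved(hits):
    """Names the internal resolver answered that led to direct, denied connections."""
    return sorted({n for h in hits.values() for n in h["names"]})

if __name__ == "__main__":
    result = correlate(DNS_LOG, FW_LOG)
    for (src, dst), h in sorted(result.items()):
        names = ", ".join(sorted(h["names"])) or "no DNS lookup seen"
        print(f"{src} -> {dst}: {h['count']} denies; {names}")
```

External names that appear in the output were answered by the internal resolver and then contacted directly rather than through the proxy; a denied destination with no matching lookup points at something other than DNS.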