Security Incidents mailing list archives

Re: norton AV host discovery scan


From: "FatFinger" <fatfinger () uol com br>
Date: Sat, 8 Dec 2001 12:52:50 -0300

Ian,

This port relates to Intel Ping Discovery Service (Intel PDS). It is used by
NAV to scan the network and find NAV Servers/Clients.

When the NAV Server "pings" the network, it tries to ping port 38293 to find
NAV Servers. These NAV Servers have a list of clients that they manage. So,
Symantec System Center (console) can show you all your NAV Domain.

Your server will always receive connections from other NAV Servers because,
every 60 minutes (by default), there's a polling coming from NAV Clients
(rtvscan.exe) trying to connect to 38293 to pull definitions and
configurations.

To date, I haven't heard of any vulns in this service.

Hope it helps


----- Original Message -----
From: "Ian Melven" <imelven () xtremesoft com>
To: <incidents () securityfocus com>
Sent: Thursday, December 06, 2001 1:45 PM
Subject: norton AV host discovery scan



hi everyone

i was wondering if anyone else has been seeing scans of
38293/udp recently ?

they seem to be coming from the same source.. and repeat
1-3 times per day.

snort.org's ports db tells me this is Norton AV host discovery ?

i dug around briefly but couldn't find any published holes in this.

i suspect someone may be misconfigured.

thanks
ian

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
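
A triage sketch for the traffic discussed in this thread, added here as an example and not part of either message: it groups 38293/udp hits by source and separates a source that probes several hosts from one that contacts a single host at roughly the 60-minute default interval mentioned in the reply. The log format, addresses, tolerance and labels are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

PDS_PORT = 38293          # Intel PDS port named in the thread
POLL_MINUTES = 60         # default client polling interval named in the thread

# Constructed sample lines in a made-up "<time> <proto> <src> <dst>:<port>" format.
SAMPLE_LOG = """\
2001-12-06T08:00:05 udp 192.0.2.10 192.0.2.1:38293
2001-12-06T09:00:07 udp 192.0.2.10 192.0.2.1:38293
2001-12-06T10:00:04 udp 192.0.2.10 192.0.2.1:38293
2001-12-06T03:14:00 udp 198.51.100.7 192.0.2.1:38293
2001-12-06T03:14:00 udp 198.51.100.7 192.0.2.2:38293
2001-12-06T03:14:01 udp 198.51.100.7 192.0.2.3:38293
2001-12-06T15:40:12 udp 198.51.100.7 192.0.2.1:38293
2001-12-06T15:40:12 udp 198.51.100.7 192.0.2.2:38293
2001-12-06T12:00:00 udp 198.51.100.9 192.0.2.1:53
"""

def summarize(log_text, tolerance_min=5):
    """Group 38293/udp hits by source and label each source's pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # skip malformed lines
        stamp, proto, src, dst = parts
        host, _, port = dst.rpartition(":")
        if proto.lower() != "udp" or port != str(PDS_PORT):
            continue                      # not the port under discussion
        hits[src].append((datetime.fromisoformat(stamp), host))

    report = {}
    for src, events in hits.items():
        events.sort()
        targets = {host for _, host in events}
        gaps = [(b[0] - a[0]).total_seconds() / 60
                for a, b in zip(events, events[1:])]
        gap = median(gaps) if gaps else None
        if len(targets) > 1:
            label = "sweep"               # one source probing several hosts
        elif gap is not None and abs(gap - POLL_MINUTES) <= tolerance_min:
            label = "hourly-poll"         # matches the default polling interval
        else:
            label = "other"
        report[src] = {"hits": len(events), "targets": len(targets),
                       "median_gap_min": gap, "label": label}
    return report
```

The labels describe a traffic pattern, not a verdict: a "sweep" is what both a NAV server's discovery ping and an unrelated scan look like, so the source address still has to be checked against the known NAV servers.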




