I have traffic from the Norton Antivirus (NA) port. NA seems to be systematically cycling through IP addresses within a certain range. The station is a workstation and not a server. This was all in one subnet (sort of). The subnet was much smaller than the range of IP addresses. The next thing I saw was NAT translation Denies to traffic that should be local. It sounds like a virus or a scan. Any suggestions? This is really bizarre. The only thing they did on that box is switch DNS servers just before that. Any explanations? It is in an AD domain.