  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 259

Strange Syslog Traffic - Norton Antivirus - NAT

I have traffic from the Norton Antivirus (NA) port.  NA seems to be systematically cycling through IP addresses within a certain range.  The station is a workstation and not a server.  This was all in one subnet (sort of).  The subnet was much smaller than the range of IP addresses.  The next thing I saw was NAT translation Denies to traffic that should be local.  It sounds like a virus or a scan.  Any suggestions?  This is really bizarre. The only thing they did on that box is switch DNS servers just before that.  Any explanations?  It is in an AD domain.
Asked by: awakenings

awakenings (Author) Commented:
Okay...  Something else they neglected to tell me.  It was a NA server.  Why would it scan random IPs?
 
awakenings (Author) Commented:
Well, sequentially ordered IPs?
 
r-k Commented:
Are these IPs in your subnet?

If not, maybe they belong to Symantec (you can check at http://www.arin.net/) and the program may be trying to contact a server for updates.

 
awakenings (Author) Commented:
Hey r-k...  I forgot I solved it.  I'll give you points for trying, but it is the AV server sending out network queries to IPs in our own subnet.  It worried me as it looked like it may have been a scan or virus as some operate in those ways.
 
r-k Commented:
Thanks for the points and the update :)
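
An added example, not part of the original thread: one way to triage the pattern discussed above from firewall deny logs, by grouping denies per source and port, measuring the longest run of consecutive destination addresses, and listing destinations that fall outside the local subnet (the question r-k asked). The log format, the addresses (documentation range 192.0.2.0/24), port 40000 and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed deny lines: one host walking 192.0.2.3-22 on a single port,
# plus a second host with two unrelated denies. Not real log data.
SAMPLE_LOG = "\n".join(
    [f"Dec 01 10:00:{i:02d} fw1 DENY proto=udp src=192.0.2.2 "
     f"dst=192.0.2.{i} dport=40000" for i in range(3, 23)]
    + ["Dec 01 10:01:00 fw1 DENY proto=udp src=192.0.2.9 dst=192.0.2.4 dport=53",
       "Dec 01 10:01:05 fw1 DENY proto=udp src=192.0.2.9 dst=192.0.2.12 dport=53"])

# Hypothetical log layout assumed by this example.
LINE_RE = re.compile(r"DENY proto=(\w+) src=(\S+) dst=(\S+) dport=(\d+)")

def longest_run(addrs):
    """Length of the longest run of numerically consecutive addresses."""
    nums = sorted({int(a) for a in addrs})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_sweeps(log_text, local_net, min_run=5):
    """Report (src, dport) pairs whose denied destinations form a sequential run."""
    net = ipaddress.ip_network(local_net)
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            _, src, dst, dport = m.groups()
            seen[(src, int(dport))].add(ipaddress.ip_address(dst))
    findings = []
    for (src, dport), dsts in sorted(seen.items()):
        run = longest_run(dsts)
        if run >= min_run:
            findings.append({
                "src": src, "dport": dport, "targets": len(dsts),
                "longest_run": run,
                # Destinations beyond the local subnet are the ones a
                # NAT/firewall boundary would be expected to deny.
                "outside_local_net": [str(d) for d in sorted(dsts) if d not in net],
            })
    return findings

if __name__ == "__main__":
    for finding in find_sweeps(SAMPLE_LOG, "192.0.2.0/28"):
        print(finding)
```

A finding only says the traffic is sweep-shaped; whether the source is a management server doing discovery or an infected host still has to be confirmed on the source machine itself.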