Note: This article was originally published in 2006. Some steps, commands, or software versions may have changed. Check the current General documentation for the latest information.

obtained from: http://service1.symantec.com/SUPPORT/ent-security.nsf/pfdocs/2005033011582148?Open&dtype=corp


Document ID: 2005033011582148
Last Modified: 05/08/2006

**Ports used for communication in Symantec AntiVirus 10.x and Symantec Client Security 3.x**

Situation:

This document discusses the ports that Symantec AntiVirus 10.x and Symantec Client Security 3.x use for communication between servers and clients.

Solution:

Installation ports
The following table describes the network protocols and ports that must be available to perform network installations of the product:

| Function | Location | Protocol | Port range |
|---|---|---|---|
| Client deployment | Symantec System Center | TCP | local ports 1024–4999 |
| Client deployment | Target clients | TCP | local ports 1024–5000 |
| Client deployment | Management server and target clients | TCP | 139 |
| Server deployment | Target servers | TCP | local ports 1024–5000 |
| Server deployment | Management server and target servers | TCP | 139, 38293 |

Remote installation
Remote installation tools such as ClientRemote Install and AV Server Rollout use TCP port 139 on the targeted computers. If you plan to install Symantec Client Security or Symantec AntiVirus onto a computer running Windows 2003/XP, then read the document at (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2004070817071248?Open&src=&docid=2005033011582148&nsf=ent-security.nsf&view=pfdocs&dtype=corp&prod=&ver=&osv=&osv_lvl=&seg=).

Client/server communication ports
The following table describes the network protocols and ports that must be available to perform the standard functions of the product. Configurable ports are marked with an asterisk (*).

| Function | Location | Protocol | Port range |
|---|---|---|---|
| General communication | Symantec System Center, servers | TCP | local ports 1024–4999 |
| General communication | Symantec System Center, servers, clients | TCP | 2967* |
| General communication | NetWare servers | TCP | 2968* |
| General communication | Clients | TCP | local ports 1024–5000 |

Rtvscan
Rtvscan makes a request to Winsock for TCP port 2967 on IP-based networks. This is the only port needed for default client-to-server communication. On NetWare servers, Rtvscan.nlm listens on TCP port 2968.


Note: Some versions of the Administrator’s Guide erroneously state that Symantec AntiVirus uses port 2043. It actually uses port 2967.


On Windows computers, this value can be configured by using the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort

If the request for the static port fails, then Rtvscan uses a dynamic TCP port. This port is assigned by Winsock on that server and can be different each time that Rtvscan requests a port.

Roaming clients
The SAVRoam service used by roaming clients connects to the server TCP port 2967 with a random port.

Central management ports
The following table describes the network protocols and ports required to be available in order to manage the product centrally:

| Function | Location | Protocol | Port range |
|---|---|---|---|
| Discovery | Servers | UDP | 38293 |
| Discovery | Symantec System Center | UDP | local ports 1024–4999 |

Intel PDS Service
A Windows-based computer running a Symantec AntiVirus server installation runs the Intel PDS Service. Intel PDS listens for ping packets from servers. It responds with a pong packet containing information on how to communicate with RTVScan. Intel PDS listens on UDP port 38293 for ping packets. This value cannot be configured.

Other server-to-server communications
In server-to-server communication, the sending Symantec AntiVirus server picks a random port, starting at TCP 1025 and moving up from that point; return traffic comes back on that random port. To allow communication to pass through a firewall or gateway, create rules to allow any port to accept TCP communication on 2967 and 38293 and to allow outbound TCP communication from ports 2967 and 38293:

| Protocol | Rule |
|---|---|
| TCP | Allow 2967 to * |
| UDP | Allow 38293 to * |
| TCP | Allow * to 2967 |
| UDP | Allow * to 38293 |

On NetWare servers, Rtvscan.nlm listens on TCP port 2968. If you have NetWare servers, create the following rules:

| Protocol | Rule |
|---|---|
| TCP | Allow 2968 to * |
| TCP | Allow * to 2968 |

Ports for specific components and features
The following table describes the network protocols and ports required for certain optional components of the product:

| Component | Location | Protocol | Port range |
|---|---|---|---|
| Quarantine | Central Quarantine Server | TCP | 2847 (HTTP), 2848 (HTTPS) |
| Msgsys | Servers | UDP | 38037 |
| Msgsys | Servers | TCP | 38292 |
| Legacy management | Servers and clients; see below | UDP | 2967, 2968 |

Quarantine
Quarantine servers connect to the Digital Immune System by using HTTP on TCP port 2847 and HTTPS on TCP port 2848. For information about general configuration of Quarantine server and how to modify the TCP ports, see the document (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005033118471548?Open&src=&docid=2005033011582148&nsf=ent-security.nsf&view=pfdocs&dtype=corp&prod=&ver=&osv=&osv_lvl=&seg=).

Msgsys
Msgsys is an Alert Management System (AMS) process for generating and sending configured AMS alerts. Msgsys communication uses UDP port 38037 and TCP port 38292.

Communication with legacy clients
To allow a Symantec AntiVirus 10.x server to communicate with clients running Symantec AntiVirus 9.x or earlier, you must set the Server Tuning Options in Symantec System Center. For help with this, read the document (http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2005033012303348?Open&src=&docid=2005033011582148&nsf=ent-security.nsf&view=pfdocs&dtype=corp&prod=&ver=&osv=&osv_lvl=&seg=).

Because legacy clients use UDP communication, you must create rules to allow any port to accept UDP communication on 2967 and to allow outbound UDP communication from port 2967:

| Protocol | Rule |
|---|---|
| UDP | Allow 2967 to * |
| UDP | Allow * to 2967 |
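The three rule tables above (server-to-server, NetWare, and legacy clients) are easy to get partly wrong on a real firewall, typically by adding the inbound rule and forgetting its outbound twin or vice versa. The following is an added example, not Symantec's code or part of this document, that expands the document's required rule pairs and reports which ones a given rule set lacks. The rule notation (`TCP Allow 2967 to *`, one rule per line) is taken from the document; the sample policy is constructed, and 38293 is treated as UDP, matching the rule lines and the Intel PDS section rather than the "TCP" wording in the server-to-server paragraph.

```python
"""Check a firewall rule set for the Symantec AntiVirus 10.x allow rules listed
in this document (server-to-server, NetWare and legacy-client sections).

Added example, not Symantec's code. Rules are written in the document's own
"PROTO Allow SRC to DST" notation, with "*" meaning any port.
"""

# Listening ports from the document's rule tables, grouped by section.
# Each one needs an inbound rule (* -> port) and an outbound rule (port -> *).
REQUIRED = {
    "base": [("TCP", 2967), ("UDP", 38293)],   # server-to-server section
    "netware": [("TCP", 2968)],                # Rtvscan.nlm on NetWare
    "legacy": [("UDP", 2967)],                 # Symantec AntiVirus 9.x and earlier clients
}


def required_rules(netware=False, legacy=False):
    """Expand the document's rule tables into (proto, src_port, dst_port) tuples."""
    groups = ["base"] + (["netware"] if netware else []) + (["legacy"] if legacy else [])
    rules = []
    for group in groups:
        for proto, port in REQUIRED[group]:
            rules.append((proto, port, "*"))   # e.g. "TCP Allow 2967 to *"
            rules.append((proto, "*", port))   # e.g. "TCP Allow * to 2967"
    return rules


def parse_rule(line):
    """Parse one line such as 'TCP Allow 2967 to *' into a (proto, src, dst) tuple."""
    proto, action, src, _to, dst = line.split()
    if action.lower() != "allow":
        raise ValueError(f"only Allow rules are expected here: {line!r}")
    return (proto.upper(),
            src if src == "*" else int(src),
            dst if dst == "*" else int(dst))


def missing_rules(policy_lines, netware=False, legacy=False):
    """Return the required rules that do not appear in the given policy lines."""
    present = {parse_rule(line) for line in policy_lines if line.strip()}
    return [rule for rule in required_rules(netware, legacy) if rule not in present]


def format_rule(rule):
    """Render a rule tuple back into the document's notation."""
    proto, src, dst = rule
    return f"{proto} Allow {src} to {dst}"


# Constructed sample policy: the base rules are complete, but the site also has
# NetWare servers and legacy clients and forgot the inbound 2968 rule and the
# legacy UDP 2967 rules.
SAMPLE_POLICY = """
TCP Allow 2967 to *
UDP Allow 38293 to *
TCP Allow * to 2967
UDP Allow * to 38293
TCP Allow 2968 to *
""".strip().splitlines()

if __name__ == "__main__":
    for rule in missing_rules(SAMPLE_POLICY, netware=True, legacy=True):
        print("missing:", format_rule(rule))
```

Run against the sample policy with `netware=True, legacy=True`, the check reports the missing `TCP Allow * to 2968`, `UDP Allow 2967 to *` and `UDP Allow * to 2967`; with the defaults (no NetWare, no legacy clients) the same policy passes.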

Configuring ports to protect clients
Because these ports are listening for incoming traffic, they should be protected from being accessed from computers that are outside of the network. To do so, do the following:

  • On the network, block external access to these ports with a perimeter firewall.
  • On mobile computers, close the ports when the computer is not on the corporate network. This can be accomplished by blocking any unauthorized network traffic with a firewall rule or by using Location Awareness in Symantec Client Security to differentiate between corporate network traffic and other insecure communication.
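A quick way to verify the advice above on a given server or mobile computer is to look at what is actually listening and who is connected to it. The following is an added example, not Symantec's code or part of this document: it parses `netstat -an`-style output, matches the local port against the port inventory from this document's tables, and flags any of those ports that is listening on all interfaces or has a peer outside the corporate address ranges. The corporate ranges and the netstat lines are constructed sample data; TCP 139 is omitted because the document lists it only for installation.

```python
"""Audit netstat-style output for the Symantec AntiVirus 10.x / Symantec Client
Security 3.x ports listed in this document and flag exposure.

Added example, not Symantec's code. CORPORATE_NETS and SAMPLE_NETSTAT are
constructed; on a real host, feed in the output of `netstat -an` instead.
"""
import ipaddress

# Runtime port inventory from the document's tables: (protocol, port) -> component.
SAV_PORTS = {
    ("TCP", 2967): "Rtvscan general communication",
    ("TCP", 2968): "Rtvscan.nlm (NetWare)",
    ("UDP", 2967): "legacy client communication",
    ("UDP", 2968): "legacy client communication (NetWare)",
    ("UDP", 38293): "Intel PDS discovery",
    ("UDP", 38037): "Msgsys (AMS)",
    ("TCP", 38292): "Msgsys (AMS)",
    ("TCP", 2847): "Central Quarantine (HTTP)",
    ("TCP", 2848): "Central Quarantine (HTTPS)",
}

# Constructed: address ranges considered "inside the corporate network".
CORPORATE_NETS = ["10.0.0.0/8", "192.168.0.0/16"]


def split_endpoint(endpoint):
    """'10.1.2.3:2967' -> ('10.1.2.3', 2967); '*:*' (UDP, no peer) -> (None, None)."""
    host, _, port = endpoint.rpartition(":")
    if host == "*" or port == "*":
        return None, None
    return host.strip("[]"), int(port)


def parse_netstat(text):
    """Parse Windows `netstat -an` lines into dicts, skipping headers and blanks."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        local_ip, local_port = split_endpoint(parts[1])
        remote_ip, remote_port = split_endpoint(parts[2])
        rows.append({
            "proto": parts[0],
            "local_ip": local_ip, "local_port": local_port,
            "remote_ip": remote_ip, "remote_port": remote_port,
            "state": parts[3] if len(parts) > 3 else "",
        })
    return rows


def audit(rows, corporate_nets):
    """Return (kind, proto, port, component, detail) findings for SAV ports.

    kind is "listener" for a socket accepting traffic (reported with the bound
    address, so "all interfaces" means 0.0.0.0) or "external-peer" for an
    established connection whose remote address is outside corporate_nets.
    """
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    findings = []
    for r in rows:
        key = (r["proto"], r["local_port"])
        if key not in SAV_PORTS:
            continue
        component = SAV_PORTS[key]
        is_listener = r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote_ip"] is None)
        if is_listener:
            scope = "all interfaces" if r["local_ip"] == "0.0.0.0" else r["local_ip"]
            findings.append(("listener", r["proto"], r["local_port"], component, scope))
        elif r["remote_ip"] and r["remote_ip"] != "0.0.0.0":
            peer = ipaddress.ip_address(r["remote_ip"])
            if not any(peer in net for net in nets):
                findings.append(("external-peer", r["proto"], r["local_port"], component, r["remote_ip"]))
    return findings


# Constructed sample: one SAV server with an internal and an external 2967 peer.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2967           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:2967          10.1.5.9:1042          ESTABLISHED
  TCP    10.1.2.3:2967          203.0.113.7:51234      ESTABLISHED
  UDP    0.0.0.0:38293          *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for finding in audit(parse_netstat(SAMPLE_NETSTAT), CORPORATE_NETS):
        print(*finding)
```

On the sample data the audit reports the 2967 and 38293 listeners bound to all interfaces and the established 2967 connection from 203.0.113.7, which is exactly the traffic a perimeter firewall rule or a Location Awareness policy should be preventing; the internal 10.1.5.9 peer produces no finding.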

References:
For a list of ports that are used in Windows 2003/2000/NT, see the Microsoft document (http://support.microsoft.com/kb/179442/en-us).

For information about the deployment of Windows Firewall settings, see the Microsoft document (http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/depfwset/default.mspx).