Question/Issue:
This document discusses the ports that Symantec AntiVirus Corporate Edition uses for communication between servers and clients.


Solution:
Intel PDS Service
A Windows-based computer running a Symantec AntiVirus server installation runs the Intel PDS Service. Intel PDS listens for ping packets from servers. It responds with a pong packet containing information on how to communicate with RTVScan. Intel PDS listens on UDP port 38293 for ping packets. This value cannot be configured.

Roaming Clients
The SAVRoam service used by roaming clients connects to the server UDP port 2967 with a random port.

RTVScan
RTVScan makes a request to Winsock for UDP port 2967 on IP-based networks and port 33345 on IPX networks. This is the only port needed for client-to-server communication.

These values can be configured by using the following registry values:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPXPort

If the request for the static port fails, then RTVScan uses a dynamic port. This port is assigned by Winsock on that server and can be different each time that you request a port.

Quarantine
See the document Setting up the Symantec Central Quarantine for Symantec AntiVirus Corporate Edition 8.x and 9.x for information about general configuration of Quarantine server and how to modify the TCP ports. Quarantine servers connect to the Digital Immune System using HTTP on TCP port 2847 and HTTPS on TCP port 2848.

Msgsys
Msgsys is an Alert Management System (AMS) process for generating and sending configured AMS alerts. Msgsys communications uses port 38037 and 38292 for both TCP and UDP communication.

Other server-to-server communications
In server-to-server communication, the sending Symantec AntiVirus picks a random port, starting at 1025 and moving up from that point. From that point, traffic is returned on that random port. To allow communication to pass through a firewall or gateway, create rules to allow any port to accept UDP communication on 2967 and 38293, and to allow outbound UDP communication from ports 2967 and 38293:

UDP Allow 2967 to *
UDP Allow 38293 to *
UDP Allow * to 2967
UDP Allow * to 38293

Remote installation
Remote installation tools such as NT Client Install and AV Server Rollout use UDP ports 137 and 138 on the targeted computers. If you are trying to install Symantec AntiVirus onto a computer running Windows XP or Windows 2003, then read the document Windows XP Service Pack 2 or Windows Server 2003 firewall prevents remote installation.

Configuring ports to protect clients
Because these ports are listening for incoming traffic, they should be protected from being accessed from computers that are outside the network. To do so, do the following:

• On the network, block external access to these ports with a perimeter firewall.
• On mobile computers, close the ports when the computer is not on the corporate network. This can be accomplished by blocking any unauthorized network traffic with a firewall rule or by using Location Awareness in Symantec Client Security to differentiate between corporate network traffic and other nonsecure communication.

• Unless otherwise specified, all of these ports use UDP communication.
• See the Microsoft Knowledge Base Article How to Configure a Firewall for Domains and Trusts: Article 179442 for a list of ports used in Windows NT/2000/2003.

Document ID: 2002091816450048
Last Modified: 06/06/2006
Date Created: 09/18/2002
Operating System(s): Windows 98, Windows Me, Windows NT 4.0 SP6a, Windows 2000 Professional, Windows XP Home, Windows XP Professional Edition, NetWare 5.0, NetWare 6.0, NetWare 6.5, Windows Server 2003 32-bit Edition, Windows 2000 Server, Windows XP Media Center Edition 2005
Product(s): Symantec AntiVirus Corporate Edition 8.0, Symantec AntiVirus Corporate Edition 9.0
Release(s): SAV 8.0 [All Releases], SAV 9.0 [All Releases]