Visitor
ryan1
Posts: 6
Registered: ‎05-17-2013

Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?

From what I know:

ccsvchst.exe is a file necessary to open the graphical user interface that lets you interact with the Norton program.

With that said, I have blocked ccsvchst.exe from internet access on my PC.

ccsvchst.exe does not need internet access on my PC it seems because I have tested the firewall and antivirus and it works well even with blocking ccsvchst.exe from internet access.

In my Norton recent history Norton is trying to access dozens of IPs every minute or two.

I have several Norton IPs blocked.

In my opinion there should be a better way to stop sending requests all day long to different servers since I am the type of person that likes to be in control of who my computer is talking to in the background. I used a program called CurrPorts to display the list of all currently opened TCP/IP and UDP ports on my desktop PC to figure out the list below over a course of time.

 

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/17/2013 5:57 PM,Info,"Rule \"Norton things\" blocked (www.mynortonaccount.com (206.204.54.252), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/16/2013 4:41 PM,Info,"Rule \"Norton things\" blocked (hb.lifecycle.norton.com (67.134.208.160), Port www-http(80) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/16/2013 4:20 PM,Info,"Rule \"Norton things\" blocked (shasta-rrs.symantec.com (143.127.102.25), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/16/2013 4:38 PM,Info,"Rule \"Norton things\" blocked (lcsitemain.symantec.com (206.204.54.103), Port www-http(80) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities

Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/17/2013 4:37 PM,Info,"Rule \"Norton things\" blocked (www.mynortonaccount.com (206.204.54.252), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities

 



 

I mean is it really necessary to try and make all these connections when I have Norton Insight Protection, Community Watch, Special Offer Notification, Live updates, Pulse Updates, Automatic download of New Version, Download intelligence and Safe Surfing turned off.    (A tip to limit the Norton thrashing) (Added bonus of turning all these off is Norton is very quiet, activating Live Updates once a week is sufficient for me) 

 

I realize that after a virus scan or after bootup Norton makes a call to check the Norton AntiVirus database.

Even if I let Norton Live Update and I unblock my Custom General Rules for Norton, it goes right back to making dozens of TCP requests.

There should be a button to shut off all Norton outgoing TCP requests to Norton data centers, or Norton should respect the settings I have and not make so many outgoing TCP requests.

Also, I don't know where to put this request to the developers of Norton, but adding Turn on Silent Mode for 1 week would be a big plus in my book because turning on silent mode for 1 day really helps from thrashing away at my Windows system32 folder during background activities.

I have had Norton for the last 8 years and it works really well as a firewall and as an antivirus with the settings I have.

 

 

 

Thank you.
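
A way to tally blocked destinations from a firewall activity export like the one in the post above, added here as an example (not part of the original post and not a Norton tool). The sample rows are entries from the post with the wrapped lines rejoined; the function names and the regular expression are assumptions fitted to those lines.

```python
import csv
import io
import re
from collections import Counter

# Entries from the post above, wrapped lines rejoined (the export escapes quotes as \").
SAMPLE = r'''Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/17/2013 5:57 PM,Info,"Rule \"Norton things\" blocked (www.mynortonaccount.com (206.204.54.252), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities
Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/16/2013 4:41 PM,Info,"Rule \"Norton things\" blocked (hb.lifecycle.norton.com (67.134.208.160), Port www-http(80) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities
Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/16/2013 4:20 PM,Info,"Rule \"Norton things\" blocked (shasta-rrs.symantec.com (143.127.102.25), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities
Category: Firewall - Activities
Date & Time,Risk,Activity,Status,Recommended Action,Category
5/17/2013 4:37 PM,Info,"Rule \"Norton things\" blocked (www.mynortonaccount.com (206.204.54.252), Port https(443) ). Outbound TCP connection.",Detected,No Action Required,Firewall - Activities
'''

# Pattern fitted to the Activity text shown in the post; other message shapes are skipped.
ACTIVITY = re.compile(
    r'Rule "(?P<rule>[^"]+)" blocked \((?P<host>\S+)\s*\((?P<ip>[\d.]+)\),'
    r'\s*Port (?P<service>[\w-]+)\((?P<port>\d+)\)\s*\)\.\s*'
    r'(?P<direction>\w+) (?P<proto>\w+) connection\.')

def parse_blocked(text):
    """Return one dict per blocked-connection row, ignoring banner and header lines."""
    rows = csv.reader(io.StringIO(text), escapechar="\\", doublequote=False)
    events = []
    for row in rows:
        if len(row) != 6 or row[0] == "Date & Time":
            continue  # "Category: ..." banner (1 field) or repeated column header
        m = ACTIVITY.search(row[2])
        if m:
            events.append({"when": row[0], **m.groupdict()})
    return events

def summarize(events):
    """Count blocked outbound attempts per (host, ip, port)."""
    return Counter((e["host"], e["ip"], int(e["port"]))
                   for e in events if e["direction"] == "Outbound")

if __name__ == "__main__":
    for (host, ip, port), n in summarize(parse_blocked(SAMPLE)).most_common():
        print(f"{n:3d}  {host} ({ip}) port {port}")
```
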

 

SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?


ryan1 wrote:

From what I know:

ccsvchst.exe is a file necessary to open the graphical user interface that lets you interact with the Norton program.

With that said, I have blocked ccsvchst.exe from internet access on my PC.


Ccsvchst.exe is the Symantec Service Framework, which hosts the processes of all of the protection components of Norton.  Those protection components are dependent upon frequent updates and the ability to query backend servers about new files and processes that Norton finds on your system.  It's great that you are in control of your PC, but I don't see that blocking Norton from access to the internet accomplishes anything other than negating the new technologies that have been developed to deal with the highly advanced forms of malware that exist today.  Yes, Norton connects out frequently - but the game has changed dramatically since the days when weekly virus signature updates offered adequate protection. 

Visitor
ryan1
Posts: 6
Registered: ‎05-17-2013

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?

 I know that Ccsvchst.exe is the Symantec Service Framework files.

 

Can you explain more about this comment? " the ability to query backend servers about new files and processes that Norton finds on your system".

Does Norton send a list of all file names to these servers to compare against? 

 

 

 

How does blocking Norton from sending anything back to the Norton servers "negate the new technologies"?

 

Thanks for the reply.

Regular Contributor
Gorg
Posts: 68
Registered: ‎12-11-2008

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?

"I mean is it really necessary to try and make all these connections when I have Norton Insight Protection, Community Watch, Special Offer Notification, Live updates, Pulse Updates, Automatic download of New Version, Download intelligence and Safe Surfing turned off.    (A tip to limit the Norton thrashing) (Added bonus of turning all these off is Norton is very quiet, activating Live Updates once a week is sufficient for me) "

------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

I have to ask, why even bother having Norton installed at this point? You have most systems in Norton disabled. They all work in harmony together to keep your computer safe. And by blocking ccsvchst you are crippling Norton.

 

Norton needs to query the backend for updates to all its systems. That's what it's doing with all those outbound requests. But you've crippled Norton to such an extent, it really doesn't matter with all those systems turned off.

 

 

SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?


ryan1 wrote:

 

Can you explain more about this comment? " the ability to query backend servers about new files and processes that Norton finds on your system".

Does Norton send a list of all file names to these servers to compare against? 


Please see the following article:

 

http://community.norton.com/t5/Norton-Protection-Blog/New-Feature-for-Norton-Internet-Security-2010-...

Visitor
ryan1
Posts: 6
Registered: ‎05-17-2013

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?


"I have to ask, why even bother having Norton installed at this point?"


Here is your answer, I have these turned on.
Insight Protection, Antivirus, Antispyware, SONAR Protection, Smart Firewall, Intrusion Prevention, Browser Protection.
I use Malwarebytes often.
When I rarely download something I scan it with Norton and Malwarebytes after I'm done before opening it.
I am not logged in as the Admin on Windows, I created a User account to keep privileges low.
I set Norton boot scan to Aggressive in the Norton computer settings.
I am also behind a configured Cisco NAT Router.

I don't use local-based email (Outlook). I use Yahoo email once in a blue moon and only open things that I am expecting a reply from. So I don't need the email scanner.
I don't use Facebook or Twitter so I don't need to scan my Facebook or Twitter wall.
I don't download many things other than a few programs from reputable sources like Percona database server, WAMP, or Firefox plugins from the actual Mozilla website. I would never download anything from Cnet.com because they use a downloader every time you want to download stuff that is full of toolbars, spyware and other junk.
I also don't store any personal info on my PC (auto-fillers, password storage).

In Norton I use Network/advanced settings/ "Automatic Program Control" off because I know what programs need internet access and which ones don't. This does not lower your security if you know what should have internet access and what should not. For an inexperienced Windows user like your Grandma I would keep program control to Automatic, because she will undoubtedly block necessary programs from accessing the internet.

If one was to get infected with a rootkit then these help a lot. I put them in order of most effective: Unhackme, TDSSKiller, AVG's Rootkit Scanner, Trend Micro rootkit buster, SuperAntiSpyware, Norton Power Eraser, SpybotSD.

Malwarebytes Anti-Rootkit: it is beta and I haven't tried this one yet but I might give it a whirl.
Norton FixTdss (be careful with FixTdss; from reading on forums it has BSOD'd a few people's PCs) (always create a current restore disk before using FixTdss).

If you run TDSS Killer with enable signature verification, it will usually pick up 1 or more unsigned files; therefore scan the file before deletion with one of your favorite antiviruses like Norton or http://www.virustotal.com to see if it is a false positive.

 

ZeroAccess rootkit removal
http://www.bitdefender.com/VIRUS-1000654-en--Rootkit-Sirefef-Gen.html

More info on rootkits
http://www.symantec.com/connect/articles/rootkit-intruder-living-your-kernel

Another way to detect rootkits is by booting from a clean source such as a clean rescue USB or clean rescue CD.
The rootkit normally won't be able to hide itself if it's not running on your system at boot.

If all else fails the only real way to ever trust a computer again is to back up cleaned data,
wipe the hard drive, re-format it and reinstall the operating system. (How to do that properly below.)

Clear the CMOS
Delete all partitions on your hard disk(s) and reformat using DBAN
Turn your computer off after deleting the partition(s) and reformatting the disk(s) for about 5 minutes.
Turn your computer on and reinstall using a legal Windows CD/DVD.
Links on how to clear the CMOS and Wipe the hard-drive:
http://pcsupport.about.com/od/fixtheproblem/tp/clearcmos.htm
http://www.dban.org/

 

 


More on NAT From https://www.grc.com/nat/nat.htm
Here is a quick good read too, it's under Security and Administration
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml#secadmin

"When any incoming packets arrive at the router from the Internet, the router scans its
"current connections" table to see whether this data is expected by looking for the remote IP
and port number in the current connections table. If a match is found, the table entry also
tells the router which computer in the private LAN is expecting to receive the incoming traffic
from that remote address. So the router re-addresses (translates) the packet to that
internal machine and sends it into the LAN.
And here's the really good part:
If the arriving packet does not exactly match traffic that is currently expected by the router,
the router figures that it's just unwanted "Internet noise" and discards the unsolicited packet
of data.
With a NAT router protecting your connection to the Internet — even if you only have
one computer on the LAN behind the router — none of the Internet scanning and worms and
hackers and other annoying and malicious Internet nonsense can get to your computer or
computers.
If the NAT router isn't already expecting the incoming data, because one of the machines on
the LAN asked for it from the Internet, the router silently discards it and your private
network is never bothered."


And to answer your last statement, I get to choose when Norton updates, not Norton.
Norton is quite stable and very effective on "my" system and I do not believe it to be
crippling for me to let Norton update once a week.
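
A minimal model of the connection table described in the quoted GRC text, added here as an example and not code from the post or from any router; the class name, port numbers, idle timeout and addresses are constructed. It matches strictly on remote IP and port as the quote describes, and it shows that the table only decides what may come in: outbound connections are never filtered by it.

```python
class NatRouter:
    """Toy model of the NAT behaviour quoted above (strict match on remote IP and port)."""

    def __init__(self, idle_timeout=120):
        self.idle_timeout = idle_timeout  # seconds; constructed value
        self.next_port = 40000            # first public port handed out; constructed value
        # (public_port, remote_ip, remote_port) -> [lan_ip, lan_port, last_seen]
        self.table = {}

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port, now):
        """A LAN host opens a connection: always allowed, and it creates the table entry."""
        for key, entry in self.table.items():
            if key[1:] == (remote_ip, remote_port) and entry[:2] == [lan_ip, lan_port]:
                entry[2] = now            # existing flow: refresh the idle timer
                return key[0]
        public_port = self.next_port
        self.next_port += 1
        self.table[(public_port, remote_ip, remote_port)] = [lan_ip, lan_port, now]
        return public_port

    def inbound(self, remote_ip, remote_port, public_port, now):
        """Return (lan_ip, lan_port) for expected traffic, or None when it is discarded."""
        key = (public_port, remote_ip, remote_port)
        entry = self.table.get(key)
        if entry is None:
            return None                   # unsolicited: no LAN machine asked for it
        if now - entry[2] > self.idle_timeout:
            del self.table[key]           # stale entry: treated as unsolicited
            return None
        entry[2] = now
        return (entry[0], entry[1])

if __name__ == "__main__":
    router = NatRouter()
    # Addresses below are documentation/private ranges, constructed for the example.
    port = router.outbound("192.168.1.10", 50000, "198.51.100.7", 443, now=0)
    print("reply from contacted server ->", router.inbound("198.51.100.7", 443, port, now=5))
    print("packet from unrelated host  ->", router.inbound("203.0.113.9", 443, port, now=6))
```
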

Visitor
ryan1
Posts: 6
Registered: ‎05-17-2013

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?


Thanks for the help Mr. 

 

The Norton help file on my PC for most of the settings mirrors the article you pointed to.

I do not have Download Insights turned on and the aforementioned article is irrelevant to my settings.

Unfortunately, this does not solve the problem of the things gone awry (unexpected behavior) of Norton having updates turned off and all settings that are related to Norton accessing the internet turned off. What is it trying to update if it's told not to update?

Any program that is told not to do something should do exactly that, not do it. If I turn off Live Updates and it still tries to make TCP connections to Norton servers then a simple statement and Boolean value of " if User LUpdates = var Off then return null " or " if User _Settings = var Off then return null " would do the trick for outbound connection limiting.

I am afraid only someone with system internal knowledge could answer my question correctly it seems.

Who do I email as a developer of Norton that would be able to make changes to the source code to respect setting changes that would lower outbound TCP connections?

 

Thanks for the help anyway.

Bot Obliterator
Quads
Posts: 16,530
Registered: ‎07-21-2008

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?

This thread just makes me say

 

OUCH  POOR SYSTEM!

 

 

Quads

Visitor
ryan1
Posts: 6
Registered: ‎05-17-2013

Re: Blocking ccsvchst.exe from internet access, Mass Norton Outbound TCP connection's?

This comment just makes me say

 

OUCH POOR COMMENT!