Newbie
mmann3
Posts: 1
Registered: ‎03-01-2011

Large numbers of UDP packet blocks & other blocks reporting

There have been several dozen (if not several hundred) of these hits on Norton's 'Recent Activity' log in the past 3 days. They often occur in groups of 5-15 hits, all within seconds of each other, and then might not occur for another 2-5 minutes before another burst occurs.

 

Rule "Default Block UPnP Discovery" stealthed (192.168.1.103, Port ssdp(1900) ).
Inbount UDP packet
Local address, service is (239.255.255.250, Port ssdp(1900) ).
Remote address, service is (192.168.1.103, Port (56405) ).
Process name is "C:\\Windows\system32\svchost.exe".

Rule "Default Block UPnP Discovery" stealthed (fe80::a46d:ef9b:16d9:1ad, Port ssdp(1900) ).
Inbound UDP packet.
Local Address, service is (ff02::0c, Port ssdp(1900) ).
Remote address, service is (fe80::a46d:ef9b:16d9:1ad, port (56403) ).
Process name is: "C:\\Windows\system32\svchost.exe".

Rule "Default Block LLMNR" stealthed (192.168.1.103, Port (5355) ).
Inbound UDP packet.
Local address, service is (224.0.0.252, Port (5355) ).
Remote address, service is (192.168.1.103, Port (60023) ).
Process name is: "C:\\Windows\system32\scvhost.exe"

Rule "Default Block LLMNR" stealthed (fe80::a46d:ef9b:16d9:1ad, Port (58452) ).
Inbound UDP packet
Local address, service is (ff02::01:03, Port (5355) ).
Remote address, service is (fe80::a46d:ef9b:16d9:1ad, Port (58452) ).
Process name is "C:\\Windows\system32\svchost.exe".

Rule "Default Block Web Service Discovery" blocked (192.168.1.105, Port (3702) ).
Inbound UDP packet
Local address, service is (239.255.255.250, Port (3702) ).
Remote address, service is (192.168.1.105, Port (56265) ).

Rule "Default Block Web Service Discovery" blocked (fe80::edfc:dd5b:2f0d:a544, Port (3702) ).
Inbound UDP packet
Local address, service is (ff02::0c, Port (3702) ).
Remote address, service is (fe80::edfc:dd5b:2f0d:a544, Port (56266) ).

I'm unsure if these had been happening in the past and I was unaware, but my attention was drawn to them when checking the history because of the following type of notice popping up:

Unauthorized Access Logged (Access Process Data)
Actor: c:\program files (x86)\ca\pprt\bin\imtrtsvc.exe
Actor PID: 2812 (though checking the log I found a bunch of these types in the past with various PIDs)
Target: c:\Program Files (x86)\Norton Security Suite\Engine\3.8.0.41\ccSvcHst.exe
Target PID: 3008
Action: Access Process Data
Reaction: Unauthorized access logged

I connect to the internet via a router that runs from my father's PC, and also runs internet supply to my sister's PC. I have not checked her machine, but Norton on my father's machine reports several blocks on the 'Open Port' (which I believe is our Wireless port). We are not 'networked' together, according to him. I am unsure if his BlackBerry/iPod might be using the wireless connection, which is his guess. I'm something of a 'how it works' novice, so I have no clue what's really going on there.

 

Any advice/tips would be greatly appreciated. I would love some peace of mind.

delphinium
Posts: 9,862
Kudos: 2,965
Solutions: 293
Registered: ‎11-21-2008

Re: Large numbers of UDP packet blocks & other blocks reporting

Hi mmann3:

 

Because Norton logs everything, you end up with a soup of firewall entries.  The unauthorized access blocked is not a threat to your machine.  Since everything has to access Norton, what you are seeing is Norton limiting or blocking that access to itself.  You can quite cheerfully clear all the items in that log on a regular basis.

 

With the others, UDP is sort of a general call, similar to dear occupant, while your machine checks for other machines on the system, talks to the router, and talks to itself.  This one is used:

 

Rule "Default Block UPnP Discovery" stealthed (fe80::a46d:ef9b:16d9:1ad, Port ssdp(1900) ).
Inbound UDP packet.
Local Address, service is (ff02::0c, Port ssdp(1900) ).
Remote address, service is (fe80::a46d:ef9b:16d9:1ad, port (56403) ).
Process name is: "C:\\Windows\system32\svchost.exe".

 

When UPnP devices wish to announce themselves, or "shout out" to find out what other UPnP devices are hanging around on the network, they issue a UDP message aimed at port 1900 of the special IP address [239.255.255.250]. This special "multicast" broadcast address has been set aside for UPnP devices and will be received by all of them listening on UDP port 1900.

 

This one is used:

 

Rule "Default Block LLMNR" stealthed (192.168.1.103, Port (5355) ).
Inbound UDP packet.
Local address, service is (224.0.0.252, Port (5355) ).
Remote address, service is (192.168.1.103, Port (60023) ).
Process name is: "C:\\Windows\system32\scvhost.exe"


This protocol implements simple exchange of message requests and replies in resolving related system names using IPv6 or IPv4 addressing. The port 5355 lays out the framework for this system.

The items in your log appear to be normal traffic. If the communications are not used or required according to system settings, the ports are stealthed and the messages unanswered.

 

 

SendOfJive
Posts: 10,755
Kudos: 4,795
Solutions: 776
Registered: ‎02-07-2009

Re: Large numbers of UDP packet blocks & other blocks reporting

Hi mmann3,

 

These are all normal communications that are confined to your Local Area Network.  They mostly involve multicast shoutouts among the devices on your network to announce their presence to the other devices.  Because you do not have file sharing enabled, Norton blocks these by default.  If you were to use file sharing, where communicating with other computers on your network would be necessary, Norton would allow these in order to make it easier for the devices to find each other.  In any event, these communications all use local addresses that cannot be routed on the internet, and your router prevents unsolicited traffic from the internet from ever reaching your computer.  So you are completely safe and cannot be attacked from outside of your router.

 

The "Unauthorized Access" entry is a Norton Product Tamper Protection event.  Tamper Protection prevents any outside program from accessing Norton files or processes in order to keep your protection from being disrupted or compromised.  These are also normal and do not represent a threat to your system.

 

For an explanation of the protocols seen in your firewall logs, see the following:

http://en.wikipedia.org/wiki/Simple_Service_Discovery_Protocol
http://en.wikipedia.org/wiki/Universal_Plug_and_Play
http://en.wikipedia.org/wiki/Link-local_Multicast_Name_Resolution
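
The check both replies apply by eye, as an added example that is not part of the original thread: it parses firewall entries in the layout quoted above and marks one as benign only when a private or link-local source sent to the expected discovery multicast group and port. The function names and the regex are assumptions built from the entries shown in the posts; the second sample entry is constructed and uses a documentation address.

```python
import ipaddress
import re

# UDP port -> (protocol, multicast groups used for LAN discovery)
DISCOVERY = {
    1900: ("SSDP/UPnP", {"239.255.255.250", "ff02::c"}),
    5355: ("LLMNR", {"224.0.0.252", "ff02::1:3"}),
    3702: ("WS-Discovery", {"239.255.255.250", "ff02::c"}),
}
# Private and link-local source ranges, which are not routed on the internet
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]
ENDPOINT = re.compile(
    r"(Local|Remote) address, service is \(([0-9a-fA-F:.]+), port \w*\((\d+)\)", re.I)

def parse_entries(log_text):
    """Yield {'local': (ip, port), 'remote': (ip, port)} per blank-line-separated entry."""
    for block in re.split(r"\n\s*\n", log_text.strip()):
        ends = {side.lower(): (ipaddress.ip_address(ip), int(port))
                for side, ip, port in ENDPOINT.findall(block)}
        if {"local", "remote"} <= ends.keys():
            yield ends

def classify(entry):
    """Benign only if a LAN source sent to the expected multicast group and port."""
    (dst, dport), (src, _) = entry["local"], entry["remote"]
    proto, groups = DISCOVERY.get(dport, (None, set()))
    on_lan = any(src in net for net in LOCAL_NETS)
    if proto and str(dst) in groups and on_lan:
        return f"benign: {proto} discovery from LAN host {src}"
    return f"review: {src} -> {dst} port {dport}"

# First entry is from the thread; the second is constructed for contrast.
SAMPLE = """\
Rule "Default Block LLMNR" stealthed (fe80::a46d:ef9b:16d9:1ad, Port (58452) ).
Inbound UDP packet
Local address, service is (ff02::01:03, Port (5355) ).
Remote address, service is (fe80::a46d:ef9b:16d9:1ad, Port (58452) ).

Rule "Constructed rule" blocked (203.0.113.7, Port (1900) ).
Inbound UDP packet
Local address, service is (192.168.1.103, Port ssdp(1900) ).
Remote address, service is (203.0.113.7, Port (40000) ).
"""

if __name__ == "__main__":
    for e in parse_entries(SAMPLE):
        print(classify(e))
```

An entry that comes back as "review" is not necessarily hostile; it only means the source or destination falls outside the LAN discovery pattern the replies describe.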