Does anybody know where the pulse updates are supposed to originate from? When I run NIS with pulse updates turned "on", my port monitoring software says that the updates are coming in over a TCP connection to a foreign country.
Thanks.
Hi Rich
I would say that it is probably right. However, they are probably coming from various places depending where you are located.
From what I believe, it's probable they won't come from any one country, since Symantec is international and has servers all over the world -- in fact support and attack detection is deliberately spread out across 3 time zones to give 24-hour active coverage.
See if Norton Staff are in a position to comment further.
Thank you for your reply. I would expect that a company like Symantec would have regional update servers.
However, what I am concerned about is that the IP addresses from which my pulse updates are coming are not registered in the name of Symantec. The registration belongs to some other company that seems to have no relationship at all with Symantec, and which has its headquarters in yet another foreign country. This makes me wonder whether the updates are real or whether they might be bogus updates spoofed from some kind of decoy update site. I would have expected to see that the registration of the IP address was with Symantec. Other antivirus companies have regional update servers, but their server IP addresses are properly registered by their parent companies.
Because of this, I have now switched off both Pulse Updates and Instant Updates, both of which connect routinely to these non-Symantec IP addresses. Now my system no longer connects to these sites every 5 minutes. I would be much more confident if the IP addresses for the updates possessed Symantec registration.
This is what I call Paranoid,
A lot of companies use servers based all over the world, and even then the I.P. address is registered to the company that in some instances owns the server(s) or runs / maintains the servers.
Turning off updates and not updating Norton will cause the definitions to become out of date, thus Norton is not as effective due to not being kept current.
If the user manually runs updates, you would more than likely connect to the same servers anyway (same I.P. range).
Found this by a Symantec employee, though things may have changed.
Quads
Quads,
Thank you for your reply and for the quotation you gave from the Symantec employee. It's reassuring to get information from Symantec itself.
The online Help sections on LiveUpdate and Pulse Updates are somewhat general and don't really make it clear how the updating and streaming processes work.
One of the other points for which I would like to get some Symantec feedback or confirmation is the issue of multiple update servers. In my case, each time the system did a 5-minute update it opened up a new TCP connection to a different IP address but within the same subnet -- all to the same foreign country. In the course of a day (12 pulse updates per hour, for 8 hours) the system accessed around a hundred different IP addresses to carry out the different LiveUpdates and pulse updates. I don't think it ever re-used the same IP address twice -- at least not that I can recall. Maybe this is intentional, and by design, perhaps to make the pulse update servers moving targets that would be less susceptible to denial-of-service attacks or whatever. I just don't know. Some clarification on this would be appreciated. I would just like to be reassured that my system has not somehow been hijacked, with the "updates" coming in from some bogus source.
I looked at the log file for the automatic update system a while ago and I remember that it said it checked some signatures. Thus I believe the authenticity of the updates is protected with cryptographic signatures, which is way stronger than checking IP addresses. I'd go so far as to say that checking IP addresses is useless when it comes to good security, because they can be spoofed.
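The signature check described in the post above, as an added example (not code from this thread or from Symantec): it assumes an Ed25519 vendor key and hypothetical mirror host names, and shows that whether an update is trusted depends on the signature alone, not on which host served it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Update models a definition update as it arrives over the wire: the
// payload bytes plus a detached signature made with the vendor's key.
type Update struct {
	SourceHost string // hypothetical mirror name, illustration only
	Payload    []byte
	Signature  []byte
}
// VerifyUpdate accepts the update only if the signature checks out against
// the vendor public key shipped with the product; the source host is ignored.
func VerifyUpdate(vendorPub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(vendorPub, u.Payload, u.Signature)
}

// SignUpdate stands in for the vendor's release pipeline (constructed here so
// the example runs offline; a real vendor signing key never leaves the vendor).
func SignUpdate(priv ed25519.PrivateKey, host string, payload []byte) Update {
	return Update{SourceHost: host, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// Demo: the same signed payload is accepted from any mirror, while a payload
// altered in transit or signed with some other key is rejected.
func Demo() (fromMirrorA, fromMirrorB, tampered, wrongKey bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	defs := []byte("constructed sample definition update v1")
	a := SignUpdate(vendorPriv, "mirror-a.example", defs)
	b := SignUpdate(vendorPriv, "mirror-b.example", defs) // other host, same key
	fromMirrorA, fromMirrorB = VerifyUpdate(vendorPub, a), VerifyUpdate(vendorPub, b)
	t := a // copy, then flip one bit in a private copy of the payload
	t.Payload = append([]byte{}, defs...)
	t.Payload[0] ^= 0x01
	tampered = VerifyUpdate(vendorPub, t)
	w := SignUpdate(otherPriv, "mirror-a.example", defs) // "right" host, wrong key
	wrongKey = VerifyUpdate(vendorPub, w)
	return
}

func main() {
	a, b, t, w := Demo()
	fmt.Println(a, b, t, w) // true true false false
}
```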
Rich,
I appreciate your concern and everyone should be cautious but in the security business I think we users have to accept that it would be self-defeating to answer questions about how the security system works!
Symantec have a first class reputation both for home users and enterprise and personally I rely on that. But I'm careful where I go on the internet too!
Please re-enable the updating you have turned off or you are throwing out more than the baby with the bathwater!
If you want some additional assurance about your own system then do run updated versions of Malwarebytes and SuperAntiSpyware to make sure you have not been infected.
Hi Rich
I would think it would be safer to have updates come from different servers all the time. You have to remember that there are millions of computers in the world that are using Symantec servers for updating. Every computer is on a different schedule. Some are on 24/7, some are on at different times, some are on for an hour one day and all day the next day. There are all kinds of conditions. You can't be stuck to one update server since people are using their computers at all different times of the day and night, let alone all the different time zones in the world. The update server you connect to is based also on how busy it is. I'm sure you wouldn't want to have to wait an hour for an update at one particular server when you can get the same update from another one which at that particular second isn't as busy. These pulse updates are coming out all the time to keep your computer as safe as possible provided you do your part also. Turning off updates and pulse updates isn't doing your part in trying to keep your computer safe. If Symantec didn't have as many update servers you would be waiting for updates for weeks till it got to be your turn for the update. Remember also, that there are always changes in the people who are using Symantec products. You get connected to the one you can get connected to in the least amount of time as possible. It's just like the routing to any other site. It's never constant and always the same.
Thank you for your reply. I have now re-enabled LiveUpdates and now have my virus definitions up-to-date. I have also run an updated copy of MalwareBytes and it did not find any threats on my system.
My system is still getting its updates from the same subnet overseas, however, but I guess that's OK, given the comments that I have received so far.
I'll wait a day or so more to see if I get any comments from Symantec employees that might help me determine for sure whether my system is getting its updates from the proper source. At this point I understand things a lot better, but my main question still has not really been answered, at least not explicitly: Why are my Symantec virus updates coming from a subnet that is not registered to Symantec?
So, I'll check back in a day or so to see if any further insights have been posted.
Thanks again for your helpful comments and explanations.
Symantec is a security company and the last thing they would be doing is putting users at risk...