I currently use Norton 360 (and have used Norton for well over 10 years now)...
I can see 1, 2, and at times 3 TCP ports held open by the N360.exe (I assume that is normal for pulse updates etc)
But my router logs show hundreds of unsolicited (remotely initiated) inbound traffic on port 80 to my IP address attempted from Symantec IP addresses over the past 20 days. (this has only started happening over the past month)
This has seemed to grow in number over the past month with 35 attempts just yesterday alone... In comparison I have seen single instances of this same thing from 3 other (non-Symantec) IP's in the past 3 days
[DoS Attack: ACK Scan] from source: 143.127.93.109, port 80, Sunday, August 17,2014 02:26:06
[DoS Attack: ACK Scan] from source: 143.127.93.123, port 80, Sunday, August 17,2014 03:03:35
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:19:33
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:20:08
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:20:48
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:21:23
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:22:03
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:22:38
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:23:18
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:23:53
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:24:33
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:25:08
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:25:48
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:26:23
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:27:03
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:27:38
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:28:18
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:28:53
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 06:29:33
[DoS Attack: ACK Scan] from source: 143.127.93.103, port 80, Sunday, August 17,2014 06:30:08
[DoS Attack: ACK Scan] from source: 143.127.93.104, port 80, Sunday, August 17,2014 08:23:38
[DoS Attack: ACK Scan] from source: 143.127.93.105, port 80, Sunday, August 17,2014 08:44:11
[DoS Attack: ACK Scan] from source: 143.127.93.105, port 80, Sunday, August 17,2014 08:46:41
[DoS Attack: ACK Scan] from source: 143.127.93.105, port 80, Sunday, August 17,2014 08:50:26
[DoS Attack: ACK Scan] from source: 143.127.93.105, port 80, Sunday, August 17,2014 08:51:41
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 21:02:38
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 21:05:08
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 21:06:23
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 21:10:08
[DoS Attack: ACK Scan] from source: 143.127.93.106, port 80, Sunday, August 17,2014 21:11:23
[DoS Attack: ACK Scan] from source: 143.127.93.90, port 80, Sunday, August 17,2014 23:17:38
[DoS Attack: ACK Scan] from source: 143.127.93.90, port 80, Sunday, August 17,2014 23:20:08
[DoS Attack: ACK Scan] from source: 143.127.93.90, port 80, Sunday, August 17,2014 23:22:38
[DoS Attack: ACK Scan] from source: 143.127.93.90, port 80, Sunday, August 17,2014 23:25:08
[DoS Attack: ACK Scan] from source: 143.127.93.90, port 80, Sunday, August 17,2014 23:27:38
35 in a single day... come on that gets old fast...
NOTE: varying IPS and some are within 30 seconds of one another...
Why would Symantec be attempting to make new unsolicited connections to my IP at all, when there are already connections established? (and isn't that really a failure to follow basic Internet connectivity security protocols?)
I also attached the reports from Saturday, July 26,2014 10:50:28 through Sunday, August 17,2014 23:27:38