TOPIC: Norton Liveupdate musings

Norton Liveupdate musings 12 years 11 months ago #2085

  • sahirh
I'm not a fan of automatic update programs... I'm one of those idiots who has a computer that will do things automatically and I insist on doing it manually... that said... I really don't like automatic update programs.

However when it comes to virus definitions I leave Norton's LiveUpdate on... so every so often it grabs a few 100kb instead of me having to download 3-4 MB files.

Anyway I was bored so I was watching connections in TCPView (I'm on medication that is supposed to suppress this urge) and I find lucom~1.exe connecting HTTP to a weird IP... an Indian IP (yes I can magically look at IP addresses and tell which geographical region they're from.. you can gain access to the cool tutorial that teaches this by voting for us at Alexa and writing a five star review).

I figured it wasn't that strange, maybe they have an Indian mirror for the liveupdates.. not that I like the idea of that, because you don't know how secure the mirror you're downloading from is. So I whois'd etc the IP..

It seems to belong to a company called Jasubhai ... all you Indians will know this must be Jasubhai Digital Media, the people who publish Chip computer magazine in India...

I hit the webserver and it runs Akamai Ghost (That's part of the Akamai caching system that lotsa big companies like Microsoft use, isn't it?) and the webserver doesn't understand normal HTTP requests...

While this is probably not a security issue, I'm very intrigued in figuring out the liveupdate session and its protocol.. I'm not in a position to capture packets (ppp connection woes :( ) If anyone has a capture of a liveupdate session I'd really like to have a look at it...

If you're from a different geographical region you could lemme know where your liveupdate connects to... if lots of people find regional IPs then I'll be much more at ease.

Sorry about the massive post, I'm just quite intrigued by this.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Norton Liveupdate musings 12 years 11 months ago #2087

  • Neon
I captured a session of live update and it connects to 61.9.129.201. Don't know if it's the same IP address which you described.

I would post the captured file, but I'm out on anywhere to store it.
This page got any data dump? :) If not, it should :D

Re: Norton Liveupdate musings 12 years 11 months ago #2088

  • tfs
I'm not sure which IP mine is connecting to - where are you finding this?

I only let Live update for Norton work, as you need to make sure the viruses are updated NOW. Could be a problem if you do it manually and forget to do it.

But I don't automatically update anything else. I have been severely screwed before (happened with SQL Server 6.5 - where the update wiped out your data if you were on version 3, I believe). That was not fun. Never again.

:evil: :evil:
Thanks,

Tom

Re: Norton Liveupdate musings 12 years 11 months ago #2089

  • Neon
tfs,

I found the IP it was connecting to through ettercap, a capture program. But a more appropriate program would be TCPView, posted by sahirh here: http://www.firewall.cx/modules.php?name=Forums&file=viewtopic&t=259

It's basically a very nice GUI version of netstat :)

Re: Norton Liveupdate musings 12 years 11 months ago #2091

  • tfs
Actually, I used TCPView and when I ran LiveUpdate, it was going to 207.151.118.142.
Thanks,

Tom

Re: Norton Liveupdate musings 12 years 11 months ago #2092

  • Neon
To fix my last post, the IP that LUCOMS~1.EXE was connecting to is 203.134.38.238

not 61.9.129.201 which I posted before :)