
TOPIC: Norton Liveupdate musings

Norton Liveupdate musings 14 years 9 months ago #2085

  • sahirh (Topic Author)
I'm not a fan of automatic update programs... I'm one of those idiots who has a computer that will do things automatically and I insist on doing it manually... that said... I really don't like automatic update programs.

However when it comes to virus definitions I leave Norton's liveupdate on... so every so often it grabs a few 100kb instead of me having to download 3-4 MB files.

Anyway I was bored so I was watching connections in TCPView (I'm on medication that is supposed to suppress this urge) and I find lucom~1.exe connecting HTTP to a weird IP... an Indian IP (yes I can magically look at IP addresses and tell which geographical region they're from.. you can gain access to the cool tutorial that teaches this by voting for us at alexa and writing a five star review).

I figured it wasn't that strange, maybe they have an Indian mirror for the liveupdates.. not that I like the idea of that, because you don't know how secure the mirror you're downloading from is. So I whois'd etc the IP..

It seems to belong to a company called Jasubhai ... all you Indians will know this must be Jasubhai Digital Media the people who publish Chip computer magazine in India...

I hit the webserver and it runs Akamai Ghost (That's part of the Akamai caching system that lotsa big companies like Microsoft use, isn't it?) and the webserver doesn't understand normal HTTP requests...

While this is probably not a security issue, I'm very intrigued in figuring out the liveupdate session and its protocol.. I'm not in a position to capture packets (ppp connection woes :( ) If anyone has a capture of a liveupdate session I'd really like to have a look at it...

If you're from a different geographical region you could lemme know where your liveupdate connects to... if lots of people find regional IPs then I'll be much more at ease.

Sorry about the massive post, I'm just quite intrigued by this.
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com

Re: Norton Liveupdate musings 14 years 9 months ago #2087

  • Neon
I captured a session of live update and it connects to 61.9.129.201. Don't know if it's the same IP address which you described.

I would post the captured file, but I'm out of anywhere to store it.
This page got any data dump? :) If not, it should :D

Re: Norton Liveupdate musings 14 years 9 months ago #2088

  • tfs
I'm not sure which IP mine is connecting to - where are you finding this?

I only let Live update for Norton work, as you need to make sure the viruses are updated NOW. Could be a problem if you do it manually and forget to do it.

But I don't automatically update anything else. I have been severely screwed before (happened with SQL Server 6.5 - where the update wiped out your data if you were on version 3, I believe). That was not fun. Never again.

:evil: :evil:
Thanks,

Tom

Re: Norton Liveupdate musings 14 years 9 months ago #2089

  • Neon
tfs,

I found the IP it was connecting to through ettercap, a capture program. But a more appropriate program would be TCPView, posted by sahirh here: http://www.firewall.cx/modules.php?name=Forums&file=viewtopic&t=259

It's basically a very nice GUI version of netstat :)

Re: Norton Liveupdate musings 14 years 9 months ago #2091

  • tfs
Actually, I used TCPView and when I ran LiveUpdate, it was going to 207.151.118.142.
Thanks,

Tom

Re: Norton Liveupdate musings 14 years 9 months ago #2092

  • Neon
To fix my last post, the IP that LUCOMS~1.EXE was connecting to is 203.134.38.238

not 61.9.129.201 which I posted before :)