Wilders Security Forums  

#1
March 3rd, 2010, 11:09 PM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I'm using my 1 year Vipre Antivirus premium. I have it all installed and configured. I did my first deep scan and everything is green. Now in the bottom right corner it says it's blocked 1719 risks since the deep scan was done and statistics were reset.

I checked out the firewall where most of the "risks" come from. In network rules I have several outgoing IGMP attempts per minute that occur every 5 minutes on the dot. It's a system-initialized connection attempt to IP 224.0.0.22, all originating from my IPv4 IP address.

Anyone have any idea what this IGMP connection is?

I also checked the firewall log for other issues that appear in the masses. I have IDS (Intrusion Detection Systems) turned on. There are multiple port scans that fall under ID 442 (VIPRE classifications I suppose) all coming from different IP addresses. A few of them have tried 10+ times.
__________________
|Kaspersky Anti-Virus 2013|Private Firewall|HitmanPro|MBAM|Keriver Image|WinPatrol Plus|

Looking for volunteer authors to write articles, reviews, and How-Tos. If you think you have what it takes, contact me.
|http://pc-babble.com/|

Last edited by whitedragon551 : March 3rd, 2010 at 11:18 PM.
#2
March 3rd, 2010, 11:14 PM
Triple Helix
Prevx Forum Helper
Join Date: Nov 2004
Location: Oshawa, Ontario
Posts: 9,606
Re: VIPRE Firewall

Quote:
Originally Posted by whitedragon551
I'm using my 1 year Vipre Antivirus premium. I have it all installed and configured. I did my first deep scan and everything is green. Now in the bottom right corner it says it's blocked 1719 risks since the deep scan was done and statistics were reset.

I checked out the firewall where most of the "risks" come from. In network rules I have several outgoing IGMP attempts per minute that occur every 5 minutes on the dot. It's a system-initialized connection attempt to IP 224.0.22

Anyone have any idea what this IGMP connection is?

Maybe it would be better to ask your Questions here http://supportforums.sunbeltsoftware...aspx?forumid=2 Some info here http://www.et.put.poznan.pl/tcpip/igmp/igmp_intro.htm

TH
__________________
Triple Helix - Microsoft® MVP Consumer Security 2012/14

VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)

Webroot® SecureAnywhere™ Complete 2013 Closed Beta Tester v8.0.2.145 - VoodooShield 1.08 - Windows 7 Ultimate 64bit and all Windows OS's from XP to Win 8 on VM's.
#3
March 3rd, 2010, 11:21 PM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I didn't really want to sign up for another forum, but I may have to. I figured there may be enough knowledgeable people around here.
#4
March 4th, 2010, 12:33 AM
vijayind
Very Frequent Poster
Join Date: Aug 2008
Posts: 1,413
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

IGMP is mostly used for IPTV. So if you are a triple play customer, this should be normal since the same CPE/Modem is used.
Periodically the CPE will send data to your Video Control Server to inform it which channels you are watching or that no channel is in use. This enables precise use of bandwidth.

Port scans!! I have no idea what those VIPRE IDs mean. Better check with Sunbelt.
#5
March 4th, 2010, 08:41 AM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I have DSL internet through AT&T. I have cable TV through Comcast. I don't have IPTV.
#6
March 4th, 2010, 08:59 AM
SIR****TMG
Frequent Poster
Join Date: May 2004
Posts: 534
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

Wow, this is news indeed
__________________
Programs : VIPRE Antivirus Premium , KeyScrambler Premium , Ad Muncher Lifetime , Sandboxie Paid , AppGuard paid , Time Freeze paid , NoVirusThanks EXE Radar Pro paid...............Prayer and a tiny bit of common sense I'm a belt and suspenders kind of guy,when it comes to security....
#7
March 4th, 2010, 09:44 AM
s23
Frequent Poster
Join Date: Feb 2009
Posts: 260
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I think it is the same type of connection that normal home users do not need, like SSDP (UDP 1900) and UDP 5355 (LLMNR, which connects to the same range you mentioned), isn't it?
#8
March 4th, 2010, 10:23 AM
NickHSunbelt
Support Specialist
Join Date: Apr 2009
Location: Clearwater, Florida
Posts: 176
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I also responded to this on our support forums but thought I'd also post this here.

The 224.0.0.22 is just a multicast address which isn't something you should worry about. You can safely block this with the firewall although this wouldn't leave the local network. Something like UPnP could cause this.

This IDS rule 442 would fall under the low priority intrusions so definitely isn't something you need to worry about. By default the low and medium priority intrusions are set to allow because they are generally not considered to be serious threats. Port scans can have legitimate uses in managing networks but it can also be from someone looking for an access point to your system. It shouldn't cause any harm to continue blocking this.
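
Added example, not part of any post in this thread and not VIPRE code: a parser for the IGMPv3 membership report (type 0x22) that a host sends to 224.0.0.22, showing how to read from a captured packet which multicast groups the machine is joining, such as the SSDP/UPnP and LLMNR groups mentioned above. The sample packet, the `KNOWN_GROUPS` table and all function names are constructed for illustration.

```python
import ipaddress
import struct

# Well-known groups (protocol constants; the table itself is constructed here).
KNOWN_GROUPS = {
    "239.255.255.250": "SSDP / UPnP discovery (UDP 1900)",
    "224.0.0.252": "LLMNR (UDP 5355)",
}
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE",
                4: "CHANGE_TO_EXCLUDE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}

def stays_on_link(dst: str) -> bool:
    """224.0.0.0/24 is the local network control block; routers do not forward it."""
    return ipaddress.ip_address(dst) in ipaddress.ip_network("224.0.0.0/24")

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum; a valid message checks to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmpv3_report(payload: bytes) -> list:
    """Return (record type, group address, likely service) per group record."""
    if len(payload) < 8 or payload[0] != 0x22:
        raise ValueError("not an IGMPv3 membership report (type 0x22)")
    if inet_checksum(payload) != 0:
        raise ValueError("bad IGMP checksum")
    (count,) = struct.unpack_from("!H", payload, 6)
    records, offset = [], 8
    for _ in range(count):
        if offset + 8 > len(payload):
            raise ValueError("truncated group record")
        rtype, aux_words, nsrc, group = struct.unpack_from("!BBH4s", payload, offset)
        offset += 8 + 4 * nsrc + 4 * aux_words  # skip source list and auxiliary data
        addr = str(ipaddress.IPv4Address(group))
        records.append((RECORD_TYPES.get(rtype, f"type {rtype}"), addr,
                        KNOWN_GROUPS.get(addr, "unknown group")))
    if offset > len(payload):
        raise ValueError("truncated source list")
    return records

def build_sample_report(groups) -> bytes:
    """Constructed sample: one CHANGE_TO_EXCLUDE (join) record per group."""
    body = b"".join(struct.pack("!BBH4s", 4, 0, 0, ipaddress.IPv4Address(g).packed)
                    for g in groups)
    msg = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(groups)) + body
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]
SAMPLE = build_sample_report(["239.255.255.250", "224.0.0.252"])
```

To use it on real traffic, pass the IGMP payload (IP protocol 2) of a captured packet to `parse_igmpv3_report`; the group list shows which local service is generating the reports.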
#9
March 4th, 2010, 10:34 AM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I got it. Thanks.

I figured I can cut down on the resource usage and the intrusion detection messages if I disable log port scans. Is that something I should do? I haven't implemented a port scan and don't think I ever will until I have more than 1 computer in my household.
#10
March 4th, 2010, 03:33 PM
NickHSunbelt
Support Specialist
Join Date: Apr 2009
Location: Clearwater, Florida
Posts: 176
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

Disabling the log port scans option would just not log that information. It won't lower your security in any way.
#11
March 4th, 2010, 03:37 PM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

That's what I was hoping for. Since I won't use that feature and they are probably a low threat, I'd rather not see them than have 1700+ intrusion detections a day. If I disable the port scan logging I won't miss out on other important risk notices and popups, correct?
#12
March 5th, 2010, 08:54 AM
NickHSunbelt
Support Specialist
Join Date: Apr 2009
Location: Clearwater, Florida
Posts: 176
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

You shouldn't see any difference in notifications. This will just not add those entries into the log. In fact, that option is disabled by default. It's only meant to be enabled if you needed/wanted to see that information for some reason.
#13
March 5th, 2010, 09:05 AM
whitedragon551
Very Frequent Poster
Join Date: Sep 2008
Location: USA
Posts: 2,760
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

I've got a few more questions. In the firewall history what does the PUP tab stand for?

Also, I have an incoming connection that's logged and comes up as BACKDOOR NetMetro File List. What is this?
#14
March 5th, 2010, 09:28 AM
NickHSunbelt
Support Specialist
Join Date: Apr 2009
Location: Clearwater, Florida
Posts: 176
Re: VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

PUP stands for Packets to Unopened Ports.

The BACKDOOR NetMetro File List is often a false positive which is why it is listed under the low priority intrusions. This is basically triggered when traffic goes from port 20 or 80 to destination port 5032 and the server responds with content that includes "--".

Most of the IDS rules in VIPRE Premium are similar to basic Snort rules so you should be able to find a lot of information about any of these rules by doing a search on Google.
 

All times are GMT -4.