SVCHOST, Windows Update, Anyone heard of "Savvis"?

Hello all:

I have posted a related yet separate issue yesterday, here, below within this forum section.

Upon reinstall of everything, first thing after Outpost Pro and NOD32 install I goto Windows Update. Download the upload program.

I am reviewing packets and traffic with a fine tooth comb using Port Explorer from DiamondCS and am being signaled by ProcessGuard by what appears a genuine Windows Update.

I have been selecting "Proceed". Until a few later...........


I noticed originally checking "Who Is" for info on all the damn ports I am connecting to as I am concerned I may have , although I can;t believe it, some malware....


A PACKET, several in fact, being received from a WHO IS search by Savvis telecommunications.

Please tell me this is a Windows router or something, I think I will commit suicide otherwise.


Anyone heard of it?

Doing a google search revealed little.

Please advise...I would be most appreciative!!!
H

 

One more note:

I use Outpost Pro.

Must have DNS access svchost I realize.

But, reviewing logs I see several accepted connections from high remote ports 31xxx etc.

I have sinced blocked everything over 2000 in and out and allow only specified dns connect with svchost.

I block, while in learning mode, everything i can. I get many 1027 and 1026 port blips which research shows are remote Messenger spam or something.

Related?

 

So, I answered my own question and hopefully someone elses.

It required quite a bit of searching (for somoen who is not "in the know")..

..and many other forum memebers I viewed did not seem to know and were scratching their heads?!

But Savvis (although recently slapped in the face due to lean spam policies) is a router for Microsoft updates. H@ll if I knew......

regards.
Z

 

If you wish to tighten up your Outpost configuration, you may find the Outpost forum FAQ A Guide to Producing a Secure Configuration for Outpost useful - it is aimed at advanced users though.

You can also get Windows security updates from the Microsoft Security Bulletins page without having to use Windows Update. If you do use Windows Update then I would suggest applying updates manually and rebuilding Outpost's Component Control database afterwards (Options/Applications/Components/Shared Components/Edit List/Rebuild Database) - that way you should avoid receiving Component Control Alerts due to the update.

 

I made the same experience, Desktop Firewall warned of outgoing packet to download.windowsupdate.m.nsatc.org, which points at addresses from SAVVIS Comm. who provide security services!? The packet's remote port was 80 and remote address 208.175.188.61, where some "Footprint" Webserver is running and returning a "404 Not Found" message - really strange!
If this is Microsoft's work it's bad security policy to connect to unknown domains for updating Windows, I'm quite sure it has nothing to do with "sniffing IP-adresses" of Windows clients ;-)

 

A domain lookup of nsatc.org returns:

Domain ID: D77843138-LROR
Domain Name:NSATC.ORG
Created On:27-Sep-2001 00:25:53 UTC
Last Updated On:29-Sep-2005 20:14:23 UTC
Expiration Date:27-Sep-2007 00:25:53 UTC
Sponsoring Registrar:Register.com Inc. (R71-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:C19320084-RCOM
Registrant Name:Accounts Payable
Registrant Organization: Digital Island, Inc
Registrant Street1:45 Fremont St, Suite 1200
Registrant Street2:
Registrant Street3:
Registrant City:San Francisco
Registrant State/Province:CA
Registrant Postal Code:94105
Registrant Country:US
Registrant Phone:+1.4157384100
Registrant Phone Ext.:
Registrant FAX:+1.4157384141
Registrant FAX Ext.:
Registrant ****************@digisle.net
Admin ID:C45899094-RCOM
Admin Name:nsatc host
Admin Organization:SAVVIS Communications
Admin Street1:225 W Hillcrest Dr, Ste 250
Admin Street2:
Admin Street3:
Admin City:Thousand Oaks
Admin State/Province:CA
Admin Postal Code:91360
Admin Country:US
Admin Phone:+1.8053702100
Admin Phone Ext.:
Admin FAX:+1.8053702101
Admin FAX Ext.:
Admin ****************@savvis.net
Tech ID:C45899093-RCOM
Tech Name:nsatc host
Tech Organization:SAVVIS Communications
Tech Street1:225 W Hillcrest Dr, Ste 250
Tech Street2:
Tech Street3:
Tech City:Thousand Oaks
Tech State/Province:CA
Tech Postal Code:91360
Tech Country:US
Tech Phone:+1.8053702100
Tech Phone Ext.:
Tech FAX:+1.8053702101
Tech FAX Ext.:
Tech ****************@savvis.net
Name Server: A.NS.NSATC.ORG
Name Server: B.NS.NSATC.ORG
Name Server: C.NS.NSATC.ORG
Name Server: D.NS.NSATC.ORG
Name Server: G.NS.NSATC.ORG
Name Server: F.NS.NSATC.ORG

This would seem legitimate - but yes, with some spyware trying to connect to "authentic sounding" update domains, it is irresponsible of MS not to use the proper WindowsUpdate domain.