VIPRE Firewall-Massive amounts of IGMP Requests and Port Scans

Discussion in 'other firewalls' started by whitedragon551, Mar 3, 2010.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Im using my 1 year Vipre Antivirus premium. I have it all installed and configured. I did my first deep scan and everything is green. Now in the bottom right corner it says its blocked 1719 risks since the deep scan was done and statistics were reset.

    I checked out the firewall where most of the "risks" come from. In network rules I have several outgoing IGMP attempts per minute that occur every 5 minutes on the dot. Its a system initialized connection attempt to IP 224.0.0.22 all originating from my IPv4 IP address.

    Anyone have any idea what this IGMP connection is?

    I also checked the firewall log for other issues that appear in the masses. I have IDS (Intrusion Detection Systems) turned on. There are multiple port scans that fall under ID 442 (VIPRE classifications I suppose) all coming from different IP addresses. A few of them have tried 10+ times.
     
    Last edited: Mar 3, 2010
  2. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,012
    Location:
    Ontario, Canada
    Re: VIPRE Firewall

    Maybe it would be better to ask your Questions here http://supportforums.sunbeltsoftware.com/default.aspx?forumid=2 Some info here http://www.et.put.poznan.pl/tcpip/igmp/igmp_intro.htm

    TH
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I didnt really want to sign up for another forum, but I may have to. I figured there may be enough knowledgeable people around here.
     
  4. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    IGMP is mostly used for IPTV. So if you are a triple play customer, this should be normal since the same CPE/Modem is used.
    Periodically CPE will send data to your Video Control Server to inform which channels you are watching or that there no channel is in use. This enables precise use of bandwidth.

    Port Scans !! If have no idea what those VIPRE IDs mean. Better check with Sunbelt.
     
  5. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I have DSL internet through AT&T. I have cable TV through Comcast. I dont have IPTV.
     
  6. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    Wow, this is news indeed
     
  7. s23

    s23 Registered Member

    Joined:
    Feb 22, 2009
    Posts:
    263
    I think is the same type of connection that normal home users not need like SSDP (UDP 1900) and UDP 5355 (LLMNR - connect to the same range you mentioned) not is?
     
  8. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida
    I also responded to this on our support forums but thought I'd also post this here.

    The 224.0.0.22 is just a multicast address which isn't something you should worry about. You can safely block this with the firewall although this wouldn't leave the local network. Something like UPnP could cause this.

    This IDS rule 442 would fall under the low priority intrusions so definitely isn't something you need to worry about. By default the low and medium priority intrusions are set to allow because they are generally not considered to be serious threats. Port scans can have legitimate uses in managing networks but it can also be from someone looking for an access point to your system. It shouldn't cause any harm to continue blocking this.
     
  9. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    I got it. Thanks.

    I figured I can cut down on the resource usage and the intrusion detection messages if I disable log port scans. Is that something I should do? I havent implemented a port scan and dont think I ever will until I have more than 1 computer in my house hold.
     
  10. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida
    Disabling the log port scans option would just not log that information. It won't lower your security in any way.
     
  11. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Thats what I was hoping for. Since I wont use that feature and they are probably a low thread Id rather not see them then have 1700+ intrusion detections a day. If I disable the port scan logging I wont miss out on other important risk notices and popups correct?
     
  12. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida
    You shouldn't see any difference in notifications. This will just not add those entries into the log. In fact, that option is disabled by default. It's only meant to be enabled if you needed/wanted to see that information for some reason.
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Ive got a few more questions. In the firewall history what does the PUP tab stand for?

    Also I have an incoming connection thats logged comes up as BACKDOOR NetMetro File List. What is this?
     
  14. NickHSunbelt

    NickHSunbelt Support Specialist

    Joined:
    Apr 13, 2009
    Posts:
    177
    Location:
    Clearwater, Florida
    PUP stands for Packets to Unopened Ports.

    The BACKDOOR NetMetro File List is often a false positive which is why it is listed under the low priority intrusions. This is basically triggered when traffic goes from port 20 or 80 to destination port 5032 and the server responds with content that includes "--".

    Most of the IDS rules in VIPRE Premium are similar to basic Snort rules so you should be able to find a lot of information about any of these rules by doing a search on Google.
     
Loading...
Thread Status:
Not open for further replies.