dslreports logo
 
    All Forums Hot Topics Gallery
spc
Search similar:


uniqs
516

Anonymos11
@71.222.148.x

Anonymos11

Anon

Established Connections With Hardware Disabled

Hello,

I just did a few netstat runs and came across 2 connections that are able to stay on with my hardware turned off.(firewall blocked/software disconnected/laptop switch turned off)

The addresses have changed a few times. Here they are.

166.98.7.11https
166.98.7.11https

166.98.7.20https
166.98.7.20https

166.98.7.11https
166.98.7.19https

Can someone tell me a way to block them.

Thank you

Chubbzie
join:2014-02-11
Greenville, NC

Chubbzie

Member

Is your system running a Symantec or HP software of some sort?

dib22
join:2002-01-27
Kansas City, MO

dib22 to Anonymos11

Member

to Anonymos11
How do you perform a netstat with the hardware turned off?

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to Chubbzie

Premium Member

to Chubbzie
said by Chubbzie:

Is your system running a Symantec or HP software of some sort?

Symantec product?
I would think these would be hard-coded into the product for updates.

A log would help too, not just typed addresses.
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

BlitzenZeus to Anonymos11

Premium Member

to Anonymos11
They can try to establish the connection, it might be something as simple as checking for updates, and not having an active connection isn't going to stop them from trying.

Now you could just use the command prompt, and run the command netstat -ano then match the pid to the program in the task manager, otherwise software like TcpView will show you the program with the netstat information.

I found limited information on the owner of the ip address block, but as mentioned it might be hp if you have an hp computer, so they have some utility checking for updates for something. It might even be part of their bloated printer drivers.

Your best bet is to find the program, or sometimes it's setup as service, then disable it, otherwise disable checking for updates. Be careful using this software, it will help you disable, even delete entries for things running on startup, including services instead of having to dig through the registry manually. Autoruns It's better to uninstall software properly instead of just ripping it out, even just disabling entries is better than ripping them out without being properly uninstalled.
dave
Premium Member
join:2000-05-04
not in ohio

2 recommendations

dave to Anonymos11

Premium Member

to Anonymos11
Did these appear after the 'hardware' was turned off, or were they there before?

It is a feature -- it is part of the point of having a routing layer -- that existing connections don't go away just because you can't get there from here right now. For all IP knows, the hardware will come back up in the next 3 seconds, and it can carry right on where it left off.

TCP connections that are actively transferring data at the time of the outage will figure it out, typically in a couple of minutes, due to ack timeouts.

TCP connections that are not actively transferring data at the time may not figure it out (because who cares whether a connection that's not transferring data can transfer data?)

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie to norwegian

Member

to norwegian
Click for full size
said by norwegian:

Symantec product?

Checkout the cert when attaching to »166.98.7.19
redwolfe_98
Premium Member
join:2001-06-11

1 edit

redwolfe_98 to Anonymos11

Premium Member

to Anonymos11
for what it is worth, the ip addresses belong to "symantec":

»whois.arin.net/rest/net/ ··· -0-1/pft
dave
Premium Member
join:2000-05-04
not in ohio

dave to BlitzenZeus

Premium Member

to BlitzenZeus
Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian to Chubbzie

Premium Member

to Chubbzie

My browser tells me it is secure but untrusted due to not being able to validate.

If you follow 'spoc' to mean it such as the police term, I'd wager the cloud detection servers.
It is a guess at best though, as I've not played with Norton to be able to give a definitive answer.

The cert does say who it belongs to, so it should be question answered.
Unless there is more to this story?

Chubbzie
join:2014-02-11
Greenville, NC
Hitron CDA3
(Software) OpenBSD + pf

Chubbzie

Member

said by norwegian:

My browser tells me it is secure but untrusted due to not being able to validate.

More than likely thats due to going via IP to the server. The certs are bound to its DNS name not its IP. If you decide to go to »spoc-pool.norton.com instead you should not receive the untrusted cert error.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Anonymos11

MVM

to Anonymos11
a) can you post the full netstat output?

b) what exactly are you trying to do / why are you trying to block this?

Otherwise 2nd this
said by dave:

Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.

My 00000010bits

Regards

Chubbzie
join:2014-02-11
Greenville, NC

Chubbzie to Anonymos11

Member

to Anonymos11
And Anonymos11 was never to be heard from again...