|
Anonymos11
Anon
2014-Aug-13 6:50 pm
Established Connections With Hardware Disabled
Hello,
I just did a few netstat runs and came across 2 connections that are able to stay on with my hardware turned off (firewall blocked/software disconnected/laptop switch turned off).
The addresses have changed a few times. Here they are.
166.98.7.11https 166.98.7.11https
166.98.7.20https 166.98.7.20https
166.98.7.11https 166.98.7.19https
Can someone tell me a way to block them?
Thank you
|
|
Is your system running a Symantec or HP software of some sort?
|
dib22 join:2002-01-27 Kansas City, MO
to Anonymos11
How do you perform a netstat with the hardware turned off?
|
norwegian Premium Member join:2005-02-15 Outback
to Chubbzie
said by Chubbzie:
Is your system running a Symantec or HP software of some sort?

Symantec product? I would think these would be hard-coded into the product for updates. A log would help too, not just typed addresses.
|
BlitzenZeus Burnt Out Cynic Premium Member join:2000-01-13
to Anonymos11
They can try to establish the connection, it might be something as simple as checking for updates, and not having an active connection isn't going to stop them from trying.

Now you could just use the command prompt, and run the command netstat -ano then match the PID to the program in the Task Manager, otherwise software like TcpView will show you the program with the netstat information.

I found limited information on the owner of the IP address block, but as mentioned it might be HP if you have an HP computer, so they have some utility checking for updates for something. It might even be part of their bloated printer drivers. Your best bet is to find the program, or sometimes it's set up as a service, then disable it, otherwise disable checking for updates.

Be careful using this software, it will help you disable, even delete entries for things running on startup, including services instead of having to dig through the registry manually.
Autoruns

It's better to uninstall software properly instead of just ripping it out, even just disabling entries is better than ripping them out without being properly uninstalled.
|
dave Premium Member join:2000-05-04 not in ohio
2 recommendations |
to Anonymos11
Did these appear after the 'hardware' was turned off, or were they there before?
It is a feature -- it is part of the point of having a routing layer -- that existing connections don't go away just because you can't get there from here right now. For all IP knows, the hardware will come back up in the next 3 seconds, and it can carry right on where it left off.
TCP connections that are actively transferring data at the time of the outage will figure it out, typically in a couple of minutes, due to ack timeouts.
TCP connections that are not actively transferring data at the time may not figure it out (because who cares whether a connection that's not transferring data can transfer data?)
|
Hitron CDA3 (Software) OpenBSD + pf
|
to norwegian
Check out the cert when attaching to » 166.98.7.19
|
|
to Anonymos11
for what it is worth, the ip addresses belong to "symantec": » whois.arin.net/rest/net/ ··· -0-1/pft
|
dave Premium Member join:2000-05-04 not in ohio
to BlitzenZeus
Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.
|
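The check suggested in the replies above (match the PID from netstat -ano to a program, and read the state column), as an added example that is not part of any post in this thread. The netstat text is a constructed sample in the Windows column layout; its local addresses, ports, states and PIDs are made up, and only the three remote addresses come from the original post.

```python
from collections import defaultdict

# Remote addresses the original poster reported.
TARGETS = {"166.98.7.11", "166.98.7.19", "166.98.7.20"}

# Constructed sample laid out like Windows `netstat -ano` output.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       760
  TCP    192.168.1.5:49172      166.98.7.11:443        ESTABLISHED     1840
  TCP    192.168.1.5:49173      166.98.7.20:443        SYN_SENT        1840
  TCP    192.168.1.5:49180      166.98.7.19:443        TIME_WAIT       0
  TCP    192.168.1.5:49190      203.0.113.10:80        ESTABLISHED     2212
  UDP    0.0.0.0:5355           *:*                                    1100
"""

# What each state tells you, following the points made in the thread.
STATE_NOTES = {
    "ESTABLISHED": "handshake done; an idle one can stay listed after the link drops",
    "SYN_SENT": "connection attempt in progress, nothing has answered",
    "TIME_WAIT": "already closed, waiting to expire (Windows shows PID 0)",
    "CLOSE_WAIT": "remote end closed, local program has not",
}

def parse_tcp_rows(text):
    """Yield (remote_ip, remote_port, state, pid) for every TCP row."""
    for line in text.splitlines():
        fields = line.split()
        # Skip headers, blank lines and UDP rows (UDP has no state column).
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        host, _, port = fields[2].rpartition(":")
        yield host.strip("[]"), int(port), fields[3], int(fields[4])

def connections_by_pid(text, targets=TARGETS):
    """Group rows whose remote address is in `targets` by owning PID."""
    grouped = defaultdict(list)
    for ip, port, state, pid in parse_tcp_rows(text):
        if ip in targets:
            note = STATE_NOTES.get(state, "see TCP state documentation")
            grouped[pid].append((ip, port, state, note))
    return dict(grouped)

if __name__ == "__main__":
    for pid, rows in connections_by_pid(SAMPLE).items():
        for ip, port, state, note in rows:
            print(f"PID {pid:>5}  {ip}:{port}  {state:<12} {note}")
```

Each PID in the result is the value to look up in the Task Manager; a row under PID 0 no longer has an owning program.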
norwegian Premium Member join:2005-02-15 Outback
to Chubbzie
My browser tells me it is secure but untrusted due to not being able to validate.
If you follow 'spoc' to mean it such as the police term, I'd wager the cloud detection servers. It is a guess at best though, as I've not played with Norton to be able to give a definitive answer.
The cert does say who it belongs to, so it should be question answered. Unless there is more to this story?
|
|
Hitron CDA3 (Software) OpenBSD + pf
|
said by norwegian:
My browser tells me it is secure but untrusted due to not being able to validate.

More than likely that's due to going via IP to the server. The certs are bound to its DNS name not its IP. If you decide to go to » spoc-pool.norton.com instead you should not receive the untrusted cert error.
|
|
to Anonymos11
a) can you post the full netstat output?
b) what exactly are you trying to do / why are you trying to block this?

Otherwise 2nd this

said by dave:
Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.

My 00000010bits
Regards
|
|
to Anonymos11
And Anonymos11 was never to be heard from again...
|