

Anonymos11

@71.222.148.x

Established Connections With Hardware Disabled

Hello,

I just did a few netstat runs and came across 2 connections that are able to stay on with my hardware turned off (firewall blocked/software disconnected/laptop switch turned off).

The addresses have changed a few times. Here they are.

166.98.7.11https
166.98.7.11https

166.98.7.20https
166.98.7.20https

166.98.7.11https
166.98.7.19https

Can someone tell me a way to block them?

Thank you


Chubbzie

join:2014-02-11
Greenville, NC
Is your system running a Symantec or HP software of some sort?


dib22

join:2002-01-27
Kansas City, MO
reply to Anonymos11
How do you perform a netstat with the hardware turned off?


norwegian
Premium
join:2005-02-15
Outback
reply to Chubbzie
said by Chubbzie:

Is your system running a Symantec or HP software of some sort?

Symantec product?
I would think these would be hard-coded into the product for updates.

A log would help too, not just typed addresses.
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke


BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3
reply to Anonymos11
They can try to establish the connection, it might be something as simple as checking for updates, and not having an active connection isn't going to stop them from trying.

Now you could just use the command prompt, and run the command netstat -ano then match the pid to the program in the task manager, otherwise software like TcpView will show you the program with the netstat information.

I found limited information on the owner of the ip address block, but as mentioned it might be hp if you have an hp computer, so they have some utility checking for updates for something. It might even be part of their bloated printer drivers.

Your best bet is to find the program, or sometimes it's set up as a service, then disable it, otherwise disable checking for updates. Be careful using this software, it will help you disable, even delete entries for things running on startup, including services instead of having to dig through the registry manually: Autoruns. It's better to uninstall software properly instead of just ripping it out, even just disabling entries is better than ripping them out without being properly uninstalled.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
Reviews:
·Verizon FiOS

2 recommendations

reply to Anonymos11
Did these appear after the 'hardware' was turned off, or were they there before?

It is a feature -- it is part of the point of having a routing layer -- that existing connections don't go away just because you can't get there from here right now. For all IP knows, the hardware will come back up in the next 3 seconds, and it can carry right on where it left off.

TCP connections that are actively transferring data at the time of the outage will figure it out, typically in a couple of minutes, due to ack timeouts.

TCP connections that are not actively transferring data at the time may not figure it out (because who cares whether a connection that's not transferring data can transfer data?)


Chubbzie

join:2014-02-11
Greenville, NC
reply to norwegian
said by norwegian:

Symantec product?

Check out the cert when attaching to »166.98.7.19

redwolfe_98
Premium
join:2001-06-11
kudos:1

1 edit
reply to Anonymos11
for what it is worth, the ip addresses belong to "symantec":

»whois.arin.net/rest/net/NET-166-98-0-0-1/pft

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to BlitzenZeus
Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.
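
The check suggested in the replies above (match each `netstat -ano` row to its owning program and read the state column), shown as an added example that is not part of any poster's message. It parses constructed samples of `netstat -ano` and `tasklist /fo csv /nh` output; the local address, ports, states, PIDs, the image name `example-updater.exe` and the `/24` filter are assumptions made for illustration.

```python
import csv
import ipaddress

# Constructed sample of `netstat -ano` output (remote addresses from the thread;
# local address, ports, states and PIDs made up for illustration).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:49712     166.98.7.11:443        ESTABLISHED     2184
  TCP    192.168.1.10:49713     166.98.7.20:443        SYN_SENT        2184
  TCP    192.168.1.10:49720     166.98.7.19:443        TIME_WAIT       0
  UDP    0.0.0.0:5353           *:*                                    1320
"""
# Constructed sample of `tasklist /fo csv /nh`; the image name is a placeholder.
TASKLIST_SAMPLE = '''"svchost.exe","884","Services","0","9,120 K"
"example-updater.exe","2184","Services","0","14,332 K"
'''
# What the state column says about whether anything is really connected.
STATE_MEANING = {
    "ESTABLISHED": "handshake completed; an idle one can linger after link loss",
    "SYN_SENT": "connection attempt still waiting for a reply",
    "TIME_WAIT": "already closed, waiting out the timer",
    "CLOSE_WAIT": "remote side closed, local program has not yet",
}

def parse_netstat(text):
    """Yield (remote_ip, state, pid) for each TCP row of `netstat -ano`."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            remote_ip = parts[2].rpartition(":")[0].strip("[]")
            yield remote_ip, parts[3], int(parts[4])

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {int(row[1]): row[0] for row in csv.reader(text.splitlines()) if row}

def report(netstat_text, tasklist_text, network):
    """Rows for connections into `network`: (ip, state, pid, program, meaning)."""
    net, names = ipaddress.ip_network(network), parse_tasklist(tasklist_text)
    rows = []
    for ip, state, pid in parse_netstat(netstat_text):
        if ipaddress.ip_address(ip) in net:
            rows.append((ip, state, pid, names.get(pid, "unknown"),
                         STATE_MEANING.get(state, "see TCP state diagram")))
    return rows

if __name__ == "__main__":
    for row in report(NETSTAT_SAMPLE, TASKLIST_SAMPLE, "166.98.7.0/24"):
        print(*row, sep=" | ")
```

On a real machine, feed it the saved output of the two commands instead of the samples.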


norwegian
Premium
join:2005-02-15
Outback
reply to Chubbzie

My browser tells me it is secure but untrusted due to not being able to validate.

If you follow 'spoc' to mean it such as the police term, I'd wager the cloud detection servers.
It is a guess at best though, as I've not played with Norton to be able to give a definitive answer.

The cert does say who it belongs to, so it should be question answered.
Unless there is more to this story?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



Chubbzie

join:2014-02-11
Greenville, NC
said by norwegian:

My browser tells me it is secure but untrusted due to not being able to validate.

More than likely that's due to going via IP to the server. The certs are bound to its DNS name, not its IP. If you decide to go to »spoc-pool.norton.com instead you should not receive the untrusted cert error.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Anonymos11
a) can you post the full netstat output?

b) what exactly are you trying to do / why are you trying to block this?

Otherwise 2nd this

said by dave:

Agree - they could be connection attempts in the process of failing to connect, too. The OP didn't see fit to post the state part of the netstat output, so we can but guess.

My 00000010bits

Regards


Chubbzie

join:2014-02-11
Greenville, NC
reply to Anonymos11
And Anonymos11 was never to be heard from again...