Question : UDP ssc-agent traffic seems excessive

I started monitoring the traffic on my network using Network Probe. It's given me some insights into which machines are taking a great deal of bandwidth and where some unusual protocols might be coming from. But one Win 2k machine seems to be generating an extreme amount of ssc-agent traffic (UDP port 2967).

I have a Windows network connected mostly by hubs with no established domain controller or formal Microsoft networking servers managing the network. We use different workgroups but that's about it. This machine is usually the master browser for the network. Also, this machine runs as server for Symantic AntiVirus Corporate.

The ssc-agent traffic is about 10x my http traffic, and shows constant activity throughout a several hour sample. 2 GB of traffic in two hours...most other traffic is around 100-200 MB.

So...

What's the ssc-agent protocol used for? Is it a Symantic fuction or a Windows networking issue? Is there a reason this should be commanding so much activity? And is it something I can disable or schedule to run at a specific time?

Thanks for any help.

Answer : UDP ssc-agent traffic seems excessive

It's from Symantec. Here's a bit of info from the site:

"RTVScan makes a request to Winsock for port 2967 for IP and port 33345 for IPX. These values can be configured by using the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPPort
HKEY_LOCAL_MACHINE\SOFTWARE\INTEL\LANDesk\VirusProtect6\CurrentVersion\AgentIPXPort

If the request for the static port fails, then RTVScan will use a dynamic port. This port will be assigned by Winsock on that server and can be different each time that you request a port."

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2002091816450048?Open&src=plat_hot&docid=2002112108541748&nsf=ent-security.nsf&view=docid_p&dtype=&prod=&ver=&osv=&osv_lvl=

Solution:
To change the frequency of NAVCE client keepalive packets

Right-click a server or server group in the Symantec System Center console, point to All Tasks, point to Norton AntiVirus, and then click Virus Definition Manager.
Select "Update Virus Definitions From Parent Server."
Click Settings.
Select "Set Client Configuration From Parent Server" box.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000041209270248?Open&src=ent_hot&docid=2000032009080948&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

and

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/1999120813251448?Open&src=ent_hot&docid=2000032009080948&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

and

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2000032009080948?Open&src=ent_hot&docid=2002091210045148&nsf=ent-security.nsf&view=docid&dtype=corp&prod=Symantec%20AntiVirus%20Corporate%20Edition&ver=8.x&osv=&osv_lvl=

Random Solutions

Compaq C310 WLAN button is not working

Linksys WAP & WinXP, Broadcast and WPA TKIP

MailMarshall - Version 6 - Add users emails to safe sender list

Veritas Backup exec 9.1 reporting corrupt Outlook PST file

How to connect a D-Link Modem to a Draytek Vigor Firewall

External DNS server address - where is it?

How to connect 2 computers on DSL modem

How do I measure or detect network/subnet saturation?

Wireless Edimax router & wireless dlink router