Wednesday, April 06, 2005

Faked port 25 from symantec antivirus software

Symantec antivirus software gives me lots of trouble recently. To check if an email contains virus, it somehow creates a fake port 25 to intercept the traffic. So if you have Symentec antivirus software installed on your desktop, whenever you telnet or call connect() to a port 25, it will always succeed regardless the state of the remote host, even if the host is down.

So port scan using tcp connect will give lots of false positives unless you stop symentec antivirus service. To avoid that you have to bypass compromised tcp/ip stack. For example, synscan with pcap can give you better result, since there is no actual SYN/ACK back from the faked port.


Post a Comment

<< Home