Norton opening tons of ports

Name: johno4
Date: April 7, 2004 at 09:19:11 Pacific
OS: WinXP Pro SP1
CPU/Ram: Intel P4 - 2.8gig - 512me
Comment:

Hello-
Whenever I open explorer, something was very rapidly opening tons (hundreds) of ports on my PC. I would expect a handful of ports to open & close as I navigate the internet, but not hundreds!

Norton Internet Security 2003 (Norton Anti-Virus, Firewall, etc) came pre-installed with my new PC so I decided to keep it. After more investigation, I determined it was Norton/Symantec’s Proxy Service (ccpxysvc.exe) that was opening the ports. If I disable Norton and then go into “services” and stop the Symantec Proxy Service, I only get a few open/used ports (normal behavior). As soon as I turn Norton on, tons of ports are used. I downloaded TCPView from www.sysinternals.com (a good GUI netstat utility) and watched the activity. It is absolutely unreal. As I surf, ccpxysvc.exe rapidly opens tons of ports, uses them very briefly, and then the status changes to “time-wait”. After a minute, the port closes and drops off the netstat listing. When open, almost all ports have a host address of 127.0.0.1:1027 and a foreign address of 127.0.0.1:xxxx, where xxxx is a sequential number starting in the low thousands and going up.

Here is a partial netstat listing:

TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING 272
TCP 127.0.0.1:1027 127.0.0.1:2921 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2923 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2925 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2927 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2929 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2930 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2935 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2939 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2941 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2943 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2949 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2953 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2957 ESTABLISHED 272
TCP 127.0.0.1:1027 127.0.0.1:2959 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2971 TIME_WAIT 0
TCP 127.0.0.1:1027 127.0.0.1:2973 TIME_WAIT 0

My question is, why would Norton open so many ports? Is this normal behavior for Norton? Why are the ports going from my PC to my PC? Loopback? What does that mean? Did anyone else notice this? It does not seem right.

My config:
Win XP SP1 Pro running on Intel P4 2.8ghz with 512meg ram.
Connected to D-Link DI-604 router which is connected to Ericsson Cable Modem.
Software: Norton Internet Security 2003 – Internet Explorer 6.0

I have updated my virus defs and scanned my system (no virus), gone through windows update to make sure explorer is up to date, and used Spybot to check for bad stuff (everything ok).

By the way, I have a Win98 SE pc with ZoneAlarm connected to the router and it does not show this behavior in 98.

Thanx,
John O



Response Number 1
Name: Rambler
Date: April 7, 2004 at 13:48:39 Pacific
Reply:

IE will use ports in the range approx 1020-6000 in sequence for each connection, that is for each webpage component - HTML, graphics etc. It's normal behaviour, and nothing to do directly with Norton which is just opening the ports IE tells it to. The list shows NIS proxy is listening to IE on 127.0.0.1:1027, again this is normal for a local proxy, though the port will vary with the software.

ZoneAlarm doesn't show the behaviour because it keeps quiet about it, as it should.



Response Number 2
Name: johno4
Date: April 7, 2004 at 21:07:19 Pacific
Reply:

Thanks Rambler for the quick reply.
I still have a feeling that Norton has something to do with the increased port usage.
If I stop Norton Internet Security/ Firewall and disable the Symantec Proxy Service (ccpxysvc.exe), then use explorer to open a web page (ex: router config home page), I only see a handful of ports in netstat (normal). If I start up Norton and all that stuff, then open explorer and go to the exact same page (router config page), I see about 100 ports that have been used briefly and then they go to time-wait status. If I watch tcpview closely, I think it is ccpxysvc.exe that uses the ports, although it happens so fast that it is hard to tell. I will perform this experiment tomorrow night and provide more details (netstat lists) if you are interested.
...John O.



Response Number 3
Name: Rambler
Date: April 8, 2004 at 01:40:23 Pacific
Reply:

Although I still wouldn't be worried if I were you, I am still interested!

Expert: someone who reads the manual when no-one's looking



Response Number 4
Name: johno4
Date: April 8, 2004 at 21:15:40 Pacific
Reply:

Ok, here goes the little experiment…

1. Boot up WinXP and Norton Internet Security / Firewall is running.

2. Press “lock” button on cable modem because I don’t want anything bad getting to my Pc when I take the firewall down.

3. Go into internet options and change IE homepage to http://192.168.0.1 which is the router config home page. I cannot access any other sites since the cable modem is locked, but just going to the router page provides a good test.


4. Use TCPView to capture netstat info (not much going on):
svchost.exe:1488 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
lsass.exe:1192 UDP 0.0.0.0:500 *:*
svchost.exe:1580 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
svchost.exe:1708 UDP 0.0.0.0:1028 *:*
System:4 TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 127.0.0.1:123 *:*
CCPXYSVC.EXE:264 TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
ccApp.exe:1892 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 192.168.0.2:123 *:*
System:4 UDP 192.168.0.2:137 *:*
System:4 UDP 192.168.0.2:138 *:*
System:4 TCP 192.168.0.2:139 0.0.0.0:0 LISTENING

5. Open IE and it goes to the router config home page.
Here’s a netstat listing now (tons of ports opened, used, and waiting to close going from 1027 to 10xx):
svchost.exe:1488 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
lsass.exe:1192 UDP 0.0.0.0:500 *:*
svchost.exe:1580 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
svchost.exe:1708 UDP 0.0.0.0:1028 *:*
System:4 TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 127.0.0.1:123 *:*
CCPXYSVC.EXE:264 TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1032 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1036 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1038 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1034 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1046 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1050 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1054 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1056 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1052 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1048 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1042 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1060 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1063 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1066 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1062 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1058 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1070 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1074 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1067 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1075 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1078 TIME_WAIT
ccApp.exe:1892 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
IEXPLORE.EXE:4080 UDP 127.0.0.1:1031 *:*
[System Process]:0 TCP 127.0.0.1:1040 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1044 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1048 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1063 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1071 127.0.0.1:1027 TIME_WAIT
svchost.exe:1580 UDP 192.168.0.2:123 *:*
System:4 UDP 192.168.0.2:137 *:*
System:4 UDP 192.168.0.2:138 *:*
System:4 TCP 192.168.0.2:139 0.0.0.0:0 LISTENING

6. Exit explorer and wait two minutes – all time_wait ports disappear.

7. Turn off Norton Internet Security/firewall, and stop Symantec Proxy Service and Symantec Event Mgr using start->run->services.msc

8. Do a netstat and get a quiet list:
svchost.exe:1488 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
lsass.exe:1192 UDP 0.0.0.0:500 *:*
svchost.exe:1580 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
svchost.exe:1708 UDP 0.0.0.0:1028 *:*
System:4 TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 127.0.0.1:123 *:*
ccApp.exe:1892 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 192.168.0.2:123 *:*
System:4 UDP 192.168.0.2:137 *:*
System:4 UDP 192.168.0.2:138 *:*
System:4 TCP 192.168.0.2:139 0.0.0.0:0 LISTENING

9. Open IE and it goes to the router config home page (same as before).
I see one port explorer opened, but that’s it.
Here’s a netstat listing now:
svchost.exe:1488 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
System:4 TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
System:4 UDP 0.0.0.0:445 *:*
lsass.exe:1192 UDP 0.0.0.0:500 *:*
svchost.exe:1580 TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
svchost.exe:1708 UDP 0.0.0.0:1028 *:*
System:4 TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
svchost.exe:1580 UDP 127.0.0.1:123 *:*
ccApp.exe:1892 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
IEXPLORE.EXE:972 UDP 127.0.0.1:1285 *:*
svchost.exe:1580 UDP 192.168.0.2:123 *:*
System:4 UDP 192.168.0.2:137 *:*
System:4 UDP 192.168.0.2:138 *:*
System:4 TCP 192.168.0.2:139 0.0.0.0:0 LISTENING

Am I crazy? The longer I surf (with Norton running), the more ports get opened, to a point where I have hundreds open or waiting to close. It just seems nuts. As best as I can tell, it is ccpxysvc.exe (Symantec Proxy Service) that is opening them.

Sorry this was so long,
John O.
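
Added example (not part of the original post, and not Symantec or Sysinternals code): a Python sketch that summarises a TCPView listing like the ones in the experiment above, grouping loopback connections by the local listener they touch and recording which end holds each TIME_WAIT socket. The sample rows are a constructed subset in the post's format, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed subset of rows in the TCPView format quoted in the post:
# process:pid, protocol, local endpoint, remote endpoint, state.
SAMPLE = """\
svchost.exe:1488 TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
CCPXYSVC.EXE:264 TCP 127.0.0.1:1027 0.0.0.0:0 LISTENING
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1032 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1036 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1027 127.0.0.1:1038 TIME_WAIT
ccApp.exe:1892 TCP 127.0.0.1:1030 0.0.0.0:0 LISTENING
IEXPLORE.EXE:4080 UDP 127.0.0.1:1031 *:*
[System Process]:0 TCP 127.0.0.1:1040 127.0.0.1:1027 TIME_WAIT
[System Process]:0 TCP 127.0.0.1:1044 127.0.0.1:1027 TIME_WAIT
System:4 TCP 192.168.0.2:139 0.0.0.0:0 LISTENING
"""

ROW = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$")
LOOPBACK = "127.0.0.1"

def parse(text):
    """Return one dict per recognisable TCPView row; other lines are skipped."""
    matches = (ROW.match(line.strip()) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def endpoint(value):
    """Split 'host:port' on the last colon."""
    host, _, port = value.rpartition(":")
    return host, port

def loopback_summary(text):
    """Per loopback listener port: owner, connection states, who closed first."""
    rows = [r for r in parse(text) if r["proto"] == "TCP"]
    summary = {}
    for r in rows:
        host, port = endpoint(r["local"])
        if r["state"] == "LISTENING" and host == LOOPBACK:
            summary[port] = {"owner": r["proc"], "states": Counter(),
                             "closed_by": Counter()}
    for r in rows:
        (lhost, lport), (rhost, rport) = endpoint(r["local"]), endpoint(r["remote"])
        if r["state"] == "LISTENING" or lhost != LOOPBACK or rhost != LOOPBACK:
            continue
        port = lport if lport in summary else rport
        if port not in summary:
            continue  # loopback traffic that involves no local listener
        summary[port]["states"][r["state"]] += 1
        if r["state"] == "TIME_WAIT":
            # TIME_WAIT is held by the end that closed the connection first,
            # and TCPView lists that end in the local-address column.
            side = "listener" if lport == port else "client"
            summary[port]["closed_by"][side] += 1
    return summary

if __name__ == "__main__":
    for port, info in loopback_summary(SAMPLE).items():
        print(port, info["owner"], dict(info["states"]), dict(info["closed_by"]))
```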



Response Number 5
Name: Rambler
Date: April 9, 2004 at 02:04:38 Pacific
Reply:

I've done some tests, and what you see seems to be normal behavior. I've just refreshed a page, and NETSTAT shows 21 ports TIME_WAIT. After several minutes, they disappear.

My research shows that what's happening is that the TCP connection is kept open in TIME_WAIT state for a default 4 minutes even after the remote server has sent a FIN (close) packet. Perhaps it's designed to catch a late "PS. I forgot to send this" packet!! God knows why FOUR minutes is the default.

There's quite a lot on the 'net on this subject - this shows how to decrease the wait value - I'm off to experiment!




Response Number 6
Name: johno4
Date: April 12, 2004 at 08:17:38 Pacific
Reply:

Thanx Rambler for checking this out for me. In searching the web, I came across that registry change to decrease the time_wait on the ports, so I'll have to try that modification. Good idea. I didn't see any hits related to Norton though, so I'm kind of surprised no one else complained about Norton's port usage. I guess I'll just accept this as normal behavior for Norton and won't worry about it. Everything seems to be working fine.

The original reason I was going over my network config with a fine tooth comb was to try and troubleshoot problems with my Linksys BEFSR41 router losing connectivity to the internet whenever I use my XP box. I couldn't figure out what the problem was with the Linksys, so I purchased a DLink DI-604 router and the DLink works fine. I wonder if the Linksys couldn't deal with Norton's port usage where the DLink is OK. When I get time, I'll go back and fool with the Linksys again, or maybe I'll just return it since the DLink is working!

Thanks again Rambler
...John O.




Response Number 7
Name: Valdir
Date: April 13, 2004 at 19:33:15 Pacific
Reply:

Although I'm not an expert on Internet subjects, I've verified a substantial increase in latency and diminished bandwidth with ccPxySvc.exe active. By disabling it in "settings/control panel/adm. tools/services" (I don't know if these are the correct terms in English), the test results at Numion Max Speed are much better!



Response Number 8
Name: Rambler
Date: April 13, 2004 at 23:48:27 Pacific
Reply:

Your English is fine Valdir! Thanks for the observation. I don't use NIS, but I'll research your finding further. If it seems that ccPxySvc.exe DOES slow the connection down, I'm sure there are many NIS users who would want to know that.

John O - I've discovered also that the "usual" way to handle high port usage is to increase MaxFreeTcbs - this would seem to just skirt round the problem, as it would seem that reducing TIME_WAIT would be a better option. There's lots here for study.

Expert: someone who reads the manual when no-one's looking



Response Number 9
Name: Floratech
Date: April 14, 2004 at 06:38:38 Pacific
Reply:

Ok, here are 2 examples of what a proxy does...

Improve Performance: Proxy servers can dramatically improve performance for groups of users. This is because it saves the results of all requests for a certain amount of time. Consider the case where both user X and user Y access the World Wide Web through a proxy server. First user X requests a certain Web page, which we'll call Page 1. Sometime later, user Y requests the same page. Instead of forwarding the request to the Web server where Page 1 resides, which can be a time-consuming operation, the proxy server simply returns the Page 1 that it already fetched for user X. Since the proxy server is often on the same network as the user, this is a much faster operation. Real proxy servers support hundreds or thousands of users. The major online services such as Compuserve and America Online, for example, employ an array of proxy servers.

Filter Requests: Proxy servers can also be used to filter requests. For example, a company might use a proxy server to prevent its employees from accessing a specific set of Web sites.

Now that you have read and understand the above, it is opening multiple ports to download the page faster. You probably don't notice this because you're already on Fastaccess with just a few machines. I assume that since your router only has a built in 4 port switch and you didn't mention any other hardware... If you were on a bigger network you may see a difference or if you were on dialup... It's up to you if you want to run it or not because your router, either one you use, has a NAT which shows you as one and blocks certain ports on the internet and you have NIS as a firewall. I would say you're good to go as a home or small business PC.


Mike



Response Number 10
Name: Valdir
Date: April 14, 2004 at 20:20:46 Pacific
Reply:

Hello,

The explanation given by Floratech is a very informative and clarifying one; however, I'd like to add some comments on it:
1- The key words are "for groups of users":
- The "first" user of any Web page will be impaired to some extent by the very existence of a proxy.
- How many "first" users exist in the small hours or are accessing a "first" requested Web page at any moment?
- Some ISPs (more than we can imagine) use proxies as a way of saving money by not having big enough internet connections delivering fast access, and the common user suffers.
2- With regard to my observations about NIS\ccPxySvc.exe, I'd like to make some more comments:
- By disabling it, every download I make (PC Pitstop, Numion, SpeedGuide.net, McAfee, Broadband, etc) is faster than with it enabled.
- The effect is much more noticeable at Numion MaxSpeed, where accuracy, latency (or delay) and speed are substantially better with it disabled.
- The subjective speed of downloading a heavy Webpage (amazon, submarino(br), americanas(br)) is also much better without it.
- Perhaps these facts are correlated with what John O. is experiencing.
- Finally, excuse me for being so long, and does someone know what ccPxySvc.exe really is and its purpose besides slowing my computer down?

Regards,
V.
PS: I disabled it one week ago and everything runs smoothly so far.



Response Number 11
Name: Rambler
Date: April 15, 2004 at 01:18:44 Pacific
Reply:

The "proxy server" Floratech talks about is more usually called a WebCache, because it caches pages. I haven't been able to find out what "Norton Internet Security Proxy Service" (ccPxySvc.exe) actually DOES.



Response Number 12
Name: johno4
Date: April 15, 2004 at 13:14:22 Pacific
Reply:

Thanks Floratech for the explanation of what a proxy server does. I also want to know exactly what purpose the NIS ccPxySvc has on an individual PC and if it is potentially slowing down my connection.

I understand how a proxy server can improve performance for a group of users, but I am not using my new WinXP PC as a server. I have two PCs directly connected to the router (new WinXP PC and old Win98 PC). Since both are directly connected to the router, I don't see the benefit of having a proxy server running on one PC, unless I was using that PC as a local server.

I wonder if the NIS ccPxySvc is used for the second purpose Floratech mentioned - to filter/check/or protect you as you surf. I think NIS has parental control features, but I have these turned off since I do not have kids. But still, I wonder if that's just the way Norton works - installs a software proxy service/server on the PC and forces all internet activity to go through the Norton Proxy Service so it can monitor everything.

Valdir - Since you disabled ccPxySvc, did any of the NIS features become disabled or do you feel that you have reduced the capabilities of the NIS firewall / security protection in any way? My concern here is that if Norton is using this and now it is stopped, perhaps Norton is no longer protecting the PC.

...John O.



Response Number 13
Name: Valdir
Date: April 15, 2004 at 20:32:22 Pacific
Reply:

- No, since I disabled NIS Pxy I haven't noticed anything anomalous in its behavior.

- The configuration of NIS on my PC is the default settings except for:
LiveUpdate automatic - disabled
Pop-up and advertising blocking - disabled

- Trying to know what NIS Pxy is and does I've consulted Symantec today; if I get an answer I'll inform you.

V.

PS: Pop-up and advertising blocking are disabled because with them ON I lose some functionalities from my ISP and NASA Webpages.



Response Number 14
Name: Valdir
Date: April 21, 2004 at 23:54:09 Pacific
Reply:

Answer from Symantec-BR:
"This service is responsible, for example, for the Firewall's activation and Emails protection."

Well, I'm not entirely satisfied with this answer with regard to 3 facts:
- NIS has recently and correctly detected and blocked one Trojan attack on my PC.
- When I send or receive Emails, NIS makes the protection, as signaled by it.
Both facts occurred with NIS Pxy disabled.

- Most interestingly, NIS does not warn anything about something going wrong with it disabled, although it gets hysterical with another service (ccPwdSvc), or one of its major components disabled!

This service is still an open question to me.

V.




Response Number 15
Name: johno4
Date: April 22, 2004 at 06:21:56 Pacific
Reply:

Thanks Valdir for pushing the issue with Symantec and providing their response.

I'll agree that they gave a very poor answer. I wish they would have provided more details. It seems like the ccpxysvc is not essential.

John O.


