
Someone's Knocking


Original Message
Name: casey
Date: September 26, 2003 at 05:21:23 Pacific
Subject: Someone's Knocking
OS: Win98SE
CPU/Ram: 800/256
Comment:

The past two mornings my firewall, Kerio 2.1.5, pops up an alert that someone from 211.161.171.46 port 1084 wants to send a UDP Datagram to port 1027 owned by Norton Antivirus Agent to my navapw32.exe. That one is from yesterday.

Today, one from 211.161.172.37 port 1035 to the same .exe.

I only denied it yesterday, but today I placed a deny rule, Kerio's generic deny rule.

Could these pings just be fly-bys, or could I have a trojan or something? I use Norton Antivirus 2002, updated.




Response Number 1
Name: JackG
Date: September 26, 2003 at 10:57:35 Pacific
Reply:

The first IP address is a Static one that is seen probing a wide range of systems, most likely a Bot looking for unprotected systems. The second IP address is from a dynamic IP range associated with the first. This IP range is also where a lot of probes are seen from.

Is there some reason you would be expecting to OPEN your system to ANY outside port requests that your system did not initiate, much less ones from Beijing China?

Normally one would have alarms turned off and not worry about all these random probes, and having to write special rules.



Response Number 2
Name: JackG
Date: September 26, 2003 at 12:52:33 Pacific
Reply:

Hum... 211.161.171.46 hit ports 1026-1028 on my firewall just 30 minutes after my prior post. Coincidence, or did they get my IP address from this forum somehow? But that is the first time that IP address has hit my firewall.



Response Number 3
Name: casey
Date: September 26, 2003 at 14:11:08 Pacific
Reply:

quote JackG "Is there some reason you would be expecting to OPEN your system to ANY outside port requests that your system did not initiate, much less ones from Beijing China?"

Nope. I'm not expecting this and do not allow it.

quote JackG "Normally one would have alarms turned off and not worry about all these random probes, and having to write special rules."

If I set Kerio to Deny Unknown, I cannot use the update functions for Norton components and Spybot. I have been permitting the connections only when I want to check for updates, clicking permit each time I want to check and not having a specific rule. I have no idea how to apply a rule that would only allow outbound only when requested. Do you think it is safe to set permission rules for these two apps to connect and set Kerio to Deny Unknown? These two are the only ones I need to check regularly for updates.

quote JackG "Hum... 211.161.171.46 hit ports 1026-1028 on my firewall just 30 minutes after my prior post. Coincidence, or did they get my IP address from this forum somehow? But that is the first time that IP address has hit my firewall."

Yeah....very strange. According to Steve Gibson's Shields Up site, I'm totally stealthed. I shouldn't even see these probes.

