Why is Symantec Brightmail Gateway connecting to a certain IP on TCP port 80?
Last Updated October 25, 2012
You want to know why Symantec Brightmail Gateway (SBG) is trying to connect to a certain IP using TCP port 80.
Sometimes you may find that SBG is trying to communicate with a certain server on port 80 but the traffic is blocked by the firewall (FW). You want to know what the purpose of this traffic is so you can decide whether or not to allow it on the FW.
SBG downloads virus definitions or retrieves the ThreatCon level information through TCP port 80. The following 2 sites will be used.
The virus definition update servers are distributed around the world. When SBG tries to update virus definitions it uses the nearest servers, so SBG appliances in different regions will access different sets of IPs. When you locate the IPs that are dropped by the FW, you may do a reverse lookup to find the hostname or domain, but sometimes this fails because a proper PTR record is not maintained. Instead you can run nslookup for liveupdate.symantecliveupdate.com. The following is an nslookup result from a PC located in Japan.
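The check the article describes, pasting the nslookup answers for liveupdate.symantecliveupdate.com next to the firewall's drop log and seeing which dropped destinations are LiveUpdate servers on TCP/80, can be scripted. The following is an added example, not code from the article or from Symantec; the nslookup text and the iptables-style DROP lines are constructed samples using RFC 5737 documentation addresses, and the log field names (SRC, DST, PROTO, DPT) are an assumption about your firewall's log format. The optional `resolve_liveupdate` helper resolves the hostname live and should be run from the SBG's own network, since the answers are region-dependent.

```python
"""Correlate firewall drops with the LiveUpdate addresses nslookup returns.

Added example for this article; not Symantec's code. All sample data below is
constructed (RFC 5737 documentation addresses), and the DROP log format is an
iptables-style syslog line, which is an assumption about your firewall.
"""
import re
import socket

LIVEUPDATE_HOST = "liveupdate.symantecliveupdate.com"
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed Windows-style nslookup output (not a real resolution result).
SAMPLE_NSLOOKUP = """\
Server:  dns.example.internal
Address:  192.0.2.53

Non-authoritative answer:
Name:    liveupdate.symantecliveupdate.com
Addresses:  198.51.100.21
          198.51.100.22
          198.51.100.23
"""

# Constructed firewall drop lines (iptables LOG style, assumed format).
SAMPLE_FW_LOG = """\
Oct 25 10:01:02 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.22 PROTO=TCP SPT=41234 DPT=80
Oct 25 10:01:05 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=41235 DPT=80
Oct 25 10:01:08 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.23 PROTO=TCP SPT=41236 DPT=443
"""


def parse_nslookup(text):
    """Return the set of IPv4 answers for the queried name.

    Only addresses after the 'Name:' line are kept, so the resolver's own
    address in the 'Server:/Address:' header is not mistaken for an answer.
    """
    answers = set()
    in_answer = False
    for line in text.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        if in_answer:
            answers.update(IPV4_RE.findall(line))
    return answers


def parse_fw_drops(lines):
    """Extract src, dst, proto and dport from DROP log lines; skip the rest."""
    drops = []
    for line in lines:
        if "DROP" not in line:
            continue
        fields = dict(re.findall(r"(SRC|DST|PROTO|DPT)=(\S+)", line))
        if not all(k in fields for k in ("DST", "PROTO", "DPT")):
            continue
        drops.append({
            "src": fields.get("SRC", ""),
            "dst": fields["DST"],
            "proto": fields["PROTO"],
            "dport": int(fields["DPT"]),
        })
    return drops


def classify_drops(drops, liveupdate_ips):
    """Label each drop: a LiveUpdate server on TCP/80 (the traffic the
    article explains), a LiveUpdate server on some other port, or an
    unknown destination that needs separate investigation."""
    results = []
    for d in drops:
        if d["dst"] in liveupdate_ips:
            if d["proto"] == "TCP" and d["dport"] == 80:
                verdict = "liveupdate"
            else:
                verdict = "liveupdate-host-other-port"
        else:
            verdict = "unknown"
        results.append((d["dst"], d["dport"], verdict))
    return results


def resolve_liveupdate(host=LIVEUPDATE_HOST):
    """Live alternative to pasting nslookup output (needs network access).
    Answers are region-dependent, so run this from the SBG's own network."""
    return {info[4][0] for info in socket.getaddrinfo(host, 80, socket.AF_INET)}


if __name__ == "__main__":
    ips = parse_nslookup(SAMPLE_NSLOOKUP)
    drops = parse_fw_drops(SAMPLE_FW_LOG.splitlines())
    for dst, dport, verdict in classify_drops(drops, ips):
        print(f"{dst}:{dport} -> {verdict}")
```

Destinations reported as `unknown` are not explained by the LiveUpdate traffic this article covers and should be investigated on their own before any firewall rule is opened; a `liveupdate-host-other-port` result flags a known server being reached on a port the article does not describe.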