OT - IGMP Protocol query
 

I was wondering if anyone has come across the problem of a brand new Windows XP machine sending IGMP packets to the address of 224.0.0.22.
Any suggestion or links as to how I can stop this from happening?
Thanks.

Re: OT - IGMP Protocol query
 

Virusscan, spyware scan. Try ad-aware and um...spybot S&D. That's what everybody here seems to recommend.

Re: OT - IGMP Protocol query
 

Where did you get this info from? Firewall?

Looks like the system is asking a router for info on other systems in its group. Is the system in the workgroup named "workgroup"?

Re: OT - IGMP Protocol query
 

This is a new Test XP machine, that I built to test a new Internal Firewall on our Domain. This Fireall is blocking the IGMP packets and brought it to my attention.
At least a couple of times a day, the XP machine sends packets to the address of 224.0.0.22, which routes to igmp.mcast.net
We are not using any Multicasting software, and this XP box is pure Windows XP, no other software except for the Virus/Firewall client that I am testing.
Suggestions?

Re: OT - IGMP Protocol query
 

http://www.webopedia.com/TERM/I/IGMP.html
Not exactly a wordy definition.
I can't find what mcast.net is. I haven't been able to ping it or anything. Whois comes up blank. I can't say what that is or what it is doing. What brand of A/V stuff are you using? Firewall?

Re: OT - IGMP Protocol query
 

Thanks Instar.
I am testing TrendMicro OfficeScan Anti-Virus software and Firewall.
There is a couple of references to igmp.mcast.net but not why XP would be attempting to connect to it, once a day.

Re: OT - IGMP Protocol query
 

I used to use Trend Micro. It was good enough.
Anyhow, its a weird thing, trying to contact a non-existant site (unless its an evil government plot! The ILLUMINATTI are coming!)
Its a multicast IP protocol... hmm
No harm in continuing blocking it. I know IE has a toolbar thing that Adaware considers spyware. Get Adaware on disk and see what happens when you run it.

Re: OT - IGMP Protocol query
 

It’s an unassigned IGMP address. I would just block it at the firewall. It’s probably just a multicast from your system (host) looking for members.

Here’s a link to IGMP

http://www.freesoft.org/CIE/RFC/1112/18.htm


As a rule of thumb, you should build a list of what the firewall needs to pass and then lock everything else down. In practice, we lock it all down and then open as needed. Often, we apply filters to the PIX’s on a per machine basis. Allowing all internally originating traffic is no longer seen as acceptable.

PS: TM's antivirus has had some bigtime patch blowups in the past.

Re: OT - IGMP Protocol query
 

"PS: TM's antivirus has had some bigtime patch blowups in the past. "
I didn't notice that when I used it, then again, I had a fast connection to download the patches with, and I had a huge HD anyhow.

Re: OT - IGMP Protocol query
 

I had it on a small net with about 15 clients, two times in a 1 year period it blew up during update installs. Once it needed to be reinstalled and once it forced me to reload the systems. (thank god for ghost) Both times it was a known issue that they pushed the update out with. After that, I only support Norton in the contracts. If they want to skimp on AV, then it's T&M if it goes down.

Re: OT - IGMP Protocol query
 

I'm going to block all IGMP anyway, just wondering why a brand new XP box would be using it.
We've had TM for over 18 months now, with no patch problems.
I have a huge issue with them not detecting old viruses if the file size of the Virus has been changed. We have been hit twice like this, while our other Anti-Virus software detected the Virus.
Their GM was over-heard saying at a lunch meeting, that Anti-Virus software is the Last line of defense so if it is used, then your security is already failed.
Could be true, but it doesn't give them an excuse for their software not working. http://forum.shrapnelgames.com/images/smilies/frown.gif

Re: OT - IGMP Protocol query
 

That's the only correct way to do it IMHO. Lock it down, watch the logs and look what bounced, then open if you know what service is responsible for the hit.