IDFAQ: What Do These PC Anywhere Reports Mean?

PC Anywhere ports are clearly being targeted, but analysts are having a hard time sorting the benign from the malicious. Education is on part of this. Matt Scarborough has done a write up on PC Anywhere as shown below. If you have network traces that show the normal behavior of PC Anywhere that would be very helpful!

pcANYWHERE and network scans

Symantec's pcAnywhere client versions 7.5x and higher can scan a entire subnet for a host by setting the last octet of its host's TCP/IP address to 255. Entering multiple subnets is possible. Multiple subnets will be scanned. Trial versions of pcAnywhere are available for download from Symantec. This makes for an attractive hacking tool, and might account for some of the increased scans on the following ports.

pcAnywhere versions use the following ports by default.

ver - TCP - UDP

2.0 - 65301 - 22

7.0 - 65301 - 22

7.5 - 65301 - 22

7.52 - 5631 - 5632

8.x9.x - 5631 - 5632

Changing the default ports within the pcAnywhere client/host is possible. You can prevent a pcAnywhere host from answering a remote scan by creating and setting this Registry DWORD value to 0 HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\pcANYWHERE\CurrentVersion\
System\DisplayHostInList

References:

http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/199732093939
http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/1998122810210812
\http://service1.symantec.com/SUPPORT/pca.nsf/pfdocs/1997471006

---