Port 2967

What This Port Does

Port 2967 (TCP and UDP) was used by Symantec security products for internal enterprise communications. Specifically:

  • Symantec AntiVirus Corporate Edition (SAVCE) — client-server update distribution
  • Symantec Endpoint Protection (SEP) — the Group Update Provider (GUP) proxy listens here, acting as a local relay that pushes virus definitions to other clients without every machine hitting the central server directly
  • Symantec System Center (SSC-AGENT) — management console polling and status reporting

In a corporate deployment this port carried some of the most implicitly trusted traffic on the network: virus definitions and configuration from the antivirus server to every protected endpoint. Every host that was supposed to be defended listened on it, and firewall policy had to let it through. It was how the enterprise kept its defenses current.

The Port Range

Port 2967 falls in the registered ports range (1024–49151). These ports aren't reserved for system services like the well-known ports (0–1023), but a vendor can register one with IANA for a specific service. IANA lists 2967 (TCP and UDP) as ssc-agent, the Symantec System Center agent. The registration records Symantec's use of the number; what made the port a fixture of enterprise networks was the installed base, not the registry entry.

This is how most enterprise software ports come to matter: the vendor picks a number, registers it or doesn't, ships millions of installations, and the association becomes real through practice. The registry describes the convention. It says nothing about whether the traffic on the port is trustworthy.

The Security Incident

In December 2006, a worm called W32.Sagevo exploited a remotely triggerable stack overflow in Symantec Client Security and Symantec AntiVirus.[1] Symantec's advisory classed the flaw as an elevation of privilege, since the vulnerable service ran as SYSTEM, and a fix had been available for months before the worm appeared. Sagevo spread by scanning other hosts for the vulnerable Symantec service on port 2967 and sending a crafted overflow payload.

Once it had code execution, it lowered the host's security settings, downloaded additional malware, and connected to IRC servers to receive commands.

The software meant to protect you became the mechanism of infection. Port 2967 wasn't collateral damage; it was the entry point.

This is worth sitting with: the worm didn't disguise itself as something new. It used the exact channel that administrators had opened and trusted. Update distribution, the management heartbeat: that traffic pattern was known, expected, and allowed through the firewall. A host scanning the subnet on 2967 looked, to a rule that allowed 2967 between internal hosts, like more of the same. Sagevo walked in through the front door.

What's Listening Now

Symantec's enterprise security business now belongs to Broadcom, and Symantec Endpoint Protection still uses 2967 for GUP traffic by default. So the port is less common than it was, but it still appears on networks running SEP, and on legacy SAVCE deployments that were never retired.

If you see traffic on port 2967 on a network that doesn't run Symantec products, investigate. If you do run them, the questions are narrower but still worth asking: is every host accepting connections on 2967 actually a management server or a designated GUP, and is any client reaching out to more than one of them?

To check what's listening on this port (the port is used over both TCP and UDP, so list both):

# Linux/macOS
sudo ss -tulnp | grep ':2967'
sudo lsof -nP -i :2967

# Windows (netstat gives the owning PID; tasklist maps it to an image name)
netstat -ano | findstr :2967
tasklist /FI "PID eq <pid-from-netstat>"

On SAVCE the process bound to this port was Rtvscan.exe; on SEP clients it is the SEP client service. Anything else warrants scrutiny.
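The commands above answer the host-level question ("what is bound to 2967 here"). The network-level question is whether the 2967 traffic in your flow logs has the shape of an update fabric, many clients connecting in to a few approved servers, or the shape of Sagevo's scan, one host connecting out to many fresh addresses. The script below is an added example, not code from this page or from Symantec. The flow records, addresses and the approved-source list are constructed for illustration, and the log format (timestamp, source, destination, destination port per line) is an assumption.

```python
"""
Flow-log triage for port 2967 (added example; addresses and records are constructed).

Two findings are produced:
  unapproved - a 2967 connection whose destination is not an approved update
               source (management server or GUP). On a network with no
               Symantec at all the approved set is empty and every hit counts.
  scanners   - a source that reached many distinct destinations on 2967 within
               a short window. Clients talk to one GUP; a GUP answers the same
               clients. Fan-out to new addresses is the worm pattern.
"""
from collections import defaultdict
from dataclasses import dataclass

SYMANTEC_PORT = 2967


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds (constructed timestamps)
    src: str
    dst: str
    dport: int


def parse_flows(lines):
    """Parse 'ts src dst dport' records; blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport)))
    return flows


def triage_2967(flows, approved_sources, fanout_threshold=10, window=60):
    """Return {"unapproved": {dst: [srcs]}, "scanners": {src: peak_distinct_dsts}}."""
    port_flows = [f for f in flows if f.dport == SYMANTEC_PORT]

    # Rule 1: every 2967 server should be a known update source.
    unapproved = defaultdict(set)
    for f in port_flows:
        if f.dst not in approved_sources:
            unapproved[f.dst].add(f.src)

    # Rule 2: sliding window over each source's connections, counting
    # distinct destinations seen within `window` seconds.
    by_src = defaultdict(list)
    for f in port_flows:
        by_src[f.src].append(f)
    scanners = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        in_window = defaultdict(int)  # dst -> connections inside the window
        start, peak = 0, 0
        for end, f in enumerate(fl):
            in_window[f.dst] += 1
            while f.ts - fl[start].ts > window:
                old = fl[start].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= fanout_threshold:
            scanners[src] = peak

    return {"unapproved": {d: sorted(s) for d, s in unapproved.items()},
            "scanners": scanners}


# Constructed sample: one GUP (10.0.1.5) and one management server (10.0.0.10)
# are the approved sources; 10.0.1.40 talks to an unapproved server; 10.0.3.77
# sweeps forty neighbours on 2967 in forty seconds, the Sagevo shape.
APPROVED = {"10.0.1.5", "10.0.0.10"}
SAMPLE_LOG = (
    [f"{1000 + i} 10.0.1.{20 + i} 10.0.1.5 2967" for i in range(15)]   # normal clients
    + ["1020 10.0.1.40 10.0.2.9 2967"]                                  # unapproved server
    + [f"{1100 + i} 10.0.3.77 10.0.3.{i} 2967" for i in range(1, 41)]   # sweep
    + ["1150 10.0.3.77 10.0.1.5 80"]                                    # non-2967 noise
)


def run_sample():
    return triage_2967(parse_flows(SAMPLE_LOG), APPROVED)


if __name__ == "__main__":
    result = run_sample()
    print("scanners:", result["scanners"])
    print("unapproved servers:", len(result["unapproved"]))
```

The approved-source set is the same thing a firewall rule for 2967 should encode: clients may reach the management server and the GUPs, nothing else. Run over real flow data, the sweep detector's threshold and window need tuning to your subnet sizes; the point is that a GUP's peers are stable, while a scanner's are not.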

Why Registration Isn't Trust

Port 2967 illustrates something true about how the port system actually works: IANA registration is descriptive, not prescriptive. The registry records that Symantec uses the port; it says nothing about who is actually speaking on it. Software ships, deployments scale, and the port becomes part of network policy regardless of what the registry does or doesn't say.

The risk is that such ports exist in a gray zone. Firewall rules get written for them, usually as "allow 2967 between internal hosts" rather than "allow 2967 from clients to the management server and its GUPs". Traffic gets trusted on them. And when that trust is exploited, as it was in 2006, the damage is proportional to how deeply the port had been embedded in network policy: a worm that speaks the expected protocol on the expected port is indistinguishable from an update until it has already landed.

Every port is a promise. Port 2967 was a promise about the source and integrity of security updates. Sagevo broke that promise by speaking the right language on the right port.
