
The Status Channel for a Dead Protocol

Port 5632 is officially registered with IANA for pcANYWHEREstat, the status and discovery component of Symantec's pcAnywhere remote desktop software.1 This is a registered port (in the 1024-49151 range) with a legitimate IANA assignment, but the software it served has been discontinued since 2014.

When pcAnywhere was alive, port 5632 carried the UDP broadcasts that let hosts announce their presence and let clients discover them. It was the handshake before the handshake: the moment when a technician's computer would ask "is anyone out there?" and a remote host would answer "I'm here, I'm available."

The actual remote desktop data flowed over TCP port 5631. Port 5632 was just for status, for discovery, for that first hello.

How pcAnywhere Used This Port

pcAnywhere was a two-port protocol:

Port   Protocol   Purpose
5631   TCP        Data transfer (screen updates, keyboard input, file transfers)
5632   UDP        Status broadcasts, host discovery, initial negotiation

When you launched pcAnywhere's client and it showed you a list of available hosts on your network, that list came from UDP broadcasts on port 5632.2 The port handled:

  • Host discovery broadcasts
  • Status information exchange
  • Connection availability announcements
  • Initial authentication challenges

Earlier versions of pcAnywhere (before 7.5) used different ports entirely: UDP 22 and TCP 65301. The standardization on 5631/5632 came with version 7.52 in the late 1990s.3

A Brief History of pcAnywhere

pcAnywhere was remote access before remote access was cool. Or dangerous.

1986: Dynamic Microprocessor Associates (DMA) releases pcAnywhere 1.0 for DOS. It let you control one computer from another over a modem, at speeds of 300-1200 baud. This was revolutionary.4

1991: Symantec acquires DMA for approximately $22 million. The software becomes Norton pcAnywhere.4

1993: Norton pcAnywhere 1.0 for Windows ships, bringing graphical remote access to the masses.

Late 1990s: pcAnywhere becomes the standard tool for IT departments. When you called tech support and they said "let me take a look at your screen," they were probably using pcAnywhere.

2000s: The product expands to Linux, Mac OS X, and mobile platforms. Features like AES-256 encryption get added.4

January 2012: Symantec reveals a security breach and tells users to stop using pcAnywhere pending fixes.4

February 7, 2012: The source code is leaked via The Pirate Bay. The nightmare scenario for any security software.4

May 2014: Symantec officially discontinues pcAnywhere.4

November 3, 2015: End of support. The product is truly dead.

Security: Why This Port Is Dangerous

If you see traffic on port 5632 today, something is wrong.

pcAnywhere had serious security vulnerabilities even before its source code was leaked:

CVE-2011-3478: A critical remote code execution vulnerability in the awhost32 component. An attacker could send a malformed authentication request with an oversized username, overflow a buffer, and execute arbitrary code as SYSTEM.5 This was bad.

CVE-2011-3479, CVE-2012-0291, CVE-2012-0292: Related vulnerabilities in the same authentication flow.6

Credential Exposure: pcAnywhere 11.5.x and 12.0.x stored the most recent login credentials unencrypted in process memory.6

The Source Code Leak: After February 2012, attackers had the actual source code. They could find new vulnerabilities faster than Symantec could patch them. This is why Symantec killed the product.

Any system still running pcAnywhere in 2025 is a security incident waiting to happen. There are Metasploit modules specifically designed to exploit pcAnywhere installations.5

What Traffic on Port 5632 Means Today

If you see UDP traffic on port 5632:

  1. Legacy pcAnywhere installation: Someone is running a 10+ year old remote access tool with known critical vulnerabilities. Find it. Remove it.

  2. Scanning activity: Attackers probe this port looking for old, unpatched pcAnywhere hosts. They know these systems exist in forgotten corners of enterprise networks.

  3. Custom application: Someone repurposed this port for their own service (unlikely but possible).
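One way to triage flow records against the cases above, as an added example that is not part of the original page. The record format, the sample addresses, the `triage` function name and the scan threshold are constructed assumptions.

```python
from collections import defaultdict

PCA_STATUS_UDP = 5632  # pcANYWHEREstat: discovery and status
PCA_DATA_TCP = 5631    # pcAnywhere data channel

# Constructed sample records (assumed format): proto src_ip src_port dst_ip dst_port
SAMPLE_FLOWS = """\
udp 203.0.113.9 40112 10.0.0.5 5632
udp 203.0.113.9 40112 10.0.0.6 5632
udp 203.0.113.9 40112 10.0.0.7 5632
udp 10.0.0.7 5632 203.0.113.9 40112
udp 10.0.1.20 51000 10.0.1.255 5632
tcp 10.0.1.20 51422 10.0.1.30 5631
tcp 10.0.2.4 44321 10.0.2.8 443
"""

def triage(flows_text, scan_threshold=3):
    """Sort addresses into the follow-up cases a defender cares about."""
    probed = defaultdict(set)  # sender -> distinct hosts it queried on 5632/udp
    hosts = set()              # answered from 5632/udp or was dialled on 5631/tcp
    for line in flows_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not (fields[2].isdigit() and fields[4].isdigit()):
            continue  # skip malformed records instead of failing the whole run
        proto, src, dst = fields[0].lower(), fields[1], fields[3]
        sport, dport = int(fields[2]), int(fields[4])
        if proto == "udp" and dport == PCA_STATUS_UDP:
            probed[src].add(dst)
        if proto == "udp" and sport == PCA_STATUS_UDP:
            hosts.add(src)  # a reply sourced from 5632 means something is listening
        if proto == "tcp" and dport == PCA_DATA_TCP:
            hosts.add(dst)  # session attempt on the data port
    scanners = {s for s, d in probed.items() if len(d) >= scan_threshold}
    return {
        "hosts_to_inspect": sorted(hosts),
        "likely_scanners": sorted(scanners),
        "discovery_senders": sorted(set(probed) - scanners),
    }

if __name__ == "__main__":
    for label, addrs in triage(SAMPLE_FLOWS).items():
        print(f"{label}: {', '.join(addrs) or '-'}")
```

Addresses under `hosts_to_inspect` are the machines on which to run a local listener check; `discovery_senders` are likely pcAnywhere clients that still need removing.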

To check what's listening on port 5632:

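# Linux and macOS (lsof is available on both; -nP skips name lookups)
sudo lsof -nP -i :5632

# Linux only (macOS netstat does not accept these flags and has no ss)
sudo netstat -tulpn | grep ':5632'
sudo ss -tulpn | grep ':5632'

# Windows (Command Prompt)
netstat -ano | findstr ":5632"

# Windows (PowerShell)
Get-NetTCPConnection -LocalPort 5632
Get-NetUDPEndpoint -LocalPort 5632    # pcANYWHEREstat is UDP, so check this one too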

The Ghost Port

Port 5632 is officially registered with IANA. The registration lists Jon Rosarky as the assignee, with a Symantec email address.1 That registration persists even though:

  • The software is discontinued
  • The company (Symantec) has been acquired and restructured multiple times
  • The email address probably doesn't work anymore

This is how ports become ghosts. The protocol dies, but the registration endures. IANA doesn't automatically reclaim ports when software is discontinued. The number 5632 will likely remain assigned to pcANYWHEREstat for years, maybe decades, a memorial to remote access software that helped millions of IT workers do their jobs before modern alternatives existed.

Port Range Context

Port 5632 falls in the registered port range (1024-49151). These ports are:

  • Registered with IANA for specific services
  • Not privileged (don't require root/administrator to bind)
  • Supposed to be used for their registered purpose

The registered range sits between the well-known ports (0-1023, reserved for fundamental protocols like HTTP, SSH, and SMTP) and the ephemeral ports (49152-65535, used for temporary connections).

pcAnywhere followed the rules. It registered its ports properly. It documented how they should be used. And then it died, leaving its port assignments behind like a name on a mailbox at an abandoned house.
