Port 2868: Norman Proprietary Event Protocol — A Registered Ghost

What This Port Is

Port 2868 is a registered port—it has a name and an IANA entry—but you are almost certainly never going to encounter it. It was assigned to the Norman Proprietary Event Protocol (NPEP), an internal communication protocol used by Norman security software to handle event messaging between its components.

Norman was a Norwegian antivirus and endpoint security company founded in 1984, pioneering sandboxing techniques for malware analysis. AVG Technologies acquired Norman Safeground in November 2014. The product line was folded in. The port registration remains.¹

The Registered Ports Range

Port 2868 sits in the registered ports range: 1024 through 49151. Here is what that means:

• Well-known ports (0–1023): Assigned by IANA for foundational Internet services. HTTP, HTTPS, SSH, DNS. These require elevated privileges to bind on most systems.
• Registered ports (1024–49151): Organizations and vendors can register ports with IANA for their specific applications. No privilege required to bind. No guarantee anyone is actually using them.
• Dynamic/ephemeral ports (49152–65535): Used temporarily by client applications for outbound connections. Not registered, not assigned.

Registration in the 1024–49151 range means someone filed the paperwork with IANA and received an official number. It does not mean the protocol is widely used, actively maintained, or that you will ever see it in the wild. There are thousands of registered ports for products that no longer exist.

Is Anything Using It Today?

Probably not, unless you are running very old Norman antivirus software on a legacy system. NPEP was a proprietary protocol for internal component communication—not a general-purpose service that other software adopted. When Norman's products were discontinued, NPEP went with them.

If you are seeing traffic on port 2868 on a modern system, it is worth investigating. It is not a known malware port, but unrecognized open ports always deserve a look.

How to Check What Is Listening on Port 2868

macOS / Linux:

# Show which process is listening on port 2868
sudo lsof -i :2868

# Or with ss (Linux):
sudo ss -tlnp | grep 2868

Windows (Command Prompt):

netstat -ano | findstr :2868

The last column is the process ID (PID). Cross-reference it in Task Manager or with:

tasklist | findstr <PID>

If nothing returns, nothing is listening. That is the expected result on any modern system.

Why Registered-But-Dormant Ports Matter

The registered ports range contains thousands of entries like this one: legitimate at the time of registration, obsolete today. This is not a flaw in the system—it is an artifact of how the Internet grows. Protocols are registered optimistically, companies get acquired or shut down, and the registry preserves the record.

The practical implication: not every registered port number corresponds to active infrastructure. When you see an unfamiliar port open on a system, check what is listening—not just what IANA says should be there.