Port 3489: DTP/DIA — The Registered Ghost

What Port 3489 Is

Port 3489 sits in the registered port range (1024–49151). These are ports that vendors and developers can formally claim with IANA — the Internet Assigned Numbers Authority — to stake territory for their software and prevent collisions.

In theory, claiming a port means you intend to use it. In practice, it means someone filed the paperwork.

The Official Registration

IANA lists port 3489 as assigned to DTP/DIA — Data Transfer Protocol / Distributed Information Access — registered in May 2002 by Alexei V. Soloviev.¹

That registration is the beginning and end of the public record on DTP/DIA. No RFC. No documentation. No open-source implementation. No vendor that ships it. The protocol was registered and then, apparently, never happened.

This is not uncommon. The registered port range contains hundreds of ports claimed by software that was abandoned, acquired, renamed, or never shipped. The port number persists in IANA's registry long after the project disappears.

The Unofficial Use That Matters

Despite the official assignment, port 3489 is better known in network administration circles as a Symantec Endpoint Protection Manager (SEPM) port. Symantec's endpoint security product uses it for communication between the SEPM management console and the SEPM server.²

This is an unofficial use — Symantec never registered it with IANA for this purpose. But if you see port 3489 open on a Windows server running enterprise security software, that's almost certainly what it is.

Scanning Activity

The SANS Internet Storm Center logs occasional scanning activity against port 3489 from external IP addresses.³ This is typical for any registered port — automated scanners probe the full range looking for open services. It does not indicate an active exploit or vulnerability specific to this port.

How to Check What's Listening

If you see port 3489 open on a machine and want to know what's using it:

Linux / macOS:

sudo ss -tlnp | grep 3489
# or
sudo lsof -i :3489

Windows (PowerShell):

netstat -ano | findstr :3489
# Then look up the PID:
Get-Process -Id <PID>

If the process is java.exe or a Symantec service, it's almost certainly SEPM. If it's something else, it's worth investigating — a port with no well-known service is a useful hiding spot for software that doesn't want to be noticed.

Why Unassigned Ports Matter

The 65,535 ports aren't all well-known services. Most of the registered range (1024–49151) is a patchwork of software that came and went, protocols that never shipped, and corporate products that claimed territory and then quietly used it for whatever they needed.

That ambiguity is both useful and dangerous. Useful because software has room to operate without colliding. Dangerous because "I don't recognize this port" is exactly the mental state attackers rely on. An open port that doesn't match any known service is worth investigating — not because it's necessarily malicious, but because unknown should never mean ignored.