I was wondering if anyone has come across the problem of a brand new Windows XP machine sending IGMP packets to the address of 224.0.0.22.
Any suggestion or links as to how I can stop this from happening?
Thanks.

Virusscan, spyware scan. Try ad-aware and um...spybot S&D. That's what everybody here seems to recommend.

Where did you get this info from? Firewall?

Looks like the system is asking a router for info on other systems in its group. Is the system in the workgroup named "workgroup"?

This is a new Test XP machine, that I built to test a new Internal Firewall on our Domain. This Fireall is blocking the IGMP packets and brought it to my attention.
At least a couple of times a day, the XP machine sends packets to the address of 224.0.0.22, which routes to igmp.mcast.net
We are not using any Multicasting software, and this XP box is pure Windows XP, no other software except for the Virus/Firewall client that I am testing.
Suggestions?

http://www.webopedia.com/TERM/I/IGMP.html
Not exactly a wordy definition.
I can't find what mcast.net is. I haven't been able to ping it or anything. Whois comes up blank. I can't say what that is or what it is doing. What brand of A/V stuff are you using? Firewall?

Thanks Instar.
I am testing TrendMicro OfficeScan Anti-Virus software and Firewall.
There is a couple of references to igmp.mcast.net but not why XP would be attempting to connect to it, once a day.

I used to use Trend Micro. It was good enough.
Anyhow, its a weird thing, trying to contact a non-existant site (unless its an evil government plot! The ILLUMINATTI are coming!)
Its a multicast IP protocol... hmm
No harm in continuing blocking it. I know IE has a toolbar thing that Adaware considers spyware. Get Adaware on disk and see what happens when you run it.

It’s an unassigned IGMP address. I would just block it at the firewall. It’s probably just a multicast from your system (host) looking for members.

Here’s a link to IGMP

http://www.freesoft.org/CIE/RFC/1112/18.htm


As a rule of thumb, you should build a list of what the firewall needs to pass and then lock everything else down. In practice, we lock it all down and then open as needed. Often, we apply filters to the PIX’s on a per machine basis. Allowing all internally originating traffic is no longer seen as acceptable.

PS: TM's antivirus has had some bigtime patch blowups in the past.

"PS: TM's antivirus has had some bigtime patch blowups in the past. "
I didn't notice that when I used it, then again, I had a fast connection to download the patches with, and I had a huge HD anyhow.

I had it on a small net with about 15 clients, two times in a 1 year period it blew up during update installs. Once it needed to be reinstalled and once it forced me to reload the systems. (thank god for ghost) Both times it was a known issue that they pushed the update out with. After that, I only support Norton in the contracts. If they want to skimp on AV, then it's T&M if it goes down.

I'm going to block all IGMP anyway, just wondering why a brand new XP box would be using it.
We've had TM for over 18 months now, with no patch problems.
I have a huge issue with them not detecting old viruses if the file size of the Virus has been changed. We have been hit twice like this, while our other Anti-Virus software detected the Virus.
Their GM was over-heard saying at a lunch meeting, that Anti-Virus software is the Last line of defense so if it is used, then your security is already failed.
Could be true, but it doesn't give them an excuse for their software not working. http://forum.shrapnelgames.com/images/smilies/frown.gif

As a rule of thumb, you should build a list of what the firewall needs to pass and then lock everything else down. In practice, we lock it all down and then open as needed.



That's the only correct way to do it IMHO. Lock it down, watch the logs and look what bounced, then open if you know what service is responsible for the hit.