Skip to content
ProtocolPorts

Port reference

Port 5631 (TCP) – pcAnywhere

Symantec pcAnywhere remote-control data channel for legacy graphical remote access to Windows hosts.

tcpRegisteredCommonly attacked

Default state

Open on hosts running the discontinued pcAnywhere host service. Should not be present on modern systems; where it survives it is often unpatched.

Common attacks

  • Pre-auth buffer overflows in the pcAnywhere host service
  • Brute force of weak pcAnywhere authentication
  • Scanning for exposed legacy 5631 hosts to gain remote control
  • Eavesdropping on poorly encrypted sessions

CVE-2011-3478CVE-2012-0292

Hardening

  • Retire pcAnywhere — it is end-of-life and unsupported
  • If it must run, never expose 5631 to the internet; gate behind VPN
  • Restrict source IPs and require strong authentication
  • Apply the final Symantec security patches if still installed
  • Migrate to a maintained remote-access solution

nmap snippet

nmap -p5631 --script banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 5631?

Port 5631 is the data channel for Symantec pcAnywhere, a once-popular remote-control product that gave graphical remote access to Windows hosts. The pcAnywhere host listens on 5631 (with UDP 5632 used for status/discovery), and a remote operator drives the desktop much like VNC or RDP. The product is now discontinued and unsupported.

Why it matters for security

pcAnywhere is legacy software with serious, documented flaws, including buffer-overflow vulnerabilities such as CVE-2011-3478 and CVE-2012-0292. After its source code was exposed in 2012, Symantec itself advised disabling the product until patched. Any host still listening on 5631 is running unmaintained code that attracts scanners and is a prime target for remote compromise.

How it's attacked

Attackers scan for open 5631 and fingerprint the host service via its banner. Against unpatched installs they exploit pre-auth buffer overflows for remote code execution, or brute-force the weak authentication. Sessions with poor encryption can also be sniffed, exposing keystrokes and credentials.

Hardening checklist

The right answer is to retire pcAnywhere entirely — it is end-of-life. If a host must keep running it temporarily, never expose 5631 to the internet, gate it behind a VPN, restrict source IPs, require strong authentication, and apply the final Symantec patches. Plan a migration to a maintained remote-access solution and use the nmap snippet above to find lingering hosts you are authorized to assess.

Related ports

Port 5632Port 3389Port 5900Port 5938

Frequently asked questions

Is pcAnywhere still safe to use?
No. pcAnywhere is end-of-life and has well-documented buffer-overflow vulnerabilities. Source-code exposure in 2012 prompted Symantec to advise disabling it. Migrate to a supported tool.
What is port 5632 used for with pcAnywhere?
pcAnywhere uses TCP 5631 for the data/control channel and UDP 5632 for host discovery (status). Both should be closed on the internet edge.