Got a reply from Christine.
Since this could be of interest for more than me, I'm posting the reply here:
Here is a list of domains and urls used by Immunet. Most of them use ports 80, 443.
These domains mostly useport 443/ssl, but may fall back to 80/http, and also occasionally use 32137 tcp & udp.
update.immunet.com
cloud-consumer-asn.immunet.com
cloud-nfm.immunet.com
fmd.immunet.com
submit.immunet.com
console.amp.cisco.com
https://crash.immunet.com
cloud-consumer-est.immunet.com
https://consumer-event.immunet.com
https://consumer-mgmt.immunet.com
https://policy.amp.cisco.com
50.16.57.96
50.16.120.26
50.16.122.1
50.16.157.87
67.202.39.9
174.129.187.1
184.72.79.33
184.72.92.143
public-cloud.immunet.com
ws.immunet.com
http://www.immunet.com/
http://support.immunet.com/
https://enterprise-m....sourcefire.com
current.cvd.win.clamav.net is accessed via a dns query (port 53), and returns the ip of the nearest least busy clam AV definitions server. Keep an eye on the Up to date icon in the bottom right of Immunity’s interface and if it’s not a green checkmark click update now and if it still doesn’t change to a green checkmark after the update finishes then likely immunet can’t reach the appropriate clamAV definitions sever.
Unfortunately the direct ip addresses immunet connects to aren’t necessarily long lived can’t reliably be whitelisted. There generally only used in the case of dns lookups failing continuously.