Who else uses Zone Alarm?


Sparda


Essentially yes, but it's what it might be sending home that is worrying.

yehh =|

any other open source firewalls?

so we can dump ZA

Agreed, but I really do need outbound control, and ZA Pro (at least) offers what I have found to be the best.

Link to comment
Share on other sites

bit of googling

No phoning home

By Paul Hales: Friday 10 February 2006, 09:36

JIM BORCK of Infoworld having originally caught Zone Alarm 'phoning home', was kind enough to send us the following work-around to stop the firewall connecting to four remote servers for whatever reason.

Jim's fix is better than the one we suggested previously, as it only blocks Zone Alarm's connections to those servers which do only Zone Labs knows what.

To implement the fix, add the following to your Hosts file:

127.0.0.1 cm2.zonelabs.com

127.0.0.1 hs2.zonelabs.com

127.0.0.1 ls2.zonelabs.com

127.0.0.1 pa2.zonelabs.com

Thanks Jim. µ

http://www.theinquirer.net/?article=29616

Link to comment
Share on other sites
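An added example, not part of the quoted article or of any post in this thread: a check that the four hosts-file entries above are actually in effect. It parses hosts-file text and reports, for each of the four names, whether it is missing, mapped only to loopback, mapped elsewhere, or mapped inconsistently. The status names and the sample file are constructed for illustration; on Windows the real file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# The four hostnames listed in the workaround above.
TARGETS = ("cm2.zonelabs.com", "hs2.zonelabs.com",
           "ls2.zonelabs.com", "pa2.zonelabs.com")

def parse_hosts(text):
    """Return {hostname: [ip addresses]} from hosts-file text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on any whitespace
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                             # not an address: skip malformed line
        for name in fields[1:]:                  # one line may carry several names
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table

def audit(text, targets=TARGETS):
    """Classify each target name (status labels are this example's own)."""
    table = parse_hosts(text)
    result = {}
    for name in targets:
        addrs = table.get(name, [])
        if not addrs:
            result[name] = "missing"             # name still resolves through DNS
        elif all(a.is_loopback for a in addrs):
            result[name] = "loopback"            # the workaround is in place
        elif any(a.is_loopback for a in addrs):
            result[name] = "conflict"            # duplicate entries disagree
        else:
            result[name] = "redirected"          # points at some other machine
    return result

# Constructed sample hosts file (192.0.2.10 is a documentation address).
SAMPLE = """\
127.0.0.1   localhost
127.0.0.1   cm2.zonelabs.com  HS2.ZoneLabs.com   # two names on one line
127.0.0.1   ls2.zonelabs.com
192.0.2.10  ls2.zonelabs.com
#127.0.0.1  pa2.zonelabs.com
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:20} {status}")
```
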

Yes, that's how I blocked ZA from accessing zonelabs.com (if you had read my blog carefully enough you would have seen that ;)), and that's what led me to finding that registar.asp entry, because instead of setting the DNS entry to point to nowhere, it points to my web server...

Link to comment
Share on other sites

OMG! Things have got worse, and what's worse, something else suspicious is happening!

First off, even when zonealarm is OFF, completely OFF, my computer still keeps querying my DNS server for Zonelabs.com! And what's worse, every so often my computer keeps sending a TCP packet or two to an IP address somewhere in Russia, notably it was on a bittorrent port, but when I "collected" these packets bittorrent was thoroughly off and my bittorrent port range on my router was closed!

I'm going to perform further tests and see what happens.

Link to comment
Share on other sites

The traffic to that IP on the bittorrent port has ceased (residual traffic???), but why was it there when bittorrent was off and ports on router were closed? I admit now that my reaction was a bit over the top (I'm not afraid to admit when I get things wrong), it turns out that the queries were not DNS queries but NBNS (NetBIOS naming service) queries, but why is Windows trying to use NBNS to resolve zonelabs.com?

Link to comment
Share on other sites
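An added example, not part of any post in this thread: telling an NBNS name query from a DNS query in captured UDP payloads. NBNS (UDP port 137, RFC 1001/1002) reuses the 12-byte DNS header, but its question name is a single 32-byte label in which every byte of the 16-byte NetBIOS name is split into two nibbles and offset from 'A'. The two packets below are constructed samples, and the function names are this example's own.

```python
import struct

def encode_netbios_name(name, suffix=0x00):
    """First-level encoding: pad to 15 chars, append suffix, 2 letters per byte."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))

def decode_netbios_name(label):
    """Reverse the encoding; returns (name, suffix byte)."""
    if len(label) != 32 or any(not 0x41 <= b <= 0x50 for b in label):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii", "replace").rstrip(), raw[15]

def question_labels(payload):
    """Walk the labels of the first question, which starts after the header."""
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question")
        n = payload[pos]
        if n == 0:
            return labels
        if n & 0xC0 or pos + 1 + n > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos + 1:pos + 1 + n])
        pos += 1 + n

def classify_query(dst_port, payload):
    """Return (protocol, queried name, NetBIOS suffix or None)."""
    labels = question_labels(payload)
    if dst_port == 137 and labels and len(labels[0]) == 32:
        name, suffix = decode_netbios_name(labels[0])
        return ("NBNS", name, suffix)
    if dst_port == 53:
        return ("DNS", ".".join(l.decode("ascii") for l in labels), None)
    return ("unknown", None, None)

# Constructed samples: a broadcast NBNS query (type NB = 0x0020) and a DNS A query.
NBNS_QUERY = (struct.pack(">6H", 0x1234, 0x0110, 1, 0, 0, 0) + b"\x20"
              + encode_netbios_name("zonelabs.com") + b"\x00"
              + struct.pack(">2H", 0x0020, 1))
DNS_QUERY = (struct.pack(">6H", 0x1234, 0x0100, 1, 0, 0, 0)
             + b"\x08zonelabs\x03com\x00" + struct.pack(">2H", 1, 1))

if __name__ == "__main__":
    print(classify_query(137, NBNS_QUERY))
    print(classify_query(53, DNS_QUERY))
```
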

Hey,

My suggestion is to try and find out a few more facts before jumping to conclusions. If you can "sniff the line" (a skill I don't have - yet) and build a profile of what your actions cause ZA to do, you will know if it is dialing home or just "auto-updating" or whatever.

A few other things to try might be to use some of the Sysinternals tools (tcpmon, diskmon come to mind) to see what program/process is triggering the network activity. Perhaps look at an outbound firewall connected to your NIC, I know some Nforce boards have them.

I hear Kerio personal FW is good, but I use ZA now, but that may change....

Finally, just because a process is called "Zonealarm.exe" doesn't mean it is from ZA.... If I was going to write malware, I wouldn't call it malware.exe, but rather windowsupdate.exe or McAfee.exe or whatever.

Keep us informed, I will probably look at my install tonight..

Link to comment
Share on other sites

  • 2 weeks later...

grr... Sparda - would've checked out your blog, but I have IE atm, so no go... however, I read this thread with interest...

I've heard lots of funny things about ZA along my 'net travels, but I find it odd that no matter how many times I install ZA on my machine - it disappears... gone... no sign of it...

however, even with no visible sign (no tray icon, no config windows etc... it appears to be uninstalled) it still seems to be active - I used it with my Win XP SP0 fw off because the XP fw was playing at blocking traffic, so I used ZA (which worked)... though since its mysterious disappearance it still seems to be working - and still with the configuration it was last set to - maybe I missed something and turned something off but I don't remember doing so and without touching any related settings after a totally normal reboot it just... well... disappeared...

still, I guess since I don't use it any more it doesn't really matter lol... I'd be interested to hear how your situation ends up though... if you find out what it's sending, do tell!

Link to comment
Share on other sites
