ATTN ZONE ALARM USERS...

I recently installed port explorer on my computer. One of the first things I noticed was that vsmon.exe/True Vector Service, the main component of Zone Alarm, was connecting to my router on port 0, using the protocol IPv6.

I was wondering if any Zone Alarm users out there noticed any similar activity from vsmon.exe or true vector service, and if anyone knows why this is happening. I was concerned because I once heard something about port 0 being used to circumvent firewalls, and IPv6 is a somewhat unusual protocol.

I contacted Zone Alarm support but they were of little help stating that they would "hopefully" be able to email me an answer some time later next week.

Thanks in advance to anyone who can offer advice!

 

In the new version of ZA Zone Labs has added support for IPv6, PE on my workstation shows 3 vsmon.exe connections.

vsmon.exe IPv6 0.0.0.0:0 192.168.1.1:0 (Status is blank) ...
vsmon.exe UDP 192.168.1.x:491 192.168.1.1:491 Listening ...
vsmon.exe TCP 0.0.0.0:0:1028 0.0.0.0:0 Listening ...

As to why it's using port '0' on the router, no idea ... but I've got it to on both IPv6 and TCP protocols.

I also noticed that ZA causes 'explorer' to connect to AKAMAI Corp on port 80 upon boot up, I added a firewall rule to block the ip range (208.38.45.128-255) they are using, but it still goes out. Maybe you could ask them what that is all about, provided you get it too of course.

 

I contacted Zone Alarm support and they claim that vsmon.exe is NOT supposed to be connecting to my router on port 0 using IPv6. However I have uninstalled and reinstalled Zone Alarm on several machines now and always see the same strange activity from vsmon.exe.

It was weird because Zone Labs at first would not disclose anything about this activity by vsmon.exe. They would neither confirm or deny that this connection was expected by vsmon.exe, citing the need for secrecy as this is a security product. I sent them an email stating that if they could not tell me why their product was creating connections from my computer I would be forced to post to several security/hacking sites to look for an answer. Right away I got a bunch of emails stating that my case had been moved up to a higher level of support, and this morning I got the email stating that this connection to port 0 on my router using IPv6 is NOT expected behaviour for vsmon.exe.

So what gives here? We both have the same "rouge" connections being created by vsmon.exe, but this is NOT expected activity? It would seen that for some reason I am not being told the truth. All I ever wanted to know is if this connection could present a security threat, or indicate that vsmon.exe was corrupted. I really resent the fact that Zone Labs is making me go to all this trouble and waste all this time, just to find out why their product is creating connections out of my computer. As they say at grc.com, "Its MY computer!" and I believe we have the right to know what our computers are really doing, who they are communicating with, and why!

 

Guysmilie,

Have a read of this thread at DSRL. http://www.broadbandreports.com/forum/remark,11818674~mode=flat It starts off talking about privacy then quickly people notice ZA 'calling out' to the Zone Labs servers. Then everyone jumps in(including me) with log files and such showing contact with Zone Labs. My experience was with VSMON.EXE

It's a fascinating read.

muf

 

As a loyal user of Zone Labs products, I must say that I am interested in this thread. I own Port Explorer, but admit that I'm not an expert at using it to its full capabilities. However, I think that PE is capable at "spying" on ports. Has anyone tried spying on the port and seeing what is being transmitted? That may help assess the situation. I wish I knew more about using Port Explorer's spying capability. I think that it only shows hexidecimal data, but I imaging that there is some way to conver the hex to binary or ASCI characters to see what is actually being transmitted. Again, I'm no expert in this field.

Something came to mind...when you are setting up Zone Alarm it asks you if you want to allow Zone Alarm to communicate your settings to aid in the development of future versions. Could this be what's causing the communication?

 

Dallen,

That's correct, it has "packet-sniffing" capabilities where you can actually log the data that is transmitted over ports.

Have a quick peek in the helpfile. It's actually very easy to use, try it once for a few minutes with your email client and you'll get the hang of it very quickly, and from that point on you'll be able to use another investigative weapon in your arsenal.

It shows both the hexadecimal and ASCII versions in the same output. Sample:

Code:

 5061 7373 776F 7264         Password

 

Wayne - DiamondCS,
Sorry for my horrible typos. I didn't realize how bad they were until you quoted me. Anyway, I will take the time to read over the helpfile. I've always known that Port Explorer was one of my best pieces of software, if I'd just take a little time to better understand it. Now I think I will...Thanks.

 

I tried using the packet sniffer, but had little sucess. I believe that this may be due to the protocol, IPv6, which is being used, although I'm really not sure. Perhaps someone from DiamondCS could help here.

Aswell you may be interested to see part of the email I got from Zone Labs support:

"Thank you for your reply Mr. (name removed to protect privacy),

I understand that the issue you are having is the recently installed
port explorer is
reporting that TrueVector is using IPV6 on port 0.

ZoneAlarm does not support or use any form of IPV6.

Should you need support again at any point, for fastest results
please be sure to use the web-based support systems:
http://www.zonelabs.com/store/content/support/form.jsp

--------------------------------------
This Information Applies to:

All ZoneAlarm Products"

So what is really going on here? How could we all have this connection from vsmon.exe using IPv6 if Zone Alarm "does not support or use any form of IPV6."(an exact quote from Zone Labs support email) I suspect this may be a type of data mining. When you set up Zone Alarm it gives you the option to share your settings "anonymously" with Zone Labs. This probably tells them what programs you use that interact with Zone Alarm so that they can try to improve their product. This in itself could pose a security risk, for if an attacker was able to see all programs which have been given internet access (arp redirect/packet sniffing) he/she could use this information to attack a specific application or port which has already been granted internet access.

When I set up Zone Alarm I chose NOT to share my settings, to see if this connection would disappear, but it is still there. If my suspicions are correct then it would appear that Zone Alarm shares your settings regardless of wether you choose to opt out or not! If this is the case then shame on you Zone Labs. Perhaps this is why support was so wishy washy about giving me a straight answer on this subject.

The other possiblities that have been suggested are: Automatic updates, Email monitoring, AV monitoring, Privacy control, or the advanced option "automatically check the gateway for security enforcement". However I have tried disabling each of these features and the connection by vsmon.exe on port 0, using IPv6 persists.

Either everybodys copy of vsmon.exe has somehow been corruped, or Zone Labs is not telling the truth about what their product is doing. I suspect if we dig deep enough we will discover the truth! I urge readers to email Zone Labs support and demand to know what this connecton is. I would be very interested to hear the repLIES Zone Labs support sends out.

Remember its YOUR computer. You have the right to know what information is being collected from, and sent by, YOUR computer! ;-\

 

Hi guysmilie, As this is not a Port Explorer support question I have moved the thread to a mor appropriate forum where it may receive better attention.

Thanks. Pilli

 

Hi, folks--

I'm hip-deep in the discussion at DSL Reports, referenced above. To save you time, I've copied below the official statements from Zone Labs. To sum up, we're not spyware. You can disable any communication between our clients and our servers. (Some people have followed the instructions below incorrectly--following all the steps below DOES disable all communication.) If you read the DSL Reports thread, focus in on page 17 and later, with my latest posts, and people agreeing that the behavior matches what Zone Labs says.

Thanks!

Corey

Corey Bridges
Senior Manager, Corporate Communications
Zone Labs, A Check Point Company


***
Q: Why does Zone Labs software contact Zone Labs?
A: The ZoneAlarm family of products offers a number of features and services that enhance your security by providing specific information about threats, configurations, and programs. To enable these services, ZoneAlarm security products communicate periodically with Zone Labs servers. Of course, this communication is done on an "opt in" basis; it is your choice to decide to take advantage of these features and services.

Zone Labs is committed to your privacy, and never collects any personally identifiable information about our users. Any information that does come to Zone Labs servers is used in aggregate form. For Zone Labs' full legal statement on privacy, please refer to http://www.zonelabs.com/store/content/company/privacy.jsp The information that is exchanged with the servers below is stripped of identifying data, and is not saved.

Each one of these features and services is voluntary; you can easily choose not to use any or all of them.

Following is a list of the servers that your client might contact, and the functionality they provide.

cm2.zonelabs.com assists in the functioning of various services including the AlertAdvisor, antivirus updates, and antivirus monitoring.

hs2.zonelabs.com helps your client keep its services up to date.

ls2.zonelabs.com manages information relating to program configuration.

pa2.zonelabs.com manages the Program Advisor functionality.

ps2.zonelabs.com helps with updates to services and client functionality.

update.zonelabs.com supports the "Check for Update" functionality.

register.zonelabs.com handles product registration.

****
The ZoneAlarm family of products offers a number of features and services that enhance your security by providing specific information about threats, configurations, and programs. To enable these services, ZoneAlarm security products communicate periodically with Zone Labs servers. Of course, this communication is done on an "opt in" basis; it is your choice to decide to take advantage of these features and services.

Here are the steps to take to disable any contact between your ZoneAlarm product and Zone Labs servers. NOTE: Disabling these features will limit the functionality of the security product, in the ways described below.

Turn off Antivirus monitoring found in ZoneAlarm, ZoneAlarm with Antivirus, ZoneAlarm Pro, and ZoneAlarm Security Suite. Choose Antivirus Monitoring (or Antivirus) | Main, and set Monitoring to Off. Disabling this feature will prevent the program from informing you when your antivirus solution from vendors like Norton, McAfee, Trend or CA is out of date or disabled.

Turn off automatic updates to Antivirus Protection, found in ZoneAlarm with Antivirus, ZoneAlarm Security Suite. Choose Antivirus | Main, and click the Antivirus Options button. The Advanced Antivirus Settings dialog appears. Select Updates from the list on the left, and uncheck "Disable Automatic Updates." Disabling this feature prevents your ZoneAlarm product from automatically updating its antivirus definitions, radically reducing its effectiveness against new viruses.

Disable Program Advisor (security advice from the AlertAdvisor) found in ZoneAlarm Pro and ZoneAlarm Security Suite. Choose Program Control | Main, and set the AlertAdvisor slider to Off. This feature can normally be run in automatic or manual mode. If you shut it off entirely, you won't have program access permissions assigned automatically, and you won't receive recommendations in manual mode. You will instead be asked to manually confirm (without advice) whether each new program, when launched, can access the Internet.

Disable sharing your security settings, found in ZoneAlarm Pro and ZoneAlarm Security Suite. Choose Overview | Preferences, and uncheck "Share my security settings anonymously with Zone Labs." With this feature disabled, you won't be sharing your configuration information with Zone Labs. Zone Labs aggregates and analyzes this anonymous information to improve performance of our products.

Disable automatic Check for Update functionality, found in ZoneAlarm Pro and ZoneAlarm Security Suite. Choose Overview | Preferences, and set the Check for Updates button to Manual. With this feature disabled, you won't be automatically notified when Zone Labs releases a new version of our products. You should make sure you continue to click the manual "Check for Update" button every few weeks, so you don't miss a product update.

 

Or we could just opt for a firewall that doesn't feel the need to Phone Home at all, the purpose of a firewall is to PREVENT unneeded/unsolicited traffic and NOT to generate traffic of it's own.

 

Give Corey the credit for taking the time to post the solution. That said, the ZA 5.x engine is NO GOOD. The darn thing does not remember the last viewed screen after a reboot. The firewall is less responsive (speed wise) when compared to version 4.5. Too many bells and whistles.

I'd like to be able to customize the ADBLOCKER. Cookies manager and cache cleaner should support Firefox. And get rid of the antivirus update detector. Keep the program small, light, and easy to use. Most users DON'T need the complexity of Outpost or Kerio.

 

Well said Nod32_9, I agree. They might need it but don't want it thats for sure.

 

Corey no matter what za says following the instructions you posted does not work. What gives?

 

I ran Zonealarm Pro for years and after all the troubles associated with version 5.xx, I moved on to a pure firewall without all the bells and whistles. Look N Stop is my choice nowadays, as I don't want an all inclusive package, which gives me nothing but problems. The changes that Checkpoint and Symantec have put in place has been their downfall, with many customers moving on to more dependable products.

So far Nod32 and Look N Stop have been the software of choice, and will continue to remain so, as long as they don't attempt to compete with Norton and Zonealarm by adding all those bells and whistles. I don't want nor need all the bells and whistles. I only want dependable products that serve my needs.

My gain is their loss, as they have lost my financial support for their products. Customer satisfaction is more important than greedy profits.

 

I have the free Zone Alarm and I have noticed a frequent request from ZA to "check for updates for ZA". I have chosen not to send each time but the message continues to pop up. It is irritating. How do I stop this in the free ZA?

 

Hi Sue,
I don't have the free version but this may work in the free also. Open up za and under preferences > check for updates> make sure the auto update box isnt checked. Place a checkmark on Manually.
Greg

 

I sure hope marketing and sales departments are listening to this. I am sure it is not just being talked about here at the Wilders! Another thumbs up from me. Less crap for lite and very effective protection is always the better security product. My fear is the competitive nature of the business will cause more poorly functioning stupid stuff to be loaded on forcing those of us who think this way (like the quote above) to make choices that we really would rather not make. Another words we will be forced to chose between the lesser of two evils (less crap but still crap instead of a load of crap). Time will only tell.

 

A better solution is to include a comprehensive installation menu like Office. The user can install all the bells and whistles, selected components, or just the basic firewall.

It's time to send these software engineers back to Design 101!

 

That would be great for ZA... pick and choose the crap you want or don't want.. Just the basic firewall would be very nice...

 

I have read this thread with interest.
Am using ZA Pro 5.5.062.004
Am not a pro but get a bit concerned...
Have followed the instructions given from ZA but the IPv6 -thing is still showing up in my PE v.2.0
I am not able to tell if there is a traffic or not.
Where else is this matter discussed??
Michael

 

On the subject of the latest ZoneAlarm Free I recently tried it on a fresh installation of WindowsXP Pro, P2.60ghz, 512mb RAM and immediately after the internet connected, it Blue-Screened.

It worked fine on my box but I no longer trust it.
Hello Sygate.

 

Did you install the Microsoft TCP/IP version 6 protocol for your NIC?
If so, and you do not need or use it, uninstall it and see if that resolves your issue.

Regards,

CrazyM