Firewall Alert Message - What is Origin?

Discussion in 'other firewalls' started by Dazed_and_Confused, Sep 25, 2005.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    A general firewall related question. I am using Zone Alarm Pro, and the Alert window says that my computer (port 3374) tried to send a TCP packet (Flag:S) to an external IP address (port 80). ZA blocked it. I've looked up the destination IP address, and it's apparently a major communications company. My question is - how can I tell what application on my computer is trying to send this packet of information? o_O ZA doesn't really say much about it. How frustrating!!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you know if you already had a connection to this host (or a site that may use it for providing content) at the time of the alert?

    Regards,

    CrazyM
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Not that I am aware of. Until I looked up the IP address, I'd never heard of the host before, but it appears to be a large communications (networking) company.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Have you checked the Event Log?
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Yes, but there is nothing more in there that is not displayed on the log window.
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Without detailed outbound logs it is hard to say. Were you surfing at the time? If so, the fact there was no program alert would suggest it was a permitted program and the firewall just dropped this particular outbound packet while connecting to a site or other server for content for the page you were viewing. I don't think it is anything to worry about.

    Regards,

    CrazyM
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    I don't believe I was surfing at the time, but think you're right, CM. :) I just find it strange a firewall would tell you that your computer tried to connect to the internet, but there is no way to determine which application tried to do the connecting. :(
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Any other Internet application being used, e-mail or IM? Do you have any advanced rules for your applications in ZA Pro, such as restricting your e-mail to remote services SMTP and POP3 only?

    Regards,

    CrazyM
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    In the newer ZAP the logs are broken down into several sections via that little drop down menu. There is Firewall, and I think Programs and a few others, not sure since I don't have it running now. But you might check each of these, especially the programs/apps section and look for anything that connected out at that time. Or perhaps you've already done this?
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    Guess what! I figured it out, thanks once again to my friends at DCS. This time it was Port Explorer that came to my rescue. I had it running all night long, logging all communications. And sure enough, this morning at 09:30 it happened again. And PE tells me the offender is: C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe, a.k.a. my most least favorite piece of security software. I'm going to have to go over to the ZA forum and find out what vsmon.exe is trying to do. I have it set to check for updates MANUALLY, and to NOT share settings with ZL.


    Another mystery solved. Thanks DCS, and all above who tried to assist. :D
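
Added example, not part of the original thread and not Port Explorer's or ZoneAlarm's code: one way to answer the thread's question (which program owns the outbound connection to remote port 80) from saved output of the Windows built-ins `netstat -ano` and `tasklist /FO CSV /NH`. The sample text, addresses and PIDs are constructed, and the function names are hypothetical; only local port 3374, remote port 80 and `vsmon.exe` come from the posts.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.168.1.5:3374       203.0.113.10:80        SYN_SENT        1420
  TCP    192.168.1.5:3390       198.51.100.7:110       ESTABLISHED     2104
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of `tasklist /FO CSV /NH` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","888","Console","0","4,120 K"
"vsmon.exe","1420","Console","0","18,332 K"
"msimn.exe","2104","Console","0","9,876 K"
'''

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon so IPv6 literals also work."""
    host, _, port = endpoint.rpartition(":")
    return host, port

def parse_tasklist(text):
    """Map PID -> image name from tasklist CSV output."""
    rows = csv.reader(io.StringIO(text))
    return {int(row[1]): row[0] for row in rows if len(row) >= 2}

def outbound_owners(netstat_text, tasklist_text, remote_port=80):
    """Return (local_port, remote_host, state, image) for TCP rows to remote_port."""
    names = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have exactly five columns; UDP rows have no State column.
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        _, local, remote, state, pid = fields
        rhost, rport = split_endpoint(remote)
        if rport != str(remote_port):
            continue
        lport = int(split_endpoint(local)[1])
        hits.append((lport, rhost, state, names.get(int(pid), "unknown")))
    return hits

if __name__ == "__main__":
    for hit in outbound_owners(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(hit)
```

A blocked SYN (the alert's "Flag:S") stays in the connection table only briefly as `SYN_SENT`, so a single snapshot usually misses it; capturing snapshots repeatedly over time, as the overnight logging in the last post did, is what makes the lookup reliable.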
     