Firewall Alert Message - What is Origin?

Discussion in 'other firewalls' started by Dazed_and_Confused, Sep 25, 2005.

Thread Status:
Not open for further replies.
  1. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    1,831
    Location:
    USA
    A general firewall related question. I am using Zone Alarm Pro, and the Alert window says that my computer (port 3374) tried to send a TCP packet (Flag:S) to an external IP address (port 80). ZA blocked it. I've looked up the destination IP address, and it's apparently a major communications company. My question is - how can I tell what application on my computer is trying to send this packet of information? o_O ZA doesn't really say much about it. How frustrating!!
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Do you know if you already had a connection to this host (or a site that may use it for providing content) at the time of the alert?

    Regards,

    CrazyM
     
  3. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Not that I am aware of. Until I looked up the IP address, I'd never heard of the host before, but it appears to be a large communications (networking) company.
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Have you checked the Event Log?
     
  5. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Yes, but there is nothing more in there that is not displayed on the log window.
     
  6. CrazyM

    CrazyM Firewall Expert

    Without detailed outbound logs it is hard to say. Were you surfing at the time? If so, the fact there was no program alert would suggest it was a permitted program and the firewall just dropped this particular outbound packet while connecting to a site or other server for content for the page you were viewing. I don't think it is anything to worry about.

    Regards,

    CrazyM
     
  7. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    I don't believe I was surfing at the time, but think you're right, CM. :) I just find it strange a firewall would tell you that your computer tried to connect to the internet, but there is no way to determine which application tried to do the connecting. :(
     
  8. CrazyM

    CrazyM Firewall Expert

    Any other Internet application being used, e-mail or IM? Do you have any advanced rules for your applications in ZA Pro, such as restricting your e-mail to remote services SMTP and POP3 only?

    Regards,

    CrazyM
     
  9. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    In the newer ZAP the logs are broken down into several sections via that little drop down menu. There is Firewall, and I think Programs and a few others, not sure since I don't have it running now. But you might check each of these, especially the programs/apps section and look for anything that connected out at that time. Or perhaps you've already done this?
     
  10. Dazed_and_Confused

    Dazed_and_Confused Registered Member

    Guess what! I figured it out, thanks once again to my friends at DCS. This time it was Port Explorer that came to my rescue. I had it running all night long, logging all communications. And sure enough, this morning at 09:30 it happened again. And PE tells me the offender is: C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe, a.k.a. my most least favorite piece of security software. I'm going to have to go over to the ZA forum and find out what vsmon.exe is trying to do. I have it set to check for updates MANUALLY, and to NOT share settings with ZL.


    Another mystery solved. Thanks DCS, and all above who tried to assist. :D
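
Added example, not part of the original thread: the port-to-process lookup that solved the question above can also be done by correlating `netstat -ano` output (which lists the owning PID per socket) with `tasklist /fo csv /nh` (which maps PIDs to image names). The sample outputs, addresses and PIDs below are constructed for illustration; only the local port 3374, remote port 80 and `vsmon.exe` come from the thread.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (Windows); addresses and PIDs are made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    192.168.1.20:3374      203.0.113.10:80        SYN_SENT        1432
  TCP    192.168.1.20:3391      198.51.100.7:443       ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    716
"""

# Constructed sample of `tasklist /fo csv /nh` output.
TASKLIST_SAMPLE = '''\
"svchost.exe","904","Services","0","4,112 K"
"vsmon.exe","1432","Services","0","18,640 K"
"firefox.exe","2210","Console","1","96,300 K"
"lsass.exe","716","Services","0","1,480 K"
'''

def parse_netstat(text):
    """Yield one dict per TCP/UDP row of `netstat -ano` output."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue  # skip banner, header and blank lines
        # UDP rows have no State column; the PID is always the last field.
        state = f[3] if f[0] == "TCP" and len(f) == 5 else ""
        _, _, lport = f[1].rpartition(":")
        rhost, _, rport = f[2].rpartition(":")
        yield {"proto": f[0], "lport": lport, "rhost": rhost,
               "rport": rport, "state": state, "pid": f[-1]}

def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    return {row[1]: row[0] for row in csv.reader(io.StringIO(text)) if len(row) >= 2}

def owner_of(local_port, remote_port, netstat_text, tasklist_text):
    """Return (image, pid, state) for the TCP socket named in a firewall alert, or None."""
    names = parse_tasklist(tasklist_text)
    for c in parse_netstat(netstat_text):
        if c["proto"] == "TCP" and c["lport"] == str(local_port) and c["rport"] == str(remote_port):
            return names.get(c["pid"], "<unknown>"), int(c["pid"]), c["state"]
    return None

if __name__ == "__main__":
    print(owner_of(3374, 80, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

A blocked outbound SYN exists only briefly, so a single snapshot will usually miss it; the lookup has to be fed from captures taken repeatedly over time, which is what leaving a logger running overnight accomplished in the thread.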
     