How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    ZA Question:

    I just looked at my ZoneAlarm log and noticed an entry that C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe successfully accessed destination IP 216.73.86.152:53 -- which points to annymegaadvip2.doubleclick.net

    The comments section states:

    Description: Zone Labs Client requested permission to access the internet
    Rating: High

    Why would my ZoneAlarm client be hitting a DoubleClick ad server?

    Operating System: Windows XP Home Edition
    Product Name: ZoneAlarm (Free)


    Why indeed, for some years ZA has been tagged with the phone home issues. The vendor is somewhat less than transparent on this matter.

    I have personally found unwanted calls to sites that had zip to do with maintaining the product in spite of heated posts from the ZA advocates which inhabit these regions. Thanks for the extra IP I will add it to my growing list of computers to block. But I fear it is futile like the myth of the little boy trying to plug holes in the dam.

    Now you know the value of doing trials with software before laying out real $.

    if you are staying with ZA free be aware it has the whole package KAV and all waiting to be activated and it will nag you to buy buy buy.

    My advice would be look at this thread post by post from # 1
    change all your setting in program control to ask and in the case of the internet zone set all of them to a red X if free will allow that. I can't remember.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Hi!
    ZA is not designed to block itself but to control third party software installed on your system and when you start to work with blocking it via IP lock it will simply behave oddly. Also try to limit the entries in the firewall tab and use more the program control tab to monitor outgoing packets.

    Unless you leave ZA free to work, you will see confused reporting about zlclient.exe or other ZA system files trying to communicate with SS, WEB, whatever programs are installed.

    In this specific case it looks like a DNS lookup while you were browsing the net (probably some advertising within a web page).

    The only way to understand the origin of packets leaving your system (with ZA set to block itself) is to install other sniffer software, like, for example, the one suggested by Cold Pizza.

    Hope this helps.
    Fax
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    FYI, this was a deleted question and answer from the "other" forum:D
     
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    You mean you are not interested anymore on the answer?
    Sorry I can't follow...

    Fax
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Further observations , the full site name is report.bitdefender.com, ip is 80.86.106.67 (the site name got bleeped out at ZA user forum)

    Recommend ALL ZA Pro users to add this ip to blocked sites in FW zones ASAP. Since I blocked it after 1 attempt by zlclient then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.

    My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.

    I am now going to ask BD support if they own the site using their product name.

    Will report back later.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    You are acting like a virus... :D in fact many viruses add "report.bitdefender.com" to the HOST file in order to block BD functionality...

    report.bitdefender.com is legit...

    But that IP does not correspond to report.bitdefender.com but to:

    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Information related to '80.86.106.0 - 80.86.106.255'

    inetnum: 80.86.106.0 - 80.86.106.255
    netname: INES-DATACENTER-NET
    descr: iNES Group SRL
    descr: Virgil Madgearu 2-4
    descr: Bucharest
    country: RO
    admin-c: INES-RIPE
    tech-c: INES-RIPE
    status: ASSIGNED PA
    notify: hostmaster@ines.ro
    mnt-by: AS12310-MNT
    changed: tbb@ines.ro 20030616
    source: RIPE

    role: iNES Internet NOC
    address: 2-6 Virgil Madgearu st.
    address: sector 1
    address: Bucharest / ROMANIA
    phone: +40 21 232 2112
    fax-no: +40 21 232 3461
    e-mail: hostmaster@ines.ro
    admin-c: INES-RIPE
    tech-c: TU790-RIPE
    tech-c: DC1119-RIPE
    tech-c: AG5625-RIPE
    tech-c: BP1868-RIPE
    tech-c: BC2200-RIPE
    nic-hdl: INES-RIPE
    remarks: -------------------------------
    remarks: abuse reports: abuse@ines.ro
    remarks: NOC Phone 24x7: +40 21 232 2112
    remarks: NOC E-mail: support@ines.ro
    remarks: -------------------------------
    notify: hostmaster@ines.ro
    mnt-by: AS12310-MNT
    changed: tbb@ines.ro 20030314
    changed: tbb@ines.ro 20031126
    changed: tbb@ines.ro 20051015
    changed: adi@ines.ro 20060519
    source: RIPE

    % Information related to '80.86.96.0/20AS12310'

    route: 80.86.96.0/20
    descr: iNES Group
    descr: ro.ines local registry
    origin: AS12310
    mnt-by: AS12310-MNT
    changed: hostmaster@ines.ro 20030801
    source: RIPE

    And as said previously you can't use ZA logs to base your analysis since ZA is not functioning properly... (I am not surprised)

    Fax
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As promised I am reporting back:

    Here is the latest information I have on this:

    1) As Chris suggested I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
    2) I ran a Whois Server Version 1.3 here is the result.

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    No match for domain "REPORT.BITDEFENDER.COM".

    Conclusion, it is another case of phone home by ZA.

    Recommendation: Everybody should block this site and the ip ASAP.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Did a whois and reverse dns and got the information that the site 80.86.106.67 is in Bucherest , Romania. No firm listed. Data base indicates whole country as having a high fraud profile. Great.

    ip range for Romania 80.86.96.0 to 80.86.127.255.

    I'm done with this but loading the blocker sites where ever I can.

    Someone else should work on this as well.

    More damn questions than answers.

    What I would like is a way of saying which sites to connect to and EXCLUDE all other sites.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Looks normal to me....
    Complete dossier for report.bitdefender.com

    Cheers,
    Fax

    --------------------------
    canonical name report.bitdefender.com.
    aliases
    addresses 80.86.106.67


    Domain Whois record
    Queried whois.internic.net with "dom bitdefender.com"...

    Whois Server Version 1.3

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    Domain Name: BITDEFENDER.COM
    Registrar: REGISTER.COM, INC.
    Whois Server: whois.register.com
    Referral URL: http://www.register.com
    Name Server: NS.BITDEFENDER.COM
    Name Server: HORIZON.BITDEFENDER.RO
    Status: clientTransferProhibited
    Updated Date: 13-feb-2007
    Creation Date: 08-jun-2001
    Expiration Date: 08-jun-2012


    >>> Last update of whois database: Tue, 29 May 2007 21:45:50 UTC <<<

    NOTICE: The expiration date displayed in this record is the date the
    registrar's sponsorship of the domain name registration in the registry is
    currently set to expire. This date does not necessarily reflect the expiration
    date of the domain name registrant's agreement with the sponsoring
    registrar. Users may consult the sponsoring registrar's Whois database to
    view the registrar's reported date of expiration for this registration.

    TERMS OF USE: You are not authorized to access or query our Whois
    database through the use of electronic processes that are high-volume and
    automated except as reasonably necessary to register domain names or
    modify existing registrations; the Data in VeriSign Global Registry
    Services' ("VeriSign") Whois database is provided by VeriSign for
    information purposes only, and to assist persons in obtaining information
    about or related to a domain name registration record. VeriSign does not
    guarantee its accuracy. By submitting a Whois query, you agree to abide
    by the following terms of use: You agree that you may use this Data only
    for lawful purposes and that under no circumstances will you use this Data
    to: (1) allow, enable, or otherwise support the transmission of mass
    unsolicited, commercial advertising or solicitations via e-mail, telephone,
    or facsimile; or (2) enable high volume, automated, electronic processes
    that apply to VeriSign (or its computer systems). The compilation,
    repackaging, dissemination or other use of this Data is expressly
    prohibited without the prior written consent of VeriSign. You agree not to
    use electronic processes that are automated and high-volume to access or
    query the Whois database except as reasonably necessary to register
    domain names or modify existing registrations. VeriSign reserves the right
    to restrict your access to the Whois database in its sole discretion to ensure
    operational stability. VeriSign may restrict or terminate your access to the
    Whois database for failure to abide by these terms of use. VeriSign
    reserves the right to modify these terms at any time.

    The Registry database contains ONLY .COM, .NET, .EDU domains and
    Registrars.

    Queried whois.register.com with "bitdefender.com"...

    The data in Register.com's WHOIS database is provided to you by
    Register.com for information purposes only, that is, to assist you in
    obtaining information about or related to a domain name registration
    record. Register.com makes this information available "as is," and
    does not guarantee its accuracy. By submitting a WHOIS query, you
    agree that you will use this data only for lawful purposes and that,
    under no circumstances will you use this data to: (1) allow, enable,
    or otherwise support the transmission of mass unsolicited, commercial
    advertising or solicitations via direct mail, electronic mail, or by
    telephone; or (2) enable high volume, automated, electronic processes
    that apply to Register.com (or its systems). The compilation,
    repackaging, dissemination or other use of this data is expressly
    prohibited without the prior written consent of Register.com.
    Register.com reserves the right to modify these terms at any time.
    By submitting this query, you agree to abide by these terms.

    Registrant:
    SOFTWIN SRL
    Mihai Radu
    5 Fabrica de Glucoza
    Bucharest, 3 020331
    RO
    Email: aanescu@bitdefender.com

    Registrar Name....: REGISTER.COM, INC.
    Registrar Whois...: whois.register.com
    Registrar Homepage: www.register.com

    Domain Name: bitdefender.com

    Created on..............: Fri, Jun 08, 2001
    Expires on..............: Fri, Jun 08, 2012
    Record last updated on..: Tue, Feb 13, 2007

    Administrative Contact:
    SOFTWIN SRL
    Razvan DITA
    5 Fabrica de Glucoza
    Bucharest, 3 72322
    RO
    Phone: +40 21 233 07 80
    Email: domains-admin@bitdefender.com

    Technical Contact:
    SOFTWIN SRL
    Razvan DITA
    5 Fabrica de Glucoza
    Bucharest, 3 72322
    RO
    Phone: +40 21 233 07 80
    Email: domains-admin@bitdefender.com

    DNS Servers:

    ns.bitdefender.com
    horizon.bitdefender.ro


    Visit AboutUs.org for more information about bitdefender.com

    <A HREF="http://www.aboutus.org/bitdefender.com">AboutUs: bitdefender.com</A>

    Register your domain name at http://www.register.com


    Network Whois record
    Queried whois.ripe.net with "-B 80.86.106.67"...

    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    % Information related to '80.86.106.0 - 80.86.106.255'

    inetnum: 80.86.106.0 - 80.86.106.255
    netname: INES-DATACENTER-NET
    descr: iNES Group SRL
    descr: Virgil Madgearu 2-4
    descr: Bucharest
    country: RO
    admin-c: INES-RIPE
    tech-c: INES-RIPE
    status: ASSIGNED PA
    notify: hostmaster@ines.ro
    mnt-by: AS12310-MNT
    changed: tbb@ines.ro 20030616
    source: RIPE

    role: iNES Internet NOC
    address: 2-6 Virgil Madgearu st.
    address: sector 1
    address: Bucharest / ROMANIA
    phone: +40 21 232 2112
    fax-no: +40 21 232 3461
    e-mail: hostmaster@ines.ro
    admin-c: INES-RIPE
    tech-c: TU790-RIPE
    tech-c: DC1119-RIPE
    tech-c: AG5625-RIPE
    tech-c: BP1868-RIPE
    tech-c: BC2200-RIPE
    nic-hdl: INES-RIPE
    remarks: -------------------------------
    remarks: abuse reports: abuse@ines.ro
    remarks: NOC Phone 24x7: +40 21 232 2112
    remarks: NOC E-mail: support@ines.ro
    remarks: -------------------------------
    notify: hostmaster@ines.ro
    mnt-by: AS12310-MNT
    changed: tbb@ines.ro 20030314
    changed: tbb@ines.ro 20031126
    changed: tbb@ines.ro 20051015
    changed: adi@ines.ro 20060519
    source: RIPE

    % Information related to '80.86.96.0/20AS12310'

    route: 80.86.96.0/20
    descr: iNES Group
    descr: ro.ines local registry
    origin: AS12310
    mnt-by: AS12310-MNT
    changed: hostmaster@ines.ro 20030801
    source: RIPE



    DNS records
    DNS query for 67.106.86.80.in-addr.arpa returned an error from the server: NameError

    name class type data time to live
    report.bitdefender.com IN A 80.86.106.67 3600s (01:00:00)
    bitdefender.com IN SOA server: ns.bitdefender.com
    email: gvoicu.bitdefender.com
    serial: 2007041700
    refresh: 28800
    retry: 900
    expire: 604800
    minimum ttl: 1800
    86400s (1.00:00:00)
    bitdefender.com IN NS nemesis.bitdefender.com 3600s (01:00:00)
    bitdefender.com IN NS ns.bitdefender.com 3600s (01:00:00)
    bitdefender.com IN NS horizon.bitdefender.ro 3600s (01:00:00)
    bitdefender.com IN MX preference: 10
    exchange: mail.bitdefender.com
    3600s (01:00:00)
    bitdefender.com IN MX preference: 20
    exchange: horizon.bitdefender.ro
    3600s (01:00:00)
    bitdefender.com IN A 66.223.50.102 3600s (01:00:00)

    -- end --
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I have confirmed from 2 BD sources that report.bitdefender.com is in fact a BD server. The database sources are poorly documented causing FUD. It is used by their virus and spam outbreak control service. It is also used in their mobile device AV service.

    What I'm still working on is why BD "phone home" accesses still try to access when the user turns off these BD10 options.

    Apart from the one log entry I got from zlclient trying to access this BD site it no longer does that. So ZA is not doing now on my PC this as far as I can tell.

    So it seems that BD 10 also ignores user options, and I'm going with that assumption for now. It may be a bug. They responded to questions in hours and were very helpful.

    I'm leaving the site blocked since I can still update the product with hourly AV updates and in principal I don't want unsolciated outgoing packets leave the PC.

    If I get more I will report back.
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I'm following advice now to ignore some posts.
    Blocking the sources works well and avoids being diverted from forum/ thread work !

    1st and this is important, backup the ZA settings to a flash memory or cd daily. When you mess with settings as I have you get some surprises and need to revert back a level. So if you start using some of the finding here back up your current settings now!

    For the members here, I have attached my current FW page showing blocked ip's and sites of doubtful purposes, more than you would ever have believed!

    Note that my router/ Lan is set to internet NOT TRUSTED and the PC works fine. This point has been shown correct by Stem and others so that matter is over for me.

    For ZA Pro users who want to try tighter settings (at their own risk of course) I have also attached my ZA Pro program settings.

    Set SmartDefenseAdvisor to medium, you get the advice BUT you decide what is best setting for your PC with that application. Don't join the share setting league on install.

    AntiSpyware turn off, doesn't fit with a FW, UNLESS you don't have any ASW from top group, then use ZA's.

    Leave spysite blocking on, does no harm, only site it ever found for me was pcflanktest which provides evaluations of ZA and other tools

    AV monitor leave off unless it accepts your AV, it doesn't recognize BD 10 among others. So I leave it off.

    Email, leave it off, it is not the job IMO of a FW to scan email. BD10 does that for me. UNLESS you have no email in/out scanner then turn ZA's on.

    Privacy: This one I am not finished with but here is my status

    Clean cache daily, don't use auto.

    id protection, block ebay and paypal if you don't use them
    put nothing in trusted sites, except perhaps your own online bank.

    MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?

    With BD 10 on updates it doesn't ask for license #, so that not an issue for them.

    There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?

    zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.

    That's it guys, I'm done with this thread (unless someone wants to ask me a question)
     

    Attached Files:

  12. Cold Pizza

    Cold Pizza Guest

    I know this is an old thread, but I do have some questions for you, if you don't mind answering them?

    Did you ever have Bit Defender installed on your computer? If not, why would ZA be trying to send packets from your PC to the site called report.bitdefender.com? Something is very strange here!

    Have a nice day!
     
  13. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    If you read the post again and look at my signature you will see BD is active on my PC.

    BitDefender confirmed that report.bitdefender.com is their collection site worldwide for collection of data on spam and virus outbreaks.
    They also told me that if I was worried about security I could block that site as the support and update sites are outside of Romania. At least they were honest about it!

    I have the auto send off for bitdefender but it continued to try to send packets anyway. The turn off features for sending information are NOT reliable.

    On ZA, I had one reported connect to report.bitdefender.com but that is one too many right?

    As to why? I could only speculate and that would just add fuel to the great conspiracy theory !

    But ask Fax, 12fw (Oldsod at ZA), or gre87y (Greb49er at ZA) to explain it either here or over at their forum.

    I have now got dozens of collection sites blocked and more on the way.
    There is the one from BD, others from ZA and from M$.

    If posters doubt any or all of this put the sites in your own block lists and track the attempts.:D
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Already explained above somewhere... most of them where DNS:53 calls... with all the blocking on ZA that Escalader did, I think ZA was not correctly reporting "who did what"...

    A simple sniffer could have been useful to clarify origin/destination of the connections...

    Cheers,
    Fax
     
    Last edited: Jun 17, 2007
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Cold Pizza (=?Fax) never on line at same time! Fax answers for Cold Pizza:D

    But anyway, wrong again.

    Thread learners

    Stem already dealt with these hardcoded call homes in ZA in the past. So that matter is over. He did all the sniffing work for us.

    The issue for ZA Pro users is to block its hard coded collection sites.
    ZA does it sure, no news there, but BD was news but they were honest and said go ahead an block that site so I did. That ZA also trys to send there is well, what to say... interesting:cool:

    For anyone who wants to KNOW put my blocks in your own set up, updates all work fine as does Smart advice.... qed

    Privacy: This one I was not finished with but here is was the status

    Clean cache daily, don't use auto.

    id protection, block ebay and paypal if you don't use them
    put nothing in trusted sites, except perhaps your own online bank.

    MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?

    With BD 10 on updates it doesn't ask for license #, so that not an issue for them.

    There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?

    zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Sorry but I am not like you ArrowPilot :p
    Ever thought about Time Zones and different continents?

    Fax
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
    To be fair to ZA, you should at least state that the ZA call home was "in your set-up"!

    Cheers,
    Fax
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem speaks for himself as do I.

    Suggesting words for others to speak is silly.

    Of course ZA call homes were in my setupo_O

    All users have to do is make the blocks and log.
     
  19. Berge01

    Berge01 Guest

    I see we are on this kick again about calling home. Well, IMO any type of Security Software Program will call home. No matter what you can try to do to prevent it, some way it will get through. Before attacking the program maker of any type of Security Software Program, perhaps we should look at who is REALLY behind all of this, Big Brother. This has been going on for sometime and now with all the latest events in the world, it has become more intense. You can either do two things IMO, try to block them at your firewall or reach down, pull the plug out of the wall outlet, box up your computer, and find some other way to communicate with the rest of the world.

    Thank you for your time and have a Great Day!
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    This sounds better...

    Cheers,
    Fax
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    You to Berge01, wondered where you had gone!

    Well, assuming we are not going to pull the plug, and that Big Brother is the cause and forcing these program makers to hard code call home to gathering sites I choose block them as you put it "at the FW".

    So where's the list of sites to block? I'll key every dang one of them in! :D
     
  22. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    That is correct, the only outbound I could not find reason for, was for the HTTPS connection after installation.

    Hello Escalader,
    You keep mentioning BD outbound, have you found the application making these attempts? (and please advise, is "Task Schedular" active on your sysytem? (in windows services))
     
  23. Berge01

    Berge01 Guest

    I don't believe the list I post here would make the Forum Moderators very happy, besides some of the members may not agree, causing more hostile posts, and besides your Firewall can only hold so many Blocks to be effective.
     
  24. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Here is the Q and A posted on the BitDefender forum a few weeks back when I was still running ZA Pro. The application was zlclient first, then when blocked switched to WINLOGON.exe. The spam gathering site is in Romania 80.86.96.0 to 80.86.127.255. The site was report.bitdefender.com.

    post 1..... Since I blocked it after 1 attempt by zlclient then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.

    My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.

    post 2
    Hi Escalader,

    I might be wrong, but that could be BitDefender trying to send/receive data about viruses as a result of the options Send virus reports and Enable BitDefender Outbreak Detection (General -> Settings)

    Try to disable these options, and see if you have any more attempts.

    .


    Hi :

    I will try your idea, what puzzled me was I didn't change any BD options lately and it was zlclient that connected first. Now it is WINLOGON.exe that is attempting the connect. I have it blocked until I know what's happening here.

    post 3

    Here is the latest information I have on this:

    1) As ... suggested I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
    2) I ran a Whois Server Version 1.3 here is the result.

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

    No match for domain "REPORT.BITDEFENDER.COM".

    post 4

    Did a reverse DNS and the ip comes up as Bucerest Romania. No information on organization owning it.

    The whois data base lists this country with a high fraud profile?

    post 5
    Hello,
    Nobody except Bitdefender can register sub-domains of BitDefender.com ,the Head Quarters of BitDefender are in Romania. Once you own a Domain name you can register as many sub-domains as you want for free, that can be done just by the main owner of the domain.The report.bitdefender.com could be a server in the HQ so it's not dangerous at all.

    post 6

    Just to be clear I trust BitDefender or I wouldn't use the product.

    But the way this came to light was very strange.
    First as mentioned a few posts back zlclient was the program that first accessed report.bitdefender.com.

    Next the id of the program attempting access switched to WINLOGON.exe.

    Is report.bitdefender.com a server in HQ? The city and country are right but the whois data base don't confirm BD's ownership of this site.

    Could be a server is not the same as is a server.

    I'm not trying to be difficult, I just want clarity.

    post 7

    The owner you see there is INES , that is one of our Internet Providers. The connection is leading to our internal server.Over this connection are virus and spam statistics send.

    Real Time Virus Report (RTVR) & Real Time Spam Report (RTSR)

    RTVR/RTSR is a system included in BitDefender products deployed all over the Internet that reports virus and spam activity to the BitDefender Labs(report.bitdefender.com) to help isolate and prevent the spreading of malware and spam in an efficient and timely manner.
    So it is our server.


    Hi ...:

    Thank you very much for tracking this down for me. Best to be clear!

    I currently have followed the following idea:

    "....turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup"

    The repeated connections attempts to 80.86.106.67 continue anyway.

    This seems to me to mean that the RTVR and RTSR connects occur even if the options are turned off.

    In my set up I have the address blocked, yet updates of the product continue ok as do the attempts to send reports back.

    So updates must use one server and reports on virus and spam must use another?

    Have I described all this correctly?

    Post 8

    The update servers are different from the one with statistic reports. Why?
    Beacuse we need to have good connection to all the users from the World. That's why you will have servers scattered all over the World and only one server that gathers information about viruses and spam in Romania.

    If you are concerned about your security just block report.bitdefender.com although is our server and everything is secured.

    Since I then knew the site was a gatherer, I blocked the whole country.
    BD updates continue unimpeded.

    I checked scheduler and found 2 old McAfee entries. I haven;t had it for 2 years! Should have cleaned it out but didn't. Gone now. Thanks.
    The only scheduled tasks are SpySweeper scans.

    The attempted connects to report.bitdefender.com no longer occur.

    The difference? ZA Pro uninstalled, CFW is installed.

    Observation it wasn't BD continuing to attempt connects but ZA Pro.
     
    Last edited: Jun 18, 2007
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Good heavens what to do? :D

    I guess I'll just max out my FW or just block whole country's.

    Can you post the country ranges to block?

    Then when a valid ip pops up I'll allow it! one by one! Can't be any more than 5 or 6 safe sites left!

    It is a real challenge. Time for Mrk to enter this thread he always has unnique ideas!

    What I really need is a leak proof vault then I could put all my secrets in it and scrap the FW completely!:rolleyes:
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.