Full Version: Question About Destination Dns Column In Za Log Viewer > Firewall
bloomcounty
Hi,

I use ZoneAlarm Free Version 7.0.302. I basically have ZA set to ask me for permission for everything except for Firefox, but I'm always getting these weird entries in the Log Viewer under Firewall in the DESTINATION DNS column.

When Outlook Express (msimn.exe) asks for permission and I allow it, the DESTINATION IP column and the DESTINATION DNS column in the ZoneAlarm Program Log Viewer will show things like the following:

DESTINATION IP / DESTINATION DNS
209.85.171.97:53 / ssl-google-analytics.google
72.14.253.91:53 / sb.l
64.191.219.3:53 / referencecollect.247realmedia
8.255.49.251:53 / cdn.specificmail.com.c.footprint.net
67.15.48.168:53 / thedigitalbits.com
209.85.171.164:53 / pagead.l.google
64.62.216.443:53 / a1521.x.akamai

And sometimes it says: (IP address here):53 / ns3.mindspring.com (and mindspring is my dial-up, which is Earthlink)

And when I either allow AVG Free (avginet.exe -- I guess that's when I check for updates to the a/v?) or, I guess, when AVG scans the incoming email (avgemc.exe) -- (Or could this be accessing without my knowledge?) -- I get things like the following in the DNS column:

DESTINATION IP / DESTINATION DNS
72.21.206.84:53 / www.assoc-amazon.com
209.85.147.104:53 / wa-in-f104.google.com
209.85.171.97:53 / ssl-google-analytics.google

And sometimes it says, for example: (IP address here): (port# here - not 53) / pop.mindspring.com

The DIRECTION on all these listed is OUTGOING (CONNECT) and the ACTION TAKEN is listed as ALLOWED.

There is nothing listed in the SOURCE IP or SOURCE DNS columns for these entries.

1. What are those things that are listed?

2. Why are they listed like that in the DNS column? (Note that sometimes what's listed in the DNS column makes sense, like something for mindspring or Earthlink when OE is being allowed... but a lot of the times it's weird stuff...)

3. Does this imply I've got something "bad" on my system or that something is wrong/screwy?

Please note: I am not having any issues with my laptop at all (that I know of).

I have posted this on a thread on the Zone Alarm board, but haven't got the specific answers I'm looking for yet, so I was hoping that someone here might know what the deal is with all this.

ADDED: Below is a .jpg showing many of the ZA log entries in question. This is not a complete log, but edited to only show the stuff I'm talking about (and with a few things blacked out, just to be safe). Please take a look at it -- thanks!




Thanks very much, as always! Looking forward to hearing back!
tos226
Bloomcounty,
I haven't checked all your entries, as you can google them out or check dnsstuff, which I suspect you did already.
Port 53 is for communication with the DNS server of your ISP or mail account.
Akamai servers are used by ZA and other companies for upgrades.
Many things do look odd.

I have a hunch you do not have DNS servers in the trusted zone; why else would there be requests to so many places, including requests from Outlook Express? Forgive me if I'm wrong. Just guessing.
If the router is your DNS server, put that in the trusted zone.
Do you have your Firewall/Zones set up properly? Network, Loopback 127.0.0.1, DHCP server, DNS servers all trusted?
Do you have Generic Host Process with 3 checks from the left and everything else at most two? (I don't recall whether ZA free has a place to check send mail, do so if it does).
Don't give Windows Explorer internet access, it does not need it. Do give IE internet access but no server rights.

If you do the edits above and the problem persists (it shouldn't), then I'd be clearing out the bad settings, because it just does not look right (sometimes Windows errors cause the ZA database to be mangled). Go back to the ZA forum and do a Search for "reset database". Yes, you will lose your current settings, but I think you should want to drop them. It's just a few simple steps.

What I wanna know is how did you put the big black blocks on that screen shot?
bloomcounty
Thanks for the reply! I'm almost positive things are set up wrong. Do you mind helping me get it all set up right? I really need a dummy's step-by-step, over-explained version of instructions, I think...

I got a reply from the ZA board, and I will post their instructions further below, but I have some more questions about what you posted, and I really don't understand any of this stuff (and, believe me, I tried reading all the links about all this stuff, and my eyes glaze over), so feel free to reply with instructions/answers as if I were three years old!

Note that I have/use dial-up, though my laptop does have a wireless modem (which I only occasionally use at a friend's house) and a high-speed internet line, which I don't really ever use.

1. The first important question is, has my computer been at risk for anything by how it's set right now? Am I sending any information or allowing access to my computer (or access to my incoming email) to something...?

QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
I have a hunch you do not have DNS servers in the trusted zone, why else would there be requests to so many places, including requests from outlook express. Forgive me if I'm wrong. Just guessing.


2. I'm 99.9% sure you are correct. So how do I do this exactly?

2a. So what exactly are all these requests that are being sent out, and is it bad that it's been doing this? (I guess that goes back to #1 above...)

QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
If the router is your DNS server, put that in the trusted zone.


3. I don't know if this is the case, as I don't understand what that means. How can I check?

3a. And if that's the case, how do I put it in the trusted zone?

QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
Do you have your Firewall/Zones set up properly? Network, Loopback 127.0.0.1, DHCP server, DNS servers all trusted?


4. Again, I don't know... But I'm attaching a screen cap of Firewall > Zones from ZA below so you can take a look... What do I need to do?



QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
Do you have Generic Host Process with 3 checks from the left and everything else at most two? (I don't recall whether ZA free has a place to check send mail, do so if it does).


5. I do have it set that way for Generic Host Process. Everything else, for the most part, I have set to "?-Ask" for everything. Some of that is probably wrong, but for stuff that it doesn't matter, I prefer to be asked each time (if that's okay). I'm attaching an image below that shows everything from Program Control > Programs. Take a look and let me know what I should do...



QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
Don't give Windows Explorer internet access, it does not need it. Do give IE internet access but no server rights.


6. As you can see, I've got Windows Explorer set to all "Ask-?'s" -- should I put any of those columns to "X-Block"? Which columns exactly? (I don't understand Internet Access vs. Server Rights exactly, as there are four columns there, two for Access and two for Server, so let me know which specifically of the four... thanks!)

6a. Why does IE need internet access? I only use it for Windows Updates, and I let it ask me to give it permission each time. Is that bad for some reason?

QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
If you do the edits above and the problem persists (it shouldn't), then I'd be clearing out the bad settings, because it just does not look right (sometimes Windows errors cause the ZA database to be mangled).


7. Here are the instructions I got from the ZA board on how to completely restart (my comments to you are in BOLD CAPS throughout), but I'm uncertain about a lot of it:

Boot your computer into the Safe Mode

Navigate to the c:\windows\internet logs folder

Delete the backup.rdb and iamdb.rdb files in the folder

Clean the Recycle Bin

Reboot into the normal mode

The Zone Alarm will be cleaned of all previous settings and data and it will appear as when it was first installed

THIS IS THE PART WHERE I START TO GET CONFUSED...
On the restart or reboot into the Normal Mode, the ZA will ask which for the new network found. I assume you are home so select the Trusted. Then make sure the DNS and the DHCP server's IP are listed as Trusted in the Zones of the Firewall of the ZA. Like this:

1. Go to Run type in command, hit OK, and type ipconfig /all then press enter. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side
2. In ZA on your machine on the Firewall>Zones tab click Add and then select IP Address. Make sure the Zone is set to Trusted
3. Click OK and then Apply for each one.
4. The loopback must be listed as Trusted. It has the address of 127.0.0.1
5. The Generic Host Process or the svchost.exe listed in the Program list must have both Trusted and Internet access and it must have server rights for the Trusted Zone, but not the Internet Zone.
...AS I DON'T REALLY KNOW EXACTLY WHAT I'M DOING


Then:

By not clearing the database and by not setting up the correct DNS servers, it seems things right now are a mess!

Second, only allow the Generic Host Process (svchost.exe) and maybe the AV updater should have server rights for the Trusted Zone and do not have anything with any server rights for the Internet Zone. I'D RATHER HAVE ANYTHING THAT CAN ASK ME FOR PERMISSION TO ASK. AND I DON'T KNOW WHAT THIS MEANS EXACTLY WITH REGARDS TO WHAT GETS A GREEN CHECK, WHAT GETS A QUESTION MARK AND WHAT GETS A RED X -- AND IN WHAT COLUMN(S).

The explorer does not need a green check for either internet access or any server- it should be permanently allowed access to the Trusted Zone and an Ask for the Internet Access and no server rights either for the Trusted or Internet Server. No mail rights. DOES THIS MEAN WINDOWS EXPLORER? SO A GREEN CHECK IN ACCESS-TRUSTED COLUMN, A "?" IN THE ACCESS-INTERNET COLUMN AND RED X'S IN THE TWO SERVER COLUMNS? AND IF THAT'S CORRECT, WHY A GREEN CHECK AT ALL? CAN'T I JUST LET IT ASK FOR PERMISSION IF IT NEEDS IT? OR IS THIS SOMETHING THAT GOES ON BEHIND THE SCENES THAT NEEDS TO BE ALLOWED?

The outlook could be the same as the explorer, but with mail rights. By using the correct dns server at least your outlook would go to the correct mail server that you should be using. THERE ARE NO MAIL RIGHTS THAT I KNOW OF IN ZA FREE.

But if you do not put the proper DHCP or DNS servers in the Zones, then the firewalling is still out of whack. I THINK THAT'S WHAT THE INSTRUCTIONS FURTHER ABOVE WERE FOR, BUT I'M STILL A BIT IFFY ON THEM...


8. So do you think I should just start from scratch, or just try what you're saying first? Either way, are you up for giving me a dummy's step-by-step on what to do (not using just names of stuff, but things like "put a checkmark in the Access-Internet column", etc.)?

QUOTE(tos226 @ Jun 9 2007, 07:25 PM) *
What I wanna know is how did you put the big black blocks on that screen shot?


I did multiple screen captures and put them together in Photoshop, then blacked out the various things in Photoshop as well. A total pain in the butt, and very time consuming, but I figure it's worth it to provide good images for the kind people like yourself that are taking the time to help me!

Looking forward to hearing back -- thanks!
tos226
Bloomcounty,
I can't do any better than the advice you got from the ZA forum. I use'm too.
Perhaps some of the key-by-key suggestions in this thread will help.
http://www.bleepingcomputer.com/forums/topic93868
It includes a reference to the official ZA instructions which explains how to do what you want to do, and I would prefer not to have to repeat.

I'm not familiar with how to set up ZA with dial-up; you might post at the ZA forum again. Or keep looking at ipconfig /all and see if things are stable or change with every use. I really don't know.

I would give a couple more programs checkmarks in the Access column. ZA instructions will tell you where. And/or when the alert comes up, just allow and remember.

Re your specific points
1 - I don't think so
2 - see above
2a - I don't think so
3 - see above, specifically the ipconfig command
3a - see above
4 - see above, specifically ZA instructions and my thread. Adapter subnet needs to be trusted. When wireless is used (those zeros will change), that should stay Internet.
5 - a few examples: AVG update can have two checks, Creator classic doesn't need internet access, so one check, Firefox is ok, Generic Host is ok, IE needs two checks, jre probably none, possibly trusted access only, MS help - 2 checks, MS Word one check unless you insist on always using their help, but then ? is better, Outlook 2 checks, Spybot, Windows explorer both 2 checks and take it from here.
6 - see above. Access=go for information. Server is when you allow your computer to be a server to things such as Trojans or p2p.
6a - well if you don't give IE access how will it go for the updates? ? is ok though. The purpose of IE is internet access. Same for Firefox.

Thanks for how you worked the bitmaps. PITA
bloomcounty
QUOTE(tos226 @ Jun 10 2007, 11:32 AM) *
Bloomcounty,
I can't do any better than the advice you got from the ZA forum. I use'm too.
Perhaps some of the key-by-key suggestions in this thread will help.
http://www.bleepingcomputer.com/forums/topic93868
It includes a reference to the official ZA instructions which explains how to do what you want to do, and I would prefer not to have to repeat.


The link doesn't work. Can you repost? I'd really like to use it. Thanks!

QUOTE(tos226 @ Jun 10 2007, 11:32 AM) *
6a - well if you don't give IE access how will it go for the updates? ? is ok though. The purpose of IE is internet access. Same for Firefox.


If it's a ?, it'll ask me each time for IE (which I prefer, since I only use it for Windows Updates, and that way I know it's not doing anything else without my knowledge). Or is there some reason that's not okay? (I do allow Firefox access to Trusted and Internet.)
tos226
Re http://www.bleepingcomputer.com/forums/topic93868.html
Hang in there. Something is wrong. I'll ask for it to be fixed.

No reason for IE asking. You'll get bored with it, but I think that's the best way to learn.
tos226
Bloomcounty,
I see now why the original link didn't work. I dropped the ".html" part. No idea how.
I hope you do get through to the ZA setup instructions from the link there. Good luck!
bloomcounty
QUOTE(tos226 @ Jun 12 2007, 07:32 AM) *
Bloomcounty,
I see now why the original link didn't work. I dropped the ".html" part. No idea how.
I hope you do get through to the ZA setup instructions from the link there. Good luck!


I'm dealing with Oldsod at the ZA forum... very nice, but, man, am I having a hard time understanding what he/she is saying! (And he/she doesn't exactly respond to my specific questions directly... I kind of have to ask a bunch of times.) But I think I'm getting there. Are you up for taking a look at the thread? Here's the link:

http://forums.zonealarm.com/zonelabs/board...essage.id=16593

I'm going to do the database reset now and then add the two DNS servers from Earthlink to the trusted zone and make sure the WAN thing (which I guess is my dial-up) is once again set as "Internet".

I'm more than a little concerned about my computer all these months going to these random sites for DNS lookup (whatever that is), and I'm trying to get a definitive answer on what the deal is with that...

Since I'm doing a database reset, I assume my Program Control will be gone... I'm uncertain what I am supposed to allow the first time I do the reset though... I'm going to just deny everything at first and see what happens I guess...

Any thoughts? Thanks!
bloomcounty
Okay, I did the database reset. But there are MANY issues... I hope you can help me!

1. Please look at this new .jpg of my firewall > zones:
http://attachments.techguy.org/attachments...allzonesnew.jpg

...as you can see, I have added the two Earthlink DNS IP #'s, but the loopback adapter is gone! What do I do? Why does it now show up?

2. Here's a .jpg of my new program log:
http://attachments.techguy.org/attachments...aproglognew.jpg

The same exact thing is still happening, even though I added those two DNS entries to the trusted zone! I have marked the examples with red circles. Why is this still happening? What is going on?

3. Under FIREWALL > MAIN, I have the Internet Security Zone set to HIGH and the Trusted Zone Security set to MEDIUM. Is this correct and safe?

3a. I notice that with Trusted Zone Security set to MEDIUM, that the blocked entries marked with BLUE CIRCLES in the .jpg linked above do not show up anymore. Is that good?

4. I have EMAIL PROTECTION turned OFF (since I have AVG A/V, which has an email scanner) and I have ANTI-VIRUS MONITORING turned OFF (since it does not recognize AVG Free). Are these both correct settings? (I think that's how I had it set before...)

5. Before I did the reset, when I'd check my email, BOTH Outlook Express AND AVG Free Email Scanner would ask for permission (since I had it set to "?-Ask"). Now that I did the reset, the AVG Email Scanner only OCCASIONALLY asks for permission (which seems to imply it's not always running, you think?). Why would this be happening?

6. Please look at the .jpg of my new Program Control settings list:
http://attachments.techguy.org/attachments...rogcntrlnew.jpg

Is this all correct so far?

Man, I am starting to wish I had never started messing with this stuff... Every time I mess with anything on my computer to "fix" something, it just leads to more problems. But I'm pretty stressed out about all this and am hoping you don't mind helping me as much as you can…? I really appreciate it!
tos226
Reply to post #8
When I copied and pasted your link, it was abbreviated
http://forums.zonealarm.com/zonelabs/board...essage.id=16593
For others reading this thread: it's in the Alerts and Messages forum section,
after "board" add this: /message?board.id=win_za_msgs&message.id=16593

Quick answers based on quick review of that thread
1. Great advice for your specific setup. Do take time to read it.
2. No reason to panic. Until you allow DNS servers, the computer goes all over creation to find them. Pointless.

In that thread, you got instructions how to preserve your settings. I can't improve on any of what's said there.
No, I would not make everything Deny, because then your connections will fail.
"?" are appropriate, but, for the programs, just follow the list you got on the forum.

To post #9
I haven't looked at jpgs yet - I'll try when time permits.
Have you read the instructions that ZA provides?
Have you read Help screens?

1. add it in
3. correct
3a. most likely correct
4. sounds correct to me
5. without knowing exact detail what AVG was asking before or now, I can't tell. Likely related to the dns servers now being permitted, or mail client being permitted
6. If you followed the advice ZA forum provided and I scanned, you're ok
Take it easy
tos226
ok, I looked at your pictures.
1. Adapter subnet whole thing, both sides of / should be trusted if you use a router, but with DSL - reread what ZA forum told you
2,3,4,5,6 are all related. ZA is doing what you asked it to do which is to ASK. If you change both AVG and Outlook lines to two checks, it'll stop asking. Remember, both outlook and avg are looking at the mail. And Kissmyip did the same when you asked it to report what settings are visible. Finally, you can put red X in the Server column, except for Generic Host (svchost) which needs trusted server rights.

I'm not sure why you think you broke something or that the setup is unsafe. It's overcautious, IMO, but good to learn from while you're experimenting. However, I think learning by reading the instructions is also a good thing.
bloomcounty
Thanks for the reply, tos226!

QUOTE(tos226 @ Jun 12 2007, 10:39 AM) *
1. Great advice for your specific setup. Do take time to read it.
2. No reason to panic. Until you allow DNS servers, the computer goes all over creation to find them. Pointless.


I read everything Oldsod posted and followed his instructions. I reset the database, as instructed. I have put red X's in the Server-Internet column as instructed (and all across for Application Layer Gateway Service, as it seems I don't even use this?). As far as I know, I have added the two DNS entries. But like I said in #2 in my last post, I am still having the same exact issue. No change in this issue.

Re: Adding in Loopback Adapter...
I chose ADD > IP ADDRESS (*not* HOST/SITE), called it "Loopback Adapter" and made it "Trusted". Here's a new .jpg:
http://attachments.techguy.org/attachments...llzonesnew2.jpg

Did I do this correctly?

1. But why did I have to add it manually this time when the first time I installed ZA months ago, it was added automatically? (I can tell there is a difference because before I did the database reset, if I tried to EDIT the Loopback Adapter, it would not let me. But because I have added it myself now, I can actually go in and edit it if I wanted to...)

QUOTE(tos226)
6. If you followed the advice ZA forum provided and I scanned, you're ok


Except for #2 above, which shows that I'm not, because I'm still having the same exact issue despite all the changes I've made per instructions...

2. As you can see, it is still happening, as shown by the entries with a red circle shown in this .jpg:
http://attachments.techguy.org/attachments...aproglognew.jpg

It happens *randomly/sometimes* when I either check my email in OE (msimn.exe), check for AVG updates (avginet.exe), use Firefox (firefox.exe), or check for SpyBot updates (SpybotSD.exe). Sometimes it looks like it goes to the right DNS, sometimes it does not. I have created a .jpg for each program (man, that took a long time!) that shows examples of both the correct DNS and what I assume is the wrong one. Please look at these to see what I mean:

Outlook Express:
http://attachments.techguy.org/attachments...73792/za-oe.jpg

AVG Updater:
http://attachments.techguy.org/attachments...3706/za-avg.jpg

Spybot:
http://attachments.techguy.org/attachments...0/za-spybot.jpg

Firefox:
http://attachments.techguy.org/attachments.../za-firefox.jpg

See how some Destination IP/DNS look "correct" but most look wrong...? Many of these are older examples, but as you can see in the .jpg with the red circles further above, it is still happening.

Let me know what you think -- thanks for the help! Looking forward to hearing back!
bloomcounty
QUOTE(tos226 @ Jun 12 2007, 10:59 AM) *
1. Adapter subnet whole thing, both sides of / should be trusted if you use a router, but with DSL - reread what ZA forum told you


A. Are you talking about the second line in this link?
http://attachments.techguy.org/attachments...allzonesnew.jpg

Both sides of "/" -- what does that mean? And Oldsod said that since I have DIAL-UP with no router (just my laptop - everybody forgets that! ;)), that this line should be INTERNET, not TRUSTED.

QUOTE(tos226)
2,3,4,5,6 are all related. ZA is doing what you asked it to do which is to ASK. If you change both AVG and Outlook lines to two checks, it'll stop asking. Remember, both outlook and avg are looking at the mail. And Kissmyip did the same when you asked it to report what settings are visible.


B. I don't have a problem with it asking me, that's what I want it to do. The issue is that it's still going to weird DESTINATION DNS IP/ADDRESSES, you know? I think we cross-posted, and I just posted to you detailed examples. Please take a look at my previous post here:
http://www.bleepingcomputer.com/forums/ind...st&p=544166

B2. I don't understand what you're saying about Kissmyip... Why did it even go to that IP address? It has nothing to do with the program that was accessing the internet at that time. Isn't that an example of the exact issue that started this all? I don't understand...

QUOTE(tos226)
I'm not sure why you think you broke something or that the setup is unsafe. It's overcautious, IMO, but good to learn from while you're experimenting. However, I think learning by reading the instructions is also a good thing.


I have been reading the instructions and the posts you and Oldsod made, but I'm still having the same issue. Maybe I'm not explaining the situation well enough? I don't know how much more I can explain all the details beyond what I'm already doing... I'm doing everything I'm told, but I'm not getting results, and I'm not getting the point across that I'm still having the same issue that started this whole thing...

Please stay with me on this -- I appreciate the help and time! But I have to make sure I get the information across to you... Am I doing that?

Thanks!
tos226
Bloomcounty, I've reached the limits of my knowledge. I do not know nor understand dial-up vs. security. That said, a few more attempts:
A. Correct. INTERNET zone if you have no router (I did hint at that in post #11)
B. I hear you. Perhaps the applications you run use multiple DNS servers besides yours from ISP? I'd think that Outlook would go into only one place for mail. I don't know.
B2. Somebody on the ZoneLabs forum has, in the signature, kissmyip. Harmless display of your IP address, though if you had a router, only the public side would show.

I'll watch the thread, but I hope someone more knowledgeable will pitch in. Or go back to the ZA forum. Don't overwhelm them with many screen shots; I think the first one with the dots is sufficient to ask the question.
bloomcounty
QUOTE(tos226 @ Jun 12 2007, 02:30 PM) *
I'll watch the thread, but I hope someone more knowledgeable will pitch in. Or go back to the ZA forum. Don't overwhelm them with many screen shots; I think the first one with the dots is sufficient to ask the question.


I appreciate the posts -- thanks!

I already posted my links to the .jpgs for Oldsod on that thread over in the ZA forums (but if I end up posting a new thread, I'll only post the .jpg you suggested), and am waiting to hear back. I appreciate that person's help as well, and I know they're knowledgeable and are offering their time to help (as you are), and I DO appreciate that, but it's really frustrating when they ignore the specific questions you're asking and give you a bunch of information you don't need. I think that stems from not really reading the questions and guessing at what the problem is, then pasting a preset answer into the post. I mean, I said I had dial-up in every post I made over there, and it was only halfway through the thread that they started acknowledging that aspect. I certainly don't mean to be ungrateful, but other people come on message boards asking for help and provide no information and don't take any time to try to do so. I take a lot of time (probably more than I should, but I try to make everything as easy as possible for those kind enough to help me) to prepare the screen shots and type in the info, etc. And it's frustrating when that's all ignored... Plus, I think it can lead to people following bad advice on occasion...

Sorry for the little rant there... (It's just something I notice about message boards in general...) And, again, I appreciate ANY AND ALL the help anyone's ever given me on any message board... And I always learn something in the process...

Thanks again!

So is there anyone out there who knows more about dial-up and ZA that can help with this? Should I maybe PM quietman7 and/or tg1911 and see if they can help? They've both also kindly helped me in the past... And maybe I should just post a new thread on ZA with DIAL-UP as part of the subject...?

tos226
I hear your frustration, but don't worry you'll get there and learn a lot in the process.
The canned answers are often used because it's quick and fits. It's when it doesn't that it's a problem.
Broadband use is so widespread, that unless someone is really using dial-up, it's rough to imagine how it works.

DNS servers - I think you got an answer in the first paragraph of message 16616, the stuff in (brackets).
Why? Well, I don't know how you use Outlook. But to see several DNS servers when Outlook runs, suggests, for instance, that a preview pane is open, therefore every item needs a lookup from someplace. Close the preview pane (I don't recall how, I've shut it off ages ago to keep crap out).
Ditto in IE or FF or Opera. If you permit third-party cookies, I guess, based on post 16616 over at ZA forum, that's what you'll see. Again, I'm guessing.
Perhaps something similar is going on with the AV updater, though that one is stranger than others.
See, life is totally different with the fairly constant DNS servers of a broadband provider (and behind a router).

You have a screen shot of what you called avg updater. ARE YOU SURE avginet.exe is the updater. Based on the destination, my guess is that it's AVG watching you going over to various sites, CastleCops, ZA, few others, which is its job. Am I guessing wrong?
Put a cursor on each line and read the bottom Date/Time. I bet it changes a lot. So, if it's like I think it is, when you allow AVG two checks, this will stop.
Perhaps that's an idea to follow with the others. Remember, Firefox is your browser, and AVG is supposed to watch where you go and to stop trash from coming in ... ok, end of wild guessing.

Tweak things a bit. Watch it some more. Perhaps you won't need a new "How to deal with dial-up" post nor help here from the moderators.
bloomcounty
Thanks for the reply and hanging in there!

I've never used the preview pane in OE -- too risky!

I also don't allow cookies in Firefox, generally speaking...

Do you mean this part of the ZA board post:

QUOTE
Because the previous going ons were off (dns lookups from every where), although none were truly evil sites (do remember that every site, it's third party sites and affiliated sites do get seen by the PC via the browser). The database reset would straighten out the previous mistakes.


But I did the reset... and I'm still getting dns lookups from everywhere for OE and AVG...

avginet.exe is just about positively the updater. That one only pops up when I update. Also, see this:
http://www.fileresearchcenter.com/A/AVGINET.EXE-1187.html

So I'm kind of back in the same boat again... I'll give it a day to see if anyone else posts, then I'll PM the mods here for help -- but I'll post an updated/consolidated post for them to read to keep it easy!

Thanks again... And let me know if you've got any more thoughts!
tos226
No more thoughts. But I discovered something. I posted yesterday, but looks like BC recovery blew it away.
There's a dialup user on the ZA forums, so try to post your "too many DNS with dialup, attention that user" message if you still need advice
http://forums.zonealarm.com/zonelabs/board...essage.id=16271
In case the full address isn't pasting well, it's here - Off-Topic&message.id=16271
bloomcounty
I may give that a shot... But I'm REALLY close to just letting it go as is (unless I hit the Mads, I mean the Mods, up for some help). The main thing to determine first is if something "bad" is going on or if there's a bad reason for what is going on. I don't *think* that's the case, based on what Oldsod has posted... But, then again, with those wacky posts, who knows for sure!

I may test a couple more things too...

Thanks!
bloomcounty
Thanks again, tos226, for the help. Sorry to have bothered you with so many questions...

So here's the updated, consolidated, revised issue at hand:

I recently did a database reset (per a suggestion here on the board) for this issue, but it was not resolved.

I have ZoneAlarm 7.0.302 FREE

I use DIAL-UP (not DSL or wireless)

I use Firefox for Internet Browsing

I use Outlook Express for Email

I have Windows XP SP2 Home Edition

I do not have a router. Just a laptop with a phone cord into the wall for dial-up.

First let me show you how I have ZA set up currently:
-------------------------------------
Under Firewall>Main:
I have Internet Zone Security Set to HIGH
I have Trusted Zone Security set to MEDIUM (set as such per a suggestion from this board)

My Firewall>Zones are set like this:
http://attachments.techguy.org/attachments...llzonesnew2.jpg

Please note:
I had to add the 127.0.0.1 MANUALLY after doing the database reset, since ZA did not add it automatically like when I first installed ZA months ago.
The two Earthlink DNS entries were added by me based on what was listed when I did an "ipconfig /all" -- done per a suggestion on this board. There were no DHCP servers listed.
--------------------------------------
My Program Control > Programs are set like this:
http://attachments.techguy.org/attachments...ogcntrlnew2.jpg

Program Control is set to MEDIUM (which is what is available in ZA Free)
---------------------------------------
This is my Program Log from the Log Viewer:
http://attachments.techguy.org/attachments...aprglognew2.jpg
(Entries marked with a BLUE CIRCLE seem "normal", those with a RED CIRCLE seem "weird".)

I do not open any news from Outlook Express, but I do click on links from emails I receive from message boards to open Firefox and go to the thread at the message board, etc., when a new post is made. HOWEVER, these are not the times in question when I get these weird DESTINATION IP/DNS entries shown with RED CIRCLES above. This seems to happen if I close OE and reopen, then check my email. There will be a new entry in the log (sometimes two, one for AVG and one for OE).

The strange DNS entry also seems to happen for when I update AVG and Spybot (sometimes seems right, most often is weird), as well as when OE (msimn.exe) checks my email.

HOWEVER, anytime the AVG email scanner (avgemc.exe) does a DNS lookup, it seems to always be the correct DNS (mindspring/earthlink).

So concerning the OE email stuff, it seems like the AVG email scanner is going to the right DNS, but OE only sometimes does...?
---------------------------------------
Questions:

1. Are all my settings correct and safe?

2a. Why am I getting these weird/odd DNS IP/DESTINATION listings in the Program Log?

2b. Is this normal?

2c. If so, what exactly is happening here?

2d. If it's not normal, why is it happening and what can I do about it?

Any help is appreciated! If you need any more info, just ask and I'll provide! Thanks! thumbup2.gif
Grinler
I didn't read through the entire topic. Too much to read.

What is the main problem, that DNS requests are showing in your log? Looks like all of these DNS servers are legitimate. Btw, mindspring and earthlink are the same company.

I am just not sure I understand the problem here.
bloomcounty
QUOTE(Grinler @ Jun 20 2007, 07:50 AM) *
I didn't read through the entire topic. Too much to read.


Thanks for stopping by, Grinler. No need to read the entire topic! Just Post #20 above -- it's all summarized and laid out there. smile.gif

QUOTE(Grinler @ Jun 20 2007, 07:50 AM) *
What is the main problem, that DNS requests are showing in your log? Looks like all of these DNS servers are legitimate. Btw, mindspring and earthlink are the same company.

I am just not sure I understand the problem here.


I was told that these random Destination DNS/IP entries are not normal. I use earthlink/mindspring (I know they're the same thing smile.gif ), so those DNS lookups by OE and AVG make sense (right?), and AVG Email Scanner always calls an earthlink/mindspring DNS, but OE (and AVG Updater and SpyBot, etc.) more often than not call up weird DNS entries (as shown with the RED CIRCLES).

If you can read Post #20, that really explains it all! smile.gif Can you give that a read and let me know your thoughts?

(BTW, another recent Destination DNS entry showed bleepingcomputer.com after I had visited the site, then closed my OE and reopened it and checked my mail, and that's the Destination IP/DNS that came up in the log when OE checked my email... So that seemed to be related to the fact that I had visited this board recently in Firefox, though I don't know why that should have anything to do with OE checking my email... However, that's not the scenario that causes the rest of the "odd" entries... as I didn't visit most other of those DNS's listed, except Google, I guess, as that's my default page in Firefox... But, again, I don't see what that has to do with me checking my mail with OE...)

Thanks! thumbup2.gif
Grinler
Have you contacted zonealarm directly (not their forums) about this? I do not use this program so can not even begin to help you with whether or not it is set up correctly.

It feels like Zonealarm is checking links or items in your emails and looking up the dns for the host record. Why it is doing that I really don't know. Are you using any spam filtering software?

bloomcounty
QUOTE(Grinler @ Jun 20 2007, 08:14 AM) *
Have you contacted zonealarm directly (not their forums) about this? I do not use this program so can not even begin to help you with whether or not it is set up correctly.


Can I do that if I'm only using the ZA Free version? I didn't know it was even possible to contact ZA directly... How do I do that?

QUOTE(Grinler @ Jun 20 2007, 08:14 AM) *
It feels like Zonealarm is checking links or items in your emails and looking up the dns for the host record. Why it is doing that I really don't know. Are you using any spam filtering software?


I only use AVG Free Edition. What does that mean, "looking up the dns for the host record"?

Is what it's doing "bad" in any way? Am I at risk somehow? Spyware? Are my emails getting read/received somewhere else?

And I'm not even sure if it's even doing what you're thinking... Here's what just happened:

1. I restarted my computer and opened OE and connected to the internet (dial-up) to check email. When I check my email, it checks five different email accounts in OE -- four are mindspring email addresses and one is an Earthlink email address (the second one it checks).

2. In ZA Program Alert, OE asked for permission to connect to the internet, and the Destination DNS was NS3.mindspring.com (so that makes sense, right?) But this time, this was a Port 53.

3. In ZA Program Alert, AVG Email Scanner asked for permission to connect to the internet, and the Destination DNS was pop.mindspring.com (it's always a mindspring/earthlink dns for AVG Email Scanner, *when* it connects, which it doesn't always ask me to -- and sometimes it's an SMTP mindspring/earthlink DNS). But this time, this was a Port 53 -- sometimes this is Port 110 (why the difference?).

4. The first of my email addresses checked for email -- there was none.

5. Then when the second account (the Earthlink one) checked for email, ZA Program Alert showed that OE was asking for permission to connect to the internet again, and this time the Destination DNS was listed as ZoneLabs! (IP: 209.87.209.44:53). I allowed that and it checked that email -- BUT NO EMAIL CAME THROUGH (so there was nothing coming in from ZoneLabs at all).

6. Then it continued to check the rest of the email accounts.

7. In addition, when I just did an AVG Free Update (which I allowed, as I manually triggered the update), the Destination DNS that came up was ssl-google-analytics.l.google (IP: 209.85.197.97:53) -- but the update occurred just fine (as usual). But updating this always shows some Destination IP/DNS like this... never anything that says AVG or Grisoft.

Any thoughts?

My first concern is whether or not something is going on that's indicative of a problem or security risk of any kind. Then, I'd like to figure out what the heck is going on and if it's normal... smile.gif

Thanks for the help! Looking forward to hearing back! thumbup2.gif
Grinler
No you probably can't get support for ZA Free.

QUOTE
2. In ZA Program Alert, OE asked for permission to connect to the internet, and the Destination DNS was NS3.mindspring.com (so that makes sense, right?) But this time, this was a Port 53.


Ok..this seems normal so far. Port 53 is the port used to look up DNS entries. When you connect to a mail server, your computer needs to look up the ip address associated with the name. So this is perfectly valid.

QUOTE
In ZA Program Alert, AVG Email Scanner asked for permission to connect to the internet, and the Destination DNS was pop.mindspring.com (it's always a mindspring/earthlink dns for AVG Email Scanner, *when* it connects, which it doesn't always ask me to -- and sometimes it's an SMTP mindspring/earthlink DNS). But this time, this was a Port 53 -- sometimes this is Port 110 (why the difference?).


Ok this is making sense as well. Your avg email scanner probably acts as a proxy, sitting between the mail client and the mail server, checking your email as it comes down. Port 53 is DNS, so that's ok as well, as it may be looking up the name of your mail server. Port 110 is what the POP3 server listens on and is being connected to by the AVG email scanner. Seems valid as well.

QUOTE
Then when the second account (the Earthlink one) checked for email, ZA Program Alert showed that OE was asking for permission to connect to the internet again, and this time the Destination DNS was listed as ZoneLabs! (IP: 209.87.209.44:53). I allowed that and it checked that email -- BUT NO EMAIL CAME THROUGH (so there was nothing coming in from ZoneLabs at all).


I agree...this is kind of strange. I am not sure why zone labs would be contacted.

QUOTE
In addition, when I just did an AVG Free Update (which I allowed, as I manually triggered the update), the Destination DNS that came up was ssl-google-analytics.l.google (IP: 209.85.197.97:53) -- but the update occurred just fine (as usual). But updating this always shows some Destination IP/DNS like this... never anything that says AVG or Grisoft.


It's possible when AVG updates itself, it connects to a web page that contains the google analytics code.

I honestly don't think you are having a security risk here. I think this is just the strange nuances of the program that are not fully understood. Nothing is being connected to that is harmful.
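
Grinler's breakdown above (a port 53 entry is a name lookup, a port 110 entry is the POP3 server itself) can be applied mechanically to a batch of Log Viewer entries. The following is an added example, not ZoneAlarm's code and nothing the posters ran: it parses lines in the thread's "ip:port / name" layout (with the program name prefixed), labels each entry by the service its destination port implies, and flags any entry where a mail program reached a name outside the provider domains. The sample lines, the 192.0.2.x addresses (documentation range) and the expected-domain list are constructed assumptions for the example.

```python
"""Classify firewall program-log entries by destination port and flag
mail programs that reached names outside their provider's domains.

Added example; not ZoneAlarm's code. Sample input is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Meaning of the destination ports discussed in the thread.
PORT_SERVICES = {
    53: "DNS lookup",
    110: "POP3 mail fetch",
    25: "SMTP mail send",
}

# Assumed: the domains the poster's mail software is expected to reach.
EXPECTED_DOMAINS = ("mindspring.com", "earthlink.net")

# Assumed: programs whose only job is mail, so other destinations merit a look.
MAIL_PROGRAMS = {"msimn.exe", "avgemc.exe"}

# One entry per line: program, destination ip:port, "/", destination DNS name.
LINE_RE = re.compile(
    r"^(?P<prog>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*/\s*(?P<dns>\S+)$"
)


@dataclass(frozen=True)
class Entry:
    program: str
    ip: str
    port: int
    dns: str

    @property
    def service(self) -> str:
        """Human-readable service implied by the destination port."""
        return PORT_SERVICES.get(self.port, f"other (port {self.port})")

    @property
    def in_expected_domain(self) -> bool:
        # Match whole labels only: "pop.mindspring.com" yes, "notmindspring.com" no.
        return any(self.dns == d or self.dns.endswith("." + d) for d in EXPECTED_DOMAINS)


def parse_log(text: str) -> list:
    """Parse constructed log text; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised log line: {line!r}")
        entries.append(Entry(m["prog"], m["ip"], int(m["port"]), m["dns"]))
    return entries


def needs_review(entry: Entry) -> bool:
    """True when a mail-only program reached a name outside the provider domains."""
    return entry.program in MAIL_PROGRAMS and not entry.in_expected_domain


def summarise(entries):
    """Per-program count of service types, plus the entries worth a second look."""
    per_program = {}
    for e in entries:
        per_program.setdefault(e.program, Counter())[e.service] += 1
    flagged = [e for e in entries if needs_review(e)]
    return per_program, flagged


# Constructed sample in the thread's layout; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
msimn.exe   192.0.2.10:53  / ns3.mindspring.com
msimn.exe   192.0.2.11:53  / ssl-google-analytics.google
msimn.exe   192.0.2.12:53  / thedigitalbits.com
avgemc.exe  192.0.2.13:110 / pop.mindspring.com
avgemc.exe  192.0.2.14:25  / smtp.earthlink.net
avginet.exe 192.0.2.15:53  / ssl-google-analytics.l.google
"""

if __name__ == "__main__":
    per_program, flagged = summarise(parse_log(SAMPLE_LOG))
    for prog, counts in per_program.items():
        print(prog, dict(counts))
    for e in flagged:
        print("review:", e.program, f"{e.ip}:{e.port}", e.dns, f"({e.service})")
```

The port label is the reliable part of each entry: it says which protocol the connection used. The name in the DNS column is only what the firewall displayed for the destination, so the flagged list is a starting point for questions, not a verdict.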
tos226
Just my five cents
ZA free people can't get support.
The instances of it wanting to connect to ZL server might be because
1. Smart defence goes out for information, and/or
2. Bloomcounty permits ZL client internet access (no reason not to, really)
3. ZA free has a nag for update to ZAPro check, so they might be calling home for that. Set it to 60 days, it might not be checking.
But in context of email it is odd that they'd go at DNS on the ZA servers.

AVG may be using non-AVG servers for updates. Just as in paid versions, ZA updates come from akamai servers.

I see no problems in any of the stuff either, and suspect that Earthlink bounces from one DNS server to another based on the application.

ZA free+Avg (or Antivir or Avast) makes for a pretty tight setup. GRC tests confirm.
tos226
I just remembered something.
ZA free version 7, is a huge installation with all the features of a paid product. And while those functions are totally disabled, the mail-check might be doing something.
I don't recall and don't have time to wade through this thread, whether we're talking v6 or v7.
bloomcounty
Thanks for the reply, Grinler! I hope you all don't mind sticking with me for just a bit more? smile.gif I've got some more (hopefully helpful) info and a few more questions/verifications... I know this is a LONG post with a lot of info, but I think we're close and your replies to this stuff might put us over the top! smile.gif

1. MAJOR FIND: Please check out this link which may prove useful: http://kb.earthlink.net/case.asp?article=9782

Right now, for me it's set (by default) to Obtain BOTH the IP Address and DNS Server Address Automatically. This article says to:
# Select Use the following DNS Server Addresses.
# In the preferred DNS server field type 207.217.120.83
# In the Alternate DNS server field type 207.217.126.81


HOWEVER, when I do a "command > ipconfig /all" the DNS Servers that are listed are:
DNS Servers . . . . . . . . . . . : 207.69.188.187, 207.69.188.186

1a. Why aren't these the same pair of numbers?

1b. Should I add DNS Server Addresses like this link says to? If so, WHICH set do I add? The two they say or the two that come up when I do "ipconfig /all"?

1c. As seen in this .jpg: http://attachments.techguy.org/attachments...llzonesnew2.jpg

...I have added DNS Servers 207.69.188.187 and 207.69.188.186 as TRUSTED to ZA Firewall Zones. But, if I end up using the two listed in the Earthlink link, should I REMOVE these two from the ZA Firewall Zones and ADD 207.217.120.83 and 207.217.126.81 as TRUSTED instead?

1d. Or should I follow the Earthlink instructions at that link BUT instead add the two that come up when I do "ipconfig /all"?

NOTE THAT THE TWO DNS ADDRESSES LISTED IN THE EARTHLINK INSTRUCTIONS AT THAT LINK HAVE *NEVER* COME UP IN MY ZA LOG AS A DESTINATION IP/DNS ADDRESS. (Don't know if that has any bearing...)

ALSO NOTE THAT WHEN I REVERSE LOOK-UP THE TWO ADDRESSES LISTED IN THE SUPPORT CENTER LINK, IT SAYS:

Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

...BUT WHEN I LOOK UP THE TWO ADDRESSES THAT ARE LISTED IN MY "ipconfig /all", IT DOES NOT SAY THIS. DOES THAT HAVE ANY BEARING?

1e. It was suggested to me along the way on the ZA boards to actually try doing what that Earthlink Support Center link is talking about (before I found that link), but to do so with the two addresses that come up in "ipconfig /all". HOWEVER, that person also said to do the following:

Go to Control Panel and open the Administrative Tools and select the Services or right click My Computer and select Manage and select Services and Management and then select Services. In the Services, find the DNS Client and click it and open the Properties. In the drop down, select Disable and okay all that.

HOWEVER, that Earthlink Support Center link does *not* say to do this. So should I do this part? And if so, with what addresses?

1f. Could the difference between the addresses that the Earthlink Support Center lists and what my "ipconfig /all" lists be that technically I use "mindspring"? However, if you look up all four addresses, they all say Earthlink, so maybe that doesn't matter. (Yes, I know they're the same company, but I thought maybe because I'm "mindspring" maybe that was the difference... But probably not...)

So basically I need a course of action here concerning all this stuff in #1, if you don't mind providing one! smile.gif

2. Under the Networking tab, I have Internet Protocol (TCP/IP) and QoS Packet Scheduler CHECKED and File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks UNCHECKED. Should I also uncheck that QoS Packet Scheduler as well? I ask because I read the following:

A feature exclusive to Windows 2000 and Windows XP is the Quality of Service Packet Scheduler, a component of the TCP/IP stack that's installed by default. QoS, as it's commonly abbreviated, controls the rate of flow for various network services. It's not terribly useful unless you're using apps which are QoS-aware or running a server, so you can gain some network overhead back by turning it off. http://www.extremetech.com/article2/0,1697,1153609,00.asp

So do I need this checked?

3. Could this have something to do with the odd DNS lookups?
http://en.wikipedia.org/wiki/Earthlink#Controversy

4. Sorry if I'm being repetitive here (really!), but just to verify (because I wasn't sure if you meant just that last specific instance or all the DNS lookups), you think there's nothing wrong (especially security-wise) with OE (and other programs) going to these weird Destination IP/DNS lookups (or whatever they are) as seen here:

Most recent ZA Program Log Screen Cap:
http://attachments.techguy.org/attachments...aprglognew2.jpg
(RED CIRCLES are odd entries)

Older entries broken down by program:

Outlook Express:
http://attachments.techguy.org/attachments...73792/za-oe.jpg

AVG Updater:
http://attachments.techguy.org/attachments...3706/za-avg.jpg

Spybot:
http://attachments.techguy.org/attachments...0/za-spybot.jpg

Firefox:
http://attachments.techguy.org/attachments.../za-firefox.jpg

----------------------------------------------

Thanks so much for helping me with all this. I hope you don't mind staying with me here! smile.gif I think the answers are going to be in your replies to this stuff!

(And thanks tos226 for stopping back! Think we're getting close? Oh, and this is ZA Version 7.0.302.)

Thanks again, folks! Looking forward to hearing back! thumbup2.gif
Grinler
1a-b:

No, I do not think it's necessary. The IP addresses you are being assigned belong to Earthlink and are valid DNS servers. I would go with what you have as it is how the engineers designed it.

1c:

Why do the DNS servers have to be in the trusted zone? So they don't show up in the logs anymore? If so, then there is nothing IMHO wrong with adding the IPs for all 4 of those servers into the trust zone.

1d:

See 1a-1c. As for the non-portable, that just means that another ISP can't use the IP addresses for BGP etc. You can ignore that; it has no bearing other than for the basic Internet infrastructure.

1e:

For the first part, I would just add all 4 dns servers to your trusted list.

As for the service, you can disable the service, but I really do not see what bearing that will have on anything. All that means is that Windows won't cache DNS requests and will always ask the upstream provider for the address. Not necessarily a bad thing to do, but I don't see any problems with how it is.

1f:

I don't think it makes a difference. You may be a mindspring legacy customer, under the earthlink umbrella. Remember, when ISPs purchase other ISPs, they typically leave the existing infrastructure in place. So if you are in an area that was originally serviced by mindspring, these may be their original dns servers. These are all just "ideas" though. Nothing in hard fact.


2. Leave all of that alone. If it's not broken, don't fix it.

3. No. Totally unrelated.

4. I mean there are definitely some strange places for OE to be looking up, but I can't see anything wrong with the sites themselves. Arin is totally legit and though I am not familiar with kissmyip.com, it looks legit too. The more I look at this, the more I think it's not matching up the processes to the entries correctly. Have you recently used the videohelp.com site?

5. Whew..no #5 smile.gif
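
Grinler's point under 1e (with the DNS Client service stopped, Windows keeps no cache and asks the upstream server every time) is easiest to see with a toy resolver that can run with caching on or off. This is an added example, not Windows code and not anything the posters ran: the upstream server is a constructed stand-in that only counts how often it is asked, the clock is manual so the TTL expiry is deterministic, and the record for pop.mindspring.com (192.0.2.20, TTL 300 s) is made up for the demonstration.

```python
"""Toy caching resolver showing why disabling the DNS Client service
means every lookup goes upstream.  Added example; constructed data.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class ManualClock:
    """Deterministic clock so TTL expiry can be driven from the test."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class FakeUpstream:
    """Stand-in for the ISP's recursive DNS server; counts queries it receives."""
    records: Dict[str, Tuple[str, int]]   # name -> (ip, ttl_seconds)
    queries: int = 0

    def query(self, name: str) -> Tuple[str, int]:
        self.queries += 1
        if name not in self.records:
            raise LookupError(f"no record for {name}")
        return self.records[name]


@dataclass
class Resolver:
    """Local resolver; with caching=False it behaves like a stopped DNS Client."""
    upstream: FakeUpstream
    caching: bool = True
    clock: Callable[[], float] = field(default=ManualClock())
    cache: Dict[str, Tuple[str, float]] = field(default_factory=dict)  # name -> (ip, expires_at)

    def resolve(self, name: str) -> str:
        if self.caching:
            hit = self.cache.get(name)
            if hit is not None and hit[1] > self.clock():
                return hit[0]                     # served locally, upstream not asked
        ip, ttl = self.upstream.query(name)
        if self.caching:
            self.cache[name] = (ip, self.clock() + ttl)
        return ip

    def flush(self) -> None:
        """Drop every cached answer (what a manual cache flush does)."""
        self.cache.clear()


def run_scenario(caching: bool) -> int:
    """Resolve the mail server three times, then once more after its TTL has
    expired; return how many queries actually reached the upstream server."""
    clock = ManualClock()
    upstream = FakeUpstream({"pop.mindspring.com": ("192.0.2.20", 300)})  # constructed
    resolver = Resolver(upstream, caching=caching, clock=clock)
    for _ in range(3):
        resolver.resolve("pop.mindspring.com")
    clock.advance(301)                            # past the 300 s TTL
    resolver.resolve("pop.mindspring.com")
    return upstream.queries


def run_flush_scenario() -> int:
    """Two lookups, a flush, then a third lookup: the flush forces one more upstream query."""
    upstream = FakeUpstream({"pop.mindspring.com": ("192.0.2.20", 300)})  # constructed
    resolver = Resolver(upstream, caching=True, clock=ManualClock())
    resolver.resolve("pop.mindspring.com")
    resolver.resolve("pop.mindspring.com")
    resolver.flush()
    resolver.resolve("pop.mindspring.com")
    return upstream.queries


if __name__ == "__main__":
    print("upstream queries with cache:   ", run_scenario(True))
    print("upstream queries without cache:", run_scenario(False))
```

With the cache on, four lookups cost two upstream queries (one to fill the cache, one after the TTL runs out); with it off, every lookup is an upstream query. Either way the answer comes from the same assigned DNS servers, which is why the service setting changes how often port 53 traffic appears, not where it goes.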

bloomcounty
QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
No, I do not think it's necessary. The IP addresses you are being assigned belong to Earthlink and are valid DNS servers. I would go with what you have as it is how the engineers designed it.


1a. I'm confused here (sorry!). So you're saying to NOT do what this link http://kb.earthlink.net/case.asp?article=9782 says in regards to setting up dial-up? (I didn't even know about this sort of thing... I just got my new laptop in Feb. and just transferred over my OE account from my old computer. I never looked up how to set anything up like this link describes, I just let it all go "as is".)

So you don't think this is something I'm supposed to do? (And here I was thinking I had solved the problem! smile.gif )

1b. If not, why do you think they list this as how to set up dial-up? Wouldn't it force the computer to only use those DNS and not use the weird ones it's looking up? (I have no idea if that's how it works, I'm just totally guessing...)

1c. When you say, "The IP address you are being assigned belong to Earthlink and are valid DNS servers." -- which are you talking about? Do you mean the two DNS addresses that come up when I do "ipconfig /all"?

1d. Where do those two DNS addresses in "ipconfig /all" come from exactly?

1e. When you say, "I would go with what you have as it is how the engineers designed it." -- I don't know what this means exactly... What does "it" refer to? And what engineers? Microsoft? Earthlink? ZoneAlarm? Sorry to seem so dumb! smile.gif

QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
Why do the DNS servers have to be in the trusted zone? So they don't show up in the logs anymore? If so, then there is nothing IMHO wrong with adding the IPs for all 4 of those servers into the trust zone.


2. I added those two DNS servers from the "ipconfig /all" to the Trusted Zone because that was what I was told to do by tos226 here and on the ZA boards. However, it made no difference with the weird DNS lookups. But I *think* it stopped me from getting entries in the FIREWALL LOG that showed some kind of traffic from those was getting blocked (or something like that). I was also told to set the security to MEDIUM for the trusted zone, which I did.

2a. So you're saying to add the two DNS IP addresses shown at this link http://kb.earthlink.net/case.asp?article=9782 to ZA Firewall Zones as Trusted? Even though I've never seen any entries in the ZA logs showing anything going to those two IP addresses?

2b. But *don't* actually do what it says to do at http://kb.earthlink.net/case.asp?article=9782? (I guess that's the same as 1a. smile.gif )

QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
As for the service, you can disable the service, but I really do not see what bearing that will have on anything. All that means is that Windows won't cache DNS requests and will always ask the upstream provider for the address. Not necessarily a bad thing to do, but I don't see any problems with how it is.


3. I won't mess with disabling any service. I guess that person thought by doing that, it would eliminate the weird DNS lookups?

QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
Leave all of that alone. If it's not broken, don't fix it.


4. Will do. I did uncheck those two Microsoft Network ones awhile back though because I read it was unsafe to have those checked... Do you agree?

QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
I mean there are definitely some strange places for OE to be looking up, but I can't see anything wrong with the sites themselves. Arin is totally legit and though I am not familiar with kissmyip.com, it looks legit too. The more I look at this, the more I think it's not matching up the processes to the entries correctly. Have you recently used the videohelp.com site?


5. I do occasionally go to the videohelp.com site. Why do you ask? I know that was listed in one of the weird DNS entries. And I do find that *sometimes* (but not all the time) after I go to a site, then when I close and reopen OE and check my email, the weird DNS entry is listed as for that site (the Destination DNS name listed). For example, when I just reopened OE and checked my mail, OE went to bleepingcomputer.com for the Destination DNS but AVG email scan went to a mindspring Destination DNS (as it always does). And when I just did my AVG update, the Destination DNS listed in the ZA log was also bleepingcomputer.com! EDIT: Next day now, and when I dialed up for the first time and checked my email, ZA showed OE going to zonelabs.com Destination DNS and AVG Email Scanner went to mindspring.

6. What do you mean by, "The more I look at this, the more I think it's not matching up the processes to the entries correctly."? Is there something I can check for this?

QUOTE(Grinler @ Jun 22 2007, 11:05 AM) *
5. Whew..no #5 smile.gif


But there is another post... Sorry! smile.gif

Thanks! Looking forward to hearing back! thumbup2.gif
bloomcounty
THIS IS AN ADDITION TO THE PREVIOUS POST, PLEASE READ THAT FIRST -- THANKS!

7. I've been posting about some errors that are showing up in my log viewer here:
http://www.bleepingcomputer.com/forums/topic96718.html

...and here's something that may be relevant!

I have noticed that when I first boot up my computer, in the EVENT VIEWER > SECURITY LOG, listed among the many entries (fairly early on in the list) for when you first boot up is this error:

Source: Security
Category: Policy Change
Event ID: 615
"IPSec Services:
IPSec Services failed to get the complete list of network interfaces on the machine.
This can be a potential security hazard to the machine since some of the network
interfaces may not get the protection as desired by the applied IPSec filters. Please
run IPSec monitor snap-in to further diagnose the problem."


This is BEFORE I do anything else. So I haven't opened any programs or dialed-up to the internet yet.

When I first dial-up, nothing is added to this Security Log.

HOWEVER, I notice that EVERY TIME I disconnect from the internet and reconnect (while still keeping my laptop on), this error is added to the Security Log. If I disconnect and reconnect five times, this error will show up five times in a row, time-stamped with each time I dialed back up to the internet.

Is this normal? What could cause this? And could this have anything to do with what is going on?

8. I'm also noticing that secure web pages take a really long time to load (like my library log-in page takes almost a minute, it seems). That seems to be relatively recent... (however, this DNS issue at hand has been going on forever, as far as I know, though my log showing that stuff only goes back to May 17).

A small amendment to #5. Here's another clue. I just dialed-up and checked my email (4 mindspring mailboxes/addresses), OE went to a mindspring DNS and so did AVG. THEN, I checked (separately) my one Earthlink mailbox/address, AVG didn't run again, but OE asked for permission again (probably because it's pop.earthlink.net as compared to pop.mindspring.com) and the destination DNS listed in the ZA log is the website I had just visited before checking my email! If that's not some kind of clue, I don't know what is! smile.gif

Thanks, Grinler! Looking forward to hearing back! thumbup2.gif
tos226
I hope I will not confuse this thread any further by adding a few details. Grinler, I hope you don't mind smile.gif

Re Grinler's answer to the third issue in post 25
QUOTE
Then when the second account (the Earthlink one) checked for email, ZA Program Alert showed that OE was asking for permission to connect to the internet again, and this time the Destination DNS was listed as ZoneLabs! (IP: 209.87.209.44:53). I allowed that and it checked that email -- BUT NO EMAIL CAME THROUGH (so there was nothing coming in from ZoneLabs at all).


I agree...this is kind of strange. I am not sure why zone labs would be contacted.


Considering this is ZA-free v7, here's the relevant post to which I alluded earlier; it contains a fix for people who got the mail filter they didn't think they got. This may be the reason for calling home
http://forums.zonealarm.com/zonelabs/board...mp;message.id=1
The background of the story is here
http://forums.zonealarm.com/zonelabs/board...essage.id=42331

Re Grinler's second answer in post 29
QUOTE
1c:

Why do the DNS servers have to be in the trusted zone? So they dont show up in the logs anymore? If so, then there is nothing IMHO wrong with adding the IPS for all 4 of those servers into the trust zone.


Why DNS servers in Trusted zone - I gather mostly to maintain connection, not at all related to multiple DNSs issue here, but safe, secure and harmless
http://forums.zonealarm.com/zonelabs/board...d=468859#M40488
elaborated here with practical reasons
http://forums.zonealarm.com/zonelabs/board...d=468881#M47994
bloomcounty
Hi again, tos226... I'm sure Grinler will find that info useful. I'm guessing that guy's probably super busy around here, but I'm hoping he'll be back to check out my last two posts (and your posted info).

Some comments...

Re: The ZA 7 mail filter fix -- I don't think that's an issue here, as that post was posted by a ZA guru that was actually trying to help me with this issue over there (although they couldn't help), and they never mentioned this as a possibility. Plus, I downloaded/installed ZA 7 back in Feb. and that post was made in April. I guess it's possible it took months to find the issue, but I'm still thinking this isn't the problem because it only calls up the Zonelabs Destination DNS once in awhile... and not any different than it calling up any other odd Destination DNS, you know? Just my two-cents...

Re: Placing the DNS servers in the Trusted Zone -- I find those posts by Oldsod interesting because I know I've stated over there on a number of occasions (concerning different issues/posts), that I was NOT having any visible connectivity issues and I did NOT have my two "ipconfig /all" DNS addresses in the Trusted Zone in ZA, and I was consistently told to add them. These links show him saying that you shouldn't add them if you're not having any connectivity issues. As you know, I did add them per his and your actual posts to me on this topic. I never noticed any better connectivity, though (I think I mentioned this a bunch of posts back) I did notice that there were some Firewall log entries showing those DNS servers as being blocked or something that no longer show up. So maybe it helped something that I couldn't actually see/notice. But I'm assuming having added these is 100% safe...

If you look at my newest #5, it really seems like somehow my computer (or whatever would do this) is possibly storing DNS addresses for web pages I visit (even after I turn off my computer) and then OE randomly uses those (though sometimes not so random, as *sometimes* it'll be for a webpage I recently visited, like bleepingcomputer.com). Of course, I don't even know if that's possible (as I still don't fully grasp how that all works), but there might be something to that... And if so, then maybe adding DNS addresses to my dial-up like that Earthlink link says would do something (I don't want to try this until I hear back from Grinler as to why he says this is not needed and says not to do it) -- but if I do add them, the question is what pair of addresses do I add...

And I wonder if #6 (which we're discussing in that other thread) has anything to do with all this...

Anyways, thanks for the post. smile.gif

Grinler
1a. Leave it alone.

1b. I am unsure why you feel these are weird? They are perfectly valid DNS servers, otherwise you would not be able to use the Internet. The earthlink equipment that you connect to was configured to assign those DNS servers, so they are perfectly valid to use. Otherwise the earthlink engineers would never have configured it this way.

1c. Use the DNS servers assigned automatically. That's how 99% of the world does it.

1d. Assigned by an earthlink DHCP (assigns ip address) server used for dialup customers.

1e. See the above answers.

2. I can't help you on this..I am unfamiliar with the software. All I can say is that I do not see anything wrong with using those 2 dns servers.

2a. If you are not going to use the DNS servers in the KB article...ignore them. Pretend they don't exist and don't configure anything for them.

2b. See 1a.

3. As I said it can't hurt, but it won't help you either. In some cases.. the DNS client can be a pain in the butt, especially if you use a large hosts replacement. You would know if you did that. It can't hurt to disable it though, but as I said won't do anything for these entries in the log.

4. Microsoft network ones? What are you referring to specifically?

5. Because it was listed in your dns lookups. As I said, I don't see these entries as a problem at all... they are just confusing as to why they are being shown this way. Everything shown in the logs is perfectly legit, we just do not know why OE is going to videohelp. This makes me think that the entries are legit, but something funky is going on with how the program is reporting it. Is this the latest version?

6. See 5 above.

bloomcounty
QUOTE(Grinler @ Jun 24 2007, 05:01 AM) *
1a. Leave it alone.


1a. Re: http://kb.earthlink.net/case.asp?article=9782
Okay, I understand that you're saying to *not* do this, but because I like to understand what I'm doing and not doing (hey, it's all about learning as we go along, right?), I was wondering *why* you say not to set it up this way even though Earthlink says to set up your dial-up this way? I'm not doubting you (really!), I just want to understand why this is wrong to do and why Earthlink would post a wrong way to set up your dial-up. Thanks!

QUOTE(Grinler @ Jun 24 2007, 05:01 AM) *
1b. I am unsure why you feel these are weird? They are perfectly valid DNS servers, otherwise you would not be able to use the Internet. The Earthlink equipment that you connect to was configured to assign those DNS servers, so they are perfectly valid to use. Otherwise the Earthlink engineers would never have configured it this way.


1b. Just so we're clear. I don't think the two DNS servers that "ipconfig /all" shows are "weird" at all. I understand that's normal and is what is being assigned to me. What I do think is weird (and what I thought everyone else has been saying is weird) are the Destination IP/DNS entries with RED CIRCLES at this link: http://attachments.techguy.org/attachments...aprglognew2.jpg

So you're saying that all those are normal also?

QUOTE(Grinler @ Jun 24 2007, 05:01 AM) *
4. Microsoft network ones? What are you referring to specifically?


4. In the properties for my dial-up in Network Connections, under the Networking tab, I have *unchecked* "File and Printer Sharing for Microsoft Networks" and "Client for Microsoft Networks" because I believe I read it is unsafe to leave these checked (unless you're actually using them, which I wouldn't be, right?). So that's okay to do, correct?

QUOTE(Grinler @ Jun 24 2007, 05:01 AM) *
5. Because it was listed in your DNS lookups. As I said, I don't see these entries as a problem at all... they are just confusing as to why they are being shown this way. Everything shown in the logs is perfectly legit, we just do not know why OE is going to videohelp. This makes me think that the entries are legit, but something funky is going on with how the program is reporting it. Is this the latest version?


5a. I do use the videohelp.com board (PM'ing mostly) about once a week or so. So OE going to videohelp.com is the *only* weird one? What about OE going to google, or amazon.com, or akamai, or theplanet.com, or rloe.com? Those are all okay and normal? This whole thing started because I was told this wasn't normal. But maybe it is?

5b. If it is, then why does it go to these non-earthlink/mindspring Destination IP/DNS addresses?

5c. I think this is one back from the newest update to ZA that I have, *but* I've always been told there's really no reason security-wise to update to the newer version, and doing so can actually cause problems, so I don't do that. However, I've also been asking about this on the ZA boards, and have posted the version I have, and no one over there has ever mentioned my version being an issue...

5d. Here are a couple examples of recent Destination IP/DNS entries:

When I reopened OE and checked my mail, OE went to bleepingcomputer.com for the Destination DNS but AVG email scan went to a mindspring Destination DNS (as it always does). And when I just did my AVG update, the Destination DNS listed in the ZA log was also bleepingcomputer.com!

After restarting my computer, I dialed-up and checked my email (4 mindspring mailboxes/addresses), OE went to a mindspring DNS and so did AVG. THEN, I checked (separately) my one Earthlink mailbox/address, AVG didn't ask for permission again, but OE asked for permission again (probably because it's pop.earthlink.net as compared to pop.mindspring.com) and the destination DNS listed in the ZA log is the website I had just visited before checking my email!


I posted a #7 & 8, but I think you missed those, so I'll repost below:


7. I've been posting about some errors that are showing up in my log viewer here:
http://www.bleepingcomputer.com/forums/topic96718.html

...and here's something that may be relevant!

I have noticed that when I first boot up my computer, in the EVENT VIEWER > SECURITY LOG, listed among the many entries (fairly early on in the list) for when you first boot up is this error:

Source: Security
Category: Policy Change
Event ID: 615
"IPSec Services:
IPSec Services failed to get the complete list of network interfaces on the machine.
This can be a potential security hazard to the machine since some of the network
interfaces may not get the protection as desired by the applied IPSec filters. Please
run IPSec monitor snap-in to further diagnose the problem."


This is BEFORE I do anything else. So I haven't opened any programs or dialed-up to the internet yet.

When I first dial-up, nothing is added to this Security Log.

HOWEVER, I notice that EVERY TIME I disconnect from the internet and reconnect (while still keeping my laptop on), this error is added to the Security Log. If I disconnect and reconnect five times, this error will show up five times in a row, time-stamped with each time I dialed back up to the internet.

Is this normal? What could cause this? And could this have anything to do with what is going on?

8. I'm also noticing that secure web pages take a really long time to load (like my library log-in page takes almost a minute, it seems). That seems to be relatively recent... (however, this DNS issue at hand has been going on forever, as far as I know, though my log showing that stuff only goes back to May 17).

Thanks, Grinler! Looking forward to hearing back!
Grinler
1a. The Earthlink engineers set it up so that when you connect via dialup you will automatically receive those two DNS servers. As it is set up that way, it is safe to think that it is the correct way. The articles all over Earthlink contradict each other:

In this article there is no mention of assigning one. Therefore it will obtain one automatically just like you have it set up. Heck, in this article for Windows 2000 it actually says to obtain the DNS servers automatically like you are doing. There is absolutely no difference in how you need to set it up in XP vs. 2000. Settings should be the same for both.

If you want to go ahead and use the ones in the KB article, please go ahead. It won't change anything at all with your log entries in ZA. I personally think you should leave it as it is so that you are assigned the DNS servers that their network engineers want you to have. That way if they are changed in the future, you will properly get the new ones, instead of using the ones listed in the KB article.

1b. No, I think the destination IP addresses are perfectly valid. You said yourself that the places shown are places that you occasionally go to. So I do not find it weird that they are there. What I do find strange is why they are saying certain programs are accessing the site when they are not. For example, videohelp. If it said IE or Firefox was connecting there it would be perfectly normal, but OE? That is strange and I agree. I do not, though, think there is anything nefarious here. I think there is some problem with ZA itself.

4. Yeah, if you do not do network sharing between other computers these can be unchecked and are completely unnecessary. ZA would be blocking access regardless, but no need to have them enabled.

5a. It's either normal and we just don't understand what the logs are saying, or there is a problem with the program/program's database that is mapping the program to the site you visit incorrectly. That's why I asked if it was an old version where maybe there is a bug.

5b. No idea.

5c. Quite honestly, I do not think people have given you a valid answer as to why programs are stated as going to a site, when in reality it is another program going to it.

5d. This really is starting to look like some sort of corruption in ZA. Whether there is a problem with the program version, or a database it creates and uses to map programs to sites, I honestly do not know. My suggestions as to what to try are below.

7. No comment on that. I honestly do not know the answer on the stuff in that topic. From the other event, I found this:

QUOTE
IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem. This message replaces the several IP Helper API messages that were used in Windows 2000. This is a benign error if it occurs when interfaces are added and removed or when connection states change, such as when a wireless network is no longer in range. It is also benign when it occurs during resumption from standby or hibernate modes and a different network interface configuration exists that is being detected during the resumption.


8. Let's save that for another topic. Let's focus on the DNS and the ZA.

So my suggestions are this: keep the DNS servers you are being assigned automatically. Also, I really really think this is an issue of ZA and nothing else. My suggestion: uninstall ZA, delete all personal settings if it asks. Delete that database that you were told to delete at the ZA forums. Reboot. Delete the C:\Program Files\ZoneAlarm folder. This will give you a clean starting point. Now reinstall ZA and see if the problem keeps occurring.

Hope this helps!
bloomcounty
QUOTE(Grinler @ Jun 24 2007, 06:31 PM) *
1a. The Earthlink engineers set it up so that when you connect via dialup you will automatically receive those two DNS servers. As it is set up that way, it is safe to think that it is the correct way.


1a. Okay, I think I get this. But then should OE be connecting to one of those two automatically assigned DNS addresses each time I check my mail, regardless of whether I open/close/re-open OE before doing so? Those DNS addresses only show up sometimes in the Program Log in ZA (as shown in the .jpg I posted a link to), and the rest of the time it shows OE going to the IP/DNS addresses of the websites I've visited (or other sites that I haven't visited -- so it's not ALWAYS a site I've been to... I notice that sometimes the Destination IP listed is some other internet provider (when you do a reverse look-up for the IP address).

1b. HOWEVER... Also note that if I make Firefox ask for permission each time, it will also be listed in the Program Log with each "connection" like OE, and the Destination IP/DNS entries for Firefox are the same "weird" list of addresses (google, or amazon.com, or akamai, or theplanet.com, or rloe.com, etc.). So it's really happening for Firefox as well as OE, but I don't see Firefox because I have it set to "allow". If I set OE the same way, I wouldn't see those log entries (but it would still be happening the same way). So does that mean anything?

1c.
Yeah, it's weird that those Earthlink articles contradict each other. The one you linked to is called "How to Configure Dialup Networking on Windows XP" and the one I linked to is called "How to Configure DNS for a Dial-Up Network Connection in Windows XP". So I guess there's a difference there...? More below...

QUOTE(Grinler @ Jun 24 2007, 06:31 PM) *
If you want to go ahead and use the ones in the KB article, please go ahead. It won't change anything at all with your log entries in ZA. I personally think you should leave it as it is so that you are assigned the DNS servers that their network engineers want you to have. That way if they are changed in the future, you will properly get the new ones, instead of using the ones listed in the KB article.


2. Okay, so THAT'S why you don't think I should actually type in my two assigned DNS addresses (forget about the two listed in that article I linked to) into the Properties box that says to "use these DNS addresses" as described in the Earthlink article I linked to? Because if I do that, then if they change at some point, I wouldn't know? Is that correct?

3. Do you think it's at least worth a shot trying to do it that way, BUT with my two assigned DNS addresses? (Not the two listed in that article...) I could always change it back if it doesn't make any difference. I think you're right that it won't change those Program Log entries, but I'm thinking it doesn't hurt to test it anyways? Any reason not to?

QUOTE(Grinler @ Jun 24 2007, 06:31 PM) *
5c. Quite honestly, I do not think people have given you a valid answer as to why programs are stated as going to a site, when in reality it is another program going to it.


I agree! At least I know I'm not crazy for thinking that all along!

QUOTE(Grinler @ Jun 24 2007, 06:31 PM) *
7. No comment on that. I honestly do not know the answer on the stuff in that topic. From the other event, I found this:

QUOTE
IPSec Services failed to get the complete list of network interfaces on the machine. This can be a potential security hazard to the machine since some of the network interfaces may not get the protection as desired by the applied IPSec filters. Please run IPSec monitor snap-in to further diagnose the problem. This message replaces the several IP Helper API messages that were used in Windows 2000. This is a benign error if it occurs when interfaces are added and removed or when connection states change, such as when a wireless network is no longer in range. It is also benign when it occurs during resumption from standby or hibernate modes and a different network interface configuration exists that is being detected during the resumption.


Well, the part about "when connection states change" sure sounds like what happens for me when I disconnect from the internet! I also heard from another source that this is not a security issue -- so at least that sounds like one less worry! Thanks for finding that quote!

QUOTE(Grinler @ Jun 24 2007, 06:31 PM) *
Hope this helps!


Definitely! Just let me know what you think about the above, and if you agree, then I can test that DNS thing with my assigned DNS addresses for $h1t$ and grins and let you know if it does anything for some strange reason. And when I get the chance, I will probably reinstall ZA (probably an earlier version that's more bare bones) and I'll definitely follow up at that time with the results. Thanks!
Grinler
Bloom,

1a. See my other answers where I feel ZA is not showing the correct info.

1b. If you connect with Firefox and see other IP addresses this is perfectly normal. The page you are visiting may be hosting images or JavaScript located at other sites. Your browser then needs to look those up as well.

1c. Dialup networking and a dial-up network connection is the same thing.

2. That and if the earthlink equipment was set up in some manner, then that manner is probably the correct way.

3. As I said it won't harm anything but I am almost 100% sure it won't change a thing in ZA.


Go ahead and try the DNS change. It won't hurt anything at all.
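As an added example, not part of this thread and not ZoneAlarm's own code, the following Python script triages log rows laid out like the DESTINATION IP / DESTINATION DNS columns discussed above: port-53 rows are lookups (the DNS column names what is being resolved, not where the program itself went), other ports are the program's real connections, and a port-53 row aimed anywhere other than the two resolvers `ipconfig /all` reports is flagged for a closer look. The pipe-separated row layout, the resolver addresses and the sample rows are all constructed for the example.

```python
# Added example (not from the thread or from ZoneAlarm): triage of program-log rows
# modelled on the DESTINATION IP / DESTINATION DNS columns discussed in the thread.
import ipaddress
from dataclasses import dataclass

# Stand-ins for the two resolvers `ipconfig /all` reports on the dial-up link.
# Constructed from RFC 5737 documentation ranges, not Earthlink's real addresses.
ASSIGNED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}


@dataclass
class LogRow:
    program: str
    direction: str
    action: str
    dest_ip: str
    dest_port: int
    dest_dns: str


def parse_row(line: str) -> LogRow:
    """Parse one 'program | direction | action | ip:port | dns' row.

    The pipe-separated layout is constructed for this example; ZA's own export
    format is not reproduced here. IPv4 only, so the last ':' splits ip and port.
    """
    program, direction, action, dest, dns = [f.strip() for f in line.split("|")]
    ip, _, port = dest.rpartition(":")
    ipaddress.IPv4Address(ip)  # raises AddressValueError (a ValueError) if malformed
    return LogRow(program, direction, action, ip, int(port), dns)


def classify(row: LogRow) -> str:
    """Label a row for review.

    dns-to-resolver  port 53 to an assigned resolver: an ordinary lookup, so the
                     DNS column is the name being resolved, not a site the program visited
    dns-to-unknown   port 53 to any other host: check which resolver answered and why,
                     since it is not one the dial-up link assigned
    app-connection   any other port: the program's own connection (e.g. POP3 on 110)
    blocked          ZA did not allow it; kept for context
    """
    if row.action.upper() != "ALLOWED":
        return "blocked"
    if row.dest_port == 53:
        return "dns-to-resolver" if row.dest_ip in ASSIGNED_RESOLVERS else "dns-to-unknown"
    return "app-connection"


def triage(lines):
    """Group rows by label as (program, 'ip:port', dns) tuples, skipping blank lines."""
    grouped = {}
    for line in lines:
        if not line.strip():
            continue
        row = parse_row(line)
        dest = f"{row.dest_ip}:{row.dest_port}"
        grouped.setdefault(classify(row), []).append((row.program, dest, row.dest_dns))
    return grouped


# Constructed sample rows: program and host names taken from the thread, addresses
# from documentation ranges. Not real ZoneAlarm output.
SAMPLE_LOG = """
msimn.exe   | OUTGOING (CONNECT) | ALLOWED | 192.0.2.53:53     | pagead.l.google
msimn.exe   | OUTGOING (CONNECT) | ALLOWED | 192.0.2.54:53     | ns3.mindspring.com
msimn.exe   | OUTGOING (CONNECT) | ALLOWED | 198.51.100.20:110 | pop.mindspring.com
avgemc.exe  | OUTGOING (CONNECT) | ALLOWED | 203.0.113.7:53    | www.assoc-amazon.com
svchost.exe | OUTGOING (CONNECT) | BLOCKED | 203.0.113.9:445   | -
"""

if __name__ == "__main__":
    for label, rows in triage(SAMPLE_LOG.splitlines()).items():
        print(label)
        for program, dest, dns in rows:
            print(f"  {program:<12} {dest:<20} {dns}")
```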
bloomcounty
I'm still looking into this! (More specifically, I'm getting some input from the boards at AumHa...)

I'll have some more info to post soon... Just didn't want the thread to get closed or anything! Thanks!

More soon!
bloomcounty
Hi, guys!

Well, the consensus seems to be that there's something wrong with ZA. I posted some TCPView screen caps for someone over at AumHa, and they didn't see any sign that it would be malware at work, but that ZA is showing stuff in the Program Log that it shouldn't. I've given up on getting a straight answer from the ZA boards, as that person over there said they had explained to me why ZA is doing what it's doing, but refused to actually tell me the explanation (and I can't find it). Plus, one time they say it's normal, the next they say something's weird. So I'm done with all that inconsistent information that doesn't directly answer the questions at hand and I'm going with uninstalling ZA 7.0.302 and installing ZA 6.1 or 6.5.

So:

1. ZA 6.1 vs. 6.5: It looks like it would either be 6.5.737.000 or 6.1.744.001?
http://download.zonelabs.com/bin/free/info...aseHistory.html

2. Which do you folks think would be better for me? tos, I know you said you use both, so I'm hoping you might have an opinion as to which I should use (and why). What's the difference? (Based on what's listed at that link above, I guess 6.5.737 would be better than 6.1.744.001?)

3. Any advice on the complete uninstall?

Thanks for all the help, folks! Hope you have a fun 4th!
Grinler
1. Personally I would just install the latest version unless there are known issues with it.

2. Same as above

3. Do an uninstall from Add or Remove programs. Delete the C:\Program Files\Zone Alarm or whatever its folder is. Delete that database directory the person at ZA told you to delete. (I think it was c:\windows\internet logs)

Reboot. Install new version
bloomcounty
1. The newest version (which is the one I have) is huge compared to Version 6 because it apparently has *everything*, including all the paid-for features, and they're just turned off (and that's been problematic for some, I guess). Version 6 is just the free stuff (and I think tos recommended that, for that reason). So that's why I was asking about that...

3. I got a few different instructions about uninstalling it that are fairly involved (one of them having you do some deleting of files in safe mode), so I figure if I combine the two instructions, I'll be super-covered!

tos226
1. Logs of ZA report what it sees, Earthlink walking a lot of DNS servers. ZA makes a log of incoming/outgoing activities (packets from/to those servers etc). It can't possibly make'm up, nor store'm.
2. Uninstallation using Add/Remove will not work as the True Vector monitor (vsmon) will not be able to stop and you'll end up with a mess, instead,
3. Stop it from running at startup, then
4. In the standard start menu is a ZA entry for uninstalling. Just add the /clean switch and you're good to go.
5. Reboot and then uninstall. Simple.
6. If you don't do proper uninstallation sequence, then you WILL have to do the safe mode and registry tweaks.
7. However, I would look through the registry for traces of ZA just to be sure, considering it is v7. Please confirm the uninstallation instructions on the ZA forums or the ZL site or perhaps the Help system itself.
8. None of the above will help what ZA sees. It's an Earthlink issue and dial-up.
9. I used both 6.1 and 6.5 free. 6.1 is fine, 6.5 is likely better. Last small ZA free. Toss a coin.

I'd be interested in seeing the Aumha thread you mentioned.

Grinler - somewhat technical note, based on experience. I know you're the site owner and expert par excellence. But it is my opinion based on observations that security apps such as McAfee, Norton, ZA, and I'm sure others are so deeply embedded in the system that the vendor's instructions need to be followed. The old Add/Remove works for simple things, but not firewalls, AV and other such.
Grinler
Hi, TOS... never fear critiquing me. In my experience uninstalling AV software and firewalls, I have never had a problem using Add/Remove Programs to do it. If there is a program that Add or Remove Programs does not uninstall properly then that program has a crappy uninstall routine programmed into it.

I just uninstalled avast, kaspersky, and kerio on two machines via the add or remove programs yesterday and had no problems at all.

Guess ZA has a bad method.
bloomcounty
QUOTE(tos226 @ Jul 5 2007, 06:06 PM) *
1. Logs of ZA report what it sees, Earthlink walking a lot of DNS servers. ZA makes a log of incoming/outgoing activities (packe