Thread: Why is zlclient contacting websites?

  1. #1
    pyewhacket Guest

    Why is zlclient contacting websites?

    Hello all

    I've been using the free version of ZoneAlarm for several years but have never tinkered with it much as it has worked so well. I am currently using 6.5.722.000. Google told me my question was asked in this thread back in July:
    http://forum.zonelabs.org/zonelabs/b...ssage.id=15718
    It didn't seem to be answered so I hope you don't mind my raising it again.

    I noticed in the log that zlclient.exe is accessing various websites every few days. Some are ones I use regularly (one's my home page) but some I don't recognise. I'd understand if the program were contacting Zone Labs (which doesn't appear in the log) but why these other websites? What is it doing?

    The log entries all say "Allowed (once)" as if I have given permission, but it has never asked me! It did have permission to access the Trusted and Internet zones but now I've set all four columns in Program Control to Ask. It doesn't seem to be a malware problem; I checked and there is only one zlclient.exe on my disk and it is in the program folder. Here's a sample entry from tonight:

    [Rating] High [Date/Time] 2006/09/21 21:09:52+1.00 GMT [Type] Repeat Program [Program] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [Source IP] (blank) [Destination IP] 207.46.248.249:53 [Direction] Outgoing (connect) [Action taken] Allowed (once) [Count] 1 [Source DNS] (blank) [Destination DNS] sa.windows.com

    I did a Whois lookup and that seems to be a Microsoft site. Some of the others are: news.zen.co.uk (my news server); a369.g.akamai; a802.g.akamai; www.crochetville.org (forum I regularly visit) and www.anniesattic.com (my home page). All the connections are on port 53. Someone in the other thread suggested zlclient might be checking sites in my trusted zone, but none of these are in there.

    Has anyone any idea what might be happening, please?

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm (Free)
    Software Version:6.5
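
Added example, not part of the thread: a small parser for log entries in the bracketed format quoted in the post above, which groups destinations by program and port and reports programs whose logged connections all go to port 53, the DNS service port. The first sample line is the entry from the post; the other two lines, their paths, addresses and host names are constructed for illustration.

```python
import re
from collections import defaultdict

# Entry 1 is the one quoted in the post; entries 2 and 3 are constructed samples.
SAMPLE_LOG = [
    r"[Rating] High [Date/Time] 2006/09/21 21:09:52+1.00 GMT [Type] Repeat Program "
    r"[Program] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe [Source IP] (blank) "
    r"[Destination IP] 207.46.248.249:53 [Direction] Outgoing (connect)"
    r"[Action taken] Allowed (once) [Count] 1 [Source DNS] (blank) "
    r"[Destination DNS] sa.windows.com",
    r"[Rating] High [Type] Repeat Program "
    r"[Program] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    r"[Destination IP] 192.0.2.10:53 [Direction] Outgoing (connect) "
    r"[Action taken] Allowed (once) [Destination DNS] dns.example.net",
    r"[Rating] Medium [Type] Program "
    r"[Program] C:\Program Files\Mozilla Firefox\firefox.exe "
    r"[Destination IP] 198.51.100.7:80 [Direction] Outgoing (connect) "
    r"[Action taken] Allowed [Destination DNS] www.example.org",
]

# "[Field name] value" pairs; a value runs until the next "[".
FIELD_RE = re.compile(r"\[([^\]]+)\]\s*([^\[]*)")

def parse_entry(line):
    """Split one log entry into a dict and break out destination IP and port."""
    fields = {name.strip(): value.strip() for name, value in FIELD_RE.findall(line)}
    dest = fields.get("Destination IP", "")
    ip, _, port = dest.rpartition(":")
    fields["dest_ip"] = ip or dest
    fields["dest_port"] = int(port) if port.isdigit() else None
    return fields

def summarize(lines):
    """Map program file name -> {destination port: set of destination names}."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        entry = parse_entry(line)
        program = entry.get("Program", "").rsplit("\\", 1)[-1].lower()
        summary[program][entry["dest_port"]].add(entry.get("Destination DNS", ""))
    return summary

def dns_only_programs(lines):
    """Programs whose every logged connection targets port 53 (DNS)."""
    return sorted(p for p, ports in summarize(lines).items() if set(ports) == {53})

if __name__ == "__main__":
    for program, ports in summarize(SAMPLE_LOG).items():
        for port, names in ports.items():
            print(program, port, sorted(names))
    print("port 53 only:", dns_only_programs(SAMPLE_LOG))
```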

  2. #2
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Re: Why is zlclient contacting websites?

    Does this appear to happen just prior or just after you go to these sites?
    My homes are SpywareHammer.com and DonHoover.net and BleepingComputer.com


    Consumer Security - 2011 & 2012

    Tilting at windmills hurts you more than the windmills.
    -From the Notebooks of Lazarus Long
    Senior of the Howard Families

  3. #3
    pyewhacket Guest

    Re: Why is zlclient contacting websites?

    Hoov, thanks for the reply. The answer is, I can't tell. . . there are log entries for today and yesterday, but prior to that these contacts seem to be happening only every few days, no matter how often I visit a site. Crochetville.org is a forum I help with and I generally keep that open in the background all the time, but zlclient last contacted it on the 7th. anniesattic.com is my home page so I see it every day; zlclient last accessed it on the 16th. The other sites I mentioned I don't recognise at all.

    I set all zlclient's permissions to Block just before my first post at 1:42am my time. The log shows that between 3:49 and 3:50am it then tried to contact: a369.g.akamai (5 times), dns.hq.svc.zen.net.uk (8 times), dns.wh.svc.zen.net.uk (6 times), mail.virgin.net.securehostedmail.com (5 times). The Zen addresses are my ISP's DNS servers and Virgin is another ISP I have a mail account with; I've no idea what akamai is.

    All the sites contacted so far seem to be legit, sa.windows.com belonging to Microsoft, for example, though I don't think I've ever been there. I'm just very puzzled as to what zlclient is doing, why it's doing it and why it gives itself permission (before I blocked it, it had permission to access any Internet and Trusted addresses it liked, but the fact that the log records the contacts at all, and says "Allowed (once)" implies permission has been asked and granted).

  4. #4
    Join Date
    Dec 2002
    Location
    Mikado Michigan
    Posts
    2,596

    Re: Why is zlclient contacting websites?

    Akamai is probably legitimate, they have servers that host software downloads, updates, they also serve as load balancers for other servers. Suffice it to say it's common, and probably isn't anything to worry about. Looks like something was set to do an update, and your e-mail client is set to check the e-mail automatically.

  5. #5
    pyewhacket Guest

    Re: Why is zlclient contacting websites?

    Thanks for that, Hoov. Yes, my email client checks for mail every 10 minutes. I still wonder why zlclient is accessing these sites, though.

  6. #6
    webmanaks Guest

    Re: Why is zlclient contacting websites?

    Hi. I am finding a similar problem. I too have been using ZoneAlarm (free) for years. I have the latest version installed, and by chance just decided to look at the logs.

    I also saw the ZoneAlarm client's alert logs mention it was trying to reach destination host yealink.com -- a Skype software and hardware site from China. Another time it accessed google-analytics (I know this is a Google site analysis site). A day earlier it accessed c18-ssa-xw-lb.cnet -- what the **bleep** is that?

    I am running a few things e.g. Firefox with a lot of tabs open, Skype, and some other things that might access the internet (to check for updates -- or so I thought).

    I have only seen this in the last week. However, the other sites also look like ad sites. One is even to bloglines (not an ad, but a Firefox extension I use accesses it to check for updated RSS feeds.)

    It does seem that this is a web browser thing (not an issue though!) I would be okay if this was just ads being served because of browsing, but why the ZoneAlarm client would be reporting this and not the browser, I don't understand?

  7. #7
    webmanaks Guest

    Re: Why is zlclient contacting websites?

    I just found out how to reproduce this.

    In the ZoneAlarm client, go to Overview --> Preferences and click Check for Updates.

    The client now seems to pop up a new window (usually says up to date!).

    Now go back to the logs and there is a new entry where the client log says the destination DNS for the client itself was some ad server (in my particular case).

    You need to shut down the ZoneAlarm client (do that with care!) and restart it to be able to run the Check for Updates again. When/if you do that, I find that I get another entry in the log -- each time.

    Now here is another odd thing:

    While I was trying this, a Firefox extension, WeatherFox just happened to update itself with latest weather info (I know coz it pops up a small window in the background saying so). This was just as the client was checking for updates. But the alert logs showed that the *Zone Alarm client* was accessing the weather fox site, not Firefox...

    So, I am a bit relieved to assume that this might be a bug in the Zone Alarm client, saying it was the client requesting this URL, rather than the browser? And, that these are likely just sites (including ads that the sites use) that are being accessed at that time.

    Can someone confirm this and allay the fears?
