I am using ZoneAlarm 7 and have it configured so that I have to grant permission to an application to have network/Internet access.
I just downloaded and installed Windows Defender -- MS anti-spyware ap.

Somehow, Windows Defender was able to check for updates without my granting it permission to access the net.
It apparently used the Generic Host, which does have access rights approved in ZA.
How can this be?
Should I be concerned?
In other words, what stops any ol' malware-trojan that somehow sneaks through my AV software doing its thing via the Generic Host without triggering ZA?

Help with this would be appreciated.