For every version of ZA I installed under Vista, I had tons of intrusions. The latest beta (254) is no exception.
I've re-installed ZA last week, and I have over 8000 intrusion attempts on my computer. By comparison, I have had the latest available release of ZASS for XP installed on another computer for a little while now, and there are 0 intrusions reported.
This is one of the messages I get:
ZoneAlarm Security Suite has blocked access to port 49015 on your computer
ZoneAlarm Security Suite has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe.
ZoneAlarm Security Suite blocked traffic to port 49015 on your machine from port 54812 on a remote computer whose IP address is 220.127.116.11. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
The intrusion attempts occur at intervals of a few seconds. Here is a part of the log:
ZoneAlarm Logging Client v7.1.254.000
Windows Vista-6.0.6001-Service Pack 1-SMP
type,date,time,virus name,file name,mode,e-mail id (Anti-Virus)
type,date,time,source,destination,action,service (IM Security)
type,date,time,source,destination,program,action (Malicious Code Protection)
type,date,time,action,product,file,event,subevent, class,data,data,... (OSFirewall)
AV/treatment,2008/04/21,17:38:34 -4:00 GMT,,,,Auto
FWIN,2008/04/21,17:39:16 -4:00 GMT,18.104.22.168:31018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:16 -4:00 GMT,22.214.171.124:59557,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:16 -4:00 GMT,126.96.36.199:4853,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:18 -4:00 GMT,188.8.131.52:3679,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,184.108.40.206:1336,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,220.127.116.11:61018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,18.104.22.168:4568,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,22.214.171.124:55562,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,126.96.36.199:63924,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,188.8.131.52:63175,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:40 -4:00 GMT,184.108.40.206:55947,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:40 -4:00 GMT,220.127.116.11:54159,192.168.0.105:49015,TCP (flags:S)
As far as I can tell, 99% of them are TCP and are targeting port 49015.
Now, this port was 'forwarded' on my router, as it's the one I'm using for BitTorrent applications (Azureus and uTorrent). The rule is now deleted in my firewall configuration (D-Link DIR-625), but I still get the intrusion attempts.
The attacks seem to occur more frequently when uTorrent is running; however, I still get logs when the application is not running. Even when they haven't run yet (either BitTorrent or eMule) after I start Windows, I still get these attacks. I was using this software before on XP, but I never had such problems.
I have been infected with a few spyware/viruses since I installed Vista a few months ago, and so far, ZA, or my other AV program, has always told me the infected file was removed. ZA always rated the security risk at "medium". The latest I got was "win32.trojan.keylogger.454". I cleaned it using ZA, I ran another spyware utility (Spybot) which did not find anything abnormal, I've deleted my restore points and my cache, I ran CCleaner in 'regular' mode as well as in 'Safe' mode, but there is no change in the logs; I keep getting these.
Is it just ZA for Vista that is buggy or do I have a problem?
Here is my netstat report, in case it's useful (taken while I'm not connected to the internet):
Microsoft(R) Windows DOS
(C)Copyright Microsoft Corp 1990-2001.
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING
TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49269 127.0.0.1:49270 ESTABLISHED
TCP 127.0.0.1:49270 127.0.0.1:49269 ESTABLISHED
TCP 127.0.0.1:49281 127.0.0.1:49282 ESTABLISHED
TCP 127.0.0.1:49282 127.0.0.1:49281 ESTABLISHED
TCP 192.168.0.105:49553 18.104.22.168:80 ESTABLISHED
TCP 192.168.0.105:49556 22.214.171.124:80 ESTABLISHED
TCP 192.168.0.105:49557 126.96.36.199:7001 TIME_WAIT
TCP 192.168.0.105:49557 188.8.131.52:7001 TIME_WAIT
TCP 192.168.0.105:49583 184.108.40.206:80 ESTABLISHED
TCP [::]:135 [::]:0 LISTENING
TCP [::]:3389 [::]:0 LISTENING
TCP [::]:5357 [::]:0 LISTENING
TCP [::]:49152 [::]:0 LISTENING
TCP [::]:49153 [::]:0 LISTENING
TCP [::]:49154 [::]:0 LISTENING
TCP [::]:49155 [::]:0 LISTENING
TCP [::]:49156 [::]:0 LISTENING
TCP [::]:49157 [::]:0 LISTENING
UDP 0.0.0.0:123 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:3702 *:*
UDP 0.0.0.0:4500 *:*
UDP 0.0.0.0:49152 *:*
UDP 127.0.0.1:1900 *:*
UDP 127.0.0.1:44301 *:*
UDP 127.0.0.1:49156 *:*
UDP 127.0.0.1:56005 *:*
UDP 127.0.0.1:57971 *:*
UDP 127.0.0.1:60962 *:*
UDP [::]:123 *:*
UDP [::]:500 *:*
UDP [::]:3702 *:*
UDP [::]:3702 *:*
UDP [::]:49153 *:*
UDP [::1]:1900 *:*
UDP [::1]:60961 *:*
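As an added example (not part of the post above), here is a small Python script that parses FWIN rows in the ZoneAlarm log format shown in the post and reports the destination-port share, protocol split, number of distinct sources and peak events per second, which is how to check the "99% TCP to port 49015" observation over a full log export instead of by eye. The field layout is inferred from the excerpt, since the post does not include the firewall header line, and the last two sample rows (a UDP probe and one to port 3389) are constructed.

```python
from collections import Counter
from datetime import datetime

# Constructed sample: rows copied from the post plus two made-up rows at the end
# (a UDP probe and one to port 3389) so the port/protocol split is non-trivial.
SAMPLE_LOG = """\
ZoneAlarm Logging Client v7.1.254.000
AV/treatment,2008/04/21,17:38:34 -4:00 GMT,,,,Auto
FWIN,2008/04/21,17:39:16 -4:00 GMT,18.104.22.168:31018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:16 -4:00 GMT,22.214.171.124:59557,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:18 -4:00 GMT,188.8.131.52:3679,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,184.108.40.206:1336,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,220.127.116.11:61018,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,18.104.22.168:4568,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:32 -4:00 GMT,126.96.36.199:63924,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:40 -4:00 GMT,184.108.40.206:55947,192.168.0.105:49015,TCP (flags:S)
FWIN,2008/04/21,17:39:45 -4:00 GMT,203.0.113.7:6881,192.168.0.105:49015,UDP
FWIN,2008/04/21,17:39:50 -4:00 GMT,198.51.100.9:40001,192.168.0.105:3389,TCP (flags:S)
"""

def parse_fwin(text):
    """Parse FWIN rows; assumed layout: type,date,time,src_ip:port,dst_ip:port,proto."""
    records = []
    for line in text.splitlines():
        parts = line.split(",")
        if len(parts) < 6 or parts[0] != "FWIN":
            continue  # banner lines, AV rows and truncated rows are skipped
        _, date, clock, src, dst, proto = parts[:6]
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        # clock looks like "17:39:16 -4:00 GMT"; only HH:MM:SS is needed for bucketing
        when = datetime.strptime(f"{date} {clock.split()[0]}", "%Y/%m/%d %H:%M:%S")
        records.append({"when": when, "src_ip": src_ip, "src_port": int(src_port),
                        "dst_ip": dst_ip, "dst_port": int(dst_port),
                        "proto": proto.split()[0]})
    return records

def summarise(records):
    """Which port, which protocol, how many distinct sources, and how bursty."""
    if not records:
        return {"total": 0}
    ports = Counter(r["dst_port"] for r in records)
    top_port, top_count = ports.most_common(1)[0]
    return {"total": len(records),
            "top_port": top_port,
            "top_port_share": round(top_count / len(records), 3),
            "protocols": dict(Counter(r["proto"] for r in records)),
            "distinct_sources": len({r["src_ip"] for r in records}),
            "peak_per_second": max(Counter(r["when"] for r in records).values())}
```

Run it over a full log export rather than the excerpt; the distinct-source count and the per-second peak are what distinguish many separate hosts aiming at one formerly forwarded port from a single host scanning the machine.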