I am the developer of Forte Agent, the Usenet newsreader and email client.
We have received reports from our customers that ZoneAlarm displays alerts when Agent goes online, reporting that Agent is trying to connect to the DNS port of an unrelated server.
Using various TCP/IP monitoring tools, I have determined that the spurious accesses are being made to an Akamai server (typically IP address 18.104.22.168) and that the process actually connecting to the server is vsmon.exe. The accesses occur at the moment our program calls the Winsock function WSAAsyncGetHostByName() to look up the IP address for the host *it* wants to connect to.
As you probably know, vsmon.exe is part of ZoneAlarm. On further investigation, we determined that ZoneAlarm does not generate the alerts for our program if we turn off ZoneAlarm's own automatic check for updates feature.
So, it looks like ZoneAlarm is using our program's call to WSAAsyncGetHostByName() to trigger its own check-for-update operation. Then, ZoneAlarm reports the attempt to access its own update server as a suspicious access by our program.
To confirm that the problem is not just with Agent, we ran the same experiment with VanDyke Software's SecureCRT telnet program. Same results.
- Why is ZoneAlarm in effect piggy-backing on other programs' online operations to do its update checking?
- More importantly, why is it reporting its own online operations as suspicious activity by other programs?
As you can imagine, our own customers are, uh, "alarmed" by the ZoneAlarm alerts. So, we're looking for any information we can provide that will mollify them.
Forte Internet Software, Inc.
Operating System: Windows XP Pro
Product Name: ZoneAlarm Pro