Out of desperation I’m writing here hoping for your help. Sorry.
I first discovered Zone Alarm Free in the forum, seeing that lots of users recommended it. I have version 6.1.744.000, while in the past I had the previous one.
Since I'm monitoring everything that goes in and out of my PC, I noticed a strange behaviour.
I set the rules for the programs I have. I let all the Avast .exe files access the net, but as for the Zone Alarm client zlclient.exe I set a rule where it should ask me for every action, meaning it has all question marks showing in the rule. But reading the logs it seems that this client is accessing the net regardless of me giving permission or not.
In the program log in the Events and Log tab I see that zlclient.exe is being allowed the outgoing connection on port 53 for different Destination DNS. Since it was a ZA application I wasn't worried in the beginning, but then I noticed that this application was connecting to different DNS, not only the zonelabs.com ones.
For example today, after my connection was open, it connected to a DNS called pagead.l, and in the past I got other DNS like update.ewido.net, pic.greatestjournal.com and others I don't remember now.
I left the number of actions shown in the program log as default, meaning the last 50. But in the program log they sometimes disappear, so that only the last four or five will show. I'm getting very frustrated over this. Avast didn't detect anything. But a scan in safe mode told me that a zlcomdb.dll was damaged and that Avast wasn't able to scan it.
After I was back in normal mode I scanned the file again and Avast reported everything was OK and the file was not infected.
Scanning the zlclient.exe with Jotti the report was this:
MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren’t packed and don’t force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file’s scan results will not be stored in the database)
I'd like to know if it's normal behaviour. The scans with the software in my signature didn't report anything. But I'm worried.
Please help. Thanks!!
ZoneAlarm is a very popular Software firewall protection program. This program works well with WinPatrol and is something we use here at BillP Studios as well. If you connect to the Internet using a broadband (cable or DSL) connection, we’d recommend installing some sort of firewall.
ZLClient.exe appears to have been added to ZoneAlarm in their version 4.5 update.
The program comes in both a free and paid (professional) version. More information is available at http://www.zonealarm.com.
The problem is not the zlclient.exe itself. It's more about why it's connecting to those DNS. If I read a string in my program log I see this:
Rating: High
Date and time: today date and time of the access
Type: new program (I guess it's new right now because I tried uninstalling and installing it again)
Program: c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe
source IP: blank
destination IP: an IP that's not mine, and the port is 53
Direction: outgoing (connected)
action: allowed
count: 1
Source DNS: blank
Destination DNS: update.ewido.net
Why is it connecting to ewido? Shouldn't it be zonelab.com? If I try blocking it, it freezes the PC and says that Zone Alarm will not be able to check for updates. Right now I installed an old version, 6.0.631.003, because version 6.1.744.000 deleted all the logs in the program tab. No matter if I tried increasing the number of logs, they were not showing. :'(
The matter for me was to know if someone using this software had noticed zlclient.exe connecting to DNS other than zonealarm.com or zonelab.com. If it's a common thing I'll not worry over it.
I have so many programs to fight spyware. It would be a paradox that my firewall is spying on me. :'(
I'm really sorry for bothering you so much, but I don't understand very much how the PC works, so I'd like to trust the software to protect me. If it was Ewido checking for updates, why did zlclient.exe make an outgoing connection to that DNS? Was it checking to see if it was legitimate?
Does it mean that if a program is trying to access the net, like Ewido did for the updates, ZA will launch zlclient.exe too to see if that software is legitimate? Or if the destination is? Thanks!
I’ll try to make this as simple as possible:
zlclient.exe is the heart of the ZoneAlarm Firewall.
It's what asks you if it's OK to allow a program access to the net and grants or denies permission according to your answers.
There are 4 ways to answer each request:
1. allow (only allows for this instance)
2. check the remember box and allow (will always allow and not ask for permission in the future)
3. block (only blocks for this instance)
4. check the remember box and block (will always block and not ask for permission in the future)
Be careful with answers 2 and 4. I've had times where the only way to reverse this answer is to uninstall ZA, reboot and then re-install ZA.
Zone Alarm is probably no different to other firewalls in that it connects to Domain Name Servers (DNS) to resolve domain names (the friendly name, e.g. ewido.com) into the IP address (the real internet address, 123.123.123.123, etc.) so it can go and get the information, etc. requested.
My firewall Outpost Pro also can cache this DNS information for the last xx addresses to speed things up as it doesn’t have to go to a DNS server for the information twice or more often.
I hope this explains why ZA is connecting to a DNS server.
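To make the point of the two answers above concrete (the firewall client's own port-53 traffic is name resolution, and only a non-DNS connection from it would deserve a closer look), here is an added example that is not from any poster in this thread. It assumes the ZoneAlarm program log can be transcribed as "Field: value" lines separated by a blank line, with the destination written as "IP:port"; the records themselves are constructed sample data, not real log output.

```python
import re

# Constructed sample in the layout of the ZoneAlarm "Program Log" entries
# transcribed in this thread. IPs are from the documentation range 192.0.2.0/24
# and the third record is a made-up anomaly, not an observed lookup.
SAMPLE_LOG = r"""
Program: c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe
Destination IP: 192.0.2.10:53
Direction: Outgoing
Action: Allowed
Destination DNS: update.ewido.net

Program: c:\programmi\iTunes\iTunes.exe
Destination IP: 192.0.2.20:80
Direction: Outgoing
Action: Blocked
Destination DNS: livejournal.com

Program: c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe
Destination IP: 192.0.2.30:80
Direction: Outgoing
Action: Allowed
Destination DNS: example.invalid
"""

FIREWALL_CLIENT = "zlclient.exe"  # the firewall's own process, per the thread


def parse_log(text):
    """Turn blank-line-separated 'Field: value' blocks into a list of dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def classify(rec):
    """Label a record: the firewall client on port 53 is a DNS lookup made on
    behalf of other programs; the client on any other port is worth reviewing;
    other programs are simply reported as allowed or blocked."""
    program = rec.get("program", "").lower().rsplit("\\", 1)[-1]
    port = rec.get("destination ip", "").rsplit(":", 1)[-1]
    if program == FIREWALL_CLIENT:
        return "dns-lookup" if port == "53" else "review"
    return "blocked" if rec.get("action", "").lower() == "blocked" else "allowed"


def summarize(text):
    """Return (program name, destination DNS, label) for every record."""
    return [(r["program"].rsplit("\\", 1)[-1], r.get("destination dns", ""), classify(r))
            for r in parse_log(text)]
```

Running summarize(SAMPLE_LOG) labels the first record as a normal DNS lookup, the iTunes entry as blocked, and the constructed port-80 connection from zlclient.exe as the only one to review.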
Thanks both of you for the kind answers you gave me. I was getting anxious about this since I hadn't noticed this behaviour before.
Thanks for taking the time to help me. I really appreciated it. Thanks a lot.
As a long time user of ZA ( since version 3.x), I was going to post information about ZA and what zlclient.exe was doing after reading your first 2 posts.
But, Bob and David have posted the info you need and have probably done it better than I would have.
Thanks for the info, but I think I will pass on this software. I'd find myself looking anxiously at any IP or other info to see if I'm safe or not. I rely more on Avast, ZA and the other software to keep my PC secure. That's because they are easy to use and, as seen in this post, the Avast forum is the best place to ask for some help. I will keep this link in case I decide to install it in the future, but for now I think I am OK. Thanks a lot for the info.
I had ZA version 6.0.631.003 before my PC problems and the reformatting. Once I got the PC back I installed version 6.1.744.000 but decided to hold off the last update, version 6.1.744.001, until a later time. I think I was lucky, since this update is giving lots of problems. ZA is the best firewall I tried: Jetico kept freezing my PC at startup, Comodo was always popping out the control panel, and Kerio left me with a port open and two closed but visible, so I uninstalled it. I wouldn't know what to use aside from ZA. Thanks for the offer of help.
I hope I haven't bothered you all too much in this forum.
I hate to ruin the party but I think you have malware. All of my programs update using their own updater. ZLclient has not been on my program list for months. I hit Manual Update to put it on the program list. I ran 4 security updates; all used their own updater, including Ewido.
Of course they do, but they are still monitored by ZA or whatever other firewall you're using.
ZA controls whether or not the program's update server is allowed to connect to the net.
ZLclient isn’t doing the updates, it is getting the DNS IP address information. The only reason emy80 is seeing this activity is because she has created a rule to have all activity reported.
I set the rules for the programs I have. I let all the Avast .exe files access the net, but as for the Zone Alarm client zlclient.exe I set a rule where it should ask me for every action.
A Google search, as has also been said, returns many hits, and a quick look shows this to be a part of Zone Alarm.
emy80 also comes to this thread having done an extensive malware search in the recent past.
ZLclient isn’t doing the updates, it is getting the DNS IP address information. The only reason emy80 is seeing this activity is because she has created a rule to have all activity reported.
Did I create a rule? I didn't know. I just left the default settings of ZA. The only thing I touched is not to notify me of every attempt of access (it would be difficult to work with a pop-up asking me for an action every five seconds) and putting the setting in Firewall → Trusted Zone Security on High.
Do I need to be worried? I did a Symantec security check and it says all my ports are stealthed, so I don't think there is something bad accessing the net using my firewall. On the contrary, it seems like ZA is working.
As for the ewido.net DNS, this doesn't concern me. But is it normal to have other DNS that are not linked to the programs I have on the PC? For example pic.greatestjournal.com? I don't even know when I visited it. It must be an image linked in a page I was visiting.
I still have Ewido in its trial version, meaning I still have the real-time protection enabled. So if it was malware I think it would have detected it.
As for the scans, yes, I used all the software I have to scan my PC. I did an on-line scan yesterday morning with Trend Micro too; it's the only on-line scanner that works with Firefox. All it got were some adw_se.123482 or other numbers. After cleaning those I redid the scan and it didn't detect anything.
Thanks for the help.
I have another question. I swear that I’ll stop after this.
After reading the word "malware" I did a new scan, in normal mode, and with the on-line Trend Micro scan. This time I disabled the Standard Shield while doing the scan. Nothing detected. Then, after an hour or so, I tried to use Trillian. As expected ZA asked me for permission to access the net, and I said yes and checked Remember this action. Then I checked the Programs log and Trillian connected to a DNS of a site I have linked in my blog but I still have to visit since having the PC back from the reformatting last Friday. Why? :'(
I understand that the firewall will check the DNS, so if I see zlclient connecting to a DNS I'll feel secure because it means it's working. But why will other DNS appear in the string of other programs? For example, another one is the Apple iTunes software I have installed. When I launched it, it asked to connect and I blocked it. But looking at the DNS I see that it was blocked 5 times from connecting to a DNS called livejournal.com. That's the site where my blog is hosted, but why would iTunes want to connect to that DNS? Sorry I'm asking so many questions, but I'd like to understand this. If it's normal that random software will connect to random DNS I will feel OK with it. If on the contrary it's strange, then I don't know what it can be. Thanks. :'(