Zone Alarm help. Please!!

[emy80]

Out of desperation I'm writing here hoping for your help. Sorry.
I first discovered Zone Alarm Free in the forum seeing that lots of users recommended it. I have the version 6.1.744.000, while in the past I had the previous one.
Since i'm monitoring everything that goes in and out of my pc I noticed a strange behaviour.
I set the rules for the programs i have. I let all the Avast .exe files to access the net but as for the Zone Alarm client zlclient.exe I set a rule where it should ask me for every action. Meaning it has all question marks showing in the rule. But reading the logs it seems that this client is accesing the net regardless of me giving permission or not.  :'(
In the programs log in the Events and Log tab I see that zlclient.exe is being allowed the outgoing connection on port 53 for different Destination DSN. Since it was a ZA application I wasn't worried in the beginning. but then i noticed that this application was connecting to different DSN, not only the zonelabs.com ones.
For example today, after my connection was open it connected to a DSN called pagead.l and in the past I got other DSN like update.ewido.net, pic.greatestjournal.com and other i don't remeber now.
I left the number of action shown in the log of the program as default. Meaning the last 50. but in program logs sometime they disappear so that only the last 4 or five will shown. I'm getting very frustrated over this. Avast didn't detect anything. But a scan in safemode told me that a zlcomdb.dll was damaged and that Avast wasn't able to scan it.
After I was back in normal mode I scanned the file again and avast reported everyhting was ok and the life was not infected.
Scanning the zlclient.exe with Jotti the report was this:

MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)

I'd like to know if it's normal behaviour. the scans with the softwares on my signature didn't reported anything. But I'm worried.  :'(
Please help. Thanks!!

[bob3160]

Here's what Winpatrol has to say:

Zone Alarm - ZLCLIENT.EXE

ZoneAlarm is a very popular Software firewall protection program. This program works well with WinPatrol and is something we use here at BillP Studios as well. If you connect to the Internet using a broadband (cable or DSL) connection, we'd recommend installing some sort of firewall.

ZLClient.exe appears to have been added to ZoneAlarm in their version 4.5 update.

The program comes in both a free and paid (professional) version. More information is available at http://www.zonealarm.com.


Safe
Recommended

Zone Labs

Hope that put's your mind at easy.

[emy80]

Here's what Winpatrol has to say:

Zone Alarm - ZLCLIENT.EXE

ZoneAlarm is a very popular Software firewall protection program. This program works well with WinPatrol and is something we use here at BillP Studios as well. If you connect to the Internet using a broadband (cable or DSL) connection, we'd recommend installing some sort of firewall.

ZLClient.exe appears to have been added to ZoneAlarm in their version 4.5 update.

The program comes in both a free and paid (professional) version. More information is available at http://www.zonealarm.com.


Safe
Recommended

Zone Labs

Hope that put's your mind at easy.

The problem is not the zlclient.exe itself. it's more of why is it connecting to those DSN. If i read a string in my program log I see this:

Rating: Hight
Date and time: today date and time of the access
Type: new program (I guess it's new right now beacuse I tried uninstalling and installing it again)
Program: c:\programmi\Zone Labs\ZoneAlarm\zlclient.exe
source IP: blank
destination IP: an Ip that's not mine and the port is 53
Direction: outgoing (connected)
action: allowed
count: 1
Source DNS: blank
Destination DNS: update.ewido.net

Why is it connecting to ewido? Shouldn't it be zonelab.com. if I try blocking it it freezes the pc and it says that Zone Alarm will not be able to check for update. Right now I installed an old version 6.0.631.003 because the version 6.1.744.000 deleted all the logs in the program tab. No matter if I tried increasing the number of logs. they were not showing.  :'(
the matter for me was to know if someone using this software had noticed the zlclient.exe connecting to other DNS other than zonealarm.com or zonelab.com. if it's a common thing I'll not worry over it.
I have so many program to fight spyware. It would be a paradox that my firewall is spying on me.  :'(

[bob3160]

Are you using ewido. Which most like you are, then this is ewideo checking for updates.

[emy80]

I'm really sorry for bothering you so much. but I don't understand very much how the pc works so i'd like to trust the softwares to protect me. If it was ewido checking for updates why the zlclient.exe did an outgoing connection to that DNS? Was it checking to see if it was legitimate?
Does it means that if a program is trying to access the net, like Ewido did for the updates, ZA will launch the zlclient.exe too to see if that software is legitimate? or if the destination is? Thanks!

[bob3160]

I'll try to make this as simple as possible:
zlclient.exe is the heart of ZoneAlarm Firewall.
It's what asks you if it's OK to allow a program access to the net and,
grants or denies permission according to your answers.
There are 4 ways to answer each request.
1. allow (only allows for this instance)
2. check the remember box and allow (will always allow and not ask for permission in the future)
3. block (only block for this instance)
4. check the remember box and block (will always block and not ask for permission in the future)

Be careful with answers 2 and 4.  I've had times where the only way to reverse this answer
is to uninstall ZA, reboot and the re-install ZA

[DavidR]

I'm really sorry for bothering you so much. but I don't understand very much how the pc works so i'd like to trust the softwares to protect me. If it was ewido checking for updates why the zlclient.exe did an outgoing connection to that DNS? Was it checking to see if it was legitimate?
Does it means that if a program is trying to access the net, like Ewido did for the updates, ZA will launch the zlclient.exe too to see if that software is legitimate? or if the destination is? Thanks!

Zone Alarm is probably no different to other firewalls in that it connects to Domain Name Servers (DNS) to resolve domain names (the friendly name , e.g. ewido.com) into the IP address (the real internet address, 123.123.123.123, etc.) so it can go an get the information, etc. requested.

My firewall Outpost Pro also can cache this DNS information for the last xx addresses to speed things up as it doesn't have to go to a DNS server for the information twice or more often.

I hope this explains why ZA is connecting to a DNS server.

[emy80]

Thanks both of you for the kind answers you gave me. I was getting anxious about this since i didn't noticed this behaviour before.
Thanks for taking the time to help me. I really appreciated it. Thanks a lot.

[DavidR]

Your welcome.

[bob3160]

Your welcome. 

[CharleyO]

***

As a long time user of ZA ( since version 3.x), I was going to post information about ZA and what zlclient.exe was doing after reading your first 2 posts.
But, Bob and David have posted the info you need and have probably done it better than I would have.   


***

[polonus]

Hello emy80,

To actually see all the activities in this spectrum, you install TdiMon to let it run under zonealarm. You can get it from here:
http://www.sysinternals.com/Utilities/TdiMon.html

polonus

[emy80]

Hello emy80,

To actually see all the activities in this spectrum, you install TdiMon to let it run under zonealarm. You can get it from here:
http://www.sysinternals.com/Utilities/TdiMon.html

polonus

Thanks for the info. but i think I will pass on this software. I'd find myself looking anxiously at any IP or other info to see if I'm safe or not. I relay more on Avast, ZA and the other softwares to keep my pc secure. That's because they are easy to use and as seen in this post, Avast forum is the best place to ask for some help. I will keep this link in case i'll decide to install it in the future. but for now I think I am ok. Thanks a lot for the info.

***

As a long time user of ZA ( since version 3.x), I was going to post information about ZA and what zlclient.exe was doing after reading your first 2 posts.
But, Bob and David have posted the info you need and have probably done it better than I would have.   


***

I had ZA version 6.0.631.003 before my pc problems and the reformatting. Once I got the pc back I installed the version 6.1.744.000 but decided to hold the last update, the version 6.1.744.001 at a later time. I think i was luck since this update is giving lots of problems. ZA is the best firewall I tried, jetico kept freezing my pc at startup, Comodo  was always popping out the control panel, and Kerio left me with a port open and two closed but visible so i uninstalled it. I wouldn't know what to use aside from ZA. Thanks for the offer of help. 
I hope I haven't bother you all too much in this forum.

[CharleyO]

***

It is no bother, emy80. We are glad to help when we can.   


***

[BILL G]

   I hate to ruin the Party but I think You have Malware. All of My Programs Update using there Own Updater. ZLclient has not been on My Program List for Months. I hit Manual Update to put it on Program List . I Ran 4 Security Updates. all used there Own Updater including  Ewido.