ZoneAlarm does NOT investigate alerts; please do not send alerts and log files. However, the information below will help explain alerts and what they mean.
The Alert messages generated by ZA contain information on what is being blocked. Internet traffic is identified by unique IP addresses. When an alert with a blocked IP address displays, you can do a trace route to find out more about the IP address being blocked. An alert with an orange band means that the alert is of a cautious nature, while a red band means that the alert was generated by a possibly problematic source.
For example: 220.127.116.11:40973 belongs to an ISP and is labeled authorized-scan.security.isp. This ISP is sending random pings to port 40973 on their client's machine. The reason they do this is to check whether your cable modem is active. These pings may show up as ICMP in your Alerts.
DNS and DHCP are other ISP server alerts that may show up. These mean that your ISP's servers require more access than they currently have, and you will likely need to do one or both of the following:
- add them to the Trusted Zone (which must be set to Medium).
- check the DHCP and/or the DNS boxes under Firewall -> Main -> Internet Zone -> Custom
Port 0 is not a valid port on a Windows operating system. Traditional hack attempts using Port 0 are focused on Unix or Linux systems. With Windows, any attempt to connect to Port 0 is usually redirected to the first available port above 1024. ZoneAlarm and ZoneAlarm Pro handle port 0 as null (where no reply is needed) and therefore drop the packets instead of routing them.
If you receive many port 80 scans, these are mainly from machines infected with Code Red, BugBear and other viruses and worms. Note that the alerts show that you ARE PROTECTED from these scans (the infected machine is simply searching for other machines to infect, but ZA blocked it and protected your machine.)
To indulge your curiosity about IP addresses, from a command prompt (DOS), type tracert followed by the IP address (for example, 18.104.22.168). You can also run a reverse IP lookup from here:
If you are interested in reporting alerts, check out the following website called My NetWatchman. Alerts are gathered together from many users, and submitted to the ISPs:
Bear in mind, there is a lot of unwanted traffic on the Internet and certainly not all of it is hacker-related. Some examples of this include:
- Routers leak bogus IP addresses, and banner ad servers are equipped with load-balancing software, which causes return pings to be sent to the wrong target.
- If your ISP uses DHCP to renew the IP addresses of its users, your system may be flooded with traffic that was generated by the previous user of that IP address. This may be seen as (ICMP) or (DHCP) traffic in the ZoneAlarm alerts log.
- Some routers send Multicast packets. Your computer will accept the ones destined for it, but ZAISS, ZAP, ZAAV and ZAAS will block packets not destined for your computer. For more information about Multicast, see: http://www.ipmulticast.com/community/whitepapers/introrouting.html
- When you access a web site with ads, the browser automatically sends a request to an ad server. For example, ads.spammer.com (22.214.171.124:80) sends back a ping looking for the originator of the request, and you get an alert because ZoneAlarm is blocking the ping.
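The traffic categories described above (multicast, ISP pings, DHCP, DNS, port 0, port 80 scans) can be sorted automatically so that only the unexplained alerts need a closer look. The following is an added example, not ZoneAlarm code; the record layout, category names and sample addresses are constructed for illustration and do not reflect ZoneAlarm's log format.

```python
import ipaddress
from collections import Counter

# Constructed sample records (NOT ZoneAlarm's log format): protocol,
# source "ip:port", destination "ip:port". IPv4 documentation addresses only.
SAMPLE_ALERTS = [
    ("ICMP", "198.51.100.7:0", "192.0.2.10:0"),
    ("TCP", "203.0.113.5:3120", "192.0.2.10:80"),
    ("TCP", "203.0.113.9:4411", "192.0.2.10:80"),
    ("UDP", "198.51.100.1:67", "192.0.2.10:68"),
    ("UDP", "198.51.100.2:53", "192.0.2.10:1044"),
    ("UDP", "198.51.100.3:5000", "224.0.0.1:5000"),
    ("TCP", "203.0.113.20:2000", "192.0.2.10:0"),
    ("TCP", "203.0.113.21:2000", "192.0.2.10:445"),
]

def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def classify(proto, src, dst):
    """Map one blocked-packet record to a category from the text above."""
    _, src_port = split_endpoint(src)
    dst_ip, dst_port = split_endpoint(dst)
    proto = proto.upper()
    if dst_ip.is_multicast:                  # 224.0.0.0/4, sent by some routers
        return "multicast"
    if proto == "ICMP":                      # ISP pings, ad-server return pings
        return "icmp-ping"
    if proto == "UDP" and {src_port, dst_port} & {67, 68}:
        return "dhcp"                        # ISP DHCP server traffic
    if 53 in (src_port, dst_port):
        return "dns"                         # ISP DNS server traffic
    if dst_port == 0:                        # not a valid Windows port; dropped
        return "port-0"
    if proto == "TCP" and dst_port == 80:    # typical of worm-infected machines
        return "port-80-scan"
    return "other"                           # nothing on this page explains it

def summarize(alerts):
    """Count alerts per category so the unexplained ones stand out."""
    return Counter(classify(*alert) for alert in alerts)

if __name__ == "__main__":
    for category, count in summarize(SAMPLE_ALERTS).most_common():
        print(f"{category:14} {count}")
```

Records that land in "other" are the ones worth following up with tracert or a reverse IP lookup.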
Updates and on-line service access (for example the AlertAdvisor services) may be included in your purchase of selected ZoneAlarm products. You are entitled to access the on-line services and updates during the period of the support option you chose (this may be 1 or more years depending on the option you bought). The internet is a dynamic place, so these services might change at ZoneAlarm's discretion depending on our ability to provide them and other conditions beyond our control.
Note - Links to sites other than ZoneAlarm.com are provided for the convenience of our users. ZoneAlarm does not provide, and is not responsible for, the content users may find on such sites.