ZoneAlarm does not investigate alerts, please do not send alerts and log files. However the information below will help explain alerts, and what they mean.
The Alert messages generated by ZA contain information on what is being blocked. Internet traffic is identified by unique IP addresses. When an alert with a blocked IP address displays, you can do a trace route to find out more about the IP address being blocked. An alert with an orange band means that the alert is of a cautious nature, while a red band means that the alert was generated by a possibly problematic source.
For example: 220.127.116.11:40973 belongs to an ISP and it is labeled as authorized- scan.security.isp. This ISP is sending random pings to port 40973 on their client's machine. The reason they do this is to check if your cable modem is active or not. These pings may show up as ICMP in your Alerts.
DNS and DHCP are other ISP server alerts that may show up. These mean that your ISP's server require more access than they currently have, and you will likely need to do one or both of the following:
- add them to the Trusted Zone (which must be set to Medium)
- Antivirus & Firewall -> Advanced Firewall -> Settings
- to add: View Zones -> Add -> IP Address (zone must be Trusted)
Port 0 is not a valid port on a Windows operating system. Traditional hack attempts using Port 0 are focused toward Unix or LINUX systems. With Windows, any attempt to connect to Port 0 is usually re directed to the first available port above 1024. ZoneAlarm and ZoneAlarm Pro handle port 0 as null (where no reply is needed) and therefore, drops the packets instead of routing them.
If you receive many port 80 scans, these are mainly from machines infected with Code Red, BugBear and other viruses and worms. Note that the alerts show that you ARE PROTECTED from these scans (the infected machine is simply searching for other machines to infect, but ZA blocked it and protected your machine.)
To indulge your curiosity with IP addresses, from a command prompt (DOS), type tracert followed by the IP address (i.e. 18.104.22.168). You can also run a reverse IP lookup from here:
Bear in mind, there is a lot of unwanted traffic on the Internet and certainly not all of it is hacker-related. Some examples of this include:
- Routers leak bogus IP addresses, banner ad servers are equipped with load balancing software, which causes return pings to be sent to the wrong target.
- If your ISP uses DHCP to renew the IP addresses of its users, your system may be flooded with traffic that was generated by the previous user of that IP address. This may be seen as (ICMP) or (DHCP) traffic in the ZoneAlarm alerts log.
- Some routers send Multicast packets. Your computer will accept the ones destined for it, but ZAES, ZAAV and ZAP will block packets not destined for your computer. For more information about Multicast, see: https://en.wikipedia.org/wiki/IP_multicast
- When you access a web site with ads, the browser automatically sends a request to an ad server. For example: ads.spammer.com(22.214.171.124:80), sends back a ping looking for the originator of the request and you get an alert because ZoneAlarm is blocking the ping.
Note - Links to sites other than ZoneAlarm.com are provided for the convenience of our users. ZoneAlarm does not provide, and is not responsible for, the content users may find on such sites.