HomeSearchMerchandiseAboutMichael HorowitzMy CNET Blog

ZoneAlarm Gripes

   These are OLD gripes on ZoneAlarm. For newer gripes go here.

Running At System Startup

April 18, 2004. Windows XP. ZoneAlarm version 4.5.538. Even when ZoneAlarm is set not to run automatically at startup time, half of it does anyway. Specifically, the vsmon.exe program (the TrueVector service) runs no matter what. When you actually start ZoneAlarm, then the zlcient.exe program runs.

No Warning About Blocking Outbound Traffic

April 17, 2004. Windows XP. ZoneAlarm version 4.5.538. I have ZoneAlarm configured not to warn me about incoming data traffic that it blocks but to warn me about new programs that try to connect to the Internet. When adding a new Windows XP computer to a LAN it had problems seeing shared directories on other machines. This was mostly my fault as I had forgotten to add the range of IP addresses used on the LAN to the ZoneAlarm trusted zone. My gripe however is that ZoneAlarm blocked the outgoing networking traffic from the Windows XP machine without asking or warning.

TextPad

January 28, 2004. Windows 2000 SP4. After upgrading ZoneAlarm from version 3.7.143 to version 4.5.538.000 it did something new and annoying. I often use a text editor called TextPad. When editing a web page, TextPad can invoke a web browser to display the page being edited. I've done this for years with ZoneAlarm and it was never an issue and shouldn't be an issue. The web page is on my computer and is accessed with the "FILE" protocol, not the "HTTP" protocol used on the Internet. This version of ZoneAlarm now prompts me whether or not to allow TextPad to access the local file. A screen shot of the ZoneAlarm Alert is shown here on the right. I was forced to give TextPad Internet access.

FYI: May 31, 2004. A reader of this page had a similar problem with a program called WinBatch.exe that runs other programs in batch scripts. After upgrading from ZoneAlarm v2 to v5 (really 5.0.590.015), previously existing scripts were now being stopped. In this case, programs being called from inside the batch files needed Internet access and they already had it. However, ZA was now asking about program WinBatch itself. This was resolved by giving WinBatch.exe access to the Trusted Zone but not access to the Internet (thanks David). I can't verify this.

Junk Accumulating With Log Files

December 14, 2003.  ZoneAlarm version 3.7.143 on Windows 2000 SP4.

The directory C:\WINNT\Internet Logs is used by ZoneAlarm logs. There are a number of large files in this directory. The largest of them is tvDebug.log at 3.6 MB. I have no idea what it is, the last update date is today. A comment on the Forums at zonelabs.com says it is a debug file for the True Vector component of ZoneAlarm. You can get rid of it by shutting down Zone Alarm, deleting the file and then restarting Zone Alarm. I tried this with no immediately obvious problems. A new version of the file was automatically created.

There are also 25 temporary files. At least I think they are temporary files because the file type is .TMP. The file names are like xDB13.tmp. They all start with "xDB" followed by either a letter or a number. According to the last modified date, these temporary files have been used at various times over many different months.

Version 4.5.530

Update: December 19, 2003. This gripe has been fixed. Version 4.5.538.0 was released today and it now allows manual checking for updates. 

Technical Support

November 25, 2003. Someone who purchased ZoneAlarm Pro version 4 wrote to point out these aspects of technical support from ZoneLabs: 

• There is no free 30-day phone technical support
• There is no Technical Support email address (you submit problems via a web page) 
• In addition to a version number, you need the truvector engine number, a 27 character license number and more to enter a support request
• You get no acknowledgement of receipt of your Support request 
• There is no phone number for Customer Support
• The ZoneLabs web site has in interactive problem solver, but it declines support for IE problems emanating from ZoneAlarm

Outbound Program Control 

September 17, 2003. ZoneAlarm version 3. 7.143. In the Program Control section of ZoneAlarm, on the Main tab, you can set Program Control to Off, Low, Medium or High. High is only available in the paid versions of ZoneAlarm. The low setting means "program control is in learning mode". What that means beats me. Regarding the "Low" setting, the ZoneAlarm help file says: "Programs are learned. No program alerts are shown". I have no idea what it means to "learn" a program. 

Windows 2000 Service Pack 4 

July 12, 2003. For a problem on Windows 2000 after upgrading from SP3 to SP4, see the Windows 2000 gripes. It has to do with the Services and Controller App. In addition to that issue, after the upgrade, I was prompted again about the Spooler SubSystem App. This was already directed never to access the Internet. The Windows 2000 SP4 upgrade changed the version of spoolsv.exe from 5.00.2195.4299 to 5.00.2195.6659 causing ZoneAlarm to treat it as a different program. It was still trying to get to the DNS port on IP address 0.0.0.0. No big deal. 

Patch Forthcoming

FYI: ZoneAlarm "flaw" is a bunch of hooey by Mike Healan July 8, 2003 

FYI: Update: Zone Labs Now Says It Will Patch Free Firewall ExtremeTech July 3, 2003

Spooler Subsystem App  

March 31, 2003. Windows 2000 SP3. I upgraded to version 3.7.143 by un-installing the older version of ZA3 and then installing the new version. As a result, I lost the set of permissions for which programs can access the Internet and which can't. This may or may not be a good thing, but it is annoying. The first time I connected the cable modem to the computer after installing v3.7.143, I was asked about allowing the Spooler SubSystem App to access the Internet. I tried to use the Alert Advisor feature, but it knows nothing about the Spooler Subsystem. Neither do I.  Program spoolsv.exe is from July 22, 2002 11:05:04 AM. It was trying to access remote port 53.  I wrote to ZoneLabs to tell them about this. They never responded. June 24, 2003.   Update: I searched the ZoneLabs web site for "spooler". Nothing. May 31, 2003.  Update: This still happens, only now that my LAN networking has changed, it is trying to access the DNS port on my router (which is also a DHCP server and default gateway). The ZoneAlarm Alert Advisor still knows nothing specifically about this program. I searched the ZoneLabs web site for both "spoolsv" and "spoolsv.exe", neither turned up anything.  The printers installed on the computer included one I had never heard of - The ActiveTouch document loader. It was defined as being connected to my LPT1 port, which had never been used on the computer. I did a web search and found mention that Active Touch is installed by WebEx. I have used WebEx to view online VMware presentations. I set the printer to be off-line, let's see if that works. If not, then I'll delete the printer definition. June 9, 2003.

Update: Disabling the printer did not get rid of this message. With my new network environment, the question has changed, but the basic issue still remains. I verified that the ActiveTouch Document Loader printer was off-line. An interesting wrinkle: While the ZoneAlarm question was un-answered, I could not use the Start button on the computer. It was hung. Clicking an icon on my quick launch toolbar hung until I answered this question from ZoneAlarm. Then the deferred actions happened immediately.   Next, I deleted the Active Touch printer. It seemed to have worked, because there were no new messages from ZoneAlarm. However, after a couple weeks I checked the ZoneAlarm log and the Spooler Subsystem App is still trying to access the Internet just after the computer starts up. Again, it is going after the DNS server of my ISP. I give up. June 25, 2003.  Update: Adding to the mystery, I also got this message on a Windows XP Pro machine that has never had a printer defined to it. July 5, 2003.  Update: After telling ZoneAlarm never to allow this, I got asked it again a few weeks later. No doubt this was because I applied Service Pack 4 to Windows 2000. Program spoolsv.exe is now dated June 19, 2003 and is version 5.00.2195.6659. July 28, 2003.  Update: A reader wrote to say he experienced this with both Windows 2000 and XP. In his case, it related to a printer installed on the network by means of an HP JetDirect 170x. September 8, 2003.  Update: September 13, 2003. Another reader experiences this same problem with Norton Internet Security under Windows 2000 SP4. Every 30 minutes or so, NIS pops up a window saying that spoolsv is trying to access a remote port. The NIS log entry    Outbound UDP packet    Local address,service is (0.0.0.0,1034)    Remote address,service is (x.x.18.27,snmp(161))    Process name is "C:\WINNT\system32\spoolsv.exe" The local port ("1034") changes from time to time, but the remote address/service is always the same (the "x" is a placeholder for privacy purposes). He had installed a printer while at a client's shop, at the remote IP address shown above. The spooler is probably trying to communicate with that printer which is deep inside the client's firewall and inaccessible from the outside).  He tried putting the printer in "Use Offline" mode to no effect. He tried changing the printer properties to print directly (no spooling), also with no effect. He stopped the Printer Spooling Service and got rid of the message but then couldn't print anything. He is still investigating. The program versions on his machine are:     SPOOLSS.DLL 5.00.2195.6704    SPOOLSV.EXE 5.00.2195.6659 Update: April 9, 2004. I don't use Windows XP all that often, but today on an XP Home system, ZoneAlarm warned that the Spooler Subsystem App wanted access to the DNS server of my ISP. I told it no, to no obvious detriment. The program was spoolsv.exe version 5.1.2600.0. ZoneAlarm now has a description of this problem, however it seems to be wrong. They say this message is due to a network printer but the computer in question had no printers defined to it at all.

Version 3.7.098 

March 13, 2003. While working on the problem described below, I installed version 3.7.098 under Windows XP Home Edition. This version always checks for product updates automatically. The option to turn this off, which has been in ZoneAlarm from the get-go, has been disabled. I had always turned this option off, especially when installing ZoneAlarm on computers used by non-technical people, who don't understand what the product is, let alone its need for updates. 

March 31, 2003. On a Windows 2000 machine with ZA version 3.7.143, the option to check for product updates manually is back. 

Version 3 on Windows XP 

February 27, 2003. Windows XP Home Edition with SP1. As of February 17, 2003 it has all the latest bug fixes thanks to Windows Update. ZoneAlarm v3.1.395. 

ZoneAlarm starts automatically when the system boots. The computer has two administrative users defined and two restricted users. There are no problems for either administrative class user. However, both restricted users get the error shown below when logging on. It is not obvious where this error is from, as the software is not identified. The event viewer showed errors in ZoneAlarm at the same time. This however, turned out to be a coincidence. The FairCom error has nothing to do with ZoneAlarm.  

Event Log Data:  Event Type: Error  Event Source: True Vector Engine  Event Category: None  Event ID: 1 Date: 2/27/2003 Time: 1:56:51 PM User: N/A Computer: MATXP Description: The description for Event ID ( 1 ) in Source ( True Vector Engine ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event:

The above errors occur every time a restricted logs on. I did some debugging, to no avail. I deleted files in the Internet Logs folder. I stopped logging, stopped the switching of log files daily, deleted the log file, all to no avail. I did manage to wipe out the list of authorized programs so that ZoneAlarm now asks me all over again about the programs I have used previously, whether to allow them to access the Internet or not. 

Who/what is FairCom? What is a status log failure S0000000.FCS (96) ? I searched the ZoneLabs web site for" faircom" and came up with nothing. 

Update: This does not happen on another XP Home Edition machine when logging on as a restricted or limited user (also running ZA 3.1.395). One difference though is that the XP machine where the error does not occur is vanilla. That is, it has had no extra software installed on it. March 8, 2003. 

Update: March 12, 2003. Despite un-installing ZoneAlarm, the problem persists. After un-installing, I deleted the Internet Logs folder with all the suspect files. Then I downloaded and installed version 3.7.098 of ZoneAlarm (free version, not Pro). The next time a restricted user logged on, they got the same Faircom error. As before, there were two identical windows with this error after logon, meaning the user twice has to click OK twice. As before, there were many errors on the event log from the True Vector Engine about files in the Internet Logs folder being corrupt. And finally, as before, the problem only happens with the restricted user logs on. 

Update: March 13, 2003. To avoid having the restricted users see the errors, I tried to prevent ZoneAlarm from running automatically when the user logs on. However, restricted XP users are not allowed to make this change, only Administrative users are allowed. Also, the change applied system wide. This should be something each user can set for themselves, rather than their being a single system wide option for all users. Even without ZA running at start-up time, the Faircom errors persisted. Perhaps they are not ZoneAlarm related?   

Update: March 15, 2003. This is not a ZoneAlarm problem! With the new release of ZoneAlarm installed, there are no longer True Vector Errors being created on the application event log, despite the fact that the FairCom status log failure errors still appear. A word to the wise: don't install more than one software product at a time, if for no other reason than making it easy to track down problems.  

Searching the net, turned up the fact that there is a company called FairCom and that their software is embedded in other software. More searching turned up a similar error in a product that makes virtual CD-ROM drives. I do not have that product installed, but do have a competing one - CD AnyWhere from V Communications. It seems this error has to do with user rights on a folder that contains CDDB information. 

Version 3 on Windows 98 

I installed ZoneAlarm version 3.1.395 on a Windows 98 (first edition) machine that had no prior versions of ZoneAlarm. When I start ZoneAlarm with the computer off-line (you should start ZA before going on-line), the computer tries to dial onto the Internet. I have no idea why. ZoneAlarm is not configured to check for updates automatically. January 29, 2003. 

Services and Controller App 

December 21, 2002. ZoneAlarm version 3.1.395. Windows 2000 SP3. 
A new Windows 2000 computer is occasionally asking whether to allow Services and Controller app to accept connections from the Internet. This is the exact same prompt I wrote up in May 2001 with version 2.6.88 of ZoneAlarm and Windows 2000. That computer was using a dial-up net connection, this one is using a cable modem. The dial-up connection caused this message to be issued every time the computer connected. With the broadband connection, the message appears once or twice a day. As before, the source is one of the DNS servers provided by the ISP for the internet connection. For a while, I kept saying NO while telling ZA not to remember this decision in the hope of finding a pattern. The net connection seems to work fine without granting server rights and if there is a pattern to the message, I couldn't find it. The fewer programs that have server rights the more secure you are, so whenever possible, it is preferable to deny server rights. My experience has been that net surfing works fine when the Services and Controller app does not have server rights. 

Windows XP and ZoneAlarm

Putting XP in the zone by  Brian Livingston in InfoWorld magazine. December 16, 2002 issue. The article discusses the fact that ZoneAlarm's default configuration allows components of Windows XP to silently connect with Microsoft's servers without displaying an alert. On top of this, there are numerous features in Windows XP that report information about you or your activities. According to the article, the problem is with program svchost.exe. 

User Application Problem 

December 13, 2002. ZoneAlarm version 3.1.395. Windows 2000 SP3. 
ZoneAlarm caused me a problem today by blocking an outgoing data transmission. I spent a fair amount of time debugging this because the block was not externalized. Normally, when ZoneAlarm gets an outbound request it asks the user if it is okay to allow it. In this case, I was not asked, ZoneAlarm silently blocked the outgoing transmission. 

The application that was running suffered timeout errors. It is a Java application and when it initially starts, ZoneAlarm asks whether to allow program java.exe to access the Internet. I said yes. Despite this, subsequent attempts at opening an outbound connection by this application were blocked by ZoneAlarm. The ZA log showed that these later attempts had no program associated with them.  

The solution is to add the IP address the application is trying to connect with to the Trusted Zone. You do this from the Firewall function (left side column) and the Add button. 

Version 3 Logs 

December 12, 2002. ZoneAlarm version 3.1.395. Windows 2000 SP3. 
Where is the current log file? Although you can view the log using the ZoneAlarm user interface, sometimes it is preferable to see it in plain text format.  None of this is displayed by ZoneAlarm. The only information about the logs that I could find in the ZA user interface related to archiving the log. The ZA help file said that, by default, the current log is stored in file ZAlog.txt. However, directory C:\WINNT\Internet Logs contains only old log files. The entries in file ZAlog.txt were from two days ago. There were no log files in the ZoneAlarm directory (where the program resides). I searched the C disk for file names starting with ZAlog and found none in any other directories.

How big is the current log file? How big can it grow to be? ZoneAlarm does not say. How big can the archive logs get, if you opt to archive the active log daily? It seems the number of archive log files will grow forever as there is no maximum number of archive log files to keep. Any architecture that accumulates data with no upper limit is not well thought out.  

VSMON Looping and Consuming CPU Cycles

November 25, 2002. ZoneAlarm version 3.1.395. Windows 2000 SP3. 
The computer was sluggish to the point of being non-responsive. It took around 30 seconds to have Ctl-Alt-Delete bring up the Windows Security window so that I could get into Task Manager. It showed that program vsmon.exe (part of ZoneAlarm) was using 99% of the cpu. I tried shutting down ZoneAlarm in the usual manner, but the system was so busy, it took well over a minute just for the right click on the ZA icon to bring up the context menu. Then I used Ctl-Alt-Delete to again bring up the Windows Security window and clicked on the Shut Down button. After a couple minutes, there was a message that ZoneAlarm did not want to shut down. Windows said it was not responding and offered to give up or force it down (End Now). ZoneAlarm waits for True Vector to unload before it shuts down and apparently True Vector was the problem. Eventually the system shut down. After rebooting and starting ZoneAlarm, the alert log was gone, there was no more history of prior alerts. 

March 31, 2003. This same problem happened again. ZoneAlarm version 3.1.395. Windows 2000 SP3. Program vsmon.exe was again consuming 99% of the cpu. It happened while previewing an email message with MailWasher v1.33. Windows Task manager refused to both kill the program and to lower its priority. However, Task Manager was willing to shut the computer down. I upgraded to a newer version of ZoneAlarm.  

Version 3 Alert Notifications

November 19, 2002. Alert Notifications worked better in version 2 of ZoneAlarm than they do in version 3. In v2, if you opted to not have ZA pop up an alert box every time it blocked an inbound connection attempt, you could still tell that there were intrusion attempts because the ZA logo in the task bar changed. However, in version 3, the ZA logo does not change to indicate intrusion attempts. 

Installing Version 3 under Windows 2000

November 17, 2002. As described below with Windows 98, the uninstall of ZA version 2 resulted in about 10 questions about deleting shared files no longer in use. Again, there is no guidance about how to answer these questions. 

After a reboot, the installation of ZA 3.1.395 detected existing security settings and asked about dealing with them:

There is no option to use the previous settings from ZoneAlarm version 2. So, why ask the user anything? Where are the security settings? It doesn't say. Can I look at the old settings to help me reconfigure the new version of ZA? It doesn't say. Will it save the old settings anywhere? It doesn't say. Training ZA is potentially confusing. Especially to users of Windows NT4, 2000 and (probably) XP that have to deal with the Services and Controller Application. It would be nice to be able to import the previous security settings from ZA2 into ZA3 and avoid the re-training. 

The first time you run ZA 3.1.395, it asks some configuration questions. One has to do with programs that always need to be able to access the Internet. On a Windows 2000 system, ZA said that three programs required access: my web browser (MSIE), services.exe and svchost.exe. Instead of taking these suggested ZA defaults, I opted to set up program permissions myself, something ZA says is for advanced users. 

After selecting this option, there was no going back. The back button was disabled, leaving only Finish and Cancel as options. Finish, by the way, does not finish, it really is a "Next" button, moving on to the next configuration question. I didn't chose any programs in this section and clicked on the Finish button. Despite specifying no programs, ZA gave the three programs just mentioned, permission to access the Internet. This is most likely a good default, but I thought that no programs would have permission. 

At no point during the installation of ZoneAlarm 3.1.395 are you made aware of the fact that there is a Readme file. This despite the fact the Readme file contains the minimum and recommended system requirements for installing ZoneAlarm as well as some installation instructions. Making this inexcusable is that the Readme contains an IMPORTANT NOTE FOR USERS UPGRADING FROM PREVIOUS VERSIONS OF ZONEALARM which says you must uninstall prior versions of ZA before installing version 3. You would think, the software would warn you of this. Nope. 

The Readme file conflicts with itself. First, as noted above, it says you must uninstall prior versions of ZoneAlarm. Then it includes notes on what to do when you install ZoneAlarm over an existing copy of ZoneAlarm.  

October 5, 2002. ZoneAlarm v3.1.291. Windows 2000 SP3. This machine had no previous copy of ZoneAlarm. During the installation, I opted to let ZA set up the default permissions for three programs to access the Internet (IE, services and controller app and svc host). As soon as a dial-up connection was made to the Internet, ZA popped up an alert. It wanted to know whether or not to allow Services and Controller App (program services.exe) to accept connections from the Internet. The source was identified as DNS. I said no and was able to surf the web nonetheless.  

Version 3 and Windows 98 

August 13, 2002. As per Fred Langa's advice (see below) I un-installed v2.6x on a Windows 98 machine in preparation for installing version 3.1.291. The uninstall asked about 10 questions or so regarding the disposition of shared files no longer in use. What to do? Beats me and I'm sure many people would not know how to answer these prompts. On the one hand you want to delete all the ZA v2.6x files so version 3 can start fresh. On the other hand, I don't trust Windows when it says that a file is no longer in use and can be deleted. My best guess was to delete the shared files in the ZA directory and keep the ones in a real shared directory. ZoneAlarm should offer more advice on what to do here. 

After the un-install of v2.6x, ZA required a reboot. The install of v3 started with a question. It found settings from the previous version and warned that they will be deleted. Thanks for nothing. Seems like the uninstall did not fully do its job. Why warn me? There is no option to save the prior settings, no option to view them and no indication where they exist (in what file). Is there a reason for this message? It does not seem so.  

As with previous versions, you have an option to register ZoneAlarm. Previous versions asked you to register at install time and, if you opted not to, that was the end of the story. Version 3 however, will pop-up the user interface with a prod to register embedded in the middle of one of the ZA windows. At first, it was not even obvious why the ZA user interface presented itself after the product was started. 

A reader of this site said the the "-nosplash" option in ZoneAlarm 3.1.395 on Windows XP does work (September 24, 2002). It worked for me too under Windows 2000 (October 5, 2002). 

Fred Langa on Version 3

The August 12, 2002 issue of the Langa List newsletter has reader feedback on the free version of ZoneAlarm 3. It is interesting reading. Based on reader feedback Mr. Langa concluded that it is better to uninstall a previous version of ZA before installing v3. ZoneAlarm offers no advice in this area.  

Using Internet Explorer to Bypass ANY Firewall 

This is not a gripe about ZoneAlarm and not specifically about ZA at all. 

Trojan Horse Technology Exploits IE. PC World Magazine. August 5, 2002. A new technology could let a Trojan horse disguise itself as Internet Explorer and let hackers steal data from your PC by fooling firewalls into thinking it's a trusted Microsoft application. Researchers called on Microsoft to change the IE features that permit it to operate. The Trojan horse exploits a standard feature in IE that lets invisible browser windows open and connect to the Internet. The browser windows open in the background and don't appear on the desktop, so you can't see what they're doing. 

Do your systems need ZoneAlarm? By David Berlind. ZDNet. June 13, 2002. Commenting on the "more info" button in ZoneAlarm that attempts to retrieve additional information from the ZoneLabs' knowledgebase, the author says this additional info is either too difficult to decipher or flat-out uninformative. In a new user experience with ZoneAlarm, the author did not know which applications to block and which to let through, so he ended up blocking too many. As a result he has reboot every couple of hours after his applications start having irrecoverable problems. He also finds that two zones (Trusted and Internet) are not enough and points out that not everything that is not trusted is on the Internet. He says that for business environments with complicated network configurations involving multiple geographic locations that ZoneAlarm desperately needs a third and more granular "zone" for categorizing other systems and networks. (added July 1, 2002) 

Version 3

July 19, 2002. The Ad blocking feature of ZoneAlarm Pro 3 causes problems for the bandwidth test at www.pcpitstop.com/internet/bandwidth.asp. 

June 24, 2002. Scot Finnie's newsletter reports that a free version of ZoneAlarm 3 should be available in early July, 2002. 

June 6, 2002. There are no gripes here yet on version 3 because I have avoided it. As I write this the free version of ZoneAlarm, which I use, has not been upgraded to version 3 yet. Also, the v3 upgrade was a major one, many new features were added and, in my opinion, the smart thing to do is give it a while to shake out. Sure enough, there were a number of issues with v3 initially and ZoneLabs issued four updates to the product in March 2002. In the May 23, 2002 issue of Scot Finnie's newsletter he wrote about problems he is continuing to have with ZA3 that he calls "darned annoying." 

What is the Latest Version?

June 6, 2002. The following used to appear at the top of this web page. Used to, because ZoneLabs redid their web site and the link is no longer valid. There is no excuse for not leaving a referral web page at the old URL. This is disgraceful web site maintenance and hopefully is not indicative of the quality of their products. 

FYI: All security software tries to stay one step ahead of hackers. Whenever possible run the latest version of ZoneAlarm.

I looked for a replacement web page and ran across this page with a ZA release history. However, it does not say anything about ZoneAlarm version 3 and also does not say whether it refers exclusively to the free version or is supposed to be for both versions. The URL also offers no clue. Further subsequent digging, found yet another release history page that specifically says it applies to the Professional version of ZA. 

Microsoft Tech Support Articles on ZoneAlarm

• Cannot Browse the Internet After You Uninstall ZoneAlarm (Q291793) applies to IE 5.5 and 6 and was last modified December 2001. 
• Invalid Vxd Dynamic Call From Vsdata95" Error Message (Q297725) applies to Windows 95,98 and 98SE and was last modified January 2002.

FYI: ZoneAlarm Products and Windows Internet Connection Sharing (ICS). ZoneAlarm Plus and ZoneAlarm Pro fully support Internet Connection Sharing (ICS). ZoneAlarm does not fully support ICS.

Windows 2000 ICS and ZoneAlarm 

January 4, 2002. Windows 2000 Professional SP2. ZoneAlarm 2.6.362.  On the LAN in my living room, I set up a Windows 2000 machine as an ICS gateway and configured a Windows 98 machine as the ICS client. On day one, it worked for two minutes before failing. The Win98 client (which was re-booted a few times) was getting assigned a dynamic IP address by the ICS gateway machine and had the ICS gateway configured as its default TCP/IP gateway. The Win98 client however, could not Ping the ICS gateway, even though the ICS gateway could Ping the Win98 client. 

The next day I narrowed down the problem to ZoneAlarm. When the initial connection was made the first time, the person using the ICS gateway machine had failed to start ZoneAlarm. All the later failures had occurred after ZoneAlarm was running. At no time did I run ZoneAlarm on the Win98 client. 

Without ZoneAlarm running on the ICS gateway both machines can Ping each other just fine. With ZoneAlarm running on the ICS gateway, the Win98 client can no longer Ping the ICS gateway. ZoneAlarm objects. This was my oversight, you have to configure ZoneAlarm and tell it that all the computers on the LAN are part of the local zone. After making this change, Pings work again from the Win98 client to the Windows ICS gateway. 

The first attempted Internet access from the Win98 client generates three pop-up alerts from ZoneAlarm

1. Do you want to allow Generic Host Process for Win32 Services to access the Internet? The file name is svchost.exe. I said yes, trusting that this GHP thing is a good thing. 
2. Do you want to allow Generic Host Process for Win32 Services to accept connections from the local network? I said yes again, trusting again. Interestingly, this message had the source IP address of the Win98 client (192.168.0.15) 
3. Do you want to allow Generic Host Process for Win32 Services to act as a server? This thing wants it all. I said yes. 

Despite my giving Generic Host Process full reign to do anything, ICS still did not work. The Win98 client could not get to any web sites using IE and Pings of web sites also failed. ZoneAlarm issued alerts saying that it "blocked net access from your computer." To make sure the problem was not with the Win98 computer, I also tried an NT4 client. The NT4 client could not ping the ICS gateway machine, but the ICS gateway could ping the NT4 client. The NT4 machine did get a dynamically assigned IP address from the ICS gateway, but it too could not get to the web. 

At this point, I opted to read the documentation. On the ZoneLabs web site, they have documentation on networking issues with ZoneAlarm. This web page has documentation for setting up ZoneAlarm Pro for use with ICS. It says nothing about the free version of ZoneAlarm. Screwed again. I sent ZoneLabs a tech support question asking whether the free version works with ICS. Nine days later, I'm still waiting for a response.  

FYI: Someone who should know suggested that the ZoneAlarm security level for the Internet zone should be set at medium rather than at its normal setting of high. I have not yet tried this. According to ZoneAlarm the medium security setting leaves my computer visible on the Internet whereas a high setting hides my computer (stealth mode is the term they use) which is preferable.

FYI: Read Microsoft KB articles: Description of Svchost.exe in Windows 2000 (Q250320) and in Windows XP (Q314056)

January 29, 2002. ZoneLabs replied at length to my question about using the free version of ZoneAlarm with Windows 2000 ICS. The first point they raised is that you should have ICS working before adding ZoneAlarm to the picture. Along this line, they included some links relating to net connection sharing in general, not just on Windows 2000 ICS. Then they said: 

"If you set the security level (for the Internet Zone) to High, the computer running ICS will be protected by the firewall. However, Internet access for the other computers (that access the Internet through the ICS machine), will be blocked. As a workaround, you can set the security level on the ICS machine (for the Internet Zone) to medium. When the security setting is set at medium (on the computer running ICS), the connection should work. You will still be able to use all the application access control features protecting you from Trojan horses and revealing all applications trying to access the Internet. You can set the ZoneAlarm Internet Security level to high on all other computers."

It almost seems as if they are purposely avoiding the issue of how un-protected a computer is when security is set to medium rather than high. They do not discuss the difference between these two security levels in terms of inbound security. Instead, they switch the topic to "application access control" which refers to outbound security. The fact that they bring this up, leads me to suspect that the inbound security is much worse. Next, they mentioned the problem of blocking LAN based computers from seeing each other and offered instructions on how to fix this. 

By default, ZoneAlarm does not include the adapter subnets that correspond to your network cards as part of your Local Zone. Therefore, computers on your Local Area Network will not be visible to each other, and ICS will be prevented from working properly . . . As long as you leave the Local Zone security level at Medium, your computer will have access to network resources.

They also mentioned a couple problems I had not seen: 

If you have resources such as printers attached to your computer that others on the network need access to we recommend that you disable the ZoneAlarm "Automatic Lock" feature. When engaged, the Automatic Lock will block access to these resources from the Local Zone. Also, if the printer has an IP address assigned, be sure that IP is included in the trusted Local Zone. . . If you have a static IP address for your DSL or Cable connection, by adding this IP address to your trusted local zone, you can use high security. 

The message also mentioned that ZoneAlarm Pro allows you to use ICS with high internet security. However, I'm still fuzzy on just what the difference between High and Medium security is, in terms of the firewall protection from unsolicited inbound connections. It might be something worth paying for.

Installing Version 2.6.362

December 11, 2001. Windows 2000. I installed v2.6.362 over v2.6.231. During the installation you are asked about using previous settings. The explanation of what this means and the pros and cons of each choice could be a bit longer. Also, there seems to be no going back. If you opt not to use the previous settings there seems to be no way to inquire into what they were. It would be nice if the previous settings were saved in an easily readable format, just in case. I tried to find a file where these settings are kept, but couldn't. Wherever it is, it does not seem to be in the same directory as ZoneAlarm (C:\Program Files\Zone Labs\ZoneAlarm). 

FYI: The readme file can be viewed at any time via Start -> Programs -> ZoneLabs -> Readme. All ZoneAlarm users should review it. Especially with  security software that you are trusting to protect you, the intelligent approach is to learn all you can about the software, including possible conflicts, flaws, known issues and what is required to maintain it.  December 22, 2001. 

Controlling Outbound Traffic 

November 12, 2001. Recent stories in the press call into question the issue of how well any firewall program (not specifically ZoneAlarm) can prevent unauthorized outbound data transmissions. Some firewalls don't even try to prevent unauthorized outbound data transmissions. ZoneAlarm does try. It turns out that under Windows a program written by a bad person (rogue  program) can start a new instance of Internet Explorer in a hidden window. The user is not aware that this copy of IE is running. The rogue program can then instruct IE to transmit all sorts of files and personal information from your computer to any other computer on the Internet. Since every personal firewall program will, no doubt, be configured to let IE send and receive data from the Internet, there is no protection from this exploit other than to prevent rogue programs from getting on your computer in the first place. 

ZoneLabs has responded to this issue (perhaps the vendors of other firewall programs have as well, I don't know). They view it as a problem with the Windows Operating System that IE can be commanded in such a stealth manner. They suggest using the ZoneAlarm email protection feature as a way to prevent getting rogue programs on your computer from email messages. They also note that by running ZoneAlarm you make it impossible for rogue programs to be installed by other means (other than email attachments) because ZoneAlarm makes your computer invisible to the rest of the Internet. In addition, a firewall should be used in conjunction with an anti-virus program for maximum protection. They also intend to update ZoneAlarm to deal with this specific problem. 

Fred Langa on ZoneAlarm problems 

September 27, 2001. In his newsletter, The Langa List, Fred Langa wrote about problems with ZoneAlarm. He found that people at ZoneLabs were not aware of assorted problems people had written to him about. One reason for this he surmises is that the web page for reporting ZoneAlarm problems is hard to find on the ZoneLabs web site. It's here. The problem discussed in the newsletter is a gotcha involved with upgrading from an old release of ZoneAlarm to a new one on the same computer. 

ZoneAlarm 2.6.231 and Norton Anti-Virus 2001 competing for e-mail 

September 12, 2001. Both ZoneAlarm and Norton Anti-Virus can protect your email. Can you use the features of both programs together?  On the ZoneLabs web site, I searched for "Norton" and none of the resulting hits addressed this. ZoneLabs also has a FAQ with tips on running commonly used programs in conjunction with ZoneAlarm that mentions a potential conflict and that the workaround is to turn off the email feature in either ZoneAlarm or the anti-virus program. This only speaks about anti-virus programs in general though, nothing specific about Norton and nothing specific about the potential conflict. The off-line ZoneAlarm help says that it's email checking can cause a conflict with other mail-checking software which is even more vague.  Undaunted, I opted to give it a try. When virus scanning of email messages was enabled in Norton AntiVirus 2001, ZoneAlarm asked whether NAV should be allowed to act as a server. What to do? Beats me.  When I started my e-mail program, ZoneAlarm asked another question as shown here on the right. I think the correct answer is yes. After saying yes, I could download my email.  The real gripe here is the lack of documentation on this from ZoneLabs. Symantec has an item about this in their Knowledge Base even though it is not their software asking the question. As expected, they say to give their software all the rights it needs. The item does not differentiate or detail the various features and needs of NAV. That is, if you are not getting automatic virus updates, you may not need server rights. Basically, both companies let their customers down.  If forced to run one or the other, I would opt for anti-virus protection of email because the ZoneAlarm protection is limited to just .VBS files and it only renames a file to prevent its running automatically. The question here is can Norton AntiVirus email protection work correctly without server rights?

ZoneAlarm 2.6.231 

August 30, 2001. The release of ZoneAlarm after 2.6.88 should have been called 2.7.  Instead, it's called 2.6.231. The ZoneLabs documentation used to refer to the now old version as 2.6.88. Now they seem to be referring to it as 2.6.088. It's not obvious these are the same thing, but I'm told they are.

When you download version 2.6.231 the file name is zonalm26.exe. This just begs confusion with the downloaded file for version 2.6.x88. Why is ZoneLabs still using 8 character file names when they could have named the file something like ZoneAlarm.2.6.231.exe.
Update:  Someone who should know tells me that the use of 8.3 file names is purposeful. Apparently some people use 32 bit versions of Windows (95, NT4 and 98) that only support the old DOS format for file names. To be compatible with these systems and avoid problems that have already occurred on them, ZoneLabs limits the names of the downloaded file to 8.3 format.  If  you have a copy of zonalm26.exe and are unsure about what version it is, you can right click on the file, pull up the properties and go to the version tab. (September 3, 2001). 

Fred Langa of the Langa List newsletter said on August 23, 2001 that he and some readers of his newsletter experienced problems with version 2.6.231.

ZoneAlarm 2.6.231 does not tell you how much disk space it needs before it installs itself.  When I installed it on an NT4 machine on top of  version 2.1.25, the amount of free space on the C disk declined by 2.9 megabytes.  September 8, 2001. 

ZoneAlarm 2.6 and Norton Anti-Virus 2001

August 16, 2001. When ZoneAlarm v.2.6.88 is running (Windows 2000) and Norton Anti-Virus 2001 is started in auto-protect mode, ZoneAlarm pops up the following alert which leaves me unsure what to do. Is Norton Anti-Virus really trying to access the Internet? Why would it set itself up as a server?  Note: I do not use the Norton Anti-Virus email scanning feature.   I clicked on the More Info button. The resultant web page said "Zone Labs has detected an attempted Internet connection by Norton AntiVirus Alert Service...One of your programs is attempting to access the Internet...With the data we've received, we're not even quite sure whether the program is acting as a server or whether it is attempting an outbound connection."  Funny how the alert message says NAV 2001 is asking for server rights, but the More Info web page is not sure.  Then I did some more looking around on the ZoneLabs web site. The knowledgebase section on firewall alert articles has a the table of contents that looks like this: sc100000Pro, sc100001a, sc100001aPro, sc100001b, sc100001bPro, sc100002a, sc100002aPro, sc100002b, etc. This is not a joke, it's an actual excerpt from the list of articles about firewall alerts. Nothing obviously about Norton Anti-Virus 2001.The general FAQ said nothing about Norton Anti-Virus. The Known issues page said nothing about Norton Anti-Virus. The Knowledgebase Program Alert Articles has a table of contents which includes: sc1, sc1Pro, sc2, sc2Pro, sc3, sc3Pro, scS, etc. Nothing obviously about Norton Anti-Virus.   Basically, I struck out at www.zonelabs.com which is surprising considering that Norton Anti-Virus 2001 always causes this alert and that it is a pretty popular program. I've been saying NO, not to allow NAV to act as a server and neither ZoneAlarm or Norton Anti-Virus has complained, but I'm not sure if I'm fully protected this way.   FYI: Someone who should know tells me that there will be information about using anti-virus programs with ZoneAlarm added to the FAQ soon. For now, this is all there is.  Whether an anti-virus program will function correctly without server rights depends on a few different factors.  (Aug. 29, 2001) September 12, 2001.  Version 2.6.231 Since NAV 2001 seemed to work without server rights, I told ZoneAlarm days ago, not to allow it server rights. The screen shot shown here indicates that the Norton AntiVirus Alert service is not allowed to act as a server either on the Internet or the local zone. This is indicated by the red X in the "Allow Server" column. Despite this, the tool tip, yellow popup window, says that the Norton AntiVirus Alert Service is listening to TCP port 1077.  The next day it was listening on TCP port 1028 (shown here). If it can't act as a server, why is it listening on a TCP port?   The option to scan email messages was not enabled in Norton AntiVirus 2001. Also, ZoneAlarm was started before Norton AntiVirus.

IP address 127.0.0.1

ZoneAlarm version 2.6.88 on Windows 2000 SP2.  I was using Cold Fusion Studio (version 4.5.2) which is an IDE for Cold Fusion. One of its functions makes it access a web server running on your computer. It does this by issuing an HTTP request to IP address 127.0.0.1 which is a special IP address that always means my computer. Everyone involved with firewalls knows the special meaning for 127.0.0.1, except ZoneAlarm. It warned me that Cold Fusion Studio was trying to access the Internet. It wasn't, it was accessing a web server on my machine.  July 7, 2001.  FYI: Someone who should know tells me the reason for this is that ZoneAlarm, by default, treats all IP addresses as being untrusted and in the Internet Zone. Users can add specific IP addresses they chose to trust to the Local Zone. (August 29, 2001)

New Q
Sometimes there is a very small letter Q in the ZoneAlarm icon in the task bar.       What is this? Sometimes it blinks too. June 20, 2001. 
FYI:  A reader of this page wrote to say that this is a letter A, not a Q and that it stands for Alerts. I had inadvertently told ZoneAlarm not to display alert messages. The last few weeks the number of alerts has been brutal, especially on TCP/IP port 27374 (used by a zombie attack program). The letter A indicates that there are new alerts. Sounds like a great feature. Poor documentation. June 20, 2001. 
FYI:  I have it on good authority that in the old days, the Sub7 Trojan program always used port 27374. It has since been changed so that it, and other zombie programs can now be set to listen on any port. Also, port scans happen all the time on the Internet, all day, every day. 

Other Opinion

FYI: Scot Finnie's newsletter of June 12, 2001 discusses ZoneAlarm vs. Norton Internet Personal Firewall and also addresses an old vulnerability in ZoneAlarm with a response from ZoneLabs. 

ZoneAlarm vs. Black Ice Defender 

FYI:  Steven Gibson recently tested ZoneAlarm v2.6 vs. BlackICE Defender v2.5 and found that ZoneAlarm protected against very serious intrusions into your computer. BlackICE Defender did not. The page linked to here is long, for details on this subject scroll to the bottom. June 2, 2001.  As luck would have it, a few days later (June 8, 2001) my computer was repeatedly probed on port 27374, the port used by the Sub7 Trojan program that had attacked GRC.COM. ZoneAlarm alerted me (see picture on the right) but fell down on the job when asked for more information. ZoneAlarm is not aware that this port is used by Sub7 and that it is very dangerous (the page says there is not enough information to be concerned and that the KB has no specific article on this alert).

Version 2.6 with Windows 2000 

May 27, 2001.  I installed ZoneAlarm v2.6.88 on a computer running Windows 2000 Service Pack 2. The machine had no prior copies of ZoneAlarm. Every time I dial on to the Internet, I get a bunch of alerts, samples of which are shown below. There is nothing in the ZoneAlarm readme file about these alerts. The tech support section of their web site has a topic devoted to issues that are Operating System specific, but there was nothing in the Windows 2000 section that described the alerts shown here. 

ZoneAlarm Pro 

FYI: Not really a gripe. May 16, 2001.  When you buy ZoneAlarm Pro you get product updates and tech support for one year. This is not obvious if you click on the download now link on the ZoneLabs home page. However, if you click on the more info link there is a link to the ZoneAlarm Pro End-User License Agreement which does mention this. After a year you can continue to use the last version of ZoneAlarm Pro that you downloaded. If you, for example, buy version 2 of a software product, the vendor will try to sell you version 3 when it's released. The only difference here is that you know up-front that the lifespan of ZoneAlarm Pro is one year. With other products, you never really know. (Thanks Steven). 

Logging Alerts 

May 9, 2001.  In Version 2.6 and earlier versions, the Alerts section of the ZoneAlarm user interface lets you delete the log file with a single button click. On the one hand, this is an accident waiting to happen, and, on the other hand, I wish it would let you browse the log file with a single click. 

Someone suggested that I write to ZoneLabs and request this as a new feature. From the ZoneLabs home page, I selected the Contact Us link and there is nothing there about making product suggestions. I also tried the Services and Support page, but it too has nothing about product suggestions. 

May 27, 2001. A person with inside knowledge informs me that you can make product suggestions by e-mail to support@zonelabs.com. Clearly indicate in the subject and at the beginning of the body of the message that it is a suggestion, and not a request for support. You can also use their web based tech support page if you clearly indicate at the beginning of the issue that it is a suggestion rather than a support request. 

Installing Version 2.6 

May 6, 2001. I installed version 2.6 on top of version 2.1.25 on an NT4 machine. I was running 2.1.25 because of a problem with FTP on version 2.1.44. 

The install instructions provided at the beginning of the installation procedure does not directly say anything about whether you should un-install an old version prior to installing v2.6. If you knew to look at this web page then you could read complete instructions on upgrading, installing and uninstalling. The install instructions however, don't mention this web page. 
FYI: There is an equivalent page with full install and uninstall information for ZoneAlarm Pro. 
FYI: There seem to be two web pages that do the same thing on the ZoneLabs site. This page also has installation info. 

At the first boot, the ZoneAlarm splash screen says its version 2.6.88. The vendor says its version 2.6. 
FYI: A reader of this page said the 88 was the build number. This was confirm by a person with inside knowledge. What's a build number? 
Someone suggested looking at the properties of the executable file zonealarm.exe. It has a file version 2.6.0.88 and a product version of 2.6.88. That's three different versions for the same version. 

The following web page on the ZoneLabs site purports to tell you the latest version of ZoneAlarm
    http://www.zonelabs.com/products/za/rel_history.html  
It says the latest version is 2.1. Not true. (re-verified 5/15/2001). This page is linked to from the Contact Us page where it is called the ZoneAlarm release history page. 

May 16, 2001. FYI: A reader of this page claims there is an incompatibility between ZoneAlarm Pro v2.6 and Norton System Works under Windows NT4 SP6a that results in NT4 crashing. According to this person, ZoneLabs tech support mentioned the problem and it is not documented on their web site. I do not run ZoneAlarm with Norton System Works so I can't try to verify this. 

FYI: Installing any software under any version of Windows is a risky endeavor. Not to pick on ZoneAlarm, but to protect yourself from potential problems with a new release, it would be a good idea to have a version of the prior release ready to install in case of problems with the new release. 

FTP Problems with Version 2.6 

May 6, 2001. I first tried WS_FTP LE v5.08 with ZoneAlarm 2.6 running using a couple FTP sites where I logged on anonymously. It worked fine. Then I tried two different FTP sites where I had to log on with a real FTP userid and password. Neither worked, ZoneAlarm blocked something on each connection attempt. One of the ZoneAlarm alerts is shown here on the right. 

I clicked on the More Info button but the resulting web page failed to load. The page URL was 
    http://fwalerts.zonelabs.com/fwalerts/fwanalyze.jsp?
followed by a very long string of characters. Later when I got another alert having nothing to do with FTP, I again tried the More Info button and again, the resulting web page failed to load. The next day (5/7/2001) when a ZoneAlarm alert popped up, I again tried the More Info button. The resulting web page said: 
Network error.Unable to request URL from host fwalerts.zonelabs.com:80:Connection refused

May 27, 2001. A person with inside information acknowledge that a new Alert Analyzer has been having problems, usually during times of heavy load. Your best course of action is to try the request again later. ZoneLabs is aware of the problem and is working on fixing it.  

Then I went to the ZoneLabs web site looking for technical support on this problem. The web site says that ZoneAlarm is trusted by 9 million users. I couldn't be the first one to ever use non-anonymous FTP. 

I searched the ZoneLabs web site looking for "passive transfer ftp". Nothing found.
Then I searched for "passive transfer". Nothing found.
Then I searched for "passive ftp". Nothing found. 
Then I searched for "passive". Nothing found. 
Then I searched for "ftp" and found 10 hits. None describe my problem. 

However, a web page that has the Readme for version 2.1.25, also lists changes in v2.1.1 which included: 
   FTP active mode is granted permission to act as a server for the duration of a transfer
What does this mean? Sounds like an fix in v2.1.1 that has since been un-fixed. Confirming my suspicion is the below text from a ZoneLabs web page generated in response to clicking the More Info button on an alert message. It does not say FTP, but that's probably what it means. 

At this point, I figured I had to solve the problem. Poking around in the FTP session properties, I found an option to enable passive transfer. With this on, everything worked fine. This is what WS_FTP says about passive transfers: 
    Select this option if you want your PC to establish the data connection to the FTP site instead of the
    site establishing the data connection to your PC. This is necessary for some firewall and gateway
    configurations and when you get failed data channel errors. Not all FTP sites support passive transfers. 
Sounds like the sort of thing a firewall vendor should document. ZoneLabs did not. Ipswitch, the vendor for WS-FTP, has an explanation of the difference between active and passive FTP. 

I filled out a tech support request on the ZoneLabs web site on 5/7/2001. We'll see what they say.  In fairness, you can't expect much in the way of tech support for a free product and a very popular one at that. That a vendor even attempts to provide email support for a free product is beyond the call of duty. As of June 7, 2001 there has been no reply from ZoneLabs to this product support request.  

May 10, 2001. V2.6. Just when I thought my FTP problems were resolved, there was a new alert message today. Fortunately, it appears to be a fluke, after shutting down my FTP program and restarting it, all was well. An FTP client program should not be asking for server privileges. The session was configured to use passive FTP which has been working.   May 27, 2001. A person with inside knowledge said that based on the description provided here it appears that an old bug in active mode FTP has indeed re-surfaced. ZoneLabs is looking into this.  Note: This problem does not occur under Windows 2000 with the same version (2.6.88) of ZoneAlarm.

Netscape Messenger v4.77

April 30, 2001. ZoneAlarm 2.1.44 under Windows NT4 at SP6. While downloading a large file, I try to get my email using Netscape Messenger v4.77. ZoneAlarm asks if I want to allow Netscape to accept connections from the Internet. This should not happen as an email client program (Messenger) is not a server program. This has happened more than once, it is not a fluke. It may however be an NT4 problem that manifests itself in ZoneAlarm, I don't know. NT4 SP6 is very bad at running multiple concurrent Internet connections. Typically this manifests itself with multiple browser windows. This might be another flavor of the same problem. 
May 27, 2001. A person with inside knowledge suggested a solution - add the IP address of the DNS server to the local zone. 

AdSubtract

March 31, 2001. ZoneAlarm 2.1.25 under Windows NT4. AdSubtract is a program that blocks ads in web pages by setting itself up as a proxy server. When ZoneAlarm is running and AdSubtract is started, ZoneAlarm asks if you want to allow AdSubtract to act as a server. Fine. However, when the order of startup is reversed (AdSubtract is already running when ZoneAlarm is started) then ZoneAlarm does not ask about using AdSubtract as a server. It should. 

FYI: A reader of this page has said that ZoneAlarm only protects internet applications that start after ZoneAlarm is already running. (4/28/2001) 
A person with inside knowledge confirms this (5/27/2001). If AdSubtract is running before you start ZoneAlarm, then ZoneAlarm never sees the listen request - so it can't ask you for server permission. In other words, everything is working as it should; the documentation however is not sufficient. 

Halting a download 

February 16, 2001. Windows 2000 at SP1. ZoneAlarm 2.1.44.  I was logged on to the Internet and in the middle of downloading a large file when I realized that I had forgotten to start up ZoneAlarm. I start ZoneAlarm and the download stops. Eventually the download application complains that there is no connection to the Internet. I stop ZoneAlarm and the download picks up immediately.  Thinking it might have been a fluke because this was the first time ZoneAlarm was being run from this particular Windows 2000 userid, I waited a bit and then started ZoneAlarm again. Same thing. The application that was doing the download was not one that ZoneAlarm had run across previously on this same computer (with a different userid). 
Obvious conclusion: do not start ZoneAlarm while other Internet applications are active.

May 27, 2001. A person with inside knowledge informs me that if ZoneAlarm doesn't see the connect request, it can't authorize the traffic on that port. For safety, High security mode blocks the traffic if it is not able to authorize it. 

Windows  2000 

February 16, 2001. A few months ago there were problems with ZoneAlarm and Windows 2000 Service Pack 1. Since today, I installed ZoneAlarm under Windows 2000 for the first time, I went to check out the details (described below). ZoneLabs at the time put out both a work-around and a patch. Both links are no longer valid. Hopefully with v2.1.44 the issues have been resolved. 
FYI: A reader of this web page has told me the problems have been resolved. (5/5/2001) 

Three FYIs (not gripes) 

January 15, 2001. To download version 2.1.25 of ZoneAlarm go to the rocketdownload web site (thanks to Benjamin).  

January 5, 2001.   Get rid of splash screen in v2.1.44 . A reader (Eliott) wrote to say that you can get rid of the splash screen when ZoneAlarm 2.1.44 starts up by adding a "-nosplash" parameter. Under Windows 98, you would invoke ZoneAlarm with:  
  "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" -nosplash
To find this string, right-click the ZoneAlarm shortcut on the desktop and select Properties. Then locate the Target window and add  -nosplash  at the end.  (This still works with version 2.6 of ZoneAlarm. 5/5/2001)  

March 2, 2001.  ZoneAlarm is not a substitute for an anti-virus program. To be as safe as possible, you should run both. 

December 18, 2000   Netscape v6 acting as a server 

To date, I have not used Netscape Navigator version 6, so this is presented as an FYI. The Langa List of December 18, 2000 has an item explaining why ZoneAlarm detects Netscape v6 acting as a server. 

October 21, 2000   Un-installing Version 2.1.44 

The un-install of ZoneAlarm asks the user a question like the one show here about 8 or 9 times. What to do? Beats me. I said to remove everything because I wanted to uninstall as much of v2.1.44 as I could before re-installing v2.1.25. Turns out it wasn't enough. The uninstall of 2.1.44 does not actually uninstall everything, even if you answer Yes to all these questions about shared files. After re-installing v2.1.25 ZoneAlarm still knew about all the programs on my machine and their profile as to whether or not to let them access the Internet.  

FYI: ZoneLabs documentation about un-installing ZoneAlarm can be found at www.zonelabs.com/support_za_install.htm. Make sure ZoneAlarm is not running before un-installing it. To be sure, disable the "Load ZoneAlarm at Startup" option and re-boot (thanks Wayne).  

FYI:  After re-installing v2.1.25 I went to the configure tab and clicked on the Check For Update button. It worked. The product reported back that an there was indeed an update available. An old problem seems to have been fixed. January 8, 2001. 

FYI: A reader informs me that ZoneAlarm keeps the information about the programs on your computer and whether or not to allow them access to the internet in files that are not deleted when you un-install ZoneAlarm. In his case, these files got corrupted and re-installing ZoneAlarm did not fix the problem because the corrupted files were never deleted. In Windows 9x the files are in the C:\Windows\Internet Logs folder. In NT4 they are in C:\WINNT\Internet Logs. There are two files, one is yourcomputername.ldb, the other is IAMDB.RDB. (thanks Michel. 5/1/2001). 

FYI: Another reader wrote to say that it is standard Windows convention for an uninstall program to ask this question when deleting files in the Windows system folder. (5/5/2001) 

October 20, 2000   Installing Version 2.1.44 

The installation was very much like prior releases. As before, it insists on running ZoneAlarm when the computer starts up, but this can easily be changed after the required re-boot. This version introduces a splash screen that displays for a few seconds when you start ZoneAlarm. Considering it's a free product, you can't blame ZoneLabs.  

New bug! Version 2.1.44 does not seem to work well with WS_FTP. Two times I tried to connect to an FTP site with ZoneAlarm running and  WS_FTP hung. I shut down ZoneAlarm and it could connect. I start up ZoneAlarm and WS_FTP again cannot connect. The last message that it puts out during the connection process is: 
    150 Opening ASCII mode data connection for /bin/ls 

I then tried connecting to a different FTP site with ZoneAlarm 2.1.44 running. This also failed, but with a receive error. Shut down ZoneAlarm and connecting works fine. Start ZoneAlarm and connection fails again. It's a bug all right. I emailed ZoneLabs about it today. 

I am using the Limited Edition of WS_FTP, version 5.08 2000.02.23. Both FTP sites are password protected. One is hosted on an NT4 machine, the other on Unix. 

January 5, 20001. A reader of this site named Eliott pointed me to an Ipswitch (vendor of WS_FTP) Knowledge Base article called Cannot connect when using Zone Alarm and dial-up. This may or may not be my problem. It discusses a ZoneAlarm problem that effects all versions of ZoneAlarm. My problem is specific to v2.1.44. The prior version of ZoneAlarm worked just fine.  

I would have searched for other ZoneAlarm items at the Ipswitch web site, but I could not. At support.ipswitch.com I got an HTTP 403 Error. Specifically a 403.6 error which is "Forbidden: IP address rejected". My randomly assigned dial-up modem IP address was on a list of IP addresses the web server won't talk to. 

Nuisance:  December 16, 2000.  I installed v2.1.44 on a Windows 98 SE machine with no prior version of ZoneAlarm on it. One of the windows you see at installation time is called "User Info". When I tried to move past it by clicking on the NEXT button, it did nothing. No error messages, no warnings. It was as if I never clicked on the button at all. Turns out that you are required to enter all fields on this window. It wants your email address even if you opt not to register this copy of ZoneAlarm and you do not want to be informed of updates. 

October 19, 2000   Are they ever going to fix this? 

Version 2.1.25, which I am running on multiple machines, is no longer the latest and greatest. There is now a version 2.1.44. I read about this in the Langa List. Of course, I fire up v2.1.25 and click on the button to check for an upgrade. It says that no upgrade is available. This is the third release (that I know of) to have this bug and is made worse because even if you register the free version of ZoneAlarm, the vendor does not email notification of new releases. 

 September 20, 2000   More experiences with version 2.1.25

I installed v2.1.25 on an NT4 machine (SP6a) that had no prior instances of ZoneAlarm. 

As part of the initial install it asks you, if you are a business, how many people work at the company. I am not a business, so I blanked out the answer. That is, I deleted every character in the box where you are supposed to enter a number. It didn't like that -- the NEXT button would not work. It was not disabled, rather it just does nothing. Why fight it? I entered a number and it was happy. The NEXT button took me to the next part of the installation process. This is still true with v2.1.44. 

After connecting to the Internet, ZoneAlarm asks if I want to allow "remote access connection service" to access the Internet. What is it? I said no, and seem to be able to surf just fine. 

Until I get some email with Netscape Messenger (4.72) that is. One HTML formatted email message caused ZoneAlarm to ask if I wanted to allow Netscape Navigator to accept connections from the Internet. Navigator is the browser, not the email program, so I'm confused how it came into play in the first place. Nonetheless, how or why would it want to act as a server and accept connections from the Internet? I said no, figuring it was the safer answer. 

More surfing with IE 5.5 and after about 20 web pages or so, ZoneAlarm asks if I want to allow IE to accept connections from the Internet. I said no. What does this mean? Beats me, so I went to look it up at the Zonelabs web site. 

The fourth question in the Quick Support section addresses this issue in general, but does not say anything about why a web browser might request server privileges. 

September 7, 2000   Only on NT4 Server  

Someone I know runs ZoneAlarm v2.1.25 on a computer running Windows NT4 Server. Shortly after dialing onto the Internet, ZoneAlarm asks if the "services and controller" application can connect to the Internet. Saying no to this does not hinder web surfing.  No one knows what the "services and controller" application is. I have never seen this on machines running Windows NT4 workstation. 

ZoneAlarm does a good job of identifying the executable that wants to connect to the Internet. In this case the file was: 
    c:\winnt\system32\services.exe 
ZoneAlarm also reported the product version as being 4.00. The properties of this file (right click in windows explorer) show that it is from Microsoft and is part of the NT operating system.  

FYI:  A reader wrote to say this can also happen on Windows 2000. Sometimes it works if you don't allow "services and controller" to access the Internet, but sometimes you have to allow it. A mystery. (5/5/2001). 

August 28, 2000   Analyze the ugly file below 

FYI (not a gripe): The August 28, issue of the Langa List newsletter mentioned a free utility that analyzes the log file from ZoneAlarm. It is called ZoneLog Analyser and is from  Matt's Computer Solutions. Currently it is beta and I have not tried it. 

It was also brought up in the Focus on Windows Forum at about.com on January 19, 2001. This posting gave a different URL but said its still in beta. I have not reviewed the web site or the software. 

August 13, 2000   Why is everybody always picking on me? 

FYI (not a gripe): Sometimes it's nice to remember why we run firewalls in the first place. Below is the log file from an online session that I had today. Dial-up modem users are quite susceptible to intrusion attempts. The first three lines are attempts to connect to port 6970 which is used the GateCrasher Trojan horse program. I don't know why the computer at 63.161.176.2 was trying repeatedly to contact my computer on UDP port 1074, but it wasn't for my health. 

  I also tried the MoreInfo button again, still with v2.1.25. As before, it was not very helpful. See for yourself:  

August 3, 2000   Windows 2000 Service Pack 1

I have read that ZoneAlarm does not work with Windows 2000 Service Pack 1, but have no personal experience with this. The vendor, ZoneLabs, initially had a work-around for this, now they have a patch for it.  I have also read that installing SP1 while ZoneAlarm is running will break your network connection after reboot. Again, I have no experience with this but the release notes for SP1 mention it.  

July 29, 2000   V2.1.25  Install   

I installed v2.1.25 on a Windows 98 computer that had no prior version of ZoneAlarm. 

In line with the above gripe from a few days ago, I made note of the disk freespace that ZoneAlarm claimed would be available after the product was installed. It said the freespace would be 720,952K which multiplies out to 738,254,848 bytes. In reality it was 739,336,192 bytes, roughly 1.1 meg larger. Both for new and upgrade installs they don't know how large their software is. On this machine, ZoneAlarm consumed 1,888,256 bytes of disk space. 

At the first system boot after installing ZoneAlarm it provides instructions to activate the toolbar. What toolbar? The instructions actually are for activating the ZoneAlarm deskband. 

If you click on the title bar in the ZoneAlarm user interface, the minimize and close buttons in the top right corner of the window change from the ZoneAlarm style to normal Windows 98 style (the maximize button in the middle is grayed out). Sometimes moving the mouse over these buttons, without clicking, returns them back to the ZoneAlarm style. This does not happen with v2.1.25 under NT4.  

July 23, 2000   Freespace  

Today I installed version 2.1.25 of ZoneAlarm on top of version 2.0.26 on an NT4 machine. As part of the installation process, you are told the current freespace and the freespace available after ZoneAlarm is installed. I decided to look into these numbers in detail. 

The machine in question has a C, D, E, F and G disk. Despite this, when the product reports the currently available freespace, it does not indicate which disk it is referring to or whether, perhaps, it's for all disks. It turns out to be referring to the C disk, which is where the product was being installed. 

ZoneAlarm reports freespace, both before and after, in kilobytes (K). Windows NT4 reports freespace in megabytes and bytes, when you ask for the properties of a drive letter. Multiplying the kilobytes reported by ZoneAlarm by 1024 resulted in the freespace on the C disk (except for a trivial rounding error). 

The ZoneAlarm indication of available freespace after the product was installed turned out to be way off. On this particular machine it predicted 958,906K which calculates out to 981,919,744 bytes. The actual freespace reported by Windows NT4 after installation and reboot was 984,757,760. ZoneAlarm was off by 2.8 meg (2,838,016 bytes). The additional disk space used by installing v2.1.25 over version 2.0.26 turned out to be only 132,096 bytes. 

July 17, 2000   Counting (version 2.1.25) 

Today I was getting probed a lot. As soon as I established a dial-up modem connection, the probing started. I watched it for a while on the pop-up warning window, but then closed it. The probing started up soon thereafter and again I closed the warning window. However, the next time the probing started up, the warning window said that it was reporting probe number 1 of 6. That is, it lost track of the first couple bunches of probes. Well, it did and it did not. Bringing up the full user interface, it said I had been probed 41 times. This was all during the same dial-up session and spanned about 15 minutes. 

June 26, 2000   Less is More 

In the past, clicking on the "More info" button in the ZoneAlarm pop-up alert window did not provide useful information, so I have not used it often. Often, the web page failed to load and when it did load, there was additional technical information that made no sense to me.  Today I tried it again, twice. 

Now (version 2.1.25) it provides less information than the original alert. The pop-up alert window always tells you the source port and IP address in addition to the target port on your computer. The "More info" web page today reported that the source IP address was "Not Available". Ditto for the target IP address (me). As for the additional technical information that it used to report ... gone. Less is More.  

June 2, 2000   Installed version 2.1.25    

Computer is running NT4 at SP6a and already had v2.1.10 installed on it. 

The readme file says "This release works around a bug in Windows NT4 SP6 that can cause a BSOD." My gripe is that this information is not available on the ZoneLabs web site. None of the bug fixes in each release is documented on their web site (but they are in the readme file). 

The installation did not pick up the fact that I had configured the prior version to inform me of important updates and news. Instead it defaulted to having this option turned off. 

One of the installation windows is entitled "Select destination directory." It tells you how much free space is now on the C disk. It told me 411,337k. I checked this against NT which tells me the free space in terms of the actual number of bytes (421,209,088) and megabytes (401). If Windows tells me bytes and megabytes, why does ZoneAlarm tell me kilobytes? 

It said that after the installation there would be 408,437 kilobytes (a.k.a. 418,239,488 bytes) of free space. Not true. There were 422,768,128 free bytes after the installation completed. They were off by over 4 million. 

After the installation, you have to reboot and, yet again, it set itself up to run at boot time. I don't want this, the prior version was configured not to start up at boot time and it never asked about this during the installation. Fortunately, it's easy to change in the CONFIGURE section of the user interface. 

June 1, 2000  Download updates 

FYI: Steve Gibson's newsletter (see bottom of page) include yet another link to download ZoneAlarm:  www.zonelabs.com/download.htm  I took this as an opportunity to verify the links below. The alternate sites mentioned previously, no longer exist, but there are new options.  

• www.zonelabs.com/download_ZA.htm has changed and now links you to a new download site ZoneLabs has set up in concert with ZDNet. It takes you to  www.zdnet.com/downloads/partners/zonealarm/download.html  
• www.zonelabs.com/download.htm also takes you to this new ZDNet download page 
• www.zonelabs.com/download_ZAfree.htm still downloads ZoneAlarm from the ZoneLabs web site. 
• www.zdnet.com/downloads/stories/info/0,,0015P7,.html is still valid although it says that ZoneAlarm is only for DSL and cable modems, which is not true. 
• www.download.com still has ZoneAlarm 

May 23, 2000    Changing Registration   

This is more an FYI, than a gripe. Using ZoneAlarm v2.1.10 while logged on to the Internet, I clicked on the "Change Registration" button in the CONFIGURE section. I changed some of my registration information and clicked on the OK button. It then said my registration was pending. Nothing more. The HELP says that changes made this way take effect automatically. By the time I was done finding and reading the HELP on this subject, ZoneAlarm finished the pending changes to my registration information and was now displaying the date/time of the registration. 

Another FYI. Some articles about ZoneAlarm say that it is targeted for use with cable modems and DSL. It also works great with dial-up modem accounts. Dial-up users are just as susceptible to probes and hacks while online as cable modem and DSL users. Trust me.

May 19, 2000    The Windows NT Event Log  

I just happened to be perusing the Windows NT4 event log today on a computer that runs ZoneAlarm v2.1.10. About a month ago, the True Vector Service (part of ZoneAlarm) made an entry of type "error" in the application log with an Event ID of 1. The log entry said:     Open Process Error 5 on process ID 24 
This occurred two days in a row on a machine that runs ZoneAlarm pretty much every day. ZoneAlarm is manually started on this machine, it does not run automatically at boot time. I wrote to ZoneLabs  at support@zonelabs.com to ask what this means.  

They responded in 2 business days (4 calendar days) with an answer that presumed the problem occurred at system startup. Not true. Having researched this problem a bit on my own, I knew there was a potential timing problem when ZoneAlarm started up at boot time. With this in mind, my email message specifically said that ZoneAlarm is manually started, that it does not start up at boot time. RTFM.  

May 18, 2000    None of my business 

The recent release of version 2.1.25 of ZoneAlarm marks the fifth or sixth release of the product since I first installed it. Not once have I been notified by the vendor (ZoneLabs) of the existence of a new release despite having registered a couple copies of it. In fairness, I do not use the Check for Updates Automatically option, but manually checking for updates does not work so there is no reason to assume this would either. While ZoneLabs is to be commended for constantly upgrading the product, an email notification of new versions/releases would be appreciated.  

May 12, 2000    A not so Perfect 10 

FYI:  ZoneAlarm often reports that it has blocked access to my computer from another computer with an IP address that starts with 10 (10.10.11.250 for example). This should not be possible (having nothing to do with ZoneAlarm).  IP addresses that start with 10 are not allowed on the Internet, they are reserved for internal use only. That is, they can be used on internal LANs but routers on the real Internet are not supposed to every pass along data packets with an IP address that starts with 10. 

But every chunk on data on the Internet (called packets) contains both a source and destination IP address. To the best of my understanding, the reserved, private IP addresses should not be allowed as either a source or destination IP address. They are however being allowed as a source address. Maybe this is a bug in some routers or maybe they don't bother checking because of the performance hit it entails. I don't know.   

May 11, 2000    To Update or Not to Update, That is the Question 

A new version of ZoneAlarm was released on May 9, 2000 - version 2.1.25. From a computer running the prior version (2.1.10) I asked ZoneAlarm to check for an updated version of itself. In the CONFIGURE section, there is a button you can click on labeled "Check for Update". It said there was no update available. Not true. 

May 4, 2000    IE v5.01

I upgraded Internet Explorer from version 5.0 to version 5.01 and had to re-authorize it to access the Internet. ZoneAlarm had been allowing v5.0 to access the Internet. This may be a good thing. 

April 28, 2000    New Message in v2.1.10

Shortly after upgrading to version 2.1.10 I started noticing a new message that appears in the same sort of pop-up window as the warnings about having blocked access. The message appears only on some web sites, not all. It is

The message appears both when using Internet Explorer v5 and Netscape Navigator v4.72. One web site which consistently generates the message is that of Newsweek magazine. I also sometimes get the message when I starting Netscape Messenger (v4.72). In this case, it says "Do you want to allow Netscape Navigator application file to accept connections from the Internet?" Since I start up Messenger, not Navigator, this is puzzling. I say no, but can use Messenger just fine. 

Why would a web browser and an email client program be trying to act as servers? 

I emailed to tech support today (April 28) at support@zonelabs.com. As of May 22, 2000 there was no answer from ZoneLabs so I emailed the same question again. On May 30, 2000 they replied: 

We believe our newest release of ZoneAlarm will resolve the problem you have reported. Please
go to our website to download the new version.   

I'll download it and give it a try. As of May 30, 2000 the newest release is v2.1.25 and it has eliminated these messages.

April 22, 2000

When you click on  HELP  in the ZoneAlarm 2.1.10 user interface, it brings up your default web browser to display
      C:\Program Files\Zone Labs\ZoneAlarm\Help\ZoneAlarmInfo.htm 
On a machine where IE5 was the default browser, this worked fine. On a machine where Netscape Navigator v4.72 was the default browser, this web page did not display correctly. To double check, I looked at this page with Navigator 4.72 on the machine where IE5 was the default browser and again it did not display correctly. Specifically, there is a vertical yellow line thru the top half of the page.  

If you download ZoneAlarm version 2.1 there is no way to determine which sub-version it is. As noted above, there have been, no date, four versions of version 2.1 (2.1.1, 2.1.3, 2.1.9, 2.1.10). The name of the file that you download is called ZONEALM21.EXE and this was probably the same name used for all versions of version 2.1. Usually, right clicking on an EXE file and viewing its properties will include a tab with the program version. This file does not.  

A gripe follow-up: The main user interface can be expanded and compressed using an arrow in the bottom right corner. It used to be that if the compressed window was near the top of the screen, it expanded off the screen, making it impossible to grab the title bar and move the window. This has been fixed in version 2.1.10. Now if the compressed window is near the top of the screen, it expands down and if it's near the bottom of the screen, it expands up. 

However, there also seems to be a new bug in the user interface. The last line, both when it's compressed and when it's expanded, sometimes shows the version number of ZoneAlarm. However, the last line is also used to display informational messages and it does not seem to be refreshed correctly. Today it said that Internet Explorer was connecting to the Internet, when in fact, all instances of IE had been shut down. When I later changed a program so that it could no longer act as a local network server, this message stayed on the bottom even after shutting down the user interface and restarting it. 

April 16, 2000

In installed version 2.1.10 on top of version 2.0.26 without un-installing t