ZoneAlarm alerts???

Discussion in 'Backup and Security' started by AAAintheBeltway, Sep 26, 2003.

  1. After I am online using IE for a while, I start getting repeated alerts from ZA. I can't access the web after it starts, but if I reboot it works fine, at least for a while. Doesn't seem to bother QCharts.

    The alert I'm getting says "Generic Host Process for Win32 services could not accept an UDP Port 3391 connection from 207.172.3.9 because internet servers were blocked."

    I have the server permision for Win32 services blocked, but it has always worked ok like that. Any ideas what's happening? And what should I do?
     
  2. Bsulli

    Bsulli

    http://www.linnetsol.co.uk/port-num3.htm#3300

    scroll down to 3391. It is an offically registered port to the website listed. All ports up to 49151 are registered with the IETF standards body.

    Also under the Alerts & Log button click on the Log viewer and scroll down to the one under the column Source IP 207.172.3.9:3391 and click on it once. It will show entry detail below then click on the more info button and za will go off and due a detailed analysis and pull up a web page.

    Also make sure a spybot removal program has been recently run and that the latest ZA is intsalled. Latest freebie one is 3.7.211

    If ZA is allowed to permission automatically it will set Server to have both check along with Access both checked.

    Good luck

    Bsulli
     
  3. Bsulli

    Bsulli

    The actual file that is running in the task manager that represents the Generic Services is called svchost.exe(multiple instances are possible) It is one of the files that the OS must run to offer up services and their dependence in the system. To get a better idea of what it runs the link shows a lot of the services that are running and the MS OS file associated with it. You won't file a service called "Generic services" but you will get the idea from reading thru the list.

    http://www.blackviper.com/WIN2K/servicecfg.htm

    Bsulli
     
  4. Bsulli

    Bsulli

    I checked and theprogrammers.com runs a server farm for there customers. My gut feeling is the farm has been comprised. ZA is probably doing it's job correctly.

    the address range registered to them is 207.172.xxx.xxx with xxx being any number.

    Bsulli
     
  5. Bsulli,

    Thanks for your kind assistance. I tend to agree with your gut feeling for the simple reason that this has worked for months set up this way with no problems. And anyway, why would an application require server privileges?
     
  6. Bsulli

    Bsulli

    For Win 2korXP pro verison

    The most common time server would be checked would be if you have automatic updates enabled under the control panel(may or may not require it to be checked), or if you access a corporate network from home some IPSEC VPN clients require it, any of the RPC(Remote Procedure Call) functions need it( that I don't recommend because your allowing hackers to gain remote access), and half a dozen more services which you would want to provide in a corporate lan environment only for error reporting.

    Only a w2k or XP server however you would have to have it enabled or things like webservers wouldn't work and a whole host of other things.

    Personally on my machines I have the Server unchecked like you because I don't allow remote access or access a corporate lan.

    Hope that helps.

    Have a great weekend.
    Bsulli