There have been some questions about whether or not ZoneAlarm reports data back to "mother". I've tried to determine if there's any truth to this, or if it's just myth.
First off, I have no relationship with ZoneLabs or any other companies which may have an interest in the outcome of this test. I have no personal interest vested in this whatsoever, regardless of the outcome of the test.
To be able to see what is going on, three things are needed; a computer with ZoneAlarm installed, a computer able to pick up data to/from a specific client, and a hub or preferably, a managed switch.
For the ZoneAlarm computer, I used an old laptop running Windows 2000 SP4. Late in the test, I re-installed Windows 2000 and ZoneAlarm only. This did not seem to alter the results of the test; however, when I re-installed Windows 2000, I switched the NetBIOS node type to peer-to-peer, which reduced the amount of broadcast traffic from the computer. Also, the laptop was configured to be in an "always on" mode to prevent it from shutting down or going into suspend mode.
For capturing the packets, I used Ethereal installed on a fresh install of Red Hat 9.0. I used a capture filter (host 192.168.a.b) to capture only packets to/from the test computer.
The switch used was a Cisco 2912XL. It was configured so that interface Fa0/12 would monitor interface Fa0/11 (Fa0/12 would see all traffic on Fa0/11). The laptop was connected to 11, and the Ethereal computer to 12. Initial tests showed that only packets to/from the laptop were being captured by Ethereal.
Ethereal was running constantly for about one week capturing data. The only time it was not actively capturing packets was when I briefly stopped it to change the log file...
The first step was to see what data was sent to ZoneLabs during the installation and registration process. The installation of the software didn't result in any traffic between the computer and ZoneLabs (or anyone else, for that matter). During the registration process, I did volunteer some information, and at the end of the process, this data was sent to ZoneLabs. Here's a copy of the data sent:
POST /register.asp HTTP/1.0
Accept: */*
Accept-Language: en
Host: register.zonelabs.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Zone Labs Registration Agent 1.0
Content-Length: 327

ProductVersion=3%2E7%2E202&HU100=ZLN18069648331679%2D1001&RegisteredOwner=Lars+Hansen&EMailAddr=xxxxxx%40hansenonline%2Enet&WantEmail=No&FullRegistration=Yes&OperatingSystem=Win+NT&SurveyNumComps=5%2D10&SurveyConnectType=Cable+modem&SurveySkillLevel=Expert%2FIT+Professional&SurveyPCtype=Laptop&ProductName=ZoneAlarm&OEM=1001

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Fri, 28 Nov 2003 14:07:01 GMT
Connection: Keep-Alive
Content-Length: 62
Content-Type: text/html
Set-Cookie: ASPSESSIONIDQAQCBSQT=DMFNGOBDFFEKGGFNODIDINKG; path=/
Cache-control: private

Thank you for registering.. ZoneAlarm: registration successful
There's nothing in here that should alarm anyone. This is all information that was volunteered.
After having captured data for a week, there are no signs of any other traffic going to ZoneLabs.com or any other company that originates from ZoneAlarm. ZoneAlarm does make a DNS lookup for "lockup.zonelabs.com" once every 24 hours, but no connection to that host is ever made. If you have set ZoneAlarm to automatically check for updates, it will make infrequent connections to check for new versions. No data is transmitted to that host other than the product version information. The information returned from this host contains the text that'll show in the popup (when doing manual updates), plus the URL for the update.
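The analysis described above (which names the test computer resolved, which hosts it actually opened connections to, and which names were resolved but never contacted) can be automated over a one-line-per-packet capture summary. The script below is an added example, not the author's tooling; the capture lines, addresses and the 10.0.0.77 host in it are constructed for illustration.

```python
import re
from collections import Counter

# Constructed capture summary lines (time src dst proto info) in the one-line
# style Ethereal/tshark prints. Made up for this example, not the author's data.
SAMPLE_LINES = """\
0.000 192.168.1.20 192.168.1.1 DNS Standard query A register.zonelabs.com
0.031 192.168.1.1 192.168.1.20 DNS Standard query response A register.zonelabs.com 10.0.0.5
0.040 192.168.1.20 10.0.0.5 TCP 1039 > 80 [SYN] Seq=0
0.120 192.168.1.20 10.0.0.5 HTTP POST /register.asp HTTP/1.0
3600.0 192.168.1.20 192.168.1.1 DNS Standard query A lockup.zonelabs.com
3600.1 192.168.1.1 192.168.1.20 DNS Standard query response A lockup.zonelabs.com 10.0.0.9
7200.0 192.168.1.20 192.168.1.37 NBNS Name query NB WORKGROUP<1b>
9000.0 192.168.1.20 10.0.0.77 TCP 1044 > 443 [SYN] Seq=0
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
QUERY_RE = re.compile(r"Standard query A (\S+)")
ANSWER_RE = re.compile(r"Standard query response A (\S+) (\S+)")
SYN_RE = re.compile(r"(\d+) > (\d+) \[SYN\]")  # a bare SYN = one connection attempt

def audit(lines, host, expected_hosts):
    """Summarise where `host` tried to talk: DNS names it resolved, TCP connections
    it opened, names resolved but never connected to, and connections outside `expected_hosts`."""
    dns_queries = Counter()
    ip_to_name = {}
    connections = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        _, src, dst, proto, info = m.groups()
        if proto == "DNS" and src == host and (q := QUERY_RE.search(info)):
            dns_queries[q.group(1)] += 1
        elif proto == "DNS" and dst == host and (a := ANSWER_RE.search(info)):
            ip_to_name[a.group(2)] = a.group(1)
        elif proto == "TCP" and src == host and (s := SYN_RE.search(info)):
            # Name the peer if a DNS answer told us who it is, else keep the raw IP.
            connections[(ip_to_name.get(dst, dst), int(s.group(2)))] += 1
    contacted = {name for name, _ in connections}
    return {
        "dns_queries": dict(dns_queries),
        "connections": dict(connections),
        "resolved_never_connected": set(dns_queries) - contacted,
        "unexpected": sorted(c for c in connections if c[0] not in expected_hosts),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LINES, "192.168.1.20", {"register.zonelabs.com"}))
```

Anything listed under "unexpected" is a connection to review by hand; a name under "resolved_never_connected" is the lockup.zonelabs.com pattern the author describes, a lookup with no connection behind it.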
I also did a port-scan on the laptop computer (first 180 TCP ports) to see if I could provoke ZoneAlarm into doing something, but nothing happened.
So, can I categorically state that ZoneAlarm does not send data to ZoneLabs? No, I cannot. One week of collected data may not have been enough to catch it in the act. However, it seems unlikely that spyware would wait for such a long period of time between reports. If indeed the software were tracking browsing habits, it would either report this fairly frequently, or when a certain amount of data was collected. Waiting for too long a period could result in a large amount of data being transmitted at one time, which could potentially attract the attention of the user...
So, if you're noticing some flashing lights on your cable modem or DSL modem, that's probably just some background noise either on your network or on the internet, and not ZoneAlarm transmitting anything of yours to anyone else.
A couple of qualifiers:
Other traffic seen:
© 1999 - 2005 Lars M. Hansen