ClamWin Free Antivirus
Support and Discussion Forums
ClamWin calling all over the place randomly
Randall


Joined: 04 Dec 2008
Posts: 0
Location: Southern CA
Why does my Windows binary of ClamWin v0.94.1 call out to various IP addresses on the DNS port?

At random times, it attempts to reach an IP such as cf-in-f17.google.com [74.125.19.17], NOT related to the ClamWin database or the ClamWin website.

Whenever I run the manual command "c:\program files\clamwin\bin\clamwin.exe" --mode=checkversion my version of ClamWin will go to some random IP address also (usually Google, although Roadrunner and others have shown up).

I have ZoneAlarm v7.0.483.000 installed, and it is interrupting the IP callouts by ClamWin.

I have been told by a ClamWin developer that this is abnormal behavior.

How can this be debugged?

I really don't want my machine talking on the internet without my permission.
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
Randall, as just an ordinary user, it sounds like ClamWin is doing something it wasn't programmed to do. However, you didn't tell us what sort of system/environment you are using ClamWin in, how you have ClamWin configured, and what other security software you are using. I suggest that you first uninstall ClamWin and then reinstall it and see if the behavior continues. If it does continue, get back here with the above information, and someone can probably help.

Regards,
system environment
Randall


Joined: 04 Dec 2008
Posts: 0
Location: Southern CA
Guitar Bob:

I did what you suggested yesterday, removing ClamWin from my machine, then reinstalling v.0.94.1.

The machine is a Windows XP service pack 3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

I am running ClamWin v0.94.1 and ZoneAlarm freeware version 7.0.483.000 for my antivirus/firewall combination.

If you want information about the running processes and services, I can provide that too.

What more do I need to provide?
GuitarBob


Joined: 09 Jul 2006
Posts: 9
Location: USA
You didn't say what the results were after uninstalling/re-installing ClamWin, but I assume the problem persists. I don't understand why you are using that manual command--you can check the version no. by right-clicking the ClamWin icon in your system tray and selecting Check Latest Version. When I tried to Run that command in my Win XP SP3 machine, I didn't seem to get any results. It could be that the manual command is unstable in conjunction with your firewall. Make sure ClamWin is recognized/enabled by the firewall.

Unless a ClamWin developer says different, if ClamWin scans/updates okay and the Check Latest Version works, my advice is just not to use the manual command. You are in a Windows environment anyway, which minimizes such commands.

Regards,
Randall


Joined: 04 Dec 2008
Posts: 0
Location: Southern CA
Guitar Bob:

Sorry if I wasn't clear. The odd results came back after the new install. I will continue to manually block the requests.

One of these days I might create a .NET project and then add the correct debugging code and see what's really going on, but I have more important things to do.

Your feedback is appreciated
Re: ClamWin calling all over the place randomly
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Randall wrote:
Why does my Windows binary of ClamWin v0.94.1 call out to various IP addresses on the DNS port?

At random times, it attempts to reach an IP such as cf-in-f17.google.com [74.125.19.17], NOT related to the ClamWin database or the ClamWin website.

Whenever I run the manual command "c:\program files\clamwin\bin\clamwin.exe" --mode=checkversion my version of ClamWin will go to some random IP address also (usually Google, although Roadrunner and others have shown up).

I have ZoneAlarm v7.0.483.000 installed, and it is interrupting the IP callouts by ClamWin.

I have been told by a ClamWin developer that this is abnormal behavior.

How can this be debugged?

I really don't want my machine talking on the internet without my permission.


Hi Randall,

We started discussing it in emails but let's continue here.

"c:\program files\clamwin\bin\clamwin.exe" --mode=checkversion just does a simple HTTP request using the urllib2 Python library: http://www.python.org/doc/2.5.2/lib/module-urllib2.html
This does require a DNS request and it seems to me that the DNS resolution part on your machine is somehow oddly behaved. It might be just confined to the use of Python or a more generic issue.

I know that ZoneAlarm uses a modified Python interpreter which might throw a spanner into ClamWin. However I installed the latest ZoneAlarm here and the only DNS it contacts is the local one.

Could you check what DNS settings you have configured in ipconfig /all?
result of ipconfig /all command
Randall


Joined: 04 Dec 2008
Posts: 0
Location: Southern CA
ipconfig/all shows:

Windows IP Configuration

Host Name . . . . . . . . . . . . : RLR
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : gateway.2wire.net

Ethernet adapter Local Area Connection:

Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
Physical Address. . . . . . . . . : 00-14-22-EF-78-B1

Ethernet adapter Wireless Network Connection:

Connection-specific DNS Suffix . : gateway.2wire.net
Description . . . . . . . . . . . : Intel(R) PRO/Wireless 3945ABG Network Connection
Physical Address. . . . . . . . . : 00-13-02-08-D7-E2
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.1.106
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
DHCP Server . . . . . . . . . . . : 192.168.1.254
DNS Servers . . . . . . . . . . . : 192.168.1.254
Lease Obtained. . . . . . . . . . : Friday, December 05, 2008 8:52:28 AM
Lease Expires . . . . . . . . . . : Saturday, December 06, 2008 8:52:28 AM
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Nothing wrong there, the gateway/router is used as DNS. Same as in my configuration when I tested it with ZA. I don't know why it does that to be honest.
I will make a small test utility that uses urllib2 and post it here for you to test, then we will at least isolate the problem.
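One way to do the isolation described in the post above, as an added example that is not part of the thread and is not the test utility alch mentions: it uses Python 3's urllib.request (the successor to urllib2) and logs every name lookup and TCP connect the Python process itself makes during one HTTP request. The function names, the loopback test server and its response body are constructed for this example.

```python
import http.server
import socket
import threading
import urllib.request
from contextlib import contextmanager

@contextmanager
def trace_network(log):
    """Record each name lookup and TCP connect this Python process makes."""
    real_getaddrinfo, real_connect = socket.getaddrinfo, socket.socket.connect
    def getaddrinfo(host, port, *args, **kwargs):
        results = real_getaddrinfo(host, port, *args, **kwargs)
        log.append(("resolve", host, sorted({r[4][0] for r in results})))
        return results
    def connect(sock, address):
        log.append(("connect", address[0], address[1]))
        return real_connect(sock, address)

    socket.getaddrinfo, socket.socket.connect = getaddrinfo, connect
    try:
        yield log
    finally:
        socket.getaddrinfo, socket.socket.connect = real_getaddrinfo, real_connect

def traced_fetch(url, timeout=5):
    """GET url with proxies disabled; return (body, network event log)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with trace_network([]) as log, opener.open(url, timeout=timeout) as resp:
        return resp.read(), log

def unexplained_connects(log):
    """Connect events whose IP no logged lookup returned."""
    resolved = {ip for kind, _, ips in log if kind == "resolve" for ip in ips}
    return [e for e in log if e[0] == "connect" and e[1] not in resolved]

def start_test_server():
    """Constructed stand-in for a version-check server, bound to loopback."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"0.94.1")  # constructed response body
    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    server = start_test_server()
    print(traced_fetch("http://127.0.0.1:%d/" % server.server_port))
```

The hooks see only what the Python code asks for; the operating system resolver's own port-53 packets never appear as connect events, so the log is meant to be compared against the firewall's record for the same time window.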
did test routine get written?
Randall


Joined: 04 Dec 2008
Posts: 0
Location: Southern CA
Did someone write a small test routine? My ClamWin keeps calling out to odd DNS locations.
alch
Site Admin

Joined: 27 Nov 2005
Posts: 0
Sorry, been busy. Will try to do that before Christmas :)