Why Does Gzserv.exe Upload So Much Data?

It's only been two weeks since I installed my new router, and it monitors all data transmissions. Tonight it had a pop-up, and I went to the program; while I was there I noticed gzserv.exe has the largest amount of data going up: 850MB in the past two weeks, at a constant speed of 1.4kb down and 517b's up. I understand connecting to get updates and such, but a constant steady upload and download, and such a high upload amount? What exactly is it uploading?

Comments

  • OK, sounds good, no need to block then. Thanks for the response.

  • Interesting and worrisome. I used Nirsoft's NetworkTrafficView and the traffic is visible.


    Ethernet Type: IPv4
    IP Protocol: TCP
    Source Address: 148.251.76.155
    Destination Address: 192.168.1.98
    Source Port: 443
    Destination Port: 2220
    Service Name: https
    Status: Closed
    Packets Count: 4
    Total Packets Size: 1 047
    Total Data Size: 887
    Data Speed:
    Maximum Data Speed: 0.1 KiB/Sec
    Process Filename: C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
    Average Packet Size: 261.8
    Maximum Packet Size: 365
    First Packet Time: 20.03.2015 23:56:17
    Last Packet Time: 20.03.2015 23:56:17
    Duration: 00:00:00.500
    Latency:
    Process ID: 436
    TCP Ack: 4
    TCP Push: 3
    TCP Reset: 0
    TCP Syn: 0
    TCP Fin: 0
    Source Country:
    Destination Country:


    Data on the IP connected to:
    % This is the RIPE Database query service.
    % The objects are in RPSL format.
    %
    % The RIPE Database is subject to Terms and Conditions.
    % See http://www.ripe.net/db/support/db-terms-conditions.pdf

    % Information related to '148.251.0.0 - 148.251.255.255'

    % No abuse contact registered for 148.251.0.0 - 148.251.255.255

    inetnum:        148.251.0.0 - 148.251.255.255
    netname:        HETZNER-RZ-BLK-ERX2
    descr:          Server Block
    country:        DE
    admin-c:        HOAC1-RIPE
    tech-c:         HOAC1-RIPE
    status:         LEGACY
    remarks:        For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
    mnt-by:         HOS-GUN
    mnt-lower:      HOS-GUN
    mnt-routes:     HOS-GUN
    mnt-domains:    HOS-GUN
    changed:        mf@hetzner.de 20121217
    source:         RIPE

    role:           Hetzner Online AG - Contact Role
    address:        Hetzner Online AG
    address:        Stuttgarter Strasse 1
    address:        D-91710 Gunzenhausen
    address:        Germany
    phone:          +49 9831 61 00 61
    fax-no:         +49 9831 61 00 62
    e-mail:         ripe@hetzner.de
    abuse-mailbox:  abuse@hetzner.de
    remarks:        *************************************************
    remarks:        * For spam/abuse/security issues please contact *
    remarks:        *   abuse@hetzner.de, not this address.         *
    remarks:        *   The contents of your abuse email will be    *
    remarks:        *   forwarded directly on to our client for     *
    remarks:        *   handling.                                   *
    remarks:        *************************************************
    remarks:
    remarks:        *************************************************
    remarks:        *    Any questions on Peering please send to    *
    remarks:        *              peering@hetzner.de               *
    remarks:        *************************************************
    org:            ORG-HOA1-RIPE
    admin-c:        MH375-RIPE
    tech-c:         GM834-RIPE
    tech-c:         SK2374-RIPE
    tech-c:         TF2013-RIPE
    tech-c:         MF1400-RIPE
    tech-c:         SK8441-RIPE
    nic-hdl:        HOAC1-RIPE
    notify:         ripe-mntner@hetzner.de
    mnt-by:         HOS-GUN
    source:         RIPE
    changed:        mf@hetzner.de 20130114
    changed:        mf@hetzner.de 20130227
    changed:        sebastian.krannich@hetzner.de 20130418

    % Information related to '148.251.0.0/16AS24940'

    route:          148.251.0.0/16
    descr:          HETZNER-RZ-BLK-ERX2
    origin:         AS24940
    org:            ORG-HOA1-RIPE
    mnt-by:         HOS-GUN
    changed:        ripe@hetzner.de 20121224
    source:         RIPE

    organisation:   ORG-HOA1-RIPE
    org-name:       Hetzner Online AG
    org-type:       LIR
    address:        Hetzner Online AG
    address:        Attn. Martin Hetzner
    address:        Industriestrasse 25
    address:        91710
    address:        Gunzenhausen
    address:        GERMANY
    phone:          +49 9831 610061
    fax-no:         +49 9831 610062
    admin-c:        TF2013-RIPE
    admin-c:        MF1400-RIPE
    admin-c:        GM834-RIPE
    admin-c:        HOAC1-RIPE
    admin-c:        MH375-RIPE
    admin-c:        SK2374-RIPE
    admin-c:        SK8441-RIPE
    mnt-ref:        HOS-GUN
    mnt-ref:        RIPE-NCC-HM-MNT
    mnt-by:         RIPE-NCC-HM-MNT
    abuse-c:        HOAC1-RIPE
    source:         RIPE
    e-mail:         info@hetzner.de
    changed:        bitbucket@ripe.net 20140403

    % This query was served by the RIPE Database Query Service version 1.78 (DB-1)


    Hostname seems to be 'ep-reverse.nimbus.bitdefender.net', which gives the reply "Bad Request" after presenting a self-signed certificate.


    Hetzner.de seems to be some German hosting provider.


    Anyone have time to look at what data is being moved?
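The triage step this comment describes (per-process traffic from a NetworkTrafficView record) carried a bit further, as an added example that is not from the original post or from NirSoft: a Python script that parses a tab-separated export in the column layout of the record above, sums bytes per process and remote address, and lists the processes that send more than they receive. The export rows and the 203.0.113.10 address are constructed, and inferring direction from which side of a connection has an RFC 1918 address is an assumption of this example.

```python
import ipaddress
from collections import defaultdict
# Constructed sample in the column layout of the NetworkTrafficView record pasted above.
# Row 1 copies the posted record; the rest are made up (203.0.113.10 is a documentation address).
SAMPLE_EXPORT = (
    "Ethernet Type\tIP Protocol\tSource Address\tDestination Address\tSource Port\t"
    "Destination Port\tService Name\tStatus\tPackets Count\tTotal Packets Size\t"
    "Total Data Size\tProcess Filename\n"
    "IPv4\tTCP\t148.251.76.155\t192.168.1.98\t443\t2220\thttps\tClosed\t4\t1 047\t887\t"
    "C:\\Program Files\\Bitdefender\\Antivirus Free Edition\\gzserv.exe\n"
    "IPv4\tTCP\t192.168.1.98\t148.251.76.155\t2221\t443\thttps\tClosed\t12\t9 512\t8 830\t"
    "C:\\Program Files\\Bitdefender\\Antivirus Free Edition\\gzserv.exe\n"
    "IPv4\tTCP\t192.168.1.98\t203.0.113.10\t2300\t443\thttps\tClosed\t30\t4 100\t2 950\t"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe\n"
    "IPv4\tTCP\t203.0.113.10\t192.168.1.98\t443\t2300\thttps\tClosed\t60\t71 000\t68 500\t"
    "C:\\Program Files\\Mozilla Firefox\\firefox.exe\n"
)

# RFC 1918 ranges; an address in one of them is taken to be the local side (assumption).
LAN_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan(addr):
    return any(ipaddress.ip_address(addr) in net for net in LAN_NETWORKS)

def to_int(value):
    """Sizes in the export use a space as thousands separator ('1 047'); blank means 0."""
    value = value.replace(" ", "").replace("\u00a0", "").strip()
    return int(value) if value else 0

def parse_export(text):
    """One dict per data row, keyed by the header names of the export."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]

def summarize(rows):
    """Bytes per (process, remote address), split by direction: a LAN source means bytes
    the host sent, a LAN destination bytes it received; other rows are skipped."""
    totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for r in rows:
        src, dst = r["Source Address"], r["Destination Address"]
        size, proc = to_int(r["Total Data Size"]), r["Process Filename"]
        if is_lan(src) and not is_lan(dst):
            totals[(proc, dst)]["sent"] += size
        elif is_lan(dst) and not is_lan(src):
            totals[(proc, src)]["received"] += size
    return dict(totals)

def upload_dominant(totals, min_ratio=1.0):
    """Processes that sent at least min_ratio times as many bytes as they received."""
    per_proc = defaultdict(lambda: {"sent": 0, "received": 0})
    for (proc, _remote), t in totals.items():
        per_proc[proc]["sent"] += t["sent"]
        per_proc[proc]["received"] += t["received"]
    return sorted(p for p, t in per_proc.items() if t["sent"] >= min_ratio * max(t["received"], 1))
```

On a real export, the interesting output is the (process, remote address) pairs from summarize(): a process with a steady upload to one remote host is the pair to look up in whois, as the comment above does.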

  • Since the product is heavily cloud based, it's not surprising to see traffic. At least to me it isn't.

  • Which part of BD Free Antivirus is 'cloud based'? Aren't all the logic and malware signatures stored on the user's computer, locally?

  • Hiya goldencut,


    From this page.



    Bitdefender Antivirus Free Edition uses a combination of Cloud scanning and behavioural analysis to detect new or unknown threats that other antiviruses miss.



    Ro.

  • So BD's ad claims, and many believe it to be. What I actually can't find is any information on why and how this is done. If malware signatures are downloaded to my computer (the BD folder is around 190MB), then why would my files be sent off from my computer to the world and end up who knows where, without me knowing? What part of BD's detection engine/technology requires the cloud? Are my files that are uploaded by BD without my knowledge still anonymous, secure and private when on some Romanian company's web server? Nothing about it can be found on BD's website or Wikipedia page.


    Also, if BD's engine/technology requires the cloud, then what happens when I'm offline and decide to connect a USB stick (or CD, HDD etc.) to my PC? Is BD then less effective in protecting my PC because the connected media is not exposed to the 'cloud scanning' technology, i.e. do I actually need to be always connected to the internet to be safe and protected?

  • dch48
    edited March 2015
    Yes, you do need to be connected to receive the full protection. As I understand it, BD Free works somewhat like MSE and the new Windows Defender: if a file looks suspicious but does not have an actual malware signature in the database, then the cloud part kicks in, the file is checked against all the latest malware data that may not yet have been received in a database update, and it decides whether the file should be quarantined. Many people don't know that MSE/Defender does that, but it does.

  • Well, your guess is as good as any... AFAIK in MS SE and MS WD the user can turn the sample-sending feature off so nothing is uploaded to the "cloud" (i.e. 'some corporation's server'). Do you actually know what happens to your files when they are uploaded to that server, how long they are stored there, when and how they are deleted, who can access them? If any other corporation did that (like Sony did), it would be called 'spyware', 'backdoor' etc. Anyhow, since BD AV seems to connect for signature updates multiple times every day, all the latest malware info should already be on my local PC. If all the signatures are available locally, then what EXTRA happens on BD's servers? Somebody opens my files in some sandbox and takes a closer look at what's inside? What if that file contains my private data?

  • Well, if you want to be what I consider to be paranoid about such things, that's up to you. Personally, I don't worry about it. They're in the security business, so I trust them to only use the data to that end. They don't have to look at the contents of a file for it to be scanned for known or suspicious behavior. Since the bad stuff is most often found in the first few bytes of a file where it has been injected, there's no need to examine the whole thing, and I doubt very much that that ever happens. Also, it doesn't matter if your signature database is updated every hour. There is still going to be new malware that will not be included. BD only checks every hour or so, but updates only come through once or twice a day. It takes time to create the new signatures and test them before pushing them out. Therefore, it's very possible that there could be a malware detection that you haven't received yet. ALL the signatures are probably never available locally.


    A certain amount of trust is necessary to have since the only real way to be fully protected is to turn off the computer and never use it again.

  • Hopefully at least some people care and worry. And yep, they are a business as you said, but so are Google, Facebook and others whom the general public saw as trustworthy (and who have much more to lose), yet they turned out to share users' data with the NSA, maybe others. What a much smaller company might do if it faces financial or other difficulties, who knows? So I do prefer to know when and what is uploaded from my computer and what happens to it. I don't like the idea of my files lying around on some FTP server in a Romanian company where anyone who has access to the intranet can browse them, for example...


    I can't make any sense of your explanation why BitDefender clients check servers for updates several times a day but wouldn't download updates if they are available.

  • It's simple: the updates are not available until an update package has been assembled and tested. You won't ever get a download for every single new detection. It just doesn't work that way for any security vendor.


    I also have nothing against Google or Facebook and use both every day. As the band Buffalo Springfield once said, "paranoia runs deep".

  • Then this thread is not for you probably. I think the person who started this thread and also I live more by the proverb "Trust, but verify".

  • Any thread should be for anyone who has an opinion on the matter.