Why Does Gzserv.exe Upload So Much Data?
It's only been two weeks since I installed my new router, and it monitors all data transmissions. Tonight it had a pop-up, and while I was in the program I noticed that gzserv.exe has the largest amount of data going up: 850 MB in the past two weeks, at a constant speed of 1.4 kB down and 517 B up. I understand connecting to get updates and such, but a constant, steady upload and download, and such a high upload amount? What exactly is it uploading?
Comments
-
ok sounds good, no need to block then, thanks for the response
-
Interesting and worrisome. I used Nirsoft's NetworkTrafficView and the traffic is visible.
Ethernet Type IP Protocol Source Address Destination Address Source Port Destination Port Service Name Status Packets Count Total Packets Size Total Data Size Data Speed Maximum Data Speed Process Filename Average Packet Size Maximum Packet Size First Packet Time Last Packet Time Duration Latency Process ID TCP Ack TCP Push TCP Reset TCP Syn TCP Fin Source Country Destination Country
IPv4 TCP 148.251.76.155 192.168.1.98 443 2220 https Closed 4 1 047 887 0.1 KiB/Sec C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe 261.8 365 20.03.2015 23:56:17 20.03.2015 23:56:17 00:00:00.500 436 4 3 0 0 0
Data on the IP connected to:
Hostname seems to be 'ep-reverse.nimbus.bitdefender.net', which gives reply "Bad Request" after presenting self signed certificate.
Hetzner.de seems to be some German hosting provider.
Anyone have time to look at what data is being moved?
-
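An added example, not from the original post and not Bitdefender's code: a small Python script in the "trust, but verify" spirit of this thread that aggregates a NetworkTrafficView-style export per process, separating bytes sent to internet peers from bytes received, and flags upload-heavy processes. The column names are the ones from the table above; the rows, the browser.exe entry and the thresholds are constructed.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export: a subset of NetworkTrafficView's columns, comma
# separated. Row 1 mirrors the connection posted in the thread; the others are
# made up so the aggregation has something to compare against.
SAMPLE_CSV = """Source Address,Destination Address,Destination Port,Total Data Size,Process Filename
148.251.76.155,192.168.1.98,2220,887,C:\\Program Files\\Bitdefender\\Antivirus Free Edition\\gzserv.exe
192.168.1.98,148.251.76.155,443,1500,C:\\Program Files\\Bitdefender\\Antivirus Free Edition\\gzserv.exe
192.168.1.98,148.251.76.155,443,900000,C:\\Program Files\\Bitdefender\\Antivirus Free Edition\\gzserv.exe
192.168.1.98,203.0.113.10,443,4000,C:\\Program Files\\Browser\\browser.exe
203.0.113.10,192.168.1.98,443,2500000,C:\\Program Files\\Browser\\browser.exe
"""

# RFC 1918 ranges plus loopback: anything else is treated as an internet peer.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_local(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def summarize(csv_text: str) -> dict:
    """Per process: bytes sent to and received from internet peers, plus the peers."""
    totals = defaultdict(lambda: {"sent": 0, "recv": 0, "peers": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        src, dst = row["Source Address"], row["Destination Address"]
        size = int(row["Total Data Size"])
        proc = row["Process Filename"].rsplit("\\", 1)[-1].lower()
        if is_local(src) and not is_local(dst):      # LAN -> internet: upload
            totals[proc]["sent"] += size
            totals[proc]["peers"].add(dst)
        elif is_local(dst) and not is_local(src):    # internet -> LAN: download
            totals[proc]["recv"] += size
            totals[proc]["peers"].add(src)
    return dict(totals)

def upload_heavy(totals: dict, min_sent: int = 100_000, ratio: float = 1.0) -> list:
    """Processes that sent at least min_sent bytes and more than ratio x what they received."""
    return sorted(p for p, t in totals.items()
                  if t["sent"] >= min_sent and t["sent"] > ratio * t["recv"])

if __name__ == "__main__":
    stats = summarize(SAMPLE_CSV)
    for proc in upload_heavy(stats):
        print(proc, stats[proc])
```

With a real export, run the flagged processes' peer addresses through the same whois and reverse-DNS checks the post above describes before deciding whether the volume is expected.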
Since the product is heavily cloud based, it's not surprising to see traffic. At least to me it isn't.
-
Which part of BD Free Antivirus is 'cloud based'? Aren't all the logic and malware signatures stored on the user's computer, locally?
-
Hiya goldencut,
Bitdefender Antivirus Free Edition uses a combination of Cloud scanning and behavioural analysis to detect new or unknown threats that other antiviruses miss.
Ro.
-
So BD's ad claims, and many believe it to be so. What I actually can't find is any information on why and how this is done. If malware signatures are downloaded to my computer (the BD folder is around 190 MB), then why would my files be sent off from my computer to the world and end up who knows where, without me knowing? What part of BD's detection engine/technology requires the cloud? Are my files that are uploaded by BD without my knowledge still anonymous, secure and private when on some Romanian company's web server? Nothing about it can be found on BD's website or Wikipedia page.
Also, if BD's engine/technology requires the cloud, then what happens when I'm offline and decide to connect a USB stick (or CD, HDD etc.) to my PC? Is BD then less effective in protecting my PC because the connected media is not exposed to the 'cloud scanning' technology, i.e. do I actually need to be always connected to the internet to be safe and protected?
-
Yes, you do need to be connected to receive the full protection. As I understand it, BD Free works somewhat like MSE and the new Windows Defender in that if a file looks suspicious but does not have an actual malware signature in the database, then the cloud part kicks in and the file is checked against all the latest malware data that may not yet have been received in a database update, and it decides whether the file should be quarantined. Many people don't know that MSE/Defender does that, but it does.
-
Well, your guess is as good as any... AFAIK in MS SE and MS WD the user can turn the sample sending feature off so nothing is uploaded to the "cloud" (i.e. 'some corporation's server'). Do you actually know what happens to your files when they are uploaded to that server, how long they are stored there, when and how they are deleted, who can access them? If any other corporation did that (like Sony did) it would be called 'spyware', 'backdoor' etc. Anyhow, since BD AV seems to connect for signature updates multiple times every day, all the latest malware info should already be on my local PC. If all the signatures are available locally, then what EXTRA happens on BD's servers? Somebody opens my files in some sandbox and takes a closer look at what's inside? What if that file contains my private data?
-
Well, if you want to be what I consider to be paranoid about such things, that's up to you. Personally, I don't worry about it. They're in the security business, so I trust them to only use the data to that end. They don't have to look at the contents of a file for it to be scanned for known or suspicious behavior. Since the bad stuff is most often found in the first few bytes of a file where it has been injected, there's no need to examine the whole thing, and I doubt very much that that ever happens. Also, it doesn't matter if your signature database is updated every hour. There is still going to be new malware that will not be included. BD only checks every hour or so, but updates only come through once or twice a day. It takes time to create the new signatures and test them before pushing them out. Therefore, it's very possible that there could be a malware detection that you haven't received yet. ALL the signatures are probably never available locally.
A certain amount of trust is necessary, since the only real way to be fully protected is to turn off the computer and never use it again.
-
Hopefully at least some people care and worry. And yep, they are a business as you said, but so are Google, Facebook and others whom the general public saw as trustworthy (and who have much more to lose), yet they turned out to share users' data with the NSA, maybe others. What a much smaller company might do if it faces financial or other difficulties, who knows? So I do prefer to know when and what is uploaded from my computer and what happens to it. I don't like the idea of my files lying around on some FTP server in a Romanian company where anyone who has access to the intranet can browse them, for example...
I can't make any sense of your explanation of why BitDefender clients check servers for updates several times a day but wouldn't download updates if they are available.
-
It's simple: the updates are not available until an update package has been assembled and tested. You won't ever get a download for every single new detection. It just doesn't work that way for any security vendor.
I also have nothing against Google or Facebook and use both every day. As the band Buffalo Springfield once said, "paranoia runs deep".
-
Then this thread is not for you probably. I think the person who started this thread and also I live more by the proverb "Trust, but verify".
-
Any thread should be for anyone who has an opinion on the matter.