Why Does Gzserv.exe Upload So Much Data?

Interesting and worrisome. I used Nirsoft's NetworkTrafficView and the traffic is visible.

Ethernet Type    IP Protocol    Source Address    Destination Address    Source Port    Destination Port    Service Name    Status    Packets Count    Total Packets Size    Total Data Size    Data Speed    Maximum Data Speed    Process Filename    Average Packet Size    Maximum Packet Size    First Packet Time    Last Packet Time    Duration    Latency    Process ID    TCP Ack    TCP Push    TCP Reset    TCP Syn    TCP Fin    Source Country    Destination Country    
IPv4    TCP    148.251.76.155    192.168.1.98    443    2220    https    Closed    4    1 047    887        0.1 KiB/Sec    C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe    261.8    365    20.03.2015 23:56:17    20.03.2015 23:56:17    00:00:00.500        436    4    3    0    0    0

Data on the IP connected to:
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '148.251.0.0 - 148.251.255.255'

% No abuse contact registered for 148.251.0.0 - 148.251.255.255

inetnum:        148.251.0.0 - 148.251.255.255
netname:        HETZNER-RZ-BLK-ERX2
descr:          Server Block
country:        DE
admin-c:        HOAC1-RIPE
tech-c:         HOAC1-RIPE
status:         LEGACY
remarks:        For information on "status:" attribute read https://www.ripe.net/data-tools/db/faq/faq-status-values-legacy-resources
mnt-by:         HOS-GUN
mnt-lower:      HOS-GUN
mnt-routes:     HOS-GUN
mnt-domains:    HOS-GUN
changed:        mf@hetzner.de 20121217
source:         RIPE

role:           Hetzner Online AG - Contact Role
address:        Hetzner Online AG
address:        Stuttgarter Strasse 1
address:        D-91710 Gunzenhausen
address:        Germany
phone:          +49 9831 61 00 61
fax-no:         +49 9831 61 00 62
e-mail:         ripe@hetzner.de
abuse-mailbox:  abuse@hetzner.de
remarks:        *************************************************
remarks:        * For spam/abuse/security issues please contact *
remarks:        *   abuse@hetzner.de, not this address.         *
remarks:        *   The contents of your abuse email will be    *
remarks:        *   forwarded directly on to our client for     *
remarks:        *   handling.                                   *
remarks:        *************************************************
remarks:
remarks:        *************************************************
remarks:        *    Any questions on Peering please send to    *
remarks:        *              peering@hetzner.de               *
remarks:        *************************************************
org:            ORG-HOA1-RIPE
admin-c:        MH375-RIPE
tech-c:         GM834-RIPE
tech-c:         SK2374-RIPE
tech-c:         TF2013-RIPE
tech-c:         MF1400-RIPE
tech-c:         SK8441-RIPE
nic-hdl:        HOAC1-RIPE
notify:         ripe-mntner@hetzner.de
mnt-by:         HOS-GUN
source:         RIPE
changed:        mf@hetzner.de 20130114
changed:        mf@hetzner.de 20130227
changed:        sebastian.krannich@hetzner.de 20130418

% Information related to '148.251.0.0/16AS24940'

route:          148.251.0.0/16
descr:          HETZNER-RZ-BLK-ERX2
origin:         AS24940
org:            ORG-HOA1-RIPE
mnt-by:         HOS-GUN
changed:        ripe@hetzner.de 20121224
source:         RIPE

organisation:   ORG-HOA1-RIPE
org-name:       Hetzner Online AG
org-type:       LIR
address:        Hetzner Online AG
address:        Attn. Martin Hetzner
address:        Industriestrasse 25
address:        91710
address:        Gunzenhausen
address:        GERMANY
phone:          +49 9831 610061
fax-no:         +49 9831 610062
admin-c:        TF2013-RIPE
admin-c:        MF1400-RIPE
admin-c:        GM834-RIPE
admin-c:        HOAC1-RIPE
admin-c:        MH375-RIPE
admin-c:        SK2374-RIPE
admin-c:        SK8441-RIPE
mnt-ref:        HOS-GUN
mnt-ref:        RIPE-NCC-HM-MNT
mnt-by:         RIPE-NCC-HM-MNT
abuse-c:        HOAC1-RIPE
source:         RIPE
e-mail:         info@hetzner.de
changed:        bitbucket@ripe.net 20140403

% This query was served by the RIPE Database Query Service version 1.78 (DB-1)

Hostname seems to be 'ep-reverse.nimbus.bitdefender.net', which gives reply "Bad Request" after presenting self signed certificate.

Hetzner.de seems to be some german hosting provider.

Anyone have time to look what data is being moved?

Since the product is heavily cloud based, it's not surprising to see traffic. At least to me it isn't.

Hiya goldencut,

From this page.

Bitdefender Antivirus Free Edition uses a combination of Cloud scanning and behavioural analysis to detect new or unknown threats that other antiviruses miss.

Ro.

So BD's ad claims and many believe to be. What I actually can't find is any information on why and how this is done. If malware signatures are downloaded to my computer (BD folder is around 190MB) then why would my files be sent off from my computer to the world and end up who knows where, without me knowing? What part of BD detection engine/technology requires cloud? Are my files that are without my knowledge uploaded by BD still anonymous, secure and private when in some Romanian company's web server? Nothing about it can be found on BD's website or wikipedia page.

Also, if BD's engine/technology requires cloud then what happens when I'm offline and decide to connect an USB stick (or CD, HDD etc) to my PC, is BD then less effective in protecting my PC because the connected media is not exposed to the 'cloud scanning' technology ie do I actually need to be always connected to internet to be safe and protected?

Well, your guess is as good as any... AFAIK in MS SE and MS WD user can turn sample sending feature off so nothing is uploaded to the "cloud" (ie 'some corporation's server'). Do you actually know what happens to your files when they are uploaded to that server, how long are they stored there, when and how deleted, who can access them? If any other corporation would do that (like Sony did) it would be called 'spyware', 'backdoor' etc. Anyhow, since BD AV seems to connect for signature updates multiple times every day then all the latest malware info should already be on my local PC. If all the signatures are available locally then what EXTRA happens on BD'd servers? Somebody opens my files in some sandbox and takes a closer look what's inside? What if that file contains my private data?

Well, if you want to be what I consider to be paranoid about such things, that's up to you. Personally, I don't worry about it. They're in the security business so I trust them to only use the data in that end. They don't have to look at the contents of a file for it to be scanned for known or suspicious behavior. Since the bad stuff is most often found in the first few bytes of a file where it has been injected, there's no need to examine the whole thing and I doubt very much that that ever happens. Also, It doesn't matter if your signature database is updated every hour. There is still going to be new malware that will not be included. BD only checks every hour or so but updates only come through once or twice a day. It takes time to create the new signatures and test them before pushing them out. Therefore, it's very possible that there could be a malware detection that you haven't received yet. ALL the signatures are probably never available locally.

A certain amount of trust is necessary to have since the only real way to be fully protected is to turn off the computer and never use it again.

Hopefully at least some people care and worry. And yep, they are business as you said, but so are Google, Facebook and others who general public saw as trustworthy (and who have much more to lose) yet turned out to share users' data with NSA, maybe others. What a much smaller company might do if it faces financial or other difficulties, who knows? So I do prefer to know when and what is uploaded from my computer and what happens to it. I don't like the idea of my files laying around on some ftp server in Romanian company where anyone who has access to intranet can browse then, for example...

I can't make any sense of your explanation why BitDefender clients check servers for updates several times a day but wouldn't download updates if they are available.

I also have nothing against Google or Facebook and use both every day. As the band Buffalo Springfield once said, "paranoia runs deep".

Then this thread is not for you probably. I think the person who started this thread and also I live more by the proverb "Trust, but verify".

Any thread should be for anyone who has an opinion on the matter.