Vsmon.exe is ZoneAlarm’s True Vector Monitor process. It is an essential component for the stable and secure running of the popular third-party software called ZoneAlarm firewall.
Vsmon.exe, the firewall’s main process, provides packet interception for every connection made to or from your computer. This includes applications that need the Internet to update themselves, among other things. However, ZA (ZoneAlarm – I will be referring to it as ZA from now on) has an internal knowledge base, essentially an intelligent database, that recognizes, for example, the Windows Update utilities and lets them perform the update without asking you first. This is because certain utilities are part of the default system, and it would be a bother to stop the user every time Windows needs to download an update. Security-wise, the list of default programs that ZA allows to update or connect to the Internet automatically is very short. Windows Update, as mentioned before, is one of them, since there is no point in stopping a process that is practically 100% safe even without intervention from a third-party firewall like ZA.
The vsmon.exe process can be disabled or terminated permanently if you suspect that it is causing problems. The most commonly reported issues with this process are that it can use up to 100% of CPU time or consume excessive memory. To permanently disable ZoneAlarm you must uninstall it; however, this will leave you without a firewall. To prevent ZoneAlarm from starting each time your system boots up, open ZoneAlarm, click the Configure button, and uncheck the checkbox next to the option ‘Load ZoneAlarm at Startup’.
If you need to disable it temporarily, you should exit ZoneAlarm properly by right-clicking the ZA icon in the System Tray and clicking ‘Shutdown ZoneAlarm’. Killing the process manually through Windows Task Manager will leave you without a network connection until you reboot your computer.
Dangers of vsmon
As VSMON.EXE is a relatively common process on Windows operating systems, virus authors and spyware vendors often disguise their malware as the legitimate process.
The official process location on disk is %SystemRoot%\System32\zonelabs, where %SystemRoot% is the Windows folder on your hard disk. This is most commonly C:\Windows, although the drive letter can be whatever letter is assigned to your default hard disk (practically anything from A to Z). Other malware may use a typo in the process name, for example vmson.exe. The following backdoor is known to try to pass itself off as the genuine VSMON.EXE process:
• W32/Rbot-FB (%SystemRoot%\System32)
  o This is a Trojan that can spread over networks and allows remote hackers to take full control of an infected system as if they were the actual administrator of the system. They can perform any action that the user of the system infected with the vsmon.exe Trojan can perform.
There should typically be only one instance of this process running at a given time on any one system. The presence of multiple instances may be an indicator of a malware infection; however, do not assume that this is always the case. For example, it is normal for svchost.exe to have 5 to 6 processes running under the same name, and they are all legitimate. However, the svchost.exe process can be targeted by malware authors as well. The most important thing is to be careful and stay safe by checking your system using antivirus software, registry cleaners, spyware removers and other software utilities which are a must to own nowadays. Don’t go for the cheap option. It’s better to invest $30 in your computer than to have to buy a new one a year after you bought it.
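The checks described above (expected folder, lookalike names such as vmson.exe, and instance count) can be run against a live system. The following PowerShell script is an added example, not part of the original article or of ZoneAlarm; the helper name Get-LetterKey is hypothetical, and the signature column is an extra signal the article does not mention.

```powershell
# Added example: audit running processes that are, or resemble, vsmon.exe.
# The expected folder is the one stated in the article.
$expectedDir = Join-Path $env:SystemRoot 'System32\zonelabs'
$genuineName = 'vsmon.exe'

# Hypothetical helper: letters of the base name in sorted order, so that
# transposition typos such as vmson.exe map to the same key as vsmon.exe.
function Get-LetterKey([string]$fileName) {
    $base = [IO.Path]::GetFileNameWithoutExtension($fileName).ToLowerInvariant()
    -join ($base.ToCharArray() | Sort-Object)
}
$genuineKey = Get-LetterKey $genuineName

# Every running process whose name is vsmon.exe or a rearrangement of it.
$candidates = @(Get-CimInstance Win32_Process |
    Where-Object { $_.Name -and (Get-LetterKey $_.Name) -eq $genuineKey })

$report = foreach ($p in $candidates) {
    $findings = @()
    $sigStatus = 'n/a'
    if ($p.Name -ne $genuineName) {            # -ne is case-insensitive
        $findings += 'lookalike name'
    }
    if (-not $p.ExecutablePath) {
        $findings += 'path not readable (run elevated)'
    } else {
        $dir = Split-Path $p.ExecutablePath -Parent
        if ($dir -ne $expectedDir) { $findings += 'unexpected location' }
        # Informational only: reported, not treated as a finding.
        $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath -ErrorAction SilentlyContinue
        if ($sig) { $sigStatus = [string]$sig.Status }
    }
    [pscustomobject]@{
        Name      = $p.Name
        ProcessId = $p.ProcessId
        Path      = $p.ExecutablePath
        Signature = $sigStatus
        Findings  = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

$report | Format-Table -AutoSize -Wrap

# The article expects a single instance; more than one deserves a closer look.
$exact = @($candidates | Where-Object { $_.Name -eq $genuineName })
if ($exact.Count -gt 1) {
    Write-Warning "$($exact.Count) instances of $genuineName are running; one is expected."
}
```

Run it from an elevated prompt so that the executable path of service processes can be read. A copy in %SystemRoot%\System32, the location listed for W32/Rbot-FB, shows up as 'unexpected location'.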



