Hi All. I recently had a security breach that seems to have been the result of an unfortunate, uhm, fubar in the way my isp handled some things and the way my erstwhile sound firewall handled some things. Anyway, the result was that port 1025 was left wide open with no protection whatsoever, apparently running as a DNS server on someone's WAN. I'm not sure what actually happened, but between my ISP (Charter) and my Firewall (ZoneAlarm Pro), I started having security and system level programs "call home" to odd ips. <BR><BR> Which brings me to this querry. The firewall just reported that FRESHCLAM.EXE tried to access 64.215.170.191:DNS. This seems an odd thing for an antivirus client to be doing and the ip address seems incorrect. So, is this an actual Clamshell ip? If so, what is FRESHCLAM.EXE doing at this point?

this is normal. freshclam.exe is using DNS queries to quickly determine ifvirus database version has changed.