ZoneAlarm Mutex update


Vorlin
February 4th, 2002, 11:59 PM
Ok, so I read the thread fully about the zonealarm mutex that prevents zonealarm from loading by fooling it into thinking it's already loaded. This occurs through the potential use of a trojan. After reading this, and being an avid ZoneAlarm Pro user (registered), I wrote Zonelabs to find out what, if anything, will be done about it, as well as the dll wraparounds that can fool ZA or any firewall into letting things come in and go out because it thinks it's web traffic (trusted port 80).

Here's what they said:

-------snip--------
Hi,

Thanks for using ZoneAlarm Pro.

ZoneAlarm/ZoneAlarm Pro is dependent on a component called TrueVector. TrueVector monitors and controls Internet access on your computer. By default, TrueVector (vsmon.exe) is configured to run as a service when your system boots up. The TrueVector service continues to run when you close any client, until you shut down your computer or the service in the services manager. This ensures that security rules are enforced when your computer is running, even if no one is logged on. However, the user interface will not start until you log in.

If you would rather not run ZA/ZAP at startup for any reason (your machine will NOT be protected until you start ZA/ZAP manually) :

- UNcheck the box on the Configure Panel to Load At Startup
- UNcheck the Deskband or the Show Shell Bar box
- Reboot
- You will need to start ZA/ZAP manually.

=========================================================================

A Trojan Horse is a software application specifically designed to take control of a computer from a remote source. A synonym for Trojans would be Remote Administration Tool (RAT). The caveat to using ZoneAlarm/ZoneAlarm Pro is that even if a Trojan somehow makes it onto your machine, it won't be able to cause any harm unless it is able to access the Internet. No other firewall provides this rock solid protection against Trojan Horses.

If a file you do not recognize is requesting access to the Internet, it should be considered suspicious and you should deny its request for access to the Internet until you can determine what the file is. You can find detailed information about an application in ZoneAlarm's Programs Panel. In the program list, locate the application in question and hover the mouse pointer over the entry. A tool tip will display the location and other information about the application. An alternative is right clicking and checking the properties. Look for the file's location and conduct your research using one of the many search engines available on the Internet. You should also use search engines to discover removal instructions if the situation requires it.

Trojan Horses can be easily disguised with cryptic file names so there is no surefire means of identifying them by sifting through the contents of your hard drive. They may use Windows services such as "RunDLL as an app", or may create their own process names to sound like Windows programs (i.e. "explore.exe", or such as BadTrans, which tries to disguise itself as "Kern32" or "Kernel32.exe"). ZA/ZAP will know that these are not the original program, if you gave the original access, by using the MD5 checksum.

Keylogging programs (including some Trojans) keep a record of all your keystrokes, attempting to find your passwords and personal information. However, these must send the data somewhere in order to be effective - ZA/ZAP will detect the new program attempting to access the Internet when sending the information "home", and alert the user.

Some Trojans are not easily removed, although there are some useful Trojan removal programs available as shareware and freeware. Also, major antivirus sites often have removal instructions and tools to aid in removal.

ZA/ZAP is a personal firewall, and does not perform the functions of an antivirus. Zone Labs highly recommends the use of a good antivirus product, in conjunction with ZoneAlarm or ZoneAlarm Pro. In addition to simply installing antivirus and ZA/ZAP, you should:

- always keep your security programs and DAT files up to date.
- use safe computing practices at all times
- never open attachments unless it is both (a) from someone you know, AND (b) expected from that person; many viruses are shared unknowingly by users who have each other in their email address book.

Note that once some viruses get onto your system, while they may shut down the ZA/ZAP user interface and cannot get out past ZA/ZAP, they could be doing damage to your machine locally, sometimes within seconds or minutes.

Zone Labs does not provide investigative research services for Trojan Horse incidents. Please do not send us your logs for review. We encourage ZoneAlarm users to be cautious yet ambivalent towards people who carry out Trojan Horse attacks. If you perceive the attacks as personal, you are giving the hacker an unnecessary advantage. We suggest you patiently obtain the assistance required to remove the Trojan(s) from your machine if discovered and allow ZoneAlarm/ZoneAlarm Pro to protect your computer from future attacks.

If you need to reply to us, please keep all text intact.

You can download the latest version of ZoneAlarm and ZoneAlarm Pro from our website:

http://www.zonelabs.com/zonealarm

Note that the Trial version is the same as the Full version once you enter your license key. We recommend that you keep a copy of the latest file in case of problems later.

Best regards,
Zone Labs Support

-------snip--------

I'm not sure if that's a good thing or not, and whether I should find someone else's product for a firewall. Their best answer, as I got, was "Be paranoid and don't trust anything". What do you guys/gals think?
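The email says ZA/ZAP recognises a renamed or replaced program "by using the MD5 checksum". The following is an added Python illustration of that idea, not Zone Labs' code: an allow-list keyed by program name (an assumption about how entries are keyed) that stores the file hash when access is granted and re-hashes on every later request, so a same-named replacement is reported as changed and an unfamiliar name as unknown. The sample files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict


def file_hash(path: str, algo: str = "md5") -> str:
    """Hash a file in chunks; MD5 is used because that is what the email describes."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ProgramAllowList:
    """Maps a granted program's base name to the hash seen at grant time (assumed model)."""

    def __init__(self) -> None:
        self.entries: Dict[str, str] = {}

    def grant(self, path: str) -> None:
        self.entries[os.path.basename(path).lower()] = file_hash(path)

    def check(self, path: str) -> str:
        """Return 'allowed', 'changed' (same name, different bytes) or 'unknown'."""
        name = os.path.basename(path).lower()
        if name not in self.entries:
            return "unknown"
        if self.entries[name] != file_hash(path):
            return "changed"
        return "allowed"


def demo() -> Dict[str, str]:
    """Constructed scenario: a granted explorer.exe, a same-named impostor, a lookalike name."""
    with tempfile.TemporaryDirectory() as tmp:
        real = os.path.join(tmp, "windows", "explorer.exe")
        fake = os.path.join(tmp, "temp", "explorer.exe")
        look = os.path.join(tmp, "temp", "explore.exe")
        for path, body in ((real, b"MZ genuine shell"), (fake, b"MZ dropper"), (look, b"MZ dropper")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(body)
        allow = ProgramAllowList()
        allow.grant(real)  # the user granted the genuine program once
        return {"original": allow.check(real),
                "impostor_same_name": allow.check(fake),
                "lookalike_name": allow.check(look)}
```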

KorpDeath
February 5th, 2002, 12:05 AM
I think you should load Sygate Personal Firewall because it uses a much better technology. And on top of that if you go to www.hackbusters.net and download Outbound you'll see how truly not secure ZoneAlarm is.

Sygate all the way , my friend.

P.S. Do be paranoid about a company that refuses to fix, or for that matter acknowledge, a well known problem with their software.

ac1dsp3ctrum
February 5th, 2002, 12:07 AM
Now... I have a little question for ZoneAlarm..... Why does the #1 firewall for Windoze have to rely on an external program for it to be functional... That's just asking for a security risk..... ;)

Conf1rm3d_K1ll
February 5th, 2002, 12:08 AM
I've never read a more patronising piece of crap....Might be time to give another firewall a try.

KorpDeath
February 5th, 2002, 12:13 AM
Come to think of it, they didn't even address your concern. They just cut and paste some chain letter for a response. I wonder if you sent them a different email with a completely different question would you get the same response back?

You should also ask them why they refused to work with Tom Liston when he showed them his Outbound program and how it made swiss cheese of their "firewall".

VictorKaum
February 5th, 2002, 12:22 AM
This ensures that security rules are enforced when your computer is running, even if no one is logged on


This is not even true...some weeks ago we had a discussion here on AO about someone keeping his/her box online without logging into windoze. The question was does ZA still protect the box. They say yes.
I say NO

I tried this at home: after a cold boot and no log in, so at the login screen.
I could easily ping the box with another box and receive the results (with ZA set to high security this is not possible), I could even use windows shares through the open ports... open ports! not even blocked. So there's definitely something wrong because when ZA runs they are stealthed.
Second: ZA did not work on my Win2K server so I installed Sygate Firewall.

Vorlin
February 5th, 2002, 12:38 AM
Goodbye ZoneAlarm Pro, hello Sygate! ZoneAlarm, it's been nice knowing ya...know that I've used that one year license for almost 3 years now, woohoo!

{P²P}Apocalypse
February 5th, 2002, 12:52 AM
Originally posted by VictorKaum

I tried this at home: after a cold boot and no log in, so at the login screen.
I could easily ping the box with another box and receive the results (with ZA set to high security this is not possible), I could even use windows shares through the open ports... open ports! not even blocked. So there's definitely something wrong because when ZA runs they are stealthed.
Second: ZA did not work on my Win2K server so I installed Sygate Firewall.

Oh well. I used to think so highly of ZA.

VictorKaum
February 5th, 2002, 12:58 AM
Sygate has also some errors, on a Win2K Pro box sometimes it closes its engine but keeps the client application, this means that you could think your box is protected while it's not. However you can see this because the traffic indication in the taskbar becomes grey instead of flashing when there's traffic. The reason for this error? I think it has something to do with the standby option from M$, because it only happened to me when I used the stand-by function...
Are there other ppl having the same prob?
perhaps it's some prob with my particular config.

However Sygate's Free version has more functionality than the free ZA version.

Terr
February 5th, 2002, 01:01 AM
Personally I don't really class ZA as a firewall, because it doesn't let you (AFAIK free version) set actual application-independent rules. It's more of an application-watcher... For a firewall that CAN make application rules (but doesn't only do that) I'd suggest Tiny Personal Firewall... I just can't run my NAT software with it. :(

KorpDeath
February 5th, 2002, 01:02 AM
Originally posted by VictorKaum
Sygate has also some errors, on a Win2K Pro box sometimes it closes its engine but keeps the client application, this means that you could think your box is protected while it's not. However you can see this because the traffic indication in the taskbar becomes grey instead of flashing when there's traffic. The reason for this error? I think it has something to do with the standby option from M$, because it only happened to me when I used the stand-by function...
Are there other ppl having the same prob?
perhaps it's some prob with my particular config.

However Sygate's Free version has more functionality than the free ZA version.

That's a M$ problem. I believe the new version of Sygate solves that problem. It's 5.0.

VictorKaum
February 5th, 2002, 01:13 AM
That's a M$ problem. I believe the new version of Sygate solves that problem. It's 5.0.


Thx KorpDeath
I will look at my version.

VictorKaum
February 5th, 2002, 01:20 AM
yeah, there is a new version available
http://www.sygate.com/swat/products/pspf_ov.htm
the new 5.0 pro has some feature to prevent firewall termination.

KorpDeath
February 5th, 2002, 01:27 AM
Originally posted by VictorKaum
yeah, there is a new version available
http://www.sygate.com/swat/products/pspf_ov.htm
the new 5.0 pro has some feature to prevent firewall termination.

I wouldn't lie to you VictorKaum... It also has some other really cool features.


Now if they would just give me the beta to their enterprise version 3.0......It should be here soon. Lots of cool stuff, but alas I signed an NDA with them so I can't tell. Sorry.

gold eagle
February 5th, 2002, 02:53 AM
hmm I am using za and sygate together. Maybe I should get rid of za then.

hot_ice
February 5th, 2002, 04:47 PM
I was always using ZoneAlarm, never used any others before, so I thought it was pretty good, cos I didn't know what the others offered. After reading this post, I thought I'd try out Sygate's firewall since almost everyone here gives it the thumbs up.

Well, I removed ZA, installed Sygate and I like it!! It gives you more flexibility, more control. ZA was great, offered an easy GUI and was simple. I like Sygate more and will keep it, it shows you exactly what ports are open and what their status is, which I find really useful.

I was also going to try Tiny, but before I clicked 'download now' I noticed a message which said Tiny will not function properly with M$ Internet connection sharing, which I use, so I thought I'd just give it a miss. (This was at http://download.cnet.com/)

Greg

dcongram
February 5th, 2002, 06:10 PM
I'm going to repeat myself (posted a similar message some time ago), but it's worth repeating.

Zone Alarm is only as good as the user makes it. If the user allows an unknown program to access the internet, they have violated their own security.

Case in point. Yesterday a client had puter problems and (voila !!) a quick check of the logs showed a BO port open. Seems the youngest son didn't know that 'Kill Pokemon.exe' was the trojan Bladerunner.

There was Kill Pokemon.exe allowed in and out of Zone Alarm opening a back door.

Okay.....their AntiVirus should have picked it up; but it was an old version and missed it. Another common error.

Y'all talk about Sygate....so I'm going to try it

KorpDeath
February 5th, 2002, 06:23 PM
Originally posted by gold eagle
hmm I am using za and sygate together. Maybe I should get rid of za then.



Yes you should. I don't see what you would gain by running two software firewalls but that's just me.

If you want better protection the last thing you do is put on two rubbers. Know what I mean?

VictorKaum
February 5th, 2002, 07:17 PM
Better use a software firewall and a separate firewall box to protect your LAN network.

Ratman2
February 5th, 2002, 07:29 PM
Unless there is a NEW Mutex problem this was fixed some time ago as I remember applying the patch. DiamondCS had the patch for this issue

KorpDeath
February 5th, 2002, 07:52 PM
For the last time. The issue I'm speaking of is not a Mutex problem but a problem with the technology they use. Go to www.hackbusters.net and run Outbound on your ZA firewall. It fails miserably.

By all means continue running ZA but don't come back and complain if you get it in the end. Know what I mean? The only way to approach security is to be paranoid. And don't ever settle on what the vendor or some individual who happens to write for a magazine has to say.
They are usually the ones without backups or virus scanning, etc. etc. etc.

Vorlin
February 6th, 2002, 08:34 PM
Well, due to ZA's canned response that does resemble something they'd send to anyone with a problem concerning security, I've gotten rid of it and got Sygate Pro 5.0 and have it configured for both machines. So far, grc.com's leaktest, outbound, and Sygate's own Test-your-firewall all came back negative, which is good. Oh yeah, TooLeaky failed as well (although TooLeaky is hardcoded for IE, and not the default browser).

Valentino
February 13th, 2002, 03:07 AM
where is this test-your-firewall located ?

Valentino

Valentino
February 13th, 2002, 03:30 AM
ok, i now ran the grc.com tests and it said i was totally stealth ...

am i on the "safe" side now ?


Valentino

ac1dsp3ctrum
February 13th, 2002, 04:11 AM
Nope... No one test can make you 100% safe... I have 4 firewalls running at the same time (I'm a bit paranoid), and I still see logs that I am being hacked LOL :D

Vorlin
February 14th, 2002, 04:18 PM
"Stealth" simply means that grc.com couldn't find any known open ports. This test is bogus if you're running through a 4-port router or whatnot and you have a linux server like I do where services run because it reports them and says I'm vulnerable to a bunch of things when I'm not. This does not mean that there aren't other ways into your machine.

zigar
February 14th, 2002, 04:46 PM
ok, i now ran the grc.com tests and it said i was totally stealth ...

am i on the "safe" side now ?

first stealth is your firewall dropping packets without sending a response...basically the scanner says...hey you there...your firewall keeps its mouth shut and hopes the scanner goes away...the other possible responses are....ya i'm here...but my doors are locked and you can't come in...which isn't so good as someone can say...hmmm...they've got something to hide in there...maybe i'll go see if a window is open...and lastly...hey come on in...i'll leave the door open...and i'll be out for a couple of hours...make yourself at home...(this is an unfirewalled windows 9x response... :D )


be aware that grc doesn't seem to probe with udp ...i was happily sitting behind my linksys at home running grc.com saying that i was invisible...then for some fun (ya ok i need a life...) i went and did the same scan me shtick at dslreports...and i wasn't as invisible as i thought...it detected a closed udp port response...which means it raises a flag that something is sitting there..

so 3 lessons...

1 - linksys routers don't drop "all" scans it shows a closed for some udp ports (i replaced it with a watchguard soho which IS stealthed from a dslreports scan and is much much better firewall..a lot more expensive tho...)

2- grc.com isn't scanning for udp ports

3- never believe anyone that says you are safe (actually even grc.com does mention this...)
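The three reply types zigar describes (silence, "closed", "open") and the UDP lesson, as an added Python example that is not part of the original post. It classifies constructed probe results from the scanner's point of view, with one difference from TCP the post does not spell out: UDP silence is ambiguous (open or filtered), so a TCP-only scan can report "stealth" while a single ICMP port-unreachable on a UDP port, as the Linksys anecdote describes, still reveals a host. The scan data is constructed to model that anecdote.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProbeResult:
    proto: str            # "tcp" or "udp"
    port: int
    reply: Optional[str]  # what came back, or None if nothing within the timeout


def classify(r: ProbeResult) -> str:
    """State of one port as a remote scanner would label it."""
    if r.proto == "tcp":
        if r.reply is None:
            return "stealth"          # packet dropped silently: the firewall keeps its mouth shut
        if r.reply == "SYN-ACK":
            return "open"             # "come on in"
        if r.reply == "RST":
            return "closed"           # "I'm here, but the door is locked"
    elif r.proto == "udp":
        if r.reply is None:
            return "open|filtered"    # UDP silence proves nothing either way
        if r.reply == "ICMP-port-unreachable":
            return "closed"           # this reply alone confirms a live host
        return "open"                 # an application answered the datagram
    return "unexpected"


def flagged_ports(results: List[ProbeResult],
                  protos: Tuple[str, ...] = ("tcp", "udp")) -> List[Tuple[str, int, str]]:
    """Every probed port that sent any reply at all, i.e. that gave the host away."""
    return [(r.proto, r.port, classify(r))
            for r in results if r.proto in protos and r.reply is not None]


# Constructed scan modelling the anecdote: TCP probes all dropped, one UDP port answers "closed".
CONSTRUCTED_SCAN = [
    ProbeResult("tcp", 80, None),
    ProbeResult("tcp", 139, None),
    ProbeResult("tcp", 445, None),
    ProbeResult("udp", 53, None),
    ProbeResult("udp", 137, "ICMP-port-unreachable"),
]

if __name__ == "__main__":
    print("TCP-only scanner sees:", flagged_ports(CONSTRUCTED_SCAN, ("tcp",)))   # [] -> "stealth"
    print("TCP+UDP scanner sees: ", flagged_ports(CONSTRUCTED_SCAN))             # the UDP 137 reply
```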