February 4th, 2002 10:59 PM
ZoneAlarm Mutex update
Ok, so I read the thread fully about the zonealarm mutex that prevents zonealarm from loading by fooling it into thinking it's already loaded. This occurs through the potential use of a trojan. After reading this, and being an avid ZoneAlarm Pro user (registered), I wrote Zonelabs to find out what, if anything, will be done about it, as well as the dll wraparounds that can fool ZA or any firewall into letting things come in and go out because it think it's web traffic (trusted port 80).
Here's what they said:
Thanks for using ZoneAlarm Pro.
ZoneAlarm/ZoneAlarm Pro is dependent on a component called TrueVector. TrueVector monitors and controls Internet access on your computer. By default, TrueVector (vsmon.exe) is configured to run as a service when your system boots up. The TrueVector service continues to run when you close any client, until you shut down your computer or the service in the services manager. This ensures that security rules are enforced when your computer is running, even if no one is logged on. However, the user interface will not start until you log in.
If you would rather not run ZA/ZAP at startup for any reason (your machine will NOT be protected until you start ZA/ZAP manually) :
- UNcheck the box on the Configure Panel to Load At Startup
- UNcheck the Deskband or the Show Shell Bar box
- You will need to start ZA/ZAP manually.
A Trojan Horse is a software application specifically designed to take control of a computer from a remote source. A synonym for Trojans would be Remote Administration Tool (RAT). The caveat to using ZoneAlarm/ZoneAlarm Pro is that even if a Trojan somehow makes it onto your machine, it won't be able to cause any harm unless it is able to access the Internet. No other firewall provides this rock solid protection against Trojan Horses.
If a file you do not recognize is requesting access to the Internet, it should be considered suspicious and you should deny its request for access to the Internet until you can determine what the file is. You can find detailed information about an application in ZoneAlarm's Programs Panel. In the program list, locate the application in question and hover the mouse pointer over the entry. A tool tip will display the location and other information about the application. An alternative is right clicking and checking the properties. Look for the file's location and conduct your research using one of the many search engines available on the Internet. You should also use search engines to discover removal instructions if the situation requires it.
Trojan Horses can be easily disguised with cryptic file names so there is no surefire means of identifying them by sifting through the contents of your hard drive. They may use Windows services such as "RunDLL as an app", or may create their own process names to sound like Windows programs (i.e. "explore.exe", or such as BadTrans, which tries to disguise itself as "Kern32" or "Kernel32.exe"). ZA/ZAP will know that these are not the original program, if you gave the original access, by using the MD5 checksum.
Keylogging programs (including some Trojans) keep a record of all your keystrokes, attempting to find your passwords and personal information. However, these must send the data somewhere in order to be effective - ZA/ZAP will detect the new program attempting to access the Internet when sending the information "home", and alert the user.
Some Trojans are not easily removed, although there are some useful Trojan removal programs available as shareware and freeware. Also, major antivirus sites often have removal instructions and tools to aid in removal.
ZA/ZAP is a personal firewall, and does not perform the functions of an antivirus. Zone Labs highly recommends the use of a good antivirus product, in conjunction with ZoneAlarm or ZoneAlarm Pro. In addition to simply installing antivirus and ZA/ZAP, you should:
- always keep your security programs and DAT files up to date.
- use safe computing practices at all times
- never open attachments unless it is both (a) from someone you know, AND (b) expected from that person; many viruses are shared unknowingly by users who have each other in their email address book.
Note that once some viruses get onto your system, while they may shut down the ZA/ZAP user interface, and cannot get out past ZA/ZAP, and they could be doing damage to your machine locally, sometimes within seconds or minutes.
Zone Labs does not provide investigative research services for Trojan Horse incidents. Please do not send us your logs for review. We encourage ZoneAlarm users to be cautious yet ambivalent towards people who carry out Trojan Horse attacks. If you perceive the attacks as personal, you are giving the hacker an unnecessary advantage. We suggest you patiently obtain the assistance required to remove the Trojan(s) from your machine if discovered and allow ZoneAlarm/ZoneAlarm Pro to protect your computer from future attacks.
If you need to reply to us, please keep all text intact.
You can download the latest version of ZoneAlarm and ZoneAlarm Pro from our website:
Note that the Trial version is the same as the Full version once you enter your license key. We recommend that you keep a copy of the latest file in case of problems later.
Zone Labs Support
I'm not sure if that's a good thing or not, and whether I should find someone else's product for a firewall. Their best answer, as I got, was "Be paranoid and don't trust anything". What do you guys/gals think?
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.