
Thread: ZoneAlarm Mutex update

  1. #1
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164

    Post ZoneAlarm Mutex update

    Ok, so I read the thread fully about the ZoneAlarm mutex that prevents ZoneAlarm from loading by fooling it into thinking it's already loaded. This occurs through the potential use of a trojan. After reading this, and being an avid ZoneAlarm Pro user (registered), I wrote Zone Labs to find out what, if anything, will be done about it, as well as the DLL wraparounds that can fool ZA or any firewall into letting things come in and go out because it thinks it's web traffic (trusted port 80).

    Here's what they said:

    -------snip--------
    Hi,

    Thanks for using ZoneAlarm Pro.

    ZoneAlarm/ZoneAlarm Pro is dependent on a component called TrueVector. TrueVector monitors and controls Internet access on your computer. By default, TrueVector (vsmon.exe) is configured to run as a service when your system boots up. The TrueVector service continues to run when you close any client, until you shut down your computer or the service in the services manager. This ensures that security rules are enforced when your computer is running, even if no one is logged on. However, the user interface will not start until you log in.

    If you would rather not run ZA/ZAP at startup for any reason (your machine will NOT be protected until you start ZA/ZAP manually) :

    - UNcheck the box on the Configure Panel to Load At Startup
    - UNcheck the Deskband or the Show Shell Bar box
    - Reboot
    - You will need to start ZA/ZAP manually.

    =========================================================================

    A Trojan Horse is a software application specifically designed to take control of a computer from a remote source. A synonym for Trojans would be Remote Administration Tool (RAT). The caveat to using ZoneAlarm/ZoneAlarm Pro is that even if a Trojan somehow makes it onto your machine, it won't be able to cause any harm unless it is able to access the Internet. No other firewall provides this rock solid protection against Trojan Horses.

    If a file you do not recognize is requesting access to the Internet, it should be considered suspicious and you should deny its request for access to the Internet until you can determine what the file is. You can find detailed information about an application in ZoneAlarm's Programs Panel. In the program list, locate the application in question and hover the mouse pointer over the entry. A tool tip will display the location and other information about the application. An alternative is right clicking and checking the properties. Look for the file's location and conduct your research using one of the many search engines available on the Internet. You should also use search engines to discover removal instructions if the situation requires it.

    Trojan Horses can be easily disguised with cryptic file names so there is no surefire means of identifying them by sifting through the contents of your hard drive. They may use Windows services such as "RunDLL as an app", or may create their own process names to sound like Windows programs (i.e. "explore.exe", or such as BadTrans, which tries to disguise itself as "Kern32" or "Kernel32.exe"). ZA/ZAP will know that these are not the original program, if you gave the original access, by using the MD5 checksum.

    Keylogging programs (including some Trojans) keep a record of all your keystrokes, attempting to find your passwords and personal information. However, these must send the data somewhere in order to be effective - ZA/ZAP will detect the new program attempting to access the Internet when sending the information "home", and alert the user.

    Some Trojans are not easily removed, although there are some useful Trojan removal programs available as shareware and freeware. Also, major antivirus sites often have removal instructions and tools to aid in removal.

    ZA/ZAP is a personal firewall, and does not perform the functions of an antivirus. Zone Labs highly recommends the use of a good antivirus product, in conjunction with ZoneAlarm or ZoneAlarm Pro. In addition to simply installing antivirus and ZA/ZAP, you should:

    - always keep your security programs and DAT files up to date.
    - use safe computing practices at all times
    - never open attachments unless it is both (a) from someone you know, AND (b) expected from that person; many viruses are shared unknowingly by users who have each other in their email address book.

    Note that once some viruses get onto your system, while they may shut down the ZA/ZAP user interface and cannot get out past ZA/ZAP, they could be doing damage to your machine locally, sometimes within seconds or minutes.

    Zone Labs does not provide investigative research services for Trojan Horse incidents. Please do not send us your logs for review. We encourage ZoneAlarm users to be cautious yet ambivalent towards people who carry out Trojan Horse attacks. If you perceive the attacks as personal, you are giving the hacker an unnecessary advantage. We suggest you patiently obtain the assistance required to remove the Trojan(s) from your machine if discovered and allow ZoneAlarm/ZoneAlarm Pro to protect your computer from future attacks.

    If you need to reply to us, please keep all text intact.

    You can download the latest version of ZoneAlarm and ZoneAlarm Pro from our website:

    http://www.zonelabs.com/zonealarm

    Note that the Trial version is the same as the Full version once you enter your license key. We recommend that you keep a copy of the latest file in case of problems later.

    Best regards,
    Zone Labs Support

    -------snip--------

    I'm not sure if that's a good thing or not, and whether I should find someone else's product for a firewall. Their best answer, as I got, was "Be paranoid and don't trust anything". What do you guys/gals think?
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
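The Zone Labs reply says ZA tells a renamed impostor ("Kernel32.exe") apart from a program you already approved by using an MD5 checksum. The following is an added illustration of that idea, not Zone Labs code: a constructed allowlist keyed by program path and MD5, with the classification names ("allowed", "changed", "unknown") being my own assumptions.

```python
import hashlib
import os
import tempfile

# Constructed allowlist: program path -> MD5 hex digest recorded when the user
# first granted that program Internet access. The layout is an assumption for
# this example, not ZoneAlarm's real store.

def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def approve(allowlist: dict, path: str) -> None:
    """Record the checksum of a program the user has chosen to trust."""
    allowlist[os.path.normcase(os.path.abspath(path))] = md5_of_file(path)

def check_request(allowlist: dict, path: str) -> str:
    """Classify an outbound-access request from the program at `path`:
    "allowed" (known path, same bytes), "changed" (known path, different
    bytes, e.g. overwritten by malware) or "unknown" (never approved)."""
    key = os.path.normcase(os.path.abspath(path))
    expected = allowlist.get(key)
    if expected is None:
        return "unknown"
    return "allowed" if md5_of_file(path) == expected else "changed"

def demo() -> dict:
    """Run the three cases the Zone Labs reply describes on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "browser.exe")
        with open(real, "wb") as f:
            f.write(b"constructed sample: genuine browser bytes")
        allowlist = {}
        approve(allowlist, real)
        results["genuine"] = check_request(allowlist, real)
        # Impostor dropped elsewhere under a Windows-sounding name.
        fake = os.path.join(d, "Kernel32.exe")
        with open(fake, "wb") as f:
            f.write(b"constructed sample: unrelated program bytes")
        results["impostor"] = check_request(allowlist, fake)
        # Approved program overwritten in place: same path, different content.
        with open(real, "wb") as f:
            f.write(b"constructed sample: modified browser bytes")
        results["tampered"] = check_request(allowlist, real)
    return results
```

The check is only as good as the first approval (a program approved while already compromised stays approved), and MD5 is no longer collision-resistant, so a modern implementation would use SHA-256.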

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    I think you should load Sygate Personal Firewall because it uses a much better technology. And on top of that if you go to www.hackbusters.net and download Outbound you'll see how truly not secure ZoneAlarm is.

    Sygate all the way, my friend.

    P.S. Do be paranoid about a company that refuses to fix, or for that matter acknowledge, a well known problem with their software.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Banned
    Join Date
    Oct 2001
    Posts
    1,459
    Now... I have a little question for ZoneAlarm..... Why does the #1 firewall for Windoze have to rely on an external program for it to be functional... That's just asking for a security risk.....

  4. #4
    I've never read a more patronising piece of crap....Might be time to give another firewall a try.
  5. #5
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Come to think of it, they didn't even address your concern. They just cut and pasted some chain letter for a response. I wonder if you sent them a different email with a completely different question, would you get the same response back?

    You should also ask them why they refused to work with Tom Liston when he showed them his Outbound program and how it made swiss cheese of their "firewall".
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  6. #6
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    This ensures that security rules are enforced when your computer is running, even if no one is logged on
    This is not even true...some weeks ago we had a discussion here on AO about someone keeping his/her box online without logging into Windoze. The question was: does ZA still protect the box? They say yes.
    I say NO

    I tried this at home: after a cold boot and no log in, so at the login screen.
    I could easily ping the box with another box and receive the results (with ZA set to high security this is not possible), I could even use Windows shares through the open ports... open ports! Not even blocked. So there's definitely something wrong 'cause when ZA runs they are stealthed.
    Second: ZA did not work on my Win2K server so I installed Sygate Firewall.

  7. #7
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Goodbye ZoneAlarm Pro, hello Sygate! ZoneAlarm, it's been nice knowing ya...now that I've used that one year license for almost 3 years now, woohoo!
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    882
    Originally posted by VictorKaum

    I tried this at home: after a cold boot and no log in, so at the login screen.
    I could easily ping the box with another box and receive the results (with ZA set to high security this is not possible), I could even use Windows shares through the open ports... open ports! Not even blocked. So there's definitely something wrong 'cause when ZA runs they are stealthed.
    Second: ZA did not work on my Win2K server so I installed Sygate Firewall.
    Oh well. I used to think so highly of ZA.
    The COOKIE TUX lives!!!!
    Windows NT crashed,I am the Blue Screen of Death.
    No one hears your screams.


  9. #9
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    Sygate also has some errors: on a Win2K Pro box it sometimes closes its engine but keeps the client application, which means that you could think your box is protected while it's not. However, you can see this because the traffic indication in the taskbar becomes grey instead of flashing when there's traffic. The reason for this error? I think it has something to do with the standby option from M$, 'cause it only happened to me when I used the stand-by function...
    Are there other ppl having the same prob?
    perhaps it's some prob with my particular config.

    However Sygate's Free version has more functionality than the free ZA version.

  10. #10
    Old-Fogey:Addicts founder Terr's Avatar
    Join Date
    Aug 2001
    Location
    Seattle, WA
    Posts
    2,007
    Personally I don't really class ZA as a firewall, because it doesn't let you (AFAIK free version) set actual application-independent rules. It's more of an application-watcher... For a firewall that CAN make application rules (but doesn't only do that) I'd suggest Tiny Personal Firewall... I just can't run my NAT software with it.
    [HvC]Terr: L33T Technical Proficiency
