June 19th, 2004, 11:14 PM
#11
BTW: Agnitum is making the same unfair comparison by comparing their Pro version to the Kerio personal (limited) version here. It's still a good chart, though.
Agreed, but I do think Kerio holds its own even against the Pro one in quite a few areas. Now, with both purchased and full versions of the software, I'm sure they would stand toe to toe, if not beyond (in Kerio's favour). I may just be biased though.
edit:
Let me also say how much I hate firewalls that perform web filtering, popup blocking, ActiveX fixing, and other non-firewall related things. I enjoy having a firewall without it taking the incoming HTML (which slows it down) and recoding it (view the source, especially on ZoneAlarm; it comments its changes) to remove things. If I want to get rid of ads I will use the appropriate browser rather than extend the firewall to more aspects (thus a higher memory footprint) in terms of bloat, and more features to find exploitable (i.e. ZoneAlarm and older Sygate versions for HTML ad parsing).
-
June 20th, 2004, 03:46 AM
#12
PST-
If I remember correctly, Kerio comments changes as well? It's either that or Sygate, but I'm pretty sure Kerio does it.
Another thing- to get by the ZA firewall, does it exploit the software? You say there are reports of it getting past the NIS firewall as well. Would this be a specific attack by the adware against ZA and NIS, or a technique in general that allows it to slip past all software firewalls?
It sounds like the mythical jpeg virus that infects all picture viewers, which is "impossible". It would have to cater to all forms of software that open it, making it unrealistic. Does this spyware target ZA, and possibly NIS, or use a method that sneaks past the concept of a firewall?
-
June 20th, 2004, 04:45 AM
#13
If I remember correctly, Kerio comments changes as well? It's either that or Sygate, but I'm pretty sure Kerio does it.
Not Kerio, because Kerio doesn't filter or touch incoming HTML data, since it doesn't bother with popup or ad blocking (thankfully).
Another thing- to get by the ZA firewall, does it exploit the software? You say there are reports of it getting past the NIS firewall as well. Would this be a specific attack by the adware against ZA and NIS, or a technique in general that allows it to slip past all software firewalls?
Using API call checking (AFAIK), it knows when the designated popup window for ZA and NIS comes up to ask for permission for the software to connect to the internet. Upon seeing that it is up, it clicks the button, and it changes so quickly the user hardly notices.
source:
from http://www.spywareguide.com/product_show.php?id=517
First reported as suspicious, it became clear soon that it will pass the ZoneAlarm firewall without user consent. When it tries to connect to the Internet, and ZoneAlarm displays its dialog asking whether the program should be allowed to connect or not, ClientMan will auto-click the 'Yes' button after checking the 'Always' checkbox. This way, it grants itself Internet access without the user noticing more than a short flash of the ZA dialog.
It bypasses Norton in a similar manner, by automagically adding itself to the "allow list" by directly editing the list. (source: http://www.spysweeper.com/removing-clientman.html)
For an even more in-depth article on this particular piece of spyware:
http://www.pestpatrol.com/PestInfo/c/clientman.asp
It sounds like the mythical jpeg virus that infects all picture viewers, which is "impossible". It would have to cater to all forms of software that open it, making it unrealistic. Does this spyware target ZA, and possibly NIS, or use a method that sneaks past the concept of a firewall?
Just like how debuggers for C and C++ use window tools to gather the names of loaded windows along with currently loaded strings, the creator of this must have done the same. By gathering the window names according to the program, as well as the proper strings, they could detect when those "allow program outbound, and remember" popups occurred from the firewalls. That's ZA specific, but the way it got around NIS was by merely adding itself to the list, which was vulnerable to direct manipulation. No myth here. It can't breach Sygate or Kerio AFAIK.
-
June 20th, 2004, 05:00 AM
#14
I'm about to look for the allow list that ClientMan edits in NIS. I have NIS password protected, and I have always expected that it would encrypt the allow list somehow with it. If it doesn't, then I see no point in password-protecting my firewall or AV if all it takes is a text edit to manipulate it.
Sygate and Kerio have window program alerts AFAIK; I don't see why the next-generation ClientMan will manipulate them too. A quick fix would be to password protect the windows (password required) and password-encrypt the files the blocks are stored in.
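The fix proposed in the post above (tie the stored allow list to the firewall password so a direct text edit no longer works) as an added, runnable illustration. This is not code from NIS, ZoneAlarm, Kerio or Sygate, and the JSON layout, the PBKDF2 parameters, the rule fields and the sample paths are assumptions made for the example. The allow list is sealed with an HMAC keyed from the password; a ClientMan-style edit that appends a rule without knowing the password is then rejected when the list is loaded.

```python
"""Tamper-evident firewall allow list (added example, not any vendor's code).

Idea from the thread: if the "allow list" is an ordinary file, anything running
as the user can append itself to it. Binding the file to the firewall password
with a keyed MAC makes such an edit detectable at load time.
"""
import hashlib
import hmac
import json
import os
from typing import List, Optional, Tuple

# Assumed parameters; a real product would pick its own.
PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16


def derive_key(password: str, salt: bytes) -> bytes:
    """Derive a 256-bit MAC key from the user's firewall password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _canonical(rules) -> bytes:
    """Fixed serialisation so the MAC does not depend on key order or whitespace."""
    return json.dumps(rules, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_allow_list(rules: List[dict], password: str, salt: Optional[bytes] = None) -> str:
    """Return the on-disk form: salt, rules and an HMAC-SHA256 over salt || rules."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    tag = hmac.new(key, salt + _canonical(rules), hashlib.sha256).hexdigest()
    return json.dumps({"salt": salt.hex(), "rules": rules, "mac": tag})


def load_allow_list(blob: str, password: str) -> List[dict]:
    """Parse the on-disk form; raise ValueError if the rules were edited without the password."""
    doc = json.loads(blob)
    salt = bytes.fromhex(doc["salt"])
    key = derive_key(password, salt)
    expected = hmac.new(key, salt + _canonical(doc["rules"]), hashlib.sha256).hexdigest()
    # Constant-time compare so a local process cannot learn the tag byte by byte via timing.
    if not hmac.compare_digest(expected, str(doc.get("mac", ""))):
        raise ValueError("allow list rejected: MAC mismatch (edited without the password?)")
    return doc["rules"]


def direct_edit(blob: str, program: str) -> str:
    """Simulate the direct edit the thread describes for NIS: append a rule, no password needed."""
    doc = json.loads(blob)
    doc["rules"].append({"program": program, "action": "allow"})
    return json.dumps(doc)


# Constructed sample data for the demonstration (paths are illustrative only).
SAMPLE_RULES = [
    {"program": r"C:\Program Files\Internet Explorer\iexplore.exe", "action": "allow"},
    {"program": r"C:\Windows\system32\svchost.exe", "action": "ask"},
]
PASSWORD = "correct horse battery staple"


def demo() -> Tuple[bool, bool, bool]:
    """Returns (untampered list loads, tampered list rejected, wrong password rejected)."""
    sealed = seal_allow_list(SAMPLE_RULES, PASSWORD)
    untampered_ok = load_allow_list(sealed, PASSWORD) == SAMPLE_RULES

    tampered = direct_edit(sealed, r"C:\Windows\system32\unwanted.exe")
    try:
        load_allow_list(tampered, PASSWORD)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    try:
        load_allow_list(sealed, "guess")
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True

    return untampered_ok, tampered_rejected, wrong_pw_rejected


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add. The MAC detects an offline edit, but the firewall service needs the key to verify the file at boot, so in practice the key would come from a machine or service secret rather than the interactive password, and the file itself still needs ACLs that the user's processes cannot write through. It also does nothing against the other technique in the thread, auto-clicking the permission dialog, which never touches the file at all.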
-
June 20th, 2004, 05:14 AM
#15
Sygate and Kerio have window program alerts AFAIK
They do, but either they have not been targeted yet, or there is something in the way they were coded so as not to allow a hijack attempt. The exact method of hijacking is of course just speculation, as the programmer of the spyware certainly isn't willing to talk.
edit: In your post above mine you said "comments", and I wonder if you meant commits? Kerio doesn't do HTML comments because it does not filter HTML, but it does have the ability to commit files to the allow list, if that is what you meant?