How to set optimum settings in ZA Pro?
Escalader
April 23rd, 2007, 11:03 AM
Stem has suggested I start this thread. So this is a 1st post.
One request I have, please don't use the thread as a ZA /Checkpoint bashing opportunity. Stem I'm sure doesn't have the time to deal with all that stuff which achieves nothing on a technical knowledge level. :thumbd:
So please restrict posts to technical content questions and answers please!8)
See 3 attached posted images of the options screens. I have put the following questions to start the ball rolling.
(1) Main Firewall.
What setting should user set Internet zone security?
What is custom used for and how to approach using it?
(2) Zones
How to determine what IP's and sites to put into the Trusted Zone?
How to determine what IP's and sites to put into the Internet zone?
(3) Expert
Is it required to use/set expert rules for ZA Pro? Why?
If so can you provide a proven tested default set?
Mrkvonic
April 23rd, 2007, 11:15 AM
Hello,
You should start with defaults and slowly expand.
Trusted zone might include network computers, if there are any such.
1. Leave as is. Custom means tweaking certain options in between settings.
2. IP address, type ipconfig /all (Start > Run > cmd).
Here you can see your IP. If you wish to allow other computers on your network to have access, you can define them as trusted, either by single IP or a range.
3. Expert rules are just manual rules, mainly for applications that need server rights, like P2P, Skype and such.
Mrk
unhappy_viewer
April 23rd, 2007, 11:32 AM
{QUOTE-> Stem has suggested I start this thread. So this is a 1st post.
One request I have, please don't use the thread as a ZA /Checkpoint bashing opportunity. Stem I'm sure doesn't have the time to deal with all that stuff which achieves nothing on a technical knowledge level. :thumbd:
So please restrict posts to technical content questions and answers please!8)
See 3 attached posted images of the options screens. I have put the following questions to start the ball rolling.
<-QUOTE}
1) Main Firewall
-The Internet Zone should always be put to high. There is usually no reason to decrease the level
-The custom button for the Internet and trusted zone is used to make more technical adjustments to some of the firewall rules. For example you could allow ZA to let ICMP pings through or not. In normal cases, ICMP pings are blocked in the internet zone (provided it's on the default setting of high) while they are allowed in the trusted zone (provided it's on the default setting of medium).
2)Zones
-If you are on a home or office network and share printers and files over the LAN connection, you should put the network in the trusted zone. If you don't have a network or don't share stuff, nothing should be there. The only exception is the loopback adapter (127.0.0.1) which should be placed in the trusted zone.
-If you are on a local area network, ZA will automatically detect it. A wizard may pop up (depending on your setting) asking you which zone you wished to put the network in. Even if the wizard does not pop out, you can adjust the zone in the zone list. Remember IPs that you know you can trust can go into the trusted zone. IPs from say public hotspots should remain in the internet zone.
3)Expert Rules
-Users are not required to set expert rules in ZA. Usually trusted programs are installed on one's computer and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. Of course there are those worry warts who would still like to have fine control of their programs as if the "supposedly trusted" programs they install may turn rogue. Setting expert rules may also complicate troubleshooting when you are trying to determine which aspect of your rules and settings is not right.
-If a user requires fine control such as at which time a program is only allowed to access the internet, what protocol is allowed, who the program is only allowed to communicate to, then an expert rule is used.
-My recommendation: Absolutely no reason to touch expert rules if the programs you install are those that you trust (which you should anyway before you installed them). If you need to give a program server rights or access only to a certain zone, they can be easily done through ZA's program list.
Stem
April 23rd, 2007, 12:06 PM
{QUOTE->
(3) Expert
Is it required to use/set expert rules for ZA Pro? Why?
If so can you provide a proven tested default set? <-QUOTE}
Just to add for now,
You are basing "Expert rules" as you would with "PCtools firewall" where a set of rules are in place for the full system/all applications. Yes, this can be done in the "Expert settings" you show, and rules placed here will override all others. But, there is also the possibility of adding rules per application, if you go into "Program control / programs" and right click an application -> options
fax
April 23rd, 2007, 12:50 PM
Hi!
I don't know if you are aware of Hoov's site, if not here you have it: http://www.donhoover.net . There is some useful guidance on expert rules and other ZA related issues (e.g. trusted/internet).
And here you find some basic examples for expert rules:
http://zonealarm.donhoover.net/examples.html
Cheers,
Fax
Stem
April 23rd, 2007, 01:24 PM
{QUOTE-> 3)Expert Rules
-Users are not required to set expert rules in ZA. Usually trusted programs are installed on one's computer and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. Of course there are those worry warts who would still like to have fine control of their programs as if the "supposedly trusted" programs they install may turn rogue. Setting expert rules may also complicate troubleshooting when you are trying to determine which aspect of your rules and settings is not right.
-If a user requires fine control such as at which time a program is only allowed to access the internet, what protocol is allowed, who the program is only allowed to communicate to, then an expert rule is used.
-My recommendation: Absolutely no reason to touch expert rules if the programs you install are those that you trust (which you should anyway before you installed them). If you need to give a program server rights or access only to a certain zone, they can be easily done through ZA's program list. <-QUOTE}It can of course be viewed from that personal standpoint. We all have our own viewpoint. My suggestion to "Escalader" to start this thread was mainly to learn. "Escalader" has shown interest in learning firewall rules/setup, so why not start with a firewall that is already known to them.
With ZA pro, rules per application can be made, all these rules can be logged, including (or just) a blocking rule, which can show any possible blocked connections/packets (which may be causing problems), as this can be done one application at a time, I don't see a major problem doing this.
Escalader
April 23rd, 2007, 07:25 PM
{QUOTE-> Just to add for now,
You are basing "Expert rules" as you would with "PCtools firewall" where a set of rules are in place for the full system/all applications. Yes, this can be done in the "Expert settings" you show, and rules placed here will override all others. But, there is also the possibility of adding rules per application, if you go into "Program control / programs" and right click an application -> options
<-QUOTE}
Thanks Stem for pointing out this difference. I was going to stay in FW section of ZA first, then move to the application section next.
So then I ask this what does the ZA Pro user do in FW section and what in the Program setting section?
Let's leave expert settings to much later in both ZA sections since I would prefer only to use expert rules for exceptions that the all standard ZA options cannot handle. My PC can't be that unique so any learning here is of potential value to all FW users.
In my ideal world, I would never need to create any expert rules for any FW.
But since that is unrealistic, let's optimize ZA Pro first using its standard options during setup and early use. Then at the end say what's missing and fix those exceptions only with expert rules.
I'm going to wait a bit for more post contributions, then I'll foolishly summarize what I think the answers are to my own questions for the experts here to either validate or correct. I'm not concerned with my own :-[ since this is a learning thread, and I hope not just for me alone; I'm only one member.
Fax, thanks for the link www.donhoover.net. I seem to remember that link. Can you make a post on these questions from your own experience?
unhappy_viewer
April 24th, 2007, 03:23 AM
{QUOTE-> It can of course be viewed from that personal standpoint. We all have our own viewpoint. My suggestion to "Escalader" to start this thread was mainly to learn. "Escalader" has shown interest in learning firewall rules/setup, so why not start with a firewall that is already known to them.
With ZA pro, rules per application can be made, all these rules can be logged, including (or just) a blocking rule, which can show any possible blocked connections/packets (which may be causing problems), as this can be done one application at a time, I don't see a major problem doing this. <-QUOTE}
While I encourage people to learn about expert rules, there is a reason why they are called "expert". From my experiences helping out in the ZL forums, a lot of people using expert rules can't get them to work correctly because they usually don't fully understand the basis for expert rules and how they work. This usually results in a misconfiguration in their expert rules or program settings.
Remember that expert rules do not bring added security. It's just a way to give people more rein over their programs. As mentioned I just don't see the point in that unless you are incredibly paranoid.
{QUOTE-> Fax, thanks for the link www.donhoover.net. <-QUOTE}
Hoov's site is a great reference place. He is a guru on the ZL forum. He used to post there frequently but now the CastleCops ZA forum keeps him pretty busy.
fax
April 24th, 2007, 04:56 AM
{QUOTE->
Fax, thanks for the link www.donhoover.net. Seem to remember that link. Can you make a post on these questions from your own experience?
So then I ask this what does the ZA Pro user do in FW section and what in the Program setting section?
<-QUOTE}
Hi!
to be honest I personally leave SmartDefence ON and rely on automatic settings by ZA central database.
I believe that there are basically three approaches to firewall settings:
1. Higher compatibility: Let ZA decide the best settings for applications. And set custom rules (not expert rules) for applications that are unknown to the ZA database (based on application needs).
2. Stricter control: Analyse your application list under program control and modify applications that have been given Server rights to the internet into '?' or 'X'. Enable Privacy control including mobile code control and allow mobile code only for trusted sites.
3. Security Conscious/Stressed (formerly called Paranoid ;D ): Use expert rules to limit the ports that an application can use. Only http for Web browsers, pop/smtp/IMAP for mail clients, etc...
And for Trusted/Untrusted:
1. Higher compatibility: Set your LAN as trusted.
2. Stricter control: Set your LAN as Internet and add only your router and the PC IPs in your LAN (if they need to access your system/printer/etc..) to the trusted zone.
To sum up, my experience is that it is much more important to restrict web resources (activex, javascript, etc..) than to close down the firewall...
Hope this helps
Fax
Escalader
April 24th, 2007, 08:54 AM
Hi:
The following block occurred this AM. The source IP address is my own PC on the router? How do I get this stopped or do I even want to? It logged it for some reason.
The ZA smart defense is on for all 69 programs configured for internet access. OS component control is still off.
_________________________________________________________________
ZoneAlarm Pro blocked an ICMP Destination Unreachable message
No breach in your security has occurred. Your computer is safe.
Inside the firewall alert (alert property: value -- technical explanation)
Source IP Address: 192.168.1.1 -- The IP address of the computer that sent the packet which caused the alert.
Destination IP: xxx.xxx.xxx.xxx -- The IP address of the computer to which the packet was sent.
Transport Layer Protocol: ICMP -- The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol: IP -- The protocol that allows two networked computers to locate each other on a network.
Protocol Specific: Type 3 - Destination unreachable -- Some protocols, such as ICMP and IGMP, have multiple "types" associated with the protocol. Each type number for a specific protocol has a standardized meaning.
Link Layer Protocol: Ethernet -- The protocol that allows two directly linked computers to share a network cable.
Alert Date: Apr-24-2007 05:12:33 AM PDT -- The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count: 1 -- Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert (alert property: value -- technical explanation)
Lock Level: Lock Not Engaged -- Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level: Medium -- This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers: Servers Allowed -- Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level: High -- This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers: Servers Allowed -- Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction: Incoming -- The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone: Internet Zone -- This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system: Windows XP-5.1.2600-Service Pack 2-SP -- Version of operating system running on your computer.
fax
April 24th, 2007, 09:08 AM
{QUOTE-> Hi:
The following block occurred this AM. The source IP address is my own PC on the router? How do I get this stopped or do I even want to? It logged it for some reason.
The ZA smart defense is on for all 69 programs configured for internet access. OS component control is still off.
<-QUOTE}
Strange... Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones? Is the Trusted Zone Security set to MEDIUM?
And did you change anything in there? Like "Block incoming ping" (ICMP)?
Fax
EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX???
EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)?
Escalader
April 24th, 2007, 11:45 AM
{QUOTE-> Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones? <-QUOTE}
No, Family Lan is at Internet in FW zones. Internet Zone set at High! See the technical information provided down inside the ZA text from the "more information" service.
{QUOTE-> Is the Trusted Zone Security set to MEDIUM? <-QUOTE}
Yes, see technical information in post.
{QUOTE-> And did you change anything in there? Like "Block incoming ping" (ICMP)? <-QUOTE}
Nope, changed zip, nada, nothing! Not so strange perhaps. The way I read it ZA policy blocks these. Quote: "Packet Direction Incoming The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone"
{QUOTE-> EDIT: and what was the destination IP? Always from your LAN? 192.168.XXX.XXX??? <-QUOTE}
On that block it is always from 192.1.168.1.1 to 192.1.168.1.100
{QUOTE-> EDIT2: Is your DNS and DHCP set by the router (i.e. DNS=DHCP=192.168.1.1)? <-QUOTE}
Yes, set by router.
fax
April 24th, 2007, 11:54 AM
{QUOTE-> Is 192.168.1.0 (Family Lan) still TRUSTED under the firewall Zones?
No, Family Lan is at Internet in FW zones. Internet Zone set at High! See the technical information provided down inside the ZA text from the "more information" service <-QUOTE}
OK, then it's normal... If you put TRUSTED, it will not happen...
If you 'restrict' your LAN, you're likely to get these warnings from time to time.
Nothing to worry about.
Fax
P.S. There is no need of masking 192.68.whatever addresses, they are internal IPs. No one outside can do anything with that information ;D
Stem
April 25th, 2007, 08:24 AM
{QUOTE-> While I encourage people to learn about expert rules, there is a reason why they are called "expert". From my experiences helping out in the ZL forums, a lot of people using expert rules can't get them to work correctly because they usually don't fully understand the basis for expert rules and how they work. This usually results in a misconfiguration in their expert rules or program settings. <-QUOTE}Then maybe there is a lack of info/support in this area. I believe that if a user wants to create rulesets, for whatever reason, then support should be given, certainly on a dedicated forum; simply informing a user they are not needed is, to me, not support.
{QUOTE-> Remember that expert rules do not bring added security. It's just a way to give people more rein over their programs. As mentioned I just don't see the point in that unless you are incredibly paranoid. <-QUOTE}I would disagree. As for example, I want to ensure that any updates for my AV are only made from that vendor's update sites, why not then set rules for this, with logging. You say such is paranoid, I do not, I call this control/accountability.
Ignorance is not bliss when it comes to security.
{QUOTE-> Usually trusted programs are installed on one's computer and if you really trust them, there should be no reason for you to doubt them and create specific boundaries for these programs apart from the program permission in the program list. <-QUOTE}My trust in a program/application is gained over time, I have yet to trust any program 100% simply based on what the vendor or others say. We can see such from windows itself, and the problems/concerns of outbound connections made.
Escalader
April 25th, 2007, 09:49 AM
{QUOTE-> OK, then it's normal... If you put TRUSTED, it will not happen...
If you 'restrict' your LAN, you're likely to get these warnings from time to time.
Nothing to worry about.
Fax
P.S. There is no need of masking 192.68.whatever addresses, they are internal IPs. No one outside can do anything with that information ;D <-QUOTE}
Stem and Fax:
Could you guys verify/recheck these 2 statements for me, in learning mode, so I need to understand "why" it is okay to put a family lan as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings?
On masking the 192.168.1.0 type addresses is it technically accurate that no firm or person could use that information for anything?
fax
April 25th, 2007, 10:16 AM
{QUOTE-> Stem and Fax:
Could you guys verify/recheck these 2 statements for me, in learning mode, so I need to understand "why" it is okay to put a family lan as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings?
On masking the 192.168.1.0 type addresses is it technically accurate that no firm or person could use that information for anything? <-QUOTE}
Hi!
It is not only to avoid warnings but to avoid any malfunction in your LAN (lost packets, sharing files/printers, connection problems). If security is your primary objective then leave your LAN as untrusted, but you should not be surprised if you get alerts in your firewall, maybe by simply surfing the net or watching a movie on youtube, using your IM software, your webcam, P2P, etc....
If you put your LAN as untrusted, it is a good norm to add your router IP as Trusted to avoid communication problems between your router and your system. And if you are sharing resources in your LAN you will need to add those IPs to your trusted zone.
192.168.1.0 is a reserved address, internal only. I can't ping you, it's like pinging 127.0.0.0 (my/your/any computer). In my case I can tell you that my address is 192.168.2.2 and my router address is 192.168.2.1. You may guess the brand of my router but nothing else because my real IP (the real address and not the translated one) is different. Actually even if I give you my real IP address you cannot do much. It's like you know my home address but you don't have the keys to enter into my house ;D
It is perfectly safe (99% of the cases) to add your LAN as trusted granted that you trust the other elements in your LAN and that the other systems are equally protected as your system.
It is more important to: change the default password of the router, keep the router firmware updated and if you use wireless, to encrypt the connection using WPA/WPA2 with a strong random password (more than 30 characters).
Hope this helps.
Fax
Stem
April 25th, 2007, 11:40 AM
{QUOTE-> so I need to understand "why" it is okay to put a family lan as "trusted" just to avoid warnings. Isn't security the goal, not avoiding warnings? <-QUOTE}Many will say to place your LAN as trusted, simply as this can cause fewer popups/warnings/support issues. For me, adding a router is part of my layer of inbound protection; to me, if you simply place this as trusted, then that layer is removed.
I will say that such as ICMP over a home LAN should be allowed, as without this, problems can/do arise.
It really comes down to setup/need, example: if in a home LAN, and you use DHCP, then this needs to be taken into account, and yes, it is easier to say trust the DHCP server (router) than create rules. But is this for the better?
fax
April 25th, 2007, 12:01 PM
{QUOTE-> Many will say to place your LAN as trusted, simply as this can cause fewer popups/warnings/support issues. For me, adding a router is part of my layer of inbound protection; to me, if you simply place this as trusted, then that layer is removed.
I will say that such as ICMP over a home LAN should be allowed, as without this, problems can/do arise.
It really comes down to setup/need, example: if in a home LAN, and you use DHCP, then this needs to be taken into account, and yes, it is easier to say trust the DHCP server (router) than create rules. But is this for the better? <-QUOTE}
Hi Stem,
if I have understood well, you are not even recommending adding your router IP to the trusted zone... well, if this is the case... it will create some headaches for Escalader when confronted with errors and connection problems...
But I would be curious to see your approach.. such as manual allocation of IPs (turn off DHCP), set the windows PC to manage this...
Well, at least it's a way to learn how to deal with networks;D
But to the benefit of Escalader you should then give him concrete directions, otherwise he will be lost.
EDIT: But most of all, will this increase his protection?
Yes, but not proportional to the potential difficulties he will encounter with programs/connections misbehaving (including ZA itself)
Fax
Stem
April 25th, 2007, 12:08 PM
Hello fax,
{QUOTE-> if I have understood well, you are not even recommending adding your router IP to the trusted zone... well, if this is the case... it will create some headaches for Escalader when confronted with errors and connection problems... <-QUOTE}As mentioned, it depends on setup/needs, as with "Escalader", the PC is a fixed IP, so no DHCP needed, which is one of the main problems. ARP is allowed, so this again is not a problem.
{QUOTE-> But to the benefit of Escalader you should then give him concrete directions, otherwise he will be lost. <-QUOTE}My spare time is limited these days, but I will certainly use what I have to help anyone here on the forum.
fax
April 25th, 2007, 12:47 PM
{QUOTE-> Hello fax,
As mentioned, it depends on setup/needs, as with "Escalader", the PC is a fixed IP, so no DHCP needed, which is one of the main problems. ARP is allowed, so this again is not a problem. <-QUOTE}
Yep, OK... thanks for clarifying.
Fax
Escalader
April 25th, 2007, 04:37 PM
Thanks, guys your exchange was interesting.
Based on the concept that my router is part of a "layered defense" (my words), I see it the same way, as a critical piece of the setup.
So for now, I will set the ZA FW back to internet from trusted.
Then as alert messages get logged I'll ask how to deal with those that can be accepted since the router and AlphaShield exist. My main concern is outgoing.
Bear with me on all this. 8)
Stem
April 25th, 2007, 04:59 PM
{QUOTE-> Bear with me on all this. 8) <-QUOTE}As long as you want/need, certainly from me.
Let us look at a certain point, DHCP (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)
OK, this can be problematic, as a need to connect to the DHCP servers (with reply allowed) is needed. Without such, internet connection will not be available. Now with such firewalls that have UDP SPI (state table) then only a need to allow the outbound bootdhcp (broadcast) is needed for this, the reply being allowed via the UDP SPI (table). So, no actual allow inbound is required for this, so no need to "trust" the DHCP server, as with most setups, svchost (XP) is allowed outbound due to this (and/or DNS,.. depending on setup) so the outbound is allowed. ZA does have UDP SPI (table), so there should be no problem.
I do still need to make checks on ZA during boot, I know ZA attempts outbound during boot, so I would presume DHCP has already taken place at that point, but will verify.
I do intend to give you direct answers to your original questions, but I am currently going with the digression, which is still on topic, but does need clarification (such as trusted zone/ use of)
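As an added illustration (not ZoneAlarm's code or rules, and not from anyone in this thread), the toy Python model below ties together Fax's zone advice and Stem's DHCP point: the router's ICMP message from Escalader's alert is dropped while the LAN sits in the Internet Zone at High yet accepted once the LAN is trusted, and a DHCP offer still gets through without any inbound allow because a UDP state table matches it to the outbound broadcast. The zone names and addresses are taken from the thread; the rule that a broadcast datagram may be answered by any host is an assumption of the model.

```python
"""Toy model of zone-based filtering with a UDP state table (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

BROADCAST = ipaddress.ip_address("255.255.255.255")


@dataclass(frozen=True)
class Packet:
    proto: str               # "udp", "tcp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: int = 0        # 0 for ICMP, which has no ports
    dst_port: int = 0
    direction: str = "in"    # "in" (towards this PC) or "out"


@dataclass
class ZonePolicy:
    """Hypothetical zone table: networks or hosts placed in the Trusted Zone.

    Everything else (the loopback adapter aside) falls into the Internet Zone,
    modelled here at the High setting: unsolicited inbound traffic is dropped.
    """
    trusted: list = field(default_factory=list)

    def zone_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback:
            return "trusted"
        for net in self.trusted:
            if addr in ipaddress.ip_network(net, strict=False):
                return "trusted"
        return "internet"


class StatefulFilter:
    def __init__(self, policy: ZonePolicy):
        self.policy = policy
        # Outbound UDP flows already seen: (src_ip, src_port, dst_ip, dst_port).
        self.udp_state: set = set()

    def _reply_to_known_flow(self, p: Packet) -> bool:
        for s_ip, s_port, d_ip, d_port in self.udp_state:
            ports_match = p.dst_port == s_port and p.src_port == d_port
            # Assumed simplification: a datagram sent to the broadcast address
            # may be answered by any host, because the DHCP server replies from
            # its own address rather than from 255.255.255.255.
            peer_ok = ipaddress.ip_address(d_ip) == BROADCAST or p.src_ip == d_ip
            if ports_match and peer_ok:
                return True
        return False

    def handle(self, p: Packet) -> str:
        """Return 'allow' or 'block'; outbound UDP opens a state-table entry."""
        if p.direction == "out":
            if p.proto == "udp":
                self.udp_state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        if self.policy.zone_of(p.src_ip) == "trusted":
            return "allow"   # Trusted Zone at Medium: ICMP and LAN services pass
        if p.proto == "udp" and self._reply_to_known_flow(p):
            return "allow"   # reply to a flow this PC opened itself
        return "block"       # Internet Zone at High: anything unsolicited


LAN = "192.168.1.0/24"
ROUTER, PC = "192.168.1.1", "192.168.1.100"   # addresses as given in the thread


def icmp_from_router(lan_trusted: bool) -> str:
    """The alert from the thread: ICMP Destination Unreachable sent by the router."""
    fw = StatefulFilter(ZonePolicy(trusted=[LAN] if lan_trusted else []))
    return fw.handle(Packet("icmp", ROUTER, PC))


def dhcp_exchange(lan_trusted: bool) -> str:
    """DISCOVER out to broadcast (0.0.0.0:68 -> 255.255.255.255:67), OFFER back."""
    fw = StatefulFilter(ZonePolicy(trusted=[LAN] if lan_trusted else []))
    fw.handle(Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67, "out"))
    return fw.handle(Packet("udp", ROUTER, "255.255.255.255", 67, 68, "in"))


def dns_reply(solicited: bool) -> str:
    """A UDP/53 reply from an Internet-zone host, with or without our query first."""
    fw = StatefulFilter(ZonePolicy(trusted=[]))
    if solicited:
        fw.handle(Packet("udp", PC, "64.71.255.198", 1316, 53, "out"))
    return fw.handle(Packet("udp", "64.71.255.198", PC, 53, 1316, "in"))


if __name__ == "__main__":
    print("ICMP from router, LAN in Internet zone:", icmp_from_router(False))
    print("ICMP from router, LAN trusted:         ", icmp_from_router(True))
    print("DHCP offer, LAN in Internet zone:      ", dhcp_exchange(False))
    print("DNS reply without our query:           ", dns_reply(False))
    print("DNS reply after our query:             ", dns_reply(True))
```

The model deliberately has no per-application rules, so it shows only why the LAN's zone decides the ICMP alert while the DHCP reply is independent of it.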
unhappy_viewer
April 25th, 2007, 08:02 PM
{QUOTE-> Then maybe there is a lack of info/support in this area. I believe that if a user wants to create rulesets, for whatever reason, then support should be given, certainly on a dedicated forum; simply informing a user they are not needed is, to me, not support. <-QUOTE}
We will give support if user certainly wishes to continue to use expert rules. However sometimes people create rules like allow Firefox to access all internet websites and that really does not differ from the basic program control. Same when people use expert rules to stop it from accessing IPs other than local IPs which could have been easily done again using ZA's program control. Obviously in these cases we tell people what they want can be easily satisfied just using ZA's program control.
{QUOTE-> I would disagree. As for example, I want to ensure that any updates for my AV are only made from that vendor's update sites, why not then set rules for this, with logging. You say such is paranoid, I do not, I call this control/accountability.
Ignorance is not bliss when it comes to security. <-QUOTE}
Sure you can, but accountability does not mean added security. I can hold my home security alarm accountable for protecting my home, but if I am going to leave my doors and windows open, my home will still be robbed in a matter of seconds. The alarm will record that intruders were present (accountable) but security was never there to begin with. I could not install a home security alarm, but if I lock my doors and shut my windows tight, my home is still safe (security).
{QUOTE-> My trust in a program/application is gained over time, I have yet to trust any program 100% simply based on what the vendor or others say. We can see such from windows itself, and the problems/concerns of outbound connections made. <-QUOTE}
I guess that's your way of trusting things. For me, it's nothing on the computer unless the application is known to be a trusted program. So my trust in a program has to be built up by other people (maybe people like you) before it even goes on my PC. You could be like Steve Gibson: no AV etc. but still very safe since he locks his computer down.
Escalader
April 25th, 2007, 08:06 PM
{QUOTE-> As long as you want/need, certainly from me.
Let us look at a certain point, DHCP (http://en.wikipedia.org/wiki/Dynamic_Host_Configuration_Protocol)
OK, this can be problematic, as a need to connect to the DHCP servers (with reply allowed) is needed. Without such, internet connection will not be available. Now with such firewalls that have UDP SPI (state table) then only a need to allow the outbound bootdhcp (broadcast) is needed for this, the reply being allowed via the UDP SPI (table). So, no actual allow inbound is required for this, so no need to "trust" the DHCP server, as with most setups, svchost (XP) is allowed outbound due to this (and/or DNS,.. depending on setup) so the outbound is allowed. ZA does have UDP SPI (table), so there should be no problem.
I do still need to make checks on ZA during boot, I know ZA attempts outbound during boot, so I would presume DHCP has already taken place at that point, but will verify.
I do intend to give you direct answers to your original questions, but I am currently going with the digression, which is still on topic, but does need clarification (such as trusted zone/ use of) <-QUOTE}
Stem:
Thanks Stem. I know you are busy and I only hope others will benefit from the thread as well!
This is an outgoing block ZA made on my behalf. It seems to be directed toward my own ISP.
Question: Do I need to alter any basic settings?
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Inside the firewall alert
Source IP Address: xxx.xxx.xxx.xxx - The IP address of the computer that sent the packet which caused the alert.
Source Port: 1316 - The port used by the source computer when sending the packet.
Destination IP: 64.71.255.198 - The IP address of the computer to which the packet was sent.
Destination Port: 53 - The port on the destination computer used to receive the packet.
Transport Layer Protocol: UDP - The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol: IP - The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol: Ethernet - The protocol that allows two directly linked computers to share a network cable.
Program Name: Generic Host Process for Win32 Services - A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name: SVCHOST.EXE - The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version: 5.1.2600.2180 - The version of SVCHOST.EXE running on your computer.
Alert Date: Apr-25-2007 03:57:48 PM PDT - The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count: 1 - Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Lock Level: Lock Not Engaged - Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level: Medium - This ZoneAlarm Pro setting enforces application privileges and Internet Lock settings, leaving your computer visible to other computers in the Trusted Zone. It does not block file or printer shares (NetBIOS) or operating system traffic to and from the Trusted Zone.
Trusted Zone Servers: Servers Allowed - Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level: High - This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers: Servers Allowed - Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction: Outgoing - The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone: Internet Zone - This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system: Windows XP-5.1.2600-Service Pack 2-SP - Version of operating system running on your computer.
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred. Your computer is safe.
Details
This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.
For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.
Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.
The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.
In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:
An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.
To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.
Stem
April 25th, 2007, 09:21 PM
{QUOTE-> Sure you can but accountability does not mean added security. I can hold my home security alarm accountable for protecting my home but if I am going to leave my doors and windows open, my home will still be robbed in a matter of seconds. The alarm will record that intruders were present (accountable) but security was never there to begin with. I could not install a home security alarm but if I lock my doors and shut my windows tight, my home is still safe (security). <-QUOTE}
Comparison, why not. Even with doors/windows shut, alarms need to be in place. This is needed, nothing is 100%. Windows/doors can be broken.
If a firewall, whichever, was 100%, I would install and tell all to use. Can you tell me of such a firewall, with honesty, from my checking, I still do not know one (any).
{QUOTE-> I guess that's your way of trusting things. For me, it's nothing on the computer unless the application is known to be a trusted program. <-QUOTE}
I cannot argue with your personal view, if you trust all the programs you install. But may I ask, how do you know/trust a program? Example: a new program online "whatever",.. how would you look at such? Do you install new programs?
Stem
April 25th, 2007, 09:58 PM
{QUOTE-> Do I need to alter any basic settings? <-QUOTE}
I am still trying to find a way to stop ZA attempting outbound during boot (why should ZA attempt outbound during boot?). Also, whatever options are disabled, ZA still attempts to connect out. This was reported as a bug in earlier versions.
unhappy_viewer
April 26th, 2007, 03:27 AM
{QUOTE-> Comparison, why not. Even with doors/windows shut, alarms need to be in place. This is needed, nothing is 100%. Windows/doors can be broken. <-QUOTE}
Ah, but my actual home never has an alarm and has never been burgled. Just good old solid doors and windows protecting me. Maybe my neighbourhood is a safe one. :)
{QUOTE-> If a firewall, whichever, was 100%, I would install and tell all to use. Can you tell me of such a firewall, with honesty, from my checking, I still do not know one (any). <-QUOTE}
The best firewall is one I always recommend myself and works 100% if you have it: common sense. Unfortunately, common sense is not really common these days. :( A lot of people, when they see alerts or prompts, have a tendency to automatically click the "Yes" button. A firewall with prompts and alerts can still only do that much.
{QUOTE-> I cannot argue with you personal view, if you trust all the programs you install. But may I ask, how do you know/trust a program? Example: A new program online "whatever",.. how would you look at such? Do you install new programs? <-QUOTE}
Reputation and trust spreads easily by word of mouth.
Escalader
April 26th, 2007, 08:16 AM
{QUOTE-> I am still trying to find a way to stop ZA attempting outbound during boot (why should ZA attempt outbound during boot?). Also, whatever options are disabled, ZA still attempts to connect out. This was reported as a bug in earlier versions. <-QUOTE}
That's good Stem, but I could only guess why they might do that during boot. ZA Pro shows the message once on a block but then blocks silently, so that doesn't bother me.
I'm leaving my Family Lan as Internet not trusted based on your concept. Let's move on to the next question in original post.
But at any rate what I would really like to do now is set ZA Pro to run in as optimum a way as is possible on my setup behind the Router/AlphaShield router the way it is designed to work.
Then much later try to fix any flaws in my setup with your help and any other FW experts here. Maybe we will run a shields up or other test on my system to find and report the flaws.
But for you, this part of the last block help page may/may not give a clue:
"To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first."
Stem
April 26th, 2007, 11:06 AM
@Escalader,
So was the log showing the DNS lookup blocked at startup (or re-boot)? If yes, then it was probably "windows time" that was making this attempt (or another windows service). I will set up a little later on a test PC, just to check through what is allowed/blocked (in/out) during bootup.
Escalader
April 26th, 2007, 02:50 PM
{QUOTE-> @Escalader,
So was the log showing the DNS lookup blocked at startup (or re-boot)? If yes, then it was probably "windows time" that was making this attempt (or another windows service). I will set up a little later on a test PC, just to check through what is allowed/blocked (in/out) during bootup. <-QUOTE}
Great Idea Stem.
I'm on ZA Pro so I don't know if that makes a difference to your test PC.
I just cleared all logs and will reboot and send in the in/outs during my boot in order to answer your question more easily.
Escalader
April 26th, 2007, 03:36 PM
{QUOTE-> Great Idea Stem.
I'm on ZA Pro so I don't know if that makes a difference to your test PC.
I just cleared all logs and will reboot and send in the in/outs during my boot in order to answer your question more easily. <-QUOTE}
I see no blocks at login time.
What I have now is program control set to high, where ZA says programs must ask for Internet access and server rights. I still have component control off. Should I engage it? Anybody? Here are some log entries I got:
First New Log entry
Windows Explorer is trying to use another program to connect to the Internet or your local network.
ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
Inside the program alert
Program Name: Windows Explorer - A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: EXPLORER.EXE - The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) - The version of Windows Explorer running on your computer.
Program Size: 1032192 - The size of the program executable file in bytes.
Program MD5: a0732187050030ae399b241436565e64 - The MD5 hash, or number, that uniquely identifies the executable.
Program CRC: e67b9ac9 - The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
Date Modified: Aug-04-2004 06:00:00 AM - The date when EXPLORER.EXE was most recently modified.
Connect Type: Access - This value can be either Access, which is an Internet connection attempt by Windows Explorer, or Server, which indicates that Windows Explorer is waiting for connections coming in from the Internet.
Remote Port: 53 - The port Windows Explorer is using on the remote computer.
Remote IP Address: 206.190.36.17 - The IP address of the remote computer that caused the alert.
Alert Date: Apr-26-2007 12:05:18 PM PDT - The time when ZoneAlarm Pro detected the alert on your computer.
ZoneAlarm Pro security enforcement at time of alert
Program Status: New Parent Program - Windows Explorer is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows Explorer has attempted indirect access.
Zone: Internet Zone - This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Next New Entry
Windows NT Logon Application is trying to use another program to connect to the Internet or your local network.
ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
Inside the program alert
Program Name: Windows NT Logon Application - A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename: WINLOGON.EXE - The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) - The version of Windows NT Logon Application running on your computer.
Program Size: 502272 - The size of the program executable file in bytes.
Program MD5: 01c3346c241652f43aed8e2149881bfe - The MD5 hash, or number, that uniquely identifies the executable.
Program CRC: 640920a2 - The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
Date Modified: Aug-04-2004 06:00:00 AM - The date when WINLOGON.EXE was most recently modified.
Connect Type: Access - This value can be either Access, which is an Internet connection attempt by Windows NT Logon Application, or Server, which indicates that Windows NT Logon Application is waiting for connections coming in from the Internet.
Remote Port: 53 - The port Windows NT Logon Application is using on the remote computer.
Remote IP Address: 206.190.36.17 - The IP address of the remote computer that caused the alert.
Alert Date: Apr-26-2007 12:04:26 PM PDT - The time when ZoneAlarm Pro detected the alert on your computer.
ZoneAlarm Pro security enforcement at time of alert
Program Status: New Parent Program - Windows NT Logon Application is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows NT Logon Application has attempted indirect access.
Zone: Internet Zone - This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Previous session entry on Quicken. I denied it; that seems to have zero effect on program usage.
Quicken Launcher is trying to monitor your system to observe what events are occurring.
ZoneAlarm Pro is asking you whether to allow this behavior. Your computer is safe.
Inside the OSFirewall alert
Program Name: Quicken Launcher - A program running on your computer, which attempted an action that was detected by the OSFirewall.
Filename: qw.exe - The filename of the program that ZoneAlarm Pro found on your computer.
Program Version: 15.1.1.179 - The version of Quicken Launcher running on your computer.
Program Size: 13312 - The size of the program executable file in bytes.
Program MD5: 23f5bdb7ef472d3c55e242c85217730d - The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum: 4156e899de16b4e31f221662134628ca - The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified: Aug-15-2005 05:18:30 AM - The date when qw.exe was most recently modified.
Event Type: Execution - The event involved executing Windows instructions.
Sub Event Type: ExecutionGlobalWindowsHook - Quicken Launcher attempted to set
Stem
April 27th, 2007, 09:41 AM
@Escalader,
For indirect access (trying to use another program to connect to the Internet), you need to be careful. Such processes as "WINLOGON.EXE", if denied this, can cause your browser not to be able to connect.
As for bootup.
I have setup with ZA installed on a PC on LAN, behind a gateway, just to check for DHCP etc, and to see what is being sent out. I have set the LAN as "Internet", and unchecked the "Allow broadcast" for that zone.
DHCPboot (with reply) is allowed: ARP(with reply) is allowed: ICMP is allowed(the gateway is pinged during boot, even with ICMP not allowed): IGMP is allowed(even with this not allowed).
So having the LAN as "Internet", from these results, will not cause problems for DHCP (renewal is also allowed).
ZA is still attempting to connect to Zonelabs during/after boot/ on close down, with whatever settings I make within the firewall. If your previous statement still stands: {QUOTE-> My main goal in all this is to control/ block outgoing packets that have no business leaving my PC <-QUOTE}Then I would suggest removing ZA.
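The boot-time check Stem describes above, as an added example that is not from the thread or from ZoneAlarm: given a list of connections seen during boot, it classifies each one against the traffic Stem saw allowed with the LAN in the Internet zone (DHCP, ARP, the gateway ping, IGMP, DNS) and flags anything outside that set, such as a vendor process connecting out while every "contact" option is disabled. The subnet, the FWUPDATE.EXE process name and the 203.0.113.5 destination are constructed placeholders; the two DNS server addresses are the ones in the alerts posted earlier in this thread.

```python
"""Triage of boot-time connections against an expected-traffic policy.
Added example; the policy values below are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MULTICAST = ip_network("224.0.0.0/4")
BROADCAST = ip_address("255.255.255.255")


@dataclass(frozen=True)
class Flow:
    proto: str            # "ARP", "UDP", "TCP", "ICMP" or "IGMP"
    src: str
    dst: str
    dport: Optional[int]  # None for protocols without ports
    program: str          # sending process, as the firewall alert names it


@dataclass(frozen=True)
class Policy:
    lan: str                    # local subnet placed in the Internet zone
    gateway: str
    resolvers: frozenset        # DNS servers handed out by DHCP / the ISP
    allow_broadcast: bool       # the "Allow Broadcast/Multicast" checkbox
    updates_enabled: bool       # any "contact with vendor" option enabled
    vendor_programs: frozenset  # processes allowed to phone home when enabled


def classify(flow: Flow, pol: Policy) -> str:
    """Return a verdict string starting with expected/noise/review/unexpected."""
    lan = ip_network(pol.lan)
    gw = ip_address(pol.gateway)
    dst = ip_address(flow.dst)
    if flow.proto == "ARP":
        return "expected: ARP" if dst in lan else "review: ARP for off-subnet address"
    # DHCP discover/renew is checked before the generic broadcast rule,
    # because it is broadcast too and must stay allowed for the LAN to work.
    if flow.proto == "UDP" and flow.dport == 67 and dst in (BROADCAST, gw):
        return "expected: DHCP discover/renew"
    if flow.proto == "ICMP" and dst == gw:
        return "expected: gateway ping during boot"
    if flow.proto == "IGMP" or dst in MULTICAST or dst == BROADCAST:
        return ("expected: broadcast/multicast" if pol.allow_broadcast
                else "noise: dropped with Allow Broadcast/Multicast unchecked")
    if flow.proto == "UDP" and flow.dport == 53:
        if dst in {ip_address(r) for r in pol.resolvers}:
            return "expected: DNS lookup to configured resolver"
        return "review: DNS to a server not handed out by DHCP, confirm who it is"
    if flow.program.upper() in pol.vendor_programs:
        return ("expected: vendor update check" if pol.updates_enabled
                else "unexpected: vendor process connecting out with contact options disabled")
    return "unexpected: outbound not covered by the boot-time policy"


def triage(flows: List[Flow], pol: Policy) -> List[Tuple[Flow, str]]:
    return [(f, classify(f, pol)) for f in flows]


def unexpected(flows: List[Flow], pol: Policy) -> List[Flow]:
    return [f for f, verdict in triage(flows, pol) if verdict.startswith("unexpected")]


# Constructed policy: LAN as Internet zone, broadcast noise off, no auto-update.
POLICY = Policy(lan="192.168.1.0/24", gateway="192.168.1.1",
                resolvers=frozenset({"64.71.255.198"}),   # DNS server from the alert above
                allow_broadcast=False, updates_enabled=False,
                vendor_programs=frozenset({"FWUPDATE.EXE"}))  # hypothetical name

# Constructed boot-time flows, in roughly the order they appear during startup.
BOOT_FLOWS = [
    Flow("ARP", "192.168.1.10", "192.168.1.1", None, "System"),
    Flow("UDP", "0.0.0.0", "255.255.255.255", 67, "SVCHOST.EXE"),
    Flow("ICMP", "192.168.1.10", "192.168.1.1", None, "System"),
    Flow("IGMP", "192.168.1.10", "224.0.0.22", None, "System"),
    Flow("UDP", "192.168.1.10", "64.71.255.198", 53, "SVCHOST.EXE"),
    Flow("UDP", "192.168.1.10", "206.190.36.17", 53, "EXPLORER.EXE"),
    Flow("TCP", "192.168.1.10", "203.0.113.5", 80, "FWUPDATE.EXE"),
]

if __name__ == "__main__":
    for flow, verdict in triage(BOOT_FLOWS, POLICY):
        print(f"{flow.proto:5} {flow.program:13} -> {flow.dst:16} {verdict}")
```

Re-run the same list with `updates_enabled=True` and the vendor connection becomes expected, which is exactly the distinction Stem draws between options he enabled and outbound he did not authorise.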
Escalader
April 27th, 2007, 11:39 AM
{QUOTE-> @Escalader,
For indirect access (trying to use another program to connect to the Internet), you need to be careful. Such processes as "WINLOGON.EXE", if denied this, can cause your browser not to be able to connect.
As for bootup.
I have setup with ZA installed on a PC on LAN, behind a gateway, just to check for DHCP etc, and to see what is being sent out. I have set the LAN as "Internet", and unchecked the "Allow broadcast" for that zone.
DHCPboot (with reply) is allowed: ARP(with reply) is allowed: ICMP is allowed(the gateway is pinged during boot, even with ICMP not allowed): IGMP is allowed(even with this not allowed).
So having the LAN as "Internet", from these results, will not cause problems for DHCP (renewal is also allowed).
ZA is still attempting to connect to Zonelabs during/after boot/on close down, with whatever settings I make within the firewall. If your previous statement still stands: then I would suggest removing ZA. <-QUOTE}
Wow, that's quite a suggestion Stem. This has been a bad week for me so this suggestion fits in with the theme of the week... ! I'm now scared on the FW front!
Are you saying that I should remove ZA because it is allowing packets to leave my PC that shouldn't leave?
If the answer is yes, then I need a replacement FW ASAP! I don't think PC Tools FW + will do better will it?
I want to make sure I am not misunderstanding you here! Be as blunt as you need to be to make your points. I'm in learning mode and if you have to hit me over the head to make a point go for it!
Stem
April 27th, 2007, 11:53 AM
{QUOTE-> Are you saying that I should remove ZA because it is allowing packets to leave my PC that shouldn't leave? <-QUOTE}
We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this.
henryg
April 27th, 2007, 01:13 PM
{QUOTE-> We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this. <-QUOTE}
Stem,
do you think that the Outpost F/W would be a better choice....based on your experience?
fax
April 27th, 2007, 01:28 PM
{QUOTE-> We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this. <-QUOTE}
Hi Stem,
as far as I know this was fixed a long time ago... did you follow this document to block all communication with ZA?
http://download.zonelabs.com/bin/free/pressReleases/2005/pr_22.html
Fax
Escalader
April 27th, 2007, 03:04 PM
{QUOTE-> Hi Stem,
as far as I know this was fixed a long time ago... did you follow this document to block all communication with ZA?
http://download.zonelabs.com/bin/free/pressReleases/2005/pr_22.html
Fax <-QUOTE}
Stem/Fax:
Guys, I am at sea here.
It would be unwise to remove ZA Pro until I have a better replacement and or a fix and or an adequate explanation on this connection out issue. I'm sure I'm not the only one that wants to know.
The way I read this is Stem did behind the router tests and got the results he published a few posts back and found packets leaving and connecting out attempts during and before boot and during close down. These have yet to be explained properly. Or if there are good reasons for these connections out what are they? Is it possible they want to update it first before anything else loads? ZA is in business there must be an explanation available and it must be in their best interest to tell everybody here what it is?
Fax, I think you are saying this is an old bug fixed long ago.:-\
But if that were the case, how is it Stem got the results he did? Unless he has an unrepaired version, which seems unlikely. Why would the user have to follow a link to fix a bug or block all communications with ZA?
Come to think of it, I want to communicate with ZA to get the latest fixes and updates to the ASW. I did not join the optional share setting service or opt for AV monitoring, on the basis of security, so that is not an issue (I hope) on my PC.
Stem, what version of ZA were you testing with? Mine is 7.0.337 which I hope is current.
I really think we need to avoid FUD here and I for one intend to avoid precipitous actions or assumptions. ZA will I hope clear this matter up.
Here is the explain help on contact with ZA, on my PC does this offer us any clues on these connections?
Setting contact preferences
Setting contact preferences ensures that your privacy is protected when ZoneAlarm security software communicates with ZoneAlarm (for example, to check automatically for updates).
To set contact preferences:
Select Overview|Preferences.
In the Contact with ZoneAlarm area, specify your preferences.
Alert me with a pop-up before I make contact Displays a warning before contacting ZoneAlarm to deliver registration information, get product updates, research an alert, or access DNS to look up IP addresses.
Note: There are certain situations in which you will not be notified before contact is made. Those include sending DefenseNet data to ZoneAlarm, contacting ZoneAlarm for program advice, when an anti-virus update is performed, or when monitoring your anti-virus status. The "Share setting anonymously..." setting below turns off the DefenseNet transfer. All other settings can be disabled from the main tab of their respective panels.
Hide my IP address when applicable Prevents your computer from being identified when you contact Zone Labs, LLC.
Hide the last octet of my IP address when applicable Omits the last section of your IP address (for example, 123.456.789.XXX) when you contact Zone Labs, LLC.
Share my security settings anonymously with ZoneAlarm Periodically sends anonymous configuration data to ZoneAlarm. For more information, see Joining the DefenseNet community .
Note: Configuration data is not collected from ZoneAlarm or ZoneAlarm Anti-virus users.
fax
April 27th, 2007, 04:10 PM
{QUOTE-> Stem/Fax:
But if that were the case, how is it Stem got the results he did? Unless he has an unrepaired version, which seems unlikely. Why would the user have to follow a link to fix a bug or block all communications with ZA?
<-QUOTE}
That is exactly the point, you should not worry about ZA contacting ZA servers. If ZA is your primary defence (or part of your security package) then you should care about everything else around it.
If you start to question why ZA is contacting ZA servers and you do not want ZA to contact ZA, then better you remove ZA and use another software that you can trust. Trust in your security tools is your starting point.
This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN".
I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA :)
Fax
Stem
April 27th, 2007, 04:44 PM
{QUOTE-> what version of ZA were you testing with? Mine is 7.0.337 which I hope is current. <-QUOTE}
Yes, I was looking at this latest version.
{QUOTE-> That is exactly the point, you should not worry about ZA contacting ZA servers. If ZA is your primary defence (or part of your security package) then you should care about everything else around it. <-QUOTE}
If I had auto updates etc. enabled, then I would have to trust that the firewall would only do as I have allowed in the options I have enabled. But, as I have ALL these options disabled, I then trust the firewall NOT to make any unauthorized outbound,... but ZA does.
{QUOTE-> If you start to question why ZA is contacting ZA servers and you do not want ZA to contact ZA then better you remove ZA and use another software that you can trust. <-QUOTE}
That is why I have suggested that "Escalader" should remove ZA.
{QUOTE-> I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA <-QUOTE}
Making settings within a firewall is to protect the user. As "Escalader" shows concern as to what is leaving the PC, then I do need to point out the fact that ZA is making unauthorized outbound.
I would (and do) make a point of any firewall, or any application, that was/is making unauthorized outbound comms. What a user does with this info is then up to themselves.
{QUOTE-> This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN" <-QUOTE}
If ZA was to stop making unauthorized outbound, then it would not be an issue.
fax
April 27th, 2007, 04:51 PM
{QUOTE-> Yes, I was looking at this latest version.
If I had auto updates etc. enabled, then I would have to trust that the firewall would only do as I have allowed in the options I have enabled. But, as I have ALL these options disabled, I then trust the firewall NOT to make any unauthorized outbound,... but ZA does.
That is why I have suggested that "Escalader" should remove ZA.
Making settings within a firewall is to protect the user. As "Escalader" shows concern as to what is leaving the PC, then I do need to point out the fact that ZA is making unauthorized outbound.
I would (and do) make a point of any firewall, or any application, that was/is making unauthorized outbound comms. What a user does with this info is then up to themselves. <-QUOTE}
Yes, Fine Stem... I understand your point. :)
Given your great expertise, can you detail the server/ports and what is sent without authorization (the exact string and length)?
Thanks,
Fax
Stem
April 27th, 2007, 05:37 PM
{QUOTE-> can you detail the server/ports and what is sent without authorization (the exact string and length)? <-QUOTE}
189427
If there are settings/options that may cause this (that I may have missed), please advise.
update
I am trying to find what the above comms could be, thinking there may be a problem with installation (or bug/conflict). So to compare comms, I have made a manual program update check with ZA (ZA shown as up to date):
189428
Edit:
Interesting, since making the manual update attempt, ZA is no longer connecting out. On re-boot, ZA does make DNS lookup for Zonelabs.com, but does not make outbound connection.
I will keep a check.
Escalader
April 27th, 2007, 06:31 PM
{QUOTE-> .......Trust in your security tools is your starting point.
This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN".
I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA :)
Fax <-QUOTE}
This is correct, my thread is about How to set optimum settings in ZA Pro!
Since I have very strong input control via the hardware FW and the router, my security concern is tilted more to output packet control.
I'm assuming that when this issue of outbound connections is resolved and dealt with by Stem and other posters to all our satisfaction that we can proceed to the next question in my first posts.
In fact, to show more than my usual flexibility :) ;D I'm willing to do that now while waiting for those with the expert knowledge to answer this connect issue. I am willing to assume there is a positive answer to it.
IMHO trollers will always be with us, but what they do and how others react to these posts I think is way beyond the scope of this thread. We should not let the possible viewing by them influence what we do professionally.
Regards to all, let's remain calm.
Stem
April 27th, 2007, 06:52 PM
{QUOTE-> when this issue of outbound connections is resolved and dealt with..... <-QUOTE}
At this moment in time, I am now looking at the outbound by ZA as a bug, as now, after the manual update I made, these comms have stopped. But of course, I will monitor.
Right, down to your questions.
{QUOTE-> (1) Main Firewall.
What setting should user set Internet zone security?
What is custom used for and how to approach using it? <-QUOTE}
I currently have my LAN as Internet, with high settings in both the "Internet" and "Trusted" zones.
On my setup (I have re-set Group Policy in Windows, so all default services are active, as would be with many users) I have unchecked "Allow Broadcast/Multicast", as this was just noise, such as uPnP and NetBIOS broadcasts. DHCP and ARP are still allowed, so no connection problems due to this.
As for the other settings for "Custom", I do not think they need changing. But if you have questions?
If not, we can move to your second question.
fax
April 27th, 2007, 06:53 PM
{QUOTE-> 189427
On re-boot, ZA does make DNS lookup for Zonelabs.com, but does not make outbound connection.
I will keep a check. <-QUOTE}
Thanks for further investigating on it.
"cm2.zonelabs.com" assists in the functioning of various services including the AlertAdvisor, antivirus/antispyware updates, and antivirus monitoring.
{QUOTE-> This is correct, my thread is about How to set optimum settings in ZA Pro! <-QUOTE}
Ehm, yes, sorry..... back to the original subject... :)
Fax
Escalader
April 27th, 2007, 08:24 PM
{QUOTE-> ....... As now, after the manual update I made, these comms have stopped. ......Stem, do you mean the update of the product itself as in Preferences update, manual?
Right, down to your questions.
I currently have my LAN as internet, with high settings in both "Internet and Trusted" zone. Right I have the same
On my setup, (I have re-set Group policy in windows, so all default services are active, as would be with many users) I have unchecked the "Allow Broadcast/Multicast", I copied you there and did the same. as this was just noise, such as uPnP, netbios broadcasts. DHCP and ARP are still allowed, so no connection problems due to this.
As for the other settings for "Custom", I do not think they need changing. But if you have questions?
If not, we can move to your second question. <-QUOTE}
Before doing that:
In my Zones I have attached a jpg image, please look this list over and tell me if I am fuzzy headed in putting specific sites in such as BitDefender etc and MY ISP?
Stem
April 27th, 2007, 08:56 PM
{QUOTE-> do you mean the update of the product itself as in Preferences update, manual? <-QUOTE}Yes,... ZA-> Overview-> Preferences
{QUOTE-> In my Zones I have attached a jpg image, please look this list over and tell me if I am fuzzy headed in putting specific sites in such as BitDefender etc and MY ISP? <-QUOTE}No need to place IPs within the "Internet zone".
Certain settings can place certain "networks" as trusted, but it does depend on settings. Go to "Firewall-> Main-> Advanced". Here you see a number of settings/options. At the bottom of this you will see "Network settings"; ensure this is set as "Ask which Zone to place new networks in upon detection".
Escalader
April 27th, 2007, 09:10 PM
{QUOTE-> Yes,... Za-> Overview-> Preferances
No need to place IPs within the "Internet zone".
Right, I'll remove it.
Certain settings can place certain "networks" as trusted, but it does depend on settings. Go to "Firewall-> Main-> Advanced". Here you see a number of settings/options. At the bottom of this you will see "Network settings"; ensure this is set as "Ask which Zone to place new networks in upon detection".
I went there and it was already checked, thanks. What about other settings in advanced?
<-QUOTE}
What about the other entries I made for my security software like BitDefender site, Webroot, and ZA itself etc etc does that make sense to you?
Stem
April 27th, 2007, 09:29 PM
Certain IPs/ranges raise a question, such as private/reserved ones, for example 192.168.***.*** / 10.*** etc. So confirmation is needed as to whether these IPs/ranges should be trusted or not. IPs which are not private/reserved are internet, and no confirmation is needed. As with the IPs for (for example) "Spy Sweeper", these will be seen as "Internet".
For the Zones, the main concern is:-
What is/should be blocked.
What is trusted, and should be placed here.
All else is internet. (If there is a possible exception, as for reserved ranges, you will be asked, due to your settings.)
Stem
April 28th, 2007, 07:11 AM
{QUOTE-> What about other settings in advanced?
<-QUOTE}Sorry, I missed that question.
Gateway Security: Not needed in your setup, as this is a check on compatible gateways within a LAN.
Internet Connection Sharing: Default setting can be left on your setup.
General settings:
Block all fragments: Normally, blocking fragmented packets will not cause problems, and adds extra filtering protection. With normal day-to-day surfing, I do not see fragmented packets.
Block Trusted servers / Block Internet servers: These are over-rides to the program control settings; if set, they will block any program from acting as a server in the zone selected. (If connected directly to the internet, and you do not use server software, then selecting "Block Internet servers" is a good option, as this will prevent any possible misconfiguration allowing unsolicited inbound to programs that may have been allowed server status unintentionally.)
Enable ARP Protection: This is mainly for a large, possibly untrusted LAN, to stop attempts at ARP poisoning. With this enabled, unsolicited ARP will be dropped. You can enable this; it will not affect your connection.
Filter IP traffic over 1394: Some PC connections can be made over FireWire (I do this for some debugging/tests). FireWire is also used for some external connections to external HDs etc. This setting will depend on what you have (if anything) connected over 1394.
Allow VPN / uncommon protocols: This depends on the needs of your own setup. If you do not know what these are, then you more than likely do not need to enable them.
Lock Hosts File: If you use the Windows hosts file, then enabling this will protect that file.
Disable Windows Firewall: This is just to make sure that the Windows firewall is disabled.
Escalader
April 28th, 2007, 12:04 PM
{QUOTE-> Sorry, I missed that question. No sweat; when that happens I'll just ask again, you are a busy person!
Gateway Security: Not needed in your setup, as this is a check on compatible gateways within a LAN. I unchecked this then
Internet Connection Sharing: Default setting can be left on your setup. Okay, done
General settings:
Block all fragments: Normally, blocking fragmented packets will not cause problems, and adds extra filtering protection. With normal day-to-day surfing, I do not see fragmented packets. Good, I have now enabled this!
Block Trusted servers / Block Internet servers: These are over-rides to the program control settings; if set, they will block any program from acting as a server in the zone selected. (If connected directly to the internet, and you do not use server software, then selecting "Block Internet servers" is a good option, as this will prevent any possible misconfiguration allowing unsolicited inbound to programs that may have been allowed server status unintentionally.) Hum, confused here due to brain defect no doubt: how do I know if I use a program as a server? When I update, say, SpySweeper, am I using it as a server? This is a conceptual gap I have, so I have done nothing with the boxes. When in doubt, do nothing is my rule ::)
Enable ARP Protection: This is mainly for a large, possibly untrusted LAN, to stop attempts at ARP poisoning. With this enabled, unsolicited ARP will be dropped. You can enable this; it will not affect your connection. Done!
Filter IP traffic over 1394: Some PC connections can be made over FireWire (I do this for some debugging/tests). FireWire is also used for some external connections to external HDs etc. This setting will depend on what you have (if anything) connected over 1394. :-\ I don't know if I do or not, left default as ticked.
Allow VPN / uncommon protocols: This depends on the needs of your own setup. If you do not know what these are, then you more than likely do not need to enable them. Okay, I haven't!
Lock Hosts File: If you use the Windows hosts file, then enabling this will protect that file. I decided to lock it, but it may duplicate what SS does.
Disable Windows Firewall: This is just to make sure that the Windows firewall is disabled. Right, it is disabled <-QUOTE}
Stem: Thanks again. We are proceeding well one by one like a good programmer should! :thumb:
Escalader
April 28th, 2007, 12:45 PM
Hello Stem and all concerned!
Now I have a new alert! Blocking IP authentication, I think? See attached image and advise how to handle!
As a typical user I don't want to spend time responding to alerts that should be automated. I may have done something wrong settings-wise (again!)
Thanks in advance
fax
April 28th, 2007, 01:21 PM
{QUOTE-> Hello Stem and all concerned!
Now I have a new alert! Blocking IP authentication, I think? See attached image and advise how to handle!
As a typical user I don't want to spend time responding to alerts that should be automated. I may have done something wrong settings-wise (again!)
Thanks in advance <-QUOTE}
Hi Escalader!
For troubleshooting purposes and to help Stem, it would be important to post a screenshot of the details of the alert.
Such as originating IP, destination IP. I think this is reported under the "details" or "technical info" tab (?)
The more stringent the rules, the more likely you will get copious warnings from ZA. It can help also to set ZA to "high" in terms of "alert events shown" (Alerts and Logs tab), in a way that you will get these warnings instantly and you may better guess what could have caused them (depending on what you were doing at that moment). Unless this alert was already a pop-up from ZA.
Cheers,
Fax
Stem
April 28th, 2007, 01:26 PM
{QUOTE-> how do I know if I use a program as a server? When I update say SpySweeper am I using it as a server, <-QUOTE}A server is a program that requires inbound connections.
{QUOTE-> Now I have a new alert! Blocking IP authentation I think <-QUOTE}What program is being blocked in the alert? (it should be svchost(XP) making DHCP). Did you have the Internet lock enabled at the time?
Escalader
April 28th, 2007, 01:29 PM
{QUOTE-> Hi Escalader!
For troubleshooting purposes and to help Stem, it would be important to post a screenshot of the details of the alert.
Such as originating IP, destination IP. I think this is reported under the "details" or "technical info" tab (?)
The more stringent the rules, the more likely you will get copious warnings from ZA. It can help also to set ZA to "high" in terms of "alert events shown" (Alerts and Logs tab), in a way that you will get these warnings instantly and you may better guess what could have caused them (depending on what you were doing at that moment). Unless this alert was already a pop-up from ZA.
Cheers,
Fax <-QUOTE}
Yes, I think I can do that next time it pops! But let me look in the logs now and see if the detail (where the devil lives) is there... I think it is recorded in the attachment.
Escalader
April 28th, 2007, 01:43 PM
{QUOTE-> A server is a program that requires inbound connections.
Right, so that would include email, updates to security software, the OS itself. Other programs I have I would not want to accept incoming or send outgoing, e.g. the Age of Empires game, or any game for that matter.
What program is being blocked in the alert? (it should be svchost(XP) making DHCP). Did you have the Internet lock enabled at the time? <-QUOTE}
Can't tell you what program is being blocked; you must be correct though. No, the Internet lock was not on!
fax
April 28th, 2007, 01:53 PM
{QUOTE-> Yes, I think I can do that next time it pops! But let me look in the logs now and see if the detail ( where the devil lives) is there,,,, I think it is recorded in attachment <-QUOTE}
Yep, it should be in the Alerts and Logs --> alert type: firewall. Select it and then push "more info" and it will bring back that webpage...
Fax
Stem
April 28th, 2007, 01:55 PM
{QUOTE-> Right, so that would include email, updates to security software, the OS itself. <-QUOTE}No, these do not require inbound connections, these programs make outbound connections to a server (such as for updates). In your setup, to be able to run server software, you would need to remove the alpha shield, and port forward in your router, then enable your server program "Server Internet".
It is only such programs as P2P/Torrent clients that run as servers, so other users can connect in.
{QUOTE-> Can't tell you what program is being blocked, you must be correct though, not the internet lock was not on! <-QUOTE}Well, if svchost (Generic Host Process for Win32 Services) is allowed access to the internet, then DHCP should be allowed. It sounds buggy to me.
Escalader
April 28th, 2007, 02:05 PM
{QUOTE-> No, these do not require inbound connections, these programs make outbound connections to a server (such as for updates). In your setup, to be able to run server software, you would need to remove the alpha shield, and port forward in your router, then enable your server program "Server Internet".
It is only such programs as P2P/Torrent clients that run as servers, so other users can connect in.
Ah so! I never, never want users connecting to my PC. Unless in another life I start an ISP service!;D Now I get it, the light went on: when I update, I use the vendor's server! Good!
Well, if svchost (Generic Host Process for Win32 Services) is allowed access to the internet, then DHCP should be allowed. It sounds buggy to me. Buggy? Whose bug, me on setup or them in sending alerts? I'm at sea again, someday I'll learn to swim! <-QUOTE}
Okay, here is an incoming block that may shed light (maybe not)
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
Alert Date Apr-28-2007 10:55:04 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your co
Stem
April 28th, 2007, 02:13 PM
{QUOTE-> Buggy? Whose bug, me on set up or them is sending alterts? I'm at sea again, someday I'll learn to swim! <-QUOTE}ZA, for blocking the packet. Only if you have svchost blocked from internet access (or if you enable the Internet lock) should DHCP be blocked.
The info you have posted does not match the alert you gave earlier. In your post of the alert, this was for DHCP (port 68). In your last post, this info is for DNS (port 53).
Escalader
April 28th, 2007, 02:31 PM
{QUOTE-> ZA for blocking the packet. Only if you have svchost blocked from internet access (or if you enable the internet lock) should DHCP be blocked
Where in ZA would I look to see if the svchost is blocked? Didn't we agree a few posts back on setting to lock the hosts file? Or is this a different thing?
The info you have posted does not match the alert you gave earlier. In your post of the alert, this was for DHCP (port 68), In your last post, this info is for DNS (port 53) <-QUOTE}
I did post 2 alerts, one in, one out. Sorry for my confusion. Here is the log entry for port 53.
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
What happened?
ZoneAlarm Pro blocked an outbound communication to a Domain Name Server. The function of a Domain Name Server (DNS) is to convert a domain's IP address, such as 207.25.71.28, into a recognizable name, such as www.cnn.com.
Should I be concerned?
There is usually no reason to worry about this alert, but it should be investigated. One possibility is that your application attempted to send a query out to the Internet before ZoneAlarm Pro started running on your machine at start-up time. By default, ZoneAlarm Pro is loaded when Windows first starts up. This minimizes the possibility that an application will establish an Internet connection before the TrueVector Service is loaded.
What should I do?
Your internet application may not be not working properly. In that case, stop the application, then restart it. This often fixes the problem and in that case, you will not receive this alert again. In addition, go to the Configure panel to make sure that ZoneAlarm Pro is configured to load when Windows starts. You can also run regular checks on your machine for viruses and Trojan horses.
_________________________________________________________________
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Inside the firewall alert
Alert property Alert property value Technical explanation
Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
Alert Date Apr-28-2007 09:36:54 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
Alert property Alert property value Technical explanation
Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your computer.
_________________________________________________________________
ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server
ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred.Your computer is safe.
Details
This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.
For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.
Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.
The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.
In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:
An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.
To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.
Related Links
ZoneAlarm web site pages that may be helpful:
ZoneAlarm Online Support
ZoneAlarm Home Page
Stem
April 28th, 2007, 02:39 PM
{QUOTE-> I did post 2 alterts one in one out Sorry for my confusion. Here is the log entry for port 53. <-QUOTE}It was the log entry for the alert that you posted in post#51 (for DHCP). But it does not matter, you do not need to post that.
{QUOTE-> Where in ZA would I look to see if the svchost is blocked? Didn't we agree a few posts back on setting to lock the hosts file? Or is this a different thing? <-QUOTE}Different.
For svchost, look in ZA ->Program control->Programs. svchost is named as "Generic Host Process for Win32 Services"
If DHCP was being blocked, then you would get an alert every 5 mins, and eventually you would not be able to connect to the internet.
It must be a bug within ZA.
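An added example (not from this thread or from ZoneAlarm) that puts two of Stem's rules into code: the zone rule from his 09:29 PM reply (private/reserved addresses need confirmation, everything else is "Internet") and the rule just above that outbound DHCP/DNS from svchost should only be blocked when svchost has no Internet access or the Internet Lock is engaged. The sample alert lines are constructed in the layout of the alert details Escalader pasted; the field names come from that paste, while the "Lock Engaged" wording and the `svchost_internet_allowed` flag are assumptions.

```python
"""Triage helper for ZoneAlarm Pro firewall alert details (added example).

Zone rule: private/reserved addresses -> 'confirm'; others -> 'Internet'.
DHCP/DNS rule: an outbound DHCP (UDP 67/68) or DNS (UDP 53) block from
svchost is only expected when svchost lacks Internet access or the lock is on.
"""
import ipaddress
import re

# Constructed sample in the layout of the alert detail pasted in the thread
# (field name, value, then ZoneAlarm's explanation on the same line).
SAMPLE_DNS_ALERT = """\
Source IP Address 192.168.1.101 The IP address of the computer that sent the packet which caused the alert.
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported between software programs.
File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
Lock Level Lock Not Engaged Internet and network connections permitted by your settings are not blocked by a lock setting.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer.
"""

# Constructed sample for the DHCP discover broadcast described in the thread.
SAMPLE_DHCP_ALERT = """\
Source Port 68 The port used by the source computer when sending the packet.
Destination IP 255.255.255.255 The IP address of the computer to which the packet was sent.
Destination Port 67 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported.
File Name SVCHOST.EXE The executable file on your computer.
Lock Level Lock Not Engaged Internet and network connections are not blocked by a lock setting.
Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer.
"""

# The value is the first token after the field name; the explanation follows it.
_FIELDS = {
    "src_ip": r"^Source IP Address (\S+)",
    "src_port": r"^Source Port (\d+)",
    "dst_ip": r"^Destination IP (\S+)",
    "dst_port": r"^Destination Port (\d+)",
    "proto": r"^Transport Layer Protocol (\S+)",
    "file": r"^File Name (\S+)",
    "direction": r"^Packet Direction (\S+)",
    # "Lock Not Engaged" is the wording in the paste; "Lock Engaged" is assumed.
    "lock": r"^Lock Level (Lock (?:Not )?Engaged)",
}


def parse_alert(text):
    """Pull the known fields out of an alert-detail paste into a dict."""
    alert = {}
    for line in text.splitlines():
        line = line.strip()
        for key, pattern in _FIELDS.items():
            match = re.match(pattern, line)
            if match:
                value = match.group(1)
                alert[key] = int(value) if key.endswith("_port") else value
    return alert


def zone_for_ip(ip_text):
    """Zone rule: 'confirm', 'broadcast', 'Internet' or 'unknown' (placeholder)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # e.g. the xxx.xxx.xxx.xxx placeholder in the paste
        return "unknown"
    if ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"  # DHCP discover target, not a host to trust or block
    if ip.is_unspecified or ip.is_private or ip.is_reserved or ip.is_link_local:
        return "confirm"
    return "Internet"


def classify_service(alert):
    """Name the service from the UDP ports: DNS (53), DHCP (67/68) or other."""
    if alert.get("proto") != "UDP":
        return "other"
    if alert.get("dst_port") == 53:
        return "DNS"
    if {alert.get("src_port"), alert.get("dst_port")} & {67, 68}:
        return "DHCP"
    return "other"


def triage(alert, svchost_internet_allowed=True):
    """Return (verdict, reason). svchost_internet_allowed mirrors the Internet
    column for "Generic Host Process for Win32 Services" in Program Control."""
    service = classify_service(alert)
    is_svchost = alert.get("file", "").upper() == "SVCHOST.EXE"
    if service == "other" or alert.get("direction") != "Outgoing" or not is_svchost:
        return "other", "not an outbound DHCP/DNS packet from svchost; review as usual"
    if alert.get("lock") == "Lock Engaged":
        return "expected", f"Internet Lock engaged, so outbound {service} is blocked"
    if not svchost_internet_allowed:
        return "expected", f"svchost has no Internet access, so outbound {service} is blocked"
    dst = alert.get("dst_ip", "")
    return "unexpected", (f"svchost is allowed and the lock is off, yet outbound {service} "
                          f"to {dst} ({zone_for_ip(dst)}) was blocked; investigate")


if __name__ == "__main__":
    for name, text in (("DNS", SAMPLE_DNS_ALERT), ("DHCP", SAMPLE_DHCP_ALERT)):
        verdict, reason = triage(parse_alert(text))
        print(f"{name}: {verdict} - {reason}")
```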
Escalader
April 28th, 2007, 05:27 PM
{QUOTE-> It was the log entry for the alert that you posted in post#51 (for DHCP). But it does not matter, you do not need to post that.
Different.
For svchost, look in ZA ->Program control->Programs. svchost is named as "Generic Host Process for Win32 Services"
If DHCP was being blocked, then you would get an alert every 5mins, and eventually you would not be able to connect to the internet.
It must be a bug within ZA. <-QUOTE}
Stem:
It is happening frequently, but ZA messages imply that repeated messages will not show up.
In Program control->Programs, "Generic Host Process for Win32 Services" shows Server is trusted but Internet is blocked. Does the fact that we placed the Family LAN as Internet, not Trusted, cause this? ZA seems to think the router should be trusted, whereas you and I are saying no, it is part of the defense. Well, it is defending and this is the price?
With the number of people, for good or ill, using ZA, does it seem likely it is a bug, or more likely that I have installed it wrong or set it up wrong? We are still only part way through my learning thread. Right now Program Control is at medium and Component Control is in learning mode.
The latest block help says:
ZoneAlarm Pro blocked a probe to port 67. This is most likely your ISP's DHCP server requesting authentication so it can issue you an IP address. If you received an alert that ZoneAlarm Pro is blocking broadcast address 255.255.255.255 then that is confirmation your computer is asking for an address assignment from a DHCP server
The help offered to add its IP 192.168.1.101 to the trusted zone! I didn't do this.
I will add the 255.255...... to the internet zone and ask what will happen?
Stem
April 28th, 2007, 06:13 PM
@Escalader,
My test PC has only ZA installed. My direct tests only check the firewall, not conflicts with other software.
What you are seeing is certainly a problem with ZA, possibly with other software. For a firewall to block outbound DHCP is a major problem. If this was inbound, then some explanation can be made.
I will start in-depth checking, as this needs to be checked/resolved. From my installation/checks I do not see any problem, apart from the initial outbound attempts. But I am certainly interested/concerned.
Escalader
April 28th, 2007, 06:50 PM
{QUOTE-> @Escalader,
My test PC has only ZA installed. My direct tests only check the firewall, not conflicts with other software.
What you are seeing is certainly a problem with ZA, possibly with other software. For a firewall to block outbound DHCP is a major problem. If this was inbound, then some explanation can be made.
I will start in-depth checking, as this needs to be checked/resolved. From my installation/checks I do not see any problem, apart from the initial outbound attempts. But I am certainly interested/concerned. <-QUOTE}
Yes, I agree with all your concerns. I restarted my PC after setting 255.255.255.255 to the internet zone. Since then the alerts and blocks to/from DHCP have stopped.
The question I have is why would I as a "typical" FW user even have to do this in a commercial FW product?
Personally I don't mind doing it inside a learning thread, but I didn't start out trying to debug anything let alone ZA Pro.
As an experiment what do you think about me reversing the 255 trick to see if the alerts resume?
Stem
April 29th, 2007, 07:39 AM
{QUOTE-> As an experiment what do you think about me reversing the 255 trick to see if the alerts resume? <-QUOTE}The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IPs.
fax
April 29th, 2007, 09:24 AM
Hi!
Probably one of the reasons why Stem does not get those warnings is that he does not rely on the router for IP allocation and DNS resolving....
How is your setup, Stem?
So, in principle, your next step in securing your connection is to disable DHCP in your router and set the different XP machines with fixed IPs and DNS information.
Fax
Stem
April 29th, 2007, 09:41 AM
Hello fax,
I can understand your thought on this. But basically, what you are saying is to disable DHCP, so there would be no need for outbound/inbound DHCP. This is not a fix, but a workaround. Svchost(XP) should not be blocked from making outbound DHCP, unless internet access is denied to svchost(XP), or the internet lock is active. This is the same for DNS(when DNS service/client is active)
Escalader
April 29th, 2007, 10:34 AM
{QUOTE-> The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable the "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IP`s. <-QUOTE}
Good morning Stem, boy, this is some learning thread for me! I started in grade school and now I'm in Q and A at grad school, but I'm not complaining.
I will do the remove 255.255.255.255 and enable Allow Broadcast.... But first let me give you some symptoms from my start-up this AM. My PC couldn't acquire an address; last night when I shut down I had disconnected from the internet and closed all security including ZA. I played a standalone game to get some fun out of the PC for a bit. (therapy;D )
This morning I started up, all security software came to life: first BD 10 appears on the task bar, then SS 5.3, then ZA Pro. But of course no connection, since it was off from last night's close-down.
Then I got some alerts that seem to me to be down the track you are checking for me and all others who I hope are benefiting from the thread!
They are attached as images: Please look at these and advise if your removal step is still the way to go:-\
Stem
April 29th, 2007, 11:01 AM
Hello Escalader,
Good morning to you, although it is 3:45 PM here in the UK.
Interesting alerts/log. I am currently in a thread concerning DHCP and the low-level needs for this (http://www.wilderssecurity.com/showthread.php?p=993304#post993304). I have still to see any such alert from ZA, although, due to my settings within ZA, these would be only log entries.
I can only, at this time, go from your info and what I see in my own setup. I do not see blocked broadcast, or even blocked IGMP, on boot. I have made/do make many boots on the test PC (with installed ZA). I will now perform this again, and show you the logs from my gateway, with what is logged in ZA.
Just give me 15 mins while I boot ZA a few times, to compare logs made; I will then show you what is happening during boot. My gateway is allowing all outbound from the test PC (as if it was connected directly to the internet; it is just a case of further filtering by my gateway (invalids etc), but there are no restrictions on what outbound is allowed). (If my gateway does show any outbound blocked from ZA, I would adjust to allow,.. to see what connections are being made.)
fax
April 29th, 2007, 11:04 AM
{QUOTE-> Hello fax,
I can understand your thought on this. But basically, what you are saying is to disable DHCP, so there would be no need for outbound/inbound DHCP. This is not a fix, but a workaround. Svchost(XP) should not be blocked from making outbound DHCP, unless internet access is denied to svchost(XP), or the internet lock is active. This is the same for DNS(when DNS service/client is active) <-QUOTE}
yep, but I think previous DHCP warnings were not outbound but inbound...
Fax
Stem
April 29th, 2007, 11:05 AM
{QUOTE-> yep, but I think previous DHCP warnings were not outbound but inbound...
Fax <-QUOTE}http://www.wilderssecurity.com/showthread.php?p=993182#post993182 this is outbound, unless the report is incorrect.
If this is a problem with ZA, which at the moment looks possible, then I would prefer to confirm this; then reports can be made to ZA. This helps ZA to resolve such problems, and if resolved, stops problems for the end user.
fax
April 29th, 2007, 11:10 AM
{QUOTE-> http://www.wilderssecurity.com/showthread.php?p=993182#post993182 this is outbound, unless the report is incorrect <-QUOTE}
Hi!
I was referring to this:
http://www.wilderssecurity.com/showpost.php?p=993329&postcount=62
"ZoneAlarm Pro blocked a probe to port 67. This is most likely your ISP's DHCP server requesting authentication so it can issue you an IP address"
Fax
Escalader
April 29th, 2007, 11:27 AM
{QUOTE-> Hello Escalader,
Good morning to you, although it is 3:45 PM here in the UK
Interesting alerts/log. I am currently in a thread concerning DHCP and the low level needs for this (http://www.wilderssecurity.com/showthread.php?p=993304#post993304). I have still to see any such alert from ZA, although due to my settings within ZA, these would be only log entries.
I can only, at this time, go from your info and what I see in my own setup. I do not see blocked broadcast, or even blocked IGMP, on boot. I have made/do make many boots on the test PC (with installed ZA). I will now perform this again, and show you the logs from my gateway, with what is logged in ZA.
Just give me 15 mins while I boot ZA a few times, to compare logs made; I will then show you what is happening during boot. My gateway is allowing all outbound from the test PC (as if it was connected directly to the internet; it is just a case of further filtering by my gateway (invalids etc), but there are no restrictions on what outbound is allowed). (If my gateway does show any outbound blocked from ZA, I would adjust to allow,.. to see what connections are being made.) <-QUOTE}
No rush, Stem! Take all the time you need.
It is noon here clear and cool!
My PC is running I got connected by setting the 255.255.... to TRUSTED.
For all posters here, I'm reading all contributor's posts, but unless Stem tells me to do/change something I'm viewing them as data for Stem! If I act any other way the learning thread will go out of control.
On a personal note, Stem is to be commended for his dedication and patience in doing this work here, which IMO goes way beyond the normal call of duty! I can never repay him; I will try, of course. Let's not guess at possible reasons; let's KNOW from a base, either a test, a log or a fact. Guessing just deflects energy and time. This is a technical thread, so, like the old detective series years ago, "just the facts ... please!" ... circa Joe Friday.;D
A reminder, I'm trying to optimize ZA pro settings. Not trying to debug the product. If bugs are found, so be it. They can be reported but in my view that is secondary till finished with the ordered list of OP questions.
fax
April 29th, 2007, 11:31 AM
{QUOTE-> If this is a problem with ZA, which at the moment looks possible, then I would prefer to confirm this; then reports can be made to ZA. This helps ZA to resolve such problems, and if resolved, stops problems for the end user. <-QUOTE}
I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same.
I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
Fax
Escalader
April 29th, 2007, 11:38 AM
{QUOTE-> I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same.
I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
Fax <-QUOTE}
Thanks for the opinion. I don't use IM it is disabled.
I'll wait for Stem's results and take next steps based on his tests and my actual observations.
It's not really that complicated for me at all very interesting work though!;D
Stem
April 29th, 2007, 11:43 AM
{QUOTE-> I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same. <-QUOTE}As I have mentioned, my setup is a base XP setup. All base (default) XP services are enabled. From this, I have DHCP enabled, DNS client/service enabled. For a typical end user, these are base settings, even behind a router. Yes, changing Windows settings can/will change the needs of comms, but the thread is for settings within ZA, not the OS.
{QUOTE-> I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.
<-QUOTE}At this point, I have only connected out via IE from testPC.
fax
April 29th, 2007, 12:07 PM
{QUOTE-> At this point, I have only connected out via IE from testPC. <-QUOTE}
Yes, this was more for Escalader than you... sorry for the misunderstandings...
Fax
oldshep
April 29th, 2007, 12:51 PM
Not sure if this is the same thing you guys are talking about but I thought I'd throw it out there anyway...
When I was using ZA Pro 7.0.377 a while back, I had my local network set to Internet and I was getting a lot of firewall log entries denying service host, even though I had it set to super in program control. Someone on the ZA forum suggested that I add the DNS and DHCP server address as trusted. By using ipconfig /all at the command prompt, I found that my router was the DNS/DHCP server. So I added my router address as trusted (along with the loopback adapter (127.0.0.1)) and the logging problem for service host went away and never came back. I don't know if this causes a security concern...
My setup is WinXP SP2, SS 5.3, Nod32 2.7. Verizon Fios IP, Actiontec router w/ SPI and NAT.
If this info is not germane to the present discussion, please disregard and continue with this excellent and educational thread.
Regards,
Oldshep
fax
April 29th, 2007, 01:00 PM
{QUOTE-> Not sure if this is the same thing you guys are talking about but I thought I'd throw it out there anyway... <-QUOTE}
Yep, that would solve the problem... but they excluded adding the router to the trusted zone.... or, more simply, setting the LAN to trusted.
It's more an exercise to set everything per book. Interesting indeed, but practically (day-to-day use) unnecessary (IMO).
Fax
Escalader
April 29th, 2007, 01:15 PM
{QUOTE-> ......
....... Someone on the ZA forum suggested that I add the DNS and DHCP server address as trusted. By using Ipconfig/all at the command prompt, I found that my router was the DNS / DHCP server. So I added my router address as trusted (along with the loopback adapter (127.0.0.1) and the logging problem for service host went away and never came back. I don't know if this causes a security concern...
.......
If this info is not germane to the present discussion, please disregard and continue with this excellent and educational thread.....
Regards,
Oldshep <-QUOTE}
Hello OldShep, I remember you!:thumb:
I also recall the loopback adapter point so this is question of security Stem will address when he has time.
One thing we have said is that the router is a key piece of the security layer; therefore I have it as Internet, not trusted. Stem has not said to me as the "learner" here to put it as trusted, so I haven't.
I think your post is relevant but all posts are for Stem to review and then advise, then and only then do I change a setting.
I did have to put 255.255..... in as trusted this AM to get an address.
If I really wanted to just stop the alerts and blocks I know several ways in ZA Pro I could accomplish it, but the point is to set optimum settings not those that are.... how to say this.... workarounds or methods that get rid off messages but lower the security of my PC and by extension others reading the thread!
oldshep
April 29th, 2007, 01:30 PM
OK, I didn't realize you guys were specifically trying to keep the router in the internet zone. I will look forward to Stem's comments on the security ramifications of putting the router (and loopback adapters) in the trusted zone. And I will continue to read all further comments in this excellent thread.
Oldshep
oldshep
April 29th, 2007, 01:46 PM
@fax,
It seemed to me at the time that adding only the router address (instead of the entire Lan) was more secure. My router has a wireless connection, so if I added the entire Lan and someone cracked the wireless encryption, they could get access to my PC (?). Cracking the wireless encryption would not be trivial but if I wasn't a bit of a paranoid about stuff like that, I probably wouldn't spend so much time on these forums;D
Oldshep
fax
April 29th, 2007, 01:48 PM
{QUOTE-> If I really wanted to just stop the alerts and blocks I know several ways in ZA Pro I could accomplish it, but the point is to set optimum settings not those that are.... how to say this.... workarounds or methods that get rid off messages but lower the security of my PC and by extension others reading the thread! <-QUOTE}
Just to avoid panic on other ZA users and users of firewall in general. Adding your router to the trusted zone will not lower your security.
If we define security as the package of measures you are using for protecting your computer from an external threat, you are absolutely safe. I bet anyone to get into your system with such a setting without direct interaction with the machine or exploiting a flaw or weak setting of the router. This has been experimented with before in the community.
Vectors of infection or compromised systems are 99.99% not influenced by adding your router to the trusted zone. The reason is very simple: it takes more time and resources to crack a router than to use a simple viral attack to compromise the OS.
I think the exercise here (still very valuable) is to secure your network communication and ensure complete control on it. It is a useful exercise to understand how network communication works.
Fax
fax
April 29th, 2007, 01:54 PM
{QUOTE-> @fax,
It seemed to me at the time that adding only the router address (instead of the entire Lan) was more secure. My router has a wireless connection, so if I added the entire Lan and someone cracked the wireless encryption, they could get access to my PC (?). Cracking the wireless encryption would not be trivial but if I wasn't a bit of a paranoid about stuff like that, I probably wouldn't spend so much time on these forums;D
Oldshep <-QUOTE}
Yes, indeed.. that is why I have already stated before that it is more important to secure the router... i.e. change the default password (there are scripts on the net that, once loaded in your system, will check hundreds of standard passwords and IDs and, once in the router, change your DNS).
Yes, you should use WPA/WPA2 and a random password with more than 30 characters. I think they managed to brute force WPA/WPA2 simple passwords with up to 20 characters.
Fax
Escalader
April 29th, 2007, 03:20 PM
{QUOTE-> Just to avoid panic on other ZA users and users of firewall in general. Adding your router to the trusted zone will not lower your security. <-QUOTE}
There is no need to panic, unless the wings are on fire, and they aren't;D
{QUOTE-> I think the exercise here (still very valuable) is to secure your network communication and ensure complete control on it. It is a useful exercise to understand how network communication works. <-QUOTE}
Glad to have this thought, but the exercise here was defined in the original posts. Yes, things are being learned, but the focus is to find out "How to set optimum settings in ZA Pro?"; if others benefit, so much the better. Let's stay on track and not question or alter the purposes; they are unchanged8)
Let's wait for Stem to return with his next steps....there is no rush to conclusions we are testing, learning all at the same time:thumb: .
BTW no one asked me, but I have long ago changed the router default password. We are not dealing with wireless, but a simple Ethernet hard wired LAN.
12fw
April 29th, 2007, 05:31 PM
Could somebody explain to me why setting the router as Internet is safer than setting it to Trusted? I need a good explanation and some details. I am really confused about this idea.
12fw
gre87y
April 29th, 2007, 06:44 PM
{QUOTE-> Could somebody explain to me why setting the router as Internet is safer than setting it to Trusted? I need a good explanation and some details. I am really confused about this idea.
12fw <-QUOTE}
LOL Yes I am also very confused by this please enlighten me.
fax
April 29th, 2007, 07:04 PM
{QUOTE-> LOL Yes I am also very confused by this please enlighten me. <-QUOTE}
The only risk I can see is that if your router gets "owned" your system will be open to attacks... but I believe if your router is "owned", setting ZA to 'internet' will not help much... ;D
But I would also welcome a more detailed and reasonable explanation on this...
Fax
Escalader
April 29th, 2007, 07:43 PM
{QUOTE-> .........
But I would also welcome a more detailed and reasonable explanation on this...
Fax <-QUOTE}
Maybe Stem can explain it!
I asked everyone to wait for Stem's actual tests results. Now we see why!
Opinions don't cut it in a learning thread....wait, don't guess. ZA Pro is a program no doubt with some issues but all I am trying to do is learn how to optimize it on my system.
For now, lets just all agree that there are different honestly held views and opinions.
I'm not interested in learning via opinions, I like to read them but in this thread I have no intention at all of following them till proven, and verified by Stem.
12fw
April 29th, 2007, 07:50 PM
Escalader
"Opinions don't cut it in a learning thread....wait, don't guess. ZA Pro is a program no doubt with some issues but all I am trying to do is learn how to optimize it on my system."
What issues are those exactly?
12fw
Escalader
April 29th, 2007, 08:04 PM
{QUOTE-> Escalader
"Opinions don't cut it in a learning thread....wait, don't guess. ZA Pro is a program no doubt with some issues but all I am trying to do is learn how to optimize it on my system."
What issues are those exactly?
12fw <-QUOTE}
We may know when we are done.
There are over 90 posts now, BUT please forgive me, this thread is not an opportunity to complain about ZA or Checkpoint. That achieves zip!
I should not have said anything about issues here, I allowed myself to become distracted by the last few posts and didn't follow my own rules set in the start. I apologize. :-[
If you want to start a thread on issues do so but I'm fishing in this thread now and learning and hopefully we can all just become 8)
12fw
April 29th, 2007, 08:17 PM
fax
"The only risk I can see is that if your router get "owned" your system will be open to attacks... but I beleive if your router is "owned", setting ZA to 'internet' will not help much... "
How does a wired router get owned when there is a hardware firewall in front of it and the password and the account have been changed to higher security?
Would the software firewall still block even if the router did get owned? Isn't that what a software firewall does anyways?
12fw
Escalader
April 29th, 2007, 08:19 PM
Stem:
My router/lan is set in the internet zone.
What I am asking now is what if I changed ZA Pro's custom FW settings to allow DHCP on port 67 in the internet zone?
It seems to me that that allows the address business and still keeps the router in internet? Would that still preserve optimum security and allow the address to be assigned?
But maybe I'm wrong on the way this works.:-\
See attached jpg
12fw
April 29th, 2007, 08:20 PM
Escalader
I thought you were talking about something from this thread. Unless you have something intended?
12fw
12fw
April 29th, 2007, 08:25 PM
Escalader
Do you think having DHCP for port 67 opened to all of the internet is a wise decision?
12fw
fax
April 30th, 2007, 03:49 AM
{QUOTE-> fax
"The only risk I can see is that if your router get "owned" your system will be open to attacks... but I beleive if your router is "owned", setting ZA to 'internet' will not help much... "
How does a wired router get owned when there is a hardware firewall in front of it and the password and the account have been changed to higher security?
Would the software firewall still block even if the router did get owned? Isn't that what a software firewall does anyways?
12fw <-QUOTE}
Hi!
I guess that if the PC relies on the router for DHCP and DNS (as it does in this case) and the router is owned, then you can have any firewall in front of the router but all your calls will be re-routed... so you are basically out of any control over your connections...
Fax
Stem
April 30th, 2007, 07:34 AM
{QUOTE-> Could somebody explain to me why setting the router as Internet is safer than setting it to Trusted? I need a good explanation and some details. I am really confused about this idea.
12fw <-QUOTE}If you check, it is the LAN that is set as internet. ZA does not place only the router as trusted, but the full LAN. As from the default settings for the "trusted" zone, Windows services will be open to this zone. Most will have the default settings within "Program control" to allow these Windows services (via svchost(XP)) unsolicited inbound (allow server in trusted zone). As "Escalader" has stated, there is more than one PC on the LAN, and a need not to share/connect to this, so why then trust the LAN and allow the inbound to the services?
Not all users only have one PC on the LAN, and certainly not all users are on a Trusted LAN, so I cannot understand how anyone can say just to add the LAN as trusted.
12fw
April 30th, 2007, 08:08 AM
Stem
The full LAN was never referred to as the router or am I missing something here? When I first installed the ZA, the first reboot after installing, showed a window with the router IP and a question to set it as trusted or internet. The entire LAN was never mentioned, just the router IP itself. The other PC on the LAN is still not included as Trusted and it still should be seen as Internet, hence not Trusted. I am not too sure where I did say LAN instead of the router.
12fw
Stem
April 30th, 2007, 08:14 AM
12fw,
Check "firewall -> Zones". The entry will be for the LAN, not just the router: example 192.168.0.0/255.255.255.0. This entry will be for all IPs in the range 192.168.0.0 to 192.168.0.255 (also the "entry type" will show as "Network"). So if set to trusted, you are trusting all the IPs in that range, not just the router.
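To make the difference between a "Network" zone entry and a single-host entry concrete, here is an added Python example (it is not code from the thread or from Zone Labs). It parses ZA-style zone entries, reports the address range each one covers, and shows which peers a Trusted policy would admit under two tables: the LAN entry ZA creates, and a table that trusts the router alone. The addresses, the second LAN host 192.168.0.37 and the simplified "allow server in Trusted only" rule are assumptions for illustration.

```python
import ipaddress

# Constructed ZA-style zone tables as (entry, zone) pairs. The addresses are
# assumptions for illustration, not anyone's real configuration.
LAN_TRUSTED = [
    ("192.168.0.0/255.255.255.0", "Trusted"),   # "Network" entry ZA creates for the LAN
    ("127.0.0.1", "Trusted"),                    # loopback
]
ROUTER_ONLY_TRUSTED = [
    ("192.168.0.1", "Trusted"),                  # single-host entry for the router alone
    ("127.0.0.1", "Trusted"),
]

def parse_entry(entry):
    """A ZA zone entry is either 'a.b.c.d' or 'a.b.c.d/netmask'; a lone host
    becomes a /32 so both kinds are matched the same way."""
    return ipaddress.ip_network(entry, strict=False)

def entry_type(entry):
    return "Host" if parse_entry(entry).num_addresses == 1 else "Network"

def address_range(entry):
    net = parse_entry(entry)
    return str(net[0]), str(net[-1])

def zone_for(ip, table):
    """Zone a peer falls into; anything not listed is Internet."""
    addr = ipaddress.ip_address(ip)
    for entry, zone in table:
        if addr in parse_entry(entry):
            return zone
    return "Internet"

def unsolicited_inbound_allowed(ip, table):
    """Simplified Program Control model (an assumption, not ZA's rule engine):
    a Windows service with 'allow server' in Trusted only accepts unsolicited
    inbound from peers in the Trusted zone."""
    return zone_for(ip, table) == "Trusted"

if __name__ == "__main__":
    entry = "192.168.0.0/255.255.255.0"
    print(entry, entry_type(entry), "covers", *address_range(entry))
    for peer in ("192.168.0.1", "192.168.0.37", "203.0.113.9"):
        print(peer,
              "LAN trusted:", zone_for(peer, LAN_TRUSTED),
              "| router only:", zone_for(peer, ROUTER_ONLY_TRUSTED))
```

With the LAN entry trusted, 192.168.0.37 (any other box on the segment) can reach a service that has server rights in Trusted; with only the router's /32 trusted, that same host lands in Internet and is treated like any outside address.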
12fw
April 30th, 2007, 08:21 AM
Thank you Stem. I see now what you mean.
So why not change this and make it just the router IP as Trusted and exclude the rest of the LAN? I am at a disadvantage since I am just a single-PC arrangement. Would there not be alerts about unsolicited packets and blocked routed packets regardless of the LAN set as Trusted?
12fw
fax
April 30th, 2007, 08:30 AM
{QUOTE-> 12fw,
Check "firewall -> Zones" The entry will be for the LAN, not just the router: example 192.168.0.0/255.255.255.0. This entry will be for all IP`s in the range 192.168.0.0 to 192.168.0.255 (Also the "entry type" will show as "Network") So if set to trusted, you are trusting all the IP`s in that range, not just the router. <-QUOTE}
Hi Stem,
I think you misunderstood 12fw (and correct me if I am wrong), but the question was: why the router is not trusted (NOT the Lan)? What would be the security risk of adding the router (ONLY the router) to the trusted zone?
Or I am missing something in the explanation you gave to 12fw.
EDIT: ooops I see that 12fw has already posted the same question.... sorry.
Fax
12fw
April 30th, 2007, 08:40 AM
Fax
Not a problem since we are all very civilized users.
Stem
I just set the router or more correctly the LAN to internet. I did the same for the DNS servers. These are now Internet and not Trusted. Then I rebooted. Other than some blocked inbound from the DNS, I cannot see where there is any problems. I should add that under the Advanced button of the Firewall, I do have the router listed under "this computer is a client of an ICS/NAT gateway using the ZAPro" and the router address is clearly seen in the little windows. Does this make any difference or reduce the security?
12fw
Stem
April 30th, 2007, 08:51 AM
{QUOTE-> Would there not be alerts about unsolicited packets and blocked routed packets regardless of the LAN set as Trusted? <-QUOTE}Most packets on the LAN would be directed at Windows services (svchost(XP)), which have server rights in the trusted zone, so that unsolicited inbound would be allowed.
From the popup given by ZA when a network is found:- Trusted Zone: "Use only if you need to share files or printers with others on this network"
Stem
April 30th, 2007, 09:02 AM
{QUOTE-> I do have the router listed under "this computer is a client of an ICS/NAT gateway using the ZAPro" and the router address is clearly seen in the little windows. Does this make any difference or reduce the security?
12fw <-QUOTE}From my understanding of this, these settings are for ICS, and if the gateway is running ZA, then this option is checked.
12fw
April 30th, 2007, 09:10 AM
Stem
But the LAN is now Internet not trusted, so would not that count, since the only Trusted is the localhost? There is no other Trusted and anything from the LAN should be internet.
I do not think it means the gateway is running the ZAPro, but the PC is a client using the ZAPro that has a gateway using the router IP. The router address is clearly seen and no other. Plus I have all ICS disabled.
12fw
Stem
April 30th, 2007, 09:20 AM
12fw,
If we look at one of the options for this:-
Forward alerts from gateway to this computer
This to me would indicate the setup of comms between the gateway and the client. So for this to happen, then both the gateway and client would need to be running ZA?
12fw
April 30th, 2007, 09:24 AM
I also see the options "This computer is an ICS/NAT gateway" and "This computer is not on an ICS/NAT network". But if I use the second one, does it not defeat the NAT from the router?
The LAN and the router are defined as Internet and so are the DNS. There is no ICS enabled in the PC or any kind of remote assistance. The file and printer sharing is unchecked in the network properties.
Stem quoted
"From my understanding of this, these settings are for ICS, and if the gateway is running ZA, then this option is checked."
Why would the PC care if the gateway was using ZA? I think my explanation is correct.
12fw
12fw
April 30th, 2007, 09:27 AM
Stem
"Forward alerts from gateway to this computer"
Yes, all nice and good, but that option is not chosen.
12fw
Stem
April 30th, 2007, 09:39 AM
{QUOTE-> Stem
"Forward alerts from gateway to this computer"
Yes all nice and good, but that option is not choosen.
12fw <-QUOTE}When the option "This computer is a client of an ICS/NAT gateway running Zonealarm pro" is enabled, UDP packets are sent from local port 17986 to gateway IP port 17987. This looks like attempted comms specific to/from ZA. I would need to install ZA on gateway and client to confirm.
edit,
On checking, when this option is enabled ZA pro is listening for inbound UDP on local ports 17985/17987
So from this, ZA pro would need to be on gateway/client for these comms to function correctly
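One way to confirm listeners like the ones Stem reports is to parse the output of netstat -ano rather than eyeballing it. The Python below is an added example, not from the thread or from ZA; it runs on a constructed XP-style netstat listing in which PID 1204 and the UDP 17985/17987 bindings are assumptions. It also separates sockets bound to 127.0.0.1 (reachable only locally) from those bound to a LAN or wildcard address, which is the set the Trusted/Internet zone decision actually affects.

```python
import re

# Constructed `netstat -ano` output in the Windows XP layout. PIDs and ports
# are assumptions chosen to mirror the ports named in the thread.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1204
  TCP    192.168.0.100:1043     69.16.231.58:80        ESTABLISHED     1520
  UDP    0.0.0.0:17985          *:*                                    1204
  UDP    0.0.0.0:17987          *:*                                    1204
  UDP    192.168.0.100:68       *:*                                    1036
  UDP    127.0.0.1:1900         *:*                                    1036
"""

# proto, local addr:port, foreign, optional state (UDP rows have none), pid
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano text into a list of socket records, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, state, pid = m.groups()
        rows.append({"proto": proto, "local_addr": laddr, "local_port": int(lport),
                     "foreign": faddr, "state": state, "pid": int(pid)})
    return rows

def listeners(rows):
    """TCP sockets in LISTENING plus every UDP socket (UDP shows no state)."""
    return [r for r in rows if r["proto"] == "UDP" or r["state"] == "LISTENING"]

def ports_by_pid(rows):
    """Group listening (proto, port) pairs by owning PID."""
    out = {}
    for r in listeners(rows):
        out.setdefault(r["pid"], set()).add((r["proto"], r["local_port"]))
    return out

def lan_reachable(rows):
    """Listeners bound to anything other than loopback can be hit from the LAN
    (subject to the host firewall); 127.0.0.1 binds cannot."""
    return [r for r in listeners(rows) if not r["local_addr"].startswith("127.")]

def check_udp_ports(rows, expected_ports):
    """Map each expected UDP port to the PID bound to it, or None if nobody is."""
    found = {r["local_port"]: r["pid"] for r in listeners(rows) if r["proto"] == "UDP"}
    return {p: found.get(p) for p in expected_ports}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("ZA-related UDP ports:", check_udp_ports(rows, [17985, 17986, 17987]))
    print("listeners per PID:", ports_by_pid(rows))
    for r in lan_reachable(rows):
        print("LAN-reachable:", r["proto"], r["local_addr"], r["local_port"], "pid", r["pid"])
```

Port 17986 comes back as None in the sample because, per Stem's description, it is the client's source port for outbound packets, not a listener; only the two listening ports show up. On a real box, feed the function the output of netstat -ano and compare the PID with tasklist.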
12fw
April 30th, 2007, 09:41 AM
I tried to change the actual IP and subnet of the router/LAN to just the single IP, but it will not change. So the change to Internet still is applied. But I did add the actual router IP as Trusted and with no subnet or range. Just the router IP itself. Does this threaten security? Should this be removed?
I have the Internet Security slider set at High. Should the Trusted Security slider be set at High?
The only thing in the logs is the dropped UDP from the DNS server.
12fw
Escalader
April 30th, 2007, 09:49 AM
Stem:
It's not possible for me to follow all this cross talk since interpretations vary.
This AM on bootup ZA wouldn't let me logon to the internet until I set the Lan etc to trusted! See attached jpg
Another thing was my log all events option was turned off! On bootup
As you know, ZA auto updates are ALL turned off, so why did Updclient.exe which is ZA try to use my blocked no apple connects to connect out? Maybe someone will help you by checking this out. I'm not trying to restart the spy story again. So there must be a legit explanation. I don't care since it was blocked.
Stem what did your own tests while you were working show?.
As you know I'm only acting on your steps and ideas. I didn't want to go trusted but otherwise I wouldn't be able to post here;D
I will now reset the Lan to internet and leave the actual ip's as trusted just to see what happens while waiting for you.
PS Are we all having fun yet? think of it we are only on the second tab of FW settings!;D
12fw
April 30th, 2007, 10:01 AM
Here is the latest news
I set the advanced to "This computer is not on a ICS/NAT network"
I removed the router IP and just left the original ZA calculated router/LAN as Internet.
I set both Internet and Trusted Security sliders at High.
The Program Control slider is at High.
The alert events are set at High.
The whole thing is working fine and internet is very smooth and the only logs are the blocked UDP from the DNS.
What am I doing wrong?
12fw
fax
April 30th, 2007, 10:54 AM
{QUOTE-> Stem:
It's not possible for me to follow all this cross talk since interpretations vary.
This AM on bootup ZA wouldn't let me logon to the internet until I set the Lan etc to trusted! See attached jpg
Another thing was my log all events option was turned off! On bootup
As you know, ZA auto updates are ALL turned off, so why did Updclient.exe which is ZA try to use my blocked no apple connects to connect out? Maybe someone will help you by checking this out. I'm not trying to restart the spy story again. So there must be a legit explanation. I don't care since it was blocked.
Stem what did your own tests while you were working show?.
As you know I'm only acting on your steps and ideas. I didn't want to go trusted but otherwise I wouldn't be able to post here;D
I will now reset the Lan to internet and leave the actual ip's as trusted just to see what happens while waiting for you.
PS Are we all having fun yet? think of it we are only on the second tab of FW settings!;D <-QUOTE}
Not having the connection unless you have the LAN set to trusted is a weird problem...
Did you follow the suggestion from Stem? i.e. removing that 255.255.... and setting back "allow broadcast/multicast"...
Are bitdefender and SS disabled? They may interfere in all of this... or at least doing some active monitoring and/or port activity.
Fax
12fw
April 30th, 2007, 11:02 AM
I have set the Advanced to "This computer is not on a ICS/NAT network", and have done many netstat -ano. I cannot see any port monitored by the ZA fw. There is no green dot under the Active column for network activity by any ZA component. So I am assuming ZA is now not monitoring any special ports of its own, just what is happening with the PC?
12fw
12fw
April 30th, 2007, 11:06 AM
Escalader
I have no trouble getting internet and it is fast as before. I really have no idea why there are alerts and issues on your PC. Mine is super tight now and is just fine. Let's wait for Stem and his suggestions.
12fw
12fw
April 30th, 2007, 11:21 AM
Stem, Fax and Escalader
I have the "allow broadcast/multicast" checked in ZA. Does that make any difference? Is this a security risk?
12fw
Stem
April 30th, 2007, 01:13 PM
{QUOTE-> What I am asking now is what if I changed ZA Pro's custom FW settings to allow DHCP on port 67 in the internet zone? <-QUOTE}I think the 2 rules~ Allow outgoing DNS/ Allow outgoing DHCP are for use on an ICS gateway (to allow server for DNS/DHCP to the clients). I will need to change my setup to confirm.
Stem
April 30th, 2007, 01:42 PM
{QUOTE-> I have the "allow broadcast/multicast" checked in ZA. Does that make any difference? Is this a security risk?
12fw <-QUOTE}
If you were connected directly to the internet, possibly, as from enabling this, broadcasts by NetBIOS etc are allowed. With this option disabled, it certainly does not block the inbound DHCP broadcasts.
Stem
April 30th, 2007, 01:46 PM
{QUOTE-> This AM on bootup ZA wouldn't let me logon to the internet until I set the Lan etc to trusted! <-QUOTE}The only way I have been able to cause bootup problems (for DHCP) is to block ARP. Was your router already booted/on before you booted the PC?
Even if I block the replies for DHCP when the PC with ZA boots, when I then start the DHCP server, the broadcast by the server is allowed through by ZA, and the IP resolved.
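As an added example (not code from the thread or from ZA), the Python below builds the four-message DHCP lease exchange Stem describes, decodes the fields a blocked-packet log reader needs (local/remote IP and port, xid, message type, server identifier), and pushes the packets through a toy stateful host filter to show why a policy that drops everything addressed to 255.255.255.255 leaves the client without a lease. The filter is a simplified model, not ZA's engine; the MAC, xid, router address 192.168.0.1 and offered address 192.168.0.100 are constructed values. The packet layout and option codes follow RFC 2131/2132.

```python
import struct
import ipaddress

# BOOTP/DHCP layout and option codes from RFC 2131 / RFC 2132.
BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}
BROADCAST_FLAG = 0x8000
HDR = "!BBBBIHH4s4s4s4s16s64s128s"   # 236-byte fixed BOOTP header
LIMITED_BROADCAST = "255.255.255.255"

def build_dhcp(op, msg_type, xid, mac, yiaddr="0.0.0.0", server_id=None):
    """Constructed (not captured) minimal DHCP message: header, cookie, options."""
    fixed = struct.pack(HDR, op, 1, 6, 0, xid, 0, BROADCAST_FLAG,
                        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
                        b"\0" * 4, b"\0" * 4, mac.ljust(16, b"\0"),
                        b"\0" * 64, b"\0" * 128)
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return fixed + MAGIC_COOKIE + opts + bytes([OPT_END])

def parse_dhcp(payload):
    """Decode what a firewall log reader needs: op, xid, flags, yiaddr, type, server."""
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message: magic cookie missing")
    f = struct.unpack(HDR, payload[:236])
    op, _, hlen, _, xid, _, flags, _, yiaddr, _, _, chaddr, _, _ = f
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": "BOOTREQUEST" if op == BOOTREQUEST else "BOOTREPLY",
        "xid": xid,
        "broadcast_flag": bool(flags & BROADCAST_FLAG),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "mac": chaddr[:hlen].hex(":"),
        "type": MSG_NAMES.get(options.get(OPT_MSG_TYPE, b"\0")[0], "UNKNOWN"),
        "server_id": (str(ipaddress.IPv4Address(options[OPT_SERVER_ID]))
                      if OPT_SERVER_ID in options else None),
    }

# Constructed lease exchange as the client sees it on the wire:
# (src_ip, src_port, dst_ip, dst_port, payload). All values are assumptions.
CLIENT_MAC = bytes.fromhex("001122334455")
ROUTER = "192.168.0.1"          # assumed DHCP server (the router)
OFFERED = "192.168.0.100"       # assumed address handed out
XID = 0x3903F326

def sample_exchange():
    return [
        ("0.0.0.0", 68, LIMITED_BROADCAST, 67, build_dhcp(BOOTREQUEST, 1, XID, CLIENT_MAC)),
        (ROUTER, 67, LIMITED_BROADCAST, 68, build_dhcp(BOOTREPLY, 2, XID, CLIENT_MAC, OFFERED, ROUTER)),
        ("0.0.0.0", 68, LIMITED_BROADCAST, 67, build_dhcp(BOOTREQUEST, 3, XID, CLIENT_MAC, server_id=ROUTER)),
        (ROUTER, 67, LIMITED_BROADCAST, 68, build_dhcp(BOOTREPLY, 5, XID, CLIENT_MAC, OFFERED, ROUTER)),
    ]

def run_host_filter(exchange, allow_broadcast):
    """Toy stateful host filter (a model, not ZA): outbound is allowed; inbound
    only as a server-port-67 reply to a pending xid; anything addressed to
    255.255.255.255 is dropped unless allow_broadcast. Returns (verdicts, leased_ip)."""
    pending, verdicts, leased = set(), [], None
    for src_ip, src_port, dst_ip, dst_port, payload in exchange:
        msg = parse_dhcp(payload)
        outbound = msg["op"] == "BOOTREQUEST"
        if dst_ip == LIMITED_BROADCAST and not allow_broadcast:
            verdict = "drop"
        elif outbound:
            verdict = "allow"
            pending.add(msg["xid"])
        elif src_port == 67 and dst_port == 68 and msg["xid"] in pending:
            verdict = "allow"
            if msg["type"] == "ACK":
                leased = msg["yiaddr"]
        else:
            verdict = "drop"
        verdicts.append((msg["type"], verdict))
    return verdicts, leased

if __name__ == "__main__":
    for allow in (False, True):
        verdicts, ip = run_host_filter(sample_exchange(), allow)
        print("allow broadcast =", allow, "->", verdicts, "leased:", ip)
```

Note what the log fields look like on a booting client: the DISCOVER has local IP 0.0.0.0 and remote IP 255.255.255.255, and with the broadcast flag set the OFFER and ACK also arrive addressed to 255.255.255.255, not to the address being offered. A filter that only accepts replies destined to the host's own IP, or that treats the limited-broadcast address as an Internet-zone host with broadcast disabled, never sees the lease complete.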
Escalader
April 30th, 2007, 02:33 PM
{QUOTE-> .....
Are bitdefender and SS disabled? They may interfere in all of this... or at least doing some active monitoring and/or port activity.
Fax <-QUOTE}
It is not reasonable to disable BD and/or SS during this work. Stem has made no such suggestion.
Escalader
April 30th, 2007, 02:35 PM
{QUOTE-> Escalader
I have no trouble getting internet and it is fast as before. I really have no idea why there are alerts and issues on your PC. Mine is super tight now and is just fine. Let's wait for Stem and his suggestions.
12fw <-QUOTE}
Right, that is exactly what I will do. Thanks, yours is a voice of reason;D
Escalader
April 30th, 2007, 02:38 PM
{QUOTE-> The only way I have been able to cause bootup problems (for DHCP) is to block ARP. Was your router already booted/on before you booted the PC? <-QUOTE}
Yes, I leave it on.
{QUOTE-> Even if I block the replies for DHCP when the PC with ZA boots, when I then start the DHCP server, the broadcast by the server is allowed through by ZA, and the IP resolved. <-QUOTE}
What now? I have no next step to take for you to narrow this down.
Escalader
April 30th, 2007, 02:41 PM
{QUOTE-> Stem, Fax and Escalader
I have the "allow braodcast/multicast" checked in the ZA. Does that make any difference? Is this a security risk?
12fw <-QUOTE}
Sorry 12fw, I have no idea yet on this. Best to remain silent unless you do know is my policy. Wait for Stem and we can learn together!
Escalader
April 30th, 2007, 02:43 PM
{QUOTE-> I think the 2 rules~ Allow outgoing DNS/ Allow outgoing DHCP are for use on an ICS gateway (to allow server for DNS/DHCP to the clients). I will need to change my setup to confirm. <-QUOTE}
Okay, maybe I asked the wrong question in attempting to solve this with you?
If it's a bad idea just say so Stem!
fax
April 30th, 2007, 02:51 PM
{QUOTE-> If you where connected directly to the internet, possibly, as from enabling this, broadcasts by netbios etc are allowed. With this option disabled, it certainly does not block the inbound DHCP broadcasts. <-QUOTE}
Well, per the book (ZA manual) it only allows DHCP broadcast and not NetBIOS (for sure not for the internet zone).
I guess that if your system needs to renew the IP it may have trouble getting one due to the broadcast being blocked (from system to router).
Fax
12fw
April 30th, 2007, 02:59 PM
Escalader
I found these for some reference material.
TCP/IP Routing Basics for Windows NT
http://support.microsoft.com/kb/140859
Broadcast address
http://en.wikipedia.org/wiki/Broadcast_address
Multicast address
http://en.wikipedia.org/wiki/Multicast_address
Stem has already said that checking the "allow broadcast/multicast" option is safe for you.
12fw
Stem
April 30th, 2007, 03:39 PM
{QUOTE-> Well, per book (ZA manual) it only allows DHCP brodcast and not NETBIOS (for sure not for the internet zone).
I guess that if your system need to re-new the IP it may have troubles in getting one due to the broadcast been blocked (from system to router)
Fax <-QUOTE} This is the gateway log.
Remember the LAN is set to "Internet".
First log: bootpc with ZA, broadcasts not allowed (attachment 189473).
Second log: bootpc with ZA, broadcasts allowed (no replies are allowed from gateway to NetBIOS) (attachment 189474).
On both logs, ZA is installed on 192.168.0.83
fax
April 30th, 2007, 04:34 PM
{QUOTE-> This is the gateway log
Remember the LAN is set to "Internet"
First log, bootpc with ZA, Broadcasts not allowed.
Second log, bootpc with ZA, Broadcasts are allowed (no replies are allowed from gateway to netbios)
On both logs, ZA is installed on 192.168.0.83 <-QUOTE}
Thanks for checking it up....
Hmm, so... apart from the user manual being wrong, in practical terms, does this mean it is safe or not safe to allow broadcasting?
Fax
Escalader
April 30th, 2007, 06:00 PM
{QUOTE-> Escalader
I found these for some reference material.
TCP/IP Routing Basics for Windows NT
http://support.microsoft.com/kb/140859
Broadcast address
http://en.wikipedia.org/wiki/Broadcast_address
Multicast address
http://en.wikipedia.org/wiki/Multicast_address
Stem has already said that to check the "allow braodcast/multicast" is safe for you.
12fw <-QUOTE}
12fw, thanks for references and the reminder about what Stem told us to do!
In all the cross talk I kind of forgot what the question was! I went in and checked it BUT guess what it was no longer checked, maybe I forgot to click apply! :-[
Escalader
April 30th, 2007, 06:52 PM
Okay, here we are at post 120, here is my April 30 zones setting window.
Stem, please look at this jpg and indulge me as the OP and "learner".
Look at each line and tell me if the line is needed or not and, if needed, if I should alter the settings to/from trusted/internet. At this point I don't need to know why you recommend what you recommend. If others here disagree with Stem I don't need to hear about it at this point.
I have heard about the loopback, but I don't have that in this list should it be there?
12fw
April 30th, 2007, 07:06 PM
Escalader
The loopback is Trusted, since it is an address that goes no where. It is a reserved address for the computer itself and is only used inside the computer. It never goes out or accepts anything in.
Maybe the DNS server should be added, but I set mine as Internet. In the spirit of the thread.
The router IP I dropped, but I did set the router/lan as Internet.
It is okay to block sites or servers, but I do not think it is important to include the updater sites as Internet, since they should be internet to begin and not assumed to be trusted.
12fw
12fw
April 30th, 2007, 07:09 PM
Stem
I am curious. If the "allow broadcast/multicast" is enabled and the PC has no UPnP or BIOS or file/printer sharing or remote assistance or such used, is the multicast a real threat? Yes there are outgoing, but there is nothing to respond to any replies.
12fw
oldshep
April 30th, 2007, 07:18 PM
12fw,
I admit that I've become a little confused over the last couple of pages of comments. Would you mind taking a look at my setup ( post #78 ) and comment as to the differences between it and what you now have?
If I get rid of the trusted router address and just leave the entire lan in the internet zone, I think I get a lot of warnings for service host in the logs - at least that's what happened a few months back when testing ZAPro.
I still don't know what if any are the security risks for leaving the router as trusted.
Thanks,
Oldshep
12fw
April 30th, 2007, 07:29 PM
oldshep
In the spirit of this special thread, I set the router/LAN as internet, the DNS server as internet and the loopback as trusted. Other than blocked UDP from the DNS, nothing unusual is happening. I had placed the router IP as trusted, but in the spirit of the thread, I removed it. Still all is okay.
Having the router IP as trusted shouldn't be a real issue. The only possible threat is if the router got owned. The only way that could happen is if the default password and account haven't been changed.
12fw
Escalader
April 30th, 2007, 08:01 PM
{QUOTE-> Escalader
The loopback is Trusted, since it is an address that goes no where. It is a reserved address for the computer itself and is only used inside the computer. It never goes out or accepts anything in.
Maybe the DNS server should be added, but I set miine as Internet. In the spirit of the thread.
The router IP I dropped, but I did set the router/lan as Internet.
It is okay to block sites or servers, but I do not think it is important to include the updater sites as Internet, since they should be internet to begin and not assumed to be trusted.
12fw <-QUOTE}
Thanks, the spirit was established in the first few posts. It is for Stem to provide me answers to simple questions. If you guys persuade him to advise me something then and only then will I change/do anything. Otherwise I will be blown this way and that. Don't get me wrong here, I'm not saying you aren't correct, just that I have to do what an OP poster learner guy said in post 1!
oldshep
April 30th, 2007, 08:33 PM
12fw,
Many thanks for the clarification. I think I understand what you all are saying. I may retest and move my router address back to internet to confirm what happens.
I'll continue to read further posts with interest.
Oldshep
fax
May 1st, 2007, 05:53 AM
{QUOTE-> Thanks, the spirit was established in the first few posts. It is for Stem to provide me answers to simple questions. If you guy's persuade him to advise me something then and only then will I change/do anything. Otherwise I will be blown this way and that. Don't get me wrong here I'm not saying you aren't correct just that I have to do what a OP poster learner guy said on post 1! <-QUOTE}
Yep, lets wait for Stem..
But, Stem already suggested to remove the 255.255.255.255 rule: http://www.wilderssecurity.com/showpost.php?p=993605&postcount=65
and not to set the router as trusted: http://www.wilderssecurity.com/showpost.php?p=991180&postcount=17
Well, for me adding the router to the trusted zone is perfectly fine ;D but I think Stem approach is different i.e. (broadly speaking) whatever is outside your PC is not trusted by definition but only by specific rules (if needed)...
Fax
12fw
May 1st, 2007, 08:47 AM
Did a quick check and the ZA says this about the new network found when first installing:
192.168.x.x
Keep in Internet Zone:
-For use at public or questionable access points (hotel,airport,coffeeshop,...)
-Allows Internet access, blocks others from accessing your computer
Allows into trusted Zone:
-For trusted, secure locations only (home,office...)
-Use only if you need to share files or printers with others on this network
I think escalader should follow the advice from before and make sure that his SpySweeper and BitDefender are not causing any conflicts. They do have web scanning and web content filtering. The potential problems are possible.
12fw
Escalader
May 1st, 2007, 09:37 AM
{QUOTE-> The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable the "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IP`s. <-QUOTE}
Good morning Stem:
Because of the FUD factor to confirm for Stem I have removed 255.255..... and allowed Broadcast/multicast as he suggested.
I also added the loopback adapter. Is that okay Stem?
The only block I see at the moment is ZA's Updclient.exe trying to access the Apple site which I have explicitly blocked. What reason would ZA have for trying that when I have turned off all automatic updating?
Another observation is ZA Pro keeps turning off All Alerts High, on every boot up!
See latest and greatest jpg.
Stem
May 1st, 2007, 09:56 AM
OK,
We are going around in circles, and losing track, certainly as to the original members posts/concerns.
Let us go over what we have found/posted, and try to address this in a way understandable to all.
First, it has been mentioned of placing the PC on a fixed IP, also a post on hardening the system by disabling some Windows services, and yes, I have made posts on the forum to show some un-needed services that can be disabled. But, due to this thread, as I mentioned, I have reset the group policy within XP (all services as default Windows installation), as I believe it is the settings within ZA that are being asked for. I think some understanding of what is able to leave/enter the PC with default Windows settings and default ZA settings needs to be known, so that changes (where possible) can be made within ZA to secure the system.
Main point at this time is the adding of the LAN/router into the trusted zone. OK, this is already within the popup from ZoneAlarm when the new network is found: "Use only if you need to share files or printers with others on this network". Adding the router as trusted... I do have to ask "why"; there should be no need for this. I put the router as a layer of defence and like to keep this isolated. If the router is placed within the trusted zone, with default trusted zone settings, then Windows is able to connect to the router via SSDP (uPnP). Yes, again, I am going from default Windows settings, and also default router settings (most routers now are uPnP, and most have uPnP enabled), so I prefer the PC not to be able to control anything within the router (and so will not simply say "yes" to making this trusted). This leads to the connection problems shown, such entries as outbound DHCP/DNS blocked; as I have mentioned, this should not happen as long as svchost (XP) is allowed Internet outbound and the Internet lock is off.
From my checking of DHCP allowed with ZA, you will see a log (first pic, post #127); this basically shows the DHCP broadcast allowed out from ZA, with the reply broadcast allowed (I know the return broadcast was allowed as ZA then made a DNS lookup for zonelabs). I have also checked, by only allowing DHCP on the LAN after booting ZA, that unsolicited inbound DHCP broadcasts are allowed. Now I can understand if DNS replies may be blocked; these may be late replies and seen as unsolicited. If these servers are Internet, then why would you want to place these as trusted? You are (from ZA default settings) basically allowing all out/in to these servers, even up to the point of sharing files on the PC (remember, trusted zone: "Use only if you need to share files or printers with others on this network").
Adding loopback (127.0.0.1) as trusted: yes, I have no problem with this in ZA, as restrictions are made to the access of this.
So, for now, I need to know where "Escalader" is with this, and what points need clarification.
(As for the concerns of possible conflict with other software on the PC that may be causing the problems, yes, this will need to be checked)
edit,
Sorry Escalader, you posted as I was posting/reviewing thread
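The post above turns on reading the firewall log: which blocked entries are DHCP replies (a connectivity problem), which are late DNS replies (usually harmless), which are NetBIOS or SSDP broadcasts (a sharing or uPnP exposure question), and which zone the remote address falls in. Here is an added example, written for this page and not code from the thread or from ZoneAlarm, that does that triage over a constructed log. The line layout ("date time FWIN|FWOUT proto src:port -> dst:port ALLOW|BLOCK") is a simplification, not ZoneAlarm's real log format; the zone table mirrors the settings posted in the thread (loopback trusted, 192.168.1.0/24 kept as Internet, one blocked host), with the blocked host address 203.0.113.10 and the timestamps being assumptions.

```python
"""Triage firewall log lines by zone and traffic type (added example)."""
import ipaddress
import re

# Zone table: first match wins; anything unlisted falls into the Internet zone.
ZONES = [
    (ipaddress.ip_network("127.0.0.1/32"), "trusted"),     # loopback adapter
    (ipaddress.ip_network("203.0.113.10/32"), "blocked"),  # assumed blocked update host
    (ipaddress.ip_network("192.168.1.0/24"), "internet"),  # family LAN kept as Internet
]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>FWIN|FWOUT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<action>ALLOW|BLOCK)$")


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for net, zone in ZONES:
        if addr in net:
            return zone
    return "internet"


def is_broadcast(ip):
    """Limited broadcast, multicast, or the directed broadcast of a listed LAN."""
    addr = ipaddress.ip_address(ip)
    if addr == LIMITED_BROADCAST or addr.is_multicast:
        return True
    return any(addr == n.broadcast_address for n, _ in ZONES if n.prefixlen < 32)


def traffic_class(direction, proto, sport, dport):
    if proto == "UDP" and (sport, dport) == (68, 67):
        return "dhcp-request"          # client 68 -> server 67
    if proto == "UDP" and (sport, dport) == (67, 68):
        return "dhcp-reply"            # server 67 -> client 68, often broadcast
    if proto == "UDP" and direction == "FWOUT" and dport == 53:
        return "dns-query"
    if proto == "UDP" and direction == "FWIN" and sport == 53:
        return "dns-reply"
    if proto in ("UDP", "TCP") and {sport, dport} & {137, 138, 139}:
        return "netbios"
    if proto == "UDP" and 1900 in (sport, dport):
        return "ssdp"                  # uPnP discovery
    return "icmp" if proto == "ICMP" else "other"


def assess(e):
    """Expected block, connectivity problem, or exposure?"""
    cls, act, d, zone = e["traffic"], e["action"], e["direction"], e["zone"]
    if zone == "blocked":
        return "expected block" if act == "BLOCK" else "policy violation: blocked host reachable"
    if cls == "dhcp-reply" and act == "BLOCK":
        return "connectivity: lease reply dropped"
    if cls == "dns-reply" and act == "BLOCK":
        return "late or unsolicited reply dropped; check for failed lookups"
    if cls == "netbios" and d == "FWIN":
        return "expected block" if act == "BLOCK" else "exposure: file/printer sharing reachable"
    if cls == "ssdp" and act == "ALLOW":
        return "pc can reach uPnP on the gateway; disable uPnP on the router if unwanted"
    if cls == "icmp" and act == "BLOCK":
        return "expected block"
    return "ok"


def review(log_text):
    """Parse every well-formed line and attach zone, class and concern."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        g = m.groupdict()
        remote = g["src"] if g["dir"] == "FWIN" else g["dst"]
        e = {"ts": g["ts"], "direction": g["dir"], "action": g["action"],
             "remote": remote, "zone": zone_of(remote),
             "broadcast": is_broadcast(g["dst"]),
             "traffic": traffic_class(g["dir"], g["proto"], int(g["sport"]), int(g["dport"]))}
        e["concern"] = assess(e)
        out.append(e)
    return out


# Constructed sample log (not a real capture); ICMP lines carry port 0.
SAMPLE_LOG = """\
2007-05-01 08:30:10 FWOUT UDP 0.0.0.0:68 -> 255.255.255.255:67 ALLOW
2007-05-01 08:30:11 FWIN UDP 192.168.1.1:67 -> 255.255.255.255:68 ALLOW
2007-05-01 08:30:12 FWOUT UDP 192.168.1.100:1031 -> 192.168.1.1:53 ALLOW
2007-05-01 08:30:15 FWIN UDP 192.168.1.1:53 -> 192.168.1.100:1031 BLOCK
2007-05-01 08:30:20 FWIN UDP 192.168.1.37:138 -> 192.168.1.255:138 BLOCK
2007-05-01 08:30:21 FWIN ICMP 192.168.1.1:0 -> 192.168.1.100:0 BLOCK
2007-05-01 08:30:30 FWOUT UDP 192.168.1.100:1900 -> 239.255.255.250:1900 ALLOW
2007-05-01 08:31:00 FWOUT TCP 192.168.1.100:1040 -> 203.0.113.10:80 BLOCK
"""

if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(e["ts"], e["direction"], e["traffic"], e["zone"], e["action"], e["concern"])
```

Run it and the only line that needs action is the SSDP one; the blocked DNS reply and ICMP unreachable are the kind of entries the thread treats as noise, and a blocked DHCP reply (none in the sample) is the one that would explain a PC that cannot get on the network at boot.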
Escalader
May 1st, 2007, 10:13 AM
{QUOTE-> ........
Well, for me adding the router to the trusted zone is perfectly fine ;D but I think Stem approach is different i.e. (broadly speaking) whatever is outside your PC is not trusted by definition but only by specific rules (if needed)...
Fax <-QUOTE}
edit: Sorry Stem, you posted as I was doing this one. We are of the same mind on ending the circle. I will post separately in reply to your last post.
Vive la différence. For me, it is clear that Stem's ideas are the more secure and optimum path. So let's drop that debate; it is done with as far as this thread is concerned. It is the optimum setting for ZA Pro for me and I'm staying with it, unless Stem comes to a different conclusion later, which has a 1/100,000 chance of happening.
To all (excluding Stem) posters in the thread! (12fw, Fax, oldshep, etc)
Please post your ZA Pro Firewall zones settings as I have done multiple times; it would be educational for me for sure and for all thread contributors. Some have done it earlier but changes have been made. If you don't want questions on your settings, best not to post them though. My own view is that if I want to learn, best to be open and clear and sometimes admit to being :-\ , :-[ and lost at sea. If we see posters are actually using ZA right now then their post is more... how to put this... can't get the right word... but useful comes to mind, no insult intended. This is difficult stuff for me anyway, but it is best to know where everybody is coming from!;D
(Use Alt + PrintScreen paste to Paint save as jpg and upload as an attachment to your post, but I suspect every body knows this)
There are the following sets of ZA software (this is not a commercial) so please indicate which product you are using for this learning thread
ZoneAlarm security software is a family of security products that offers a wide range of features and benefits. This release supports the following versions of ZoneAlarm security software:
ZoneAlarm
Offers firewall protection, limited MailSafe protection and Program Control, and Anti-virus Monitoring.
ZoneAlarm Anti-virus
Includes the same features available in free ZoneAlarm, plus Kaspersky Anti-virus protection, Inbound and Outbound MailSafe protection, Program Control with SmartDefense Advisor, and OSFirewall protection.
ZoneAlarm Anti-Spyware
Includes the same features available in free ZoneAlarm, plus Anti-spyware protection, Inbound and Outbound MailSafe Protection, Program Control with SmartDefense Advisor, and OSFirewall protection.
ZoneAlarm Pro
Includes expert firewall protection, Inbound and Outbound MailSafe protection, Program Control with SmartDefense Advisor, Privacy control, Identity Protection, Anti-spyware protection, and OSFirewall protection.
ZoneAlarm Security Suite
Includes the features available in ZoneAlarm Pro, plus IM Security, Parental Control, Identity Protection, Kaspersky Anti-virus protection, Junk E-mail Filtering, and offers protection for mobile laptop users and wireless home networks.
Escalader
May 1st, 2007, 10:38 AM
{QUOTE-> OK,
.........
Adding loopback(127.0.0.1) as trusted, yes, I have no problem with this in ZA, as restrictions are made to the access of this)
So, for now, I need to know where "Escalader" is with this, and what points need clarification.
(As for the concerns of possible conflict with other software on the PC that may be causing the problems, yes, this will need to be checked)
edit,
Sorry Escalader, you posted as I was posting/reviewing thread <-QUOTE}
Okay, Stem here where I am at, lets move to detail on MY settings only,
(1) Please review my zones entries line by line (as of may 1 was posted earlier)
(2) Just say remove/change and add any item I need. Is my family LAN a range or a single ip with the subnet as a qualifier?
(3) I have my cable isp listed as a trusted ip is that wise or needed?
Then very briefly remind me of the custom settings I should have in both Trusted and internet zones. NO NEED TO REPEAT WHY AT THIS POINT!;D
I do have a 2nd non sharing gaming computer PC on the LAN only sharing the Cable DSL router.
My ISP assigned by DHCP as 198.168.1.100
Subnet mask is 255.255.255.0 (now removed)
Default Gateway 192.168.1.1
AFTER I MAKE FINAL CORRECTIONS ON ZONES AND CUSTOM SETTINGS I WANT TO MOVE ON TO PROGRAM CONTROL.
If others poster want to pursue other points of view with you/me maybe they can start a specific thread for that or PM you/me directly.:thumb:
Escalader
May 1st, 2007, 11:04 AM
{QUOTE-> Yes, good point uPnP can be a security risk. No doubts...
However:
1. UPnP is disabled by default in windows XP machines
2. UPnP is disabled by default in most (if not all) router brands. At least it was in 4 different brand routers I have tried.
and:
3. UPnP is not prevented if you set your LAN/router to the Internet zone in ZA. I have just tested it now with MSN Messenger Live, which uses UPnP. Apparently the precondition for not allowing UPnP is to disable it in the OS or in the router.
So, to summarise is still unclear the concrete risk of adding the router to trusted zone granted that your router is set-up securely (as already described in previous posts). But, for the purpose of this thread I perfectly understand why you have suggested to keep it out from the trusted zone
Fax <-QUOTE}
To all posters:
I am :'( or >:( I don't know which.
Please follow the latest and greatest requests to drop the trusted router subject
For me it is done! It may be unclear to some but not to me anyway.:thumb:
To my fellow posters here, my router is not your router, my xp settings are not your xp settings, I refuse to use messenger, my questions and view of what is wise is not equal to yours! So this thread is about specific optimum settings for ZA Pro. An endless circular debate is not helping with learning or achieving the goals of the OP. I ask everyone to respect the very special theme of this thread.
It would be easy for me to take it all offline via PMs with Stem or even use poster blocking, but I have responded in good faith to Stem's idea of me as a "learner" in plain view, and these negative steps would end the thread and lose any benefits for those who read only the thread, fearing to enter or post where wise men fear to tread!
If there are honest disagreements, make the point once with rationale/proof from actual testing and move on with me to the next subject. Please no FUD, speculations or red herrings.
Posters can act or not act on their own systems as they see fit.
Let's all get back to the last posts twixt Stem and me and move on!8)
Escalader
May 1st, 2007, 11:16 AM
{QUOTE-> Sorry Escaleder, I have made my last post on the uPnP issue with Stem... promise is my last... Sorry again for Hijacking your post...
Peace,
Fax <-QUOTE}
Peace in our time? :-\
Apology accepted.
I had a boss once who said we can accept all these mistakes you make but it is these errors you make that worry us!;D
Stem
May 1st, 2007, 11:41 AM
{QUOTE-> (1) Please review my zones entries line by line (as of may 1 was posted earlier) <-QUOTE} You do not need to add IPs (from the internet) as Internet. The only entries you should place here are for "Blocked" or "Trusted". The only exception to this is if you are placing the LAN as Internet.
{QUOTE-> (2) Just say remove/change and add any item I need. Is my family LAN a range or a single ip with the subnet as a qualifier? <-QUOTE} You would need to check the router as to what range of IPs is issued. ZA does pick up this LAN (from the DHCP) so the range should show within that network entry.
{QUOTE-> (3) I have my cable isp listed as a trusted ip is that wise or needed? <-QUOTE} Again, I do not see why you should place this as trusted.
I do think we need to find why you are having problem with DHCP, as without some resolution to this, your problems will be ongoing.
Please confirm the other (all) security applications you have installed, I will install these on my base setup to see if I can recreate the problem.
Escalader
May 1st, 2007, 02:26 PM
Okay, Stem my replies are within your answers in RED
{QUOTE-> You do not need to add IPs(from the internet) as Internet. The only entries you should place here are for "Blocked" or "Trusted". The only exception to this is if you are placing the LAN as internet.
Okay, I will now remove them
You would need to check the router as to what range of IP`s are issued. ZA does pick up this LAN (from the DHCP) so the range should show within that network entry. Is that inside the router settings or the Lan network status?
Again, I do not see why you should place this as trusted.
It is removed (the isp address) completely
I do think we need to find why you are having problem with DHCP, as without some resolution to this, your problems will be ongoing.
Okay, but let's see what happens now with these changes to my FW settings. What about the summary for me of the custom settings for both zones? Let's verify I haven't fouled that up!
I want to restart my PC now to see if I am still having issues, so I'm clearing the ZA logs to get a fresh start.
Please confirm the other (all) security applications you have installed, I will install these on my base setup to see if I can recreate the problem. <-QUOTE}
Okay, but why don't you wait until we find out if the problem is solved now? That would save you some effort (maybe).
Here is my active / realtime security software list
ZA Pro 7.0.337.000, all autoupdates off, all email, asw, spysite blocking off
SpySweeper 5.3 with active AV turned off
BitDefender 10 with AV real time enabled, Behavioral ASW enabled
SpyWareBlaster
FF 2.0.0.3, DOM inspector, RefControl, Script control
PC Tools, Spam Monitor
Here is my passive / on demand 1/ month security software list
Ad-Aware SE (free), never finds anything
Spybot Search & Destroy, never finds anything
Escalader
May 1st, 2007, 02:35 PM
{QUOTE-> Hello fax,
I am certainly interested in your findings, and would certainly like to go through settings you have, the comms made etc. But as noted, the thread is digressing too much from original poster. You can start a new thread on this, and/or I can split off the posts regarding this issue. But I do have to respect the member who started this/any thread. So if you wish to continue this, which I have no problem with doing, please PM me if you would like any of the posts (by you/my reply/your reply etc) from this thread moving to one where we can continue. <-QUOTE}
Stem / Fax:
This is a solution I like. Please snip/move the non OP posts including mine if any and take your discussion to another thread, I will not give up this learning opportunity.
Fax, human nature is hard to contain as has been shown but if the OT posts can move and occur in another place we all can get on with the original thread. 160 posts and still on page 2! It's a bit much!
Stem
May 1st, 2007, 03:09 PM
{QUOTE-> Okay, but why don't you wait untill we find out if the problem is solved now, that would save you some effort (maybe) <-QUOTE}As you wish.
{QUOTE-> Here is my active / realtime security software list
ZA Pro 7.0.337.000, all autoupdates off, all email, asw, spysite blocking off
SpySweeper 5.3 with active AV turned off
BitDefender 10 with AV real time enabled, Behavioral ASW enabled
SpyWareBlaster
FF 2.0.0.3, DOM inspector, RefControl, Script control
PC Tools, Spam Monitor
Here is my passive / on demand 1/ month security software list
Adware SE (free), never finds anything
SpyBot S& Destroy never finds anything <-QUOTE} Noted, for future possible installation to check on possible conflicts.
I made some changes to setup earlier, and attached ZA (PC) directly to Internet DHCP/DNS (my setup, well, can be confusing to explain). I see in the ZA logs that replies from my DNS (Internet) servers have been blocked. This shows what has been mentioned earlier, and this does give me concern. I know, from my logs, these replies were well within any timeout.
Escalader
May 1st, 2007, 08:10 PM
Hi Stem: as before mine are in RED
{QUOTE-> As you wish.
Okay, I have no real objection to you trying out my combo of software it would be interesting for me to learn what you do from that simulation.
It's just that I want to leave that till we finish with the first questions, I am making the assumption that there is no real conflict between these 3 tools.
I have that from a number of sources. WebRoot has even stated that they have no conflict working with BD 10 as long as the AV on SS is OFF, in my case it is.
Noted, for future possible installation to check on possible conflicts.
I made some changes to setup earlier, and attached ZA(PC) directly to Internet DHCP/DNS (my setup, well, can be confusing to explain). I see in the ZA logs that replies from my DNS (Internet)servers have been blocked. This shows what as been mentioned earlier, and this does give me concern. I know, from my logs, these replies where well within any timeout.
It a coincidence that you thought of hooking direct to Internet. That of course removes the router issues from the equation and allows you to study ZA without that. I am continuing with router route for the thread.
Right now, with the changes I have made things seem much better since I removed ip's and added the loopback. I haven't had a block since I logged back in. Mind you the router was not powered down.
So in FW Zones all I have is:
(1) host site apple blocked
(2) Family Lan 192.168.1.0/255.255.255.0 Internet
(3) Loopback Adapter 127.0.0.1 IP Trusted
Internet Zone, I'm
allowing broadcast multicast
Trusted Zone
all default, nothing ticked
Advanced Settings
Sharing
not on ICS/NAT
General 5 ticked
block all fragments
enable ARP
filter IP traffic on 1394
Lock hosts file
Disable Windows firewall
Network Settings 2 ticks
ask which zone....
automatically put new unprotected wireless networks into internet zone. (That's an interesting one I didn't see before. ZA says internet zone...)
So unless you see something I missed or should change, let's make our settings as close as possible and move on?
I'm ready to move to Program Control.
Both main settings at High, Lock is off. Nothing changed on the screen saver rules, have a look at that please.
Custom for HIGH ALL options ticked both for OS and Component control!
On permissions all set at ask permission, nothing changed.
If you are all okay there, let's move to programs in detail. Click on the programs column heading to bring ZA programs to the top. There are the main columns for the first 3 and the options, which vary by program, of which there are many more than columns. I would suggest you give a policy or principle we should use by column, for example SEND mail: why would I have more than 1 program approved for send mail? There are 5 ticked green.
Anyway Stem, if there is a easier way for you to help optimize the settings in programs let me know. I'm flexible.
<-QUOTE}
gre87y
May 1st, 2007, 08:18 PM
{QUOTE-> Stem / Fax:
This is a solution I like. Please snip/move the non OP posts including mine if any and take your discussion to another thread, I will not give up this learning opportunity.
Fax, human nature is hard to contain as has been shown but if the OT posts can move and occur in another place we all can get on with the original thread. 160 posts and still on page 2! It's a bit much! <-QUOTE}
I would like to see Fax continue his posting. Good to see both sides of an issue:)
Escalader
May 1st, 2007, 09:26 PM
{QUOTE-> I would like to see Fax continue his posting. Good to see both sides of an issue:) <-QUOTE}
Hi gre87y I remember you!
Not to worry I'm sure Fax will continue posting.
In my view, Stems,and Faxes the OP had been 'hijacked' or "diverted OT", what ever words fit. They have agreed to take those OT issues elsewhere. I for one appreciate that!
Perhaps a new thread for those issues will be created? You could do that!
This thread had gone OT, IMHO. It happens. it gets fixed and we all move on.
My thread is not a debating thread it is a learning thread with me as the "learner". I was buried and lost in OT posts and losing heart till Stem helped us out.
If anybody has a fact/experienced based contribution to make on this learning thread go ahead and make it! I would read it for sure! I then wait for Stem as that is his role in this thread. But a never ending debate, no thanks, not in this thread.
We have moved now to Program Control, what are your own learnings to share on my recent posted questions to Stem?
Stem
May 2nd, 2007, 12:50 AM
@Escalader,
I have placed ZA back on LAN.
I am now seeing some boot problems, ZA PC was issued with LAN IP this was accepted, and ZA made the usual DNS lookup for zonelabs, there was then an outbound blocked DHCP by ZA, at the same time, the ZA PC changed IP (to an IP out of LAN range). I will need to see how often this happens, as this will cause the PC to have no internet access.
Update,
The problem I am seeing is due to my now using an nVidia onboard NIC (I just plugged into the nearest when I changed my setup around). Changing back to a Realtek onboard NIC, the problem has gone. So there is a conflict with the nVidia NIC (or drivers) on my setup.
EDIT:
{QUOTE-> Internet Zone, I'm
allowing broadcast multicast <-QUOTE} Now, we did set this option back on when you were having connection problems. But I do not see any need for this in the internet zone (as DHCP broadcast is allowed with this setting off). The only use I can see of this (from my setup, with what is being broadcast) is for if you are sharing files/printers, so that boot-up connection would be made (via the NetBIOS broadcast). So I do think this should be disabled in the internet zone.
Escalader
May 2nd, 2007, 08:30 AM
Good Morning Stem:
Things running more smoothly now on my bootup and logging in (with multicast allowed) See below where I have changed it as per your edit.
With SS no longer in the internet zone as a site, ZA gave me an alert that it was trying to use IE to access trusted zone 127.0.0.1 port 1252. I allowed it since that is SS's normal update of signatures etc. for parasites.
BD updated smoothly with no alerts or blocks. These 2 were earlier removed from my zones list.
ZA also blocked an incoming packet 192.168.1.1 to 192.168.1.100 ICMP Unreachable was blocked.
If you need more details my logs have it. There were more recorded but that's enough on FW for now.
{QUOTE-> @Escalader,
Please check my "EDIT" on post#164.
We can then move on. <-QUOTE}
Right! it was on from before so here then are my modified ZA Pro FW settings!
So in FW Zones all I have is:
(1) host site apple blocked
(2) Family Lan 192.168.1.0/255.255.255.0 Internet
(3) Loopback Adapter 127.0.0.1 IP Trusted
Internet Zone,
I'm NOT allowing broadcast multicast
Trusted Zone
all default, nothing ticked
Advanced Settings
Sharing
not on ICS/NAT
General 5 ticked
block all fragments
enable ARP
filter IP traffic on 1394
Lock hosts file
Disable Windows firewall
Network Settings 2 ticks
ask which zone....
automatically put new unprotected wireless networks into internet zone. (That's an interesting one I didn't see before. ZA says internet zone...)
So unless you see something I missed or should change, let's make our settings as close as possible and move on?
I'm ready to move to Program Control.
Both main settings at High, Lock is off. Nothing changed on the screen saver rules, have a look at that please.
Custom for HIGH ALL options ticked both for OS and Component control!
On permissions all set at ask permission, nothing changed.
If you are all okay there, let's move to programs in detail; click on the programs column heading to bring ZA programs to the top. There are the main columns for the first 3 and the options, which vary by program, of which there are many more than columns. I would suggest you give a policy or principle we should use by column, for example SEND mail: why would I have more than 1 program approved for send mail? There are 5 ticked green.
Anyway Stem, if there is an easier way for you to help optimize the settings in programs let me know. I'm flexible.
Stem
May 2nd, 2007, 08:43 AM
I have split a number of posts to here (http://www.wilderssecurity.com/showthread.php?t=173448)
@Escalader,
For program control, start with the basics as you mention.
Allow to send mail~ only your mail clients, all else can have a red "X"
Allow server in Internet~ as you have mentioned, you do not want any inbound connections, so none should have a green tick
Allow out to internet~ this is where we need to take some time and look at the programs that require this. Most windows applications don't actually need internet access, but it can/will depend on your needs.
Allow out to/ server in trusted~ No rush on this yet as you only have the loopback adapter within the trusted zone. Whatever is ticked or "?" leave for now.
For any blocked ICMP etc from your router, we can look at creating some rules (once we know you have no problems with setup)
Escalader
May 2nd, 2007, 11:23 AM
{QUOTE-> ........
For program control, start with the basics as you mention.
Allow to send mail~ only your mail clients, all else can have a red "X"
_________________________________________________________________
As before, My comments are in "Red", Okay, I'm just a robot programmer at heart so I'll deal first with the SEND mail suggestions.
Allow to send mail~ only your mail clients, all else can have a red "X"
There are 5 ticked green,
COM Surrogate
Internet Explorer (6)
MS Help and Support Centre
MS Office Outlook
MS office word
I'm scared of 1, so until you tell me it has no need for a green tick on it I'll do zip. I will remove the green tick on 2, 3 and 4. I meant 5, NOT 4.
Allow server in Internet~ as you have mentioned, you do not want any inbound connections, so none should have a green tick.
ZA help agrees with this as I read it; they say few programs need server rights in the internet zone but leave a note that those programs I trust can have it. A bit fuzzy, so I'll change all green ticks there to ? for now and wait for you to hit me over the head on outright red X'ing them?
Allow out to internet~ this is where we need to take some time and look at the programs that require this. Most windows applications don't actually need internet access, but it can/will depend on your needs.
I have done nothing here
Allow out to/ server in trusted~ No rush on this yet as you only have the loopback adapter within the trusted zone. Whatever is ticked or "?" leave for now.
I have done nothing here
For any blocked ICMP etc from your router, we can look at creating some rules (once we know you have no problems with setup) I have done nothing here <-QUOTE}
Program Control, These are my main settings:
Both main settings at High, Lock is off. Nothing changed on the screen saver rules, have a look at that please.
Custom for HIGH ALL options ticked both for OS and Component control!
On permissions all set at ask permission, nothing changed.
Escalader
May 4th, 2007, 10:10 AM
As before, my post comments are in RED
{QUOTE-> I have split a number of posts to here (http://www.wilderssecurity.com/showthread.php?t=173448)
@Escalader,
For program control, start with the basics as you mention.
Allow to send mail~ only your mail clients, all else can have a red "X"
Send Mail settings I have gone ahead and blocked them all except MS Outlook with a RED X
Allow server in Internet~ as you have mentioned, you do not want any inbound connections, so none should have a green tick
I'm timid so I changed them to ask (?). Hit me again on this Stem, why would ZA's standard setup allow a green tick? Is it because of the difference in security design concepts?
Allow out to internet~ this is where we need to take some time and look at the programs that require this. Most windows applications don't actually need internet access, but it can/will depend on your needs.
Nothing done here yet!
Allow out to/ server in trusted~ No rush on this yet as you only have the loopback adapter within the trusted zone. Whatever is ticked or "?" leave for now.
Nothing done here yet!
For any blocked ICMP etc from your router, we can look at creating some rules (once we know you have no problems with setup)
Okay, I'm assuming like you Stem that this is unknown at this point in time! (BTW points in time don't exist! :-[ )
<-QUOTE}
Escalader
May 6th, 2007, 09:13 PM
Hello All:
We have moved on to Program Settings.
The following 5 ticked green in SEND mail as defaults:
1. COM Surrogate
2. Internet Explorer (6)
3. MS Help and Support Center
4. MS Office Outlook
5. MS office word
How/who derives these defaults? Why would 1,2 and 3 receive green ticks?
Another quirk is bugging me. On Alerts Events Shown ZA keeps turning it off!
I need it on during this learning thread. How do I lock it on?
Under Server Internet , what will happen if I make every single setting a red X? Warning aside?
Escalader
May 7th, 2007, 09:53 AM
Good morning Stem! (or is it night?)
I posted a few before you can look at when there is time.
Here is a jpg of a ZA Options pop up window showing defaults by application.
I am unsure if the defaults are "optimum", what do you suggest, I can change this for each program line if you want or do nothing?
Please advise.
Stem
May 12th, 2007, 04:20 PM
Right, let's get back to this:
{QUOTE-> The following 5 ticked green in SEND mail as defaults:
1. COM Surrogate
2. Internet Explorer (6)
3. MS Help and Support Center
4. MS Office Outlook
5. MS office word
How/who derives these defaults? Why would 1,2 and 3 receive green ticks?
<-QUOTE}These I suspect will be from the "advisor". If an application is capable of sending e-mails, and this is seen as "trusted", then the options are put in place. This is really to save popups in the future for these apps. Of course not all are actually wanted or possibly needed, so we can simply edit these to suit what you want/need.
Basically, tick the mail client you use, question mark or red "X" the ones you don't. (I say question mark, as you/others may be unsure of what is used, and with a question mark a popup will show if that app attempts to send an e-mail; if the user has just attempted to send an e-mail, they will then know it should be allowed, and the option can be changed.)
Berge01
May 12th, 2007, 04:37 PM
{QUOTE-> Right, let's get back to this:
These I suspect will be from the "advisor". If an application is capable of sending e-mails, and this is seen as "trusted", then the options are put in place. This is really to save popups in the future for these apps. Of course not all are actually wanted or possibly needed, so we can simply edit these to suit what you want/need.
Basically, tick the mail client you use, question mark or red "X" the ones you don't. (I say question mark, as you/others may be unsure of what is used, and with a question mark a popup will show if that app attempts to send an e-mail; if the user has just attempted to send an e-mail, they will then know it should be allowed, and the option can be changed.) <-QUOTE}
May I add some info to this. You DO NOT have to give Generic Host Services any SERVER rights. Those two columns under server rights are all X's for every program on my computer and I have no problems.
Stem
May 12th, 2007, 04:47 PM
{QUOTE-> May I add some info to this. <-QUOTE}of course you can.
{QUOTE-> You DO NOT have to give Generic Host Services any SERVER rights. Those two columns under server rights are all X's for every program on my computer and I have no problems. <-QUOTE}Server rights for the internet are certainly not needed for the correct operation of the OS. Server rights to allow inbound connections for localhost(loopback) can/are needed on some setups, but this depends on the software installed on the system.
Like on a setup, behind a router, then the OS can be set where svchost needs no direct outbound to the Internet (apart from windows updates, if these are done via auto updates)
12fw
May 12th, 2007, 05:15 PM
I suppose svchost.exe could have Expert Rules for DHCP, DNS, windows updates and such, and then the server rights for the Trusted Zone could be changed from allowed to ask?
12fw
Stem
May 12th, 2007, 05:29 PM
{QUOTE-> I suppose svchost.exe could have Expert Rules for DHCP, DNS, windows updates and such, and then the server rights for the Trusted Zone could be changed from allowed to ask?
12fw <-QUOTE}For the setup I mentioned "behind a router", the OS can be given a static IP/DNS servers, the DNS client can be disabled, and such services as "windows time" (which ZA does not allow out in my setup) and the browser service etc. can be disabled.
This would certainly stop any possible problems with DHCP (in this setup), which has been one of the main problems (due to some hardware/driver problems I have seen).
For me such a setup is not a problem, and certainly not a problem for me to advise others to make. It is only due to other posts/PMs that I attempt to place all for the firewall. I do see that I should have stayed with my own thoughts on this, as it is less problematic, and certainly does not take a lot of time to show how to make such a setup.
Escalader
May 13th, 2007, 12:17 AM
{QUOTE-> Right, let's get back to this:
These I suspect will be from the "advisor". If an application is capable of sending e-mails, and this is seen as "trusted", then the options are put in place. This is really to save popups in the future for these apps. Of course not all are actually wanted or possibly needed, so we can simply edit these to suit what you want/need.
Basically, tick the mail client you use, question mark or red "X" the ones you don't. (I say question mark, as you/others may be unsure of what is used, and with a question mark a popup will show if that app attempts to send an e-mail; if the user has just attempted to send an e-mail, they will then know it should be allowed, and the option can be changed.) <-QUOTE}
Stem:
Due to the outbound packet destination IP issues, I turned Smart Advisor off.
I have now turned it to medium which, if I read it right, gives advice but does not make settings on its own as at the high setting. Does that make sense?
As to the SEND mail red X's I have them ALL off except one my email program which is MS Outlook ( NOT EXPRESS)
I am able to send and receive mail so that column is done?
Escalader
May 13th, 2007, 12:31 AM
{QUOTE-> of course you can.
Server rights for the internet are certainly not needed for the correct operation of the OS. Server rights to allow inbound connections for localhost(loopback) can/are needed on some setups, but this depends on the software installed on the system.
Like on a setup, behind a router, then the OS can be set where svchost needs no direct outbound to the Internet (apart from windows updates, if these are done via auto updates) <-QUOTE}
Stem, this is where I need some advice. I have red X'd svchost in both those columns. As well, I have red X'd the whole column marked Server Internet.
On server trusted there is a mix of X's and ?. One program does have 2 green X's Windows Genuine Advantage Notification. I didn't ask for 2 greens. But my guess is the last mass MS update to XP which I installed must have changed them. :-\
If I Red X every program as Berge01 does? What will happen next MS update?
Berge01 do you do these updates every time, did your Red X change as well?
Berge01
May 13th, 2007, 09:36 AM
{QUOTE-> Stem, this is where I need some advice. I have red X'd svchost in both those columns. As well, I have red X'd the whole column marked Server Internet.
On server trusted there is a mix of X's and ?. One program does have 2 green X's Windows Genuine Advantage Notification. I didn't ask for 2 greens. But my guess is the last mass MS update to XP which I installed must have changed them. :-\
If I Red X every program as Berge01 does? What will happen next MS update?
Berge01 do you do these updates every time, did your Red X change as well? <-QUOTE}
No Escalader, you need to have two Green Checkmarks under the Access columns for Generic Host.
Everything that is in the SERVER columns in Programs Control have all RED X's in them and I have not had any type of problems by having this setup. Now, if you feel unsure about having yours, then I suggest you leave a Blue Question Mark, so this way it will ask you, if you want to allow it or not. But, this is your decision. My decision has been made on how I WANT my firewall to be set up and run correctly.
Escalader
May 13th, 2007, 10:41 AM
As before my Q and A's are embedded in RED.
{QUOTE-> No Escalader, you need to have two Green Checkmarks under the Access columns for Generic Host.
That is how they are set now for Generic Host
Everything that is in the SERVER columns in Programs Control have all RED X's in them and I have not had any type of problems by having this setup. Now, if you feel unsure about having yours, then I suggest you leave a Blue Question Mark, so this way it will ask you, if you want to allow it or not. But, this is your decision. My decision has been made on how I WANT my firewall to be set up and run correctly.
Berge01, the way this thread works was set up in the first few posts; the thread has conditions (easy ones). I pose a question, people post their stuff, I read these, and do zip until Stem advises me. That way I don't get confused (again) and lose my way in the thread. Don't misunderstand me please, you may very well be dead on, probably are, but my action steps wait for Stem, who considers all advice and may make actual tests on his setup before giving his advice. Very professional and fact based:thumb:
A bit different, yes, but there it is.
That out of the way, everything in my SERVER columns in Programs Control is all RED X's, like you have.
My question to Stem was:
"One program does have 2 green X's Windows Genuine Advantage Notification. I didn't ask for 2 greens. But my guess is the last mass MS update to XP which I installed must have changed them "
Please tell us what settings you have for that program?
<-QUOTE}
Stem
May 14th, 2007, 12:17 PM
@Escalader,
{QUOTE->
"One program does have 2 green X's Windows Genuine Advantage Notification. I didn't ask for 2 greens. But my guess is the last mass MS update to XP which I installed must have changed them <-QUOTE}Are the 2 green (do you mean ticks/checks) entries for outbound in the trusted/internet zone?
There was an uproar about this WGA, as this was contacting the microsoft servers at regular intervals. These intervals were reportedly (by microsoft) reduced, but as I do not have this installed, I do not have any current info on this.
http://en.wikipedia.org/wiki/Windows_Genuine_Advantage
Escalader
May 14th, 2007, 01:42 PM
{QUOTE-> @Escalader,
Are the 2 green (do you mean ticks/checks) entries for outbound in the trusted/internet zone?
There was an uproar about this WGA, as this was contacting the microsoft servers at regular intervals. These intervals were reportedly (by microsoft) reduced, but as I do not have this installed, I do not have any current info on this.
http://en.wikipedia.org/wiki/Windows_Genuine_Advantage <-QUOTE}
Yes, I mean 2 ticks entries for both in and outbound in the SERVER trusted/internet zone.
These entries have not been customized, they are there as AUTO via the working SmartDefense feature which is at Medium at the moment.
I will set these as 2 red X's for now unless you recommend otherwise later.
Is there any reason why we can't just red x, ALL programs in both columns under SERVER trusted/internet zone?
Another way to put it is do you have ANY of your own programs in these 2 columns with a ? or green tick that you put there via customizing the settings for that program? If so which ones and why.
Ignore my way of putting all questions it has zero tone in it... just a style:-[ matter at my end.
Take care
Stem
May 14th, 2007, 02:17 PM
Hi Escalader,
{QUOTE-> Yes, I mean 2 ticks entries for both in and outbound in the SERVER trusted/internet zone. <-QUOTE}Well, I do not know why a firewall would allow unsolicited inbound from the Internet to any windows applications by default, certainly these settings need to be changed.
If we go from basic needs: unsolicited Internet inbound (server rights) is not needed. It is only for such as server software (P2P/torrent client), or some messenger programs where the user wants unsolicited inbound messages (as we have seen in another thread).
In your own setup you do not use any of these, so you can place a red "X" in all of the "server Internet".
Now, server in "trusted": well, many programs will make comms through localhost, so as you will see from other posts, most will add the localhost (127.0.0.0/255.255.255.0) as trusted, then allow programs outbound/server in the trusted zone. These settings do actually depend on the firewall in use, and how the localhost is handled.
{QUOTE-> Another way to put it is do you have ANY of your own programs in these 2 columns with a ? or green tick that you put there via customizing the settings for that program? If so which ones and why. <-QUOTE}My own setup, no. Only if I was to add, for example a P2P/torrent client for testing do I allow server rights. My own setup at this time does not have any entry within the "Trusted Zone", so I can simply have all "server" in this zone as red "X".
Escalader
May 14th, 2007, 05:59 PM
Hi Stem, (as before mine in red)
I have excerpts of the post to tell you what I have/will do now
If we go from basic needs. Unsolicited Internet inbound (server rights) are not needed. ......In your own setup you do not use any of these, so you can place a red "X" in all of the "server Internet".
Done, ALL are Red X now
.. server in "trusted", well, many program will make comms through localhost, so as you will see from other posts, most will add the localhost (127.0.0.0/255.255.255.0) as trusted, then allow programs outbound/server in the trusted zone. These settings ...depend on the FW .....and how the localhost is handled.
I'm confused :-[ . Maybe the words are just different. I have the Loopback 127.0.0.1 adapter as Trusted in FW settings. The LAN is 198.168.1.0/255.255.255.0 named Network as Internet.;D
Right. What do you need from me to close this matter off? My user need is to minimize outbound packets that have NO business leaving MY PC.! What should I do given this is the FW I have?
Since we have moved now to Program settings in ZA Pro that answer should go PM? Your call. I have promised ALL Thread posters/readers that want them to provide all my learnings on this thread.
My own setup, ...........any entry within the "Trusted Zone", so I can simply have all "server" in this zone as red "X".
I have done the same, the tool gave me a warning message on all the Systems Programs warning me NOT to customize them. I did it anyway. Okay?
So to summarize we have the last 3 columns in Program settings ALL red X'd except (in my case) for 1 green tick for my email server.
One observation, I never noticed this earlier: on the TRHS of the screen in ZA Pro I have several programs actively showing there, 1 is Windows Media Player Network Sharing Service. I did recently update to version 11 but don't recall that being there. I don't know what it is. If it is anticipating me downloading music that isn't on, too much illegal or unethical activity on that front for my taste.
What should I do?
After that matter, what is column is best to do next?
Take care Stem:thumb:
Escalader
May 15th, 2007, 04:30 PM
Stem:
Fixed the MS Media thing (partially), by removing it from the start up menu and messing about with its settings so it isn't in memory all the time. So it isn't creating log entries any more, which is good.:thumb:
It still shows wmpnetwk.exe as Network services; don't need that either, but have forgotten how to get at the services:-[ again.
Please give me a hint and look at my last reply post to you.
Thanks.
Stem
May 16th, 2007, 11:14 AM
{QUOTE-> I'm confused :-[ . Maybe the words are just different. I have the Loopback 127.0.0.1 adapter as Trusted in FW settings. <-QUOTE}
Localhost (http://en.wikipedia.org/wiki/Localhost)
Loopback (http://en.wikipedia.org/wiki/Loopback)
{QUOTE-> but have forgotten how to get at the services again. <-QUOTE}Start Menu-> Run, type services.msc
Stem
May 16th, 2007, 01:26 PM
{QUOTE-> One observation, I never noticed this earlier, TRHS of screen in ZA Pro I have serval programs actively showing there, 1 is Windows Media Player Network Sharing Service. I did recently update to version 11 but don't recall that being there. I don't know what it is. If it is anticipating me downloading music that isn't on, to much illegal or unethical activity on that front for my taste.
What should I do? <-QUOTE}For this, I will need to install/look at WMP 11 that you have installed (I personally do not use WMP, and have ver9 installed). WMP does integrate deeply into IE(and the OS), due to user (possible) needs for streaming video/music etc. (also when WMP is active, it will attempt connection through other browsers such as firefox)
We will need to look at settings within WMP, your needs of this, and then what can be done to limit these connections.
Escalader
May 16th, 2007, 03:00 PM
{QUOTE-> For this, I will need to install/look at WMP 11 that you have installed (I personally do not use WMP, and have ver9 installed). WMP does integrate deeply into IE(and the OS), due to user (possible) needs for streaming video/music etc. (also when WMP is active, it will attempt connection through other browsers such as firefox)
We will need to look at settings within WMP, your needs of this, and then what can be done to limit these connections. <-QUOTE}
Stem:
Please don't do it for my sake! I'm removing the product. I'd rather just work on the next column of settings in ZA Pro. I can always put it back in the future if I need it! :thumb:
19monty64
May 16th, 2007, 03:04 PM
FYI...I use "Windows Media Player Network Sharing Service" to allow Xbox to connect to pc to access media library from the gaming console. Haven't found any other use for WMPNetwk.exe...
Stem
May 16th, 2007, 03:20 PM
{QUOTE-> Please don't do it for my sake! <-QUOTE}I answer with what I know, anything I do not know (or uncertain) I check/test, this way I learn also.
If I was to be here only to give answers without a need to check, and my answers could resolve all questions without my need to learn,... then I would not be here on forum.
Escalader
May 16th, 2007, 03:26 PM
{QUOTE-> For this, I will need to install/look at WMP 11 that you have installed (I personally do not use WMP, and have ver9 installed). WMP does integrate deeply into IE(and the OS), due to user (possible) needs for streaming video/music etc. (also when WMP is active, it will attempt connection through other browsers such as firefox)
We will need to look at settings within WMP, your needs of this, and then what can be done to limit these connections. <-QUOTE}
Stem:
Using Add/Remove Programs in Control Panel didn't work; all you can do there, it seems, is roll back to earlier versions. I did that HOPING it would get rid of that network task. It didn't! So as you say this thing is embedded. When I went to Windows removal components and clicked on the WMP grey box, it seemed to be saying that if I proceeded it would take 9mb of HDD space. It's all gibberish to me.
So, not to be deterred, and in step with the thread, I used ZA Program settings and KILLED it! That got the job done. WMP network service is gone from the task list.
ZA now gives me pop ups that WMP is a malware program!
Hope MS doesn't see this!;D
Escalader
May 16th, 2007, 03:33 PM
{QUOTE-> I answer with what I know, anything I do not know (or uncertain) I check/test, this way I learn also.
If I was to be here only to give answers without a need to check, and my answers could resolve all questions without my need to learn,... then I would not be here on forum. <-QUOTE}
Agree 100%. My response sounded selfish and that I was alone in learning, I apologize since that is not the case.
Sometimes, getting so deep into a subject, I forget everything around me and can block out sounds and activity while doing stuff; it helped in university but not so much in give-and-take threads. I will try to improve. Best to reveal my observations as we go.
For my PC I'm content to just kill the Program. Now I, and anybody else, have learned how to kill programs in ZA;D
Escalader
May 16th, 2007, 06:06 PM
{QUOTE-> Localhost (http://en.wikipedia.org/wiki/Localhost)
Loopback (http://en.wikipedia.org/wiki/Loopback)
Start Menu-> Run, type services.msc <-QUOTE}
Thanks, now I remember the services stuff; it's been a while since I went in!
Action Taken: I have now disabled WMP. I will now unkill it in ZA program control, going to ?, to see if log entries for it stop.
Observations on Purchased Software Services that "call home"
1 Bitdefender Desktop updater is active to keep current
2 Perfect Disk
3 TrueVector, but not identified as belonging to ZA
4 Webroot Spy Sweeper is active for automatic updates
Observations from ZA Program log
1) Winlogon shows 5 blocked attempts to kerinet, 66.39.30.176.53
2) wmpnetwk shows many blocked attempts as follows
3 to loopback
12 to no identity ip or listed dns
6 to 239.255.255.250.1900
3) FW blocked 4 incoming
2 IGMP queries
2 ICMP's
Comments? anybody?
Stem
May 18th, 2007, 09:34 AM
{QUOTE-> Observations from ZA Program log
1) Winlogon shows 5 blocked attempts to kerinet, 66.39.30.176.53 <-QUOTE}Is this IP one of your DNS servers? Do you have the windows DNS client(service) active?
{QUOTE-> 2) wmpnetwk shows many blocked attempts as follows
3 to loopback
12 to no identity ip or listed dns
6 to 239.255.255.250.1900 <-QUOTE}WMP will attempt outbound connections based on the options, for such as the retrieval of media information/auto download of codecs etc. You will also see an option to start the player in "Media guide", which, if enabled, will then, on the startup of WMP, attempt outbound connections to 207.46.248.112/207.46.196.100 (on this setup).
There are also attempts at uPnP shown; I don't think you want WMP connecting to the router?
{QUOTE-> 3) FW blocked 4 incoming
2 IGMP queries
2 ICMP's <-QUOTE}I would need more info on these packets before comment.
Escalader
May 18th, 2007, 12:36 PM
As before, responses in Red
{QUOTE-> Is this IP one of your DNS servers? Do you have the windows DNS client(service) active?
NO. It is a McAfee red site link connected to one of my applications; I blocked it.
DNS client (service) active? Yes, it is active and set to automatic.
WMP will attempt outbound connections based on the options, for such as the retrieval of media information/ auto download codecs etc. You will also see an option to start the player in "Media guide", which, if enabled, will then on the startup of WMP will attempt outbound connections to 207.46.248.112/ 207.46.196.100 (on this setup).
Disabled that option, also removed WMP from startup. Don't need it or other programs sending packets on my behalf without my permission. We need to establish control over information leaving the PC's.
There are also attempts at uPnP shown; I don't think you want WMP connecting to the router?
This is true, the WMP service is disabled now on my PC, I also removed it from the start menu. I think I will also KILL the program in ZA Program Settings.
I would need more info on these packets before comment.
Yes, what information do you need? I will post if I can.
<-QUOTE}
Stem
May 18th, 2007, 01:25 PM
{QUOTE-> NO. It is a McAfee red site link connected to one of my applications I blocked it <-QUOTE}This we need to look at, it may well be legit, but a bypass.
OK, you have disabled WMP, so no real question on its attempts at outbound, as this is completely blocked.
{QUOTE-> Yes, what information do you need? I will post if I can. <-QUOTE}
IGMP: Is this internal comms? Check the logs for IP (broadcast/multi/.. or defined)
ICMP: Type/Code. If logging then source/destination should show.
Escalader
May 18th, 2007, 01:34 PM
{QUOTE-> This we need to look at, it may well be legit, but a bypass.
OK, you have disabled WMP, so no real question on its attempts at outbound, as this is completely blocked.
IGMP: Is this internal comms? Check the logs for IP (broadcast/multi/.. or defined)
ICMP: Type/Code. If logging then source/destination should show. <-QUOTE}
Here is one:
ZoneAlarm Pro has blocked access to port 0 on your computer
ZoneAlarm Pro has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe.
Inside the firewall alert
(Alert property: value; technical explanation)
Source IP Address: 192.168.1.1; the IP address of the computer that sent the packet which caused the alert.
Destination IP: 224.0.0.xxx; the IP address of the computer to which the packet was sent.
Transport Layer Protocol: IGMP; the protocol that allows data to be transported between software programs on different computers.
Network Layer Protocol: IP; the protocol that allows two networked computers to locate each other on a network.
Protocol Specific: Type 17 (0x11) - Membership Query; some protocols, such as ICMP and IGMP, have multiple "types" associated with the protocol. Each type number for a specific protocol has a standardized meaning.
Link Layer Protocol: Ethernet; the protocol that allows two directly linked computers to share a network cable.
Alert Date: May-18-2007 08:03:01 AM PDT; the time when ZoneAlarm Pro detected the alert on your computer.
Alert Count: 1; number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.
ZoneAlarm Pro security enforcement at time of alert
(Alert property: value; technical explanation)
Lock Level: Lock Not Engaged; Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
Trusted Zone Security Level: High; this ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
Trusted Zone Servers: Servers Allowed; computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
Internet Zone Security Level: High; this ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
Internet Zone Servers: Servers Allowed; computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
Packet Direction: Incoming; the packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
Zone: Internet Zone; this ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
Operating system: Windows XP-5.1.2600-Service Pack 2-SP; version of operating system running on your co
Escalader
May 18th, 2007, 05:59 PM
Stem:
Here is the current status of my FW settings in ZA Pro, in case anybody else is working along with us and wants to test my settings on their ZA Pro. 8)
A few UFO sites are blocked, as were discussed earlier during the "stopping phone home" posts. They all work fine. With all updates set to manual I can still update the product and the on demand ASW feature at will; I also get Smart_Advice in real time.
The only item I have Trusted is the loop back adapter? :-\ Comments?
I have my ISP listed as well. Comment at will please!
Steelhead
May 18th, 2007, 07:26 PM
First of all I have been following this entire thread, and I must say that you and Stem have done an outstanding job in trying to explain to all about "Optimum settings in ZA Pro."
You may want to go to the following site and gather some more info on who and what is connected or trying to connect to your computer. This site will give you a lot of excellent info, especially on IP addresses and who they are, therefore giving you more to block in your firewall.
Http://analyze.privacy.net/
Escalader
May 18th, 2007, 07:54 PM
{QUOTE-> First of all I have been following this entire thread, and I must say that you and Stem have done an outstanding job in trying to explain to all about "Optimum settings in ZA Pro."
You may want to go to the following site and gather some more info on who and what is connected or trying to connect to your computer. This site will give you a lot of excellent info, especially on IP addresses and who they are, therefore giving you more to block in your firewall.
Http://analyze.privacy.net/ <-QUOTE}
Thanks Steelhead,
I just went to the site and got quite a lot of information as you said:
Maybe you could have a look at this extract from the analysis and comment if you see anything I should change. My goal is to prevent packets leaving my PC that have no business doing that!
Firewall Test
Port and firewall status not determinable with JavaScript disabled.
Browser Type and Version
Browser: Firefox
Fullversion: 2.0.0.3
Gecko: True
GeckoBuildDate: 20070309
Crawler: False
Browser Security
Session Cookies Accepted
Persistant Cookies Accepted
JavaScriptEnabled: False
VBScriptEnabled: False
JavaEnabled: False
ActiveXEnabled: False
SSL: True
SSLActive: False
SSLKeySize: 0
SSLEnabled: False
Firewall: False
OpenPorts:
PopupsBlocked: False
ImagesEnabled: False
HighSecurity: True
Connection Details
Broadband: False
ConnectionType:
Firewall: False
Proxy: False
CompressGZip: True
AOL: False
MSN: False
The IP addresses I see are those belonging to my ISP and those passed through during the trace.
In your view, how should a user decide from such info who/what to block?
Be blunt, this stuff is important to keep clear and most of the readers here in this forum really want to maximize their security. Some have different views on how to do that but that's just reality.
Steelhead
May 19th, 2007, 12:05 PM
{QUOTE-> Thanks Steelhead,
I just went to the site and got quite a lot of information as you said:
Maybe you could have a look at this extract from the analysis and comment if you see anything I should change. My goal is to prevent packets leaving my PC that have no business doing that!
Firewall Test
Port and firewall status not determinable with JavaScript disabled.
Browser Type and Version
Browser: Firefox
Fullversion: 2.0.0.3
Gecko: True
GeckoBuildDate: 20070309
Crawler: False
Browser Security
Session Cookies Accepted
Persistant Cookies Accepted
JavaScriptEnabled: False
VBScriptEnabled: False
JavaEnabled: False
ActiveXEnabled: False
SSL: True
SSLActive: False
SSLKeySize: 0
SSLEnabled: False
Firewall: False
OpenPorts:
PopupsBlocked: False
ImagesEnabled: False
HighSecurity: True
Connection Details
Broadband: False
ConnectionType:
Firewall: False
Proxy: False
CompressGZip: True
AOL: False
MSN: False
The IP addresses I see are those belonging to my ISP and those passed through during the trace.
In your view, how should a user decide from such info who/what to block?
Be blunt, this stuff is important to keep clear and most of the readers here in this forum really want to maximize their security. Some have different views on how to do that but that's just reality. <-QUOTE}
Session Cookies - NOT Accepted
Persistant Cookies - NOT Accepted
Your quote: "the IP addresses I see are those belonging to my ISP and those passed through during the trace." NOT all of them, and you need to check out each IP address to make sure if in fact the IP addresses belong to your ISP. Btw, did it show on your test any of the following IP addresses?
NetRange: 4.0.0.0 - 4.255.255.255 OrgName: Level3 Communications, Inc. Also known as MarkMonitor.com.
Escalader
May 19th, 2007, 01:26 PM
{QUOTE-> Session Cookies - NOT Accepted
Persistant Cookies - NOT Accepted
Your quote: "the IP addresses I see are those belonging to my ISP and those passed through during the trace." NOT all of them, and you need to check out each IP address to make sure if in fact the IP addresses belong to your ISP. Btw, did it show on your test any of the following IP addresses?
NetRange: 4.0.0.0 - 4.255.255.255 OrgName: Level3 Communications, Inc. Also known as MarkMonitor.com. <-QUOTE}
Hi Steel:
Thanks, I will have a look at the cookies settings again. My ISP expects IE 6 or 7, so the only way I can get service there with FF is to allow that site the use of cookies. Most sites in FF I have blocked from using any cookies.
Here is the trace I got on test 1:
IP Address Host name
66.98.244.1 gphou-66-98-244-1.ev1servers.net
66.98.241.16 gphou-66-98-241-16.ev1servers.net
66.98.240.3 gphou-66-98-240-3.ev1servers.net
216.110.27.97 216-110-27-97.static.twtelecom.net
66.192.246.126 dist-01-ge-0-2-1-506.hsto.twtelecom.net
66.192.255.93 core-01-so-0-0-0-0.chcg.twtelecom.net
66.192.244.20 peer-02-so-0-0-0-0.chcg.twtelecom.net
206.223.119.105 equinixexchange.chicago.rogers.com
66.185.81.189 so-0-2-0.gw02.bloor.phub.net.cable.rogers.com
24.153.5.245 -
24.153.5.22 -
66.185.90.28 -
At that point it timed out.
If you have a look at few posts back in the FW Zones I blocked MarkMonitor.com early on due to doubt about that site.
My view was: if there is doubt, block it! What else is a FW for but to block bad ins and outs? This is not a court where the site should be assumed innocent until proven guilty. For FWs it must be the reverse approach. There would be some false positive sites, but that is better than a bad connect.
One thing that puzzled me is, does not an outbound packet take a variable route to the destination? Each time would be different? Thus checking out each IP in traces would be a hopeless task? :-\ Straighten me out on this anybody!
I see the point on my ISP sites; how do I check them again? I forgot the method to do it! :-[
Steelhead
May 19th, 2007, 03:42 PM
{QUOTE-> Hi Steel:
Thanks, I will have a look at the cookies settings again. My ISP expects IE 6 or 7, so the only way I can get service there with FF is to allow that site the use of cookies. Most sites in FF I have blocked from using any cookies.
Here is the trace I got on test 1:
IP Address Host name
66.98.244.1 gphou-66-98-244-1.ev1servers.net
66.98.241.16 gphou-66-98-241-16.ev1servers.net
66.98.240.3 gphou-66-98-240-3.ev1servers.net
216.110.27.97 216-110-27-97.static.twtelecom.net
66.192.246.126 dist-01-ge-0-2-1-506.hsto.twtelecom.net
66.192.255.93 core-01-so-0-0-0-0.chcg.twtelecom.net
66.192.244.20 peer-02-so-0-0-0-0.chcg.twtelecom.net
206.223.119.105 equinixexchange.chicago.rogers.com
66.185.81.189 so-0-2-0.gw02.bloor.phub.net.cable.rogers.com
24.153.5.245 -
24.153.5.22 -
66.185.90.28 -
At that point it timed out.
If you have a look at few posts back in the FW Zones I blocked MarkMonitor.com early on due to doubt about that site.
My view was: if there is doubt, block it! What else is a FW for but to block bad ins and outs? This is not a court where the site should be assumed innocent until proven guilty. For FWs it must be the reverse approach. There would be some false positive sites, but that is better than a bad connect.
One thing that puzzled me is, does not an outbound packet take a variable route to the destination? Each time would be different? Thus checking out each IP in traces would be a hopeless task? :-\ Straighten me out on this anybody!
I see the point on my ISP sites; how do I check them again? I forgot the method to do it! :-[ <-QUOTE}
You need to go to http://www.dnsstuff.com/ to lookup the IP Addresses. Plus this site offers a lot of other interesting info you can also check out.
fax
May 20th, 2007, 05:05 AM
{QUOTE-> .... the DNS client can be disabled, such as "windows time" which ZA does not allow out(in my setup) <-QUOTE}
Forgot to come back on this... a recent MS patch broke the service... have you tried to change the server? For example: time-a.nist.gov
I had the same issue after an MS monthly patch, and after reading in another security forum discovered that it was an MS problem (ZA blocking the call). Changed the server and voilà... Windows time syncs again without blocking ;)
Fax
Stem
May 20th, 2007, 09:18 PM
{QUOTE-> Forgot to come back on this... a recent MS patch broke the service... have you tried to change the server? For example: time-a.nist.gov <-QUOTE}
My test PC is only patched to before the release of the build of ZA I am testing (to stop such problems with Microsoft patches).
Before the installation, I did check that the "time service" was working correctly, as I don't normally have this service running, and there was no problem; my gateway logs showed the DNS lookups and the comms to "time.windows.com" (207.46.130.100).
{QUOTE-> I had the same issue after an MS monthly patch, and after reading in another security forum discovered that it was an MS problem (ZA blocking the call). Changed the server and voilà... Windows time syncs again without blocking ;) <-QUOTE}
Then there should not be a problem on a system that has not installed this patch? But ZA allows the DNS lookup, then silently blocks the "time.windows.com" outbound (the outbound is not allowed, but there is nothing in ZA logs to show the blocked packet).
fax
May 21st, 2007, 04:51 AM
{QUOTE-> My test PC is only patched to before the release of the build of ZA I am testing (to stop such problems with Microsoft patches).
Before the installation, I did check that the "time service" was working correctly, as I don't normally have this service running, and there was no problem; my gateway logs showed the DNS lookups and the comms to "time.windows.com" (207.46.130.100).
Then there should not be a problem on a system that has not installed this patch? But ZA allows the DNS lookup, then silently blocks the "time.windows.com" outbound (the outbound is not allowed, but there is nothing in ZA logs to show the blocked packet). <-QUOTE}
Everything can have an explanation that does not necessarily end up with "it's a ZA bug" :)
In my case, running the sync manually triggered a block in ZA, so it was not a silent block. Changing the server to whatever works... stopped the blocking and the logging. Why would windows.time be blocked and not another server? Uuuhm, maybe we should look at the service code or ZA code...
Have you tried it?
Fax
Escalader
May 21st, 2007, 02:40 PM
{QUOTE-> Everything can have an explanation that does not necessarily end up with "it's a ZA bug" :)
In my case, running the sync manually triggered a block in ZA, so it was not a silent block. Changing the server to whatever works... stopped the blocking and the logging. Why would windows.time be blocked and not another server? Uuuhm, maybe we should look at the service code or ZA code...
Have you tried it?
Fax <-QUOTE}
Stem: Hope I don't have this timing bug on my setup. How do I test to see if I can replicate it? If I grasp your message it seems connected with MS auto updates? Is it having them on or off to manage calling home?
Fax, whatever happened to SlyFox ? Used to post good stuff and hints and links.
Stem
May 21st, 2007, 02:58 PM
{QUOTE-> If I grasp your message it seems connected with MS auto updates? Is it having them on or off to manage calling home? <-QUOTE}
Fax posted that a recent Microsoft update has broken this service, but from my test PC (which, as I have mentioned, is only up to date on "Windows updates" to before the release of the ZA build that I am testing) I only see a problem after ZA is installed.
For me, personally, on this point of "windows time", ZA is doing me a favour by blocking this. The reply from "fax" on this was aimed at a post of mine where I was actually saying I would disable this service anyway (to stop any outbound by svchost).
As for if a user wants "time sync" and ZA (or whatever) is (for whatever reason) blocking this, then simply change the "time" server (as mentioned by fax). To me the blocking of "windows time" is not a problem, certainly not something to get worked up about.
Escalader
May 21st, 2007, 07:17 PM
Thanks Stem, if you are okay I'm not concerned about the clock business either.
Let's move on now to the next 2 columns in program settings, Access Trusted and Internet, columns 4 and 5 counting from the right. I have settings now of course. How are your own set up? Is there a simple way to start?
What if I just change every green check mark program in Internet column 4 to a ? or block (except MS media player which I have permanently blocked) ?
Or can we do it by program classes like all windows programs, all security programs all games etc etc?
Advice please?
Goal? Prevent packets that have no business leaving my PC from leaving?
Cold Pizza
May 22nd, 2007, 11:31 AM
{QUOTE-> Thanks Stem, if you are okay I'm not concerned about the clock business either.
Let's move on now to the next 2 columns in program settings, Access Trusted and Internet, columns 4 and 5 counting from the right. I have settings now of course. How are your own set up? Is there a simple way to start?
What if I just change every green check mark program in Internet column 4 to a ? or block (except MS media player which I have permanently blocked) ?
Or can we do it by program classes like all windows programs, all security programs all games etc etc?
Advice please?
Goal? Prevent packets that have no business leaving my PC from leaving? <-QUOTE}
Not to cut into this discussion with Stem, but a possible solution to prevent packets leaving your computer would be to install the program Ethereal (free). Unless I am totally wrong here, this program will review ALL outbound traffic leaving your computer. Just a suggestion!
Escalader
May 22nd, 2007, 01:45 PM
{QUOTE-> Not to cut into this discussion with Stem, but a possible solution to prevent packets leaving your computer would be to install the program Ethereal (free). Unless I am totally wrong here, this program will review ALL outbound traffic leaving your computer. Just a suggestion! <-QUOTE}
There have been other contending instructors putting in their own fax's.
Please read post 1 since you are new. If you have questions on the ground rules in my thread just ask.
Stem, have you used this Ethereal? It sounds like a duplication of what ZA Pro is doing and we don't need more technical conflicts in our test laboratory. So unless you think it would help you and me I'll do zip on this Ethereal for now.
Stem
May 22nd, 2007, 02:07 PM
{QUOTE-> Stem, have you used this Ethereal? It sounds like a duplication of what ZA Pro is doing and we don't need more technical conflicts in our test laboratory. So unless you think it would help you and me I'll do zip on this Ethereal for now. <-QUOTE}
I have used this in the past. It is a packet sniffer/capture/analyzer. I use other programs that do the same as this app, as this is how I collect data on the packets/connections made, but I normally have such an app on the gateway to stop any possible conflicts with the firewalls I am checking.
If you want to log all outbound/inbound packets, then yes, have a look. It will certainly give you more info than ZA logs.
Escalader
May 22nd, 2007, 03:46 PM
{QUOTE-> .....
If you want to log all outbound/inbound packets, then yes, have a look. It will certainly give you more info than ZA logs. <-QUOTE}
Thanks Stem, maybe later when we come out the bottom of this learning thread/laboratory.
TO ALL POSTERS HERE, THANKS FOR ALL YOUR INPUT AND COMMENTS, I READ THEM ALL BUT CAN'T RESPOND TO ALL. I FEEL NOW THAT I OWE EVERYONE A SORT OF SUMMARY OF WHAT I HAVE DONE WITH MY OWN ZA PRO SETTINGS. THEY SHOULD NOT IN MY VIEW EVER BE JUST COPIED BY OTHERS SINCE WE HAVE LEARNED THAT EACH USER IS DIFFERENT AND HAS DIFFERENT NEEDS. I HAVE THAT &^%$ GAMING PC SHARING MY ROUTER, YOU MAY NOT HAVE THAT ETC ETC
So here is my summary of what I have done in Program Control so far:
Send mail all red X'd except the mail server, in my case MS Outlook
Server, Trusted and Internet all red X'd for every program except those I killed outright
Killed (using trust level) all games like solitaire etc
Killed 4 windows programs for media player
Set advanced program settings to match the server settings so new programs asking for connect don't violate MY rules; this doesn't work for send mail, so ZA forces you to look from time to time to ensure send mail is not added without your permission
After today's MS Update 2 MS programs were added, but send mail was allowed by default. Comment: ZA defaults weak; why allow send mail for system programs and games?
Backup your ZA settings daily for restore during testing and strengthening your security
Set LAN to Internet, not Trusted, in spite of the never ending debate
Notes from this morning's start up program requests: GHPw32 outgoing goes to time.nist.gov; this must relate to the time sync discussion.
wuauclt.exe and PC Health Help requested to be parents
BD10\vsserver.exe requested permission to access the internet
ZA Pro continues to turn off my log all alerts setting; this is a bug in ZA Pro
Escalader
May 28th, 2007, 09:23 AM
ZA Question:
I just looked at my ZoneAlarm log and noticed an entry that C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe successfully accessed destination IP 216.73.86.152:53 -- which points to annymegaadvip2.doubleclick.net
The comments section states:
Description: Zone Labs Client requested permission to access the internet
Rating: High
Why would my ZoneAlarm client be hitting a DoubleClick ad server?
Operating System: Windows XP Home Edition
Product Name: ZoneAlarm (Free)
Why indeed; for some years ZA has been tagged with the phone home issues. The vendor is somewhat less than transparent on this matter.
I have personally found unwanted calls to sites that had zip to do with maintaining the product, in spite of heated posts from the ZA advocates who inhabit these regions. Thanks for the extra IP, I will add it to my growing list of computers to block. But I fear it is futile, like the myth of the little boy trying to plug holes in the dam.
Now you know the value of doing trials with software before laying out real $.
If you are staying with ZA Free, be aware it has the whole package, KAV and all, waiting to be activated, and it will nag you to buy buy buy.
My advice would be to look at this thread post by post from #1 and
change all your settings in program control to ask, and in the case of the internet zone set all of them to a red X, if Free will allow that. I can't remember.
fax
May 28th, 2007, 12:16 PM
Hi!
ZA is not designed to block itself but to control third party software installed on your system, and when you start to work with blocking it via IP lock it will simply behave oddly. Also try to limit the entries in the firewall tab and use the program control tab more to monitor outgoing packets.
Unless you leave ZA free to work, you will see confused reporting about zlclient.exe or other ZA system files trying to communicate with SS, WEB, or whatever programs are installed.
In this specific case it looks like a DNS lookup while you were browsing the net (probably some advertising within a web page).
The only way to understand the origin of packets leaving your system (with ZA set to block itself) is to install other sniffer software, like, for example, the one suggested by Cold Pizza.
Hope this helps.
Fax
Escalader
May 28th, 2007, 03:34 PM
{QUOTE-> Hi!
ZA is not designed to block itself but to control third party software installed on your system, and when you start to work with blocking it via IP lock it will simply behave oddly. Also try to limit the entries in the firewall tab and use the program control tab more to monitor outgoing packets.
Unless you leave ZA free to work, you will see confused reporting about zlclient.exe or other ZA system files trying to communicate with SS, WEB, or whatever programs are installed.
In this specific case it looks like a DNS lookup while you were browsing the net (probably some advertising within a web page).
The only way to understand the origin of packets leaving your system (with ZA set to block itself) is to install other sniffer software, like, for example, the one suggested by Cold Pizza.
Hope this helps.
Fax <-QUOTE}
FYI, this was a deleted question and answer from the "other" forum;D
fax
May 28th, 2007, 03:44 PM
{QUOTE-> FYI, this was a deleted question and answer from the "other" forum;D <-QUOTE}
You mean you are not interested anymore on the answer?
Sorry I can't follow...
Fax
Escalader
May 29th, 2007, 02:42 PM
Further observations: the full site name is report.bitdefender.com, IP is 80.86.106.67 (the site name got bleeped out at the ZA user forum).
Recommend ALL ZA Pro users to add this IP to blocked sites in FW zones ASAP. Since I blocked it after 1 attempt by zlclient, then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.
My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.
I am now going to ask BD support if they own the site using their product name.
Will report back later.
fax
May 29th, 2007, 03:16 PM
{QUOTE-> Further observations: the full site name is report.bitdefender.com, IP is 80.86.106.67 (the site name got bleeped out at the ZA user forum).
Recommend ALL ZA Pro users to add this IP to blocked sites in FW zones ASAP. Since I blocked it after 1 attempt by zlclient, then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.
My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.
I am now going to ask BD support if they own the site using their product name.
Will report back later. <-QUOTE}
You are acting like a virus... ;D In fact many viruses add "report.bitdefender.com" to the HOSTS file in order to block BD functionality...
report.bitdefender.com is legit...
But that IP does not correspond to report.bitdefender.com but to:
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html
% Information related to '80.86.106.0 - 80.86.106.255'
inetnum: 80.86.106.0 - 80.86.106.255
netname: INES-DATACENTER-NET
descr: iNES Group SRL
descr: Virgil Madgearu 2-4
descr: Bucharest
country: RO
admin-c: INES-RIPE
tech-c: INES-RIPE
status: ASSIGNED PA
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030616
source: RIPE
role: iNES Internet NOC
address: 2-6 Virgil Madgearu st.
address: sector 1
address: Bucharest / ROMANIA
phone: +40 21 232 2112
fax-no: +40 21 232 3461
e-mail: hostmaster@ines.ro
admin-c: INES-RIPE
tech-c: TU790-RIPE
tech-c: DC1119-RIPE
tech-c: AG5625-RIPE
tech-c: BP1868-RIPE
tech-c: BC2200-RIPE
nic-hdl: INES-RIPE
remarks: -------------------------------
remarks: abuse reports: abuse@ines.ro
remarks: NOC Phone 24x7: +40 21 232 2112
remarks: NOC E-mail: support@ines.ro
remarks: -------------------------------
notify: hostmaster@ines.ro
mnt-by: AS12310-MNT
changed: tbb@ines.ro 20030314
changed: tbb@ines.ro 20031126
changed: tbb@ines.ro 20051015
changed: adi@ines.ro 20060519
source: RIPE
% Information related to '80.86.96.0/20AS12310'
route: 80.86.96.0/20
descr: iNES Group
descr: ro.ines local registry
origin: AS12310
mnt-by: AS12310-MNT
changed: hostmaster@ines.ro 20030801
source: RIPE
And as said previously, you can't use ZA logs to base your analysis on, since ZA is not functioning properly... (I am not surprised)
Fax
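As an added example (my own code, not anything posted in this thread or shipped with ZA), here is a small Python script that does offline what fax's lookups do by hand: it parses RIPE-style whois output into objects, finds the inetnum and route that cover a logged destination IP, and applies the forward/reverse DNS check that the dossier implies. The whois text and DNS records below are constructed from the values quoted in the thread, not fetched live.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample (not live registry output): an abbreviated RIPE RPSL reply
# of the kind pasted earlier in the thread for 80.86.106.67.
SAMPLE_WHOIS = """\
% This is the RIPE Whois query server #1.
% Information related to '80.86.106.0 - 80.86.106.255'

inetnum:        80.86.106.0 - 80.86.106.255
netname:        INES-DATACENTER-NET
descr:          iNES Group SRL
descr:          Bucharest
country:        RO
status:         ASSIGNED PA
source:         RIPE

% Information related to '80.86.96.0/20AS12310'

route:          80.86.96.0/20
descr:          iNES Group
origin:         AS12310
source:         RIPE
"""

# Constructed DNS snapshot mirroring the dossier: the forward A record exists,
# but the PTR query for the address returned NameError (no reverse name).
FORWARD_A = {"report.bitdefender.com": "80.86.106.67"}
REVERSE_PTR: Dict[str, str] = {}


def parse_rpsl(text: str) -> List[Dict[str, List[str]]]:
    """Split RPSL whois output into objects (blank-line separated), each a
    dict of attribute -> list of values; '%' lines are server comments."""
    objects: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        if ":" not in line:
            continue  # tolerate stray lines in pasted output
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_to_networks(value: str) -> List[ipaddress.IPv4Network]:
    """'80.86.106.0 - 80.86.106.255' -> the CIDR blocks covering that range."""
    start, _, end = (p.strip() for p in value.partition("-"))
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))


def lookup(ip: str, whois_text: str) -> Dict[str, Optional[str]]:
    """Return the inetnum/route objects covering ip: the fields a defender
    would record beside a firewall log entry before deciding to block."""
    addr = ipaddress.IPv4Address(ip)
    result: Dict[str, Optional[str]] = {
        "ip": ip, "inetnum": None, "netname": None, "route": None, "origin": None}
    for obj in parse_rpsl(whois_text):
        if "inetnum" in obj and any(
                addr in net for net in inetnum_to_networks(obj["inetnum"][0])):
            result["inetnum"] = obj["inetnum"][0]
            result["netname"] = obj.get("netname", [None])[0]
        if "route" in obj and addr in ipaddress.IPv4Network(obj["route"][0], strict=False):
            result["route"] = obj["route"][0]
            result["origin"] = obj.get("origin", [None])[0]
    return result


def reverse_pointer(ip: str) -> str:
    """The in-addr.arpa name a reverse lookup queries, e.g. 67.106.86.80.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def classify(ip: str, forward: Dict[str, str], reverse: Dict[str, str]) -> str:
    """State what the DNS records do and do not prove about a logged IP.
    'forward-only' is the dossier's case: a name resolves to the IP but there is
    no PTR, so the IP's whois (not the missing PTR) is what identifies the host."""
    ptr = reverse.get(reverse_pointer(ip))
    owners = [host for host, a in forward.items() if a == ip]
    if ptr and ptr in owners:
        return "forward-confirmed"
    if owners:
        return "forward-only"
    if ptr:
        return "reverse-only"
    return "unresolved"


if __name__ == "__main__":
    ip = "80.86.106.67"
    print(lookup(ip, SAMPLE_WHOIS))
    print(reverse_pointer(ip), "->", classify(ip, FORWARD_A, REVERSE_PTR))
```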
Escalader
May 29th, 2007, 08:50 PM
As promised I am reporting back:
Here is the latest information I have on this:
1) As Chris suggested, I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
2) I ran a Whois Server Version 1.3; here is the result.
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
No match for domain "REPORT.BITDEFENDER.COM".
Conclusion, it is another case of phone home by ZA.
Recommendation: Everybody should block this site and the ip ASAP.
Escalader
May 29th, 2007, 09:41 PM
Did a whois and reverse DNS and got the information that the site 80.86.106.67 is in Bucharest, Romania. No firm listed. Database indicates the whole country as having a high fraud profile. Great.
IP range for Romania 80.86.96.0 to 80.86.127.255.
I'm done with this but loading the blocker sites wherever I can.
Someone else should work on this as well.
More damn questions than answers.
What I would like is a way of saying which sites to connect to and EXCLUDE all other sites.
fax
May 30th, 2007, 04:41 AM
{QUOTE-> Did a whois and reverse DNS and got the information that the site 80.86.106.67 is in Bucharest, Romania. No firm listed. Database indicates the whole country as having a high fraud profile. Great.
IP range for Romania 80.86.96.0 to 80.86.127.255.
I'm done with this but loading the blocker sites wherever I can.
Someone else should work on this as well.
More damn questions than answers.
What I would like is a way of saying which sites to connect to and EXCLUDE all other sites. <-QUOTE}
Looks normal to me....
Complete dossier for report.bitdefender.com
Cheers,
Fax
--------------------------
canonical name report.bitdefender.com.
aliases
addresses 80.86.106.67
Domain Whois record
Queried whois.internic.net with "dom bitdefender.com"...
Whois Server Version 1.3
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Domain Name: BITDEFENDER.COM
Registrar: REGISTER.COM, INC.
Whois Server: whois.register.com
Referral URL: http://www.register.com
Name Server: NS.BITDEFENDER.COM
Name Server: HORIZON.BITDEFENDER.RO
Status: clientTransferProhibited
Updated Date: 13-feb-2007
Creation Date: 08-jun-2001
Expiration Date: 08-jun-2012
>>> Last update of whois database: Tue, 29 May 2007 21:45:50 UTC <<<
Queried whois.register.com with "bitdefender.com"...
Registrant:
SOFTWIN SRL
Mihai Radu
5 Fabrica de Glucoza
Bucharest, 3 020331
RO
Email: aanescu@bitdefender.com
Registrar Name....: REGISTER.COM, INC.
Registrar Whois...: whois.register.com
Registrar Homepage: www.register.com
Domain Name: bitdefender.com
Created on..............: Fri, Jun 08, 2001
Expires on..............: Fri, Jun 08, 2012
Record last updated on..: Tue, Feb 13, 2007
Administrative Contact:
SOFTWIN SRL
Razvan DITA
5 Fabrica de Glucoza
Bucharest, 3 72322
RO
Phone: +40 21 233 07 80
Email: domains-admin@bitdefender.com
Technical Contact:
SOFTWIN SRL
Razvan DITA
5 Fabrica de Glucoza
Bucharest, 3 72322
RO
Phone: +40 21 233 07 80
Email: domains-admin@bitdefender.com
DNS Servers:
ns.bitdefender.com
horizon.bitdefender.ro
Network Whois record
Queried whois.ripe.net with "-B 80.86.106.67"...
DNS records
DNS query for 67.106.86.80.in-addr.arpa returned an error from the server: NameError
name class type data time to live
report.bitdefender.com IN A 80.86.106.67 3600s (01:00:00)
bitdefender.com IN SOA server: ns.bitdefender.com
email: gvoicu.bitdefender.com
serial: 2007041700
refresh: 28800
retry: 900
expire: 604800
minimum ttl: 1800
86400s (1.00:00:00)
bitdefender.com IN NS nemesis.bitdefender.com 3600s (01:00:00)
bitdefender.com IN NS ns.bitdefender.com 3600s (01:00:00)
bitdefender.com IN NS horizon.bitdefender.ro 3600s (01:00:00)
bitdefender.com IN MX preference: 10
exchange: mail.bitdefender.com
3600s (01:00:00)
bitdefender.com IN MX preference: 20
exchange: horizon.bitdefender.ro
3600s (01:00:00)
bitdefender.com IN A 66.223.50.102 3600s (01:00:00)
-- end --
Escalader
May 30th, 2007, 10:34 AM
I have confirmed from 2 BD sources that report.bitdefender.com is in fact a BD server. The database sources are poorly documented causing FUD. It is used by their virus and spam outbreak control service. It is also used in their mobile device AV service.
What I'm still working on is why BD "phone home" accesses still try to access when the user turns off these BD10 options.
Apart from the one log entry I got from zlclient trying to access this BD site it no longer does that. So ZA is not doing this now on my PC, as far as I can tell.
So it seems that BD 10 also ignores user options, and I'm going with that assumption for now. It may be a bug. They responded to questions in hours and were very helpful.
I'm leaving the site blocked since I can still update the product with hourly AV updates and in principle I don't want unsolicited outgoing packets to leave the PC.
If I get more I will report back.
Escalader
June 3rd, 2007, 12:45 PM
I'm following advice now to ignore some posts.
Blocking the sources works well and avoids being diverted from forum/ thread work !
1st and this is important, backup the ZA settings to a flash memory or cd daily. When you mess with settings as I have you get some surprises and need to revert back a level. So if you start using some of the findings here back up your current settings now!
For the members here, I have attached my current FW page showing blocked ip's and sites of doubtful purposes, more than you would ever have believed!
Note that my router/ Lan is set to internet NOT TRUSTED and the PC works fine. This point has been shown correct by Stem and others so that matter is over for me.
For ZA Pro users who want to try tighter settings (at their own risk of course) I have also attached my ZA Pro program settings.
Set SmartDefenseAdvisor to medium, you get the advice BUT you decide what is best setting for your PC with that application. Don't join the share setting league on install.
AntiSpyware turn off, doesn't fit with a FW, UNLESS you don't have any ASW from top group, then use ZA's.
Leave spysite blocking on, does no harm, only site it ever found for me was pcflanktest which provides evaluations of ZA and other tools.
AV monitor leave off unless it accepts your AV, it doesn't recognize BD 10 among others. So I leave it off.
Email, leave it off, it is not the job IMO of a FW to scan email. BD10 does that for me. UNLESS you have no email in/out scanner then turn ZA's on.
Privacy: This one I am not finished with but here is my status
Clean cache daily, don't use auto.
id protection, block ebay and paypal if you don't use them
put nothing in trusted sites, except perhaps your own online bank.
MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?
With BD 10 on updates it doesn't ask for license #, so that's not an issue for them.
There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?
zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.
That's it guys, I'm done with this thread (unless someone wants to ask me a question)
Cold Pizza
June 16th, 2007, 01:58 PM
{QUOTE-> I'm following advice now to ignore some posts.
Blocking the sources works well and avoids being diverted from forum/ thread work !
1st and this is important, backup the ZA settings to a flash memory or cd daily. When you mess with settings as I have you get some surprises and need to revert back a level. So if you start using some of the findings here back up your current settings now!
For the members here, I have attached my current FW page showing blocked ip's and sites of doubtful purposes, more than you would ever have believed!
Note that my router/ Lan is set to internet NOT TRUSTED and the PC works fine. This point has been shown correct by Stem and others so that matter is over for me.
For ZA Pro users who want to try tighter settings (at their own risk of course) I have also attached my ZA Pro program settings.
Set SmartDefenseAdvisor to medium, you get the advice BUT you decide what is best setting for your PC with that application. Don't join the share setting league on install.
AntiSpyware turn off, doesn't fit with a FW, UNLESS you don't have any ASW from top group, then use ZA's.
Leave spysite blocking on, does no harm, only site it ever found for me was pcflanktest which provides evaluations of ZA and other tools.
AV monitor leave off unless it accepts your AV, it doesn't recognize BD 10 among others. So I leave it off.
Email, leave it off, it is not the job IMO of a FW to scan email. BD10 does that for me. UNLESS you have no email in/out scanner then turn ZA's on.
Privacy: This one I am not finished with but here is my status
Clean cache daily, don't use auto.
id protection, block ebay and paypal if you don't use them
put nothing in trusted sites, except perhaps your own online bank.
MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?
With BD 10 on updates it doesn't ask for license #, so that's not an issue for them.
There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?
zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.
That's it guys, I'm done with this thread (unless someone wants to ask me a question) <-QUOTE}
I know this is an old thread, but I do have some questions for you, if you don't mind answering them?
Did you ever have Bit Defender installed on your computer? If not, why would ZA be trying to send packets from your PC to the site called report.bitdefender.com? Something is very strange here!
Have a nice day!
Escalader
June 16th, 2007, 04:47 PM
{QUOTE-> I know this is an old thread, but I do have some questions for you, if you don't mind answering them?
Did you ever have Bit Defender installed on your computer? If not, why would ZA be trying to send packets from your PC to the site called report.bitdefender.com? Something is very strange here!
Have a nice day! <-QUOTE}
If you read the post again and look at my signature you will see BD is active on my PC.
BitDefender confirmed that report.bitdefender.com is their collection site worldwide for collection of data on spam and virus outbreaks.
They also told me that if I was worried about security I could block that site as the support and update sites are outside of Romania. At least they were honest about it!
I have the auto send off for bitdefender but it continued to try to send packets anyway. The turn off features for sending information are NOT reliable.
On ZA, I had one reported connect to report.bitdefender.com but that is one too many right?
As to why? I could only speculate and that would just add fuel to the great conspiracy theory !
But ask Fax, 12fw (Oldsod at ZA), or gre87y (Greb49er at ZA) to explain it either here or over at their forum.
I have now got dozens of collection sites blocked and more on the way.
There is the one from BD, others from ZA and from M$.
If posters doubt any or all of this put the sites in your own block lists and track the attempts.;D
fax
June 16th, 2007, 05:06 PM
{QUOTE->
But ask Fax, 12fw (Oldsod at ZA), or gre87y (Greb49er at ZA) to explain it either here or over at their forum. <-QUOTE}
Already explained above somewhere... most of them were DNS:53 calls... with all the blocking on ZA that Escalader did, I think ZA was not correctly reporting "who did what"...
A simple sniffer could have been useful to clarify origin/destination of the connections...
Cheers,
Fax
Escalader
June 18th, 2007, 09:42 AM
{QUOTE-> Already explained above somewhere... most of them were DNS:53 calls... with all the blocking on ZA that Escalader did, I think ZA was not correctly reporting "who did what"...
A simple sniffer could have been useful to clarify origin/destination of the connections...
Cheers,
Fax <-QUOTE}
Cold Pizza (=?Fax) never on line at same time! Fax answers for Cold Pizza;D
But anyway, wrong again.
Thread learners
Stem already dealt with these hardcoded call homes in ZA in the past. So that matter is over. He did all the sniffing work for us.
The issue for ZA Pro users is to block its hard coded collection sites.
ZA does it sure, no news there, but BD was news but they were honest and said go ahead and block that site so I did. That ZA also tries to send there is well, what to say... interesting8)
For anyone who wants to KNOW put my blocks in your own set up, updates all work fine as does Smart advice.... qed
Privacy: This one I was not finished with but here was the status
Clean cache daily, don't use auto.
id protection, block ebay and paypal if you don't use them
put nothing in trusted sites, except perhaps your own online bank.
MyVault: Well it is quite a misnomer, I had some fun by putting my legal ZA license number in the vault, plus BD 10. On ZA product updates ZA blocked the license # from being sent. Updates worked fine anyway. On ASW updates it doesn't ask for license #, inconsistent logic. Why ask for data not needed?
With BD 10 on updates it doesn't ask for license #, so that's not an issue for them.
There are bugs/issues with Alerts and logs set on High. ZA keeps turning mine off. When you ask? If I add a block site, it immediately turns it off! I turn it on and guess what? it logs 5 rapid order attempts to connect to the new blocked site! As to why? Well it can't be a bug can it?
zlclient and BD both tried to send packets from my PC to the site called report.bitdefender.com. This is in Romania. I contacted BD and they told me it was their world wide collection site for spam and data from users on malware outbreaks. It is not their site for product updates. So I promptly blocked it and the rest of that country. My BD updates continue to work fine because BD told me all their update sites lie outside Romania.
fax
June 18th, 2007, 10:57 AM
{QUOTE-> Cold Pizza (=?Fax) never on line at same time! Fax answers for Cold Pizza;D <-QUOTE}
Sorry but I am not like you ArrowPilot :P
Ever thought about Time Zones and different continents?
Fax
fax
June 18th, 2007, 11:15 AM
{QUOTE-> Stem already dealt with these hardcoded call homes in ZA in the past. <-QUOTE}
By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
To be fair to ZA, you should at least state that the ZA call home was "in your set-up"!
Cheers,
Fax
Escalader
June 18th, 2007, 01:09 PM
{QUOTE-> By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
To be fair to ZA, you should at least state that the ZA call home was "in your set-up"!
Cheers,
Fax <-QUOTE}
Stem speaks for himself as do I.
Suggesting words for others to speak is silly.
Of course ZA call homes were in my setup:wacko:
All users have to do is make the blocks and log.
Berge01
June 18th, 2007, 01:11 PM
{QUOTE-> By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
To be fair to ZA, you should at least state that the ZA call home was "in your set-up"!
Cheers,
Fax <-QUOTE}
I see we are on this kick again about calling home. Well, IMO any type of Security Software Program will call home. No matter what you can try to do to prevent it, some way it will get through. Before attacking the program maker of any type of Security Software Program, perhaps we should look at who is REALLY behind all of this, Big Brother. This has been going on for some time and now with all the latest events in the world, it has become more intense. You can either do two things IMO, try to block them at your firewall or reach down, pull the plug out of the wall outlet, box up your computer, and find some other way to communicate with the rest of the world.
Thank you for your time and have a Great Day!
fax
June 18th, 2007, 01:17 PM
{QUOTE-> Of course ZA call homes were in my setup:wacko:
<-QUOTE}
This sounds better...
Cheers,
Fax
Escalader
June 18th, 2007, 03:24 PM
{QUOTE-> I see we are on this kick again about calling home. Well, IMO any type of Security Software Program will call home. No matter what you can try to do to prevent it, some way it will get through. Before attacking the program maker of any type of Security Software Program, perhaps we should look at who is REALLY behind all of this, Big Brother. This has been going on for some time and now with all the latest events in the world, it has become more intense. You can either do two things IMO, try to block them at your firewall or reach down, pull the plug out of the wall outlet, box up your computer, and find some other way to communicate with the rest of the world.
Thank you for your time and have a Great Day! <-QUOTE}
You too, Berge01, wondered where you had gone!
Well, assuming we are not going to pull the plug, and that Big Brother is the cause and forcing these program makers to hard code call home to gathering sites I choose block them as you put it "at the FW".
So where's the list of sites to block? I'll key every dang one of them in! ;D
Stem
June 18th, 2007, 05:46 PM
{QUOTE-> By the way, if I remember well Stem couldn't really replicate your persistent 'call home' in his setup...
<-QUOTE}That is correct, the only outbound I could not find reason for, was for the HTTPS connection after installation.
Hello Escalader,
You keep mentioning BD outbound, have you found the application making these attempts? (and please advise, is "Task Scheduler" active on your system? (in windows services))
Berge01
June 18th, 2007, 07:20 PM
{QUOTE-> You too, Berge01, wondered where you had gone!
Well, assuming we are not going to pull the plug, and that Big Brother is the cause and forcing these program makers to hard code call home to gathering sites I choose block them as you put it "at the FW".
So where's the list of sites to block? I'll key every dang one of them in! ;D <-QUOTE}
I don't believe the list I post here would make the Forum Moderators very happy, besides some of the members may not agree, causing more hostile posts, and besides your Firewall can only hold so many Blocks to be effective.
Escalader
June 18th, 2007, 07:34 PM
{QUOTE-> That is correct, the only outbound I could not find reason for, was for the HTTPS connection after installation.
Hello Escalader,
You keep mentioning BD outbound, have you found the application making these attempts? (and please advise, is "Task Scheduler" active on your system? (in windows services)) <-QUOTE}
Stem:
Here is the Q and A posted on the BitDefender forum a few weeks back when I was still running ZA Pro. The application was zlclient first, then when blocked switched to WINLOGON.exe. The spam gathering site is in Romania 80.86.96.0 to 80.86.127.255. The site was report.bitdefender.com.
post 1..... Since I blocked it after 1 attempt by zlclient then 5 attempts in rapid order with a switch to winlog as access program. All Alerts continues to be turned off on any change in settings or on reboots.
My ASW, product updates and SmartDefense on manual all work fine with selected blocks and "optimized" settings.
post 2
Hi Escalader,
I might be wrong, but that could be BitDefender trying to send/receive data about viruses as a result of the options Send virus reports and Enable BitDefender Outbreak Detection (General -> Settings)
Try to disable these options, and see if you have any more attempts.
Hi :
I will try your idea, what puzzled me was I didn't change any BD options lately and it was zlclient that connected first. Now it is WINLOGON.exe that is attempting the connect. I have it blocked until I know what's happening here.
post 3
Here is the latest information I have on this:
1) As ... suggested I turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup. The repeated connections to 80.86.106.67 continue unabated.
2) I ran a Whois Server Version 1.3 here is the result.
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
No match for domain "REPORT.BITDEFENDER.COM".
post 4
Did a reverse DNS and the ip comes up as Bucharest Romania. No information on organization owning it.
The whois data base lists this country with a high fraud profile?
post 5
Hello,
Nobody except Bitdefender can register sub-domains of BitDefender.com, the Head Quarters of BitDefender are in Romania. Once you own a Domain name you can register as many sub-domains as you want for free, that can be done just by the main owner of the domain. The report.bitdefender.com could be a server in the HQ so it's not dangerous at all.
post 6
Just to be clear I trust BitDefender or I wouldn't use the product.
But the way this came to light was very strange.
First as mentioned a few posts back zlclient was the program that first accessed report.bitdefender.com.
Next the id of the program attempting access switched to WINLOGON.exe.
Is report.bitdefender.com a server in HQ? The city and country are right but the whois data base doesn't confirm BD's ownership of this site.
Could be a server is not the same as is a server.
I'm not trying to be difficult, I just want clarity.
post 7
The owner you see there is INES, that is one of our Internet Providers. The connection is leading to our internal server. Over this connection virus and spam statistics are sent.
Real Time Virus Report (RTVR) & Real Time Spam Report (RTSR)
RTVR/RTSR is a system included in BitDefender products deployed all over the Internet that reports virus and spam activity to the BitDefender Labs(report.bitdefender.com) to help isolate and prevent the spreading of malware and spam in an efficient and timely manner.
So it is our server.
Hi ...:
Thank you very much for tracking this down for me. Best to be clear!
I currently have followed the following idea:
"....turned off the "Send virus reports and Enable BitDefender Outbreak Detection" options in BD setup"
The repeated connections attempts to 80.86.106.67 continue anyway.
This seems to me to mean that the RTVR and RTSR connects occur even if the options are turned off.
In my set up I have the address blocked, yet updates of the product continue ok as do the attempts to send reports back.
So updates must use one server and reports on virus and spam must use another?
Have I described all this correctly?
post 8
The update servers are different from the one with statistic reports. Why?
Because we need to have good connection to all the users from the World. That's why you will have servers scattered all over the World and only one server that gathers information about viruses and spam in Romania.
If you are concerned about your security just block report.bitdefender.com although it is our server and everything is secured.
Since I then knew the site was a gatherer, I blocked the whole country.
BD updates continue unimpeded.
I checked scheduler and found 2 old McAfee entries. I haven't had it for 2 years! Should have cleaned it out but didn't. Gone now. Thanks.
The only scheduled tasks are SpySweeper scans.
The attempted connects to report.bitdefender.com no longer occur.
The difference? ZA Pro uninstalled, CFW is installed.
Observation: it wasn't BD continuing to attempt connects but ZA Pro.
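As an added example (not code from any poster, ZoneAlarm or BitDefender), the Python below parses the inetnum and route objects from a constructed excerpt laid out like the RIPE whois answer quoted earlier in the thread, tests whether 80.86.106.67 (report.bitdefender.com in the DNS table) and the bitdefender.com A record 66.223.50.102 fall inside them, and expands a hand-typed start/end range into the CIDR blocks a firewall rule would need. The excerpt text and the function names are this example's own assumptions.

```python
"""Check which RIPE whois blocks contain an address, and what a start/end range covers.

Added example for this thread, not code from any poster, ZoneAlarm or BitDefender.
RIPE_WHOIS is a constructed excerpt laid out like the RIPE answer quoted earlier
in the thread; the function names are this example's own.
"""
import ipaddress
import re

# Constructed excerpt: the inetnum and route objects returned for 80.86.106.67.
RIPE_WHOIS = """\
% Information related to '80.86.106.0 - 80.86.106.255'
inetnum:      80.86.106.0 - 80.86.106.255
netname:      INES-DATACENTER-NET
descr:        iNES Group SRL
country:      RO
status:       ASSIGNED PA
source:       RIPE

% Information related to '80.86.96.0/20AS12310'
route:        80.86.96.0/20
descr:        iNES Group
origin:       AS12310
source:       RIPE
"""

OBJECT_LINE = re.compile(r"^(inetnum|route):\s*(\S.*?)\s*$")


def range_to_cidrs(start, end):
    """Expand an inclusive start..end range into the CIDR blocks that cover it exactly.

    Firewalls usually accept either form; this shows what a typed range really spans.
    """
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
    return [str(block) for block in blocks]


def parse_networks(whois_text):
    """Return [(label, ip_network), ...] for every inetnum and route object in the text.

    An inetnum is a start - end range (possibly several CIDR blocks); a route is a CIDR.
    """
    found = []
    for line in whois_text.splitlines():
        match = OBJECT_LINE.match(line)
        if not match:
            continue
        kind, value = match.groups()
        label = f"{kind} {value}"
        if kind == "inetnum":
            start, end = (part.strip() for part in value.split("-"))
            for cidr in range_to_cidrs(start, end):
                found.append((label, ipaddress.ip_network(cidr)))
        else:
            # strict=False tolerates a route written with host bits set
            found.append((label, ipaddress.ip_network(value, strict=False)))
    return found


def bounds(network):
    """First and last address of a block, the pair a 'range' style firewall rule needs."""
    return str(network.network_address), str(network.broadcast_address)


def containing_networks(ip, networks):
    """Labels of every parsed block that contains ip, in whois order."""
    address = ipaddress.ip_address(ip)
    return [label for label, network in networks if address in network]


if __name__ == "__main__":
    networks = parse_networks(RIPE_WHOIS)
    for label, network in networks:
        first, last = bounds(network)
        print(f"{label:40s} covers {first} - {last}")
    # 80.86.106.67 is report.bitdefender.com in the thread's DNS table;
    # 66.223.50.102 is the bitdefender.com A record from the same table.
    for ip in ("80.86.106.67", "66.223.50.102"):
        print(ip, "is inside:", containing_networks(ip, networks) or "none of these blocks")
    print("80.86.96.0 - 80.86.127.255 expands to", range_to_cidrs("80.86.96.0", "80.86.127.255"))
```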
Escalader
June 18th, 2007, 07:43 PM
{QUOTE-> I don't believe the list I post here would make the Forum Moderators very happy, besides some of the members may not agree, causing more hostile posts, and besides your Firewall can only hold so many Blocks to be effective. <-QUOTE}
Good heavens what to do? ;D
I guess I'll just max out my FW or just block whole countries.
Can you post the country ranges to block?
Then when a valid ip pops up I'll allow it! one by one! Can't be any more than 5 or 6 safe sites left!
It is a real challenge. Time for Mrk to enter this thread he always has unique ideas!
What I really need is a leak proof vault then I could put all my secrets in it and scrap the FW completely!::)
Escalader
June 19th, 2007, 03:14 PM
{QUOTE-> That is correct, the only outbound I could not find reason for, was for the HTTPS connection after installation.
Hello Escalader,
You keep mentioning BD outbound, have you found the application making these attempts? (and please advise, is "Task Scheduler" active on your system? (in windows services)) <-QUOTE}
Stem:
The short answer to "is Task Scheduler active on my system" is yes.8)
I use this service for SS scheduled scans etc.
Stem
June 19th, 2007, 07:52 PM
Hello Escalader,
{QUOTE-> The application was zlclient first, then when blocked switched to WINLOGON.exe. <-QUOTE}From this info, I would be more inclined to think that winlogon.exe was making these outbound, at first through zlclient.
Winlogon.exe, being a system app (with high trust in ZA) would possibly have been set with "This program may use other programs to access the internet" (or set by the user at some point) This option being at:- Program control~ Programs ~ right click "windows NT logon"~ Options.
I would need to find time to check the installation of BD to see if this is correct. (to check if BD is injecting/loading a dll into winlogon and/or other apps)
Escalader
June 20th, 2007, 09:33 AM
{QUOTE-> Hello Escalader,
From this info, I would be more inclined to think that winlogon.exe was making these outbound, at first through zlclient.
Winlogon.exe, being a system app (with high trust in ZA) would possibly have been set with "This program may use other programs to access the internet" (or set by the user at some point) This option being at:- Program control~ Programs ~ right click "windows NT logon"~ Options.
I would need to find time to check the installation of BD to see if this is correct. (to check if BD is injecting/loading a dll into winlogon and/or other apps) <-QUOTE}
Hi Stem.
I have not seen these Romanian outbounds since ZA Pro was removed.
BD is still working away on my PC, but if it is injecting dll to try to call home why don't I see the blocked attempts in CFW? All I see there this AM is FF being blocked from certain ip outbound attempts and not one is the BD gathering site.
acr1965
July 19th, 2007, 01:46 PM
{QUOTE-> We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?
For me personally, I would not use this firewall until a full explanation from ZA is made concerning this. <-QUOTE}
Has there been any update to this issue? Also, do the unsolicited outbound connections occur in ZA Pro only or in all versions of ZA, including their free firewall?
Finally, I believe there was a comment about turning off automatic updates alone would not stop ZA from making outbound connections. But there needed to be a manual update to stop ZA from automatically phoning home. Is there any information about what all ZA retrieves from your computer when a manual update is performed?
Thanks.
Escalader
July 19th, 2007, 05:49 PM
Hi acr1965, As before let me comment in red in context with your post
{QUOTE->
Has there been any update to this issue?
Not from me, I have id'd the sites to block but can still allow you to update ZA Pro.
Also, do the unsolicited outbound connections occur in ZA Pro only or in all versions of ZA, including their free firewall?
Good question, I don't know from direct experience but if you block the sites in your own FWs and log connect attempts you can answer this easily. If I was a betting man I'd say all their products/versions do it, but I only worked with ZA Pro.
Finally, I believe there was a comment about turning off automatic updates alone would not stop ZA from making outbound connections.
Yes, this is what I found on my PC with ZA Pro at the time.
But there needed to be a manual update to stop ZA from automatically phoning home.
ZA web site provides a procedure (complex IMHO) that purports to stop this phone home. I followed that to the letter but phone homes continued thus the blocks.
Is there any information about what all ZA retrieves from your computer when a manual update is performed?
I have nothing new on that but if you browse the thread I think there was a post about putting the ZA license # in their My Vault. I did that when manual update was done the vault feature blocked the # from being sent but the update proceeded anyway! So they asked for that and didn't use it to stop the update. Unless the block was false. What else they try for is a mystery.
The main issue is why would I use such a product that probes for info from my PC. As well it is tool to protect me from such things yet does it itself.
This is why I dropped the tool; it is well designed but it is a hazard in its implementation.
<-QUOTE}
Copyright ©2002 - 2009, Wilders Security Forums