Three more remarks/questions about ZA
stalker
February 2nd, 2004, 02:54 PM
I have two further questions/remarks related to my topic "ZA Expert Firewall/Program rules hierarchy" ...
One is again about "incompatible" rules:
1.) If I use a p2p sharing program, which uses only the TCP protocol, only on ports 2240 and 2234. I also know the IPs of its 4 servers.
So for this program, I set rules to permit all (green mark), but there is some confusion here. Putting server IPs (that the program uses) into the Trusted Zone (under Firewall-Zones, not under Programs-Expert Rules) doesn't make any sense. I would give full access to the servers, but as mentioned, the users' IPs would still be in the Internet Zone.
- If I would allow in expert rules communication with the mentioned ports and IPs, and allow the TCP protocol, the actual users' IPs (from whom I will download/upload) would still be in the Internet Zone. So how to make expert rules for this program?
Maybe make an Expert Rule to allow all (incoming/outgoing) on ports 2240 and 2234 for the Internet Zone (from My Computer to Internet Zone, and inversely)??
- but then what about port settings in "Firewall - Custom - High/Medium security for Internet/Trusted Zone - Allow/Block Incoming/Outgoing TCP Ports" ...
Do I need to put ports 2240 and 2234 also here under "High (if I have set the slider to High) security for Internet Zone"??
2.) Second question is very short. I constantly get an error message: "An error was encountered while parsing the XML data. Processing has been halted." After clicking O.K., sometimes all rules I made so far for a specific program are gone, sometimes only the last one, sometimes all rules are there.
What is this error? Is it dangerous? In case some important rules are erased while I am currently under attack, or some malicious program, or a program I don't want to access the internet wants to connect, etc.
Could this error message appear also in Firewall/Zone Expert Rules, or in Trusted/Internet Zone Rules??
Any idea how to avoid it??
I read somewhere it is possible to save these XML rules (probably as a file in XML format). How could I do that??
3.) As I wrote in one of my previous posts, the True Vector Service (Zone Alarm 4.5.530), to be more specific - one certain thread - consumes an enormous amount of CPU ("kernel mode"), compared to the previous version, when using some specific program (Irfan View, and DU Meter) as the "front/active" application. When switching to some other program it jumped back to normal usage.
I reinstalled it (I used NPF for some time instead, but its driver, Symevent.sys, was causing "Blue Screens", making errors on disk, etc.), and yesterday, after re-installing Zone Alarm, there was NO more such problem for some time. Now I just checked, while writing this post, and surprisingly, when watching some .gif in Irfan View, True Vector again jumped to 50 % CPU, and for that period it became the most CPU consuming process on my PC. Again, only in "kernel mode", and not in user mode (as usual applications are), or in the Hardware Interrupts and Deferred Procedures placeholder ...
And again, right after switching back the "front" application (the one you are currently working with), the vsmon.exe CPU falls back to 0-5 % CPU average ...
thanks for your answer
LowWaterMark
February 2nd, 2004, 06:26 PM
-{ Quote: "stalker: 1.) If I use a p2p sharing program, which uses only the TCP protocol, only on ports 2240 and 2234. I also know the IPs of its 4 servers.
So for this program, I set rules to permit all (green mark), but there is some confusion here. Putting server IPs (that the program uses) into the Trusted Zone (under Firewall-Zones, not under Programs-Expert Rules) doesn't make any sense. I would give full access to the servers, but as mentioned, the users' IPs would still be in the Internet Zone." }-
Well, you don't have to use the Trusted Zone for this; you can create a special group instead. You referenced Groups in your other thread so it sounds like you know how to make them already, but just in case... The easiest way to make a group is in ZAP > "Firewall" panel > "Expert" tab > "Groups" button which brings up the Group Manager. Use the "Add" button. Name the group (something like "P2P Servers") and give it a description, then simply add all four servers, each as individual "locations" in that screen.
Now, use this group in your rules for the P2P program. They aren't in the trusted zone and will only be used in whatever rule you decide to enter that group name in as either the Source or Destination of packets.
-{ Quote: "- If I would allow in expert rules communication with the mentioned ports and IPs, and allow the TCP protocol, the actual users' IPs (from whom I will download/upload) would still be in the Internet Zone. So how to make expert rules for this program?" }-
Yes, the key point here is that a group set up as I described above is not in any zone, which means those servers (IP addrs) would be treated the same as any other Internet site - except for any rule in which you use that group name in either source or destination fields.
-{ Quote: "Maybe to make Expert Rule to allow all (incoming/outgoing) on 2240 and 2234 ports for Internet Zone (from My Computer to Internet Zone, and inversely) ??" }-
Unfortunately, I don't use any P2P software, so I may need to use another example, but let's see... POP3 email. The rule you allow for that is Source: your computer/TCP any port (or limit ports to the range 1024-5000); Destination: your ISP's email server/TCP port 110.
But, this is where I'm unsure because of not using P2P myself... When you run the P2P client yourself and it reaches out to look at available files from "out there", are both ends of the connection on only the two ports you mention, or are those ports just the "destination ports" in all cases? If so, then the source ports might be in the range of ephemeral ports (1024-5000), but again I just don't know. At the very least you should make sure which it is and set up your rules accordingly.
-{ Quote: "- but then what about port settings in "Firewall - Custom - High/Medium security for Internet/Trusted Zone - Allow/Block Incoming/Outgoing TCP Ports" ...
Do I need to put 2240 and 2234 ports also here under "High (if I have set slider High) security for Internet Zone" ??" }-
You should not need to because you are granting server rights to the P2P program right? So ZAP should allow the traffic in regardless. (There are sometimes weird circumstances where you might need to add a port to the Allowed port list you mention if things just aren't working, but that is very rare in my experience. Try it without. If it doesn't work, try adding them as allowed incoming ports just as a test, but you should be able to get it working without those ports there.)
-{ Quote: "2.) Second question is very short. I constantly get an error message: "An error was encountered while parsing the XML data. Processing has been halted." After clicking O.K., sometimes all rules I made so far for a specific program are gone, sometimes only the last one, sometimes all rules are there.
What is this error? Is it dangerous? In case some important rules are erased while I am currently under attack, or some malicious program, or a program I don't want to access the internet wants to connect, etc." }-
Please describe exactly when you are getting that error. The only time XML data is processed should be when you are either using the Backup / Restore feature, or perhaps while making significant configuration changes. Are you getting these errors at other times during normal operation or just when trying to run a Restore or reconfigure your settings and/or rules?
-{ Quote: "Could this error message appears also in Firewall/Zone Expert Rules, or in Trusted/Internet zone Rules ??
Any idea, how to avoid it ??" }-
I need to know more about when you are getting these errors as noted above.
-{ Quote: "I read somewhere it is possible to save this XML rules (probably as file in xml format). How could I do that??" }-
That is the Backup / Restore feature available at ZAP > "Overview" panel > "Preferences" tab > "Backup and Restore Security Settings". Backup outputs all your rules and configuration settings to a new XML file for use later in a restore operation. Restore loads in an existing XML file (made from a previous backup) to reset / reload all your configurations when you need to replace or fix your ZAP configuration.
-{ Quote: "3.) As I wrote in my previous post, the True Vector Service (Zone Alarm 4.5.530) consumes an enormous amount of CPU ("kernel mode"), compared to the previous version, when using some specific program (Irfan View, and DU Meter) as the "front/active" application. When switching to some other program it jumped back to normal usage." }-
Ah, I remember that discussion now.
-{ Quote: "I reinstalled it (I used NPF for some time instead, but its driver, Symevent.sys, was causing "Blue Screens", making errors on disk, etc.), and yesterday, after re-installing Zone Alarm, there was NO more such problem for some time. Now I just checked, while writing this post, and surprisingly, when watching some .gif in Irfan View, True Vector again jumped to 50 % CPU, and for that period it became the most CPU consuming process on my PC. Again, only in "kernel mode", and not in user mode (as usual applications are), or in the Hardware Interrupts and Deferred Procedures placeholder ...
And again, right after switching the "front" application (the one you are currently working with), the vsmon.exe CPU falls back to 0-5 % CPU average ..." }-
All I can say here is this... First, obviously this is not supposed to be happening. I think I posted last time on this that it must be a conflict or some similar incompatibility, though I can't say what. It doesn't help to know that it is kernel versus user mode or any of that because none of us have access to the internals of the ZA firewall. This information might help when you report this problem to Zone Labs and work with them diagnosing the problem, but those of us who are merely users of the product can't do anything about this.
However, that said I'm wondering if this problem is related to your XML problem (and any other problem you might be having) and the source of it all is a bad configuration. There's no way you should constantly be getting XML parsing errors. You also shouldn't be getting runaway CPU usage by vsmon.exe either. But, if there is a corrupt configuration then maybe, just maybe that's behind all the problems.
A full clean setup of ZAP can be accomplished as follows. When you have a good backup XML file that stores what you consider to be a good configuration, you save that file somewhere safe and then wipe your current ZAP configuration. To do this... 1. Shut down the network connection. 2. Shut down ZAP using the proper exiting procedure from the systray icon. 3. Check to be sure both the ZAP client and vsmon have exited (in Task Manager). 4. Delete all files from \Windows\Internet Logs\. 5. Start up ZAP. 6. Check to be sure the client and vsmon have started in Task Manager, and look in \Internet Logs\ - there should be a new set of replacement ZAP True Vector database files there now. 7. Start your ISP network connection up. (If you get an alert about svchost trying to connect out, click Yes.) 8. Go into ZAP > "Overview" panel > "Preferences" tab > "Backup and Restore Security Settings" > "Restore" button... When it asks for an XML file to restore, give it the one you saved above.
Now, that is how you can get a really clean ZAP setup. Restore is supposed to work as described above. However, experience has shown me sometimes you have to reload these files more than once because of un-displayed parsing errors during restore. So what I do is I continue on like this:
9. Disconnect the network again. 10. Shut down ZAP again. 11. Start ZAP up again. 12. Connect the network. 13. Go into ZAP's Preferences tab again and twice in a row restore the same XML file, one right after the other.
Don't skip any of the steps, especially the closing and restarting of ZAP; this is a very exact set of instructions!
For me, this procedure has always ensured a clean and complete restore, with no missing rules or settings. (It isn't always necessary, but it does always work.)
At this point, quite frankly, I shut down the network and ZAP, and then reboot my PC cleanly just to make sure I have everything perfect before testing anything else, but that may just be me. My system reboots in about 60 seconds and I can execute the above ZAP clean restore process, with reboot, in about 6 to 8 minutes. I do this every month or so just to ensure a totally clean ZAP configuration and I rarely have any problems.
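The group-plus-rule setup described in this reply, as an added example that is not part of the original thread and not ZoneAlarm's own engine: a small Python model of expert rules in which a Group Manager group is just a named set of addresses (not a zone), the port box accepts "Any", a single port, a "lo-hi" range or a comma list, and rules are tried in rank order with first match winning (an assumption for this model). The addresses, the trusted LAN and the rule set are constructed for the example; the four server IPs are placeholders, not the poster's servers. The trace at the bottom also shows the ephemeral-port caveat raised above: if the program's local ports fall outside the "1024-5000" range the rule names, the packet is blocked.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology for the example (documentation address ranges).
MY_COMPUTER = "192.0.2.10"
TRUSTED_ZONE = ["192.0.2.0/24"]           # assumed home LAN
GROUPS = {                                 # a Group Manager group: named IPs, NOT a zone
    "P2P Servers": {"198.51.100.1", "198.51.100.2", "198.51.100.3", "198.51.100.4"},
}


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Port box syntax: 'Any', '110', '1024-5000', or '2234,2240' -> inclusive ranges."""
    if spec.strip().lower() == "any":
        return [(0, 65535)]
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo_i, hi_i))
    return ranges


def port_matches(spec: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in parse_ports(spec))


def in_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in TRUSTED_ZONE)


def endpoint_matches(name: str, ip: str) -> bool:
    """Resolve a Source/Destination field of a rule against one address."""
    if name == "My Computer":
        return ip == MY_COMPUTER
    if name == "Trusted Zone":
        return in_trusted(ip)
    if name == "Internet Zone":
        # Group membership is not a zone: a P2P server still counts as Internet Zone.
        return ip != MY_COMPUTER and not in_trusted(ip)
    if name in GROUPS:
        return ip in GROUPS[name]
    raise ValueError(f"unknown endpoint {name!r}")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "block"
    source: str
    sports: str
    dest: str
    dports: str
    proto: str = "TCP"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and endpoint_matches(self.source, p.src) and port_matches(self.sports, p.sport)
                and endpoint_matches(self.dest, p.dst) and port_matches(self.dports, p.dport))


# Program expert rules for the P2P client, in rank order (assumed first-match semantics).
P2P_RULES = [
    Rule("allow", "My Computer", "1024-5000", "P2P Servers", "2234,2240"),    # the 4 servers
    Rule("allow", "My Computer", "1024-5000", "Internet Zone", "2234,2240"),  # connect out to peers
    Rule("allow", "Internet Zone", "Any", "My Computer", "2234,2240"),        # peers connecting in
]


def decide(rules: list[Rule], p: Packet) -> tuple[str, Optional[int]]:
    """First matching rule wins; nothing matched means the packet is blocked."""
    for rank, rule in enumerate(rules, start=1):
        if rule.matches(p):
            return rule.action, rank
    return "block", None


if __name__ == "__main__":
    samples = [
        Packet(MY_COMPUTER, 3000, "198.51.100.1", 2240),        # to a server: rule 1
        Packet(MY_COMPUTER, 3000, "198.51.100.1", 8080),        # server IP alone buys nothing
        Packet("203.0.113.7", 51000, MY_COMPUTER, 2240),        # peer connecting in: rule 3
        Packet("203.0.113.7", 51000, MY_COMPUTER, 445),         # anything else from peers: blocked
        Packet(MY_COMPUTER, 60000, "198.51.100.1", 2240),       # local port outside 1024-5000
    ]
    for pkt in samples:
        print(pkt, "->", decide(P2P_RULES, pkt))
```

The second sample is the point about groups: the server address is in "P2P Servers", but outside a rule that names that group it is treated like any other Internet Zone host, so port 8080 to it is blocked. The last sample is why it matters whether 2234/2240 are only destination ports: if the client's own ports are not in the range the rule lists, no rule matches.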
stalker
February 2nd, 2004, 08:15 PM
-{ Quote: "LowWaterMark" }-
Thanks, LowWaterMark, for all your very educative support. I think you are right about the CPU consumption. It is probably related to some OS settings I made (some time ago) in the current Windows installation.
Though, I have two more questions, but to not start another topic, I will post them here:
- how much "access" (what kind of rules) to grant to the zlclient.exe process in case of just normal use (IP lookup, and other "required" features), and NOT for the update feature, or "More Info" for Component Alert, etc.??
- Since I already mentioned the "More Info" feature: I must have misconfigured something in the past (certainly NOT related to ZA), because every time I try to use it, it says: "The default browser was not found".
The same message, "Web Browser could not be started", is displayed also when starting my AntiVirus program update (though everything is O.K., because the browser is needed only to check registration) ...
There are also other similar symptoms: IE links are not working from inside Outlook, from inside various help (.chm, .hlp) files, URL links are not working - I ADDED A SCREENSHOT - (not if opened from inside IE, but if opened from the Start Menu), though I additionally checked that they (.html, .htm, and .url extensions) are set up to open (associated) with Internet Explorer, and there are more examples of some internal problem with IE "cooperating" with other programs ...
Thank you for all your help again ...
LowWaterMark
February 3rd, 2004, 02:06 AM
-{ Quote: "stalker: Though, I have two more questions, but to not start another topic, I will post them here:
- how much "access" (what kind of rules) to grant to the zlclient.exe process in case of just normal use (IP lookup, and other "required" features), and NOT for the update feature, or "More Info" for Component Alert, etc.??" }-
I don't advise setting any expert rules on the ZA client. Just use the access settings and choose either Allow ("checkmarks") or Ask ("?") for all fields in the program line for ZAP. I find no value in trying to further control ZAP itself with custom rules.
-{ Quote: "- Since I already mentioned the "More Info" feature: I must have misconfigured something in the past (certainly NOT related to ZA), because every time I try to use it, it says: "The default browser was not found".
The same message, "Web Browser could not be started", is displayed also when starting my AntiVirus program update (though everything is O.K., because the browser is needed only to check registration) ..." }-
Sounds like you need to repair the file associations. Did you install some other browser at some point? Do you only have IE now? One of the easiest ways to have IE reclaim the full web file associations after you've let another browser have them is to let IE check and alert you: In IE > Tools > Internet Options... > Programs tab > check "Internet Explorer should check to see whether it is the default browser". If another browser had the associations, this may cause IE to alert you and have it reset them all the next time it starts.
Otherwise, you may have to look into a more complex IE repair or reinstallation of some sort, but that's a rather different topic than this.
stalker
February 4th, 2004, 05:01 PM
1.) Simple question - how to set a "port range" correctly in Expert Rules --> Protocol. Just add a " - " character between the two ports??
Does ZA "understand" that??
Example: 1024-5000
2.) Second is rather a remark - how to set Firewall/Zone (global) expert rules??
In which cases to use them??
What if I leave all fields empty, how would protection look, how will rules be applied??
3.) And the last question - how does the ZA free version deal with all this, when we all know it doesn't have "Expert Rules", nor "Custom" settings for HIGH or MEDIUM Trusted and Internet Zone??
Thanks for any explanation
LowWaterMark
February 4th, 2004, 05:39 PM
-{ Quote: "stalker: 1.) Simple question - how to set a "port range" correctly in Expert Rules --> Protocol. Just add a " - " character between the two ports??
Does ZA "understand" that??
Example: 1024-5000" }-
Yes, that is correct. Basically, you go into the port number box (where 'Any' is by default) and type in a port range such as your example ('1024-5000'). Take a look at the image at this link (http://www.wilderssecurity.com/attachments/SpywareBlaster-FW-Rules2.gif). It's from the SpywareBlaster rule thread I noted before and it shows the use of ranges of ports a couple times.
-{ Quote: "2.) Second is rather a remark - how to set Firewall/Zone (global) expert rules??
In which cases to use them??
What if I leave all fields empty, how would protection look, how will rules be applied??" }-
I'm sorry, I'm really not sure what you are asking here. Can you explain your question in more detail? Are you asking why you would make global rules in the Firewall tab's Expert section? If so, the example I gave in your first thread here (http://www.wilderssecurity.com/showthread.php?t=21021;start=msg126933#msg126933), for blocking worm traffic without logging, was a good reason to make a new expert rule.
And I'm not at all sure what you mean by "What if I leave all fields empty..." - If you do that, you might as well not make a rule at all.
-{ Quote: "3.) And the last question - how does the ZA free version deal with all this, when we all know it doesn't have "Expert Rules", nor "Custom" settings for HIGH or MEDIUM Trusted and Internet Zone??" }-
ZAF can't do any of these more complex things. It just has basic inbound and outbound protections, much like the defaults (uncustomized) in ZAP. In the ZA Free product, you set a program to either allow, ask or block, and have no custom settings at all for a program. In its Firewall tab, you have just trusted, internet and blocked sites - no detailed port rules or custom allows or blocks.
stalker
February 4th, 2004, 06:03 PM
-{ Quote: "And I'm not at all sure what you mean by "What if I leave all fields empty..." - If you do that, you might as well not make a rule at all." }-
Yes, I meant just that - all fields are empty (ZA saying "No expert rules have been added"), so there are no Expert Rules, just Zone (Trusted/Internet/Blocked) Rules.
How am I protected in such a case??
I just assume that all my protection then depends "only" on the High/Medium/Low rate (slider) in the Firewall section, Zone (Trusted/Internet/Blocked) Rules & Zone Expert Rules, and Program Access & Program Expert Rules ...
And in which "cases" to make some rule, compared to the protection level if having no rule!!
Thanks for your answer
LowWaterMark
February 4th, 2004, 06:56 PM
Ah, I see what you mean.
Expert rules set up in the Firewall panel are really just for customizing your access levels; they are not required in order to be secure.
By default, if you have the Firewall slider for the Internet Zone set to High, then ZA blocks all unsolicited packets. The only points in making rules under these circumstances are to: 1. allow some things (some form of access) that you want to come in and which are being blocked by default in ZAP; or 2. perhaps set different time-of-day restrictions, or different logging settings that vary from the overall configuration in ZAP.
Leaving the expert rules blank in the Firewall tab is not a bad thing at all. They are available merely to customize (usually to expand) the accesses being allowed.
But, the expert rules in the Programs section are a different case. You can add a lot of security by adding expert rules to certain programs - my Outlook Express example is a good one. You see, with ZAP if you allow a program but don't define any expert rules for it, then it is allowed to access any port, at any time, to any destination. With Program expert rules you can dramatically narrow the access of a program. So, these are worth adding in order to increase security. But global rules in the firewall section are not needed to increase security - rather they are used to allow or change access, not secure it.
stalker
February 4th, 2004, 08:22 PM
I just remembered to write two more things here:
1.) I use a program which caches everything that is put on the clipboard. It stores the last 15 entries. Very useful program: if you cut some text and forget to paste it, it also has "permanent clipsets", which are brilliant for HTML editing and other programming.
So, it is 100 % not an internet-related program, but it sometimes causes ZA alerts (if I, for example, try to paste part of an IP or host into ZA)
I am just curious - is this alert related to so called "Open Processes Control" function ??
2.) My second additional question is - what is the definition of "Incoming/Outgoing" traffic??
As far as I can imagine, this has nothing to do with download/upload, but with "who" (which computer) started the connection (sent the request/first packet of data).
So I mean, if for example my p2p sharing program starts a connection to the sharing servers, and someone then browses my files and starts uploading them from me, it would still be an Outgoing connection??
Am I right??
Thanks all
LowWaterMark
February 4th, 2004, 08:38 PM
-{ Quote: "stalker: 1.) I use a program which caches everything that is put on the clipboard. It stores the last 15 entries. Very useful program: if you cut some text and forget to paste it, it also has "permanent clipsets", which are brilliant for HTML editing and other programming.
So, it is 100 % not an internet-related program, but it sometimes causes ZA alerts (if I, for example, try to paste part of an IP or host into ZA)
I am just curious - is this alert related to the so called "Open Processes Control" function??" }-
The image you attached... Is that absolutely all that is ever alerted? If you look in the Log Viewer panel, is there any more information? I can't tell anything just from that alert image.
But, it could be related to any of the advanced program controls. Modules, components of any type can cause alerts even if they themselves do not access the network - just so long as they are somehow connected to another program, they can be involved in an alert. This could be the case here, but without more alert or log information, I can't say.
(Nice clipboard program, by the way. :) )
-{ Quote: "2.) My second additional question is - what is the definition of "Incoming/Outgoing" traffic??
As far as I can imagine, this has nothing to do with download/upload, but with "who" (which computer) started the connection (sent the request/first packet of data).
So I mean, if for example my p2p sharing program starts a connection to the sharing servers, and someone then browses my files and starts uploading them from me, it would still be an Outgoing connection??" }-
The terminology of incoming and outgoing traffic never changes, regardless of who initiated the connection or the request for the movement of the data.
It may be best to think of the ZA firewall as if it was a separate thing from your computer (in a logical sense), as if it was an external firewall of some sort. Incoming is always packets from the Internet coming in to your PC and outgoing is always packets generated on your PC heading out to some place off your PC, "through the firewall".
The place where the terms do vary like you are describing is "source" and "destination"... When you define rules, your PC can be either the source or the destination depending upon the context of the rule. If it is a rule to control incoming packets, then your PC is always the destination (and the source is out on the outside network). If it is a rule affecting packets going out from your PC to the world, then your PC is the source and the destination is somewhere out there.
But, no matter the rule or context, outgoing packets are always those heading from your PC to the Internet regardless of the program involved or the system that requested the movement of the information.
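The distinction this reply draws (incoming/outgoing fixed by which side of the firewall a packet comes from; source/destination swapping per packet; "unsolicited" meaning no connection this PC opened), as an added example that is not part of the original thread and not ZoneAlarm's code: a small Python connection-tracking model. The address of "this PC", the peer and server addresses, and the idea of a listening-port set standing in for a program with server rights are all constructed for this example.

```python
from dataclasses import dataclass

MY_PC = "192.0.2.10"   # constructed address standing in for "My Computer"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a TCP connection


def direction(p: Packet) -> str:
    """Fixed by which side of the firewall the packet starts on, nothing else."""
    if p.src == MY_PC:
        return "outgoing"
    if p.dst == MY_PC:
        return "incoming"
    raise ValueError("packet does not involve this PC")


def conn_key(p: Packet) -> frozenset:
    """Same key for both directions of one TCP connection."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class StatefulFilter:
    """Models 'High' on the Internet Zone: unsolicited incoming connections are dropped,
    traffic on connections this PC opened (or on a port a server-rights program
    listens on) is let through in both directions."""

    def __init__(self, listening_ports=()):
        self.established = set()
        self.listening = set(listening_ports)   # assumed: ports with server rights

    def process(self, p: Packet) -> dict:
        d = direction(p)
        key = conn_key(p)
        if key in self.established:
            verdict = "allow"                   # reply or data on a known connection
        elif p.syn and d == "outgoing":
            self.established.add(key)           # this PC solicited it
            verdict = "allow"
        elif p.syn and d == "incoming" and p.dport in self.listening:
            self.established.add(key)           # a program with server rights accepts it
            verdict = "allow"
        else:
            verdict = "block"                   # unsolicited incoming, or stray packet
        # Source and destination are per packet; direction is per packet too,
        # regardless of who opened the connection.
        return {"direction": d, "source": p.src, "destination": p.dst, "verdict": verdict}


def trace(fw: StatefulFilter, packets) -> list:
    return [(r["direction"], r["verdict"]) for r in (fw.process(p) for p in packets)]


if __name__ == "__main__":
    fw = StatefulFilter(listening_ports=(2240,))
    flow = [
        Packet(MY_PC, 3001, "198.51.100.1", 2240, syn=True),   # I open the server connection
        Packet("198.51.100.1", 2240, MY_PC, 3001),              # server replies: incoming
        Packet("203.0.113.7", 51000, MY_PC, 2240, syn=True),    # a peer connects to me
        Packet(MY_PC, 2240, "203.0.113.7", 51000),              # peer "uploads from me": outgoing
        Packet("203.0.113.7", 51000, MY_PC, 445),               # no connection, not listening
    ]
    for p, (d, v) in zip(flow, trace(fw, flow)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  {d:8s} {v}")
```

The fourth packet is the case asked about: the peer initiated the connection and is pulling a file, yet the data packets leaving this PC are outgoing with this PC as source. With no port in `listening_ports`, the third packet is "unsolicited incoming" and is blocked, which is what the High slider does before any expert rule is added.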
stalker
February 4th, 2004, 08:50 PM
-{ Quote: "The image you attached... Is that absolutely all that is ever alerted? If you look in the Log Viewer panel, is there anymore information? I can't tell anything just from that alert image." }-
Yeah, the one and only alert, related to the Clipomatic.exe process
-{ Quote: "(Nice clipboard program, by the way. :) ) " }-
You know it ??
-{ Quote: "The terminology of incoming and outgoing traffic never changes, regardless of who initiated the connection or the request for the movement of the data ...
... Incoming is always packets from the Internet coming in to your PC and outgoing is always packets generated on your PC heading out to some place off your PC, "through the firewall" ...
... The place where the terms do vary like you are describing are "source" and "destination"...
... But, no matter the rule or context, outgoing packets are always those heading from your PC to the Internet regardless of the program involved or the system that requested the movement of the information." }-
Ah, so it IS related to downloading (from someone) vs. uploading (to someone)??
Thanks, LowWaterMark, for all your friendly and educative answers!!!
stalker
February 5th, 2004, 06:36 PM
Hi,
Again, because I don't want to start a whole new topic for only this question, I will answer it here ...
When I tried to restore the ZA configuration, I got an error that the .xml was not formatted properly. Anyone know what could cause it??
Maybe an HD problem (though scandisk didn't find any problems on my F:\ partition, where the .xml files were stored ...)??
Thanks again
LowWaterMark
February 5th, 2004, 06:48 PM
I'm sorry, I've never seen that error.
Generally, when you use the Backup button to create an XML output file, it should be fine when you use that file later for a Restore. (Well, so long as you don't try to edit the file or alter it in any other way.)
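A check a practitioner can run on the backup file before attempting a Restore, as an added example that is not part of the original thread: parse it for XML well-formedness and report the line and column where parsing stops, and keep a SHA-256 digest taken at backup time so that a file that changed on disk since (the disk-error possibility raised above) is caught before it is fed to Restore. The sample documents below are constructed and use a made-up element layout, not ZoneAlarm's real backup schema; the truncated copy simulates a file cut short by a write error.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample; the element names are invented, NOT ZoneAlarm's backup format.
GOOD = b"""<?xml version="1.0"?>
<settings>
  <rule name="POP3" proto="TCP" dst_port="110"/>
</settings>
"""
TRUNCATED = GOOD[:-12]   # drops the closing "</settings>\n", as a cut-short write would


def check_backup(data: bytes) -> tuple[bool, str]:
    """Return (True, root tag) if the file is well-formed XML,
    else (False, 'line L col C: reason') pointing at where the parser stopped."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        line, col = exc.position
        return False, f"line {line} col {col}: {exc}"
    return True, root.tag


def sha256_hex(data: bytes) -> str:
    """Digest to record right after a Backup, next to the saved XML file."""
    return hashlib.sha256(data).hexdigest()


def verify_before_restore(data: bytes, expected_digest: str) -> tuple[bool, str]:
    """Refuse a file that changed since backup, then confirm it still parses."""
    if sha256_hex(data) != expected_digest:
        return False, "digest mismatch: file changed since it was backed up"
    return check_backup(data)


if __name__ == "__main__":
    digest = sha256_hex(GOOD)              # recorded at backup time
    print("good:", verify_before_restore(GOOD, digest))
    print("truncated, digest check:", verify_before_restore(TRUNCATED, digest))
    print("truncated, parse only:", check_backup(TRUNCATED))
```

The parse check only proves the file is well-formed XML, not that ZoneAlarm will accept its contents; it is there to separate "the file on disk is damaged" from "Restore itself misbehaved", which is the question the post above is asking.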
Copyright ©2002 - 2012, Wilders Security Forums