ZoneAlarm and SpywareBlaster conflict

[cmauze]

I'm not sure why I installed ZoneAlarm again...Guess I'm just a glutton for punishment! (lol).

But anyway, I go to check SpywareBlaster for updates...First thing when I open the program, I get a popup alert from ZAP labeled: DANGEROUS BEHAVIOR -- SPYWAREBLASTER.EXE is trying to change your network settings by modifying the file: WINDRVDIR\etc\hosts"

Not having the foggiest idea what this meant, I clicked Deny. This happens every time I start SB (there are two alerts, both read the same). It doesn't seem to affect SpywareBlaster though -- it finishes loading and checks online for updates just the same as before installing ZA. ZoneAlarm's so-called "SmartAdvisor" doesn't seem too smart on this one, either -- it's about as "helpful" as usual.

Is this a false alarm? is there some legitimate association SB has with that OS directory, or should I be concerned? What action should I take?

I suppose I should mention also that I am running Avast antivirus and it doesn't get along with ZA too well either. Something about Avast's webshield component and the privacy (cookie?) control in ZA -- although I'd deselected that option upon installation. I'm not sure if I chose the correct option or not regarding Avast webshield's proxy server-thingie (I'm on dialup). At first the browser was returning "cannot load page" but then after quitting/re-enabling the webshield it seems to be working ok right now (for now, anyway).

[CrazyM]

Hi cmauze

... and welcome to Wilders

Quote:

Originally Posted by cmauze

I'm not sure why I installed ZoneAlarm again...Guess I'm just a glutton for punishment! (lol).

But anyway, I go to check SpywareBlaster for updates...First thing when I open the program, I get a popup alert from ZAP labeled: DANGEROUS BEHAVIOR -- SPYWAREBLASTER.EXE is trying to change your network settings by modifying the file: WINDRVDIR\etc\hosts"

Not having the foggiest idea what this meant, I clicked Deny. This happens every time I start SB (there are two alerts, both read the same). It doesn't seem to affect SpywareBlaster though -- it finishes loading and checks online for updates just the same as before installing ZA. ZoneAlarm's so-called "SmartAdvisor" doesn't seem too smart on this one, either -- it's about as "helpful" as usual.

Is this a false alarm? is there some legitimate association SB has with that OS directory, or should I be concerned? What action should I take?

Are you sure on that directory (WINDRVDIR\etc\hosts)?
Do you have lock hosts enabled in ZAP?
Are you using the Hosts Safe tool in SpywareBlaster to back-up it up?

Regards,

CrazyM

[djuggernaut]

Hey,

I'm not sure if this helps but i believe the hosts file is located in C:\WINDOWS\system32\drivers\etc so i guess spywareblaster is trying to modify or backup the hosts file. I think this would be fine to allow.

regards

[cmauze]

Quote:

Originally Posted by CrazyM

Hi cmauze

... and welcome to Wilders


Are you sure on that directory (WINDRVDIR\etc\hosts)?

Yes -- I just double-checked it.

Quote:

Do you have lock hosts enabled in ZAP?

How do you check that? I haven't seen that option...

Quote:

Are you using the Hosts Safe tool in SpywareBlaster to back-up it up?

I presume you mean under Tools --> Hosts Safe --> Create New Backup? This is the error message I get when attempting that option:

http://img.photobucket.com/albums/v4...osts_error.jpg

That doesn't sound quite right, because I am the only user on my pc (only one desktop profile) and have never received alerts like that from any other program. Of course I had just clicked Deny on the ZA alert earlier, so could that have caused it? Oh yeah, and I also immunized through Spybot S&D -- could that have anything to do with it?

I'd like to find out something definitive about this so that I can either take corrective action or suppress/disable the alerts/access blocking, whichever the case may be. I find it odd that ZA has very little to nothing on their "SmartAdvisor" pages regarding either program -- or maybe not, since I suspect they're not overly fond of freeware security solutions. In the meantime, their lack of detailed info. makes it considerably more difficult for (relative) newbies like me to manage their computers.

[CrazyM]

Quote:

Originally Posted by cmauze

Yes -- I just double-checked it.

The normal directories for the hosts file are:
Windows XP = C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Windows 2K = C:\WINNT\SYSTEM32\DRIVERS\ETC
Win 98\ME = C:\WINDOWS
Is ZAP abbreviating this in it's alert?

Quote:

How do you check that? I haven't seen that option...

I believe you will find the option under the firewall > advanced tab.

Quote:

I presume you mean under Tools --> Hosts Safe --> Create New Backup? This is the error message I get when attempting that option:

http://img.photobucket.com/albums/v4...osts_error.jpg

That doesn't sound quite right, because I am the only user on my pc (only one desktop profile) and have never received alerts like that from any other program. Of course I had just clicked Deny on the ZA alert earlier, so could that have caused it? Oh yeah, and I also immunized through Spybot S&D -- could that have anything to do with it?

That alert would support the idea something else (ZAP or other app) is protecting/monitoring the hosts file.

Quote:

I'd like to find out something definitive about this so that I can either take corrective action or suppress/disable the alerts/access blocking, whichever the case may be. I find it odd that ZA has very little to nothing on their "SmartAdvisor" pages regarding either program -- or maybe not, since I suspect they're not overly fond of freeware security solutions. In the meantime, their lack of detailed info. makes it considerably more difficult for (relative) newbies like me to manage their computers.

As the dangerous behavior alert is for a trusted program, SpywareBlaster, you could allow this. Hopefully the smart advisor information will improve with time.

Regards,

CrazyM

[djuggernaut]

Hey,

It sounds to me like spywareblaster is modifying something in your host file, and zone alarm is monitoring the host file and detecting the change. I found something about this mentioned here:

http://castlecops.com/p627146-ZoneAlarm_Pro_V6.html

They said that spywareblaster did not add anything to the host file but it removed the "read only" check.

If you want you can allow whatever spywareblaster is doing, and look at the host file before and after to see what it is changing. Either way i don't think it is too important which you choose, but i could be wrong.

Enjoy

[Bubba]

Upon executing of Spywareblaster one of the files it queries(opens) is
the Hosts file which can be verified with a program such as Sysinternals FileMon. In your ZoneAlarm Advanced settings area should be a setting dealing with Lock hosts file.
If that is checked that is why ZA is alerting you to that fact IMHO.

In regards to the Spywareblaster Hosts error message. How large is your Hosts file ?
There is a known issue by Javacool where-by large Hosts files will cause this message.

SB vs Hosts file

Quote:

Originally Posted by Javacool

Yes, a very large hosts file (like the one you mentioned) could indeed cause that error message to be displayed.

I'll look into increasing the HOSTS file size that the Hosts Safe feature can support for a future version of SpywareBlaster.

[cmauze]

Thanks to all who have responded. Ok, this is what I know so far:

1) After checking the ZoneAlarm --> Firewall --> Advanced settings area, "Lock Hosts File" (or whatever it's called), I discovered is not checked.

2) I couldn't find windrvdir\etc\hosts on the C:\ drive (and I do have "show hidden files and folders" enabled); so I would presume that ZA is abbreviating. Thanks for alerting me to that possibility, however, because I never would have guessed!
However, in C:\WINDOWS\SYSTEM32\DRIVERS\ETC folder (I am running WinXP Home), the Host file is only listed as 1 KB (734 bytes), last modified 8/18/01 -- can that be right?? Are we referring to the same file here?

Quote:

If you want you can allow whatever spywareblaster is doing, and look at the host file before and after to see what it is changing.

I didn't attempt to open the hosts file as it had no extension and one of those weird-looking icons when Windows doesn't know what program to open a file with. In my limited observation, usually those are system files written in some kind of weird code; and/or pertain to some particular app that's only accessed from within the app (like a game, for instance).

3) ZA has also given "dangerous" alerts for Ad-Aware upon opening the program. Either something really odd is going on or ZA is like, waaaaay too oversensitive for average pc users (like me! ) who don't (or barely) know the difference between a registry and a hosts file (much less how to fix or tweak them), and who got their computers for something just a little more practical than constantly troubleshooting system internals.

Either way, after previously experiencing the aforementioned problems with ZA blocking half the normal internet with Avast, the only reason I reinstalled ZA (after pc being reformatted) is because Sygate and Kerio looked even more complicated! (UDP? DCHP? along with a host of other mysterious terminologies I don't remember)... I didn't even bother trying them, especially since Sygate required clean install each update (retraining for settings over and over from scratch? -- forget that, sheesh! )
But it looks like ZA has also gotten more complex (more settings, etc.) since the last time I used it. I barely understood it before; but at least I never used to get all of these "dangerous behavior"-type alerts, which I suspect (due to their frequency and the way they interrupt what was previously normal pc activity under WindowsXP-SP2 firewall) are probably false positives. Only I don't know for sure, and that's why I'm here asking.

I was only looking for a firewall to do its job *Quietly* in the background and let me get on with my normal everyday websurfing and computer work... but I guess in today's online climate that's a luxury of the past, huh?

[djuggernaut]

Hey,

Sorry that the firewall is complicated and you're having difficulties. About the spywareblaster alert... if you don't want to mess with it any more you can probably just choose deny or even allow and check the box that says not to ask again or whatever. I'm almost positive spyware blaster won't mess up your computer ; ) and i am sure that it doesn't need to do anything to the hosts file to function properly. So either way your good.

On the other hand if your a little more curious:

Yes i think that is the right file, mine is about the same size except modified more recently. In order to view it use notepad, just as long as you don't change anything and save it no harm will be done. Mine looks like this:


# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
# For example:
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost


It kind of looks complicated... but every line that starts with a "#" means nothing (just comments to the reader) so really the only line that does anything is the last one (127.0.0.1 localhost). Yours may have more entries and even if you don't understand what the stuff does, you should still be able to check if spywareblaster adds anything or not when you allow the ZA alert. So before hand check to see what is in there and also look when you right click on the file and choose properties to see if "read only" is checked. Then see if either has changed after you allow spywareblaster to do its thing.

I'm not sure why ZA is protecting it even when the "lock hosts file" thing is unchecked... but my opinion is that that's what's happening. I think ZA would warn you if any application tried to modify it no matter how safe the program is. But i don't think you have to worry about anything. Just choose an option.

Hope this helped,
good luck

[patermann]

At the risk of triggering yet more alerts , you may consider using a blocking hosts file such as the MVPS hosts file to provide an extra layer of security. As well as providing a good blocking hosts file, the page referenced above gives full details on using it. As your current hosts file is the minimal default file, you can simply replace it with the MVPS one (no problems with merging hosts files like I have!).

HTH

patermann