Wilders Security Forums  

#1
December 8th, 2003, 08:50 PM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Can TDS knock out your Firewall?

Hi All:

Yesterday I decided to test the Network > TCP Port Listen > Bind to Port function and set it to listen to Port 137. After noting that port blocking seemed to be working I turned it off and a little later went to check my Zone Alarm (free version) log. To my surprise it seemed to be frozen at the entry for TDS. Normally it records on average about one 'intruder' or hit or ping per minute, most of them from Yahoo BBS, but the hits had just stopped coming. Even after rebooting, and even after reinstalling ZA, it wasn't working. Since I'd been thinking of shifting to Sygate anyway, I uninstalled ZA and installed Sygate. To my relief it seemed to be working, although it wasn't recording anywhere near the number of hits I'm used to getting. A little later I also received an alert from it and, having had enough for one day, shut down the computer. But today, just after turning it back on, a similar alert arrived: 'Somebody is scanning your computer. Your computer's TCP ports: 81, 8888, 3128, 8080 and 80 have been scanned from 64.132.100.254.' Does anyone have any idea what's going on?

My apologies in advance if a similar matter has already been treated in another thread, and my thanks for everyone's kind help with problems in the past.
__________________
tepi
#2
December 8th, 2003, 11:09 PM
dallen
Frequent Poster
Join Date: May 2003
Location: United States
Posts: 818
Re: Can TDS knock out your Firewall?

tepi,

I'm sorry that I don't have an answer to your problem. However, I'm curious why you went away from Zone Alarm to Sygate?

dallen
#3
December 8th, 2003, 11:23 PM
DolfTraanberg
Frequent Poster
Join Date: Nov 2002
Location: Amsterdam
Posts: 676
Re: Can TDS knock out your Firewall?

I cannot see how the port listen utility can crash your ZA.
TCP Port Listen does exactly what it says: it listens on a given port, and can only do this while no other process is listening on that port.
Dolf
__________________
Idealism is what precedes experience; cynicism is what follows.
Of those who say nothing, few are silent.
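
An added example, not part of the original thread or of TDS: a minimal Python listener showing the exclusive-bind behaviour described in the post above, which the port 137 listening script mentioned later in the thread also relies on. It assumes the loopback address and an OS-chosen free port instead of port 137, and all function names are illustrative.

```python
import errno
import socket
import threading

def start_listener(host="127.0.0.1", port=0):
    """Bind and listen like a port-listen utility; port=0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def second_bind_rejected(host, port):
    """Return True if a second socket cannot bind the occupied port (address in use)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return False
    except OSError as exc:
        return exc.errno == errno.EADDRINUSE
    finally:
        s.close()

def log_probes(srv, count, log):
    """Accept `count` connections, record the peer address, then close each one.
    A listening port completes the TCP handshake, so the probe is seen here
    by the listener itself rather than being refused by the OS."""
    for _ in range(count):
        conn, peer = srv.accept()
        log.append(peer[0])
        conn.close()

def demo():
    srv = start_listener()
    host, port = srv.getsockname()
    rejected = second_bind_rejected(host, port)   # exclusivity check
    log = []
    worker = threading.Thread(target=log_probes, args=(srv, 2, log))
    worker.start()
    for _ in range(2):                            # constructed local "probes"
        socket.create_connection((host, port), timeout=2).close()
    worker.join(timeout=5)
    srv.close()
    return rejected, log

if __name__ == "__main__":
    print(demo())
```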
#4
December 8th, 2003, 11:25 PM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Re: Can TDS knock out your Firewall?

Hi Dallen:

Because, even after a reinstall, ZA wasn't working. And I'd been thinking of shifting to Sygate anyway as I did get the impression around here that in some ways it can be a bit better than ZA. Small point, but I'm finding that I like the layout of its log better. Anyway, something definitely knocked out ZA, whether it was TDS or a virus or a Trojan, and I don't want to be without a firewall.

Cheers
__________________
tepi
#5
December 8th, 2003, 11:26 PM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Re: Can TDS knock out your Firewall?

Quote (Dollefie):
I cannot see how the port listen utility can crash your ZA.
TCP Port Listen does exactly what it says: it listens on a given port, and can only do this while no other process is listening on that port.
Dolf


I don't see how either. That's why I wrote my post. The title is 'Can TDS knock out your Firewall?' not 'TDS knocked out my Firewall.' But it's odd that ZA's last log entry was about TDS.
__________________
tepi
#6
December 8th, 2003, 11:32 PM
DolfTraanberg
Frequent Poster
Join Date: Nov 2002
Location: Amsterdam
Posts: 676
Re: Can TDS knock out your Firewall?

Quote (tepi):
I don't see how either. That's why I wrote my post. The title is 'Can TDS knock out your Firewall?' not 'TDS knocked out my Firewall.' But it's odd that ZA's last log entry was about TDS.

In that case the answer is no, it cannot.
__________________
Idealism is what precedes experience; cynicism is what follows.
Of those who say nothing, few are silent.
#7
December 8th, 2003, 11:56 PM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Re: Can TDS knock out your Firewall?

Then I wonder why the TDS operation was ZA's last log entry before it expired and could not be resuscitated.... Seems very strange, especially as Sygate is working OK.
__________________
tepi
#8
December 9th, 2003, 12:05 AM
DolfTraanberg
Frequent Poster
Join Date: Nov 2002
Location: Amsterdam
Posts: 676
Re: Can TDS knock out your Firewall?

Well, I don't know what the log said, but knowing how many port 137 probes are being launched, and that ZA knows TDS is listening on that port, I can imagine that ZA mentions TDS as the listening application on a blocked probe.
Dolf

edit: read TCP Port Listen for TDS
__________________
Idealism is what precedes experience; cynicism is what follows.
Of those who say nothing, few are silent.
#9
December 9th, 2003, 01:54 AM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Re: Can TDS knock out your Firewall?

Yes
__________________
tepi
#10
December 9th, 2003, 08:34 AM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Can TDS knock out your Firewall?

When I went completely crazy from the miles-long logs with 137 probes, I was very happy to use a little TDS script -- didn't you write it, Dollefie, or was it another TDS family member? -- which kept listening on port 137 all the time; thus the port was occupied and nobody could scan there, or if they did, it was no longer logged with ZAPro. In later versions of ZAPro this was not working anymore that way and all the probes were logged again, so I stopped using that nice little script.
I used that little script just because I didn't want to put up the port listen all the time, and this way I could have permanent listening on more ports if I liked.
You must not forget to close that function, as ZA(pro) might like it so much it doesn't log the 137 at all anymore.

For firewalls...... there is a special forum for which is best or better. I read so many good things about several, but you must always have the one protecting you best, to your satisfaction, on your own system, as you must work with it and do some testing to see whether it is really safe.

But TDS didn't knock down your fw, it just helped stop the logging of the portscans, which should make you really happy.
In fact you let them in, acting as an emulator, but since you're not really infected with the Bugbear or whatever knocks there, it can't harm your system.
__________________
Jooske
"o_o"
#11
December 9th, 2003, 11:25 AM
tepi
Regular Poster
Join Date: Nov 2003
Posts: 81
Re: Can TDS knock out your Firewall?

Hi Jooske:

Well the good news is that everything is back to normal now, with full TDS and NAV scans showing the computer as clean and Sygate working fine.

Cheers
__________________
tepi
#12
December 9th, 2003, 05:35 PM
Jooske
Incredibly Massive Poster
Join Date: Feb 2002
Location: Netherlands, EU near the sea
Posts: 9,713
Re: Can TDS knock out your Firewall?

Sounds good!
In the later ZA(pro) 4.x versions the listen port 137 trick didn't work anymore to keep them from the logs just like that, so maybe Sygate makes you more happy with that.
__________________
Jooske
"o_o"
#13
December 9th, 2003, 07:03 PM
Randy_Bell
Updates Team
Join Date: May 2002
Location: Santa Clara, CA
Posts: 3,053
Re: Can TDS knock out your Firewall?

Quote (Jooske):
Sounds good!
In the later ZA(pro) 4.x versions the listen port 137 trick didn't work anymore to keep them from the logs, so maybe Sygate makes you more happy with that.

You can create an Expert Rule in ZAP 4.x to not log certain events, such as inbound port 137 probes. ;-)
 

All times are GMT -4.