How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello Stem and all concerned!

    Now I have a new alert! Blocking IP authentication, I think? See attached image and advise how to handle!

    As a typical user I don't want to spend time responding to alerts that should be automated. I may have done something wrong settings-wise (again!)

    Thanks in advance
     

    Attached Files:

  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi Escalader!

    For troubleshooting purposes and to help Stem, it would be important to post a screenshot of the details of the alert,
    such as Originating IP and Destination IP. I think this is reported under the "details" or "technical info" tab (?)

    The more stringent the rules, the more likely you will get copious warnings from ZA. It can help also to set ZA "high" in terms of "alert events shown" (Alerts and Logs tab) so that you get these warnings instantly and may better guess what could have caused them (depending on what you were doing at that moment). Unless this alert was already a pop-up from ZA.

    Cheers,
    Fax
     
  3. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    A server is a program that requires inbound connections.

    What program is being blocked in the alert? (it should be svchost(XP) making DHCP). Did you have the Internet lock enabled at the time?
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    Yes, I think I can do that next time it pops! But let me look in the logs now and see if the detail (where the devil lives) is there... I think it is recorded in the attachment.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Can't tell you what program is being blocked, you must be correct though. No, the internet lock was not on!
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yep, it should be in the Alerts and Logs --> alert type: firewall. Select it and then push "more info" and it will bring back that webpage...

    Fax
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    No, these do not require inbound connections; these programs make outbound connections to a server (such as for updates). In your setup, to be able to run server software, you would need to remove the alpha shield, and port forward in your router, then enable your server program "Server Internet".
    It is only such programs as P2P/Torrent clients that run as servers, so other users can connect in.


    Well, if svchost (Generic Host process for Win32 Services) is allowed Access to the internet, then DHCP should be allowed. It sounds buggy to me.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Okay, here is an incoming block that may shed light (maybe not)

    Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
    Source Port 1060 The port used by the source computer when sending the packet.
    Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
    Destination Port 53 The port on the destination computer used to receive the packet.
    Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
    Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
    Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
    Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
    File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
    Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
    Alert Date Apr-28-2007 10:55:04 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
    Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.



    ZoneAlarm Pro security enforcement at time of alert



    Alert property Alert property value Technical explanation
    Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
    Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
    Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
    Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
    Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
    Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your co
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    ZA for blocking the packet. Only if you have svchost blocked from internet access (or if you enable the internet lock) should DHCP be blocked



    The info you have posted does not match the alert you gave earlier. In your post of the alert, this was for DHCP (port 68). In your last post, this info is for DNS (port 53).
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I did post 2 alerts, one in, one out. Sorry for my confusion. Here is the log entry for port 53.

    ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server

    ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred. Your computer is safe.
    What happened?

    ZoneAlarm Pro blocked an outbound communication to a Domain Name Server. The function of a Domain Name Server (DNS) is to convert a domain's IP address, such as 207.25.71.28, into a recognizable name, such as www.cnn.com.


    Should I be concerned?

    There is usually no reason to worry about this alert, but it should be investigated. One possibility is that your application attempted to send a query out to the Internet before ZoneAlarm Pro started running on your machine at start-up time. By default, ZoneAlarm Pro is loaded when Windows first starts up. This minimizes the possibility that an application will establish an Internet connection before the TrueVector Service is loaded.


    What should I do?

    Your internet application may not be working properly. In that case, stop the application, then restart it. This often fixes the problem and in that case, you will not receive this alert again. In addition, go to the Configure panel to make sure that ZoneAlarm Pro is configured to load when Windows starts. You can also run regular checks on your machine for viruses and Trojan horses.
    _________________________________________________________________

    ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server

    ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred. Your computer is safe.
    Inside the firewall alert



    Alert property Alert property value Technical explanation
    Source IP Address xxx.xxx.xxx.xxx The IP address of the computer that sent the packet which caused the alert.
    Source Port 1060 The port used by the source computer when sending the packet.
    Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
    Destination Port 53 The port on the destination computer used to receive the packet.
    Transport Layer Protocol UDP The protocol that allows data to be transported between software programs on different computers.
    Network Layer Protocol IP The protocol that allows two networked computers to locate each other on a network.
    Link Layer Protocol Ethernet The protocol that allows two directly linked computers to share a network cable.
    Program Name Generic Host Process for Win32 Services A program on your computer. This program either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
    File Name SVCHOST.EXE The executable file on your computer that launches and runs Generic Host Process for Win32 Services.
    Program Version 5.1.2600.2180 The version of SVCHOST.EXE running on your computer.
    Alert Date Apr-28-2007 09:36:54 AM PDT The time when ZoneAlarm Pro detected the alert on your computer.
    Alert Count 1 Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.



    ZoneAlarm Pro security enforcement at time of alert



    Alert property Alert property value Technical explanation
    Lock Level Lock Not Engaged Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
    Trusted Zone Security Level High This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Trusted Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
    Internet Zone Security Level High This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Internet Zone Servers Servers Allowed Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
    Packet Direction Outgoing The packet that caused the alert was sent from a program on your computer. It was being sent to a computer located somewhere on the Internet or on your network.
    Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
    Operating system Windows XP-5.1.2600-Service Pack 2-SP Version of operating system running on your computer.
    _________________________________________________________________

    ZoneAlarm Pro prevented your computer from accessing port 53 on a DNS server

    ZoneAlarm Pro prevented your computer from sending a message to a remote computer. No breach in your security has occurred. Your computer is safe.
    Details




    This alert was caused by an attempt to contact a DNS server. Domain Name Service (DNS) is a service provided by your ISP which allows you and the applications on your machine to refer to locations on the Internet by easy-to-remember names instead of by numeric IP addresses.

    For example, cnn.com has an IP address of 207.25.71.30. When your application wants to connect to cnn.com, it first connects to port 53 on a DNS server and asks the server what the IP address is for cnn.com. It then proceeds to connect to 207.25.71.30.

    Attempting to contact a DNS server is usually nothing to worry about. It is not a hostile action. However, it does indicate that an application on your machine was trying to reach an address on the Internet, or possibly, on your Local Area Network.

    The alert usually means that, when you started ZoneAlarm Pro, an Internet application was already running on your machine. What happened is that your application made its original Internet connection before ZoneAlarm Pro was up. The original connection was not registered. For this reason, ZoneAlarm Pro cannot determine whether the most recent communication the application tried to establish should be permitted. Therefore, because your security was set to High, ZoneAlarm Pro has blocked the communication and you received an alert.

    In the following paragraphs, we provide a list of reasons why the application may have already been running on your machine before ZoneAlarm Pro started:

    An Internet connection may have already been established on your machine when you installed ZoneAlarm Pro. This could have caused the alert if you did not reboot after installation.
    You may have started ZoneAlarm Pro manually with an already live connection to the Internet.
    Your system may be configured to launch an Internet application when Windows boots up. If that is the case, the application might be establishing an Internet connection before the TrueVector Service finishes loading. This problem should not occur if you did not change the default configuration which causes ZoneAlarm Pro to load at Windows startup. This is an extremely rare problem because ZoneAlarm Pro is designed to avoid this situation.
    Another possibility is that a Trojan horse that has been installed on your machine is launching when Windows starts up, then immediately establishing an Internet connection. For your protection, ZoneAlarm Pro immediately blocks any communication a Trojan tries to establish. Leaving ZoneAlarm Pro configured to load at Windows startup is your best protection against Trojans trying to communicate with their masters on the Internet.
    If one of your applications is not functioning properly because of the blocked communication referred to by this alert, and if you just installed ZoneAlarm Pro or started ZoneAlarm Pro manually, stop your application then restart it. This will probably solve the problem. Once you restart the application, ZoneAlarm Pro will be able to detect any attempt the application makes to connect to the Internet. In response, ZoneAlarm Pro will either prompt you for permission or enforce the permission settings you have already set on the Programs panel.

    To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first.






    Related Links




    ZoneAlarm web site pages that may be helpful:

    ZoneAlarm Online Support
    ZoneAlarm Home Page
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    It was the log entry for the alert that you posted in post#51 (for DHCP). But it does not matter, you do not need to post that.

    Different.
    For svchost, look in ZA ->Program control->Programs. svchost is named as "Generic Host Process for Win32 Services"

    If DHCP was being blocked, then you would get an alert every 5 mins, and eventually you would not be able to connect to the internet.
    It must be a bug within ZA.
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses


    Stem:

    It is happening frequently, but ZA messages imply that repeated messages will not show up.

    In Program control->Programs, "Generic Host Process for Win32 Services" shows Server is trusted but Internet is blocked. Does the fact that we placed Family LAN as Internet, not Trusted, cause this? ZA seems to think the router should be trusted whereas you and I are saying no, it is part of the defense. Well, it is defending and this is the price?

    With the number of people for good or ill using ZA, does it seem likely it is a bug, or more likely I have installed it wrong or set it up wrong? We are still only part way through my learning thread. Right now the Program control is at medium and component control in learning mode.

    The latest block help says:

    ZoneAlarm Pro blocked a probe to port 67. This is most likely your ISP's DHCP server requesting authentication so it can issue you an IP address. If you received an alert that ZoneAlarm Pro is blocking broadcast address 255.255.255.255 then that is confirmation your computer is asking for an address assignment from a DHCP server

    The help offers to add its IP 192.168.1.101 to the trusted zone! I didn't do this.

    I will add the 255.255...... to the internet zone and ask what will happen?
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Escalader,
    My test PC has only ZA installed. My direct tests only check the firewall, not conflicts with other software.
    What you are seeing is certainly a problem with ZA, possibly with other software. For a firewall to block outbound DHCP is a major problem. If this was inbound, then some explanation can be made.

    I will start in-depth checking, as this needs to be checked/resolved. From my installation/checks I do not see any problem, apart from the initial outbound attempts. But I am certainly interested/concerned.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, I agree with all your concerns. I restarted my PC after setting 255.255.255.255 to the internet zone. Since then the alerts and blocks to/from DHCP have stopped.

    The question I have is why would I as a "typical" FW user even have to do this in a commercial FW product?

    Personally I don't mind doing it inside a learning thread, but I didn't start out trying to debug anything let alone ZA Pro.

    As an experiment what do you think about me reversing the 255 trick to see if the alerts resume?
     
  15. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    The bootdhcp broadcast is not being blocked on my setup. I cannot understand why it would in your setup.
    Remove the entry for 255.255.255.255 ~ internet, then go back into Firewall-> Main-> Internet Zone security-> custom, and enable "Allow Broadcast/multicast". If any blocked packets for DHCP then show, check the local/remote IPs.
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi!
    Probably one of the reasons why Stem does not get those warnings is that he does not rely on the router for IP allocation and DNS resolving...

    How is your set up Stem?

    So, in principle, your next step in securing your connection is to disable DHCP in your router and set the different XP machines with fixed IPs and DNS information.

    Fax
     
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello fax,

    I can understand your thought on this. But basically, what you are saying is to disable DHCP, so there would be no need for outbound/inbound DHCP. This is not a fix, but a workaround. Svchost(XP) should not be blocked from making outbound DHCP, unless internet access is denied to svchost(XP), or the internet lock is active. This is the same for DNS(when DNS service/client is active)
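    The rule Stem gives here (svchost should only be blocked for outbound DHCP/DNS when svchost is denied Internet access or the Internet Lock is active), applied to the alert fields Escalader posted earlier, can be written as a small triage check. This is an added example, not code from the thread or from ZoneAlarm; it reads only the five fields it needs from ZA's flattened "property value explanation" lines, and the "Lock Engaged" wording for an active Internet Lock is an assumption (only "Lock Not Engaged" appears in the thread).

```python
"""Triage ZoneAlarm Pro alerts of the kind posted in this thread:
svchost.exe blocked on UDP/53 (DNS) or UDP/67-68 (DHCP)."""
import re

# Value patterns for the ZA alert fields the triage needs.  Each alert line is
# "<property> <value> <explanation>", so we anchor on the property name and
# take a value of known shape.  "Lock Engaged" is an assumed wording.
FIELD_PATTERNS = {
    "Destination Port": r"(\d{1,5})",
    "Transport Layer Protocol": r"(UDP|TCP|ICMP|IGMP)",
    "File Name": r"(\S+\.EXE)",
    "Packet Direction": r"(Outgoing|Incoming)",
    "Lock Level": r"(Lock (?:Not )?Engaged)",
}

DHCP_PORTS = {67, 68}
DNS_PORT = 53
WATCHED_PORTS = DHCP_PORTS | {DNS_PORT}

# Constructed sample, in the same flattened format as the alerts in the thread.
SAMPLE_DNS_ALERT = """\
Source Port 1060 The port used by the source computer when sending the packet.
Destination IP 64.71.255.198 The IP address of the computer to which the packet was sent.
Destination Port 53 The port on the destination computer used to receive the packet.
Transport Layer Protocol UDP The protocol that allows data to be transported.
File Name SVCHOST.EXE The executable file on your computer that launches and runs it.
Lock Level Lock Not Engaged Internet and network connections are not blocked by a lock.
Packet Direction Outgoing The packet that caused the alert was sent from a program.
"""

# Constructed DHCP variant: same host, client-to-server port 67.
SAMPLE_DHCP_ALERT = SAMPLE_DNS_ALERT.replace("Destination Port 53", "Destination Port 67")


def parse_alert(text):
    """Return a dict of the needed fields from flattened ZA alert text."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        for key, value_pat in FIELD_PATTERNS.items():
            m = re.match(re.escape(key) + r"\s+" + value_pat + r"\b", line, re.IGNORECASE)
            if m:
                fields[key] = m.group(1)
    return fields


def triage(fields, svchost_internet_allowed):
    """Classify a parsed alert.  svchost_internet_allowed is what
    ZA -> Program control -> Programs shows for
    "Generic Host Process for Win32 Services" under Internet."""
    port = int(fields.get("Destination Port", -1))
    proto = fields.get("Transport Layer Protocol", "").upper()
    exe = fields.get("File Name", "").upper()
    direction = fields.get("Packet Direction", "")
    lock_engaged = fields.get("Lock Level", "") == "Lock Engaged"

    if exe != "SVCHOST.EXE" or proto != "UDP" or port not in WATCHED_PORTS:
        return "review: not an svchost DHCP/DNS alert"
    service = "DHCP" if port in DHCP_PORTS else "DNS"
    if direction == "Outgoing":
        if lock_engaged:
            return f"expected: outbound {service} blocked by the Internet Lock"
        if not svchost_internet_allowed:
            return f"expected: outbound {service} blocked, svchost denied Internet access"
        # Lock off and svchost allowed: the case the thread treats as a ZA bug.
        return (f"unexpected: outbound {service} from svchost blocked with lock off and "
                "svchost allowed; check Allow Broadcast/multicast, otherwise report to ZA")
    # Inbound DHCP/DNS blocks can have a benign explanation on a LAN whose
    # router sits in the Internet zone; confirm the local/remote IPs first.
    return f"inbound {service} blocked; check local/remote IPs before trusting the source"


if __name__ == "__main__":
    for name, text in (("DNS", SAMPLE_DNS_ALERT), ("DHCP", SAMPLE_DHCP_ALERT)):
        print(name, "->", triage(parse_alert(text), svchost_internet_allowed=True))
```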
     
  18. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Good Morning Stem, boy this is some learning thread for me! I started in grade school now I'm in Q and A at grad school, but I'm not complaining.

    I will do the remove 255.255.255.255 and enable Allow Broadcast.... But first let me give you some symptoms from my start up this AM. My PC couldn't acquire an address. Last night when I shut down I had disconnected from the internet and closed all security including ZA. I played a standalone game to get some fun out of the PC for a bit. (therapy :D )

    This morning I started up, all security software came to life: first BD 10 appears on the task bar, then SS 5.3, then ZA Pro. But of course no connection since it was off from last night's close down.

    Then I got some alerts that seem to me to be down the track you are checking for me and all others who I hope are benefiting from the thread!

    They are attached as images. Please look at these and advise if your removal step is still the way to go. :doubt:

    trimmed.JPG
     
    Last edited by a moderator: Apr 29, 2007
  19. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Escalader,

    Good morning to you, although it is 3:45 PM here in the UK

    Interesting alerts/log. I am currently in a thread concerning DHCP and the low level needs for this. I have still to see any such alert from ZA, although due to my settings within ZA, these would be only log entries.

    I can only, at this time, go from your info and what I see in my own setup. I do not see blocked broadcast, or even blocked IGMP on boot. I have made/do make many boots on the test PC (with installed ZA). I will now perform this again, and show you the logs from my gateway, with what is logged in ZA.

    Just give me 15 mins while I boot ZA a few times, to compare the logs made. I will then show you what is happening during boot. My gateway is allowing all outbound from the test PC (as if it was connected directly to the internet; it is just a case of further filtering by my gateway (invalids etc), but there are no restrictions on what outbound is allowed). (If my gateway does show any outbound blocked from ZA, I would adjust to allow, to see what connections are being made.)
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    yep, but I think previous DHCP warnings were not outbound but inbound...

    Fax
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    https://www.wilderssecurity.com/showthread.php?p=993182#post993182 this is outbound, unless the report is incorrect

    If this is a problem with ZA, which at the moment it looks possible, then I would prefer to confirm this, then reports can be made to ZA. This helps ZA to resolve such problems, and if resolved, then stops problems for the end user.
     
  22. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    No rush, Stem! Take all the time you need.
    It is noon here clear and cool!

    My PC is running I got connected by setting the 255.255.... to TRUSTED.

    For all posters here, I'm reading all contributor's posts, but unless Stem tells me to do/change something I'm viewing them as data for Stem! If I act any other way the learning thread will go out of control.

    On a personal note, Stem is to be commended for his dedication and patience in doing this work here, which IMO goes way beyond the normal call of duty! I can never repay him, I will try of course. Let's not guess at possible reasons, let's KNOW from a base of either a test, a log or a fact; guessing just deflects energy and time. This is a technical thread, so like the old detective series years ago: "just the facts ... please!" ... circa Joe Friday. :D

    A reminder, I'm trying to optimize ZA pro settings. Not trying to debug the product. If bugs are found, so be it. They can be reported but in my view that is secondary till finished with the ordered list of OP questions.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I am more inclined to think that working on the router will solve most of this (and XP network setup). In fact, your set-up, if I understood well, is only different in this respect. The rest in ZA is the same.

    I would also check not to run any IM programs while testing ZA and the router calls... so as not to complicate the troubleshooting even more.

    Fax
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks for the opinion. I don't use IM it is disabled.

    I'll wait for Stem's results and take next steps based on his tests and my actual observations.

    It's not really that complicated for me at all, very interesting work though! :D
     