Is there really something wrong with Zone Alarm?

Discussion in 'other firewalls' started by Diver, Mar 5, 2005.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Outpost does not phone home for serial number checks. I have (for testing) added a warez serial (which was reported to Agnitum in Nov 2004) and it is still working. Older warez serials I tested reported as expired. In no case did Outpost attempt to make a connection to www.agnitum.com (I placed a block on it using a router firewall which also would have logged any access attempts - nothing has been reported other than my test pings for the last hour). Such activity would also have been visible (and reported) by those running packet sniffers.

    As the ASProtect page I linked to previously should have indicated, serial number blacklists are stored internally.
     
  2. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    P2K-

    You have done your homework. Like I said, Outpost has a good reputation, but somehow it does not fit my style. I would not hesitate to tell folks to try it, along with ZA, Kerio 2.15, Sygate and a few other more exotic picks. A firewall is like a shoe, it has to fit right.

    Funny thing is, for about 4 years I ran with nothing but either the built in XP firewall (pre SP2) or a NAT. No infections, and various AV's picked up stuff all the time. It was only a couple of months ago that I started to mess with software firewalls (beyond the now XP SP2 FW) again. I won't go so far as to say that app control is worthless, but it is at a lower priority in my head than it is for many around here.

    I don't know where the answer lies. If an OS like windoze allows things like root kits, the problem is with the OS. Adding stuff like firewalls with extensive app controls or sandboxing with Prevx or process guard is a band aid.

    You really have to go back to basics. Dump IE/OE and even consider running in a restricted account.
     
  3. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    An interesting analogy, to be sure. ;) Presumably older products then require odour-eaters to stay fresh. :D

    One thing rarely mentioned in these forums is the need to assess online risk and choose security products accordingly. With the current level of scans and DoS attacks, a firewall capable of filtering incoming traffic is a must-have while the application-filtering aspect is arguably more important from a privacy viewpoint (preventing installed software, Windows included, from phoning home). However the ability of an application-filtering firewall to act as a last line of defence against malware should not be completely discounted.

    Rootkits originated in the Unix world. The problem with Windows is that it has been so easy to compromise most systems that deploying rootkits has only recently become desirable (more so with the money that can be made from spyware and zombie PCs where malware needs to stay hidden for as long as possible). Ultimately, every OS has to be able to assign trust levels to code and distinguish between legitimate and malicious programs. Microsoft is really a novice at this compared to mainframe OS designers, which is a pretty shameful position for a company that has had a monopoly of unparalleled size in the computing world.

    These should be the first things on any security checklist I'd agree. A pity that Microsoft hasn't been made to open Windows Update up to other browsers...
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm using Win2k here and really like it. I wish MS would extend its life, but I think that ends this June. I really don't want to go to XP, but I'll probably have to sooner or later, unfortunately. From what I've seen and heard about it, I'm better off with Win2k.
     
  5. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I removed ZA here myself a few days ago and am now sticking with Look N Stop for the time being. For some strange reason I really like its simplicity and light footprint. It's weird, because a month or so ago I couldn't see what people saw in it. Just goes to show you how your opinion can change. I guess if Jetico comes up with something new to look at, I'll check it out. But for now it's LNS..

    PS... Also took a quick look at Blackice tonight. Boy is that one weird. I can't say that I like it at all. So much for that..
     
  6. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K- Most IT professionals prefer w2k over XP because of greater stability and compatibility with older applications. MS intends to release a roll-up of fixes for it soon. After that it will be critical security patches only.

    With w2k power management never seemed to be completely right. After each reboot I would have to change a power management setting and change it back for it to work. It is possible this is just a thing with this one box I use. There is a shutdown delay with KAV 5. The display is easier to read on XP because of ClearType.

    Yeah, LnS has possibilities. There is just something I want to finish around here before really getting into it.

    P2K- Odour-eaters, what a great come back.
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver - That's good to hear about Win2k. Hopefully they will release a service pack 5 sometime soon. Then if they will just keep it patched with critical updates for the next few years that would be good. I read somewhere (on MS's site I guess) that Win2k's life only extends to June 2005. I took that to mean that they would stop issuing patches for it also, but maybe that's not what it means. I'll have to do some research on that I guess. I do like W2k best and have never had any problems to speak of with it. It does have a few quirks, to be sure, but nothing major for me.

    As for LNS, yes, it's got possibilities. I have seen Phantom criticize it but I find nothing major wrong with it so far. Works fine for me. Stops fragmented packets here (I can see them in the logs). App control works ok. I have seen a few bugs in app control though, but people have mentioned them in the LNS forum here at Wilders, so hopefully they'll get fixed. LNS isn't as slick as some firewalls. But if you're looking for a light simple and effective rules based firewall, I think it fits the bill pretty well. I have to admit that Jetico might be a little better though..
     
  8. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver, just out of curiosity, what is it that turns you off about Outpost? I've seen you mention that it's not for you. What bothers you about it?
     
  9. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Unfortunately ZA is notorious in both Emule and Edonkey forums for causing much trouble. My personal experience since 3.7 was, varying from version to version:

    - Memory leak of vsmon.exe, increasing with the number of hours the p2p programme is active (I once remember 120 MB RAM going to vsmon.exe)
    - Severe cut of max dl speeds
    - System locks.

    This is the reason I long ago migrated to Sygate, which runs at 12 MB RAM even if you dl at max speed for hours. The last ZA I had tried was 5.0 I think and was a disaster. It's sad since I always liked ZA more than Sygate and I always hope they'll do something about the p2p problem. But unfortunately, from various forums I've been on (including the ZA labs forum), they tend to blame the p2p program and say that their firewall has no problem. Even Kerio 2.14 that I tried handles Edonkey/Emule perfectly and I would be using it if it wasn't for a fatal error (a dll I think) that I get occasionally making it crash. As I see it, ZA simply can't handle many connection requests and simply goes in tilt eating all the RAM, but ZA is too proud to admit it. They don't realise that people believe their eyes and not their words and that this attitude of negating the obvious isn't getting them anywhere, because one thing is admitting a problem that MANY users have and another is laughing in their face, as has happened to me once by a "Team Z" member.
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    eMule is an exceptional case though, since it can have download queues with hundreds (or even thousands) of users with each one needing a network connection. Either a firewall has to take up significant CPU/memory space keeping track of the state of each connection (ZoneAlarm/Outpost), impose limits on the number of such connections (Look'n'Stop with SPI enabled) or not try keeping proper track of connection state (Look'n'Stop without SPI).

    I don't know how Kerio/Sygate handle network connections but there has to be a compromise somewhere if they show no perceptible increase in CPU/memory utilisation with a program like eMule.
     
  11. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    See for yourself... This is a screenshot with the max usage I get from Sygate (CPU oscillates from 0 to 5%) and I've been running edonkey for about 10 hours. I see no compromise. With Kerio 2.14 I actually had incredible speeds. With Sygate I was getting 95% of my top speed; now that I upgraded the line, I get 125 kb/sec out of the theoretical 160 I can. And right now I have 1143 on my queue.
     

    Attached file: scr.jpg (37.3 KB)
  12. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If a firewall is taking short-cuts on checking packets, then you won't see anything. You could try testing by running online scans and leaktests with and without eMule running to see if there is any difference in results, but the definitive word on this would have to come from someone with expert understanding of how that firewall works.
     
  13. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    And just to make sure that the compromise isn't in the speed... Emule and Edonkey just looove Sygate and Kerio.
     


  14. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    It's good enough for me. Did it right now (with Edonkey on) on Shields Up, all ports stealth. Tried to upload the scan but it's over 100kb and won't accept it. I've never been hacked either from outside all these years. Maybe all firewalls aren't coded the same way, so different ones treat stressful situations differently. Kerio 4 for example is too different for me. Doesn't work well with p2p.
     
  15. Hyperion

    Hyperion Registered Member

    Joined:
    Sep 29, 2003
    Posts:
    302
    Interesting post from the Zone Labs forum. Then in this forum there are many advanced users; someone could search this issue more. After all, it would be a major discovery to prove that when using p2p Sygate or Kerio 2 are insecure while ZA kills your RAM because it does its job well. Now let's see what that poster said:

    "Ok I'm using emule 0.44d, and an old version of Zone Alarm Pro v4.5.594 (I did upgrade to version 5 briefly before my subscription expired, but found it caused all sorts of nasty issues with IIS and ASP.NET development). It seems once you get a stable version of Zone Alarm it's best to stick with it until you're forced to upgrade.

    I seem to have the same problem everyone is describing where Zone Alarm chews up memory until it's almost run out. Within a day it will have gotten up to about 600MB; I restarted it half an hour ago and it's already up to 32MB with 452 handles (I'll come back to this). I *do* have UDP enabled in eMule, and also have an Expert rule defined opening the emule TCP and UDP ports, with logging disabled.

    If you use an app like Process Explorer (www.sysinternals.com/ntw2k/freeware/procexp.shtml) you can see what resources programs are using:

    * Emule obviously makes quite a lot of use of TCP connections (\Device\TCP), currently it has about 30, and also UDP (\Device\UDP) with 2 connections. Now every now and then these TCP connections close and new ones open, keeping at around 30. The overall open handles (files/connections etc) for emule stays at around 298 on my machine.

    * Zone Alarm (vsmon.exe) is obviously also interested in TCP connections. I can see lots of (\Device\TCP) handles there too; occasionally old ones drop off but more often new ones are added. At the moment vsMon has 260 TCP connections, now I'm guessing each one of these uses a bit of memory...

    So the question is why is it that eMule is happy to kill off its old not needed connections but vsmon.exe hangs onto them for too long. When I last killed off vsmon.exe an hour ago it had over 12,000 handles. I'd love to upgrade to fix this, but looking at the posts the bods at ZoneLabs still haven't fixed this, and they're on version 5.5 now....?

    P.S. Now at the end of this message Emule's still stable at 290 handles (78,924k) and vsmon.exe is now using 498 handles! (42,436k)"

    http://forums.zonelabs.com/zonelabs/board/message?board.id=gen&message.id=22997#M22997


    Just food for thought. If the above poster is correct, then ZA can't handle 30 connections at a time well, which I think is a problem of ZA, not a defect of Sygate and Kerio 2 not inspecting the packets well.
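    The trade-off Paranoid2000 describes a few posts up (per-connection state costs memory, a hard cap refuses new peers, and skipping state means skipping checks) and the vsmon.exe handle growth quoted above can both be watched in a small simulation. The following is an added example, not code from ZoneAlarm, Outpost, Look'n'Stop, Sygate or Kerio: the ConnTracker class, its limits, the addresses, ports and packet events are all constructed for the illustration, and the release_closed=False switch is a stand-in for a tracker that never frees finished flows. The UDP branch also shows why a short UDP idle timeout keeps a late DNS reply out.

```python
"""Added example (not code from any firewall named in the thread): a toy
stateful filter whose connection table is bounded, ages out idle entries and,
optionally, fails to release closed flows. All traffic below is constructed."""
from dataclasses import dataclass
from typing import Dict, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, local ip, local port, remote ip, remote port)


@dataclass
class Entry:
    state: str        # "SYN_SENT", "ESTABLISHED", "HALF_CLOSED" or "UDP"
    last_seen: float  # time of the last packet on this flow, used for idle eviction


class ConnTracker:
    def __init__(self, max_entries=1000, tcp_idle=600.0, udp_idle=30.0, release_closed=True):
        self.table: Dict[FlowKey, Entry] = {}
        self.max_entries = max_entries        # hard cap on tracked flows
        self.tcp_idle, self.udp_idle = tcp_idle, udp_idle
        self.release_closed = release_closed  # False models a tracker that leaks closed flows
        self.refused = 0                      # new flows turned away because the table was full
        self.dropped = 0                      # inbound packets that matched no state

    def _expire(self, now):
        for key in [k for k, e in self.table.items()
                    if now - e.last_seen > (self.udp_idle if k[0] == "udp" else self.tcp_idle)]:
            del self.table[key]

    @staticmethod
    def _key(pkt, inbound):
        # Inbound packets are looked up against the entry the local side created.
        if inbound:
            return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])

    def handle(self, pkt, now, inbound=False):
        """Filter one packet: returns "ALLOW", "DROP" or "REFUSE"."""
        self._expire(now)
        key, flags = self._key(pkt, inbound), pkt.get("flags", frozenset())
        entry = self.table.get(key)
        if entry is None:
            if inbound:                                  # unsolicited, no matching flow
                self.dropped += 1
                return "DROP"
            if pkt["proto"] == "tcp" and "SYN" not in flags:
                return "DROP"                            # outbound mid-stream packet without state
            if len(self.table) >= self.max_entries:
                self.refused += 1
                return "REFUSE"                          # the Look'n'Stop-style connection limit
            self.table[key] = Entry("SYN_SENT" if pkt["proto"] == "tcp" else "UDP", now)
            return "ALLOW"
        entry.last_seen = now
        if pkt["proto"] == "tcp":
            if inbound and entry.state == "SYN_SENT" and {"SYN", "ACK"} <= flags:
                entry.state = "ESTABLISHED"
            if self.release_closed:
                if "RST" in flags or ("FIN" in flags and entry.state == "HALF_CLOSED"):
                    del self.table[key]                  # both sides finished: free the slot
                elif "FIN" in flags:
                    entry.state = "HALF_CLOSED"
        return "ALLOW"


def tcp_pkt(src, sport, dst, dport, *flags):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": frozenset(flags)}


def run_p2p_session(n_peers, **tracker_kwargs):
    """Constructed traffic: a local P2P client opens and cleanly closes one TCP
    connection to each of n_peers remote peers. Returns the tracker afterwards."""
    fw, me = ConnTracker(**tracker_kwargs), "192.0.2.10"
    for i in range(n_peers):
        peer, lport, t = "198.51.100.%d" % (i % 250 + 1), 40000 + i, float(i)
        if fw.handle(tcp_pkt(me, lport, peer, 4662, "SYN"), t) != "ALLOW":
            continue                                     # table full: this peer is never contacted
        fw.handle(tcp_pkt(peer, 4662, me, lport, "SYN", "ACK"), t + 0.1, inbound=True)
        fw.handle(tcp_pkt(me, lport, peer, 4662, "ACK"), t + 0.2)
        fw.handle(tcp_pkt(me, lport, peer, 4662, "FIN", "ACK"), t + 1.0)
        fw.handle(tcp_pkt(peer, 4662, me, lport, "FIN", "ACK"), t + 1.1, inbound=True)
    return fw


def dns_reply_demo(reply_delay, udp_idle=30.0):
    """A UDP query opens a pseudo-flow; its reply is admitted only while that
    entry is still inside the idle timeout."""
    fw = ConnTracker(udp_idle=udp_idle)
    q = {"proto": "udp", "src": "192.0.2.10", "sport": 53001, "dst": "192.0.2.53", "dport": 53}
    r = {"proto": "udp", "src": "192.0.2.53", "sport": 53, "dst": "192.0.2.10", "dport": 53001}
    fw.handle(q, 0.0)
    return fw.handle(r, reply_delay, inbound=True)


if __name__ == "__main__":
    healthy, leaky = run_p2p_session(300), run_p2p_session(300, release_closed=False)
    capped = run_p2p_session(300, release_closed=False, max_entries=100)
    print("healthy: %d flows left; leaky: %d flows left" % (len(healthy.table), len(leaky.table)))
    print("capped: %d flows left, %d peers refused" % (len(capped.table), capped.refused))
    print("DNS reply after 5s:", dns_reply_demo(5.0), "after 60s:", dns_reply_demo(60.0))
```

    With 300 peers the healthy tracker ends with an empty table, the leaky one holds 300 entries it will never give back (the shape of the handle count the quoted poster saw climbing), and the capped one keeps 100 entries while refusing 200 peers outright, which is what a connection limit looks like from inside a P2P client's queue.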
     
  16. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Regarding Outpost, somehow I get the feeling that it is just too big and complex for the problem it is trying to solve. I can't really go beyond that. I don't think it is a bad firewall, it is more of a style thing with me. Lots of folks around here love it.

    The deal with LnS is that there are some issues with fragmented packets that the new beta driver is supposed to solve, when the registry key is added. Phant0m will have to speak for himself, but there seems to be a love/hate thing going on with him and LnS.

    W2K will not have a service pack 5. The existing security patches and a few other fixes will be in a roll up. That is much less comprehensive than a service pack. Once June rolls around MS, I believe, puts W2K on extended support which means security fixes only. W2K should remain viable for a while.
     
  17. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    Hyperion-

    You may have missed the part later in the thread where I said that I had noticed a slowdown with ZA and P2P apps. I had left both eMule and bittorrent running overnight and the system was like molasses in the morning. The explanation about too many connections sounds like it is right on the button. Nevertheless, ZA's strong point is that it is the easiest of all application aware firewalls to set up, provided the user has no desire to implement expert rules. That is why it is so popular.
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver - Regarding LNS and fragmented packets, so far I've seen them blocked ok here. No problems. I think Jetico just outright blocks ALL frags with that rule, so any analysis at all would be better than nothing.

    I'm trying Phantom's rules in LNS today too, and I've pretty much got them customized for my needs. They offer more control and logging so that's good. Seems nice.

    As I mentioned in another thread though, I think I'm going to try running CHX-I as my packet filter and LNS for app control. I believe that CHX-I does a good fragmented packet analysis and I like the fact that it has UDP SPI also, where LNS does not. Might be a good combo. I can tweak the CHX-I UDP timeout setting also, which I like to do so that those late dns packets don't get in.

    Win2k, yep I just read a few articles on that and understand it'll be an "update rollup" instead of SP5. Fine with me. And if they continue to release critical updates via the regular windows update scheme after the June 2005 date, then I'll be happy enough for another year or so. Sounds good to me... :)
     
    Last edited: Mar 12, 2005
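    Kerodo's distinction above, between blocking every fragment outright and actually analysing them, is easier to see with a concrete filter. The following is an added example and not the code of CHX-I, Jetico or Look'n'Stop: it parses hand-built IPv4 fragments (IP checksums left at zero, addresses from documentation ranges), holds them per datagram until reassembly is complete, and drops the whole datagram on the classic anomalies a packet filter is expected to catch: a first fragment too short to carry the TCP header, a later fragment that would overwrite that header (the RFC 1858 check), overlapping fragments, and a reassembled size above 65535 bytes. The 20-byte minimum and the drop-everything policy are this example's choices.

```python
"""Added example (not CHX-I, Jetico or Look'n'Stop code): IPv4 fragment checks
a packet filter can perform instead of dropping every fragment. The fragments
fed to it below are constructed by hand, with IP checksums left at zero."""
import socket
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte header, no options
PROTO_TCP = 6
MIN_TCP_HDR = 20                             # TCP header bytes the first fragment must carry


def build_fragment(src, dst, ident, offset, more, payload, proto=PROTO_TCP):
    """Pack one IPv4 fragment; offset is in bytes and must be a multiple of 8."""
    assert offset % 8 == 0 and offset // 8 < 0x2000
    flags_frag = ((1 if more else 0) << 13) | (offset // 8)   # MF flag is bit 13
    hdr = IPV4_HDR.pack(0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(raw):
    v_ihl, _, total, ident, ff, _, proto, _, src, dst = IPV4_HDR.unpack(raw[:20])
    ihl = (v_ihl & 0x0F) * 4
    return {"id": ident, "proto": proto, "src": src, "dst": dst,
            "more": bool(ff & 0x2000), "offset": (ff & 0x1FFF) * 8,
            "payload": raw[ihl:total]}


class FragmentFilter:
    """Holds fragments per (src, dst, id, proto) until the datagram is complete
    and discards the whole datagram on any anomaly."""

    def __init__(self):
        self.pending = {}   # key -> {"segs": [(start, end, data)], "total": int or None}

    def inspect(self, raw):
        """Returns (verdict, reassembled payload or None)."""
        f = parse_ipv4(raw)
        start, end = f["offset"], f["offset"] + len(f["payload"])
        if start == 0 and not f["more"]:
            return "PASS", f["payload"]              # ordinary unfragmented datagram
        if end > 65535:
            return "DROP:oversize", None             # reassembly would exceed the 16-bit length
        if f["proto"] == PROTO_TCP:
            if start == 0 and len(f["payload"]) < MIN_TCP_HDR:
                return "DROP:tiny-first", None       # ports/flags split across fragments
            if 0 < start < MIN_TCP_HDR:
                return "DROP:header-overlap", None   # later fragment rewrites the TCP header
        key = (f["src"], f["dst"], f["id"], f["proto"])
        dg = self.pending.setdefault(key, {"segs": [], "total": None})
        for s, e, _ in dg["segs"]:
            if start < e and s < end:
                del self.pending[key]                # overlap: discard everything seen for this id
                return "DROP:overlap", None
        dg["segs"].append((start, end, f["payload"]))
        if not f["more"]:
            dg["total"] = end                        # the last fragment fixes the datagram length
        if dg["total"] is None:
            return "HOLD", None
        segs, pos = sorted(dg["segs"]), 0
        for s, e, _ in segs:
            if s != pos:
                return "HOLD", None                  # a hole remains
            pos = e
        if pos != dg["total"]:
            return "HOLD", None
        del self.pending[key]
        return "PASS", b"".join(d for _, _, d in segs)


def demo():
    """Run five constructed cases through one filter instance."""
    fw, src, dst = FragmentFilter(), "192.0.2.10", "198.51.100.7"
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 4662, 1, 0, 0x50, 0x02, 8192, 0, 0)
    body = tcp_syn + b"A" * 44                        # 64-byte TCP segment
    out = {}
    r1, _ = fw.inspect(build_fragment(src, dst, 1, 0, True, body[:32]))
    r2, data = fw.inspect(build_fragment(src, dst, 1, 32, False, body[32:]))
    out["benign"] = (r1, r2, data == body)            # held, then reassembled intact
    out["tiny"] = fw.inspect(build_fragment(src, dst, 2, 0, True, body[:8]))[0]
    out["hdr_overlap"] = fw.inspect(build_fragment(src, dst, 3, 8, False, body[8:]))[0]
    fw.inspect(build_fragment(src, dst, 4, 0, True, body[:32]))
    out["overlap"] = fw.inspect(build_fragment(src, dst, 4, 24, False, body[24:]))[0]
    out["oversize"] = fw.inspect(build_fragment(src, dst, 5, 65528, False, b"B" * 16))[0]
    return out


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(case, verdict)
```

    Only the benign pair is passed through, and only once both pieces are present; a blanket "drop all fragments" rule would have thrown that legitimate datagram away along with the four crafted ones.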
  19. Diver

    Diver Registered Member

    Joined:
    Feb 6, 2005
    Posts:
    1,444
    Location:
    Deep Underwater
    K-

    Actually, running CHX-I this evening. I think I have the rules for it knocked. After the third or fourth time the documentation started to make sense. You just have to think completely differently when writing CHX-I rules. With the P2P apps, you have to watch them run with tcpview, or something like that, and get some understanding of what is going on.

    I am wondering if something like Process Guard or winsonar would make a better complement to CHX-I than LnS. But I have not used either of those yet. Phant0m has mentioned combining a heavy duty packet filter like CHX-I or 8signs with LnS.
     
  20. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Diver - Just installed the new LNS beta driver as you mentioned, and made the appropriate registry changes. I'll see if I notice any differences. So far there's some changes to app control. It's asking if it's ok for Explorer to start Outlook which wants to access the internet. Also asked about Winlogon too. That's new for both of those. Looks good though.

    CHX-I rules are totally different from the usual, but they're cool once you get it figured out. I need to install CHX-I again and then really create an elaborate rule set for outbound stuff. This I haven't done yet. So you're probably one step ahead of me there.

    I think I'm going to run LNS packet filter today and then maybe tomorrow use CHX-I again with LNS app filtering.

    I did look at that Winsonar briefly a few times and followed Arup's pointers, but it didn't seem all that strong to me. I think it might have actually allowed IE to access the net before I answered the prompt, but I'm not sure. I don't remember for sure. I'll try again I guess and see. It sure would be nice to run CHX-I along with just a simple app control software though. Something as simple as possible that just asked you if it's ok to allow an app internet access. That would be great.
     
  21. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    Just tested Winsonar here and am disappointed. It allows apps to connect to the internet before you approve it. To its credit, it does pop up a dialog box a few seconds after the app has connected, asking you if you want to terminate it and so on. But if you're trying to actually block an app from connecting, then by that time it's too late. The damage has been done, if any. So if you're looking to block internet access, Winsonar won't do it. It will however alert you that something is happening. Just a little too late.
     
  22. Arup

    Arup Guest

    Kerodo,

    In my case, Winsonar didn't even let Leak Test execute on the system so for me that's all the security I need.
     
  23. MushfiQ

    MushfiQ Registered Member

    Joined:
    Jan 8, 2005
    Posts:
    131
    Can CHX-I be used along with Kerio 2.15 as well, or does it make a good combo with LnS? I couldn't find CHX issues until I visited the SSC forum, but the rules they specified are more than enough to start with? o_O
     
  24. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    8,013
    I'm going to play with it some more and see.. I think I'm looking for something else to just query me on internet access only. But apparently no such program exists anymore.

    You may have a point though. If a program can't even execute, then you should be pretty safe from something trying to connect out I guess. Unless something can somehow get out using a trusted program. Don't know. I've not been that concerned before about programs getting out anyway... We'll see. I'll give it another look over.. Thanks... :)
     
  25. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hello everyone. :)

    I hate to interject here but the thread seems to be drifting O/T.

    Since the original topic is about ZA , feel free to start a new thread to discuss other firewall comparisons. ;)



    snowbound
     