AntiKeylogger + Lots more App discovery

Discussion in 'other anti-malware software' started by StevieO, Oct 2, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Trusteer

    Thanx for getting back with your lab tests.

    I've been quite happily using ZoneAlarm version:5.5.062.000 for several years with many different Apps i've tried, and Never had any such high CPU % consumption before. In fact most of the time, as with all my other Apps, it's ZERO or at the very most only a few %. I won't, and don't need to change it to a later version.

    Rebooted this afternoon at 17:44 and see this -

    trza1.png

    Very similar ZA barrage outbound attempts by TR to the ones i showed earlier. Notice the high numbers, between 1 - 9. Yes i can confirm that Rapport does do this every 15 minutes.

    So that sounds as if through this, they have a direct input to people's PCs every 15 minutes ? I presume and hope it can ONLY interact with TR and Nothing else ?

    You mean RapportMgmtService.exe via TR itself in normal usage, because i was able to turn it off, pause it, in Services -

    rap srv.png

    So it can be done ! I waited a few minutes before the next 15 minute attempt, and watched the ZA real time logs -

    trza2.png

    No outbound attempts now. Obviously TR won't work without the service running, and didn't as i tried it. The only reason i did this was to establish the fact it was RapportMgmtService.exe


    More to follow -
     
  2. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    More

    Whilst i did all the above TR itself was NOT running, as soon as i enabled TR from Start/Programs/StartRapport = RapportService.exe as seen in Process Explorer, immediately i saw the high CPU % consumption occurring as before.

    vsmon cpu.png

    And in Performance + Connectivity in TR

    perf.png

    I know Rapport shows 0% in the Dashboard, but that's because i had to be quick to try and capture the max CPU fluctuations, as both fluctuate. I'm presuming the Rapport % in the Dashboard is for RapportMgmtService.exe not RapportService.exe ?

    And as soon as i go to Start/Programs/StopRapport it immediately ceases. That's what's causing the high CPU % consumption, not anything else. If i don't shut down Rapport, the high CPU % continues ad infinitum. So it looks as if RapportService.exe is responsible in some way/s !

    I had Never ever had LSA trying to connect out before in all the years i've been on the Internet, it certainly appeared that way from my previous screenie. Well it happened again. I launched IE to see what would happen with RapportService.exe running, and within a few seconds i got another ZA LSA prompt

    LSA-.png

    So if you say it 100% can in NO way be attributed to Anything to do with TR, then i don't know what to say ! But i'd sure like to find out what's causing it.

    Please understand i am in NO way criticising TR's Anti KL and SC abilities, as i have proved already they are Excellent. I'm just concerned about the CPU issues, and the fact that it wants to phone home every 15 Minutes, allowing who knows what happening ? I'm sure others would also have concerns too about these.
     
  3. MICRO

    MICRO Registered Member

    Joined:
    Jun 8, 2004
    Posts:
    1,020
    Absolutely,
    "I'm sure others would also have concerns too about these".

    I am rather astounded that Trusteer said,
    " Rapport doesn't use LSA to connect to the internet". - When you can show clearly that it does.

    He then says,
    "Regarding the phone home attempts you see - as I mentioned, these are configuration requests (the subscribed businesses can control various aspects of the security policy enforced by Rapport on their sites through the configuration)".

    The phoning home might be necessary in the situation where/when there are these 'subscribed businesses' but surely that's in Europe - Can't figure it would be needed where none such exist ? Configurations o_Oo_O I would have thought all the configging. would have been done upfront, not every fifteen minutes.

    I was seriously considering upping to Pro. to cover more but your very decent research (thank you) looks as though it might be putting the kibosh on my intentions Stevie. - I need LESS to be concerned about on the net., not to increase it.
    Pity when it looked pretty good, but I require more openness than hearing, leave the calling home to us, don't worry about it - What, in today's world which is in complete and utter disrepair, leave it out !!
     
  4. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    424
    Location:
    UK
    I have to echo MICRO's sentiments.

    I too was seriously considering this app' but the 'official' replies are not encouraging.
     
  5. Trusteer

    Trusteer Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    5
    Hi

    Regarding the access to the customer PC - this is used for configuration data, i.e. which URLs are protected by Rapport, etc.

    Yes, the service process does most of the outbound traffic - no disagreement here.

    Thanks,
    The Trusteer team.
     
  6. Trusteer

    Trusteer Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    5
    Hi

    We tried to reproduce with ZA 5.5, but again - didn't see anything like what you describe. I'll have you reminded that ZA 5.5 is five years old now, so we don't regularly test against it. Anyway, in the interest of resolving this issue, may I suggest that you contact our support team and schedule a remote control session through which we'll be able to investigate the situation.

    Thanks,
    The Trusteer team.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Trusteer

    Hi and Thanx for getting back, and i appreciate it's the weekend too ! Thought you'd done a bunk for a while lol. I do realise that testing takes time, and the fact that you were prepared to track down and install ZA v5 speaks volumes.

    Even though i use v5 i'm quite happy with it, and i have tried several other FW's including later/current versions of ZA on Vista. Unfortunately, some vendors seem to think that adding bloat impresses people, well not me or a lot of others. Plus the later ZA versions try to phone home several times a day ! I know earlier versions can as well, but that's taken care of here. Another thing is, i believe that much later versions don't work on XP anyway.

    Thanx for your Remote in offer, but sorry i don't do those, anyhow i have disabled all that stuff.

    RE - Rapport doesn't use LSA to connect to the internet.

    Well i felt certain it tried to more than once, of course i could be wrong, and if i am i apologise. I suppose it could have been just one/two of those things, caused by something else ! But i'll be keeping my eyes on it.

    RE - Configuration data by Clients via RapportMgmtService.exe = which URLs are protected by Rapport, etc.

    I still don't see the need for 2 way data flows every 15 Mins. I would have thought that once a URL is accepted from the off, even once a week, or at the most a day, would be more than sufficient ?

    Anyway -

    I'd like to make a suggestion to you, which i think would be much more acceptable to me and a lot of other people, and help you at the same time.

    If you made another version, and removed ALL the client/phone home etc stuff and just kept all the Anti KL/SC etc, then you would have a formidable product to offer to the general public. And if you lowered the $ i believe a lot more people might buy it.

    My review/testing clearly shows it's very capable in these respects.

    MICRO + Huwge

    Let's see what TR's response is to my latest post, it might be Good news ? Let's hope so.
     
  8. Trusteer

    Trusteer Registered Member

    Joined:
    Oct 6, 2009
    Posts:
    5
    Trusteer here...

    We hear you about bloatware ;)

    Anyway - the 15 min attempts only occur while Rapport fails to communicate with our servers. Once communication is established, it's back to normal schedule (several times a day).

    Rapport needs to communicate with our servers several times a day in order to quickly adapt to changes in the protected sites. We found that several times a day strikes a good balance here.

    Thanks again for testing Rapport and providing your feedback
    - The Trusteer team.
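
Added example (editor's illustration, not part of any post and not Trusteer or ZoneAlarm code): the by-hand check described in this thread, watching firewall logs for outbound attempts that recur every 15 minutes, done over an exported log. The CSV layout, the addresses, the `iexplore.exe` rows and the `burst_gap`/`jitter` thresholds are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in a made-up CSV layout (not ZoneAlarm's real log format):
# timestamp,action,direction,process,destination
SAMPLE_LOG = """\
2009-10-10 17:44:02,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 17:44:03,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 17:44:05,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 17:51:40,BLOCK,OUT,iexplore.exe,198.51.100.7:80
2009-10-10 17:59:03,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 17:59:04,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 18:03:12,BLOCK,OUT,iexplore.exe,198.51.100.7:80
2009-10-10 18:14:01,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 18:29:04,BLOCK,OUT,RapportMgmtService.exe,192.0.2.10:443
2009-10-10 18:40:55,BLOCK,OUT,iexplore.exe,198.51.100.7:80
"""

def burst_starts(log_text, burst_gap=60):
    """Per process, the start time of each burst of blocked outbound attempts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 5 or fields[1] != "BLOCK" or fields[2] != "OUT":
            continue  # skip malformed lines and anything not blocked-outbound
        events[fields[3]].append(datetime.strptime(fields[0], "%Y-%m-%d %H:%M:%S"))
    starts = {}
    for proc, times in events.items():
        times.sort()
        # An attempt opens a new burst if it comes more than burst_gap s after the previous one.
        starts[proc] = [t for i, t in enumerate(times)
                        if i == 0 or (t - times[i - 1]).total_seconds() > burst_gap]
    return starts

def retry_profile(starts, jitter=30):
    """Median gap between bursts (seconds) and whether every gap is within jitter of it."""
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    if len(gaps) < 2:
        return None  # too few bursts to call anything periodic
    mid = median(gaps)
    return {"median_s": mid, "periodic": all(abs(g - mid) <= jitter for g in gaps)}

def profile_log(log_text):
    return {p: retry_profile(s) for p, s in burst_starts(log_text).items()}

if __name__ == "__main__":
    for proc, prof in profile_log(SAMPLE_LOG).items():
        print(proc, prof)
```

Collapsing each burst to its first attempt matters here because a blocked client retries several times in quick succession, which would otherwise drag the median interval down to seconds.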
     
  9. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Got this for free from my bank and gave it a try. Unfortunately it is not compatible with Sandboxie and results in repeated browser crashes. It seems to be a nice app, however as it isn't something I desperately need I'll leave it to somebody else to pick up the baton and address the interoperability with tzuk....if anybody's interested :)
     