Zonealarm Free fails against tooleaky!

My Zonealarm free has failed against tooleaky? Why? DoesZA PRO fails?

 

Have just upgranded to ZA PRO, and continues to fail to toolleaky!!

 

Ok, I´ve turned aplicattion control to high level, and ZA stopped toolleaky... But I think it´s a job that a good firewall, with or without aplicattion control, should do.

 

Hi,

My Zonealarm free passes that one and 99% of all others.

If you set up ZA to prompt you to Allow/Deny and DON'T select Remember for anything, and click DENY, then it WILL pass that test as in my Screen Shot.

http://img374.imageshack.us/img374/9118/2lky13sc.png

If you also install something like the Excellent and Free Winsonar as i have, then Any EXE test etc won't even be allowed to launch, unless you allow it.

. . .

Winsonar 2005 XP Freeware Edition is a program specifically designed for process monitoring and system protection from unknown processes.

Winsonar 2005 XP is a Freeware program and is provided without any limitation at no charge to the user. If you find this program fast, convenient and useful, a little donation to the UNICEF or to your National Red Cross is encouraged by the author.

http://digilander.libero.it/zancart/winsonar.html

. . .


StevieO

 

No ZAPRO does not fail! Suspicious Behaviour Alert is displayed and tooleaky is blocked...

And I have yet to see a leaktest passing ZA 6....(same as Outpost lol )

Fax
Edit: With default settings

 

Does anyone know if 4.5.094 free version and also 4.5.094 pro pass these test?

 

I don´t know why, but my ZA does not even ask for me to allow or deny Toolleaky

 

NOD32 has detected firehole as a virus...

 

Well, I was too optimist.... here you have....
[COLOR="Blue"]Removed link[/COLOR]
Not yet checked if true...

Fax

Removed link-TOS violation--Ron

 

Hello, POS.

I have two suggestions for you:

1) Run through the recommendations in the last bulleted points on the Zonelabs page at:

http://www.zonelabs.com/store/content/support/techNote_10.jsp

2) Register on the Zonelabs user forum, at http://forums.zonelabs.com/zonelabs

and ask any question you like there.

Good Luck.

Kwesi

 

Sorry Ron,

not sure what was wrong in that link but probably the answer would be 'read the TOS'...

May be this link from 'securityfocus' will be more acceptable? Feel free to remove...

Fax

 

Hi fax and All,


I've just tried this " New " test and here are my results.

This is what the website says about the test.

. . .

Description: Zone Alarm products with Advance Program Control or OS Firewall Technology enabled, detects and blocks almost all those APIs (like Shell, ShellExecuteEx, SetWindowText, SetDlgItem etc) which are commonly used by malicious programs to send data via http by piggybacking over other trusted programs. However, it is still possible for a malicious program (Trojans or worms etc) to make outbound connections to the evil site by piggybacking over trusted Internet browser using “HTML Modal Dialog” in conjunction with simple “JavaScript”. Here it is assumed that the default browser (IE or Firefox etc) has authorization to access internet. In case of the default installation of ZoneAlarm Pro, IE is by default allowed to access internet.

The PoC discusses how the ZoneAlarm Advance Program Control and Behavior Based Technology can be defeated by using HTML Modal Dialog Box in conjunction with JavaScript. Refer the PoC (Proof of Concept) for more details.

. . .

This test is a slightly different implimentation of the earlier one, the DDE vulnerability, we looked at and experimented with here which was allowed.

Malicious code could trick ZoneAlarm firewall

https://www.wilderssecurity.com/showthread.php?t=99853

WinSonar thankfully DID block it for me again as it always does with unknown EXE's. But then i allowed it through to see what would happen.

Same as before, with no IE running i get a prompt alert from ZA which i DENY. But with IE running it piggybacks on it to the test page and you see this.

. . .

Demo - Defeating Zone Labs Products Advance Program Control and Personal Firewall Based On Behavioral Based Analysis

This is a demo page and has been hosted to demonstrate how Zone Alarm Firewall with Advance Program Control and other similar personal firewall based on behavioral analysis can be bypassed by a malicious program which make use of HTML Modal Dialog in conjunction with JavaScript to communicate with its master by injecting the data via other trusted programs (here it is IE). No information are logged during the demo other than the hit count. So feel free to try this demo as many times as you want.

. . .

I have Java Script etc disabled so it's not that !

http://img322.imageshack.us/img322/406/za13cw.png

The new test is osfwbypass-demo.exe = 25kb and the previous one is zabypass.exe = 26kb. Very similar GUI's but the new one fails to display correctly for me.

http://img322.imageshack.us/img322/6519/zapoc17nz.png


StevieO

 

Hi StevieO,

yes, I can confirm that this time Tr0y (a.k.a Debasis Mohanty) did his home work correctly as compared to the previous poor zabypass.exe PoC.

Cheer,
Fax

 

My free ZA does not fail Tooleaky .I don't get an alert but I get abox saying it did not connect and my connection is slow or similar words. Also PG asks if i want it to run. However there are several firewall tests ZA free did fail, but again PG asked if I wanted it to run. I think the one s ZA failed used dll injection I do not really understand this

 

Does one need Winsonar if one has PG Free. Do they work the same way?

 

@ gre87y

I loaded & tried ZA(Free) version 4.5.538.001 (the only version I keep around).

If it helps at all, given the same condition that IE must apply each time for permissions then I can confirm the above version of ZA produces the same result as StevieO's screenshot in post #5.

Just to confirm that as expected PG picked up on the .exe and had to be instructed to let it go for the sake of the test.

 

Which version are you using?

Yes, that's true. It can be a little annoying at times, though. Like when you go to open a program that Winsonar hasn't seen before and it kills it immediately. At first you wonder what's wrong, but then you remember than Winsonar is running.

Phil

 

Okay, now I have to ask, why that particular version? Does it have something the other versions lack?

Phil

 

does ZA pro pass the wallbreaker test?

i have nvidia firewall, but it doesnt pass it, doesnt even ask me for permission for anything.

 

4.5.538 was a popular one for quite a while when version 5.x first came out. There were a lot of problems with 5.0 initially, and some preferred to stick with trusty old 4.5 even later when the problems were resolved. 4.5 also didn't have the AV monitoring which many felt was useless.