Experiences of the new Zonealarm 11.0.780 Free firewall

Discussion in 'other firewalls' started by Jarmo P, Aug 27, 2013.

Thread Status:
Not open for further replies.
  1. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Installing:
    It did manage to force-change my Firefox homepage to the ZA search page, which I did not want. And install that toolbar that I wanted. I think it also changed Chrome's homepage to ZA's search one.

    I later found out that to my Windows 7 user account no browser changes were made. So no toolbar installed like I wanted.

    Notice: Installing the firewall did not make any System restore point and require a reboot. Other security is Avast free installed first, Sandboxie afterwards. So something wrong with the ZA install?

    Using:
    I used browsers and Skype, noticed rules were added automatically. Restarted my system a few times noticing how the program rule list grew. And so many programs were allowed to connect to internet and almost all allowed Inbound Internet connections!

    So I changed that my DefenseNet is set to 'Manual' and removed all the programs. Afterwards I could not connect with my browser to internet. It did not ask any permission to it nor for Avast webshield etc.

    I put DefenseNet back to 'Auto' and rebooted a few times not remembering if all worked after first reboot. Seems the firewall needs some Auto for the first usage. Now it has been put back to 'Manual' after I think necessary rules for Avast and Sandboxie and to those many Windows files have been auto added.

    I removed all the Inbound connection rights from programs except for Host Process for Windows Services, that svchost.exe. It is the only file in 'System' SmartDefense category. And because I know it needed server rights to for instance time server update on older XP ran firewalls. Where that access could be port/protocol limited with the likes of Sygate and Kerio 2.1.5 firewalls.

    Some conclusions:
    Anyways Gibson's Shields up gives perfect stealth protection, but I was on cable connection behind a modem containing some sort of hardware firewall.
    So I shut it down and plugged my USB mobile connection stick and connected to internet with it. Same stealth protection test results. So that is good.

    I think there is now a lot of unnecessary programs allowed because of that 'Auto' needed to use at the start of the install. And I have not much idea what rules are safe to remove and what are best to deny the internet outbound access.

    Best I can do is I guess put them to Ask and respond according to popups.
     
    Last edited: Aug 27, 2013
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    In the free version you can choose to "skip all" (not very evident but already discussed here how to do it) or to install the toolbar but then I don't think you can avoid having the homepages changed. This is different in the paid version. On the other hand you don't need to work a lot to reset your browser to default.

    System Restore: not all program installations come with a system restore. So, the ZA programmers did not embed a system restore in the installer. Others do...

    Yes, this is by design. ZA has a huge cloud database and safe programs are automatically allowed. Again this is discussed in more detail in another ZAfree thread in here.

    Watch out... you have two types of inbound. Inbound to the trusted zone and Inbound Internet. The latter may be OK to block but not the trusted zone. Also watch out to move the trusted zone to HIGH as you will transform anything into "internet" even your own PC. This may cause problems with programs/connections/DHCP/etc.

    Then better you do not touch them, everything may work fine now but under certain scenarios they may not and then you will become mad in understanding the cause of the problem and linking it back to a change in ZA you did 2 months ago.

    XP is much less demanding in terms of "internet inbound" than windows 7. So, the chances to mess up are much higher with WIN7. You are advised :D

    If you have already something else facing the internet then I would not work too much on restricting inbound as anyway you have another layer on top of ZA. Much more important to keep all software fully up-to-date.
     
  3. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Your comments are much appreciated Fax.

    I am on a wireless protected connection to my cable modem and have usually no other computers connected to it, so it is set as if I am connected to a Public zone. I think this was copied from my Windows 7 firewall setting.

    But appreciate your comment about not blocking programs' inbound server connections to trusted zone. I don't have any trusted zone defined at the moment.

    I notice that I can actually block all my programs from acting as servers to the internet with a single check box:
    Firewall -> Basic Firewall -> Advanced Settings and Block public servers.

    From the online help:
    "Prevents all programs on your computer from acting as servers to the Public Zone.
    NOTE: This setting overrides permissions granted through the Program Permissions settings."

    This could I guess break also Generic Host Process from having any listening to internet and could be too tight for maybe some updates? I have not checked/remember if Avast really needs any programs to act as servers to internet for example.

    I did put the Auto program rule making on after again deleting all the tampered rules, by your recommendation. And maybe just maybe start by instead removing programs, putting inbound internet connections to programs to Ask single handedly after doing my checking.

    The action of ZA firewall seems to be letting everything out to internet same as Windows 7 firewall with the Auto rulemaking. Except when the HIPS part takes an action. So there is definitely some editing possible IF knowing what to do. But now the rulemaking goes to Manual.

    As you told it is maybe not worth it, the rule editing, since I am usually already behind that cable modem firewall. And editing rules could break some functions from my Windows operating system, not updating properly or some features not functioning.

    To someone reading this, I tried Comodo before this ZA with also avast free and sandboxie installed. All went well with the basic firewall part. Then I activated Proactive defense and the other things except the AV and bang after reboot came a BSOD. It is always such a disappointment though knowing HIPS part can so easily cause it. So it is gone.

    ZA seems to behave just fine, so far lol.
     
    Last edited: Aug 27, 2013
  4. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    You're welcome! Yes, in WIN7/WIN8 ZA takes the settings directly from windows.

    Under the setup you describe you will not be able to share any resources within your LAN (PC, Printers, etc connected to your WIFI). So, if you plan to attach PC, Printers remember to add their IP to the TRUSTED zone (and with the ZA trusted zone set to MEDIUM)

    In the ZA zones you should normally see a network and a DHCP entry. As far as I can read you only have the network (?). In principle your router should assign an IP to your PC when you connect to it. To allow this without problems you should normally have the IP of the router in the TRUSTED zone.

    May be your PC is setup with a static IP. This could explain why you don't have a DHCP entry?

    and no, avoid that global block... unless you are looking for troubles this is especially true if the "Enable Microsoft Catalog Utilization" is UNchecked. "Enable Microsoft Catalog Utilization" will be overrided any rule you apply to MS certified applications.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Ah.. forgot something... I guess you have already done it, if not, set the application control to MAX :)

    Yeap, not worth the trouble and you are already well covered with the rest of the tools you use.
     
  6. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    View Zones shows only: name of network (from my router), 192.168.0.0/255.255.255.0, Network, Public

    cmd Ipconfig shows:
    192.168.0.11 (my network card's IP address I guess) and 192.168.0.1 being the address by which to configure my cable modem's router/firewall.
    Lots of lines showing not connected, all in Finnish language.
    All is working.

    That 192.168.0.11 I think is pretty static local network IP address, assigned by my cable modem to my PC. I think I can go to that device's settings and assign 4 different local network addresses. But since I am at the moment the only 1 connected, I get the first one.

    By the small leaflet for newbies, the DHCP server address range is 192.168.0.10-192.168.0.119 (NAT/DHCP mode)

    Hope this satisfies your curiosity ;)
     
  7. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Thanks!
    Well, to know your DHCP server IP it's not enough to use IPCONFIG, you need to add /all (i.e. IPCONFIG /all) or if you want to exaggerate you can look for the exact info with IPCONFIG /all | findstr /C:"DHCP Server"

    To simplify, it seems indeed that your WIN7 has DHCP ON (you can check with the command above). Your PC IP is 192.168.0.11, your router IP is 192.168.0.1. Your DHCP should be 192.168.0.1 (your router).

    In principle, to be sure to keep being connected with your router (and internet) your DHCP server (router IP) should be added to the ZA zones and set as TRUSTED. So, if you see that you have difficulties connecting to the internet after boot, that you lose connection after a while or similar then you may need to add it.

    Did you install ZA without being connected with internet? This may explain why ZA did not add the DHCP.... just a wild guess.

    Cheers,
    Fax
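
The check discussed in the posts above, as an added example that is not part of the thread: it parses `ipconfig /all` text, finds the DHCP server, and reports which firewall zone entry covers it and whether the PC's address lies in the router's DHCP pool. The `ipconfig` sample is constructed from the addresses quoted in the thread, the zone list is typed in by hand from the View Zones panel, and "the most specific entry wins" is an assumption about zone precedence, not documented ZoneAlarm behaviour.

```python
import ipaddress
import re

# Constructed sample of English-locale `ipconfig /all` output using the
# addresses quoted in the thread; localized Windows prints other labels.
SAMPLE_IPCONFIG = """\
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
"""

# Zone entries copied by hand from the View Zones panel: (entry, zone).
ZONES = [("192.168.0.0/255.255.255.0", "Public")]
# DHCP pool from the router leaflet quoted in the thread.
DHCP_POOL = ("192.168.0.10", "192.168.0.119")

FIELD = re.compile(r"^\s+(.+?)(?:\s*\.)+\s*:\s*(.*)$")  # "Label . . . : value"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_ipconfig(text):
    """Return {adapter name: {label: value}} for each adapter section."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:
                current[m.group(1).strip()] = m.group(2).strip()
    return adapters


def first_ip(value):
    """First IPv4 address in a field value such as '192.168.0.11(Preferred)'."""
    m = IPV4.search(value or "")
    return ipaddress.ip_address(m.group(0)) if m else None


def zone_for(ip, zones):
    """Zone of the most specific entry covering ip, or None if uncovered.
    Assumption: a narrower entry (single host) overrides a wider network."""
    ip = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(e, strict=False), z) for e, z in zones]
    hits = [(net, zone) for net, zone in nets if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def audit(text, zones, pool):
    """One finding per adapter that reports a DHCP server."""
    lo, hi = (ipaddress.ip_address(p) for p in pool)
    findings = []
    for name, fields in parse_ipconfig(text).items():
        server = first_ip(fields.get("DHCP Server"))
        addr = first_ip(fields.get("IPv4 Address"))
        if server is None:
            continue  # disconnected or statically configured adapter
        findings.append({"adapter": name, "dhcp_server": str(server),
                         "server_zone": zone_for(server, zones),
                         "leased_from_pool": addr is not None and lo <= addr <= hi})
    return findings


if __name__ == "__main__":
    for zones in (ZONES, ZONES + [("192.168.0.1", "Trusted")]):
        print(audit(SAMPLE_IPCONFIG, zones, DHCP_POOL))
```

With only the network entry from the thread the DHCP server resolves to Public; adding the router as a single-host Trusted entry changes the result to Trusted.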
     
  8. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I will see if it stops working, seems just fine with boots etc. The DHCP server is indeed 192.168.0.1. It might be a change in ZA that it does not need to be added.

    So then I just add that IP address and set it to Trusted? No I was connected to internet while installing ZA, since I was behind the cable modem router/firewall.

    Could it have been also that because there is in Basic Firewall /Advanced Settings a radiobutton 'Ask which Zone to place new networks in upon detection.' selected? And I think my wireless connection to the modem is protected (WPA2-PSK) so it should not automatically be put on the Public Zone, but I also could have wanted to make it so.

    I am actually now going to see how CyberGhost VPN is added and I feel safer that if it is added to the trusted Zone, my Trusted zone setting is High. That is the point in your first post I could not understand. I sure don't want to really trust some VPN network like them to be able to connect to my computer.

    ..... CyberGhost server's network is made also Public in the View Zones so that is safe I guess and I could have left the Trusted zone setting to Med.
    And after I disconnected the VPN and closed the program that zone is deleted from ZA :)

    And after cleaning the Sandboxie DefaultBox and using CCleaner my normal surfing connection is back. Might have not been needed that cleaning even.
     
    Last edited: Aug 27, 2013
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yes, please leave it as MED. You control what to trust in the ZA firewall zones and not in the trusted zone settings. So, normally any new network will be set as it is set in win7 or ZA will prompt you where to put it (ZA pop-up window with a request to select either trusted or public).

    If you put the trusted zone to high you basically do not trust anything and make the firewall zones section redundant. :)

    Yes, in case of connection problems try that.
     
  10. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Another question. It is about SmartDefense.

    I have now not tampered any of the program rules listed. Now the DefenseNet is set to Manual, not Auto. I have been asked about a few programs.

    The list contains columns Programs, SmartDefense, Outbound Trusted, Outbound Internet, Inbound Trusted, Inbound Internet.
    Under SmartDefense I have all 'Auto', except System Host Process as 'System'. All else have Auto.

    As an example I deleted KbClient_FD2.exe from there. It is belonging to my Silvercrest wireless keyboard as a driver I think.

    Then soon pops up: SUSPICIOUS BEHAVIOUR and the content being that that executable is trying to communicate with C:\Windows\Explorer.EXE by operating its process.

    I reply Allow and to remember the setting.
    Rule is KbClient, Auto, ?, ?,?, ?,?.

    Seems ZA makes no distinction under SmartDefense columns about if that rule was Auto allowed or allowed under Manual as this was. There is Custom also, but does that ever come from answering a popup?

    Does Auto under SmartDefense mean that ZA knows about that program already from some Cloud data base etc.? If not it would be nice to show somehow that the allowance was made by answering a popup. To be able later to check out if the decision made was a good one.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    In application control window, the "Auto" will take the settings from the cloud if available or as soon as added in the cloud. "Custom" is when you want different settings from the cloud or you do not want the cloud to change them. Do you see the way it is used?
     
  12. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Basically my question is I allowed it in the Manual mode and it still says Auto. Does it mean that the application IS listed in that cloud despite that Suspicious behaviour?

    It does also popup for say my firefox browser and by Manual does not allow inbound server rights by Max. The online manual is really confusing about this stuff. I think Auto with Med. allows server rights to firefox.

    Anyways I have not yet found a program that does not have Auto on it. Guess I use quite known apps?
    The KbClient_FD2.exe does not obviously access internet at all and just came from the HIPS part of the ZA. It never asks for internet connection. Its sister application MouClient_FD.exe has same rules that were made with Auto and Med. settings I think never popped up.

    Edit: Med and Auto allows server rights to Firefox while Max. and Manual don't. I just checked. So that is the difference. And I guess those Silvercrest wireless keyboard and mouse drivers are I think indeed in the cloud. I think I have to do another total clean up of rules and try add all back with Auto and Max and reboots. Hope I don't get a BSOD like with Comodo lol.

    Edit 2: No I don't need to do that. Tested. Max. and Auto seems to allow server rights to Firefox too. So Auto makes always the same rules whether setting is Med(ical) or Max(imum) :)
     
    Last edited: Aug 29, 2013
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    No, it means that an addition of that program in the cloud or a change of that program (if already present) can change the related permissions in the application control for that program. If you move to custom this will not happen.
     
  14. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    I see, so I basically said to that keyboard driver that if it is in the future in the cloud its rules can change. I think it is now there though, since that mouse driver accept. Would be better if some program currently not there would be after accept flagged as Unknown or Custom or whatever for my suspicious mind.

    Will see if that cloud will grant back the server rights to Firefox, since it is now on Auto. Interesting to see after next browser update.
     
    Last edited: Aug 29, 2013
  15. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Another question. For some reason I did not get that toolbar to my user account Firefox in Windows 7. To my admin account I of course installed the program I did get it.

    The firewall says Privacy Toolbar is installed, but I don't have it in my basic user account Firefox I only normally use. Any chance of getting it installed now later to my user account browser? I guess not but just asking. I did read from the ZA forum that it is like when the browser changes it gets outdated. Anyways I always update it too from my admin account so they should have been the same versions.

    EDIT: in Chrome I did not get toolbar also in admin account. And I had made a new profile maybe for Firefox to my user account from default if that is the culprit.
     
    Last edited: Aug 29, 2013
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Well, next browser update will trigger a new entry in the list since all entries are authenticated not just by name or location. The permission for new entries will be regulated according to your main DefenseNet settings. That in your case is MANUAL.. i.e. you should get a prompt the first time you use the new FF version... :)
     
  17. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Uuuhm... I guess not too. But I honestly don't know. The user account has ad-hoc restriction that you applied or you used simply the default user account in WIN7? I am surprised that you didn't get it if you used default user. Normally it should work. Or may be you just need to turn on the toolbar components in the Firefox extensions?

    A note: ZA does not support the windows guest account.
     
  18. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    A guest account is not the same as a normal user account. I guess in my case it is the changed Firefox profile or my Finnish language Win 7 operating system. I suspect the first one. Though as told i did not get it installed to my Chrome in Admin account too, so something sucks in that. ZA works just fine with a non admin user account as it should be other than not that toolbar installed. I searched the web if that can be later installed same as all other FF extensions but guess not. I can live without it with my Sandboxie protection, except bothers me a bit.
     
    Last edited: Aug 29, 2013
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yes, guest and user account are two completely different beasts. I mentioned it just in case :)

    Sorry, I see only now that you have mentioned also Chrome. ZA toolbar does not support Chrome.

    ...and final warning... ZA only supports English, French, Spanish, German and Italian localized versions of windows. It does not mean it will not work but just that they are only testing it under the above mentioned versions.

    And on the user profile... it may be the case that the toolbar does not work on a limited user account and that is not your fault... could be!

    Cheers,
    Fax
     
  20. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    No worries Fax, I think we did good stuff in this thread you and me. I needed some knowledge that is hidden by numerous posts and often misguided.

    The way Windows 7 is built, the language should not be much of a problem. It is just some bother to me sometimes when I try find out how stuff is or that my Windows is Finnish and try to communicate, like that DHCP ipconfig lol.

    That ZA free thread is history or I hope with all the negatives. Best someone post new threads, like I did.

    No one is interested to find out things by joining the ZA forum if they have been in here for years like me. Cheers back.
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Let's hope so and thank you very much for your constructive input! We need more of this... :thumb:
     
  22. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,273
    I can't resist joining this. Wish I could use this version of ZA on my XP.

    Beautiful thread, coherent, unhijacked by bashing, thank you both :)
     
  23. Jarmo P

    Jarmo P Registered Member

    Joined:
    Aug 27, 2005
    Posts:
    1,188
    Thank you act8192.

    I continued my explorations. As Fax told it is best to leave the cumulated processes and programs to have all outbound and inbound access Trusted Zone access that were given from the cloud. They could need it for various reasons, might be just some localhost traffic in the computer or also when having some other computers and shared printers in the trusted network.

    Internet access is another thing. It is safe to change the granted Allow access to Ask for all the programs both outbound and inbound.

    I did not change svchost.exe since it is a System instead Auto and might have also some restricted ZA rules concerning outbound and inbound. By making it Custom who knows I might degrade my security.

    Also so far I have not changed the other Host process taskhost.exe rules until I know better even if it is Auto. It is now also allowed internet access out and listening.

    After a few reboots none of the other Windows Microsoft system files seem to need internet access. The other rules for them come only cause of the HIPS part of ZA.
     
    Last edited: Aug 31, 2013