How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I am still trying to find a way to stop ZA attempting outbound during boot (why should ZA attempt outbound during boot), also, whatever options are disabled, ZA still attempts to connect out. This was reported as a bug in earlier versions.
     
  2. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Ah but my actual home never has an alarm and has never been burgled. Just good old solid door and windows protecting me. Maybe my neighbourhood is a safe one. :)
    The best firewall is one I always recommend myself and works 100% if you have it: common sense. Unfortunately, common sense is not really common these days. :( A lot of people, when they see alerts or prompts, have a tendency to automatically click the "Yes" button. A firewall with prompts and alerts can still only do that much.
    Reputation and trust spreads easily by word of mouth.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    That's good Stem, but I could only guess why they might do that during boot. ZA Pro does the message once on a block but then blocks silently so that doesn't bother me.

    I'm leaving my Family Lan as Internet not trusted based on your concept. Let's move on to the next question in original post.

    But at any rate what I would really like to do now is set ZA Pro to run in as optimum a way as is possible on my setup behind the Router/AlphaShield router the way it is designed to work.

    Then much later try to fix any flaws in my setup with your help and any other FW experts here. Maybe we will run a shields up or other test on my system to find and report the flaws.


    But for you, this part of the last block help page may/may not give a clue:

    "To prevent an Internet connection from happening before the TrueVector Service is launched, we strongly recommend that you retain the default setting which loads ZoneAlarm Pro on your machine at Windows startup. The sooner ZoneAlarm Pro can begin monitoring Internet traffic on your machine, the safer you are from unauthorized Internet access, and the greater the likelihood that ZoneAlarm Pro will recognize all of your applications and allow them the access you desire. If both ZoneAlarm Pro and another application are configured to load when Windows starts and you continue to receive this alert, you should explore the options for delaying your application's loading time, so that the TrueVector Service and ZoneAlarm Pro can finish loading first."
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Escalader,

    So was the log showing the DNS lookup blocked at startup (or re-boot)? If yes, then it was probably "windows time" that was making this attempt (or another windows service). I will set up a test PC a little later on, just to check through what is allowed/blocked (in/out) during bootup.
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Great Idea Stem.

    I'm on ZA Pro so I don't know if that makes a difference to your test PC.

    I just cleared all logs and will reboot and send in the in/outs during my boot in order to answer your question more easily.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    I see no blocks at login time:

    What I have now is program control set to high where ZA says they must ask for IA and server rights. I still have component control off. Should I engage it? Anybody? Here are some log entries I got:

    First New Log entry

    Windows Explorer is trying to use another program to connect to the Internet or your local network.

    ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
    Inside the program alert

    Alert property | Alert property value | Technical explanation
    Program Name | Windows Explorer | A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
    Filename | EXPLORER.EXE | The filename of the program that ZoneAlarm Pro found on your computer.
    Program Version | 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) | The version of Windows Explorer running on your computer.
    Program Size | 1032192 | The size of the program executable file in bytes.
    Program MD5 | a0732187050030ae399b241436565e64 | The MD5 hash, or number, that uniquely identifies the executable.
    Program CRC | e67b9ac9 | The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
    Date Modified | Aug-04-2004 06:00:00 AM | The date when EXPLORER.EXE was most recently modified.
    Connect Type | Access | This value can be either Access, which is an Internet connection attempt by Windows Explorer, or Server, which indicates that Windows Explorer is waiting for connections coming in from the Internet.
    Remote Port | 53 | The port Windows Explorer is using on the remote computer.
    Remote IP Address | 206.190.36.17 | The IP address of the remote computer that caused the alert.
    Alert Date | Apr-26-2007 12:05:18 PM PDT | The time when ZoneAlarm Pro detected the alert on your computer.

    ZoneAlarm Pro security enforcement at time of alert

    Alert property | Alert property value | Technical explanation
    Program Status | New Parent Program | Windows Explorer is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows Explorer has attempted indirect access.
    Zone | Internet Zone | This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.


    Next New Entry


    Windows NT Logon Application is trying to use another program to connect to the Internet or your local network.

    ZoneAlarm Pro is asking you whether to allow the connection. No breach in your security has occurred. However, an Advanced Program alert may indicate a potentially dangerous situation. Proceed with caution.
    Inside the program alert

    Alert property | Alert property value | Technical explanation
    Program Name | Windows NT Logon Application | A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
    Filename | WINLOGON.EXE | The filename of the program that ZoneAlarm Pro found on your computer.
    Program Version | 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158) | The version of Windows NT Logon Application running on your computer.
    Program Size | 502272 | The size of the program executable file in bytes.
    Program MD5 | 01c3346c241652f43aed8e2149881bfe | The MD5 hash, or number, that uniquely identifies the executable.
    Program CRC | 640920a2 | The Cyclic Redundancy Check (CRC) checksum for the executable. This is the result of an algorithm for ensuring data integrity.
    Date Modified | Aug-04-2004 06:00:00 AM | The date when WINLOGON.EXE was most recently modified.
    Connect Type | Access | This value can be either Access, which is an Internet connection attempt by Windows NT Logon Application, or Server, which indicates that Windows NT Logon Application is waiting for connections coming in from the Internet.
    Remote Port | 53 | The port Windows NT Logon Application is using on the remote computer.
    Remote IP Address | 206.190.36.17 | The IP address of the remote computer that caused the alert.
    Alert Date | Apr-26-2007 12:04:26 PM PDT | The time when ZoneAlarm Pro detected the alert on your computer.

    ZoneAlarm Pro security enforcement at time of alert

    Alert property | Alert property value | Technical explanation
    Program Status | New Parent Program | Windows NT Logon Application is trying to use another program to gain indirect access to the Internet or local network. This is the first time Windows NT Logon Application has attempted indirect access.
    Zone | Internet Zone | This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.

    Previous session entry on Quicken. I denied it; it seems to have zero effect on program usage.



    Quicken Launcher is trying to monitor your system to observe what events are occurring.

    ZoneAlarm Pro is asking you whether to allow this behavior. Your computer is safe.
    Inside the OSFirewall alert

    Alert property | Alert property value | Technical explanation
    Program Name | Quicken Launcher | A program running on your computer, which attempted an action that was detected by the OSFirewall.
    Filename | qw.exe | The filename of the program that ZoneAlarm Pro found on your computer.
    Program Version | 15.1.1.179 | The version of Quicken Launcher running on your computer.
    Program Size | 13312 | The size of the program executable file in bytes.
    Program MD5 | 23f5bdb7ef472d3c55e242c85217730d | The MD5 hash, or number, that uniquely identifies the executable.
    Smart Checksum | 4156e899de16b4e31f221662134628ca | The SKIMP hash, or number, that uniquely identifies the executable.
    Date Modified | Aug-15-2005 05:18:30 AM | The date when qw.exe was most recently modified.
    Event Type | Execution | The event involved executing Windows instructions.
    Sub Event Type | ExecutionGlobalWindowsHook | Quicken Launcher attempted to set
     
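The alert dumps above, and the zone rule Stem gives later in the thread (private/reserved ranges need a decision, everything else is Internet), can be turned into a small triage script. This is an added example, not ZoneAlarm's code or anything posted in the thread: it assumes the pasted layout where property, value and ZoneAlarm's explanation run together on one line, and it also accepts a tidied "property | value | explanation" layout.

```python
"""Triage ZoneAlarm Pro 'Advanced Program alert' dumps as pasted in this
thread. Added example, not ZoneAlarm's own code."""
import ipaddress
import re
from typing import Dict, List

# Value pattern per alert property. Property, value and ZoneAlarm's fixed
# "Technical explanation" run together on one line; the pattern isolates
# the value and the explanation is discarded.
FIELD_PATTERNS = {
    "Program Name": r"(.+?)\s+A program running on your computer",
    "Filename": r"(\S+)",
    "Program Version": r"(\S+(?:\s+\([^)]*\))?)",
    "Program MD5": r"([0-9a-fA-F]{32})",
    "Connect Type": r"(Access|Server)",
    "Remote Port": r"(\d+)",
    "Remote IP Address": r"(\d{1,3}(?:\.\d{1,3}){3})",
    "Program Status": r"(.*?Program)\s",  # e.g. "New Parent Program"
    "Zone": r"(\w+ Zone)",
}

def parse_alert(text: str) -> Dict[str, str]:
    """Map each recognised alert property to its value (both layouts)."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if " | " in line:  # tidied layout: take the middle column
            key, value = line.split(" | ", 2)[:2]
            if key in FIELD_PATTERNS:
                fields[key] = value.strip()
            continue
        for key, pat in FIELD_PATTERNS.items():
            m = re.match(re.escape(key) + r"\s+" + pat, line)
            if m:
                fields[key] = m.group(1)
                break
    return fields

# Stem's warning: denying these indirect access can stop the browser connecting.
CORE_WINDOWS = {"WINLOGON.EXE", "EXPLORER.EXE"}

def triage(alert: Dict[str, str]) -> List[str]:
    """Turn one parsed alert into plain-language observations."""
    notes: List[str] = []
    ip = ipaddress.ip_address(alert["Remote IP Address"])
    # Stem's zone rule: private/reserved ranges need a Trusted-or-Internet
    # decision; any other address is simply the Internet zone.
    if ip.is_private:
        notes.append(f"{ip} is private/reserved: decide Trusted vs Internet")
    else:
        notes.append(f"{ip} is a public address: Internet zone")
    if alert.get("Remote Port") == "53":
        notes.append("remote port 53: a DNS lookup, not a data transfer")
    if "Parent" in alert.get("Program Status", ""):
        notes.append("indirect access (uses another program to connect)")
        if alert.get("Filename", "").upper() in CORE_WINDOWS:
            notes.append("core Windows process: denying may break the browser")
    if alert.get("Connect Type") == "Server":
        notes.append("Server: the program is waiting for inbound connections")
    return notes

# Sample input: constructed from the Windows Explorer alert in this thread.
SAMPLE = """\
Program Name Windows Explorer A program running on your computer, which either attempted to send an IP packet over the Internet or is waiting for an incoming packet.
Filename EXPLORER.EXE The filename of the program that ZoneAlarm Pro found on your computer.
Program Version 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158) The version of Windows Explorer running on your computer.
Program MD5 a0732187050030ae399b241436565e64 The MD5 hash, or number, that uniquely identifies the executable.
Connect Type Access This value can be either Access, which is an Internet connection attempt by Windows Explorer, or Server, which indicates that Windows Explorer is waiting for connections coming in from the Internet.
Remote Port 53 The port Windows Explorer is using on the remote computer.
Remote IP Address 206.190.36.17 The IP address of the remote computer that caused the alert.
Program Status New Parent Program Windows Explorer is trying to use another program to gain indirect access to the Internet or local network.
Zone Internet Zone This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet.
"""

if __name__ == "__main__":
    for note in triage(parse_alert(SAMPLE)):
        print("-", note)
```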
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Escalader,

    For indirect access (trying to use another program to connect to the Internet), you need to be careful. If such processes as "WINLOGON.EXE" are denied this, it can cause your browser not to be able to connect.

    As for bootup.
    I have set up ZA installed on a PC on a LAN, behind a gateway, just to check for DHCP etc, and to see what is being sent out. I have set the LAN as "Internet", and unchecked the "Allow broadcast" for that zone.
    DHCP boot (with reply) is allowed; ARP (with reply) is allowed; ICMP is allowed (the gateway is pinged during boot, even with ICMP not allowed); IGMP is allowed (even with this not allowed).
    So, from these results, having the LAN as "Internet" will not cause problems for DHCP (renewal is also allowed).

    ZA is still attempting to connect to Zonelabs during/after boot/on close down, with whatever settings I make within the firewall. If your previous statement still stands:
    Then I would suggest removing ZA.
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Wow, that's quite a suggestion Stem. This has been a bad week for me so this suggestion fits in with the theme of the week... ! I'm now scared on the FW front!

    Are you saying that I should remove ZA because it is allowing packets to leave my PC that shouldn't leave?

    If the answer is yes, then I need a replacement FW ASAP! I don't think PC Tools FW + will do better will it?

    I want to make sure I am not misunderstanding you here! Be as blunt as you need to be to make your points. I'm in learning mode and if you have to hit me over the head to make a point go for it!
     
  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    We have seen this with ZA before, where ZA is constantly connecting out. It was eventually stated by ZA that this was a bug. Are we seeing the same bug again?

    For me personally, I would not use this firewall until a full explanation from ZA is made concerning this.
     
  10. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston

    Stem,
    do you think that the Outpost F/W would be a better choice....based on your experience?
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Hi Stem,

    as far as I know this was fixed a long time ago... did you follow this document to block all communication with ZA?

    http://download.zonelabs.com/bin/free/pressReleases/2005/pr_22.html

    Fax
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem/Fax:

    Guys, I am at sea here.

    It would be unwise to remove ZA Pro until I have a better replacement and or a fix and or an adequate explanation on this connection out issue. I'm sure I'm not the only one that wants to know.

    The way I read this is Stem did behind-the-router tests and got the results he published a few posts back and found packets leaving and connecting-out attempts during and before boot and during close down. These have yet to be explained properly. Or if there are good reasons for these connections out, what are they? Is it possible they want to update it first before anything else loads? ZA is in business; there must be an explanation available, and it must be in their best interest to tell everybody here what it is?

    Fax, I think you are saying this is an old bug fixed long ago.:doubt:

    But if that were the case, how is it Stem got the results he did? Unless he has an unrepaired version, which seems unlikely. Why would the user have to follow a link to fix a bug or block all communications with ZA?

    Come to think of it, I want to communicate with ZA to get the latest fixes and updates to the ASW. I did not join the optional share setting service or opt for AV monitoring on the basis of security, so that is not an issue (I hope) on my PC.

    Stem, what version of ZA were you testing with? Mine is 7.0.337 which I hope is current.

    I really think we need to avoid FUD here and I for one intend to avoid precipitous actions or assumptions. ZA will I hope clear this matter up.

    Here is the explain help on contact with ZA, on my PC does this offer us any clues on these connections?

    Setting contact preferences
    Setting contact preferences ensures that your privacy is protected when ZoneAlarm security software communicates with ZoneAlarm (for example, to check automatically for updates).

    To set contact preferences:

    Select Overview|Preferences.
    In the Contact with ZoneAlarm area, specify your preferences.
    Alert me with a pop-up before I make contact Displays a warning before contacting ZoneAlarm to deliver registration information, get product updates, research an alert, or access DNS to look up IP addresses.
    Note: There are certain situations in which you will not be notified before contact is made. Those include sending DefenseNet data to ZoneAlarm, contacting ZoneAlarm for program advice, when an anti-virus update is performed, or when monitoring your anti-virus status. The "Share setting anonymously..." setting below turns off the DefenseNet transfer. All other settings can be disabled from the main tab of their respective panels.
    Hide my IP address when applicable Prevents your computer from being identified when you contact Zone Labs, LLC.
    Hide the last octet of my IP address when applicable Omits the last section of your IP address (for example, 123.456.789.XXX) when you contact Zone Labs, LLC.
    Share my security settings anonymously with ZoneAlarm Periodically sends anonymous configuration data to ZoneAlarm. For more information, see Joining the DefenseNet community .
    Note: Configuration data is not collected from ZoneAlarm or ZoneAlarm Anti-virus users.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    That is exactly the point, you should not worry about ZA contacting ZA servers. If ZA is your primary defence (or part of your security package) then you should care about everything else around it.

    If you start to question why ZA is contacting ZA servers and you do not want ZA to contact ZA, then better you remove ZA and use another software that you can trust. Trust in your security tools is your starting point.

    This issue can be easily taken up by trollers and transformed into "WARNING ZA is secretly leaking information from your system AGAIN".

    I thought this thread was about optimum ZA settings for securing your system rather than how to secure your system from ZA :)

    Fax
     
  14. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes, I was looking at this latest version.

    If I had auto updates etc enabled, then I would have to trust that the firewall would only do as I have allowed in the options I have enabled. But, as I have ALL these options disabled, I then trust the firewall NOT to make any unauthorized outbound,... but ZA does.

    That is why I have suggested that "Escalader" should remove ZA

    Making settings within a firewall is to protect the user. As "Escalader" shows concern as to what is leaving the PC, I do need to point out the fact that ZA is making unauthorized outbound.

    I would (and do) make a point of any firewall, or any application that was/is making unauthorized outbound comms. What a user does with this info is then up to themselves.

    If ZA was to stop making unauthorized outbound, then it would not be an issue.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost

    Yes, Fine Stem... I understand your point. :)

    Given your great expertise, can you detail the server/ports and what is sent without authorization (the exact string and length)?

    Thanks,
    Fax
     
  16. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    [attached screenshot: Capture31-08-2006-11.44.1827-04-2007-22.28.29.jpg]

    If there are settings/options that may cause this (that I may have missed) please advise.

    update
    I am trying to find what the above comms could be, thinking there may be a problem with installation (or bug/conflict). So to compare comms, I have made a manual program update check with ZA:- (ZA shown as up to date)
    [attached screenshot: Capture31-08-2006-11.44.1827-04-2007-22.59.33.jpg]


    Edit:
    Interesting, since making the manual update attempt, ZA is no longer connecting out. On re-boot, ZA does make DNS lookup for Zonelabs.com, but does not make outbound connection.
    I will keep a check.
     
    Last edited: Apr 27, 2007
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    This is correct, my thread is about How to set optimum settings in ZA Pro!

    Since I have very strong input control via the hardware FW and the router, my security concern is tilted more to output packet control.

    I'm assuming that when this issue of outbound connections is resolved and dealt with by Stem and other posters to all our satisfaction that we can proceed to the next question in my first posts.

    In fact, to show more than my usual flexibility:rolleyes:,:D I'm willing to do that now while waiting for those with the expert knowledge to answer this connect issue. I am willing to assume there is a positive answer to it.

    IMHO Trollers, will always be with us but what they do and how others react to these posts I think is way beyond the scope of this thread. We should not let the possible viewing by them influence what we do professionally.

    Regards to all, let's remain calm.
     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    At this moment in time, I am now looking at the outbound by ZA as a bug. As now, after the manual update I made, these comms have stopped. But of course, I will monitor.


    Right, down to your questions.

    I currently have my LAN as internet, with high settings in both "Internet and Trusted" zone.
    On my setup, (I have re-set Group policy in windows, so all default services are active, as would be with many users) I have unchecked the "Allow Broadcast/Multicast", as this was just noise, such as uPnP, netbios broadcasts. DHCP and ARP are still allowed, so no connection problems due to this.
    As for the other settings for "Custom", I do not think they need changing. But if you have questions?
    If not, we can move to your second question.
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,899
    Location:
    localhost
    Thanks for further investigating on it.

    "cm2.zonelabs.com" assists in the functioning of various services including the AlertAdvisor, antivirus/antispyware updates, and antivirus monitoring.

    Ehm, yes, sorry..... back to the original subject... :)

    Fax
     
  20. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Before doing that:

    In my Zones I have attached a jpg image, please look this list over and tell me if I am fuzzy headed in putting specific sites in such as BitDefender etc and MY ISP?
     
  21. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Yes,... ZA-> Overview-> Preferences

    No need to place IPs within the "Internet zone".
    Certain settings can place certain "networks" as trusted, but it does depend on settings. Go to "Firewall-> Main-> Advanced". Here you see a number of settings/options. At the bottom of this, you will see "Network settings"; ensure this is set as "Ask which Zone to place new networks in upon detection".
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    What about the other entries I made for my security software like BitDefender site, Webroot, and ZA itself etc etc does that make sense to you?
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Certain IPs/ranges raise a question, such as private/reserved: for example 192.168.***.*** / 10.*** etc. So confirmation is needed as to whether these IPs/ranges should be trusted or not. IPs which are not private/reserved are Internet, and no confirmation is needed. As with the IPs for (example) "Spy sweeper", these will be seen as "Internet".

    For the Zones, the main concern is:-
    What is/should be blocked.
    What is trusted, and should be placed here.

    All else is Internet (with possible exceptions (as for reserved), where you will be asked, due to your settings).
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Sorry, I missed that question.

    Gateway Security: Not needed in your setup, as this is a check on compatible gateways within a LAN.
    Internet Connection Sharing: The default setting can be left on your setup.
    General settings:
    Block all fragments: Normally, blocking fragmented packets will not cause problems, and adds extra filtering protection. With normal day-to-day surfing, I do not see fragmented packets.
    Block Trusted servers / Block Internet servers: These are over-rides to the program control settings; if set, they will block any program from acting as server in the zone selected. (If connected directly to the internet, and you do not use server software, then selecting "Block Internet servers" is a good option, as this will prevent any possible mis-config of allowing unsolicited inbound to programs that may have been allowed server status unintentionally.)
    Enable ARP Protection: This is mainly for large, possibly untrusted LANs, to stop attempts at ARP poisoning. With this enabled, unsolicited ARP will be dropped. You can enable this; it will not affect your connection.
    Filter IP traffic over 1394: Some PC connections can be made over firewire (I do this for some debugging/tests). Firewire is also used for some external connections to external HDs etc. This setting will depend on what you have (if anything) connected over 1394.
    Allow VPN / uncommon protocols: This depends on the needs of your own setup. If you do not know what these are, then you more than likely do not need to enable these.
    Lock Hosts File: If you use the Windows hosts file, then enabling this will protect that file.
    Disable Windows Firewall: This is just to make sure that the Windows firewall is disabled.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem: Thanks again. We are proceeding well one by one like a good programmer should! :thumb:
     