How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi gre87y I remember you!

    Not to worry I'm sure Fax will continue posting.

    In my view, Stem's and Fax's, the OP had been 'hijacked' or "diverted OT", whatever words fit. They have agreed to take those OT issues elsewhere. I for one appreciate that!

    Perhaps a new thread for those issues will be created? You could do that!

    This thread had gone OT, IMHO. It happens. It gets fixed and we all move on.

    My thread is not a debating thread it is a learning thread with me as the "learner". I was buried and lost in OT posts and losing heart till Stem helped us out.

    If anybody has a fact/experienced based contribution to make on this learning thread go ahead and make it! I would read it for sure! I then wait for Stem as that is his role in this thread. But a never ending debate, no thanks, not in this thread.

    We have moved now to Program Control, what are your own learnings to share on my recent posted questions to Stem?
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Escalader,

    I have placed ZA back on LAN.

    I am now seeing some boot problems. The ZA PC was issued with a LAN IP, this was accepted, and ZA made the usual DNS lookup for zonelabs; there was then an outbound DHCP blocked by ZA, and at the same time the ZA PC changed IP (to an IP out of LAN range). I will need to see how often this happens, as this will cause the PC to have no internet access.

    Update,
    The problem I am seeing is due to my now using an nVidia onboard NIC (I just plugged into the nearest when I changed my setup around). Changing back to a Realtek onboard NIC, the problem has gone. So there is a conflict with the nVidia NIC (or drivers) on my setup.

    EDIT:
    Now we did set this option back on when you were having connection problems. But I do not see any need for this in the internet zone (as DHCP broadcast is allowed with this setting off). The only use I can see of this (from my setup, with what is being broadcast) is for if you are sharing files/printers, so that the boot up connection would be made (via the netbios broadcast). So I do think this should be disabled in the internet zone.
     
    Last edited: May 2, 2007
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Good Morning Stem:

    Things running more smoothly now on my bootup and logging in (with multicast allowed). See below where I have changed it as per your edit.

    With SS no longer in the internet zone as a site, ZA gave me an alert that it was trying to use IE to access trusted zone 127.0.0.1 port 1252. I allowed it since that is SS's normal update of signatures etc. for parasites.

    BD updated smoothly with no alerts or blocks. These 2 were earlier removed from my zones list.

    ZA also blocked an incoming packet, 192.168.1.1 to 192.168.1.100, ICMP Unreachable.

    If you need more details my logs have it. There were more recorded but that's enough on FW for now.

    Right! It was on from before, so here then are my modified ZA Pro FW settings!

    So in FW Zones all I have is:

    (1) host site apple blocked
    (2) Family Lan 192.168.1.0/255.255.255.0 Internet
    (3) Loopback Adapter 127.0.0.1 IP Trusted

    Internet Zone,

    I'm NOT allowing broadcast multicast

    Trusted Zone
    all default, nothing ticked

    Advanced Settings

    Sharing

    not on ICS/NAT

    General 5 ticked

    block all fragments
    enable ARP
    filter IP traffic on 1394
    Lock hosts file
    Disable Windows firewall

    Network Settings 2 ticks

    ask which zone....
    automatically put new unprotected wireless networks into internet zone. (That's an interesting one I didn't see before. ZA says internet zone ..)

    So unless you see something I missed or should change, let's make our settings as close as possible and move on?

    I'm ready to move to Program Control.

    Both main settings at High, Lock is off. Nothing changed on the screen saver rules, have a look at that please.

    Custom for HIGH ALL options ticked both for OS and Component control!

    On permissions all set at ask permission, nothing changed.

    If you are all okay there, let's move to programs in detail; click on the programs column heading to bring ZA programs to the top. There are the main columns for the first 3 and the options, which vary by program, of which there are many more than columns. I would suggest you give a policy or principle we should use by column, for example SEND mail: why would I have more than 1 program approved for send mail? There are 5 ticked green.

    Anyway Stem, if there is an easier way for you to help optimize the settings in programs let me know. I'm flexible.
     
    Last edited: May 2, 2007
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have split a number of posts to here


    @Escalader,

    For program control, start with the basics as you mention.

    Allow to send mail~ only your mail clients, all else can have a red "X"
    Allow server in Internet~ as you have mentioned, you do not want any inbound connections, so none should have a green tick
    Allow out to internet~ this is where we need to take some time and look at the programs that require this. Most windows applications don't actually need internet access, but it can/will depend on your needs.

    Allow out to/ server in trusted~ No rush on this yet as you only have the loopback adapter within the trusted zone. Whatever is ticked or "?" leave for now.

    For any blocked ICMP etc from your router, we can look at creating some rules (once we know you have no problems with setup)
     
    Last edited: May 2, 2007
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses



    Program Control, These are my main settings:

    Both main settings at High, Lock is off. Nothing changed on the screen saver rules, have a look at that please.

    Custom for HIGH ALL options ticked both for OS and Component control!

    On permissions all set at ask permission, nothing changed.
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As before, my post comments are in RED
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello All:

    We have moved on to Program Settings.

    The following 5 ticked green in SEND mail as defaults:

    1. COM Surrogate
    2. Internet Explorer (6)
    3. MS Help and Support Center
    4. MS Office Outlook
    5. MS office word

    How/who derives these defaults? Why would 1,2 and 3 receive green ticks?

    Another quirk is bugging me. On Alerts Events Shown ZA keeps turning it off!
    I need it on during this learning thread. How do I lock it on?

    Under Server Internet , what will happen if I make every single setting a red X? Warning aside?
     
  8. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Good morning Stem! (or is it night?)

    I posted a few before you can look at when there is time.

    Here is a jpg of a ZA Options pop up window showing defaults by application.

    I am unsure if the defaults are "optimum", what do you suggest, I can change this for each program line if you want or do nothing?

    Please advise.
     


  9. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Right, lets get back to this:
    These I suspect will be from the "advisor". If an application is capable of sending e-mails, and this is seen as "trusted", then the options are put in place. This is really to save popups in the future for these apps. Of course not all are actually wanted or possibly needed, so we can simply edit these to suit what you want/need.
    Basically, tick the mail client you use, question mark or red "X" the ones you don't. (I say question mark, as you/others may be unsure of what is used, and with a question mark, then a popup will show if that app attempts to send an e-mail, and if the user has just attempted to send an e-mail, they will then know it should be allowed, and the option can be changed.)
     
  10. Berge01

    Berge01 Guest

    May I add some info to this. You DO NOT have to give Generic Host Services any SERVER rights. Those two columns under server rights are all X's for every program on my computer and I have no problems.
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Of course you can.
    Server rights for the internet are certainly not needed for the correct operation of the OS. Server rights to allow inbound connections for localhost(loopback) can/are needed on some setups, but this depends on the software installed on the system.

    Like on a setup, behind a router, then the OS can be set where svchost needs no direct outbound to the Internet (apart from windows updates, if these are done via auto updates)
     
  12. 12fw

    12fw Registered Member

    Joined:
    Sep 12, 2006
    Posts:
    111
    Location:
    Canada
    I suppose the svchost.exe could have Expert Rules for the DHCP, DNS, windows updates and such, and then the server rights for the Trusted Zone could be changed from allowed to ask?

    12fw
     
  13. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For the setup I mentioned "behind a router", the OS can be given a static IP/DNS servers, the DNS client can be disabled, and such as "windows time" (which ZA does not allow out in my setup) and the browser service etc. etc. can be disabled.
    This would certainly stop any possible problems with DHCP (in this setup), which has been one of the main problems (due to some hardware/driver problems I have seen).
    For me such a setup is not a problem, and certainly not a problem for me to advise others to make. It is only due to other posts/PMs that I attempt to place all for the firewall. I do see that I should have stayed with my own thoughts on this, as it is less problematic, and certainly does not take a lot of time to show how to make such a setup.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Due to the outbound packet destination ip issues, I turned Smart adviser off.
    I have now turned it to medium which, if I read it right, gives advice but does not make settings on its own as at the high setting. Does that make sense?

    As to the SEND mail red X's I have them ALL off except one my email program which is MS Outlook ( NOT EXPRESS)

    I am able to send and receive mail so that column is done?
     
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem, this is where I need some advice. I have red X'd the svchost in both those columns. As well, I have red X'd the whole column marked Server Internet.
    On server trusted there is a mix of X's and ?. One program does have 2 green X's Windows Genuine Advantage Notification. I didn't ask for 2 greens. But my guess is the last mass MS update to XP which I installed must have changed them. :doubt:

    If I Red X every program as Berge01 does? What will happen next MS update?

    Berge01 do you do these updates every time, did your Red X change as well?
     
  16. Berge01

    Berge01 Guest

    No Escalader, you need to have two Green Checkmarks under the Access columns for Generic Host.

    Everything that is in the SERVER columns in Programs Control have all RED X's in them and I have not had any type of problems by having this setup. Now, if you feel unsure about having yours, then I suggest you leave a Blue Question Mark, so this way it will ask you, if you want to allow it or not. But, this is your decision. My decision has been made on how I WANT my firewall to be set up and run correctly.
     
  17. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As before my Q and A's are embedded in RED.

     
  18. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    @Escalader,
    Are the 2 green (do you mean ticks/checks) entries for outbound in the trusted/internet zone?

    There was an uproar about this WGA, as this was contacting the microsoft servers at regular intervals. These intervals were reportedly (by microsoft) reduced, but as I do not have this installed, I do not have any current info on this.

    http://en.wikipedia.org/wiki/Windows_Genuine_Advantage
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Yes, I mean 2 ticks entries for both in and outbound in the SERVER trusted/internet zone.

    These entries have not been customized, they are there as AUTO via the working SmartDefense feature which is at Medium at the moment.

    I will set these as 2 red X's for now unless you recommend otherwise later.

    Is there any reason why we can't just red x, ALL programs in both columns under SERVER trusted/internet zone?

    Another way to put it is do you have ANY of your own programs in these 2 columns with a ? or green tick that you put there via customizing the settings for that program? If so which ones and why.

    Ignore my way of putting all questions it has zero tone in it... just a style:oops: matter at my end.

    Take care
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Escalader,

    Well, I do not know why a firewall would allow unsolicited inbound from the Internet to any windows applications by default, certainly these settings need to be changed.

    If we go from basic needs: unsolicited Internet inbound (server rights) is not needed. It is only for such as server software (P2P/torrent client), or some messenger programs where the user wants unsolicited inbound messages (as we have seen in another thread).
    In your own setup you do not use any of these, so you can place a red "X" in all of the "server Internet".
    Now, server in "trusted", well, many programs will make comms through localhost, so as you will see from other posts, most will add the localhost (127.0.0.0/255.255.255.0) as trusted, then allow programs outbound/server in the trusted zone. These settings do actually depend on the firewall in use, and how the localhost is handled.

    My own setup, no. Only if I was to add, for example a P2P/torrent client for testing do I allow server rights. My own setup at this time does not have any entry within the "Trusted Zone", so I can simply have all "server" in this zone as red "X".
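    To make the effect of these column settings concrete, here is a small Python model of ZoneAlarm-style program control, written for this thread as an added illustration; it is not ZoneAlarm's code and does not reproduce its internals. It assumes the zone list Escalader posted (loopback adapter trusted, the 192.168.1.0/24 LAN placed in the Internet zone), the Access / Server / Send Mail columns discussed above, and 12fw's idea of expert rules on svchost.exe for DHCP, DNS and updates. The program names, the 203.0.113.10 address (a documentation range) and the rule that expert rules are checked before the zone columns are all constructed assumptions, not settings taken from anyone's screenshot.

```python
"""Toy model of ZoneAlarm-style program control, constructed for this thread."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ALLOW, ASK, DENY = "allow", "ask", "deny"   # green tick, blue "?", red "X"

# Zone list as Escalader posted it: loopback adapter trusted, LAN in the Internet zone.
ZONES = [
    ("trusted", ipaddress.ip_network("127.0.0.1/32")),
    ("internet", ipaddress.ip_network("192.168.1.0/24")),
]


def zone_of(ip: str) -> str:
    """Classify a remote address; anything not listed lands in the Internet zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class ExpertRule:
    """One expert rule; first match wins. None / empty set means 'any'."""
    action: str
    direction: str                      # "out" or "in"
    proto: Optional[str] = None
    remote: Optional[str] = None        # CIDR string
    ports: frozenset = frozenset()

    def matches(self, conn: dict) -> bool:
        if conn["direction"] != self.direction:
            return False
        if self.proto and conn["proto"] != self.proto:
            return False
        if self.remote and ipaddress.ip_address(conn["remote_ip"]) not in ipaddress.ip_network(self.remote):
            return False
        if self.ports and conn["port"] not in self.ports:
            return False
        return True


@dataclass
class ProgramEntry:
    access: dict                        # outbound ("Access") column per zone
    server: dict                        # unsolicited inbound ("Server") column per zone
    send_mail: str = DENY
    expert: list = field(default_factory=list)


# Program table mirroring the settings discussed in the thread (constructed values).
PROGRAMS = {
    "Microsoft Office Outlook": ProgramEntry(
        access={"trusted": ALLOW, "internet": ALLOW},
        server={"trusted": DENY, "internet": DENY}, send_mail=ALLOW),
    "Internet Explorer": ProgramEntry(
        access={"trusted": ALLOW, "internet": ALLOW},
        server={"trusted": DENY, "internet": DENY}),
    # svchost: two green ticks under Access (Berge01), all Server red X, plus 12fw's
    # expert rules for DNS / DHCP / updates with a catch-all deny at the end (assumed set).
    "Generic Host Process (svchost.exe)": ProgramEntry(
        access={"trusted": ALLOW, "internet": ALLOW},
        server={"trusted": DENY, "internet": DENY},
        expert=[
            ExpertRule(ALLOW, "out", "udp", "192.168.1.1/32", frozenset({53})),  # DNS to router
            ExpertRule(ALLOW, "out", "udp", None, frozenset({67})),              # DHCP to server port
            ExpertRule(ALLOW, "out", "tcp", None, frozenset({80, 443})),         # Windows Update
            ExpertRule(DENY, "out"),                                             # everything else out
        ]),
    "Windows Media Player Network Sharing Service": ProgramEntry(
        access={"trusted": ASK, "internet": ASK},
        server={"trusted": DENY, "internet": DENY}),
}


def most_restrictive(a: str, b: str) -> str:
    order = {ALLOW: 0, ASK: 1, DENY: 2}
    return a if order[a] >= order[b] else b


def decide(entry: ProgramEntry, conn: dict) -> str:
    # Assumption: expert rules are checked before the zone columns, first match wins.
    for rule in entry.expert:
        if rule.matches(conn):
            return rule.action
    zone = zone_of(conn["remote_ip"])
    column = entry.server if conn["direction"] == "in" else entry.access
    verdict = column[zone]
    # Outbound SMTP (tcp/25) additionally needs the Send Mail permission.
    if conn["direction"] == "out" and conn["proto"] == "tcp" and conn["port"] == 25:
        verdict = most_restrictive(verdict, entry.send_mail)
    return verdict


def evaluate(program: str, direction: str, proto: str, remote_ip: str, port: int) -> str:
    """Return allow / ask / deny for one connection attempt by the named program."""
    conn = {"direction": direction, "proto": proto, "remote_ip": remote_ip, "port": port}
    return decide(PROGRAMS[program], conn)


if __name__ == "__main__":
    samples = [  # constructed connection attempts; 203.0.113.10 is a documentation address
        ("Microsoft Office Outlook", "out", "tcp", "203.0.113.10", 25),
        ("Internet Explorer", "out", "tcp", "203.0.113.10", 25),
        ("Internet Explorer", "out", "tcp", "127.0.0.1", 1252),
        ("Generic Host Process (svchost.exe)", "out", "udp", "192.168.1.1", 53),
        ("Generic Host Process (svchost.exe)", "out", "tcp", "203.0.113.10", 8080),
        ("Generic Host Process (svchost.exe)", "in", "tcp", "192.168.1.50", 445),
        ("Windows Media Player Network Sharing Service", "in", "tcp", "192.168.1.50", 10243),
        ("Windows Media Player Network Sharing Service", "out", "tcp", "127.0.0.1", 2869),
    ]
    for s in samples:
        print(f"{s[0]:45} {s[1]:3} {s[2]} {s[3]}:{s[4]} -> {evaluate(*s)}")
```

    The sample run shows the points made in the posts above: with every Server entry red X'd, an inbound attempt to the media sharing service or to svchost from a LAN host is refused because the LAN sits in the Internet zone; Outlook can still send mail on tcp/25 while Internet Explorer cannot, because the Send Mail column is applied on top of the Access permission; and the svchost expert rules let only DNS to the router, DHCP and web-port traffic out, so any other outbound attempt falls through to the final deny rule.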
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Stem, (as before mine in red)

    I have excerpts of the post to tell you what I have/will do now

    If we go from basic needs. Unsolicited Internet inbound (server rights) are not needed. ......In your own setup you do not use any of these, so you can place a red "X" in all of the "server Internet".

    Done, ALL are Red X now

    .. server in "trusted", well, many program will make comms through localhost, so as you will see from other posts, most will add the localhost (127.0.0.0/255.255.255.0) as trusted, then allow programs outbound/server in the trusted zone. These settings ...depend on the FW .....and how the localhost is handled.

    I'm confused :oops: . Maybe the words are just different. I have Loopback 127.0.0.1 adapter as Trusted in FW settings. The Lan is 198.168.1.0/255.255.255.0 named Network as Internet.:D

    Right. What do you need from me to close this matter off? My user need is to minimize outbound packets that have NO business leaving MY PC! What should I do given this is the FW I have?

    Since we have moved now to Program settings in ZA Pro that answer should go PM? Your call. I have promised ALL Thread posters/readers that want them to provide all my learnings on this thread.



    My own setup, ...........any entry within the "Trusted Zone", so I can simply have all "server" in this zone as red "X".

    I have done the same, the tool gave me a warning message on all the Systems Programs warning me NOT to customize them. I did it anyway. Okay?

    So to summarize we have the last 3 columns in Program settings ALL red X'd except (in my case) for 1 green tick for my email server.

    One observation, I never noticed this earlier: TRHS of screen in ZA Pro I have several programs actively showing there, 1 is Windows Media Player Network Sharing Service. I did recently update to version 11 but don't recall that being there. I don't know what it is. If it is anticipating me downloading music that isn't on, too much illegal or unethical activity on that front for my taste.

    What should I do?

    After that matter, which column is best to do next?

    Take care Stem:thumb:

     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Fixed the MS Media thing (partially), by removing it from the start up menu and messing about with its settings so it isn't in memory all the time. So it isn't creating log entries any more, which is good.:thumb:

    It still shows wmpnetwk.exe as Network services, don't need that either, but have forgotten how to get at the services:oops: again.

    Please give me a hint and look at my last reply post to you.

    Thanks.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Localhost

    Loopback


    Start Menu-> Run, type services.msc
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    For this, I will need to install/look at WMP 11 that you have installed (I personally do not use WMP, and have ver9 installed). WMP does integrate deeply into IE(and the OS), due to user (possible) needs for streaming video/music etc. (also when WMP is active, it will attempt connection through other browsers such as firefox)
    We will need to look at settings within WMP, your needs of this, and then what can be done to limit these connections.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Please don't do it for my sake! I'm removing the product. I'd rather just work on the next column of settings in ZA Pro. I can always put it back in the future if I need it! :thumb:
     