How to set optimum settings in ZA Pro?

Discussion in 'other firewalls' started by Escalader, Apr 23, 2007.

Thread Status:
Not open for further replies.
  1. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    FYI...I use "Windows Media Player Network Sharing Service" to allow Xbox to connect to pc to access media library from the gaming console. Haven't found any other use for WMPNetwk.exe...
     
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I answer with what I know, anything I do not know (or uncertain) I check/test, this way I learn also.

    If I was to be here only to give answers without a need to check, and my answers could resolve all questions without my need to learn,... then I would not be here on forum.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:

    Using Add/Remove Programs in Control Panel didn't work; all you can do there, it seems, is roll back to earlier versions. I did that HOPING it would get rid of that network task. It didn't! So as you say this thing is embedded. When I went to Windows removal components and clicked on the WMP grey box it seemed to be saying that if I proceeded it would take 9mb of HDD space. It's all gibberish to me.

    So not to be deterred, and in step with the thread I used ZA Program settings and KILLED it! That got the job done. WMP network service is gone from task list.

    ZA now gives me pop ups that WMP is a program malware!

    Hope MS doesn't see this!:D
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Agree 100%. My response sounded selfish and that I was alone in learning, I apologize since that is not the case.

    Sometimes, getting so deep into a subject, I forget everything around me and can block out sounds and activity while doing stuff; that helped in university but not so much in give and take threads. I will try to improve. Best to reveal my observations as we go.

    For my PC I'm content to just kill the Program. Now I, and anybody else, have learned how to kill programs in ZA :D
     
  5. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks, now I remember the services stuff; it's been a while since I went in!

    Action Taken: I have now disabled WMP. I will now unkill it in ZA Program Control (setting it to "?") to see if log entries for it stop.

    Observations on Purchased Software Services that "call home"

    1 Bitdefender Desktop updater is active to keep current
    2 Perfect Disk
    3 Truevector but not identified as belonging to ZA
    4 Webroot Spy Sweeper is active for automatic updates



    Observations from ZA Program log

    1) Winlogon shows 5 blocked attempts to kerinet, 66.39.30.176.53
    2) wmpnetwk shows many blocked attempts as follows:
       3 to loopback
       12 to no identity IP or listed DNS
       6 to 239.255.255.250.1900
    3) FW blocked 4 incoming:
       2 IGMP queries
       2 ICMPs

    Comments? anybody?
     
  6. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Is this IP one of your DNS servers? Do you have the windows DNS client(service) active?
    WMP will attempt outbound connections based on the options, for such as the retrieval of media information/ auto download codecs etc. You will also see an option to start the player in "Media guide", which, if enabled, will then on the startup of WMP attempt outbound connections to 207.46.248.112/ 207.46.196.100 (on this setup).
    There are also shown attempts at uPnP; I don't think you want WMP connecting to the router?
    I would need more info on these packets before comment.
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    As before, responses in Red

     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This we need to look at, it may well be legit, but a bypass.

    OK, you have disabled WMP, so no real question on its attempts at outbound, as this is completely blocked.

    IGMP: Is this internal comms? Check the logs for IP (broadcast/multi/.. or defined)
    ICMP: Type/Code. If logging then source/destination should show.
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Here is one:

    ZoneAlarm Pro has blocked access to port 0 on your computer

    ZoneAlarm Pro has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe.
    Inside the firewall alert

    Alert property | Alert property value | Technical explanation
    Source IP Address | 192.168.1.1 | The IP address of the computer that sent the packet which caused the alert.
    Destination IP | 224.0.0.xxx | The IP address of the computer to which the packet was sent.
    Transport Layer Protocol | IGMP | The protocol that allows data to be transported between software programs on different computers.
    Network Layer Protocol | IP | The protocol that allows two networked computers to locate each other on a network.
    Protocol Specific | Type 17 (0x11) - Membership Query | Some protocols, such as ICMP and IGMP, have multiple "types" associated with the protocol. Each type number for a specific protocol has standardized meaning.
    Link Layer Protocol | Ethernet | The protocol that allows two directly linked computers to share a network cable.
    Alert Date | May-18-2007 08:03:01 AM PDT | The time when ZoneAlarm Pro detected the alert on your computer.
    Alert Count | 1 | Number of times this connection attempt repeated its attempt on your machine after the original alert. ZoneAlarm Pro shields your machine from repeated displays of an identical alert.

    ZoneAlarm Pro security enforcement at time of alert

    Alert property | Alert property value | Technical explanation
    Lock Level | Lock Not Engaged | Internet and network connections permitted by your ZoneAlarm Pro settings are not blocked by a lock setting.
    Trusted Zone Security Level | High | This ZoneAlarm Pro setting blocks access from the Trusted Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Trusted Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Trusted Zone Servers | Servers Allowed | Computers in your ZoneAlarm Pro Trusted Zone are not prevented from connecting to server programs running on your computer.
    Internet Zone Security Level | High | This ZoneAlarm Pro setting blocks access from the Internet Zone to file and printer shares (NetBIOS) and other operating system services. Ports not currently in use by a program are blocked and are not visible to the Internet Zone. This Security Level also enforces application privileges and Internet Lock settings.
    Internet Zone Servers | Servers Allowed | Computers in your ZoneAlarm Pro Internet Zone are not prevented from connecting to server programs running on your computer.
    Packet Direction | Incoming | The packet that caused the alert was sent from a computer located somewhere on the Internet or on your network. It was being sent to your computer.
    Zone | Internet Zone | This ZoneAlarm Pro zone contains all the computers and networks in the world that are connected to the Internet, until you explicitly define them as members of another zone.
    Operating system | Windows XP-5.1.2600-Service Pack 2-SP | Version of operating system running on your co
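To triage the blocked entries listed in post 5 and the IGMP alert in post 9 (loopback, SSDP to 239.255.255.250:1900, a membership query from the router, DNS to an unfamiliar server), here is an added Python example that is not from the thread or from ZoneAlarm; the log field names, the gateway/DNS addresses and the sample entries are assumptions constructed for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample entries modelled on the blocked items quoted in the thread
# (winlogon to port 53, wmpnetwk to loopback and to 239.255.255.250:1900, an IGMP
# membership query from the router). The field names are an assumption for this
# example, not ZA Pro's log format; the Internet address is reused from the
# trace table later in the thread purely as a sample value.
SAMPLE_ENTRIES = [
    {"program": "winlogon.exe", "proto": "UDP", "src": "192.168.1.10",
     "dst": "66.39.30.176", "dport": 53},
    {"program": "wmpnetwk.exe", "proto": "UDP", "src": "127.0.0.1",
     "dst": "127.0.0.1", "dport": 1900},
    {"program": "wmpnetwk.exe", "proto": "UDP", "src": "192.168.1.10",
     "dst": "239.255.255.250", "dport": 1900},
    {"program": None, "proto": "IGMP", "type": 17,
     "src": "192.168.1.1", "dst": "224.0.0.1"},
    {"program": None, "proto": "ICMP", "type": 8,
     "src": "66.98.244.1", "dst": "192.168.1.10"},
]

# Assumed LAN layout: the router is the gateway and the DHCP-assigned resolver.
GATEWAY = "192.168.1.1"
CONFIGURED_DNS = {"192.168.1.1"}

ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request (ping)", 11: "time exceeded"}


def classify(entry, gateway=GATEWAY, dns_servers=CONFIGURED_DNS):
    """Return a short triage label for one blocked-connection entry."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    proto = entry["proto"]
    if dst.is_loopback:
        return "loopback: never leaves the host, harmless"
    if proto == "IGMP":
        # Membership queries (type 0x11) are how the router learns which multicast
        # groups hosts have joined; from the gateway to 224.0.0.x it is LAN housekeeping.
        if (src == ipaddress.ip_address(gateway) and dst.is_multicast
                and entry.get("type") == 17):
            return "IGMP membership query from gateway: LAN multicast housekeeping"
        return "IGMP from unexpected source: review"
    if proto == "ICMP":
        # Stem's advice: the type/code tells you what the packet was for.
        kind = ICMP_TYPES.get(entry.get("type"), "type %s" % entry.get("type"))
        return "ICMP %s from %s" % (kind, "LAN" if src.is_private else "Internet")
    if dst == ipaddress.ip_address("239.255.255.250") and entry.get("dport") == 1900:
        return "SSDP/UPnP discovery to LAN multicast: media sharing, block unless wanted"
    if entry.get("dport") == 53:
        if str(dst) in dns_servers:
            return "DNS to configured resolver"
        return "DNS to a server not in the configured list: look up the owner"
    if dst.is_private:
        return "LAN unicast"
    return "Internet unicast: look up the owner before trusting"


def triage(entries):
    """Count entries per label, giving the kind of summary posted in the thread."""
    return Counter(classify(e) for e in entries)
```

Running `triage(SAMPLE_ENTRIES)` separates the harmless LAN chatter (loopback, IGMP from the gateway) from the items worth a lookup (DNS to an unlisted server, pings from the Internet).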
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem:
    Here is the current status of my FW settings in ZA Pro. In case anybody else is working along with us and wants to test my settings on their ZA Pro.:cool:

    A few UFO sites are blocked as were discussed earlier during the "stopping phone home" posts. They all work fine. With all updates set to manual I can still update the product and the on demand ASW feature at will, I also get Smart_Advice in real time.

    The only item I have Trusted is the loopback adapter?:doubt: Comments?

    I have my ISP listed as well, Comment at will please!
     


  11. Steelhead

    Steelhead Guest

    First of all I have been following this entire thread, and I must say that you and Stem have done an outstanding job in trying to explain to all about "Optimum settings in ZA Pro."

    You may want to go to the following site and gather some more info on who and what is connected or trying to connect to your computer. This site will give you a lot of Excellent info, especially on IP Addresses and who they are. Therefore giving you more to block in your firewall.

    Http://analyze.privacy.net/
     
  12. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Steelhead,
    I just went to the site and got quite a lot of information as you said:

    Maybe you could have a look at this extract from the analysis and comment if you see anything I should change. My goal is to prevent packets leaving my PC that have no business doing that!

    Firewall Test

    Port and firewall status not determinable with JavaScript disabled.
    Browser Type and Version

    Browser: Firefox
    Fullversion: 2.0.0.3
    Gecko: True
    GeckoBuildDate: 20070309
    Crawler: False

    Browser Security

    Session Cookies Accepted
    Persistant Cookies Accepted
    JavaScriptEnabled: False
    VBScriptEnabled: False
    JavaEnabled: False
    ActiveXEnabled: False
    SSL: True
    SSLActive: False
    SSLKeySize: 0
    SSLEnabled: False
    Firewall: False
    OpenPorts:
    PopupsBlocked: False
    ImagesEnabled: False
    HighSecurity: True

    Connection Details

    Broadband: False
    ConnectionType:
    Firewall: False
    Proxy: False
    CompressGZip: True
    AOL: False
    MSN: False


    The ip addresses I see are those belonging to my ISP and those passed through during the trace.

    In your view, how should a user decide from such info who/what to block?

    Be blunt, this stuff is important to keep clear and most of the readers here in this forum really want to maximize their security. Some have different views on how to do that but that's just reality.
     
  13. Steelhead

    Steelhead Guest

    Session Cookies - NOT Accepted
    Persistant Cookies - NOT Accepted

    Your quote," the ip addresses I see are those belonging to my ISP and those passed through during the trace." NOT all of them and you need to check out each IP Address to make sure if in fact the IP Addresses belong to your ISP. Btw, did it show on your test any of the following IP Addresses?

    NetRange: 4.0.0.0 - 4.255.255.255 OrgName: Level3 Communications, Inc. Also known as MarkMonitor.com.
     
  14. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi Steel:

    Thanks, I will have a look at the cookies settings again. My ISP expects IE 6 or 7 so the only way I can get service there with FF is to allow that site the use of cookies. Most sites in FF I have blocked from any cookies.

    Here is the trace I got on test 1:

    IP Address Host name
    66.98.244.1 gphou-66-98-244-1.ev1servers.net
    66.98.241.16 gphou-66-98-241-16.ev1servers.net
    66.98.240.3 gphou-66-98-240-3.ev1servers.net
    216.110.27.97 216-110-27-97.static.twtelecom.net
    66.192.246.126 dist-01-ge-0-2-1-506.hsto.twtelecom.net
    66.192.255.93 core-01-so-0-0-0-0.chcg.twtelecom.net
    66.192.244.20 peer-02-so-0-0-0-0.chcg.twtelecom.net
    206.223.119.105 equinixexchange.chicago.rogers.com
    66.185.81.189 so-0-2-0.gw02.bloor.phub.net.cable.rogers.com
    24.153.5.245 -
    24.153.5.22 -
    66.185.90.28 -

    At that point it timed out.

    If you have a look at few posts back in the FW Zones I blocked MarkMonitor.com early on due to doubt about that site.

    My view was if there is doubt block it! What else is a FW for but to block bad ins and outs. This is not a court where the site should be assumed innocent until proven guilty. For FW's it must be the reverse approach. There would be some false positive sites but that is better than a bad connect.

    One thing that puzzled me is, does not an outbound packet take a variable route to the destination? Each time would be different? Thus checking out each IP in traces would be a hopeless task? :doubt: Straighten me out on this anybody!

    I see the point on my isp sites, how do I check them again? I forgot the method to do it!:oops:
     
  15. Steelhead

    Steelhead Guest

    You need to go to http://www.dnsstuff.com/ to lookup the IP Addresses. Plus this site offers a lot of other interesting info you can also check out.
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Forgot to come back on this... a recent MS Patch broke the service... have you tried to change the server? For example: time-a.nist.gov

    I had the same issue after a MS monthly patch and after reading in another security forum discovered that it was a MS problem (ZA blocking the call). Changed the server and voila'... windows time sync again without blocking ;)

    Fax
     
    Last edited: May 20, 2007
  17. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    My test PC is only patched to before the release of the build of ZA I am testing (to stop such problems with microsoft patches).
    Before the installation, I did check that the "time service" was working correctly, as I don't normally have this service running, and there was no problem; my gateway logs showed the DNS lookups and the comms to "time.windows.com" (207.46.130.100)

    Then there should not be a problem on a system that has not installed this patch? But ZA allows the DNS lookup, and then silently blocks the "time.windows.com" outbound (the outbound is not allowed, but there is nothing in ZA logs to show the blocked packet).
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Everything can have an explanation that does not necessarily end up with "it's a ZA bug" :)

    In my case, running the sync manually triggered a blocking in ZA, so it was not a silent blocking. Changing the server to whatever works... stopped the blocking and the logging. Why would windows.time be blocked and not another server? Uuuhm, maybe we should look to service code or ZA code...

    Have you tried it?

    Fax
     
  19. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Stem: Hope I don't have this timing bug on my setup. How do I test to see if I can replicate it? If I grasp your message it seems connected with MS auto updates? Is it having them on or off to manage calling home?

    Fax, whatever happened to SlyFox ? Used to post good stuff and hints and links.
     
  20. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Fax posted that a recent Microsoft update has broken this service, but from my test PC (which, as I have mentioned, is only up to date on "Windows updates" to before the release of the ZA build that I am testing) I only see a problem after ZA is installed.

    For me, personally, on this point of "windows time", ZA is doing me a favour by blocking this. The reply from "fax" on this was aimed at a post of mine where I was actually saying I would disable this service anyway (to stop any outbound by svchost).

    As for if a user wants "time sync" and ZA(or whatever) is (for whatever reason) blocking this, then simply change the "time" server (as mentioned by fax), to me the blocking of "windows time" is not a problem, certainly not something to get worked up about.
     
  21. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Stem, if you are okay I'm not concerned about the clock business either.

    Let's move on now to the next 2 columns in program settings, Access Trusted and Internet. Columns 4 and 5 counting from the right. I have settings now of course. How are your own set up? Is there a simple way to start?

    What if I just change every green check mark program in Internet column 4 to a ? or block (except MS media player which I have permanently blocked) ?

    Or can we do it by program classes like all windows programs, all security programs all games etc etc?

    Advice please?

    Goal? Prevent packets that have no business leaving my PC from leaving?
     
  22. Cold Pizza

    Cold Pizza Guest

    Not to cut into this discussion with Stem, but a possible solution to prevent packets leaving your computer would be to install the program Ethereal (Free). Unless I am totally wrong here, this program will review ALL outbound traffic leaving your computer. Just a suggestion!
     
  23. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    There have been other contending instructors putting in their own fax's.

    Please read post 1 since you are new. If you have questions on the ground rules in my thread just ask.

    Stem, have you used this Ethereal? It sounds like a duplication of what ZA Pro is doing and we don't need more technical conflicts in our test laboratory. So unless you think it would help you and me I'll do zip on this Ethereal for now.
     
  24. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    I have used this in the past. It is a packet sniffer/capture/analyzer. I use other programs that do the same as this app, as this is how I collect data on the packets/connections made, but I normally have such an app on the gateway to stop any possible conflicts with the firewalls I am checking.
    If you want to log all outbound/inbound packets, then yes, have a look. It will certainly give you more info than ZA logs.
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Thanks Stem, maybe later when we come out the bottom of this learning thread/laboratory.

    TO ALL POSTERS HERE, THANKS FOR ALL YOUR INPUT AND COMMENTS, I READ THEM ALL BUT CAN'T RESPOND TO ALL. I FEEL NOW THAT I OWE EVERYONE A SORT OF SUMMARY OF WHAT I HAVE DONE WITH MY OWN ZA PRO SETTINGS. THEY SHOULD NOT IN MY VIEW EVER BE JUST COPIED BY OTHERS SINCE WE HAVE LEARNED THAT EACH USER IS DIFFERENT AND HAS DIFFERENT NEEDS. I HAVE THAT &^%$ GAMING PC SHARING MY ROUTER, YOU MAY NOT HAVE THAT ETC ETC

    So here is my summary of what I have done in Program Control so far

    1. Send mail all red x'd except mail server, in my case MS Outlook
    2. Server, Trusted and Internet all red x'd for every program except those I killed outright
    3. Killed (using trust level) all games like solitaire etc
    4. Killed 4 windows programs for media player
    5. Set advanced program settings to match the server settings so new programs asking for connect don't violate MY rules. This doesn't work for send mail, so ZA forces you to look from time to time to ensure send mail was not added without your permission.
       After today's MS Update 2 MS programs were added but send mail was allowed by default. Comment: ZA defaults weak, why allow send mail for system programs and games?
    6. Backup your ZA settings daily for restore during testing and strengthening your security
    7. Set LAN to Internet not Trusted in spite of the never ending debate

    Notes from this morning's start up program requests: GHPw32 outgoing goes to time nist.gov, this must relate to the time sync discussion.

    wuauclt.exe and PC Health Help requested to be parents

    BD10\vsserver.exe requested permission to access the internet

    ZA Pro continues to turn off my "log all alerts" setting; this is a bug in ZA Pro.
     
    Last edited by a moderator: May 29, 2007