I'm "stealthed" no matter what I do

Discussion in 'other firewalls' started by Soul_Flame, Apr 18, 2002.

Thread Status:
Not open for further replies.
  1. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    I'm demoing different software firewall applications and decided to run some of the different online tests for comparative purposes.  So first, I decided I needed a baseline as to what I look like unprotected.  Normally I run behind a linksys router, so I unplugged from that, disconnected the router from the dslmodem, and plugged directly into the dslmodem (of course reconfiguring all my ip info).  I turned off any firewalls, and the only security related app I had going was NAV2002.  

    I ran tests at GRC, Security Space, PC Flank and DSLReports, and every single test came back with a perfect score of either "0" or "all stealthed".  I run XP Home and have the XP Firewall disabled.  

    How can this be?  I really don't understand these results.  I was expecting to see a bunch of open and closed ports, but not stealthed.  I'm really at a loss as to how to proceed, as I now have no basis upon which to differentiate the effectiveness of different firewall applications.

    How can I get "unstealthed"?
     
  2. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Soul_Flame - You might want to try making sure you're running an IM program (ICQ, AIM, etc), a file-sharing program (WinMX, audiognome, etc) and that you go in and enable file-sharing within your OS itself before you take the tests (and, of course, change that back after the test). Pete
     
  3. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    spy1.....I don't have any IM apps, but I do have audiogalaxy, i could try that.  re filesharing, since I have a little two pc 'home network', I already have file and print sharing enabled.

    I would think that should be sufficient to show as vulnerable.
     
  4. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Well, since it's XP OS - are you sure it's actually got the built-in firewall turned off ? Not at all familiar with it.

    Does it have a 'Network' icon in Control Panel? If so, in the 'Configuration' tab, does every single item listed in the network components box have "I want to to be able to give others access to my files" checked when you click on 'File and Print Sharing' for each item listed?  Pete
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    My first guess is that it's not you being scanned. Go to the command prompt and type ipconfig and see what your IP is and compare that to the IP reported by the scan site.
    Pete, I don't understand why you would want to enable file sharing or whatever just for the sake of a test.
    For real world best results. I always suggest testing your machine in the configuration you run it in. If you make special settings for tests, your just fooling yourself.
    Perhaps I misunderstand.
    If your true IP is being scanned, then I have to believe the XP firewall is blocking, unless by some fluke you have all your system services and settings such that there is not one port listening. Find that hard to believe because port 135 is always listening.
    Also may be possible your ISP has a firewall?
     
  6. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    root.....yeah, it's reporting the correct ip, no question.

    I've triple checked and the XP Firewall is definitely NOT enabled.

    Re the file/print sharing, I had the same question.  I would think I should be able to test in my normal mode, and having to 'gimmick up' my setup to test doesn't seem right to me.

    I don't think my ISP has a firewall or filtering in place.  I've heard that if you run zone alarm, even with it disabled and shut down there have still been reports of test problems.  I'm going to do a hard uninstall per their support pages, delete my internet logs, the whole 9 yards, then re-test.  It's a pain to do it and I have to wait for the right time because I have to unplug the router and connect directly, so the wife's machine is stranded while I'm testing.  I'll report back what I find, but this really has me stumped.
     
  7. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    My guess is that (since you are sure you have all firewalls down/disabled) if it is not one of your firewalls that is somehow still loading its driver - your ISP *may* be blocking the attempts.

    In my experience, this would be highly unusual - I have never come across an ISP that would block ALL hack attempts and let my computers pass stealth on ALL tests (I do know of a couple that block on a very rudimetary level, which is necessary because anything higher might block services that clients are running, such as VPN, video-streaming, etc.).

    I'm rather interested to read how this turns out.
     
  8. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    S_F and root - "So first, I decided I needed a baseline as to what I look like unprotected."

    There I go, taking things literally again. Pete
     
  9. FanJ

    FanJ Guest

    S_F,

    Maybe a stupid question from my side, but were you using ZA(P)? And in case you did, did you uncheck the box "Load ZA on start up" and then reboot? That is the only way in which ZA(P) will not be running.
    Well, maybe you knew this all already or you weren't using ZA(P); in that case: sorry !
     
  10. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    FanJ......yep, did exactly that.  One question though, would I not be 'unprotected' had I simply shutdown ZAP and not rebooted?  

    Spy1...not sure I understand your post about taking things literally.  I consider an 'unprotected baseline' to be normal settings minus security software, ie, turn off firewalls and see just how naked my pc is.  
     
  11. FanJ

    FanJ Guest

    Hi Soul_Flame,

    Yes, as far as I know if you only "simply" shutdown ZA, the firewall would still be running. You have to un-check the box "Load ZA on start-up" and then reboot, and only then the firewall ZA would not be running.
     
  12. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    If you are using ZAP, simply set the firewall security level down to "low", which in ZAP 3.0, at least, means the firewall should not be blocking anything.
     
  13. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    Well, I discovered what the problem was.  And guess what, unchecking the 'load at startup' box and rebooting is NOT enough to neuter ZAP.  I uninstalled it yesterday and hadn't run it in days, and had rebooted several times since then.  The uninstall could not be completed because some element of True Vector was still active.  Had to reboot to complete the process, after which 'unprotected' scans revealed closed and open ports, but nothing stealthed.

    I really dislike the 'stickiness' of ZoneAlarm and I'm glad it's off my system.
     
  14. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,997
    Well, glad to hear you got everything working...

    But I have a quick question (if you don't mind):
    What version of ZoneAlarm/ZoneAlarm Pro were you using? (I find it interesting that it was so "stuck" as you put it, into the system. I'd be interested to see if I could replicate this effect.)
     
  15. Soul_Flame

    Soul_Flame Registered Member

    Joined:
    Apr 7, 2002
    Posts:
    41
    javacool, no problem at all.  It was the latest version, 3.018 if memory serves.  That sounds right, anyway.  OS was XP Home.
     
Loading...
Thread Status:
Not open for further replies.