Question about ZA HIPS

Discussion in 'other firewalls' started by Rasheed187, Jan 5, 2006.

Thread Status:
Not open for further replies.
  1. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    I have installed Download Express and now IE wants to install a global hook, otherwise DE won't work. Of course I don't want to be bothered about this over and over again, so now I have given IE "super" access. The question is, will malware that gets loaded by some zero-day bug in IE be able to do more damage now? I still run IE as a basic user, so it will not be able to install drivers or start/stop services, even with the "super" setting, I assume. o_O
     
  2. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    I have it in Trusted. Super just seems too risky for me. :T
     
  3. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Below is ZAP's reaction to IE's encounter with .WMF.

    In the security tab of options under Program Control, IE is not allowed to automatically interact with other programs or use other programs to access the Internet.

    Regards - Charles
     

    Attached Files:

  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    Yes, that's the problem: if you give an app "super access", ZA won't alert you about suspicious behaviour anymore, and that can be a problem with browsers like IE and Maxthon. I mean, of course you would want to be alerted about global hooks, services/drivers, code injection and application launching.

    For example, Maxthon has a feature where you can launch other apps via the browser (for quick access); the problem is that ZA will alert you every time. This can be a good thing, but it can also become annoying. So a solution would be to have more control when it comes to child-parent process interaction, like in System Safety Monitor.

    As I said before, I run IE/Maxthon in non-admin mode, so that should already protect against a lot of malicious actions taken by malware. This means that apps launched by IE/Max will not be able to do a lot of stuff, plus ZA Pro will still alert me if they want to install, for example, a global hook; I have tested this. :)

    So for a bit more security I can perhaps upgrade to the full PG version (if ZA Pro misses anything), and for better application control I could use SSM. I'm afraid I also need an app like RegDefend because ZA Pro is not monitoring all the important registry keys. So it looks like I might need to spend a lot of bucks. :rolleyes:
     
  5. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA
    Rasheed and others interested: this is just an FYI about the OS Firewall in ZAP and ZASS. Late in the beta testing process I saw that the way OS Firewall alerts were being handled was going to cause some users concern, and I feel that concern is justified. As zcv's screenshot shows, checking "remember" will permanently Allow/Disallow said action, not only for what triggered that alert but for everything in that alert's class. By class I am referring to, in ZA-speak, Medium-rated suspicious behavior (there are 4 items in this behavior) and High-rated suspicious behavior (there are 14 items in this behavior).

    I did submit a feature/enhancement request to ZL about this, outlining not only my personal concerns about how secure the current handling of checking 'remember' is, but also my concerns about how the more security-savvy ZA users were going to receive this. My request was for each behavior class item to be dealt with individually, not at the class level. Unfortunately this did not make it into the release version, but I will be lobbying ZL to incorporate my suggestion in the next version. Only time will tell. :)
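    The risk Disciple describes (a remembered "allow" applying to a whole alert class rather than to the one behaviour that triggered it) is easy to see in a small policy model. The following is an added illustration written for this thread, not ZoneAlarm code: the behaviour names and their class assignments are hypothetical, since the post only gives the class sizes (4 Medium, 14 High). It compares class-level "remember", per-item "remember", and the "super" setting Rasheed asked about, by listing which behaviours a program could then perform with no alert at all.

```python
"""Toy model of HIPS "remember" granularity: class-level vs per-behaviour.

Constructed illustration for this thread, not ZoneAlarm code. The behaviour
names and class assignments below are hypothetical; the thread only says the
Medium class has 4 items and the High class has 14.
"""
from dataclasses import dataclass, field

# Hypothetical suspicious behaviours mapped to ZA-style alert classes.
BEHAVIOUR_CLASS = {
    "install_global_hook": "high",
    "install_driver": "high",
    "start_stop_service": "high",
    "inject_code": "high",
    "launch_application": "medium",
    "modify_startup_key": "medium",
}


@dataclass
class HipsPolicy:
    # True  -> "remember" stores a (program, behaviour) decision (what Disciple asked for)
    # False -> "remember" stores a (program, class) decision (ZA behaviour described above)
    per_item: bool
    super_programs: set = field(default_factory=set)  # "super" access: never prompted
    remembered: dict = field(default_factory=dict)    # key -> "allow" | "deny"

    def _key(self, program, behaviour):
        if self.per_item:
            return (program, behaviour)
        return (program, BEHAVIOUR_CLASS[behaviour])

    def request(self, program, behaviour, answer=None, remember=False):
        """Decide one behaviour request; returns (decision, prompted).

        `answer` is what the user would click if prompted ("allow"/"deny").
        No answer (user away, timeout) is treated as deny, which is the
        fail-closed choice a HIPS should make.
        """
        if program in self.super_programs:
            return "allow", False
        key = self._key(program, behaviour)
        if key in self.remembered:
            return self.remembered[key], False
        decision = answer or "deny"
        if remember:
            self.remembered[key] = decision
        return decision, True

    def silently_allowed(self, program):
        """Behaviours `program` could perform right now with no alert shown."""
        allowed = set()
        for behaviour in BEHAVIOUR_CLASS:
            decision, prompted = self.request(program, behaviour)
            if decision == "allow" and not prompted:
                allowed.add(behaviour)
        return allowed


def demo():
    """Same user action under three policies: allow IE's global hook, tick 'remember'."""
    results = {}
    for per_item in (False, True):
        policy = HipsPolicy(per_item=per_item)
        policy.request("iexplore.exe", "install_global_hook", answer="allow", remember=True)
        results["per_item" if per_item else "per_class"] = policy.silently_allowed("iexplore.exe")
    # "Super" access: no prompts for anything, regardless of granularity.
    super_policy = HipsPolicy(per_item=True, super_programs={"iexplore.exe"})
    results["super"] = super_policy.silently_allowed("iexplore.exe")
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>9}: {sorted(allowed)}")
```

    With class-level "remember", allowing the one hook Download Express needs also silently allows driver installation, service control and code injection for IE, because they share the High class; with per-item "remember" only the hook is pre-approved, and the rest still prompt. "Super" removes every prompt, which is why the thread treats it as the riskiest of the three.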
     
  6. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hi Disciple,

    My request was for each behavior class item be dealt with individually, not at the class level.
    I certainly agree with you about that, but I didn't expect ZA to be fully mature with HIPS on the first outing.

    I've used PG and currently use SSM, and this area is not fully worked out in those apps either, although they are much further along than ZA.

    Another area for ZA to work on is logging, never ZA's strong point anyway; the HIPS logging should be a separate function or easily identifiable.

    Regards - Charles
     
  7. Disciple

    Disciple Registered Member

    Joined:
    Nov 14, 2002
    Posts:
    292
    Location:
    Ellijay, Georgia - USA

    Like most programs, new features do mature and evolve over time. I just feel that the current implementation causes more confusion and potential risk for an average user. It will be interesting to see what the next generation of the OS Firewall brings.

    Agreed, and even AppDefend has design/implementation pluses and minuses.

    How would you improve logging in ZA? To me, and this is only my opinion, as currently implemented, having one central log viewer with a drop list controlling what is seen in the list box makes sense. OTOH, if you are talking about the writing of all logged events to one file, I can agree that trying to read it in <insert your favorite text editor here> can be quite a task at times.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    8,055
    Location:
    The Netherlands
    @ Disciple

    Yes, I agree, that's a good idea. I think it's way too risky if you're not being alerted anymore about any dangerous behaviour when you give an app "super access". So I also think that the "Alert classes" should be handled differently. ;)

    @ zcv

    I agree that at the moment this area is also not working optimally in apps like PG and SSM; I would like to see this improved before I consider buying these apps. :rolleyes:
     