Sneaky Prevx

Discussion in 'Prevx Releases' started by StevieO, Jul 26, 2009.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Sir,

    In ZA all my Apps are configured to Always ask me for permission for access to the internet. So how does Prevx manage to sneak out data after detecting something new, or a potential FP?

    Malware could quite easily make use of this technique, surely! So how to only allow the good guys like Prevx, and block the bad?

    Concerned in Tunbridge Wells.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    are you sure you have not allowed Prevx, and whatever .exe it uses, access to the net?
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Hi, yes, I've just rechecked for you, and everything in ZA is set with a ? or X.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    if you click block all network traffic can Prevx connect?
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    No, just tried by double clicking on a new file.
     
  6. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Just thought, it might be using FF to sneak out? Going to log off and close all browsers and try. I'll be back.
     
  7. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    No it wasn't that, so o_O
     
  8. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    in ZA amongst the apps allowed out there will be a prevx component
     
  9. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Not that I can see, have a look.
     

    Attached Files:

    • za.png (34.5 KB)
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    what happens if you block that prevx entry?
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    It doesn't get out when I block all 4, but then ....

    Jeepers creepers, would you believe it? All I did was change 1 thing as in the screenie, and out it goes with NO warning. What's up with that o_O

    Not good at all, and makes me now wonder about what else could escape, or has!

    Well I'm looking forward to an answer from someone at Prevx ASAP, not that it's possibly their fault of course. But if they need data out and people's FWs block it, then it won't reach them. But it shouldn't surreptitiously bypass a FW, if that's what it's doing!

    I'm all ears, I mean eyes.

    Cudni Thanx for your input.

    S
     

  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    it would be interesting to hear what ZA has to say and why there is no prompt for connection (could be a bug)
     
  13. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    That's weird indeed o_O We aren't using anything strange to connect out... if you ask someone at ZL, you can tell them that Prevx uses the 'cURL' library to connect out.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Just curious, StevieO... you're using Online Armor Firewall and ZoneAlarm together?
     
  15. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Cudni

    Quite honestly I doubt if ZA would even respond, as I'm using v5.5.062.000 on XP.

    PrevxHelp

    OK that's good to hear. Not sure exactly what the 'cURL' library is, so I'll look it up.

    Page42

    Actually no, that entry must be from a previous OA version I tried, and I'm using the free version not Premium, so I don't know why it shows that?

    Thanx all
     
  16. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    In the background ZoneAlarm silently uses the Application Layer Gateway Service for communications to bypass its Firewall.
    With ZoneAlarm the Firewall Rules are superficial because ZoneAlarm does as it wants when it comes to communications.
    One can create a Block Rule and ZoneAlarm will find a way around the block through the Application Layer Gateway Service.
    The TrueVector Service patches the Windows Kernel far too deep for my comfort.

    HKEY1952
     
  17. Airflow

    Airflow Registered Member

    Joined:
    Jul 5, 2009
    Posts:
    39
    lol, what did you expect?:D :eek: :eek:
     
  18. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    HKEY1952

    Really, sheesh, how about that, the barstewards !

    After you wrote that I X'd all the lines in ZA for ALG, which didn't seem to cause any problems for anything. But now I'm trying out the FW in OA, so I'll see what does, or doesn't!

    Thanx for the Very helpful insight.

    Airflow

    Err, not that lol.


    S
     
  19. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    LOL what crap, ZA does not need alg.exe, it filters all communication via vsmon.exe, the firewall driver cannot be blocked via ZA. ZA cannot block itself (you can however turn off all the features that communicate out).

    Every year a new conspiracy theory on ZA. Must be like MS BS secret code... ZA was tested here by Stem and others and there were NO leaks OUT, stop posting BS!!

    On the other issue... well XP was not even there with version 5.5... sooo you can draw your own conclusions. :) Have you tried any more recent versions?

    Fax
     
    Last edited: Jul 28, 2009
  20. HKEY1952

    HKEY1952 Registered Member

    Joined:
    Jul 22, 2009
    Posts:
    648
    Location:
    HKEY/SECURITY/ (value not set)
    No one is talking about blocking ZoneAlarm or blocking the firewall driver, why don't you get your FAX straight before you Post.
    Also, the ZoneAlarm Forum tactics of defending ZoneAlarm do not work over here at the Wilders Security Forums.
    It is an FAX that the Application Layer Gateway Service can be used to bypass Firewalls.
    ZoneAlarm is currently only surviving on past reputation, and that reputation is rapidly decaying.
    Perhaps I sentenced it wrong in my first Post, it should have read:
    The ZoneAlarm vsmon.exe uses the Application Layer Gateway Service in its communications to bypass its Firewall.
    You know for an FAX that most of the ZoneAlarm Rules, especially the Expert Rules are ignored by ZoneAlarm and most of the Rules are superficial.
    Trying to set up Custom Rules or Expert Rules always corrupts ZoneAlarm and the ZoneAlarm user receives the famous ZoneAlarm Forum remedy:
    You have corrupted your installation of ZoneAlarm, you need to Reset ZoneAlarm. Now that's BS.


    HKEY1952
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    ehu? LoL What are you talking about?
    ZA using ALG to avoid itself? It does not need to.
    It will use its own/MS services to connect out! Maybe you should put some FACTS on the table. Because otherwise it looks like you have been smoking something strange :)

    No comment on the rest of the post... already gives the reader a clear flavour on your ZA feelings ;)

    Fax
     