Three more remarks/questions about ZA

Discussion in 'other firewalls' started by stalker, Feb 2, 2004.

Thread Status:
Not open for further replies.
  1. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    I have two further questions/remarks related to my topic "ZA Expert Firewall/Program rules hierarchy" ...



    One is again about "incompatible" rules:

1.) If I use a p2p sharing program, which uses only the TCP protocol, only on ports 2240 and 2234. I also know the IPs of its 4 servers.

    So for this program, I set rules to permit all (green mark), but there is some confusion here. Putting server IPs (that the program uses) into the Trusted Zone (under Firewall-Zones, not under Programs-Expert Rules) doesn't make any sense. I would give full access to the servers, but as mentioned the users' IPs would still be in the Internet Zone.


- If I would allow in expert rules communication with the mentioned ports and IPs, and allow the TCP protocol, the actual users' IPs (from whom I will download/upload) would still be in the Internet Zone. So how to make expert rules for this program?

    Maybe to make Expert Rule to allow all (incoming/outgoing) on 2240 and 2234 ports for Internet Zone (from My Computer to Internet Zone, and inversely) ??


    - but then what about port settings in "Firewall - Custom - High/Medium security for Internet/Trusted Zone - Allow/Block Incoming/Outgoing TCP Ports" ...

    Do I need to put 2240 and 2234 ports also here under "High (if I have set slider High) security for Internet Zone" ??



    2.) Second question is very short. I constantly get an error message: "An error was encountered while parsing the XML data. Processing has been halted." After clicking O.K., sometimes all rules I made so far for specific program are gone, sometimes only the last one, sometimes all rules are there.

What is this error? Is it dangerous? In case some important rules are erased, and currently I am under attack, or some malicious program, or a program I don't want to access the internet wants to connect, etc.

    Could this error message appear also in Firewall/Zone Expert Rules, or in Trusted/Internet zone Rules ??

    Any idea, how to avoid it ??

I read somewhere it is possible to save these XML rules (probably as a file in xml format). How could I do that??



3.) As I wrote in one of my previous posts, True Vector Service (Zone Alarm 4.5.530), to be more specific - one certain thread - consumes an enormous amount of CPU ("kernel mode"), compared to the previous version, when using some specific program (Irfan View, and DU Meter) as the "front/active" application. When switching to some other program it jumped back to normal usage.

    I reinstalled it (I used NPF for some time instead, but its driver, Symevent.sys, was causing "Blue Screens", making errors to disk, etc.), and yesterday, after re-installing Zone Alarm, there was NO more such problem for some time. Now I just checked, when writing this post, and surprisingly, when watching some .gif in Irfan View, True Vector again jumped to 50 % CPU, and for that period it became the most CPU consuming process on my PC. Again, only in "kernel mode", and not in user mode (as usual applications are), or the Hardware Interrupts and Deferred Procedures placeholder ...

    And again right after switching back "front" application (the one, you are currently working with) the vsmon.exe CPU falls back on 0-5 % CPU average ...



    thanks for your answer
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Well, you don't have to use the Trusted Zone for this; you can create a special group instead. You referenced Groups in your other thread so it sounds like you know how to make them already, but just in case... The easiest way to make a group is in ZAP > "Firewall" panel > "Expert" tab > "Groups" button which brings up the Group Manager. Use the "Add" button. Name the group (something like "P2P Servers") and give it a description, then simply add all four servers, each as individual "locations" in that screen.

    Now, use this group in your rules for the P2P program. They aren't in the trusted zone and will only be used in whatever rule you decide to enter that group name in as either the Source or Destination of packets.

    Yes, the key point here is that a group set up as I described above is not in any zone, which means those servers (IP addrs) would be treated the same as any other Internet site - except for any rule in which you use that group name in either source or destination fields.

    Unfortunately, I don't use any P2P software, so I may need to use another example, but let's see... POP3 email. The rule you allow for that is Source: your computer/TCP any port (or limit ports to the range 1024-5000); Destination: your ISP's email server/TCP port 110.

    But, this is where I'm unsure because of not using P2P myself... When you run the P2P client yourself and it reaches out to look at available files from "out there", are both ends of the connection on only the two ports you mention, or are those ports just the "destination ports" in all cases? If so, then the source ports might be in the range of ephemeral ports (1024-5000), but again I just don't know. At the very least you should make sure which it is and set up your rules accordingly.

    You should not need to because you are granting server rights to the P2P program right? So ZAP should allow the traffic in regardless. (There are sometimes weird circumstances where you might need to add a port to the Allowed port list you mention if things just aren't working, but that is very rare in my experience. Try it without. If it doesn't work, try adding them as allowed incoming ports just as a test, but you should be able to get it working without those ports there.)

    Please describe exactly when you are getting that error. The only time XML data is processed should be when you are either using the Backup / Restore feature, or perhaps while making significant configuration changes. Are you getting these errors at other times during normal operation or just when trying to run a Restore or reconfigure your settings and/or rules?

    I need to know more about when you are getting these errors as noted above.

    That is the Backup / Restore feature available at ZAP > "Overview" panel > "Preferences" tab > "Backup and Restore Security Settings". Backup outputs all your rules and configuration settings to a new XML file for use later in a restore operation. Restore loads in an existing XML file (made from a previous backup) to reset / reload all your configurations when you need to replace or fix your ZAP configuration.

    Ah, I remember that discussion now.

    All I can say here is this... First, obviously this is not supposed to be happening. I think I posted last time on this that it must be a conflict or some similar incompatibility, though I can't say what. It doesn't help to know that it is kernel versus user mode or any of that because none of us have access to the internals of the ZA firewall. This information might help when you report this problem to Zone Labs and work with them diagnosing the problem, but those of us who are merely users of the product can't do anything about this.

    However, that said I'm wondering if this problem is related to your XML problem (and any other problem you might be having) and the source of it all is a bad configuration. There's no way you should constantly be getting XML parsing errors. You also shouldn't be getting runaway CPU usage by vsmon.exe either. But, if there is a corrupt configuration then maybe, just maybe that's behind all the problems.

A full clean setup of ZAP can be accomplished as follows. When you have a good backup XML file that stores what you consider to be a good configuration, you save that file somewhere safe and then wipe your current ZAP configuration. To do this...

    1. Shutdown the network connection.
    2. Shutdown ZAP using the proper exiting procedure from the systray icon.
    3. Check to be sure both the ZAP client and vsmon have exited (in Task Manager).
    4. Delete all files from \Windows\Internet Logs\.
    5. Start up ZAP.
    6. Check to be sure the client and vsmon have started in task manager, and look in \Internet Logs\ - there should be a new set of replacement ZAP true vector database files there now.
    7. Start your ISP network connection up. (If you get an alert about svchost trying to connect out, click Yes.)
    8. Go into ZAP > "Overview" panel > "Preferences" tab > "Backup and Restore Security Settings" > "Restore" button... When it asks for a XML file to restore, give it the one you saved above.

    Now, that is how you can get a really clean ZAP setup. Restore is supposed to work as described above. However, experience has shown me sometimes you have to reload these files more than once because of un-displayed parsing errors during restore. So what I do is I continue on like this:

    9. Disconnect network again.
    10. Shutdown ZAP again.
    11. Start ZAP up again.
    12. Connect the network.
    13. Go into ZAP's Preferences tab again and twice in a row restore the same XML file, one right after another.

    Don't skip any of the steps, especially the closing and restarting of ZAP; this is a very exact set of instructions!

    For me, this procedure has always ensured a clean and complete restore, with no missing rules or settings. (It isn't always necessary, but it does always work.)

    At this point, quite frankly I shutdown the network and ZAP, and then reboot my PC cleanly just to make sure I had everything perfect before testing anything else, but that may just be me. My system reboots in about 60 seconds and I can execute the above ZAP clean restore process, with reboot in about 6 to 8 minutes. I do this every month or so just to ensure a totally clean ZAP configuration and I rarely have any problems.
     
  3. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia


Thanks, LowWaterMark for all your very educative support. I think you are right about the CPU consumption. It is probably related to some OS settings I made (some time ago) in the current Windows installation.





Though, I have two more questions, but to not start another topic, I will post them here:

    - how much "access" (what kind of rules) to grant to the zlclient.exe process just for normal use (IP lookup, and other "required" features), and NOT for the update feature, or "More Info" for Component Alert, etc. ??


- Since I already mentioned the "More Info" feature: I must have misconfigured something in the past (certainly NOT related to ZA), because every time I try to use it, it says: "The default browser was not found".

    The same message "Web Browser could not be started" is displayed also when starting my AntiVirus program update (though everything is O.K., because the browser is needed only to check registration) ...

    There are also other similar symptoms: IE links are not working from inside Outlook, from inside various help (.chm, .hlp) files, URL links are not working - I ADDED A SCREENSHOT - (not if opened from inside IE, but if opened from the Start Menu), though I additionally checked that they (.html, .htm, and .url extensions) are set up to open (associated) with Internet Explorer, and there are more examples of some internal problem with IE "cooperating" with other programs ...




    Thank you for all your help again ...
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
I don't advise setting any expert rules on the ZA client. Just use the access settings and choose either Allow ("checkmarks") or Ask ("?") for all fields in the program line for ZAP. I find no value in trying to further control ZAP itself with custom rules.

    Sounds like you need to repair the file associations. Did you install some other browser at some point? Do you only have IE now? One of the easiest ways to have IE reclaim the full web file associations after you've let another browser have them is to let IE check and alert you: In IE > Tools > Internet Options... > Program tab > check "Internet Explorer should check to see whether it is the default browser". If another browser had the associations, this may cause IE to alert you and have it reset them all the next time it starts.

    Otherwise, you may have to look into a more complex IE repair or reinstallation of some sort, but that's a rather different topic than this.
     
  5. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    The last three (short) questions about ZA

1.) Simple question - how to set a "port range" correctly in Expert Rules --> Protocol. Just add a " - " character between the two ports ??

    Does ZA "understand" that ??

    Example: 1024-5000


    2.) Second is rather a remark - how to set Firewall/Zone (global) expert rules ??

    In which cases to use them ??

    What if I leave all fields empty, how protection would look like, how rules will be applied ??



    3.) And the last question - how ZA free version deals with all this, when we all know, it doesn't have "Expert Rules", nor "Custom" settings for HIGH or MEDIUM Trusted and Internet Zone ??



    Thanks for any explanation
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Re:The last three (short) questions about ZA

    Yes, that is correct. Basically, you go into the port number box (where 'Any' is by default) and type in a port range such as your example ('1024-5000'). Take a look at the image at this link. It's from the SpywareBlaster rule thread I noted before and it shows the use of ranges of ports a couple times.

I'm sorry, I'm really not sure what you are asking here? Can you explain your question in more detail? Are you asking why you would make global rules in the Firewall tab's Expert section? If so, the example I gave in your first thread here, for blocking worm traffic without logging, was a good reason to make a new expert rule.

    And I'm not at all sure what you mean by "What if I leave all fields empty..." - If you do that, you might as well not make a rule at all.

    ZAF can't do any of these more complex things. It just has basic inbound and outbound protections, much like the defaults (uncustomized) in ZAP. In the ZA Free product, you set a program to either allow, ask or block, and have no custom settings at all for a program. In its Firewall tab, you have just trusted, internet and blocked sites - no detailed port rules or custom allows or blocks.
     
  7. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Re:The last three (short) questions about ZA



Yes, I meant just that - all the fields are empty (ZA saying "No expert rules have been added"), so there are no Expert Rules, just Zone (Trusted/Internet/Blocked) Rules.

    How am I protected in such a case ??

    I just assume that all my protection then depends "only" on the High/Medium/Low rate (slider) in the Firewall section, Zone (Trusted/Internet/Blocked) Rules & Zone Expert Rules, and Program Access & Program Expert Rules ...

    And in which "cases" to make some rule, compared to the protection level, if having no rule !!




    Thanks for your answer
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Ah, I see what you mean.

    Expert rules set up in the Firewall panel are really just for customizing your access levels; they are not required in order to be secure.

By default, if you have the Firewall slider for the Internet Zone set to High, then ZA blocks all unsolicited packets. The only point in making rules under these circumstances is to: 1. allow some things (some form of access) that you want to come in and which are being blocked by default in ZAP; or 2. perhaps set different time-of-day restrictions, or different logging settings that vary from the overall configuration in ZAP.

    Leaving the expert rules blank in the Firewall tab is not a bad thing at all. They are available merely to customize (usually to expand) the accesses being allowed.

    But, the expert rules in the Programs section are a different case. You can add a lot of security by adding expert rules to certain programs - my Outlook Express example is a good one. You see, with ZAP if you allow a program but don't define any expert rules for it, then it is allowed to access any port, at any time, to any destination. With Program expert rules you can dramatically narrow the access of a program. So, these are worth adding in order to increase security. But global rules in the firewall section are not needed to increase security - rather they are used to allow or change access, not secure it.
     
  9. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
I just remembered to write two more things here:

    1.) I use some program which caches all that is put to the clipboard. It stores the last 15 entries. Very useful program, if you cut some text and forget to paste it; it also has "permanent clipsets", which are brilliant for HTML editing and other programming.

    So, it is 100 % not an internet-related program, but it sometimes causes ZA alerts (if I for example try to paste part of an IP or host to ZA)

    I am just curious - is this alert related to so called "Open Processes Control" function ??



    2.) My second additional question is - what is definition of "Incoming/Outgoing" traffic ??

As far as I can imagine, this has nothing to do with download/upload, but with "who" (which computer) started the connection (sent the request/first packet of data).

    So I am meaning, if for example my p2p sharing program starts connection to sharing servers, and someone will then browse my files and start uploading them from me, it would still be an Outgoing connection ??


    Am I right ??




    Thanks all
     

  10. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
The image you attached... Is that absolutely all that is ever alerted? If you look in the Log Viewer panel, is there any more information? I can't tell anything just from that alert image.

    But, it could be related to any of the advanced program controls. Modules, components of any type can cause alerts even if they themselves do not access the network - just so long as they are somehow connected to another program, they can be involved in an alert. This could be the case here, but without more alert or log information, I can't say.

    (Nice clipboard program, by the way. :) )

    The terminology of incoming and outgoing traffic never changes, regardless of who initiated the connection or the request for the movement of the data.

    It may be best to think of the ZA firewall as if it was a separate thing from your computer (in a logical sense), as if it was an external firewall of some sort. Incoming is always packets from the Internet coming in to your PC and outgoing is always packets generated on your PC heading out to some place off your PC, "through the firewall".

The place where the terms do vary like you are describing is "source" and "destination"... When you define rules, your PC can be either the source or the destination depending upon the context of the rule. If it is a rule to control incoming packets, then your PC is always the destination (and the source is out on the outside network). If it is a rule affecting packets going out from your PC to the world, then your PC is the source and the destination is somewhere out there.

    But, no matter the rule or context, outgoing packets are always those heading from your PC to the Internet regardless of the program involved or the system that requested the movement of the information.
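An added example, not code from this thread or from Zone Labs, that models in Python the ideas LowWaterMark explains above: a server group that belongs to no zone (post 2), port ranges typed as '1024-5000' (post 6), program expert rules narrowing a program that would otherwise be allowed any port and any destination (post 8), and incoming/outgoing versus source/destination (post 10). The field names, first-match-wins ordering with block on no match, and the 203.0.113.x / 198.51.100.x addresses are assumptions and constructed values, not ZAP's real internals.

```python
from dataclasses import dataclass

def parse_ports(spec: str) -> range:
    """'Any', a single port ('110') or a range typed as '1024-5000'."""
    if spec.strip().lower() == "any":
        return range(0, 65536)
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return range(lo, hi + 1)

# A group is a named set of locations in no zone: its members are treated like
# any other Internet address except in rules that name the group (constructed IPs).
GROUPS = {"P2P Servers": {"203.0.113.10", "203.0.113.11",
                          "203.0.113.12", "203.0.113.13"}}

@dataclass
class Packet:
    direction: str     # "incoming": Internet -> this PC; "outgoing": this PC -> Internet
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str = "TCP"

def endpoints(p: Packet) -> tuple:
    """Source/destination as a rule names them: the PC is the destination of
    incoming packets and the source of outgoing ones, whoever initiated."""
    if p.direction == "outgoing":
        return ("My Computer", p.remote_ip)
    return (p.remote_ip, "My Computer")

@dataclass
class Rule:
    action: str                # "allow" or "block"
    direction: str             # "incoming", "outgoing" or "any"
    remote: str = "Any"        # a group name, a single IP, or "Any"
    local_ports: str = "Any"
    remote_ports: str = "Any"
    proto: str = "TCP"

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction) or self.proto != p.proto:
            return False
        if self.remote != "Any" and p.remote_ip not in GROUPS.get(self.remote, {self.remote}):
            return False
        return (p.local_port in parse_ports(self.local_ports)
                and p.remote_port in parse_ports(self.remote_ports))

def decide(program_allowed: bool, expert_rules: list, p: Packet) -> str:
    """Allowed program, no expert rules: any port, any destination.
    With rules: first match wins, no match blocks (assumed ordering)."""
    if not program_allowed:
        return "block"
    if not expert_rules:
        return "allow"
    for rule in expert_rules:
        if rule.matches(p):
            return rule.action
    return "block"

# Rules for the P2P client of post 1: ephemeral source ports to the four
# servers on 2240/2234, plus inbound peer connections to local port 2240.
P2P_RULES = [
    Rule("allow", "outgoing", remote="P2P Servers", local_ports="1024-5000", remote_ports="2240"),
    Rule("allow", "outgoing", remote="P2P Servers", local_ports="1024-5000", remote_ports="2234"),
    Rule("allow", "incoming", local_ports="2240"),
]
```

With `P2P_RULES` in place the client can still reach the four servers and accept peers on 2240, but an outgoing connection to port 80 of an arbitrary host is blocked, which is exactly the narrowing post 8 describes; with an empty rule list the same packet is allowed.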
     
  11. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia

    Yeah, the one and only alert, related to Clipomatic.exe process




    You know it ??




    Ah, so it IS related to downloading (from someone) vs. uploading (to someone) ??



    Thanks, LowWaterMark for all your friendly and educative answers !!!
     
  12. stalker

    stalker Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    152
    Location:
    Ljubljana, Slovenia
    Hi,


    Again, because I don't want to start whole new topic for only this question, I will answer it here ...


    When I tried to restore ZA configuration, I got that error, that .xml was not formatted properly. Anyone knows, what could cause it ??


Maybe a HD problem (though scandisk didn't find any problems on my F:\ partition, where the .xml files were stored ...) ??




    Thanks again
     

  13. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    I'm sorry, I've never seen that error.

Generally, when you use the Backup button to create an XML output file, it should be fine when you use that file later for a Restore. (Well, so long as you don't try to edit the file or alter it in any other way.)
     