Tony's ruleset - Minor problem with Zone Alarm settings

Discussion in 'Ghost Security Suite (GSS)' started by zoril, Apr 17, 2006.

Thread Status:
Not open for further replies.
  1. zoril

    zoril Registered Member (Joined: May 31, 2005; Posts: 243)
    I found at startup that certain settings re my Zone Alarm Firewall (based on the svchost) were being refused. On the standard ruleset this was not the case? I wasn't given the choice to accept or refuse..........Howard
     
  2. TopperID

    TopperID Registered Member (Joined: Oct 1, 2004; Posts: 1,527; Location: London)
    I'm wondering if this has anything to do with ZA's email (ZAmailsafe) protection which likes to set values on the HKEY_CLASSES_ROOT\* Key. The new Tony ruleset has a lot of these 'file association' extensions covered and it just might interfere.

    I am of course referring to ZASS, ZAP etc; I don't think this applies to the free version of ZA. But if you are running the former, create an Application Rule for:-

    zlclient.exe

    <PF>\zone labs\zonealarm\zlclient.exe

    HKEY_LOCAL_MACHINE\Software\Classes**

    and see if you have problems then. (BTW I know that Key is different from HKEY_CLASSES_ROOT\*, but it works this way due to an anomaly!).


    Another possibility (and this might be relevant to free ZA as well - particularly since you mention SVCHost) is to try creating an Application Rule for both vsmon.exe and SVCHost as follows:-

    vsmon.exe

    <WD>\system32\zonelabs\vsmon.exe

    HKEY_LOCAL_MACHINE\System\*controlset*\Services**


    SVCHost

    <WD>\system32\svchost.exe

    HKEY_LOCAL_MACHINE\System\*controlset*\Services**

    In all of the above cases you need to allow Values to be set.

    If none of that works you really need to put up a screenshot of your Log, otherwise we are stabbing in the dark!
     
  3. zoril

    zoril Registered Member (Joined: May 31, 2005; Posts: 243)
    I think that you may be right.

    I am using the Zone Alarm free version. My problem is that I am not very good at configuring the advanced options...

    Most of the time Reg Defend gives me the option to accept or reject but not this time!...............Howard:)
     
  4. TopperID

    TopperID Registered Member (Joined: Oct 1, 2004; Posts: 1,527; Location: London)
    I was only making suggestions.

    What you really need to do is look at your RD log to see what is being denied and make a note of the app concerned (eg zlclient.exe, vsmon.exe etc) and the Rule/Reg Key that it wishes to amend. With that information it would be possible to make a more precise recommendation.
     
  5. Rilla927

    Rilla927 Registered Member (Joined: May 12, 2005; Posts: 1,710)
    Hi Topper,

    In post #2, in re: to ZASS, you have to add those values to RD?

    I have ZASS that's why I ask. I don't have RD installed yet.

    Thanks

    Rilla927
     
  6. TopperID

    TopperID Registered Member (Joined: Oct 1, 2004; Posts: 1,527; Location: London)
    There is an 'E-mail Protection' section in ZAP and ZASS, and I have noticed that every time you click the tab to enter that section in the ZA GUI, or click the 'Attachments' tab, ZA will set values on the sub-keys relating to all of the protected extensions on the HKEY_LOCAL_MACHINE\Software\Classes Key.

    I have also noticed that if you have all those sub-Key extensions protected by RD on the HKEY_CLASSES_ROOT Key, then ZA will hang for a few seconds whenever you click to enter ZA's e-mail protection section or Attachments sub-section. Also, due to a quirk in the way Windows operates, you will not receive a pop-up from RD nor do you see anything in RD's log.

    As it happens, the new Tony Ruleset does protect a long list of HKEY_CLASSES_ROOT extensions in its 'File Association' section. So if you installed RD and experience a slight 'hang' problem you should be able to get round this by creating the following Application Rule:-

    Group Name: zlclient.exe

    Filename: <PF>\zone labs\zonealarm\zlclient.exe

    Key: HKEY_LOCAL_MACHINE\Software\Classes**

    Value: *

    Allow 'Set Value'

    I should explain that I'm personally running a modified Ruleset that protects all extensions on HKEY_CLASSES_ROOT\.* This makes it more of an issue for me; but the above App Rule solves the problem and I then see all activity in RD's log section.

    Naturally, you would only need to create the App Rule if you had a problem and it may be that the more limited list of extensions in the Tony Ruleset would not give you a problem.
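
Added example, not part of the thread and not any poster's or RegDefend's own code: a small checker that takes the application and key from a denied log entry (as post #4 asks for) and reports which of the Application Rules quoted in posts #2 and #6 would cover it. It relies on the Windows fact that HKEY_CLASSES_ROOT is a merged view of HKEY_LOCAL_MACHINE\Software\Classes and HKEY_CURRENT_USER\Software\Classes; the glob reading of `*` and `**`, matching the process by file name only (the `<PF>`/`<WD>` paths are ignored), the `ExampleSvc` service name and the log entries are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Application Rules quoted in the thread: (process file name, key pattern).
RULES = [
    ("zlclient.exe", r"HKEY_LOCAL_MACHINE\Software\Classes**"),
    ("vsmon.exe", r"HKEY_LOCAL_MACHINE\System\*controlset*\Services**"),
    ("svchost.exe", r"HKEY_LOCAL_MACHINE\System\*controlset*\Services**"),
]

HKCR = "hkey_classes_root"
# HKEY_CLASSES_ROOT is a merged view of these two keys, not a separate store.
BACKING = (r"hkey_local_machine\software\classes",
           r"hkey_current_user\software\classes")


def backing_paths(key):
    """Lower-cased paths a logged key name can actually be stored under."""
    k = key.lower().rstrip("\\")
    if k == HKCR or k.startswith(HKCR + "\\"):
        return [base + k[len(HKCR):] for base in BACKING]
    return [k]


def covering_rules(process, key):
    """Key patterns from RULES that cover `key` for `process`.

    Assumption: '*' and '**' act as plain globs that may span backslashes.
    """
    return [pattern for proc, pattern in RULES
            if proc == process.lower()
            and any(fnmatchcase(path, pattern.lower())
                    for path in backing_paths(key))]


# Constructed log entries (denied process, key); not taken from a real RD log.
DENIED = [
    ("zlclient.exe", r"HKEY_CLASSES_ROOT\.exe"),
    ("svchost.exe", r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ExampleSvc"),
    ("vsmon.exe", r"HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ExampleSvc\Parameters"),
    ("svchost.exe", r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for proc, key in DENIED:
        hits = covering_rules(proc, key)
        print(f"{proc:13} {key}\n    -> {hits if hits else 'no rule covers this key'}")
```

An entry that comes back with no covering rule is one to post from the log before widening any rule.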
     
  7. Rilla927

    Rilla927 Registered Member (Joined: May 12, 2005; Posts: 1,710)
    Hey Topper,

    Thanks for the info. I would have never known. It's good to know these things ahead of time with certain apps.

    Thanks

    Rilla927
     