za question

Discussion in 'other firewalls' started by Bethrezen, Oct 17, 2002.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    Does anyone know if ZA Free is immune to process killing? I only ask because there have been reports that this new virus, BugBear, attempts to shut down ZA, among others, and other apps like AVG, NAV, etc.

    Comments, anyone?
     
  2. CARCHARODON

    CARCHARODON Registered Member

    Joined:
    Oct 1, 2002
    Posts:
    68
    Location:
    Portland, Or. USA
    I believe they added a message box that pops up and asks you if the process can be killed. So yes.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Zone Alarm does have some built-in protections against being shutdown or externally terminated. I had tested some of this in the past, but when I saw your question, I decided to run several more tests to refresh my memory.

    Keep in mind that there are many versions of ZA and many different versions of Windows, and there are differences in how exactly this will work depending upon the mixture of these. Below are some of my generalized observations, based upon limited testing, but the results are in keeping with all I've heard/seen posted regarding Zone Alarm. This evening's tests were done with the latest version of Zone Alarm Plus (3.1.395).

    If a shutdown command is sent to it, ZA confirms the shutdown with a popup window asking for user confirmation. On NT-based Windows systems, this is also logged with a system event (which can be viewed in the Administrative Tools > Event Viewer). Some people have said it would be possible for a program to not only issue the shutdown command, but also respond to the popup window, hiding it from the user. I have NOT heard that BugBear can do this though.

    There are two main parts of Zone Alarm - the True Vector service (vsmon.exe), which is the actual firewall service and the User Interface (Zonealarm.exe). If True Vector is killed, ZA alerts the user with the popup window posted below. Notice also that the ZA icon in the Systray has changed to a bright X - during this time, all Internet / network access has been blocked. You can restart the vsmon.exe service, and connectivity can be restored once it’s running properly.

    If the Zonealarm.exe user interface is killed, Internet / network access is also blocked, but no popup is given. If both processes are killed off, network access is likewise blocked. Zone Alarm can still be restarted and network will be restored. If you don't restart it, you can't access the network.

    In my testing, I killed so much of it off, several different ways, that I finally decided to reboot to guarantee that I got it all back properly.

    Software firewalls can be terminated by malicious programs, but the program will need to be tailored for the firewalls it's trying to kill. A good Anti-Virus, combined with a memory resident Anti-Trojan, are good backup protection for your firewall.

    Best Wishes,
    LowWaterMark
     

  4. SaSa

    SaSa Registered Member

    Joined:
    Oct 17, 2002
    Posts:
    4
    Location:
    Germany
    Zone Labs' official BugBear response

    Key info:
    1. ZA Enterprise editions, ZA Pro, and ZA Plus are not affected.
    2. Only ZA 'free' is affected.

    Zone Labs response to the BugBear worm

    The BugBear worm is a new threat that spreads via email and network shares. Some reports indicate that the BugBear worm is capable of shutting down Zone Labs' software.

    Enterprise users need not concern themselves with these reports. Due to their multiple layers of protection, Zone Labs Integrity and ZoneAlarm Pro are completely unaffected by the worm. Also, for users of POP email accounts, these applications offer an additional layer of protection through Advanced MailSafe. MailSafe identifies and quarantines suspicious email attachments upon arrival, preventing infection from email in the first place.

    Home and small business users of our ZoneAlarm Pro and ZoneAlarm Plus products are also protected from this worm, and do not need to worry about these reports.

    Against our free ZoneAlarm product, BugBear is sometimes able to shut down the graphical user interface. If your copy of ZoneAlarm is affected by a BugBear infection, you should remove BugBear with anti-virus software, and then reinstall ZoneAlarm by following the instructions at http://www.zonelabs.com/store/content/support/znalmInstallFAQ.jsp. Zone Labs is examining further methods to eliminate the potential effects of this worm on our free product.

    We recommend that users always run an updated anti-virus product along with a Zone Labs product to maximize protection for their PCs.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Shutting down the GUI shouldn't lower the firewall's actual protection, but it does make for difficult operations, that's for sure. It'd be nice if ZL had specifically said what the actual effect on the firewall module was when the GUI is killed - one way or the other.

    As far as BugBear goes, it may be as simple as the killing of a named process or exe. The EXE that runs the GUI has a different name in each of the three products: ZAF, ZA+ and ZAP. It'd be interesting to know what's coded inside BugBear exactly.
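A defender's check for the behaviour LowWaterMark describes in his two posts above (vsmon.exe killed: popup and all network access blocked; zonealarm.exe killed: network blocked but no popup; a worm that may simply kill a named process). This is an added example, not Zone Labs' code and not anything posted in this thread. It assumes the two process names given in the thread, parses a constructed process snapshot in the text layout Windows' `tasklist` prints, and grades what is missing; on a Windows host it can be run with `--live` to check the real process table instead.

```python
"""Watchdog for ZoneAlarm's two processes.

Added example, not Zone Labs' code and not anything posted in this thread.
It takes a process snapshot in the text layout that Windows' `tasklist`
prints (a constructed sample is embedded below), reports which firewall
components are missing, and grades the result the way the thread describes:
losing vsmon.exe is loud (popup, network blocked), losing zonealarm.exe is
silent, so a periodic check like this one is what catches the silent case.
"""
from __future__ import annotations

import subprocess
import sys

# Process names taken from the thread (ZA free / Plus 3.1.x). The thread also
# notes that the GUI executable differs between ZAF, ZA+ and ZAP, so this table
# is an assumption that must be adjusted per product.
EXPECTED = {
    "vsmon.exe": "TrueVector firewall service",
    "zonealarm.exe": "ZoneAlarm user interface",
}

# Constructed sample of `tasklist` output: the service is running, the GUI
# has been killed, and an AV tray process is still present.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
explorer.exe                 1204 Console                 0     12,344 K
vsmon.exe                     876 Console                 0      4,212 K
avgcc.exe                    1388 Console                 0      2,100 K
"""


def parse_tasklist(text: str) -> set[str]:
    """Return the lower-cased image names from tasklist-style text.

    The image name is everything before the first all-digit field (the PID);
    that rule keeps multi-word names such as "System Idle Process" whole and
    skips the header and separator rows, which contain no digit-only field.
    """
    names: set[str] = set()
    for line in text.splitlines():
        fields = line.split()
        for i, field in enumerate(fields):
            if i > 0 and field.isdigit():
                names.add(" ".join(fields[:i]).lower())
                break
    return names


def missing_components(running: set[str], expected=EXPECTED) -> list[str]:
    """Expected component names that are absent from the running set."""
    return sorted(name for name in expected if name not in running)


def assess(running: set[str]) -> tuple[str, list[str]]:
    """Grade the firewall's state from the set of running image names.

    "critical": the TrueVector service is gone; the thread says all network
                access is blocked and ZA itself pops up a warning.
    "degraded": only the GUI is gone; the thread says no popup is shown,
                so nothing tells the user until a check like this one runs.
    "ok":       both processes present.
    """
    missing = missing_components(running)
    if "vsmon.exe" in missing:
        return "critical", missing
    if missing:
        return "degraded", missing
    return "ok", missing


def check_live() -> tuple[str, list[str]]:
    """Run the real `tasklist` (Windows only) and grade its output."""
    proc = subprocess.run(["tasklist"], capture_output=True, text=True, check=True)
    return assess(parse_tasklist(proc.stdout))


if __name__ == "__main__":
    # Default to the embedded sample; pass --live on a Windows host to check
    # the real process table instead.
    if "--live" in sys.argv:
        state, missing = check_live()
    else:
        state, missing = assess(parse_tasklist(SAMPLE_TASKLIST))
    print(f"firewall state: {state}")
    for name in missing:
        print(f"  missing: {name} ({EXPECTED[name]})")
```

The point of grading a missing GUI as "degraded" rather than ignoring it is the silent failure LowWaterMark observed: the service may still be up and blocking, but nothing on screen says so. The script only reports; restarting the service or the GUI, as the thread describes, remains the user's step.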
     
  6. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Hey guys & gals

    I just updated my old "ZA" to 3.1.395. Now http://www.grc.com -probe my ports- shows my HTTP port 80 as closed, not stealthed, unlike with the old ZA. Actually port 80 showed as open with "Spyblocker", but I threw that away. And now 80 is closed. Shall I return to using the old ZA, or what is this all about? Is ZA getting worse? Now I do not get UDP 137 probes at all, which is weird. They are all gone.

    Grateful for info.
    -Ari
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Krusty,

    Question for you - how did you update ZA? Did you install it over your existing ZA, or did you uninstall the old version (including emptying the c:\windows\internet logs\ directory) and then install the new version cleanly?

    I know the Zone Labs website does say you can install over the top of the previous version, but whenever there are problems, the first thing their support tells you to do is uninstall fully and reinstall cleanly.

    Also, as to port 80, I have not heard anything at all that says the new ZA has a problem securely stealthing all ports. The problem you are having is not common, so I suspect a corrupt installation is the issue.

    If you'd like to try it again, here are the instructions for a full uninstall of ZA...

    http://www.zonelabs.com/store/content/support/znalmInstallFAQ.jsp

    Let us know your situation in regards to the question I've asked and we can advise you further.

    Best Wishes,
    LowWaterMark
     
  8. snowy

    snowy Guest

    Respectfully given suggestions


    FILE PROTECTOR: by Javacool


    From the supplied information it appears at first blush that the free version may be open to this attack because it lacks the e-mail protection of the ZA shareware versions... Possible fix: a script protector such as SCRIPT DEFENDER... with the proper script name inserted, for example: wsh...


    I may be incorrect here... feel free to correct.


    snowman
     
  9. *Ari*

    *Ari* Registered Member

    Joined:
    Feb 15, 2002
    Posts:
    431
    Location:
    Finland
    Thank you for the fast answers Admin Paul and LowWaterMark !

    That was exactly what I eventually thought: it was a corrupted install, OR it doesn't matter, because everything can be hacked in the end.
    Besides, this connection is dial-up, so I notice for sure when something strange is going on.
    Yep, sure, I installed it as a patch like it recommends. :rolleyes:

    -Ari

    ZA needed the computer to be rebooted after removing all parts of ZA, and rebooted after the new install. It works perfectly :)
    thanks to Steve Gibson for a great firewall
     