za+ set up help

Discussion in 'other firewalls' started by Bethrezen, Apr 19, 2003.

Thread Status:
Not open for further replies.
  1. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi all

    i recently got a hold of a copy of za+ but i have no clue how i should configure it as previous to this i only ever used the free version of za as i don't have a clue how to work rule base firewalls coz there to complicated but now i got all these extra settings to play with and I'm totally lost and in need of some immediate assistance

    here is a basic run down of how i have za set so far

    overview/preferences

    i have hide ip when applicable checked

    firewall/main

    i have both sliders set to high

    firewall/main/custom

    i have unchecked everything under both trusted and internet zone

    firewall/main/advanced

    i have auto check gateway for security enforcement checked i have this comp isn't an ics/nat network checked i have block all fragments block local and internet servers blocked and enable arp protection checked and i have the last 3 unchecked and i have ask which place to place new network checked

    Program Control/main

    i have the slider set to high and auto lock enabled

    Program Control/main/program control custom

    i have both boxes unchecked as i don't know how to configure the component control and this is where i really need help because i don't know what is safe to let connect and what isn't

    Program Control/main/automatic lock custom

    auto lock engage after 1 min of inactivity and allow pass-lock programs to access the net

    Program Control/main/advanced/access permission

    connection attempts always ask for permission and server access always deny

    Program Control/main/advanced/alerts and functionality

    i have show alert when net access is denied and deny if access permission is set to ask and true vector is running but za+ isn't ans the last box is greyed out

    Program Control/Programs

    under access i have all apps set to allow and under server i have all apps set to deny and under pass lock i have all apps set to allow

    Program Control/component control this list is blank

    any help tightening my security further would be appreciated thanks
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Hi Bethrezen,

    Well, unfortunately, there is no one size fits all on how to set up ZA+ or ZAP. It depends upon what you want to do with it. Now, reading through what you chose in those various tabs, something occur to me.

    You've basically configured ZA+ to act exactly the same as ZAF would if you checked a couple of its available options and set its sliders to High.

    You see, the advantages in ZA+ are: component control, which you've got turned off; and the detailed customized configs, which you've got mostly unchecked or unused. (More on component control below...)

    It's impossible to go through all those tabs and tell you what to enable or disable, especially without knowing a lot more about your system, preferences and configs.

    However, I can say this...
    All of this means you have very tight settings, especially blocking all servers (that's good if you aren't running anything that needs server rights). Note that if you start having odd lockups or trouble with programs or websites, you may want to uncheck the "block all fragments", or allow some of the firewall protocols - but this depends upon the type of Internet access you have. I can not use the block all fragments function at all because of the type of ADSL I use. (Again, like most things, this will vary from PC to PC.)
    What do you mean by "both boxes"? For Program Control > Custom, I have only one box on that screen "Enable Advanced Program Control" which I have checked.

    Usually, you should start at Program Control at Medium, and have the above option checked so that ZA+ will "learn" the components you have on your system as you run every Internet aware application a few times. They recommend a couple days of normal system usage before sliding the program control to High.

    I have over a thousand components in the Components listing tab by the time I move the slider to High. Even then, as I run other functions within the more complex programs, like IE, every now and then I'll be prompted when it uses a component not yet seen by ZA+.

    Another general comment here overall. You've given every program total access out and denied server access. I agree with denying the server rights, but not with giving every program access rights, all the time. Hijacking and piggybacking programs (those that use other programs, like IE, to access out to the Internet on their behalf, can use these programs whenever they want given your set up right now and ZA+ will allow it.)

    I have most programs set to "?" in ZA+. Not all, but most like IE, OE and a few of the heavy hitters. Yes, when I first fire them up I have to allow them out, but I like having to approve that access. From then on, if you keep the program running, you don't have to reapprove it. Only when you stop it and restart a new copy.
    I don't use the auto lock feature myself. Your settings here, and by allowing pass lock on every program, are allowing all programs to bypass the lock anyway.
    Yes, these are normal. (If you haven't set a password for the ZA+ interface at ZA+ > Overview > Preferences > Password > Set Password..., then that last option isn't used.

    By the way, a password is a good thing also, in case some program gets on your system that has the ability to "click the ZA buttons" itself, a password would block it from changing your permanent settings thru this method. But, I think you need to work out some other configs before setting a password.
    Well, it's good to block server when you aren't running things that require it. I do that, too. But, as noted above, I prefer setting some program to Ask for outbound access. And, I don't use the lock, but wouldn't set pass lock unless I was: 1. leaving my system up all the time, and 2. wanted programs like auto-updates to run while I wasn't there, and therefore would have to let them access out even while the lock is set.

    As I said, there's really too much to make sweeping statements as to what to change. I do suggest starting with setting Program Control to Medium, enabling Advanced Program Control and letting ZA+ learn the long list of your components as you use all your normal apps. Then, moving it to High.

    If some programs or your overall connection is problematic at times, mention that and we can look at how much you are blocking and figure out what is perfectly fine to allow in the advanced and custom tabs, especially in the firewall section.

    If you have specific questions, maybe we could take them one section at a time.

    For a good example of the benefits of using the ZA+ detailed program configs, see the sticky here on restricting Outlook Express.

    ZA+ is a good choice in my opinion and you can do a lot with it. It is also what I use, so perhaps I'm biased. ;)
     
  3. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    There are ZA forums for users also which you might like to check out:

    http://forums.zonelabs.com/zonelabs
     
  4. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    hi

    thanks for ya replys you are right in saying i only got za+ set at default zaf config but thats only coz i don't know how to configure the more advanced options hence the point of asking so how about you tell me what info ya need to start helping me out and we can take it from there ?

    oh and as to ya question

    What do you mean by "both boxes"? For Program Control > Custom, I have only one box on that screen "Enable Advanced Program Control" which I have checked

    i have 2 boxes one says enable advance program control and the other says enable component control
     
  5. Pretender

    Pretender Registered Member

    Joined:
    Apr 23, 2002
    Posts:
    670
    Location:
    Virtual Paradise
    Just curious to see if you ck'd out the za forums?
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Well, I gave you a good start as far as the Program control tab goes. You need to set the slider to Medium and enable component control. You should use all your normal Internet based programs and let the Components list fill up for a couple days. Then move the slider up to High and enable advanced program control. That'll give you the strongest protection against piggybacking and hijacking programs like tooleaky and other leaktest proof of concept exploits.

    As to the other tabs in ZA+, they either depend upon the needs of the programs you run, (if something isn't working right, you use many of those to grant additional, limited access rights, more granular than the sliders), or they deal with just how many warnings and pop-up inquiries you want to get from ZA+ when some access attempt is made. Your Firewall tab is already at maximum security, so you should focus entirely on the Programs tab next.

    You have some very secure settings there already, except for what I've noted above.
     
  7. Bethrezen

    Bethrezen Registered Member

    Joined:
    Apr 16, 2002
    Posts:
    546
    Re:Zea+ set up help

    hi

    ok i did as you suggested and put component control in to learning mode for the last few days and though i was time that i put it to high to stop exploits like to leakey

    how ever iv noticed something rather curious for some reason windows explorer is trying to connect to the net and i like to know why as this shouldn't be but when i say no i cant get anything working so for now i put it back in to learning mode

    now my other question is this even though iv had the component control in learning mode and a good number of components have been auto authorised as ok to connect to the net my question is what do i do with the ones that still have ? next to them

    how can i tell if there ok to let connect take icq for instance that is infested with all sorts of adware dll files and probable shouldn't be allow but how can i tell what is what

    plus how can i verify what za+ has allowed in learning mode is ok because id be willing to bet that it has probable allowed some elements that would be deemed questionable
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,282
    Location:
    New England
    Hi Bethrezen,

    Sounds like you are making progress! :)

    >> how ever iv noticed something rather curious for some reason windows explorer is trying to connect to the net and i like to know why as this shouldn't be but when i say no i cant get anything working so for now i put it back in to learning mode

    When exactly is Windows Explorer trying to connect out? Immediately at bootup or at network connection start? Or, when you run some other program or system function? Also, is it just trying to get access out to Internet or is it ever asking to "act as server"?

    Generally speaking, there are functions in Windows that are housed (controlled, accessed) through the use of Windows Explorer, so it is not necessarily a bad thing to allow it access out to the Internet. (I would not grant it the ability to act as server though, unless you have a specific need to do so - which is rare.)

    >> now my other question is this even though iv had the component control in learning mode and a good number of components have been auto authorised as ok to connect to the net my question is what do i do with the ones that still have ? next to them

    Whether ZA+/ZAP chooses to apply a {check-mark} or a {question-mark} to a component has more to do with exactly how you answered the question regarding the main program that first called the component. If you denied / blocked access to the main program - even just the first time you ran it, ZA is likely to set the {question-mark} on it. ZA is not making any safe / unsafe decisions with regard to which is set, so don't expect that the "?" marked items are necessarily unsafe.

    This is the complicated part of things like component control. This is very similar to how Black Ice application control works, and also a sandbox like Tiny Trojan Trap. All of these have the same thing in common - they assume that while they are running in their respective learning modes, (or perhaps even just at installation time, if they auto-sense all programs and components), that you already have a clean system! No malware or other problematic items.

    You see, none of these programs can diagnose the state of your system. All they can do is either learn or global accept all existing programs as clean and valid, or, they ask you to confirm every one of them yourself. Sounds a little scary, right? Well, in a way it is.

    Since there are very few people anywhere that can identify and confirm the safety of say 1,000+ programs and dlls on any system, some assumptions have to be made instead...

    What I recommend is that you scan your entire system with whatever AV, AT and spyware tools that you have, remove anything indicated as bad, and then simple go into ZA+ Component's tab and set every remaining component to {check-mark}. It's all you can do really unless you can specifically identify problem files and programs yourself.

    >> how can i tell if there ok to let connect take icq for instance that is infested with all sorts of adware dll files and probable shouldn't be allow but how can i tell what is what

    >> plus how can i verify what za+ has allowed in learning mode is ok because id be willing to bet that it has probable allowed some elements that would be deemed questionable

    Same as above. What I recommend specifically is this. If you want some idea of how safe you system currently is...

    1. Run full system scans with your installed AVs with their latest updates. (Do you still have both NAV and AVG?)

    2. For a second opinion, and because it's pretty powerful, run the Panda Online AV scanner via the link on our free services (link) page.

    3. You have Spybot S&D right? Run a full scan and spyware cleanup with it after making sure it's updated.

    These tools combined should find most anything bad on your system. If you don't think that's enough, then try an eval scan with either TDS-3, Trojan Hunter or even GAV (this is a beta product, but, it installs and removes very cleanly/easily) as one more double check.

    Keep one thing in mind, if you block even one component from Internet access, you may have problems making everything else work. Component control is a very interesting thing. You see, components are purposely reusable, and are very often shared between different programs. Microsoft Windows components are very heavily shared between things like Internet Explorer, Outlook / OE, Windows Explorer, etc.

    Once you've ensured your system's current state is trustworthy, and have allowed all components, then set Component Control back to High. Yes, you will still see additional component alerts from time to time, especially as you perform some function or run some program combination that wasn't seen before. When you see the alert for a "New Component" hit the Details button, then look at the Properties of the component and see if what it says makes sense...

    What makes sense? Well, for example, the first time you hit a Java Applet in Internet Explorer, if ZA+ hasn't learned all the Java components yet, you see alerts for a few Java related components. That would make sense. Or, the first time you view a streaming video or hear streaming audio, if it wasn't learned yet, you'll see alerts for audio or video related components. Same thing with Acrobat Reader and other browser helper apps.

    Beyond that the only thing I can recommend is: common sense and frequent full system scans for malware, at least until ZA+ has picked up all the major components. (Oh, keep in mind, after any software install or a Windows update, you will see new and/or changed components, as well.)

    It's complicated, I know, but it's the only way any software can control and monitor your system at this level - either they must trust everything, or they must ask you to confirm. There's no other way.

    I hope this helps,
    LowWaterMark
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.