ZoneAlarm conflicts TrendMicro online?

Discussion in 'other firewalls' started by abanerji, Aug 12, 2006.

Thread Status:
Not open for further replies.
  1. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    I have just installed ZoneAlarm Free 6.5, switching from Windows Firewall. My System details are Compaq Presario P4, 256 MB RAM, XP-SP2, AVG Free 7, Ewido Anti-spyware 4.0, DiamondCS ProcessGuard Free 3.405.

    I had done TrendMicro online scan earlier without a hitch. But after installing ZoneAlarm, I am unable to do so. I even shut down ZoneAlarm and switched on Windows Firewall, but now even Windows Firewall blocked TrendMicro traffic.

    Shall be grateful for advice please. Thanks,
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
  3. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you for your fast post. Would any other online scan (kaspersky / a-squared / bitdefender) work seamlessly with Zone Alarm?

    Secondly, I did not understand why, even after shutting down ZA, my old Windows firewall suddenly jumped into action. I tried both IE (with Trendmicro in trusted zone, i.e., ActiveX enabled) & Firefox.
    I also have SunJava enabled and I had already tried the alternative Java-based scan of TrendMicro, but it too did not run.

    Also, ZA shows one blocked entry : Rating medium, Protocol UDP, Program svchost.exe, Source 192.168.1.2, Destination 218.248.255.145 (my ISP), Direction outgoing. Since I am new to non-Windows firewall, kindly let me know if this might represent the traffic going from my PC to Trendmicro Housecall through my ISP?

    Finally, maybe a bit off-topic, what if I go for AVG's paid AV-cum-firewall, since I am so comfortable with AVG (so far)?
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    They should all work, including TrendMicro.
    ZA has a feature that turns off the Windows FW, but if ZA is disabled it will no longer suppress XP FW which starts to operate again - so long as it was switched on in the first place! (See Firewall/Main/Advanced section of ZA). That is so in the Pro version, so I suppose it applies in the free version as well.
    Firefox doesn't have Active X, so you need to use IE with Active X enabled (or use Java script based scans); having the IE Security Zone slider at Medium should be sufficient.
    For the alternative you would need Java scripting - I don't think it uses Sun Java applets, which is different.
    Svchost.exe runs .dll based services, you will probably have several instances running, each of which may contain several services. I've no idea which service was trying to communicate.

    I'm assuming you are actually getting to the TrendMicro site and then not being able to proceed because things won't D/L when you click the button; rather than being unable to access the site at all.

    I wondered if it might be an FTP download (as opposed to HTTP) being blocked because server rights are not being granted - but this cannot explain why it doesn't work when ZA is disabled. I think that a blocked FTP download may show up as a Svchost.exe entry, but it should be incoming. This is clearly a mystery!

    If XP FW settings have been changed you may be able to troubleshoot here:-
    http://support.microsoft.com/kb/875357/
    You would need to trial it on your system - that is the only way of knowing!
     
  5. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you again. I had posted at the ZoneLabs Forum, and this is the response :

    "The Trend Micro site requires ActiveX to function and it would seem that a Zone Alarm Pro feature blocking ActiveX has been enabled in your Zone Alarm Free firewall. A database reset should fix that. Reset the database this way; you will lose your customizations and will need to reconfigure Zone Alarm.
    1. Boot your computer into the Safe Mode. {Instructions if needed}
    2. Navigate to the c:\windows\internet logs folder.
    3. Delete the backup.rdb and iamdb.rdb files in the folder.
    4. Reboot into the normal mode.
    Now clean your browser cache and try again."

    As regards my lack of understanding of firewalls, I apologise. My confusion regarding Windows firewall arose because I thought it doesn't block outward traffic, and here it was apparently trying to do that.

    The other point is, prior to ZA installation, TrendMicro would do online scan like a breeze. I have not changed any of my IE/Firefox settings. In other words, if ActiveX/Java was not an issue pre-ZA, I just wonder what's the trick now.
     
  6. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    I just re-checked TrendMicro webpage (http://www.trendmicro.com/hc_intro/default.asp). It says "HouseCall 6.5 has two independent Core Engines to choose from: The ActiveX Core Engine: to use this engine, please adjust here the IE browser’s Security level to Medium at least and be sure that signed ActiveX objects are enabled.
    The Java VM Core Engine- to use this engine, please install the Java VM from www.java.com."

    So, most probably the Java version of the scan uses applets. I thought of adding these few lines to clarify.

    Thanks,
     
  7. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The response from the ZA Forum does not explain why you could not do the scan with ZA disabled. That is a mystery! o_O

    One thing you could try is go to Overview/Preferences in ZA, uncheck the box for load ZA at startup, then reboot. Vsmon.exe should not be running now. Make sure Windows XP FW is on, now try the TrendMicro scan. If it works then it would prove that the ZA configuration was the problem. But if it doesn't work you can be sure your FW is not to blame.
    I noticed that, but I always understood that the European link for TrendMicro used Java Script, rather than Sun Java, so that FireFox users could do the scan. Maybe that has changed? o_O

    I must say I've never heard of ZA free having components from ZAP activated so as to block Active X etc. I wonder if there is a problem with the TrendMicro site - that would be the simplest solution! o_O
     
  8. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    While that is technically true, the reason that instruction was given by Guru Bill is to eliminate any possibilities that ZA might be involved in blocking you from doing an online scan. You should follow that set of instructions. If it still doesn't work, we know ZA is not responsible for it (which anyway is most probably the case).

    You should then reset IE's Browser Cache. Normally caches can cause quite a bit of problem:
    http://forum.zonelabs.org/zonelabs/board/message?board.id=gen&message.id=36152

    It is possible if the person had decided to trial ZA Pro for the 15 day trial period. When the trial ends, sometimes not all the settings get reset back to the ZA (free) defaults which means the database got corrupted. Hence Bill's instructions for resetting the database, just in case.
     
  9. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you TopperID ... in the past also I have found your posts very helpful. I am certainly going to try all instructions from everybody (ZoneLabs' database reset may work, who knows what the installers extract!) :)

    Incidentally, I have already got a service ticket allotted by TrendMicro TechSupport ... hoping they get back.
    Yesterday, my googling on the issue had pointed to some conflict in 2004 between ZA & TrendMicro (not the online scan).

    unhappy_viewer, re IE cache clearance ... well, please read on ... sorry, if this post gets a bit longish.
    I am a bit paranoid about IE's cache, and clean up several times a day. In fact, yesterday, after installing ZA Free, I tried TrendMicro Housecall several times ... both in IE (after using CCleaner to wipe off all junk caches, with TrendMicro url in trusted zone, i.e., ActiveX and scripting enabled), and also in Firefox (using the alternative Java kernel).

    Here's a bit about my Java settings :-

    Just opened the "Applet Cache Viewer" from Java ControlPanel > Temp Files Settings ... "Enable caching" is checked. Yesterday, I tried TrendMicro scan from both their International site as well as European site. The Cache viewer clearly shows two sets of files (from both the sites) - Class & Jar both. In other words, prior to data transfer (from my PC to TrendMicro sites, which got blocked by both ZA and subsequently by Windows firewall when I had temporarily shut down ZA & re-activated Windows firewall for testing), the required Java applets did download and got initialised ... I had observed this in the status bar of my browsers. But thereafter, outward traffic to TrendMicro apparently got blocked, and since TrendMicro did not get a response from my PC, the scanning process froze. I am no techie, so all this may be wrong ... just a hypothesis.

    Java plugin ... today went to do some online banking, and my Bank's website is Java-coded. Was a breezy experience (as usual). My conclusion : Java plugin working fine in my PC.

    I have done TrendMicro online so many times in the past (prior to ZA install), I have carefully observed the process. I am on broadband, and this time I concluded nothing was happening after waiting for very long time ... in the past, the actual scan had started by then.
    Basically, TrendMicro just seemed to have frozen (no internet or harddisc activity whatsoever), whether in IE or Firefox.

    unhappy_viewer, "... if the person had decided to trial ZA Pro for the 15 day trial period. When the trial ends, sometimes not all the settings get reset back to the ZA (free) defaults ...". My clarification : Not the case here! I am very particular while installing new software, even read the agreement. So, I had chosen ZA FREE, and skipped ZA Pro. I believe in first seeing what a pure free version (if available) would give, and then upgrade to paid (only if the free makes me happy) ... I don't like to downgrade features ... personal preference. More, I installed ZA Free yesterday, and so no trial period here (even for sake of argument).

    Thanks to all for your patience,
     
  10. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    I won't give you further advice here since you are already being helped by two gurus on the ZA forums. I don't want to give conflicting advice. The gurus have lots of knowledge and hopefully they will be able to help you out.

    I tried running an online scan at TrendMicro's site on my computer which has ZA Pro (I changed the settings to emulate the features that are turned off in ZA (Free)) and it worked fine for me.
     
  11. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    The only thing I can think of at the moment is the fact we had a Windows update a couple of days ago, including a cumulative patch for IE; can you remember whether you successfully did a scan AFTER that update, but before installation of ZA?

    Maybe I'm clutching at straws, but it's a possible cause I suppose. o_O
     
  12. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I don't expect it applies, but just for the sake of elimination, you haven't disabled Active X in ewido's 'AntiSpy' section have you?
     

    Attached Files:

  13. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thank you unhappy_viewer, and I appreciate the trouble you have taken for me. I tried ZA forums' database reset instruction, but that has not helped.

    TopperID, I updated Windows/IE just after Patch Tuesday, i.e., on 9th August 11.20 PM. ZA installed on 12th August. My last successful TrendMicro online was on 9th August 8.58 PM (I have a saved screenshot) ... however, this was on Firefox.
    ewido antispy settings : ActiveX controls not disabled. However, your image shows built-in Windows Authentication disabled, in my settings it is not so (probably this is ewido's default, which I left as is).

    Meanwhile, I got a response from TrendMicro Tech Support, with detailed instructions for a workaround. They have not given a probable reason for Housecall not working in my case. The workaround (downloading the engine and signature database from their site, and then running offline scan in Windows Safe Mode) worked fine ... the scan took a full six hours, and what a relief - no virus/trojan/malware.

    Thank you for all the advice.
     
  14. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    I actually disabled it myself in the Advanced section of IE Internet Options, which explains why ewido shows it like that. ;)
    So we are no nearer a solution. :'(

    Except that your last successful scan was immediately BEFORE the Windows update - I simply cannot think how that might have affected it, but you never know. :blink:

    Possibly the ZA installation was a red-herring that you coincidentally did at the time but has nothing to do with the problem. :-*

    I suppose you could try a system restore to get back to before the update, but if everything else is working I personally would not wish to do that! :eek:

    If other online scans work OK you may wish to use them instead. :)
     
  15. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Hi TopperID :

    I am really enjoying this conversation. Sometimes I wish :oops: I was in the technical field, and not what I do, viz., practising accountant. I know the reason ... did my Keirsey personality profiling only few years back ... I am a hardcore NT, but in an essentially SJ profession. Another case of square peg in round hole!

    Just wanted to add a line about TM scan (pre- Win update). The IE cumulative may have done something to IE behaviour, but thinking aloud ... how come Firefox can't do it now (suddenly).

    The other point I forgot to mention in my previous post ... I did try your advice of rebooting with ZA off & XP-FW on. I tried all permutations, i.e., IE (& Firefox too) with Housecall from TM's global site ... no luck. TM stopped after a while ... please see the attached screenshot.
    Surprisingly, when I tried the scan (in Firefox) from TM-Europe site, it started going through and the scan DID happen. But, then the result page never got populated.

    One last point. The above were done before resetting ZA database, as instructed in their Forum. Then I did reset ZA database, and now the situation w.r.t. Housecall is worse. Both in IE/Firefox, TM housecall pages are not even loading properly!!

    Anyway, since there's a workaround available to me now, I shall leave here, and attend my client :)
     

    Attached Files:

  16. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    It may not have been the IE cumulative that is the problem, it could be one of the other Windows patches.

    You can eliminate ZA definitively by uninstalling it and then seeing if difficulties persist.

    Similarly, you can go to Control Panel/Add or Remove Programs, check the box for 'Show Updates', then scroll down to the Windows Updates. You can then uninstall each recent update individually, looking for a possible culprit.

    I wouldn't bother to do that though, if there is an issue with a Windows update (and it does happen) Microsoft will issue a fresh patch soon enough.

    I don't rule out a temporary 'blip' with the TrendMicro site, in which case wait and see; in the meantime the best advice is:-
    :D :D
     
  17. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
    Thanks again for your views. I shall get back if there is some new info.

    Regards,
     
  18. abanerji

    abanerji Registered Member

    Joined:
    Aug 2, 2006
    Posts:
    37
  19. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Thanks for the update abanerji, it really is starting to look as though the new TrendMicro scanner is the culprit in all this; obviously it is not functioning correctly with some systems.

    I'm sure though that TrendMicro will be working on this (you can't be the only one who has alerted them to this situation) so hopefully 'normal service' will be resumed in the near future. ;)
     