ZoneAlarm Free Antivirus+Firewall - Issue

Discussion in 'other firewalls' started by Tarantula, Jun 12, 2014.

Thread Status:
Not open for further replies.
  1. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    The problem is that I can easily disable VSMON.EXE through Process Hacker which is my default task manager. If I can do it so easily, that means it's even easier for the malware to do it. Any suggestions? I thought this program has a self-defense module or something.
     
  2. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    I even have my settings locked with a password, but it doesn't help. You just need to close zatray.exe first and then vsmon.exe, in this order.
     
  3. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Normal; if you allow a program or malware to have a free ride on the system then your system is lost. If instead you follow your security software's warnings you at least get suspicious, as you should see at least 4 or 5 pop-ups from when you install it to when you run it... just a couple of screenshots as a sample...
     

  4. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    It's not normal. I can't do that with Win7 task manager even if it's the primary task manager. Giving a program access to the internet has nothing to do with what I said. The second picture is weird and means nothing.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yes, the second picture is the loading of PH at low level. If you allow that you are allowing PH to kill services on the system. Yes, the warning is not easy to read. Win 7 does not load TM at low level and therefore cannot unload all services. I am afraid I cannot see any scoop on your findings.

    Again, if you allow a software/malware to load at kernel level or same level of system then the game is lost for the system and the security tool. ;)

    On the rest, any pop-up from unknown components in your system should alert you. In this case a user will see several pop-ups on a weird component trying to access the localhost and the internet. A clueless user will probably allow everything; that's why it's important not just to use a security tool but to be educated in understanding the risks behind allowing something that is new or unknown.
     
    Last edited: Jun 12, 2014
  6. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    I've never seen such an alert like on your 2nd pic, but I have to admit you have a good point. Thank you! You've just helped me to clear my head. lol
     
  7. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    @Fax,
    Just curious: isn't it true that the box is still protected because of vsdatant driver? That's my recollection from XP and old ZA (v8 or 9). So even if this process hacker managed to disable the crucial service by elevating rights, the user still might be ok, though unnecessarily messed up/scared.
     
  8. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    Not really. I was able to install whatever I tried to. Windows Action Center still shows that ZA is enabled though.
     
  9. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Yes, it is still there in order to protect ZA processes. But if you load another driver with the same privileges as vsdatant, then it's easy to guess the results. I.e. any driver can be unloaded. So, ZA HIPS warns you about this loading and if you allow it then it's game over. :thumb:

    I am sure you can find many different ways to kill any security software with access to the system, elevated privileges and a little bit of time. The point is always the same: prevention rather than simply counting on remediation after the accident. For example, simply running ZA+AV on a non-administrative account with an up-to-date system can avoid the majority of the problems, without going into more complex layered security. Of course, nothing is 100% proof.
     
    Last edited: Jun 13, 2014
  10. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    Man, when you disable zatray.exe and vsmon.exe, there are no other running ZA processes at all. What is vsdatant driver protecting then?
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Uuuhm... going around in circles... LoL. You can disable it because the tool you use to disable it is loaded with the same privileges as vsdatant and vsmon.
    On the other hand, as you also reported, if you use a tool with lower privileges you cannot kill vsmon (task manager in W7). Better now? :)

    By the way, vsdatant is hidden; you can find it by running any rootkit tool that will display hidden hooking. Even with Windows System Information it should appear in the hidden drivers.

    ZA was the first security tool to protect itself using the same approach as a rootkit back in the years 2004-2006 (or earlier... can't remember, sorry).
     
    Last edited: Jun 13, 2014
  12. Tarantula

    Tarantula Registered Member

    Joined:
    Jul 23, 2010
    Posts:
    359
    But he asked 'Just curious: isn't it true that the box is still protected because of vsdatant driver?'

    I believe that he means after zatray.exe and vsmon.exe are already disabled.
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,730
    Location:
    localhost
    Regardless of whether the system is still partially covered (e.g. a new unknown connection will be blocked), you have to assume that if a malware is given low level access to the system then whatever you have in place is not going to protect you fully. So, for me, no, you are not protected.
     
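As an added example that is not part of this thread, here is a small Python detector written from the defender's side for the exact sequence the posts describe: zatray.exe exiting shortly before vsmon.exe, which Task Manager alone cannot do. It assumes Sysmon-style process-terminated events (Event ID 5) flattened to one constructed line per event; the sample lines, field layout and 60-second window are assumptions, not real ZoneAlarm or Sysmon output.

```python
import re
from datetime import datetime, timedelta

# Processes named in the thread: the tray app is closed first, then the service.
TRAY, SERVICE = "zatray.exe", "vsmon.exe"
WINDOW = timedelta(seconds=60)  # assumption: exits this close count as one sequence

# Constructed sample lines, loosely modelled on Sysmon Event ID 5 (process
# terminated). Only basenames are used; real logs carry the full image path.
SAMPLE_LOG = """\
2014-06-12 10:00:01 EventID=5 Image=notepad.exe User=PC\\alice
2014-06-12 10:02:10 EventID=5 Image=zatray.exe User=PC\\alice
2014-06-12 10:02:13 EventID=5 Image=vsmon.exe User=NT AUTHORITY\\SYSTEM
2014-06-12 10:05:00 EventID=1 Image=vsmon.exe User=NT AUTHORITY\\SYSTEM
2014-06-12 11:30:00 EventID=5 Image=vsmon.exe User=NT AUTHORITY\\SYSTEM
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                     r"EventID=(?P<eid>\d+) Image=(?P<image>\S+) User=(?P<user>.+)$")

def parse(line):
    """Return (timestamp, event_id, image_basename, user), or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, int(m["eid"]), m["image"].rsplit("\\", 1)[-1].lower(), m["user"]

def detect(log_text):
    """Return [(timestamp, alert)] for termination events of the ZA processes.

    'vsmon-terminated': the service exited; Task Manager cannot kill it, so an
    unplanned exit points at elevated tampering. 'tray-then-service': zatray.exe
    exited within WINDOW before vsmon.exe, the order the thread reports.
    """
    alerts, last_tray_exit = [], None
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != 5:  # only process-terminated events matter
            continue
        ts, _eid, image, _user = rec
        if image == TRAY:
            last_tray_exit = ts
        elif image == SERVICE:
            alerts.append((ts, "vsmon-terminated"))
            if last_tray_exit is not None and ts - last_tray_exit <= WINDOW:
                alerts.append((ts, "tray-then-service"))
            last_tray_exit = None
    return alerts
```

Run over SAMPLE_LOG it raises three alerts: the hand-disable sequence at 10:02:13 and a lone service exit at 11:30:00, while the ordinary notepad.exe exit and the process-start event are ignored.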