Zonealarm Free fails against tooleaky!

Discussion in 'other firewalls' started by POS, Nov 8, 2005.

Thread Status:
Not open for further replies.
  1. POS

    POS Guest

    My Zonealarm free has failed against tooleaky? Why? Does ZA PRO fail?
     
  2. POS

    POS Guest

    Have just upgraded to ZA PRO, and it continues to fail against tooleaky!!
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Maybe you have to upgrade to the Internet Security Suite?

    Zone Labs
     
  4. POS

    POS Guest

    Ok, I've turned application control to high level, and ZA stopped tooleaky... But I think it's a job that a good firewall, with or without application control, should do.
     
  5. StevieO

    StevieO Guest

    Hi,

    My Zonealarm free passes that one and 99% of all others.

    If you set up ZA to prompt you to Allow/Deny and DON'T select Remember for anything, and click DENY, then it WILL pass that test as in my Screen Shot.

    http://img374.imageshack.us/img374/9118/2lky13sc.png

    If you also install something like the Excellent and Free Winsonar as I have, then Any EXE test etc won't even be allowed to launch, unless you allow it.

    . . .

    Winsonar 2005 XP Freeware Edition is a program specifically designed for process monitoring and system protection from unknown processes.

    Winsonar 2005 XP is a Freeware program and is provided without any limitation at no charge to the user. If you find this program fast, convenient and useful, a little donation to the UNICEF or to your National Red Cross is encouraged by the author.

    http://digilander.libero.it/zancart/winsonar.html

    . . .


    StevieO
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    No, ZA PRO does not fail! Suspicious Behaviour Alert is displayed and tooleaky is blocked...:D

    And I have yet to see a leaktest passing ZA 6....(same as Outpost:p lol )

    Fax
    Edit: With default settings
     
  7. gre87y

    gre87y Registered Member

    Joined:
    Oct 27, 2004
    Posts:
    164
    Does anyone know if 4.5.094 free version and also 4.5.094 pro pass these test?
     
  8. POS

    POS Guest

    I don't know why, but my ZA does not even ask me to allow or deny tooleaky.
     
  9. POS

    POS Guest

    NOD32 has detected firehole as a virus...
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Well, I was too optimistic.... here you have....
    Removed link
    Not yet checked if true...

    Fax

    Removed link-TOS violation--Ron
     
    Last edited by a moderator: Nov 9, 2005
  11. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
  12. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost
    Sorry Ron,

    not sure what was wrong in that link but probably the answer would be 'read the TOS'...

    Maybe this link from 'securityfocus' will be more acceptable? Feel free to remove...

    Fax
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    That's fine. Some of the sites that discover vulnerabilities in software do some good. Unfortunately, some of those sites also have what would be classified as malware on them.
     
  14. StevieO

    StevieO Guest

    Hi fax and All,


    I've just tried this " New " test and here are my results.

    This is what the website says about the test.

    . . .

    Description: Zone Alarm products with Advance Program Control or OS Firewall Technology enabled, detects and blocks almost all those APIs (like Shell, ShellExecuteEx, SetWindowText, SetDlgItem etc) which are commonly used by malicious programs to send data via http by piggybacking over other trusted programs. However, it is still possible for a malicious program (Trojans or worms etc) to make outbound connections to the evil site by piggybacking over trusted Internet browser using “HTML Modal Dialog” in conjunction with simple “JavaScript”. Here it is assumed that the default browser (IE or Firefox etc) has authorization to access internet. In case of the default installation of ZoneAlarm Pro, IE is by default allowed to access internet.

    The PoC discusses how the ZoneAlarm Advance Program Control and Behavior Based Technology can be defeated by using HTML Modal Dialog Box in conjunction with JavaScript. Refer the PoC (Proof of Concept) for more details.

    . . .

    This test is a slightly different implementation of the earlier one, the DDE vulnerability, we looked at and experimented with here which was allowed.

    Malicious code could trick ZoneAlarm firewall

    https://www.wilderssecurity.com/showthread.php?t=99853

    WinSonar thankfully DID block it for me again as it always does with unknown EXE's. But then I allowed it through to see what would happen.

    Same as before, with no IE running I get a prompt alert from ZA which I DENY. But with IE running it piggybacks on it to the test page and you see this.

    . . .

    Demo - Defeating Zone Labs Products Advance Program Control and Personal Firewall Based On Behavioral Based Analysis

    This is a demo page and has been hosted to demonstrate how Zone Alarm Firewall with Advance Program Control and other similar personal firewall based on behavioral analysis can be bypassed by a malicious program which make use of HTML Modal Dialog in conjunction with JavaScript to communicate with its master by injecting the data via other trusted programs (here it is IE). No information are logged during the demo other than the hit count. So feel free to try this demo as many times as you want.

    . . .

    I have Java Script etc disabled so it's not that !

    http://img322.imageshack.us/img322/406/za13cw.png

    The new test is osfwbypass-demo.exe = 25kb and the previous one is zabypass.exe = 26kb. Very similar GUI's but the new one fails to display correctly for me.

    http://img322.imageshack.us/img322/6519/zapoc17nz.png


    StevieO
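
Added example, not part of any post in this thread and not ZoneAlarm's actual logic: a simplified Python model of the three configurations discussed above (a remembered Allow for the browser, prompting every time as in post #5, and a check on which program is driving the browser). The rule sets, event list and the name `leaktest.exe` are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Attempt:
    process: str   # program opening the outbound connection
    launcher: str  # program that started it or handed it the request

# Constructed rule state, not ZoneAlarm's real configuration format.
REMEMBERED_ALLOW = {"iexplore.exe"}    # user ticked "Remember" on Allow for the browser
APPROVED_LAUNCHERS = {"explorer.exe"}  # programs the user expects to start the browser

def per_program(a: Attempt) -> str:
    """Rule keyed on the connecting program only."""
    return "allow" if a.process in REMEMBERED_ALLOW else "prompt"

def prompt_always(a: Attempt) -> str:
    """Nothing remembered: every attempt raises an Allow/Deny prompt."""
    return "prompt"

def launcher_aware(a: Attempt) -> str:
    """Also check which program is behind the connecting program."""
    if a.launcher not in APPROVED_LAUNCHERS:
        return "block"
    return per_program(a)

# Constructed events; leaktest.exe is a placeholder for an unknown program.
EVENTS = {
    "user opens browser": Attempt("iexplore.exe", "explorer.exe"),
    "unknown program connects itself": Attempt("leaktest.exe", "explorer.exe"),
    "unknown program drives browser": Attempt("iexplore.exe", "leaktest.exe"),
}

def compare() -> dict:
    """Return each policy's verdict for each constructed event."""
    policies = (per_program, prompt_always, launcher_aware)
    return {name: {p.__name__: p(a) for p in policies}
            for name, a in EVENTS.items()}

if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:32} {verdicts}")
```

Only the third event separates the policies: a rule keyed on the browser alone lets the traffic out silently, while prompting every time or checking the launcher gives the user or the firewall a chance to stop it.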
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,731
    Location:
    localhost

    Hi StevieO,

    Yes, I can confirm that this time Tr0y (a.k.a Debasis Mohanty) did his homework correctly as compared to the previous poor zabypass.exe PoC.:D

    Cheers,
    Fax
     
  16. My free ZA does not fail Tooleaky. I don't get an alert but I get a box saying it did not connect and my connection is slow or similar words. Also PG asks if I want it to run. However there are several firewall tests ZA free did fail, but again PG asked if I wanted it to run. I think the ones ZA failed used DLL injection. I do not really understand this.
     
  17. Does one need Winsonar if one has PG Free? Do they work the same way?
     
  18. eyes-open

    eyes-open Registered Member

    Joined:
    May 13, 2005
    Posts:
    721
    @ gre87y

    I loaded & tried ZA(Free) version 4.5.538.001 (the only version I keep around).

    If it helps at all, given the same condition that IE must apply each time for permissions then I can confirm the above version of ZA produces the same result as StevieO's screenshot in post #5.

    Just to confirm that as expected PG picked up on the .exe and had to be instructed to let it go for the sake of the test.
     
  19. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Which version are you using?


    Yes, that's true. It can be a little annoying at times, though. Like when you go to open a program that Winsonar hasn't seen before and it kills it immediately. At first you wonder what's wrong, but then you remember that Winsonar is running.

    Phil
     
  20. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Okay, now I have to ask, why that particular version? Does it have something the other versions lack?

    Phil
     
  21. Does ZA Pro pass the wallbreaker test?

    I have nvidia firewall, but it doesn't pass it, doesn't even ask me for permission for anything.
     
  22. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    4.5.538 was a popular one for quite a while when version 5.x first came out. There were a lot of problems with 5.0 initially, and some preferred to stick with trusty old 4.5 even later when the problems were resolved. 4.5 also didn't have the AV monitoring which many felt was useless.
     