ZoneAlarm Pro 70_337_000

Discussion in 'other firewalls' started by ankupan, Apr 10, 2007.

Thread Status:
Not open for further replies.
  1. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Well, I forgot to mention that I have ZASS installed on two other systems... Intel Pentium 1,3/2 GHz 1G RAM... and no serious delays as experienced by Legendkiller. Maybe 5 to 15 seconds? Unless this is considered a serious delay.

    Fax
     
  2. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Nope, seems fast enough IMO anyway... it only happens 1/day :cool:
     
  3. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    I haven't used ZASS now, it was in March when the latest update was released... but since it did not work I renewed my Norton's license and have been using it since then...
    I would however be testing the new beta when I install Vista tomorrow...
     
  4. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi legend:

    Do you mean beta ZASS? :doubt:

    If yes, I would respectfully suggest you not try 2 new software tools (new to you) at the same time. You will never be able to tell which glitch is caused by what!:eek:

    Also back up entire current working PC before you start, in case you have to fall back to where you are now!:cool:

    Good luck!
     
  5. Legendkiller

    Legendkiller Registered Member

    Joined:
    Jun 29, 2006
    Posts:
    1,053
    Thanks for your advice, I am still in two minds about installing Vista... as for ZASS 7.0.337 I am not going to go through the ordeal of installing it again on XP... coz the huge start-up bugs not only me but my other family members as well who use the comp along with me...
    As for Vista I will decide only tomorrow..
     
  6. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses

    It's all OT but if you are stable on XP with Norton 2007 why change anything?

    What is it you want to achieve?

    If it is test ZASS on Vista at same time, only do that on 1 PC designated as a TEST PC only. Nothing on it of any value!

    Depends on what your goals are: software debugging for MS and ZA, or using PCs for your own personal reasons?

    These are just my own views of course!
     
  7. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Another source provided this:

    "My Vault only operates on a select number of TCP/IP ports including Port 80 (HTTP). Sending the same information out over other ports may not get detected (eg via FTP, SMTP etc) because it may not be checked on ports used for those kinds of tests.

    I don't use My Vault because I think it creates more problems than it resolves and I really can't see a good use for it. But if you want to use it, you need to be aware of its limitations.

    Like everything else in this world of software PC protection, it certainly lulls you into a false sense of security"
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yep, basically the same I have reported but with a more "colored" tone...
    Knowing Myvault's limits is very important but I personally found it useful as an additional layer of defense, especially for the most common malware/phishing attacks.

    For example, yesterday I was reading about this recent Trojan attack… here: http://www.dslreports.com/forum/remark,18285118

    Imagine that your phishing filter would fail and your AV would not warn about it and you are so ‘naïve’ as to input your credit card details into the form, Myvault will prevent this information from being sent, since it uses standard http communication (as most of these phishing attempts).

    Well, on the other hand, you really need to use common sense… why would Microsoft ask you about your credit card and why would Microsoft allow this information to be sent on clear channels….o_O and a completely ‘naïve’ user would still allow the information to leak through Myvault unless Myvault is set to HIGH instead of medium…. ;)

    Fax
     
  9. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Fax:

    It is possible for any of us yes, me, you etc to be naive, (a good word).

    Trying to visualize a user that had enough wisdom to use MyVault set to medium then to high, with the experience to set up a phishing filter and then at the same time shove their credit card into an open form on a non https well..... nope I can't get the image focused. :D

    As usual here are some specific questions:

    (1) What do you use for phishing filters? 1 or more? Rationale is...?
    (2) On My Vault there were some improvements made with 7, what were those? If you don't know that's okay.

    My Opinion Piece: Even if users use all the best security practices, if a vendor misuses your private information in the course of honest business with flawed practices then none of this matters. Your id is blown!

    Online purchases I use a second credit card with a minimum credit level, this minimizes risk. I recommend this to ALL posters.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    1. No phishing filter, I use ZASS junk mail that works very well in filtering crap/phish... and never trust any e-mail asking me to input password/credit card etc...
    2. No idea, sorry

    Yes, 100% agree... vendor can be the weak point in the chain.
    Though while compromised machines on the NET are in the order of millions... compromised vendors are hopefully less... so the probability of using one of them is low (but still exists!)

    Fax
     
  11. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hi all ZA Pro Posters;

    My PC connected to hs2.zonelabs.com, it was logged for me.

    Must be a ZA server but there is no way to tell? or is there?

    What is the reason this is needed? What type of information was exchanged?

    I have auto updating turned off for the software and the ASW tool so it is unclear why this occurred? No I don't believe in the old story about ZA spying since that was disposed of a long time ago.

    Any information will be appreciated
     
  12. henryg

    henryg Registered Member

    Joined:
    Dec 13, 2005
    Posts:
    342
    Location:
    Boston


    You can work around it by adding:
    # Block access to ZoneLabs Server
    127.0.0.1 zonelabs.com
    to your Windows host file.

    Also, you can check this out:
    http://www.infoworld.com/article/06/01/13/73792_03OPcringley_1.html
     
  13. Maysky

    Maysky Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    11
    I have the same problem with ZoneAlarm making unwarranted outbound even when all auto updates and share info are checked off.


    208.185.174.65 > this seems to be the problem Zonelabs IP

    209.87.209.52 > this is the Zonelabs program update


    I blocked 208.185.174.65 by adding it to the host file; hopefully this will solve the outbound problem while still able to update.


    --
     
  14. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi!

    these are the main servers used by ZA.

    cm2.zonelabs.com assists in the functioning of various services including the AlertAdvisor, antivirus updates, and antivirus monitoring.
    hs2.zonelabs.com helps your client keep its services up to date.
    ls2.zonelabs.com manages information relating to program configuration.
    pa2.zonelabs.com manages the Program Advisor functionality.
    ps2.zonelabs.com helps with updates to services and client functionality.
    update.zonelabs.com supports the "Check for Update" functionality.
    register.zonelabs.com handles product registration.

    Disabling communication will disable most of the features in the paid product.
    Automatic settings of known programs, automatic block of malware, updates, etc... You are, more or less, using the ZA free firewall features.

    If you do not trust the security tools you have installed, better to remove them and choose a product you feel comfortable with and a product with which you can use all the features you are paying for...

    Cheers,
    Fax
     
    Last edited: May 9, 2007
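
Added example (not part of any post in this thread): a Python check of which of the hostnames listed above a given hosts file actually redirects. It relies on two properties of the hosts file: names are matched exactly, with no wildcard or subdomain matching, and the file is consulted only for name lookups, so an IP address written into it does not filter connections to that address. The sample file is constructed from the entry quoted earlier in the thread; the `127.0.0.1 208.185.174.65` line is an assumption about how an IP might have been entered.

```python
import ipaddress

# Service hostnames listed in the thread.
ZA_HOSTS = [p + ".zonelabs.com" for p in
            ("cm2", "hs2", "ls2", "pa2", "ps2", "update", "register")]

# Constructed sample: the hosts entry quoted in the thread, plus an assumed
# line showing one way an IP address might have been "added" to the file.
SAMPLE_HOSTS = """\
# Block access to ZoneLabs Server
127.0.0.1 zonelabs.com
127.0.0.1 208.185.174.65
"""

def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def parse_hosts(text):
    """Return ({hostname: address}, [IP literals found in the name column])."""
    mapping, literals = {}, []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or not is_ip(fields[0]):
            continue  # blank line, comment, or malformed entry
        for name in fields[1:]:
            if is_ip(name):
                literals.append(name)  # an address, not a name to be looked up
            else:
                mapping.setdefault(name.lower().rstrip("."), fields[0])
    return mapping, literals

def coverage(text, hostnames):
    """Split hostnames into those the file redirects and those it leaves alone."""
    mapping, literals = parse_hosts(text)
    redirected = [h for h in hostnames if h.lower() in mapping]
    untouched = [h for h in hostnames if h.lower() not in mapping]
    return redirected, untouched, literals

if __name__ == "__main__":
    redirected, untouched, literals = coverage(SAMPLE_HOSTS, ZA_HOSTS)
    print("redirected:", redirected)
    print("still resolvable:", untouched)
    print("IP literals with no effect:", literals)
```

With the sample file none of the seven service names is redirected; each one needs its own line, and blocking by IP address belongs in the firewall rules rather than the hosts file.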
  15. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Henry: thanks, but the basic question remains unanswered.

    Any or all of these servers can be blocked but there are no technical reasons given to do so. At least not in this thread.

    What are the technical details and real examples of exactly what/why data is passed to and from these many servers ?

    For example ...helps your client keep its services up to date.... what exactly does that mean? It is too vague to act upon.

    What client? What services, there are 2 update functions both are off, does the FW bypass of these 2 off's? Are there updating components that try to connect outside of the 2 blocked ones? It seems so but I want to know before just blocking something that is quite valid and explainable.

    What are the facts?
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Probably the best is to contact ZA support directly...
    They may have additional info available or a better explanation (may be)

    Fax
     
  17. Berge01

    Berge01 Guest

    In reference to the following, 208.185.174.65 > this seems to be the problem Zonelabs IP. Why is Zonelabs connecting to Abovenet Communications, Inc, in the first place? Any reason to that?
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Abovenet Communication? What are you talking about??

    canonical name cm2.zonelabs.com.
    aliases
    addresses 208.185.174.65

    canonical name update.zonelabs.com.
    aliases
    addresses 209.87.209.52

    Fax
    Better to leave this thread before it will be transformed in.. the mossad is spying on you... Keep ZA away.. LOL
     
  19. Berge01

    Berge01 Guest


    I am talking about this. Abovenet Communications, Inc ABOVENET-6 (NET-208-184-0-0-1)
    208.184.0.0 - 208.185.255.255

    Btw, this is a discussion, NO NEED for an attitude problem.
     
  20. Maysky

    Maysky Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    11
    Thanks for the inputs, I searched and found similar responses here:

    http://forums.zonealarm.com/zonelabs/board/message?board.id=cfg&message.id=46795

    http://forums.zonealarm.com/zonelabs/board/message?board.id=gen&message.id=17380


    I understand that software needs updates in order to be effective, but the basic questions and concerns remain the same:

    1. If the ZA outbound in question is for update, why does it do that even after all updates are set to manual?

    2. If it's not update, then what is it?? o_O


    It can't possibly be a bug since the issue was known long ago, and Zonelabs would have fixed it if it's just a technical thing.


    --
     
  21. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost

    Network Whois record
    Queried whois.arin.net with "!NET-208-185-174-0-1"...

    CustName: Zone Labs, Inc.
    Address: 1060 Howard Street
    City: San Francisco
    StateProv: CA
    PostalCode: 94103
    Country: US
    RegDate: 2003-01-16
    Updated: 2003-01-16

    NetRange: 208.185.174.0 - 208.185.174.255
    CIDR: 208.185.174.0/24
    NetName: MFN-B709-208-185-174-0-24
    NetHandle: NET-208-185-174-0-1
    Parent: NET-208-184-0-0-1
    NetType: Reassigned
    Comment: abuse@zonelabs.com
    RegDate: 2003-01-16
    Updated: 2003-01-16

    RTechHandle: NOC41-ORG-ARIN
    RTechName: AboveNet NOC
    RTechPhone: +1-877-479-7378
    RTechEmail: noc@above.net

    OrgAbuseHandle: ABOVE-ARIN
    OrgAbuseName: AboveNet Abuse
    OrgAbusePhone: +1-888-636-2778
    OrgAbuseEmail: abuse@above.net

    OrgNOCHandle: NOC41-ORG-ARIN
    OrgNOCName: AboveNet NOC
    OrgNOCPhone: +1-877-479-7378
    OrgNOCEmail: noc@above.net

    OrgTechHandle: ABOVE1-ARIN
    OrgTechName: AboveNet Engineering
    OrgTechPhone: +1-888-636-2778
    OrgTechEmail: arin@above.net

    # ARIN WHOIS database, last updated 2007-05-08 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    ZA is probably using above.net as service provider, so what?

    Fax
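
Added example (not part of any post in this thread): a Python sketch that places an address in the WHOIS hierarchy quoted above, listing every netblock that contains it with the most specific one first. The records are constructed from the two ARIN entries in the thread with fields trimmed; the `OrgName` key on the parent record is an assumption about its layout.

```python
import ipaddress

# Constructed from the two ARIN entries quoted in the thread (fields trimmed;
# the OrgName key on the parent record is an assumption about its layout).
WHOIS_RECORDS = """\
OrgName: Abovenet Communications, Inc
NetRange: 208.184.0.0 - 208.185.255.255
NetHandle: NET-208-184-0-0-1

CustName: Zone Labs, Inc.
NetRange: 208.185.174.0 - 208.185.174.255
NetHandle: NET-208-185-174-0-1
Parent: NET-208-184-0-0-1
NetType: Reassigned
"""

def parse_records(text):
    """Parse blank-line separated 'Key: value' blocks into dicts with range bounds."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
        first, last = (ipaddress.ip_address(p.strip())
                       for p in rec["NetRange"].split("-"))
        rec["first"], rec["last"] = first, last
        records.append(rec)
    return records

def owners_for(ip, records):
    """Records whose range contains ip, smallest (most specific) range first."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in records if r["first"] <= addr <= r["last"]]
    return sorted(hits, key=lambda r: int(r["last"]) - int(r["first"]))

def describe(ip, records):
    """(holder name, NetHandle) pairs for ip, most specific block first."""
    return [(r.get("CustName") or r.get("OrgName"), r["NetHandle"])
            for r in owners_for(ip, records)]

if __name__ == "__main__":
    recs = parse_records(WHOIS_RECORDS)
    for ip in ("208.185.174.65", "209.87.209.52"):
        print(ip, describe(ip, recs) or "no matching record in sample")
```

For 208.185.174.65 both blocks match: the /24 reassigned to Zone Labs is the most specific, and its `Parent` handle points at the AboveNet allocation that contains it.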
     
  22. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Maybe later... best to try selective blocking 1st to see if there are any ill effects. Sometimes vendor support points users to FAQ page and wastes time.
    I'll test Maysky's idea first to see if I get the same outward packets.

    The approach is when we find which/if servers are not needed for updates publish the results here. Sort of like 3rd party testing for the forum.

    Using ZA Pro's excellent FW zones page enter these sites and block them one by one day by day it should be easy :doubt:


    BTW Fax, is Berge01 pointing out that the Abovenet Communications, Inc is where the outward is going ?

    "I am talking about this. Abovenet Communications, Inc ABOVENET-6 (NET-208-184-0-0-1)
    208.184.0.0 - 208.185.255.255" .

    and you are saying this is a service provider? Most ZA users are not aware of that linkage. Thanks for the extra data.
     
  23. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This, for me, on a security forum is somewhat disturbing. For a statement that "probably" using an IP, to "So what", is to me a need for concern.

    When a member of this forum asks a question, then either the answer is unknown, or the answer is given. For a reply "So what", I give concern as to the ability/knowledge of that member to give info.
     
  24. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost

    The answer was given and the "so what" was directed to the poster...:D
    So what? You don't like ZA is using a service provider?

    "Probably" means: I am not working for ZA!!!! So I don't know why they have chosen that provider instead of XXX!

    Fax
     
  25. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    Hello all posters:

    Just added hs2.zonelabs.com to the blocked sites list in the ZA FW.

    It translated to 208.185.174.66 which is the range of IPs under review.

    More testing data to follow.

    I just did a manual update and ZA Client was blocked from trying to reach 17.112.152.32 which translates to www.apple.com. akadns.net. But the update ran okay.

    Question: Why was an attempt made to apple?

    I then ran an ASW update, and it ran without any pop ups.

    I kind of like pop ups now since they teach us things we can't get any other way!

    Now I'm adding 208.185.174.65 to the list, wait for it...

    It is Abovenet Communications, Inc, just as Berge01 said, good confirmation of facts. Very refreshing.

    I again did an update of product, got the apple connect attempt blocked again but update was done.

    The ASW ran okay no blocks or messages! Just think if we lowered the logging factors or eased the FW security this information would be lost or not popped up!

    Does anybody want to test that?

    Sorry my BD 10 just did its automatic update, no messages, I can only assume they didn't try the apple connect or the Abovenet site.

    Enjoy !

    I'll return later after adding more sites to block!
     