[Full-Disclosure] Zone Alarm Pro

From: gregh (chows_at_ozemail.com.au)
Date: 07/10/03

  • Next message: Paul Szabo: "[Full-Disclosure] Acroread 5.0.7 buffer overflow"
    To: "Disclosure Full" <full-disclosure@lists.netsys.com>
    Date: Thu, 10 Jul 2003 08:00:44 +1000
    
    

    Tested on Windows XP Home only.

    Background:
    ------------

    Due to the nature of the customers in my area and their lack of basic caring about what may be getting on to their systems, just caring about "Ease of use", I chose to use exactly what the major amount of my business customers would allow on their computers, being Win XP Home, ZA Pro, OE etc. The idea was that whatever would affect them would, hopefully, be found by me before they had it happen to them.

    Problem:
    --------

    In doing this, I put ZA Pro on my system last year in order to check out "ease of use" which, once set up, was fine and given their strict email/browsing rules around here, seemed enough. Naturally, as they get spam and sometimes don't realise that which they are clicking on, I decided to use ZA Pro V3.7x to block port 80 outbound, for OE in an attempt to stop emails that they read "phoning home" and basically telling spammers, in the best scenario, that the mailbox is active no matter what they do with the email once read and in the worst scenario - well I leave that up to you. It is, to be sure, a basic way of handling things but when they pay you, then you have to make things easy if they flat out demand it and that was the case. In V3.7x this basic blocking - and blocking of other programs on other ports - worked and was "good enough" so long as I routinely visited them and checked out what they may have accumulated in the meantime. Then V4.x came out. The ability to blo!
     ck programs access per port had been totally removed. It had been replaced by "Expert Rules". A little investigation showed that now you could not define a port number of your choice to block but at least I could, according to those rules, block "HTTP" which I assumed, at first meant port 80 for OE and I set this up. That was where the problem started. I had mistakenly assumed it would work that way and in came a HTML email which contacted, on port 80, Internet in order to download graphics to put in the email. It actually did that. At first I thought it was my fault and did all sorts of permutations in order to fix the mistake but nothing changed.

    Notification:
    -------------

    I notified Zone Labs starting 18th June 2003. Their first responses were that I had it set up wrong and I was willing to believe them, did what they said and it resulted in the same problem still being there. After a couple of emails back and forth, they finally told me that the rule that had existed in V3.7x had, in fact, been removed because "it wasn't being used" which is something I cant understand how they would know one way or another. They also NOW say that the "Expert Rules" are NOT meant to block OE outbound on port 80. However, when you set up a rule to do that using their predefined "HTTP" it actually defaults to port 80 according to the program then doesn't do a thing about it. According to Zone Labs, the ZA Pro can NOT block ANY program on port 80 any longer though the "Expert Rules" when set up, say something else.

    Conclusion:
    -----------

    If you have customers who rely on you for the smooth running of their Windows machines and really don't understand the basics of a basic program like ZA Pro, you would be well advised to tell them NOT to update to V4.x and await the expiry date of their licence then find something that works properly.

    Greg.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html


  • Next message: Paul Szabo: "[Full-Disclosure] Acroread 5.0.7 buffer overflow"

    Relevant Pages

    • [Full-disclosure] Wi-fi. Approaching customers
      ... Greg. ... Full-Disclosure - We believe in it. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://www.secunia.com/ ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Is this caused by Sobig?
      ... has a firewall in front of it. ... > Greg. ... Full-Disclosure - We believe in it. ... Charter: http://lists.netsys.com/full-disclosure-charter.html ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] next blaster variant on its way
      ... I note Adaware even has a detection for msblaster now.... ... Greg. ... Full-Disclosure - We believe in it. ... Charter: http://lists.netsys.com/full-disclosure-charter.html ...
      (Full-Disclosure)
    • Re: [Full-Disclosure] Idea
      ... NO SHELL! ... Greg. ... Full-Disclosure - We believe in it. ... Charter: http://lists.netsys.com/full-disclosure-charter.html ...
      (Full-Disclosure)
    • [Full-Disclosure] Whois appears to have taken a hit
      ... whois.opensrs.net - no response from ping or whois queries. ... Full-Disclosure - We believe in it. ... Charter: http://lists.netsys.com/full-disclosure-charter.html ...
      (Full-Disclosure)