CORRECT! Here's ZA Tech Support's Email Re: Internet Worms and ZoneAlarm

From: Chuck Something (ReplyTo@Thisnewsgroup.com)
Date: 02/03/02


"NormanM" <norman_miller@11BlauWaldmail.com> wrote in message
news:3c5ce2ae.9944048@news.sf.sbcglobal.net...
| On Tue, 29 Jan 2002 00:21:01 -0600, "Chuck Something"
| <ReplyTo@Thisnewsgroup.com> wrote:
|
| >My (free) ZA is set up Pass Lock for MSIE/OE, so a worm (if I was to get
| >one) would be home free if it used OE.
| >
| >However, some worms have their own SMTP routines which (I believe) bypass
| >the usual email client. Would ZA prevent such from connecting to the
| >Net?
| >
| >TIA,
| >
| >Chuck S
| >
| >
| IIRC, ZA will pop up a warning asking if an application it doesn't
| recognize should be allowed an outbound connection. If the worm is
| using a client which ZA hasn't seen before, it should let you know
| about it.
|
|
| Norman M.
| >>>Clear-cut the Blue Forest to reply by email.<<<

Thanks, Norman. This is true, as I found out from ZA Tech Support. See
message below.

Best,

Chuck S

======================================

ZoneAlarm protects the computer it is installed on by only allowing Internet
traffic authorized explicitly by the user.

ZoneAlarm uses two Zones: the untrusted Internet Zone (highest security) and
the trusted Local Zone (for connecting to servers or sites that you trust and
which require more access to your machine).

There is a third zone -- a Restricted Zone (which restricts access to your
computer from individual computers or groups of computers) -- which is
available in ZoneAlarm Pro only. This should not be used as a substitute
for parental controls, as some sites use multiple IP addresses or may
periodically change their IP address.

Remember that checking a Block Servers Box for either Internet or Local Zone
will block access to servers in that Zone.

When an application tries to access the Internet for the first time,
ZoneAlarm immediately brings it to the user's attention, letting the user
decide if it should be allowed. This unique feature exposes hidden programs
and lets the user prevent Trojans from secretly communicating over the
Internet. ZoneAlarm also knows if an application has changed, and will alert
you to that fact as well. This is one way that Trojans can trick users into
allowing them access, so if you see a Program Has Changed alert, be sure
that either you updated the program, or that it is allowed to automatically
update itself.

When a user authorizes an application, like Microsoft Outlook, your web
browser or an online game to access the Internet, it is granted full access
and can receive and send data freely until you disconnect from the network.
If you check the box to remember that application in ZoneAlarm's Programs
list, it will always allow the application network access.

ZoneAlarm's MailSafe feature protects against Visual Basic Script (.VBS)
attachments.

Malicious programs can enter a computer via email or from downloading files.
ZoneAlarm's unique application control exposes all programs that attempt to
communicate over the Internet and enables the user to stop them.

ZoneAlarm is dependent on its TrueVector service to monitor and control
Internet access on your computer. You can verify that the TrueVector driver
is running by opening ZoneAlarm's Configure Panel and checking its status.
By default, TrueVector is configured to run as a service when your system
boots up. Currently, the TrueVector service continues to run when you close
any client, until you shut down your computer or the service in the services
manager. This ensures that security rules are enforced when your computer
is running, even if no one is logged on.

ZoneAlarm gives rock-solid protection against thieves and vandals by
combining the safety of a dynamic firewall with total control over how
applications use the Internet. ZoneAlarm makes ironclad Internet security
easy-to-use.

Zone Labs recommends using ZoneAlarm/ZoneAlarm Pro, and a good up-to-date
antivirus program. Always keep your security programs and DAT files up to
date.

=========================================================================

There are some default Windows processes which may prompt for access to the
Internet. In some cases you may see some of these processes 'listening' for
incoming connections.

Note that if a program asks for Server rights and you say Yes, it will have
Server rights to both the Local AND Internet Zones. If the program only
requires Server rights to the Local Zone (i.e. if you have added the servers
that the program will connect to into the trusted Local Zone), you should go
into the Programs Panel and deny Access and Server rights for that program to
the Internet Zone.

The Services and Controller App is necessary in order for you to surf the
web.

Generic host process for win32 is (like the name implies) a generic process,
which acts as a host for other processes running from DLLs. Therefore,
more than one entry for this process is possible. If you are using Windows
2000, you can see what processes are running by using the Microsoft file
Tlist.exe found on the Windows 2000 CD-ROM. The syntax is tlist -s at the
command prompt.

Windows Messaging subsystem may be required by Microsoft email clients - for
more information, search for article #Q254458 at MS support :

    http://support.microsoft.com

RPCSS is the remote procedure call service.

SSH is a secure shell. This service supports the ability to re-direct ports
on both local and remote machines (for example to pick up mail from a POP
server). This allows you to access non-telnet services through an encrypted
channel.

Depending on what else you are running, on W2K you may also see Distributed
COM services prompt for server rights to the Internet.

If you are concerned with DCOM for network security reasons then please
continue reading. DCOM can be disabled but be aware that this will disable
the ability to communicate for any program that is programmed to use DCOM,
and may have unexpected results. Products such as Microsoft Message Queue
and Microsoft Transaction Server use DCOM.

How to disable DCOM's ability to use networking:

The DCOM configuration utility is called DCOMCNFG.EXE. (By default it is
included in W2K, and in NT as of SP4; on Win95 and 98 the user must install
it by downloading it from Microsoft.)

Click Start>Run. Type DCOMCNFG. Under the "Default Protocols" tab, select
and remove all listed protocols. That should remove DCOM's ability to
communicate via a network.

Some other Windows services that you might see listed are:

-Windows Management Instrumentation
-Server Protect Win32-based Service
-Microsoft License Server
-Microsoft Management Console
-Logical Disk Manager Service process
-Internet Information Services

PORTS :
-Universal Plug N Play (accesses port 5000)
-Simple Service Discovery Protocol (accesses port 1900)

If you test your security and find these ports showing as not stealthed even
with your Internet Zone set to high, this is likely due to a security issue
with the Operating System. For more info and a patch:

      http://www.microsoft.com/technet/security/bulletin/ms01-054.asp

NOTE - Some Trojans may try to use commonly used ports that Windows services
use, with similar process names, in order to trick you into allowing them
access.

For further information please see the Microsoft Support site at
http://support.microsoft.com. Some good articles to read (simply search by
article ID):

Q263201 (Windows Services)
Q262458 (Description of Universal PnP)
Q276507 (How to enable Universal PnP)

You can also select your version of Windows, type in the word "port" and the
ports you are interested in (or, if ZA/ZAP shows a service name, use that
instead), and this will often give you the information you need.

If you need to reply to us, please keep all text intact.

You can download the latest version of ZoneAlarm and ZoneAlarm Pro from our
website:

        http://www.zonelabs.com/zonealarm

Note that the Trial version is the same as the Full version once you enter
your license key. We recommend that you keep a copy of the latest file in
case of problems later.

Best regards,
Zone Labs Support
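The application-control behaviour the Zone Labs mail describes (a prompt for a program it has not seen, a Program Has Changed alert when a remembered binary differs, Server rights that land in both Zones until you narrow them in the Programs panel, and a Trojan borrowing a Windows service name) can be reasoned about as a small policy model. The Python below is an added example written for this page, not Zone Labs code. It assumes a program is keyed by its full path plus a SHA-256 of the executable image (the mail only says ZoneAlarm "knows if an application has changed"; the hash is this example's choice), and every path and "binary" in it is a constructed stand-in.

```python
"""Toy model of ZoneAlarm-style application control (added example, not
Zone Labs code). Assumptions: a program is identified by its full path and a
SHA-256 of its image; the Zones are the two the mail names, Internet and Local.
"""
import hashlib
from dataclasses import dataclass, field

ZONES = ("Internet", "Local")


def _rights(value):
    return {zone: value for zone in ZONES}


@dataclass
class ProgramEntry:
    """One row of the Programs list: remembered image hash, plus Access and
    Server rights per Zone."""
    digest: str
    access: dict = field(default_factory=lambda: _rights(False))
    server: dict = field(default_factory=lambda: _rights(False))


def fingerprint(image: bytes) -> str:
    """Hash of the executable image; a modified binary yields a new digest."""
    return hashlib.sha256(image).hexdigest()


class AppControl:
    def __init__(self):
        self.programs = {}  # full path -> ProgramEntry

    def remember(self, path, image, access=True, server=False):
        """The 'remember this answer' checkbox. As the mail warns, saying Yes
        to a Server-rights prompt grants it in BOTH Zones."""
        self.programs[path] = ProgramEntry(
            fingerprint(image), access=_rights(access), server=_rights(server))

    def restrict_to_local(self, path):
        """The manual fix the mail recommends: deny Access and Server rights
        for the Internet Zone, leaving the Local Zone untouched."""
        entry = self.programs[path]
        entry.access["Internet"] = False
        entry.server["Internet"] = False

    def decide(self, path, image, zone, listen=False):
        """Verdict for one attempt: 'allow', 'deny', or a prompt reason."""
        entry = self.programs.get(path)
        if entry is None:                      # never seen: ask the user
            return "prompt:new program"
        if entry.digest != fingerprint(image):  # binary differs from the remembered one
            return "prompt:program changed"
        rights = entry.server if listen else entry.access
        return "allow" if rights[zone] else "deny"


# Constructed stand-ins for executable images; real ones would be read from disk.
OUTLOOK = r"C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE"
SVCHOST = r"C:\WINNT\system32\svchost.exe"
SSHD = r"C:\Program Files\OpenSSH\sshd.exe"
IMAGES = {
    OUTLOOK: b"MZ outlook (constructed)",
    SVCHOST: b"MZ svchost (constructed)",
    SSHD: b"MZ sshd (constructed)",
}


def scenario():
    """Walk the cases raised in the thread and return the verdict for each."""
    fw = AppControl()
    fw.remember(OUTLOOK, IMAGES[OUTLOOK])
    fw.remember(SVCHOST, IMAGES[SVCHOST])
    fw.remember(SSHD, IMAGES[SSHD], server=True)   # user said Yes to Server rights
    verdicts = {
        "outlook sends mail": fw.decide(OUTLOOK, IMAGES[OUTLOOK], "Internet"),
        # A worm with its own SMTP engine is an unknown program, so the user is asked.
        "worm's own smtp engine": fw.decide(
            r"C:\WINNT\Temp\mailer.exe", b"MZ worm (constructed)", "Internet"),
        # Infected Outlook binary: the remembered hash no longer matches.
        "outlook after infection": fw.decide(
            OUTLOOK, b"MZ outlook + payload (constructed)", "Internet"),
        # Trojan named svchost.exe in another directory: keyed by full path, it
        # does not inherit the real svchost's remembered rights.
        "fake svchost": fw.decide(
            r"C:\WINNT\Temp\svchost.exe", b"MZ trojan (constructed)", "Internet"),
        # Server rights were granted in both Zones at the prompt...
        "sshd listens, internet": fw.decide(SSHD, IMAGES[SSHD], "Internet", listen=True),
    }
    fw.restrict_to_local(SSHD)   # ...until narrowed in the Programs panel.
    verdicts["sshd listens, internet, after restrict"] = fw.decide(
        SSHD, IMAGES[SSHD], "Internet", listen=True)
    verdicts["sshd listens, local, after restrict"] = fw.decide(
        SSHD, IMAGES[SSHD], "Local", listen=True)
    return verdicts


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:42} {verdict}")
```

The model also shows the limit Chuck raised at the top of the thread: only the sending binary is checked, so a worm that drives an already-trusted mail client rather than shipping its own SMTP engine gets a plain "allow".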
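The mail points you at tlist -s to see which services each Generic Host Process (svchost.exe) instance is carrying, and separately warns that a Trojan may borrow such a process name. A small parser over that output groups hosted services per PID and flags any svchost.exe entry that hosts no service at all, a shape a process that merely borrowed the name would show. This is an added example for this page, not Microsoft or Zone Labs code; the sample listing is constructed in the Svcs: layout that Windows 2000 tlist -s prints, and that line format is an assumption to check against your own output.

```python
"""Group tlist -s output by process and flag svchost.exe entries that host no
service (added example; the 'Svcs:' line layout is an assumption)."""
import re

# Constructed sample in the shape of `tlist -s` on Windows 2000.
SAMPLE = """\
   0 System Process
   8 System
 148 smss.exe
 176 csrss.exe         Title:
 196 winlogon.exe      Title: NetDDE Agent
 224 services.exe      Svcs:  Browser,Dhcp,dmserver,Eventlog,lanmanserver,lanmanworkstation,PlugPlay
 236 lsass.exe         Svcs:  PolicyAgent,SamSs
 412 svchost.exe       Svcs:  RpcSs
 440 spoolsv.exe       Svcs:  Spooler
 484 svchost.exe       Svcs:  EventSystem,Netman,NtmsSvc,RasMan,SENS,TapiSrv
 520 vsmon.exe         Svcs:  vsmon
 640 svchost.exe       Title:
 712 explorer.exe      Title: Program Manager
"""

LINE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<image>\S+)(?:\s+(?P<rest>.*))?$")


def parse_tlist(text):
    """Return {pid: (image, [services])} for every process line."""
    procs = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = (m.group("rest") or "").strip()
        services = []
        if rest.startswith("Svcs:"):
            services = [s for s in rest[len("Svcs:"):].strip().split(",") if s]
        procs[int(m.group("pid"))] = (m.group("image"), services)
    return procs


def services_by_image(procs, image="svchost.exe"):
    """Services hosted by each instance of `image` (name compared case-insensitively)."""
    return {pid: svcs for pid, (name, svcs) in procs.items()
            if name.lower() == image.lower()}


def suspicious_hosts(procs, image="svchost.exe"):
    """PIDs named like the service host but hosting no service. The real host
    is started by the Service Control Manager to carry services, so an empty
    entry deserves a second look. Heuristic, not proof: a genuine instance
    whose services have not loaded yet looks the same."""
    return sorted(pid for pid, svcs in services_by_image(procs, image).items()
                  if not svcs)


if __name__ == "__main__":
    procs = parse_tlist(SAMPLE)
    for pid, svcs in services_by_image(procs).items():
        print(f"svchost.exe pid {pid}: {', '.join(svcs) or '(no services)'}")
    print("check these:", suspicious_hosts(procs))
```

On later Windows versions `tasklist /svc` reports the same information in a different table layout, so the regex would need adjusting; the grouping and the empty-host check carry over unchanged.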


