Re: ZoneAlarm

From: "@lf" <alf@xxxxxx>
Date: Sun, 03 Dec 2006 12:34:44 +0100

arja wrote:

"Postal Dude" <sp@xxxxxx> schreef in bericht news:e9pch.310$ja6.308@xxxxxxxxxxxxxxxxxxxxxxxxx
On Sun, 03 Dec 2006 00:45:23 +0100, arja wrote:
In contrary to the good for nothing windows firewall Zonealarm offers
monitoring of the outgoing traffic so youZr notified when youZr infected.

What if the malware has added itself to ZA's "allowed" rules? Then it does
not give an alert.

Do you have an example of that.

Technique called process infection. Malware pick a process in memory (software firewalls usually makes checksums for files) and add it's own code to the process which is on software firewall "trusted" list. Recently I tried to repair a machine where uTorren was sending mailes/spam (broadband account was locked). uTorrent client normally didn't have e-mail capacibility. Machine was zombie, flatten and rebuilded. Firewall was ZA and it didn't report anything.

Rootkit. How to stop something WinAPI (software firewalls use it) cannot see. Recently I noticed that rootkit infections (usually zombie machines) are not uncommon anymore. On a same machine after killing uTorrenr, Rootkit revealers didn't report anything. But after scanning machine remote (nmap) I noticed unusal ports opened (netstat and activeports didn't report anything there), so probably rootkit was running. ZA didn't report anything as well.
.

References:
- ZoneAlarm
  - From: Jim Ford
- Re: ZoneAlarm
  - From: Volker Birk
- Re: ZoneAlarm
  - From: arja
- Re: ZoneAlarm
  - From: Postal Dude
- Re: ZoneAlarm
  - From: arja

Prev by Date: Re: ZoneAlarm
Next by Date: Most sophisticated free firewall?
Previous by thread: Re: ZoneAlarm
Next by thread: Re: ZoneAlarm
Index(es):
- Date
- Thread

Relevant Pages

Re: Fraud.Windows.ProtectionSuite
... which uses an advanced rootkit technology to hide its ... detect the infection*, and because it goes so deep into the kernel, most ... driver is critical for system boot-up, Windows will not boot in Safe Mode ... normal mode and still no icons open programs. ...
(microsoft.public.windowsxp.general)
Re: Fraud.Windows.ProtectionSuite
... which uses an advanced rootkit technology to hide ... driver is critical for system boot-up, Windows will not boot in Safe Mode ... This infection is bringing all together the best of MBR rootkit, ... normal mode and still no icons open programs. ...
(microsoft.public.windowsxp.general)
[vaguely OT] Infected XP owners left unpatched
... Some of the latest security updates for Windows XP will not be installed on machines infected with a rootkit virus. ... Microsoft said it had taken the action because similar updates issued in February made machines infected with the Alureon rootkit crash endlessly. ... "These abnormal conditions on a system could be the result of an infection with a computer virus that modifies some operating system files, which renders the infected computer incompatible with the kernel update," read the statement. ...
(alt.sys.pc-clone.dell)
Re: cant get rid of anti-spyware or message
... | goes on to say theres possible harmful infection and click here to DL ... On Win9x/ME platforms the report will not be shown in your bowser ... It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML ...
(microsoft.public.windowsxp.security_admin)
Chemical Reaction May Have Caused Eye Infections
... Officials also believe the fungal contamination occurred in patients' ... After the same research team came out with a preliminary report in May, ... For the 34 million contact lens wearers in the United States, ... an infection that can lead to blindness or the ...
(sci.med.vision)