
Thread: Some SmartDefense Advisor "Auto" settings kind of freak me out.

  1. #21
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Hi Jarvis,

    You're just full of surprises, aren't you?

    Here's mine.

    Although the release of Firefox I have installed is called "Product Version 1.5" the Firefox executable file (firefox.exe) is "File Version 1.8: 2005111116" so I've copied and pasted that info (redundantly), from two sources, so you can pick and choose which and how much information you want to send for analysis.

    From "About Mozilla Firefox"= Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8)Gecko/20051111 Firefox/1.5

    From ZAP "Entry Detail"= firefox.exe Version 1.8: 2005111116 Last modified date 11/29/2005 23:20:50 File size 6995 KB

    skimpChecksum="90f9dc77-a1a2eb7f-17e4b40d-00fdb5d2"

    Here's some additional information that may, or may not be useful.

    Last night (early this morning -yesterday?) as I was getting ready to log off this forum I got a ZAP pop up which looked something like this...

    Description: Firefox requested permission to access the internet.
    Rating: High
    Date / Time: 2006/01/31 00:37:02-6:00 GMT
    Type: Repeat Server Program
    Program: C:\PROGRAM FILES\MOZILLA FIREFOX\firefox.exe
    Source IP: 207.69.188.185:53
    Destination IP:
    Direction: Incoming (accept)
    Action Taken: Allowed (once)/Manual
    Count: 1
    Source DNS: ns1.mindspring.com
    Destination DNS:

    The ZAP Programs log entry "Description" is technically correct but misleading unless the additional "Direction" information ("Incoming (accept)") is taken into account.

    I screen-captured the ZAP pop-up alert 'balloon' and saved it. The actual message on the 'balloon' is "Firefox wants to accept connections from the trusted zone."

    Here's what I got when dove into the ZAP "Alerts & Logs" Program Log, found the log entry, right clicked on the log entry, and selected "More Info"...

    [Partial Quote of the web page contents]

    SmartDefense Advisor ["Overview" tab]
    Firefox wants to accept connections from the Internet or your local network
    [...brevity snip...]
    Firefox is the main program for open source Firefox web browser, which is part of the Mozilla Internet browsing suite. It is normal for this program to request server permission, and it is safe to grant permission.

    [End Quote]

    Here's the URL... it's so long you may have to paste it back together in your browser address field, in order to see the entire SmartDefense Advisor web page for yourself... if you're interested and haven't already seen it a zillion times before.

    http://pralerts.zonelabs.com/pranaly...overview&CL=en

    This begs the question, "Why would my ISP's DNS server be sending a connection request to my Firefox browser?" Of course, the answer is, "How the heck would I know!?"

    My decision was to uncheck "Remember this setting" and "Allow" the connection. And.... Hey! Nothing blew up! (This time ;-)

    I spent more than several hours this evening/morning (What day is it?) searching the Mozilla forums, knowledge base, etc. I found this thread which is similar in content to other scattered posts I found throughout the forum...

    http://forums.mozillazine.org/viewto...rm+thunderbird

    I don't know if this can and/or should be taken as a definite answer, because I think the Mozillazine forums are like this one... users supporting users... but, it does confirm what I thought and it does contradict the SmartDefense Advisor web page advice.

    Curious?

    Cheers,
    Ah-hA

  2. #22
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Hi zasuiteuser,

    Like you found for Outlook, I found multiple entries for 'program path="FIREFOX.EXE"' and each entry found had a different value for "skimpChecksum."

    However, I found only a single entry, in the entire backup XML file, for the full Firefox pathname search term "C:\PROGRAM FILES\MOZILLA FIREFOX\firefox.exe". As I understood his post, that particular entry is the only "skimpChecksum" Jarvis is asking for.

    Look at the Outlook "Entry Detail" in ZAP Program Control and use the "File name" path that you see there, as your search term.

    Does that help?

    Cheers,
    Ah-hA

  3. #23
    jarvis Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Ah-Ha

    You're correct, please only post the skimpChecksum when you find a full path. Entries with just a filename are for different program versions from the one you're running.

  4. #24
    zaswing Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    I just corrected my message. All yours now!

  5. #25
    slickrick Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    More weird things happening, this time with ZAP 5.5.094. In Alerts & Logs this time... In Alert type: Program
    Out of 13 alerts:
    9 blank Source IP
    9 blank Destination IP
    3 blank Directions
    3 blank Action Taken (if any)
    9 blank Source DNS
    10 blank Destination DNS
    Screen Capture in bmp available
    My confidence level is dropping with this version as well.

  6. #26
    jarvis Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    I have sent your skimpChecksum values to my contact at ZoneLabs. He has responded while I was composing this message to say they are looking into modifying the default permissions for these programs, but the changes would roll out gradually while they test them. Apparently there are rare cases where Word acts as a server, but the function was only used in <1% of cases.

    I've also received an explanation of sorts for why some applications can be deliberately given Internet Server rights by SmartDefense.

    Warning, this is very long - I've tried to explain it in my own words
    Basically, some programs have multiple processes - e.g. like Zonealarm has vsmon.exe and zlclient.exe, or Diskeeper has dkservice.exe, dfrgntfs.exe, dfrgfat.exe, etc.

    There are various ways that these processes can communicate with each other (Inter-process communication - IPC). One is DDE, which has been around since Windows 3.1. Another is DCOM which appeared in Windows 9x (as an add-on, not with the OS) and from Windows 2000 (and probably NT) was included. The problem with these methods is that they are specific to Windows. If you're writing a program that you might decide to port to another OS, it's better to use something more standard like TCP/IP. Another advantage of using TCP/IP for IPC is that it can work both within a single PC and also across a LAN, using the same piece of code. E.g. Diskeeper can be scheduled locally or remotely.

    So, one reason why a program could be granted "Server rights" is that it is able to be controlled across a LAN by another process, or perhaps just by another process on your PC. Now, it would be sensible to grant only "Trusted Server Rights" to these types of programs, because you would only want them to be controllable from your PC or your trusted network.

    When working within a single PC, the process that is sending out packets to another process should create packets with a FROM address of 127.0.0.1 (Localhost) which are addressed TO Localhost as well. Localhost is in the Trusted Zone of ZA by default, so there would be no problem just granting Trusted Server rights to the listening process. However, apparently some of these types of programs put another IP in the FROM address, such as 192.168.0.254. And the listening process filters any packets coming in on whatever port it is listening on and only takes note of those coming from that IP. As that IP would not be in the Trusted Zone by default, they have to give it Internet Zone security to make it work. Now since 192.168.x.x are reserved for LANs, there is no way that a PC on the internet could control the process on your PC. But if there was a bug in the listening process, then a possibility exists for a remote exploit.

    So Zonelabs have to decide whether to make you secure but stop your favourite program from working (unless you modify the configuration) or let the program work but allow it to theoretically accept packets from the Internet Zone.

    None of the above is relevant to something like Firefox or Word, but could be applied to some of the Windows processes like mshta.exe.

    Question: If you're connected directly to the internet (not behind a router or NAT modem) have you tried using GRC's Shields UP! test or another port scan test while these programs were running and granted Internet Server rights? Were you still stealthed?

    I can't test because I'm behind a router.
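    An added example, not from the thread or from Zone Labs, that walks through the zone logic in the post above: it assumes the Trusted Zone contains only Localhost by default and treats every other address as the Internet Zone, then shows that a listener whose peer sends from 192.168.0.254 can be covered by a one-host Trusted Zone entry instead of Internet Server rights.

```python
import ipaddress

# Trusted Zone as the post describes the default: only Localhost. The
# exact default contents are an assumption of this example.
DEFAULT_TRUSTED_ZONE = ("127.0.0.0/8",)


def zone_of(src_ip, trusted_zone=DEFAULT_TRUSTED_ZONE):
    """Classify a packet's FROM address: inside any Trusted Zone network
    -> 'trusted', anything else -> 'internet' (the only other zone)."""
    addr = ipaddress.ip_address(src_ip)
    nets = (ipaddress.ip_network(n, strict=False) for n in trusted_zone)
    return "trusted" if any(addr in net for net in nets) else "internet"


def required_server_rights(peer_ips, trusted_zone=DEFAULT_TRUSTED_ZONE):
    """Lowest server-rights level that lets the listening process receive
    from every peer it actually talks to. A single peer outside the
    Trusted Zone is enough to force Internet Server rights."""
    zones = {zone_of(ip, trusted_zone) for ip in peer_ips}
    return "internet" if "internet" in zones else "trusted"


def least_privilege_fix(src_ip, trusted_zone=DEFAULT_TRUSTED_ZONE):
    """Instead of granting Internet Server rights, find the narrowest
    configuration change. A loopback or RFC 1918 peer (the 192.168.0.254
    case in the post) cannot be reached from the Internet, so adding just
    that host to the Trusted Zone is enough; only a publicly routable
    peer genuinely needs Internet Server rights."""
    addr = ipaddress.ip_address(src_ip)
    if zone_of(src_ip, trusted_zone) == "trusted":
        return ("none", "peer already in the Trusted Zone")
    if addr.is_loopback or addr.is_private:
        return ("add_to_trusted",
                f"add {addr}/32 to the Trusted Zone and keep Trusted Server rights")
    return ("internet_server",
            "peer is routable from the Internet; Internet Server rights needed")


if __name__ == "__main__":
    # Constructed sample: the IPC pattern from the post, with one process
    # sending to the listener from 192.168.0.254 instead of Localhost.
    for ip in ("127.0.0.1", "192.168.0.254", "207.69.188.185"):
        print(ip, zone_of(ip), least_privilege_fix(ip))
    print(required_server_rights(["127.0.0.1", "192.168.0.254"]))
```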

  7. #27
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.


    [Quote]
    Edited 2/1 - I just deleted all lines where there was no path. Sorry. Jarvis & Ah-hA, please realize that I'm learning as we go along - I didn't understand the meaning of path/no path.

    Message Edited by zasuiteuser on 02-01-2006 09:41 AM
    [End Quote]

    Hi zasuiteuser,

    I always try to realize that of others, and I hope others will treat me with the same respect. On the other hand, I will not gladly suffer a Troll!

    Sometimes, it seems like to me the learning curve just never tapers off... it just keeps going up, and up, and up... :robotsurprised:

    The good news is that, in my experience, learning some basic terminology (such as the meaning of "the full pathname of a file") leads to better understanding of other terminology.

    The bad news is that technology is growing so fast there's a never ending supply of *new* "basic terminology" to learn! :robotwink:

    Cheers,

    Ah-hA

  8. #28
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Thanks so much, Andy (aka Jarvis)!

    These tidbits of information you keep passing out are going to keep me pretty busy. In many respects, I'm in the same situation as zasuiteuser when it comes to learning/understanding a lot of this information. It's going to take me a little while to read, and re-read your post, look up terminology, and try to digest it all. But, I already have a comment about this part of your post...

    [Quote]
    There are various ways that these processes can communicate with each other (Inter-process communication - IPC). One is DDE, which has been around since Windows 3.1. Another is DCOM which appeared in Windows 9x (as an add-on, not with the OS) and from Windows 2000 (and probably NT) was included. The problem with these methods is that they are specific to Windows. If you're writing a program that you might decide to port to another OS, it's better to use something more standard like TCP/IP. Another advantage of using TCP/IP for IPC is that it can work both within a single PC and also across a LAN, using the same piece of code. E.g. Diskeeper can be scheduled locally or remotely.
    [End Quote]

    It seems to me that Microsoft has an uncanny knack for tinkering with "standard" communications 'stuff' and cooking up proprietary communications 'stuff' that sooner or later ends up being compromised by 'the bad guys.' ActiveX would be another example of that. I don't know... IMO Microsoft appears to be fundamentally warped when it comes to anything that's open source or open standards. (End Rant)

    Cheers,

    Ah-hA

  9. #29
    zaswing Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Re: I have sent your skimpChecksum values to my contact at ZoneLabs...
    Great. I still wonder why I see two Outlooks in the current xml file. And what they'll say about Ah-hA's (hey, isn't my username easier to type than yours? )

    Re: Warning, this is very long - I've tried to explain it in my own words...
    Jarvis, this to me is a wonderful explanation. I'm still reading and rereading. Not at all too long. Just clear enough to begin connecting some dots for me. I found the historical perspective quite interesting, I didn't know any of that.

    Re: When working within a single PC, the process that is sending out packets to another process, should create packets with a FROM address of 127.0.0.1 (Localhost) which are addressed TO Localhost as well...
    -- I've seen 127 loopback but only when the log is set to show everything, I think.
    -- Normally I do see 192 sending to whatever DNS server my DSL provider uses; most of the ins and outs are blocked most of the time by ZA. On the ZA log screen, I never see anything as clear as, say, Zone Labs upgrade server, or Google. So to this day, I'm not sure what I'm really seeing.
    -- A bit of confusion for me comes from the fact that I use a router, IP 192 some different number at the end, and run LogViewer on the screen which continually updates legitimate stuff, pinging and so on. It tells me the exact site name and IP address, but I have trouble relating it to the ZA logs.
    -- So my problem, I think, is that while some application or RunDLL might be connecting to the internet, ZA doesn't say where in most instances, or I think it doesn't.
    -- To add insult to injury, yesterday was an interesting example. Adobe Reader wanted to upgrade. I actually went through all the steps of the SmartDefense, only to be told on their 4th screen at the end that the IP address Adobe wanted to talk to is a HACKER. Well, it's in the IANA's list and on the whois site as being Verizon DNS. So whom do I believe?? Unless for the past several months I've been routed to some impostor ?!?!?!?!?!?!?
    -- Is all this a problem with Zone Alarm? I don't think so really. It's a problem of a user (me) misunderstanding things. Which is why I will continue reading and rereading what you wrote as well as the ZL documentation, but that's not easy reading.
    -- I'm not even sure if what I wrote here is even on-topic. Apologies, if not. As a moderator/Guru you can delete. I don't want this thread to become too messy with things that might not be related.

    Re: I can't test because I'm behind a router...
    I can't either. It's totally stealthed when GRC runs but that's not a test of ZA. Too scared to run your test, and I think the DSL modem also does NAT translation of sorts so taking the Linksys router out of the loop would not tell me much.

  10. #30
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Hi Jarvis,

    RE: Question: If you're connected directly to the internet (not behind a router or NAT modem) have you tried using GRC's Shields UP! test or another port scan test while these programs were running and granted Internet Server rights? Were you still stealthed?

    Yes, been there and done that. But, it's been a long time since I did that, and I never thought of having Firefox running when I did so. I am behind a router (does have NAT 'firewall') and a broadband modem (if it has NAT capability my ISP didn't enable it).

    Since I'm the System Administrator of my home network I can do anything I want! Well, anything I'm capable of doing, and your suggestion sounds like something I can do. I think it's just a simple matter of shutting down, cutting power to all the hardware, moving one end of the ethernet cable from the router plugin to the modem plugin, and powering back up. Since I'm bypassing the router (including its Network Address Translation (NAT)) when ZAP comes up it's going to find a 'new network.' That network is actually the untranslated network address provided to the broadband modem (and consequently to my computer) by my ISP... what anyone who isn't using a modem (with NAT) or a router (with NAT) would see as their "IP address."

    Thanks for the suggestion, Jarvis. I'll do that and let you know what I find out.

    FYI: Murphy's Law or one of its corollaries struck 'here' last night! An update to Firefox v1.5 was released by Mozilla. Let me know if you want the new skimpChecksum for it.

    Murphy's computers laws [http://www.murphys-laws.com/murphy/m...computer.html]

    Cheers,
    Ah-hA

    Message Edited by Ah-hA on 02-02-2006 03:52 PM
