
Thread: Some SmartDefense Advisor "Auto" settings kind of freak me out.

  1. #31
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    zasuiteuser wrote:
    (hey, isn't my username easier to type than yours?)

    Well... umh... I was hoping you wouldn't notice that discrepancy. But, now I've typed it so many times my fingers blur as they fly across the keyboard! ;o)

    Cheers,
    Ah-hA

  2. #32
    jarvis Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Zone Labs appear to have made some changes. Now the only Programs in my ZA-SS that have Internet Server rights are ones where I have granted them.

    Even rundll32.exe now only has trusted server rights with ASK (?) for Internet server.

    How's Firefox and Thunderbird looking?

  3. #33
    zaswing Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    WOW, you're a hero! you did it, you persuaded them to do it!!!! And they listened. See, I still think they're a good bunch.
    You're on ZASS 6, right?
    Did you get the upgrade to the DLLs, or where? Did it come within the automatic upgrade, or is there a version change?
    Do you know whether the same fix applies to v5.5.094?
    If you previously had it red X has it changed to ASK?
    If you previously had it ASK, how do we know there's been a change.
    When it ASKS, whom do we allow to RunDLL - examples? This is always the hardest part to figure out for me.

  4. #34
    jarvis Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    This has been merely an update to the program control rules on ZA's servers, nothing to do with the installed program. The way to test it is to change one of the programs' SmartDefense setting from Custom back to Auto. Then run the program - the permissions will then change to whatever ZA's database thinks they should be.

    I reckon 5.5 essentially uses the same database, but just ignores the OSFirewall (Trust Level) setting. To test it in 5.5, you have to remove the program from the list (right-click on it and choose Remove), because once you change the permissions the policy becomes "Custom" and there is no way to change it back in 5.5.

    As I said, it's the internet server permission they've stopped automatically granting, which is good. Some things like Word, Excel now have a red X in both server columns. Rundll32 now has green tick in Trusted server and blue ? in internet server. I have not yet received a program alert for rundll32 to say that it wants to be an internet server.

  5. #35
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out. [Long post warning!]

    Hi Jarvis,

    Thanks for sticking with us, in this thread.

    Warning: This is much longer than your post! :-o

    You wrote ( 02-01-2006 04:00 PM):

    "Question: If you're connected directly to the internet (not behind a router or NAT modem) have you tried using GRC's Shields UP! test or another port scan test while these programs were running and granted Internet Server rights? Were you still stealthed?"

    Well, I got around to doing your 'homework assignment,' about 8 days ago. I prepared a Test Report, before performing the ShieldsUP! testing, and also recorded my results, but I'm not going to post that report here. I wrote it to keep me focused on what I was doing, to remind me why I was doing it, and to help me understand the results I got.

    I don't know about anyone else, but making written notes helps me think better. On the other hand, I swear... sometimes I think I've got ADD, OCD, OTD and a bunch of other Ds, after I see how many notes I end up making!

    After finishing that 1st round of testing and considering the results, I noticed a few other variations I could have tried, but didn't get a chance to do that until a couple of days ago.

    In summary, about as pithy as I can make it:

    * Connected to the Internet with my NAT router installed-

    The "Server:Internet" rights setting the Firefox browser has appears to be irrelevant. Firefox browser [Note 1] may have either "Allow," "Block," or "Ask" rights and the ShieldsUP! probe [Note 2] results still report that my system is fully stealthed.

    There was an exception to those results, for either "Allow," "Block," or "Ask" Server rights. When I open another Firefox browser instance (aka a new browser tab) addressed to http://4.79.142.206 (the GRC ShieldsUP! probe IP) the results of all probes were still "Stealth," on all probed ports (including port 113), but the overall test "Failed" because of this single item... "Unsolicited Packets: RECEIVED (FAILED)..."

    * Connected to the Internet with my NAT router removed-

    Again, the "Server:Internet" rights setting the Firefox browser has appears to be irrelevant. Firefox browser [Note 1] may have either "Allow," "Block," or "Ask" rights and the ShieldsUP! probe [Note 2] results still report that my system is fully stealthed.

    A similar exception as noted in the "router installed" results also applied to these results. For either "Allow," "Block," or "Ask" Server rights, when I open another Firefox browser instance addressed to the ShieldsUP! probe IP my system is "Stealth" except at one port. The probe of port 113 reported a "Closed" condition. Because of that result and the "Unsolicited Packets: RECEIVED..." the overall test result was "Failed."

    For an explanation of the failures noted above, please refer to Steve Gibson's "Adaptive IDENT Stealthing Experimentation" info, which can be found at the bottom of his web page, after performing the "All Service Ports" probe.

    My conclusions-

    Granting the Firefox browser "Server:Internet" right to "Allow" incoming connections doesn't seem to be as dangerous as I've thought. If I understand the results of this testing and the information provided by Steve Gibson, there seems to be little possibility that I would even see an unsolicited incoming Server request. In other words, any incoming Server request I may see must be coming from a Web site with which Firefox browser has already established a connection.

    Quoting from GRC [http://www.grc.com/su-firewalls.htm]:

    "...when you surf the web you need to connect to web servers that might have any IP address. (...brevity snip...) ...a firewall can easily determine whether an arriving packet is initiating a new connection, or continuing an existing conversation. Packets arriving as part of an established connection would be allowed to pass through the firewall, but packets representing new connection attempts would be discarded. Thus, a firewall can permit the establishment of outbound connections while blocking any new connection attempts from the outside."

    In my case, the incoming Server connection issue seems to have been reduced to merely an issue of trust... Do I trust the Web site Firefox browser is connected with? So far the question is moot, because as far as I know I've never encountered such an event. The only Firefox browser Server connection requests I've seen were incoming from the "Trusted" zone.

    However, allowing Firefox browser to possibly establish an outgoing "Server:Internet" connection is another matter. This still seems dangerous, to me.

    The issue becomes, "Am I knowingly running a program which may use Firefox browser to establish an outgoing 'Server:Internet' connection, to an IP address with which Firefox browser does not currently have an established connection?"

    In my case, I'm not running any of those types of programs. Furthermore, I want to be immediately notified about any Firefox browser outgoing Server connection events.

    A few days ago, I had an opportunity to discuss this issue with my brother. He uses the CA eTrust EZ Armor suite. He offered what I think is a pretty good suggestion and I promised to pass it on.

    He suggested that Zone Labs should implement a ZoneAlarm firewall installation process 'interview' which asks the user if he/she is using, or plans to use, any of the known types of programs which require an Internet browser to act as a Server.

    So, Jarvis, or anyone, feel free to correct me (or amplify... or comment) if I seem to have this issue figured wrong, or all twisted out of shape, or whatever.

    -----Notes-----
    Note 1: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
    Note 2: ShieldsUP! probes used: "File Sharing," "Common Ports," and "All Service Ports."
    ---------------

    Cheers,
    Ah-hA

    P.S. - After seeing the length of this post, you can imagine how long my "Test Report" must be! ;-)
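    The stateful rule quoted from GRC above, and the ShieldsUP! results described in this post, can be reproduced with a toy connection-tracking filter. The following is an added example and not code from the thread or from Zone Labs. It tracks outbound connections, passes inbound packets that continue one of them, and silently drops new inbound SYNs unless a port is really listening and the program holds "Server:Internet = Allow". The probe IP 4.79.142.206 is the one named in the post; the local address 192.0.2.10, the probe port list, treating an unattended "Ask" as a block, and the `adaptive_ident` flag (which models the port 113 "Closed" result the post saw without the router) are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

ALLOW, DROP, REJECT = "ALLOW", "DROP", "REJECT"
# What a remote port scanner reports for each verdict: a dropped SYN gets no
# answer ("Stealth"), a rejected one gets a RST ("Closed").
LABEL = {ALLOW: "Open", DROP: "Stealth", REJECT: "Closed"}

LOCAL_IP = "192.0.2.10"                     # constructed (documentation range)
PROBE_IP = "4.79.142.206"                   # ShieldsUP! probe host named in the post
PROBE_PORTS = (21, 80, 113, 135, 139, 445)  # assumed subset of a "Common Ports" sweep


@dataclass(frozen=True)
class Packet:
    direction: str          # "out": host -> Internet, "in": Internet -> host
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulFilter:
    """Connection tracking plus a per-program 'Server: Internet' permission."""

    def __init__(self, listening_ports=(), server_internet="Block", adaptive_ident=False):
        self.listening_ports = frozenset(listening_ports)  # ports the program really listens on
        self.server_internet = server_internet             # "Allow" | "Block" | "Ask"
        self.adaptive_ident = adaptive_ident
        # Connections we initiated or accepted: (local_ip, lport, remote_ip, rport)
        self.conns: set[tuple] = set()

    def handle(self, p: Packet) -> str:
        if p.direction == "out":
            if p.syn and not p.ack:                          # new outbound connection
                self.conns.add((p.src, p.sport, p.dst, p.dport))
            return ALLOW

        # Inbound packet continuing a conversation we started: pass it.
        if (p.dst, p.dport, p.src, p.sport) in self.conns:
            return ALLOW

        if p.syn and not p.ack:                              # new inbound connection attempt
            # Accepted only if something actually listens on the port AND the
            # program holds "Server: Internet = Allow". An "Ask" with nobody at
            # the keyboard is treated as a block (assumption for an unattended scan).
            if p.dport in self.listening_ports and self.server_internet == "Allow":
                self.conns.add((p.dst, p.dport, p.src, p.sport))
                return ALLOW
            # Assumed model of the "Adaptive IDENT Stealthing" behaviour the post
            # points to: an IDENT probe (port 113) from a host we are currently
            # talking to is answered with a RST instead of being dropped.
            if self.adaptive_ident and p.dport == 113 and self._talking_to(p.src):
                return REJECT
        return DROP                                          # silently discarded -> "Stealth"

    def _talking_to(self, remote_ip: str) -> bool:
        return any(remote == remote_ip for (_, _, remote, _) in self.conns)


def run_scenario(listening_ports=(), server_internet="Block", adaptive_ident=False,
                 tab_open_to_probe=False, probe_ports=PROBE_PORTS) -> dict[int, str]:
    """Run a SYN sweep from the probe host and return {port: scanner label}."""
    fw = StatefulFilter(listening_ports, server_internet, adaptive_ident)
    if tab_open_to_probe:
        # A browser tab addressed to http://4.79.142.206 is an outbound connection
        # from an ephemeral port to the probe host's port 80 ...
        fw.handle(Packet("out", LOCAL_IP, 49152, PROBE_IP, 80, syn=True))
        # ... whose SYN/ACK reply must pass, because we initiated the conversation.
        reply = Packet("in", PROBE_IP, 80, LOCAL_IP, 49152, syn=True, ack=True)
        assert fw.handle(reply) == ALLOW
    return {port: LABEL[fw.handle(Packet("in", PROBE_IP, 40000 + port, LOCAL_IP, port, syn=True))]
            for port in probe_ports}


if __name__ == "__main__":
    cases = {
        "Firefox with Server:Internet=Allow, nothing listening": dict(server_internet="Allow"),
        "same, tab open to the probe host, no router": dict(server_internet="Allow",
                                                            adaptive_ident=True,
                                                            tab_open_to_probe=True),
        "a program that really listens on 445 with Allow": dict(listening_ports=(445,),
                                                                server_internet="Allow"),
    }
    for name, kw in cases.items():
        print(f"{name}: {run_scenario(**kw)}")
```

    The first case is the post's finding: the "Server:Internet" value makes no difference when the browser has no listening socket, every probe is "Stealth". The second reproduces the one exception (port 113 "Closed" while a tab is open to the probe host). The third is the case the permission is actually for: a program that really listens, which is why "Ask" or "Block" on Server:Internet is the conservative default.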

  6. #36
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    Hi Jarvis,

    Thanks for the heads-up, and for keeping an eye on this thread.

    At this moment I can't think of a reason not to set Firefox and Thunderbird back to "Auto" and see what happens.

    But, I've done so much tinkering over the last week that I want to consider the situation twice, before I change any of them to "Auto."

    Cheers,
    Ah-hA

  7. #37
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out.

    I've wondered, for the longest time, why there isn't any SmartDefense Advisor advice given for Corel WordPerfect Office. Surely there are thousands of people using various versions of that office suite.

    Do you, or anyone, have any idea what the deal is on that?

    Cheers,
    Ah-hA

  8. #38
    ah_ha Guest

    Re: Some SmartDefense Advisor "Auto" settings kind of freak me out. [Long post warning!]

    Hi Jarvis,

    Last night I finished making notes on the custom Program Control: Programs settings I've chosen over the last week or so. So, in the interest of helping you confirm the changes to SmartDefense Advisor (SDA) automatic permission settings, I decided to change all my listed programs' Custom settings back to Auto.

    Following are the results of that change in SDA settings, for the programs you asked about or were mentioned in my 1st posting of this thread:

    Firefox browser (firefox.exe V1.8.0.1: 2006011112)
    Current SDA "Auto" settings:

    SmartDefense: Auto
    TrustLevel: Super
    Access - Trusted: Allow, Internet: Allow
    Server - Trusted: Allow, Internet: Ask
    Send Mail: Block

    Mozilla Thunderbird e-mail client (thunderbird.exe V1.8: 2005120115)
    Current SDA "Auto" settings:

    SmartDefense: Auto
    TrustLevel: Super
    Access - Trusted: Allow, Internet: Allow
    Server - Trusted: Allow, Internet: Ask
    Send Mail: Allow

    Run a DLL as an App (rundll32.exe V5.1.2600.2180 (xpsp_sp2_rtm.040803-2158))
    Current SDA "Auto" settings:

    SmartDefense: Auto
    TrustLevel: Super
    Access - Trusted: Allow, Internet: Allow
    Server - Trusted: Allow, Internet: Ask
    Send Mail: Ask

    Switching to pithy mode... here are the others mentioned in my 1st post:

    Windows Explorer (explorer.exe) Send Mail permission changed to Blocked.
    System Information (msinfo32.exe) still has Send Mail permission Allow. ?!
    Application Layer Gateway Service (alg.exe) Server:Internet setting is now Ask.

    No... I didn't type all of that. A lot of it is simple cut'n'paste and more of it would be if the ZAP Control Center was a bit more user friendly. But, that's another subject, for another day.

    Personally, I won't be using Auto SDA settings for some of the programs named above, because I prefer having more control over what those programs may be doing.

    I'll give one example of what I mean by that, for the Firefox browser (Note 1) SDA Auto setting of TrustLevel:Super.

    I've installed and frequently use the Firefox Extension named IE View (Note 2) which adds a feature permitting quick opening of Internet Explorer (IE) to the Web page currently being viewed in Firefox.

    With the trust setting stated above, Firefox performs the extension's commands without a ZAP alert about suspicious program activity. The IE program starts and loads the same Web page I was viewing in Firefox.

    However, with a setting of TrustLevel:Trusted that same action results in a ZAP alert about Suspicious Behavior. I receive the warning, "Firefox is trying to launch C:\Program Files\Internet\Explorer\iexplorer.exe, or use another program to gain access to privileged resources."

    The first part of that warning tells me that IE View is performing an action I initiated. I want to allow that to happen.

    It's the "or" part of that warning which concerns me. When Firefox is granted TrustLevel:Super status I'm never going to see a warning. If someone somehow figures a way to get Firefox to perform a program action which I didn't personally initiate, it's just going to happen.

    If you're interested in what SmartDefense Advisor says about this particular alert here's the Web address...
    http://osalerts.zonelabs.com/osanaly...p;tab=overview

    Note that on that Web page SDA offers this bit of advice: "Firefox is potentially malicious."

    In your first post you wrote, "It seems that the settings the SmartDefense gives out are to suit not only the majority but also some fringe users who don't want to be bothered by extra alerts."

    Yeah, I agree it seems that way, Jarvis. If that's truly the case IMHO it doesn't really strike me as a good security policy. Zone Labs ain't never gonna please everybody... no how... no way!

    IMO a good security policy would combine conservative initial SmartDefense Advisor (SDA) Auto settings plus 'Learning Mode' for the tricky permissions. Of course, that's the way it is to some extent, but SDA sets up some known programs with very non-conservative-appearing permissions which short-circuit 'Learning Mode' altogether.

    For example, I've run the MS Notepad (notepad.exe) program for ages, with question marks across the board. I don't recall ever seeing a peep from ZAP, about Notepad wanting permission to do anything. Now, with the Auto settings for Notepad I see an Ask for TrustLevel and big red Xs across the board! That doesn't strike me as very conservative.

    Notepad just doesn't seem like a program that's capable of performing even remotely risky actions. The most advanced feature I see in Notepad's user interface is the Edit:Time/Date function which gets the current time and date from the system and pastes it into the document.

    Well, maybe that's another topic, for another day. That's me... blah blah blah!

    Thank you, Jarvis, for contacting your source(s) and getting some good results on the Server:Internet issue. I've learned quite a bit from studying the info you provided and expect that'll continue in the future.

    Cheers,
    Ah-hA

    -----NOTES-----
    Note 1: "About Mozilla Firefox": Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1

    Note 2: "About IE View": version 1.2.7
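    The permission dumps in this post, and the "conservative initial settings" argument ah_ha makes about them, can be checked mechanically rather than by eye. The following is an added example, not code from the thread or from Zone Labs: it parses the ZoneAlarm Control Center cut-and-paste into per-program settings and applies three conservative rules drawn from the discussion (Server:Internet should not be Allow; Send Mail Allow only for a mail client; TrustLevel Super on a program that handles untrusted content or loads arbitrary DLLs hides the "Suspicious Behavior" alert). The sample embeds the three blocks exactly as pasted plus one constructed entry (`example.exe`) that exists only to exercise the Server:Internet rule; the rule set, the `MAIL_CLIENTS` and `CONTENT_HANDLERS` lists, and the parser's tolerance for the grouped "Access - Trusted: Allow, Internet: Allow" layout are assumptions of this example.

```python
import re

# The three blocks as pasted from the Control Center (one item per line) plus a
# constructed entry, example.exe, included only to trigger the Server:Internet rule.
SAMPLE = """
Firefox browser (firefox.exe V1.8.0.1: 2006011112)
Current SDA "Auto" settings:

SmartDefense Auto
TrustLevel Super
Access Trusted Allow
Internet Allow
Server Trusted Allow
Internet Ask
Send Mail Block

Mozilla Thunderbird e-mail client (thunderbird.exe V1.8: 2005120115)
Current SDA "Auto" settings:

SmartDefense Auto
TrustLevel Super
Access Trusted Allow
Internet Allow
Server Trusted Allow
Internet Ask
Send Mail Allow

Run a DLL as an App (rundll32.exe V5.1.2600.2180 (xpsp_sp2_rtm.040803-2158))
Current SDA "Auto" settings:

SmartDefense Auto
TrustLevel Super
Access Trusted Allow
Internet Allow
Server Trusted Allow
Internet Ask
Send Mail Ask

Hypothetical program, constructed for this example (example.exe)
Current SDA "Auto" settings:

SmartDefense Auto
TrustLevel Trusted
Access Trusted Allow
Internet Allow
Server Trusted Allow
Internet Allow
Send Mail Block
"""

EXE_RE = re.compile(r"\((\w+\.exe)\b", re.IGNORECASE)   # "(firefox.exe V1.8..." -> firefox.exe

# Assumed lists: programs expected to send mail, and programs whose TrustLevel
# should not be Super because they run untrusted content (browser, mail client)
# or execute whatever DLL they are handed (rundll32).
MAIL_CLIENTS = {"thunderbird.exe"}
CONTENT_HANDLERS = {"firefox.exe", "thunderbird.exe", "rundll32.exe"}


def parse_sda_dump(text: str) -> dict[str, dict[str, str]]:
    """Turn the pasted settings into {exe: {"server.internet": "Ask", ...}}.

    A line naming a program starts a new record; "Access"/"Server" set the
    group that a following bare "Internet ..." or "Trusted ..." item belongs to.
    Colons, commas and dashes are ignored, so the grouped layout parses too.
    """
    programs: dict[str, dict[str, str]] = {}
    cur, group = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EXE_RE.search(line)
        if m:                                  # program header line
            cur = programs.setdefault(m.group(1).lower(), {})
            group = None
            continue
        if cur is None:
            continue
        toks = re.sub(r"[:,\-]", " ", line).split()
        i = 0
        while i < len(toks):
            t = toks[i]
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if t in ("SmartDefense", "TrustLevel") and nxt:
                cur[t.lower()] = nxt
                i += 2
            elif t in ("Access", "Server"):
                group = t.lower()
                i += 1
            elif t in ("Trusted", "Internet") and group and nxt:
                cur[f"{group}.{t.lower()}"] = nxt
                i += 2
            elif t == "Send" and nxt == "Mail" and i + 2 < len(toks):
                cur["sendmail"] = toks[i + 2]
                i += 3
            else:
                i += 1
    return programs


def audit(programs: dict[str, dict[str, str]]) -> list[tuple[str, str, str]]:
    """Return (exe, rule_id, message) for every setting the conservative policy flags."""
    findings = []
    for exe, s in sorted(programs.items()):
        if s.get("server.internet") == "Allow":
            findings.append((exe, "server_internet_allow",
                             "Server:Internet is Allow; prefer Ask or Block"))
        if s.get("sendmail") == "Allow" and exe not in MAIL_CLIENTS:
            findings.append((exe, "sendmail_nonmail",
                             "Send Mail is Allow for a program that is not a mail client"))
        if s.get("trustlevel") == "Super" and exe in CONTENT_HANDLERS:
            findings.append((exe, "super_trust",
                             "TrustLevel Super suppresses Suspicious Behavior alerts "
                             "(e.g. launching another program)"))
    return findings


if __name__ == "__main__":
    for exe, rule, msg in audit(parse_sda_dump(SAMPLE)):
        print(f"{exe:16} {rule:22} {msg}")
```

    Run against the sample, the audit flags TrustLevel Super on firefox.exe, thunderbird.exe and rundll32.exe (ah_ha's IE View observation generalised) and Server:Internet Allow on the constructed example.exe only; Thunderbird's Send Mail Allow passes because it is the mail client. Paste a fresh dump from the Control Center into `SAMPLE` after a SmartDefense update to see what changed without reading every row by hand.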
