
Thread: ZoneAlarm startup sequence vulnerability?

  1. #1
    ah_ha Guest

    ZoneAlarm startup sequence vulnerability?

    Okay! I'm bleary-eyed and frazzled-brained, after spending too many hours trying to find a satisfactory answer to several issues. I've scoured the Zone Labs knowledge base and the Zone Labs Forum and the Internet as a hole (sic).

    The good news is they haven't been wasted hours. I've learned a bunch of new stuff. The bad news is I haven't found the info I want/need, and now I'm having a lot of trouble staying focused on the issue. (Perhaps because I've got too much new stuff spinning around in my brain... vicious circle.)

    First, a little background information: I've been using one Zone Labs firewall product or another since I first found out about the 'freeware' version of ZoneAlarm. As best I can recall that was back around the time of the Microsoft Windows 95 OSR2, and certainly had to be shortly after I began to have serious doubts about whether or not I had the patience to browse the WWW through a 56 Kbaud dial-up modem.

    The point to my mentioning this is over the years between then and now I've become so used to the ZoneAlarm processes startup sequence being a certain way that I almost immediately noticed a recent change. As I've understood it, the TrueVector Security Engine service ("vsmon") should always start as soon as possible in the OS boot sequence. That's how I've always seen it to be in the Windows Task Manager Process listing. The "vsmon" process has always had a relatively low PID number and the "zlclient" process (Is that the Control Center? - What is it?) has always had a higher PID number.

    Now, and this is the issue that has me somewhat concerned, in the Task Manager Process list I'm seeing the "zlclient" process frequently having a PID number smaller than the "vsmon" process. Sometimes "zlclient" is appearing as the #3 item on the PID listing, right after the System Idle Process and System processes. And the "vsmon" process is frequently showing up with such a high PID number that it appears near the bottom of the listing.

    For example, when I booted my computer this morning (used to be called 'cold boot') the "zlclient" appeared in the Task Manager Process list as PID #176 (3rd process on the list) and "vsmon" appeared as PID #1904 (27th process on a listing only containing 35 processes!). I've logged off & on my computer several times today, and as I prepare to post this message the processes appear in the order I've come to expect seeing, over the years. The TrueVector (vsmon) service is PID #1564 and the ZoneAlarm Client (zlclient) process is PID #2704.

    To make this "vsmon" startup sequence issue more interesting, when I restart my computer (used to be called 'hot boot'), or log off and log back on, the startup sequence of "vsmon" and "zlclient" will *sometimes* change order so that the ZoneAlarm processes appears like I've been accustomed to seeing. If I restart again the "vsmon" and "zlclient" sequence frequently changes order yet again. It's kind of like throwing dice!

    The recent change I've made to my system setup is this: I decided not to renew my updates subscription for the particular anti-virus product I've been using. Thus began my waking nightmare! Well, it hasn't been that bad, but the last week has been kind of like that old Chinese curse. It's been a little more 'interesting' than I'd prefer.

    Long story... short: I located an anti-virus product that was reputable enough, and I didn't, at that time, find any information suggesting that the product was incompatible with ZAP. Unfortunately, I didn't look hard enough for compatibility info. It turns out that anti-virus product apparently contains some sort of firewall. So much for that 30-day 'free' trial... which ended in less than 6 hours. Thank goodness for Safe Mode and System Restore!

    Moving on, I now have yet another anti-virus product 'free' trial successfully installed... apparently going well, so far. Seems to play well with ZAP.

    But, there's this nagging issue with the TrueVector service not 'acting' like I've come to expect.

    Open question(s):

    1.) Is "zlclient" starting before "vsmon" an issue I need to be concerned about?
    2.) Has my computer become vulnerable due to the relatively late TrueVector security engine (vsmon) start up?
    3.) Should I upgrade this "issue" to a "problem" and submit a Tech Support request to Zone Labs?

    Cheers,
    Ah-hA

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:6.0

  2. #2
    billc Guest

    Re: ZoneAlarm startup sequence vulnerability?

    You are correct, zlclient is the control panel for Zone Alarm and does not start before vsmon.exe. True Vector starts as a 'service' in the very beginning of the boot sequence. The PID (Process Identification Number) is a unique number assigned to the process while it runs, but it does not indicate the order in which a process starts. And a process will not always have the same PID on any session and on any system. For example, a very large PID does not necessarily mean that there are anywhere near that many processes on a system. This is because such numbers are often a result of the fact that PIDs are not immediately reused, in order to prevent possible errors. Does that help?

  3. #3
    ah_ha Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Hi Bill,

    Thanks for that explanation. It does indeed help.

    Over the last few days, I had begun wondering whether or not the Windows Task Manager Process List (and PID number) was a true indicator of when a process actually starts. But, for better or worse, that's the indicator I've been using these many years (Oops!). That's why I think I may have an issue to resolve (if only in my own mind), because it still seems to me to be related to this trial of an anti-virus product I've installed. Those two ZAP processes are flipping around like I've never seen before.

    So, what method/tool/utility is going to give me a good indicator of when the TrueVector security engine (vsmon) process is firing up, in the boot sequence? Would the WinXP Advanced Options Menu (F8) boot log option give me a good indicator?

    If so, is there something better than that 'cause I sure don't like looking at that log!

    If not, what is your suggestion?

    Cheers,
    Ah-hA

  4. #4
    billc Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Microsoft has this boot sequence for XP:

    STARTUP ORDER FOR WINDOWS NT4/2000/XP

    1. BootExecute
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
    2. Services
    3. User enters a password and logs on to the system
    4. UserInit
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
    5. Shell
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    6. All Users-RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    7. All Users-Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    8. All Users-RunOnceEx
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    9. All Users-RunEx
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunEx
    10. Current User-RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    11. Current User-Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    12. Current User-RunOnceEx
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    13. Current User-RunEx
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunEx
    14. Common Startup Folder
    15. Startup Folder

    You will note that services is number 2 and True Vector starts as a service. However, I've never tried to identify the order of the services. What I can say is that True Vector will block all internet access until it reads its files and 'knows' what applications are to be permitted access.

  5. #5
    ah_ha Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Hi Bill,

    That helps, too. I suppose you provided that (Where'd you get it?!) so that I can take a look-see in my Registry, if I'm inclined to do that. Well, I am and I will. Such a sensible possibility as that hadn't even occurred to me. Thanks!

    Three items in the boot sequence list you posted aren't clear to me:

    Q: "2. Services," do you mean, 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'?

    Q: "14. Common Startup Folder," do you mean 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup'?

    Q: "15. Startup Folder You will note that services is number 2 and True Vector...," Huh?

    Well, I got lost there. Was "15. Startup Folder" supposed to be a text line by itself, and "You will note that..." supposed to be starting a new line of text?

    If that's the case I think I understand what you mean... "Startup Folder" as in 'C:\Documents and Settings\Ah-hA\Start Menu\Programs\Startup', and by "You will note that services is number 2..." you are referring to item #2 on the boot sequence list you posted. Yes?

    Oh, and BTW, nix on that lousy boot log idea I had. I guess it's been longer than I thought since I poked around in the system's guts, to see what I could find. I forgot that a boot log only shows what's going on up to the time the OS starts up.

    Also, I have to admit that I didn't really get what you meant in your last post when you wrote, "True Vector starts as a 'service' in the very beginning of the boot sequence." That flew right past me until I dug up my copy of SysInternals' freeware utility "Process Explorer"... sort of a Task Manager on steroids.

    In Process Explorer I can see that the "parent" of the vsmon.exe process is the services.exe process. Got it! I can also see that the "parent" of the zlclient.exe process is the explorer.exe process. So zlclient.exe isn't a service at all!

    It's very clear to me now that PID numbers have their uses, but they're not a good indicator of the startup order, for services and such.

    From the looks of things so far, this issue of mine seems to be fairly quickly resolving into, "Not a problem." Just a little touch of paranoia, maybe.

    Thanks for the helping hand, Bill!

    Cheers,
    Ah-hA
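    The points made in posts #2, #4 and #5 (PIDs do not reflect start order, services start before any logon program, and Process Explorer's parent column tells a service from a GUI helper) can be checked from a shell. The script below is an added example, not code from the thread or from Zone Labs: it lists the watched processes by actual creation time with the PID alongside, walks each parent chain (a service shows services.exe as parent, a GUI helper shows explorer.exe), reports the StartMode of any SCM service among them, and enumerates the Run/RunOnce keys and Startup folders from the post #4 list, which is where a logon-time helper like zlclient usually comes from. It assumes Windows PowerShell 5.1 or later (so a newer system than the XP box in the thread); the image names vsmon and zlclient are the thread's, the rest of the default list is only context.

```powershell
# Added example, not code from the thread or from Zone Labs. Assumes Windows
# PowerShell 5.1 or later. vsmon/zlclient are the image names from the thread;
# services/explorer/winlogon are included only so the parent chains are visible.
param(
    [string[]]$Watch = @('vsmon', 'zlclient', 'services', 'explorer', 'winlogon')
)

# CIM returns CreationDate as a DateTime; that, not the PID, is the start-order indicator.
$procs = Get-CimInstance Win32_Process |
    Select-Object ProcessId, ParentProcessId, Name, CreationDate

$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Walk child <- parent <- ... until the parent no longer exists or a loop appears
# (PIDs get reused, so a long-dead parent's PID can point at an unrelated process).
function Get-ParentChain {
    param([int]$StartPid)
    $chain = @()
    $seen  = @{}
    $cur   = $StartPid
    while ($byPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $chain += $byPid[$cur].Name
        $cur = [int]$byPid[$cur].ParentProcessId
    }
    return ($chain -join ' <- ')
}

$watched = $procs | Where-Object { $Watch -contains ($_.Name -replace '\.exe$', '') }

'--- Actual start order (CreationDate); PID shown alongside to see how they differ ---'
$watched | Sort-Object CreationDate | ForEach-Object {
    $started = if ($_.CreationDate) { $_.CreationDate.ToString('HH:mm:ss.fff') } else { 'n/a' }
    [pscustomobject]@{
        Started = $started
        PID     = $_.ProcessId
        Name    = $_.Name
        Parents = Get-ParentChain -StartPid ([int]$_.ParentProcessId)
    }
} | Format-Table -AutoSize

# Anything hosted by services.exe is an SCM service; a firewall engine should be Auto.
'--- SCM services among the watched processes ---'
$watchedPids = @($watched | ForEach-Object { [int]$_.ProcessId })
Get-CimInstance Win32_Service |
    Where-Object { $watchedPids -contains [int]$_.ProcessId } |
    Select-Object Name, DisplayName, State, StartMode, ProcessId |
    Format-Table -AutoSize

# Logon-time helpers (the zlclient kind) come from these locations, all of which
# run only after the user logs on, i.e. after every Automatic service has started.
'--- Run/RunOnce keys and Startup folders, in the order the startup list gives ---'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PSPath/PSParentPath etc.
        ForEach-Object { [pscustomobject]@{ Source = $key; Entry = $_.Name; Command = $_.Value } }
}
foreach ($folder in 'CommonStartup', 'Startup') {
    $path = [Environment]::GetFolderPath($folder)
    Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = $path; Entry = $_.Name; Command = $_.FullName } }
}
```

    Run it as `.\startorder.ps1` or pass your own list with `-Watch vsmon,zlclient`. The first table is the one that answers the thread's question: two reboots can give the same processes wildly different PIDs while the CreationDate column keeps the service ahead of the explorer-spawned GUI every time.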

  6. #6
    billc Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Some time ago I copied the boot sequence from a Microsoft Support site, but I did not retain the link. Anyway, the 'source' is Microsoft. And I think your understanding now covers as much as I know. That is, 'services' are number 2 in the sequence and True Vector starts then with services. That would be before all programs including any that would want to access the internet. I can also say that never ever have I heard or read about an infection occurring because a Zone Alarm firewall did not start in time.

  7. #7
    gerard_konijn Guest

    Re: ZoneAlarm startup sequence vulnerability?

    When starting up Windows, the first event will be 6009: Microsoft (R) Windows (R). Right after that, 6005: The Event Log service was started. After that, TrueVector Internet Monitor (vsmon.exe). You don't see this because it always starts automatically in Services. From this point you are protected, and no other programs are running then. After that the application popups come (machine check). After that come the login screen and the programs; one of the first can be the ZoneAlarm GUI, zlclient.exe, but it can also start last. However, TrueVector Internet Monitor (vsmon.exe) is one of the very first services to load in the boot sequence. So you are always protected with ZoneAlarm before a program is running.

    Kind regards,
    Gerard Konijn. Tilburg, The Netherlands
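    The boot timeline Gerard describes can be reconstructed from the System log rather than watched for in Task Manager. The script below is an added example, not code from the thread or from Zone Labs. It uses the two EventLog markers named in the post (6009, the OS banner written at boot, and 6005, the Event Log service start) and adds Event ID 7036, the Service Control Manager's "entered the running state" record, which the thread does not mention and which is what actually records the order in which services came up. It assumes Windows PowerShell 5.1 or later (Get-WinEvent needs Vista or newer, so again not the XP box in the thread), English event messages, and read access to the System log; the default service display name 'TrueVector Internet Monitor' is taken from the post and is a parameter you would change to match your own system.

```powershell
# Added example, not code from the thread or from Zone Labs. Assumes Windows
# PowerShell 5.1+, English event-message text, and read access to the System log.
# 6009/6005 are the boot markers named in the post; 7036 (Service Control Manager,
# "entered the running state") is added here as the record of service start order.
param(
    # Display name the post uses for the vsmon service; adjust for your system.
    [string]$ServiceDisplayName = 'TrueVector Internet Monitor',
    [int]$LookbackHours = 24
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 6005, 6009, 7036
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction Stop

# The newest 6009 is the most recent boot; only events at or after it belong to it.
$lastBoot = $events | Where-Object Id -eq 6009 | Sort-Object TimeCreated | Select-Object -Last 1
if (-not $lastBoot) { throw "No 6009 boot marker found in the last $LookbackHours hours" }

$timeline = $events |
    Where-Object { $_.TimeCreated -ge $lastBoot.TimeCreated } |
    Sort-Object TimeCreated |
    ForEach-Object {
        $text = switch ($_.Id) {
            6009 { 'Boot: ' + ($_.Message -split "`n")[0].Trim() }
            6005 { 'Event Log service started' }
            7036 { 'SCM: ' + ($_.Message -replace '\s+', ' ').Trim() }
        }
        [pscustomobject]@{
            Offset = '{0,9:N3}s' -f ($_.TimeCreated - $lastBoot.TimeCreated).TotalSeconds
            Id     = $_.Id
            Event  = $text
        }
    }

$timeline | Format-Table -AutoSize

# Rank the firewall engine among the services that reached 'running' during this boot.
$running = @($timeline | Where-Object { $_.Id -eq 7036 -and $_.Event -match 'entered the running state' })
$found = $null
$rank  = 0
foreach ($r in $running) {
    $rank++
    if ($r.Event -match [regex]::Escape($ServiceDisplayName)) { $found = $r; break }
}
if ($found) {
    "'$ServiceDisplayName' reached the running state as service #$rank of $($running.Count), $($found.Offset.Trim()) after boot"
} else {
    "No 7036 'running' event for '$ServiceDisplayName' this boot; check that the service exists and is set to Automatic"
}
```

    The Offset column is seconds after the 6009 marker, so a firewall service that comes up before the first logon-time program will sit in the first few entries with a small offset, regardless of what PID it was handed. If the 7036 for the engine is missing or comes after the interactive session starts, that is the point at which the thread's question would turn from "issue" into "problem".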

  8. #8
    ah_ha Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Hi Gerard,

    Thank you for reviewing the startup procedure for me, and reminding me about Event Viewer. What you described is what I see in System events... not much! It's a pity the Event Viewer doesn't show information about system services starting (or not).

    Until very recently I had not seen the ZA GUI starting so early and that had me somewhat concerned. After a failed installation of an anti-virus product trial, and a successful installation of a different anti-virus product trial, I noticed that change.

    It's good to know that the ZA GUI may start early, or late, and that in either case it doesn't affect the TrueVector service.

    Cheers,
    Ah-hA

  9. #9
    ah_ha Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Hi Bill,

    < Some time ago I copied the boot sequence from a Microsoft Support site, but I did not retain the link. Anyway, the 'source' is Microsoft. >

    OK, thanks for the information. If I can make the time I will search for that article, in the Microsoft Knowledge Base. It's been a while since I searched for any MS KB articles so I'm curious.

    < And I think your understanding now covers as much as I know... >

    I seriously doubt it, but thanks for the vote of confidence.

    < I can also say that never ever have I heard or read about an infection occurring because a Zone Alarm firewall did not start in time. >

    That is indeed a comfort to hear! Thanks for your time, Bill.

    Cheers,
    Ah-hA

  10. #10
    dougaltoo Guest

    Re: ZoneAlarm startup sequence vulnerability?

    Hi.
    I have read the useful comments and instructions in the chain above, and since starting to investigate the problem I appeared to have, it has disappeared....
    I use ZA 7.0.337 and as a rule it loads as one of the first programs and before Skype (3.2.0.158). Recently though, Skype has been loaded well before ZA. I have set ZA so that Skype needs permission to access the internet, so I can tell. The only thing I changed in trying to alter the order in which processes are loaded was the "priority" setting of one of ZA's processes (in Task Manager).
    Although it didn't appear to make a difference at the time, after a couple of reboots ZA now loads before Skype (for the moment).
    It just shows that you can't leave things to run without some checking from time to time.


    Dougaltoo.

