Thread: GRC: Port 1026 is Closed not Stealthed

  1. #1
    lhookway Guest

    GRC: Port 1026 is Closed not Stealthed

    I'm running ZA Security Suite 6.1.744.000, XP Pro SP2 connected to the internet via a Speedtouch USB modem, no router.
    I have reinstalled ZA numerous times and encounter the following problem.
    Using netstat I find that ISAFE.EXE usually has port 1026 listening on local address 127.0.0.1, remote address 0.0.0.0.
    ISAFE.EXE is configured to NOT act as a server for the internet zone.
    If I use GRC to probe port 1026, the port is reported as closed instead of stealthed. All other ports are reported by GRC as being stealthed. Why is port 1026 reported as being closed when ISAFE.EXE is configured to NOT act as a server in the internet zone?
    If I explicitly set up a PROGRAM expert rule for ISAFE.EXE to block access to port 1026 when the source is the internet zone then GRC STILL reports that the port is closed when it should be stealthed. Why?
    If I set up a PROGRAM expert rule for ISAFE.EXE to block access to ALL ports when the source is the internet zone then GRC STILL reports that the port is closed when it should be stealthed. Why?
    If I set up an identical FIREWALL expert rule for to block access to port 1026 when the source is the internet zone then GRC correctly reports port 1026 as being stealthed.
    I cannot understand why ZA is apparently allowing ISAFE.EXE to act as a server in the internet zone by not stealthing port 1026.
    I cannot understand why ZA is apparently ignoring the program rule for ISAFE.EXE which is intended to block all inbound access from the internet when an identical firewall rule works.
    Can anyone help me understand what is going on?



    Operating System: Windows XP Pro
    Product Name: ZoneAlarm Internet Security Suite
    Software Version: 6.1

  2. #2
    Join Date: Dec 2005
    Posts: 9,057

    Re: GRC: Port 1026 is Closed not Stealthed

    Hi. When following up the port information at grc.com in regards to port 1026, it should indicate that 1026 is also used for DCOM. Many things are listening on the ports of the system and should appear to be closed, at the very least, or stealthed by the Zone Alarm firewall. Perhaps changing the DCOM to off or disabling it will show the port 1026 as it should - stealthed. Take care, Oldsod
    Best regards.
    oldsod

  3. #3
    lhookway Guest

    Re: GRC: Port 1026 is Closed not Stealthed

    Thanks for the reply.

    I have DCOM decombobulated via GRC, so I don't believe that is the cause of this issue.

    The only process on my system that is listening on port 1026 is ISAFE.EXE.

    ZA should be blocking this port because ISAFE.EXE is not permitted to act as a server in the internet zone, but it isn't.

    In addition, ZA should be blocking this port because ISAFE.EXE has an expert rule which blocks communication to this port from the internet zone, but it isn't.

  4. #4
    Join Date: Mar 2004
    Location: Brisbane, Australia
    Posts: 645

    Re: GRC: Port 1026 is Closed not Stealthed

    A little knowledge can be a dangerous thing and Internet security is no exception. Computer security is all about risk management. Before you allow or disallow a program to have server rights or internet access, you should understand exactly what it is that a program does. Do you know what "isafe.exe" does? Do you know why it wants access to the internet?

    Firstly, a port being closed (as opposed to stealth) does not constitute a security risk. Even a port being OPEN is not a security risk, it just affords an increased level of risk. To be a security risk, an attacker trying to get through your firewall needs a program on the inside that is listening on a specific port, and can respond to the commands it is being sent.

    There are some programs which need server rights including most of the instant messenger services (MSN, Yahoo and Skype), Apache (which is a web server) and FTP servers. It just so happens that ISAFE.EXE needs to act as a server because it is part of Computer Associates eTrust AntiVirus which keeps your Internet security product up to date. ISAFE.EXE listens for connection requests from Computer Associates and manages downloading of the AV updates when they become available. Given that this is the AV in ZASS, it is possible that ZASS is internally configured to allow ISAFE.EXE the correct access rights (overriding your settings) to ensure it functions properly.

    Finally, 127.0.0.1 is the loopback adaptor (a fancy way of saying your own computer) and Netstat is telling you that ISAFE.EXE is listening for connection requests from your own PC. On the other hand, 0.0.0.0 is not a valid IP address for use on the Internet.
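
The two things this thread turns on, which address a listener is bound to in netstat and how open, closed and stealthed differ on the wire, shown as an added example that is not part of any post above. The function names and the netstat sample are constructed for illustration; the sample follows the column layout of Windows `netstat -ano`.

```python
import socket

# Constructed sample in the layout of Windows `netstat -ano` (not taken from the thread).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3201      203.0.113.7:80         ESTABLISHED     2212
"""

def listener_exposure(netstat_text):
    """Map each listening TCP port to who can reach it, judged by the bind address."""
    result = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")
        if addr.startswith("127."):
            scope = "loopback only"       # only this PC can connect to it
        elif addr == "0.0.0.0":
            scope = "all interfaces"      # reachable from the network unless filtered
        else:
            scope = "interface " + addr
        result[int(port)] = scope
    return result

def probe(host, port, timeout=2.0):
    """Classify a TCP port by what comes back from one connection attempt."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"                     # handshake completed: a program is listening
    except socket.timeout:
        return "stealth"                  # no reply at all: the packet was dropped
    except ConnectionRefusedError:
        return "closed"                   # RST came back: host answered, nothing listening
    except OSError as exc:
        return "error: %s" % exc
    finally:
        s.close()

if __name__ == "__main__":
    for port, scope in sorted(listener_exposure(SAMPLE_NETSTAT).items()):
        print(port, scope)
    print(probe("127.0.0.1", 1026))
```

Run on the PC itself, `probe` shows only the local view of a port; a scan such as GRC's reports what a host on the Internet gets back from the external interface.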
