
Thread: Dangerous!!please help...


  1. #1
    hate_virus Guest

    Dangerous!!please help...

    hi guys,
    do you have this file in your system32 folder?:

    Product name Microsoft
    Windows
    Operating System
    File name C:\WINDOWS\system32\wbem\wmiprvse.exe
    Last policy update Not applicable
    Version 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    Last modified date 2004/08/03 23:56:58
    File size 213 KB
    if yes,so why it was trying to do this?!:

    Description WMI was prevented from changing the behavior of ZoneAlarm Security Suite by modifying the file: WINSYSDIR\ZoneLabs\vsmon.exe
    Rating High
    Date / Time 2006/06/22 22:26:16+3:00 GMT
    Type File
    Subtype File Write
    Data WINSYSDIR\ZoneLabs\vsmon.exe
    Program C:\WINDOWS\system32\wbem\wmiprvse.exe
    Action Taken Blocked (once)
    Count 1
    thanks,

    Operating System:Windows XP Pro
    Product Name:ZoneAlarm Internet Security Suite
    Software Version:6.1

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Dangerous!!please help...

    Best regards.
    oldsod

  3. #3
    hate_virus Guest

    Re: Dangerous!!please help...

    hi and thanks,
    but as I said, it was trying to change or hijack the ZA; this is the question: why was it doing that kind of dangerous work???!

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Dangerous!!please help...

    The ZA is designed not to be tampered with by malware, so that the protection stays enabled while the PC is infected. It would be useless if malware could invade it and promptly shut it completely off. Thus the ZA firewall, when it sensed an intruder, just gave out a warning. CCleaner, when set to delete ZA logs, will do the same. Some antispy sweeps will also interfere with the ZA "don't touch me". In this case it is a recognized Windows component and it is not a threat by any means. Not saying to ignore any future warnings, just to be aware of the nature of the alerts.

    Oldsod

    Message Edited by Oldsod on 07-02-2006 11:03 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Anti-Spyware
    Software Version:6.5
    Best regards.
    oldsod

  5. #5
    2nabote Guest

    Re: Dangerous!!please help...

    I understand the purpose of the feature, but I still don't understand if wmiprvse.exe should be attempting to update ZA assets. If yes, what's the purpose? If not, what is the source of this attempt? The OS Firewall has blocked 52 attempts to update the same number of ZA files, ZAP, EXE, and DLL. Thanks.

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Dangerous!!please help...

    Simple answer is Windows must do this. Why? To know which drivers and files to load and use for bootups, keep the master file correct, so the OS will function elegantly, operate smoothly with the kernel drivers of ZA, coordinate paths and their sequences of the OS and additional software, arrange tasks, allow system restore to function properly and a few thousand other seen and unseen processes.

    Oldsod
    Best regards.
    oldsod

  7. #7
    f_kawashima Guest

    A case study

    When I merely opened "INSTALL.LOG" and "ErrorLog.txt" with notepad.exe, a component of ZA Pro 6.1.744 (this occurred on 6.5.722 as well) detected that vsmon.exe blocked the event (a file write) as if it was attempted by Windows Explorer. Instead, when I attempted to rename "INSTALL.LOG" and "ErrorLog.txt" within the directory, the report below was generated. I believe they are not sufficient reports because the given results were different from what I manipulated.

    TROUBLESHOOTING: Try recalling on having done at the time of the log detection (2006/06/22 22:26:16+3:00 GMT) and reproducing the scene.

    Description Notepad was prevented from changing the behavior of ZoneAlarm Pro by modifying the file: WINDIR\Internet Logs\ZALog.txt
    Rating High
    Date / Time 2006/06/28 07:39:10+9:00 GMT
    Type File
    Subtype File Write
    Data WINDIR\Internet Logs\ZALog.txt
    Program C:\WINDOWS\system32\notepad.exe
    Action Taken Blocked (once)
    Count 1

    Description Notepad was prevented from changing the behavior of ZoneAlarm Pro by modifying the file: WINDIR\Internet Logs\ZALog.txt
    Rating High
    Date / Time 2006/06/28 07:39:16+9:00 GMT
    Type File
    Subtype File Write
    Data WINDIR\Internet Logs\ZALog.txt
    Program C:\WINDOWS\system32\notepad.exe
    Action Taken Blocked (once)
    Count 1
    -------- Original results of a debug test ---------

    Description Windows Explorer was prevented from changing the behavior of ZoneAlarm Pro by modifying the file: ZLDIR\zonealarm.exe
    Rating High
    Date / Time xxxxxxxxxxxxxx GMT
    Type File
    Subtype File Write
    Data ZLDIR\zonealarm.exe
    Program C:\WINDOWS\explorer.exe
    Action Taken Blocked (once)
    Count 1
    SmartDefense Advisor

    Overview Technical Info Details
    Windows Explorer is trying to create or open a file.
    The current security setting for Windows Explorer does not permit this action, or ZoneAlarm Pro is asking you whether to allow this behavior. Your computer is safe.

    What should I do?
    Windows Explorer has attempted to create or open a file on your system. This action is currently not permitted. If you trust this program and believe it requires a file to be created or opened then give it permission. If it does not need to create or open a file, or you know that a file should not be created or opened, then deny it.

    Why?
    Windows Explorer may be malicious. This is particularly true if the file being created or opened contains application or Windows settings, and changing these settings will affect the security of the system.


    Inside the OSFirewall alert

    Alert property Alert property value Technical explanation
    ----------------- ------------------------- ---------------------------
    Program Name Windows Explorer
    A program running on your computer, which attempted an action that was detected by the OSFirewall.

    Filename C:\WINDOWS\explorer.exe
    The filename of the program that ZoneAlarm Pro found on your computer.

    Program Size xxxxxxxxx
    The size of the program executable file in bytes.

    Program MD5 xxxxxxxxxxxxxxxxxxxxxxxxxx
    The MD5 hash, or number, that uniquely identifies the executable.

    Smart Checksum xxxxxxxxxxxxxxxxxxxxxx
    The SKIMP hash, or number, that uniquely identifies the executable.

    Date Modified
    The date when C:\WINDOWS\explorer.exe was most recently modified.

    Event Type File
    The event involved writing to or deletion of a file.

    Sub Event Type FileWrite
    Windows Explorer attempted to write to a file.

    File Pathname ZLDIR\zonealarm.exe
    Fully qualified name of the file being written to.


    Details
    ZoneAlarm Pro protects your system from the malicious creation or opening of files.

    Malicious programs may attempt to create or open files on your system in order to disable or lower security settings, damage the operating system, or steal information about you or your system.

    Due to these potential threats, only programs which have been given explicit permission to create or open files on your system will be allowed to do so.
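    The alert records quoted in this thread share one fixed layout (Description, Rating, Date / Time, Type, Subtype, Data, Program, Action Taken, Count), which makes them easy to triage in bulk: group the blocked writes by the program doing the writing and the protected file being written, and normalise the timestamps to UTC so alerts from machines in different time zones (+3:00 and +9:00 above) line up. The script below is an added example, not code from the page or from Zone Labs; the sample log is constructed from the records posted in this thread, and the field names are assumed to be exactly the ones shown in those records.

```python
import ntpath
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Field labels as they appear in the OSFirewall alert records quoted in the thread.
# Labels with spaces ("Date / Time", "Action Taken") rule out a naive split on whitespace,
# so each line is matched against this list of known prefixes instead.
FIELDS = ("Description", "Rating", "Date / Time", "Type", "Subtype",
          "Data", "Program", "Action Taken", "Count")

# Constructed sample: the three records pasted in posts #1 and #7, verbatim layout.
SAMPLE_LOG = r"""
Description WMI was prevented from changing the behavior of ZoneAlarm Security Suite by modifying the file: WINSYSDIR\ZoneLabs\vsmon.exe
Rating High
Date / Time 2006/06/22 22:26:16+3:00 GMT
Type File
Subtype File Write
Data WINSYSDIR\ZoneLabs\vsmon.exe
Program C:\WINDOWS\system32\wbem\wmiprvse.exe
Action Taken Blocked (once)
Count 1

Description Notepad was prevented from changing the behavior of ZoneAlarm Pro by modifying the file: WINDIR\Internet Logs\ZALog.txt
Rating High
Date / Time 2006/06/28 07:39:10+9:00 GMT
Type File
Subtype File Write
Data WINDIR\Internet Logs\ZALog.txt
Program C:\WINDOWS\system32\notepad.exe
Action Taken Blocked (once)
Count 1

Description Notepad was prevented from changing the behavior of ZoneAlarm Pro by modifying the file: WINDIR\Internet Logs\ZALog.txt
Rating High
Date / Time 2006/06/28 07:39:16+9:00 GMT
Type File
Subtype File Write
Data WINDIR\Internet Logs\ZALog.txt
Program C:\WINDOWS\system32\notepad.exe
Action Taken Blocked (once)
Count 1
"""

# "2006/06/22 22:26:16+3:00 GMT": local wall-clock time plus an offset from GMT.
TIMESTAMP_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})([+-])(\d{1,2}):(\d{2})")


def parse_alerts(text):
    """Split a pasted alert log into a list of dicts, one per record.

    A new record starts at every "Description" line; lines that do not begin
    with a known field label are ignored, so surrounding forum text is harmless.
    """
    alerts, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        for field in FIELDS:
            if line.startswith(field + " "):
                if field == "Description" and current:
                    alerts.append(current)
                    current = {}
                current[field] = line[len(field):].strip()
                break
    if current:
        alerts.append(current)
    return alerts


def to_utc(stamp):
    """Convert the record's 'Date / Time' string to an aware UTC datetime."""
    m = TIMESTAMP_RE.match(stamp)
    if not m:
        raise ValueError("unrecognised timestamp: %r" % stamp)
    local = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4)))
    if m.group(2) == "-":
        offset = -offset
    # Wall-clock time minus its GMT offset is the instant in UTC.
    return (local - offset).replace(tzinfo=timezone.utc)


def blocked_writes(alerts):
    """Count blocked writes per (program basename, target file), summing 'Count'."""
    totals = Counter()
    for a in alerts:
        if a.get("Type") == "File" and a.get("Action Taken", "").startswith("Blocked"):
            key = (ntpath.basename(a["Program"]), a["Data"])
            totals[key] += int(a.get("Count", "1"))
    return dict(totals)


def writers_by_target(alerts):
    """Which programs tried to modify each protected file (for triage)."""
    writers = defaultdict(set)
    for a in alerts:
        writers[a["Data"]].add(ntpath.basename(a["Program"]))
    return {target: sorted(progs) for target, progs in writers.items()}


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    for (prog, target), n in blocked_writes(parsed).items():
        print("%-14s -> %-30s blocked %d time(s)" % (prog, target, n))
    for a in parsed:
        print(to_utc(a["Date / Time"]).isoformat(), a["Program"])
```

The output for the constructed sample is one blocked write to vsmon.exe by wmiprvse.exe and two to ZALog.txt by notepad.exe, with the +3:00 and +9:00 stamps rewritten as 19:26:16Z and 22:39:10Z/22:39:16Z. Run over a longer paste (such as the 52 blocked attempts mentioned in post #5) the same grouping shows at a glance whether one program is responsible for all of them or several are.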

  8. #8
    Join Date
    Apr 2004
    Location
    East Coast of Florida - Lightning/Shark Bite Capital of the World
    Posts
    2,477

    Re: A case study
    Hi,

    VERY, VERY INTERESTING! PLEASE forward all this EXCELLENT info to Tech Support. Here is the direct link to them.

    Welcome to Zone Labs Web-Based Technical Support

    https://www.zonelabs.com/store/conte...ch_support.jsp

    Thank you very much for your time and have a "GREAT DAY" or "EVENING"!

    SlyFox
    "Politeness costs nothing and gains everything".

    Click here for ZA Support

    Avail. 24x7 - Excl. Holiday

  9. #9
    forum_moderator Guest

    Re: A case study

    Hi,

    Thanks, that is actually a very nice write-up of the OSFirewall protection, and how it is used to protect the system (in this case ZA, but we also protect all critical Windows processes and more).

    Marcus

  10. #10
    f_kawashima Guest

    A hypothesis

    Hello folks,

    I'm working on a hypothesis, collecting the information and testing the reproducibility, that some bug (derived from June's MS security updates) in the Winlogon process routine could cause inconsistencies in the NTFS file system security features beyond the Journal's protective architecture. This could result in or impact on ZA 6.5.xxx issues and instabilities in the runtime of network or security related applications. Users running ZA 6.5.xxx on a FAT file system computer might not be affected badly because the FAT system does not implement security.

    I think I'll be back sometime in this week, hopefully so.

    Regards
