
Thread: Completely mystified - how do Programs get server rights?

  1. #11
    nosenothing Guest

    Default Re: Completely mystified - how do Programs get server rights?

    Thanks.

    I don't know how to do a port scan.

    Checking the logs will not help me do anything, because I don't know what they mean.

    Which goes back to my original question. People who don't know what is going on will choose the Smartdefense option. If it is unsafe to give Internet server rights, surely the program default should be to deny it, rather than to grant it. Oh well, I'll just have to be happy living in ignorance....

  2. #12
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Hi

    The main point is everybody is doing things different and using different software and using the PC for different uses. The casual web browsing/email user is vastly different from the constant IM/VOIP/IRC user and they are different from the VPN business user and they are different from the online role playing game user. The hard core PC user that does immense video/photo work or some other commercial uses is different again. So it is impossible to create hard and fast rules for firewalls, since each has different needs and uses different OS components.

    Things that do need the occasional internet access and occasional trusted server and can be set as Ask:

    windows explorer.exe
    wuauclt.exe
    rundll32.exe
    crss.exe
    lsass.exe
    mmc.exe
    userinit.exe
    winlogon.exe
    logonui.exe
    smss.exe
    wupudmgr.exe
    msiexe.exe
    drwtsn32.exe

    If you deny them the Ask for the Trusted Zone server, just keep checking your log and see what was blocked. The only times the casual user may find they go internet is for new software installations or MS check for updates or new patches get installed. You may even find a few more, since I always do the patches manually.

    The generic host process or svchost.exe does need both Internet and Trusted Zone access and the server rights for the Trusted Zone.

    Any other windows process can have Trusted Zone access and Ask for the Internet. They could easily have ask for the Trusted server, but I never do.

    The others such as AV or added AS, they could have all access for the Trusted Zone or at least Ask since they very often wish to monitor the local host or some ports. Usually just one or two of the antivirus and later after seeing what the other AV parts are doing the ask for the Trusted server can be removed. Again, checking the logs reveals a lot.

    Other common updaters such as java or adobe can be set to ask for the internet. But again, these two softwares are set to manual updating on my rigs.

    Things like the hardware or sound, graphics, etc do not usually need internet access (or trusted zone access for that matter). But if using a TV or second monitor or a special sound/audio hardware, that could be needed to be changed.

    Oldsod
    Best regards.
    oldsod

  3. #13
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Hi

    A port scan is easily done here. But check the paragraph to verify that the IP being scanned is your IP of the PC. They will scan the first firewall - that can be the NAT enabled modem or the router.

    Do the ipconfig /all command and see the exact IP of the PC. The IP given in the ipconfig /all command must match the IP of the Shields Up test. If the two do not match, then you are just scanning the router and not the actual firewall of the PC.

    https://www.grc.com/x/ne.dll?bh0bkyd2

    Once you have checked the two IPs, then use the Proceed button and follow it through.

    Oldsod
    Best regards.
    oldsod

  4. #14
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Hi

    Open the ZA and select the Log Viewer of the Alerts and Logs.

    The Firewall, OSfirewall and the Program in the dropdown of the Alert type is there. Just be sure to set the alerts in the Advanced button of the Main of the Alerts and Logs to as many as possible. This way the logging is complete and very detailed and nothing will get missed. Do the check all option in the Custom button also.

    Now run the PC for a few days and go back and check the logs. There is even a More Info on the logs shown- the Zone labs will come to your rescue with the Smart Defense once again.

    Even if they are difficult to understand, the basic blocked/allowed and inbound/outbound and component listed does give some idea what was happening.

    Plus any internet address and information can be determined from here>

    http://www.dnsstuff.com/

    So if there is an IP listed and you wonder what was the reason it was there or who is that anyways, just take some looking and find out.

    Another gem is the Tools page of this site>

    http://www.fixedorbit.com/

    A quick port lookup is here>

    http://en.wikipedia.org/wiki/List_of...P_port_numbers

    This site has each port listed with links for lots of info.


    This site has a complete port search engine>

    http://www.ports-services.com/

    What does this mean? Oh, like this... If the browser does use a port other than 80 or 443 and to a strange place, then there is definitely trouble at the homestead. Or if something tried to get a DNS from malwareforyouandyourfriends.com or hongkongbustersinternet.com then there is an issue- the DNS remote port being 53 (always and nothing ever else).

    OR if something was going out to port 6667 and using 113 and you never use any IRC. Then there is definitely a worm or trojan on the PC.

    or perhaps the email client or something else is using port 109 at spammersareustoyou.com, then definitely a worm or trojan.

    Viruses almost never call home. They ruin the PC and just call it a day.

    Just some simple tips.

    Oldsod
    Best regards.
    oldsod

  5. #15
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Then there is the log showing the browser going to port 80 of the ispyonu.com. This would mean a hijacker or trojan or some malware.

    The email of the ZA shows email leaving the PC every 15 minutes to nsuzxysusa.com or multiple servers. Hmm something suspicious again.

    Just keep the alerts on high and then the ZA will warn you of such strange activities. The button for more information does lead back to Zone Labs and the smart defense advisor does have details or the button info will show the exact processes involved. A quick google will lead to lots of information...

    sites like these do help with the confusing components....

    http://www.processlibrary.com/directory/files/svchost.exe?engine=adwords!7175&keyword=%28svc host.exe%29&match_type=&gclid=CIHd38KTnIsCFQtp GAodhzWWPw

    http://www.liutilities.com/products/...brary/svchost/

    http://www.neuber.com/taskmanager/pr...chost.exe.html

    http://www.computerhaven.info/svchost.htm

    I still use the task manager, but I also use the Process Explorer and AutoRuns for tracing things. Both give tons of info and details. Plus the Process Explorer has a google search for the components builtin.

    Find these here>

    http://www.microsoft.com/technet/sys...s/default.mspx

    I do not use the TCPView that is available from sysinternals, and instead use a netstat and other commands...

    http://www.microsoft.com/resources/d...s/netstat.mspx

    Plus the occasional software does have a netstat view and usually is more complete. The SSM 2.3 does have this feature and so does the free Ewido or AVGAntispy (last time I saw it had this feature).





    Oldsod

    Message Edited by Oldsod on 03-30-2007 05:17 AM
    Best regards.
    oldsod
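The rules of thumb from posts #14 and #15 (browser on a port other than 80/443, traffic on 6667/113 when IRC is never used, a mail client on port 109 or sending to unfamiliar servers), written as a small log triage script. This is an added example, not part of the original posts and not ZoneAlarm code; the log layout, program names and the known mail host are constructed assumptions.

```python
import csv
import io

# Constructed sample log. This is NOT ZoneAlarm's real export format;
# the columns are assumed: direction,action,program,remote_host,remote_port
SAMPLE_LOG = """\
out,allowed,firefox.exe,www.example.org,443
out,allowed,firefox.exe,203.0.113.9,8081
out,blocked,unknown.exe,198.51.100.7,6667
in,blocked,unknown.exe,198.51.100.7,113
out,allowed,mailclient.exe,mail.example.net,110
out,allowed,mailclient.exe,192.0.2.55,109
out,allowed,mailclient.exe,192.0.2.56,25
out,allowed,mailclient.exe,192.0.2.57,25
out,allowed,svchost.exe,192.0.2.1,53
"""

BROWSERS = {"firefox.exe", "iexplore.exe"}   # assumed browser executables
MAIL_CLIENTS = {"mailclient.exe"}            # hypothetical mail client name
KNOWN_MAIL_HOSTS = {"mail.example.net"}      # the user's own mail server (assumed)


def triage(log_text, uses_irc=False):
    """Return (line_number, reason) for entries matching the posts' rules of thumb."""
    findings = []
    rows = csv.reader(io.StringIO(log_text))
    for n, (direction, action, program, host, port) in enumerate(rows, start=1):
        port = int(port)
        prog = program.lower()
        # Post #14: a browser should only be talking to ports 80 and 443.
        if prog in BROWSERS and direction == "out" and port not in (80, 443):
            findings.append((n, "browser using a port other than 80/443"))
        # Post #14: 6667 (IRC) or 113 (ident) activity when IRC is never used.
        if not uses_irc and port in (6667, 113):
            findings.append((n, "IRC/ident port seen but IRC is not used"))
        if prog in MAIL_CLIENTS and direction == "out":
            # Post #14: port 109; post #15: mail leaving to strange servers.
            if port == 109:
                findings.append((n, "mail client using port 109"))
            elif host not in KNOWN_MAIL_HOSTS:
                findings.append((n, "mail sent to an unfamiliar server"))
    return findings


if __name__ == "__main__":
    for line_no, reason in triage(SAMPLE_LOG):
        print(f"line {line_no}: {reason}")
```

A flagged line is a prompt to look the address up and check the program involved, not proof of infection.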

  6. #16
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Now just digest all this information and reply with some new questions. There is more to know about the subject, since it is vast.

    But the easiest way to secure a PC is by using a software firewall. This guards all outbound connections and makes sure no type of spyware or malware takes command of the outbound connections. And in the ZA situation, the ZA will stop the malware from spreading and can be stopped- just hit the Red Kill option in the left click of the component in the Program Control list and the malware is no longer active. This can be also done in the task manager, but the ZA does that and makes sure any internet access is completely ceased at the same time!

    Oldsod
    Best regards.
    oldsod

  7. #17
    Join Date
    Jun 2006
    Location
    The 3rd Coast - South Central Texas
    Posts
    10,461

    Default Re: Hey ...gr8 help ! but what abt ...

    POSTING - Don't hijack anyone else's thread. The problems may sound similar but can be completely different!!
    When posting, be sure to give as much information as possible, including the pulldown boxes, so people can try to help you.
    GeorgeV
    ZoneAlarm® Extreme Security


    Click here for ZA Support
    Monday-Saturday__ 6am to 10pm Central time
    Closed Sundays and Holidays

  8. #18
    nosenothing Guest

    Default Re: Completely mystified - how do Programs get server rights?

    Thanks so much, Oldsod. I think I've got more useful information from you in a dozen posts than since I got Zone Alarm. One question - my personal opinion is that the first line of security is not to give the opportunity to those who would do you harm (lock your front door, don't leave your bags unattended, don't give out any information willy-nilly). In relation to the port scan, how are you supposed to know that you are not just telling hackers that your computer is wide open? Who are the people on the other end of the port scanning site and how do you know they are not just hackers waiting for people to tell them that their security is not up to scratch? (no offence to the site people intended - it's a general question)

  9. #19
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Hi

    The grc.com site is very reputable. Steve Gibson is well known for his long term effort for security and PC and internet users. Not a shadow of doubt on his personal and professional reputation.

    Besides a basic port scan will do no harm. The router has been scanned thousands of times by now if not more, just by the internet itself and its usual traffic.

    It is your case anyways, just scanning the router. Not the ZA itself. If you wish to test the integrity of the software firewall, it must be using the DMZ of the router or be plugged directly into your cable modem.

    Basically if a hacker was to scan your ports and look for vulnerabilities, the open ports would be of interest to him.

    Closed ports are just that - closed. Closed ports do indicate that there is something there, whereas stealthed ports never indicate there is something there or not. Closed ports can become opened, but only internally by the OS or the software riding on the OS.
    Hence always keep windows fully patched to stop the OS exploits and avoid those server rights for the Internet Zone Server.

    Open ports are posing a danger. Open ports can be exploited and yet they can be only exploited by the appropriate usage for that port. The http port that is being used by the browser cannot be exploited by let's say the netstat.exe for an example. Or the browser cannot be exploited by something like... port 55,768. Things have their own place and each has their own port. But open ports are declared open because they have responded to an external inquiry. They actually said yes I am here and replied- because they assume that information is to be exchanged back and forth. If the incorrect inquiry is presented from an external source, the open port ceases communications, by nature of design. But if the correct inquiry is presented, then the open port is interested in further communications. Thus a hacker will try to find the open ports, then make the correlations of uses for that actual port and then try to exploit the open port based on its purposes. Perhaps you remember or have googled the Sasser worm- it was exploiting a windows flaw and used a specific port by disguising its inquiry as the correct usage for that exploited port. Just an example of exploiting an open port. Really such an exploit could have been completely avoided by a firewall.

    The closed port never responded, but did mention that it was there and visible to an external inquiry. It cannot be exploited. But if a router or firewall shows closed ports, the number of hits on it increase, since the hackers or general internet traffic see those ports and will attempt to establish communications. Remember the ZA has all ports closed and stealthed.

    Stealthed ports are different. The actual port could be closed or open, yet when a software firewall, such as the ZA, stealths the ports, it can not be determined. The firewall steps in between all of the ports and the external communications. They can not be seen directly by the external side or communicate either in or out and can not communicate with the LAN or the Internet unless the ZA allows it. The ZA firewall is that good.

    Port list>

    http://www.iana.org/assignments/port-numbers

    In this list you see the correct ports assigned to the uses, protocols, applications and specific purposes. This will give you some idea of the wide scope of ports, all 65,535 of them.

    FIRST AND FOREMOST understand that the router if setup correctly it will have stealthed all ports. SECOND AND MORE importantly understand the ZA firewall is the second layer of inbound protection and the main defense for the OUTBOUND PROTECTION. There is no outbound protection in the router. The ZA has by default all ports closed and any port scan will show the ports protected by the ZA as stealthed.

    Any exploit that attempts to establish outbound communication will be stopped by the ZA software firewall.

    Oldsod

    BTW just click that bottom link called browserspy in my sig. That is what every site you have and will visit does actually see about your PC. Or for a quick and limited info see this>

    http://www.dnsstuff.com/tools/aboutyou.ch

    Take a look at this post for some common sense approach to not letting in the vulnerabilities>

    http://forums.zonealarm.com/zonelabs...ssage.id=17426

    Bear in mind this...

    So many users have good security applications and yet fail to obey some simple practises and prevent those exploits in the first place. So they get paranoid and nervous and still continue to violate the rules for safe PCing and safe internet practises. Then they will blame somebody else or the security applications for failing them. Many have decided to decline both the antivirus and the software firewall warnings because they want to see the great free offer for the vacation or they really want to see the movie starlet in that private movie or need to see the latest movie two weeks before its official public release or they desperately want the free software from that shady site or want those key cracks or key gens or, well, the list is a mile long!!!! They fail themselves and it is not the security that is failing them.

    Message Edited by Oldsod on 03-30-2007 10:00 AM

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Anti-Spyware
    Software Version:6.1
    Best regards.
    oldsod

  10. #20
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Completely mystified - how do Programs get server rights?

    Best regards.
    oldsod
