
Thread: ZoneAlarm Antivirus Security Leak

  1. #1
    monkeymagic Guest

    Default ZoneAlarm Antivirus Security Leak

    Hello all,
    Last night I came across (what I consider to be) a security hole in ZoneAlarm AV (and possibly other ZA products as well). How it started was that I had just played a game (the game is called 'N', but that's irrelevant) but kinda got bored of it, so I closed the application and went to view my BitTorrent downloads on Azureus. At that very moment ZA came up with an alert to this extent:

    Suspicious Behaviour
    "Windows NT High Contrast Invocation" is trying to control the keyboard input to the process: C:\Program Files\Azureus\Azureus.exe
    Application: sethc.exe

    On top of that my keyboard and mouse access to the computer was disabled - no response came from pressing any key or even moving the mouse, yet Windows itself had not frozen, as I could see the percentage increases of the download amount on Azureus etc. Thus ZA was waiting for my response and yet I could not respond in any way; disconnecting & reconnecting the input devices from & to my computer had no effect. I then pressed the computer's shutdown button and turned the computer on again, thus restoring the normal state of my computer.

    I researched today in an attempt to find out what had gone wrong. The conclusion I came up with is that "sethc.exe" is a Windows accessibility service that activates upon pressing the shift key five times in a row; the process then monitors keystrokes to discover if any are pressed that it has been programmed to recognise. This program then wanted to monitor keyboard access to Azureus, thus ZA asked my permission, but in doing so ZA places a temporary denial of access to what the program wants to do (which was monitor my keystrokes) until I respond - denying anything to respond to my keystrokes or even mouse movements.

    So what was the point of all that? I would like CheckPoint to somehow change the way ZA reacts to programs so that this kind of block doesn't occur (maybe set up ZA by default to know to allow all Microsoft certified programs to do what they want to). Maybe add an option to the alerts so that if any given alert is not responded to within an hour or so, the alert will be answered with allow. I've also found it odd that ZA will only place one alert before the user, thus putting all other alerts into pending mode and blocking the requests of other programs until the first alert is answered.

    I've also found that when I am typing a document and a program does something ZA wants an answer to, when the alert comes up it will quickly go away again. Why? Because I just pressed keys which answered the alert, even before I had time to read it. This could possibly allow the movements of programs with evil intent to do what they want. To fix this ZA could be changed to not accept keystrokes as an answer to the alert, or to have a timer of 15s before a keystroke (or even a mouse button press) is accepted as an answer to the alert.

    Thanks for reading all of that, I hope you enjoyed it!
    MonkeyMagic

    PS: My OS: Windows XP. My ZA: ZoneAlarm Antivirus 7.0.462.000

    Message Edited by MonkeyMagic on 04-14-2008 02:17 PM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZoneAlarm Antivirus Security Leak

    Let's see.
    The Azureus activated the sethc.exe and it attempted to hook into the keyboard/screen using the sethc.exe as a child application.
    I'm sure the ZA does recognize the sethc.exe as a Windows application, but at the same time, the sethc.exe was seen by the ZA as being exploited or controlled by the Azureus. Thus the ZA stopped the Azureus from doing so.
    Malware could simply do the same - use sethc.exe as a child process and simply use it to steal information from a user. If the ZA was told to allow all activity by the sethc.exe, regardless of the controlling application, then the true purpose of the ZA's anti-keylogger feature would be pointless.

    The keyboard locking up is normal, and not just with the ZA, but also with many anti-keylogger applications.
    The required shutdown is normal if the lockup is serious. The required shutdown, along with the ZA "stopping" the application's hook attempt, does prevent the hooking into the mouse/keyboard.

    Usually applications are opened and RUN/used during the initial training period of the ZA's installation for the first few weeks. If applications were installed afterwards or have never been used before, the Program Control slider is best set at Medium for training the ZA. Once again in the training mode, the ZA will simply accept the new process and its usual events. Without any drama.

    I do not see why it is so difficult to answer the first alert before responding to the later alerts.
    On the other hand, it is easy enough to set the Alerts to Low and get fewer alerts in the first place. Fewer alerts means fewer problems for many users.
    Best regards.
    Oldsod.

  3. #3
    Join Date
    Mar 2004
    Location
    Brisbane, Australia
    Posts
    645

    Default Re: ZoneAlarm Antivirus Security Leak

    Hi MonkeyMagic,

    CheckPoint do not monitor this forum. We are all users here. I suggest you e-mail ZA Customer Support with your suggestion.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZoneAlarm Antivirus Security Leak

    FrereOP wrote:
        Hi MonkeyMagic,

        CheckPoint do not monitor this forum. We are all users here. I suggest you e-mail ZA Customer Support with your suggestion.

    Amazing. We posted at the very same time!
    Best regards.
    Oldsod.

  5. #5
    monkeymagic Guest

    Default Re: ZoneAlarm Antivirus Security Leak

    Thanks guys for the tip, yeah, I'll contact them directly.
    As for Azureus activating sethc.exe, you got it wrong. The game I previously played (called 'N' as previously stated) activated sethc.exe by my hitting the shift key too many times. Then sethc.exe tried to monitor the keystrokes I was going to input, just like it should be doing, except for one reason or another ZA freaked out. I've been using this product for years so I don't think it is hiccups from 'training mode', as I have spent much time customising the settings to fit my own tastes.
    But other than that, thanks for the heads up & have a nice day, evening, morning or weekend (take your pick :8} )
    Cheers,
    MonkeyMagic

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: ZoneAlarm Antivirus Security Leak

    Good morning (well it is here anyways)!

    I didn't mean hiccups from the training mode. I said to use the training mode. Anyways, if you have been customizing, it does not matter.
    However some users have customized and made mistakes, but I don't think this applies either.
    Checked the OSFirewall Logs in the Log Viewer for the event and some details?

    If the game called "N" acted as a parent to the sethc.exe, then the ZA still saw it as being a threat.

    Nice to see the ZA is doing the job and providing security and safety from the previously unseen keylogger attempt.

    Cheers.
    Oldsod.

    Message Edited by Oldsod on 04-14-2008 08:47 AM
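The rule Oldsod spells out in posts #2 and #6 (sethc.exe is a legitimate Windows binary, but when an ordinary application such as the game or Azureus is its parent or controlling process, the anti-keylogger treats the keyboard hook as a threat) can be written down as a small parent-process check. The following is an added example and not ZoneAlarm's code; its record format, the trusted-parent list and all sample records are constructed for illustration, and the OSFirewall log format Oldsod mentions is not reproduced here.

```python
"""Parent-process heuristic for Windows accessibility helpers (sethc.exe etc.).

Added example, not ZoneAlarm code. It models the rule described in the thread:
sethc.exe itself is trusted, but a copy launched by (or running from the folder
of) an ordinary application is treated as a keylogger attempt. The record
format, the parent allow-list and the sample snapshot are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Accessibility helpers that legitimately hook the keyboard when started by
# Windows. Assumption for this example; ZoneAlarm's own list is not published.
ACCESSIBILITY_HELPERS = {"sethc.exe", "utilman.exe", "osk.exe", "magnify.exe", "narrator.exe"}

# Parents from which those helpers are expected to be launched. Assumption for
# the example: the Shift x5 hotkey is serviced by Windows session components,
# not by whichever game or download client happens to be in the foreground.
TRUSTED_PARENTS = {"winlogon.exe", "explorer.exe", "svchost.exe"}

SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    ppid: int
    image: str  # lower-case file name, e.g. "sethc.exe"
    path: str   # lower-case full path


def parse_records(text: str) -> List[ProcessRecord]:
    """Parse constructed 'pid,ppid,path' lines into ProcessRecord objects."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pid, ppid, path = line.split(",", 2)
        path = path.strip().lower()
        image = path.rsplit("\\", 1)[-1]
        records.append(ProcessRecord(int(pid), int(ppid), image, path))
    return records


def flag_helpers(records: Iterable[ProcessRecord]) -> List[Tuple[str, str, str]]:
    """Return (child_image, parent_image, reason) for suspicious accessibility helpers.

    Two checks: the helper must run from %SystemRoot%\\system32 (a binary named
    sethc.exe sitting in a game folder is a masquerade), and its parent must be
    one of the trusted launchers. A genuine sethc.exe with an untrusted parent is
    the case the thread describes: the firewall blocks the hook and alerts.
    """
    records = list(records)
    by_pid = {r.pid: r for r in records}
    findings = []
    for r in records:
        if r.image not in ACCESSIBILITY_HELPERS:
            continue
        parent = by_pid.get(r.ppid)
        parent_image = parent.image if parent else "<unknown>"
        if not r.path.startswith(SYSTEM32):
            findings.append((r.image, parent_image, "unexpected-path"))
        elif parent_image not in TRUSTED_PARENTS:
            findings.append((r.image, parent_image, "untrusted-parent"))
    return findings


# Constructed process snapshot (not a real OSFirewall log) modelled on the
# thread: the game "n.exe" with a real sethc.exe as its child, a sethc.exe
# started from winlogon.exe, and a fake sethc.exe inside the game's folder.
SAMPLE = """
# pid,ppid,path
4,0,c:\\windows\\system32\\winlogon.exe
1500,4,c:\\windows\\explorer.exe
2000,1500,c:\\program files\\n\\n.exe
2100,2000,c:\\windows\\system32\\sethc.exe
2200,4,c:\\windows\\system32\\sethc.exe
2300,2000,c:\\program files\\n\\sethc.exe
2400,1500,c:\\program files\\azureus\\azureus.exe
"""

if __name__ == "__main__":
    for child, parent, reason in flag_helpers(parse_records(SAMPLE)):
        print(f"{child} (parent {parent}): {reason}")
```

Only the two sethc.exe instances tied to the game are reported; the one launched from winlogon.exe passes both checks, which matches Oldsod's point that allowing sethc.exe unconditionally, regardless of the controlling application, would defeat the anti-keylogger feature.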
