Thread: Zonealarm Security Warning

  1. #1
    za_avastfan Guest

    Zonealarm Security Warning

    Dear ZA Forum Gurus,

    I received 34 warnings (2 different types detailed below) in a row this morning on my computer which stated:

    Zonealarm Securitywarning: The firewall blocked /prevented Internet Access to 192.168.0.145 (TCP Port 445) from your Computer (TCP-Flags:S)
    The firewall blocked /prevented Internet Access to 192.168.0.145 (Netbios-Session) from your Computer (TCP-Flags:S).'

    I am running Windows XP SP2, Firefox 3.0, Zonealarm Free, Avira AntiVir and a Samsung Printer.
    I have a cable internet connection through a router at my house. I am not sure whether another computer which is in the house is connected (or trying to connect?!?!?!) to my computer?

    I have never received these warnings before and the only thing I did differently this morning was to give all Nero programs in the program list a green tick in the two columns - Access to trusted and Access to Internet. (I did NOT give them server access to trusted or internet).

    Please help me!!! I am worried about this!!! The other computer I mentioned above is in the process of being cleaned of a trojan, Win32.Agent.pz. Could it be that this is trying to infect my computer? How do I know if my computer has a connection with the other one? I only know we use a router for the cable internet connection and that the aforementioned computer is also connected via this connection.

    Thanks in advance!!

    ZA_avastfan

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm (Free)

  2. #2
    za_avastfan Guest

    Re: Zonealarm Security Warning

    Quick addition:

    My security setting for the Internet zone is high and my security setting for the trusted zone is middle.

    Thanks!!

  3. #3
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Zonealarm Security Warning

    Port 445 is a netbios port (file sharing, printer, ICS, etc.) and the 192.168.x.x IP is a private IP.
    So what happened - one PC of your local area network tried to connect to the other PC - all on your own local area network. Not the Internet.
    It was just a connection attempt and not an attack.

    The ZA gave this alert because the other PC's IP is not entered as Trusted into the Zones and that other PC is perceived as being Internet (no open ports are allowed), not Trusted (will allow open ports).

    Even if the other PC is in the middle of a cleanup, then connections from the other PC are still blocked by the ZA firewall.
    You are still safe and secure.

    More than likely some security scanner or event of the cleanup or reset/replacement of Windows files triggered the outgoing connection from the infected PC.
    This would probably be a normal event for that infected PC - trying to connect to the other devices of the local area network.
    Most win32.agent trojans use regular http (port 80) or the mIRC/IRC ports or some weird port in the 10000-60000 range for the internet connections. Not port 445.
    To be sure, why not check the firewall logs of the infected PC and see what application was attempting the outgoing connections across your LAN.
    Checking those firewall logs will save you a lot of guessing or worrying.

    Oldsod.

    Message Edited by Oldsod on 06-23-2008 10:55 AM
    Best regards.
    oldsod

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Zonealarm Security Warning

    You obviously do not have the other PC's IP entered as Trusted in the ZA.
    Trusted Security slider set at medium will allow open ports to the Trusted IPs.
    (Before you get upset, the dns and dhcp IP should be set as Trusted in the Zones - these IPs need to have the ZA accept unsolicited incoming connections from the dns and the dhcp and directly to the correct applications involved in the events.)

    Oldsod.
    Best regards.
    oldsod

  5. #5
    za_avastfan Guest

    Re: Zonealarm Security Warning

    Dear Oldsod,

    Thank you for the prompt reply and useful information.

    The ZA Log shows the following under:
    Date: 23.06.2008 Type: Firewall Protocoll: TCP (Flags:S) Programm: (This entry is blank) Source IP: 192.168.0.156:445 Direction: Outgoing Action: Blocked

    BUT

    when I change the 'warning-type' option at the top to 'Warning Type: Program' ZA shows the following entry:
    Rating: High Date: 23.06.2008 Type: Known Serverprogram Program: C:\Windows\System32\oodag.exe Source IP: 0.0.0.0:50300 Program: (This entry is blank) Direction: Incoming (Connection request received) Action: (This entry is blank)

    I think after some googling that oodag.exe is a defragmentation program on my computer. In the program settings section of ZoneAlarm all O&O files have the four options set to ask (i.e. access and server areas are all set to ask).

    What should I do? Should I raise the bar in 'protection - middle' to trusted?

    Should I tick the box on the continuous warnings - 'Don't show this warning again' and effectively ignore them?

    Should I uninstall the O&O defrag program?

    When I loaded O&O up just then it asks for a registration code as 30 days trial free has expired. Do you think this is the cause of all the problems?

    Thank you so much for your time and assistance, I look forward to your next advice.

    ZA_Avastfan

  6. #6
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Zonealarm Security Warning

    First, instead of spending time and effort with search engines, why not right click the file in question and open the Properties and have a look at the time/date of install, the file's other names and the file's vendor & product name and look at the certificates for the file? A lot easier and faster and much more accurate.


    Why are you suddenly scared of the 0.0.0.0 address... this 0.0.0.0 is very commonplace and absolutely secure... this address refers to source hosts on the network or as a source of the localhost.
    Or in other words strictly for the localhost addressing and for connecting ONLY to your local area network. Not the internet as would be the case with a trojan.
    Really this is absolutely nothing to be concerned about.
    This happens all the time with many other applications and will continue to happen, but it is probably the first time this has come to your attention. Go back to ignoring it.

    As I said before the port connection was dropped anyways, so why all this fuss???

    Do not increase the Trusted Security slider unless you are prepared to make Expert Rules to now compensate for the blocked (& needed connections) incoming from the dhcp and the dns and other related servers. If you set up the firewall with expert rules, then sure go ahead and increase the security level. If no rules are getting set up, then leave this up to the ZA and let the ZA do this automatically for you.
    It does seem the ZA has been doing the job perfectly for you so far.

    If the O&O trial has expired, then why not uninstall it or just buy it?
    If the defragger is able to do networked drives, it more than likely will defrag networked drives - does that now make sense as to why a safe and secure (albeit expired) trial wants to connect to other networked devices??? Maybe it is trying to find other network drives to defrag? If you just loaded the O&O, does it not stand to reason it will then search for network drives and do activation of files / injections on the host PC?
    Next time do not load the O&O or just uninstall it or buy it (if it's any good and you want to spend monies on a defragger). The problem will get solved that way.

    Just relax, stay calm and clean the other infected PC.
    I cannot see anything wrong except unwarranted worrying, unfounded doubts and unnecessary fears.

    Yes ignore the ZA alerts or set the alerts to not show this warning again.

    Oldsod.

    Message Edited by Oldsod on 06-23-2008 12:20 PM
    Best regards.
    oldsod
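
The address and port checks discussed in the replies above, as an added example that is not part of the original thread or of any ZoneAlarm tool: it pulls the address, port and TCP flags out of lines shaped like the alerts quoted here and sorts them by scope. The sample lines (including the 203.0.113.7 entry) and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines, modelled on the alert/log text quoted in this thread.
SAMPLE_LINES = [
    "The firewall blocked Internet Access to 192.168.0.145 (TCP Port 445) from your Computer (TCP-Flags:S)",
    "Type: Firewall Protocol: TCP (Flags:S) Source IP: 192.168.0.156:445 Direction: Outgoing Action: Blocked",
    "Type: Known Serverprogram Program: oodag.exe Source IP: 0.0.0.0:50300 Direction: Incoming",
    "Type: Firewall Protocol: TCP (Flags:S) Source IP: 203.0.113.7:445 Direction: Incoming Action: Blocked",
]
# Windows file and printer sharing ports (IANA assignments).
SHARING_PORTS = {137: "NetBIOS name", 138: "NetBIOS datagram",
                 139: "NetBIOS session", 445: "SMB over TCP"}
# RFC 1918 private ranges plus link-local: addresses that never route on the Internet.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
ADDR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+)| \(TCP Port (\d+)\))?")
FLAGS_RE = re.compile(r"Flags:([A-Z]+)")

def address_scope(ip):
    """Classify an IPv4 address as unspecified, loopback, lan or public."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:          # 0.0.0.0: "any local interface", not a peer
        return "unspecified"
    if addr.is_loopback:
        return "loopback"
    return "lan" if any(addr in net for net in LAN_NETS) else "public"

def triage(line):
    """Extract address, port and TCP flags from one line and attach a verdict."""
    m = ADDR_RE.search(line)
    if not m:
        return None
    port = int(m.group(2) or m.group(3) or 0) or None
    flags = FLAGS_RE.search(line)
    scope, service = address_scope(m.group(1)), SHARING_PORTS.get(port)
    if scope == "unspecified":
        verdict = "local wildcard address, not a remote host"
    elif scope == "lan" and service:
        verdict = "LAN file/printer sharing attempt: identify the peer and program"
    elif scope == "public" and service:
        verdict = "sharing port reached across the Internet: keep blocked, investigate"
    else:
        verdict = "review manually"
    return {"ip": m.group(1), "port": port, "scope": scope, "service": service,
            "syn_only": flags is not None and flags.group(1) == "S", "verdict": verdict}

if __name__ == "__main__":
    print(*map(triage, SAMPLE_LINES), sep="\n")
```

A flags value of S alone means a bare SYN, that is, a connection attempt that was blocked before any session existed.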

  7. #7
    za_avastfan Guest

    Re: Zonealarm Security Warning

    Thanks for the reassurance Oldsod, it is much appreciated.

    ZA_Avastfan

  8. #8
    Join Date
    Dec 2005
    Posts
    9,057

    Re: Zonealarm Security Warning

    You are welcome ZA_Avastfan

    It is good to be concerned, but always looking for the unusual events can be misleading at times (even though malware could be that unusual event).

    The hard part is not knowing what is correct and acceptable and what is not.
    We have all been there and some of us have never forgotten that state of confusion.
    The knowledge only comes from experience and constant learning.
    Once the basics of the networking and internet is better understood, then the firewalls, logs and servers all fall into place.
    And so will a lot of understanding of security fall into place with that new learning.

    Oldsod.
    Best regards.
    oldsod
