
Thread: Autolearn vs Maximum setting for Program Control

  1. #1
    riceorony Guest

    Autolearn vs Maximum setting for Program Control

    Everyone knows that the autolearn feature (for Program Control) is set-on by default for 21 days after installing ZoneAlarm.

    Depending on who you ask, this is possibly a vulnerability because the computer is somehow "less" secure for this brief period. However, I do notice that this autolearn feature dramatically cuts down the number and frequency of pop-up reminders prompting you to allow access (or deny access) to various programs.

    How do the experts feel?

    I generally feel that the autolearn should be left on for 3 days to a week because within that time frame you'll most likely use a ton of the programs you normally do. This therefore will allow ZA to add them to the list, then you can raise it to Maximum.

    Or do you recommend setting it at Maximum right away? Or possibly leaving the autolearn on for the duration? Please give any explanations necessary.

    Thanks

  2. #2
    zaswing Guest

    Re: Autolearn vs Maximum setting for Program Control

    Disclaimer - not an expert. Learning mode. Every day.
    I think the magic answer is as short a time as possible, to prevent ZA from learning something you'd rather it not learn.
    After installing ZA, run every application you have on the system (preferably proven clean already).
    I'd suggest doing it in phases. First the applications which are totally local to the computer (notepad-type or backups, Process explorer, etc). Then applications for the LAN (explorer-type). Finally internet applications, such as software updates.
    Include all possible modes of startup of those apps so that all modes get learned. And don't forget that some "local" applications may want internet, for instance Word going out to MS site for help or Windows Media player which always wants out but can be kept inhouse.
    Then shut off learning and respond to prompts on things missed.

    A lot can happen in 21 days. I think it's risky to permit such a long time.
    JMO.

    On the other hand, I'm not sure the computer is "less secure" during learning because while you may make mistakes allowing some subsystems to run, I think ZA will watch over you anyway on the internet, not permitting really bad stuff. But I'm not sure of that idea actually.

    I'd love to hear the Gurus speak on the subject as well.

    Edited: NaiveMelody just described a few related things here:
    http://forum.zonelabs.org/zonelabs/b...&jump=true

    Message Edited by zasuiteuser on 09-21-2008 08:45 PM

  3. #3
    Oldsod (Join Date: Dec 2005, Posts: 9,057)

    Re: Autolearn vs Maximum setting for Program Control

    Autolearn = always alert for any new program activity and new activity by approved programs.
    Always alert the user for any rated type of alert.
    Autolearn will ask the user for approval or deny in the alert.
    The ZA in Autolearn has no default permissions for many programs and will always ask the user and this is considered a "training" mode.
    The ZA does include a large database of programs and applications, so really the alerts are at a minimum anyways.
    I would recommend to use the Medium or the AutoLearn before installing new programs or downloading/installing windows updates. (first change to the Autolearn, close and then re-open the ZA, and then do the installations and windows updates).

    Maximum = always block any new program activity and any new activity by approved programs.
    Never alert the user unless it is high rated alert or a high rated risk type of alert.
    Maximum will ask the user for approval or deny in the high rated alert.
    The ZA in Maximum has all of the stored permissions for all programs and will never ask the user and this is considered a "final" mode.

    Maximum setting is a "what is not explicitly allowed is implicitly denied" policy.
    I would recommend the Maximum if the ZA is properly configured and more importantly, the user is confident everything is properly arranged in the ZA.

    Almost every software firewall will use either a set of radio buttons or a slider to adjust these firewall alerts.

    Question:
    Is there really any difference between the Maximum and the AutoLearn in terms of the security in the ZA and the protection it provides?
    Answer:
    There is no difference between the level of security between the Maximum and the AutoLearn.
    Both provide the same security.
    The Maximum setting will silently block and alert for only high rating whereas the AutoLearn will alert for any rating including the high rated.
    Conclusion:
    It really does not matter either way and the level used is basically a personal choice, not a security choice.
    If you want always to see all of the alerts, then use the AutoLearn mode for the permanent setting.
    If you want less alerts, then use the Maximum mode for the permanent setting.

    Other factors to consider:
    • The Expert rules used in the Firewall and the Application can be set to Alert and Log events, regardless of the Program Control slider mode settings.
    • The Application Expert rules can clearly define any application network activities/permissions and limit, deny or allow as needed to a very granular level of control.
    • The Firewall Expert can clearly define any network global activities and limit, deny or allow as needed to a very granular level of control.
    • Any new component (in the ZA | Programs | Components list) seeking internet/network activity will be alerted by the ZA in the Autolearn mode and never in the Maximum mode.
    • Some ZA users do not fully understand the internet and the program activity, let alone firewalls. If the ZA user allowed a possible risk rated alert and mistakenly allowed some malware, then they really are better off to use the Maximum mode once the ZA has gone through the training stages in the Autolearn mode.
    This would greatly reduce their exposure to malware from their own mistakes. This is relying on the ZA to protect you and in many situations is the best recommendation for new and unknowledgeable users.

    A classic example of some confusing firewall alerts is something like this, all asking for Allow or Deny. Maybe all while looking at some free online media:

    MR.ActiveX from movies-free-for-U-no-charge.com wants to install a "beep".ocx in windows temp folder.

    "beep".ocx wants to install a "beep".dll in the Temp folder

    "beep".dll wants to change the IE home page

    "beep".dll wants to change the IE search engine

    "beep".dll wants to install "dancingmonkeys.exe" in the Temp folder of the User's Documents and Settings

    "dancing monkeys.exe" in the User's Temp folder of the User's Documents and Settings wants DNS internet access to remote port 53 by UDP, using local port 1644.

    "dancing monkeys.exe" in the User's Temp folder of the Documents and Settings wants to act as server to DNS server using remote port 53 by UDP.

    "dancing monkeys.exe" in the User's Temp folder of the Documents and Settings wants outbound ICMP Type 8 to free-antivursR-US.com

    "dancing monkeys.exe" in the User's Temp folder of the Documents and Settings wants to act as a server using ICMP Type 8 from free-antivursR-US.com

    "dancing monkeys.exe" in the User's Temp folder of the Documents and Settings wants to accept a connection using ICMP Type 0 from free-antivursR-US.com

    "dancing monkeys.exe" in the User's Temp folder of the Documents and Settings wants to act as a server using ICMP Type 0 from free-antivursR-US.com

    "dancing monkeys.exe" wants to install a new driver

    "dancing monkeys.exe" wants to edit the Services

    "dancing monkeys.exe" wants to change the Startup

    "dancing monkeys.exe" wants to set a new entry in RUN key in the registry

    New Run key entry for winlogon.exe in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    "dancing monkeys.exe" wants to use the explorer.exe process as a child process

    "dancing monkeys.exe" wants to open the notepad.exe

    "dancing monkeys.exe" wants to edit the Host file

    "dancing monkeys.exe" detected injecting itself into the antivirus main resident scanner component

    "dancing monkeys.exe" detected injecting itself into the disk management

    "dancing monkeys.exe" wants to connect to wespyonU.com using port 6667 TCP Flag SYN

    "dancing monkeys.exe" wants to act as a server to wespyonU.com using UDP remote port 6667

    "dancing monkeys.exe" wants the internet server rights for TCP port 1280 to URpownD-virusRus.com remote port 80 TCP.......

    Some people are completely baffled by these kinds of alerts and may just get fed up with clicking allow once or deny and finally just allow everything always and go back to their nice free movie.
    And then wonder why Windows does not work as well as it did just minutes ago and why it no longer starts. Or wonder why there are all these popups and why the wallpaper has changed and why there are some new balloons on the desktop stating Windows is infected with three trojans and it will now cost $24.99 on their credit card to remove this "infection"???
    And why does the IE now have smileysR-US.com as the home page and why there are these strange ads in the browser's web page and why the google search no longer works.
    And why does that evilkeylogger.exe installed by dancingmonkeys.exe keep asking for internet access to remote port 443 by TCP of wegotyourbankaccountnumber.com?


    In many cases, the Maximum mode would have just silently denied and never bothered the User with any alerts - only the high rated alerts would have appeared.
    And most people who see a high rated alert would probably err on the side of caution and deny the alert just to be safe, not allow the alert out of frustration!

    What do I use myself??
    Mostly the Medium Mode (ZA Pro 5.5 equivalent of the Autolearn setting in the later and more recent ZA releases).
    After the ZA has thrown every alert at you while running in the Autolearn mode and the ZA has seen all on the drive and has got a complete database, it will not really alert you much anyway and it is then basically operating in the same manner as the Maximum level.

    Oldsod.

    Sorry for the constant EDITS, it is a long post.

    Message Edited by Oldsod on 09-24-2008 07:51 AM
    Best regards.
    oldsod
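The two Program Control modes Oldsod lays out in #3 (training mode prompts on everything new; final mode silently denies whatever is not explicitly allowed and prompts only on high-rated alerts), together with zaswing's point in #2 about keeping the learning phase short and on a clean machine, as an added worked example. This is illustrative Python written for this page, not ZoneAlarm's code: the program names, the action vocabulary, the low/medium/high ratings, the event stream and the two "user" behaviours are all constructed, and the assumption that a decision made on a high-rated prompt in Maximum mode is stored like any other is mine.

```python
"""Added example, not ZoneAlarm's code: a toy per-program control policy
contrasting a "training" (Autolearn) mode, which prompts on every activity
it has no stored decision for, with a "final" (Maximum) mode, which silently
denies anything not explicitly allowed and prompts only on high-rated
events.  Programs, actions, risk ratings and the event stream below are all
constructed for illustration."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Mode(Enum):
    AUTOLEARN = "autolearn"  # training: ask about every new activity, remember the answer
    MAXIMUM = "maximum"      # final: what is not explicitly allowed is implicitly denied


@dataclass(frozen=True)
class Event:
    program: str  # program attempting the activity
    action: str   # requested activity (constructed vocabulary)
    risk: str     # "low" | "medium" | "high" (constructed rating, stands in for ZA's)


@dataclass
class Policy:
    """Stored decisions keyed by (program, action): True = allow, False = deny."""
    stored: dict[tuple[str, str], bool] = field(default_factory=dict)

    def decide(self, event: Event, mode: Mode, ask: Callable[[Event], bool]) -> str:
        """Return "allow", "deny", "prompt:allow" or "prompt:deny" for one event.

        A stored decision wins in both modes.  Autolearn prompts for anything
        else and records the answer; Maximum denies silently unless the event
        is high-rated, in which case it prompts (and, by assumption, records) too.
        """
        key = (event.program, event.action)
        if key in self.stored:
            return "allow" if self.stored[key] else "deny"
        if mode is Mode.AUTOLEARN or event.risk == "high":
            answer = ask(event)
            self.stored[key] = answer  # learned: the next identical event is silent
            return "prompt:allow" if answer else "prompt:deny"
        return "deny"  # silent default-deny


def run(policy: Policy, events: list[Event], mode: Mode,
        ask: Callable[[Event], bool]) -> dict[str, int]:
    """Feed an event stream through the policy and tally the verdicts."""
    tally = {"allow": 0, "deny": 0, "prompt:allow": 0, "prompt:deny": 0}
    for ev in events:
        tally[policy.decide(ev, mode, ask)] += 1
    return tally


# Constructed stream loosely following the post's "dancing monkeys" chain:
# two already-trained benign programs, then a dropper and the keylogger it installs.
SAMPLE_EVENTS = [
    Event("notepad.exe", "open_file", "low"),
    Event("winword.exe", "connect_tcp_80", "low"),
    Event("dancingmonkeys.exe", "dns_udp_53", "medium"),
    Event("dancingmonkeys.exe", "edit_hosts_file", "high"),
    Event("dancingmonkeys.exe", "set_run_key", "high"),
    Event("dancingmonkeys.exe", "connect_tcp_6667", "medium"),
    Event("dancingmonkeys.exe", "inject_into_av", "high"),
    Event("evilkeylogger.exe", "connect_tcp_443", "medium"),
]


def frustrated_user(event: Event) -> bool:
    return True  # clicks Allow on every prompt to get back to the movie


def cautious_user(event: Event) -> bool:
    return event.risk != "high"  # errs on the side of caution for high-rated alerts


def trained_policy() -> Policy:
    """Decisions stored during a clean training run of benign programs only
    (zaswing's phased approach: local apps first, then LAN, then internet)."""
    p = Policy()
    p.stored[("notepad.exe", "open_file")] = True
    p.stored[("winword.exe", "connect_tcp_80")] = True
    return p


def compare(events: list[Event] = SAMPLE_EVENTS) -> dict[str, dict[str, int]]:
    """Same stream, same trained policy, different mode and user behaviour."""
    return {
        "autolearn_frustrated": run(trained_policy(), events, Mode.AUTOLEARN, frustrated_user),
        "maximum_frustrated": run(trained_policy(), events, Mode.MAXIMUM, frustrated_user),
        "maximum_cautious": run(trained_policy(), events, Mode.MAXIMUM, cautious_user),
    }


def polluted_training(events: list[Event] = SAMPLE_EVENTS) -> dict[str, int]:
    """Why training should be short and on a clean machine: a frustrated user in
    Autolearn teaches the policy to allow the dropper, and Maximum mode then
    allows the same activity silently, with no high-rated prompt left to catch it."""
    p = Policy()
    run(p, events, Mode.AUTOLEARN, frustrated_user)
    return run(p, events, Mode.MAXIMUM, cautious_user)


if __name__ == "__main__":
    for name, tally in compare().items():
        print(f"{name:24s} {tally}")
    print(f"{'after_polluted_training':24s} {polluted_training()}")
```

Running it shows the trade-off in numbers: on the same eight events the trained policy in Autolearn raises six prompts, while Maximum raises only the three high-rated ones and silently denies the other three unknown activities; a cautious user in Maximum therefore ends with nothing from the dropper chain allowed. The last function is the caveat: whatever Autolearn was taught during a bad session is stored as "explicitly allowed", so switching to Maximum afterwards no longer helps.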

  4. #4
    riceorony Guest

    Re: Autolearn vs Maximum setting for Program Control

    Good day Oldsod,

    Thanks for the explanation!

    I now know that you LOVE dancing monkeys hahaha

    This clarifies a ton for me.

  5. #5
    Oldsod (Join Date: Dec 2005, Posts: 9,057)

    Re: Autolearn vs Maximum setting for Program Control

    LOLz.

    Dancing monkeys are closely related to dancing bunnies and dancing pigs.
    Read about those very happy and infectious creatures and others in this PDF.

    http://www.cs.auckland.ac.nz/~pgut00.../usability.pdf

    Something everyone should look at and stop to seriously think about those alerts and warnings.

    Oldsod.

    Message Edited by Oldsod on 09-24-2008 10:10 AM
    Best regards.
    oldsod
