Hello all, including mods:
Is there a FAQ or a step-by-step where it is described which expert rules could be created to improve ZA default security, even on default highest.
For example, a few vulnerabilities in ZAIS 8.059 allow manipulation and it does not seem to protect against them:
1. How do you protect an unknown program from low-level (direct) disk access? (ZA failed this test)
2. How do you specify certain directories to protect from writing (system32 can be written to by any program)?
How do you force ZA to protect various, important registry keys that can be manipulated?
1. Protect the Services key in the registry so malware cannot install itself as a service (very, very bad).
ZA fails this.
2. Protect the Winlogon Notify key so malware isn't started at startup (not protected by default).
3. Protect the UIHost key in the registry so logonui is not overwritten with malware.
4. Protect the ServiceDll key to avoid having a malicious DLL launched with SVCHOST at start.
5. Protect the StartupPrograms registry key to avoid malware launching at startup.
Other protections need to be addressed:
1. Missing *.sys driver in the registry: malware can rename itself as the referenced driver and gain low-level access (not protected in ZA).
2. Driver overwrite protection.
ZA is not able to protect drivers in Windows, such as "beep.sys", from being overwritten by a malicious driver, which then loads itself as a device driver (ZA cannot do this or does not validate drivers loaded).
3. Protect the driver path, so the driver path of an already existing driver is not redirected using the service control manager (ZA does not protect).
1, 2 and 3 are common rootkit techniques that ZA does not protect against.
It only protects against driver loading through the device driver API call.
Help?
Protect trusted processes running in memory so threads cannot be stolen from them and manipulated.
Operating System: Windows XP Pro
Product Name: ZoneAlarm Internet Security Suite
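As an added example (not from the original post and not ZoneAlarm's own code), a PowerShell audit of the registry keys the post lists: it reports ACL entries that let broad identities write to the Services and Winlogon keys (items 1 to 3), and enumerates every ServiceDll so svchost-hosted DLLs can be reviewed (item 4). The StartupPrograms location is not given in the post, so it is left as a placeholder comment; the identity names and the write-rights mask are my assumptions.

```powershell
# Added example: audit the keys named in the post for write access by non-admin identities.
# Run from an elevated PowerShell prompt. Placeholder: add the StartupPrograms key path
# for your system to $KeysToAudit; the post does not state where it lives.
$KeysToAudit = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services',                            # service definitions (item 1)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',        # holds the UIHost value (item 3)
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'  # Winlogon notification packages (item 2)
)

# Identities that should never hold write rights on these keys (assumed list, extend as needed).
$BroadIdentities = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets a process change the key or its values.
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
               [System.Security.AccessControl.RegistryRights]::Delete -bor
               [System.Security.AccessControl.RegistryRights]::WriteKey -bor
               [System.Security.AccessControl.RegistryRights]::FullControl

function Get-WeakRegistryAces {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { Write-Warning "Key not found: $path"; continue }
        $acl = Get-Acl -Path $path
        foreach ($ace in $acl.Access) {
            $grantsWrite = (([int]$ace.RegistryRights) -band ([int]$WriteRights)) -ne 0
            $isBroad     = $BroadIdentities -contains $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and $isBroad) {
                [pscustomobject]@{ Key = $path; Identity = $ace.IdentityReference.Value
                                   Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
            }
        }
    }
}

# Lists every service that loads a DLL into svchost, so the ServiceDll values can be reviewed.
function Get-ServiceDlls {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $params = "Registry::$($_.Name)\Parameters"
        if (Test-Path $params) {
            $dll = (Get-ItemProperty -Path $params -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { [pscustomobject]@{ Service = $_.PSChildName; ServiceDll = $dll } }
        }
    }
}

Get-WeakRegistryAces -Paths $KeysToAudit | Format-Table -AutoSize
Get-ServiceDlls | Format-Table -AutoSize
```

Any row from the first table is a key the firewall's expert rules would have to cover because the OS itself allows the write; the second table is a baseline to diff against after suspected tampering.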