Re: Zone Alarm - firewalls
- From: "pc doctor" <msuhm@xxxxxxxxxx>
- Date: Thu, 31 Aug 2006 18:36:57 GMT
"James Egan" <jegan@xxxxxxxxx> wrote in message
news:85odf25vs40eaqncnh4sc12uru97hvv0jg@xxxxxxxxxx
On Thu, 31 Aug 2006 08:21:06 GMT, "pc doctor" <msuhm@xxxxxxxxxx>
wrote:
The system protection does not have to have failed for a trojan to enter
your computer.
No-one said it did. But if it's phoning home then it has already been
executed and is running.
Yes...you did, at the top of your previous post: "The key point you seem to
be ignoring in this scenario is that the
system protection has already failed and some malware is already active."
The Windows firewall would not stop the trojan from connecting, and you
would not likely be aware of it.
Zonealarm will tell you about outgoing connections that don't make any
attempt to hide themselves. This usually also means the connections
are probably valid anyway. It's the ones it doesn't tell you about
that you need to worry about the most.
I do not use ZoneAlarm and cannot comment regarding their specific product.
The Sygate and Kerio firewalls that I use/have used will alert you to all
outgoing attempts unless you permanently approve the connections. They will
also alert you if some program executes any suspicious behavior such as
trying to start up IE.
With regards to the Windows firewall, I guess you would always need to be
worried, as it is *never* going to tell you about outgoing connections,
whether valid or invalid.
From this point forward, your system could become a "zombie" for forwarding spam e-mails out to the world, and you
would not have any clue it was happening
True with or without zonealarm if malware is active.
In regards to your comment that in an infected system, the malware can do
what it likes, how is the trojan going to start controlling the outgoing
notifications of your firewall unless there is an unpatched vulnerability
that would allow it to take control of the firewall.
Assuming something more than a sledgehammer approach which closes down
the firewall (a simple wm_destroy to the process called zonealarm used
to close it completely and maybe still does), a likely approach would
be for the malware to use (say) your browser to send out all your
sensitive data since this more than likely already has zonealarm's
permission to send stuff out onto the Internet.
Is this the vulnerability that I referred to in my previous post? I recall
that in the past, ZoneAlarm had some vulnerability that could allow a hacker
to bypass its security, but that was quite some time ago.
And wouldn't the
trojan have to be coded to take advantage of your particular brand and
version firewall?
The more popular the firewall, the more tempting it would be for a
malware author to write stuff to circumvent it.
Of course. That's why IE and Windows are constantly attacked. And that's
why the firewall's authors need to be diligent in securing their products.
Keeping your statement in mind, and knowing the track record of Micros*ft to
fully secure their products, would it really be advisable to trust the
security of your system to the Windows built-in firewall? Or might a 3rd
party firewall, whose core business *is* firewalls and security, likely be a
better choice.
Knowing that 97% of computer users are now using some form of Windows (I saw
the report just yesterday from a link in some security forum), and the
likelihood that many of them are using the default Windows firewall,
wouldn't you think that malware authors are probably going to, if not
already, concentrate heavily on defeating the Windows firewall?
With today's systems, considering the fast cpu speeds, and the much larger
and faster memory, how much of a hit are you actually taking by having
outgoing protection? Are you foregoing anti-virus protection also?
pc doc
If you're happy with za outgoing protection then stick with it. Just
don't expect it to tell you about everything.
If I was behind a router I wouldn't bother with a firewall at all. If
a machine has a direct connection to the Internet I would use the
built in firewall. I would always recommend using av though not
resident scanners for clued up people.
I do not use ZoneAlarm, and my system is behind a router/firewall, although
hardware firewalls are also generally "1-way" firewalls. I happen to be one
of the *clued up* people, but I also recognize that most computer users are
not *clued up*, including the majority of my customers.
Contrary to what many people profess in virus/anti-virus/malware forums
regarding the use of resident scanners, I personally have had Avast's
resident scanner stop a virus from infecting my system. (I received an
infected e-mail from a customer's e-mail address just 2 days after I had
been working on his system, and I knew that the system was clean and well
protected. After checking mail headers, I determined that the infected
e-mail did not come from his system, or my own. But that the virus/worm just
happened to spoof the exact address of one of my good customers. Since we
regularly communicate via e-mail and send attachments, if the resident
scanner had not been active, I might not have given the e-mail a 2nd thought
before opening it.)
And along this same thread, why would someone take the chance on hosing
their entire system, or damaging programs, or losing documents? Because with
the resident scanners turned off, your system could become infected and you
may not know it until either system problems start developing, files become
inaccessible, or you get around to running an a/v scan. By this time, it
may be too late to save your system.
pc doc