Press F1 forum | Thread 25283 | zonealarm v outpost | started 2002-09-30 10:13:00 by tweak'e (174)
Post 84746 | 2002-10-01 03:20:00 | Terry Porritt (14)

Quite interesting result: following Mike, I installed Kerio, after first uninstalling ZoneAlarm (free version). First thing that happened was a BSOD due to an 0E in filt95.vxd, which is an Outpost file. I had Outpost already installed for a long time but haven't been running it. Uninstalling Outpost removed the BSOD. Now, the resources used by Kerio according to Resource Meter (in Win98SE) were not measurable, i.e. less than 1%. I now get 90% resources on Windows bootup with Kerio running, whereas with ZA I would get 90% initially, dropping to 80% when ZA loaded. All that remains now is to check out Kerio at GRC etc., tweak the filter rules, and try to find out how effective Kerio is. Cheers
Post 84747 | 2002-10-01 04:06:00 | sal (67)

Who's heard the story about ZoneAlarm being a trojan? Read on:

<-------------------- start of post -------------------------->

Subject: Zone Alarm: TROJAN disguised as FIREWALL?
From: "Bill" <xxxx@xxxx.INVALID>
Newsgroups: comp.security.firewalls, alt.privacy, alt.binaries.cracks
Date: Sun, 12 Mar 2000 04:34:51 -0000

I have been very interested in the suggestion tonight by Ed Starry in comp.security.firewalls that Zone Alarm may be a trojan disguised as a firewall. That's a bold suggestion, but maybe the guy's got a point. The posts have been brief, and not too focussed, but it got my curiosity up. So I've been checking it out. I here report my preliminary findings.

Let us learn from the Aureate affair. The Aureate "spyware" was essentially the advertising plugin advert.dll (there were apparently others, but this is the only one that slipped onto my system unannounced and without an uninstall program). So tonight I have looked to see what DLLs the process known as Zone Alarm actually uses. It's too early to say that Zone Alarm *is* a trojan... er... sorry... "media plugin"... disguising itself as a firewall, but I for one have found out enough tonight to concern me considerably. I have taken the precaution of improving my Conseal ruleset and have got rid of Zone Alarm altogether. At the end of this post I include a complete list of the DLLs used by Zone Alarm on my own system.

Preliminary thoughts: VSMONAPI.DLL is described as "TrueVector Client Interface"; VSUTIL.DLL is "TrueVector Service". The technology used by Zone Alarm, made by Zone Labs, is "TrueVector". Now, according to their own very telling webpage at the Zone Labs site, www.zonelabs.com/presspatent.htm:

"Licensees of TrueVector include Media Metrix, Inc. (NASDAQ: MMXI), the pioneer and leader in Internet and Digital Media Measurement, as well as Tibco Software, Inc."

I've just visited the Media Metrix website: www.mediametrix.com/About/Aboutwwx.html

Quote from the above webpage: "Media Metrix will provide the ability to gauge Internet audience behavior on a worldwide scale - a critical tool for effective advertising and marketing planning for any global company today."

Now look at this, another direct quote: "The company utilizes its patented metering methodology to measure actual Internet and digital media audience user behavior in real-time - click-by-click, page-by-page, second-by-second."

How would they manage that then? Hmmmmm...

More about Media Metrix: "Over 600 clients - advertising agencies, media organizations, marketers, technology providers and financiers - use Media Metrix data regularly to plan, buy and sell new media advertising; develop advertising, marketing and e-commerce strategies; understand consumer behavior; gain competitive market intelligence; and for investment decisions."

They sound like our friends, don't they, hmmmmmm...

According to the page at Zone Labs: "We chose to incorporate TrueVector into our product because its technology was capable of telling our program when another Internet application is in the foreground," said Mark L. Lambert, Senior Architect, TIBCO Software, Inc. "This allows us to improve our user experience by pushing data down to the client only when the user isn't actively browsing the Web."

Pushing data down to the client...? Hmmmm...

Gregor Freund, President of Zone Labs, says: "TrueVector is the first client/server platform to meet these demands as it offers the most flexible and effective method of building Internet intelligence into applications."

Building Internet intelligence into applications??? What exactly does that mean? Apparently it means: "Built with a focus on time-to-market and ease of integration, TrueVector provides its advanced Internet sensing and traffic monitoring features in a modular fashion, which can be adapted to a variety of specific customer needs. Using TrueVector lets developers focus their efforts on building innovative new solutions, rather than on the mechanics of monitoring Internet activity."

Hmmmm... not looking good so far.

Now Ed Starry pointed out the Iamdb.rdb file to be found under Windows/Internet Logs, which swells and swells for no apparent reason (seeing as Zone Alarm 2 [not the new beta] does not have a logging function in the sense that we would understand of a traditional firewall). My iamdb.rdb file is already 487KB and is full of encoded data about ALL of the applications running on my PC, even those that don't have any internet activity. Some may say, well, it needs info on all applications, it's a firewall--but does it? Conseal doesn't have such an interest in all the applications on my PC.

To repeat, according to TIBCO, TrueVector technology "was capable of telling our program when another Internet application is in the foreground". But why should that be important to them? Take another look: "This allows us to improve our user experience by pushing data down to the client only when the user isn't actively browsing the Web."

Remember, Zone Alarm is geared at those who have their internet connections open all the time. So they are monitoring when you are actively browsing the web, waiting for a time when you are not--READ: so they can do something when you aren't looking. So, to Tibco, TrueVector technology is of great interest simply because it tells them this. And what was that the President of Zone Labs said: "...advanced Internet sensing and traffic monitoring features..." Is that a firewall he's talking about, d'you think? A firewall monitors for US, but I get the impression Zone Alarm is monitoring for THEM, with an idiot's firewall thrown in to make you want to use it.

From the Zone Labs URL given above: "TrueVector provides a flexible and scalable method to conduct real-time monitoring of all Internet data exchanges on a personal computer. Due to the granularity of information collected and the fine-grained level of control that TrueVector allows..."

HANG ON! STOP THERE!!! *the granularity of information collected*...?? So it collects information? Let me see if I've got this: they give out a free firewall to protect us from attacks by hackers and malicious trojans, and, in return, because there is no such thing as a free lunch, TrueVector collects information... presumably via the two DLL "media plugins" mentioned above. Have I got that right... and the firewall stops trojans, right? So... am I getting this? It collects information, but there's no way for Media Metrix or Tibco to get their hands on it because... we've got a firewall, right...? Clever!

And, as Steve Gibson points out, if we have Zone Alarm we don't need any *other* firewall because ZA is fully stealthed; he in fact uses it on its own, he's so impressed. We can see how good it is for ourselves by doing a Shields Up! and Ports Probe test at his website. How much is he worth these days? The Zone Alarm site has a link to Gibson's site. Not that I'm suggesting... far be it from me to say...

Starry says: "I installed ZA v2.1.1 yesterday and the <Iamdb.rdb> file already exceeds 155 KB. After installing and configuring ZA this file was only 54 KB. What is this extra 100 KB being used for? It surely isn't needed for configuring because that's already been done."

He should think himself lucky; I have over 400KB of extra data and didn't even know about the Iamdb.rdb file until tonight. Perhaps someone would care to decrypt their Iamdb.rdb and let us all know what it says. Oh, and does Iamdb stand for "I am database"? Just a thought...

Let's go and visit Tibco Software Inc. Oh, the CEO's written a book: http://www.powerofnow.com - Ranadive authored "The Power of Now: How Winning Technologies Sense and Respond to Change Using Real-Time Technology." And he's been interviewed: "In the infrastructure space, there's a whole stack of software you need if you're selling goods and services online," he says. "We've greased the whole value chain. Our technology, for instance, slides right into an Oracle database. It's being embedded right into Cisco's routers and hubs." (cbs.marketwatch.com/archive/20000128/news/current/stwatch.htx?source=htx/http2_mw)

So, basically, our friendly firewall Zone Alarm is in bed with Tibco (who like greasing the whole value chain and embedding real-time technology) and Media Metrix (who want to know you on a click-by-click basis).

<---------------------- end of post -------------------------->
Post 84748 | 2002-10-01 04:27:00 | Terry Porritt (14)

Trying out Probe My Ports at Gibson Research told me that I should block port 135 from external access. That was easy enough to do in Kerio by making up a new filter rule to block TCP and UDP to that port number from any remote address and any application. I am beginning to like Kerio :)
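The external check that the post above relies on (Gibson's port probe against TCP 135 after the Kerio block rule is in place), written out as an added example that is not part of the original thread and not code from Kerio, ZoneAlarm or GRC. It is a small Python 3 probe that classifies a port the way Shields UP reports it: "open" (handshake completed), "closed" (the host answered with RST, so the firewall let the packet through to a port with no listener and the host is visibly there) or "filtered" (no reply at all before the timeout, which is what Gibson calls "stealth"). To say anything about the firewall rule it has to run from a host on the other side of it; demo_local() only exercises the classifier against a loopback listener and an idle loopback port, since nothing on one machine can produce "filtered". The port list, timeouts and the example target address are illustrative assumptions.

```python
import socket
import threading


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the probing host's point of view.

    "open"     - three-way handshake completed: something listens and the
                 firewall let the SYN through.
    "closed"   - the target answered with RST (ConnectionRefusedError): reachable,
                 nothing listening. A port that is merely "closed" still tells a
                 scanner the host exists.
    "filtered" - no answer before the timeout: the SYN was silently dropped,
                 which is what Shields UP calls "stealth".
    "error"    - some other network failure (no route, lookup failure, ...).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"
    finally:
        sock.close()


def probe_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe several ports and return {port: classification}."""
    return {p: probe_tcp(host, p, timeout) for p in ports}


# Assumed port list for illustration: 135 (RPC endpoint mapper, the one the
# post blocks), 137-139 (NetBIOS) and 445 (SMB), the usual Windows exposure.
DEFAULT_PORTS = (135, 137, 138, 139, 445)


def demo_local() -> dict:
    """Offline self-test of the classifier against loopback.

    Starts a throwaway listener so one port is genuinely open, and grabs a
    second ephemeral port that is released before probing so it is closed.
    Only a real packet filter between prober and target can yield "filtered".
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    def accept_once():
        try:
            conn, _ = listener.accept()
            conn.close()
        except OSError:
            pass

    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # released, so nothing listens there when we probe

    results = {
        "listening": probe_tcp("127.0.0.1", open_port, timeout=1.0),
        "idle": probe_tcp("127.0.0.1", closed_port, timeout=1.0),
    }
    worker.join(timeout=1.0)
    listener.close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print(demo_local())  # loopback self-test
    else:
        # Run from OUTSIDE the firewall, e.g.: python probe.py 203.0.113.10
        for port, state in probe_ports(sys.argv[1], DEFAULT_PORTS).items():
            print(f"{port:>5}/tcp  {state}")
```

A result of "closed" on 135 means the Kerio rule is not doing what the post describes (the host replied), while "filtered" is the stealth result Gibson's site reports; the UDP half of the rule cannot be checked this way, because a dropped UDP datagram and an unanswered one look identical to the sender.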
Post 84749 | 2002-10-01 05:53:00 | Mike (15)

I like it :) It's small and does the job. Although you generally do need to know a bit more than you do if you're running ZA (which I like to think I do :p). Mike.
Post 84750 | 2002-10-01 06:54:00 | tweak'e (174)

Well, when I last tried Kerio it crashed my PC while it was installing... oh joy. Tiny was good, except you almost need an IT degree to set up the rules (like, how many people actually know what ICMP rules to make... argggghh). If there's one thing ZA has got right, it's that it's easy to use.
Post 84751 | 2002-10-01 09:23:00 | Kahawai_Chaser (166)

Hi... Because ZA is so easy to use (or rather not use), I have no idea what it is doing in relation to blocking the port(s) or whatever. Is there a way to see how it physically (or programmatically) stops inbound entries? (Just for interest.) I have seen "trace route" programs for download, where you can track where these entries come from... Though ZA is easy to forget about, except for loading up, because it takes a while. Its icon appears long after its splash screen... Cheers...
Post 84752 | 2002-10-01 10:38:00 | Mike (15)

Kerio and Tiny are pretty much the same thing. Mike.
Post 84753 | 2002-10-01 11:00:00 | tweak'e (174)

> Kerio and Tiny are pretty much the same thing.

Mmm... not quite. I can't remember the exact details, but Kerio is derived from Tiny; both are separate programs in their own right. However, early Kerio had all sorts of problems. Not sure what it's like now.
Post 84754 | 2002-10-01 11:04:00 | SoniKalien (792)

Heh, I sit here with a smug look on my face, surfing the net while making a minimum amount of waves due to my own knowledge and diligence, and the fact that I'm on dialup. Firewalls are there to prevent unauthorised connections. Since I don't use vulnerable software, or visit dodgy sites, and know everything that goes on inside this box, I don't need to add another burden to the system by installing a firewall. If I was on cable though, yes. BTW, I'm not surprised about ZA being accused of being spyware...
Post 84755 | 2002-10-01 11:05:00 | Mike (15)

I've noticed very few differences. I guess Kerio is a little easier to use than Tiny, but I thought that might just be because it's a newer version. Mike.