
FIX for ZoneAlarm & KB951748 issue released



Guest Paul (Bornival)
Posted

Oh, thank you.

Any idea why ZA assumed those changes were due to malware infection? I like

to know the details since, after all, software is not "magic" but something

made by a human (and therefore, intelligible by another human) to be used by

a machine (and not the opposite).

Paul.

 

"Harry Johnston [MVP]" wrote:

<span style="color:blue">

> Paul (Bornival) wrote:

> <span style="color:green">

> > Thank you for your reply. I checked these forums but could not find

> > specific information. Do you know which files were modified and why ZA could

> > not cope with them ?</span>

>

> The Microsoft KB article describes the files that the update replaces:

>

> http://support.microsoft.com/kb/951748

>

> <http://support.microsoft.com/kb/951748>

>

> I haven't confirmed this myself, but my understanding is that ZA assumed that

> the changes were due to malware infection and refused to use the files.

>

> Harry.

> </span>

Guest Root Kit
Posted

On Tue, 22 Jul 2008 08:10:00 +1200, "Harry Johnston [MVP]"

<harry@scms.waikato.ac.nz> wrote:

<span style="color:blue">

>I haven't confirmed this myself, but my understanding is that ZA assumed that

>the changes were due to malware infection and refused to use the files.</span>

 

Firewalls should just deal with network traffic. The fact that ZA has

to resort to HIPS technology speaks volumes about what business they

got themselves into.

Guest John John (MVP)
Posted

Harry Johnston [MVP] wrote:<span style="color:blue">

> John John (MVP) wrote:

> <span style="color:green">

>> You constantly shift the discussion from the value of proper egress

>> filtering to software firewalls, even though I have said right from

>> the start that egress filtering at the firewall can be foiled and that

>> users should consider better methods. So get it in your thick skull,

>> egress filtering at a perimeter appliance is a sound security measure,

>> [...]</span>

>

>

> As far as I recall, nobody in this thread has ever said otherwise. The

> discussion is about software firewalls, after all!

>

> Harry.</span>

 

Read Kayman's posts, specifically:

 

 

John said:

<span style="color:blue"><span style="color:green">

>>There is also a developing and troubling trend in this whole debate, one <span style="color:darkred">

>>> that some people are bent on spreading at all costs, that because

>>> software firewalls are not immune to exploits by malware attempting to

>>> send data to outside networks, then by simple deduction any and all

>>> egress filtering as a security concept is unnecessary. Egress filtering

>>> at the perimeter, done by reliable network appliances, is a vital part

>>> of network security, without proper egress control your network security

>>> is incomplete, ignore egress traffic at your own perils!</span></span></span>

 

 

Kayman said:

<span style="color:blue">

> Fact:

> Outbound control on an XP platform as a security measure against malware is

> still utter nonsense.

> The windows platform was designed with usability in mind providing all

> kinds of possibilities for e.g. inter-process communication. This

> together with the very high probability that the user is running with

> unrestricted rights makes it impossible to prevent malware allowed to

> run and determined to by-pass any outbound "control" (which, of course

> modern malware is) from doing so. It's simply too unreliable to

> qualify as a security measure. </span>

 

Does that not say that "any" outbound control (egress control) is "utter

nonsense that is too unreliable to qualify as a security measure"? The

comment was made in direct reply to my statement that egress filtering

at the perimeter was a vital part of network security, how else can you

interpret Kayman's reply?

 

John

Guest Phyllis
Posted

I replaced my wireless router and it seems to have fixed the problems that I

was having. Huge coincidence that my router would start to die at the same

time that everyone else started having problems with the latest update.

 

Thanks for your help.

 

"PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message

news:u53wtES5IHA.2332@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> I'm not giving you attitude, I just need you to answer my questions,

> Phyllis. If you'd like to get voluntary or paid assistance elsewhere,

> please do so.

><span style="color:green">

>> ...I believe you should know that SP3 became available before July

>> 8, 2008</span>

>

> SP3 was made available via Windows Update website on or about 07 May-08,

> and

> for a very brief period was being offered to some users who'd configured

> Automatic Updates (AU) to "Download but notify" and "Notify Only."

>

> SP3 was made available to all users, independent of their AU settings, at

> 17:00 UTC, 10 Jul-08.

><span style="color:green">

>> NO, it is not only after standby that it occurs...</span>

>

> Thank you for answering my specific question.

><span style="color:green">

>> I cleaned my machine of all files/traces of Norton after I uninstalled

>> via

>> Add/Remove Programs, but will download/run the removal tool that you

>> provided.</span>

>

> Let me know if running the removal tool helps at all. Norton applications

> are notorious for not uninstalling cleanly, Phyllis. The "remainders"

> left

> behind can have an untold number of effects on performance, including

> connectivity.

>

> Phyllis, what's the make & model of your wireless router? Do you own it

> or

> do you lease it from your ISP there in Conway?

>

> Also tell me if the connectivity issues only seem to occur at specific

> times of the day (e.g., only in the early evening; from 5 PM till

> bedtime).

> --

> ~PA Bear

>

>

> Phyllis wrote:<span style="color:green">

>> My response from my last post: ("Don't remember date of SP3 install, was

>> right after it became available and I got update notification from

>> Automatic

>> Updates.") I believe you should know that SP3 became available before

>> July

>> 8, 2008. I really appreciate all the help, but can do without the

>> "attitude." I know this problem has been overwhelming to deal with and

>> you

>> are probably tired of incompetent people owning computers but none the

>> less

>> we all have them now.

>>

>> NO, it is not only after standby that it occurs. Also answered in last

>> post. (Usually when I FIRST open Internet Explorer I get this box that

>> says

>> "no internet connection available, do you want to work offline or retry."

>> When I click retry it connects right up. My wireless connection doesn't

>> connect at startup and if I do manage to get it connected it drops during

>> standby.) Does this response not answer the question about having the

>> problem only after standby or hibernation? I have my computer set to

>> never

>> hibernate.

>>

>> Outlook Express also exhibits the same problem.

>>

>> I cleaned my machine of all files/traces of Norton after I uninstalled

>> via

>> Add/Remove Programs, but will download/run the removal tool that you

>> provided. I will also install the updates. Thank you very much for your

>> help.

>>

>>

>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message

>> news:e3tHLOK5IHA.4908@TK2MSFTNGP04.phx.gbl...<span style="color:darkred">

>>> [Crossposting eliminated]

>>>

>>> Did you or did you not install WinXP SP3 on or after 08 July 2008?

>>>

>>> You explained your connection problems before. I need to know if you

>>> only have such problems after resuming the machine from Standby or

>>> Hibernate? If not, please say so.

>>>

>>> Do any of your other applications (e.g., Outlook Express) exhibit these

>>> connection problems or is it just IE7?

>>>

>>> =========================

>>>> ...I have also had Norton Internet Security during 2006 and 2007.

>>>

>>> 1. If anything named Norton or if LiveUpdate is listed in Add/Remove

>>> Programs, please uninstall it/them.

>>>

>>> 2. Now download/run this removal tool and reboot:

>>> http://service1.symantec.com/SUPPORT/tsgen...005033108162039

>>>

>>> 3. Any improvement in the connectivity department?

>>> =========================

>>>

>>>> I did a system restore yesterday and told Automatic Updates to not show

>>>> me

>>>> KB951748 and KB951978 again.

>>>

>>> Please do NOT use System Restore to "undo" updates. Uninstall them via

>>> Add/Remove Programs instead.

>>>

>>> I would STRONGLY recommend that you get KB951748 and KB951978 installed

>>> again ASAP! You've proven that neither of them caused your problem, and

>>> KB951748 especially is a big deal! =>

>>> http://blog.washingtonpost.com/securityfix...net_tues_1.html

>>>

>>> And I can assure you that all responsible ISPs consider it a big deal,

>>> too, and are scrambling to make changes to protect against these

>>> vulnerabilities.

>>> --

>>> ~Robear Dyer (PA Bear)

>>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002

>>> AumHa VSOP & Admin http://aumha.net

>>> DTS-L http://dts-l.net/

>>>

>>>

>>> Phyllis wrote:

>>>> I am using microsoft.public.security in my Outlook Express to

>>>> view/reply.

>>>>

>>>> Problem started first part of the week after Windows Updates and AVG

>>>> update.

>>>>

>>>> Don't remember date of SP3 install, was right after it became available

>>>> and

>>>> I got update notification from Automatic Updates. Usually when I first

>>>> open

>>>> Internet Explorer I get this box that says "no internet connection

>>>> available, do you want to work offline or retry." When I click retry

>>>> it

>>>> connects right up. My wireless connection doesn't connect at startup

>>>> and

>>>> if

>>>> I do manage to get it connected it drops during standby.

>>>>

>>>> I use Windows Firewall, but have recently had Zone Alarms but didn't

>>>> like

>>>> some things about it and uninstalled via Add/Remove programs. I have

>>>> run

>>>> a

>>>> search and did not find any files associated with Zone Alarms on my

>>>> computer. I have also had Norton Internet Security during 2006 and

>>>> 2007.

>>>>

>>>> I did a system restore yesterday and told Automatic Updates to not show

>>>> me

>>>> KB951748 and KB951978 again. I did install the Malicious Software

>>>> Tool.

>>>> Problem remains. I am wondering if maybe my internet provider may have

>>>> been

>>>> messing with it trying to resolve this problem themselves. I believe

>>>> it

>>>> was

>>>> on Zone Alarms forum that I read where internet providers were having

>>>> to

>>>> make corrections to their servers too. Don't know if that is correct

>>>> or

>>>> not. I have read so much today, I can hardly remember my name at this

>>>> point. I have it all connected right now and has been working fine for

>>>> the

>>>> last couple of hours. Don't know what is going on.

>>>>

>>>> "PA Bear [MS MVP]" <PABearMVP@gmail.com> wrote in message

>>>> news:%23bqaawG5IHA.1196@TK2MSFTNGP05.phx.gbl...

>>>>>> I have been experiencing problems with my internet

>>>>>> connection all week.

>>>>>

>>>>> "All week" meaning since you installed KB951748, KB951978, and the

>>>>> Malicious Software Removal Tool on or shortly after 08 July 2008?

>>>>>

>>>>> When did you install WinXP SP3? Was AVG running in the background

>>>>> when

>>>>> you installed SP3? Do you only experience such issues after resuming

>>>>> from

>>>>> Standby or Hibernation?

>>>>>

>>>>> You've told us that ZoneAlarm isn't installed. Is another third-party

>>>>> firewall installed or are you using the Windows Firewall?

>>>>>

>>>>> Has a Norton or McAfee application ever been installed on the machine?

>>>>>

>>>>> Lastly, if you uninstall "Security Update for Windows XP (KB951748)"

>>>>> via

>>>>> Add/Remove Programs & reboot, does the behavior persist?

>>>>>

>>>>> PS: Please tell me which newsgroup you're using to view and reply to

>>>>> this

>>>>> thread. I'd prefer that we discontinue the unnecessary crossposting.

>>>>>

>>>>> Phyllis wrote:

>>>>>> Microsoft Windows Updates this week were KB951748 (Security Update

>>>>>> for

>>>>>> XP),

>>>>>> KB951978 (Update for Windows XP), KB890830 (Windows Malicious

>>>>>> Software

>>>>>> Removal Tool). I have been experiencing problems with my internet

>>>>>> connection all week. Sometimes I can't get it to connect at all, or

>>>>>> a

>>>>>> window will come up and say "there is no internet connection

>>>>>> available,

>>>>>> do I

>>>>>> want to work offline or retry." If I click retry it will connect

>>>>>> right

>>>>>> up.

>>>>>> Then at other times it will connect to the cable connection with no

>>>>>> problem,

>>>>>> but then my wireless connection will not connect, it doesn't even

>>>>>> show

>>>>>> a

>>>>>> network available. After fooling with it (disable, re-enable,

>>>>>> repair)

>>>>>> it

>>>>>> will just finally connect up.

>>>>>>

>>>>>> I had already upgraded to AVG 8.0 several weeks ago. The update this

>>>>>> week

>>>>>> was just a part of daily updates, but required restart of my computer

>>>>>> which

>>>>>> it never did before. It says 8.0.138.

>>>>>>

>>>>>>> What other Windows updates did you install this week? Exactly

>>>>>>> what

>>>>>>> problems are you experiencing since installing the July 2008

>>>>>>> updates?

>>>>>>>

>>>>>>> Did you upgrade from AVG v7.5 to v8.0, and are you now running

>>>>>>> v8.1.135?

>>>>>>> --

>>>>>>> Phyllis wrote:

>>>>>>>> Sorry about posting in the wrong place, but I was mainly commenting

>>>>>>>> on

>>>>>>>> the

>>>>>>>> fact that there were others with what seemed like the same problem

>>>>>>>> that

>>>>>>>> did

>>>>>>>> not have ZA.

>>>>>>>>

>>>>>>>> XP SP3, IE 7, and my AVG did an update this week that required

>>>>>>>> restart

>>>>>>>> of

>>>>>>>> my

>>>>>>>> computer which has never happened before, so it is possible they

>>>>>>>> made

>>>>>>>> some

>>>>>>>> changes as well. Has anyone complained about that freebie screwing

>>>>>>>> things

>>>>>>>> up? Seems like everything I have on my computer has been wanting

>>>>>>>> to

>>>>>>>> update

>>>>>>>> today and I'm getting a little gun shy. Thanks

>>>>>>>>

>>>>>>>>> No, sorry. It's been a very long week...

>>>>>>>>>

>>>>>>>>> Then again, you did post in a thread about ZoneAlarm and KB951748

>>>>>>>>> instead

>>>>>>>>> of beginning your own thread.

>>>>>>>>>

>>>>>>>>> What's your Windows version (e.g., WinXP SP3) and IE version,

>>>>>>>>> Phyllis?

>>>>>>>>> What other updates did you install this week besides KB951748?

>>>>>>>>> --

>>>>>>>>> Phyllis wrote:

>>>>>>>>>> So this fix works even if you are not running Zone Alarms?

>>>>>>>>>>

>>>>>>>>>>> ZA's had the fix for several days now:

>>>>>>> <snip></span></span>

> </span>

Guest Kayman
Posted

On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:

<span style="color:blue">

> "Kayman" wrote:

> <span style="color:green"><span style="color:darkred">

>>> Where can we find the technical details of the incompatibility. I have been

>>> looking hard but have not found anything relevant so far (or so vague you

>>> can't understand what is going on).</span>

>>

>> Informative reading:

>>

>> Dan Kaminsky Discovers Fundamental Issue In DNS: ...</span>

>

> Thank you. But I have actually read all those documents. What I was

> interested in was to understand the technical (real) reason for the

> incompatibility of ZA with KB951748.</span>

 

Don't know (can't locate) any technical reasons re incompatibility. My guess

is that ZA just did not realize the impact KB951748 would have on their

software. For the ZA users, this actually would be an interesting question

to ask in their forum.

Guest Anthony Buckland
Posted

"Kayman" <kaymanDeleteThis@operamail.com> wrote in message

news:e1JqD046IHA.4864@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:

> ...

> Don't know (can't locate) any technical reasons re incompatibility. My

> guess

> is that ZA just did not realize the impact KB951748 would have on their

> software. For the ZA users, this actually would be an interesting question

> to ask in their forum.</span>

 

Believe me, it's been all over the ZoneAlarm forum. The first thing

you see now when you enter the forum is a

 

G R E A T B I G W A R N I N G

 

about the situation and its fix.

Guest Harry Johnston [MVP]
Posted

John John (MVP) wrote:

<span style="color:blue"><span style="color:green">

>> As far as I recall, nobody in this thread has ever said otherwise. The

>> discussion is about software firewalls, after all!</span></span>

<span style="color:blue">

> Read Kayman's posts, specifically:</span>

 

[John John quoting Kayman:] "Fact: Outbound control on an XP platform as a

security measure against malware is still utter nonsense. The windows platform

was designed with usability in mind providing all kinds of possibilities for

e.g. inter-process communication."

 

Kayman is obviously talking about software firewalls here, since otherwise IPC

would be irrelevant. I can't speak for Kayman, of course, but I'd guess he

simply missed the fact that you'd unexpectedly changed the subject.

 

... on the other hand, and speaking only for myself, I don't see how external

egress filtering is going to help much; how is the device to distinguish between

legitimate and illegitimate traffic? (Well, OK, there's the obvious case of

spam engines, but apart from that ...)

 

Harry.

Guest Harry Johnston [MVP]
Posted

Paul (Bornival) wrote:

<span style="color:blue">

> Any idea why ZA assumed those changes were due to malware infection.</span>

 

I would guess it simply assumed that /any/ change to the network stack must be

due to malware. The real answer may be more complex than this, but only the

developers could provide it.

 

Harry.

Posted

Microsoft patch knocks some ZoneAlarm users offline:

Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm

http://www.computerworld.com/action/articl...ticleId=9108298

 

-jen

 

"Paul (Bornival)" <PaulBornival@discussions.microsoft.com> wrote in

message news:7C0F355E-FB21-4DAD-BB25-860799FE8FEA@microsoft.com...<span style="color:blue">

> Oh, thank you.

> Any idea why ZA assumed those changes were due to malware infection?

> I like

> to know the details since, after all, software is not "magic" but

> something

> made by a human (and therefore, intelligible by another human) to be

> used by

> a machine (and not the opposite).

> Paul.

>

> "Harry Johnston [MVP]" wrote:

><span style="color:green">

>> Paul (Bornival) wrote:

>><span style="color:darkred">

>> > Thank you for your reply. I checked these forums but could not

>> > find

>> > specific information. Do you know which files were modified and

>> > why ZA could

>> > not cope with them ?</span>

>>

>> The Microsoft KB article describes the files that the update

>> replaces:

>>

>> http://support.microsoft.com/kb/951748

>>

>> <http://support.microsoft.com/kb/951748>

>>

>> I haven't confirmed this myself, but my understanding is that ZA

>> assumed that

>> the changes were due to malware infection and refused to use the

>> files.

>>

>> Harry.

>> </span></span>

Guest Harry Johnston [MVP]
Posted

jen wrote:

<span style="color:blue">

> Microsoft patch knocks some ZoneAlarm users offline:

> Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm

> http://www.computerworld.com/action/articl...ticleId=9108298</span>

 

Thanks. This description doesn't gibe completely with some of the reported

behaviour (in particular the claim that reinstalling ZoneAlarm fixed the issues)

but perhaps the reports were confused.

 

Be that as it may, the only situation I see where Microsoft could rightly be

blamed is if Zone Alarm had asked to receive pre-release versions of updates for

testing and Microsoft had refused. Microsoft can't reasonably be expected to

bear the cost of testing third-party products with new updates (particularly

those using undocumented techniques to pervert the functioning of the operating

system) but they should of course be cooperative with reputable third-party vendors.

 

Harry.

Guest Kayman
Posted

On Mon, 21 Jul 2008 14:20:08 -0300, John John (MVP) wrote:

<span style="color:blue">

> Kayman wrote:<span style="color:green">

>> On Mon, 21 Jul 2008 09:14:31 -0300, John John (MVP) wrote:

>>

>> <span style="color:darkred">

>>>Kayman wrote:

>>>

>>>

>>>>Fact:

>>>>The only reasonable way to deal with malware is to prevent it from being

>>>>run in the first place. That's what AV software or Windows' System

>>>>Restriction Policies are doing. And what 3rd party Personal (so-called)

>>>>Firewalls fail to do!

>>>>

>>>>John John (MVP), would you please educate and inform yourself by studying

>>>>publications not associated with any COMMERCIAL influence. Additionally,

>>>>the authors of these publications can be contacted....why don't you bite

>>>>the bullet and do so? It'll brighten your horizon and you could pass on

>>>>your newly acquired knowledge to this and other newsgroups.

>>>

>>>Only a fool...</span>

>>

>>

>> You just can't help yourself, can you.

>> Name calling does not hide your immaturity.

>>

>> <span style="color:darkred">

>>>...would claim that proper egress control has no place in network security.</span>

>>

>>

>> Where precisely did I claim that?

>>

>> <span style="color:darkred">

>>>Even the experts at Microsoft advise users to protect their data with

>>>egress control.</span>

>>

>>

>> Which 3rd party personal (so-called) firewall is MSFT recommending?

>> Where are links, URL's, publications?

>>

>> <span style="color:darkred">

>>>You, of course, also know better than the folks at Microsoft.</span>

>>

>>

>> Your assumption is nothing but an assumption (you've got to replace that

>> crystal ball). And who in particular from MSFT are you referring to? I'd be

>> genuinely interested to read their write-ups. If you're referring to the

>> authors already mentioned in this thread, please point me to their

>> publication(s) which state that 3rd party personal (so-called) firewall is

>> an effective tool for controlling egress traffic.

>> It seems you are either totally not understanding my point or deliberately

>> evading the issue!

>> MSFT knows exactly well that outbound application protection is an

>> illusion, which is why they don't offer such a (phony-baloney) thing.

>> Unlike you, they understand the nature of their operating system, and are

>> even honest enough to admit that outbound control is way too unreliable.

>> Even commercial enterprises like Sunbelt, makers of Kerio and Steve Gibson

>> of Gibson Research Corporation have finally conceded this fact!

>> Now don't change directions here and twist this straightforward post into a

>> convoluted psychedelic drivel.

>> John John (MVP), WHERE IS THE BEEF? SHOW US THE MONEY! PUT UP OR SHUT UP!</span>

>

> You constantly shift the discussion from the value of proper egress

> filtering to software firewalls, even though I have said right from the

> start that egress filtering at the firewall can be foiled and that users

> should consider better methods. So get it in your thick skull, egress

> filtering at a perimeter appliance is a sound security measure, even the

> folks at Microsoft will tell you this:

> http://msdn.microsoft.com/en-us/library/aa302431.aspx

>

> Now maybe you should read what is says there and get a grip on yourself,

> you don't know all that there is to know about network security and data

> protection! Quite frankly you should not be one to speak of drivel, you

> spew enough of it yourself! If you are really too stupid to recognize

> the purpose and usefulness of egress traffic control then you are indeed

> lacking in the basics of network and data security!

> </span>

 

This thread is about what the original heading suggests; It later graduated

to security issues in relation to 3rd party personal (so-called) firewalls.

 

I reiterate, this thread is about 3rd party personal (so-called)

firewall(s)! My posts and responses were composed accordingly!

 

If anybody is running around like a headless chicken it is you.

 

The sole purpose for snipping my posts so cleverly is to save your face; It

enables you to take my responses out of context which is a sorry attempt

for trying to re-establish your credibility!

 

After reading my posts in their UNCUT version, anybody with average

reading skills and a moderate level of comprehension will see through your 'game'.

 

John John (MVP), After you've wiped the tons of eggs from your face, I

suggest you never ever touch that subject again, change your name, sell

your house and migrate to Andorra or Lesotho then join a yacht club and

teach sailing.

 

I am done with you.

Guest Kayman
Posted

On Mon, 21 Jul 2008 17:19:54 -0700, Anthony Buckland wrote:

<span style="color:blue">

> "Kayman" <kaymanDeleteThis@operamail.com> wrote in message

> news:e1JqD046IHA.4864@TK2MSFTNGP06.phx.gbl...<span style="color:green">

>> On Mon, 21 Jul 2008 09:22:07 -0700, Paul (Bornival) wrote:

>> ...

>> Don't know (can't locate) any technical reasons re incompatibility. My

>> guess

>> is that ZA just did not realize the impact KB951748 would have on their

>> software. For the ZA users, this actually would be an interesting question

>> to ask in their forum.</span>

>

> Believe me, it's been all over the ZoneAlarm forum. The first thing

> you see now when you enter the forum is a

>

> G R E A T B I G W A R N I N G

>

> about the situation and its fix.</span>

 

Okay, okay, okay; I believe you! I have no reasons for visiting that

particular forum. What have/had the moderators (not the posters) to say

in relations to the DNS issue?

Guest Paul (Bornival)
Posted

"jen" wrote:

<span style="color:blue">

> Microsoft patch knocks some ZoneAlarm users offline:

> Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm

> http://www.computerworld.com/action/articl...ticleId=9108298

>

> -jen

> </span>

 

Thank you. Interesting and makes sense, even if technical details are not

given.

Guest Root Kit
Posted

On Mon, 21 Jul 2008 23:48:44 -0400, "jen" <jen@example.com> wrote:

<span style="color:blue">

>Microsoft patch knocks some ZoneAlarm users offline:

> Firewall's hooks into Windows XP kernel the cause, says ZoneAlarm

>http://www.computerworld.com/action/articl...ticleId=9108298</span>

 

<quote>

The quickest way to regain Internet access, said the company, is to

uninstall the security update tagged as KB951748 using Windows' Add or

Remove Programs utility. Alternately, users could tweak ZoneAlarm's

firewall settings or reduce the security level of the machine.

<end-quote>

 

How responsible.....

 

 

<quote>

"We filter network traffic at the kernel, where malware can't avoid

us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

in user mode, malware can see what we're doing."

<end-quote>

 

Yeah, right. As if malware wouldn't compromise the kernel as well....

 

 

<quote>

The problem notwithstanding, she defended kernel hooking. "It's

undocumented, but it's in widespread use. Every major security vendor

makes use of it," said Yecies.

<end-quote>

 

So does any serious malware writer....

 

 

<quote>

"This isn't about finger-pointing," said Yecies, when asked which

company was responsible for the snafu, ZoneAlarm or Microsoft. When

pressed, however, she acknowledged that Microsoft should have caught

the problem before issuing its security update.

<end-quote>

 

Yeah, right. "Don't make changes to your kernel without making sure

we didn't mess with it.".....

Guest Kerry Brown
Posted

> At this point some versions of Zone Alarm barfed. I don't use Zone Alarm <span style="color:blue">

> so the rest of the story I gleaned from reading Zone Alarm forums and

> official announcements. The Zone Alarm application noticed that some

> Windows files had changed and decided not to allow these files to

> communicate to the Internet. It wasn't anything in the way the files

> worked, merely that they had changed, that caused the problem. Because

> these are system files Zone Alarm doesn't ask about them. Clearing the

> Zone Alarm database so that it would not think the files were changed

> fixed the problem. How is an OS supposed to update itself if it can't

> change files? The way that Zone Alarm monitors and responds to system file

> changes is flawed.</span>

 

 

It looks like this may not be quite the whole story. There are conflicting

reports about exactly what caused Zone Alarm to barf. Some stories say it

was Zone Alarm's heuristics causing the problem. Others say the update broke

the way Zone Alarm uses unsupported methods to hack the kernel. Zone Alarm

hasn't commented officially that I can find. It doesn't really change

anything. It's merely a technical point of interest. The fault lies with

Zone Alarm if either reason is the cause.

 

--

Kerry Brown

MS-MVP - Windows Desktop Experience: Systems Administration

http://www.vistahelp.ca/phpBB2/

http://vistahelpca.blogspot.com/
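The mechanism described in the paragraph Kerry quotes above (a monitor that baselines a hash for each system file and refuses network access to any file whose hash later differs, so that a legitimate security update looks exactly like tampering) is simple enough to reproduce in miniature. The Python below is an added illustration written for this page; it is not ZoneAlarm's code, not Microsoft's, and not based on any published detail of how ZoneAlarm actually stores or checks files. The file names, their byte contents and the "update manifest" are constructed in-memory stand-ins. It puts the naive "changed means blocked" policy beside one that reconciles a changed hash against a list of hashes shipped with the update before re-baselining, so the update is accepted while an unknown modification of a file is still refused.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for a few networking files before and after an update.
# The names are illustrative; the contents are invented for this example.
PRE_UPDATE_FILES = {
    "dnsapi.dll": b"dnsapi v1 (fixed DNS source port)",
    "dnsrslvr.dll": b"dnsrslvr v1 (fixed DNS source port)",
    "tcpip.sys": b"tcpip v1",
}
UPDATE_PAYLOAD = {
    "dnsapi.dll": b"dnsapi v2 (randomised DNS source port)",
    "dnsrslvr.dll": b"dnsrslvr v2 (randomised DNS source port)",
}


@dataclass
class NaiveMonitor:
    """Records one hash per file and trusts nothing that no longer matches."""
    baseline: dict = field(default_factory=dict)

    def learn(self, files: dict) -> None:
        self.baseline = {name: sha256(data) for name, data in files.items()}

    def allow_network(self, name: str, data: bytes) -> bool:
        # Any change at all, including a vendor update, is treated as hostile.
        return self.baseline.get(name) == sha256(data)


@dataclass
class ManifestAwareMonitor(NaiveMonitor):
    """Same baseline, but a changed file is accepted when its new hash appears
    in a trusted update manifest; the baseline then follows the update."""
    trusted: dict = field(default_factory=dict)

    def allow_network(self, name: str, data: bytes) -> bool:
        digest = sha256(data)
        if self.baseline.get(name) == digest:
            return True
        if self.trusted.get(name) == digest:
            self.baseline[name] = digest  # re-baseline to the updated file
            return True
        return False  # changed, and not something the update is known to ship


def apply_update(files: dict, update: dict) -> dict:
    merged = dict(files)
    merged.update(update)
    return merged


def evaluate(monitor: NaiveMonitor, files: dict) -> dict:
    return {name: monitor.allow_network(name, data) for name, data in files.items()}


def run_scenario() -> dict:
    """Baseline both monitors on the old files, then apply the update."""
    post_update = apply_update(PRE_UPDATE_FILES, UPDATE_PAYLOAD)
    # Hashes of the files the update ships (constructed manifest).
    manifest = {name: sha256(data) for name, data in UPDATE_PAYLOAD.items()}

    naive = NaiveMonitor()
    naive.learn(PRE_UPDATE_FILES)
    aware = ManifestAwareMonitor(trusted=manifest)
    aware.learn(PRE_UPDATE_FILES)

    tampered = b"tcpip v1 plus injected code"  # a change no manifest vouches for
    return {
        "naive": evaluate(naive, post_update),
        "aware": evaluate(aware, post_update),
        "aware_tampered": aware.allow_network("tcpip.sys", tampered),
        "aware_after_rebaseline": aware.allow_network(
            "dnsapi.dll", post_update["dnsapi.dll"]),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

With the naive policy the two replaced files are blocked and only the untouched `tcpip.sys` keeps working, which is the symptom the thread describes. The manifest-aware policy accepts the update and still blocks the tampered file; it is only as good as the integrity of the manifest it trusts, which in practice means verifying the vendor's signature on the update rather than a bare hash list.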

Guest Harry Johnston [MVP]
Posted

Root Kit wrote:

<span style="color:blue">

> <quote>

> "We filter network traffic at the kernel, where malware can't avoid

> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

> in user mode, malware can see what we're doing."

> <end-quote>

>

> Yeah, right. As if malware wouldn't compromise the kernel as well....</span>

 

Well ... if the user isn't an administrator, it won't. But what it can do is

hook itself into a program that's already allowed access, like your web browser.

 

Harry.

Guest Root Kit
Posted

On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]"

<harry@scms.waikato.ac.nz> wrote:

<span style="color:blue">

>Root Kit wrote:

><span style="color:green">

>> <quote>

>> "We filter network traffic at the kernel, where malware can't avoid

>> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

>> in user mode, malware can see what we're doing."

>> <end-quote>

>>

>> Yeah, right. As if malware wouldn't compromise the kernel as well....</span>

>

>Well ... if the user isn't an administrator, it won't. </span>

 

That's correct. Unless the firewall is so badly designed it allows the

malware to exploit it to gain SYSTEM credentials, that is.

 

But unfortunately running as administrator is what the vast majority

of windows users do.

Guest Kayman
Posted

On Wed, 23 Jul 2008 07:28:16 GMT, Root Kit wrote:

<span style="color:blue">

> On Wed, 23 Jul 2008 11:40:05 +1200, "Harry Johnston [MVP]"

> <harry@scms.waikato.ac.nz> wrote:

> <span style="color:green">

>>Root Kit wrote:

>><span style="color:darkred">

>>> <quote>

>>> "We filter network traffic at the kernel, where malware can't avoid

>>> us," said James Grant, a ZoneAlarm team lead. "If you filter traffic

>>> in user mode, malware can see what we're doing."

>>> <end-quote>

>>>

>>> Yeah, right. As if malware wouldn't compromise the kernel as well....</span>

>>

>>Well ... if the user isn't an administrator, it won't. </span>

>

> That's correct. Unless the firewall is so badly designed it allows the

> malware to exploit it to gain SYSTEM credentials, that is.

>

> But unfortunately running as administrator is what the vast majority

> of windows users do.</span>

 

That is sadly true!

A timely reminder and friendly advice for all the lurkers out there running

on WinXP, please take notice :-)

The most dependable defenses are:

1. Do not work as Administrator; For day-to-day work routinely use a

Limited User Account (LUA).

2. Secure (Harden) your operating system.

3. Don't expose services to public networks.

4. Keep your operating system (OS) (and all software on it) updated/patched.

(Got SP3 yet?).

5. Reconsider the usage of IE and OE.

5a.Secure (Harden) Internet Explorer.

6. Review your installed 3rd party software applications/utilities; Remove

clutter, including 3rd party software personal (so-called) firewall

application (PFW) - the one which claims: "It can stop/control malicious

outbound traffic".

7. If on dial-up Internet connection, activate the built-in firewall and

configure Windows not to use TCP/IP as transport protocol for NetBIOS,

SMB and RPC, thus leaving TCP/UDP ports 135,137-139 and 445 (the most

exploited Windows networking weak point) closed.

7a.If on high-speed Internet connection use a router.

For the average home user it is suggested blocking both TCP and UDP ports

135 ~ 139 and 445 on the router and implement countermeasures against

DNSChanger.

8. Routinely practice Safe-Hex.

 

Also, ensure you do:

a. Regularly back-up data/files.

b. Familiarize yourself with crash recovery tools and re-installing your

operating system (OS).

c. Utilize a good-quality real-time anti-virus application and some vital

system monitoring utilities/applications.

d. Keep abreast of the latest developments.

 

And finally:

Most computer magazines and/or (computer) specialized websites are biased

i.e. heavily weighted towards the (advertisement) dollar almighty!

Therefore:

a. Don't fall for software applications touted in publications relying on

advertisement revenue.

b. Do take their test-results of various software with a considerable

amount of salt...!

c. ...Which also applies to their investigative test reports related to

any software applications.

d. Investigate claims made by software manufacturers prior to downloading

their software; Specialized Newsgroups and/or Fora are a great way to

find out the 'nitty-gritties'.

 

Wanna know details? Go ahead and ask :-)

 

--

Security is a process not a product.

(Bruce Schneier)
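Item 7 of the checklist above (keep TCP/UDP 135, 137-139 and 445 closed to the network) can be verified on the machine itself by looking at what is actually bound rather than at what the settings dialog claims. The Python below is an added example for this page, not code from any of the posts; it parses the output format of Windows `netstat -an` and reports every socket on those ports that is bound to something other than a loopback address, which is what a host on the same network could reach. The sample output is constructed for illustration. On a real machine, feed it `subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout` instead.

```python
from collections import namedtuple

# Ports named in the checklist: RPC endpoint mapper (135), NetBIOS name,
# datagram and session services (137-139) and SMB over TCP (445).
WINDOWS_NETWORKING_PORTS = {135, 137, 138, 139, 445}

Binding = namedtuple("Binding", "proto address port state")

# Constructed sample in the layout Windows `netstat -an` prints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1050      64.4.11.42:80          ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_netstat(text: str) -> list:
    """Turn netstat lines into Binding records; header and blank lines are skipped."""
    bindings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        # UDP has no state column; TCP prints LISTENING, ESTABLISHED, ...
        state = parts[3] if proto == "TCP" and len(parts) >= 4 else ""
        address, _, port = local.rpartition(":")  # works for [::]:445 as well
        if not port.isdigit():
            continue
        bindings.append(Binding(proto, address.strip("[]"), int(port), state))
    return bindings


def is_loopback(address: str) -> bool:
    return address.startswith("127.") or address == "::1"


def exposed_windows_services(text: str) -> list:
    """Bindings on the checklist ports that a remote host could reach."""
    exposed = []
    for b in parse_netstat(text):
        if b.port not in WINDOWS_NETWORKING_PORTS or is_loopback(b.address):
            continue
        if b.proto == "TCP" and b.state != "LISTENING":
            continue  # an established client connection is not a listener
        exposed.append(b)
    return exposed


def advice(port: int) -> str:
    """Which checklist action closes a given port."""
    if port in (137, 138, 139):
        return "disable NetBIOS over TCP/IP on the adapter, or block at the router"
    if port == 445:
        return "SMB over TCP: block at the router/firewall unless file sharing is needed"
    if port == 135:
        return "RPC endpoint mapper: block at the router/firewall"
    return "not a checklist port"


if __name__ == "__main__":
    for b in exposed_windows_services(SAMPLE_NETSTAT):
        print(f"{b.proto:3} {b.address}:{b.port:<5} -> {advice(b.port)}")
```

On the constructed sample this flags the wildcard TCP listeners on 135 and 445 (IPv4 and IPv6), the NetBIOS session service on the LAN address, and the three UDP bindings on 137, 138 and 445; the loopback-only sockets and the outbound web connection are ignored. Running it before and after disabling NetBIOS over TCP/IP shows whether the change took effect, which is the check the list item asks for.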
