KayCee posted this ZoneAlarm FAQ link back in March, somehow I forgot or missed it. There's lots of great info, so in case anyone else missed it or is new: grc.com
General Questions About Zone Alarm
Q. What's "Zone Alarm?" A. Look, Steve's made this entire kick-ass ShieldsUp! website to help all of us. I didn't know a thing about internet security until I came here. Really, you should go read all of Steve's pages and then come back. Go ahead...the FAQ will be here when you return. OK, now that you're back, you know that Zone Alarm is a personal firewall program that many of us are using to help secure our machines.
Q. Why are you using Zone Alarm? A. Because it's free and has some nice features. Sure, it has some bugs too, but overall, it's very nice. (Dollar-for-dollar, it's the best firewall available, too!)
Q. Is that my only option? A. No, there are several other commercial products available as well. Some of us like those better than Zone Alarm and are willing to pay for them. Some of us prefer Zone Alarm. Steve's put together a pretty good list at grc.com. You could also check out the list of useful software included elsewhere in this FAQ.
Q. OK, where can I get the latest version of Zone Alarm? A. Zone Alarm is available through Zone Labs (go figure), and their site is located at zonelabs.com.
Q. I already had Zone Alarm version 2.0.22 installed, but I see everyone talking about 2.0.26. I keep hitting the "Check for update" button in Zone Alarm, but it keeps telling me that no update is available. What gives? A. For some reason the Zone Labs guys took their time enabling the check for update availability of 2.0.26. I don't know what the status of the "Update" button is at any given moment, but the best option is usually to grab the file manually from the download link on the Zone Labs pages.
Q. Version 2.0.26? That's old news! What's the latest version of Zone Alarm? A. It would be a real pain for me to have to update this FAQ every time Zone Labs releases a new version, but you can always find it on their download page at zonelabs.com.
Q. OK, I keep seeing people talking about a "beta" version of Zone Alarm. What's that all about? A. A beta version is just a public preview release. The beta may have new features and/or bug fixes. However, it may also have new bugs!
Q. I can't find a link to it on Zone Alarm's web site. Where can I get it? A. Understand that this is a beta release--it's not certified to be bug-free and you may have problems with it. However, most people seem to be having good results with the betas. If you want to try it, go to zonealarm.com.
Questions About Zone Alarm Installation
Q. Do I need to uninstall my older version of Zone Alarm before installing the latest? A. Nope. However, some users recommend this p
Q. What does it mean to allow an application to act as a server? A. Most applications do not need to be allowed server access. Server access means that that program is opening up a port and actively listening for other machines to initiate contact with it. This is how many Trojan Horse programs work, BTW.
Q. Well if I don't give a program server access, doesn't that mean that it won't be able to receive information from the net? How will my e-mail arrive? How will I see the web pages I ask for? A. Re-read what I said before. Server access allows an application to listen for other machines to make unsolicited connections with your computer. If a program without server access requests a resource from the internet (a web page, your e-mail, etc.) Zone Alarm will allow the response to get through. Conversely, if some computer out on the net tries to contact your machine first, Zone Alarm will "play dead" and not answer. This is what Steve means by "Stealth."
Q. Whoa, that's complicated. Can you give me an analogy? A. I'm glad you asked. Did you know that you can have a phone line installed that only receives calls and doesn't allow you to make any?
Q. No I didn't know that. A. Well it's true, and many businesses use this. When I was in high school, I worked at a pizza joint that had an "incoming calls only" phone line for orders.
Q. Wow that's great. Can you teach me how to throw pizza dough? A. I could, but that's beyond the scope of this FAQ. My point here, and I do have one, is for you to consider the opposite--that you have a phone line that can only make outgoing calls but can't receive unsolicited incoming calls. Kind of like an unlisted number, but without stupid friends that give your private number out to everyone. (I'm not bitter, no.)
Q. Okay... What's this got to do with... A. I'm getting to it! That's what Zone Alarm normally does. It acts like this unlisted number. Just because you don't receive incoming calls doesn't mean you can't hear the people you call, right? They just can't call you first. Well the same is true for your web browser running under Zone Alarm--if you want to go to Yahoo! and surf, when your web browser asks for Yahoo!'s page it sort of tells Zone Alarm, "Hey, it's okay for Yahoo! to send the answer." But the next day, when Yahoo! takes your IP address that they got from you the day before and tries to send some info directly to your computer, Zone Alarm will say, in true Lee Corso fashion, "Not so fast, my friend," and turn it away. Actually, that's not entirely true either. Zone Alarm will actually just play dead and make Yahoo! think that your computer's off, you're disconnected from the net, or the IP address is bad.
Q. Who's Lee Corso? A. You don't watch much College Football, do you?
Q. No, never. A. OK, well it's not important that you know. (If you're curious, though, here's the scoop.)
Q. So how do I know which applications to grant server access to? A. You should be careful what applications you allow server privileges to. Most do not require them. Some may even think they do, but they don't. Here's a rule of thumb: Never grant any application server access on the first request. See if it will function without it first.
Q. How do I know if it's working? A. Is it doing everything you expect it to do?
Q. Well yeah. A. Then don't screw with it.
Q. Okay, now I'm trying to run this program that I've denied server privileges to and it's not working right. A. First, ask yourself why it needs to listen on a port. Is this a good program that you trust, or is it some application you received in an e-mail message that's supposed to be some dancing baby or something?
Q. No, I trust it. It's from a reputable software company. It makes sense that it would have to listen for incoming connections to do its job, and that's okay with me. A. Alright then grant it server access.
Q. Look dummy, I'm a newbie--that's why I'm here. I'm not capable of evaluating whether an application should legitimately have to act as a server or not. Throw me a frickin' bone here. Tell me what sorts of applications might have to be servers! A. Sorry, I've been a frickin' evil computer geek for twenty frickin' years, okay? I forget that some people don't have a feel for this stuff. First the big stuff--if you're running any kind of application that has the word "server" in its name, you might need server access. This includes FTP servers, web servers, mail servers, news servers, ad nauseam.
Q. OK, well what about Windows NT Server? A. If you have to ask that, you should probably go back to Windows 98. Don't ask about Windows 2000 Server either.
Q. OK, what else? A. Well some communications clients may require server access. The most common being AOL Instant Messenger and ICQ. I shall illustrate the way these work by describing ICQ, since I use it. When you get online, ICQ sends a little note to the main ICQ server saying something to the effect of, "Hey, Chris is online." Then when your friends get online, their ICQ clients contact the same network of ICQ servers and say, "Hey, I'm online--is there anybody I know out there?" The server, knowing you're online too, tells your friend that you're online. When your friend writes a message to you, it will either go directly to you if the ICQ server has given your friend's ICQ client your current IP address, or it will be sent to you via ICQ's servers. Either way, this message will arrive unannounced at your machine on a port at which ICQ is listening. If ICQ is not allowed to act as a server, Zone Alarm won't let it listen on this port, and ICQ will never hear your message. In this case, it's okay for ICQ to act as a server.
Q. OK, Smarty-pants, then why do I not have to give ICQ server privileges and it works just fine? A. If you are trying to communicate with someone who is behind a firewall or also denying server access, ICQ can be problematic. Sebastian Schlueter posted the following excellent description of the phenomenon on the ShieldsUp! newsgroup:
It has something to do with direct client-to-client communication.
In default configuration, your ICQ client acts as a server when you receive a file for instance. If you don't allow it to act as a server, you can't receive files. (You can send files because your ICQ client acts as a client then.)
But you can configure it to behave differently: Go to the preferences dialog box and select the connection tab. Then choose "I am behind a firewall or proxy". Now your ICQ client always acts as a client, regardless of whether you're sending or receiving.
But this obviously can't work, when both users configured their client this way! In such a case, a message pops up telling you that the transfer can't be done since both clients are behind a firewall.
The bottom line is that if you follow these rules and don't give anything server access unless it doesn't work otherwise, you'll be fine.
Q. Every time I try to use an FTP client, it asks for server access. I'm not setting up an FTP server, I'm just trying to FTP to someone else's server. Why does this happen? A. FTP is a protocol that is used for passing big hunks of data over the internet. If a server was to send this data back on the same connection it sends commands, you could just forget about sending more commands until it's finished. Thus, the normal behavior is that the FTP client sends the server commands, then the server starts another connection to return the data. This forces the client to become a "server" in order to receive this new connection. You can either accept this, and allow your FTP client to act as a server, or check out if your client supports "PASV mode." This is a command the client can send to the server, in effect telling the server, "Just wait a little, and I'll call you on another line for the downloading." Now both connections start from the client, and the firewall is happy.
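The PORT/PASV difference above is visible on the FTP control channel, which is how a firewall can tell which side is about to open the data connection. Here is a small parser for that, added as an example and not code from the FAQ or from Zone Labs; the session transcript is constructed, and the address and port encoding (four octets, then port = p1*256 + p2) is the standard one used by both the PORT command and the 227 reply.

```python
import re

# Both PORT (client) and the 227 reply (server) carry h1,h2,h3,h4,p1,p2
_HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def _decode(match):
    h1, h2, h3, h4, p1, p2 = (int(x) for x in match.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def classify_line(line: str):
    """Return (mode, who_listens, host, port) for a line that sets up a data
    connection, or None for any other control-channel line."""
    line = line.strip()
    if line.upper().startswith("PORT "):
        m = _HOSTPORT.search(line)
        if m:
            host, port = _decode(m)
            # Active mode: the client opens a listening port and the server
            # calls back, so the client needs "server access".
            return ("active", "client", host, port)
    if line.startswith("227"):
        m = _HOSTPORT.search(line)
        if m:
            host, port = _decode(m)
            # Passive mode: the server listens, the client connects out.
            return ("passive", "server", host, port)
    return None


def data_connections(transcript):
    """All data-connection setups found in a control-channel transcript."""
    return [c for c in (classify_line(l) for l in transcript) if c]


def needs_server_access(transcript) -> bool:
    """True if any transfer in the session used active mode."""
    return any(c[0] == "active" for c in data_connections(transcript))


# Constructed transcript: one active-mode transfer, then one passive-mode one.
CONSTRUCTED_SESSION = [
    "220 ftp.example.test FTP server ready",
    "USER anonymous",
    "331 Guest login ok, send e-mail address as password",
    "PASS guest@",
    "230 Guest login ok",
    "PORT 192,168,1,5,4,1",          # client: call me back on 192.168.1.5:1025
    "200 PORT command successful",
    "RETR big.zip",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "PASV",
    "227 Entering Passive Mode (203,0,113,9,19,137)",  # server: I listen on 203.0.113.9:5001
    "RETR other.zip",
    "150 Opening BINARY mode data connection",
    "226 Transfer complete",
    "QUIT",
]

if __name__ == "__main__":
    for setup in data_connections(CONSTRUCTED_SESSION):
        print(setup)
    print("client needed server access:", needs_server_access(CONSTRUCTED_SESSION))
```

If your client only ever produces 227 replies in its session, it is running in PASV mode and the firewall never has to let it listen.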
Q. When I set up Netscape or Internet Explorer or [insert your browser here], it didn't ask for server access. I've been surfing the net for over a week now like this and everything was working just fine. Then I clicked on a link and all of a sudden Zone Alarm asks me if I want to give my browser server access. What's going on? A. Did you just click on an FTP link?
Q. I don't know, how can I tell? A. Did it start with "ftp://"?
Q. Why yes, how did you know? A. If you need me to answer this for you, you're thicker than I thought.
Q. Okay, answer me this: I'm running an application that I've explicitly denied server access to. However, in Zone Alarm the app appears with a little hand under it, indicating that it's acting as a server anyway. When I hover my mouse over it, it says the name of the application and then "Listening to port(s): xxxxx." What's going on here? A. You must be running Zone Alarm 2.0.26.
Q. Why yes, how did you know? A. You also must have neglected to read the "readme.txt" file included with it, despite my persistent urgings.
Q. OK, you caught me, but how? A. In the readme for 2.0.26, it states that a change has been made allowing localhost server connections always. Some people like this idea and some people don't, but the fact remains it's in there. Your application will only listen to your computer. If something out on the internet tries to connect on that port, it will be Stealthed. Don't worry about it. (As far as I know, version 2.0.26 is the only one affected by this--version 2.1+ reverts back to the previous behavior.)
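To make the "server access" and "stealth" rules from earlier in the FAQ concrete, and the always-allow-localhost behaviour described for 2.0.26 just above, here is a toy model of the decision logic. It is an added example, not ZoneAlarm's code; the packet layout, the class, the port numbers and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "out" = leaving this PC, "in" = arriving from the network


@dataclass
class PersonalFirewall:
    my_ip: str
    # ports whose owning program has been granted "server access"
    server_ports: set = field(default_factory=set)
    # the 2.0.26 behaviour from its readme: localhost may always connect to a listener
    allow_localhost: bool = False
    # remembered outbound connections: (remote_ip, remote_port, local_port)
    flows: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        """Return 'allow' or 'stealth' (dropped, and nothing is sent back)."""
        if pkt.direction == "out":
            # Remember whom we called so the answer can come back in.
            self.flows.add((pkt.dst_ip, pkt.dst_port, pkt.src_port))
            return "allow"
        if (pkt.src_ip, pkt.src_port, pkt.dst_port) in self.flows:
            return "allow"  # reply to a connection this PC initiated
        if pkt.src_ip == "127.0.0.1" and self.allow_localhost:
            return "allow"  # a local program talking to a local listener
        if pkt.dst_port in self.server_ports:
            return "allow"  # program was explicitly allowed to act as a server
        return "stealth"  # unsolicited: play dead


def web_session(fw: PersonalFirewall):
    """Browser fetches a page; the reply is let in, but a later unsolicited
    connection from the same site is not (constructed 203.0.113.10 stands in
    for the web site)."""
    request = Packet(fw.my_ip, 1030, "203.0.113.10", 80, "out")
    reply = Packet("203.0.113.10", 80, fw.my_ip, 1030, "in")
    callback = Packet("203.0.113.10", 3333, fw.my_ip, 1030, "in")
    return [fw.decide(request), fw.decide(reply), fw.decide(callback)]


def icq_messages(fw: PersonalFirewall):
    """Unsolicited message to ICQ's listening port, before and after server access."""
    msg = Packet("198.51.100.4", 2001, fw.my_ip, 4000, "in")
    before = fw.decide(msg)
    fw.server_ports.add(4000)
    after = fw.decide(msg)
    return [before, after]


def localhost_proxy(fw: PersonalFirewall):
    """Local proxy listening on 8080: localhost may connect, the internet may not."""
    local = Packet("127.0.0.1", 1040, "127.0.0.1", 8080, "in")
    remote = Packet("198.51.100.4", 1040, fw.my_ip, 8080, "in")
    return [fw.decide(local), fw.decide(remote)]


if __name__ == "__main__":
    print(web_session(PersonalFirewall("192.168.1.5")))
    print(icq_messages(PersonalFirewall("192.168.1.5")))
    print(localhost_proxy(PersonalFirewall("192.168.1.5", allow_localhost=True)))
```

The last function is the 2.0.26 case: with allow_localhost set, the little hand shows up because a local program can reach the listener, while the same port probed from outside still gets the stealth treatment.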
Q. Well, what kinds of applications listen to local ports anyway? That's silly. A. Mostly proxy servers. I also have this situation with ICQ and with the fax drivers in MS Outlook 98.
Q. What's a proxy server? A. Oh boy, here we go. I'll refer you to a classic award-winning post by a brilliant young man. Search the shieldsup headers for a post by Chris Baker in the thread "webwasher (was Re: AD BLOCKER)."
Q. Now suddenly Windows Explorer wants to access the internet. What purpose could that serve? A. World domination, what else? No, seriously it is! The point is that Microsoft stuffed their browser into Windows as hard as they could, and this is the result. The line between Windows Explorer and Internet Explorer is blurry indeed. In fact, you can type an internet address into Windows Explorer or a local directory into Internet Explorer. Now try to tell the difference!
Q. But still, there must be some reason for it? A. Well, the reason ZoneAlarm identifies it as Windows Explorer is that the browser has started up inside the Windows Explorer process. One reason that the browser may do this is that it's costly on resources to start another process, so if RAM is limited, it's smarter to start inside one already running. In IE 4 you could set this choice yourself, but IE 5 takes a look at the available resources and decides it for you. See Microsoft Knowledge Base article Q240928 for more info.
Q. What is "Distributed COM Services," and why does it want to access the internet? A. See Microsoft Knowledge Base article Q158508 for instructions on how to disable this. (Thanks to r.e.s. for the link.)
Q. What about Microsoft NetMeeting? A. I don't use it, so I don't know, but here's what Brian Sullivan had to say about it:
For NetMeeting to work properly, it must be able to act as a server. It listens on TCP port 1503 for incoming T.120 (data) calls and on TCP port 1720 for incoming H.323 (audio/video) calls.
Please note that since I don't actually use NetMeeting myself, I pretty much ignore all the NetMeeting threads over on the newsgroups. If you have more info about NetMeeting, don't hesitate to e-mail me with all the gory details. I know there must be some issues, since there are a lot of threads regarding NM.
Q. I installed Zone Alarm, and it's working great! It blocks all kinds of internet traffic that I don't want. I only have one problem--it often blocks my e-mail program from getting to the mail server too. Why does this happen, and what can I do about it? A. Why? I don't have a freakin' clue. Remember that Zone Alarm is a product under development and still has some bugs. This is one of them. What I've found that helps is if you add your mail server to the local sites list under Advanced on the Security tab. You don't need to actually lower security for local sites--you can keep that at high too. But for some reason I've found that adding my mail server to the local zone reduces the number of false blocks from ZA.
Q. Does this work for other sites that get a lot of false blocks? A. I have no idea. Try it and let me know.
Q. OK, I installed Zone Alarm and I'm surfin' along, fat, dumb and happy, and all of a sudden Zone Alarm pops up this box that says it stopped someone from 205.188.160.15 accessing my computer. Am I under attack!?! Should I call the police? The FBI? My lawyer? My network admin? My mom? My ISP? A. No. Chill out. This has been happening to your computer ever since you got on the net, you just haven't been made aware of it until you installed Zone Alarm. It's just "Internet Background Radiation."
Q. Oh my God! Radiation? Should I back away from my computer? Should I buy a Geiger-counter? A. Whoa. I said chill out. "Internet Background Radiation," or IBR, was a term coined by Steve Gibson to describe all the broad, general port scanning that goes on constantly.
Q. What? Somebody's scanning my computer? They must be trying to attack me! I'm gonna call the cops! A. Damn. Relax, okay? You really shouldn't have gotten off the Ritalin so early. It could have been some dude typing the wrong IP address into something by mistake. It might have been your ISP analyzing the performance of its network. Or it could've been some script kiddie scanning one port at every cable modem IP address looking for an easy machine to hack.
Q. What? Hack? "Script kiddie?" That's it, I'm gonna write my Congressman. A. OK, slow down. A "script kiddie" is sort of like a wanna-be hacker. He doesn't have the in-depth knowledge to be a "real" hacker--he only uses tools (scripts) prepared by others to do his rudimentary hacking. Some of those scripts scan ports looking for unprotected machines or machines infected with Trojans that will allow him to further access your computer.
Q. But if it could be some hacker trying to break in, shouldn't I alert my ISP? A. I said "script kiddie" not "hacker."
Q. Whatever. A. No, there's a difference. This guy is small-time. He's not trying to break into your machine in particular. He's trying to break into "a machine" somewhere. Most of these kiddies are looking for MP3 files, or pictures of naked chicks, or pirated copies of Quake III.
Q. OK, well all my pictures are in a hidden folder so my wife doesn't find them. A. Good, that's practicing excellent security.
Q. But this "kiddie" was still trying to attack me! A. Yeah, you and every other IP address for 1,000 IPs on either side of you. Relax. He didn't get in, your system is safe--thanks to Zone Alarm and ShieldsUp!
Q. But shouldn't I do something? A. Hey, hello? Haven't you been listening to a word I said? It could've been an innocent little mistake or a normal scan from your ISP. Do you really have so much free time that you want to pursue every little port scan?
Q. Yeah, I'm a real loser. A. OK. Well, I'm here to help. What do you want to know?
Q. Well it said the attack came from 205.188.160.15. How do I find out who that is? A. You can use a reverse DNS lookup to resolve the hostname. In this case, it resolves to "ht-d15.websys.aol.com".
Q. How did you do that? A. Are you sure you really want to pursue this?
Q. Yes, tell me how, dammit! A. OK, go to samspade.org and play around with the goodies there. You can also download tools from the internet to do the same thing from your machine. There are plenty of other sites like this. (Robert Wycoff recommends network-tools.com.) You can also accomplish the same thing from your machine by dropping to the console (DOS Prompt) and typing "nslookup 205.188.160.15".
Q. Okay, how can I find out more information about the little bastard? A. Run a Whois query.
Q. A who-what? A. Whois on first?
Q. I don't know. A. Third base!
Q. Stop screwing with me, I'm trying to save the net from this evil denizen. A. OK, you can run a Whois from Sam Spade too. It tells you who owns that network block.
Q. OK, it says it's owned by AOL! A. Duh. You probably could've figured that out without Whois, huh?
Q. Yes I suppose I could've. Now what? A. Now you bitch to AOL.
Q. How do I do that? A. Jeez, do I have to hold your hand through this entire process? Draft a complaint to them telling them that you were evilly probed by a computer in their domain. Make sure you tell them the originating IP address and port, your IP address and the port(s) scanned, and the exact UTC time that the scan happened.
Q. What's UTC time? A. It's Greenwich Mean Time, or GMT.
Q. Oh. What's GMT? A. It's the time at the Royal Observatory in Greenwich, England. It's used as a standard time around the world. (That's right--they can't figure out how to make a local phone call, but we use them for a worldwide standard time reference. Go figure.)
Q. OK. How do I figure out what the UTC time was? This happened to me at 8:02 p.m. Pacific Standard Time. A. I'm not going to go into time conversion here, but an easy way for you to find out would be to double-click on your clock and click the Time Zone tab. You see where it says "(GMT-08:00 Pacific Time (US & Canada)?"
Q. Yeah. A. That means you're 8 hours behind GMT. Your local time is GMT minus 8 hours. That means that to convert your local time into GMT, you need to add 8 hours. Something else you should know--GMT doesn't change with daylight savings time. To convert Pacific Daylight Time to GMT, only add 7 hours.
Q. But if I add 8 hours to 8:02 p.m., that gives me 4:02 a.m. THE NEXT DAY! A. Way to go, Einstein. You're going to have to increment the date in your report as well.
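Putting the complaint fields together with the time conversion just described, here is a small report builder. It is an added example rather than anything from the FAQ; the PST/PDT offsets are fixed at the GMT-8 and GMT-7 the FAQ gives (so you pick the zone your clock was showing, which is the daylight-savings caveat), the clock_error argument covers the "my clock is 17 minutes off" case, and the in-addr.arpa name is what a reverse DNS lookup such as nslookup actually queries for.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets as the FAQ states them: PST is GMT-8, PDT is GMT-7.
PST = timezone(timedelta(hours=-8), "PST")
PDT = timezone(timedelta(hours=-7), "PDT")


def to_utc(local: datetime, clock_error: timedelta = timedelta(0)) -> datetime:
    """Convert a zone-aware local timestamp to UTC, first removing how far the
    PC clock was running fast (a negative clock_error means it was slow)."""
    if local.tzinfo is None:
        raise ValueError("attach the zone the PC clock was set to (PST or PDT)")
    return (local - clock_error).astimezone(timezone.utc)


def reverse_name(ip: str) -> str:
    """The name a reverse-DNS lookup asks for: octets reversed under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_report(src_ip, src_port, my_ip, scanned_ports, when, clock_error=timedelta(0)):
    """Assemble the fields the FAQ says an abuse complaint must contain."""
    utc = to_utc(when, clock_error)
    return {
        "source": f"{src_ip}:{src_port}",
        "source_ptr_query": reverse_name(src_ip),
        "target": my_ip,
        "target_ports": sorted(set(scanned_ports)),
        "time_utc": utc.strftime("%Y-%m-%d %H:%M:%S UTC"),
    }


if __name__ == "__main__":
    # Constructed alert: 8:02 p.m. PST, the FAQ's own worked example
    alert_time = datetime(2000, 3, 10, 20, 2, tzinfo=PST)
    print(build_report("205.188.160.15", 3456, "192.168.1.5", [27374, 12345], alert_time))
    # Same wall-clock time, but the PC was 17 minutes fast
    print(to_utc(alert_time, clock_error=timedelta(minutes=17)))
```

Note that 8:02 p.m. PST comes out as 04:02 on the following day, exactly the date roll-over the FAQ warns about; the same time in PDT is 03:02.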
Q. Wow! How do you know so much about time zones? A. I'm in the Navy, and I'm a pilot. We deal with this stuff a lot.
Q. OK, I've converted the time to GMT, but that still doesn't change the fact that my clock's 17 minutes off. I set it every other day, but it's a really sucky clock. A. Most computer clocks are. If you insist on bothering ISPs with reports of scans, you need to give them exact times so they can have a chance of tracking down the offender and corroborating your story. I recommend downloading one of the freeware or shareware time synchronization utilities from someplace like:
Winfiles Windows 95/98 Time and Clock Tools: winfiles.cnet.com
Winfiles Windows NT/2000 Time and Clock Tools: winfiles.cnet.com
Q. Man, this sure is a lot of work. I had no idea it would be such a pain. A. Now you see why most of us just ignore these warnings.
Q. OK, you've convinced me. I sent a couple of letters to my ISP and to AOL about these scans, but I haven't heard back from them. What are they doing? A. They most likely made a note of the offending IP or user and trashed your message.
Q. You mean they're not going to lock the guy up? A. No. In most locales, port scanning is not illegal. Many states have laws against hacking, and using a port scanner to find a weak spot and then breaking into another user's computer is illegal. Port scanning in and of itself is not.
Q. Well is it illegal anywhere? A. The following information was provided by Brett Turcotte:
Most of the states I've found, including Texas, California, Florida, and Illinois among the biggies, and Arizona, Vermont and Rhode Island among the others, make it a criminal offense to merely communicate with a computer or network without permission, even if no damage is done.
Q. So the bottom line is...? A. It's all kind of up in the air. One thing is certain, though--even in locales where this type of port scanning is illegal, the cost of tracking down and proving a case against a simple port scanner isn't justifiable. It would probably still take a successful hack before anyone would get ruffled enough to do something serious about it.
Q. Well this guy was obviously looking to do that. Why else would he be scanning all those IP addresses? A. You're probably right. But he didn't--at least not to your machine.
Q. So what good did all this do? A. Not a whole lot, but if the ISP receives many similar complaints about the same user, they may start to keep an eye on him. They'll monitor his activity. If they find him scanning lots of people's machines, then they'll pull the plug on him.
Q. So it's not necessarily wasted time to make these complaints? A. You could make that case. I suppose it depends on what you consider wasted time. Remember that you came to ShieldsUp! because you were concerned about the security of your machine. You wanted to turn it into Ft. Knox to foil these script kiddies. Well, now imagine you're living in Ft. Knox. Are you really going to be concerned about people shooting paper straw wrappers at the walls?
Q. Well, no. A. Then relax. Zone Alarm is doing its job and keeping these kiddies at bay.
Q. OK, I feel better now. I guess I'll stop posting the details of every alert message that pops up into the ShieldsUp! newsgroup and asking for people to help me track down the offender. A. That would be a start.
Q. But why monitor these alerts if I'm not going to do anything about them? A. Good question. I don't. They just pop up and annoy me. I've turned them off. Some people do, however, so they know when they've really been attacked. With the advent of Zone Alarm 2.1, logging is finally supported, and having the alert pop-up is even less necessary.
Q. How do I tell when I've really been attacked? A. You've been targeted when you see hundreds of probes from the same IP address or subnet. That means someone is methodically checking all of your ports, looking for a weakness.
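Since Zone Alarm 2.1 logs blocked traffic, the "hundreds of probes from the same IP or subnet" rule can be applied to the log instead of to pop-ups. The triage below is an added example, not anything from the FAQ or from Zone Labs: the comma-separated line format is constructed (a real log would need its own parser), the log lines themselves are constructed, and the threshold of 100 distinct ports per /24 is a placeholder for "hundreds".

```python
from collections import defaultdict
import ipaddress

# Constructed log line format: "date time,src_ip,src_port,dst_ip,dst_port"


def parse_line(line: str) -> dict:
    when, src_ip, src_port, dst_ip, dst_port = line.strip().split(",")
    return {"when": when, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port)}


def triage(lines, threshold: int = 100) -> dict:
    """Group blocked inbound hits by source /24 and count distinct target ports.
    A source that walked `threshold` or more of this PC's ports is a methodical
    scan ("targeted"); a handful of scattered hits is background radiation."""
    ports_by_subnet = defaultdict(set)
    ips_by_subnet = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        ev = parse_line(line)
        # strict=False lets a host address stand in for its /24
        subnet = str(ipaddress.ip_network(f"{ev['src_ip']}/24", strict=False))
        ports_by_subnet[subnet].add(ev["dst_port"])
        ips_by_subnet[subnet].add(ev["src_ip"])
    report = {}
    for subnet, ports in ports_by_subnet.items():
        verdict = "targeted" if len(ports) >= threshold else "background"
        report[subnet] = {
            "distinct_ports": len(ports),
            "sources": sorted(ips_by_subnet[subnet]),
            "verdict": verdict,
        }
    return report


def constructed_log() -> list:
    """Two stray background hits, then two neighbours in one /24 walking ports 1..150."""
    lines = [
        "2000-05-12 20:02:11,205.188.160.15,1234,192.168.1.5,27374",
        "2000-05-12 20:40:03,198.51.100.77,4321,192.168.1.5,1243",
    ]
    for i in range(150):
        src = "203.0.113.9" if i % 2 else "203.0.113.10"
        lines.append(f"2000-05-12 21:{i // 60:02d}:{i % 60:02d},{src},{40000 + i},192.168.1.5,{i + 1}")
    return lines


if __name__ == "__main__":
    for subnet, info in triage(constructed_log()).items():
        print(subnet, info)
```

Grouping by /24 rather than by single address is what catches a scanner that hops between a few addresses on the same connection, which a per-IP count would split into several "background" entries.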
Q. Holy pajamas! That's happening right now! A. OK, you're really being attacked this time, you can stop relaxing!
Q. Don't just sit there, tell me what to do! A. Open up Zone Alarm. You see the big red button? Hit it.
Q. What does that do? A. It's equivalent to unplugging your phone line or your cable or your DSL lines or your network cable, etc. You're "pulling the plug" on them.
Q. OK, now what? A. Now might be a good time to use those "mad skillz" you developed chasing after the script kiddies to make a real complaint to both your ISP as well as the offending site's ISP. You can use the tools at Sam Spade to help you. You might also be able to put some pressure on the offender's end by determining who provides his connection to the internet backbone and writing to them as well. This time, you won't get flamed if you post on the newsgroup, so go ahead and solicit advice there.
Q. Do I really need to go through all those cumbersome steps? I wanna get this guy right now! A. You might want to check out this kick-ass utility, created by one of our own:
Network Tracer - by pchelp pc-help.org
In addition to providing a useful tool, his page is very educational.
Q. Wow, thanks for all the good info and for helping me to not contribute to the problem of posting details of every port scan to Steve's newsgroup. A. Don't mention it.