Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

There is an issue with the latest update to ZoneAlarm Pro. I have posted
this to a ZoneAlarm user forum:

----------------------------------------------

ZoneAlarm Pro version:6.0.631.003
TrueVector version:6.0.631.003
Driver version:6.0.631.003
Anti-spyware engine version:4.0.9.7
Anti-spyware signature DAT file version:01.200508.111
Windows XP Home

If I set any privacy options, this prevents Microsoft Update from working.
Instead it fails with error number 0x80072F76.

Note that it doesn't matter what combination of privacy options is selected
(cookie control, ad blocking, mobile code control). If ANYTHING is set to
"block", Microsoft Update will fail.

There are also [other issues - snipped]

Brian

Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

"BrianW" <brian@nospam.net> wrote in message
news0ZNe.8107$914.1855@newsfe6-gui.ntli.net...
> There is an issue with the latest update to ZoneAlarm Pro. I have
posted
> this to a ZoneAlarm user forum:
>
> ----------------------------------------------
>
> ZoneAlarm Pro version:6.0.631.003
> TrueVector version:6.0.631.003
> Driver version:6.0.631.003
> Anti-spyware engine version:4.0.9.7
> Anti-spyware signature DAT file version:01.200508.111
> Windows XP Home
>
> If I set any privacy options, this prevents Microsoft Update from
working.
> Instead it fails with error number 0x80072F76.
>
> Note that it doesn't matter what combination of privacy options is
selected
> (cookie control, ad blocking, mobile code control). If ANYTHING is
set to
> "block", Microsoft Update will fail.
>
> There are also [other issues - snipped]
>
> Brian

As far as I remember, I've always had to turn off Privacy controls to
get Microsoft Update to work. That's a given. I'm still using
4.5.594 because of issues with later versions. Win 98 isn't supported
for later versions anyway. The more bells and whistles, the more
complications, I've found. As long as my ports are stealth, and it
blocks the bad stuff, I'm happy.

charlie R
>
>

Archived from groups: comp.security.firewalls (More info?)

charlie R <welpctSKIPME@psci.net> wrote:
> As long as my ports are stealth

Nothing is stealth. Your ports are filtered, and everybody, who uses
nmap -P0 i.e., will see that.

Your "Personal Firewall" just violates the Internet Protocol by nor
sending RST (see RFC 793 / STD 0007, section 3.4), nor sending ICMP
Destination Unreachable Message with code 3 (port unreachable, see
RFC 792 / STD 0005).

http://www.rfc-editor.org

Say: your "Personal Firewall" has a broken implementation of the
Internet Protocol, but this is not resulting in making anything
"stealth".

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

I am running 5.5.094 and I have cookie control set to custom, ad
blocking set to high and mobile control set to off and have never had
problems with either Windows Update or Microsoft Update.


On Sun, 21 Aug 2005 09:15:34 -0500, "charlie R"
<welpctSKIPME@psci.net> wrote:

>
>"BrianW" <brian@nospam.net> wrote in message
>news0ZNe.8107$914.1855@newsfe6-gui.ntli.net...
>> There is an issue with the latest update to ZoneAlarm Pro. I have
>posted
>> this to a ZoneAlarm user forum:
>>
>> ----------------------------------------------
>>
>> ZoneAlarm Pro version:6.0.631.003
>> TrueVector version:6.0.631.003
>> Driver version:6.0.631.003
>> Anti-spyware engine version:4.0.9.7
>> Anti-spyware signature DAT file version:01.200508.111
>> Windows XP Home
>>
>> If I set any privacy options, this prevents Microsoft Update from
>working.
>> Instead it fails with error number 0x80072F76.
>>
>> Note that it doesn't matter what combination of privacy options is
>selected
>> (cookie control, ad blocking, mobile code control). If ANYTHING is
>set to
>> "block", Microsoft Update will fail.
>>
>> There are also [other issues - snipped]
>>
>> Brian
>
>As far as I remember, I've always had to turn off Privacy controls to
>get Microsoft Update to work. That's a given. I'm still using
>4.5.594 because of issues with later versions. Win 98 isn't supported
>for later versions anyway. The more bells and whistles, the more
>complications, I've found. As long as my ports are stealth, and it
>blocks the bad stuff, I'm happy.
>
>charlie R
>>
>>

Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

My experience with ZA 4.5.594 is similar - no problems from this source -
although I only use the Ad blocking Banner and Popups. However FWIW, I
_have_ found that the Delayed Popup blocker in AdShield3 will interfere with
http://update.microsoft.com/microsoftupdate/v6/ and must be unchecked for it
to Scan. Using Win2kSP4R1|IE6.

--
Regards, Jim Byrd, MS-MVP
My Blog, Defending Your Machine, here:
http://defendingyourmachine.blogspot.com/

"Jerome M. Katz" <jerrymkatz@NOSPAM@yahoo.com> wrote in message
news:1e5hg15isro67eark5l27hvuuqlfvi7377@4ax.com
> I am running 5.5.094 and I have cookie control set to custom, ad
> blocking set to high and mobile control set to off and have never had
> problems with either Windows Update or Microsoft Update.
>
>
> On Sun, 21 Aug 2005 09:15:34 -0500, "charlie R"
> <welpctSKIPME@psci.net> wrote:
>
>>
>> "BrianW" <brian@nospam.net> wrote in message
>> news0ZNe.8107$914.1855@newsfe6-gui.ntli.net...
>>> There is an issue with the latest update to ZoneAlarm Pro. I have
>>> posted this to a ZoneAlarm user forum:
>>>
>>> ----------------------------------------------
>>>
>>> ZoneAlarm Pro version:6.0.631.003
>>> TrueVector version:6.0.631.003
>>> Driver version:6.0.631.003
>>> Anti-spyware engine version:4.0.9.7
>>> Anti-spyware signature DAT file version:01.200508.111
>>> Windows XP Home
>>>
>>> If I set any privacy options, this prevents Microsoft Update from
>>> working. Instead it fails with error number 0x80072F76.
>>>
>>> Note that it doesn't matter what combination of privacy options is
>>> selected (cookie control, ad blocking, mobile code control). If
>>> ANYTHING is set to "block", Microsoft Update will fail.
>>>
>>> There are also [other issues - snipped]
>>>
>>> Brian
>>
>> As far as I remember, I've always had to turn off Privacy controls to
>> get Microsoft Update to work. That's a given. I'm still using
>> 4.5.594 because of issues with later versions. Win 98 isn't
>> supported for later versions anyway. The more bells and whistles,
>> the more complications, I've found. As long as my ports are
>> stealth, and it blocks the bad stuff, I'm happy.
>>
>> charlie R

Archived from groups: comp.security.firewalls (More info?)

"Volker Birk" <bumens@dingens.org> wrote in message
news:430891da@news.uni-ulm.de...
> charlie R <welpctSKIPME@psci.net> wrote:
> > As long as my ports are stealth
>
> Nothing is stealth. Your ports are filtered, and everybody, who uses
> nmap -P0 i.e., will see that.
>
> Your "Personal Firewall" just violates the Internet Protocol by nor
> sending RST (see RFC 793 / STD 0007, section 3.4), nor sending ICMP
> Destination Unreachable Message with code 3 (port unreachable, see
> RFC 792 / STD 0005).
>
> http://www.rfc-editor.org
>
> Say: your "Personal Firewall" has a broken implementation of the
> Internet Protocol, but this is not resulting in making anything
> "stealth".
>
> Yours,
> VB.

Ah, Volker, what has a good Firewall ever done to you to make you hate
them so? I'll just keep on using mine, in the hopes that it's "better
than nothing", if you don't mind. I'm just on dial-up. Highspeed
internet might make me a lot more paranoid.

charlie R

Archived from groups: comp.security.firewalls (More info?)

charlie R <welpctSKIPME@psci.net> wrote:
> Ah, Volker, what has a good Firewall ever done to you to make you hate
> them so?

Nothing. Why do you think that? I'm just recalling facts, as you can
proof yourself, if you'll read the mentioned sources.

> I'll just keep on using mine, in the hopes that it's "better
> than nothing", if you don't mind.

Oh, please, do what you want ;-) No problem for me.

> I'm just on dial-up. Highspeed
> internet might make me a lot more paranoid.

It's a good idea then to think about security, you're right. I just
wanted to remind, that a good security concept is much better than
believing in placebo effects and advertisment ;-)

Unfortunately it's not so easy, that security can be bought in boxes.

If you're interested, I would be pleased to explain, what I think what
would be a good security concept for a single PC on a high-speed line.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:

> charlie R <welpctSKIPME@psci.net> wrote:
>
>>I'm just on dial-up. Highspeed
>>internet might make me a lot more paranoid.
>
> It's a good idea then to think about security, you're right. I just
> wanted to remind, that a good security concept is much better than
> believing in placebo effects and advertisment ;-)
>
> Unfortunately it's not so easy, that security can be bought in boxes.
>
> If you're interested, I would be pleased to explain, what I think what
> would be a good security concept for a single PC on a high-speed line.


Since you know so much about these things, so go ahead.


I would be interested especially how to secure Windows 2000 at lowest
possible system overhead using firewall program and firewall box combo.
In 100 Mbps Ethernet connection. I already run F-Secure Anti-Virus
Client Security 5.55 in Windows 2000, containing a software firewall
(F-Secure Internet Shield). Are there any good sources of tweaking
instructions to it? I also have run Kerio 2.1.5 in Windows 98SE,
and have adjusted its behaviour.


While at it, could you and others too give opinion of following
router/firewall boxes? They all seem be available here at affordable
prices. I would be interested of their ability to provide a reliable
connection to a small *n*x web server, besides 1-2 Windows 98SE/2000
PC:s.

D-Link DI-604
Linksys BEFSX41
ZyXel Prestige 334
ZyXel Prestige 335
SMC Barricade 7004VBR
SMC Barricade Plus BR14VPN


DI-604 (Rev. B 1.82) seems to require occasional power cutout between
couple of days, in this network, possibly because it gets confused of
network overload or some other reason, who knows. It seems not to be
the most stable choice here.


--
S.Suikkanen

Archived from groups: comp.security.firewalls (More info?)

S.T. Suikkanen <ei.posti@osoitetta.notvalid> wrote:
> I would be interested especially how to secure Windows 2000 at lowest
> possible system overhead using firewall program and firewall box combo.

For lowest overhead, just use Torsten's script, and switch off any
listening server. This means: no overhead at all. Then you don't need
filtering at all. http://www.ntsvcfg.de/ntsvcfg_eng.html

Then abandon to use Internet Explorer; just use any other browser.

The problem with Internet Explorer is not that it has security holes -
every browser has this from time to time; OK, Internet Explorer had
unfixed holes for years, this is worst case. But also Mozilla from time
to time are not perfect in security, to say the minimum. The problem is
the ActiveX technology, Internet Explorer uses as the plugin concept.
The problem with this is, that ActiveX / COM is a system wide concept
without any security if a control is running. There is no sandbox concept,
and, once marked "scripting sage", any control in the complete system
is a possible flaw, which can be abused. The unfortunate zone concept
of Internet Explorer was refitted, it's a flub, one could say.

Keep your software up to date. Use Windows-Update, and keep any
other software up to date, which you're using in the Internet.

When you're installing new software, don't forget to use netstat -an
to check, if there are new servers started, you should stop again.

> I already run F-Secure Anti-Virus
> Client Security 5.55 in Windows 2000

It is a good idea to use an AV software regulary. Please keep in mind,
that AV software only works good, if it's malware signatures are bleeding
edge. Unfortunately, the heuristics to detect unkown malware are not
functioning very well.

And keep in mind, that the best AV software is your brain - no-one
wants to make your dick longer, no-one want's to offer pr0n for free
by mail, and no bank sends you login or password request by mail ;-)

Unfortunately, AV software is not reliable - that means, it can help,
it's useful, but you should not bank on it.

And: if you're detecting an infection, please have a look on the type
of malware - if it's loading code through the Internet or if it's
offering access to your box for somebody in the Internet, it's im-
possible to get a clean box again, but with flatten and setup the
system again.

See: http://www.microsoft.com/technet/c [...] m0504.mspx

> containing a software firewall
> (F-Secure Internet Shield). Are there any good sources of tweaking
> instructions to it? I also have run Kerio 2.1.5 in Windows 98SE,
> and have adjusted its behaviour.

I don't know, if you need tweeking a port filter. I don't know, if you
need a port filter at all.

> D-Link DI-604
> Linksys BEFSX41
> ZyXel Prestige 334
> ZyXel Prestige 335
> SMC Barricade 7004VBR
> SMC Barricade Plus BR14VPN

I know the D-Link and the Linksys devices. Both seem to be OK.

If you're using such a router, don't forget to configure it for
filtering. NAT is not enough, because NAT primary is not a security
feature, so usually, the NAT implementations are not secure.

Especially, filter away any packet, which reaches your router at the
outside interface, but has a source IP adress, which seems to be
inside (say: source 0.0.0.0/8, 127.0.0.0/8, 192.168.0.0/16, 10.0.0.0/8,
172.16.0.0/12 and non-used blocks like 169.254.0.0/16, 192.0.2.0/24 or
192.168.0.0/16, see RFC 3330).

If your router is filtering, perhaps it's not so important any more,
if your box uses a port filter or not ("firewall" ) or even is offering
servers or not.

And beware of mail attachements ;-) Think about it.

> DI-604 (Rev. B 1.82) seems to require occasional power cutout between
> couple of days, in this network, possibly because it gets confused of
> network overload or some other reason, who knows. It seems not to be
> the most stable choice here.

Hm... had no problems with this device so far. Perhaps another hardware
revision?

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"

Archived from groups: comp.security.firewalls (More info?)

In article <dear01$s2c$1@pscinews.psci.net>, welpctSKIPME@psci.net
says...
>
> "Volker Birk" <bumens@dingens.org> wrote in message
> news:430891da@news.uni-ulm.de...
> > charlie R <welpctSKIPME@psci.net> wrote:
> > > As long as my ports are stealth
> >
> > Nothing is stealth. Your ports are filtered, and everybody, who uses
> > nmap -P0 i.e., will see that.
> >
> > Your "Personal Firewall" just violates the Internet Protocol by nor
> > sending RST (see RFC 793 / STD 0007, section 3.4), nor sending ICMP
> > Destination Unreachable Message with code 3 (port unreachable, see
> > RFC 792 / STD 0005).
> >
> > http://www.rfc-editor.org
> >
> > Say: your "Personal Firewall" has a broken implementation of the
> > Internet Protocol, but this is not resulting in making anything
> > "stealth".
> >
> > Yours,
> > VB.
>
> Ah, Volker, what has a good Firewall ever done to you to make you hate
> them so? I'll just keep on using mine, in the hopes that it's "better
> than nothing", if you don't mind. I'm just on dial-up. Highspeed
> internet might make me a lot more paranoid.
>

You probably don't even need one for dial-up. I went for 3-4 years on
dial-up with no firewall and never had one problem of any kind..

--
Kerodo

Archived from groups: comp.security.firewalls (More info?)

"Kerodo" <loopback@localhost.com> wrote in message
news:MPG.1d72b7f1447ccf8a989681@news.west.cox.net...
> In article <dear01$s2c$1@pscinews.psci.net>, welpctSKIPME@psci.net
> says...
> >
> > "Volker Birk" <bumens@dingens.org> wrote in message
> > news:430891da@news.uni-ulm.de...
> > > charlie R <welpctSKIPME@psci.net> wrote:
> > > > As long as my ports are stealth
> > >
> > > Nothing is stealth. Your ports are filtered, and everybody, who
uses
> > > nmap -P0 i.e., will see that.
> > >
> > > Your "Personal Firewall" just violates the Internet Protocol by
nor
> > > sending RST (see RFC 793 / STD 0007, section 3.4), nor sending
ICMP
> > > Destination Unreachable Message with code 3 (port unreachable,
see
> > > RFC 792 / STD 0005).
> > >
> > > http://www.rfc-editor.org
> > >
> > > Say: your "Personal Firewall" has a broken implementation of the
> > > Internet Protocol, but this is not resulting in making anything
> > > "stealth".
> > >
> > > Yours,
> > > VB.
> >
> > Ah, Volker, what has a good Firewall ever done to you to make you
hate
> > them so? I'll just keep on using mine, in the hopes that it's
"better
> > than nothing", if you don't mind. I'm just on dial-up. Highspeed
> > internet might make me a lot more paranoid.
> >
>
> You probably don't even need one for dial-up. I went for 3-4 years
on
> dial-up with no firewall and never had one problem of any kind..
>
> --
> Kerodo

ZAPRO makes it easy to configure security settings and cookie and ad
control on a site by site basis. Allow Active X on trusted sites that
need it, and block for all others. It monitors traffic in and out,
and blocks when I tell it to. Spyware Blaster provides extra
security. I stay off dodgy sites and only download free apps
recommended by MVP's in newsgroups. My AV is updated daily. This
machine has never been infected or compromised.

charlie R

Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

BrianW answered:
> There is an issue with the latest update to ZoneAlarm Pro. I have posted
> this to a ZoneAlarm user forum:
>
> ----------------------------------------------
>
> ZoneAlarm Pro version:6.0.631.003
> TrueVector version:6.0.631.003
> Driver version:6.0.631.003
> Anti-spyware engine version:4.0.9.7
> Anti-spyware signature DAT file version:01.200508.111
> Windows XP Home
>
> If I set any privacy options, this prevents Microsoft Update from working.
> Instead it fails with error number 0x80072F76.
>
> Note that it doesn't matter what combination of privacy options is selected
> (cookie control, ad blocking, mobile code control). If ANYTHING is set to
> "block", Microsoft Update will fail.
>
> There are also [other issues - snipped]
>
> Brian
>
>
you forgot the BIGGEST issue.. "FOR YOU!!"

I have ZA 6 pro and everything is working *JUST FINE*. AND I have cookie
blocking enabled, AND ad blocking enabled. and windows update works JUST
FINE..

So the issue is *for you*.

Archived from groups: microsoft.public.windowsupdate,comp.security.firewalls (More info?)

Jerome M. Katz answered:
> I am running 5.5.094 and I have cookie control set to custom, ad
> blocking set to high and mobile control set to off and have never had
> problems with either Windows Update or Microsoft Update.
>
>
I never did either, AND I have upgraded to the very Latest version of 6
pro, and STILL have no problems.

Archived from groups: comp.security.firewalls (More info?)

Jack Zwick <jackzwick@yahoo.com> wrote:
> I have ZA 6 pro and everything is working *JUST FINE*. AND I have cookie
> blocking enabled, AND ad blocking enabled. and windows update works JUST
> FINE..
> So the issue is *for you*.

For you and all other Zonealarm users are these issues:

Zonealarm is vulnerable to the SelfDoS attack.

It opens Popups with texts, which most users don't understand and
misinterpret.

Zonealarm cannot prevent spyware from sending your personal information
across the Internet; it failed in our tests together with the rest of the
"Personal Firewalls".

Zonealarm does not make a PC "invisible" or "stealth" in the Internet, as
this is not possible at all.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"