mailing list archives
Re: Microsoft to ship new versions with firewall enabled
From: Omachonu Ogali <nanog () missnglnk com>
Date: Thu, 14 Aug 2003 15:41:29 -0400
On Thu, Aug 14, 2003 at 05:37:44PM +0100, Richard Cox wrote:
What I do like in the latest release of Zone Alarm Pro is that it will
stop ANY program from connecting outbound on Port 25 unless that program
has been specifically authorised to send mail. It was quite informative
to see which programs were trying to mail information back to their base!
Zone Alarm Pro is very stupid as well. When a machine makes an outbound
connection attempt, yes, you'll see a dialog that pops up asking you
whether to allow that SINGLE connection or not, I guess this is what
BUT on every single occasion I get that dialog box, it's telling me
that the program is trying to access my ISP's DNS servers, which is
correct, I click yes to allow that SINGLE connection, and it lets
the program go ahead and connect to port 22 (putty is the application
in this instance), instead of asking me about port 22 next.
Reasons why this is bad?
A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks
yes not knowing it's a trojan trying to resolve the hostname for
B) Trojanned program operates semi-normally, makes the initial
connection to the proper host, you ok it with ZoneAlarm because it
looks legit, but ZoneAlarm goes ahead and lets the program connect
to whatever it wants after the inital OK, (example scenario: buffer
overflow), so the trojan connections are concealed.
C) It's bothersome. Ask the user every time they fire up the program
whether they want to let it connect to something, and they're going
to click the "please don't ask me about this crappy program ever
again" checkbox, and be done with it, again, concealing trojan
connections in the event the program gets modified later down the
RE: Microsoft to ship new versions with firewall enabled Matthew Watkins (Aug 14)
Re: East Coast outage? Larry Snyder (Aug 14)