zonealarm v outpost



tweak'e
30-09-2002, 09:13 PM
and we are up to round 3.........

i haven't used zaf for a while due to the early bugs so i thought i would give it a go. however i find it eats resources (win98se) like lollies ;-) it uses 11% compared to opf (outpost free) 5%.

running zaf means i had to shut down progs when i was doing the news as i was hitting <30%....argghhhhh

is this just my overtweaked system or is za really hungry. can someone confirm figures ??

Terry Porritt
30-09-2002, 09:38 PM
Resource meter tells me that ZA uses 10% resources, been thinking it was a bit much, maybe I'll give Outpost a go.

-=JM=-
30-09-2002, 10:40 PM
Well it runs fine for me.

I've gone off Outpost. I got asked things too often.

Graham Petrie
30-09-2002, 10:47 PM
Unless things have changed in a newer version of ZA or Outpost, Sygate is the only one which supports ICS under windows XP. Thus, I use Sygate which I found to be a very easy to use, and powerful firewall. I have used both ZA (too basic for me, but good for most) and Outpost (my choice if it supported ICS + XP) and find Sygate to slot nicely between them in my personal rankings.

G P

-=JM=-
30-09-2002, 11:13 PM
I was using Sygate but then it randomly stopped loading at start-up.

dipstick01
30-09-2002, 11:42 PM
I haven't checked actual resources and figures but in my opinion outpost is less resource hungry and does not slow my connection as much as zonealarm. Things just seem to run that little bit slower with zonealarm running.

Danger
01-10-2002, 01:03 AM
Hey JM, I have that problem with Sygate too. Zone Alarm caused some sort of conflict with my sound card (lots of static through speakers, something to do with ZA conflicting with a vxd or something) and Outpost was just too complicated to get working right for me, and it would not allow me to use the voice part of messenger online. Could find no help or resolution to this problem and I was still struggling trying to set it up after a week so out it went. Sygate has been so easy to configure and use with the only problem being it doesn't always load on start up, so I just manually check it is running and start it if need be.

Susan B
01-10-2002, 08:37 AM
> I got asked things too often.

Like what?

It never asks me anything unless I install something that needs internet access.

Mike
01-10-2002, 09:17 AM
I don't use either... I use Kerio Personal Firewall (free edition)

I stopped using ZA because of bugs, and because it was too noisy - I got sooo many warnings it annoyed me. Kerio just sits there - I don't know of any warnings unless I open it to have a look. the only warnings I get are for communications directed at my machine (which are quite rare), or for the occasional new program that needs to access the net for whatever reason.

I don't use outpost cause I don't really know why - I just like Kerio I guess.

Had a quick look at system resources - Kerio uses around 0-1% most of the time (XP Pro).

Personally I don't like ZA because it gives too many messages.

Mike.

-=JM=-
01-10-2002, 10:31 AM
>>>Personally I don't like ZA because it gives too many messages.
Not when you turn off the warnings ;)

Kerio is nice. Used to run it on the old comp.

Susan: it's just that I found it would ask me a lot with DC++. Each time someone wanted to connect. So I just ended up having to enable it full access. ZA's one click is all you need is just easier. (I'm lazy :D)

Provided that my comp is OK according to GRC and Symantec I'm happy with it. If someone wants to get it they'll always find a way.

How are you people getting your percentage figures in XP Pro? Is there somewhere I'm not looking or are you just working it out roughly?

Terry Porritt
01-10-2002, 02:20 PM
Quite interesting result: Following Mike I installed Kerio, after first uninstalling ZoneAlarm(free version).
First thing that happened was a BSOD due to an 0E in filt95.vxd which is an Outpost file. I had Outpost already installed for a long time but haven't been running it.
Uninstalling Outpost removed the BSOD.

Now, the resources used by Kerio using Resource Meter (in Win98SE) were not measurable, ie less than 1%.
I now get 90% resources on win bootup with Kerio running, whereas with ZA I would get 90% initially dropping to 80% when ZA loaded.

All that remains now is to check out Kerio at GRC etc, and tweake the filter rules, and try to find out how effective Kerio is.

Cheers

sal
01-10-2002, 03:06 PM
who's heard the story about zonealarm being a trojan? read on:

<-------------------- start of post -------------------------->
Subject: Zone Alarm: TROJAN disguised as FIREWALL?

From: "Bill" <xxxx@xxxx.INVALID>
Newsgroups: comp.security.firewalls, alt.privacy, alt.binaries.cracks
Date: Sun, 12 Mar 2000 04:34:51 -0000


I have been very interested in the suggestion tonight by Ed Starry in
comp.security.firewalls that Zone Alarm may be a trojan disguised as a
firewall. That's a bold suggestion, but maybe the guy's got a point. The
posts have been brief, and not too focussed, but it got my curiosity up. So
I've been checking it out. I here report my preliminary findings.

Let us learn from the Aureate affair. The Aureate "spyware" was essentially
the advertising plugin advert.dll (there were apparently others, but this is
the only one that slipped onto my system unannounced and without an
uninstall program). So tonight I have looked to see what DLLs the process
known as Zone Alarm actually uses. It's too early to say that Zone Alarm
*is* a trojan....er... sorry..... "media plugin"....disguising itself as a
firewall, but I for one have found out enough tonight to concern me
considerably. I have taken the precaution of improving my Conseal ruleset
and have got rid of Zone Alarm altogether.

At the end of this post I include a complete list of the DLLs used by Zone
Alarm on my own system.

Preliminary thoughts: VSMONAPI.DLL is described as "TrueVector Client
Interface"; VSUTIL.DLL is "TrueVector Service"

The technology used by Zone Alarm, made by Zone Labs, is "TrueVector". Now,
according to their own very telling webpage at the Zone Labs site:
http://www.zonelabs.com/presspatent.htm
"Licensees of TrueVector include Media Metrix, Inc. (NASDAQ: MMXI), the
pioneer and leader in Internet and Digital Media Measurement, as well as
Tibco Software, Inc."

I've just visited the Media Metrix website:
http://www.mediametrix.com/About/Aboutwwx.html
Quote from the above webpage: "Media Metrix will provide the ability to
gauge Internet audience behavior on a worldwide scale - a critical tool for
effective advertising and marketing planning for any global company today."

Now look at this, another direct quote: "The company utilizes its patented
metering methodology to measure actual Internet and digital media audience
user behavior in real-time - click-by-click, page-by-page, second-by-second."

How would they manage that then? Hmmmmm..........

More about Media Metrix: "Over 600 clients - advertising agencies, media
organizations, marketers, technology providers and financiers - use Media
Metrix data regularly to plan, buy and sell new media advertising; develop
advertising, marketing and e-commerce strategies; understand consumer
behavior; gain competitive market intelligence; and for investment
decisions."

They sound like our friends don't they, hmmmmmm...........

According to the page at Zone Labs: "We chose to incorporate TrueVector into
our product because its technology was capable of telling our program when
another Internet application is in the foreground," said Mark L. Lambert,
Senior Architect, TIBCO Software, Inc. "This allows us to improve our user
experience by pushing data down to the client only when the user isn't
actively browsing the Web."

pushing data down to the client.....? hmmmm.......

Gregor Freund, President of Zone Labs, says: "TrueVector is the first
client/server platform to meet these demands as it offers the most flexible
and effective method of building Internet intelligence into applications."

Building Internet intelligence into applications??? What exactly does that
mean?

Apparently it means:
"Built with a focus on time-to-market and ease of integration, TrueVector
provides its advanced Internet sensing and traffic monitoring features in a
modular fashion, which can be adapted to a variety of specific customer
needs. Using TrueVector lets developers focus their efforts on building
innovative new solutions, rather than on the mechanics of monitoring
Internet activity."

hmmmm.... not looking good so far

now Ed Starry pointed out the Iamdb.rdb file to be found under
Windows/Internet Logs, that swells and swells for no apparent reason (seeing
as Zone Alarm 2 [not the new beta] does not have a logging function in the
sense that we would understand of a traditional firewall). My iamdb.rdb file
is already 487KB and is full of encoded data about ALL of the applications
running on my PC, even those that don't have any internet activity. Some
may say, well it needs info on all applications, it's a firewall--but does
it, Conseal doesn't have such an interest in all the applications on my PC.
To repeat, according to TIBCO, TrueVector technology "was capable of telling
our program when another Internet application is in the foreground". But why
should that be important to them? Take another look: "This allows us to
improve our user experience by pushing data down to the client only when the
user isn't actively browsing the Web." Remember, Zone Alarm is geared at
those who have their internet connections open all the time. So they are
monitoring when you are actively browsing the web, waiting for a time when
you are not--READ: so they can do something when you aren't looking. So, to
Tibco, TrueVector technology is of great interest to them simply because it
tells them this. And what was that the President of Zone Labs said:
"....advanced Internet sensing and traffic monitoring features...." Is that
a firewall he's talking about d'you think? A firewall monitors for US, but I
get the impression Zone Alarm is monitoring for THEM, with an idiot's
firewall thrown in to make you want to use it.

From the Zone Labs URL given above: "TrueVector provides a flexible and
scalable method to conduct real-time monitoring of all Internet data
exchanges on a personal computer. Due to the granularity of information
collected and the fine-grained level of control that TrueVector allows...."

HANG ON! STOP THERE!!!

*the granularity of information collected*....... ?? So it collects
information? Let me see if I've got this, they give out a free firewall to
protect us from attacks by hackers and malicious trojans, and, in return,
because there is no such thing as a free lunch, TrueVector collects
information....presumably via the two DLL "media plugins" mentioned above.
Have I got that right.... and the firewall stops Trojans right? So.... am I
getting this, it collects information, but there's no way for Media Metrix
or Tibco to get their hands on it because.... we've got a firewall
right....? Clever! And, as Steve Gibson points out, if we have Zone Alarm we
don't need any *other* firewall because ZA is fully stealthed, he in fact
uses it on its own he's so impressed. We can see how good it is for
ourselves by doing a Shields Up! and Ports Probe test at his website. How
much is he worth these days? The Zone Alarm site has a link to Gibson's
site. Not that I'm suggesting..... far be it from me to say.....

Starry says: "I installed ZA v2.1.1 yesterday and the <Iamdb.rdb> file
already exceeds 155 KB. After installing and configuring ZA this file was
only 54 KB. What is this extra 100 KB being used for, it surely isn't needed
for configuring because that's already been done."

He should think himself lucky, I have over 400KB of extra data and didn't
even know about the Iamdb.rdb file until tonight. Perhaps someone would care
to decrypt their Iamdb.rdb and let us all know what it says. Oh, and does
Iamdb stand for "I am database"? Just a thought.......

Let's go and visit Tibco Software Inc. Oh, the CEO's written a book:
http://www.powerofnow.com
Ranadive authored "The Power of Now: How Winning Technologies Sense and
Respond to Change Using Real-Time Technology."

And he's been interviewed: "In the infrastructure space, there's a whole
stack of software you need if you're selling goods and services online," he
says. "We've greased the whole value chain. Our technology, for instance,
slides right into an Oracle database. It's being embedded right into Cisco's
routers and hubs."

http://cbs.marketwatch.com/archive/20000128/news/current/stwatch.htx?source=htx/http2_mw



So, basically, our friendly firewall Zone Alarm is in bed with Tibco (who
like greasing the whole value chain and embedding real-time technology) and
Media Metrix (who want to know you on a click-by-click basis).

<---------------------- end of post ------------------------->

Terry Porritt
01-10-2002, 03:27 PM
Trying out Probe My Ports at Gibson Research told me that I should block port 135 from external access. That was easy enough to do in Kerio by making up a new filter rule to block TCP and UDP to that port number from any remote address and any application.

I am beginning to like Kerio :)

Mike
01-10-2002, 04:53 PM
I like it :) it's small and does the job. Although you generally do need to know a bit more than you do if you're running ZA (which I like to think I do :p)

Mike.

tweak'e
01-10-2002, 05:54 PM
well when i last tried kerio it crashed my pc when it was installing.....o joy.

tiny was good except you almost need an IT degree to set up the rules (like how many people actually know what icmp rules to make...argggghh)

if its one thing ZA has got right is its easy to use.

Kahawai_Chaser
01-10-2002, 08:23 PM
Hi...

Because ZA is so easy to use (or rather not use), I have no idea what it is doing in relation to blocking the port(s) or whatever. Is there a way to see how it physically (or programmatically) stops inbound entries? (Just for interest). I have seen "trace route" programs for download, where you can track where these entries come from...
Though ZA is easy to forget about, except for loading up, because it takes a while. Its icon appears to appear long after its splash screen...

Cheers...

Mike
01-10-2002, 09:38 PM
Kerio and Tiny are pretty much the same thing.

Mike.

tweak'e
01-10-2002, 10:00 PM
>Kerio and Tiny are pretty much the same thing.

mmm.....not quite. i can't remember the exact details but kerio is derived from tiny but both are separate programs in their own right. however early kerio had all sorts of problems. not sure what its like now.

SoniKalien
01-10-2002, 10:04 PM
Heh, I sit here with a smug look on face surfing the net while making a minimum amount of waves due to my own knowledge and diligence, and the fact that I'm on dialup.

Firewalls are there to prevent unauthorised connections. Since I don't use vulnerable software, or visit dodgy sites, and know everything that goes on inside this box, I don't need to add another burden to the system by installing a firewall.

If I was on cable though, yes.

BTW I'm not surprised about ZA being accused of spyware...

Mike
01-10-2002, 10:05 PM
I've noticed very few details. I guess Kerio is a little easier to use than Tiny, but I thought that might just be because it's a newer version.

Mike.

Mike
01-10-2002, 10:10 PM
> Firewalls are there to prevent unauthorised
> connections. Since I don't use vulnerable software,
> or visit dodgy sites, and know everything that goes
> on inside this box, I don't need to add another
> burden to the system by installing a firewall.

I once thought like that. Not anymore. Ever used Kazaa or similar? Something with spyware? Gator? Audio Galaxy? Do you know what those programs could be sending from your system? It's not just inbound connections you need to worry about. Ever accidentally landed in the wrong site? (usually when this happens, it's REALLY the wrong site :() You never know what could happen without your knowledge, and the firewall is there to help protect you. How do you know that you're safe, if you just think you are because you haven't been anywhere or installed anything that could be a threat.

Mike.

SoniKalien
01-10-2002, 10:33 PM
> I once thought like that. Not anymore. Ever used
> Kazaa or similar? Something with spyware? Gator?
> Audio Galaxy?

Nope, don't touch the stuff thanks...

> Do you know what those programs could
> be sending from your system?

I've got nothing to hide, no useful information, and no sensitive data, so it wouldn't worry me if they could.

It's just paranoia hype.

> It's not just
> inbound connections you need to worry about.

I know. And I also know exactly what is and isn't i hard drive at any given moment. Ever heard of SequoiaView?

> Ever
> accidentally landed in the wrong site?

Nope. Rarely mistype URLs, not a random surfer, and can spot a dodgy site a mile away. Well an internet mile anyway.

> You never know what could happen without your
> knowledge,

Yes I could, and it's about being observant.

> and the firewall is there to help
> protect you.

...if you leave your computer connected to the internet all the time.

> How do you know that you're safe, if
> you just think you are because you haven't been
> anywhere or installed anything that could be a
> threat.

Just by saying what you just said. Hackers can't perform voodoo you know. And, like they say, know thy enemy. :D

SiK

Mike
01-10-2002, 10:41 PM
Well it's your choice I guess... but better to be safe than sorry I say. I don't random surf or surf dodgy sites either, but I have mistyped (even just by getting 2 letters round the wrong way) URLS and ended up where I don't want to be.

I've never had a problem with a firewall hogging my resources, so I'd rather have it there than not there.

And yes, hackers can perform voodoo.

Mike.

tweak'e
01-10-2002, 10:42 PM
with IT pros it may not be so critical as they usually are fully aware (and have the tools to check) of their pc and net connection. also they have no problems in fixing things if the worse happens.

however 95% of people have no idea on what to look for or even be able to fix it.

-=JM=-
01-10-2002, 11:04 PM
Last I knew Kerio bought Tiny.

SoniKalien
01-10-2002, 11:21 PM
Mike, Don't get me wrong. I'm not saying nobody should use a firewall. Most people should. It's just that I feel I know enough not to have to use one.

I also think that the subject is still an iffy one and perhaps a bit hyped in a lot of cases.

And no, hackers can't perform voodoo. They are just very smart. :D

tweak'e
01-10-2002, 11:27 PM
>And no, hackers can't perform voodoo.

so that black ice rubber chicken doesn't do anything?
<throws rubber chicken out window>

i will still keep praying to the MS god and ZA god .....just in case :^O

Vince
02-10-2002, 02:00 AM
Is there some reason why 'Resource Meter' is telling us all that ZA is using 10% of available RAM, in spite of us using different versions on different OS's and with varying amounts of RAM? I have Win98 with 320 MB of RAM and am using ZA free, upgraded to the latest version just a few weeks ago. After turning ZA on and off several times and checking available RAM each time, Cacheman tells me that ZA is using about 5.5 MB; and that's with several other programs running! Vince

Mike
02-10-2002, 07:20 AM
Vince, Resource Meter doesn't tell you that it's using 10% of available RAM, but 10% of system resources (or generally, 10% of CPU use is accounted for by ZAF). It's not a measure of how much RAM is being used but how much your CPU is being used.

Mike.

-=JM=-
03-10-2002, 12:58 AM
well I tried out ZA Pro today.

All I can say is that I'd successfully blocked all internet access within 3 minutes :_|

Vince
03-10-2002, 04:12 PM
> well I tried out ZA Pro today.
>
> All I can say is that I'd successfully blocked all
> internet access with in 3minutes :_|

ZA needs to be told which programs are to be permitted internet access. Click 'Program Control' - 'Program Wizard' (bottom right) or for more control, choose the 'Programs' tab (top right). Vince

-=JM=-
03-10-2002, 06:52 PM
> > well I tried out ZA Pro today.
> >
> > All I can say is that I'd successfully blocked all
> > internet access with in 3minutes :_|
>
> ZA needs to be told which programs are to be
> permitted internet access. Click 'Program Control' -
> 'Program Wizard' (bottom right) or for more control,
> choose the 'Programs' tab (top right). Vince

Yes I realise this. I had internet access, it's just that it asked me whether I wanted to allow my browser access to a certain .dll file. I looked at the name and thought "it doesn't need that" but somehow that also meant I couldn't PING, NSLOOKUP, email or anything.
Back to the free one and all is good.