On Thu, Aug 14, 2003 at 05:37:44PM +0100, Richard Cox wrote:
What I do like in the latest release of Zone Alarm Pro is that it will stop ANY program from connecting outbound on Port 25 unless that program has been specifically authorised to send mail. It was quite informative to see which programs were trying to mail information back to their base!
Zone Alarm Pro is very stupid as well. When a machine makes an outbound connection attempt, yes, you'll see a dialog that pops up asking you whether to allow that SINGLE connection or not, I guess this is what you mean... BUT on every single occasion I get that dialog box, it's telling me that the program is trying to access my ISP's DNS servers, which is correct, I click yes to allow that SINGLE connection, and it lets the program go ahead and connect to port 22 (putty is the application in this instance), instead of asking me about port 22 next. Reasons why this is bad? A) Semi-savvy user sees 'DNS' and their ISP's nameservers and clicks yes not knowing it's a trojan trying to resolve the hostname for trojan base. B) Trojanned program operates semi-normally, makes the initial connection to the proper host, you ok it with ZoneAlarm because it looks legit, but ZoneAlarm goes ahead and lets the program connect to whatever it wants after the inital OK, (example scenario: buffer overflow), so the trojan connections are concealed. C) It's bothersome. Ask the user every time they fire up the program whether they want to let it connect to something, and they're going to click the "please don't ask me about this crappy program ever again" checkbox, and be done with it, again, concealing trojan connections in the event the program gets modified later down the road.