
New Zonealarm user


Warthog
11-25-2000, 01:30 PM
Yep. Just downloaded it. Now I am an Official Paranoid Internet User ;).

Yesterday, my dad just got a virus and had to reformat his comp after much effort in trying to save it. That was the result of not updating the DAT files. I have to admit, I was not doing that on my own comp either.

The past 24 hours have changed the way my comp operates. I've got full security with McAfee set up and now Zone Alarm is installed. Just try to bust into my comp now! :)

What settings do you guys have set on your comp w/Zone Alarm? I mean, in the Security section and in the Programs section.

Also, do you ever get "hits" on your comp? I think that'd be kinda "cool" :)

Warthog

darrelld
11-25-2000, 02:32 PM
If you're getting hits then you're not stealthed. The idea of the firewall is to make your computer invisible, as if it's not even there.
There are a couple of sites you can visit to check your security:
DSLReports and Shields Up.



[This message has been edited by darrelld (edited 11-25-2000).]

Ygor
11-25-2000, 06:32 PM
Oh you may get reports of attempts, but there will usually be a note that it was not successful. If you want to call that a "hit", ok by me.

If you are having any trouble going from site to site with it set to the High mode, rest assured that it learns quickly.

Btw, using ZA just makes you cautious or safety conscious in my view. If everyone out there played nice, Norton, McAfee, NetworkICE, etc. might not even exist.

[This message has been edited by Ygor (edited 11-25-2000).]

brandon184
11-25-2000, 07:39 PM
darrelld,

Posting a message in all caps on the internet is considered YELLING and is RUDE. ;)

Warthog,

It will say someone has attempted to access your computer when someone sends you an ICQ message too. So if you get 40 "hits" a day, that's not THAT unusual. ;)

- Brandon

Warthog
11-25-2000, 07:52 PM
lol Brandon :)

I know... when I first saw it, I was thinking, "Did I ask a stupid question or something?" hehe :)

Thanks guys!

Warthog

darrelld
11-25-2000, 08:06 PM
Sorry, I was doing something else at the time and had Caps Lock on.

Warthog
11-25-2000, 08:08 PM
no big deal :)

Warthog

Mabus
11-25-2000, 09:03 PM
Stealthed!? PLEASE explain this one to me! <note the sarcasm?>

randy48
11-25-2000, 09:29 PM
Stealth... your system and ports are invisible.
Go here and let it scan and probe your system. http://www.grc.com/ When it's done, it will give you a full report about your system and help in fixing any problems you may have.

Fingers
11-26-2000, 04:02 AM
As suggested above, run Shields-Up (http://grc.com/default.htm) and have it "probe" your ports. Read the information provided by Gibson Research Corp. and you should have a fairly good concept of what a firewall can and can't do.

I run ZoneAlarm on the default settings; Medium for local intranet and High for Internet.

Harold7
11-26-2000, 03:01 PM
OK Mabus, I give. In your opinion how can we get a reliable test of our computer's security, or is it possible at all? I use the fully paid-for security test at http://www.secure-me.net/ to see how safe my computer is and I get a score of Zero (the best you can get). Is this site a loser too? I run a DSL connection through a Cisco router set up for DHCP... BID set to paranoid, with Tauscan and Norton AV also installed and running... am I deluding myself that my system is secure? If you have any suggestions for improved internet security which would help board members, I'm sure you would get their undivided attention. :)

darrelld
11-26-2000, 03:12 PM
We're waiting Mabus! Please enlighten us.

Oh BTW, Stealth-Noun: To avoid detection by moving carefully <note the sarcasm>

[This message has been edited by darrelld (edited 11-26-2000).]

brandon184
11-26-2000, 03:53 PM
Yeah, Junior. (Mabus, I'm referring to you.) Enlighten us.

GRC.com is a well known site, and is known for providing excellent security info. The man who runs it (Steve Gibson), knows his stuff.

ZoneAlarm has proven to be an excellent firewall, so I would not doubt anything that GRC.com tells you or me.

- Brandon

Fingers
11-26-2000, 07:15 PM
The first time I ran Shields-Up, the program identified my IP address, identified me by name, identified my computer by name, and listed ALL partitions on ALL of my networked drives. I was curious about my settings after installing a home network. Windows, by default, bound TCP/IP to my NICs. I was absolutely vulnerable to anyone who wanted to access my stuff. With the information found at Gibson Research, I was able to close all my ports and make my computer resistant to internet hacking. The addition of a firewall subsequently "stealthed" my ports.

I do not know how effective Shields-Up really is, but if it says a port is "closed" or "stealth", then I trust that those ports are secure.

Mabus
11-27-2000, 12:04 AM
Ha ha ha! System and ports are invisible!? Man, I don't believe that for one second. I'm sorry, but they're just telling you a bunch of BS my friend.

Mabus
11-27-2000, 12:23 AM
O.K. Nobody even bother to go visit that www.grc.com (http://www.grc.com) site. TOTALLY useless. The only thing that's even remotely intelligent that it scans for is NetBIOS shares. AND IT ONLY SCANS 10 PORTS!!! I find it totally obscene that it claims to run a port scan. I'm sure there are people out there who are trusting their computer security to this site. One word if you are: DON'T!
..oh, and 9 of the 10 ports it scans for would never be open unless you purposely set up and were running a server specifically for those services, anyway.

Gutter Ball
11-27-2000, 08:26 AM
I use this site to test my firewalls: http://scan.sygatetech.com/ I'm using ZA and BlackICE!

SithLord075
11-27-2000, 09:44 AM
Just curious Gutterball, but how were your scan results from Sygate as opposed to GRC? I'm running ZA and BID as well (set to max security). To my surprise, even though I scored a "stealth" on every port scan Steve Gibson tried, Sygate found three open...along with two possible trojan horses! Mabus may be right (to a certain degree). Okay, my next question: what's the most whoop *** trojan eliminator? I've been relying on Norton for far too long.

socalgal
11-27-2000, 09:50 AM
Yes, I like that Sygate scanner also! Very thorough, I think.

SithLord, for Trojan scanners/detectors I've used/am using at some point: Tauscan (http://www.agnitum.com/products/tauscan/) , The Cleaner (http://www.moosoft.com) , and TDS-3 Trojan Defence Suite (http://tds.diamondcs.com.au/)

I'd be interested to hear of others' recommendations.

[This message has been edited by socalgal (edited 11-27-2000).]

SithLord075
11-27-2000, 11:35 AM
Another bit of info that gives me that "not so fuzzy" feeling:

The TCP scan at Sygate produced two open ports on my machine (24 & 199) that were marked as "unknown" with no additional info available. Has anyone else seen this on their scans?

Also, according to Sygate, I may have both BoBo and RingZero trojans. I just downloaded and used The Cleaner (updated files), and it found nothing. Of course, Norton was completely useless.

Is it possible to run Sygate Personal Firewall with BID and ZA? How good is Sygate, and is it relatively easy to set up? After using Sygate's scanner, I'm really losing faith in these firewall "solutions".

johnqp
11-27-2000, 01:43 PM
My Zone Alarm is set to high for both internal and internet. For program settings, I give programs that access the net regularly, like Netscape and IE, free access, but update programs that I only run occasionally I have ask first.
Also, as an interesting note, Zone Alarm caught a TSAdBot accessing the net. It came with a game I bought the kids; when I contacted the software firm they told me the "bot" was part of the game and couldn't be removed without destroying the game! But at least I can prevent it from doing anything.
I also use the Sygate site for testing ports. It took a while but I tested all ports and Zone Alarm blocked everything.
The individual who first told me about Zone Alarm gave some of his co-workers (amateur hackers)his IP address and had them attack his computer - they couldn't even find it let alone attack it.
I use AntiVir as my AV scanner - It even caught the TSAdBot.
I believe SysOpt has a review of firewalls and the Sygate firewall came out on top.

[This message has been edited by johnqp (edited 11-27-2000).]

Harold7
11-27-2000, 03:00 PM
I just ran the Sygate scan and it says that Ports 23 and 80 are open doing the quick test... all the other tests show stealth.
I suspect that since I'm using a VPN behind a Cisco router that any external scanner is reading the router and not my system... I ran the IP Agent from the GRC site and it confirmed that theory.

Normally a battery of tests such as these would have immediately set off BID, but it didn't.

I guess running BID along with Norton AV and Tauscan with my VPN gives me about as much protection as can be expected without having an expensive hardware firewall in place.

I have noticed that since going to a DSL connection through a router, BID hasn't shown any intrusions at all. I used to get a couple a week (mainly from Asia and Israel), now nothing. Coincidence? I think not. :)

Mabus
11-27-2000, 03:21 PM
O.K. First of all Brandon184, why are you defending this site? It's obviously complete garbage; it still has ads boasting that its products are YEAR 2000 COMPLIANT!! The ONLY thing it's useful for is checking NetBIOS shares. Alright, the ports that it scans for are the obvious ones: NetBIOS, then a few mail server ports (???), a telnet port (again, ???) and a news server port. I only have one question... why? There is no possible reason it should scan any of those, with the exception of NetBIOS, of course. Like I say, you'd have to purposely set up a server to run on those ports in order to have them open.
And this site's definition of a "stealthed" port is just a port that your computer won't respond to. That's like, most of 'em. I don't have any firewalls running and I did the test; it said two of my ports were stealthed. Finger and something else. The others were just closed. Closed is perfectly fine. That means your computer acknowledges requests to that port, but won't open a connection.

Harold7, yup, sorry my friend. That site is even worse than the first. I purposely opened up a bunch of stupid ports (including the MAJOR threat to Windows, port 139, the NetBIOS port) and it said my connection was perfectly secure. Yes, it said ALL of my ports were filtered, uh I'm sorry, NO!! Even though I had a bunch of shares with no password running, it still said perfectly secure. That's very, very wrong.

However, from what I can see, http://scan.sygatetech.com/ seems to be alright.

And yes Harold7, if you do any scans of your computer, you're not actually getting your computer. You would just be getting the firewall, unless you had things configured very, very badly. And if you have that Cisco all set up right, that's FAR better than any software firewall ever could be. Running software firewalls would just be redundant because no external connections can be made from outside... well, assuming your router box is configured correctly. And yes, telnet should be open on that router, but you had better have a strong password. And HTTP is open because it's just another means of configuring the router, same as Telnet, but it looks prettier. =)
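Added example, not code from the thread or from any of the scanners it mentions: a small TCP connect scanner in Python that labels ports with the three states the posts argue about. "closed" means the host answered the probe with a reset (it acknowledged the request but refused the connection, which is the case Mabus describes as perfectly fine), "stealth" means nothing came back before the timeout, which is what a firewall that silently drops packets produces, and "open" means the handshake completed. The port-name table only lists ports named in this thread; the labels on 4321 and 8080 repeat what Sygate's scanner reported to SithLord075 and are hints, not facts about what listens there. The demo stands up its own listener on 127.0.0.1 so that it runs offline with a real open port beside a real closed one.

```python
"""Connect-scan a list of ports and label each one open / closed / stealth,
the three states the online scanners discussed in this thread report."""
import errno
import socket

OPEN, CLOSED, STEALTH, UNREACHABLE = "open", "closed", "stealth", "unreachable"

# Service names for the ports mentioned in the posts above. The trojan notes on
# 4321 and 8080 are only what Sygate's scan reported in the thread (assumption,
# not a fact about the port itself).
PORT_NAMES = {
    21: "ftp", 23: "telnet", 25: "smtp", 79: "finger", 80: "http", 110: "pop3",
    119: "nntp", 137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn",
    4321: "unknown (Sygate reported: possible BoBo)",
    8080: "http-alt / proxy (Sygate reported: possible RingZero)",
}


def classify_connect_error(exc):
    """Map the exception raised by connect() onto a scanner-style verdict."""
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return STEALTH          # no SYN/ACK and no RST: something dropped the probe
    if isinstance(exc, ConnectionRefusedError) or getattr(exc, "errno", None) == errno.ECONNREFUSED:
        return CLOSED           # host replied with RST: reachable, nothing listening
    if getattr(exc, "errno", None) in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE      # routing failure, not a firewall verdict
    raise exc                   # anything else is a bug or an unexpected error


def probe_tcp(host, port, timeout=1.0):
    """Probe one TCP port with a full connect() and return its state."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError as exc:
            return classify_connect_error(exc)
        return OPEN             # three-way handshake completed


def scan_ports(host, ports, timeout=1.0):
    """Return {port: state} for every port in `ports`."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def demo_localhost():
    """Create one real listener so the scan sees a genuine open port next to a
    genuine closed one on 127.0.0.1. Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Reserve a second ephemeral port, then release it so nothing listens there.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()
    try:
        return scan_ports("127.0.0.1", [open_port, closed_port]), open_port, closed_port
    finally:
        listener.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo_localhost()
    for port, state in results.items():
        print(f"{port:5d}  {PORT_NAMES.get(port, 'ephemeral demo port'):45s}  {state}")
```

Point the scanner at a host behind a packet-dropping firewall and every port comes back "stealth" after the timeout; the same host with the firewall off but nothing listening comes back "closed", which is the distinction Shields Up draws. A connect scan can only tell these three states apart; it cannot tell what process owns an open port, which is why the "possible trojan" labels from an online scanner deserve the scepticism shown later in the thread.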

Mabus
11-27-2000, 03:27 PM
I take it back, http://scan.sygatetech.com/ is VERY good! It does an amazing job for an online scan. You can even get it to scan through all 65565 ports! Although that would take days even on a fast connection, the possibility is still there! Wow, I'm impressed.

Mabus
11-27-2000, 03:28 PM
...65536, sorry.

Mabus
11-27-2000, 03:30 PM
And you're using a VPN? Uhh... K. Do you just mean you have a few computers networked together behind the router, or do you actually mean VPN?

SithLord075
11-27-2000, 07:06 PM
Okay, this is strange. Perhaps someone can clear this up for me. Since I used Sygate's trojan scan, they've identified both port 4321 & 8080 as open due to "possibly" BoBo and RingZero. I have since upgraded my Norton Anti-Virus 5.0 (updated files) to Norton Anti-Virus 2001 (updated as well). With heuristics set to max, no extension exclusions and set to scan all files... Norton did not detect anything, even though RingZero is posted along with details at Symantec. I have also done a search for the three possible file names this trojan may reside in, but again nothing could be found. Is it possible that these are "stealthed" trojans that TauScan, The Cleaner AND Norton cannot identify? How do I close these ports? I know that the 8080 open port has something to do with me connecting to a proxy server with my ISP. Would eliminating the use of the proxy actually close the port?

SithLord075
11-27-2000, 07:24 PM
Interesting...

Within IE 5.5's LAN connection settings, I unchecked the automatic configuration script, and proxy server. Running the trojan scan again with Sygate produced...NADA. False-positive, trojan within IE or fluke?

Flexomarkmtl
11-27-2000, 07:33 PM
Here is an example of the message I send to a hacker's ISP.



----- Original Message -----
From: Robert-François Trudeau
To: abuse@videotron.ca
Sent: Monday, November 27, 2000 7:50 PM
Subject: Unlawful entry attempt.


Your IP has been logged !!FWIN,2000/11/27,19:32:52 -5:00 GMT,24.202.33.68:21168,24.202.111.58:137,UDP

Do not attempt to communicate with this IP: 24.202.111.58 or any of its subnets.

This is a personal computer on a legal ISP in a country other than the USA.

Further attempts will be logged for 76 hours.

3 more attempts and this automated server will report this activity to the appropriate authorities of your country of your business.

Source ARIN WHOIS

Result
Videotron Ltee (NETBLK-VL-2BL)
2000 Rue Berri
Montreal, Quebec H1V 2E4
CA

Netname: VL-2BL
Netblock: 24.200.0.0 - 24.202.255.255
Maintainer: VLCA

Coordinator:
Roy, Pierre (PR163-ARIN) pierre_roy@VIDEOTRON.COM | for abuse, E-mail abuse@videotron.ca
(514) 985-8656

End of report
Tag ID # 010
Entry # 1
Port # 21168
Status BLOCKED
script=mailto_whois_logdenied_advise


They (the ISP) usually jump when they see it's an automated message like theirs.
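Added example, not part of the post above: a Python parser for ZoneAlarm log entries in the format quoted in the message (FWIN/FWOUT, date, time with GMT offset, source address:port, destination address:port, protocol). It flags the inbound entries aimed at the NetBIOS ports that the rest of the thread worries about, tallies blocked attempts per source address, and renders an abuse notice in the spirit of the one above once a source crosses a threshold, instead of mailing on the first hit. The log sample is constructed: its first line is the entry quoted in the post, the others are invented and use RFC 5737 TEST-NET addresses.

```python
"""Parse ZoneAlarm FWIN/FWOUT log lines, flag NetBIOS probes, count blocked
inbound attempts per source and draft an abuse report past a threshold."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample. Line 1 is the entry quoted in the post above; the others
# are made up and use TEST-NET (192.0.2.0/24) addresses.
SAMPLE_LOG = """\
FWIN,2000/11/27,19:32:52 -5:00 GMT,24.202.33.68:21168,24.202.111.58:137,UDP
FWIN,2000/11/27,19:33:10 -5:00 GMT,24.202.33.68:21169,24.202.111.58:137,UDP
FWIN,2000/11/27,19:40:01 -5:00 GMT,192.0.2.10:3344,24.202.111.58:139,TCP (flags:S)
FWIN,2000/11/27,19:41:15 -5:00 GMT,192.0.2.77:1025,24.202.111.58:80,TCP (flags:S)
FWOUT,2000/11/27,19:42:00 -5:00 GMT,24.202.111.58:1100,192.0.2.5:25,TCP (flags:S)
"""

# Field layout taken from the quoted line; the trailing "(flags:...)" that some
# TCP entries carry is tolerated by matching only the leading protocol word.
LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),(?P<date>\d{4}/\d{2}/\d{2}),"
    r"(?P<time>\d{2}:\d{2}:\d{2} [+-]\d{1,2}:\d{2} GMT),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)

# The Windows file-sharing ports the thread keeps coming back to.
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session"}


@dataclass(frozen=True)
class Event:
    kind: str     # FWIN = blocked inbound, FWOUT = blocked outbound
    date: str
    time: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Return an Event for one log line, or None if it is not a firewall entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(m["kind"], m["date"], m["time"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]), m["proto"])


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def classify(ev):
    """Label an event: outbound, netbios-probe or other-inbound."""
    if ev.kind != "FWIN":
        return "outbound"
    if ev.dport in NETBIOS_PORTS:
        return "netbios-probe"
    return "other-inbound"


def inbound_by_source(events):
    """Count blocked inbound attempts per source address."""
    return Counter(ev.src for ev in events if ev.kind == "FWIN")


def abuse_report(events, src, threshold=3):
    """Draft an abuse notice for `src` once it has `threshold` blocked inbound
    attempts; return None below the threshold so one stray packet is not reported."""
    hits = [ev for ev in events if ev.kind == "FWIN" and ev.src == src]
    if len(hits) < threshold:
        return None
    lines = [f"Subject: Unlawful entry attempt from {src}", "",
             f"{len(hits)} blocked inbound connection attempts logged from {src}:"]
    for ev in hits:
        what = NETBIOS_PORTS.get(ev.dport, f"port {ev.dport}")
        lines.append(f"  {ev.date} {ev.time}  {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} "
                     f"{ev.proto}  ({what})")
    return "\n".join(lines)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ev in events:
        print(f"{classify(ev):14s} {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.proto}")
    for src, n in inbound_by_source(events).most_common():
        report = abuse_report(events, src, threshold=2)
        print(f"\n{src}: {n} blocked inbound" + ("\n" + report if report else ""))
```

The threshold is the point of the exercise: a single UDP packet to port 137 is what every Windows box on the same cable segment sends when it browses the neighbourhood, so a report for each one, as the automated message above does, mostly generates noise for the abuse desk. Whois lookup of the source netblock is deliberately left out, since it needs network access; the ARIN output quoted in the post shows what to append.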

SithLord075
11-27-2000, 07:37 PM
Even more interesting...

The ports that were originally marked as open through the Sygate scan are now blocked!

;) Well, I feel a little better now.

[This message has been edited by SithLord075 (edited 11-27-2000).]

Mark
11-27-2000, 08:24 PM
Does anybody have an opinion of the security test available at Symantec's site, http://www.symantec.com/securitycheck/? Also, I ran the tests at Sygate and it says I'm fully protected against Trojans. However, for the quick scan and stealth scan it says I'm not fully protected because some of its probes connected with my computer. The results all showed "blocked" except for two which showed "closed". Is it saying the "closed" ones are the weak link? I'm currently using Norton Internet Security 1.0. Thanks.

[This message has been edited by Mark (edited 11-27-2000).]

Gutter Ball
11-27-2000, 08:49 PM
SithLord: Don't worry about the virus warnings from Sygate, it's only a _possible_ one :) Port 8080 has to be open... it can't be 100% closed :) Our school tried to block that port... but I found a tunnel program that sneaks through 8080 :) Correct me if I'm wrong, but isn't port 8080 like the standard port for Internet access???

Gutter Ball
11-28-2000, 12:05 AM
Sithlord: Sygate told me the same thing about having a few ports open. I'm not too concerned though. BID hasn't been set off by anything yet, so ZA is holding up :) I tried Sygate and it seems a bit complicated to me. Maybe I'll try it again later! The Cleaner works for me... it found something it can't scan though, "mmf.sys". If anyone knows what this file is, please let me know :) Thanks!

Mntsnow
11-28-2000, 12:10 AM
Sith,
visit symantec.com for more info on the RingZero trojan problem. I will link it below. I didn't find much on BoBo :(
http://www.symantec.com/avcenter/venc/data/ringzero.trojan.html

SithLord075
11-28-2000, 12:51 AM
Ouch...now this really stinks. I'll try to remove it, and do a little searching for BoBo.

Mabus
11-28-2000, 04:08 AM
No, you're wrong. =)
That's the port used for SOCKS proxies. That's why it was open when you enabled the proxy settings in IE, by the way. And no, there is no trojan built into IE. =) =)