Can't turn Windows Firewall Off

[Niege]

I am running ZoneAlarm with Windows Firewall turned OFF. Yesterday I installed Firefox 2.0. Almost immediately (10 minutes) I was cut off from my network and the internet. The only solution was to uninstall it. I checked out ZoneAlarm and everything seemed okay. I reinstalled FF2.0 and the same thing happened.

I checked out ZoneAlarm again and there were two FF programs listed, one was grayed ou t. I deleted the grayed out one from ZA but it didn't help. I turned off ZA and restarted FF. No go. I uninstalled 2.0 again.

On a hunch I checked Windows Firewall in the security center and it said it was on. When I went to turn it off the check button said it was off. I said OK and went back to Security Center and it said it was On. I went back and turned it on, then turned it off. Security Center still says it is On. I cloesed Security Center and went back in. Still hold: Security Center says firewall On, the switch says its off.

I am now back to FF 1.5 but the Windows Firewall still has its anomalous indications. Any suggestions? Thanks.

 

[Lemon law]

In terms of other software firewalls---you can divide them into two types--the set of them that are recognized by the sp2 firewall---and the set of them that are not. I believe your zone alarm is in the set that are recognized---and hence the sp2 firewall turns itself off automatically so as not to conflict with zone alarm. Because you can have only one active software firewall running at a given time--or you will often get nasty conflicts between them. So while your sp2 firewall may turn itself off automatically in favor of zonealarm, it can still show as being on in the security center.--or such is my theory.---and the sp2 firewall will probably come on if you ever disabled zonealarm.

Which may explain that weird sp2 firewall behavior, but does not explain why Firefox 2.0 is causing you fits.

But in my case, I have upgraded to Firefox 2.0---and have no such problems---and the firewall I run is sygate 5.5---which is a firewall not in the set of sp2 automatically recognized firewalls---so I have to go the extra mile to turn the sp2 firewall off---which is to turn it off---then go control panel---security center--and click the recommend tab on the sp2 firewall,
and then check I have a software firewall I will monitor myself---if you try that, you may be able to get some clue on if if its the sp2 or the zonealarm firewall that is black balling Firefox 2.0---or for that matter--something in your isp or other security software could be doing it also.---and if both firewalls are off---you may be able to say its not the firewall.

Alternately you could go to the Mozilla forums and see if others are reporting the same problem---you can't be very unique if you are running XP with service pack 2---and using the zone alarm firewall.---which I routinely do when I have questions about new versions of Mozilla browsers.---usually I find my answers by reading other posts.

 

[John]

Is there a particular reason you are using a software firewall in the first place? If you're behind a router you're already "firewalled". If you insist on a software solution try Comodo and reinstall FF 2.0

 

[Lemon law]

I certainly think a hardware firewall is at best a little better than nothing. Much better security in the firewall security layer is to be found in a software firewall. Or the combination of both. The links John provide give an excellent guide to a multi-layered computer security defense---where firewalls are just one layer of many layers of defenses.

But I have heard some good things about the Comodo software firewall.---but it seems to me, its not yet established exactly what is blocking Firefox 2.0 on Neige's computer. Or that Neige is even using a router or not.

Just arbitrarily changing software firewalls may be a shot in the dark---but if it solves the problem, who can say its wrong?---but if it does not, what progress is made towards a
systematic troubleshooting procedure?

 

[Madwand1]

You can stop and disable the firewall service itself from the Services applet.

 

[Niege]

Thanks, guys. Progress so far: I went to the Mozilla FAQs about firewalls and looked there. They had some firewall setting, but I decided to leave those until later. I've uninstalled FF 2.0 and reinstalled 1.5, but the same things happen. Unless 2.0 installed something that remained after the uninstall, in terms of program or permanent settings, it probably isn't FF. The new problems seems to be that I can connect for about 10-20 minutes then all access is blocked to the network. I've disabled ZoneAlarm and disabled (in services app) Windows Security. I'm still behind my router firewall. In addition I have Norton AV 2005 OEM that came with the rig, all updates current, as with the OS.

I noticed that I got a worm alert from Norton coming from my computer. I did a complete virus scan with no detections. I changed options in internet worm protection to allow FF and Outlook as programs. So now I'm in the first 20 minutes and I'll see if I stay connected. I'll report back. And thanks again for all your help!

 

[Niege]

I think I may have found it. My Norton AV suddenly started blocking access to my computer through the internet worm detection module. The setting was on autoblock and it blocked as a worm attempt my computer's try to access my wife's laptop over the wireless network. It called it a high risk owing to 'Invalid ICMP Code.' That is above my knowledge level, but when I turned autoblock off I could suddenly connect. I tried unblocking just my computer, but that only worked until my rig tried to send a signal to the other computer (why it would do that when my wife's laptop is off and I'm not trying to access it, I don't know.) I don't know the source of this invalid code, except it comes from my rig. I guess I'll just see what happens and hope I'm not too exposed with all these security settings disabled.

 

[kamper]

Originally posted by: Lemon law
I certainly think a hardware firewall is at best a little better than nothing. Much better security in the firewall security layer is to be found in a software firewall.

Please stop spouting this crap. A hardware (nat) firewall is probably the single most important thing to use in the average non-technical home. Software firewalls suck because malware running on your computer can turn them off/open holes and because people inevitably open up holes to allow things like windows file sharing on the lan.

 

[Lemon law]

To kamper,

I think what you call crap is just your opinion----I do follow computer security---and I have yet to find anyone who I consider responsible putting much faith in NAT as very effective firewall security. But you are right in one thing---hardware can't be hacked and software can---but it has to get in first to do its damage to software---and be written to target the software firewall---when a hardware and software firewalls are totally porous to all kinds of Malware in many situations. And an ignorant user plus just NAT is a security hole of massive proportions. And because NAT is just one way, those infected will not even get alerted that their information is being back out--and a two way software firewall would sound that alert.

But the most dangerous myth often advocated is to lead anyone into thinking NAT alone is enough.

 

[kamper]

Originally posted by: Lemon law
To kamper,

I think what you call crap is just your opinion----I do follow computer security---and I have yet to find anyone who I consider responsible putting much faith in NAT as very effective firewall security.

Who exactly have you asked? People that think people are port scanning their pcs through their nat firewall? People who have to reinstall their os every month because they can't keep it clean?

But you are right in one thing---hardware can't be hacked and software can---but it has to get in first to do its damage to software---and be written to target the software firewall---when a hardware and software firewalls are totally porous to all kinds of Malware in many situations.

:roll: A hardware firewall can be hacked just as easily as a software firewall from the outside (read: neither is usually feasible). The only reason it is more consistent is that people can't open it up as easily and the malware is usually on a seperate machine and (hopefully) can't communicate with the firewall.

And an ignorant user plus just NAT is a security hole of massive proportions.

An ignorant user is a security hole of massive proportions in any situation unless you take away all their administrative privileges and have an incoming firewall.

And because NAT is just one way, those infected will not even get alerted that their information is being back out--and a two way software firewall would sound that alert.

Trying to contain something after it's gotten in your system is completely messy. It's too late by that point.

But the most dangerous myth often advocated is to lead anyone into thinking NAT alone is enough.

It's plenty if you don't do stupid things on your computer.

 

[Lemon law]

To Kamper,

The follow two quotes from you contains exactlly the falacy of your arguement.

It's plenty if you don't do stupid things on your computer.

Please stop spouting this crap. A hardware (nat) firewall is probably the single most important thing to use in the average non-technical home.

First you say not to do stupid things---because NAT won't protect you---then you say the person who is non-technical---and hence does not understand what is stupid vs. smart is protected by NAT.

But I take my advice from security forums like spyware warriors, castle cops, and others. Following their common sense advice has kept me and my wife protected for years---nothing worse than a few tracking cookies get in---and they don't last long. That advice on a layered defense is also contained in the links John gives.

While I don't see this as a pointless argument---but lets get some other opinions also. ---passionately defending a self contradictory opinion is one thing---some other expert opinions would be helpful now.

 

[kamper]

No, NAT won't stop you from doing stupid things. What it will stop is attacks that are not helped by the pc user. Putting up a wall that says that, by default, absolutely no unsolicited traffic is allowed to reach a machine is extremely important.

NAT won't protect from bad things that the user helps out with, like visiting websites that exploit browser bugs or installing spyware infested programs like kazaa. An outbound software firewall may provide a little bit of security in this case, but it's not nearly as effective as an inbound firewall (like NAT). You can't filter based on ports because malware that wants to phone home will just use port 80. You can't filter based on the originating user because this stuff will run under the users account, possibly as an administrator. You can filter based on originating application but that requires the user to keep an organized security policy on what can and can't call out. Most users will see that something they want doesn't work and start breaking down the firewall until it works. Or the malware will pop up a convincing message saying that it needs access to the internet or the computer will stop working and the user will comply. Nevermind that if the malware is running as an administrator, it can technically open its own holes.

So sure, if you plan out carefully what can and can't access the internet and only use an administrative account very briefly for specific maintenance jobs then a software firewall can be useful. But with the current state of windows, that is far too much for the average user to care about, nevermind be capable of. More often it turns into a burden that just messes up their computer, like one of my friends who recently installed mcaffee because her norton update subscription was expired. Suddenly all office programs stopped working and she didn't realize that running two av products simultaneously was a problem. In this case, antivirus software caused far more harm than it ever did good. That's roughly analogous to asking people to maintain their own software firewalls: they just can't do this stuff properly on their own. But a NAT firewall just about anyone can do with no more than 5 minutes set up help from someone who knows what they're doing.

 

[Lemon law]

to Kamper,

Once again you have a flawed argument---typical of it is---------------------------In this case, antivirus software caused far more harm than it ever did good. That's roughly analogous to asking people to maintain their own software firewalls:

In this case the antivirus apps did their job---and removing both antivirus apps would be the stupidest possible outcome. I find the greatest danger of your argument is that you encourage the ignorant to think NAT is enough---and being ignorant on security is the greatest security hole in any computer.

But I am not changing your mind and you sure are not changing mine. Nor do I desire to engage in a pissing contest with you---maybe its time for some other opinions

 

[kamper]

I find the greatest danger of your argument is that you make it seem like nat isn't really very important and that a software firewall is far more secure which it certainly isn't. I'd take a nat and no software firewall over a software firewall and a direct connection to the internet any day, especially for non-technical people.

But you're right, I seem to be making no headway in convincing you 😛

 

[Lemon law]

Actually kamper,

You can have both a hardware and software firewall---no need to choose--have your cake and eat it too--rare in this world.---and I hope it settles this debate if other opinions are lacking.

And still have an very insecure PC----a firewall is just one layer in the four or five layers of defenses any PC should have.---which involve user self-education.

The links John has on this thread are very good---its not rocket science--its simple common sense.

 

[kamper]

Oh, of course you can have both, I was just speaking hypothetically. I keep the firewall up on my laptop so that I don't have to remember to turn it on when I leave the house, but I don't bother with outgoing filters (os x doesn't even have a way to configure it, if it can be done with ipfw).