Zone Alarm Free Edition has blocked 8 high-rated attempted intrusions.

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
I have a cable modem directly connected to my computer. I am using a linksys wireless access point router to wirelessly connect the one other computer in my household to the internet. I understand that routers also act as firewalls but I haven't configured it to do so. Does it function as a firewall automatically? I usually leave Zone Alarm on at all times but sometimes I turn it off to play certain games. As mentioned in the topic, I just noticed that ZoneAlarm reports having blocked 2129 intrusions, 8 of which were high-rated. Is there any way to find out where these attempted intrusions are coming from? Also, should I take this as a warning and never turn off ZoneAlarm again? Thanks in advance.
 

Navid

Diamond Member
Jul 26, 2004
5,053
0
0
Many of your questions are beyond my knowledge!
But, I know that if you get those warnings by ZoneAlarm, you should not disable it until you can figure out how to set up your router to act as a barrier.

I do not have a router. I only use ZoneAlarm. I have cable. I play online games with ZoneAlarm still active. I just give permission for the game to access the internet.
 

TwoBills

Senior member
Apr 11, 2004
734
0
76
Go to "Shields Up" and do a port scan, with and without your zone alarm. If your router is configured for firewall you'll see there's not any difference in the scan. Basically, software firewalls prevent outgoing stuff and hardware firewalls prevent incoming stuff. Or so I'm told.
 

Yanagi

Golden Member
Jun 8, 2004
1,678
0
0
My provider installed a script with the drivers using ftp command and opens a cmd which pings an address, meaning my bandwidth is 3kb/sec all the time. Seeing as my line is capped at 8gb per month and if I were to be connected 24/7 my usage IDLE would be 8GB. Sucks, doesn't it? Stupid Irish ISP. I disabled the scripts but still. And all those scripts made my FW go nuts. I had in one week 9000 warnings and 300 high rated. ALL from the ISP itself. Wow.... I miss Sweden.
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
Shields Up gives me the same exact results whether or not Zone Alarm is activated, so I guess that means that the router is acting as a firewall. All of the tests passed except one:

Solicited TCP Packets: RECEIVED (FAILED) ? As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

How can I fix this? The Port Scan tells me that all of my ports are stealthed except for one which is closed. Why am I receiving unsolicited packets?
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
My instincts tell me that you need to close the Incoming NetBIOS ports.
Go into ZA,
click on "firewall"
click on "internet Zone" "custom" button
Scroll down to "Medium security settings"
Make sure "Block Incoming NetBIOS (ports 135,137-9,445)" is checked
You can block Incoming Ping also if you want.
Then click "apply"
and re-boot

Then try Shields Up again

You could tell your router to block these also, but they are harder to undo if you need to.
I have my router configured to allow only game and http ports open.
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
I don't see where I can check "Block incoming NetBIOS Ports (135, 137-9, 445)". I am using the Free Version if that has anything to do with it. I have Internet Zone set to high and trusted set to Medium.
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
click on "internet Zone" "custom" button

the free version has no "custom" button ...?
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
Nope, no custom button. There is an advanced tab that has a few options I am not familiar with in it.
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
Ok ,,, well ... go back to ShieldsUp
and this time .... read the entire page ...

From what I understand from your post ,,, you failed the "common port" test...

Re-run that test....

Page down and take notes, or cut and paste the port list results.

That list says what ports are open on your system.
Post back.
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
Here is the text summary:

GRC Port Authority Report created on UTC: 2004-09-11 at 18:50:31

Results from scan of ports: 0, 21-23, 25, 79, 80, 110, 113,
119, 135, 139, 143, 389, 443, 445,
1002, 1024-1030, 1720, 5000

0 Ports Open
1 Ports Closed
25 Ports Stealth
---------------------
26 Ports Tested

NO PORTS were found to be OPEN.

The port found to be CLOSED was: 113

Other than what is listed above, all ports are STEALTH.

TruStealth: FAILED - NOT all tested ports were STEALTH,
- NO unsolicited packets were received,
- NO Ping reply (ICMP Echo) was received.

The text summary shows that I failed because NOT all tested ports were STEALTH. On the main page I still get the message:

Solicited TCP Packets: RECEIVED (FAILED) ? As detailed in the port report below, one or more of your system's ports actively responded to our deliberate attempts to establish a connection. It is generally possible to increase your system's security by hiding it from the probes of potentially hostile hackers. Please see the details presented by the specific port links below, as well as the various resources on this site, and in our extremely helpful and active user community.

So is it failing me because I'm receiving solicited TCP Packets or because not all tested ports were stealth?

All of the ports listed are stealth except for Port 113 which is closed. I believe that is what's causing the problem.

0 <nil> - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
21 FTP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
22 SSH - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23 Telnet - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25 SMTP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79 Finger - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80 HTTP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110 POP3 - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113 IDENT - Closed - Your computer has responded that this port exists but is currently closed to connections.
119 NNTP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
135 RPC - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139 NetBIOS - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143 IMAP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
389 LDAP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443 HTTPS - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
445 MSFT DS - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1002 ms-ils - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1024 DCOM - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1025 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1026 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1027 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1028 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1029 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1030 Host - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
1720 H.323 - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
5000 UPnP - Stealth - There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
 

BZeto

Platinum Member
Apr 28, 2002
2,428
0
76
I'm running behind my router's NAT firewall and I run Zone Alarm. However Zone Alarm hasn't reported a single intrusion or 'calling home' attempt yet. So most of the time I don't even use ZA.
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
It never used to report anything for me either, but now it's reporting that it has blocked many high rated intrusions, which concerns me.
 

Noid

Platinum Member
Sep 20, 2000
2,390
193
106
Your report card looks good :)

ZA should have a "more info" button to use for more explanation of what was blocked.

Go into "alerts and Logs"
Click "Log Viewer"
Click a "high level alert" log entry to select, then click "more Info" button.
That will open a browser window to ZA website alert info page.
 

mitchafi

Golden Member
Mar 25, 2004
1,594
0
76
Well I can't believe I missed that tab. The logs show that every blocked intrusion (even high-rated) has come from the IP 192.168.2.xxx, so I guess that means they're coming from a computer on my network. Thanks for the help Noid.
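
Following up on the thread's conclusion that the blocked entries all came from 192.168.2.xxx: an added example (not posted by anyone in the thread) that splits firewall log entries into LAN and internet sources and counts them by rating. The log layout, the sample lines and the function names are constructed for illustration and are not ZoneAlarm's actual log format.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges plus link-local and loopback: a packet with one of
# these source addresses was not routed in from the internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8")]

# Constructed sample lines in a simplified, hypothetical layout:
# rating,source_ip:source_port,dest_ip:dest_port,protocol
SAMPLE_LOG = """\
high,192.168.2.3:137,192.168.2.255:137,UDP
medium,192.168.2.3:138,192.168.2.255:138,UDP
high,203.0.113.45:4312,192.168.2.2:445,TCP
medium,198.51.100.7:2201,192.168.2.2:135,TCP
high,192.168.2.3:1042,192.168.2.2:139,TCP
garbled line without fields
"""

def is_local(addr):
    """True if addr belongs to one of the non-routable LOCAL_NETS ranges."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return any(ip in net for net in LOCAL_NETS)

def summarize(log_text):
    """Count blocked entries per (origin, rating) and per source address."""
    by_origin, by_source, skipped = Counter(), Counter(), 0
    for line in log_text.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 4:
            skipped += 1          # not a log entry in the expected layout
            continue
        rating, src = fields[0], fields[1].rsplit(":", 1)[0]
        try:
            origin = "lan" if is_local(src) else "internet"
        except ValueError:
            skipped += 1          # source field is not an IP address
            continue
        by_origin[(origin, rating)] += 1
        by_source[src] += 1
    return by_origin, by_source, skipped

if __name__ == "__main__":
    origins, sources, skipped = summarize(SAMPLE_LOG)
    for (origin, rating), n in sorted(origins.items()):
        print(f"{origin:8} {rating:6} {n}")
    print("top sources:", sources.most_common(3), "skipped:", skipped)
```

A high count under "lan" points at another machine on the local network (for example NetBIOS broadcasts from a second PC) rather than at probes from outside.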