As I mentioned before, every one who uses ZA, all of those who were planning to upgrade to ZA Pro and now are not sure, people like me who didn't feel the need for ZA Pro but were going to buy it anyway just to make sure they were supporting a good company (but not anymore), all those people who are looking for other alternatives based on ZL's attitude must let their opinions be known. How many people would actually do that is not a concern to me. I'm responsible for my own actions not others. I will be doing it and I'll make sure I'll do everything I can to publicize this. Whether it'd be by sending mail to my local computer papers and asking for their opinion or by posting in forums like this or by any other means. I'd love to see everyone do that but I'm not sure how realistic that would be.

It is absolutely true that ZA is safe if you don't let a Trojan in. But so are most other firewalls. The leak test wouldn't have worked either had you not copied it to your computer. The fact is that when it came to the choice between a firewall that wasn't affected by Leak Test and the one that was, most of us chose the one that wasn't and in this matter if someone shows that their product is not affected by this problem I'll be going with them. That's what ZL needs to understand and that's what my email is going to contain.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,305101 Mon, 01 Jan 2001 22:18:31 EDT http://www.dslreports.com/forum/remark,304954 jaykaykay : I have already sent a message to ZL letting them know of my great disappointment in their decision to do nothing about the 2 known vulnerabilities in their product. I just hope that others, many others, also are following my lead. I have also got a good AV running, so I feel fairly good about what little I am doing on my system at the moment. It is the least one can do to have the best possible measure of security, in light of the fact that the product that they were led to believe was a good one is still a good one...but could easily be bettered, and should.
--
JKK:-)

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!
]]> http://www.dslreports.com/forum/remark,304954 Mon, 01 Jan 2001 21:30:23 EDT http://www.dslreports.com/forum/remark,304547 GaryK7 : If it were a news item on the home page of DSLR some large news outfit should pick up on it quickly. Then it would really spread. I wonder if Justin would do that?

I'm not sure a patch would work well. But it does not seem a major deal to encrypt the password, encrypt the registry entry, and encourage people to install in a non-standard folder.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb]]> http://www.dslreports.com/forum/remark,304547 Mon, 01 Jan 2001 19:25:35 EDT http://www.dslreports.com/forum/remark,304537 EmilioG : A letter writing campaign is a good idea, but I'm afraid that a couple of dozen letters to ZL isn't going to "soften Pharaohs' heart". It would take a major outcry from both the home users and the business users of Zone Alarm. Maybe a few articles in the press might get their attention?

Correct me if I'm wrong, but it doesn't seem like a major over-haul to fix the problem with ZoneAlarm does it? Would a downloadable patch do it?
--
Emilio

Its failings notwithstanding, there is much to be said in favor of journalism
in that by giving us the opinion of the uneducated, it keeps us in touch with
the ignorance of the community.
-- Oscar Wilde

]]> http://www.dslreports.com/forum/remark,304537 Mon, 01 Jan 2001 19:18:50 EDT http://www.dslreports.com/forum/remark,304358 GaryK7 : One paragraph:

Regardless of what firewall you use you must be vigilant about keeping your AV software up to date and scan everything that comes into your computer. So long as you do not let a trojan onto your system this problem with ZA and other firewalls will not affect you.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
[text was edited by author 2001-01-01 18:08:12]
]]> http://www.dslreports.com/forum/remark,304358 Mon, 01 Jan 2001 18:07:40 EDT http://www.dslreports.com/forum/remark,304325 R2 : Where do I buy the Cliff notes to this thread?

Can someone summarize it in a small paragraph!:):)
]]> http://www.dslreports.com/forum/remark,304325 Mon, 01 Jan 2001 17:55:17 EDT http://www.dslreports.com/forum/remark,304122 larsfum : I have been trying to follow this thread as well. While thinking about this last night, I realized that it is my responsibility to protect my system from outside intrusions. It is the softwares' responsibility, however, to do as it says it will. I came here today, to post that we should start a, friendly, email campaign on Zone Labs to try to persuade them that it is in their best interest to fix this security lapse. However, I see that JKK has beat me to it. I am not suggesting a spam session to Zone Labs, but a constructive critique of their shortcomings from its consumers.
--
Fish laugh at the mere mention of my name!]]> http://www.dslreports.com/forum/remark,304122 Mon, 01 Jan 2001 16:39:56 EDT http://www.dslreports.com/forum/remark,304079 GaryK7 : I would be very happy to make webspace available that would let people fill in their name and email address and then send an appropriately worded form letter email to ZL. We could even give folks a choice of letters.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb
[text was edited by author 2001-01-01 16:29:40]
]]> http://www.dslreports.com/forum/remark,304079 Mon, 01 Jan 2001 16:28:25 EDT http://www.dslreports.com/forum/remark,304049 Wildcatboy :
Good point JKK. Although we are trying to find ways to protect ourselves from Za's vulnerability, it's really Zone Labs' job to do this. I haven't had a chance to see if there are any news breaks about this on other sites or papers, but I think a news break such as the one we had about the leak test is called for.
I have a suggestion and I will be doing it myself anyway. I think everyone who has ZA or ZA Pro should send Zone Lab an email telling them how disappointed they are. May be once they get thousands of email pieces they come to their senses and think twice about their decision. I'm not saying that we should send them rude and angry letters, just reasonable, objective letters. We may be missing the fact that we carry a great power due to our numbers. DSLR has over 50000 registered members (I think) and just imagine Hermann's face if he gets 20000 email. Does anybody have Conrad Hermann's email address? :) Let's go get him and CC the email to the president of Zone Labs.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,304049 Mon, 01 Jan 2001 16:21:41 EDT http://www.dslreports.com/forum/remark,303906 GaryK7 : I somewhat agree with you, JKK.

ZL knows of this problem, apparently knows about reasonable steps they can take to deal with it, but has decided not to do anything about it. I suspect their EULA will preclude any lawsuits though. Like I mentioned earlier I think and sort of hope that this decision will come back to haunt them in the form of really bad publicity and that then they will be forced to make some changes.

Please keep in mind though that with good AV protection that includes email scanning and a firewall like ZA you are still very well protected.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb]]> http://www.dslreports.com/forum/remark,303906 Mon, 01 Jan 2001 15:38:32 EDT http://www.dslreports.com/forum/remark,303874 jaykaykay : Not that this whole thread isn't educational, enlightening, and most gratifying to see so many folks doing their thing to help so many others, I will now add my $.02. I have read and re-read so much of this thread, I am going cross-eyed. Yes, I missed a few days and that's made it worse. Add to that that my understanding of the registry and many other workings of the computer that you are all dealing with is, to say the least limited, so much of what you are dicussing is lost to me.

What really needs to be done, even with all you are trying to do within the confines of DSLR, is that ZA take the friggin' bull by the horns and do something pro-active to make their product into what it was touted as being in the first place. There are too many users out here like myself without the ability to understand enough of what you are trying to do, and more than that, a total or non-existant ability to remedy anything on their 'puters' safely in the manner you are speaking. Add to that, if ZA doesn't do something pro-active, how many users, who are not privy to this cyber-sation will have no idea of the limitations/threats that lie out there, waiting to strike, all the while thinking that they are at least as well protected as they can be with a limited understanding of how to be so? Routers, NAT, rules, etc? These are all well and good, but that isn't the point here and it isn't something that even I would have the knowledge of how to set up and/or maintain, so it all comes back to the same disgusting thing. ZL is the only one that can actually do something for the millions of users out here in cyberland, which takes into consideration these many of us that do not have the know-how to do what you are all doing. Even those of us who have file sharing turned off and have done all the things suggested re:binding/unbinding, who can have a security scan and still come up fully stealthed without ZA on, are being taken for a ride by ZL's attitude.

If they, ZL, do nothing, to my way of thinking, they are wide open for a large law suit and more, as they know of the problems, know that they have made a choice to do nothing to remedy them, and yet still tout their product (and all other software products are touted the same way and have the same vulnerabilities, I am aware) as being the product to have...with no acknowldgement of the problems that exist. All you guys are doing is great, but unless instructions of how to do what you eventually conclude, if anything, can be written for the novice computer user can be posted, those other users like myself, even thought we know the score, are still caught between a rock and a hard place.

Now, she jumps from her soap box and scampers off to enjoy a little more of this New Year's Day. A good one to you all.
--
JKK:-)

Age is a very high price to pay for my maturity, so
if I can't stay young, I can at least stay immature!
]]> http://www.dslreports.com/forum/remark,303874 Mon, 01 Jan 2001 15:28:46 EDT http://www.dslreports.com/forum/remark,303008 wheelert$93 : NT locations?? Here they be. :)


HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/SharedDlls
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Enum/Root/LEGACY_VSMON
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/Services/vsmon
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Enum/Root/LEGACY_VSMON
HKEY_LOCAL_MACHINE/SYSTEM/ControlSet002/Services/vsmon
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Enum/Root/Legacy_VSMON
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/vsmon
--
"Rome did not create a great empire by having meetings. They did it by killing all those who opposed them."
]]> http://www.dslreports.com/forum/remark,303008 Mon, 01 Jan 2001 08:54:43 EDT http://www.dslreports.com/forum/remark,302306 EmilioG : These are two posts by Diamond CS at the GRC.com Ten-Forward/Vulnerabilty news group; There are some very interesting ideas and discussions going on over there, some really sharp people. There is also a threaded started by Steve Gibson and other discussions on security.

Emilio

**You can view the news group with OutLook express or similar news reader.


[text was edited by author 2000-12-31 23:02:42]


[text was edited by author 2000-12-31 23:16:25]
]]> http://www.dslreports.com/forum/remark,302306 Sun, 31 Dec 2000 23:00:15 EDT http://www.dslreports.com/forum/remark,302283 2kmaro : The listing/locations I provided were for a Win98 system - it was provided by ZoneLabs to me some time back when I also had trouble moving between ZA-free/ZA Pro Beta/back to ZA-free.

The entries all do resolve to proper locations/registry entries for ZA free on a Win98SE system.

I'll go sit at the W2K system in a little while and try to see what they look like (ZA free on W2K) and let you know if there are significant differences. Can't help with WinME - none in the house or at work. If it comes to a question about ZA basic on Win NT, I can look into that when I go back to work Tuesday - just ask, otherwise I won't mess with it.
]]> http://www.dslreports.com/forum/remark,302283 Sun, 31 Dec 2000 22:50:47 EDT http://www.dslreports.com/forum/remark,302213 jp : Sorry for the split post but I'm doing double duty and only have short bursts of time for on-line activities.

A search for LEGACY_VSMON turned up nothing and a search for vsmon turned up one key in runservices and two other keys in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
No other vsmon entries found.
--
All that is gold does not glitter]]> http://www.dslreports.com/forum/remark,302213 Sun, 31 Dec 2000 22:22:01 EDT http://www.dslreports.com/forum/remark,302166 jp : Wow, I'm not up to date on this thread - it is just moving too fast :-)

Here is a screen shot of Windows ME regedit for the area in discussion - its ZA pro:



Very different key structure from your list.
--
All that is gold does not glitter]]> http://www.dslreports.com/forum/remark,302166 Sun, 31 Dec 2000 22:02:26 EDT http://www.dslreports.com/forum/remark,302052 Wildcatboy :
The entries that I mentioned are for the Free version of ZA and on my NT 4.0 Server. I don't know if there is a substantial change in the way ME's registry functions. I guess we can hope for someone else with ME to show up and do a registry search and let us know if they get the same results as you are getting. Anyone?
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,302052 Sun, 31 Dec 2000 21:05:44 EDT http://www.dslreports.com/forum/remark,301958 paul613 : I have search using all 3(data, keys, values) check boxes, I have also checked each key listed in the posts and on zonelabs site personally.

I will let you know IF they respond to my inquiry..
--
Don't take life too seriously, you will never get out alive!]]> http://www.dslreports.com/forum/remark,301958 Sun, 31 Dec 2000 20:25:08 EDT http://www.dslreports.com/forum/remark,301921 GaryK7 : How are you doing the search? Is it possible you're not checking all the checkbox options that determine where regedit looks during a search?
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb]]> http://www.dslreports.com/forum/remark,301921 Sun, 31 Dec 2000 20:13:08 EDT http://www.dslreports.com/forum/remark,301909 paul613 : Maybe THEY ARE SUPPOSED TO BE THERE(there website says the same files for 95/98/me)
But they are NOT (I don't know why) But the program works as it is designed to. So that would indicate the values added are NOT needed for WinME. And it would not be unheard of an application putting entries in the reg that were not needed.

I am very puzzled by this, as I know the program works without them, But why, that is the puzzling part. I did not remove them, so either they weren't there to begin with OR Windows ME decided it didn't want/need them(although highly unlikely).

One other possible reason would be the info on zonelabs site may not current, maybe the modified the latest version and did not change that info.
I sent them an email... we will see what they say.
--
Don't take life too seriously, you will never get out alive!]]> http://www.dslreports.com/forum/remark,301909 Sun, 31 Dec 2000 20:08:05 EDT http://www.dslreports.com/forum/remark,301847 paul613 : 2kmaro, The files are on the hard drive in the right places, but not in the registry keys you listed. Are you running WIN ME?

The registry values in Shared dlls and run services ARE NOT PRESENT For zone alarm under WINME, the only entries I have are under zonelabs (and don't contain much, no calls to dll,vxd or exe )in the registry NOTHING under windows\current version.

Wildcatboy, would you have those like Trailblazer ON THE PRO version OR the free version??

And I don't have them at the keys you listed,
I DON'T even have Keys: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
or HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002

SO what I can deduce is that the installation is varied across operating systems, so any trojan written WOULD HAVE TO BE DIFFERENT for windows 95/98 then for ME and Win2K, which would certainly make it that more difficult to write and deploy.

And if in Windows ME there is no need for the registry entries (as clearly I don't have them, and ZA is running )the shortcut could be named anything and NO trojan could anticipate that.
Any thoughts??
--
Don't take life too seriously, you will never get out alive!]]> http://www.dslreports.com/forum/remark,301847 Sun, 31 Dec 2000 19:49:23 EDT http://www.dslreports.com/forum/remark,301670 Wildcatboy : I'm not sure why they are not found on your system. There are several key, value and data entries on my machine pointing to Vsmon minilog and others.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VSMON
HKEY_LOCAL_MACHINE\SYSTE M\ControlSet001\Services\vsmon
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs
HKEY_LOCAL_MACH INE\SYSTEM\ControlSet001\Services\vsmon\Imagepath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentContro lSet\Services\minilog

Are just a few examples of many.
--
You can catch the Devil, but you can't hold him long.]]> http://www.dslreports.com/forum/remark,301670 Sun, 31 Dec 2000 18:55:58 EDT http://www.dslreports.com/forum/remark,301664 2kmaro : Ok, look at either the folders or in the registry for these entries (all of this is from a document I got from ZoneLabs quite some time back). The following things are stuff I don't think you can hide/move:

The c:\windows\system folder contains these files:
vsutil.dll
vsmonapi.dll
vsdata.dll
vsdata95.vxd -- if computer runs Windows 95 or 98
vsdatant.sys -- if the computer runs Windows NT or Windows 2000

The c:\windows\system\zonelabs folder contains these files:
vsdb.dll
html.tdr
vsmon.exe
vsruledb.dll

Installing also creates a shortcut called "ZoneAlarm.lnk" in the
C:\Windows\Start Menu\All Users\Programs\StartUp
folder. If this exists, the path to ZoneAlarm interface file will exist.

Registry Entries.
Key: HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm and all its subkeys and values.

For each user who has run ZoneAlarm, there are registry keys in
Key: HKEY_CURRENT_USER\Software\Zone Labs\ZoneAlarm

If your system is running Windows 95 or Windows 98, this registry value starts the TrueVector service.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
Value: TrueVector

Under all versions of Windows, these values are added to the Shared DLLs database:

Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedDLLs
This is a database that contains a long list of values, but only these values are related to ZoneAlarm and TrueVector:
c:\Windows\System\vsdata.dll
c:\Windows\System\vsdata95.vxd
c:\Windows\System\vsmonapi.dll
c:\Windows\System\vsutil.dll
c:\Windows\System\ZoneLabs\html.tdr
c:\Windows\System\ZoneLabs\vsdb.dll
c:\Windows\System\ZoneLabs\vsmon.exe
c:\Windows\System\ZoneLabs\vsruledb.dll


[text was edited by author 2000-12-31 18:58:04]
]]> http://www.dslreports.com/forum/remark,301664 Sun, 31 Dec 2000 18:53:29 EDT http://www.dslreports.com/forum/remark,301566 paul613 : Yep THEY are NOT there.

What happens for my system is those files are loaded by the zonealarm.exe file which is ONLY CALLED from the C:\WINDOWS\All Users\Start Menu\Programs\Startup\
There is a shortcut there for the zonealram.exe file,
There is not even an icon in the start up folder that appears thru taskbar.
Where is it for you guys??


And it would be a small matter to rename the shortcut, AS I had already install zone alram to a NON standard directory on my d: drive.

Don't get me wrong there are entries in the reg for zone labs, but there is NO ENTRY calling the start of the program, so IT WOULD BE HARD FOR A TROJAN to find what is not there.
--
Don't take life too seriously, you will never get out alive!]]> http://www.dslreports.com/forum/remark,301566 Sun, 31 Dec 2000 18:12:53 EDT http://www.dslreports.com/forum/remark,301554 GaryK7 : I'm using ZAP with Win98SE. I guess the registry keys are different but I don't know if that's because of Windows or ZoneAlarm.
--
-tb/gary.
"The person who says it cannot be done should not interrupt the person doing it."
Chinese Proverb]]> http://www.dslreports.com/forum/remark,301554 Sun, 31 Dec 2000 18:07:11 EDT http://www.dslreports.com/forum/remark,301541 paul613 : I could not find them there IN windows ME, there are a ton of listings, BUT I can not find any for vsmon.exe or minilog.exe

The only thing that comes up is the MRU listings for the search.

I have the free version of ZA 2.1.44 (which I am begining to believe has HIDDEN itself very Well)

I can find the files on the hard drives, I just can not find any reg key calling to them.
--
Don't take life too seriously, you will never get out alive!]]> http://www.dslreports.com/forum/remark,301541 Sun, 31 Dec 2000 18:02:41 EDT http://www.dslreports.com/forum/remark,301506 GaryK7 :

said by paul613:

---

Did you find a registry key calling either the vsmon or the minilog exe files ?? could you post that if you did, I would like to try a thing or two.

---