I’m Afraid I Can’t Do That, Dave: When Firewall Upgrades Go Wrong

A client called this morning saying “I clicked on a security alert and now I can’t get on the internet…”  Of course, my spidey sense said “Ah!  Classic malware!”

However, when I got on-site, there was no malware on the machine. 

A quick glance over Autoruns turned up nothing out of the ordinary, Malwarebytes turned up nothing, and doing a netsh winsock reset did nothing to improve the situation… not feeling like standard malware… was this thing rootkitted?

But then I noticed there was an odd entry in his Start menu called “ZoneAlarm!12dc_532f!erased” which had a broken link to a “ZoneAlarm Security Tutorial”.

The client does use ZoneAlarm, and prior issues with his machine had been traced back to ZA — most notably when a Microsoft DNS patch befuddled the firewall, forcing it to block all DNS traffic — so I didn’t rule ZA out of the equation.

Searching all the files on his machine that were created in the past 24 hours turned up a file in c:\windows\internet logs called fwpktlog.txt (FireWall PacKeT LOG, anyone?  And why are we still limiting ourselves to 8.3 naming?  Does anything other than our own laziness still rely on that?)

In this file were a whole bunch of lines denying packets from the local machine to Internet addresses.  I could still access machines on the local network, but nothing outside.
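The triage described above, done by hand on the client's machine, is easy to script. The following is an added example, not code from the original post: it lists files created or modified in the last 24 hours under a few system folders, shows the publisher and signature of any executables among them (which is how cpes_clean.exe was identified later in the post), and pulls the recent deny lines out of the firewall packet log. The log path is the one the post gives; the exact record format of fwpktlog.txt is not shown on the page, so the keyword filter is an assumption to adjust once you have seen a real line.

```powershell
# Added example (not from the original post): recent-file triage plus a quick
# look at the ZoneAlarm packet log.
# Assumptions: log at C:\Windows\Internet Logs\fwpktlog.txt (the post's path);
# the deny-line keywords are a guess at the log's wording.
param(
    [string[]]$Roots     = @("$env:SystemRoot", "$env:ProgramFiles", "$env:TEMP"),
    [int]     $Hours     = 24,
    [string]  $PacketLog = "$env:SystemRoot\Internet Logs\fwpktlog.txt"
)

$since = (Get-Date).AddHours(-$Hours)

# 1. Recently created files, newest first. CreationTime is what the post
#    searched on; LastWriteTime also catches existing files that were rewritten
#    (an installer log being appended to, for instance).
$recent = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since }
}
$recent |
    Sort-Object CreationTime -Descending |
    Select-Object CreationTime, LastWriteTime, Length, FullName |
    Format-Table -AutoSize

# 2. For executables, show the file description, company and Authenticode
#    status before deciding whether to run anything.
$recent |
    Where-Object { $_.Extension -in '.exe', '.dll', '.sys' } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File        = $_.FullName
            Description = $_.VersionInfo.FileDescription
            Company     = $_.VersionInfo.CompanyName
            Signature   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
        }
    } | Format-List

# 3. Most recent lines in the firewall log that look like denied packets.
#    The pattern is an assumption about the log's wording.
if (Test-Path -Path $PacketLog) {
    Select-String -Path $PacketLog -Pattern 'deny|denied|drop|block' |
        Select-Object -Last 40 |
        ForEach-Object { $_.Line }
}
```

Run it from an elevated PowerShell prompt so the system folders are readable; an unsigned or oddly-described executable in a fresh Temp folder is exactly the sort of thing this surfaces, whether it turns out to be malware or, as here, a vendor's own cleanup tool.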

What created that packet filter file?

I looked in the services list and there was nothing for ZoneAlarm in there, but there was an entry for ForceField (ZA’s browser security program) and it was running.  Stopping the service and setting it to disabled did nothing.

Open the pod bay doors, Hal! 
I’m afraid I can’t do that, Dave.

Also, among the recently created files, I found an installer_02251175403.log file, also in the c:\windows\internet logs folder.  Opening it up, it pointed me to a temp folder it had created, C:\DOCUME~1\Steve\LOCALS~1\Temp\02251175403, within which were a bunch of files including an executable called cpes_clean.exe, which is listed as “Check Point Endpoint Security Cleaner” from “Check Point Software Technologies LTD” in the file properties.

Going for broke, I ran the program.

It ate up some CPU according to Task Manager, but didn’t show any sort of UI until it popped up a box asking to reboot.

Rebooted the machine, and lo and behold, we could access sites out on the internet.

Pop over to ZoneAlarm’s site and download the latest build, and 145MB and 15 minutes later (DSL!!!) the download is corrupt.

Another 15 minute download, and ZA is happily reinstalling itself.

Microsoft Patch Breaks Zone Alarm

Got a call from a client today complaining that he could no longer access the Internet. He’s running Zone Alarm 7.

Trek out to the site and lo and behold, we can ping IP addresses through the firewall, but we can’t resolve any names.  Turns out DNS had a big hole in it, and it’s been patched by the major vendors, Microsoft among them.

So, Microsoft rolls out KB951748 (the DNS client update from security bulletin MS08-037, which randomizes the client’s UDP source ports) yesterday as part of Patch Tuesday, and this morning all the machines set to autoupdate that are also running Zone Alarm find themselves out of luck.

The quick fix is to run ZoneAlarm’s Internet Zone Security in “Medium” mode.

Zone Alarm released a knowledge base article suggesting three options: the aforementioned “medium mode” fix, uninstalling the patch, or adding your DNS servers to the Trusted Zone.

Adding the DNS servers to the Trusted Zone is the most secure solution, as it allows you to run in full stealth and still enjoy the “benefits” of the Microsoft patch.
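The symptom that gives this away is “IP pings fine, names don’t resolve”, and the fix needs the addresses of the resolvers the client actually uses. The following is an added example, not part of the original post: it performs that check and prints the configured DNS servers that would go into the Trusted Zone. It uses the DnsClient cmdlets, so it needs Windows 8 / Server 2012 or later (on the XP box in the post you would do the same by hand with ping and nslookup); the probe name and IP are assumptions, and any well-known host you trust will do.

```powershell
# Added example (not from the original post): distinguish "DNS replies are
# being blocked" from "no outbound connectivity at all", and list the resolvers
# that need to be trusted by the firewall.
# Assumptions: probe targets below; Windows 8+ for Resolve-DnsName and
# Get-DnsClientServerAddress.
function Test-DnsPath {
    param(
        [string]$ProbeName = 'www.microsoft.com',   # assumed; any well-known name
        [string]$ProbeIp   = '8.8.8.8'              # assumed; any pingable public IP
    )

    # Raw IP reachability: if this works, routing and the firewall's general
    # outbound rules are fine.
    $ipOk = Test-Connection -ComputerName $ProbeIp -Count 2 -Quiet -ErrorAction SilentlyContinue

    # Name resolution over DNS only (skips hosts file, LLMNR and NetBIOS), so a
    # failure here means the UDP/53 exchange with the resolver did not complete.
    $dnsOk = $false
    try {
        $null = Resolve-DnsName -Name $ProbeName -Type A -DnsOnly -ErrorAction Stop
        $dnsOk = $true
    } catch { }

    # The resolvers the client is configured to use. These are the addresses
    # to add to the firewall's Trusted Zone.
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Where-Object { $_.ServerAddresses } |
        Select-Object -ExpandProperty ServerAddresses -Unique

    $verdict = if ($ipOk -and -not $dnsOk) {
        'IP reachable but DNS fails: the firewall is likely dropping UDP/53 replies'
    } elseif (-not $ipOk) {
        'No outbound IP connectivity: not a DNS-only problem'
    } else {
        'Name resolution works'
    }

    [pscustomobject]@{
        IpReachable = [bool]$ipOk
        DnsResolves = $dnsOk
        DnsServers  = $servers
        Verdict     = $verdict
    }
}

Test-DnsPath | Format-List
```

If the verdict is the first one and the listed servers are your ISP’s or router’s resolvers, adding those addresses to the Trusted Zone restores resolution without lowering the Internet Zone security level or backing out the patch.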