ZoneAlarm block?

Discussion in 'Virus Information' started by mac1, Aug 24, 2004.

  1. mac1 (Guest)

    Running WindowsXP, IE6, ZoneAlarm 5.1.011

    Today I received an alert that read:
    The firewall has blocked internet access to 192.xxx.x.xxx (DNS) from your
    computer. (I've typed (x) instead of the actual modem IP number.) Program:
    Generic Host Process for Win32 Services

    Not knowing if this is a virus, nor what to do if it was, I opened
    "Program control" in ZoneAlarm and found that "Generic Host Process for
    Win32 Services" was listed in the program column.

    Currently Under the "Access" column: Trusted and Internet each had a check
    mark
    Currently Under the "Server" column: Trusted and Internet each had a
    question mark

    Below, in the entry detail box was the following information:
    Product name: Microsoft Windows Operating System.
    The file name: C:\Windows\System32\svchost.exe

    My question is: what should I do about this alert? If it's safe, should I
    place a check mark under Trusted and Internet in the Server column?

    Thanks for any clarification about the alert.
     
    mac1, Aug 24, 2004
    #1

  2. N. Miller (Guest)

    I wish that you had made it 192.168.x.x. Or, 192.68.x.x. It makes a
    difference; only 192.168.0.0/16 is private, the rest is public. Oh, and if
    it was a private range, tell me why you think posting 192.168.1.1 is such a
    threat to your privacy; there are certainly tens of thousands of networks in
    the U.S. with that IP address. I'd guess that my 192.168.102.0/24 is more
    unique because it isn't the manufacturer's default. Oops...did I let a cat
    out of a bag? What good is it that you now know my LAN IP address?

    And it would help to know if that IP address was a WAN IP address (in the
    part of 192.0.0.0/8 up to the start of 192.168.0.0/16), or a LAN IP address
    (within 192.168.0.0/16).

    Why is this distinction important? Your firewall blocked access from your
    computer ('localhost', or [127.0.0.1]) to some IP address; but was it a
    local request, or a remote request? Who knows? I won't endeavor to guess.
    I would trust any internal requests, as in traffic between two LAN computers,
    or the LAN computer and the router. I've only seen shares, or LAN resource
    management activity on my LAN.

    But, since part of that 192.x.x.x that you failed to distinguish is public,
    and because you might have an Internet connection from a provider issuing
    public IP addresses in that range, you might actually be seeing a DNS
    request to your provider's DNS service. That is also acceptable, and
    expected. That is how your system works to resolve a Fully Qualified Domain
    Name (FQDN), the "friendly" name of a site (yahoo.com) into an IP address
    which it can use to actually send a request for packets.

    IOW, you gave us a lot of suppositions, and questions, but insufficient
    detail to offer a definitive description of what took place to make your
    program react as you described.
     
    N. Miller, Aug 24, 2004
    #2

  3. Chek (Guest)

    You can check the IP address you detected using something like:
    http://www.whoisview.com/products/whoisview/whoisview_online.php

    Unfortunately, knowing which process requested the connection doesn't help
    much.
    Various trojan .dll's attach themselves to various legit windows processes.
    If you are suspicious at all follow the advice here:
    http://www.aumha.org/a/parasite.htm
    with particular attention to installing and running:
    CWShredder
    Spybot Search & Destroy 1.3
    AdAware (SE has now replaced version 6)
    HijackThis
    About This
    Spywareblaster.

    In conjunction with a HijackThis logfile, sorting through the files running
    within a process by using Advanced Process Manipulator from
    http://www.diamondcs.com.au/index.php?page=apm
    can stop a bad file running, and then it can be deleted.

    Hope this helps,

    Chek
     
    Chek, Aug 24, 2004
    #3
  4. mac1 (Guest)

    Norman,

    Unfortunately, one of the many problems of being a newbie is: I simply don't
    have a clue about what is safe or not safe to post in a public forum. So, I
    thought it best to err on the side of caution and list a partial IP address.
    Had no idea that thousands of networks in the US had that IP address.

    Addressing my initial post: The IP address in the alert did contain:
    192.168.

    So if you will, please overlook the ignorance, and the omission of pertinent
    information you needed to answer my question. I've got a tremendous learning
    curve ahead of me as I slowly gain knowledge about software and hardware I
    know very little about.
     
    mac1, Aug 24, 2004
    #4
  5. N. Miller (Guest)

    In general, any IP address is reasonably safe to post; all the more so if
    you just limit it to the first two octets (i.e., 172.29.x.x). An IP address
    is no more than the number on the side of the building, visible from the
    street. If you have a public IP address, you've already been scanned by
    thousands of worms, dropped P2P connections, and spammers. I can assure you,
    from scanning my own logs, it is rare to see a scan that can be casually
    identified as a hostile scan directed at finding a computer to crack.

    Since you are using Zone Alarm, you can use an aggregator service to collect
    output from your logs. Check out these:

    http://www.dshield.org/
    http://www.mynetwatchman.com/

    I used the last one for a long time, but when I replaced a router with a
    model that they didn't support, I stopped reporting. Now they can accept
    reports from my router using a different log collector, and the other site
    can also accept my reports. I still haven't made up my mind which to
    continue with; both are good, it is just a matter of being able to collect
    data from the logs in a manner that both suits my ends, and their format.
    Okay, let's review your questions:
    Generic Host Process is one of those Win32 APIs, (at least I think it is)
    that are invoked by a process which needs some kind of service to operate.
    In this case, there appears to be a need for DNS resolution. I am a bit
    puzzled that the process thinks it will get DNS resolution from an address
    on your LAN. OTOH, your LAN IP address range should be configured as
    'trusted' by Zone Alarm, so I wouldn't expect to be seeing this in the log.
    That means that Generic Host is trusted to send requests to remote computers
    on both the LAN ("Trusted"), and the Internet. In my own firewall rules I
    permit DNS out (ZA's "Access") for all applications to a limited set of
    local, and remote IP addresses. I can define my ISP's DNS server IP
    addresses as 'trusted', and then allow access to those servers.
    That means that Generic Host will ask you what to do whenever you get an
    incoming DNS request, or response. Again, I can define my ISP's DNS server
    IP addresses as 'trusted', and allow their responses to reach my calling
    application.

    If Zone Alarm has a way to do this, you need to configure your ISP's DNS
    server IP addresses as 'trusted'; then you can allow that access while
    blocking all other DNS access.

    You can use 'ipconfig' from a command line to find your ISP's DNS servers.
    Or, if you are behind a router, check your router status page. There will be
    at least two IP addresses; sometimes more. Take them in the order presented,
    and add them to the Zone Alarm 'trusted' zone.
    Once you have your ISP's DNS server IP addresses marked as 'Trusted', you
    can place checks under the 'Trusted' column in both cases, and block the
    Internet column in both cases. You need the two-way contact with your ISP's
    DNS servers in order to resolve names like, 'yahoo.com', 'google.com', or
    'microsoft.com' to the corresponding IP address. But you don't need to allow
    every passerby on the Internet to be a party to your DNS requests.
    Any time. BTW, I can't help you with the details of marking your ISP's DNS
    servers as trusted; I don't use ZA, I use Kerio Personal Firewall 2.1.5.
    Also, I am behind a Netgear FR114P device; a router and firewall combined.
    Well to the extent that it has SPI filters, it can be considered a firewall.
     
    N. Miller, Aug 25, 2004
    #5
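The two rules of thumb in the replies above, that only 192.168.0.0/16 of the 192.x.x.x space is private (post #2) and that DNS from the machine should be allowed only to the resolvers ipconfig or the router status page reports (post #5), can be applied mechanically to an alert like the one in the first post. The following Python is an added example for this page, not code from the thread or from ZoneAlarm. The alert wording pattern, the sample alert text, the LAN prefix and the resolver addresses are all assumptions constructed for the example; the original address was redacted, so 192.168.1.1 (a common router address) stands in for it.

```python
import ipaddress
import re
from dataclasses import dataclass

# RFC 1918 private ranges. Inside 192.0.0.0/8 only 192.168.0.0/16 is private;
# every other 192.x.x.x address is treated as public by this classifier,
# which is the distinction the replies above turn on.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Hypothetical pattern for the alert wording quoted in the first post. It is an
# assumption for this example, not a documented ZoneAlarm log format.
ALERT_RE = re.compile(
    r"blocked internet access to (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<svc>[A-Za-z]+)\) from your computer"
)

# Constructed sample alert; the thread's address was redacted, so a typical
# router/LAN address is filled in here.
SAMPLE_ALERT = (
    "The firewall has blocked internet access to 192.168.1.1 (DNS) from your "
    "computer. Program: Generic Host Process for Win32 Services"
)


@dataclass
class Verdict:
    ip: str
    zone: str        # "loopback", "private-lan" or "public"
    service: str     # the service named in parentheses, e.g. "DNS"
    assessment: str  # what to do about the alert


def classify(ip_str):
    """Place an IPv4 address relative to RFC 1918: loopback, private-lan or public."""
    ip = ipaddress.ip_address(ip_str)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in RFC1918):
        return "private-lan"
    return "public"


def triage(alert_text, lan_network, trusted_dns):
    """Apply the thread's rule of thumb to one alert.

    lan_network: your own LAN prefix, e.g. "192.168.1.0/24" (from ipconfig).
    trusted_dns: the resolver addresses that ipconfig /all or the router status
                 page reports; DNS should only be allowed to these hosts.
    """
    m = ALERT_RE.search(alert_text)
    if not m:
        raise ValueError("alert text does not match the expected wording")
    ip_str, svc = m.group("ip"), m.group("svc")
    ip = ipaddress.ip_address(ip_str)
    lan = ipaddress.ip_network(lan_network)
    resolvers = {ipaddress.ip_address(d) for d in trusted_dns}

    if svc == "DNS" and ip in resolvers:
        assessment = "expected: DNS to a configured resolver; add it to the Trusted zone"
    elif svc == "DNS" and ip in lan:
        assessment = ("LAN host that is not a configured resolver; compare with "
                      "ipconfig /all before trusting it")
    elif svc == "DNS":
        assessment = "DNS to a host outside the resolver list; keep it blocked and investigate"
    else:
        assessment = "not DNS; review the destination and program separately"
    return Verdict(ip_str, classify(ip_str), svc, assessment)


if __name__ == "__main__":
    # Both resolver lists are assumptions: a router forwarding DNS for the LAN,
    # and a resolver in the documentation range 198.51.100.0/24.
    print(triage(SAMPLE_ALERT, "192.168.1.0/24", ["192.168.1.1"]))
    print(triage(SAMPLE_ALERT, "192.168.1.0/24", ["198.51.100.53"]))
```

The interesting branch is the second one: a DNS request to a 192.168.x.x address that is not in your resolver list is not automatically hostile (many home routers answer DNS for the LAN themselves), but it is the case to check against `ipconfig /all` rather than wave through, which is the point post #5 makes about configuring the resolvers as Trusted and blocking DNS to everything else.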
  6. N. Miller (Guest)

    But knowing where the connection requests are going can be a help. In this
    case, apparently, the connection is a combination of local (which, while it
    isn't necessarily benign, it isn't sending anything off to the Internet),
    and DNS requests (which should be confined to the provider's DNS servers).
    If that is all that there is, malicious activity is not a likely cause.
     
    N. Miller, Aug 25, 2004
    #6
  7. mac1 (Guest)

    Thanks for taking the time to explain and answer all my questions. I'll
    definitely have to print this post and reread it several times to digest the
    information you've shared.
     
    mac1, Aug 25, 2004
    #7
