Firewall detecting intrusions

bolun

Hi,

My computer has been having a lot of problems lately: viruses, spyware, all that gunk. So I decided to format my computer today. I installed ZA Security Suite right after I installed my OS, and within the first 10 minutes (of connecting to the internet) the firewall detected 23 intrusions, which it blocked. I did not have any browsers open or any programs accessing the internet. I was installing some drivers from the installation CD.

Should I be concerned about these intrusions? I plan on doing some online banking, is it safe?


Thanks,
 
bolun said:
Should I be concerned about these intrusions? I plan on doing some online banking, is it safe?
That's the internet for you. At least the spyware was blocked. As long as your computer doesn't have a keylogger or other active invaders, you're safe for banking. Of course, a firewall can't block everything, so try to get and keep an antivirus up-to-date. I'd say run frequent anti-malicious software checks and scans, at least once a week in your case.
 
This is not correct:
"the firewall detected 23 intrusions which it blocked."

Scanning is a part of the internet. It goes on minute by minute. If your firewall blocks it, it is NOT an intrusion. Instead it is an attempt to access, AKA a scan. The firewall is doing its job.

ZoneAlarm listens at both incoming AND outgoing ports. Look at the ZA log - if you see 'FWOUT' that means something in your system is attempting to access the internet. IF you do have any spyware on the system, hopefully ZA will block it.

Get at least one more spyware/adware program, scan with AV and the spyware programs, updating each right before the scans.
 
This is what Zone Alarm does... But you get reports on intrusions and high risk intrusions... there is a big difference. With the cookies and software security that are about necessary nowadays, the intrusions are always going to be there. Zone Alarm just lets you know. If they are known as "bad" they are blocked, and if they are "normal" intrusions, at least you know about them.
I suspect some of it is marketing. Zone Alarm is just reminding you it is doing its job, and might be worth getting one of the paid versions.
 
"Zone Alarm is just reminding you it is doing its job, and might be worth getting one of the paid versions."

The Zone Alarm Security Suite IS the paid version. I would also like to, again, direct you to a meaning of "intrusion":
"an illegal act of entering, seizing, or taking possession of another's property."

It is NOT an intrusion if the firewall stops it!
 
Hi, thanks everyone for your help

I've been getting a ton more access attempts, which the firewall has blocked. The source DNS from these attempts were recorded in the firewall's log. Here are some of them:

d5153C3DD.access.telenet.be
208-59-135-23.c3-0.43d-ubr4.qens-43d.ny.cable.rcn.com
staticline18826.toya.net.pl

Also, in the last hour, I've gotten 6 high-rated attempts, and the source IP is from another computer on my router. That computer is turned on right now, but no one is using it. Does that mean there are viruses on that computer and it is trying to attack my computer?


P.S. Sorry for using 'intrusion' improperly. Thanks for correcting me.
 
bolun said:
Also, in the last hour, I've gotten 6 high-rated attempts, and the source IP is from another computer on my router. That computer is turned on right now, but no one is using it. Does that mean there are viruses on that computer and it is trying to attack my computer?
All depends; the log should contain the IP address and port of the 'attack or intrusion attempt'.

Post some of those and I can help you there.
 
Source IP: 192.168.1.101: (1063, 1061, 1057, 1055, 1053, 1051) There are 6 of them
Destination IP: 192.168.1.100: 139 (same for all 6)

101 is the other computer, and 100 is my computer.
 
bolun said:
Source IP: 192.168.1.101: (1063, 1061, 1057, 1055, 1053, 1051) There are 6 of them
Destination IP: 192.168.1.100: 139 (same for all 6)

101 is the other computer, and 100 is my computer.
SUPER -- Well done.

Port 139 is a file/print sharing port. You may also see 445.

The source ports from 101 don't tell you anything; it's the destination ports that matter.

If you would like to avoid these entries in the log, just add
allow in/out udp source-ip 192.168.1.100-192.168.1.101 dest port 139 nolog

It would appear that there is some rule that is allowing ANY connection with LOGGING;
i.e. without the rule above, all access should have been DENIED.
Find the bad rule and delete it. If not found, then add
DENY ALL FROM ALL nolog
and move it to the bottom of the rule list.
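A worked example of triaging log entries like the ones posted above, following the reasoning in this thread (destination port matters, 139/445 from a LAN neighbour is file/print sharing, FWOUT means something on the box is calling out). This is added here and is not code from any poster or from ZoneAlarm; the log lines are constructed in a simple direction,src,sport,dst,dport shape and the LAN range 192.168.1.0/24 is assumed.

```python
"""Classify constructed firewall log entries the way the thread reasons about them."""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # assumption: the poster's home LAN
SHARING_PORTS = {139: "NetBIOS session", 445: "SMB"}  # file/print sharing ports

# Constructed sample log (not a real ZoneAlarm export):
# direction,source ip,source port,destination ip,destination port
SAMPLE_LOG = """\
FWIN,192.168.1.101,1063,192.168.1.100,139
FWIN,192.168.1.101,1061,192.168.1.100,139
FWIN,192.168.1.101,1057,192.168.1.100,139
FWIN,203.0.113.7,54321,192.168.1.100,135
FWOUT,192.168.1.100,1099,198.51.100.9,80
"""


def parse(line):
    """Split one log line into typed fields."""
    direction, src, sport, dst, dport = line.split(",")
    return {"dir": direction, "src": ip_address(src), "sport": int(sport),
            "dst": ip_address(dst), "dport": int(dport)}


def classify(entry):
    """Return a verdict; note the source port is never consulted."""
    if entry["dir"] == "FWOUT":
        return "outbound: check which program made this connection"
    if entry["src"] in LAN and entry["dport"] in SHARING_PORTS:
        return f"LAN {SHARING_PORTS[entry['dport']]} request: file/print sharing, not an attack"
    if entry["src"] not in LAN:
        return "blocked inbound from the Internet: routine scan noise"
    return "blocked inbound from LAN on an unexpected port: investigate"


def triage(log):
    """Count how many entries fall under each verdict."""
    counts = {}
    for line in log.splitlines():
        if line.strip():
            verdict = classify(parse(line))
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for verdict, n in triage(SAMPLE_LOG).items():
        print(f"{n:3d}  {verdict}")
```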
 
Gimme a break. Go to the Zone Alarm site. Go to your Zone Alarm list of intrusions. That is not the way they define it. Or do a Gurgle search for the errors in "intrusions" that Zone Alarm has made over time.
 
I can't possibly have every known firewall installed nor all user's guides.

The rule is the generic form for any firewall; the specifics are determined by the product itself.

Sorry; I haven't learned to walk on water quite yet.
 