
Confused using Sygate Personal Firewall

Discussion in 'Security and Privacy' started by bombagirl, 2006/08/20.

  1. 2006/08/20
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    I downloaded this program however when alerts are popping up I find it difficult to decide which ones to allow or not...what can I do? Shall I uninstall this program? Whenever it tells me that in isp no is accessing my pc I feel terrified as I think someone is hijacking my pc

    thanks
    claudine
     
  2. 2006/08/20
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello claudine,

    It sounds like what you're getting warned about is something known as Port Scans which the firewall is blocking and simply telling you that it occurred and was blocked; Sygate is doing its job. There is a Help file option in the program - look for that, I don't have Sygate in front of me anymore. Take the time to read thru the help file.

    A port scanner is a piece of software designed to search a network, in this case your ISP's, for open ports. Your ISP may be doing it to see who and how many systems are connected, or an infected computer(s) in the ISP's network is doing it, or someone on purpose looking for a vulnerable system.

    The following are links to security sites where you can test your system against their attempt at penetration.

    http://www.dslreports.com/scan

    http://www.pcflank.com/scanner1.htm

    The most vulnerable "door" into your system is not the firewall however, it is the Browser. It is the Browser that lets spyware/virus intrusions in. Test the Browser at those sites as well.

    I am curious though why you downloaded Sygate and from where. Sygate was acquired by Symantec earlier this year. One consequence is that the Sygate line of personal firewalls will not be updated anymore.

    This does not mean that you should panic and uninstall it. But over time, as threats evolve, you should get a firewall that is supported with updated capabilities to counter new threats.

    I ran Sygate for almost four years and loved it above all the others. But I came to the conclusion that I had to give it up and substituted Kerio for it. On another XP installation I run Zone Alarm, another well known and competent firewall.

    Regards - Charles
     


  4. 2006/08/21
    bombagirl

    Sygate!

    I installed it from its main site I think and because since I had Ares I had my own doubts on who had access to my pc...Sygate constantly tells me:

    An application named NDIS User mode I/O Driver (file name ndisuio.sys) has been blocked from accessing the network.

    what's this please? will read the help info though...are zonealarm and Kerio freeware? is there really the need for these extra firewalls other than the windows one?

    thanks
    Claudine
     
  5. 2006/08/21
    bombagirl

    I turned my windows firewall off and sygate to allow all and one of the websites you gave me to scan my pc is telling me:

    The test has found that the IP address used by your computer cannot be scanned. This commonly occurs because of a firewall program on your computer and/or you are connected to the Internet through a proxy-server or your ISP uses Network Address Translation (NAT) to share IP addresses.

    This means the test cannot check your system as the results of the testing would be incorrect.

    Why please?
     
  6. 2006/08/21
    charlesvar

    Is a system service that provides automatic configuration for the 802.11 adapters. In other words, for wireless devices. You can either shut the service down, provided you don't use any linksys wireless devices, or tell Sygate not to tell you each time it blocks it, or ignore it.

    To shut the service down, from the control panel, then administration tools, then services, scroll down to Wireless Zero Configuration at the bottom, double click and disable it.
    Both free and paid.
    What these 3rd party firewalls do is add permission/deny options for outbound web connections. The rationale is if malware does get on your system, the firewall would alert you to it when it wants to "phone home". The other rationale is to control legitimate applications connection behavior. Otherwise, XP's firewall is just as good as any other in the basic firewall function, which is to block unsolicited intrusion attempts.

    If you are interested in controlling what connects out, then go to this post http://www.windowsbbs.com/showthread.php?t=39425 and lookup the processes running on your system and once you've decided what to allow on startup and established a baseline, then anything new is easier to spot and easier to make decisions about.
    You appear to be behind a router. This result is fine, if they have trouble in scanning your system, then so do others.

    BTW, you should not have
    The windows firewall, yes, not Sygate, it negates the reason for the test, which is to test the firewall. It turns out, your hardware router did the job.

    Regards - Charles
     
  7. 2006/08/21
    bombagirl

    didn't understand your last bit
     
  8. 2006/08/21
    charlesvar

    Hi Claudine,

    "turned my windows firewall off and sygate". By what you wrote, you run WF and Sygate together - don't run two software firewalls together. Keep WF off as long as Sygate is running.

    I forgot to explicitly say that your router is a hardware firewall and will not conflict with either WF or Sygate.

    As far as I can tell, firewall wise, you're well protected. If you're having problems with malware, it entered thru the Browser - solicited, meaning invited in by clicking on a web site. Every time you click on a web site, some of the contents end up on your system in the Browser's cache and then clicking further on links and file downloads on that web site adds more to your system. Firewalls aren't designed to protect you against that. Anti virus and anti malware programs that filter web content are.

    Regards - Charles
     
  9. 2006/08/21
    bombagirl

    Dear Charles,

    I thank you for your detailed explanation, now it's all clear to me...so when downloading zipped files...I always run a scan before opening them...can such software/applications contain spyware/viruses/malware when opened or is it through browsers only?

    thanks
    Claudine
     
  10. 2006/08/21
    charlesvar

    You're right to scan the files before opening and yes they can contain malware not caught when downloading them.

    ZIP files are a special case, they are compressed and the AV will not filter them until you try to open them from the hard drive.

    Anti malware programs mostly come into play when a file wants to do something - such as alter a system setting and so on. This file is inert in a ZIP or any other download file and is not apparent until you click on the file.

    Regards - Charles
     
  11. 2006/08/21
    bombagirl

    hmmm so what do you suggest us to do? unzip the files, and scan the files afterwards before opening them? can the malware still run then?
     
  12. 2006/08/21
    charlesvar

    Hi Claudine,

    Un zipping will trigger the AV.

    And scanning with an anti malware program at that point would catch an execute or some other malicious file, provided that both AV and anti malware are up to date and have signature definitions that catch the potential malware.

    Everything I've described is on a basic level. The top tier AV's/Anti malware programs combine some of the functions of both and also use something called Heuristics, which means not only relying on signature files to spot malicious files but also by their behavior.

    Take some time to look at the posts in this section, General Security, where these issues are discussed in various threads over time - what are the best programs and at what cost, not only in the money sense, but also in resource/complication sense.

    Regards - Charles
     
  13. 2006/08/21
    bombagirl

    AV means antivirus programs no?

    thanks
    Claudine ;)
     
  14. 2006/08/21
    charlesvar

    Yes it does :)

    Regards - Charles
     
  15. 2006/08/24
    bombagirl

    Shall I let this access my network?

    Generic Host Processes for Win32 Services is trying to connect to rv.rozenan.com [72.36.141.34] using remote port 80

    C:\WINDOWS\system32\svchost.exe

    thanks
    Claudine
     
  16. 2006/08/24
    charlesvar

    Hi Claudine,

    The general rule on getting a question from the firewall like that is to deny it on a one time basis - there is a remember this setting option in Sygate's pop up dialog box. If you wanted to make it permanent, then you would tick that setting and Sygate will not ask again, Sygate will allow it or not allow it as you indicated. If not allowing a connection then stops your system from working, then you can allow, again on a one time basis and then take the time to find out what the connection is.

    Go into the program page - the list of programs that have asked for web connections. Click on each, that will take you to another page where one of the options is to allow that particular program to act as server (something like that, don't remember the exact phrase). Check the NO - I think by default it's checked yes. What act as server means is it allows the application on your system to actively listen for communications from the web. That holds Ports open needlessly and the only programs that need to do that are instant Chat applications such as AIM.

    I looked up 72.36.141.34 and here is where to do that: http://www.arin.net/whois/

    That site will return the name behind the Net address.

    This one returned the name Layered Technologies, Inc.

    I searched Google on Layered Technologies, Inc. and it appears to be dodgy. The site has been associated with spyware and malware according to some blogs referenced in the Google results.

    So, for this particular instance, I think the right thing to do is not to allow the connection. So the next time you get a query like this from Sygate, then you can go thru the steps I did with using the Whois site and Google. If it's not clear-cut, then ask here.

    Regards - Charles
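
An added example, not part of the original posts and not Sygate's own code: a small Python triage of the two alert wordings quoted in this thread, applying the deny-once rule from the post above unless the connection is already in a reviewed baseline. The function names and the baseline entry are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Alert wordings copied from the two alerts quoted in this thread; any other
# Sygate wording is not covered (assumption: these formats are stable).
CONNECT_RE = re.compile(
    r"^(?P<app>.+?) is trying to connect to (?P<host>\S+) "
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] using remote port (?P<port>\d+)$")
BLOCKED_RE = re.compile(
    r"^An application named (?P<app>.+?) \(file name (?P<file>[^)]+)\) "
    r"has been blocked from accessing the network\.$")

@dataclass(frozen=True)
class Alert:
    kind: str      # "outbound" or "blocked"
    app: str
    target: str    # "host:port" for outbound, driver/file name for blocked
    ip: str = ""

def parse_alert(line):
    """Return an Alert, or None when the wording is not recognised."""
    line = line.strip()
    m = CONNECT_RE.match(line)
    if m:
        return Alert("outbound", m["app"], f"{m['host'].lower()}:{m['port']}", m["ip"])
    m = BLOCKED_RE.match(line)
    if m:
        return Alert("blocked", m["app"], m["file"].lower())
    return None

def triage(alert, baseline):
    """baseline: set of (app, target) pairs already reviewed and accepted."""
    if alert is None:
        return "unrecognised: read the alert manually"
    if alert.kind == "blocked":
        return "informational: already blocked"
    if (alert.app, alert.target) in baseline:
        return "in baseline: allow"
    return f"not in baseline: deny once, then look up {alert.ip} in whois"

# Constructed baseline entry (hypothetical host); the alerts are from the thread.
BASELINE = {("Generic Host Processes for Win32 Services", "updates.example.com:80")}
SAMPLE_ALERTS = [
    "Generic Host Processes for Win32 Services is trying to connect to "
    "rv.rozenan.com [72.36.141.34] using remote port 80",
    "An application named NDIS User mode I/O Driver (file name ndisuio.sys) "
    "has been blocked from accessing the network.",
]

if __name__ == "__main__":
    for text in SAMPLE_ALERTS:
        print(triage(parse_alert(text), BASELINE))
```
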
     
  17. 2006/08/25
    bombagirl

    Ok thanks a lot Charles
     
