Using the Free Zonealarm Firewall
Author: Patricia Lynn
This tutorial will help you learn how a firewall works and how to train Zonealarm - a very popular free firewall. When configuring Zonealarm, opt for the highest security settings. After installation, Zonealarm will automatically start at each reboot. Do not shut it down.
Before installing Zonealarm, turn off the Windows XP firewall. Click Start, Control Panel, and Windows Firewall. Then click the “off” button and click OK. The Windows XP firewall is not highly regarded because it does not block outgoing requests.
How the firewall works
When Zonealarm is running, it it will alert you when a program wants to enter or exit your PC by providing a pop-up window. You must reply to the alert by choosing Allow or Deny. Also, there is a little box you can check that says “remember this setting.” We will refer to this as the “always” selection. If you don’t check this box, the next time the same program makes a request, Zonealarm will ask you again. If you do check the “always” box, it won’t. Don’t worry - your decision is not irreversible.
If you get annoyed at your firewall and just click Allow each time you get an alert, you might as well not use a firewall because you are not letting it protect your PC. We suggest you keep a small notebook by your PC to log the program that caused each Alert and to document what action you chose. This will help you become familiar with the programs on your PC that want access, and also help you train Zonealarm so that eventually you will receive very few Alerts.
In the beginning you will get a lot of Alerts because many of the applications running on your PC, and some Windows programs, will want to access the Internet. Many of these applications do not need access to the Internet; they want to look for program updates, or to send usage statistics home. You need to decide ahead of time which programs you want to stay updated (i.e. Word, Adobe) to stay updated. When you get an Alert and you know for sure that that it is coming from a legitimate program on your PC, say “always Allow.” and the program will not bother asking for permission again. If you aren’t 100% sure, click Deny and note that in your log. Each alert will provide the program name. If you don't recognize the file listed, look it up on the Internet before replying to the Alert.
Most of this is common sense. If you start a new program and you receive an alert, the program probably generated the alert. If an alert pops up out of the blue, be careful. We suggest you Deny and write down the program name and your actions in your log. Also look up the program name on the Internet and write your findings in your log. If nothing bad happens, do the same thing the next time you get the same alert. After several times, click “always” Deny and that particular program will not bother you again. This is how you properly train a firewall.
However, if after you click Deny, an application you had open stops working properly, end the application and restart it. It it still fails to work, end it. Then go into Zonealarm, click the Programs tab, right-click the application name, and click Remove. Start the application again. Since you removed the entry from Zonealarm's list, a new alert will be generated. This time click Allow and see if the program works properly. If so, note this in your log. Then, the next time you use this application and receive the Zonealarm alert, you may click “always” Allow and you should not hear from this application again.
Programs you should “always Allow”
The following programs need to access the Internet. When you get the first Alert from Zonealarm, you should respond “always Allow:” Zonealarm (zlclient.exe), anti-virus software (Avast program name begins with either avast or asp), other anti-malware software, (i.e. ad-aware.exe and spybotSD.exe), your email program (outlook.exe, msimn.exe, thunderbird.exe), and your browsing program (iexplore.exe, firefox.exe, mozilla.exe). A Windows program called svchost.exe needs access in order for your PC to access the Internet.
Note: When your browser, anti-virus, or anti-malware program has a major update, it will generate a Zonealarm Alert even though you previously said “always Allow.” The Alert will say “this program has changed since the last time it ran.” Just say “always Allow” again.
Handling other Alerts
What about the programs you don’t recognize that generate Zonealarm Alerts? If you’ve just launched an application and you get a Zonealarm Alert right away, the program you just launched is probably the culprit. First log the program name in your logbook. Then click Deny and see what happens. Everything will probably continue running just fine and, if so, note this in your logbook. You can look the program up on the Internet. There’s a lot of chatter in security forums about programs that generate Zonealarm Alerts but not a lot of census. Sometimes it will be a Windows program; sometimes folks won’t know what it is. Occasionally someone will say it is a virus posing as a Windows program. If you’re scanning your PC each week, don’t panic; it probably isn’t a virus. Remember - unless you are 100% sure, Deny, Deny, Deny!
Zonealarm is your friend, but you need to train it. This is how: when you get an Alert, write the program name in your logbook and indicate that you clicked Deny. If all proceeds normally, indicate this in your log. Then about the 3rd or 4th time you get an Alert for that program, choose “always Deny” and Zonealarm will not bug you about that program anymore! This is how you eventually stop getting Alerts.
You may not want to “always Deny” your media-playing programs (i.e.. wmplayer.exe, quicktimeplayer.exe) in case they need access if you’re trying to play a media file from a website. If you use Instant Messaging, chatter on the Internet says you should just click Allow each time and not “always Allow.” And a special note about Word: when you are copying and pasting from the Internet into a Word document, Word will need access and you should say Allow. If Word asks for access at some other time, just click Deny. If you want Word to update itself automatically, click Always Allow.
For what it’s worth, here are some programs for which we’ve clicked “always Deny” without a problem. However, your PC is unique, so we make no guarantees! They are: DSLog (dslog.exe); Support (support.exe); Update Checker Module (jucheck.exe) - this is Java wanting to update itself; services.exe; Windows Explorer (explorer.exe); Run a DLL as an app (rundll32.exe); Spooler SubSystem App (spoolsv.exe); LSA Shell (Export Version); and Dr.Watson (drwtsn32.exe) (if you don't send his error reports to Microsoft.
Looking at the Zonealarm list of programs
To see the list of programs that have asked Zonealarm for access, maximize Zonealarm on your screen and click on the Programs Control tab. Then, at the top, click the Programs tab and view your list. If you said Allow or Deny, there will be ? in the 1st column. If you said “always Allow” there will be green checkmarks. If you said “always Deny” there will be red Xs. You can click on a program setting and change it. Also, if you ever have a situation where your browser, email, or anti-malware program is hung up, simply right-click the program name and click Remove. Close your program and relaunch it. Zonealarm will be forced to generate an Alert for the program and you choose Allow or always Allow. This seldom happens, but that’s how you handle it.
Programs asking for “server rights”
When you look at the “Program Control” tab in Zonealarm, you’ll see two columns: Access and Server. So far we’ve only talked about requests for Internet Access, so our choices have been reflected in the 1st column. Occasionally you’ll get a Zonealarm Alert saying a program “wants to act as a server,” or “wants to accept connections from the Internet.” Allowing a program to act as a server means that an outside connection can access your PC through that program! Most malware want server rights, so beware! Typically, the only programs that may need server rights are the file sharing programs like Bearshare, or games that require point-to-point connections with other players across the Internet.
A few times we’ve had an Alert that the Windows program svchost.exe “wants to accept connections from the Internet” and when we said Deny, the Internet browser stopped working. We closed the browser and reopened it, and it worked just fine. The chatter on the Internet says its OK to allow this program to accept connections, so it's up to you. There is a virus posing as svchost.exe, so if you haven’t scanned for viruses in the last week, I’d Deny the request and immediately do a thorough virus scan just to be safe.
One more time?
For those of you who are still a little uncertain of how a firewall program works, let’s play a game. Let’s say you have a guard (your firewall) sitting by the door to your apartment. First of all, your guard will automatically block anyone from coming in unless you have specifically given that person permission. Secondly, the guard will be monitoring anybody requesting to leave your apartment and when someone does, he’ll check his list.
- Your spouse, Chris, wants to enter or leave the apartment. The guard sees that Chris is “always Allow” so he lets Chris in or out.
- Your cat, Fluffy, wants to leave the apartment. The guard sees that Fluffy is “always Deny” so he does not let Fluffy out.
- A salesperson wants to enter the apartment. The guard does not see this person on the list, so he asks you what to do. You will Allow or Deny depending on the person.
- Your 10-year-old son, Jason, wants to leave the apartment. His name is on the list with a big ? after it because you want the guard to ask you (Alert) each and every time Jason wants to leave. You will Allow or Deny depending on the circumstances!
