
In June 2004, ZoneAlarm was exhibiting some curious behavior: it would check for updates from sites other than the proper "update.zonelabs.com", and this tool was built to help track that down.

A discussion of this problem can be found at DSLREports in this thread in the security forum, with information about this tool in this thread.

This behavior seems to be limited to 5.0.x software, and there is some suspicion that ZoneAlarm is incorrectly interpreting "regular web access" as the use of a proxy server, so it attempts to check for updates via that web server. This has baffled a lot of people.

zawatch is a small console-mode application that keeps an eye on these registry values used by ZoneAlarm for proxy parameters:

HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyEnabled [REG_DWORD]
HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyServer  [REG_SZ]
HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyPort    [REG_DWORD]

When the program starts, it reports the current values and then waits for them to change. When any of them change, a popup box is displayed:

[popup box - ZoneAlarm registry changed]

This program uses the RegNotifyChangeKeyValue() Win32 API call, and as such uses essentially zero CPU time: Windows notifies us only when a change occurs, so no "polling" is needed, and this makes the program very efficient.

Note also that if ZoneAlarm changes more than one of the registry values, it's possible that separate notifications will be received (one for each update). The code tries to fold these into a single report, but it's not a bug if this merging is not successful.

This program is entirely readonly with respect to the registry and to the filesystem; it never modifies anything. It performs no network activity of any kind.

Installing

First download the executable (see below) and put ZAWATCH.EXE in a convenient place. We normally run this from the command line, but it's also possible to run it from a shortcut on the desktop (when doing so, configure the window to start "Minimized").

It doesn't require any command line parameters (though some are available for testing - see below), and it runs in a console window, producing output there. This window can be minimized to keep it out of the way (sorry, putting it in the system tray was more work than we cared to undertake, even though it's a reasonable request).

It's safe to put this program in the startup group to launch automatically at boot time.

To exit the program, just close the window at any time.

Testing mode

By default, this program always watches the ZoneAlarm values listed above, but when testing to ensure that registry changes are detected, we were a bit reluctant to modify them while ZoneAlarm was running, so the --testing parameter can be given on the command line to enable an additional registry value: ZAWatchTestWord.

When zawatch detects that any of the watched values change, it displays the popup box; this makes it easy to test by opening REGEDIT and manually adding or changing ZAWatchTestWord, without any danger of interfering with ZoneAlarm itself.
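The following PowerShell script is an added example, not the zawatch source: it reproduces the watcher described above (report current values, block until a change notification arrives, fold several near-simultaneous notifications into one report, pop up only on the transition to "proxy enabled", and optionally watch ZAWatchTestWord for testing) using WMI's RegistryValueChangeEvent rather than the RegNotifyChangeKeyValue() call zawatch uses. The key path and value names are the ones on this page; the 500 ms folding window, the -Testing switch name and the popup wording are assumptions of this example.

```powershell
# Added example, not the zawatch source. Watches the ZoneAlarm proxy values
# with WMI registry-change events (class RegistryValueChangeEvent in
# root\default) instead of RegNotifyChangeKeyValue(). Read-only: it never
# writes to the registry or the filesystem and makes no network connections.
param(
    [switch]$Testing,            # also watch ZAWatchTestWord, like zawatch --testing
    [int]$FoldWindowMs = 500     # assumption: notifications this close together are one change
)

$KeyPath    = 'SOFTWARE\Zone Labs'     # under HKEY_LOCAL_MACHINE, as on the page
$ValueNames = @('HttpProxyEnabled', 'HttpProxyServer', 'HttpProxyPort')
if ($Testing) { $ValueNames += 'ZAWatchTestWord' }

function Get-ZoneAlarmProxyState {
    # Read-only snapshot of the values; a missing value reads as 0 or '(none)'.
    $item = Get-ItemProperty -Path "HKLM:\$KeyPath" -ErrorAction SilentlyContinue
    @{
        Enabled = [int]$item.HttpProxyEnabled
        Port    = [int]$item.HttpProxyPort
        Server  = if ($item.HttpProxyServer) { [string]$item.HttpProxyServer } else { '(none)' }
    }
}

function Format-State([hashtable]$s) {
    "Enabled=$($s.Enabled) Port=$($s.Port) Server=$($s.Server)"
}

# One WQL subscription per value name. Backslashes in WQL string literals must be doubled.
$wqlKey = $KeyPath.Replace('\', '\\')
foreach ($name in $ValueNames) {
    $query = "SELECT * FROM RegistryValueChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' " +
             "AND KeyPath='$wqlKey' AND ValueName='$name'"
    Register-CimIndicationEvent -Namespace 'root/default' -Query $query `
        -SourceIdentifier "ZA-$name" | Out-Null
}

Add-Type -AssemblyName System.Windows.Forms   # for the popup box

"Watching:"
$ValueNames | ForEach-Object { "  HKEY_LOCAL_MACHINE\$KeyPath\$_" }
$old = Get-ZoneAlarmProxyState
"Now: $(Format-State $old)"

try {
    while ($true) {
        # Wait-Event blocks until WMI delivers a notification; nothing is polled.
        $ev = Wait-Event
        Remove-Event -EventIdentifier $ev.EventIdentifier

        # ZoneAlarm may write the values one at a time, producing one event each.
        # Pause briefly and discard the siblings so one logical change gives one report.
        Start-Sleep -Milliseconds $FoldWindowMs
        Get-Event | Remove-Event

        $new = Get-ZoneAlarmProxyState
        "PROXY CHANGE NOTIFY at $(Get-Date -Format 'ddd MMM dd HH:mm:ss yyyy')"
        " Old: $(Format-State $old)"
        " New: $(Format-State $new)"

        # Popup only on the transition to "proxy enabled" (zawatch's default behavior);
        # the console lines above are written for every change.
        if ($new.Enabled -eq 1 -and $old.Enabled -ne 1) {
            [void][System.Windows.Forms.MessageBox]::Show(
                "ZoneAlarm proxy enabled:`n$(Format-State $new)", 'ZoneAlarm registry changed')
        }
        $old = $new
    }
}
finally {
    # Ctrl-C or closing the window lands here; drop the WMI subscriptions.
    foreach ($name in $ValueNames) {
        Unregister-Event -SourceIdentifier "ZA-$name" -ErrorAction SilentlyContinue
    }
}
```

Run it from a console as `.\zawatch.ps1` (or `.\zawatch.ps1 -Testing`, then add or change ZAWatchTestWord in REGEDIT to confirm that notifications arrive). The folding window is a trade-off: too short and a two-value update is reported twice, too long and the report is delayed by that much; 500 ms is only a guess that suited this example.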

What if I see it change?

If, during regular surfing, the popup box appears, please look at the console window to see what the settings have changed to:

C> zawatch
zawatch 1.0 - 2004-06-19 - http://www.unixwiz.net/tools/

Watching:
  HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyEnabled
  HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyServer

Now: HttpProxyEnabled=0 HttpProxyServer=(none)
PROXY CHANGE NOTIFY at Sat Jun 19 10:58:45 2004

 Old: Enabled=0 Port=0 Server=(none) Port=0
 New: Enabled=1 Port=80 Server=www.dslreports.com

Try to remember what you were doing at the time: you're now a bit closer to reproducing the behavior.

But the problem is not "using a proxy" but "mis-detecting a proxy", and once ZoneAlarm has switched to using the wrong one, it continues to use it until it is restarted. To "try again" with the detection, ZoneAlarm must be restarted so that its proxy-detection process starts over.

Sometimes merely stopping and restarting ZoneAlarm is enough to clear the proxy settings, but if an error dialog says that "TrueVector Monitoring" will remain running, the proxy settings will remain as well.

We've found that after deleting the values of interest by hand in regedit, the next ZoneAlarm update check actually honors the cleared settings, so no reboot is needed.

Note: restarting ZoneAlarm will probably reset your network connections, so be sure to save your work before you do so. There is no need to reboot the computer.

We invite you to post your circumstances of misdetection to DSLReports.

Command Line

The program normally is run without parameters, but a few are supported:

--help
Show a brief help listing.
--version
Show the program's version information
--verbose
Show a bit more debugging information at runtime
--testing
In addition to the ZoneAlarm registry values, also watch the ZAWatchTestWord value. When any of these registry values change, a notification will appear.
--all-notify
zawatch normally only pops up a message when it detects that ZoneAlarm has enabled the proxy. Because the disabling of the proxy is typically done by the user explicitly, this popup can get annoying, so it's not done in that case. This option enables the popup box for all state changes.
In any case, the console window still records all changes.

Download

This program is available in source and binary form. We promise that the source contains no shenanigans and that the binary was built from the source provided, but we don't promise that there are no bugs.

The .EXE was compiled with MSVC6 on a Windows 2000 system, and it was not built with UNICODE support. We think this will run on Win9x/ME as well but have not tested it (feedback welcome).

Disclaimer

Though we've been working closely with Zone Labs to research this curious behavior, this program is a private effort and is not endorsed or sponsored by Zone Labs. They have neither written nor reviewed the code and take no responsibility for it.

Revision History