
How does zonealarm ...


Hq741

Nov 22, 2009, 7:22:22 PM
Hi,

does anyone know which winsock function zone-alarm uses to discover network or socket events ?

Greets
hq


David Schwartz

Nov 22, 2009, 8:00:51 PM

It doesn't use a winsock function for that purpose. If it did, it
couldn't detect accesses by programs that don't use Winsock.

DS

Hq741

Nov 22, 2009, 8:52:58 PM

"David Schwartz" <dav...@webmaster.com> wrote:

> Hi,
>
> does anyone know which winsock function zone-alarm uses to discover network or socket events ?
>
> Greets
> hq

>It doesn't use a winsock function for that purpose. If it did, it
>couldn't detect accesses by programs that don't use Winsock.

>DS

Can you say what other functions or processes that are ?

hq

David Schwartz

Nov 22, 2009, 10:07:34 PM
On Nov 22, 5:52 pm, "Hq741" <n...@notformail.no> wrote:

> >It doesn't use a winsock function for that purpose. If it did, it
> >couldn't detect accesses by programs that don't use Winsock.

> Can you say what other functions or processes that are ?

I'm not sure I understand what you're asking. If my memory serves me
correctly, ZoneAlarm interposes itself in at least two places. First,
it puts itself right in front of the network card driver(s). This
allows it to see every packet that is sent or received. Second, it
puts itself between processes and the network hooks they use. This
allows it to know which process made which request.

So if Internet Explorer opens a connection to www.google.com port 80,
ZoneAlarm will see that program make that function call. It will then
make a note that the connection is authorized. Then when it sees an
outbound TCP packet hit the network card, it will know that this
packet is (at least, most likely) pursuant to an authorized TCP
connection.

That's just scratching the surface, it's actually a lot more
complicated than that. But the basic premise behind your question,
that there's some Winsock call that allows an entire system to be
securely monitored, is false. You need to monitor at multiple points,
most of them at a much lower level, and you need to cross-reference
high-level events with low-level events to detect subterfuge.

DS
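
An added illustration of the cross-referencing described in the post above (not part of the original thread, and not ZoneAlarm's code): connect events recorded at the process-level hook are matched against packets seen in front of the network card driver, and any packet with no matching process-level event is flagged. All type names, function names and sample records are hypothetical and constructed for this example.

```python
"""Cross-reference process-level connect events with packet-level observations.
All records below are constructed sample data, not real firewall output."""
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

class ConnectEvent(NamedTuple):   # seen at the process/API interposition point
    pid: int
    image: str
    flow: Flow
    allowed: bool                 # policy decision made when the call was seen

class Packet(NamedTuple):         # seen in front of the network card driver
    ts: float
    flow: Flow

def correlate(connects, packets):
    """Return (ts, flow, verdict, image) for every outbound packet."""
    table = {ev.flow: ev for ev in connects}
    out = []
    for pkt in packets:
        ev = table.get(pkt.flow)
        if ev is None:
            # No process asked for this flow at the API layer: the traffic
            # bypassed the high-level hook and only the low-level tap saw it.
            out.append((pkt.ts, pkt.flow, "UNATTRIBUTED", None))
        elif not ev.allowed:
            out.append((pkt.ts, pkt.flow, "DENIED", ev.image))
        else:
            out.append((pkt.ts, pkt.flow, "AUTHORIZED", ev.image))
    return out

def alerts(results):
    """Packets that need attention: anything not tied to an allowed connect."""
    return [r for r in results if r[2] != "AUTHORIZED"]

# Constructed sample input (documentation address ranges)
F1 = Flow("tcp", "192.0.2.10", 49152, "198.51.100.7", 80)
F2 = Flow("tcp", "192.0.2.10", 49153, "198.51.100.9", 443)
F3 = Flow("tcp", "192.0.2.10", 49154, "203.0.113.5", 8080)
CONNECTS = [ConnectEvent(1204, "iexplore.exe", F1, True),
            ConnectEvent(3310, "updater.exe", F2, False)]
PACKETS = [Packet(0.01, F1), Packet(0.02, F2), Packet(0.03, F3)]

if __name__ == "__main__":
    for row in correlate(CONNECTS, PACKETS):
        print(row)
```

The third sample packet is the case the post is about: it reaches the wire without any process-level event, which a monitor watching only the API layer would never see.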

Hq741

Nov 22, 2009, 10:19:52 PM

"David Schwartz" <dav...@webmaster.com> wrote:

>DS

Thx for your explanation ... I'm a bit "lost in space" with network functions

but that's off topic so I better change to a network programming group

bye

hq


Skybuck Flying

Nov 25, 2009, 11:14:04 AM

"Hq741" <n...@notformail.no> wrote in message
news:4b09d5ed$0$6573$9b4e...@newsspool3.arcor-online.net...

> Hi,
>
> does anyone know which winsock function zone-alarm uses to discover
> network or socket events ?

Nope I don't know what zone alarm uses...

But sockets can inform the user of certain events... I think via callbacks
or something.

Check the winsock 2 documentation ! ;)

(For example network up/down or ip changed or stuff like that...).

Bye,
Skybuck.


Alun Jones

Dec 14, 2009, 8:39:32 PM

"Hq741" <n...@notformail.no> wrote in message
news:4b09eb23$0$7631$9b4e...@newsspool1.arcor-online.net...

If you're writing something similar today, you might try using the Windows
Filtering Platform, which is specifically designed to allow custom firewalls
(and similar tools) to intercept, examine, and modify IP traffic passing
through the Windows network stack.

Alun.
~~~~
