Wednesday, 9 July 2008

ZoneAlarm: "The firewall has blocked Internet access to.."

If you have recently patched your Windows computer with KB951748 and have ZoneAlarm installed then you'll probably find that everything has stopped working with a message similar to:
ZoneAlarm Security Alert
Protected
The firewall has blocked Internet access to whatever.com (0.0.0.0) (HTTP) from your computer (TCP Flags: S)


This is because the Microsoft patch you just applied has made some fairly significant changes to the way your PC looks up internet names (such as web pages, email hosts etc) and ZoneAlarm isn't aware of those changes and is consequently having a panic.

It isn't really a fault with the patch, and given the nature of the change, you can perhaps expect ZoneAlarm not to cope [see note below]. If you really want some more technical background read this article at the Internet Storm Center: Multiple Vendors DNS Spoofing Vulnerability.

As a temporary workaround, the best advice is to uninstall KB951748 until ZoneAlarm is updated. It is an important update, but you are either going to have to disable ZoneAlarm or remove the patch, and at the moment my advice would be to stick with ZoneAlarm.

To remove the patch in Windows XP (Vista will be similar):
  1. Click Start and select Control Panel (or Start.. Settings.. Control Panel depending on your setup).
  2. Open "Add or Remove Programs"
  3. Tick "Show Updates"
  4. Scroll down (probably very near the bottom of the list) to Security Update for Windows XP (KB951748) (Vista may be worded differently, but the key thing to look for is KB951748).
  5. Click Remove
  6. Follow the steps to remove the patch and then reboot
Keep an eye on the ZoneAlarm Official Announcements forum for updates - hopefully your copy of ZoneAlarm should download a fix for it automatically. When you have downloaded the update for ZoneAlarm, visit Windows Update and reapply the patch.

Update 1:
Sandi made the following comment:
It is not necessary to uninstall the patch, or disable/remove Zonealarm. Simply reset the ZoneAlarm database:

http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=52727

"To solve this, just reset the ZA database and the ZA will be "fresh" as when it was first installed:


Boot your computer into the Safe Mode
Navigate to the c:\windows\internet logs folder
Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
Clean the Recycle Bin
Reboot into the normal mode
ZA will be just like new with no previous settings or data


Once this is finished, reboot back into the normal mode and in the new network found windows, set the new network to Trusted.
Then do this to ensure the ZA is setup properly:

Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc

1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
3. Click OK and Apply. Then do the same for the DHCP server.
4. The localhost (127.0.0.1) must be listed as Trusted.
5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
Plus it must have both Trusted and Internet Access."
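
Steps 1 to 4 of the quoted procedure, as an added example that is not part of the original post or of ZoneAlarm's own material: a Python sketch that pulls the DNS and DHCP server addresses out of saved `ipconfig /all` output, including DNS servers listed on unlabelled continuation lines. The sample output is constructed and the function names are made up for this example.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output (Windows XP layout), not from a real host.
SAMPLE = """\
Ethernet adapter Local Area Connection:

        IP Address. . . . . . . . . . . . : 192.168.1.20
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            192.0.2.53
        Lease Obtained. . . . . . . . . . : 09 July 2008 08:00:00
"""

# "Label . . . . : value" rows; the dotted filler before the colon is discarded.
LABEL = re.compile(r"^\s+(?P<label>[^:]+?)[ .]+:\s*(?P<value>.*)$")
WANTED = {"dns servers": "dns", "dhcp server": "dhcp"}


def _as_ip(text):
    """Return the normalised address, or None if text is not a bare IP."""
    try:
        return str(ipaddress.ip_address(text.strip()))
    except ValueError:
        return None


def find_dns_dhcp(ipconfig_text):
    """Collect DNS and DHCP server addresses across all adapters."""
    found = {"dns": [], "dhcp": []}
    current = None  # field that an unlabelled continuation line belongs to
    for line in ipconfig_text.splitlines():
        row = LABEL.match(line)
        if row:
            current = WANTED.get(row.group("label").lower())
        ip = _as_ip(row.group("value") if row else line)
        if ip is None:
            if not row:
                current = None  # blank line or adapter heading ends the field
        elif current and ip not in found[current]:
            found[current].append(ip)
    return found


def trusted_zone_checklist(ipconfig_text):
    """Addresses the quoted steps say must be Trusted: localhost, DNS, DHCP."""
    found = find_dns_dhcp(ipconfig_text)
    return list(dict.fromkeys(["127.0.0.1"] + found["dns"] + found["dhcp"]))
```

On a real machine, save the output with `ipconfig /all > ipconfig.txt` and pass the file's contents to `trusted_zone_checklist`.
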
Update 2:
ZoneAlarm have a press release with a couple of workarounds here.

Workaround to Sudden Loss of Internet Access Problem

Date Published : 8 July 2008

Date Last Revised : 9 July 2008

Overview : Microsoft Update KB951748 is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.

Impact : Sudden loss of internet access

Platforms Affected : ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite


Recommended Actions -

Download and install the latest versions which solve the loss of internet access problem here:

  • ZoneAlarm Internet Security Suite
  • ZoneAlarm Pro
  • ZoneAlarm Antivirus
  • ZoneAlarm Anti-Spyware
  • ZoneAlarm Basic Firewall
  - or follow the directions below.

    Option 1: Move Internet Zone slider to Medium

    1. Navigate to the "ZoneAlarm Firewall" panel
    2. Click on the "Firewall" tab
    3. Move the "Internet Zone" slider to medium

    Option 2: Uninstall the hotfix

    1. Click the "Start Menu"
    2. Click "Control Panel", or click "Settings" then "Control Panel"
    3. Click on "Add or Remove Programs"
    4. On the top of the add/remove programs dialog box, you should see a checkbox that says "show updates". Select this checkbox
    5. Scroll down until you see "Security update for Windows (KB951748)"
    6. Click "Remove" to uninstall the hotfix


    I must say what is kind of annoying about this whole thing is that ZoneAlarm is owned by Check Point who will definitely have been in on the whole DNS update issue and could have updated the product in a more timely manner. Many users of ZoneAlarm have been left high and dry because they don't have the technical skills to fix this.

    3 comments:

    Unknown said...

    It is not necessary to uninstall the patch, or disable/remove Zonealarm. Simply reset the ZoneAlarm database:

    http://forum.zonelabs.org/zonelabs/board/message?board.id=cfg&message.id=52727

    "To solve this, just reset the ZA database and the ZA will be "fresh" as when it was first installed:


    Boot your computer into the Safe Mode
    Navigate to the c:\windows\internet logs folder
    Delete the backup.rdb, iamdb.rdb, *.ldb and the tvDebug files in the folder
    Clean the Recycle Bin
    Reboot into the normal mode
    ZA will be just like new with no previous settings or data


    Once this is finished, reboot back into the normal mode and in the new network found windows, set the new network to Trusted.
    Then do this to ensure the ZA is setup properly:

    Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc

    1. Go to Run and type in command and hit 'ok', and in the command then type in ipconfig /all then press the enter key. In the returned data list will be a line DNS and DHCP Servers with the IP address(s) listed out to the side. Make sure there is a space between the ipconfig and the /all, and the font is the same (no capitals).
    2. In ZA on your machine on the Firewall, open the Zones tab, click Add and then select IP Address. Make sure the Zone is set to Trusted. Add the DNS IP(s) .
    3. Click OK and Apply. Then do the same for the DHCP server.
    4. The localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) as seen in the Zone Alarm's Program's list must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access."

    Sandi

    ppmoore said...

    I found this blog through a Google search. Many thanks for the comments posted here.

    I tried using the procedure to reset the ZA database in XP safe mode, but it didn't work. However, removing the security patch fixed the problem.

    Paul

    pear said...

    Many thanks to you, kind Dynamoo. Deleting the patch worked for me, too!