Anyone know Zone Alarm settings for Windows Defender?

microman

Yes, I've already tried leaving this question on the Zone Alarm forums but
the Administrator there immediately removed it.

Been running WD under WinXP SP2 for some time. I've configured WD for me to
do manual updates and that function works. But in my ZAFree firewall, I'm not
sure what Program Control settings I should configure for a) WD Command Line
Utility and b) WD User Interface. I refer to the four settings under Access
and Server. Anyone know what these should be?

That said, I'm currently having trouble with MpCmdRun.exe constantly
attempting to make outward connections with all manner of websites I've
visited. I see these listed in ZA's Alerts & Logs. Is this legitimate,
bearing in mind that I get my WD updates manually (via the Help function in
the main WD window)? And yes, I have configured WD itself to get the updates
manually. At present, I've got all these attempted connections blocked in ZA.
Is MpCmdRun.exe trying to discover the IP addresses of those websites, or
what exactly?
 
Bill Sanderson

Something is being reported incorrectly, I suspect.

mpcmdrun should be contacting Microsoft's update servers, or the servers
involved in Spynet reporting, perhaps, and nothing else.

In options, have you turned off the option of checking for definition
updates before running a scheduled scan?

Have you unjoined Spynet (if you had ever joined it?)

I think with these settings changes, mpcmdrun should not be talking to
anything.

I'm still looking for a KB article which I think exists that gives the
servers that it needs to connect to.
 
Kayman

Yes, I've already tried leaving this question on the Zone Alarm forums but
the Administrator there immediately removed it.
Do yourself a favor and uninstall ZA in 'Add or Remove Programs' or use
http://zonealarm.donhoover.net/uninstall.html
If the ZA removal tool doesn't work satisfactorily, use this:
Revo Uninstaller Freeware - Remove unwanted programs and traces
easily
http://www.revouninstaller.com/
and/or
RegSeeker
http://www.hoverdesk.net/freeware.htm
RegSeeker will remove all associated detritus (registry keys,files
and folders) from any application. I found this application user
friendly and very effective but suggest *not* to use the 'Clean the
Registry' option.
Click onto 'Find in registry' and in the 'Search for' box type
*ZA and/or ZoneAlarm*; The pertinent registry keys can then be safely
deleted (just in case, ensure that the 'Backup before deletion' is
checked).
Repeat the task by typing in the 'Search for' box *ZoneAlarm*. You can
then go on search and remove associated files as well.
Then use NTREGOPT to compact the registry; Follow instructions.
http://www.larshederer.homepage.t-online.de/erunt

Activate and utilize the Win XP SP2 built-in Firewall; Uncheck *all*
Programs and Services under the Exception tab.
Read through:
Understanding Windows Firewall.
http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx

Using Windows Firewall.
http://www.microsoft.com/windowsxp/using/networking/security/winfirewall.mspx

In conjunction with WinXP SP2 Firewall use:
Seconfig XP 1.0
http://seconfig.sytes.net/
(http://www.softpedia.com/progDownload/Seconfig-XP-Download-39707.html)
Seconfig XP is able to configure Windows not to use TCP/IP as the transport
protocol for NetBIOS, SMB and RPC, thus leaving TCP/UDP ports 135, 137-139
and 445 (the most exploited Windows networking weak point) closed.

Windows Defender isn't a bad application
http://www.pcworld.com/article/id,136195/article.html
"...Windows Defender did excel in behavior-based protection, which detects
changes to key areas of the system without having to know anything about
the actual threat."

Suggest you focus more on SECURITY instead of 3rd party software!
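A check for the point Kayman makes about ports 135, 137-139 and 445, as an added example (not part of the thread, and not code from Seconfig XP or Microsoft): it lists which of those ports are actually bound, which process owns each socket, whether each Windows Firewall profile is enabled, and which enabled inbound allow rules open one of those ports. It assumes a current Windows with the NetTCPIP and NetSecurity PowerShell modules (Windows 8 / Server 2012 or newer); Windows XP has no PowerShell, so there the equivalent is to read `netstat -ano` by hand.

```powershell
# Added example, not from the thread. Audits the ports Kayman's post names
# (TCP 135, 139, 445 and UDP 137, 138) and the Windows Firewall state.
# Assumes Windows 8 / Server 2012 or newer (NetTCPIP and NetSecurity modules);
# Windows XP has no PowerShell, so there you read "netstat -ano" by hand.

$riskyTcp   = 135, 139, 445
$riskyUdp   = 137, 138
$riskyPorts = @(($riskyTcp + $riskyUdp) | ForEach-Object { [string]$_ })

function Get-OwnerName([int]$ProcessId) {
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { $p.ProcessName } else { "pid $ProcessId" }
}

# Sockets bound on the risky ports, with the owning process.
$tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $riskyTcp -contains $_.LocalPort }
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $riskyUdp -contains $_.LocalPort }

$bound = @($tcp | ForEach-Object {
    [pscustomobject]@{ Proto = 'TCP'; Port = $_.LocalPort; Address = $_.LocalAddress; Owner = Get-OwnerName $_.OwningProcess }
}) + @($udp | ForEach-Object {
    [pscustomobject]@{ Proto = 'UDP'; Port = $_.LocalPort; Address = $_.LocalAddress; Owner = Get-OwnerName $_.OwningProcess }
})

if ($bound.Count -eq 0) {
    'None of TCP 135/139/445 or UDP 137/138 is bound.'
} else {
    # A socket bound only to loopback is not reachable from the LAN; the rest are.
    $bound | Sort-Object Proto, Port |
        Select-Object Proto, Port, Address, Owner,
            @{ n = 'ReachableFromLan'; e = { $_.Address -notin @('127.0.0.1', '::1') } } |
        Format-Table -AutoSize
}

# The firewall is the compensating control for anything that must stay bound:
# every profile should be Enabled with DefaultInboundAction = Block.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction | Format-Table -AutoSize

# Modern equivalent of "uncheck everything on the Exceptions tab": enabled
# inbound allow rules, and which of them open one of the risky ports. Port
# filters that use a range or a keyword (e.g. "RPC") are not expanded here.
$allowIn = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)
"Enabled inbound allow rules: $($allowIn.Count)"
$hits = foreach ($f in ($allowIn | Get-NetFirewallPortFilter)) {
    foreach ($lp in @($f.LocalPort)) {
        if ($riskyPorts -contains $lp) {
            [pscustomobject]@{ Rule = $f.InstanceID; Protocol = $f.Protocol; LocalPort = $lp }
        }
    }
}
$hits | Format-Table -AutoSize
```

Run it from an elevated prompt so the owning process names resolve for services. A TCP 445 listener owned by `System` on a non-loopback address is the normal SMB server; the decision is then whether the firewall profile blocks inbound by default and whether any allow rule in the last table re-opens it.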
 
microman

Bill Sanderson said:
Something is being reported incorrectly, I suspect.

mpcmdrun should be contacting Microsoft's update servers, or the servers
involved in Spynet reporting, perhaps, and nothing else.

In options, have you turned off the option of checking for definition
updates before running a scheduled scan?

Have you unjoined Spynet (if you had ever joined it?)

I think with these settings changes, mpcmdrun should not be talking to
anything.

I'm still looking for a KB article which I think exists that gives the
servers that it needs to connect to.

Bill,

Why should MpCmdRun.exe be trying to contact any Microsoft update servers at
all, since I've always elected to do my updates manually, using the option in
Help? Hmm, I'm beginning to think that I'm assuming something wrongly about
that.

Perhaps there's a subtle thing going on here. I don't opt to have WD do
regular scans, since (again) I do all my scans manually. In Options, this has
left the WD setting "Check for updated definitions before scanning" enabled
but greyed out. So, perhaps what I need to do is temporarily enable
auto-scanning, then untick that "Check for ...." option, then disable
auto-scanning again? I'll give it a try and report back.

Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the whole,
ZA works quite well (when configured properly). I've been using ZA for some
years.

The really pertinent query I have, though, is why MpCmdRun.exe should be
connecting to the various URLs/websites that I see in the ZA log. I've been
Googling those, BTW, and as far as I've been able to tell, they're
trustworthy sites. Could these be genuine attempted connections, concerned
with obtaining the IP address and general signatures of those sites, prior to
connecting to SpyNet? To me, that'd be a key bit of information that'd put my
mind at rest. Please let me know if I'm thinking along the right lines.

Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
from Basic membership to Non-membership, to see if it'd stop the attempted
MpCmdRun connections, but it hasn't. (As far as I could tell, from notes that
I found on WD, you can opt in and out of Basic SpyNet membership. I trust
that's true).

In the meantime, had
 
Bill Sanderson

microman said:
Bill,

Why should MpCmdRun.exe be trying to contact any Microsoft update servers at
all, since I've always elected to do my updates manually, using the option in
Help? Hmm, I'm beginning to think that I'm assuming something wrongly about
that.

Perhaps there's a subtle thing going on here. I don't opt to have WD do
regular scans, since (again) I do all my scans manually. In Options, this has
left the WD setting "Check for updated definitions before scanning" enabled
but greyed out. So, perhaps what I need to do is temporarily enable
auto-scanning, then untick that "Check for ...." option, then disable
auto-scanning again? I'll give it a try and report back.

Perhaps you yourself wouldn't be familiar with Zone Alarm but, on the whole,
ZA works quite well (when configured properly). I've been using ZA for some
years.

The really pertinent query I have, though, is why MpCmdRun.exe should be
connecting to the various URLs/websites that I see in the ZA log. I've been
Googling those, BTW, and as far as I've been able to tell, they're
trustworthy sites. Could these be genuine attempted connections, concerned
with obtaining the IP address and general signatures of those sites, prior to
connecting to SpyNet? To me, that'd be a key bit of information that'd put my
mind at rest. Please let me know if I'm thinking along the right lines.

Meantime, I did some mugging up on SpyNet and have now reconfigured my WD
from Basic membership to Non-membership, to see if it'd stop the attempted
MpCmdRun connections, but it hasn't. (As far as I could tell, from notes that
I found on WD, you can opt in and out of Basic SpyNet membership. I trust
that's true).

In the meantime, had

I quite agree that I see no reason either why mpcmdrun should attempt to
connect to a non-Microsoft site, or even a Microsoft site if you are not
doing scheduled scans, and have not joined Spynet. I'm quite certain that
it does not do any form of analysis of web sites visited, etc. That's why I
suggested that something is being mis-reported. I have a very distant
memory of some issue like this from the beta, but far too distant to recall
how we resolved what was really happening.

Are you running both the Microsoft Firewall and Zone Alarm, by any chance?
If so, try turning off the Microsoft Firewall.
 
microman

Bill Sanderson said:
I quite agree that I see no reason either why mpcmdrun should attempt to
connect to a non-Microsoft site, or even a Microsoft site if you are not
doing scheduled scans, and have not joined Spynet. I'm quite certain that
it does not do any form of analysis of web sites visited, etc. That's why I
suggested that something is being mis-reported. I have a very distant
memory of some issue like this from the beta, but far too distant to recall
how we resolved what was really happening.

Are you running both the Microsoft Firewall and Zone Alarm, by any chance?
If so, try turning off the Microsoft Firewall.

No, definitely not. Never have done. I check in XP's Security Centre from
time to time. I think ZA would object if two software firewalls tried to
operate.

In one or two googles I've done, some people have suggested that MpCmdRun
should be enabled in any firewall regardless. However, with my ZA saying that
it's trying to connect with a whole variety of websites/URLs, I'm not keen
to do that unless and until I can find out exactly how WD is meant to work in
this respect.

In the Join MS SpyNet part of WD, under Basic membership, it does say this:

"WD sends basic information to MS about software it detects, including where
it came from, and actions that you apply .....".
 
microman

microman said:
No, definitely not. Never have done. I check in XP's Security Centre from
time to time. I think ZA would object if two software firewalls tried to
operate.

In one or two googles I've done, some people have suggested that MpCmdRun
should be enabled in any firewall regardless. However, with my ZA saying that
it's trying to connect with a whole variety of websites/URLs, I'm not keen
to do that unless and until I can find out exactly how WD is meant to work in
this respect.

In the Join MS SpyNet part of WD, under Basic membership, it does say this:

"WD sends basic information to MS about software it detects, including where
it came from, and actions that you apply .....".


Bill,

I've changed that Option setting in WD and have monitored MpCmdRun.exe in
ZA. Unfortunately, it's not made any difference at all. MpCmdRun has,
according to ZA, made attempts to connect with the few websites that I've
just visited in the last 10 minutes or so - actually three websites, of which
ZA fully identifies one but leaves the other two blank.

Like I say, I want to know what's going on here. Why is MpCmdRun attempting
to connect with these sites?
 
Bill Sanderson

microman said:
No, definitely not. Never have done. I check in XP's Security Centre from
time to time. I think ZA would object if two software firewalls tried to
operate.

In one or two googles I've done, some people have suggested that MpCmdRun
should be enabled in any firewall regardless. However, with my ZA saying that
it's trying to connect with a whole variety of websites/URLs, I'm not keen
to do that unless and until I can find out exactly how WD is meant to work in
this respect.

In the Join MS SpyNet part of WD, under Basic membership, it does say this:

"WD sends basic information to MS about software it detects, including where
it came from, and actions that you apply .....".

WD does send information about detections and the users choices in relation
to detections, but only when you join SpyNet. So--with that unchecked, I
think it should not be connecting out, but I might be missing something--this is
puzzling: It shouldn't be active at all, I'd think, and it definitely
shouldn't be trying to connect to random web sites.

If I get some time later tonight, which I may not, I'm afraid--I'll see if
by digging onto the privacy links or KB articles, there's any further
description of the interactions involved--sometimes there's a good bit of
detail if you click on the privacy links.
 
microman

Bill Sanderson said:
WD does send information about detections and the users choices in relation
to detections, but only when you join SpyNet. So--with that unchecked, I
think it should not be connecting out, but I might be missing something--this is
puzzling: It shouldn't be active at all, I'd think, and it definitely
shouldn't be trying to connect to random web sites.

If I get some time later tonight, which I may not, I'm afraid--I'll see if
by digging onto the privacy links or KB articles, there's any further
description of the interactions involved--sometimes there's a good bit of
detail if you click on the privacy links.

Bill,

Yes, I'd be grateful if you could dig deeper on this. I myself have already
done some searches of KB articles but have not turned up anything that refers
to this particular problem.

This morning I've had three more attempted outgoing connections by MpCmdRun
- one to an unspecified DNS, one to vwrpx2.Ihr.xpc-mii.net, and the other to
980707.websites.xs4all. I tried googling those addresses but came up with
zilch. Some destinations that get listed against MpCmdRun are genuine
websites but there are quite a few where they appear to be unknowns, like the
two I've mentioned.

I've naturally wondered whether my MpCmdRun.exe might have been hijacked by
some sort of intrusion but I've done a search on my machine for that program
and the only place it's residing is where it should be, in Program
Files\Windows Defender. I've also scanned my PC with WD itself and with my
antivirus client, both of which I update manually but nonetheless keep bang
up-to-date, and found nothing untoward.

This strange behaviour by MpCmdRun could, I suppose, be due to a shortcoming
in ZA, rather than in the exe itself attempting to make external connections.
However, there's no way of knowing that.

ZA blocks these outward connections, except in the case where I'm doing a
manual update of WD definitions. I'm not to know, however, if there might be
other outward connections taking place that are not shown.

In other respects of general usage of my PC, I've not noticed any peculiar
behaviour (slowdowns or changes to webpages) but my router has logged a
couple of TCP Port Scan attempted intrusions and several dozens of UDP Null
Port attempted intrusions. However, those might have accrued over several
months and are probably regarded, anyway, as just 'background noise' at the
WAN interface.
 
microman

microman said:
Bill,

Yes, I'd be grateful if you could dig deeper on this. I myself have already
done some searches of KB articles but have not turned up anything that refers
to this particular problem.

This morning I've had three more attempted outgoing connections by MpCmdRun
- one to an unspecified DNS, one to vwrpx2.Ihr.xpc-mii.net, and the other to
980707.websites.xs4all. I tried googling those addresses but came up with
zilch. Some destinations that get listed against MpCmdRun are genuine
websites but there are quite a few where they appear to be unknowns, like the
two I've mentioned.

I've naturally wondered whether my MpCmdRun.exe might have been hijacked by
some sort of intrusion but I've done a search on my machine for that program
and the only place it's residing is where it should be, in Program
Files\Windows Defender. I've also scanned my PC with WD itself and with my
antivirus client, both of which I update manually but nonetheless keep bang
up-to-date, and found nothing untoward.

This strange behaviour by MpCmdRun could, I suppose, be due to a shortcoming
in ZA, rather than in the exe itself attempting to make external connections.
However, there's no way of knowing that.

ZA blocks these outward connections, except in the case where I'm doing a
manual update of WD definitions. I'm not to know, however, if there might be
other outward connections taking place that are not shown.

In other respects of general usage of my PC, I've not noticed any peculiar
behaviour (slowdowns or changes to webpages) but my router has logged a
couple of TCP Port Scan attempted intrusions and several dozens of UDP Null
Port attempted intrusions. However, those might have accrued over several
months and are probably regarded, anyway, as just 'background noise' at the
WAN interface.

Bill,

I don't know if this gives us a clue or not but I've discovered that if I
expose all protected OS files in Windows Explorer, then I see some 35
instances of the inclusion of MpCmdRun.exe. In other words, MpCmdRun.exe is
actually where it normally should be, in C:\Program Files\Windows Defender,
but it's also in C:\Windows\Prefetch and is also part of a file called
MPCMDRUN.EXE-177DBF1A.pf. Further, it appears in several different guises in
temporary Internet files, in Docs & Settings.

I've no idea what the Prefetch folder normally does, or why MpCmdRun should
be referenced throughout all my Internet sessions via the Temporary Internet
files - but perhaps you do!
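The two worries in the last two posts, that MpCmdRun.exe might have been hijacked and that it seems to appear in many places, can be settled with one check. This is an added example, not code from the thread or from Microsoft: it finds every MpCmdRun.exe on the system drive, verifies its Authenticode signature and records its SHA-256, and reports whether it sits in an expected folder. Prefetch `.pf` entries are counted separately because they are launch records Windows writes, not copies of the program; only `*.exe` files are treated as candidate binaries. It assumes PowerShell 4 or newer (for `Get-FileHash`); the `Program Files\Windows Defender` path is the one the thread names, and the `ProgramData ...\Platform` folder is an assumption about where current Defender builds are kept.

```powershell
# Added example, not from the thread. Finds every MpCmdRun.exe on the system
# drive, checks its Authenticode signature and SHA-256, and reports whether it
# sits in an expected location. Prefetch (.pf) entries are counted separately:
# they are launch metadata Windows writes, not copies of the program.
# Assumes PowerShell 4 or newer (Get-FileHash). The Platform folder below is an
# assumption about where current Defender builds live; the Program Files path
# is the one the thread names.

$expectedDirs = @(
    (Join-Path $env:ProgramFiles 'Windows Defender'),
    (Join-Path $env:ProgramData 'Microsoft\Windows Defender\Platform')
)

$root = $env:SystemDrive + '\'
$exes = @(Get-ChildItem -Path $root -Filter 'MpCmdRun.exe' -File -Recurse -Force -ErrorAction SilentlyContinue)
$pf   = @(Get-ChildItem -Path (Join-Path $env:SystemRoot 'Prefetch') -Filter 'MPCMDRUN.EXE-*.pf' -ErrorAction SilentlyContinue)

"MpCmdRun.exe binaries: $($exes.Count); Prefetch entries: $($pf.Count)"

$report = foreach ($exe in $exes) {
    $sig    = Get-AuthenticodeSignature -FilePath $exe.FullName
    $hash   = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $known  = [bool]($expectedDirs | Where-Object { $exe.DirectoryName -like "$_*" })

    # Order matters: an invalid or non-Microsoft signature is the finding, the
    # folder is only a secondary signal.
    $verdict = if ($sig.Status -ne 'Valid') { "SUSPECT: signature $($sig.Status)" }
               elseif ($signer -notmatch 'O=Microsoft Corporation') { "SUSPECT: signed by $signer" }
               elseif (-not $known) { 'Microsoft-signed, but in an unexpected folder' }
               else { 'OK' }

    [pscustomobject]@{
        Path     = $exe.FullName
        Version  = $exe.VersionInfo.ProductVersion
        SHA256   = $hash
        SigState = $sig.Status
        Verdict  = $verdict
    }
}

$report | Format-List

# More than one distinct hash means more than one build is present; that is
# worth explaining (an older copy left behind by a platform update) or
# investigating (a copy that is not what it claims to be).
$distinct = @($report | Select-Object -ExpandProperty SHA256 -Unique).Count
"Distinct builds on disk: $distinct"
```

A `Valid` signature from `O=Microsoft Corporation` in an expected folder is the outcome that rules out the hijack theory; `HashMismatch` or `NotSigned` on any copy is the one result that should stop the firewall tuning and start an incident. Searching Temporary Internet Files for the string "MpCmdRun" finds text hits, not binaries, which is why the script ignores anything that is not an `.exe`.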
 
Stu

Sorry to `chip in` here. But I was trolling thru some MS sites the other day
and was surprised to see a reference to the fact that, among other things, WD
does interact with certain MS sites to check if you are running genuine
Windows software - among other things this included MS Office as well as the
OS itself. Why would they do that if validation is required before
downloading and installing? Is this a double safety check for authentic
software?

I run ZA Pro but have never seen any references such as described in its log
file.

Stu
 
microman

Stu said:
Sorry to `chip in` here. But I was trolling thru some MS sites the other day
and was surprised to see a reference to the fact that, among other things, WD
does interact with certain MS sites to check if you are running genuine
Windows software - among other things this included MS Office as well as the
OS itself. Why would they do that if validation is required before
downloading and installing? Is this a double safety check for authentic
software?

I run ZA Pro but have never seen any references such as described in its log
file.

Stu

Stu,

Thanks for your input. I'm running the Free version of ZA, the 6.1 version.
I've been using it for what seems like years and have never really had a
problem with it till now, with this Windows Defender process. There are
probably some differences in the way that ZA Pro treats and presents
server/access in Program Control.

Note that ZA Free lists two Defender processes in Program Control - WD
Command Line Utility and WD User Interface. The Interface seems to work fine,
it's the CL Utility (MpCmdRun.exe) that's giving the problem.

Why, in any event, should a process that, by its very name and which would
normally be user-driven at a command-line prompt, be always trying to connect
to a website or other URL?

According to what I see in Alerts & Logs in ZA, MpCmdRun definitely makes
attempts to connect with websites, mostly non-Microsoft websites. As far as I
can tell, they're genuine websites - like, I see that a few minutes ago it
tried to connect with the website of my electricity supplier, which a moment
before I'd visited.

One thing I'm going to try is to put all the settings for WD CL Utility in
Program Control to question-mark status. At present, I set them all initially
to blocked (crosses). Then, when a pop-up occurs, respond by Denying access
and asking it to remember that setting. Maybe ZA Free doesn't register the
settings unless you go through the Deny/Allow pop-up process. I've already
dealt with it just now, asking for Internet Access.

Perhaps my denying WD CL Utility any access to the Internet is wrong.
Perhaps it is quite necessary for WD to occasionally connect with Microsoft
behind the scenes but, given that it's instead trying to connect with many of
the websites I visit, I think it's best that I block all such access.
 
microman

microman said:
Stu,

Thanks for your input. I'm running the Free version of ZA, the 6.1 version.
I've been using it for what seems like years and have never really had a
problem with it till now, with this Windows Defender process. There are
probably some differences in the way that ZA Pro treats and presents
server/access in Program Control.

Note that ZA Free lists two Defender processes in Program Control - WD
Command Line Utility and WD User Interface. The Interface seems to work fine,
it's the CL Utility (MpCmdRun.exe) that's giving the problem.

Why, in any event, should a process that, by its very name and which would
normally be user-driven at a command-line prompt, be always trying to connect
to a website or other URL?

According to what I see in Alerts & Logs in ZA, MpCmdRun definitely makes
attempts to connect with websites, mostly non-Microsoft websites. As far as I
can tell, they're genuine websites - like, I see that a few minutes ago it
tried to connect with the website of my electricity supplier, which a moment
before I'd visited.

One thing I'm going to try is to put all the settings for WD CL Utility in
Program Control to question-mark status. At present, I set them all initially
to blocked (crosses). Then, when a pop-up occurs, respond by Denying access
and asking it to remember that setting. Maybe ZA Free doesn't register the
settings unless you go through the Deny/Allow pop-up process. I've already
dealt with it just now, asking for Internet Access.

Perhaps my denying WD CL Utility any access to the Internet is wrong.
Perhaps it is quite necessary for WD to occasionally connect with Microsoft
behind the scenes but, given that it's instead trying to connect with many of
the websites I visit, I think it's best that I block all such access.


Bill, Stu and others,

I think I've finally found a solution to this problem, though I still can't
vouch for Windows Defender attempting to make those connections.

My little test, mentioned above, seems to have done the trick. It seems that
you can't simply rely on just plonking crosses (blocks to the outward
connections) in the Program Control table of ZA, you have to do it by
inserting question-marks in all four categories in the table and then waiting
for a Windows Defender pop-up to occur. If you then Deny the connection, the
cross will then get automatically put into the table (something I already
appreciated) but, more importantly, ZA does not then flag the attempted
outward connection and put it into its Alerts & Logs list. With most
programs, you can just insert crosses manually into the table but it seems
that, with a few, that's not good enough. The connections will still be
blocked but ZA will continually flag them and insert them into Alerts & Logs.

Anyway, I use the question-mark method and, sure enough, WD CL Utility very
soon attempted to make an Internet connection. In the pop-up, I denied it and
asked it to remember that. Since then, I've cleared the list in Alerts & Logs
and no further alerts have appeared there. Well, so far, anyway!

This doesn't mean that WD CL Utility is no longer making those attempts,
though; it just means that ZA is not flagging them up. In Program Control,
Trusted Access is still left question-marked, as is Trusted Server, and so
I'll also deal with those in a similar manner if WD CL Utility also causes a
pop-up alert for those.

It's still a complete mystery, though, as to why WD CL Utility (MpCmdRun)
should be making those outward attempted connections at all ...... whoops,
there's the pop-up for WD CL Utility again, this time asking for permission
to access my Trusted Zone.

As far as I'm aware, WD (as an overall program) should not be constantly
trying to connect with any Microsoft sites and especially not other sites.
I've got automatic scheduling of scanning disabled and I do all WD scanning
manually. I also check for updated definitions manually (that uses the WD
User Interface, with which there's no problem).

So, Bill, I'm inclined to think there's a quite serious bug in WD, in the CL
part of it, that causes constant and unwarranted outward connections.

As an aside, in WD, there's no explanation whatever of WD CL Utility - what
it is exactly, what it does, and how to use it. As I say, I've always assumed
that it's a non-GUI function, something that the user would instigate via a
command prompt.
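The post above asks what WD CL Utility actually is and why it runs when nobody is at a command prompt. Two facts answer that and can be checked directly: MpCmdRun.exe is launched by scheduled tasks and by the Defender service, and while it runs its sockets are attributable to its process ID. This is an added example, not code from the thread or from Microsoft, that lists every scheduled task whose action is MpCmdRun.exe (with arguments and last/next run), and for each live instance shows its parent process, command line and established TCP connections with the remote name resolved. It assumes Windows 8 / Server 2012 or newer (`Get-ScheduledTask`, `Get-NetTCPConnection`) and an elevated prompt, since the service-started copy runs as SYSTEM; the task filter is generic and matches any task that runs that binary.

```powershell
# Added example, not from the thread. Shows what starts MpCmdRun.exe when no
# one is at a command prompt, and what it is connected to while it runs.
# Assumes Windows 8 / Server 2012 or newer (Get-ScheduledTask,
# Get-NetTCPConnection) and an elevated prompt, since Defender's copy runs
# as SYSTEM. The task filter is generic: any task whose action is MpCmdRun.exe.

# 1. Scheduled tasks whose action runs MpCmdRun.exe, with arguments and timing.
$tasks = Get-ScheduledTask | Where-Object {
    @($_.Actions | Where-Object { $_.Execute -like '*MpCmdRun.exe*' }).Count -gt 0
}
foreach ($t in $tasks) {
    $info = $t | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task      = $t.TaskPath + $t.TaskName
        State     = $t.State
        Arguments = (@($t.Actions | ForEach-Object { $_.Arguments }) -join ' ')
        LastRun   = $info.LastRunTime
        NextRun   = $info.NextRunTime
    }
}

# 2. Live instances: who the parent is, what the command line was, and every
#    established TCP connection, with the remote name resolved so it can be
#    judged (Microsoft's update hosts versus anything else).
$live = @(Get-CimInstance Win32_Process -Filter "Name = 'MpCmdRun.exe'")
if ($live.Count -eq 0) {
    'MpCmdRun.exe is not running now; re-run during a scan or a signature update.'
}
foreach ($p in $live) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    $conns  = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' -and $_.RemoteAddress -notin @('0.0.0.0', '::') }
    $remotes = foreach ($c in $conns) {
        # Reverse lookup can fail or be slow; never let it abort the report.
        $name = try { [System.Net.Dns]::GetHostEntry($c.RemoteAddress).HostName } catch { '<no PTR>' }
        "$($c.RemoteAddress):$($c.RemotePort) ($name, $($c.State))"
    }
    [pscustomobject]@{
        Pid         = $p.ProcessId
        Parent      = if ($parent) { "$($parent.Name) [$($parent.ProcessId)]" } else { "<exited> [$($p.ParentProcessId)]" }
        CommandLine = $p.CommandLine
        Connections = if ($remotes) { $remotes -join '; ' } else { '<none>' }
    }
}
```

The task list explains the "user-driven at a command prompt" assumption: the same executable is the scan and update engine the scheduler calls. The connection list is the direct evidence the thread lacks, because it comes from the socket table rather than from a host firewall's attribution of DNS lookups to a process; a destination that is not a Microsoft host here, rather than in the ZA log, would be worth escalating.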
 
microman

microman said:
Bill, Stu and others,

I think I've finally found a solution to this problem, though I still can't
vouch for Windows Defender attempting to make those connections.

My little test, mentioned above, seems to have done the trick. It seems that
you can't simply rely on just plonking crosses (blocks to the outward
connections) in the Program Control table of ZA, you have to do it by
inserting question-marks in all four categories in the table and then waiting
for a Windows Defender pop-up to occur. If you then Deny the connection, the
cross will then get automatically put into the table (something I already
appreciated) but, more importantly, ZA does not then flag the attempted
outward connection and put it into its Alerts & Logs list. With most
programs, you can just insert crosses manually into the table but it seems
that, with a few, that's not good enough. The connections will still be
blocked but ZA will continually flag them and insert them into Alerts & Logs.

Anyway, I use the question-mark method and, sure enough, WD CL Utility very
soon attempted to make an Internet connection. In the pop-up, I denied it and
asked it to remember that. Since then, I've cleared the list in Alerts & Logs
and no further alerts have appeared there. Well, so far, anyway!

This doesn't mean that WD CL Utility is no longer making those attempts,
though; it just means that ZA is not flagging them up. In Program Control,
Trusted Access is still left question-marked, as is Trusted Server, and so
I'll also deal with those in a similar manner if WD CL Utility also causes a
pop-up alert for those.

It's still a complete mystery, though, as to why WD CL Utility (MpCmdRun)
should be making those outward attempted connections at all ...... whoops,
there's the pop-up for WD CL Utility again, this time asking for permission
to access my Trusted Zone.

As far as I'm aware, WD (as an overall program) should not be constantly
trying to connect with any Microsoft sites and especially not other sites.
I've got automatic scheduling of scanning disabled and I do all WD scanning
manually. I also check for updated definitions manually (that uses the WD
User Interface, with which there's no problem).

So, Bill, I'm inclined to think there's a quite serious bug in WD, in the CL
part of it, that causes constant and unwarranted outward connections.

As an aside, in WD, there's no explanation whatever of WD CL Utility - what
it is exactly, what it does, and how to use it. As I say, I've always assumed
that it's a non-GUI function, something that the user would instigate via a
command prompt.

Bill, Stu,

HECK, NO, IT'S STILL DOING IT. I SPOKE TOO SOON.

Yup, just seen two instances of it in Alerts & Logs - one to a destination
DNS that's not identified and the other to a destination DNS called
a1815.g.akamai (84.53.177.17.53) - whatever that is! Both blocked, of course.

Aaaaargh!
 
microman

microman said:
Bill, Stu,

HECK, NO, IT'S STILL DOING IT. I SPOKE TOO SOON.

Yup, just seen two instances of it in Alerts & Logs - one to a destination
DNS that's not identified and the other to a destination DNS called
a1815.g.akamai (84.53.177.17.53) - whatever that is! Both blocked, of course.

Aaaaargh!


Apparently, that akamai site is used by Zonelabs to deliver ZA program
updates and antivirus updates. Well, my ZA Free doesn't incorporate
antivirus; I use something separate for that. And I don't automatically get
ZA program updates; if I want to update ZA Free, I do it manually.

From what I've since read in the various forums at Zonelabs, the newer and
fuller versions of ZA incorporate some undesirable functions that work behind
the user's back. Some would regard it as spyware. My old Free version isn't
supposed to be as afflicted. In effect, the fuller and newer versions of ZA
have themselves become spyware. Others say that Microsoft is also indulging
in similar things, with many of its programs. Thus, that might account for
why MpCmdRun.exe is constantly trying to connect with the Internet, though
what's so odd is that most of the time it's with websites I've just visited.
Why, in heaven's name? And virtually all browsers seem to be going this way
now - themselves incorporating 'phoning home' processes that take place in
the background, without the user's knowledge. It's enough to make you want to
switch to Linux!
 
