Cleaning ZoneAlarm program control

An annoying feature of ZoneAlarm is that it accumulates, under the program control panel, lots of programs which no longer exist on your computer (including installers, programs started from %TEMP% and many others which may never appear again). In turn, the firewall appears to get slower and, certainly, the program list becomes so cluttered that it is impossible to see what is important and what is not.

For this reason, I wrote a small zastrip script; it can be run under cygwin following the steps below:

  • Double click on the ZA icon
  • Go to Overview -> Preferences. Under the "Backup and Restore Security Settings", use Backup and give the file a name (let us say the name is ZA-Setup.xml)
  • Open a cygwin shell and go in the directory where you saved ZA-Setup.xml
  • Execute the command % zastrip ZA-Setup.xml ZA-Setup-new.xml; a new, cleaned-up XML file is created.
  • Go back to the ZoneAlarm window, use "Restore" and choose the file ZA-Setup-new.xml ... and voilà! A clean entry list is now loaded.

Note a few options:

  1. If you set the ZADEEPCLEAN environment variable beforehand (under csh, use % setenv ZADEEPCLEAN 1), zastrip will also clean up several other Windows processes that tend to accumulate in the ZA configuration. However, this removes all such entries, so you may then need to re-assess the security access for those programs.
  2. If you have indexed your files under cygwin using updatedb and can use the locate command, you may also set the ZAUSELOCATE environment variable. This option may however not be what you want: if a program is found by name (whatever its location), zastrip will then not remove the entry.

The code follows; feel free to send me comments and suggestions.

---------------------- cut here ---------------------------->

#!/usr/local/bin/perl
#
# (c) J.Lauret 2005 - 2010, GPL
# Clean up the ZA configuration file dumped into XML, i.e.
# - removes entries where everything is still "ask" (no use)
# - removes commonly repeated entries (CMD etc ...)
# - possibly removes other frequent entries (define ZADEEPCLEAN)
# - possibly uses the locate DB to make a deeper clean (define ZAUSELOCATE)
#
# Usage: zastrip ZA-Setup.xml [ZA-Setup-new.xml]
#
use strict;
use warnings;

unlink(glob("/tmp/zastrip*.log"));

if ( @ARGV == 0 ){
        die "First argument must be a ZoneAlarm backup file name\n";
}

open(FI, "<", $ARGV[0])             || die "Could not open input  [$ARGV[0]]\n";
my $filout = $ARGV[1] || "$ARGV[0]-tmp";
open(FO, ">", $filout)              || die "Could not open output [$filout]\n";
open(FF, ">", "/tmp/zastrip$$.log") || die "Could not open log file\n";

# Programs whose entries are always dropped. Keys are bare file names,
# compared both as written and upper-cased.
my %ELIMINATE;
$ELIMINATE{"CMD.EXE"}      = 1;
$ELIMINATE{"TASKMGR.EXE"}  = 1;
$ELIMINATE{"WINLOGON.EXE"} = 1;
$ELIMINATE{"savedump.exe"} = 1;
$ELIMINATE{"AOLDIAL.EXE"}  = 1;
$ELIMINATE{"IEXPLORE.EXE"} = 1;
$ELIMINATE{"EXPLORER.EXE"} = 1;
$ELIMINATE{"USERINIT.EXE"} = 1;
$ELIMINATE{"AT.EXE"}       = 1;
$ELIMINATE{"RUNONCE.EXE"}  = 1;
$ELIMINATE{"dllhost.exe"}  = 1;
$ELIMINATE{"AOL.EXE"}      = 1;
$ELIMINATE{"AOLDial.exe"}  = 1;

if ( defined($ENV{ZADEEPCLEAN}) ){
  $ELIMINATE{"TRILLIAN.EXE"} = 1;
  $ELIMINATE{"MSIMN.EXE"}    = 1;
  $ELIMINATE{"YPAGER.EXE"}   = 1;
  $ELIMINATE{"AIM.EXE"}      = 1;
  $ELIMINATE{"ICQLITE.EXE"}  = 1;
  $ELIMINATE{"MSMSGS.EXE"}   = 1;
  $ELIMINATE{"MANTISPM.EXE"} = 1;
  $ELIMINATE{"CTFMON.EXE"}   = 1;
  $ELIMINATE{"DUMPREP.EXE"}  = 1;
  $ELIMINATE{"IEXPLORER.EXE"}= 1;
  $ELIMINATE{"EXCEL.EXE"}    = 1;
  $ELIMINATE{"OUTLOOK.EXE"}  = 1;
  $ELIMINATE{"POWERPNT.EXE"} = 1;
  $ELIMINATE{"WINWORD.EXE"}  = 1;
}

#+
# The above makes lots of entries. Please, read the note
#-
# DO NOT include this if you had set accept/deny rules based on
# explorer launching apps
# $ELIMINATE{"iexplorer.exe"}= 1;

my %SCANNED;          # locate results, cached per (upper-cased) program name
my $take = 1;         # 0 => current <program> block dropped by name or location
my $OK   = 1;         # 0 => current <program> block dropped by the other rules
my ($line, $prgm, $cntrl);

while ( defined($line = <FI>) ){
    if ( $line =~ /(<program path=)(.*)(action=)(.*)/ ){
        $prgm = $2;
        $cntrl= $4;

        # strip the surrounding double quotes from the path
        $prgm =~ s/(^")(.*)(".*$)/$2/;

        if ( defined($ELIMINATE{$prgm})        ||
             defined($ELIMINATE{uc($prgm)})    ||
             $prgm =~ m/windowsxp-kb/i         ||
             $prgm =~ m/underway/i             ||  # this is a personal dir
             $prgm =~ m/Documents\\Packages/i  ||  # this is where packages are downloaded
             $prgm =~ m/Packages\\Evaluation/i ||  # this is where evaluation packages are located
             $prgm =~ m/\\Temp/i               ||  # this is OK for ANY Windows user
             $prgm =~ m/unins000.exe/i                ){  # lots of those too can be eliminated (run once)
            $take = 0;
        } else {
            if ( $prgm !~ m/\\/ && defined($ENV{ZAUSELOCATE}) ){
                # We can use locate to find programs which are not
                # referenced by a path and see if they exist or not,
                # but this assumes you have run an updatedb first ...
                if ( ! defined($SCANNED{uc($prgm)}) ){
                  # List-form open: the program name is passed to locate as
                  # a single argument, so spaces or shell metacharacters in
                  # a config entry cannot alter the command.
                  my @hits;
                  if ( open(my $loc, "-|", "/usr/bin/locate", "-i", $prgm) ){
                      chomp(@hits = <$loc>);
                      close($loc);
                  }
                  my $res = join("\n", @hits);
                  if ($res eq ""){
                    print FF "Would eliminate [$prgm]\n";
                  } else {
                    print FF "Matched [$prgm] [$res]\n";
                  }
                  $SCANNED{uc($prgm)} = $res;
                }
                $OK = 0 if ($SCANNED{uc($prgm)} eq "");
            }
            if ( ! -e $prgm && $prgm =~ m/[CDEF]:\\/i){
                # Eliminate programs which are not found but referred
                # to as C:\, D:\, ... programs. E:\ for example (typical CD
                # drive) would be removed.
                $OK = 0;
            } elsif ( $cntrl =~ m/allowTrusted=\"ask\"/        &&
                      $cntrl =~ m/allowTrustedServer=\"ask\"/  &&
                      $cntrl =~ m/allowInternet=\"ask\"/       &&
                      $cntrl =~ m/allowInternetServer=\"ask\"/ &&
                      $cntrl =~ m/sendMailPermission=\"ask\"/  &&
                      $cntrl !~ m/appsec=\"kill\"/             ){
              # Eliminate it too, nothing special as all is "ask"
              # and kept forever (an explicit kill rule is preserved)
              $OK = 0;
            }
            print FF "$OK $prgm\n";
        }
    }
    if ( $take && $OK ){
        print FO $line;
    }
    # every time we meet this line, we need to restore both flags
    # because the relevant lines are by block (not line by line)
    if ($line =~ m/<\/program>/){
        $OK   = 1;
        $take = 1;
    }
}

#
# For reference, the other attributes seen on a <program> entry:
#
# pathNameOnly="false" passLock="false"
# moduleCheck="true" privacy="false" ctflt="false"
# trustedParent="ask" enableOpenProcess="ask"
# skimpChecksum="11c0acf9-1de00359-0aa43999-3b716aa8"
#
# omp="true" hideBeforeUse="false" isSystemFile="false"
# alertOnBlock="true" permSource="unknown" desiredSource="remote"
# netAccessed="true" TTL="900" appsec="AskSD" programObservation="2147483648">
#
close(FI);
close(FO);
close(FF);

<-------------------------------------------------------------
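As an added example (not part of the original script), the same decision rules as zastrip applied with a real XML parser in Python, so that each <program> element is judged as a whole instead of line by line with block flags. The sample backup and the attribute layout are constructed and simplified, only a subset of the elimination table is used, and the file-existence check is injected so the code runs away from the Windows box that owns the paths.

```python
import xml.etree.ElementTree as ET
# Subset of the page's ELIMINATE table (matched on the bare file name) and
# the path fragments the script treats as throw-away locations.
ELIMINATE = {"CMD.EXE", "TASKMGR.EXE", "EXPLORER.EXE", "USERINIT.EXE"}
JUNK_DIRS = ("\\temp\\", "\\documents\\packages\\")
# Permission attributes that, when all still "ask", mean nothing was ever decided.
ASK_ATTRS = ("allowTrusted", "allowTrustedServer", "allowInternet",
             "allowInternetServer", "sendMailPermission")

def keep_program(prog, exists):
    """Judge one <program> element; exists(path) -> bool is injected so the
    check can be run off the Windows box that owns the paths."""
    path = prog.get("path", "")
    name = path.rsplit("\\", 1)[-1]
    if name.upper() in ELIMINATE:
        return False, "on elimination list"
    if any(frag in path.lower() for frag in JUNK_DIRS):
        return False, "temporary location"
    if path[1:3] == ":\\" and not exists(path):
        return False, "file no longer exists"
    # Still "ask" everywhere and no explicit kill rule: nothing worth keeping.
    if all(prog.get(a) == "ask" for a in ASK_ATTRS) and prog.get("appsec") != "kill":
        return False, "all permissions still ask"
    return True, "keep"

def strip_backup(xml_text, exists):
    """Return (cleaned XML text, [(path, reason), ...]) for a backup dump."""
    root = ET.fromstring(xml_text)
    removed = []
    for parent in list(root.iter()):   # snapshot the tree: we mutate it below
        for prog in parent.findall("program"):
            keep, why = keep_program(prog, exists)
            if not keep:
                parent.remove(prog)
                removed.append((prog.get("path"), why))
    return ET.tostring(root, encoding="unicode"), removed

# Constructed, simplified sample (not a real ZoneAlarm dump).
DECIDED = ('allowTrusted="allow" allowTrustedServer="deny" allowInternet="allow" '
           'allowInternetServer="deny" sendMailPermission="deny" appsec="normal"')
ALL_ASK = " ".join(f'{a}="ask"' for a in ASK_ATTRS)
SAMPLE = f"""<zasettings><programs>
<program path="C:\\WINDOWS\\system32\\CMD.EXE" {DECIDED}/>
<program path="C:\\Program Files\\Mozilla Firefox\\firefox.exe" {DECIDED}/>
<program path="C:\\Temp\\setup_123.exe" {DECIDED}/>
<program path="D:\\Setup\\install.exe" {ALL_ASK} appsec="normal"/>
<program path="C:\\Tools\\oldtool.exe" {ALL_ASK} appsec="normal"/>
<program path="C:\\Tools\\suspect.exe" {ALL_ASK} appsec="kill"/>
</programs></zasettings>"""
```

Calling strip_backup(SAMPLE, exists=lambda p: "install.exe" not in p) drops CMD.EXE, the %TEMP% installer, the missing D:\ program and the never-decided entry, while the entry carrying appsec="kill" survives even though all its permissions are "ask".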