Understanding OSFirewall Alerts

OSFirewall alerts appear when programs or processes on your computer try to change the OS settings or the Internet Explorer settings. Some of the alerts require your response; some do not. For the alerts that require your response, if you are not sure whether to allow or to deny the action, click More Info in the alert box. This opens a web page that shows SmartDefense Advisor information for this alert, which can help you decide how to respond to it.

There are three types of OSFirewall alerts:

  • Malicious - shown when ZoneAlarm software detects a known virus, worm, trojan, or other malware. These alerts do not require a response from you.
  • Medium-rated Suspicious - shown when a trusted program tries to change the default behavior of another program. A typical example is a program that tries to change the Internet Explorer search page. Medium-rated Suspicious alerts require that you respond with Allow or Deny. See the table below for help with the response.

    Detected behavior | What it means and how to respond
    --- | ---
    Modification of the startup directory | A program tries to set itself to run each time your computer starts. Unless you are installing this program, or are fully aware of it, you should deny this action, since it can be spyware.
    Modification of browser search defaults | A program tries to change the Internet Explorer search settings. Unless you want to change those yourself, you should deny this action.
    Unloading of driver | A program tries to unload a driver of another program. There is no legitimate reason for this action, and you should deny it.
  • High-rated Suspicious - shown when a program tries to perform an action that can be dangerous. Access to the disk that bypasses the file system is one example of high-rated suspicious behavior. These alerts require you to respond with Allow or Deny. See the table below for help with the response.

    Detected behavior | What it means and how to respond
    --- | ---
    Modification of program | A program tries to change another program, possibly to prevent it from running, or tries to run product updates. Unless you are upgrading your product, deny this action.
    Accessing system registry | The process is trying to modify registry entries. Deny this action.
    Launching an unknown or bad program from a good one | A program tries to start another program. Unless a program has a reason to open another program (for example, a Word document with a link to a browser), you should deny this action.
    A program is trying to kill another program | A program tries to stop another trusted program. Unless this is a result of your actions, such as use of Task Manager to end a program or process, or a software installation that requires a reboot of your computer, you should deny this action.
    Modifying network parameters | A program tries to change your network settings, possibly to re-route your traffic to a malicious web site and to steal important personal information. Unless you are running TCP/IP tuning software, you should deny this action.
    Installation of driver | A program tries to load a driver. Unless you are installing an anti-virus, anti-spyware, firewall, VPN, or another kind of system tool, you should deny this action.
    Sending Windows messages | A program tries to send messages to another program. It could try to force that program to perform certain functions. Unless you are installing software that needs to communicate with another program, you should deny this action.
    Invoking open process/thread | A program tries to control another program. System applications can do this legitimately. Unless you trust the program that tries to perform the action, deny it.
    Monitoring keyboard and mouse input | A program tries to record your keyboard strokes and mouse input. Unless you are running a program that uses this type of input, such as narration software, you should deny this action.
    Remote control of keyboard and mouse input | A remote program tries to control your keyboard and mouse input. Unless you are running software with remote control privileges, deny this action.
    Modification of physical memory | A program tries to read or change information in physical memory that belongs to another program. Unless you are running gaming, video, or system utility software, you should deny this action.
    Injection of code into a program or system service | A program tries to inject code into another program, which can disable that program or its services. Unless you are running special software that must change the behavior of another program, deny this action.
    Transmission of Dynamic Data Exchange (DDE) input | A program tries to send DDE input to another program. This way, it can give the other program access to the Internet, or share some information with it. Unless you trust the program, deny this action.
    Deletion of a run key | A program tries to delete a run key. This is normal behavior for programs that must run at start-up, but are canceled. Unless it is such a program, you should deny this action.
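
The startup directory and run key alerts above concern programs that are registered to start with Windows. The following PowerShell is an added example, not part of the original article or of ZoneAlarm software: it lists the standard Run/RunOnce registry keys and the Startup folders, with the Authenticode signature status of each Run-key target, so the program named in an alert can be compared with what is already registered. The helper name Get-CommandTarget is hypothetical.

```powershell
# Added example (not ZoneAlarm code): inventory the autostart locations that the
# "startup directory" and "run key" alerts refer to, so the program named in an
# alert can be compared with what is already registered to start with Windows.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: extract the executable path from a Run-key command line.
function Get-CommandTarget([string]$Command) {
    # Take the quoted path if present, otherwise the first whitespace-delimited
    # token. Unquoted paths that contain spaces are not resolved (limitation).
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $null
}

$entries = @(foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-CommandTarget $command
        $status  = 'NotChecked'
        if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
            # Valid, NotSigned, HashMismatch, and so on.
            $status = (Get-AuthenticodeSignature -LiteralPath $target).Status
        }
        [pscustomobject]@{ Source = $key; Name = $name; Command = $command; Signature = $status }
    }
})

# Per-user and all-users Startup folders (shortcuts are listed, not resolved).
foreach ($folder in 'Startup', 'CommonStartup') {
    $dir = [Environment]::GetFolderPath($folder)
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    $entries += @(Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
        [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName; Signature = 'NotChecked' }
    })
}

$entries | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```

Running it before and after a software installation shows which entries the installer added or removed, which is the context the alert text asks you to consider before you choose Allow.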

Notes:

  • If you select Remember This Setting before you click Allow or Deny, the ZoneAlarm software remembers your answer, and applies the remembered setting automatically when the program tries to perform the same action at a later time.
  • If SmartDefense Advisor is set to Auto, your setting will remain effective, unless SmartDefense Advisor gets updated with a different setting, or until you change the setting manually.