Step 1. Click Options
LOG FILE
ClearZone automatically points to the ZoneAlarm log file, ZALog.TXT, in the Internet Logs folder under your Windows (or WinNT) folder. If you want to use a different log file (one copied from another machine, for instance), enter its path or use the Browse button to point at it.
Current versions of ZoneAlarm write comma-delimited log files; earlier versions used tabs, and ZoneAlarm Pro uses semicolons (see version 3.9 below). Select the delimiter that matches your log file; with the wrong delimiter the fields of each record will not be split correctly.
WHOIS
A Whois lookup finds and displays registration information for an Internet (IP) address: the party the address block is assigned to and, usually, a contact email address to which complaints about unauthorized attempts to access your computer can be sent.
The ClearZone "WhoIs" button will do a basic WhoIs query using your default browser, if you have not set a path to a third-party utility as discussed below.
An external third-party Whois utility must be able to accept an IP address on its command line to work from the ClearZone "WhoIs" button. So far, SmartWhoIs and NeoTrace are the only ones I have found that work this way.
To use an external WhoIs, check the "External WhoIs" box in the Options window, then either enter the path and filename of the utility or use the handy Browse button. To use SmartWhoIs, point to the interface file SWLAUNCHER.EXE in the ClearZone folder.
Click OK to save your Options settings.

Step 2. Importing the ZoneAlarm Log file
Go to the Browse menu, select ZoneAlarm Interceptions, and click the "Import" button to load the log file. Only FWIN and FWOUT records are imported. PE entries record attempts by applications on your computer to access the Internet; they are not imported, but can be viewed using Browse|View ZoneAlarm Log.
When the import is finished, you may delete the ZALog.TXT file and let ZoneAlarm create a new one. There have been some requests for me to delete the log file automatically, but I feel it should be the responsibility of the user to decide whether and when the log file is deleted.
If a new attack is logged while the browse is open, click the "Import" button again to include the new attacks. Rows already in the database are not imported twice.
To automatically adjust all of the columns to the minimum width required, right click any row in the table and select Adjust All Widths. (The remaining items in this menu are for users with advanced database experience.)

Step 3. Sorting the data
Click one of the tabs (By Record No., By Date/Time, By Source) to sort the listing in the order desired. The By Date/Time tab sorts in DESCENDING order, latest attack first; By Record No. sorts in ascending order.
If you click on a column label, the listing will automatically sort on that field. Clicking again sorts the table in the opposite order (ascending/descending).
NOTE: Clicking on the TIME column label sorts the records by time of day only, without regard to date. To sort chronologically, use the By Date/Time tab.

Step 4. Reporting Attacks
1. WHOIS QUERY
Click the attack row to be reported, then click the "WhoIs" button. A Whois query will be performed using the remote address of the selected attack (the Source IP for FWIN, the Destination IP for FWOUT). Write down the contact email address from the Whois record rather than copying it, because the clipboard is used in the next step. Abuse reports can usually be sent to abuse@domain, but check the Whois record, since this is not always the case.
2. RECORD THE ATTACK
Click the "Email Attack" button to copy a standard message including the selected row's log details to the clipboard, for transfer to your email. If multiple attack rows are to be reported, use the "Multi-Record Export Method" detailed below, to create a file for attaching to the email. When "Email Attack" is clicked, a green dot appears in the second column from the left, indicating that the attack has been "reported". This reminder will be retained, even if you "Import" again.
3. CREATE THE EMAIL MESSAGE
Open your email client, enter the email address of the ISP into the "To:" field and enter an appropriate "Subject:". Now place the cursor in the body of the email message and Paste the attack details (CTRL-V works as well). Send the email.
BROWSE WINDOW FEATURES
BROWSE | VIEW ZONEALARM LOG FILE opens/returns to a display of the raw data in the log. No data operations are possible.
BROWSE | ZONEALARM INTERCEPTIONS opens/returns to the primary ClearZone window. The logged records are displayed as rows, with each field in a separate column, and can be Sorted, Tagged and Exported. Initially, all FWIN / FWOUT records appear.
The icons below the menu bar are used to navigate through the rows. The function of each will pop up when the mouse is hovered over the icon for a second.
SORTING
The tabs at the top of the listing display the rows in one of three predetermined orders:
"By Record No." displays the rows in the order in which they were originally logged (in Time order within Date order, with Dates ascending).
"By Date/Time" displays the rows in Time order within Date order, with Dates descending. The effect is the opposite of By Record No.
"By Source" displays the rows in Source IP order. All of the attacks from a Source IP are displayed together. A serious/persistent attack is easy to identify by multiple rows with the same Source IP address.
The columns used by the tab sorts are colored cyan.

TAGGING
Tagging is used in preparation for exporting multiple selected rows as a group to an external file, for attaching to an email or processing in a spreadsheet. Click on the first row to be exported, then click the "Tag" button. A red dot will appear in the row's left column, indicating that the row is Tagged. Now click the tag column of all other rows in the group to be exported. A row's tag can be removed by clicking the tag column again.
Between the "Rev Tags" and "WhoIs" buttons at the bottom of the window is a three-function button whose label names the display mode it will switch to when next clicked. Each click changes the listing to show only the "Tagged" rows, only the "Untagged" rows, or "All" rows, and the label advances to the next mode.
When the desired rows are all tagged, click the three-function button until its label reads "Tagged", then click it once more: all untagged rows disappear. If the rows are not in the order you want, clicking one of the tabs will probably do the job (for instance, By Date/Time is a good ordering for reporting an attack).
MULTI-RECORD EXPORTING
With only the tagged rows displayed, right click any row and select Output from the popup menu. Select whether you want a text file (CSV-Comma Separated Value) or an HTML file. The latter can be displayed as a nicely formatted table, in a browser or an email client set up to display HTML.
Several other buttons are also provided for mass tagging operations:
"Tag All" tags all attack records.
"Untag All" removes the red tag from any tagged attacks.
"Rev Tags" inverts existing tagging. Previously tagged records are untagged and untagged attacks are tagged.
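The import, WhoIs target selection, reporting and multi-record export steps described above, as an added example in Python. This is not ClearZone's own code. It assumes a ZALog.TXT field order of type, date, time with GMT offset, source ip:port, destination ip:port, transport (modelled on ZoneAlarm 2.x logs); the sample lines are constructed, "private" is taken to mean the RFC 1918 ranges, and the logged offset is taken to be the local zone's offset from GMT.

```python
"""Added example, not ClearZone's own code: the import/report pipeline this page describes.
Assumed ZALog.TXT field order: type, date, time with GMT offset, source ip:port, dest ip:port, transport."""
import csv
import hashlib
import io
import ipaddress
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log, comma-delimited like current ZoneAlarm versions. Row 5 duplicates
# row 2 (a re-import of the same file); the last FWIN comes from an RFC 1918 address.
SAMPLE_LOG = """\
FWIN,2001/09/18,22:04:00 -4:00 GMT,203.0.113.7:1029,192.168.1.10:137,UDP
FWIN,2001/09/18,22:04:05 -4:00 GMT,203.0.113.7:1030,192.168.1.10:139,TCP (flags:S)
FWOUT,2001/09/18,22:05:10 -4:00 GMT,192.168.1.10:1234,198.51.100.4:27374,TCP (flags:S)
PE,2001/09/18,22:06:00 -4:00 GMT,Internet Explorer,198.51.100.9:80,N/A
FWIN,2001/09/18,22:04:05 -4:00 GMT,203.0.113.7:1030,192.168.1.10:139,TCP (flags:S)
FWIN,2001/09/18,22:07:00 -4:00 GMT,192.168.1.22:3456,192.168.1.10:445,TCP (flags:S)
"""

IMPORTED_TYPES = {"FWIN", "FWOUT"}  # PE rows are viewable but never imported
# "Private" network addresses as the page uses the term: assumed to mean RFC 1918.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CSV_COLUMNS = ["type", "date", "time", "src_ip", "src_port", "dst_ip", "dst_port", "proto"]

def parse_log(text, delimiter=","):
    """Split raw log text on the configured delimiter; keep only FWIN/FWOUT rows."""
    records = []
    for raw in text.splitlines():
        fields = raw.strip().split(delimiter)
        if len(fields) < 6 or fields[0] not in IMPORTED_TYPES:
            continue
        src_ip, src_port = fields[3].rsplit(":", 1)
        dst_ip, dst_port = fields[4].rsplit(":", 1)
        records.append({"type": fields[0], "date": fields[1], "time": fields[2],
                        "src_ip": src_ip, "src_port": int(src_port),
                        "dst_ip": dst_ip, "dst_port": int(dst_port),
                        "proto": fields[5], "raw": raw.strip()})
    return records

def remote_ip(rec):
    """The party to look up and report: Source for FWIN, Destination for FWOUT."""
    return rec["src_ip"] if rec["type"] == "FWIN" else rec["dst_ip"]

def import_records(text, delimiter=",", existing=()):
    """Import rows not already in the database, keyed by an MD5 signature of the raw line
    (the duplicate check version 4.7 describes). Returns (new_records, all_signatures)."""
    seen, new = set(existing), []
    for rec in parse_log(text, delimiter):
        sig = hashlib.md5(rec["raw"].encode()).hexdigest()
        if sig in seen:
            continue
        seen.add(sig)
        addr = ipaddress.ip_address(remote_ip(rec))
        rec["sig"], rec["private"] = sig, any(addr in net for net in PRIVATE_NETS)
        new.append(rec)
    return new, seen

def to_utc(rec):
    """Local timestamp plus the logged offset -> aware UTC datetime. Assumes the logged
    value (e.g. '-4:00 GMT') is the local zone's offset from GMT; handles odd offsets like +5:30."""
    clock, offset, _ = rec["time"].split()
    hours, minutes = offset.lstrip("+-").split(":")
    delta = timedelta(hours=int(hours), minutes=int(minutes))
    local = datetime.strptime(f"{rec['date']} {clock}", "%Y/%m/%d %H:%M:%S")
    utc = local + delta if offset.startswith("-") else local - delta
    return utc.replace(tzinfo=timezone.utc)

def persistent_sources(records, min_hits=2):
    """Remote IPs seen in at least min_hits rows: what the By Source sort makes visible."""
    counts = Counter(remote_ip(r) for r in records)
    return {ip: n for ip, n in counts.items() if n >= min_hits}

def email_body(rec):
    """Plain-text report for one row, including the raw log line (as version 6.1 added)."""
    return (f"Log entry type: {rec['type']}\n"
            f"Time (UTC): {to_utc(rec).isoformat()}\n"
            f"Source: {rec['src_ip']}:{rec['src_port']}\n"
            f"Destination: {rec['dst_ip']}:{rec['dst_port']}\n"
            f"Protocol: {rec['proto']}\n"
            f"Raw log line: {rec['raw']}\n")

def export_csv(records):
    """Multi-record export of tagged rows as CSV text for attaching to an abuse report."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=CSV_COLUMNS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()

if __name__ == "__main__":
    recs, _ = import_records(SAMPLE_LOG)
    for r in recs:
        print(r["type"], remote_ip(r), "(private address, do not report)" if r["private"] else "")
    print("persistent:", persistent_sources(recs), "\n" + email_body(recs[0]))
```

Two points the page only hints at are made explicit here: the report carries a UTC timestamp, since the recipient's abuse desk cannot match a local time without the offset, and a row whose remote party is a private address is flagged because it never belongs in a report to an ISP. A complete tool would also keep a list of addresses never to report, which is what the Shields Up warning added in versions 4.4 and 4.5 does.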
GRAPHING
Pressing the GRAPH button on the Browse window displays a graph of the data in the database.
FEEDBACK!
Your feedback is appreciated!
I am actively seeking input from you, the users, to determine the
development direction of the product. What other features would you like
to see? Have an idea or a suggestion? Please click on the email link
below and send me your comments.
Ben E. Brady
Brady & Associates, LLC.
Version History:
6.1 Released September 18, 2001
Modified Email report to add attack type and raw data from log file.
Added support for FWROUTE log entry type for WhoIs trace.
6.0 Released June 14, 2001
Added Query Wizard, Report Wizard and Spreadsheet Wizard functionality.
Added user customizable View Wizard.
Changed default screen resolution to 800 x 600 to eliminate horizontal scrolling.
Added procedure to clear New Attacks flag in database.
5.8 Released May 1, 2001
Added new graphing capabilities.
5.7 Released April 17, 2001
New Ports.TPS file created with more trojan port definitions.
5.6 Released April 5, 2001
Added capability to empty ClearZone database prior to importing new records.
Added capability to enable / disable duplicate log entry checking during import.
* Modified format of the ClearZone database for future expansion.
Modified GMT calculation to correctly handle odd time zones.
Modified import process to increase the speed of the import for very large files.
5.5 Released March 28, 2001
Added capability to recognize log entries where the Source IP and Destination IP are the same.
Added column coloring to display "private" network IP addresses.
Added column header sorting for alternate sort orders.
Added Graphing, HTML and CSV output.
Modified QBE to use a more intuitive interface for submitting queries.
Modified resizing of window controls for maximizing the application.
Modified the layout of the Browse window to display the data more appropriately.
Removed the 'tool tip' pop-up on the browse. Many users complained that it was annoying them.
Removed the Window menu selection from the main application frame.
5.2, 5.3, 5.4 Not Released - internal distribution only.
5.1 Released March 26, 2001
Added query by example to allow ad-hoc filtering of browse.
Added batch delete of records from ClearZone database.
Added hard copy reports of log entries by date & time and source IP address.
Modified import process to handle changes made in the ZALog.TXT file.
5.0 Released March 25, 2001
Added source and destination port information display to help the user determine the type of log entry and the possible purpose of the packet.
4.7 Released March 21, 2001
Changed Import process to use MD5 signatures to compare records during import, preventing the posting of duplicate records.
Changed the size of the buffer used in reading the log file in order to speed up the Import process.
4.5 Released March 7, 2001
Added warning to pop-up dialog box to alert user of Shields Up web site IP addresses when Email Attack button is pressed.
4.4 Released March 6, 2001
Added a pop-up message to educate users with regard to reporting log entries to a well known port scanning web site.
4.2 Released January 03, 2001
Corrected a problem with saving the options to the ClearZone.INI file in the folder where ClearZone is installed.
4.1 Released November 10, 2000
Added the ability to update the software using Digital Transit update technology. Replaced the ARIN WhoIs query with a SpamCop query to make determination of abuse email addresses easier.
4.0 Released August 31, 2000
Minor enhancements to the user interface, including additions to the Online Help and Email Support menu options.
3.9 Released August 23, 2000
Made changes to the Options screen to make ClearZone compatible with ZoneAlarm Pro. Added 'semicolon' to the list of allowed log file delimiters.
Fixed an error that would save options to the ClearZone.INI file in the wrong location. The ClearZone.INI file should be in the same folder as the executable file.
3.8 Released August 23, 2000
Made a minor modification to the internal Whois process that allows the use of the Destination IP address for the query when submitting 'FWOUT' attacks. External Whois queries were already using the destination IP for 'FWOUT' attacks.
3.7 Released August 4, 2000
Added capability to minimize to the system tray and shut down with Windows shutdown.
3.6 Released July 31, 2000
Changes made to registration module to add functionality for online registration, to be implemented in a future release.
3.5 Released July 30, 2000
Corrected a small problem where the "Email Attack" button was not being enabled for FWOUT type attacks.
Corrected a problem with the View ZoneAlarm Log file that would cause a GPF.
3.4 Released July 25, 2000
Minor cosmetic enhancements. Added popup tool tips to buttons and other window components that didn't have them already.
3.3 Released July 24, 2000
Navigation buttons have been added to a toolbar above the browse window.
This will allow the user to move up and down the browse easier. The text on the Tagged / Untagged / Show All button has been fixed to show what the mode of the browse will be when the button is pressed rather than the current display mode. Minimize/Maximize buttons have been added to the browse window in order for the user to resize the window.
3.2 Released July 21, 2000
The program has been modified to READ the registry entries for ZoneAlarm in order to get the correct path and delimiter for the log file. The Options settings screen will still allow you to change the path of the log file in the event that you want to import a different log file from another machine.
If you change the delimiter in the Options screen to import a different file format, ClearZone will re-read the ZoneAlarm registry entries the next time it is started, to correct the entry for your particular installation of ZoneAlarm.
3.1 Released July 20, 2000
The WhoIs functionality was changed to allow the use of the Destination IP address for FWOUT type attacks.
3.0
Changed the format of the ClearZone.TPS data file in order to implement a mechanism for tracking which attacks had been emailed to the ISP. You must delete the ClearZone.TPS file and allow the program to re-create it in order to use the new format.
2.0
Increased the number of categories for the graphing output.
Modifications made to the "Purchase ClearZone" button on the About screen to make purchasing and registration of ClearZone even easier for the user!
1.9
Added message to display to user when the Email Attack button has been pressed that the attack details have been copied to the clipboard.
1.8
Added new functionality for the use of an INTERNAL WhoIs query. This will allow you to use the internal code for querying the ARIN database or use an external program like SmartWhoIs or NeoTrace.
1.7
Added more column sorting capability to Browse ZoneAlarm Interceptions window. Now the user can click on the column heading to sort the column in ascending or descending order.
Added colored text to the tabs on the browse window to allow the user to see the current tab selection.
1.6
Corrected a defect in the Registration procedure that could, in some cases, render the program permanently locked.
1.5
Corrected a defect that displayed an erroneous message on the status bar of the main window when the Options window was open.
Corrected a defect that would allow you to "view" a non-existent log file.
1.4 Released July 8, 2000
Corrected a defect that caused an error when starting the program and no Options had been set.
Change to format of .INI file to post the version number to the ClearZone.INI file
Change to install program to display the version number while installing program.
Added Version History section to the Online Help HTML page on the site.
1.3 Released July 8, 2000
Added WhoIs Trace Utility Path to Options.
Added SWLAUNCHER.EXE to the installation program in order to allow ClearZone to call SmartWhoIs with the IP Address on the command line.
Added Import button to Browse ZoneAlarm Interceptions window.
Limited the import process to only import the FWIN and FWOUT entries in the log since these are the only entries the user would want to send to the ISP for investigation.
Added links to the Help menu for Online Help and Registration information display.
1.2 Released July 7, 2000
Modified import process to increase speed of import.
Corrected log file parsing for correct processing of GMT time based upon time zone offset detected by ZA.
Added delimiter choice to Options window.
1.1 Released July 5, 2000
First public release of ClearZone Report Utility