X
Tap here to go to the mobile version of the site.

Support Forum

Firefox asks Zone Alarm firewall for new access several (many) times daily even though it has been granted at elevated privilege level.

Rob
Posted

I have Zone Alarm set to have new applications ask me to approve requests to access the Internet or system processes. With new programs, this approval process usually stabilizes in a few minutes or with a second use of the application. Firefox constantly asks for permission to access the Internet and sometimes systems processes virtually every time you load it and sometimes more often than that. In a busy day, it is not unusual to grant permission 20 or more times. I have been using Firefox for years and have Zone Alarm set to grant firefox.exe, pingsender, maintenance service, etc. "Super" privileges which means that it should not be asking. To be clear NO other among 30 or so programs that I use frequently have this problem. This is Firefox specific. The only similar issue I have observed is when my anti-virus completely changes out its main programs every few weeks. After that, I get a few requests for permission in the first 30 minutes before it stabilizes.

I have Zone Alarm set to have new applications ask me to approve requests to access the Internet or system processes. With new programs, this approval process usually stabilizes in a few minutes or with a second use of the application. Firefox constantly asks for permission to access the Internet and sometimes systems processes virtually every time you load it and sometimes more often than that. In a busy day, it is not unusual to grant permission 20 or more times. I have been using Firefox for years and have Zone Alarm set to grant firefox.exe, pingsender, maintenance service, etc. "Super" privileges which means that it should not be asking. To be clear NO other among 30 or so programs that I use frequently have this problem. This is Firefox specific. The only similar issue I have observed is when my anti-virus completely changes out its main programs every few weeks. After that, I get a few requests for permission in the first 30 minutes before it stabilizes.
Quote

Additional System Details

Installed Plug-ins

Cisco CODEC WideVine encrypted media decoder

Application

  • User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0

More Information

jscher2000
  • Top 10 Contributor
8767 solutions 71704 answers

Helpful Reply

Hi Rob, thank you for the info. Firefox 68 uses a new approach to launch. There is a launcher process in firefox.exe that starts the browser with reduced privileges (medium integrity/standard user) if you start with admin privileges. Could you test starting Firefox with the -no-deelevate switch to see whether that makes any difference?

It's probably simplest to modify your Firefox shortcut. That would be either:

  • Right-click a Firefox desktop shortcut, then click Properties
  • Right-click a Firefox icon pinned to the Taskbar then right-click Mozilla Firefox, then click Properties

Windows should show the Shortcut tab and select the Target field. The Target usually is along the following lines:

  • "C:\Program Files\Mozilla Firefox\firefox.exe"
  • "C:\Program Files (x86)\Mozilla Firefox\firefox.exe"

You would add a space and then the new switch, either:

  • "C:\Program Files\Mozilla Firefox\firefox.exe" -no-deelevate
  • "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-deelevate

Any difference?

Hi Rob, thank you for the info. Firefox 68 uses a new approach to launch. There is a launcher process in firefox.exe that starts the browser with reduced privileges (medium integrity/standard user) if you start with admin privileges. Could you test starting Firefox with the -no-deelevate switch to see whether that makes any difference? It's probably simplest to modify your Firefox shortcut. That would be either: * Right-click a Firefox desktop shortcut, then click Properties * Right-click a Firefox icon pinned to the Taskbar then right-click Mozilla Firefox, then click Properties Windows should show the Shortcut tab and select the Target field. The Target usually is along the following lines: * "C:\Program Files\Mozilla Firefox\firefox.exe" * "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" You would add a space and then the new switch, either: * "C:\Program Files\Mozilla Firefox\firefox.exe" -no-deelevate * "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -no-deelevate Any difference?
Was this helpful to you? 1
Quote

Question owner

Thank you jscher2000. I made the change and, so far, it has solved the problem. I'll report back if I see anything after I have used it longer. I have only mad a few test opens and closes so far. Thanks again.

Thank you jscher2000. I made the change and, so far, it has solved the problem. I'll report back if I see anything after I have used it longer. I have only mad a few test opens and closes so far. Thanks again.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8767 solutions 71704 answers

Hi Rob, if that makes the difference, I wonder whether ZoneAlarm can be updated/configured not to require repeated confirmation for Firefox running as a medium integrity process. It's worth asking them if you have a support channel.

Hi Rob, if that makes the difference, I wonder whether ZoneAlarm can be updated/configured not to require repeated confirmation for Firefox running as a medium integrity process. It's worth asking them if you have a support channel.
Was this helpful to you?
Quote

Question owner

Your solution continues to work. I have not had a request for authorization since running Firefox with elevated privileges. ZoneAlarm allows complete control over privileges and firefox.exe was already given the highest level possible and to automatically grant in and outbound local and Internet connections. Other programs on the acceptable programs list do not trigger a request for approval, including those operating as lower integrity processes.

Is there a clear security benefit to running Firefox as a medium integrity process? Any benefit would seem to be offset by having to grant it privileges to bypass this level. If there are, I can experiment with different configurations among the six variables that can be controlled for each program or process in the firewall.

Your solution continues to work. I have not had a request for authorization since running Firefox with elevated privileges. ZoneAlarm allows complete control over privileges and firefox.exe was already given the highest level possible and to automatically grant in and outbound local and Internet connections. Other programs on the acceptable programs list do not trigger a request for approval, including those operating as lower integrity processes. Is there a clear security benefit to running Firefox as a medium integrity process? Any benefit would seem to be offset by having to grant it privileges to bypass this level. If there are, I can experiment with different configurations among the six variables that can be controlled for each program or process in the firewall.
Was this helpful to you?
Quote
jscher2000
  • Top 10 Contributor
8767 solutions 71704 answers

Rob said

Is there a clear security benefit to running Firefox as a medium integrity process? Any benefit would seem to be offset by having to grant it privileges to bypass this level. If there are, I can experiment with different configurations among the six variables that can be controlled for each program or process in the firewall.

If a medium integrity process is compromised by malware, it can't do as much damage to the system. However, I haven't read any specific case studies comparing the results with different vulnerabilities to be able to tell you the details.

On the ZoneAlarm side, it would be useful to understand why firefox.exe is handled in such a drastically different way when run with administrative privileges (Firefox 67 or -no-deelevate) vs. standard user privileges (Firefox 68 default).

''Rob [[#answer-1239451|said]]'' <blockquote>Is there a clear security benefit to running Firefox as a medium integrity process? Any benefit would seem to be offset by having to grant it privileges to bypass this level. If there are, I can experiment with different configurations among the six variables that can be controlled for each program or process in the firewall. </blockquote> If a medium integrity process is compromised by malware, it can't do as much damage to the system. However, I haven't read any specific case studies comparing the results with different vulnerabilities to be able to tell you the details. On the ZoneAlarm side, it would be useful to understand why firefox.exe is handled in such a drastically different way when run with administrative privileges (Firefox 67 or -no-deelevate) vs. standard user privileges (Firefox 68 default).
Was this helpful to you?
Quote
Ask a question

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.