Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Razza said:
How is Avast more suited I take Avast doesn't have size limit?
Click to expand...
Avast, Avira and Bitdefender are fundamentally different engines consisting of more signatures, generic detections and to some extent heuristics. Signatures contain instructions (rules) looking like "from byte x to byte y look for z". Hence they don't need to have a limit at all. Avast uses an arsenal of machine learning and static analysis at runtime as well as on their cloud.
Norton, Defender, Sophos and many others are engines based primarily on static analysis. Such engines need to have a limit for performance reason. They both have advantages and disadvantages.
Decopi said:
1. If Sophos engine is capable of handling password-protected zips, can we infer that ZAESNG based on Sophos engine is capable to do the same? Or not necessarily? To be based on a Sophos and Kaspersky engine means to have same capabilities as Sophos and Kasperky engines have?
Click to expand...
They use Sophos locally and have all capabilities of their SDK. In addition, threat emulation can capture passwords for zips in emails and uses a dictionary of passwords that attackers commonly may use. This dictionary includes "infected". Downloading malware from various places results in successful block before you even take the file out of the archive.
Kaspersky provides only feeds, once they come across something, they send the hash to ThreatCloud. This is like a more effective and advanced Panda Cloud Antivirus built-in to ZA together with all other technologies.
Decopi said:
2. Here in this thread, are you always using ZAESNG in your tests? Or sometimes you use Harmony EndPoint?
Click to expand...
I always use ZA. Harmony Endpoint is on another system, I am testing it before I become a business customer. These reports are from ZA saved in the directory you mentioned, I go and open from there.
Decopi said:
What about connections? Sorry to ask, it's not totally clear to me, "terminate" means that the stealer started
Click to expand...
Terminate means the process was suspended immediately together with all connections. But the file wasn't deleted because it is signed. In Harmony Endpoint this can be changed (all files related to an attack can be deleted) but in some cases it can cause issues. For example if you have an abused driver, instead of just suspending the attack, it will delete the driver too. You will have to reinstall it then.
For exploits, Harmony and ZA always just end the process without deletion. Meaning if you have vulnerable VLC and a malicious video file, the attack will be suspended but neither the file (you are welcome to delete it manually) nor the VLC player will be deleted (you as admin are welcome to look for updated version).
 
Last edited:
  • Like
  • Applause
  • Thanks
Reactions: Nevi, Jonny Quest, piquiteco and 6 others
K

kamiloxf

Level 1
Apr 3, 2016
27
Kongo said:
Sample detected by Deep Instinct on VirusTotal for a few days now. Still not detected by static AI on my system. 😌
Click to expand...
For me, Static AI blocked this file a moment after unpacking
 

Attachments

  • chrome_5EQTMRuo0c.png
    chrome_5EQTMRuo0c.png
    11.8 KB · Views: 128
  • Wow
  • Like
Reactions: Nevi, piquiteco and Kongo
simmerskool

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
ZA/ESNG snafu with Windows Security Center, I think I may have mentioned this "error" before... win10 WSC reports that both windows_defender_firewall AND ZA firewall are off but ZA app shows its firewall is green and ON. If I was ZA / Checkpoint that would be an error that I would quickly fix as it erodes confidence in ZA.
 
  • Like
Reactions: Nevi, Decopi, franz and 3 others
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
simmerskool said:
ZA/ESNG snafu with Windows Security Center, I think I may have mentioned this "error" before... win10 WSC reports that both windows_defender_firewall AND ZA firewall are off but ZA app shows its firewall is green and ON. If I was ZA / Checkpoint that would be an error that I would quickly fix as it erodes confidence in ZA.
Click to expand...
The error is presented in ZoneAlarm, yes. It is scheduled to be fixed with the next build. Check Point products receive updates almost every month, the engines are far newer (86.80 is the recommended because it has few hotfixes, 87.30 is the latest). In ZoneAlarm the engines are 86.67.19.
 
  • Like
  • Thanks
Reactions: Nevi, piquiteco and simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Trident said:
The error is presented in ZoneAlarm, yes. It is scheduled to be fixed with the next build. Check Point products receive updates almost every month, the engines are far newer (86.80 is the recommended because it has few hotfixes, 87.30 is the latest). In ZoneAlarm the engines are 86.67.19.
Click to expand...

The separate firewall in ZoneAlarm Home is removed in Harmony. It has a firewall/application control but it doesn't replace Windows Firewall.
 
  • Like
Reactions: simmerskool
simmerskool

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
NormanF said:
The separate firewall in ZoneAlarm Home is removed in Harmony. It has a firewall/application control but it doesn't replace Windows Firewall.
Click to expand...
also the Harmony firewall /app control is not a default deployment, so still learning, but I think it then requires an edited deployment policy.
 
  • Like
Reactions: flaubert1971
N

NormanF

Level 8
Verified
Jan 11, 2018
356
simmerskool said:
also the Harmony firewall /app control is not a default deployment, so still learning, but I think it then requires an edited deployment policy.
Click to expand...

Its shown as on in the client but Windows Security reports the firewall is still being run by Windows. The AV on the other is managed by Checkpoint Anti Malware.
 
  • Like
Reactions: simmerskool
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

1687108203453.png
1687108238648.png


Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)
 
  • Like
Reactions: piquiteco and simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Trident said:
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

View attachment 276260View attachment 276261

Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)
Click to expand...

I couldn't find out where to download the appscan tool on the site to set up the application control. They do give instruction on how to upload the completed appscan xml file from your C: drive.
 
  • Like
Reactions: simmerskool
N

NormanF

Level 8
Verified
Jan 11, 2018
356
Trident said:
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

View attachment 276260View attachment 276261

Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)
Click to expand...

Speaking of ZA, its NextGen Free Firewall remains unavailable for Windows 11 despite its release earlier this year.
 
  • Like
Reactions: simmerskool
simmerskool

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
  • Like
Reactions: Nevi, piquiteco, kev7 and 2 others
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,743
simmerskool said:
golly, I missed one, but since I'm currently running checkpoint harmony it should have blocked the one I missed...
Click to expand...
I got all of them right 😀
I like the UX of this campaign, I wonder if rebranding is coming soon. Check Point got rebranding last year and since then it looks very fresh and modern. There are nice animations across the whole portal. Their logo is a bit similar to Symantec though. But then again, Symantec has always been an inspiration for many. Kaspersky almost completely copied their Insight system together with the UX and GData had copied their CPU monitor before.

IMG_1651.png
 
  • Like
Reactions: Nevi, Jonny Quest, piquiteco and 4 others
D

Decopi

Level 6
Verified
Oct 29, 2017
252
Trident said:
New: ZoneAlarm Phishing Quiz
www.zonealarm.com

ZoneAlarm Phishing Quiz | Test Your Phishing Detection Skills | ZoneAlarm

Take ZoneAlarm's Phishing Quiz and discover how well you can identify phishing attempts. Improve your online security by learning to spot the telltale signs of phishing emails.
www.zonealarm.com www.zonealarm.com
Click to expand...

Trying to identify phishing by reading webpage or email content... can be misleading. Specially because modern phishing webpages/emails have perfect icons, texts, graphics etc. Not to mention that nowadays even ChatGPT is being used to write phishing texts.

IMHO the best way to identify phishing is by mouse-hovering links = paying attention to web addresses. It's not a perfect method, but helps to identify 90% of phishing.
Unfortunately this ZA test does not allow to do that with the links.

The bad news is that (IMHO) I don't think Average Joe is able to identify phishing by text nor by checking the links. Most Average Joes are compulsive mouse-clickers, they click everything without reading.
 
Last edited:
  • Like
  • +Reputation
Reactions: Nevi, Jonny Quest, piquiteco and 3 others

Similar threads

Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
677
Views
45,575
Other security for Windows, Mac, Linux
Sandbox Breaker
Sandbox Breaker
Trident
    • Like
    • Hundred Points
    • Applause
New Update Harmony Endpoint Release Notes and Roadmaps
Replies
56
Views
6,811
Other security for Windows, Mac, Linux
Trident
Trident
Trident
    • Like
    • Thanks
New Update ZoneAlarm Extreme Security NextGen Release Notes
Replies
5
Views
1,503
Other security for Windows, Mac, Linux
simmerskool
simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top