Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Good evening,

This thread is everything about ZoneAlarm by Check Point.

Before we get to the ZoneAlarm tests, guides and forensic reports (my favourite part of it), it will be best to get familiar with what's inside ZoneAlarm.

ZoneAlarm is a rebrand of Check Point Harmony Endpoint (previously SandBlast Agent), which includes a few components called "blades".
The following blades are used in ZoneAlarm Extreme Security NextGen:

  • Anti-Malware: This is standard: heuristics (mainly), signatures and generic detections provided by the Sophos (Sophos AntiVirus Interface or SAVI) AV. This blade provides online and offline protection against known and unknown threats. It also detects malware targeting other platforms (Linux, macOS and Android) and provides unarchiving abilities as well as a True File Type parser that will inspect file properties such as magic bytes to determine the real format. The Sophos Behavioural Genotype by itself relies on dynamic analysis. Additional Link
Pre-execution: the behavior of code is analyzed before it runs and is prevented from running if it is considered to be suspicious or malicious (e.g. Behavioral Genotype ®, Suspicious File Detection)
  • Static Analysis or NextGen AV (proprietary): examines attributes of executable files to detect *somewhat* unknown threats without having signatures created. The assumption that such engines always detect unknown threats is wrong; they still have to be trained before they can do so. Static analysis has limited (second to none) effectiveness on packers as well (these will be better covered by Sophos dynamic analysis as well as Behavioural Guard). In ZoneAlarm, only high-confidence detections from static analysis are treated, to minimise false positives.
  • File Reputation Engine powered by ThreatCloud. Provides reputation lookups based on hashes (I am still trying to find out the formats supported). Includes feeds from third parties such as Kaspersky and Cisco Talos as well as proprietary feeds from crawlers, in-product telemetry and Check Point Research. Also includes proprietary signatures. The Kaspersky, Cisco Talos and proprietary signatures can frequently be seen in the forensic reports (sometimes there are multiple detections). The file reputation engine uses a local cache to minimise look-ups.
  • Behavioural Guard, Forensics, Anti-Bot, Anti-Exploit and Anti-Ransomware blades: Monitor all system events (file, registry, network-related) to record, classify and reverse malicious behaviour. Detailed forensic reports are generated such as the one here. The same report is generated by ZoneAlarm as well, we'll get to it soon.
  • Threat Emulation and Threat Extraction (also known as Content Disarm and Reconstruct/CDR): This component is very actively developed, see release notes. It captures files and archives downloaded through the browser or saved through email clients and sends them for emulation. Check Point emulation is highly resistant to evasion (they have a tool that scans for VM artefacts as well as articles focused on VM evasion). Threat emulation supports over 70 file types (up to 15 MB), including executables, Java apps, documents and scripts. Documents are automatically cleaned of any executable content (macros, OLE objects and others). They are also scanned for suspicious links. Threat emulation severely boosts security where it is needed and works even without the extension if downloads are saved in the Downloads or Desktop folders. Introducing malware through other methods (not via download or email attachments) will result in decreased effectiveness, as files will not be emulated. Hopefully the right-click-to-emulate that was in ZA before will be back.
  • Threat emulation generates detailed reports such as the one here (available in ZA as well): Threat Details Report
  • Malware DNA is used to provide rich context.
Useful resources:
ZoneAlarm Release notes
Check Point Research
ZoneAlarm Trial Downloads
Check Point engines release notes (used in ZA)
ZoneAlarm license valid for quite some time: 845DGV

The thread will be updated with more content when available.
 
Last edited:
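The post mentions two concrete mechanisms worth seeing in practice: a True File Type parser that reads magic bytes rather than trusting the extension, and the 15 MB emulation ceiling. The following is an added example, not ZoneAlarm or Check Point code; it checks a Downloads folder the way a defender would, reporting files whose extension disagrees with their leading bytes and files too large to be emulated. The signature table, the extension mapping and the folder path are illustrative assumptions.

```powershell
# Added example, not ZoneAlarm or Check Point code: a minimal "true file type"
# check by magic bytes, plus a flag for files larger than the 15 MB emulation
# limit quoted in the post. The signature table and the extension mapping are
# illustrative assumptions, not a complete list.

$script:MagicTable = @(
    @{ Type = 'PE executable';  Bytes = [byte[]](0x4D, 0x5A) }                                    # "MZ"
    @{ Type = 'ELF executable'; Bytes = [byte[]](0x7F, 0x45, 0x4C, 0x46) }                        # "\x7FELF"
    @{ Type = 'ZIP container';  Bytes = [byte[]](0x50, 0x4B, 0x03, 0x04) }                        # "PK", also docx/jar/apk
    @{ Type = 'OLE2 document';  Bytes = [byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1) } # legacy doc/xls/msi
    @{ Type = 'PDF';            Bytes = [byte[]](0x25, 0x50, 0x44, 0x46) }                        # "%PDF"
    @{ Type = 'RAR archive';    Bytes = [byte[]](0x52, 0x61, 0x72, 0x21, 0x1A, 0x07) }            # "Rar!"
    @{ Type = '7-Zip archive';  Bytes = [byte[]](0x37, 0x7A, 0xBC, 0xAF, 0x27, 0x1C) }            # "7z"
)

# Extensions that legitimately carry each detected type (assumption).
$script:ExpectedExt = @{
    'PE executable'  = @('.exe', '.dll', '.sys', '.scr', '.cpl')
    'ELF executable' = @('.elf', '.so', '')
    'ZIP container'  = @('.zip', '.docx', '.xlsx', '.pptx', '.jar', '.apk')
    'OLE2 document'  = @('.doc', '.xls', '.ppt', '.msi', '.msg')
    'PDF'            = @('.pdf')
    'RAR archive'    = @('.rar')
    '7-Zip archive'  = @('.7z')
}

function Get-TrueFileType {
    # Returns the type implied by the leading bytes, ignoring the extension.
    param([Parameter(Mandatory)][string]$Path)
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::OpenRead($Path)
    try     { $read = $fs.Read($head, 0, $head.Length) }
    finally { $fs.Dispose() }
    foreach ($entry in $script:MagicTable) {
        $sig = $entry.Bytes
        if ($read -lt $sig.Length) { continue }
        $match = $true
        for ($i = 0; $i -lt $sig.Length; $i++) {
            if ($head[$i] -ne $sig[$i]) { $match = $false; break }
        }
        if ($match) { return $entry.Type }
    }
    return 'unknown'
}

function Test-DownloadedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][System.IO.FileInfo]$File,
        [long]$EmulationLimit = 15MB   # ZA figure quoted in the post
    )
    process {
        $type     = Get-TrueFileType -Path $File.FullName
        $ext      = $File.Extension.ToLowerInvariant()
        $expected = $script:ExpectedExt[$type]
        $extOk    = $null                # stays $null when the type is unknown
        if ($null -ne $expected) { $extOk = [bool]($expected -contains $ext) }
        [pscustomobject]@{
            Name             = $File.Name
            SizeMB           = [math]::Round($File.Length / 1MB, 1)
            TrueType         = $type
            ExtensionMatches = $extOk
            ExceedsEmulation = $File.Length -gt $EmulationLimit
        }
    }
}

# Usage: report anything in Downloads whose extension lies about its type, or
# which is too large for emulation and so relies on the other blades.
Get-ChildItem "$env:USERPROFILE\Downloads" -File |
    Test-DownloadedFile |
    Where-Object { $_.ExtensionMatches -eq $false -or $_.ExceedsEmulation } |
    Format-Table -AutoSize
```

A real parser of this kind goes well beyond an 8-byte prefix (it has to parse container formats to tell a .docx from a .jar, for instance), but the prefix check already catches the common case of a renamed executable, and the size flag shows which downloads fall outside the emulation path described in the post.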

piquiteco

Level 14
Oct 16, 2022
624
@Trident @simmerskool The day before yesterday I installed ZoneAlarm Extreme Security NextGen again and put into action the supposed "game" that is actually stealer malware which @Kongo had posted here (my credit goes to him too); I downloaded the sample here. I extracted the compressed file and scanned the extracted file, and ZA did not detect anything, so I decided to run it. As soon as I ran it, ZA did not block it, neither the AV module let alone the firewall; I was probably robbed, I even tested it on my real production computer, and ZA had no reaction. What a disappointment. Not even when extracting the packaged .exe file did ZA detect it. I could not record or take a screenshot because it was on my real machine. Conclusion: looking at the threat emulator process, its memory went up a lot and so did the CPU; I left it a while, the malware had its party, running and using high CPU, and ZA did nothing to detect, block or eliminate the threat. Taking advantage of having my hands in the dough, I restored the image and tested this with CIS, and it blocked with the HIPS, but after disabling the HIPS the malware ran straight, nor was the sandbox capable of saving it, but it was blocked by the firewall, preventing data theft; that's why I say the Windows firewall is useless. I also tested MS Defender: as soon as I extracted the compressed malware, it already detected it as Trojan:Win32/Wacatac.B!ml. I knew MS Defender would detect it because of the hash, and also @SeriousHoax had tested it and you can check his test here. The sample link you can find easily and I left it in the post. I confess I was surprised because ZA didn't detect anything, neither before nor after running it. I am not saying that Kaspersky or Bitdefender are kings, but with @Trident praising it, I think to myself: is ZA really that good? Honestly I would not trust it. It is obvious that with or without AV I would not run the suspicious .exe file, but a gamer who only knows how to play?
They download and run this supposed game and have ZA installed, and how does that end? Probably your computer would end up infected and, sadly, your data stolen. Test it yourself and draw your own conclusions. No AV is perfect, but I think ZA has failed. I apologize.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Rule 1: No AV, firewall or security suite is foolproof. Given the right sample they all will fail, even ZoneAlarm.
They already failed, all of them, in one of my previous tests. And they can fail again. :D
This file exceeds the emulation size (emulation in ZA supports up to 15 MB and in Harmony Endpoint up to 50 MB). The sample is 65 MB in size. Detection on VT is very low. It contacts a CnC server which appears to still not be down (bbynetwork[.]nl). Bottom line is we are not praising it, we are just discussing software that is more niche here and is not bad. Like all other AVs, it is not 100%.

I’ll test it as well when I’m home.
 
Last edited:

Decopi

Level 6
Verified
Oct 29, 2017
253
They already failed, all of them, in one of my previous tests. And they can fail again. :D
This file exceeds the emulation size (emulation in ZA supports up to 15 MB and in Harmony Endpoint up to 50 MB). The sample is 65 MB in size. Detection on VT is very low. It contacts a CnC server which appears to still not be down (bbynetwork[.]nl). Bottom line is we are not praising it, we are just discussing software that is more niche here and is not bad. Like all other AVs, it is not 100%.

@Trident , sorry for the question a bit out of the ZA thread:

I always use my Firewall in hardened mode, with rules denying all and any connection, except the connections I authorize.
In the beginning it took me around ten days until I managed to stabilize the connections, especially those of Windows. But honestly, with time and testing I confirmed that Windows really needs very few connections to work. Since then, my hardened firewall has never given me problems.

Please, my question is: with malware like this 65MB one, or other malware that escapes AVs, how effective is a hardened firewall against these pests? Can blocking connections avoid malware damage? In the case of stealer malware, blocking connections may avoid damage. But what about encryptors? Or what about other malware that doesn't use connections and can open backdoors, etc.?
 
Last edited:

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Please, my question is: with malware like this 65MB one, or other malware that escapes AVs, how effective is a hardened firewall against these pests? Can blocking connections avoid malware damage? In the case of stealer malware, blocking connections may avoid damage. But what about encryptors? Or what about other malware that doesn't use connections and can open backdoors, etc.?
Except in the case of ransomware (which can easily be mitigated via backup/restore and I don't even consider it to be a threat), everything else will cease to work properly disconnected from the web. The problem is that various threats can inject code into trusted processes that are already allowed to connect (LOLBins) and perform their dirty duties this way. If a hardened firewall is combined with LOLBin restrictions (disabling various script interpreters including PowerShell, as I don't see which home user will need complicated scripts), then code injection will fail too. Malware will not be able to do anything apart from damaging system and data.
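The "block everything, allow only what is authorized" posture Decopi describes, combined with the script-interpreter restriction from the reply above, can be expressed with the built-in Windows Firewall. The following is an added example written for this thread, not ZoneAlarm code or a Check Point recommendation; the browser paths and the interpreter list are assumptions to adapt. It must run from an elevated PowerShell and should be tried on a snapshot or VM first, because every program without an allow rule loses network access the moment the profile flips.

```powershell
# Added example, not ZoneAlarm/Check Point code: default-deny outbound with an
# explicit allowlist, plus block rules for script interpreters, using the
# built-in Windows Firewall cmdlets. Program paths below are assumptions.

# 1. Every profile blocks outbound traffic unless a rule allows it. Inbound
#    keeps its default of Block. The built-in "Core Networking" outbound rules
#    (DNS, DHCP) stay enabled, so name resolution keeps working.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 2. Allow only the programs that have been decided to need the network.
$allowList = @{
    'Allow Firefox outbound' = "$env:ProgramFiles\Mozilla Firefox\firefox.exe"
    'Allow Edge outbound'    = "${env:ProgramFiles(x86)}\Microsoft\Edge\Application\msedge.exe"
}
foreach ($name in $allowList.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Allow `
            -Program $allowList[$name] -Profile Any | Out-Null
    }
}

# 3. Explicit Block rules for script interpreters. In Windows Firewall a Block
#    rule wins over an Allow rule, so these hold even if an allow for the same
#    binary is added later.
$interpreters = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\mshta.exe"
)
foreach ($exe in $interpreters) {
    $name = "Block outbound: $exe"      # full path keeps the names unique
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
            -Program $exe -Profile Any | Out-Null
    }
}

# 4. Review: which programs are currently allowed out. This list is the
#    remaining gap the reply describes, since code injected into one of these
#    processes inherits its allow rule.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
    } | Sort-Object Program | Format-Table -AutoSize
```

Step 4 is the part worth re-running after any software install: the allowlist only contains what it is supposed to if nothing else has quietly added an outbound allow rule, and it is exactly the set of processes that a firewall alone cannot protect against once something is running inside them.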
 

Decopi

Level 6
Verified
Oct 29, 2017
253
Except in the case of ransomware (which can easily be mitigated via backup/restore and I don't even consider it to be a threat), everything else will cease to work properly disconnected from the web. The problem is that various threats can inject code into trusted processes that are already allowed to connect (LOLBins) and perform their dirty duties this way. If a hardened firewall is combined with LOLBin restrictions (disabling various script interpreters including PowerShell, as I don't see which home user will need complicated scripts), then code injection will fail too. Malware will not be able to do anything apart from damaging system and data.

Back to ZA: could a more granular ZA firewall have minimized the damage of the sneaky 65MB stealer malware?
I ask because that was precisely one of my suggestions to improve the current ZA. I'm not saying that a complex firewall is necessary. But if at least the ZA firewall had options to "block everything" + "connect only what is authorized", maybe this simple option would already improve the current ZA firewall (which only has one "on" + "off").
I'm trying to say that perhaps a few small improvements in the current ZA (which has a too minimized UI) could cause a big improvement in protection. Am I wrong?
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Back to ZA: could a more granular ZA firewall have minimized the damage of the sneaky 65MB stealer malware?
I ask because that was precisely one of my suggestions to improve the current ZA. I'm not saying that a complex firewall is necessary. But if at least the ZA firewall had options to "block everything" + "connect only what is authorized", maybe this simple option would already improve the current ZA firewall (which only has one "on" + "off").
I'm trying to say that perhaps a few small improvements in the current ZA (which has a too minimized UI) could cause a big improvement in protection. Am I wrong?
It definitely would have. They used to have the OSFirewall (HIPS) before and they used to have Program Control (a reputation-based allow/deny mechanism). With the NextGen they killed both, and Program Control is now awaiting its return. Program Control has been highly requested by everyone; I saw that in 87.00 of Harmony Endpoint it was also revamped. Disabling connections for untrusted executables goes a long way. In version 4 they decoupled the firewall and anti-bot from everything else (most likely to deliver quicker updates independently from the engines and everything).

The malware has detection by Kaspersky so it is in Check Point threatcloud, not sure why it wasn’t detected. I will need to have a look.
 

piquiteco

Level 14
Oct 16, 2022
624
Back to ZA: could a more granular ZA firewall have minimized the damage of the sneaky 65MB stealer malware?
I ask because that was precisely one of my suggestions to improve the current ZA. I'm not saying that a complex firewall is necessary. But if at least the ZA firewall had options to "block everything" + "connect only what is authorized", maybe this simple option would already improve the current ZA firewall (which only has one "on" + "off").
I'm trying to say that perhaps a few small improvements in the current ZA (which has a too minimized UI) could cause a big improvement in protection. Am I wrong?
Yes, at least when I tested CIS/CF it blocked the stealer malware's connection from sending the stolen data, unless it hijacked a legitimate Windows process or hitched a ride, I can say.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,076
I have not tested ZA/ESNG against any specific malware, but have been running it on my primary VM the past 4+ days. I have experienced zero (0) events, no slowdowns, no hiccups of any kind. I am eager to see more malware testing. I see that AV-Lab Cybersecurity Foundation (Poland) tested ZA anti-ransomware and noted: "All the encrypted files have been brought back and saved intact in the folders they were stored in originally. ZoneAlarm Anti-Ransomware brings Check Point’s experience ZoneAlarm Anti-Ransomware is developed by Check Point, that’s why it employs Threat Emulation technology of Sandblast products. We have tested the said protection technology a couple of weeks ago (Check Point’s Sand Blast for Browser solution was the only one to block all the malware samples)." (Jan 2019). So this is "old" info and I'm assuming ZA is getting better.

 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Yes, at least when I tested CIS/CF it blocked the stealer malware's connection from sending the stolen data, unless it hijacked a legitimate Windows process or hitched a ride, I can say.
I am looking at the behaviour, I don’t think it hijacked any processes but it needs a better look. It has been blocked from connecting.
 

Decopi

Level 6
Verified
Oct 29, 2017
253
It definitely would have. They used to have the OSFirewall (HIPS) before and they used to have Program Control (a reputation-based allow/deny mechanism). With the NextGen they killed both, and Program Control is now awaiting its return. Program Control has been highly requested by everyone; I saw that in 87.00 of Harmony Endpoint it was also revamped. Disabling connections for untrusted executables goes a long way. In version 4 they decoupled the firewall and anti-bot from everything else (most likely to deliver quicker updates independently from the engines and everything).

The malware has detection by Kaspersky so it is in ZoneAlarm threatcloud, not sure why it wasn’t detected. I will need to have a look.

Yeah, thanks to your comments I know Program Control will be included... it's really a must.
I just wonder why ZA has a too minimized UI, to the point that the lack of some few options could have a significant positive impact on protection (i.e. Program Control, firewall options, etc.).
It's a rhetorical question, you don't need to answer me.

I love minimized UIs.
I just don't understand why ZA or Bitdefender etc offer UIs so minimized.
Perhaps it is because 99% of users don't care about options or customization, and they prefer "plug and play" options.
Another possibility is that even with a minimized UI, the default configuration might represent enough protection for 99% of average users. Or perhaps ZA with its minimized UI can stop the 65MB stealer malware with the ZoneAlarm threatcloud. I mean, perhaps the minimized UI is not related to better or worse protection.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,758
Yeah, thanks to your comments I know Program Control will be included... it's really a must.
I just wonder why ZA has a too minimized UI, to the point that the lack of some few options could have a significant positive impact on protection (i.e. Program Control, firewall options, etc.).
It's a rhetorical question, you don't need to answer me.

I love minimized UIs.
I just don't understand why ZA or Bitdefender etc offer UIs so minimized.
Perhaps it is because 99% of users don't care about options or customization, and they prefer "plug and play" options.
Another possibility is that even with a minimized UI, the default configuration might represent enough protection for 99% of average users. Or perhaps ZA with its minimized UI can stop the 65MB stealer malware with the ZoneAlarm threatcloud. I mean, perhaps the minimized UI is not related to better or worse protection.
The problem here is that this is a copy of Harmony Endpoint and there is a lot going on there. Giving all that control to home users is not necessary and can mess up quite a lot of systems, which will only result in bad reputation, complaints here and there (without mentioning the settings that were modified prior to that) and support tickets. So such technology needs to be carefully controlled when deployed on a wide mass of home users. This is why they've configured a certain policy and have locked it. Program Control was removed to get revamped. Like many other things were removed too: they had TuneUp, Backup, Anti-Spam, Identity Protection, they removed everything and now they are re-adding some features slowly.
 

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,076
...
I just wonder why ZA has a too minimized UI, to the point that the lack of some few options could have a significant positive impact on protection (i.e. Program Control, firewall options, etc.).
I love minimized UIs.
I just don't understand why ZA offers UIs so minimized.
Perhaps it is because 99% of users don't care about options or customization, and they prefer "plug and play" options.
Another possibility is that even with a minimized UI, the default configuration might represent enough protection for 99% of average users.
I am not necessarily a fan of plug & play, but with ZA/ESNG I like its UI, and I assume that ZA is tweaked at the factory by default for maximum protection while at the same time not slowing down my PC. Perhaps we are too aware of AVs that can be enhanced or hardened, or come out of the box without sufficient protection, but why should that be the norm? I assume the ZA default config is the max config; why should the user have to dig through the UI to throw a switch to gain more protection? If and when ZA offers other features, great, as long as they do not become bloatware, slow down the system, or nag me to spend more money.
 

Sorrento

Level 9
Verified
Well-known
Dec 7, 2021
402
High on resources and uses a lot of space compared to others; not necessarily an issue to me, but it could be to others. Though any potential form of bloat is an issue to me, as I like as lean an install as possible; other AVs manage to run with much less size??
 

Decopi

Level 6
Verified
Oct 29, 2017
253
I am not necessarily a fan of plug & play, but with ZA/ESNG I like its UI, and I assume that ZA is tweaked at the factory by default for maximum protection while at the same time not slowing down my PC. Perhaps we are too aware of AVs that can be enhanced or hardened, or come out of the box without sufficient protection, but why should that be the norm? I assume the ZA default config is the max config; why should the user have to dig through the UI to throw a switch to gain more protection? If and when ZA offers other features, great, as long as they do not become bloatware, slow down the system, or nag me to spend more money.

I agree with you, but:

With regards to security software, personally I only care about protection capabilities and hardware performance... that's all.

ZA hardware performance doesn't worry me.
Therefore, I'm only focused on ZA protection capabilities.

Now, in my context, if you take the sneaky 65MB stealer malware case, and you see that a simple option in the firewall could have helped to minimize its damage, and on the other hand you see that the current ZA firewall has just an ON/OFF... perhaps it is time to add a few simple options to the ZA firewall.
When a minimized UI or any default settings are getting a bad protection reputation... perhaps it is time for changes.

Two further comments:

1. I believe @Trident is enthusiastic about ZA because he knows Harmony Endpoint (the product), and perhaps he can foresee where current ZA development is going (or at least he can foresee the potential of the current ZA). And there is no doubt that ZA is improving ZAESNG with each new version, adding important features, and also being responsive to different user requests. So, for me there is no doubt that the current ZAESNG is actively under development, and its protection capabilities can be improved soon.

2. @Trident also mentioned that the 65MB stealer malware should be blocked by the ZoneAlarm threatcloud.
The main ZA "blades" are based on Sophos and Kaspersky stuff. So, we can expect solid ZA protection.
Perhaps the stealer malware case needs to be reproduced under stricter lab conditions.
I'm trying to say that sometimes a bad protection reputation is a consequence of specific tests (which do not reflect real life).
 
Last edited:
