- Feb 7, 2023
- 2,349
Good evening,
This thread is everything about ZoneAlarm by Check Point.
Before we get to the ZoneAlarm tests, guides and forensic reports (my favourite part of it), it will be best to get familiar with what's inside ZoneAlarm.
ZoneAlarm is a rebrand of Check Point Harmony Endpoint (previously SandBlast Agent) which includes few components, called "blades".
The following blades are used in ZoneAlarm Extreme Secuity NextGen:
ZoneAlarm Release notes
Check Point Research
ZoneAlarm Trial Downloads
Check Point engines release notes (used in ZA)
ZoneAlarm license valid for quite some time: 845DGV
The thread will be updated with more content when available.
This thread is everything about ZoneAlarm by Check Point.
Before we get to the ZoneAlarm tests, guides and forensic reports (my favourite part of it), it will be best to get familiar with what's inside ZoneAlarm.
ZoneAlarm is a rebrand of Check Point Harmony Endpoint (previously SandBlast Agent) which includes few components, called "blades".
The following blades are used in ZoneAlarm Extreme Secuity NextGen:
- Anti-Malware: This is standard, heuristics(mainly), signatures and generic detections provided by Sophos (Sophos AntiVirus Interface or SAVI) AV. This blade provides online and offline protection against known and unknown threats. Also detects malware targeting other platforms (Linux, MacOS and Android) and provides unarchiving abilities as well as True File Type parser that will insect fie properties such as Magic Bytes to determine the real format. The Sophos behavioural genotype by itself relies on Dynamic Analyses. Additional Link
Pre-execution: the behavior of code is analyzed before it runs and is prevented from running if it is considered to be suspicious or malicious (e.g. Behavioral Genotype ®, Suspicious File Detection)
- Static Analysis or NextGen AV (proprietary): examines attributes of executable files to detect *somewhat* unknown threats without having signatures created. The assumption that such engines always detect unknow threats is wrong, they still have to be trained before they can do so. Static analysis has limited (second to none) effectiveness on packers as well (these will be better covered by Sophos dynamic analysis as well as Behavioural Guard). In ZoneAlarm, only high confidence detections from static analysis are treated to minimise false positives.
- File Reputation Engine powered by ThreatCloud. Provides reputation lookups based on hashes (I am still trying to find out the formats supported). Includes feeds from third parties such as Kaspersky and Cisco Talos as well as propriatery feeds from crawlers, in-product telemetry and the Check Point Research. Also includes proprietary signatures. The Kaspersky, Cisco Talos and proprietary signatures can frequently be seen in the forensic reports (sometimes there are multiple detections). File reputation engine uses local cache to minimise look-ups.
- Behavioural Guard, Forensics, Anti-Bot, Anti-Exploit and Anti-Ransomware blades: Monitor all system events (file, registry, network-related) to record, classify and reverse malicious behaviour. Detailed forensic reports are generated such as the one here. The same report is generated by ZoneAlarm as well, we'll get to it soon.
- Threat Emulation and Threat Extraction (also known as Content Disarm and Reconstruct/CDR): This component is very actively developed, see release notes. It captures files and archives downloaded through browser or saved through email clients and sends them for emulation. Check Point emulation is highly resistant to evasion (they have a tool that scans for VM artefacts as well as articles focused on VM evasion. Threat emulation supports over 70 file types (up to 15MB), including executables, java apps, documents and scripts. Documents are automatically cleaned from any executable content (macros, ole objects and others). They are also scanned for suspicious links. Threat emulation severely boosts security where it is needed and works even without the extension if downloads are saved in Downloads or Desktop folders. Introducing malware through other methods (not via download or email attachments) will result in decreased effectiveness as files will not be emulated. Hopefully the right click to emulate that was in ZA before will be back.
- Threat emulation generates detailed reports such as the one here (available in ZA as well): Threat Details Report
- Malware DNA is used to provide rich context.
ZoneAlarm Release notes
Check Point Research
ZoneAlarm Trial Downloads
Check Point engines release notes (used in ZA)
ZoneAlarm license valid for quite some time: 845DGV
The thread will be updated with more content when available.
Last edited: