Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Trident (Level 34, thread author):
Threat emulation for the same (one of the files downloaded by the inflated malware):
[six screenshots of the threat emulation report]


Trident (Level 34, thread author):
Do you access this report with ZA/ESNG or with Checkpoint Harmony, or both? (or I'm not seeing ZA reports because it has not detected any malware on my VM??)
Forensic reports from ZoneAlarm are saved in C:\ProgramData\CheckPoint\DBStore\Events.

Every folder there represents one incident and the folder name carries the incident ID. Open any HTML file inside the folder to get started.

Threat emulation reports are saved in C:\ProgramData\CheckPoint\Endpoint Security\Threat Emulation.
They are archived. Unarchive the content to view the reports.

Harmony Endpoint offers an easier way to access these reports: they are organised on a timeline and accessed centrally for all machines. On ZoneAlarm you open them locally from the folders above.
Download the EICAR test file to generate a report.
 
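The two report locations above can be triaged from a PowerShell prompt. The script below is an added example, not ZoneAlarm's or Check Point's own tooling: it uses the folder paths given in the post, assumes (as the post states) that each incident folder's name is the incident ID, assumes the Threat Emulation archives are .zip files (adjust the filter if they are not), and assumes read access to C:\ProgramData. Function names and the scratch folder are choices made for this example.

```powershell
# Added example (not ZoneAlarm's own tooling): enumerate local ZoneAlarm forensic
# and Threat Emulation reports using the folder locations given in the post above.
# Assumptions: incident folder name = incident ID, archives are .zip (assumption),
# read access to C:\ProgramData (run elevated if not). Requires PowerShell 5+.

$EventsRoot    = 'C:\ProgramData\CheckPoint\DBStore\Events'
$EmulationRoot = 'C:\ProgramData\CheckPoint\Endpoint Security\Threat Emulation'
$WorkDir       = Join-Path $env:TEMP 'ZA-Reports'   # scratch folder for unpacked archives

function Get-ZAIncident {
    # One object per incident folder: the ID (folder name), creation time, and the
    # HTML report(s) inside it, newest incident first so it can be opened immediately.
    if (-not (Test-Path -LiteralPath $EventsRoot)) {
        Write-Warning "No forensic events folder at $EventsRoot (no incidents recorded yet?)"
        return
    }
    Get-ChildItem -LiteralPath $EventsRoot -Directory | ForEach-Object {
        [pscustomobject]@{
            IncidentId = $_.Name
            Created    = $_.CreationTime
            Reports    = @(Get-ChildItem -LiteralPath $_.FullName -Filter *.html -Recurse -File).FullName
        }
    } | Sort-Object Created -Descending
}

function Expand-ZAEmulationReport {
    # Unpack every archive in the Threat Emulation folder into $WorkDir\<archive name>
    # and return the HTML files found; the original archives are left untouched.
    if (-not (Test-Path -LiteralPath $EmulationRoot)) {
        Write-Warning "No Threat Emulation folder at $EmulationRoot"
        return
    }
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    Get-ChildItem -LiteralPath $EmulationRoot -Filter *.zip -Recurse -File | ForEach-Object {
        $dest = Join-Path $WorkDir $_.BaseName
        Expand-Archive -LiteralPath $_.FullName -DestinationPath $dest -Force
        Get-ChildItem -LiteralPath $dest -Filter *.html -Recurse -File
    }
}

# Usage: list incidents with their report counts, open the newest report in the
# default browser, then show the unpacked threat emulation reports.
$incidents = @(Get-ZAIncident)
$incidents | Format-Table IncidentId, Created, @{n='Reports'; e={ @($_.Reports).Count }} -AutoSize
if ($incidents.Count -gt 0 -and @($incidents[0].Reports).Count -gt 0) {
    Invoke-Item ($incidents[0].Reports | Select-Object -First 1)
}
Expand-ZAEmulationReport | Select-Object FullName
```

Running this after downloading the EICAR test file, as the post suggests, is a quick way to confirm that the incident folder and its HTML report are actually being written on a given machine.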

simmerskool (Level 38):
I agree with you, but:
With regards to security software, personally I only care about protection capabilities and hardware performance... that's all.
ZA hardware performance doesn't worry me.
Therefore, I'm only focused on ZA protection capabilities.

Now, and in my context, if you take the sneaky 65MB stealer malware case, and you see that a simple option in the firewall could have helped to minimize its damage, and on the other hand you see that the current ZA firewall has just an ON/OFF... perhaps it is time to add a few simple options to the ZA firewall.
When a minimized UI or any default settings have a bad protection reputation... perhaps it is time for changes.
@Decopi, we seem to mostly agree. I would prefer that ZA block that sneaky 65mb stealer malware without the user having to throw a switch in the firewall. That's my only point. Why do I want to install an AV with default reduced protection, and then have to tweak it for max protection? (perhaps there's something I'm missing :unsure:) I assume ZA is configuring its features to max protection as default since ZA has nothing to tweak. If it failed with that 65mb malware, ZA should fix that by default without the user needing to tweak its firewall. (aside: if I want to tweak a firewall, then I run CF@cs).

[screenshot]


No events here after continuously running ZA for 4.7+ days. Have not DL'd EICAR yet. The few ZA popups generated have been "this file is good" or "this is not a phishing site", which are unobtrusive.

Decopi (Level 8):
@Decopi, I would prefer that ZA block that sneaky 65mb stealer malware without the user having to throw a switch in the firewall. That's my only point.

There is no perfect security software.
Therefore, you always will need to live in two dimensions: 1) Default settings or 2) Customized settings.
If the minimalist UI doesn't allow customized settings, then you are forced to live with default settings.
And that's my only point.
I think minimalist UIs must leave some room for a little customization. I don't mean to ruin the minimalist style. I like minimalism. But IMHO the ZA UI needs a few options, among them a basic granular firewall.

Why do I want to install an AV with default reduced protection, and then have to tweak it for max protection?

Because different users have different profiles.
For the average Joe, default settings usually are enough. Hardening settings for the average Joe profile would be a nightmare, because average Joes don't know how to deal with hardened settings (they block too much stuff for them, and they don't know how to unblock needed stuff).
Now, for users like me, I always need to harden default settings, because I am usually exposed to cyber threats, and I know how to block, unblock, allow and disable stuff.

(perhaps there's something I'm missing :unsure:) I assume ZA is configuring its features to max protection as default since ZA has nothing to tweak. If it failed with that 65mb malware, ZA should fix that by default without the user needing to tweak its firewall. (aside: if I want to tweak a firewall, then I run CF@cs).

I don't believe "default settings" are configured to maximum protection.
I believe "default settings" are configured to "average use".
There is no security software with "default settings" and "maximum security" at the same time.
Default settings are about default use, and security level is about user profile... two different things.

simmerskool (Level 38):
There is no perfect security software.
Therefore, you always will need to live in two dimensions: 1) Default settings or 2) Customized settings.

Because different users have different profiles.
For the average Joe, default settings usually are enough. Hardening settings for the average Joe profile would be a nightmare, because average Joes don't know how to deal with hardened settings (they block too much stuff for them, and they don't know how to unblock needed stuff).
Now, for users like me, I always need to harden default settings, because I am usually exposed to cyber threats, and I know how to block, unblock, allow and disable stuff.

I don't believe "default settings" are configured to maximum protection.
I believe "default settings" are configured to "average use".
There is no security software with "default settings" and "maximum security" at the same time.
Default settings are about default use, and security level is about user profile... two different things.
We disagree on a few points above: I suggest there is no need for two dimensions; at the moment ZA/ESNG seems to agree since it does not have settings, i.e., one dimension, which is OK for me as long as I'm not getting infected. (no events here, yet)
The average Joe should be using MS Defender. I agree you & me and some others need or like "hardened." I want ZA to be default configured hardened out of the box.
As for how "hard" ZA is configured by default, we'll understand that better when we start seeing the tests at MT and labs.
Again, my sense is that ZA is both default & maximum at the same time. I could be wrong... but if I can't tweak it, I assume default is max. Can it be improved? Sure!
@Trident seems to have a line into ZA to make suggested improvements.
 

Trident (Level 34, thread author):
we seem to mostly agree. I would prefer that ZA block that sneaky 65mb stealer
Missing malware is normal and doesn't mean the software is mediocre or badly developed. Especially when we are talking about 1 sample 😀
I haven't seen anyone not missing malware yet, and if I download Trend Micro, it will miss hundreds (even though in other tests here it's been praised). It takes a lot of time and digging to find a ZoneAlarm compromise (in total I have about 112 incidents blocked) whilst some others are getting compromised 5 minutes after installation, so I think that's worth something.

Of course, good program control will prevent the damage and unfortunately, as @Decopi mentioned, it is missing. Hence many users are pushing to get it. We have to wait and see.

Trident (Level 34, thread author):
Yeah, and here is another Russian video from 3 months ago.
It misses some malware there and some PUPs, but I don't even know where they got this version; this one hasn't received updates since 2022 and emulation is also blocked. If you try to emulate a file it won't work. As of March last year, it has been replaced with the NextGen.
 

Decopi (Level 8):
It misses some malware there and some PUPs, but I don't even know where they got this version; this one hasn't received updates since 2022 and emulation is also blocked. If you try to emulate a file it won't work.

Yeah, that's one of the reasons I originally wasn't convinced to share this ruský test.
As I said, this video is entirely in Russian, with no text, too long, and difficult to follow for non-Russian speakers.
Also, from the beginning it is possible to see the tester using a very old version of ZA.
Considering ZAESNG is under development, I think only recent tests (from the last 2 months) are interesting.
 

Trident (Level 34, thread author):
Yeah, that's one of the reasons I originally wasn't convinced to share this ruský test.
As I said, this video is entirely in Russian, with no text, too long, and difficult to follow for non-Russian speakers.
Also, from the beginning it is possible to see the tester using a very old version of ZA.
Considering ZAESNG is under development, I think only recent tests (from the last 2 months) are interesting.
Yeah, that one from Comms TV or whatever the channel is called is a very recent one.
ZoneAlarm passed clean whilst others like Trend Micro and Bitdefender weren't that fortunate.

Mine was recent as well, but was before the addition of anti-bot and was also a very difficult one, much more difficult than needed to draw valuable conclusions for home users. It was mostly for geeks.
For now we can see protection is OK but not wow, and it needs more work.
 

Decopi (Level 8):
Yeah that one from Comms TV or whatever the channel is called is a very recent one.
ZoneAlarm passed clean whilst others like Trend Micro and Bitdefender weren’t that fortunate.

Mine was recent as well, but was before the addition of anti-bot and was also a very difficult one, much more difficult than needed to draw valuable conclusions for home users. It was mostly for geeks.
For now we can see protection is OK but not wow, and it needs more work.

Exactly, you're right.
I'm not saying ZA is perfect. But it seems to me a lot of users are judging ZA based on old versions.
That's the reason and purpose of this new thread: to test the latest ZA version, confirming or rejecting its new protection capabilities.
There is no need to share ZA info from before last March, because the latest ZA changed in the past 3 months.
 

Trident (Level 34, thread author):
@Trident how much is harmony endpoint?
Harmony Endpoint depends on the reseller and number of devices but as single license is usually about £60 per year, per device. If you buy in huge bulk (something which I will have to do soon) it will be a lot cheaper. You could get Harmony Total (which includes the Email and Collaboration Suite) and everything for 150 devices for about £30 per device.
There is no need to share ZA info from before last March, because the latest ZA changed in the past 3 months.
Yeah, that's very accurate. Before the addition of anti-bot I didn't like it too much and it wasn't ready to protect a system properly.

The UK government has Harmony Endpoint as well on their digital marketplace and I believe it’s their officially-recommended software as well as what the NHS uses.

They sell it for £18.00. I will create a Check Point Harmony thread as well soon so we don't confuse users.
 

likeastar20 (Level 9):
The UK government has Harmony Endpoint as well on their digital marketplace and I believe it’s their officially-recommended software as well as what the NHS uses.

They sell it for £18.00. I will create a Check Point Harmony thread as well soon so we don't confuse users.
Doesn't seem that much, for example I was quoted $42 for Deepinstinct. What other cheap endpoint products do you know of?
 

Trident (Level 34, thread author):
Doesn't seem that much, for example I was quoted $42 for Deepinstinct. What other cheap endpoint products do you know of?
It all depends on the reseller; they work for a percentage. I am not aware of other cheap products tbh, I am not really interested in free and cheap 😀😅
Check Point is more complete than Deep Instinct. One of the DI founders is an ex-Check Point employee.
 

Trident (Level 34, thread author):
Please may I ask? Are these also version 3 instead of version 4? Thank you.
I am testing version 4 only, and that incident with the inflated file was triggered by anti-bot. It means that if it was version 3 it would've been a miss. The one on Comms TV has been version 3 as well. @Shadowra today has tested version 4.
 

Shadowra (Level 37, malware tester):
I am testing version 4 only, and that incident with the inflated file was triggered by anti-bot. It means that if it was version 3 it would've been a miss. The one on Comms TV has been version 3 as well. @Shadowra today has tested version 4.

I actually shot the video.
During the URLs, I bypassed ZoneAlarm's Web Shield; it was handling downloads and it took more than 20 MINUTES to download...
All in all, it did fine. But not everything is perfect. That's all I'll say, as the video will be out in a few days :)
 
