Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

[simmerskool]

Missing malware is normal and doesn’t mean the software is mediocre or badly developed. Specially when we are talking about 1 sample
I haven’t seen anyone not missing malware yet and if I download Trend Micro, it will miss hundreds (even though on other tests here it’s been praised). It takes a lot of time and digging to find a ZoneAlarm compromise (in total I have about 112 incidents blocked) whilst some others are getting compromised 5 minutes after installation so I think that’s worth something.

Of course, a good program control will prevent the damage and unfortunately as @Decopi mentioned is missing. Hence many users are pushing to get it. We have to wait and see.

for clarification: if ZA wants to add some control tweaks I am not against it, I just prefer that when I install or update, that it is configured max perhaps with option to tweak it down (for some unknown reason...) Or, I am not bothered so far by lack of user controls in ZA. I cannot really find anything to fault other than when I tried to send feedback ZA balked auto-sending a log file. But now I'm in the VM running F-Secure, can you tell the difference? Me neither, both good. Both feel about the same at the keyboard.

 

[Trident]

took more than 20 MINUTES to download...

They have a weird behaviour I discussed with them. When you download malware sometimes anti-malware, file reputation or static analysis detect immediately the browser cache but emulation just keeps going and going and going and never ends. This behaviour will be changed, they confirmed. On documents they made the emulation quicker, they can now statically deobfuscate macros.

just prefer that when I install or update, that it is configured max perhaps with option to tweak it down

I believe it uses the default Harmony Endpoint policy. I have access to review the policy configuration (I know how they store it and how to open) but it will take a lot of time to compare everything one by one. It only makes sense to be using their Default sometimes called Recommended policy.

 

[Shadowra]

They have a weird behaviour I discussed with them. When you download malware sometimes anti-malware, file reputation or static analysis detect immediately the browser cache but emulation just keeps going and going and going and never ends. This behaviour will be changed, they confirmed.

What I noticed. I'll put a message for my choice.

 

[simmerskool]

Doesn't seem that much, for example I was quoted $42 for Deepinstinct. What other cheap endpoint products do you know of?

I have DeepInstinct running on physical & virtual win10. $42 /ea. I looked at Harmony and it was 62 Pounds (maybe Euros?) but waiting for the smoke to clear with ZAESNG before jumping into Harmony, as ZA may be enough (for me).

It only makes sense to be using their Default sometimes called Recommended policy.

Agree, for now I continue to assume the ZA default / recommended policy is hardened enough => approaching perfect

 

[Trident]

Agree, for now I continue to assume the ZA default / recommended policy is hardened enough => approaching perfect

Yeah because nobody wants false positives as well. You will waste time to deal with them, to whitelist, redownload… it’s not any better than missed malware. The accepted false positive rate on a home solution is actually 0. Anything above 0 is too much and is not acceptable. For the business products it is expected to have an admin who’s getting paid to deal with that.

 

[simmerskool]

Yeah because nobody wants false positives as well. You will waste time to deal with them, to whitelist, redownload… it’s not any worse than missed malware. The accepted false positive rate on a home solution is actually 0. Anything above 0 is too much and is not acceptable. For the business products it is expected to have an admin who’s getting paid to deal with that.

amidst this discussion, I actually forgot about false+ as I very rarely get them. Haven't gotten any false+ with ZA yet. Nearly perfect (for me) until @Shadowra tells us otherwise

 

[Trident]

amidst this discussion, I actually forgot about false+ as I very rarely get them. Haven't gotten any false+ with ZA yet. Nearly perfect (for me) until @Shadowra tells us otherwise

I had one. Dell released a utility that updates their recovery environment and forgot to sign it. The utility worked for a while and was flagged by Anti-Ransomware (no files were detected as being encrypted). The Sophos engine is known not to love various snake oil programs. I don’t use or recommend such.

 

[Sandbox Breaker]

Good evening,

This thread is everything about ZoneAlarm by Check Point.

Before we get to the ZoneAlarm tests, guides and forensic reports (my favourite part of it), it will be best to get familiar with what's inside ZoneAlarm.

ZoneAlarm is a rebrand of Check Point Harmony Endpoint (previously SandBlast Agent) which includes few components, called "blades".
The following blades are used in ZoneAlarm Extreme Secuity NextGen:

• Anti-Malware: This is standard, heuristics(mainly), signatures and generic detections provided by Sophos (Sophos AntiVirus Interface or SAVI) AV. This blade provides online and offline protection against known and unknown threats. Also detects malware targeting other platforms (Linux, MacOS and Android) and provides unarchiving abilities as well as True File Type parser that will insect fie properties such as Magic Bytes to determine the real format. The Sophos behavioural genotype by itself relies on Dynamic Analyses. Additional Link

• Static Analysis or NextGen AV (proprietary): examines attributes of executable files to detect *somewhat* unknown threats without having signatures created. The assumption that such engines always detect unknow threats is wrong, they still have to be trained before they can do so. Static analysis has limited (second to none) effectiveness on packers as well (these will be better covered by Sophos dynamic analysis as well as Behavioural Guard). In ZoneAlarm, only high confidence detections from static analysis are treated to minimise false positives.
• File Reputation Engine powered by ThreatCloud. Provides reputation lookups based on hashes (I am still trying to find out the formats supported). Includes feeds from third parties such as Kaspersky and Cisco Talos as well as propriatery feeds from crawlers, in-product telemetry and the Check Point Research. Also includes proprietary signatures. The Kaspersky, Cisco Talos and proprietary signatures can frequently be seen in the forensic reports (sometimes there are multiple detections). File reputation engine uses local cache to minimise look-ups.
• Behavioural Guard, Forensics, Anti-Bot, Anti-Exploit and Anti-Ransomware blades: Monitor all system events (file, registry, network-related) to record, classify and reverse malicious behaviour. Detailed forensic reports are generated such as the one here. The same report is generated by ZoneAlarm as well, we'll get to it soon.
• Threat Emulation and Threat Extraction (also known as Content Disarm and Reconstruct/CDR): This component is very actively developed, see release notes. It captures files and archives downloaded through browser or saved through email clients and sends them for emulation. Check Point emulation is highly resistant to evasion (they have a tool that scans for VM artefacts as well as articles focused on VM evasion. Threat emulation supports over 70 file types (up to 15MB), including executables, java apps, documents and scripts. Documents are automatically cleaned from any executable content (macros, ole objects and others). They are also scanned for suspicious links. Threat emulation severely boosts security where it is needed and works even without the extension if downloads are saved in Downloads or Desktop folders. Introducing malware through other methods (not via download or email attachments) will result in decreased effectiveness as files will not be emulated. Hopefully the right click to emulate that was in ZA before will be back.
• Threat emulation generates detailed reports such as the one here (available in ZA as well): Threat Details Report
• Malware DNA is used to provide rich context.

Useful resources:
ZoneAlarm Release notes
Check Point Research
ZoneAlarm Trial Downloads
Check Point engines release notes (used in ZA)
ZoneAlarm license valid for quite some time: 845DGV

The thread will be updated with more content when available.

@Trident What do you know about their Linux version?

 

[Trident]

@Trident What do you know about their Linux version?

Their Linux version of Harmony Endpoint includes Anti-Malware (Sophos), Behavioural Guard and Threat Hunting (you can search manually for IoCs and other signs of active infection. It is actively maintained and developed but I’ve not tested it.

ZoneAlarm is not offered for Linux.

 

[Sandbox Breaker]

Their Linux version of Harmony Endpoint includes Anti-Malware (Sophos), Behavioural Guard and Threat Hunting (you can search manually for IoCs and other signs of active infection. It is actively maintained and developed but I’ve not tested it.

ZoneAlarm is not offered for Linux.

Looks like clam av processes on the server I have it installed on.

 

[Trident]

Looks like clam av processes on the server I have it installed on.

They most likely use ClamAV to run custom Yara rules on Linux. I haven’t got Linux installed anywhere to inspect it properly. It never works with any of my devices and for business I wouldn’t even think about dealing with that. Are you able to find the Sophos database? They should be storing it somewhere.

 

[kev7]

hi, is it possible to try checkpoint Harmony endpoint trial would that be ok for a home user?

 

[Trident]

hi, is it possible to try checkpoint Harmony endpoint trial would that be ok for a home user?

It will be OK. If you have any questions about Harmony Endpoint, I will create a thread related to Harmony.

Harmony Endpoint (SandBlast Agent) Free Trial | Endpoint Security | Check Point Software

Harmony Endpoint (formerly SandBlast Agent) is a complete EPP and EDR solution built to prevent the most imminent threats to the endpoint, while quickly minimizing breach impact with autonomous detection and response.

pages.checkpoint.com

Update: the thread is now created.

Serious Discussion - Harmony Endpoint by Check Point

This thread is for posts related to Check Point Harmony. Harmony Endpoint Trial: https://pages.checkpoint.com/harmony-endpoint-trial.html What's included in Check Point Harmony Endpoint? Check Point Harmony Endpoint comes in few editions. Features will be compared first and then we will have...

malwaretips.com

 

[kev7]

hi is it had to set up and does it also include the threat Emulation what other features does it contain please thank you very much

 

[Razza]

I've been tested ZA in a vm for last week or so, not noticed any major issues, a minor issue if you download a malicious file it seem to take ages before the pop up saying it was blocked the easy way is to use a file that you know that will detected if you try to download eicar_com.zip on my vm it take over 15s for the notification not sure if ZA or Chrome that causing the delay.

 

[Trident]

I've been tested ZA in a vm for last week or so, not noticed any major issues, a minor issue if you download a malicious file it seem to take ages before the pop up saying it was blocked the easy way is to use a file that you know that will detected if you try to download eicar_com.zip on my vm it take over 15s for the notification not sure if ZA or Chrome that causing the delay.

The incident remediation and investigation, and forensic report generation cause the delay. Notification appears once everything is done.

 

[Decopi]

I've been tested ZA in a vm for last week or so, not noticed any major issues, a minor issue if you download a malicious file it seem to take ages before the pop up saying it was blocked the easy way is to use a file that you know that will detected if you try to download eicar_com.zip on my vm it take over 15s for the notification not sure if ZA or Chrome that causing the delay.

Please, feel free to share more details about your test.
Even better, it'll be amazing if you can share a video. It doesn't need to be fancy, with music, edited etc. It'll be enough a simple raw video, showing your test. Thanks in advance.

 

[Razza]

The incident remediation and investigation, and forensic report generation cause the delay. Notification appears once everything is done.

I forgot about the reports might be been the delay, the forensic report are quite detailed wonder if ZA is going to remove the forensic report from the product at some stage since it not a feature you normally find in a non endpoint product.

 

[Trident]

I forgot about the reports might be been the delay, the forensic report are quite detailed wonder if ZA is going to remove the forensic report from the product at some stage since it not a feature you normally find in a non endpoint product.

I hope they won't, I will cry if they do
I suggested to display them for home users. We'll see.

 

[Razza]

Please, feel free to share more details about your test.
Even better, it'll be amazing if you can share a video. It doesn't need to be fancy, with music, edited etc. It'll be enough a simple raw video, showing your test. Thanks in advance.

it wasn't a test as such it was just a observation, it seem very slow for the notification, @Trident answered the most likely cause of the delay.