Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Razza said:
it wasn't a test as such it was just a observation, it seem very slow for the notification, @Trident answered the most likely cause of the delay.
Click to expand...
I have observed it, that’s how I know. Once you download malware, the forensic service is active. It passes parameters to the remediation service so then that becomes active (this service will be merged with the rest soon). Finally when the forensic report is saved and there is no more activity, the notification appears.

Daily dose of testing:
1686492986354.png

I downloaded one safe (suspicious in nature file) to see if it will be flagged as FP. It wasn't.

VirusTotal

VirusTotal
www.virustotal.com www.virustotal.com
1686493168513.png

1686493415481.png


I tested Webroot just now, took about 10 minutes to get the system infected 😅
 
  • Like
  • Wow
  • Thanks
Reactions: Nevi, Sorrento, Moonhorse and 5 others
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Kongo said:
It took that long? 😮
Click to expand...
I was a bit gentle to it in the beginning 😀
It removed some dropped/downloaded malware.
Then I got uninterested in this anymore. About 7-8 infections were merrily running with heuristics set to max. So not always tweaking this and that helps.
In the Webroot case with tweaks and without, it’s just bad. And they are selling it for £65.

I’m getting my ZoneAlarm back now.

Apparently Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully) Sophos detected malware.

Detailed Analysis - Mal/DrodZp-A - Viruses and Spyware - Erkennen und Entfernen von Web-Bedrohungen, Viren und Spyware | Sophos - Threat Center

www.sophos.com www.sophos.com
1686500440923.png


Additional script test (malicious document not emulated or cleaned, downloaded during the webroot time)

1686501376792.png
1686501399895.png
1686501431285.png
1686501483934.png
1686501513699.png
1686501549831.png
1686501593453.png


Btw this is how I like tests, with few samples every day so I can pick and understand them, otherwise too many samples at one is not as effective test.
 
  • Like
  • Applause
Reactions: Nevi, Sorrento, roger_m and 2 others
simmerskool

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
Razza said:
I've been tested ZA in a vm for last week or so, not noticed any major issues, a minor issue if you download a malicious file it seem to take ages before the pop up saying it was blocked the easy way is to use a file that you know that will detected if you try to download eicar_com.zip on my vm it take over 15s for the notification not sure if ZA or Chrome that causing the delay.
Click to expand...
I've been using ZA in VM too for about a week. Have not tried to intentionally DL malware, but the files I have downloaded, I seem to get a quick response from ZA that they are good.
 
  • Like
Reactions: Sorrento and Trident
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Razza said:
Webroot is a pretty rubbish product, WD probably survive longer
Click to expand...
Btw I didn't check and I should have, does webroot plug into the AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have AMSI provider built-in? or @Kongo @Decopi @Shadowra
 
  • Like
Reactions: Sorrento, Kongo and simmerskool
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,504
Trident said:
Btw I didn't check and I should have, does webroot plug into the AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have AMSI provider built-in? or @Kongo @Decopi @Shadowra
Click to expand...
Absolutely no idea, sorry. I didn't check out Webroot for quite a while...
 
  • Like
Reactions: Nevi, Sorrento, simmerskool and 1 other person
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Kongo said:
Absolutely no idea, sorry. I didn't check out Webroot for quite a while...
Click to expand...
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton, Bitdefender and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar, they are the sun and the moon. That's a good sign.
 
  • Like
Reactions: Nevi, Sorrento, simmerskool and 2 others
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,504
Trident said:
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton, Bitdefender and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar, they are the sun and the moon. That's a good sign.
Click to expand...
The latest big new feature I recall was the "Evasion Shield" to block script-based attacks. Maybe you find something about AMSI in their articles
 
  • Like
Reactions: Sorrento, simmerskool and Trident
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Kongo said:
The latest big new feature I recall was the "Evasion Shield" to block script-based attacks. Maybe you find something about AMSI in their articles
Click to expand...
That shield is not in home products though and the foreign code shield is absent as well. Not sure also if they block connections system-wide (anti-bot). I didn't see any evidence that they do.
 
  • Like
  • Wow
Reactions: Sorrento, simmerskool and Kongo
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
  • Like
  • Thanks
Reactions: Sorrento, simmerskool, Decopi and 1 other person
D

Decopi

Level 6
Verified
Oct 29, 2017
252
Trident said:
Btw I didn't check and I should have, does webroot plug into the AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have AMSI provider built-in? or @Kongo @Decopi @Shadowra
Click to expand...

AFAIK, Webroot always talked about "enhancing" (complementing or expanding) AMSI capabilities... but TBH, I don't think Webroot is integrated to AMSI... I don't remember to see an option inside Webroot to enable AMSI intergration (as other security software use to have)... I also never read about Webroot fully integrated with AMSI.
 
  • Like
Reactions: Sorrento, simmerskool, Kongo and 1 other person
Kongo

Kongo

Level 36
Verified
Top Poster
Well-known
Feb 25, 2017
2,504
  • Like
  • Wow
Reactions: Sorrento, simmerskool and Trident
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Decopi said:
AFAIK, Webroot always talked about "enhancing" (complementing or expanding) AMSI capabilities... but TBH, I don't think Webroot is integrated to AMSI... I don't remember to see an option inside Webroot to enable AMSI intergration (as other security software use to have)... I also never read about Webroot fully integrated with AMSI.
Click to expand...
Very weird... I've never seen anyone completely ignoring fileless malware in home solutions. I mean fair enough, nobody will start performing targeted attacks against them but if you have "evasion shield" then why should it be absent from home software... you never know what users will download.

Btw that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add in the post above. Only on Harmony Endpoint this setting can be changed to get trusted files deleted and not just terminated.

Kongo said:
Sample detected by Deep Instinct on VirusTotal for a few days now. Still not detected by static AI on my system. 😌
Click to expand...
Experimental models they said... this file is very evasive... it can easily slip past many defenses.
 
  • Like
  • +Reputation
Reactions: Nevi, Sorrento, simmerskool and 2 others
Razza

Razza

Level 4
Verified
Well-known
Aug 12, 2014
163
Trident said:
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton, Bitdefender and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar, they are the sun and the moon. That's a good sign.
Click to expand...
That will be a interesting comparison, if you got extra time any chance you can add Avast to the mix, my limited testing Avast is very effective and quite a number of inflated files I've tested Avast seem to detect them before execution.
 
  • Like
Reactions: Nevi, Sorrento, simmerskool and 1 other person
Trident

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
Razza said:
That will be a interesting comparison, if you got extra time any chance you can add Avast to the mix, my limited testing Avast is very effective and quite a number of inflated files I've tested Avast seem to detect them before execution.
Click to expand...
These inflated files in ZoneAlarm are handled by Behavioural Guard, there is one test from yesterday but many refuse to run when ZoneAlarm is installed and just terminate. Not sure if they are deterred by "forensics" that's in one of the processes name or something else. The ones that run (PrivateLoader by CozyBear I am talking about) download quite a lot of stuff including Amadey stealer and it is all detected. ZoneAlarm like Defender and many others has a scan limit (in Harmony it can be uplifted). Though boosting the limit is useless. Microsoft increased their scan limit from 700 MB to over a gigabyte and they now inflate them to 1.2 GB and they are not scanned again. Avast engine is better suited to these.
 
  • Like
Reactions: Sorrento, simmerskool and Razza
D

Decopi

Level 6
Verified
Oct 29, 2017
252
Trident said:
Apparently Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully) Sophos detected malware.

Detailed Analysis - Mal/DrodZp-A - Viruses and Spyware - Erkennen und Entfernen von Web-Bedrohungen, Viren und Spyware | Sophos - Threat Center

www.sophos.com www.sophos.com
View attachment 276073
Click to expand...

@Trident , please allow me simple questions from my very ignorant side:

1. If Sophos engine is capable of handling password-protected zips, can we infer that ZAESNG based on Sophos engine is capable to do the same? Or not necessarily? To be based on a Sophos and Kaspersky engine means to have same capabilities as Sophos and Kasperky engines have?

2. Here in this thread, are you always using ZAESNG in your tests? Or sometimes you use Harmony EndPoint?

3. Your attached forensic images are from Harmony EndPoint? Or from your ZAESNG at C:/Program Data/Check Point/Endpoint Security/Threat Emulation/Reports?

Trident said:
Btw this is how I like tests, with few samples every day so I can pick and understand them, otherwise too many samples at one is not as effective test.
Click to expand...

Yeah, it's another great way to test. Besides the fact of giving you a full and better comprehension, few samples every day also offer high quality tests because reflect zero-day-attack responses or at least reflect latest pest protection capabilities.

Trident said:
Btw that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add in the post above. Only on Harmony Endpoint this setting can be changed to get trusted files deleted and not just terminated.
Click to expand...

4. What about connections? Sorry to ask, it's not totally clear to me, "terminate" means that the stealer started (and only then was terminated). So, it sounds that the stealer wasn't stopped or blocked to run. If that is the case, did the stealer manage to make any connections? Or the stealer never ran at all, nor succeeded to make connections etc?
 
Last edited:
  • Like
  • Applause
Reactions: Sorrento, simmerskool and Trident

Similar threads

Trident
    • Like
    • +Reputation
    • Hundred Points
Serious Discussion Harmony Endpoint by Check Point
Replies
677
Views
45,286
Other security for Windows, Mac, Linux
Sandbox Breaker
Sandbox Breaker
Trident
    • Like
    • Hundred Points
    • Applause
New Update Harmony Endpoint Release Notes and Roadmaps
Replies
56
Views
6,744
Other security for Windows, Mac, Linux
Trident
Trident
Trident
    • Like
    • Thanks
New Update ZoneAlarm Extreme Security NextGen Release Notes
Replies
5
Views
1,493
Other security for Windows, Mac, Linux
simmerskool
simmerskool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top