[Serious Discussion] ZoneAlarm by Check Point Info, Guides, Tests

Trident
It wasn't a test as such, it was just an observation; it seemed very slow with the notification. @Trident answered the most likely cause of the delay.
I have observed it, that's how I know. Once you download malware, the forensic service is active. It passes parameters to the remediation service so then that becomes active (this service will be merged with the rest soon). Finally, when the forensic report is saved and there is no more activity, the notification appears.

Daily dose of testing:

I downloaded one safe (suspicious in nature) file to see if it would be flagged as an FP. It wasn't.

I tested Webroot just now; it took about 10 minutes to get the system infected 😅
 

Trident
It took that long? 😮
I was a bit gentle to it in the beginning 😀
It removed some dropped/downloaded malware.
Then I lost interest in this. About 7-8 infections were merrily running with heuristics set to max. So tweaking this and that doesn't always help.
In the Webroot case, with tweaks and without, it's just bad. And they are selling it for £65.

I’m getting my ZoneAlarm back now.

Apparently the Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully), Sophos detected malware.


Additional script test (malicious document not emulated or cleaned, downloaded during the Webroot time)


Btw, this is how I like tests: with a few samples every day so I can pick and understand them; otherwise too many samples at once is not as effective a test.
 

simmerskool
I've been testing ZA in a VM for the last week or so and not noticed any major issues. A minor issue: if you download a malicious file, it seems to take ages before the pop-up saying it was blocked. The easy way is to use a file that you know will be detected; if you try to download eicar_com.zip on my VM, it takes over 15s for the notification. Not sure if it's ZA or Chrome that's causing the delay.
I've been using ZA in a VM too for about a week. I have not tried to intentionally DL malware, but for the files I have downloaded, I seem to get a quick response from ZA that they are good.
 

Trident
Webroot is a pretty rubbish product; WD would probably survive longer.
Btw, I didn't check and I should have: does Webroot plug into AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have an AMSI provider built in? Or @Kongo @Decopi @Shadowra
 
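A defender's way to answer the AMSI question raised above, as an added example that is not from anyone in this thread: Windows registers AMSI providers by CLSID under HKLM\SOFTWARE\Microsoft\AMSI\Providers, so enumerating that key on the test VM and resolving each CLSID through HKLM\SOFTWARE\Classes\CLSID shows which installed product (if any) registered itself as a provider. The function name Get-AmsiProvider is my own choice; run it in an elevated PowerShell session.

```powershell
# Added example: list the AMSI providers registered on this Windows host.
# Each subkey of HKLM\SOFTWARE\Microsoft\AMSI\Providers is named after the
# provider's COM CLSID; the friendly name and DLL path live under
# HKLM\SOFTWARE\Classes\CLSID\{CLSID} and its InprocServer32 subkey.
function Get-AmsiProvider {
    $providersKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $providersKey)) {
        Write-Warning "No AMSI provider key found at $providersKey"
        return
    }
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $clsid    = $_.PSChildName
        $clsidKey = "HKLM:\SOFTWARE\Classes\CLSID\$clsid"
        # '(default)' holds the registered display name and DLL path.
        $name = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "$clsidKey\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{
            CLSID = $clsid
            Name  = $name
            Dll   = $dll
            # A provider whose DLL is missing on disk is registered but cannot be loaded.
            DllPresent = if ($dll) { Test-Path ([Environment]::ExpandEnvironmentVariables($dll)) } else { $false }
        }
    }
}

# Usage: Windows Defender normally appears here; a third-party AV that
# plugs into AMSI shows up as an additional row.
Get-AmsiProvider | Format-Table -AutoSize
```

An empty list (or only the Defender entry) after installing a product is a strong hint that it does not hook script and PowerShell content through AMSI, whatever its marketing says.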

Kongo
Btw, I didn't check and I should have: does Webroot plug into AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have an AMSI provider built in? Or @Kongo @Decopi @Shadowra
Absolutely no idea, sorry. I didn't check out Webroot for quite a while...
 

Trident
Absolutely no idea, sorry. I didn't check out Webroot for quite a while...
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton and Bitdefender, and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar; they are the sun and the moon. That's a good sign.
 

Kongo
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton and Bitdefender, and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar; they are the sun and the moon. That's a good sign.
The latest big new feature I recall was the "Evasion Shield" to block script-based attacks. Maybe you can find something about AMSI in their articles.
 

Trident
The latest big new feature I recall was the "Evasion Shield" to block script-based attacks. Maybe you can find something about AMSI in their articles.
That shield is not in home products though, and the Foreign Code Shield is absent as well. I'm also not sure if they block connections system-wide (anti-bot). I didn't see any evidence that they do.
 

Decopi
Btw, I didn't check and I should have: does Webroot plug into AMSI at all? On executables they are so-so, leaning towards OK. But it seems like Webroot totally forgot there are other malware formats as well. Do you know if they have an AMSI provider built in? Or @Kongo @Decopi @Shadowra

AFAIK, Webroot always talked about "enhancing" (complementing or expanding) AMSI capabilities... but TBH, I don't think Webroot is integrated with AMSI... I don't remember seeing an option inside Webroot to enable AMSI integration (as other security software usually has)... I also never read about Webroot being fully integrated with AMSI.
 

Trident
AFAIK, Webroot always talked about "enhancing" (complementing or expanding) AMSI capabilities... but TBH, I don't think Webroot is integrated with AMSI... I don't remember seeing an option inside Webroot to enable AMSI integration (as other security software usually has)... I also never read about Webroot being fully integrated with AMSI.
Very weird... I've never seen anyone completely ignoring fileless malware in home solutions. I mean, fair enough, nobody will start performing targeted attacks against them, but if you have an "Evasion Shield" then why should it be absent from home software... you never know what users will download.

Btw, that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add this in the post above. Only on Harmony Endpoint can this setting be changed to get trusted files deleted and not just terminated.

Sample detected by Deep Instinct on VirusTotal for a few days now. Still not detected by static AI on my system. 😌
Experimental models they said... this file is very evasive... it can easily slip past many defenses.
 

Razza
I was curious to see in which class ZoneAlarm falls. So in the coming days I will compare it to Norton and Bitdefender, and I wanted to compare it to Webroot as well (as they are both not the most major). Definitely Webroot and ZoneAlarm are not similar; they are the sun and the moon. That's a good sign.
That will be an interesting comparison. If you have extra time, any chance you can add Avast to the mix? In my limited testing Avast is very effective, and quite a number of the inflated files I've tested Avast seems to detect before execution.
 

Trident
That will be an interesting comparison. If you have extra time, any chance you can add Avast to the mix? In my limited testing Avast is very effective, and quite a number of the inflated files I've tested Avast seems to detect before execution.
These inflated files in ZoneAlarm are handled by Behavioural Guard. There is one test from yesterday, but many refuse to run when ZoneAlarm is installed and just terminate. Not sure if they are deterred by "forensics" being in one of the process names or by something else. The ones that run (PrivateLoader by CozyBear, I am talking about) download quite a lot of stuff, including Amadey stealer, and it is all detected. ZoneAlarm, like Defender and many others, has a scan limit (in Harmony it can be uplifted). Though boosting the limit is useless: Microsoft increased their scan limit from 700 MB to over a gigabyte, and they now inflate them to 1.2 GB and they are not scanned again. The Avast engine is better suited to these.
 

Decopi
Apparently the Sophos engine is capable of handling password-protected zips. In the files used to test Webroot (less than successfully), Sophos detected malware.

@Trident, please allow me some simple questions from my very ignorant side:

1. If the Sophos engine is capable of handling password-protected zips, can we infer that ZAESNG, being based on the Sophos engine, is capable of doing the same? Or not necessarily? Does being based on the Sophos and Kaspersky engines mean having the same capabilities as the Sophos and Kaspersky engines have?

2. Here in this thread, are you always using ZAESNG in your tests? Or do you sometimes use Harmony Endpoint?

3. Are your attached forensic images from Harmony Endpoint? Or from your ZAESNG at C:/Program Data/Check Point/Endpoint Security/Threat Emulation/Reports?

Btw, this is how I like tests: with a few samples every day so I can pick and understand them; otherwise too many samples at once is not as effective a test.

Yeah, it's another great way to test. Besides giving you a full and better comprehension, a few samples every day also offer high-quality tests because they reflect zero-day attack responses, or at least reflect the latest protection capabilities against recent pests.

Btw, that stealer is signed. Under default policy ZA and Harmony Endpoint terminate trusted files but don't delete them (the original file remained on the system). This is why it may look like ZoneAlarm didn't do anything... coupled with the slow message that takes time to appear... I forgot to add this in the post above. Only on Harmony Endpoint can this setting be changed to get trusted files deleted and not just terminated.

4. What about connections? Sorry to ask, it's not totally clear to me: "terminate" means that the stealer started (and only then was terminated). So it sounds like the stealer wasn't stopped or blocked from running. If that is the case, did the stealer manage to make any connections? Or did the stealer never run at all, nor succeed in making connections, etc.?
