Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
How is Avast more suited I take Avast doesn't have size limit?
Avast, Avira and Bitdefender are fundamentally different engines consisting of more signatures, generic detections and to some extent heuristics. Signatures contain instructions (rules) looking like "from byte x to byte y look for z". Hence they don't need to have a limit at all. Avast uses an arsenal of machine learning and static analysis at runtime as well as on their cloud.
Norton, Defender, Sophos and many others are engines based primarily on static analysis. Such engines need to have a limit for performance reason. They both have advantages and disadvantages.
1. If Sophos engine is capable of handling password-protected zips, can we infer that ZAESNG based on Sophos engine is capable to do the same? Or not necessarily? To be based on a Sophos and Kaspersky engine means to have same capabilities as Sophos and Kasperky engines have?
They use Sophos locally and have all capabilities of their SDK. In addition, threat emulation can capture passwords for zips in emails and uses a dictionary of passwords that attackers commonly may use. This dictionary includes "infected". Downloading malware from various places results in successful block before you even take the file out of the archive.
Kaspersky provides only feeds, once they come across something, they send the hash to ThreatCloud. This is like a more effective and advanced Panda Cloud Antivirus built-in to ZA together with all other technologies.
2. Here in this thread, are you always using ZAESNG in your tests? Or sometimes you use Harmony EndPoint?
I always use ZA. Harmony Endpoint is on another system, I am testing it before I become a business customer. These reports are from ZA saved in the directory you mentioned, I go and open from there.
What about connections? Sorry to ask, it's not totally clear to me, "terminate" means that the stealer started
Terminate means the process was suspended immediately together with all connections. But the file wasn't deleted because it is signed. In Harmony Endpoint this can be changed (all files related to an attack can be deleted) but in some cases it can cause issues. For example if you have an abused driver, instead of just suspending the attack, it will delete the driver too. You will have to reinstall it then.
For exploits, Harmony and ZA always just end the process without deletion. Meaning if you have vulnerable VLC and a malicious video file, the attack will be suspended but neither the file (you are welcome to delete it manually) nor the VLC player will be deleted (you as admin are welcome to look for updated version).
 
Last edited:

kamiloxf

Level 1
Apr 3, 2016
36
Sample detected by Deep Instinct on VirusTotal for a few days now. Still not detected by static AI on my system. 😌
For me, Static AI blocked this file a moment after unpacking
 

Attachments

  • chrome_5EQTMRuo0c.png
    chrome_5EQTMRuo0c.png
    11.8 KB · Views: 181

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
ZA/ESNG snafu with Windows Security Center, I think I may have mentioned this "error" before... win10 WSC reports that both windows_defender_firewall AND ZA firewall are off but ZA app shows its firewall is green and ON. If I was ZA / Checkpoint that would be an error that I would quickly fix as it erodes confidence in ZA.
 

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
ZA/ESNG snafu with Windows Security Center, I think I may have mentioned this "error" before... win10 WSC reports that both windows_defender_firewall AND ZA firewall are off but ZA app shows its firewall is green and ON. If I was ZA / Checkpoint that would be an error that I would quickly fix as it erodes confidence in ZA.
The error is presented in ZoneAlarm, yes. It is scheduled to be fixed with the next build. Check Point products receive updates almost every month, the engines are far newer (86.80 is the recommended because it has few hotfixes, 87.30 is the latest). In ZoneAlarm the engines are 86.67.19.
 

NormanF

Level 9
Verified
Jan 11, 2018
404
The error is presented in ZoneAlarm, yes. It is scheduled to be fixed with the next build. Check Point products receive updates almost every month, the engines are far newer (86.80 is the recommended because it has few hotfixes, 87.30 is the latest). In ZoneAlarm the engines are 86.67.19.

The separate firewall in ZoneAlarm Home is removed in Harmony. It has a firewall/application control but it doesn't replace Windows Firewall.
 
  • Like
Reactions: simmerskool

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779
The separate firewall in ZoneAlarm Home is removed in Harmony. It has a firewall/application control but it doesn't replace Windows Firewall.
also the Harmony firewall /app control is not a default deployment, so still learning, but I think it then requires an edited deployment policy.
 
  • Like
Reactions: flaubert1971

NormanF

Level 9
Verified
Jan 11, 2018
404
also the Harmony firewall /app control is not a default deployment, so still learning, but I think it then requires an edited deployment policy.

Its shown as on in the client but Windows Security reports the firewall is still being run by Windows. The AV on the other is managed by Checkpoint Anti Malware.
 
  • Like
Reactions: simmerskool

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

1687108203453.png
1687108238648.png


Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)
 

NormanF

Level 9
Verified
Jan 11, 2018
404
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

View attachment 276260View attachment 276261

Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)

I couldn't find out where to download the appscan tool on the site to set up the application control. They do give instruction on how to upload the completed appscan xml file from your C: drive.
 
  • Like
Reactions: simmerskool

NormanF

Level 9
Verified
Jan 11, 2018
404
Program Control on Harmony Endpoint is very powerful, not sure how it will be implemented in ZoneAlarm.
Note: Program Control on HEP requires that AppScan is used first. More information is available in the admin guide.

View attachment 276260View attachment 276261

Program Control has the following abilities in HEP:
-Allow (do nothing)
-Block connection, allow app to run offline
-Terminate application upon attempt to go online
-Terminate Application upon execution (unable to launch, very suitable for LOtLBins)

Speaking of ZA, its NextGen Free Firewall remains unavailable for Windows 11 despite its release earlier this year.
 
  • Like
Reactions: simmerskool

simmerskool

Level 38
Verified
Top Poster
Well-known
Apr 16, 2017
2,779

Trident

Level 34
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
golly, I missed one, but since I'm currently running checkpoint harmony it should have blocked the one I missed...
I got all of them right 😀
I like the UX of this campaign, I wonder if rebranding is coming soon. Check Point got rebranding last year and since then it looks very fresh and modern. There are nice animations across the whole portal. Their logo is a bit similar to Symantec though. But then again, Symantec has always been an inspiration for many. Kaspersky almost completely copied their Insight system together with the UX and GData had copied their CPU monitor before.

IMG_1651.png
 

Decopi

Level 8
Verified
Oct 29, 2017
361
New: ZoneAlarm Phishing Quiz

Trying to identify phishing by reading webpage or email content... can be misleading. Specially because modern phishing webpages/emails have perfect icons, texts, graphics etc. Not to mention that nowadays even ChatGPT is being used to write phishing texts.

IMHO the best way to identify phishing is by mouse-hovering links = paying attention to web addresses. It's not a perfect method, but helps to identify 90% of phishing.
Unfortunately this ZA test does not allow to do that with the links.

The bad news is that (IMHO) I don't think Average Joe is able to identify phishing by text nor by checking the links. Most Average Joes are compulsive mouse-clickers, they click everything without reading.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top