Serious Discussion ZoneAlarm by Check Point Info, Guides, Tests

Decopi

Level 6
Verified
Oct 29, 2017
252
I started to retest ZAESNG:
Version number: 4.2.121.19549
Anti-Ransomware: 4.2.77.19549
Antivirus version: 3.85
Signature version: 202307121001
Engine version: 86.72.12
Firewall version: 8.68.72.3
Anti-Bot version: 8.68.72.14

Definitely the App Control is a step forward.
However, the default seems to be "allow all", and the user needs to deny manually. I don't like it. But ZA can easily improve that if they add a simple general "allow all", "deny all" and "automatic". Also, it'd be nice if ZA added another option, allowing the user (manually) to choose in advance which apps are going to be allowed/blocked.

The Firewall control improvement is also positive.
However, IMHO, it's wrong to mix App Control with Firewall, mainly because firewall functions are not restricted to apps!
IMHO, Firewall control should be separated (allowing the user to control not only apps, but also any other connection).
And again, the App Control default seems to be "allow all", therefore the Firewall default seems to be "allow all" too... and that's bad!

I don't think ZA designed a bad App + Firewall Control because they want to keep the minimalist layout. I remember that WiseVector had separate controls for Apps and Firewall, and both worked like a charm. And WiseVector was minimalist. So, I think ZA still needs to improve both App Control and Firewall. The current App Control is not adding security layers. And the current Firewall Control, the same. I don't think both controls need a lot of improvements, but I do believe both need to be separated, and both need small improvements.

Changing subject, the RAM consumption dropped a lot, around -35% compared to the version from two months ago.
But the Beta version is a little unstable and has small bugs.

This weekend I'll try to test some malware samples against this new ZA version.
But at first glance, I like to see that ZA is working, I recognize progress, new features, and I hope ZA will keep adding new improvements.

PS: I sent them a message sharing with them my impressions.

Sandbox Breaker

Level 9
Verified
Well-known
Jan 6, 2022
435
I started to retest ZAESNG:
Version number: 4.2.121.19549
Anti-Ransomware: 4.2.77.19549
Antivirus version: 3.85
Signature version: 202307121001
Engine version: 86.72.12
Firewall version: 8.68.72.3
Anti-Bot version: 8.68.72.14

Definitely the App Control is a step forward.
However, the default seems to be "allow all", and the user needs to deny manually. I don't like it. But ZA can easily improve that if they add a simple general "allow all", "deny all" and "automatic". Also, it'd be nice if ZA added another option, allowing the user (manually) to choose in advance which apps are going to be allowed/blocked.

The Firewall control improvement is also positive.
However, IMHO, it's wrong to mix App Control with Firewall, mainly because firewall functions are not restricted to apps!
IMHO, Firewall control should be separated (allowing the user to control not only apps, but also any other connection).
And again, the App Control default seems to be "allow all", therefore the Firewall default seems to be "allow all" too... and that's bad!

I don't think ZA designed a bad App + Firewall Control because they want to keep the minimalist layout. I remember that WiseVector had separate controls for Apps and Firewall, and both worked like a charm. And WiseVector was minimalist. So, I think ZA still needs to improve both App Control and Firewall. The current App Control is not adding security layers. And the current Firewall Control, the same. I don't think both controls need a lot of improvements, but I do believe both need to be separated, and both need small improvements.

Changing subject, the RAM consumption dropped a lot, around -35% compared to the version from two months ago.
But the Beta version is a little unstable and has small bugs.

This weekend I'll try to test some malware samples against this new ZA version.
But at first glance, I like to see that ZA is working, I recognize progress, new features, and I hope ZA will keep adding new improvements.

PS: I sent them a message sharing with them my impressions.
They need intelligent execution control like Kaspersky, VoodooShield and others. I can't wait.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
@Decopi in my opinion Application Control is just where it belongs: part of the firewall. It is the firewall's job to manage connections. The firewall already applies a series of rules. It has a few allow rules, and the last one is called the “Cleanup Rule”, where all traffic not allowed goes and is blocked. The application control takes care of limiting the apps. Together, they ensure that connections not desired by the user and not needed are not initiated.

What must be done from here:
-I believe the firewall should automatically apply blocks to apps not classified as safe (the Check Point ThreatCloud network knows what’s safe and what’s not).
-Perhaps a user prompt so the user can decide.
-Option to terminate apps, not just to block their connection (that’s in Harmony Endpoint).
-Option to add apps in advance (as mentioned by Decopi).

Nevertheless, app control indeed is a positive improvement. Also, I hope before final release, engines will be updated to 86.80 as well and not 86.72.
 

Decopi

Level 6
Verified
Oct 29, 2017
252
@Decopi in my opinion Application Control is just where it belongs: part of the firewall. It is the firewall's job to manage connections.

I can imagine a scenario, where ZA says: "Let's build the most minimalist software, where almost everything behaves automatically".
In this scenario, App Control and Firewall Control really are not needed as part of the UI. As you perfectly explained here:

The firewall already applies a series of rules. It has a few allow rules, and the last one is called the “Cleanup Rule”, where all traffic not allowed goes and is blocked. The application control takes care of limiting the apps. Together, they ensure that connections not desired by the user and not needed are not initiated.

And ZA and you are right! This can be one scenario; it's totally valid and depends on ZA's approach.

So, why don't I like it?
Because this approach will work only for a "safe-list"... made by ZA. And "safe-lists" are useful, and they help! But in a zero-day-attack scenario, software should never trust "safe-lists".
Important to remind that I like the minimalist approach! I just never liked the "too minimalist ZA" approach. I don't feel comfortable with the:
a. Check a safe-list
b. "Allow all" (that is on the safe-list)
In short: if ZA's approach is based on "safe-list => Allow All"... then the current App Control/Firewall Control is almost useless, because users can block only stuff under ZA's "safe-list". This ZA approach is not adding security; it adds only a small degree of administrative control for safe-listed stuff.

Again, I grant you that ZA's approach will work for Average Joes; they're going to be happy with automatic software, silent, with no decisions needing to be taken by Average Joe.
But personally, I don't like it, I don't feel comfortable (with the "a." above). And I believe that small improvements can make the current App Control + Firewall Control much more powerful. If ZA already took the effort to create a small UI for App Control + Firewall Control, then now another small step will make it very powerful.

What must be done from here:
-I believe the firewall should automatically apply blocks to apps not classified as safe (the Check Point ThreatCloud network knows what’s safe and what’s not).
-Perhaps a user prompt so the user can decide.
-Option to terminate apps, not just to block their connection (that’s in Harmony Endpoint).
-Option to add apps in advance (as mentioned by Decopi).

Nevertheless, app control indeed is a positive improvement. Also, I hope before final release, engines will be updated to 86.80 as well and not 86.72.

Now you're talking! Hell, yeah! 🤣

ZA can keep the current approach! I'm not talking about structural changes. I'm talking about "complements", small further steps, for example:

1. App and Firewall with separate UI controls. A unified alternative might be a Firewall Control with the option of terminating processes.

2. As @Trident said, ZA can keep the current approach, but can offer a kind of "Advanced Options":
2.1 General options ("Block All", "Allow All", "Automatic", "Manual") for both the App Controls and the Firewall Controls.
2.2 The "Manual" option should allow users to block any connection + any process, not just known or safe apps.
2.3 The "Manual" option is not quiet/silent; it needs the @Trident suggestion "user prompt => user can decide".

In short, if Average Joe wants a silent ZAESNG, he can choose the "Automatic" option (based on ZA's safe-list + a few logical rules). This Joe will need to trust ZA, but he'll gain silent, peaceful software.
And if another user wants "Advanced Options", then he'll gain small control over any process (execution AND connection), but he'll need to deal with ZA pop-ups.

NormanF

Level 8
Verified
Jan 11, 2018
355
The automatic mode is because few people download anything dangerous and users assume software will be trusted.

That works in a home environment but in a corporate setting, administrators may want to check on what's allowed to run on an endpoint.
 

Trident

Level 28
Thread author
Verified
Top Poster
Well-known
Feb 7, 2023
1,737
I can imagine a scenario, where ZA says: "Let's build the most minimalist software, where almost everything behaves automatically".
Yeah, the thing is ZoneAlarm for years was this bloated, geeky, nerdy software. I remember their “malware detected” notification, which was a whole window, Symantec-Endpoint-Protection-style.
So how do you break free from this image?
You start all over and you build something that is extremely simplistic. Then, upon re-adding components, you do it carefully, not going back to the previous experience.
The user is paying to have decisions taken for them (majority of users). So you harness powerful endpoint engines and do everything automatically.

So in this case, the firewall applies a triple filter:
First, Application Control decides what apps and processes can connect.
Second, already allowed apps and processes are subject to the rules list.
Third, already allowed apps, processes and traffic are subject to the URL filter. Traffic will be allowed only if it’s not to a known C&C, and the Check Point network handles C&Cs very well.

Again back to Symantec and Norton (as Check Point has always been inspired by Symantec in everything they do and I guess for them Norton/Symantec are the absolute leaders and Gil was always friends with Gary Hendrix), SEP/Norton firewall is controlled by reputation. Similar thing could be done in ZoneAlarm where firewall automatically blocks never-before-seen executables. User can opt to block LOLBins from connecting.

I think similar setup is coming to ZoneAlarm as well.

@NormanF in a corporate environment it’s totally different.
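To make the ordering of the three stages concrete, here is a toy model of that pipeline (an added example, not ZoneAlarm's or Check Point's code): an app-control stage, an ordered rule list ending in a catch-all cleanup rule, and a C&C host check. The safe-list, rules, hosts and paths are constructed for the example; the `block_unknown` switch contrasts the "allow all" default Decopi objects to with the reputation-based block proposed above.

```python
# Constructed example: three-stage connection filter with a cleanup rule.
from dataclasses import dataclass

# Constructed reputation data standing in for a cloud safe-list / C&C feed.
KNOWN_SAFE = {r"C:\Program Files\Mozilla Firefox\firefox.exe"}
KNOWN_C2 = {"c2.example.invalid"}


@dataclass
class Conn:
    exe: str    # process that wants to connect
    host: str   # destination host
    port: int   # destination port


# Ordered rule list: (name, match predicate, verdict). First match wins.
# The last entry is the cleanup rule: it matches everything and blocks,
# so anything not explicitly allowed above it is denied.
RULES = [
    ("allow-https", lambda c: c.port == 443, "allow"),
    ("allow-dns", lambda c: c.port == 53, "allow"),
    ("cleanup", lambda c: True, "block"),
]


def app_control(c: Conn, block_unknown: bool) -> str:
    """Stage 1: may this process connect at all?"""
    if c.exe in KNOWN_SAFE:
        return "allow"
    # block_unknown=False is the "allow all" default; True blocks
    # never-before-seen executables based on reputation.
    return "block" if block_unknown else "allow"


def rule_list(c: Conn) -> tuple:
    """Stage 2: walk the ordered rules; the cleanup rule always matches."""
    for name, match, verdict in RULES:
        if match(c):
            return name, verdict
    raise AssertionError("cleanup rule must match")  # unreachable


def url_filter(c: Conn) -> str:
    """Stage 3: block traffic to known command-and-control hosts."""
    return "block" if c.host in KNOWN_C2 else "allow"


def evaluate(c: Conn, block_unknown: bool = True) -> tuple:
    """Run the stages in order; return (stage, verdict) of the decision."""
    verdict = app_control(c, block_unknown)
    if verdict == "block":
        return "app-control", verdict
    name, verdict = rule_list(c)
    if verdict == "block":
        return "rules:" + name, verdict
    return "url-filter", url_filter(c)
```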
 

NormanF

Level 8
Verified
Jan 11, 2018
355
Yeah, the thing is ZoneAlarm for years was this bloated, geeky, nerdy software. I remember their “malware detected” notification, which was a whole window, Symantec-Endpoint-Protection-style.
So how do you break free from this image?
You start all over and you build something that is extremely simplistic. Then, upon re-adding components, you do it carefully, not going back to the previous experience.
The user is paying to have decisions taken for them (majority of users). So you harness powerful endpoint engines and do everything automatically.

So in this case, the firewall applies a triple filter:
First, Application Control decides what apps and processes can connect.
Second, already allowed apps and processes are subject to the rules list.
Third, already allowed apps, processes and traffic are subject to the URL filter. Traffic will be allowed only if it’s not to a known C&C, and the Check Point network handles C&Cs very well.

Again back to Symantec and Norton (as Check Point has always been inspired by Symantec in everything they do and I guess for them Norton/Symantec are the absolute leaders and Gil was always friends with Gary Hendrix), SEP/Norton firewall is controlled by reputation. Similar thing could be done in ZoneAlarm where firewall automatically blocks never-before-seen executables. User can opt to block LOLBins from connecting.

I think similar setup is coming to ZoneAlarm as well.

@NormanF in a corporate environment it’s totally different.

If it's riskware, it will be automatically blocked and quarantined/deleted without user intervention according to the rules set in the cloud. There's a reason Microsoft Smart Control has no user intervention or user exclusion. That's also why endpoint security suites have the same setup. Of course, with the latter, admins and power users may decide to override their security software's action, but it doesn't change the point that home users go along with a set-it-and-forget-it means of protecting their computer.
 

TaoHouZi

New Member
May 13, 2020
3
When I decompress the sample package, if there are multiple samples, there will be a lot of independent pop-up windows instead of merging pop-up windows, which is very inconvenient.

simmerskool

Level 31
Verified
Top Poster
Well-known
Apr 16, 2017
2,094
I have Check Point Harmony on 1 virtual machine, and I ran ZA Next Gen for a while too...
I just created a new win10_VM running MS Defender, ZoneAlarm free firewall, and CyberLock 7.65. This seems like a very strong combo and mostly free except for CL, which is minimal $ IMO. I got an email from SE Labs today, latest test reports, and MS Defender did very well again, and ZA free is running a few Check Point processes including Threat Emulation and Forensics Recorder, and the ZA firewall GUI is clean and easy to understand. And CyberLock completes the security (unless it's overkill). The only con I'm seeing: the system seems to slow down a noticeable tad, and I see that too with Harmony (perhaps the "price" that Check Point users have to pay for its excellent security?). So far, the slowdown is livable.
 

Shadowra

Level 34
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,309
Hello :)

Seen on ZoneAlarm Free :) (it uses Sophos though...)

[Screenshot attachment: Capture d'écran 2024-01-29 234113.png]
 

vonvon

Level 2
Verified
Nov 25, 2014
88
On my computer, ZoneAlarm Extreme Security does not like IObit Driver Booster, which I have known and used for years, but I can easily restore the file and it is excluded afterwards. ZoneAlarm Extreme Security works very well for me without any noticeable slowdown of the computer.
 

vonvon

Level 2
Verified
Nov 25, 2014
88
I'm still getting used to ZoneAlarm. I like the minimalist interface; I like less the folders created in the Downloads and Documents folders (honeypots?) and the interception of downloads in Firefox, where I would have preferred post-download processing. Otherwise, apart from a few false positives with IObit and CopyTrans, the impression of security is good.
 

Dave Russo

Level 21
Verified
Top Poster
Well-known
May 26, 2014
1,058
On my computer, ZoneAlarm Extreme Security does not like IObit Driver Booster, which I have known and used for years, but I can easily restore the file and it is excluded afterwards. ZoneAlarm Extreme Security works very well for me without any noticeable slowdown of the computer.
Kaspersky gives me a warning (program bundled with another, which I hit ignore). G Data and Malwarebytes also, at least in the past, didn't like IObit Driver Booster either.
 
