ZoneAlarm by Check Point Info, Guides, Tests
Quoting Trident (post 1043770):

Good evening,

This thread is everything about ZoneAlarm by Check Point.

Before we get to the ZoneAlarm tests, guides and forensic reports (my favourite part of it), it will be best to get familiar with what's inside ZoneAlarm.

ZoneAlarm is a rebrand of Check Point Harmony Endpoint (previously SandBlast Agent) which includes a few components, called "blades". The following blades are used in ZoneAlarm Extreme Security NextGen:

- Anti-Malware: This is standard, heuristics (mainly), signatures and generic detections provided by Sophos (Sophos AntiVirus Interface or SAVI, https://assets.sophos.com/X24WTUEQ/at/pmcvfp2sfvfsg5qjfjj8624/sophos-antivirus-sdk-ds.pdf) AV. This blade provides online and offline protection against known and unknown threats. It also detects malware targeting other platforms (Linux, MacOS and Android) and provides unarchiving abilities as well as a True File Type parser that will inspect file properties such as Magic Bytes to determine the real format. The Sophos behavioural genotype (https://support.sophos.com/support/s/article/KB-000033621?language=en_US) by itself relies on Dynamic Analysis. Additional link: https://www2.computerworld.com.au/article/165284/sophos_invents_foolproof_malware_scanner/

- Static Analysis or NextGen AV (proprietary, https://blog.checkpoint.com/security/preventing-the-unknown-with-static-analysis/): examines attributes of executable files to detect *somewhat* unknown threats without having signatures created. The assumption that such engines always detect unknown threats is wrong; they still have to be trained before they can do so. Static analysis has limited (second to none) effectiveness on packers as well (these will be better covered by Sophos dynamic analysis as well as Behavioural Guard). In ZoneAlarm, only high confidence detections from static analysis are treated to minimise false positives.

- File Reputation Engine powered by ThreatCloud (https://www.checkpoint.com/infinity/threatcloud-ai/). Provides reputation lookups based on hashes (I am still trying to find out the formats supported). Includes feeds from third parties such as Kaspersky and Cisco Talos as well as proprietary feeds from crawlers, in-product telemetry and Check Point Research. Also includes proprietary signatures. The Kaspersky, Cisco Talos and proprietary signatures (https://threatwiki.checkpoint.com/threatwiki/public.htm) can frequently be seen in the forensic reports (sometimes there are multiple detections). The file reputation engine uses a local cache to minimise look-ups.

- Behavioural Guard, Forensics, Anti-Bot, Anti-Exploit and Anti-Ransomware blades (https://sc1.checkpoint.com/documents/Infinity_Portal/WebAdminGuides/EN/Harmony-Endpoint-Admin-Guide/Topics-HEP/Behavioral-Protection.htm): Monitor all system events (file, registry, network-related) to record, classify and reverse malicious behaviour. Detailed forensic reports are generated such as the one here: https://forensics.checkpoint.com/astaroth/ The same report is generated by ZoneAlarm as well; we'll get to it soon.

- Threat Emulation and Threat Extraction (https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_ThreatPrevention_AdminGuide/Topics-TPG/Threat-Emulation-Solution.htm), also known as Content Disarm and Reconstruct (CDR): This component is very actively developed, see the release notes (https://support.checkpoint.com/results/sk/sk95235). It captures files and archives downloaded through the browser or saved through email clients and sends them for emulation. Check Point emulation is highly resistant to evasion (they have a tool that scans for VM artefacts, https://github.com/CheckPointSW/InviZzzible, as well as articles focused on VM evasion, https://evasions.checkpoint.com/). Threat emulation supports over 70 file types (up to 15MB), including executables, java apps, documents and scripts. Documents are automatically cleaned from any executable content (macros, OLE objects and others). They are also scanned for suspicious links. Threat emulation severely boosts security where it is needed and works even without the extension if downloads are saved in the Downloads or Desktop folders. Introducing malware through other methods (not via download or email attachments) will result in decreased effectiveness as files will not be emulated. Hopefully the right-click to emulate that was in ZA before will be back.

- Threat emulation generates detailed reports such as the one here (available in ZA as well): Threat Details Report, https://forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html

- Malware DNA (https://blog.checkpoint.com/security/malware-dna-threat-intelligence-insights-genetic-security-ancestry/) is used to provide rich context.

Useful resources:
ZoneAlarm Release notes: https://www.zonealarm.com/software/extreme-security-nextgen/release-history
Check Point Research: https://research.checkpoint.com/
ZoneAlarm Trial Downloads: https://www.zonealarm.com/software/free-downloads
Check Point engines release notes (used in ZA): https://support.checkpoint.com/results/sk/sk117536
ZoneAlarm license valid for quite some time: 845DGV

The thread will be updated with more content when available.
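Two of the mechanisms the post describes, true file type detection by magic bytes (the Anti-Malware blade) and locating executable content inside documents (what Threat Extraction strips), can be illustrated together. The script below is an added example written for this thread, not ZoneAlarm, Sophos or Check Point code; its magic-byte table, extension map and the in-memory sample files are constructed for the demonstration.

```python
import io
import zipfile

# Constructed magic-byte table for formats the post mentions (executables,
# documents, archives, java apps); an illustration, not Sophos's SAVI table.
MAGIC = [
    (b"MZ", "pe"),
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # .zip/.docx/.xlsx/.jar
]
# Extensions each true type may legitimately carry (constructed, partial).
ALLOWED = {
    "pe": {"exe", "dll", "scr"}, "pdf": {"pdf"}, "ole2": {"doc", "xls", "ppt"},
    "zip": {"zip", "docx", "docm", "xlsx", "xlsm", "pptx", "jar"},
}

def true_type(data: bytes) -> str:
    """Classify by leading bytes, ignoring whatever the file is named."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def active_content(data: bytes) -> list[str]:
    """Zip entries a CDR step would strip: VBA storage, OLE embeddings, classes."""
    if true_type(data) != "zip":
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist()
                if n.lower().endswith(("vbaproject.bin", ".class"))
                or "/embeddings/" in n.lower()]

def assess(filename: str, data: bytes) -> dict:
    """True type, whether the extension contradicts it, and active content."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = true_type(data)
    mismatch = kind != "unknown" and ext not in ALLOWED[kind]
    return {"type": kind, "mismatch": mismatch, "active": active_content(data)}

def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled Word file with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(assess("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60))  # a PE renamed .pdf
    print(assess("report.docm", build_sample_docm()))           # macros inside
```

The first sample is flagged because its leading bytes say PE while its name says PDF; the second is a legitimately named document whose macro storage is the part a Threat Extraction pass would remove.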