ZoneAlarm ForceField: Compromised in sixty seconds
- 22 May, 2008 09:45
Check Point Software's new Web browser security software, called ZoneAlarm ForceField, integrates a host-based firewall, anti-spyware, Web site rating, anti-phishing, and keylogger-jamming into a limited virtualization environment with the elegant user interface you've come to expect from the ZoneAlarm brand. Its goal is to provide superior anti-malware protection against the increasingly prevalent and complex threats posed to Internet surfers.
To be frank, I've reviewed similar over-marketed and under-effective virtualized or "sandbox" security clients over the years (most notably GreenBorder, subsequently acquired by Google), all of which promised to provide superior protection against all malicious Internet threats. Unfortunately, although ForceField does offer some real improvements over the other products I've reviewed, it wasn't enough to stop malware from infecting my test systems. In less than a minute, by clicking only my third malicious Web site link, my test system was silently compromised without so much as a chirp out of ForceField. This is not to say that ForceField didn't deliver some protection and detection, but I'm getting ahead of my review.
Although I am overly skeptical of limited virtualization products, I'm a big fan of both Check Point and ZoneAlarm, and I was eager to see what the solution brought to the space. Unfortunately, Check Point's accompanying whitepaper re-awakened my initial skepticism by using new, unnecessary technical jargon ("Web-based Super Attacks," "New Advanced Technologies") and over-promising the protection ForceField can provide ("reject all changes to the user's PC unless the user specifically solicits them"), while overly criticizing traditional defenses.
Browsing for trouble
Much of what ForceField claims to do (file and registry virtualization, blocking drive-by-downloads, and so on) is also claimed by Microsoft in Windows Vista and Internet Explorer 7 Protected Mode. Accordingly, I ran the tests on unpatched versions of Windows XP Pro SP2 with Internet Explorer 6 and Firefox 2.0, with intentionally older versions of common browser add-ons. I wanted to give malicious Web sites ample opportunity to infect the underlying operating system while giving ForceField the best chance of being the sole blocker (versus measuring unexpected browser or operating system defenses).
I then installed ZoneAlarm ForceField v.1.0.331.0 with default settings and surfed to dozens of known malicious, live Web sites. I opened malicious links listed on www.shadowserver.org and www.dshield.org, and found others by searching for Web sites with the string "killwow1.cn/g.js" in the source code. The latter string is associated with thousands of recent, maliciously infected Web sites. Note: Don't attempt to duplicate my query unless you are prepared to wrangle with malicious code.
Installation of ForceField went smoothly as promised. The footprint is small (just 4MB to 5MB), and configuration is minimal. After installation, a small ForceField icon appears on the status bar, and a new ForceField menu bar is added to the browser. Clicking on the icon allows access to the limited and self-explanatory configuration menu.
The only notable option that needs more explanation is the Clear button. This button is to be clicked when the user decides that the data in the virtualized browser environment should be deleted prior to ForceField deciding on its own. This option is a benefit as well as one of the weaknesses of this product and its similar cousins. Asking end-users to decide when to reset virtual environments is circular logic. If end-users could consistently and appropriately recognize when they were exposed to malware in the first place, they wouldn't need the virtual environment.
Babies and bathwater
Although ForceField does an okay job on its own when deciding what to keep and reject, it was occasionally fooled, sometimes getting rid of items I thought were more permanent and vice-versa. For example, it consistently reset my personally selected home page, but left maliciously installed programs alone.
ForceField did stop many malicious Web sites from loading and many malicious programs from being installed, although its own count seemed unrealistically elevated. For example, it reported stopping more than 16,000 threats from the first seven sites I visited, but my network sniffer showed the true number to be below 60. I'm not sure how ForceField is counting threats. Plus, although ForceField did prevent many malicious Web sites from loading, it would often simply caution me from inputting personal information on the site I was visiting, when in reality the site was trying to inject me with malware and never attempted to collect personal information.
There were many false negatives, where ForceField failed to report anything suspicious when malware was definitely present. ForceField also failed to prevent a number of malware infections. One rootkit was installed as a service, and several others installed using malformed multimedia content. ForceField would allow me to install many common browser add-ons, but prevented me from installing legitimate new language packs. Browser performance was significantly affected overall, and often the browser seemed locked up or had to be prodded with multiple reloads to finish displaying the requested page.
ForceField has some other interesting features such as the Private Browser option, which blocks cookies and allows you to browse the Web without an audit trail, keeping the browser history, file download list, and other local trackers clear of evidence. You can also open an unprotected browser session. ForceField is obviously a consumer-focused product as it lacks enterprise management features, detailed logs, reports, and almost any type of granularity.
ForceField is a good companion product to the ZoneAlarm Firewall. I tested the latest version of ZoneAlarm against the same malicious Web sites, and ForceField blocked more than the firewall component did on its own. By the same token, the firewall offered some protections that ForceField alone does not provide. For instance, the firewall blocked many outbound communication attempts by malware that slipped by ForceField, and alerted on a few malicious Web sites that ForceField didn't detect.
More telling in the grand scheme of things, ForceField proved less effective than a fully patched version of Windows XP SP3 running Internet Explorer 7 and fully patched applications. Exposing the patched system to the same malicious sites I used to test ForceField, I discovered that all malicious drive-by-download programs were prevented even when the malicious Web sites were displayed, besting the prevention provided by ForceField on unpatched systems. ForceField could possibly offer some detection and prevention advantages for zero-day exploits, and even in my limited test cases, definitely offers improved alerting and detection over a system without any anti-malware software installed. But it didn't provide better protection than a fully patched system.
Overall, I found ZoneAlarm ForceField to deliver slightly above average protection (due to the anti-spyware and anti-phishing detection capabilities) as compared to other security sandbox products I've tested, but I'm still not convinced that any product of this type offers complete enough protection to be strongly recommended.