Review: ZoneAlarm ForceField

by Steve Ragan - May 27 2008, 11:06

In this review, I’m going to cover ZoneAlarm ForceField. Recently, I wrote an opinion on the review published by InfoWorld in which they covered ZoneAlarm ForceField. I disagreed with the overall review and the methods used. With that said, I tested ForceField for myself. Here are my results.

Force Field gets a new review. How do you think it did? (IMG:J.Anderson)

ForceField was first released as a public beta last September. The program virtualizes only those parts of the user’s operating system that interact with the Internet. The virtualization technology in ForceField forms a bubble of sorts around the browser so that all unknown or unwanted changes from silent installs, better-known as drive-by downloads, are made to a virtualized file system and disappear completely once the user is finished surfing.This Test of ForceField is designed to mirror the tests performed by InfoWorld. However, there is one catch; the systems that are going to be tested are all fully patched.There was much thought placed into how this review of ZoneAlarm ForceField was to be conducted. The InfoWorld test used systems that were lacking with regard to current updates and operating system patches. This defeats the general rule of best practice with regard to security. As such, the Tech Herald review of ZoneAlarm ForceField will not mirror the InfoWorld testing environment as originally stated in the opinion article. This test is performed with the following settings and installed applications.Settings:
Windows XP SP3 (Completely patched w/ Internet Explorer 7)
1024MB RAM Dual Core Pentium @ 3.40 GHzApplications:
Adobe Reader 8
AVG Free 8.0
Open Office Portable
ZoneAlarm ForceFieldInstall of ForceField was straight to the point. Other than picking out where to install the software, there were no settings or options to configure. Once installed, you are asked to register the software or start your free trial. After that, the browser is launched and you are shown a website, which explains how to read the ForceField display. (ForceField currently works with both Internet Explorer and Firefox.)

Usage:There are four buttons in the ForceField display; the master control button, which is marked by the ForceField logo, Protection Activity, Site Status, and Private Browser. Briefly, here is a rundown of what they do.

Master Control - This button, as seen in the image, offers quick access to the program's settings, Web-links (ForceField and ZoneAlarm Online), and help.The settings section allows control over updates, confirmation control, and startup. The advanced settings tab will offer various functions including what levels of web protection you want, and if you want to enable or disable virtualization.

(Note: It is wise to leave all of the advanced options enabled if you want full protection out of the software. Also, virtualization is the key to ForceField, disabling this will make the reasoning behind the program moot.)Protection Activity – Gives you an overview of what you have been protected from on the current website. If you hold your mouse over the button, it offers an at-a-glance look at the protection information as well.

Site Status – Offers information on the site. It will tell you if the site is malicious, as well as offer other information such as how long the site has been around. Holding a mouse over this icon will offer basic information.

Private Browser – This button will offer single click access to a single browser where nothing is logged. When using this option, the ForceField bar turns a lovely shade of blue, and alerts the user to the no logging changes.

Security Testing:This test and review will use the same sets of data that InfoWorld used. To quote the InfoWorld review, “I opened malicious links listed on [shadowserver.org] and [dshield.org], and found others by searching for Web sites with the string "killwow1.cn/g.js" in the source code.” The third link, according to the report, infected the system.Starting with Shadowserver.org, the list for 14/05/2008 was the sample data used. (At the time of this writing, it was the most current.) In this test, all of the listed sites (seventy-seven), were visited. Unlike past reviews, where security software is rated on what it blocks or removes, there is special attention paid to the percentage of sites blocked or missed. While there was no mention of exactly how many sites from Shadowserver.org were visited in the InfoWorld review, all of the listed sites were hit for the Tech Herald review in order to offer the best sample of known malicious data from this source.Interesting test notes (Shadowserver.org):- Sites that pull a “RED” alert from ForceField are prevented from loading. You are told, “Nothing bad has happened yet,” and offered a chance to go back to a page that simply says, “You are safe now.”- Twenty-eight sites were blocked by both AVG Free 8.0 and ForceField.- Seventeen sites were blocked by AVG Free 8.0 but missed by ForceField.- Sixteen sites were blocked by ForceField but missed by AVG Free 8.0.- Of the sites blocked by both AVG Free 8.0 and ForceField or by ForceField alone, ForceField showed eight “RED” alerts and thirty-six “Yellow” alerts.- Both security applications failed to block six sites.- There were ten sites on the Shadowserver.org list that were in error (Suspended, 404, 403, etc.).The Shadowserver.org test offered a data list of seventy-seven confirmed to be malicious. With the error websites removed, there were sixty-seven websites visited.Based on the Shadowserver.org test alone, the InfoWorld review is blown out of the water. ForceField did exactly what it promised. It offered a warning or outrightly refused to load a site on forty-four sites out of the sixty-seven tested. That is just over sixty-five percent coverage on its own. However, when you factor in the blocking average of AVG Free 8.0, which was sixty-seven percent or forty-five out of sixty-seven sites tested, you can see the power of the two programs.In all, there were sixty-one sites flagged. That is a success rate of ninety-one percent for the test. The object was to use ForceField as it was intended, as another layer of security on a patched and updated system with some sort of anti-Malware scanning already in place.(NOTE: AVG Free 8.0 details: http://tinyurl.com/4gvkgy)The next test was on dshield.org. If you are not familiar, dshield.org is a useful resource as it lists various data on attacking IP address, targeted ports, and more. One of the common uses for this site is to collect IP addresses to block. Dshield offers a Top 10 list of attacking IP addresses, so for this test, the Top 10 list was used. The InfoWorld review of ForceField only mentioned using dshield.org, and not the methods.Interesting test notes (dshield.org):- Out of ten sites, four showed no web server like activity. The other six that were web pages failed to be blocked by either AVG Free 8.0 or ForceField.- One page was a Chinese Beijing Olympics login portal- Another page was an IIS informational pageThe test here is inconclusive. It is unknown if the issues mentioned in the InfoWorld review are linked to dshield.org testing. After the dshield.org part of the test, AVG Free 8.0 was used to scan the system. The system scan was started to check the health of the system after six of the ten dshield.org sites were not blocked when they loaded web pages. These sites might not be black listed by either security program for several reasons. However, because they are known as attacking sites, they could be malicious to the passer by online.There is also the fact that dshield.org lists only IP address, and not the structure of the website. Therefore, if there were malicious files on one of the six sites that loaded, simply viewing the main IP on port 80 might not be enough to trigger any type of attack.There is nothing to say about this test, that isn’t obvious, ForceField and AVG Free 8.0 both failed to stop six out of the ten sites. The status of those sites are known, they have been reported as attacking IP addresses. With that said, there is also no proof they are harmful to a user by merely visiting them. The scan of the system located several tracking cookies, from DoubleClick, Trafficmp, Webtrends, Mediaplex, 2o7, and others, but nothing malicious.

The third test involved searching Google for "killwow1.cn/g.js" and attempting to visit pages that are shown to be malicious. As of 2008/26/05, 44,300 sites were returned by this search. Of these forty-four thousand plus sites, maybe a hand full are malicious. AVG Free 8.0 uses Link Scanner, which places a small red ‘X’ next to a malicious search result. During the test, the first twenty flagged links (those with a red ‘X’) were accessed. According the InfoWorld review, it was the third link that infected the under patched system.In this test, the third link with a red ‘X’ was a site named SeekingandFinding.com. While it is not known what the malicious payload was that attacked the test system, it did cause ForceField to throw an error and asked to report information. On top of that, the system itself locked up and needed a reboot.Once the system was back online after the restart, the test was launched again. There were no notable changes to the system; so far, the only issue from loading that page was a system freeze. The third link, again Seekingandfinding.com, wants to load a ‘Shell WebView Content and Control Library’ according to Internet Explorer. The browser blocked the ActiveX control; however, ForceField now shows twelve items blocked according to the Protection Activity button. (Note: Remember these links are being followed against the warnings issued by AVG Free 8.0.)

Another website, understanding-islam.com, wants to load ‘Microsoft Data Access – Remote Data Services’. However, once again Internet Explorer blocked the ActiveX and ForceField blocked twelve threats. At this point all three of the original sites were loaded again post system crash with no errors. For the next set of sites, Google blocked one of them with a Malware warning. The other two sites visited during this set were uneventful, as Internet Explorer blocked content on one site, and denied an ActiveX control on another.According to Google, “Of the 266 pages we tested on the site over the past 90 days, 40 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 05/18/2008, and the last time suspicious content was found on this site was on 05/14/2008. Malicious software includes 40 Trojan(s), 6 exploit(s), and 2 scripting exploits. Successful infection resulted in an average of 18 new processes on the target machine.” (Note: These details come from the added information recently reported on here: http://tinyurl.com/4b4odw)The results of this test made another point about layered security. Google blocked four sites, Internet Explorer prevented ActiveX exploitation, AVG Free 8.0 warned about the links being harmful before they were accessed, and to top it off, ForceField averaged twelve actions per page blocking malicious content.In the opinion on the InfoWorld review, I made a point that if you want a test to fail, it will. Likewise, if I want a test to pass I can make it pass. With that in mind, every test performed can be replicated. These results can be tested by anyone.The test and review of ZoneAlarm ForceField proves without a doubt that the InfoWorld review of ForceField was way off the mark. The largest problem, is that to ensure a fair and proper test, you need to start with a clean, fully patched system. If during this test, I had used XP SP2, Internet Explorer 6, and left off a few months worth of patches, all of the exploits would have worked.ForceField is not a cure all security program. During this test, it is obvious that AVG Free 8.0 made up for the lack of protection that ForceField offers. The thing that makes ForceField shine is that it works with Firefox or Internet Explorer and any other security suite you have. When used in conjunction with other security software, ForceField offers a serious layer of defense to a computer. AVG Free 8.0 was tested here, but ForceField also worked with Norton 360 2.0 (The testing with 360 was different, as many features overlapped.), and AVG Internet Security 8.0, just to name a few.Overall, if used properly, ForceField is a great tool. You simply have to remember the rules with security to get the most out of it. These rules are simple. Update and patch daily. Layer your security, and use a little common sense.ZoneAlarm ForceField earns a solid 98 out of 100 for the actions demonstrated during these tests. It crashed once, but still managed to protect the system before it went down in a blaze of glory. Take the trial for a spin, and if you like it, the cost is affordable to keep it.Note:The system crash was preempted by a virtual memory warning. This happened as a known malicious site was being loaded. There is no solid proof, one way or another, that the site caused the crash or a program error caused the crash. There is also the fact the VM machine running the test at the time could have caused the crash.During this test, most of the sites visited or linked too because of an Injection Attack were in Chinese. With that said, there were no translation packs downloaded to the virtual system.

Comment on this Story

Interested in a more interactive TTH? Join our Facebook Group
Want regular updates from The Tech Herald? Follow us on Twitter

Comment on this Story

Note our older Talkback system is still running below. We hope to import existing comments into the new system shortly. Guest posting is still allowed, however, you can now login with any number of social network accounts.

Talkback

Add your comment (no registration required)

page: 1

JoeAug 13th, 2008 - 08:22:13

Just what is the percentage of 'Completely patched' consumer PCs?
The 'Completely patched' PC is protected mainly by the Completely patched OS itself!. So you would not know how good a security software is unless the OS is NOT 'Completely patched'. I have Windows XP Pro SP2 and will not download SP3 and break many programs. I Haven't downloaded any patches for over 9 months and had no problems whatsoever. I'm using mainly Outpost Pro firewall with Kaspersky Antivirus. There are various virtualization solutions that are free and far more effective than this piece of crab. (Altiris Software Virtualization Solution, Returnil Virtual System, VirtualBox.etc.)

Report this comment

AndroclesOct 26th, 2008 - 13:26:39

I appreciate the straight talk about the product. I have been considering purchasing ForceField and wanted to have some feedback about its power.

Report this comment

DmitriNov 2nd, 2008 - 15:29:43

Steve, thank you for a great article. What do you have to say about the following keylogging protection claims? This is the main reason I got attracted to ForceField.

'Blocks programs that secretly record your screen or your typing in order to collect your personal information.
ForceField does not have to scan for and detect keyloggers and screen grabbers. Instead, it blocks the operating system calls that are used by keyloggers and screen grabbers, so there is no need to worry whether they will be detected in time.'
(Found in ForceField help file on their website)

I can't find any independent reviews of such anti-keylogger functionality (either in ForceField or other possible apps). Any help would be greatly appreciated!

I do regular backups, so if my system gets compromised, I can restore fairly quickly (I use Acronis). BUT, if my passwords to banks accounts and even gmail are stolen, then it could lead to a real loss of money. I'm sure a lot of users would share my sentiment.

If the above claims are true, that means 100% protection against keylogging damage - is this right? No program can ensure 100% it will catch all malware, but if a piece of software could block every program from accessing keystrokes & screen (except for the browser itself)...

Thanks to all who could answer this,
Dmitri.

Report this comment

Steve Ragan - TTHNov 4th, 2008 - 03:28:17

@DmitriThanks for the comment and the question.

The reason why I did not include the Keylogging protection in the review, (such as install one, and see if it really did block the attempts) was because of the underlying nature of the software itself.

I left off some aspects of testing, either because they were covered by other reviews, or because they repeated processes that were not a part of the scope of the software, that is, a single layer of defense.

This layer focuses simply on malicious web content and adds the extras of Keylogging and other base protections. It was because Keylogging is a simple addition and not the true focal point of the software that I did not include that aspect of testing.

When I was given the software to review, I was well aware that this is not an end all solution. Even the company confirmed this when I asked them about the software when I wrote an opinion piece on a review for it.

“ForceField is not designed to be used as the only security product on a PC as tested by InfoWorld. That is like testing an anti-Spyware product alone and finding viruses still pass through.” -John Gable, director of product management, Check Point ZoneAlarm consumer division

ForceField is a great layer of defense, Yet, I cannot stress enough that relying on ForceField to protect you from Keylogging would be a serious mistake.

A few minutes before I posted this answer, I ran a simple test on a virtual computer running the same specs used in the review. I used five known keylogging Trojans, all established, each one was blocked. As expected.

You mentioned “If the above claims are true, that means 100% protection against keylogging damage - is this right? No program can ensure 100% it will catch all malware, but if a piece of software could block every program from accessing keystrokes & screen (except for the browser itself)...”

You are 100% correct; nothing will block or stop 100% of the attacks available now or in the future. It isn’t possible. So ForceField caught my five samples. Well, it should have, as each one is old and well-known.

However, one other aspect is that in order for ForceField to catch them, I had to disable AVG 8.0; it caught them from the onset long before ForceField knew they were there.

ForceField is only effective on a system if it is used as one of several layers of security defense. You, Dmitri, have the right thinking by backing up software, and while not mentioned I will assume you are using AV software.

Those are examples of defense layers. Backup what is important, and guard against attack by using security software and even hardware.

Again, ForceField is a layer of protection, and I would encourage anyone wanting to test it to remember that. While they claim 100% remember, 100% could mean known keylogging signatures and actions. Criminals are crafty, so there is no true way to block 100% of anything. No disrespect to Check Point, but even they are aware of this.

Report this comment

mateoMar 6th, 2009 - 23:13:01

I use BufferZone-a similar concept (sandboxing) but in my experience it's significantly better than ZA. Virtualized more than the browser - covers IM clients, P2P sites, USB drives, etc. Free 1-month trial, and keeps me cookin a lot faster than antivirus alone.

try it on trustwareDOTcom

Report this comment

page: 1

Add your comment (no registration required)

Security

Review: ZoneAlarm ForceField

Comment on this Story

Talkback

Latest

Latest Articles on Monsters&Critics

In The Tech Herald

Site

The Fine Print