Review: ZoneAlarm ForceField
by Steve Ragan - May 27 2008, 15:06
Force Field gets a new review. How do you think it did? (IMG:J.Anderson)
In this review, I’m going to cover ZoneAlarm ForceField. Recently, I wrote an opinion on the review published by InfoWorld in which they covered ZoneAlarm ForceField. I disagreed with the overall review and the methods used. With that said, I tested ForceField for myself. Here are my results.
ForceField was first released as a public beta last September. The program virtualizes only those parts of the user’s operating system that interact with the Internet. The virtualization technology in ForceField forms a bubble of sorts around the browser, so that all unknown or unwanted changes from silent installs, better known as drive-by downloads, are made to a virtualized file system and disappear completely once the user is finished surfing.
This test of ForceField is designed to mirror the tests performed by InfoWorld. However, there is one catch: the systems being tested are all fully patched.
There was much thought placed into how this review of ZoneAlarm ForceField was to be conducted. The InfoWorld test used systems that were missing current updates and operating system patches, which defeats the basic security best practice of keeping systems patched. As such, the Tech Herald review of ZoneAlarm ForceField will not mirror the InfoWorld testing environment as originally stated in the opinion article. This test was performed with the following settings and installed applications:
- Windows XP SP3 (completely patched, with Internet Explorer 7)
- 1024MB RAM, Dual Core Pentium @ 3.40 GHz
- Adobe Reader 8
- AVG Free 8.0
- Open Office Portable
Install of ForceField was straight to the point. Other than picking out where to install the software, there were no settings or options to configure. Once installed, you are asked to register the software or start your free trial. After that, the browser is launched and you are shown a website, which explains how to read the ForceField display. (ForceField currently works with both Internet Explorer and Firefox.)
There are four buttons in the ForceField display: the master control button, which is marked by the ForceField logo, Protection Activity, Site Status, and Private Browser. Briefly, here is a rundown of what they do.
Master Control - This button, as seen in the image, offers quick access to the program's settings, Web-links (ForceField and ZoneAlarm Online), and help.
The settings section allows control over updates, confirmation control, and startup. The advanced settings tab will offer various functions including what levels of web protection you want, and if you want to enable or disable virtualization.
(Note: It is wise to leave all of the advanced options enabled if you want full protection out of the software. Also, virtualization is the key to ForceField; disabling it makes the reasoning behind the program moot.)
Protection Activity – Gives you an overview of what you have been protected from on the current website. If you hold your mouse over the button, it offers an at-a-glance look at the protection information as well.
Site Status – Offers information on the site. It will tell you if the site is malicious, as well as offer other information such as how long the site has been around. Holding a mouse over this icon will offer basic information.
Private Browser – This button offers single-click access to a separate browser window where nothing is logged. When using this option, the ForceField bar turns a lovely shade of blue and alerts the user that logging is off.
This test and review will use the same sets of data that InfoWorld used. To quote the InfoWorld review, “I opened malicious links listed on [shadowserver.org] and [dshield.org], and found others by searching for Web sites with the string "killwow1.cn/g.js" in the source code.” The third link, according to the report, infected the system.
Starting with Shadowserver.org, the list for 14/05/2008 was the sample data used. (At the time of this writing, it was the most current.) In this test, all of the listed sites (seventy-seven) were visited. Unlike past reviews, where security software is rated on what it blocks or removes, special attention is paid here to the percentage of sites blocked or missed. While there was no mention of exactly how many sites from Shadowserver.org were visited in the InfoWorld review, all of the listed sites were hit for the Tech Herald review in order to offer the best sample of known malicious data from this source.
Interesting test notes (Shadowserver.org):
- Sites that pull a “RED” alert from ForceField are prevented from loading. You are told, “Nothing bad has happened yet,” and offered a chance to go back to a page that simply says, “You are safe now.”
- Twenty-eight sites were blocked by both AVG Free 8.0 and ForceField.
- Seventeen sites were blocked by AVG Free 8.0 but missed by ForceField.
- Sixteen sites were blocked by ForceField but missed by AVG Free 8.0.
- Of the sites blocked by both AVG Free 8.0 and ForceField or by ForceField alone, ForceField showed eight “RED” alerts and thirty-six “Yellow” alerts.
- Both security applications failed to block six sites.
- There were ten sites on the Shadowserver.org list that were in error (Suspended, 404, 403, etc.).
The Shadowserver.org test offered a list of seventy-seven sites confirmed to be malicious. With the error websites removed, sixty-seven websites were visited.
Based on the Shadowserver.org test alone, the InfoWorld review is blown out of the water. ForceField did exactly what it promised. It offered a warning or outright refused to load the site on forty-four of the sixty-seven sites tested. That is just over sixty-five percent coverage on its own. However, when you factor in the blocking average of AVG Free 8.0, which was sixty-seven percent, or forty-five out of sixty-seven sites tested, you can see the power of the two programs together.
In all, sixty-one sites were flagged. That is a success rate of ninety-one percent for the test. The object was to use ForceField as it was intended: as another layer of security on a patched and updated system with some sort of anti-malware scanning already in place.
(NOTE: AVG Free 8.0 details: http://tinyurl.com/4gvkgy)
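The layered-coverage figures above come from sorting each reachable site into one of four buckets (blocked by both, by one product only, or by neither) and dividing by the number of sites that actually loaded. The script below is an added example, not code from the review or from ZoneAlarm; it generalizes that tally so the same scoring can be run over any per-site result list. The `SiteResult` record layout, the function names, and the sample records (constructed to reproduce the review's counts of 28/17/16/6 plus ten error sites) are all assumptions made for this example.

```python
"""Layered-coverage scoring for a blocklist walk-through (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteResult:
    site: str          # constructed label, not a real hostname
    reachable: bool    # False for suspended / 404 / 403 entries
    avg_blocked: bool  # the anti-malware scanner flagged the site
    ff_blocked: bool   # the browser-layer product warned (yellow) or refused (red)


def score(results):
    """Return per-layer and combined coverage for a list of SiteResult.

    Unreachable sites are dropped from the denominator, exactly as the
    review removes its ten error entries before computing percentages.
    """
    tested = [r for r in results if r.reachable]
    buckets = {"both": 0, "avg_only": 0, "ff_only": 0, "neither": 0}
    for r in tested:
        if r.avg_blocked and r.ff_blocked:
            buckets["both"] += 1
        elif r.avg_blocked:
            buckets["avg_only"] += 1
        elif r.ff_blocked:
            buckets["ff_only"] += 1
        else:
            buckets["neither"] += 1

    n = len(tested)
    ff = buckets["both"] + buckets["ff_only"]      # browser layer alone
    avg = buckets["both"] + buckets["avg_only"]    # scanner alone
    layered = n - buckets["neither"]               # union of both layers

    def pct(k):
        return round(100.0 * k / n, 1) if n else 0.0

    return {
        "tested": n,
        "errors": len(results) - n,
        **buckets,
        "forcefield": ff, "forcefield_pct": pct(ff),
        "avg": avg, "avg_pct": pct(avg),
        "layered": layered, "layered_pct": pct(layered),
    }


def sample_results():
    """Constructed records reproducing the review's Shadowserver.org tally."""
    spec = [  # (count, reachable, avg_blocked, ff_blocked)
        (28, True, True, True),     # blocked by both
        (17, True, True, False),    # scanner only
        (16, True, False, True),    # browser layer only
        (6, True, False, False),    # missed by both
        (10, False, False, False),  # suspended / 404 / 403
    ]
    out = []
    for count, reachable, avg, ff in spec:
        for _ in range(count):
            out.append(SiteResult(f"site-{len(out) + 1:02d}", reachable, avg, ff))
    return out


if __name__ == "__main__":
    s = score(sample_results())
    print(f"tested {s['tested']} (dropped {s['errors']} error sites)")
    print(f"browser layer : {s['forcefield']:>3}  {s['forcefield_pct']:5.1f}%")
    print(f"scanner       : {s['avg']:>3}  {s['avg_pct']:5.1f}%")
    print(f"either layer  : {s['layered']:>3}  {s['layered_pct']:5.1f}%")
    print(f"missed by both: {s['neither']:>3}")
```

Run as-is it prints 44/67 (65.7%), 45/67 (67.2%) and 61/67 (91.0%), matching the review; the "missed by both" count is the number a defender cares about most, since it is the residual exposure no single layer would have caught.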
The next test was on dshield.org. If you are not familiar with it, dshield.org is a useful resource that lists various data on attacking IP addresses, targeted ports, and more. One of the common uses for this site is to collect IP addresses to block. Dshield offers a Top 10 list of attacking IP addresses, so for this test, the Top 10 list was used. The InfoWorld review of ForceField only mentioned using dshield.org, not the methods.
Interesting test notes (dshield.org):
- Out of ten sites, four showed no web-server-like activity. The other six, which did serve web pages, failed to be blocked by either AVG Free 8.0 or ForceField.
- One page was a Chinese Beijing Olympics login portal
- Another page was an IIS informational page
The test here is inconclusive. It is unknown if the issues mentioned in the InfoWorld review are linked to dshield.org testing. After the dshield.org part of the test, AVG Free 8.0 was used to scan the system. The scan was started to check the health of the system after six of the ten dshield.org sites loaded web pages without being blocked. These sites might not be blacklisted by either security program for several reasons. However, because they are known attacking sites, they could be malicious to a passer-by online.
There is also the fact that dshield.org lists only IP addresses, not the structure of the website. Therefore, if there were malicious files on one of the six sites that loaded, simply viewing the main IP on port 80 might not be enough to trigger any type of attack.
There is nothing to say about this test that isn’t obvious: ForceField and AVG Free 8.0 both failed to stop six out of the ten sites. The status of those sites is known; they have been reported as attacking IP addresses. With that said, there is also no proof they are harmful to a user who merely visits them. The scan of the system located several tracking cookies, from DoubleClick, Trafficmp, Webtrends, Mediaplex, 2o7, and others, but nothing malicious.
The third test involved searching Google for "killwow1.cn/g.js" and attempting to visit pages that are shown to be malicious. As of 2008/26/05, 44,300 sites were returned by this search. Of these forty-four thousand plus sites, maybe a handful are malicious. AVG Free 8.0 uses Link Scanner, which places a small red ‘X’ next to a malicious search result. During the test, the first twenty flagged links (those with a red ‘X’) were accessed. According to the InfoWorld review, it was the third link that infected the under-patched system.
In this test, the third link with a red ‘X’ was a site named SeekingandFinding.com. While it is not known what malicious payload attacked the test system, it did cause ForceField to throw an error and ask to report information. On top of that, the system itself locked up and needed a reboot.
Once the system was back online after the restart, the test was launched again. There were no notable changes to the system; so far, the only issue from loading that page was a system freeze. The third link, again Seekingandfinding.com, wants to load a ‘Shell WebView Content and Control Library’ according to Internet Explorer. The browser blocked the ActiveX control; however, ForceField now shows twelve items blocked according to the Protection Activity button. (Note: Remember these links are being followed against the warnings issued by AVG Free 8.0.)
Another website, understanding-islam.com, wants to load ‘Microsoft Data Access – Remote Data Services’. However, once again Internet Explorer blocked the ActiveX control and ForceField blocked twelve threats. At this point all three of the original sites were loaded again post-crash with no errors. For the next set of sites, Google blocked one of them with a malware warning. The other two sites visited during this set were uneventful, as Internet Explorer blocked content on one site and denied an ActiveX control on another.
According to Google, “Of the 266 pages we tested on the site over the past 90 days, 40 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 05/18/2008, and the last time suspicious content was found on this site was on 05/14/2008. Malicious software includes 40 Trojan(s), 6 exploit(s), and 2 scripting exploits. Successful infection resulted in an average of 18 new processes on the target machine.” (Note: These details come from the added information recently reported on here: http://tinyurl.com/4b4odw)
The results of this test made another point about layered security. Google blocked four sites, Internet Explorer prevented ActiveX exploitation, AVG Free 8.0 warned about the links being harmful before they were accessed, and to top it off, ForceField averaged twelve actions per page blocking malicious content.
In the opinion on the InfoWorld review, I made a point that if you want a test to fail, it will. Likewise, if I want a test to pass I can make it pass. With that in mind, every test performed can be replicated. These results can be tested by anyone.
The test and review of ZoneAlarm ForceField proves without a doubt that the InfoWorld review of ForceField was way off the mark. The largest problem is that to ensure a fair and proper test, you need to start with a clean, fully patched system. If during this test I had used XP SP2, Internet Explorer 6, and left off a few months’ worth of patches, all of the exploits would have worked.
ForceField is not a cure-all security program. During this test, it was obvious that AVG Free 8.0 made up for the protection that ForceField lacks. The thing that makes ForceField shine is that it works with Firefox or Internet Explorer and any other security suite you have. When used in conjunction with other security software, ForceField offers a serious layer of defense to a computer. AVG Free 8.0 was tested here, but ForceField also worked with Norton 360 2.0 (the testing with 360 was different, as many features overlapped) and AVG Internet Security 8.0, just to name a few.
Overall, if used properly, ForceField is a great tool. You simply have to remember the rules with security to get the most out of it. These rules are simple. Update and patch daily. Layer your security, and use a little common sense.
ZoneAlarm ForceField earns a solid 98 out of 100 for the actions demonstrated during these tests. It crashed once, but still managed to protect the system before it went down in a blaze of glory. Take the trial for a spin, and if you like it, the cost is affordable to keep it.
The system crash was preceded by a virtual memory warning. This happened as a known malicious site was being loaded. There is no solid proof, one way or another, that the site caused the crash or that a program error caused the crash. There is also the fact that the virtual machine running the test at the time could have caused the crash.
During this test, most of the sites visited or linked to because of an injection attack were in Chinese. With that said, there were no translation packs downloaded to the virtual system.