New! Independent Tests Overview

ZoneAlarm products have been evaluated and tested by a number of independent organizations and competitors. We have recently received several test results and are in the process of publishing them in HTML on our website. This includes the test results indicated below as well as performance testing.
New! Boot Protection and Stability Under Siege
See test results from KoreLogic (PDF) that demonstrate differences in protection during the boot or start-up of a computer and the ability of security software to withstand an onslaught of attacks.
Traditional testing methods are no longer sufficient for testing PC security effectiveness. It is no longer enough to simply put viruses on a computer and see what is detected. Instead, the complete computer life cycle must be tested. This new testing approach highlights the importance of boot protection and the ability of security software to withstand an onslaught of attacks while still maintaining its defenses.
Antivirus
Virus Bulletin is the leading specialist publication in the field of viruses and related malware. In the publication's April 2008 comparative review, Virus Bulletin awarded Check Point ZoneAlarm its VB100 certification. Learn more at Virus Bulletin/VB100M or see our awards page.
AV-Comparatives is an independent organization that tests how well different antivirus engines detect viruses, along with other aspects of scanning. For comparison purposes, look for the test results of Kaspersky, which uses the same scanning engine that ZoneAlarm introduced in version 7.0. See Anti-Virus Comparative tests, February 2008 (Copyright © by AV-Comparatives®). Learn more at www.av-comparatives.org. Tested on Windows XP SP2.
Firewall Tests using Independent Tools

Results are given as Pass or Fail for each of: ZoneAlarm® Internet Security Suite, Norton® Internet Security, McAfee® Suite, Microsoft® OneCare. (The Pass/Fail marks were images and are not preserved in this text version.)

TESTS (Click on test name for more details)
>> TooLeaky
Tooleaky opens your default web browser with a command line. If the web browser is allowed to access port 80, all the data will be transmitted to a remote address, possibly including passwords or credit card numbers. If your firewall fails the test, it does not check applications that launch other applications.
Result for McAfee® Suite: N/A.
>> Firehole
FireHole uses your default web browser to transmit data to a remote host. To do this, it installs a DLL file onto your PC in the same process space as a trusted application, so it has a greater probability of accessing the Internet stealthily. If your firewall fails this test, then your firewall does not control applications that launch others, and is also vulnerable to DLL injection.
>> LeakTest
Leaktest was designed to test whether simply renaming a malicious program to the name of an authorized application could allow it to bypass your firewall. If your firewall fails, then your firewall trusts applications by their name (a character string) instead of by a cryptographic fingerprint, e.g., MD5 (Message-Digest algorithm 5), a widely used cryptographic hash function with a 128-bit hash value.
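The weakness LeakTest probes, shown as an added example that is not code from the ZoneAlarm page: a name-based program rule accepts an impostor renamed to match the browser, while a digest-based rule rejects it. SHA-256 is used in place of the MD5 the text mentions, and the files are constructed stand-ins.

```python
# Added example, not from the ZoneAlarm page: why a program-control rule
# keyed on the file name is weaker than one keyed on a digest of the file.
# SHA-256 stands in for the MD5 the page mentions; the check is identical,
# only the digest function differs. All files below are constructed.
import hashlib
import os
import tempfile

def fingerprint(path: str) -> str:
    """Hex SHA-256 digest of the file at `path`, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def trusted_by_name(path: str, allowed_names: set) -> bool:
    """Weak rule (what LeakTest defeats): trust any matching file name."""
    return os.path.basename(path).lower() in allowed_names

def trusted_by_hash(path: str, allowed_hashes: set) -> bool:
    """Stronger rule: trust only a file whose digest is on the list."""
    return fingerprint(path) in allowed_hashes

def leaktest_scenario() -> dict:
    """Create a stand-in browser and an impostor renamed to match it, then
    evaluate both rules against each. Returns the four verdicts."""
    with tempfile.TemporaryDirectory() as root:
        good_dir, bad_dir = os.path.join(root, "good"), os.path.join(root, "bad")
        os.makedirs(good_dir)
        os.makedirs(bad_dir)
        real = os.path.join(good_dir, "browser.exe")
        fake = os.path.join(bad_dir, "browser.exe")  # unrelated program, renamed
        with open(real, "wb") as fh:
            fh.write(b"MZ constructed stand-in for the authorized browser\n")
        with open(fake, "wb") as fh:
            fh.write(b"MZ constructed stand-in for an unauthorized program\n")
        names = {"browser.exe"}        # name-based allow-list
        hashes = {fingerprint(real)}   # digest-based allow-list
        return {
            "real_by_name": trusted_by_name(real, names),
            "fake_by_name": trusted_by_name(fake, names),   # True: the leak
            "real_by_hash": trusted_by_hash(real, hashes),
            "fake_by_hash": trusted_by_hash(fake, hashes),  # False: blocked
        }
```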
>> DNSTester
On XP, all DNS requests from various applications are passed to the DNS client service (SVCHOST.EXE). This behavior can be used to transmit data to a remote computer by crafting a special DNS request without the firewall noticing. DNStester uses this kind of recursive DNS request to bypass your firewall. If your firewall fails this test, then your firewall checks DNS requests too late.
>> Ghost
Generally, when an application accesses the Internet, your firewall uses the Windows API to retrieve the parent PID. Ghost changes its PID by shutting itself down and restarting, then continues to send data. If your firewall fails this test, then your firewall's parent/child network access monitoring is checking too late.
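The "checking too late" point, as an added example that is not from the ZoneAlarm page: a monitor that records each process's parent at creation keeps the full launch chain even after the launcher exits, whereas a parent-PID lookup made only at connect time finds nothing. The event format and log are constructed for this example.

```python
# Added example, not from the ZoneAlarm page: attributing an outbound
# connection to whatever launched the connecting program by using the parent
# recorded when each process was created, instead of asking the OS for the
# parent at connect time. The event format and the log below are constructed.
class ProcTable:
    def __init__(self):
        self.record = {}   # pid -> (ppid, image): written at START, never dropped
        self.alive = set()

    def observe(self, line: str) -> None:
        kind, *rest = line.split()
        if kind == "START":          # START <pid> <ppid> <image>
            pid, ppid, image = int(rest[0]), int(rest[1]), rest[2]
            self.record[pid] = (ppid, image)
            self.alive.add(pid)
        elif kind == "EXIT":         # EXIT <pid>; CONNECT lines are ignored
            self.alive.discard(int(rest[0]))

    def live_parent(self, pid: int):
        """A connect-time parent lookup: None once the launcher has exited."""
        ppid = self.record[pid][0]
        return self.record[ppid][1] if ppid in self.alive else None

    def ancestry(self, pid: int) -> list:
        chain = []   # image names from `pid` up to the root, creation-time view
        while pid in self.record:
            pid, image = self.record[pid]
            chain.append(image)
        return chain

# constructed log: the launcher restarts under a new PID, spawns the browser,
# then exits before the browser connects out (the Ghost pattern)
SAMPLE_LOG = [
    "START 100 1 explorer.exe",
    "START 200 100 ghost.exe",
    "START 300 200 ghost.exe",
    "EXIT 200",
    "START 400 300 browser.exe",
    "EXIT 300",
    "CONNECT 400 203.0.113.10:80",
]

def analyse(log=SAMPLE_LOG) -> dict:
    """Replay the log, then report both views of the connecting process."""
    table = ProcTable()
    for line in log:
        table.observe(line)
    pid = int(next(l for l in log if l.startswith("CONNECT")).split()[1])
    return {"live_parent": table.live_parent(pid), "ancestry": table.ancestry(pid)}
```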
>> Surfer
Many firewalls catch a direct ShellExecute or CreateProcess call that launches Internet Explorer (IE) with parameters. To avoid detection, Surfer creates a hidden desktop and launches IE inside it with no URL. Surfer then launches another instance of itself and closes the first one. It then uses DDE (Dynamic Data Exchange), an old inter-process data exchange protocol (similar to OLE). If your firewall fails this test, then your firewall does not check the DDE inter-process protocol, or has weak parent/child monitoring.
>> Yalta
Yalta has both a classical test and an advanced test. The classical test tries to send UDP packets to ports that are often allowed, e.g., 53 (DNS) and 21 (FTP). The advanced test uses a driver to send packets directly to the network interface, going beneath the TCP/IP layer. If your firewall fails this test, then your firewall may allow traffic that you did not initiate on pre-configured ports.
>> Outbound
OutBound tries to send TCP packets with a few flags set directly to the network, attempting to bypass your firewall. To conserve CPU and system resources, many firewalls do not filter these kinds of packets. If your firewall fails this test, then your firewall does not check below the Windows IP layer, and/or checks only new connections.
>> Copycat
Copycat uses direct code injection (without creating an additional thread) into a Web browser to avoid firewall detection. If your firewall fails this test, then your firewall is vulnerable to process injection.
>> Thermite
Thermite injects its code into the target process directly by creating an additional malicious thread within that process, which is totally invisible to some firewalls. If your firewall fails this test, then your firewall is vulnerable to process injection.
>> PCAudit
PCAudit uses DLL injection to inject its code (as a DLL) into authorized applications. If your firewall fails this test, then your firewall is vulnerable to DLL injection.
>> PCAudit2
PCAudit2 uses a different DLL injection method than the first version of PCAudit, to bypass firewalls that can block PCAudit. If your firewall fails this test, then either your firewall is vulnerable to DLL injection, or its DLL injection protection feature is not effective.
>> Wallbreaker
WallBreaker uses explorer.exe to access the Internet. It includes a variant test that launches cmd.exe, which in turn launches explorer.exe. In another test, WallBreaker sets a scheduled task using "AT.exe", which executes the task via "svchost", creating a batch file (".bat" extension) with a random filename in your directory.
>> MBTest
MBtest sends packets directly to the NIC to try to bypass your firewall. To do this, it sends different kinds of packets, varying the size, protocol and type. In theory MBtest could copy the needed files by itself without a reboot. If your firewall fails this test, then your firewall may only check high-level network traffic, missing low-level traffic.
>> AWFT
AWFT has 10 tests, including: (1) attempting to load a copy of your default browser and patch it in memory before it executes, and creating a thread on a loaded copy of your default browser; (2) creating a thread on Windows Explorer; (3) attempting to load a copy of the default browser from within Windows Explorer and patch it in memory before execution; (4) performing a heuristic search for proxies and other software authorized to access the Internet on port 80, then loading a copy and patching it in memory before execution from within a thread on Windows Explorer; and (5) performing a heuristic search for proxies and other software authorized to access the Internet on port 80, then asking the user to select one of them to create a thread on the selected process.
>> Breakout
Breakout sends a URL to your Internet Explorer (IE) address bar via the 'SendMessage' Windows API in order to launch it. If your firewall fails this test, then your firewall does not check the 'messages' sent to your applications' windows.
>> Breakout2
Breakout2 creates an HTML page locally that points to its target URL. Then, it enables Active Desktop and sets its HTML page as your desktop wallpaper. If your firewall fails this test, then your firewall does not check for Active Desktop abuse.
>> CPIL
CPIL tries to find explorer.exe and patch its memory. Then with the infected explorer.exe, CPIL attempts to transmit data to remote servers using your default browser. If your firewall fails this test, then it may fail to monitor suspicious code injection.
>> Jumper
Instead of directly modifying the target process's memory, Jumper makes the target load its foreign DLL by itself. To do so, Jumper writes to the 'AppInit_DLLs' registry entry and then kills explorer.exe, which Windows reloads automatically. Once inside, the Jumper DLL modifies your Internet Explorer (IE) start page registry entry with all the data it wants to transmit, and then launches IE. If your firewall fails this test, then your firewall is not monitoring the critical registry entries.
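One defensive check for the registry entry Jumper relies on, as an added example that is not from the ZoneAlarm page: read a registry export (.reg text) offline and report any DLL paths configured in AppInit_DLLs. The key path is the real one under HKEY_LOCAL_MACHINE; the export and the DLL name are constructed.

```python
# Added example, not from the ZoneAlarm page: an offline check for a populated
# AppInit_DLLs value in a registry export (.reg text), the entry the Jumper
# test writes to. The key path is the real one; the export is constructed.
import re

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"

# constructed export with one configured DLL path (a clean system has "")
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Temp\\constructed_hook.dll"
"DeviceNotSelectedTimeout"="15"
'''

# the same export with the value emptied, for comparison
CLEAN_REG = SAMPLE_REG.replace(r'"C:\\Temp\\constructed_hook.dll"', '""')

def parse_reg(text: str) -> dict:
    """Minimal .reg reader for string values: {key path: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="((?:[^"\\]|\\.)*)"$', line)
            if m:  # undo the .reg escaping of backslashes and quotes
                data = m.group(2).replace("\\\\", "\\").replace('\\"', '"')
                keys[current][m.group(1)] = data
    return keys

def appinit_findings(text: str) -> list:
    """DLL paths configured in AppInit_DLLs (space or comma separated);
    an empty list means the value is clean."""
    data = parse_reg(text).get(APPINIT_KEY, {}).get("AppInit_DLLs", "")
    return [p for p in re.split(r"[ ,]+", data) if p]
```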
>> PCFlank
PCFlank uses OLE automation to check how your firewall handles one program attempting to control the behavior of another (trusted) program. If your firewall fails this test, then your firewall is leaky and you should take additional measures to secure your computer.
Note: These tests were run using independent, publicly available freeware. The following product versions were used: ZoneAlarm® Internet Security Suite 7.0 beta1, Norton Internet Security Suite v7.1, McAfee Internet Security v9 Trial, and MS Windows Live OneCare v1.1.1067.8 with Windows Defender. Believed accurate based on research performed the week of October 26, 2006, this list of leak tests is not exhaustive. Tests were conducted using Windows XP SP2 with all MS updates. ZoneAlarm® Program Control was set to Maximum, the setting most users are in either by default or after a short learning period. Leak tests required an Auto-Detect OFF setting on all products: some security software prevents several of the common leak tests used to evaluate firewall security from being run in the first place, treating the leak tests themselves as malicious software. Setting Auto-Detect to OFF for all tested products delivered what we consider a more accurate representation, but it did affect the results of some leak tests. For example, turning Auto-Protect off affected the testing of these threats for Norton: Firehole, Copycat, Thermite, Breakout, and Breakout2.