Our guest this week in our Security for Everyone series is ZoneAlarm Internet Security 2010. ZoneAlarm is one of the established players on the home security market, especially through the scope of their freeware desktop firewall solution. Check Point Software Technologies have recently blessed their suite with Windows 7 compatibility, thus joining the game of home security solutions. Read on to see how well they are playing so far.
The first impression was distinctly favorable. ZoneAlarm Internet Security 2010 sports a handy and quick install program that does not ask too many questions. The procedure is straightforward and easy to follow. While the install program can install a browser toolbar, you can choose not to do so without any adverse impact. You can also skip providing your e-mail address if you do not want to receive additional information.
During the installation procedure, a first scan is run in order to check for any malware already on the system. This is a very effective solution, as some malware programs block access to the Registry, thus making it impossible to install anti-virus solutions after the system has been infected. On the previously-infected test system, ZoneAlarm Internet Security 2010 managed to wipe out some of the culprits and install cleanly. While not all the malware was removed during this phase, ZoneAlarm Internet Security 2010 did at least sneak itself onto the system. The install procedure also allows for some initial configuration. ZoneAlarm defaults to a non-intrusive profile, trying to get the best out of its Auto-Learn feature.
When running ZoneAlarm Internet Security 2010 for the first time you are greeted by a simple interface. While relatively bulky in looks, the interface is efficient and designed for minimal intrusion. The program will suggest that you perform a first "deep scan", which (a fair warning) takes quite a long time. Subsequent scans will not take that long, but running the first scan is recommended by ZoneAlarm Internet Security 2010 in order to establish a secure environment in the first place.
Ease of use and configuration
For the most part, configuring ZoneAlarm Internet Security 2010 is fairly easy. This is mostly due to the very simple interface. The main screen provides easy access to the configuration pane for every module, so finding a setting is not too complicated. Unfortunately, the basic behavior of the program is not too rich in customization options. The anti-virus configuration pane considers everything, including scan and update scheduling, to be advanced options. The most confusing part is the firewall and program control configuration. ZoneAlarm Internet Security 2010 uses the concept of Zones for its firewall. Depending on what network you connect to and on where inbound connection attempts come from, the firewall will apply various rules.
While this sounds like a reasonable solution, it is virtually impossible for a novice user to configure the behavior of these zones. Someone who wants to share a printer on an otherwise insecure network (and thus wants to use the High protection setting, but allowing printer sharing) is out of luck unless he can make his way through terms like ICMP, Outgoing DNS and NetBIOS. It is thus next to impossible to add exceptions for regular operations, such as file or printer sharing, without having some knowledge about networking.
The Program Control feature (which I will cover later) monitors and, if required, limits or blocks a program's access to the computer and network resources. Unfortunately, it suffers from similar misfortunes. First of all, it is unclear where exactly you have to look if you want to enable a program's access to the network. Second, Check Point Software decided to put all their ergonomics eggs in one basket and decided not to give too many configuration options outside the Auto-learn feature. The other three modes are difficult to cope with in their default state: Maximum program control mode will nag you about next to everything, Minimum mode will screen only "some" programs (but there is no information about what "some" means), and disabling Program Control will leave the system insecure.
Now the good news is that you can customize the Program Control features. The bad news is that you need to do a hefty amount of documentation reading because there is no in-line description of each setting. The customization dialogue allows you to enable Advanced Program control, Application Interaction Control, Timing Attack Prevention and Microsoft Catalog Utilization but there is no description of what these are and what they do. The documentation does explain each of them, but not in layman's terms.
This would not be much of a problem if the auto-learn feature were solid. Under normal circumstances, given our series' scope and objectives, I would quietly dust these options under the "advanced options are separated from basic options" carpet and call it a day. However, the auto-learn feature is still rather far from perfect. During the auto-learn period, the system is less secure than under normal circumstances. Based on the data gathered in the first three weeks of use, the program will automatically switch to Maximum security mode. Unfortunately, "less secure" is an understatement. During the first three weeks, if you do not change the Program Control mode, you will get very few alerts but you will also get a security level that is hardly worth the "ZoneAlarm" tag.
While running the first firewall tests, I was rather incredulous. The firewall acted much more poorly than I expected; the ZoneAlarm series is well-known for its personal firewall solutions. However, ZoneAlarm Internet Security 2010 leaked a lot of information to scanners. Some of the exploits I tried actually made it far enough that ZoneAlarm Internet Security 2010 required a reboot in order to clean up the mess left after blocking the attack.
When I re-ran the firewall tests after disabling the auto-learn mode and spending a few hours actually reading the manual, instead of just glancing over it to see how helpful it is if you ever get stuck, the firewall started to act as it should have. It leaked very little information to the scanners and blocked all the exploits I tried. Other than this, the firewall proved solid enough; disabling it was not possible by any means and it blocked every possible kind of attack.
The culprit in this case seems to be the Program Control's auto-learn mode. Due to its inefficiency, spyware and trojans can very easily sneak behind the firewall and leak information. The Program Control module brings aboard a close friend, the SmartDefense Advisor, which tries to configure program access whenever it can by default. The option of letting it do just what its name says (i.e. give advice when a security alert is displayed) is not the one selected by default.
Unfortunately, this heavily limits the usefulness of ZoneAlarm Internet Security 2010. I cannot say how good the auto-learn feature gets after three weeks of use, but even if it is good enough, there is a good chance you will end up with a half-crippled system by then. The firewall is shaky in the first three weeks of use and, as we will immediately see, the anti-malware module does not help it. As a consequence, not only can spyware sneak in on the system relatively easily, but in the absence of a heavily-guarding firewall it will also leak out a lot of information.
It is even more unfortunate that ZoneAlarm Internet Security 2010 actually includes firewall technologies with serious potential for success. For instance, it offers an OSFirewall feature, which tries to extend firewall monitoring to the operating system level. Disabling the auto-learn feature will actually turn ZoneAlarm's firewall into a really strong one, albeit somewhat nagging and not too easy to configure and use for novices.
Antivirus and antispyware features
ZoneAlarm Internet Security 2010 had one of the weakest performances in our series when it came to anti-malware protection. This came as a surprise, given the fact that it uses Kaspersky's anti-virus engine, but after repeating the tests twice I had to give up. The anti-virus engine missed quite a few of the infected test files. Its score was especially poor with rootkits, where it failed to detect almost half of them and failed to remove most of those it detected. It managed to detect most of the other threats, but failed to remove the vast majority of them and only managed to quarantine them.
On the bright side, I would have to point out that the performance impact was probably the smallest in our series. You can barely notice there's an anti-virus in the background, but the boot time almost doubled. Again, there are features that actually have a great deal of potential. For instance, the real-time scanner does a very good job when dealing with downloads, but it is not helpful if the signatures and the underlying anti-virus engine are unable to offer enough protection.
ZoneAlarm Internet Security 2010 is, at this moment, a somewhat sub-par effort. Not counting the anti-malware features, it does have a solid technological foundation. However, the efforts of making the powerful tools easy to use ended up limiting their efficiency. ZoneAlarm Internet Security 2010 can offer a good degree of protection, but that requires a significant configuration effort that is beyond the skills (and quite possibly time constraints) of a novice user.
If you want to try it out yourself, you can find the trial version here.