Software Review of ZoneAlarm Anti-Spyware 6
This application is designed for Windows users (98SE/ME/2000/Pro/XP) using a Pentium III 450 MHz or higher. While Anti-Spyware 6 can be used for network protection, I'm writing for single computer users.
Back in 1999 I became aware of Steve Gibson's work in providing wonderful free applications to save individual users from the dangers of the Internet, and began using ZoneAlarm. (Steve Gibson is not associated with ZoneLabs and continues to develop applications at Gibson Research.) This was, and still is, referred to by a lot of people as a firewall although there was some discussion about whether it was a true firewall by definition. All this made little difference to me - ZoneAlarm functioned the way I thought a firewall should, by making my computer essentially invisible while I was connected to the Net.
ZoneAlarm did this first of all by "sealing" ports, which means if someone tried, let's say, connecting to my computer through an FTP (File Transfer Protocol) port, not only would they be unable to see that I had one, but my computer would not acknowledge the requested connection. If someone knew my IP address and tried to scan my computer for open ports, it would appear that my computer was not connected to the Net. The second thing ZoneAlarm did was control access to the Net for every application on my computer.
It gave me three choices:
1. Deny access completely.
2. The application would ask for permission.
3. The application might access the Net without asking.
When a new application was added, ZA would allow the user to easily change permission settings. The result of this application control was that if an application contained spyware that tried to send your personal information to someone you may not want to send it to (known as "phoning home"), or if you accidentally opened an attachment that attempted to connect to, let's say, an IRC channel where a bot controller was waiting to turn your computer into a "zombie", a warning would pop up and ask if the application should be given access to the Net. Another useful feature was that the ZA access dialogue pop-up showed the name of the application, which made finding the offending file a lot easier.
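The difference between a port that is merely closed and one that is "sealed" as described above can be checked from a second machine on your own network. The Python below is an added example, not part of the original review or any ZoneLabs tool; the names `port_state` and `looks_offline` and the two-second timeout are assumptions.

```python
import socket

def port_state(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' or 'stealth'.

    open    - the handshake completes, so a service is listening
    closed  - the host answers with a refusal, which still confirms
              that a machine exists at this address
    stealth - nothing comes back before the timeout, which is how a
              firewall that silently drops the request appears
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        # e.g. "host unreachable" reported by a router on the path
        return "error: %s" % exc
    finally:
        s.close()

def check_ports(host, ports, timeout=2.0):
    """Return {port: state} for each port probed on your own host."""
    return {p: port_state(host, p, timeout) for p in ports}

def looks_offline(states):
    """True only if every probed port was silently dropped.

    A single 'closed' answer is enough to show the machine is online.
    """
    return bool(states) and all(v == "stealth" for v in states.values())

if __name__ == "__main__":
    # Constructed demo against the local machine: FTP, HTTP, HTTPS.
    result = check_ports("127.0.0.1", [21, 80, 443])
    print(result, "looks offline:", looks_offline(result))
```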
The current version of the ZoneAlarm firewall is still available free to users for "non-business" use. While this updated version is a little more complex, it still seals your ports and allows the setting of permissions for every application that requests access to the Net. In addition to the free firewall, ZoneLabs offers several security-related applications that may make your decision on protection rather complicated. They have five applications to choose from:
1. A complete "ZoneAlarm Internet Security Suite" which includes all of the rest of the listed items;
2. "ZoneAlarm Pro", the firewall by itself;
3. "ZoneAlarm Anti-Spyware";
4. "ZoneAlarm Antivirus";
5. "IMsecure Pro";
Besides the suite, each of the four other applications has specialized functions which are not available in any of the others.
If you are planning to purchase more than two of these applications, it makes sense from not only a security standpoint but also an economic one to go with the Security Suite. Each of these applications is available for a free fifteen day trial from here.
The Anti-Spy application retails for $29.95 USD and also includes the firewall.
Installing 6.1.514.00
Since I am perfectly happy with my old (1999) version of the firewall, I was hoping ZA Anti-Spy would allow me to install to a new folder. Unfortunately, even though I am apparently offered a choice, the path to the ZoneLabs folder is hard coded and I had to make other provisions to be able to re-install my older version after this test.
I chose to update rather than do a clean install. The first attempt resulted in a missing DLL and couldn't load the program. The second attempt resulted in a completely failed install after un-installing my older version.
On my third attempt I opted for the "Clean Install" which worked just fine. The process of determining my settings began with an offer to join the "DefenseNet community protection network", and "share my settings anonymously and automatically." It further stated this information will be transmitted once a day no matter how I configure the "Alert me before I make contact" setting. Being a bit suspicious by nature and since this is only a trial, I opted out. For anyone deciding to join this network, there is a provision to opt out later.
ZoneLabs states: "Anti-Spyware's database is filled with today's most relevant spyware, which is gathered in part by DefenseNet, a millions-strong community of ZoneAlarm customers who submit spyware samples to our researchers."
The next option is whether to use the SmartDefense Advisor which is basically an update of definitions, and it offers the user a number of choices regarding its usage. The first choice is to set to update automatically whenever there is an update for a security setting, and the second is that it will advise and let the user decide manual settings. There is a note that the browser will be reconfigured for this. A third option is not to receive advisories or update automatically.
Again, since I'm only testing, I chose this option. My assumption is that ZA will phone home at least once a day if you join DefenseNet, so the automatic update may be the most convenient way to go for a user that doesn't want to get involved with manual updates. I also chose this option to keep my browsers from being altered. If you choose not to join DefenseNet, you are offered the choice of updating weekly or monthly.
After a reboot, I was offered a three minute movie to show how ZoneAlarm Anti-Spy 6 protects me. I thought I may have chosen a bad day because the redirect couldn't find the server, and I bought the popcorn for nothing. The next step was to choose whether my detected Internet connection should be in the Internet or in the "Trusted" zone. The trusted zone would be used for a network that was trusted (in the home or office, for example).
One oddity that I noticed right away is that after I tried the movie, tried again, and typed the previous sentence, I got a popup asking if I should allow Firefox to access the Net. A notable difference here between my old version and the new is that the old version would show the pop-up immediately if I had just added a new application and tried to access the Net. This long delay could be confusing the first time an application is used, and also explains why the server was inaccessible.
Another point of confusion for an inexperienced user that may have chosen to try or buy only the Anti-Spy is that the user interface is set up for the complete suite. One may get the impression from seeing the extra buttons, that they are being protected by the non-existent features. Speaking of non-existent features, there is an anti-virus monitor which checks AV applications to see that they are running and up-to-date. However, I am warned that this may not support all AV products.
Mail Safe quarantines any inbound mail attachments that may contain viruses, and halts any outbound mail that displays virus-like activity. The blocked files include such things as URLs, so a user may want to check the block list for certain things they may not want quarantined.
As in the older version, any "attempts" on your security are logged. In essence, this will log every ping you may get, and since most sites you visit, and your ISP, will ping you, the log gets very large, very fast. It's typical for me to get over a thousand log entries a day so I prefer to turn logging off. ZoneAlarm also offers the option of a pop-up on every attempt, and I advise turning this off. Believe me; you really don't want to know every time you get a ping. Remember, with the firewall running, you are stealthed, meaning nobody knows you are online.
On its first scan, with no access to the Net, Anti-Spy identified my CyberArmy Command Toolbar as a "Hotbar" installation and recommended quarantine. While Hotbar is a "phone home" application, and a real threat, my CA toolbar is not set up to access the Net automatically. This leads me to suspect that there will be a number of false positive identifications and may lead an unknowing user to delete, or render useless, perfectly harmless applications.
I have an archive folder containing 42 tracking cookies, and among those I have a DoubleClick cookie and a FastClick cookie. They contain altered information, and have had their permissions changed to read-only. ZoneAlarm missed them. Now, since I beta-test new definitions files for Ad-Aware, I decided to compare Ad-Aware to Anti-Spy 6. Ad-Aware picked up my archive file and the two in the cookie file.
In my first foray into the wild, I went to a few sources of tracking cookies. Anti-Spy takes 102 minutes to scan files and comes up with a clean scan. Ad-Aware takes thirteen minutes, finds all my archived items, all my altered items, and two new items from DoubleClick and CasaleMedia:
-----------------------------------------
Tracking Cookie Object Recognized!
Type: IECache Entry
Data: 1746@doubleclick[1].txt
TAC Rating: 3
Category: Data Miner
Comment:
Value: c:\WINDOWS\TEMP\Cookies\1746@doubleclick[1].txt
Tracking Cookie Object Recognized!
Type: IECache Entry
Data: 1746@casalemedia[1].txt
TAC Rating: 3
Category: Data Miner
Comment:
Value: c:\WINDOWS\TEMP\Cookies\1746@casalemedia[1].txt
Disk Scan Result for c:\
-----------------------------------------
For a sample of another type of malware, I hit a few more known offending sites, and after another long wait, I got a clean scan from Anti-Spy. Ad-Aware takes thirteen minutes and picks up the two I expected:
-----------------------------------------
WhenU.SaveNow Object Recognized!
Type: Regkey
Data:
TAC Rating: 2
Category: Misc
Comment:
Rootkey: HKEY_CLASSES_ROOT
Object: clsid\{d5de8d20-5bb8-11d1-a1e3-00a0c90f2731}
VirtualBouncer Object Recognized!
Type: Regkey
Data:
TAC Rating: 5
Category: Malware
Comment:
Rootkey: HKEY_CLASSES_ROOT
Object: clsid\{0713e8a2-850a-101b-afc0-4210102a8da7}
-------------------------------
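To compare what two scanners report, output like the above can be turned into records and ranked. The Python below is an added example, not part of the original review or of Ad-Aware; the field list is taken from the excerpts quoted here, and ordering by TAC rating assumes a higher number means a more severe finding.

```python
import re

# Excerpt of the Ad-Aware output quoted in the review above.
SAMPLE = r"""
Tracking Cookie Object Recognized!
Type: IECache Entry
Data: 1746@doubleclick[1].txt
TAC Rating: 3
Category: Data Miner
Value: c:\WINDOWS\TEMP\Cookies\1746@doubleclick[1].txt
Disk Scan Result for c:\
WhenU.SaveNow Object Recognized!
Type: Regkey
Data:
TAC Rating: 2
Category: Misc
Rootkey: HKEY_CLASSES_ROOT
Object: clsid\{d5de8d20-5bb8-11d1-a1e3-00a0c90f2731}
VirtualBouncer Object Recognized!
Type: Regkey
TAC Rating: 5
Category: Malware
Rootkey: HKEY_CLASSES_ROOT
Object: clsid\{0713e8a2-850a-101b-afc0-4210102a8da7}
"""

FIELDS = {"Type", "Data", "TAC Rating", "Category", "Comment",
          "Value", "Rootkey", "Object"}
HEADER = re.compile(r"^(.+) Object Recognized!$")

def parse_scan_log(text):
    """Return one dict per 'Object Recognized!' entry."""
    entries, current = [], None
    for line in map(str.strip, text.splitlines()):
        header = HEADER.match(line)
        key, sep, value = line.partition(":")  # first colon only
        if header:
            current = {"Name": header.group(1)}
            entries.append(current)
        elif current is not None and sep and key in FIELDS:
            current[key] = value.strip()  # paths keep their own colons
        elif line:
            current = None  # "Disk Scan Result for c:\" is not a field
    return entries

def by_rating(entries):
    """Highest TAC rating first (assumption: higher is more severe)."""
    return sorted(entries, key=lambda e: int(e.get("TAC Rating") or 0),
                  reverse=True)
```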
Overall, I'm not impressed with Anti-Spy. While attempting to make security an automatic process for users who don't want to run several special purpose applications, I feel they have done a poor job of making things clear enough for beginning users to protect themselves adequately.
I admit that it's only my opinion, but the install and the on-site information border on being deceptive and I don't appreciate that behavior from a security application I am asked to trust. The failure to detect DoubleClick tracking cookies, both in the folder and fresh from the wild, surprises me, and the failure to detect my archived cookies and the two other offenders may indicate a marginal database. The time it takes to do a full scan surprises me as well and is likely to deter users from scanning regularly.
If ZoneLabs is relying on their user base for database submissions, they may get better as time passes; however, at this point I can't recommend this application. My suggestion would be to get the free ZA firewall, get the free version of Ad-Aware for its anti-spy capabilities, and learn to use both. This is no harder than using ZoneAlarm Anti-Spy, takes a lot less time to run, and I believe you will be more secure. The next step is to begin researching a good anti-virus application to round out your security suite.
This article was imported from zZine. (original author: 1746)