Application Control

Using Application Control for Application Security

The ZoneAlarm Application Control module is on by default and is set to Auto mode. In this mode, it silently assigns permissions to programs. When a program tries to access the network illegally, or to act as a server, the Application Control module works together with SmartDefense Advisor to check this program against a database of known safe programs. These are some well known programs:

  • Web browsers - such as Internet Explorer, Chrome, Firefox, Opera
  • Email applications - such as Microsoft Outlook, Opera Mail
  • Instant messengers - such as Yahoo! IM, Google Talk
  • Anti-virus applications - such as Symantec Norton, Avast
  • Document processing and archiving utilities - such as WinZip, Adobe Acrobat
  • ZoneAlarm software applications

The ZoneAlarm Application Control module also uses OSFirewall to detect any malicious activity against your computer's operating system.

When ZoneAlarm cannot validate a program, or discovers a program that tries a suspicious action, it generates an alert. For more details on alerts, see Understanding Application Control Alerts and Understanding OSFirewall Alerts.

To customize the way your computer handles application access permissions, or to reduce the number of alerts, see Managing Basic Application Control Settings and Configuring Advanced Application Control Settings.

Turning Application Control On and Off

To turn Application Control on or off:

  1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
  2. Move the Application Control ON/OFF slider to ON or OFF position, as necessary.

If ZoneAlarm Application Control is on, the Application Control status line shows the message Blocks dangerous behaviors and unauthorized Internet transmissions, and the main status bar shows the message YOUR COMPUTER IS SECURE.

If ZoneAlarm Application Control is off, the Application Control status line shows the warning Application control is not properly set, and the Fix Now button below. The main status bar shows the warning YOUR COMPUTER IS AT RISK, and the Fix Now! button next to it. Click one of the Fix Now! buttons to turn Application Control on again.

Managing Basic Application Control Settings

You can change the general Application Control settings as necessary - for example, to reduce the number of alerts, or to gain finer control over the network-access and server-access rules applied to applications.

To modify General Application Control Settings:

  1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
  2. Click Settings in the Application Control section.
  3. In Current Settings, move the Network firewall slider to one of these settings:
    Max. The most secure setting, but it creates the most alerts. Every program must ask for, and receive, permission for network access, Internet access, and for server privileges.
    Auto. The default setting. Not as secure as the Max setting, but it minimizes alerts by working in auto-learn mode. In this mode, ZoneAlarm software learns which programs you use the most, and later grants permissions to them without alert interruptions.
    Min. The least secure setting, but it produces the fewest alerts. It can make your computer susceptible to attacks by the latest malware, also known as zero-day threats.
    Off. Turns the Application Control security module completely off - both the Network firewall and DefenseNet.
    Note: The main status bar shows the warning YOUR COMPUTER IS AT RISK. Change the Network firewall setting back to Min, Auto, or Max, or click Fix Now! in the main status bar, to turn Application Control back on.
  4. In Current Settings, move the Your DefenseNet slider to one of these settings:
    Auto. The default setting. The Application Control module queries the ZoneAlarm server for an access policy for each program that asks for network or server permissions, and then allows or denies access silently, without alerts. If a program is not in the server database, an alert shows and you must decide whether to allow or to deny access to that program.
    Note: Network firewall must be on - in Max, Auto, or Min mode.
    Manual. For each program that asks for access permissions, you must decide to allow or to deny access, based on your own knowledge or on the advice of the SmartDefense Advisor. The Application Control module does not make automatic decisions.
    Note: Network firewall must be on - in Max, Auto, or Min mode.
    Off. DefenseNet is completely off, and the Application Control module does not contact the ZoneAlarm server for access policy information.

Configuring Advanced Application Control Settings

You can further customize Application Control settings, based on application behavior, application component behavior, and other specific factors.

To get to Advanced Application Control settings:

  1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
  2. Click Settings in the Application Control section.
  3. Click Advanced Settings.
    The Application Control Settings window opens.
  4. Make necessary configuration changes:
    • Enable advanced controls - application, service, and component controls
    • Change OSFirewall settings
    • Configure settings for suspicious program behaviors - connection attempts and attempts to act as a server
    • Configure permissions for individual programs
    • Configure permissions for program components
  5. Click OK.

Enabling Advanced Controls

To turn on advanced application controls:

  1. In the Application Control Settings window, select the Application Control tab.
  2. From the navigation tree in the Application Control Settings window, select Advanced Control options as necessary:
    • Enable Advanced Application Control - prevents malicious applications that try to abuse standard Windows service calls
    • Enable Application Interaction Control - blocks untrusted programs from launching trusted programs for Internet access
    • Enable Timing Attack Prevention - prevents malicious programs from exploiting kernel timing vulnerabilities for execution of untrusted code
    • Enable Microsoft Catalog Utilization (selected by default) - to prevent alerts for programs that are in the MS Windows database of known and trustworthy applications.
      Note - ZoneAlarm software can still show alerts about programs that are cataloged in the MS Windows database, if they try to act as a server outside of the Trusted Zone.

To enable services control:

In the Application Control tab, select Enable Services Control.

To configure component control:

  1. Enable component control - in the Application Control tab, select Enable Component Control.
  2. Configure components:
    1. From the navigation tree, select View Components, then select a program component from the list that shows.
    2. Right-click on the Permission field.
    3. Select new permission - Allow (to automatically grant permissions), Deny (to automatically deny permissions), or Ask (to ask for permissions when component runs).
    Note - to change MS Windows Access Control properties, while a component is selected, click View Properties. Change properties in the window that opens. Refer to MS Windows Help for instructions.

Changing OSFirewall Settings

OSFirewall is enabled by default and detects when programs try to do one of these types of suspicious actions:

  • Install ActiveX
  • Change the hosts file
  • Change IE search page
  • Change which programs load at startup

By default, OSFirewall reacts to those actions according to the program permissions. To change permissions for a specific program, see "Configuring Permissions for Individual Programs" (page 49). You can also change OSFirewall settings so that it reacts identically to all actions of the same suspicious activity type.
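As an added example that is not part of the ZoneAlarm manual, the following read-only PowerShell audit lists the same host state OSFirewall monitors (startup Run keys, active hosts file entries, and programs currently listening as servers), so an administrator can compare it against the View Programs list. It assumes Windows 8 or later (for Get-NetTCPConnection) and an elevated session so that the image path of every listening process is visible.

```powershell
# Added audit script (not part of ZoneAlarm); read-only, prints three tables.
# Assumes Windows 8 / Server 2012 or later (Get-NetTCPConnection) and an
# elevated session so that the image path of every listening process is visible.

# 1. Programs that load at startup: per-user and per-machine Run keys.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startup = foreach ($key in $runKeys) {
    if (Test-Path -Path $key) {
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}
"== Startup entries (Run keys) =="
$startup | Format-Table -AutoSize

# 2. Hosts file: every non-comment line overrides DNS resolution for that name.
$hostsPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'
"== Active hosts file entries =="
Get-Content -Path $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' } |
    ForEach-Object { [pscustomobject]@{ Entry = $_.Trim() } } |
    Format-Table -AutoSize

# 3. Programs acting as servers: listening TCP sockets mapped to the owning process.
"== Listening processes =="
Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
        }
    } |
    Sort-Object -Property LocalPort, LocalAddress |
    Format-Table -AutoSize
```

Any listening process that does not appear in View Programs with a server permission you recognize, or any Run key or hosts entry you did not create, is a candidate for review.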

To change OSFirewall settings:

  1. From the navigation tree in the Application Control Settings window, select OSFirewall.
  2. Make sure Enable OSFirewall is selected.
  3. Right-click on the OSFirewall rule you want to change, and select an action:
    • Allow
    • Deny
    • Ask
    • Use Program Settings (default)
  4. Click OK.

Configuring Settings for Suspicious Program Behaviors

Some programs may try to connect to, or to act as a server for, computers in your Trusted Zone or your Public Zone. By default, Application Control asks for permission on every such attempt. You can instead configure Application Control to always allow or always deny each type of connection.

To configure settings for suspicious program behavior:

  1. From the navigation tree in the Application Control Settings window, select Advanced.
  2. In the Connection Attempts section, select one of the permissions for attempts to connect to the Trusted Zone and to the Public Zone - Always allow access, Always deny access, or Always ask for permission (default).
  3. In the Server Attempts section, select one of the permissions for attempts to act as a server to the Trusted Zone and to the Public Zone - Always accept the connection, Always deny the connection, or Always ask before connecting (default).
  4. In the Alerts & Functionality section, select relevant alerts and rules:
    • Show alert when Internet access is denied
    • Deny access if permission is set to ask and the TrueVector service is running but ZoneAlarm is not (selected by default)
      TrueVector is a ZoneAlarm security service that monitors Internet traffic and generates alerts for suspicious access attempts. It shows as vsmon.exe service in the MS Windows list of processes and continues to run, even if ZoneAlarm is not running.
    • Require password to allow a program temporary Internet access (selected by default)
  5. If you want to return to the original settings, click Reset to default.
  6. Click OK.

Configuring Permissions for Individual Programs

ZoneAlarm software tracks programs that try to access the Internet or a local network, or to gain server privileges, and assigns access permissions to them. You can change permissions for individual programs on the list, add a program to the list, or remove a program from the list.

To change permissions for a program on the list:

  1. In the ANTIVIRUS & FIREWALL panel, go to Settings at Application Control, and select View Programs.
    You can also select View Programs from the navigation tree in the Application Control Settings window.
  2. In the View Programs window that opens, select a program.
    The information about the highlighted program shows in the Detail area below the list of programs.
  3. Click in the fields and select parameter values:
    Programs The name of a program.
    Note: You cannot change this field.
    SmartDefense Defines the level of SmartDefense Advisor control:
    • Auto - SmartDefense Advisor defines the access policy
    • Custom - manually define the access policy and the trust level by changing the values of Outbound Trusted, Outbound Internet, Inbound Trusted, and Inbound Internet fields.
      Note - if you change one or more of these fields, the value in the SmartDefense field automatically changes to Custom.
    • System - the program is used by the operating system, and SmartDefense Advisor does not define the access policy for it
      Note - If you try to change the value in the SmartDefense field, or one of the other fields, for a system program, a warning shows - This is the system program, are you sure you want to change it? Be careful: changing system program policies can interfere with the normal operation of your computer.
    Trust Level Define the actions that a program is permitted to do:
    • Super - the program can perform suspicious actions without seeking permission, and no alerts are displayed
    • Trusted - the program can perform suspicious actions without seeking permission, but unknown programs must ask for permission
    • Restricted - the program can perform trusted-level actions but cannot perform suspicious actions
    • Ask - a Suspicious Behavior alert shows during run time, and lets you decide whether to allow or to deny access
    • Kill - the program does not get any access and cannot run
    • No Enforcement - the program can run without any restrictions and is not monitored by ZoneAlarm
      NOTE: We do not recommend overwriting the default value of the Trust Level parameter, because the ZoneAlarm software assigns policies to known programs automatically, and the SmartDefense Advisor security team constantly monitors and updates the database of these programs.
    Outbound Trusted Defines permissions for sending data to the Trusted Zone:
    • Allow - lets all outbound traffic go out to the Trusted Zone
    • Deny - does not let any outbound traffic go out to the Trusted Zone
    • Ask - at run time, asks for permission for the program to send traffic to the Trusted Zone
    Outbound Internet Defines permissions for sending data to the Internet:
    • Allow - lets all outbound traffic go out to the Internet
    • Deny - does not let any outbound traffic go out to the Internet
    • Ask - at run time, asks for permission for the program to send traffic to the Internet
    Inbound Trusted Defines permissions for data sent from the Trusted Zone:
    • Allow - lets all inbound traffic from the Trusted Zone
    • Deny - does not let any inbound traffic from the Trusted Zone
    • Ask - at run time, asks for permission for the program to receive inbound traffic from the Trusted Zone
    Inbound Internet Defines permissions for data sent from the Internet:
    • Allow - lets in all inbound traffic from the Internet
    • Deny - does not let in any inbound traffic from the Internet
    • Ask - at run time, asks for permission for the program to receive inbound traffic from the Internet

To add a program to the list:

  1. Click Add.
    The Add Program window opens.
  2. Select the executable file of the program you want to add (with .exe file extension).
  3. Click Open.
    The Add Program window closes, and the program shows on the list. By default, after you add a program to the list, its SmartDefense setting is Auto, and all the other settings are Ask.

To remove a program from the list:

  1. Select a program from the list.
  2. Click Remove.
    The Delete Confirmation window opens.
  3. Click Yes to confirm the deletion.
    The program disappears from the list.

Customizing Program Options

For each program, you can further customize Security options, define Send Mail privileges, and configure Expert Rules.

To get to the customization options:

In the View Programs tab of the Application Control Settings window, select a program and click Options.

The Program Options window opens.

To customize Security program options:

  1. In the Program Options window, select Security tab.
  2. Select security options, as necessary:
    • Advanced Application Control > This program may use other programs to access the Internet
    • Advanced Application Control > Allow Application Interaction
    • Outbound Email Protection > Enable Outbound Email Protection for this program (selected by default)
    • Authentication > Authenticate Components (selected by default)
    • Authentication > Authenticate program by full path name only
    • Authentication > Program changes frequently

To define Send Mail privileges:

  1. In the Program Options window, select Send Mail tab.
  2. Under Change the setting to allow the program to send/receive email, select an option:
    • Allow (default)
    • Block
    • Ask

To configure Expert Rules:

  1. In the Program Options window, select Expert Rules tab.
  2. Click Add.
  3. Continue as the Adding Expert Rules (on page 38) section describes.

To change MS Windows Access Control properties for a program:

  1. In the Program Options window, select a program and click View Properties.
  2. In the window that opens, change properties as necessary. For instructions, see MS Windows Help.

Configuring Permissions for Program Components

You can change permissions for individual program components or remove a component from the list. Program components are DLLs that trusted processes are allowed to load.

To change permissions for a program component:

  1. From the navigation tree in the Application Control Settings window, select the View Components tab.
    The Components table shows the name, the description and the default Access permission for each of the detected components.
  2. Select a component.
  3. Click in the Access field and select one of these:
    • Allow
    • Deny
    • Ask

To remove a component from the list:

  1. Select a component.
  2. Click Remove.

To learn more about a component:

Click View Properties. The Windows program properties window opens. See MS Windows Help for more information on program properties.
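As an added example, not from the manual, this PowerShell snippet lists the DLLs loaded into a running program together with their Authenticode signature status, which is the kind of information Component Control decides on. The process name is an assumption; replace it with the program you are reviewing. On recent Windows versions Get-AuthenticodeSignature also reports Windows catalog signatures, so catalog-signed system DLLs show SignatureType Catalog rather than NotSigned.

```powershell
# Added example (not part of ZoneAlarm): list a program's loaded DLLs with signature status.
$processName = 'notepad'   # assumed example; use the program you are reviewing

$components = Get-Process -Name $processName -ErrorAction Stop |
    Select-Object -First 1 |
    ForEach-Object { $_.Modules } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName
        [pscustomobject]@{
            Module        = $_.ModuleName
            Path          = $_.FileName
            Status        = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            SignatureType = $sig.SignatureType     # Authenticode, Catalog, or None
            Signer        = $sig.SignerCertificate.Subject
        }
    }

"== All loaded components =="
$components | Format-Table Module, Status, SignatureType, Signer -AutoSize

# Review first: anything without a valid signature, then anything signed by a
# publisher other than the one you expect for this program.
"== Components without a valid signature =="
$components | Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Module, Path, Status -AutoSize
```

A run against a 64-bit process must itself be done from 64-bit PowerShell, otherwise the module list cannot be read.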

Understanding Application Control Alerts

ZoneAlarm software generates alerts for programs it cannot validate. These are typical Application Control alerts:

New Program A new, unknown program tries to connect to a network in the Public Zone or the Trusted Zone.
Repeat Program A program that tries to connect to a network in the Public Zone or the Trusted Zone already asked for access permission before, and you did not choose to remember your selection.
Changed Program A program that tries to connect to a network in the Public Zone or the Trusted Zone has changed.
New Program Component A program that tries to connect to a network in the Public Zone or the Trusted Zone has one or more components that Application Control has not yet validated. This helps protect you from hackers who add new components to trusted programs to get around your Application Control restrictions.
Changed Program Component A program that tries to connect to a network in the Public Zone or the Trusted Zone has a component that changed.
Server Program A program tries to act as a server.
NOTE: Hacker programs often act as servers and passively wait for instructions. Even though some safe applications, such as mail programs, need to act as servers, be careful to give server permissions only to programs that you know and trust.
Advanced Program A program tries to use another program to connect to the Internet, or tries to manipulate the functions of another program in some way.
NOTE: Some legitimate programs behave in this way too. If you trust the program, you can give it access permissions. If you deny access in such a case, the program's activity may be interrupted.

When a program alert shows, the Application Control module asks you if you want to allow or to deny access to the program.

  • Click Allow to give the access to the program.
  • Click Deny to deny the access to the program.
Notes -
  • If you need more information before you make a decision, click the small arrow button next to Show More Info, then click More Information Available to get to the SmartDefense Advisor information web page.
  • If you want Application Control to remember your selection, select Remember this setting before you click Allow or Deny.

Understanding OSFirewall Alerts

OSFirewall alerts show when programs or processes on your computer try to change the OS settings or the Internet Explorer settings. Some of the alerts require your response; some do not. For the alerts that require your response, if you are not sure whether to allow or to deny the action, click More Info in the alert box. This opens a web page with SmartDefense Advisor information for this alert, which can help you decide how to respond.

There are three types of OSFirewall alerts:

  • Malicious - show when ZoneAlarm software detects a known virus, worm, trojan, or other malware. These alerts do not require a response from you.
  • Medium-rated Suspicious - show when a trusted program tries to change the default behavior of another program. A typical example is a program that tries to change the Internet Explorer search page. Medium-rated Suspicious alerts require that you respond with Allow or Deny. See the table below for help with the response.
    Modification of the startup directory A program tries to set itself to run each time your computer starts. Unless you are installing this program, or are fully aware of it, you should deny this action, since it can be spyware.
    Modification of browser search defaults A program tries to change the Internet Explorer search settings. Unless you want to change those yourself, you should deny this action.
    Unloading of driver A program tries to unload a driver of another program. There is no legitimate reason for this action, and you should deny it.
  • High-rated Suspicious - show when a program tries to perform an action that can be dangerous. Disk access that bypasses the file system is one example of high-rated suspicious behavior. These alerts require you to respond with Allow or Deny. See the table below for help with the response.
    Modification of program A program tries to change another program, possibly to prevent it from running, or tries to run product updates. Unless you are upgrading your product, deny this action.
    Accessing system registry The process is trying to modify registry entries. Deny this action.
    Launching an unknown or bad program from a good one A program tries to start another program. Unless a program has a reason to open another program (for example, a Word document with a link to a browser) you should deny this action.
    A program is trying to kill another program A program tries to stop another trusted program. Unless this is a result of your actions, such as use of Task Manager to end a program or process, or a software installation that requires a reboot of your computer, you should deny this action.
    Modifying network parameters A program tries to change your network settings, possibly to re-route your traffic to a malicious web site and steal important personal information. Unless you are running TCP/IP tuning software, you should deny this action.
    Installation of driver A program tries to load a driver. Unless you are installing an anti-virus, anti-spyware, firewall, VPN, or other kind of system tool, you should deny this action.
    Sending Windows messages A program tries to send messages to another program. It could try to force that program to perform certain functions. Unless you are installing software that needs to communicate with another program, you should deny this action.
    Invoking open process/thread A program tries to control another program. System applications can do this legitimately. Unless you trust the program that tries to perform the action, deny it.
    Monitoring keyboard and mouse input A program tries to record your keystrokes and mouse input. Unless you are running a program that uses this type of input, such as narration software, you should deny this action.
    Remote control of keyboard and mouse input A remote program tries to control your keyboard and mouse input. Unless you are running software with remote control privileges, deny this action.
    Modification of physical memory A program tries to read or change information in physical memory that belongs to another program. Unless you are running gaming, video, or system utility software, you should deny this action.
    Injection of code into a program or system service A program tries to inject code into another program, which can disable that program or its services. Unless you are running special software that must change the behavior of another program, deny this action.
    Transmission of Dynamic Data Exchange (DDE) input A program tries to send DDE input to another program. This way it can give the other program access to the Internet, or share some information with it. Unless you trust the program, deny this action.
    Deletion of a run key A program tries to delete a run key. This is normal behavior for a program that was set to run at start-up but is being canceled. Unless it is such a program, you should deny this action.
    Notes -
    • If you select Remember This Setting before you click Allow or Deny, the ZoneAlarm software remembers your answer, and applies the remembered setting automatically when the program tries to perform the same action at a later time.
    • If SmartDefense Advisor is set to Auto, your setting will remain effective, unless SmartDefense Advisor gets updated with a different setting, or until you change the setting manually.

© Check Point Software Technologies Ltd.

All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.

RESTRICTED RIGHTS LEGEND:

Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.

TRADEMARKS:

Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.

Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.