The ZoneAlarm Application Control module is on by default and is set to Auto mode. In this mode, it silently assigns permissions to programs. When a program tries to access the network illegally, or to act as a server, the Application Control module works together with SmartDefense Advisor to check this program against a database of known safe programs. These are some well known programs:
The ZoneAlarm Application Control module also uses OSFirewall to detect any malicious activity against your computer's operating system.
When ZoneAlarm 2018 cannot validate a program, or discovers a program that tries a suspicious action, it generates an alert. For more details on alerts, see Understanding Application Control Alerts and Understanding OSFirewall Alerts.
To customize the way your computer handles application access permissions, or to reduce the number of alerts, see Managing Basic Application Control Settings and Configuring Advanced Application Control Settings.
To turn Application Control on or off:
If ZoneAlarm Application Control is on, the Application Control status line shows the message Blocks dangerous behaviors and unauthorized Internet transmissions, and the main status bar shows the message YOUR COMPUTER IS SECURE.
If ZoneAlarm Application Control is off, the Application Control status line shows the warning Application control is not properly set, with the Fix Now! button below it. The main status bar shows the warning YOUR COMPUTER IS AT RISK, with the Fix Now! button next to it. Click either Fix Now! button to turn Application Control on again.
You can change general Application Control settings as necessary - for example, to reduce the number of alerts, or to gain finer control over the application network-access and server-access rules.
To modify General Application Control Settings:
| Setting | Description |
|---|---|
| Max. | The most secure setting, but creates the most alerts. Every program must ask for, and receive, permission for network access, Internet access, and server privileges. |
| Auto. | The default setting. Not as secure as Max, but minimizes alerts by working in auto-learn mode: ZoneAlarm 2018 software learns the programs that you use the most and later grants permissions to them without alert interruptions. |
| Min. | The least secure setting, but produces the fewest alerts. It can make your computer susceptible to attacks by the latest malware, also known as zero-day threats. |
| Off. | Turns the Application Control security module completely off (the Network firewall and DefenseNet). Note: The main status bar shows the warning YOUR COMPUTER IS AT RISK. Change the Network firewall setting back to Min, Auto, or High, or click Fix Now! in the main status bar, to turn Application Control back on. |
| Setting | Description |
|---|---|
| Auto | The default setting. The Application Control module queries the ZoneAlarm server for an access policy for each program that asks for network or server permissions, then allows or denies access silently, without alerts. If a program is not in the server database, an alert shows and you must decide whether to allow or to deny access to that program. Note: Network firewall must be on - in Max, Auto, or Min mode. |
| Manual | For each program that asks for access permissions, you must decide to allow or to deny access, based on your knowledge or on the advice from the SmartDefense Advisor. The Application Control module does not make automatic decisions. Note: Network firewall must be on - in Max, Auto, or Min mode. |
| Off | DefenseNet is completely off, and the Application Control module does not contact the ZoneAlarm server for access policy information. |
You can further customize Application Control settings, based on application behavior, application component behavior, and other specific factors.
To get to Advanced Application Control settings:
To turn on advanced application controls:
To enable services control:
In the Application Control tab, select Enable Services Control.
To configure component control:
OSFirewall is enabled by default and detects when programs try to do one of these types of suspicious actions:
By default, OSFirewall reacts to those actions according to the program permissions. To change permissions for a specific program, see Customizing Program Access Permissions ("Configuring Permissions for Individual Programs"). You can also change OSFirewall settings so that it reacts identically to all actions of the same suspicious activity type.
To change OSFirewall settings:
Some programs can try to gain access to or to act as a server for the computers in your Trusted Zone or your Public Zone. By default, Application Control asks for permission for a program to connect or to act as a server on every such attempt. You can configure Application Control to always allow or always deny each type of connection.
To configure settings for suspicious program behavior:
ZoneAlarm 2018 software tracks programs that try to access the Internet or a local network, or to gain server privileges, and assigns access permissions to them. You can change permissions for individual programs on the list, add a program to the list, or remove a program from the list.
To change permissions for a program on the list:
The name of a program.
Note: You cannot change this field.
Defines the level of SmartDefense Advisor control:
Defines the actions that a program is permitted to do:
Defines permissions for sending data to the Trusted Zone:
Defines permissions for sending data to the Internet:
Defines permissions for data sent from the Trusted Zone:
Defines permissions for data sent from the Internet:
To add a program to the list:
To remove a program from the list:
For each program, you can further customize Security options, define Send Mail privileges, and configure Expert Rules.
To get to the customization options:
In the View Programs tab of the Application Control Settings window, select a program and click Options.
The Program Options window opens.
To customize Security program options:
To define Send Mail privileges:
To configure Expert Rules:
To change MS Windows Access Control properties for a program:
You can change permissions for individual program components or remove a component from the list. Program components are DLLs that trusted processes are allowed to load.
To change permissions for a program component:
To remove a component from the list:
To learn more about a component:
Click View Properties. The Windows program properties window opens. See MS Windows Help for more information on program properties.
ZoneAlarm 2018 software generates alerts for programs it cannot validate. These are typical Application Control alerts:
| Alert | Description |
|---|---|
| New Program | A new, unknown program tries to connect to a network in the Public Zone or the Trusted Zone. |
| Repeat Program | A program that tries to connect to a network in the Public Zone or the Trusted Zone already asked for access permission before, and you did not choose to remember your selection. |
| Changed Program | A program that tries to connect to a network in the Public Zone or the Trusted Zone has changed. |
| New Program Component | A program that tries to connect to a network in the Public Zone or the Trusted Zone has one or more components that Application Control has not yet validated. This helps protect you from hackers who add new components to trusted programs to get around your Application Control restrictions. |
| Changed Program Component | A program that tries to connect to a network in the Public Zone or the Trusted Zone has a component that changed. |
| Server Program | A program tries to act as a server. NOTE: Hacker programs often act as servers and passively wait for instructions. Even though some safe applications, like mail programs, need to act as servers, be careful to give server permissions only to programs that you trust and know. |
| Advanced Program | A program tries to use another program to connect to the Internet, or tries to manipulate functions of another program in some way. NOTE: Some legitimate programs behave in this way too. If you trust the program, you can give it access permissions. In cases like this, denying access may interrupt the program's activity. |
When a program alert shows, the Application Control module asks you if you want to allow or to deny access to the program.
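The decision flow that the alert table above and the per-program permission fields (sending data to / data sent from the Trusted Zone and the Internet, plus the "remember my selection" choice and the SmartDefense Advisor database lookup of the Auto setting) describe can be written down as a small evaluator. The block below is an added example, not ZoneAlarm's own code: the data structures, field names, permission values and the sample program, DLL and "known safe" hashes are all constructed assumptions. It shows the order in which the checks fire: program identity, then component identity, then the per-zone rule, then a remembered answer, and only then a Repeat Program alert.

```python
"""Constructed model of the Application Control decision flow described above.
This is added example code, not ZoneAlarm's own; the data structures, field
names and sample programs are assumptions made for illustration."""
import hashlib
from dataclasses import dataclass, field

TRUSTED, INTERNET = "trusted", "internet"     # the two zones (Internet = Public Zone)
OUTBOUND, INBOUND = "outbound", "inbound"      # sending data to / data sent from a zone
ALLOW, DENY, ASK = "allow", "deny", "ask"      # assumed per-zone permission values


def fingerprint(data: bytes) -> str:
    """Hash an executable or DLL image so a later run can detect that it changed."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProgramEntry:
    """One row of the program list (constructed field names)."""
    name: str
    image_hash: str      # hash of the executable when it was added to the list
    components: dict     # DLL name -> hash validated for this program
    outbound: dict       # zone -> permission for sending data to that zone
    inbound: dict        # zone -> permission for data sent from that zone
    remembered: dict = field(default_factory=dict)  # (direction, zone) -> remembered answer


def classify(entry, observed_hash, observed_components, direction, zone, advisor_db=None):
    """Return (decision, alert). decision is ALLOW, DENY or ASK; alert names the
    alert from the table above when the user must be asked, otherwise None."""
    advisor_db = advisor_db or {}
    if entry is None:
        # Unknown program: the Auto setting consults the server database first and
        # decides silently; only programs missing from it raise a New Program alert.
        if observed_hash in advisor_db:
            return advisor_db[observed_hash], None
        return ASK, "New Program"
    if observed_hash != entry.image_hash:
        return ASK, "Changed Program"
    for dll, h in observed_components.items():
        known = entry.components.get(dll)
        if known is None:
            return ASK, "New Program Component"   # added DLL not yet validated
        if known != h:
            return ASK, "Changed Program Component"
    table = entry.outbound if direction == OUTBOUND else entry.inbound
    perm = table.get(zone, ASK)
    if perm != ASK:
        return perm, None                        # fixed allow/deny rule: no alert
    answer = entry.remembered.get((direction, zone))
    if answer is not None:
        return answer, None                      # user chose to remember last time
    return ASK, "Repeat Program"                 # asked before, answer not remembered


def remember(entry, direction, zone, answer):
    """Record the answer to a Repeat Program alert so identical attempts stay silent."""
    entry.remembered[(direction, zone)] = answer


def demo():
    """Run constructed scenarios; returns the list of (decision, alert) observed."""
    exe_v1, dll_v1 = b"mailer-v1", b"crypto-v1"          # constructed image contents
    mailer = ProgramEntry(
        name="mailer.exe",
        image_hash=fingerprint(exe_v1),
        components={"crypto.dll": fingerprint(dll_v1)},
        outbound={INTERNET: ALLOW, TRUSTED: ALLOW},
        inbound={INTERNET: ASK, TRUSTED: DENY},
    )
    known_dlls = {"crypto.dll": fingerprint(dll_v1)}
    advisor_db = {fingerprint(b"updater-v3"): ALLOW}     # constructed "known safe" policy
    seen = [
        classify(mailer, fingerprint(exe_v1), known_dlls, OUTBOUND, INTERNET),  # allowed silently
        classify(mailer, fingerprint(exe_v1), known_dlls, INBOUND, INTERNET),   # Repeat Program
    ]
    remember(mailer, INBOUND, INTERNET, DENY)
    seen += [
        classify(mailer, fingerprint(exe_v1), known_dlls, INBOUND, INTERNET),   # remembered deny
        classify(mailer, fingerprint(b"mailer-v2"), known_dlls, OUTBOUND, INTERNET),  # Changed Program
        classify(mailer, fingerprint(exe_v1), {**known_dlls, "helper.dll": fingerprint(b"helper")},
                 OUTBOUND, INTERNET),                                          # New Program Component
        classify(mailer, fingerprint(exe_v1), {"crypto.dll": fingerprint(b"crypto-v2")},
                 OUTBOUND, INTERNET),                                          # Changed Program Component
        classify(None, fingerprint(b"updater-v3"), {}, OUTBOUND, INTERNET, advisor_db),  # silent allow
        classify(None, fingerprint(b"unknown"), {}, OUTBOUND, INTERNET, advisor_db),     # New Program
    ]
    return seen


if __name__ == "__main__":
    for decision, alert in demo():
        print(decision, alert or "(no alert)")
```

Identity checks run before the permission lookup on purpose: a changed executable or an unvalidated DLL means the stored allow rule no longer applies to the binary that is actually running, which is exactly the case the Changed Program and New Program Component alerts exist to catch.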
OSFirewall alerts show when programs or processes on your computer try to change the OS settings or the Internet Explorer settings. Some of the alerts require your response, some do not. For the alerts that require your response, if you are not sure whether to allow or to deny the action, click More Info in the alert box. This opens a web page that shows SmartDefense Advisor information for this alert, which can help you decide how to respond.
There are three types of OSFirewall alerts:
| Suspicious action | Description |
|---|---|
| Modification of the startup directory | A program tries to set itself to run each time your computer starts. Unless you installed this program, or are fully aware of it, you should deny this action, since it can be spyware. |
| Modification of browser search defaults | A program tries to change the Internet Explorer search settings. Unless you want to change those yourself, you should deny this action. |
| Unloading of driver | A program tries to unload a driver of another program. There is no legitimate reason for this action, and you should deny it. |
| Modification of program | A program tries to change another program, possibly to prevent it from running, or tries to run product updates. Unless you are upgrading your product, deny this action. |
| Accessing system registry | The process is trying to modify registry entries. Deny this action. |
| Launching an unknown or bad program from a good one | A program tries to start another program. Unless a program has a reason to open another program (for example, a Word document with a link to a browser), you should deny this action. |
| A program is trying to kill another program | A program tries to stop another trusted program. Unless this is a result of your actions, such as using Task Manager to end a program or process, or a software installation that requires a reboot of your computer, you should deny this action. |
| Modifying network parameters | A program tries to change your network settings, possibly to re-route your traffic to a malicious web site and to steal important personal information. Unless you are running TCP/IP tuning software, you should deny this action. |
| Installation of driver | A program tries to load a driver. Unless you are installing an anti-virus, anti-spyware, firewall, VPN, or other kind of system tool, you should deny this action. |
| Sending Windows messages | A program tries to send messages to another program. It could try to force that program to perform certain functions. Unless you are installing software that needs to communicate with another program, you should deny this action. |
| Invoking open process/thread | A program tries to control another program. System applications can do this legitimately. Unless you trust the program that tries to perform the action, deny it. |
| Monitoring keyboard and mouse input | A program tries to record your keyboard strokes and mouse input. Unless you are running a program that uses this type of input, such as narration software, you should deny this action. |
| Remote control of keyboard and mouse input | A remote program tries to control your keyboard and mouse input. Unless you are running software with remote control privileges, deny this action. |
| Modification of physical memory | A program tries to read or change information in physical memory that belongs to another program. Unless you are running gaming, video, or system-utility software, you should deny this action. |
| Injection of code into a program or system service | A program tries to inject code into another program, which can disable that program or its services. Unless you are running special software that must change the behavior of another program, deny this action. |
| Transmission of Dynamic Data Exchange (DDE) input | A program tries to send DDE input to another program. This way it can give the other program access to the Internet, or share some information with it. Unless you trust the program, deny this action. |
| Deletion of a run key | A program tries to delete a run key. This is normal behavior for programs that must run at start-up but are being canceled. Unless it is such a program, you should deny this action. |
All rights reserved. This product and related documentation are protected by copyright and distributed under licensing restricting their use, copying, distribution, and decompilation. No part of this product or related documentation may be reproduced in any form or by any means without prior written authorization of Check Point. While every precaution has been taken in the preparation of this book, Check Point assumes no responsibility for errors or omissions. This publication and features described herein are subject to change without notice.
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR 52.227-19.
Refer to the Copyright page http://www.checkpoint.com/copyright.html for a list of our trademarks.
Refer to the Third Party copyright notices http://www.checkpoint.com/3rd_party_copyright.html for a list of relevant copyrights and third-party licenses.