Spyware, Viruses, & Security forum

General discussion

Is it true Zonealarm firewall is not effective??

I read this on a recent post

Neither ZoneAlarm nor Comodo have dynamic packet filtering, and are vulnerable to worms. I've actually been contacted by people who used each of them, when their systems were overrun by the SQL Slammer and Stack Bot that came out in October. I suggest you use Kerio or BlackICE. These are both easy to use, and the only firewalls I'm acquainted with that are ICSA certified.

This is the first I have heard of this and always thought that Zone alarm firewall was the best of the best
Anyone know about this?

Untrue... lots of opinionated verbiage going around...

In reply to: Is it true Zonealarm firewall is not effective??

Don't believe it... been using ZoneAlarm over 10 years. Never received any of the things mentioned. Nothing but excellent results here.

Glenn

ROFL@Glenn. I just now saw your post Glenn

In reply to: Untrue... lots of opinionated verbiage going around...

and I love your choice of words for this situation. "opinionated verbiage". LOL

Yeah, Roddy! I though that appropriate...

In reply to: ROFL@Glenn. I just now saw your post Glenn

In retrospect I should have added 'excessive' before opinionated. Wink

All the best!

Glenn

(NT) Good job. :)

In reply to: Yeah, Roddy! I though that appropriate...

A fortress with the gates open.

In reply to: Is it true Zonealarm firewall is not effective??

What analogy can I use here? I've heard such but then I discovered the owners had opened ports to use P2P software, ran "cracks" and more.

Since most firewalls allow the owners to configure the firewall, all could fail as you noted.

Bob

Well Kerio has a problem too

In reply to: Is it true Zonealarm firewall is not effective??

It has unpatched vulnerabilities. If the reports that you received about ZoneAlarm and Comodo are true and they are vulnerable to worms, that is normal for any software. Any software in general has its own vulnerabilities. It's only a matter of time for a researcher to discover them. If it's known to the vendor, they will surely make an advisory and fix.

The bottom line is don't depend in 1 software tool alone.
Certification is nice but certification does not fix any current and future vulnerabilities in a software.

Best of best depends on a user who uses the product. User A can say Product B is the best while User B can say Product C is the best. There's no best really.
Some feel freeware is the best deal. While others feel freeware is not enough. It all depends on the user .. really.

I use Zonealarm paid version Firewall

In reply to: Well Kerio has a problem too

And as far as I know you cannot run more than one firewall as they would conflict.
I do run other protection including a hardware firewall in my router and was just concerned about the negative report on Zone alarm that I had never heard before.

Yup

In reply to: I use Zonealarm paid version Firewall

Not recommended to run 2 firewall software. Since you paid for ZA, you have the option to contact their support to check whether the report you received is true. You need to show them proof (e.g. link)

explanation

In reply to: Is it true Zonealarm firewall is not effective??

That was my post you read. While I know it creates a lot of controversy to "slam" one of the most popular firewalls in existence, I only do this because I know something. Let me try to explain:

While I understand that ZoneAlarm might not get infected as quickly due its ability to hide ports and its mature HIPS, and while it is possible that my two colleagues were indeed using P2P or visiting rogue websites, I have four things I can tell you:

First, both machines were infected with IRC Flood, which was one of the trojans that was piggybacking these worms. Second, and as you've already read, ZA does not have SPI (Stateful Packet Inspection). Third, while neither of the first two issues actually prove that it was the botnet worms that carried this trojan in, I've cleaned out machines with three other brands of firewalls that all had the same infection. The other three firewalls were Comodo, Sygate, and two different versions of McAfee (AOL S&SC and MSC). Can you guess what all four of these firewalls have in common? No SPI!!! Finally, there are two computers in my home network (we have a wireless router with a NAT firewall, not SPI). My grandma's machine was using MSC (McAfee Security Center) courtesy of Comcast. I had to disinfect her machine two or three times before I saw on the news (October 9) what was happening. I had BlackICE on my machine toward the beginning, but I've had Safety.Net since about the end of October. My machine has never been hit.

Here's an article that talks about the botnet/worm "epidemic": http://www.nytimes.com/2007/01/07/technology/07net.html?_r=1&hp&ex=1168146000&en=d8e4c5dbbdaaa422&ei=5094&partner=homepage&oref=slogin

And here's an article that talks about the difference between ZoneAlarm and BlackICE, an ICSA-certified SPI firewall. Mind you, this letter is seven years old, and it's from ISS (the makers of BlackICE), but the information is all true: http://www.iss.net/security_center/advice/Support/KB/q000132/default.htm

Bottom line: All the machines I've cleaned in the past three months with IRC Flood have had "simple" firewalls (non-SPI) on them. I've cleaned one person's machine that actually had BlackICE on it, but I didn't find IRC Flood on it, and he uses LimeWire and clicks every e-mail link in his inbox that says anything about sex (I've long since given up trying to get him to stop; he won't.).

The botnet worms I've been talking about are coming from infected zombies. The worms are self-propagating. They generate random IP addresses and see if they get a response. In cases of simple firewalls such as ZoneAlarm, your only hope of avoiding infection is for all requested ports to be hidden. If they are not, and if a trusted application is assigned to any one of those ports, the worm now has open entry, and ZoneAlarm will not stop it. It may try to block the IRC Flood trojan from phoning home, but the bad news is that you are still infected.

Here's how stateful firewalls work: Whenever you open an Internet application, the firewall loads this information into memory on a "state table." It keeps track of the syntax and the ports in use by the application, and monitors the corresponding incoming packets in sequential order. By doing this, the firewall knows whether or not an incoming packet is part of a handshake that you, the user, solicited. In addition, modern SPI firewalls use "deep packet inspection." Packet headers can be spoofed, so newer-generation SPI firewalls will inspect the full contents of every packet to verify consistency. And unlike simple firewalls, which are basically application switchboards, a stateful firewall monitors ALL incoming traffic, whether the communicating application on your machine is trusted or not.

Don't get me wrong. SPI firewalls have their weaknesses too. Their whole deal is to keep intruders out. That won't stop you from visiting a rogue webpage and exposing yourself to drive-by infection; if you solicited the connection, it's not considered an intruder. In fact, I'll be honest with you...ZoneAlarm would be more likely to block something like that than my firewall (Safety.Net) would be. But I try to use discretion when I surf. I use Opera most of the time, and I have SiteAdvisor installed in IE and Firefox Portable. In addition, I do follow my own rules. In case you've read my posts about not visiting any site that's not green, understand that I don't do this either. Happy I also use Cyberhawk on top of my other security software. And my machine hasn't seen an infection in over a year (other than tracking cookies)!

As you may already have read, there are four firewalls I'm acquainted with that have stateful inspection. Once again, they are BlackICE, Kerio, Safety.Net, and Jetico. The free version of Kerio doesn't have HIPS, and could be vulnerable to a buffer overflow attack, but you could augment this with a dedicated HIPS product like Novatix Cyberhawk, which is also free. As an added bonus, Cyberhawk is much, much quieter than ZoneAlarm's, Comodo's, or Jetico's HIPS; and yet, according to Ian "Gizmo" Richards, it's the most effective non-sandbox HIPS available.

My intention is not to upset anyone, and I haven't been posting this "propaganda" all over CNET because of anything personal against ZoneLabs, Comodo, or anyone else. And no, I'm not getting kickback from Sunbelt, ISS, NetVeda, or Jetico either. Happy I just want to share with you some information I have that I consider to be invaluable. Do whatever you want with it; I promise I won't lose any sleep over it. As long as MY system (and now my grandma's as well) stays clean, it makes no difference to me.

correction

In reply to: explanation

I said ZoneAlarm would not stop a worm if it contacted an unhidden, open port; not necessarily true. ZoneAlarm will stop it if the trojan doesn't pull it down first, and if the HIPS detects it, and if the user correctly identifies the alert as an alert to an attack and denies it. But notice how many variables you have! If the requested port is open, and the worm gets past the network layer and into memory, it's all up to the HIPS' resistance to termination, its ability to detect the worm, and finally, the user's decision.

A firewall with stateful inspection, on the other hand, won't let the worm get past the network layer in the first place. And the only chance a hostile trojan would have of pulling down the firewall would be for the worm to successfully smuggle it through the network layer and into memory. Wink

You're Placing Too Much Importance On Firewalls

In reply to: correction

Whether SPI or not, most worms and trojans gain access by much easier means.. In almost all cases, the malware gains access through e-mail, instant messaging, P2P file sharing downloads, Windows file sharing access, or incorrect passwords on the "administrator" login, all of which firewalls are set to "allow" through their barrier.. Once inside the computer, any good malware has the ability to disable firewalls and antivirus programs so they aren't of value anyway. Most trojans, spyware, and such are better protected by an overall protection scheme of which the firewall is a very small part. (For example; Unless a user is on a network and needs to share files, disabling "File and Printer Sharing" in Windows shuts down an entire avenue of infection. And if sharing IS required, then do it correctly.. NEVER share the entire C drive and don't give other users "Full" write access to the files.) For most bad guys that want to gain access to a computer for bot/net purposes, a software firewall whether SPI or not, is little challenge. If on a network, most should be using layered firewalls anyway... A hardware router with SPI and then a software of some type.

Please be aware that firewalls are reviewed constantly and BlackICE is NOT necessarily one of the premier programs out there.. ZA is generally reviewed better in terms of protection and like most software firewall tests, it DOES hide/stealth all ports. Most do. But as we all know.. a review is just the opinion of testers about which program THEY think is the best.. Users should do the research and make up their own mind. Simply typing "Firewall Reviews" into Google finds a lot of reading material.

Hope this helps.

Grif

a firewall by itself is not enough

In reply to: You're Placing Too Much Importance On Firewalls

I wonder if you read my post all the way through, or were you already working on a comeback? I did mention later on that SPI firewalls are in fact particularly vulnerable when you deliberately expose yourself to drive-by and P2P threats, and that ZoneAlarm would be likely to outdo Safety.Net in this case. I also mentioned that I follow my own simple set of rules to minimize these threats, and that my firewall is not the only protection I have running.

In the end, this is what you should have gotten out of all my rambling and rhetoric: Now that hackers are employing the self-propagating capabilities of worms to drop trojans for them, allowing them to create much larger botnets much faster, you don't even have to be surfing to be infected. As long as your computer is on, and your ethernet connected, you are a sitting duck if you use a simple firewall.

If you haven't been infected yet, good for you. But the keyword is "YET." Because of the simple fact that more people are becoming aware of spam and phishing and such, the only choice professional cyber-criminals have is to get more aggressive. While it's an ongoing "cat and mouse" game with simple firewall vendors, who have to release new versions every month, stateful firewalls have been using the same concept for nearly a decade (with the one major addition of deep packet inspection) and are updated much less frequently; except BlackICE, which updates its intrusion definition database constantly. My firewall hasn't gotten an update in almost two years, and that's not because NetVeda is no longer in business. The fact is, they've long since been ready for this.

Only a firewall with SPI (the EXACT same technology used in hardware firewalls, except the cheaper NAT firewalls) can be expected to block an intruder every single time. That is their primary function, and they do it very well. Software SPI firewalls use kernel drivers placed just above the network layer (W2K and WXP only). Because an SPI firewall can detect an intruder instantly, the packets can never make it past the network layer and into memory. And if it's not in memory, how can it be expected to defeat the firewall? A buffer overflow attack, perhaps, which is why we now have HIPS. Wink

If you are a die-hard ZoneLabs fanatic who will stick with them until the end, no matter what happens, by all means march, soldier. But hopefully at least ONE person was enlightened by the truth of everything I said. If so, my job is done.

hhhmm

In reply to: a firewall by itself is not enough

I don't think Grif is a ZA die-hard. If I understand this correctly, he is only informing you that any firewall is ineffective if the user allows the firewall to permit the communication of a program and the port in use. The program, for example: messengers, p2p, email, browser, etc.

Whatever firewall is in use, hardware or software, if the user explicitly allows the port and the communication and the malware 'slips in' since it is allowed, or if the user executes it, then the firewall has nothing to do with it since the user instructed it to allow the communications.

The antivirus and antispyware will play the role there: to block/stop the infection if it is known in their database.

A firewall is for intruders, but if a firewall has no signatures like a software firewall can offer, then a hardware firewall is IMHO not very effective.

Both should work together: firewall hardware and software.
That is, if one really needs both. One will do it, but it really depends on the user what he wants to use.

Antivirus and other security tools are the ones to depend on in the end, and that is if the known intruder behaves like what they have in the database.

not so

In reply to: hhhmm

SPI firewalls block intruders. And let me politely say that you are incorrect in your second paragraph. Stateful firewalls monitor ALL incoming traffic, whether the communicating application is trusted or not.

Let me give you an example: Let's pretend you are using Comodo, the firewall that claims to pass ALL the leaktests, and you are instant messaging back and forth with a friend on Windows Live. Since Comodo recognizes Windows Live as a trusted application, it does not monitor ANY incoming traffic from the ports Windows Live is using. A stateful firewall does, and it can tell by way of a three-way-handshake whether someone is trying to "slip by" using the ports in use by Windows Live.

Remember, SPI firewalls install kernel drivers just above the network layer, and they monitor the syntax, used ports, and sequential order of packets in the state table. Any incoming connection from a third party is easily detected, because their information is not in the state table. And they don't get their information on the state table unless YOU (the user) connect to THEM.

Trust me, it works. This is the same technology hardware firewalls use. What most people don't realize, however, is that software SPI firewalls can work just as well on an NT-based operating system, because the driver has total control over all the packets travelling through the network layer. Any more questions?
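The "state table" description in the earlier "explanation" post and the Windows Live example in this reply describe the same mechanism. The following Python simulation is an added example (not code from the thread or from any firewall product named in it): it contrasts a port-based "trusted application" rule with a stateful filter that tracks the three-way handshake and sequence numbers. The host, server and third-party addresses, ports and sequence numbers are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed packet model for the simulation: TCP five-tuple, flags, sequence
# numbers and payload length. All addresses used below are documentation ranges.
@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset      # e.g. frozenset({"SYN"}) or frozenset({"SYN", "ACK"})
    seq: int = 0
    ack: int = 0
    payload_len: int = 0

HOST = "192.0.2.5"        # constructed: the protected machine

class ApplicationFirewall:
    """The 'simple' firewall the thread describes: a trusted application owns a
    local port, so anything arriving on that port is let in, whoever sent it."""
    def __init__(self, trusted_local_ports):
        self.trusted = set(trusted_local_ports)

    def inbound(self, pkt: Packet) -> str:
        return "allow" if pkt.dst_port in self.trusted else "drop"

class StatefulFirewall:
    """State table keyed by (local_ip, local_port, remote_ip, remote_port). An
    inbound packet is allowed only if it continues a handshake the host started,
    with the sequence numbers the table expects next; anything else is dropped."""
    def __init__(self):
        self.table: Dict[tuple, dict] = {}

    def outbound(self, pkt: Packet) -> str:
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if pkt.flags == {"SYN"}:
            # The host solicited this connection: record it and the ack we expect.
            self.table[key] = {"state": "SYN_SENT", "expect_ack": pkt.seq + 1}
        elif key in self.table and self.table[key]["state"] == "SYN_RECEIVED" \
                and "ACK" in pkt.flags:
            self.table[key]["state"] = "ESTABLISHED"   # third step of the handshake
        return "allow"

    def inbound(self, pkt: Packet) -> str:
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        entry = self.table.get(key)
        if entry is None:
            return "drop"             # not in the state table: nobody here asked
        if entry["state"] == "SYN_SENT":
            if pkt.flags == {"SYN", "ACK"} and pkt.ack == entry["expect_ack"]:
                entry["state"] = "SYN_RECEIVED"
                entry["peer_next_seq"] = pkt.seq + 1
                return "allow"
            return "drop"             # wrong flags or forged ack: not our handshake
        if entry["state"] == "ESTABLISHED" and "ACK" in pkt.flags \
                and pkt.seq == entry["peer_next_seq"]:
            entry["peer_next_seq"] += pkt.payload_len   # in-order data from the peer
            return "allow"
        return "drop"                 # out-of-sequence or spoofed packet

def run_scenarios() -> Dict[str, Tuple[str, str]]:
    """Returns {scenario: (simple decision, stateful decision)} for inbound packets."""
    simple = ApplicationFirewall(trusted_local_ports={49152})  # messenger owns 49152
    spi = StatefulFirewall()
    server, third_party = "203.0.113.10", "198.51.100.7"       # constructed addresses
    SYN, SYNACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"})
    ACK, PSHACK = frozenset({"ACK"}), frozenset({"PSH", "ACK"})
    results = {}
    # 1. The host opens the messenger connection: SYN out, SYN-ACK in, ACK out.
    spi.outbound(Packet(HOST, 49152, server, 5222, SYN, seq=1000))
    in_synack = Packet(server, 5222, HOST, 49152, SYNACK, seq=5000, ack=1001)
    results["solicited SYN-ACK"] = (simple.inbound(in_synack), spi.inbound(in_synack))
    spi.outbound(Packet(HOST, 49152, server, 5222, ACK, seq=1001, ack=5001))
    # 2. In-order data from the server on the established connection.
    in_data = Packet(server, 5222, HOST, 49152, PSHACK, seq=5001, ack=1001, payload_len=40)
    results["solicited data"] = (simple.inbound(in_data), spi.inbound(in_data))
    # 3. A third party sends a SYN to the same local port the trusted messenger uses.
    probe = Packet(third_party, 40000, HOST, 49152, SYN, seq=777)
    results["unsolicited SYN on trusted port"] = (simple.inbound(probe), spi.inbound(probe))
    # 4. A packet spoofing the server's address whose sequence number is off the table.
    spoof = Packet(server, 5222, HOST, 49152, PSHACK, seq=99999, ack=1001, payload_len=10)
    results["spoofed data, wrong seq"] = (simple.inbound(spoof), spi.inbound(spoof))
    return results
```

The port-based rule allows all four inbound packets because the messenger owns port 49152; the stateful filter allows only the two that match an entry it created when the host connected out.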

don't get me wrong

In reply to: not so

I'm not saying a firewall by itself will protect you from everything. I'm just saying your firewall is your first line of defense, and as such, it should be able to block ALL intruders at ALL times. Simple firewalls do not, simply put. Wink

The reason I've been saying so much about firewalls is because that's the main topic of this thread. Of course, you also need up-to-date antivirus and antispyware with real-time protection. In addition, I recommend a dedicated HIPS product, which can help complement your existing signature-based security apps with behavior analysis. Cyberhawk is one of the best (outside of sandbox programs), while somehow managing to be quiet almost all the time.

In addition, I recommend a certain degree of discipline when using the Internet. IM and VoIP are okay, as long as you have an SPI firewall and know the person you're talking to. P2P and torrent clients are NOT okay. If you use these, you're asking for trouble whether or not you have a good firewall and a host of other security products in place.

If you use IE and/or Firefox, I recommend McAfee SiteAdvisor. And if you observe the same discipline I do, and stay away from any site that's not green unless you know and trust the source, you'll be a lot better off. Hope this helps!

Of course I'm aware what is SPI Firewall

In reply to: don't get me wrong

If not, I won't be enabling it in my router's configuration Wink

What I'm trying to express to you is that a firewall, in this case with SPI, will protect from attacks and intrusions.

See this scenario: SPI is enabled and the software firewall then allows an instant messenger to communicate online (inbound/outbound). If there's malware that hacked/cracked a password and sent all contacts of the hacked acct a link to view an image that is actually not an image but an infected plug-in that is loaded by the browser, what will happen? Did SPI protect the user? Nope. It actually allowed it.

Your contributions here are appreciated. I'm just commenting that you think another fellow mod is a die-hard fan of ZA, which I don't think his comments are about.

A firewall is a great addition to security and one of the first lines of defense, and nope, it won't block ALL intruders at ALL times. If that were true then we wouldn't see big companies or organizations being attacked/hacked/DDoSed etc., and those big companies hired and spent on security solutions that are not low budget AFAIK.

There is something wrong of course, and who knows? Did they apply the patches at once, or did they delay it due to conflicts at their work? There are many issues and incidents where SPI firewalls are not the answer at all.

context, context

In reply to: Of course I'm aware what is SPI Firewall

I'm sorry if I gave you that impression. Notice that I said "If," which is the keyword. I'm actually a Level III in English at Delta College, having achieved perfect scores in Reading and Writing. I also completed English 1A recently, leaving only English 1D for me to fulfill the IGETC requirements for transfer to a UC or CSU. I'm pretty good about the context I use. Wink

And again, I did say that an SPI firewall by itself will not by any means provide you with a complete solution. But that's not the topic of this thread. In any case, I have provided my short version of a reasonably well-rounded security solution in my previous post. If anyone would like an in-depth review, I'd be happy to give one. Just ask me. Happy

Still, You Place Too Much Importance On Firewalls..

In reply to: a firewall by itself is not enough

Unfortunately, despite your last statement, the only reason I'm making comments again is that your "truth" is NOT.. Since the topic is about software firewalls, SPI firewalls are not all the same and you make it appear as if all that's needed is SPI ability and as a result, you don't like ZoneAlarm.. In fact, software firewalls only have bits and pieces of SPI detection ability. (See THIS LINK that I provided for you in the "Newbies" forum.). And yes, even ZoneAlarm has SPI traits in its ability to determine the "state" of program access. (By the way, because most of my experience is in the corporate world with networks and System admin work,-I'm also a McAfee moderator- I actually tend to prefer the McAfee corporate firewalls and network gateway software when it comes to effectiveness-but I DO recommend ZoneAlarm for a variety of reasons to my private customers and home users.)

But that's beyond the point.. The original question in this topic was: "Is it true Zonealarm firewall is not effective??"

I'll say, yes it is..unless it doesn't work well on your particular computer..which happens with any software type.. It's generally rated among the top in software firewalls, as much as that goes. Still, none of them are perfect and should be used as only PART of the over-all protection plan.

Hope this helps.

Grif

sorry...

In reply to: Still, You Place Too Much Importance On Firewalls..

You're right. Your firewall is not the only component you need. If you would pay attention to what I've been posting, you would see that I've already said that more than once.

I don't want to mess with the site you linked to. It has a yellow rating in SiteAdvisor, which reports adware or other potentially unwanted programs. All I can tell you is this: Where ZoneAlarm, Comodo, McAfee (AOL S&SC and MSC), and Sygate (VCOM SS7) have failed; BlackICE, Kerio, and Safety.Net have all succeeded. I tried Jetico, but IE couldn't find server after a default installation, so I can't tell you anything about that.

I haven't used ZoneAlarm here, so I can't tell you if it would protect my system or not. But it failed on two machines I know of, and methinks I understand how an SPI firewall works. I've already explained it.

one more thing...

In reply to: sorry...

I know the original topic here was about ZoneAlarm. You also pointed out to me in another thread that the topic there was "Windows Firewall or ZoneAlarm," and that I had basically evaded that topic completely. Please forgive me, but I have a question for you...

If someone asked you, "Should I jump off the Golden Gate Bridge, or should I jump off the Bay Bridge," how would you respond? Would you tell them there was another way, or would you just say, "Well, I would recommend the Bay Bridge, because it's less of a drop?"

All I want to do is help. And in case you haven't noticed, I know what I'm talking about. Happy

That's Too Bad...

In reply to: one more thing...

"And in case you haven't noticed, I know what I'm talking about."

Personal opinions of oneself are exactly that..opinions held by yourself. I've tried to point out that you need to explore further "what you're talking about" in regards to computer security and firewalls. That's also good advice for MYSELF and all users as well.

In fact, you have helped a great deal.. Keep up the good work. That's what discussion forums are all about.

And as to the Bay Bridge analogy... you might want to throw that question before someone who studies suicides.. A psychologist would probably tell you it has nothing to do with computers...

Hope this helps.

Grif

I apologize

In reply to: That's Too Bad...

A) I know what I'm talking about refers to my knowledge of SPI firewall technology, not my general opinion of myself.

B) My analogy was not to be taken literally. If someone actually asked me that question, I too would put them on the phone with a professional immediately. But as far as computers are concerned, that's just what Windows Firewall and ZA Free are...suicide.

To be honest with you, I don't disbelieve that ZA Pro has potential. If it didn't the entire World Wide Web wouldn't be raving about it. But few people question the effectiveness of an industrial hardware firewall, and I know from personal experience, as well as technical knowledge, that its software counterpart can be equally effective (on a stable, NT-based operating system). Hence the comment, "I know what I'm talking about."

At any rate, it's becoming clear to me that I've offended you. Please forgive me; that was not my intention. I apologize.

Incorrect Interpretations...

In reply to: I apologize

You certainly didn't offend me... As I mentioned earlier, that's what forums are best at.. Discussions and responsible debate..

The Windows Firewall and ZoneAlarm are NOT suicide, nor are they a bad product.. They are tools which serve their purpose depending on a need and millions of users make use of them effectively without being infected. There may be better products for certain needs but only the circumstances will tell which product to use.

And, "I know what I'm talking about" is indeed a general opinion of oneself.

Hope this helps.

Grif

(NT) whatever

In reply to: Incorrect Interpretations...

moderators' / others vote please

In reply to: Is it true Zonealarm firewall is not effective??

Hi, I'm currently evaluating my ZA free firewall which I've been using for 2 years now. Can't really say if it's really effective or not. But the icon in the notification area always turns a red and green striped colour, seems to be showing lots of incoming traffic activity, and quite a lot of attempted intrusions seem to have been blocked by ZA. Feels to me like it's quite effective, not sure. Heard about Kerio and Sygate. Are they better than ZA?

Better or worse is in the eyes of the beholder...

In reply to: moderators' / others vote please

I have been well pleased with ZoneAlarm Free for a long time, with good results. Just check the Overview/Status section to see how many intrusions have been blocked... you may be amazed at the results.

Hope this helps.

Glenn

If you have been using a product for 2 years

In reply to: moderators' / others vote please

already and are happy with it, why change?
