Sandbox Security Versus the Evil Web

ZoneAlarm ForceField 1.1

Check Point's ZoneAlarm ForceField requires Windows XP Professional SP2 or later, and works with Internet Explorer (6.0 and later) and Firefox (2.0 and later) browsers. It prevents "silent" malware downloading and keyloggers, while providing anti-phishing services, Web site inspection, and privacy components. As shown in Figure 1, ForceField can open a protected or private browser session, the latter of which adds the ability to erase browser session markers. Once a protected browser session is opened, protection is indicated by the additional toolbar (Figure 2).

ForceField accurately prevented silent infections, although it did not prevent the Adobe Flash clipboard hijack. During the first round of testing a few weeks ago I was able to bypass ForceField by using a completely different malicious Flash buffer overflow file. During the later, and longer, second round for this review, ForceField held up without allowing a single silent infection. ForceField's user interface, although not the best in the competition, certainly held its own. Warning messages were easy to understand and presented at appropriate times.

For these reasons, and the fact that I have liked both Check Point and Zone Alarm software for a long time, I wanted to award a glowing review to this product. However, it's hard to give a strong recommendation to a product that only works to prevent "silent" drive-by downloads. While this is good, a fully patched system will do the same, albeit without the same level of warnings. These days, a large portion of malware is intentionally downloaded and installed by the end-user because of incredibly realistic social engineering. This is a hard deficiency to overlook.

Second, ForceField is prone to false negatives, detecting many of my very malicious test Web sites as safe or merely suspicious. In my testing of hundreds of malicious links, it became almost surprising to see ForceField call a Web site definitely malicious. These two complaints alone make it hard to bestow a strong recommendation, but ForceField also caused an unintentional DoS problem, which I think reveals a serious design flaw.

Frequent exploit attempts from a single Web site (which is pretty common) caused ForceField to create and re-create numerous processes (Figure 4), leading to 100 percent CPU utilization (Figure 5). Even killing the malicious browser session would not stop the DoS, as ForceField was now out of control.

Lastly, some integrated applications, such as instant messaging, can open additional browser sessions that escape ForceField's protection. And clearing ForceField's virtualized session data often removed browser settings I had hoped to keep.

ForceField does provide additional security value, but is not nearly as strong as some of the competitors. For most users, Prevx is the best choice for Web browser protection. Technical users will find a lot to like in Sandboxie.