ZoneAlarm ForceField Complicates Browser Security

Check Point's ZoneAlarm ForceField uses virtualization, inline download scanning and DNS validation services to secure browsers, but the software leaves a lot to be desired.

Check Point's ZoneAlarm ForceField is designed to secure Web browsing sessions through the use of browser virtualization, inline download scanning and DNS validation services. However, I found the overall experience of using the software fraught with management and usage woes, coupled with inconsistent behavior-calling into question the efficacy of the software.

Check Point's ZoneAlarm ForceField is targeted at a consumer audience, and, as such, the product does not include a centralized management console or the like. The software is priced at $29.95 a year for one PC (discounted to $84.95 for three PCs over two years)-not expensive, but, given my test results, I'd question whether it is worth any price at this time.

In essence, browser virtualization creates a shadow file system used specifically by the browser, isolating anything downloaded or installed (either intentionally or unintentionally) via a Web browser from the operating system proper. So, while malware could technically be downloaded and installed on a PC, it would be written to a temporary area and could be deleted permanently with the click of a button from the virtual subsystem.

To the virtualized protection, ForceField adds additional services aimed at helping users make intelligent surfing and downloading decisions.

ForceField performs DNS validation services that will identify potential trouble spots, showing the user when the site was first registered, where it is hosted globally and whether the site has a reputation for foisting malware on users. This data is presented to the user on the browser toolbar, which will shine green, yellow or red depending on the level of threat assessed by the software. (ForceField works on Windows XP and Vista, on either Internet Explorer 6 and 7 or Firefox 2 and 3.)

ForceField also offers inline malware scans of data downloads, as the software replaces the browser's usual download helper tool with its own process. Check Point designed ForceField to heuristically recognize when a download was initiated by a user, capturing the data in the virtualized instance to run the malware scan before writing the data to the regular file system; driveby downloads simply are discarded.

That all sounds good, but I quickly grew suspicious of ForceField's inline scanning capabilities. ForceField failed to correctly identify several of my test downloads, including the commonly used Eicar test sample (, as malware. After scanning the files, ForceField merrily wrote the data to my regular file system without warning me of anything-leaving it up to my already installed anti-virus software to clean up the mess.

Indeed, ForceField was designed to be complementary to an anti-virus solution installed on the same workstation, as it doesn't provide many of the protections offered by most anti-malware platforms. For example, ForceField won't scan or virtualize code that comes in via e-mail, nor will it protect against malware introduced via portable storage devices. And, as my tests showed, even ForceField's raison d'??¼tre-Web browsing protection-needed an assist from other software.

More annoyingly, I found that with ForceField, it suddenly became more difficult to keep my system up-to-date-particularly the Firefox browser. For example, ForceField let me keep my Firefox extensions up-to-date, both in the virtual environment and on the regular file system, but automated updates of the browser itself were written only to the virtual environment. If I cleared the virtual file system, I lost the updates. To update the application properly, I had to open an unprotected session (an option possible from the ForceField toolbar) to complete the upgrade.

In fact, in the two months I used Forcefield on my primary desktop, I found I had to spend entirely too much time handholding the security application for my comfort.

For example, with Version 1.0 of ForceField, the virtualized browser data for Firefox would get corrupted with certain common power events, such as putting the computer into an S3 sleep state. After waking the computer, all Firefox Extensions, including ForceField itself, would be in a perpetual limbo. They were installed, but not active, pending a browser restart that ForceField would not allow to complete. This meant that although ForceField was active and operational in IE, it disabled all my third-party security for FireFox-including my ad blocker and ForceField itself.

Check Point fixed this problem with Version 1.1 of ForceField (released in early July), which also added support for Firefox 3.0. But ForceField refused to tell me that an update existed via its integrated update tools, requiring me to visit CheckPoint's ZoneAlarm Web site to download and install the updated code.

Senior Analyst Andrew Garcia can be reached at