ZoneAlarm AV question

Discussion in 'other anti-virus software' started by Firecat, Apr 25, 2007.

Thread Status:
Not open for further replies.
  1. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Does ZoneAlarm Antivirus scan all files irrespective of file extension on-access? Because I remember that its on-access scanner did not pick up certain infected files that the on-demand scanner did, stored on my HD. These files were of nonstandard extension (*.VIR, *.PL, etc.). Does anyone know for sure whether ZA scans all file extensions in its real-time scanner, or did I have a botched installation?

    Personally, I think ZoneAlarm/Check Point made the wrong decision in opting for the KAV engine, but who am I to argue? :p :ninja:
     
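    The question above (does the on-access scanner react to files with "nonstandard" extensions) can be answered on a test machine without real malware. Added example, not part of the original post: a small Python probe that drops the public EICAR test file under several extensions, gives the real-time scanner a few seconds, and reports which copies were removed, quarantined or altered. The extension list and the settle delay are assumptions; run it only on a machine where the scanner under test is active.

```python
"""Probe whether a real-time (on-access) scanner reacts to the EICAR test file
regardless of file extension.

Constructed example: the EICAR string is the public AV test signature; the
extension list mirrors the ones mentioned in the thread plus a few controls.
"""
import os
import tempfile
import time

# The EICAR test string is assembled from two halves so that this script
# itself is less likely to be flagged by the scanner while it is being saved.
EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
               "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Assumed extensions under test: two that every scanner should cover (.com, .exe),
# the "nonstandard" ones from the question (.vir, .pl), and a plain .txt control.
DEFAULT_EXTENSIONS = (".com", ".exe", ".vir", ".pl", ".txt")


def eicar_bytes() -> bytes:
    """Return the 68-byte EICAR test file content."""
    return "".join(EICAR_PARTS).encode("ascii")


def drop_samples(directory: str, extensions=DEFAULT_EXTENSIONS) -> dict:
    """Write one EICAR file per extension; return {ext: path}."""
    paths = {}
    for ext in extensions:
        path = os.path.join(directory, "eicar_probe" + ext)
        with open(path, "wb") as fh:
            fh.write(eicar_bytes())
        paths[ext] = path
    return paths


def probe_on_access(directory: str, extensions=DEFAULT_EXTENSIONS,
                    settle_seconds: float = 5.0) -> dict:
    """Drop the samples, give the on-access scanner time to react, then report.

    Returns {ext: True} where the scanner reacted (file deleted, locked or
    altered) and {ext: False} where the file is still present and intact.
    Re-reading the file also triggers scanners that hook reads rather than writes.
    """
    paths = drop_samples(directory, extensions)
    time.sleep(settle_seconds)
    result = {}
    for ext, path in paths.items():
        try:
            with open(path, "rb") as fh:
                data = fh.read()
            result[ext] = data != eicar_bytes()   # emptied/altered counts as caught
        except OSError:
            result[ext] = True                    # deleted or access denied: caught
    return result


def uncovered_extensions(report: dict) -> list:
    """Extensions the scanner ignored, sorted, for the summary line."""
    return sorted(ext for ext, caught in report.items() if not caught)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = probe_on_access(tmp)
        for ext, caught in report.items():
            print(f"{ext:6} {'caught' if caught else 'NOT scanned'}")
        missed = uncovered_extensions(report)
        print("on-access coverage gaps:", missed or "none")
```

If every extension survives, either the scanner does not hook file creation/reads at all or the probe ran in an excluded folder; if only .vir/.pl/.txt survive, the scanner is extension-filtered and the on-demand scan will find what on-access missed, which is the behaviour the question describes.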
  2. Sjoeii

    Sjoeii Registered Member

    Joined:
    Aug 26, 2006
    Posts:
    1,240
    Location:
    52°18'51.59"N + 4°56'32.13"O
    In my experience the on access scanner scans all files irrespective of file extension.
    To me it worked pretty well. The on-demand scanner didn't find more than the on-access scanner.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    If I remember correctly (and I do) people generally thought it was a great choice. So I have to ask you whose engine should they have chosen and why?
     
  4. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Don't get me wrong, Kaspersky is a great engine with excellent detection rates and nice updates, all of which ZA has inherited. But the way it has been implemented, and going forward into the future, this will show itself as being the wrong choice.

    1) Slow scanning of large files (ZA support even admitted this to me) due to not using iChecker/iSwift/iStreams.

    2) Some engine peculiarities as well as the fact that Kaspersky is now hiding engine features from its partners.

    3) Not so good removal of adware/spyware (This I only observed in ZAAV, not sure if it's true for KAV too)

    4) ZAAV also has quite a few bugs especially relating to the license period (I've personally experienced this and even the latest version didn't fully solve it)

    For example, ZA won't get the new heuristic engine that KAV has planned for version 7.0 (and neither will any KAV clone), which will mean that every user who bought this AV, thinking it to be the "same great protection" as Kaspersky and indirectly paying Kaspersky by buying ZoneAlarm AV will get a raw deal, because it will *not* be the "same great protection" anymore. I can't understand why Kaspersky is so afraid of its partners. If their partners frankly have better products, they should compete in some other way instead of withholding features.

    When the heuristic engine releases, over time this problem will manifest itself and everyone's going to feel pretty bad. There are quite a few other engine vendors who do NOT do this, such as BitDefender, Norman, Dr.Web, AVG or even AVIRA (You buy a license to use the engine - You get to use it, no withholding whatsoever). For example, when BitDefender released HIVE and B-HAVE, GDATA AVK got it, BullGuard got it, every AV using its engine got it. They didn't withhold this feature like Kaspersky is doing. Nobody has done this except Kaspersky. Virus Chaser deliberately chose to disable the heuristics engine of Dr.Web, as did Ashampoo with the AVIRA engine with the real-time scanner. This feature is always available to them, and they can enable it anytime they wish. They just choose not to.

    So yeah, damn right I think using the KAV engine is a bad choice for any vendor who wishes to use a longstanding AV engine, because I have little patience for such underhanded practices.
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Excellent explanation. Thank you Firecat as it wasn't enough to say it was a wrong choice and leave it at that. I was seeking more and got it.
     
  6. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Hi!
    and can I ask you where you got this information from, or is it like the one on non-cleaning capability that was a rumour before and has now become a fact, or is it a secret source you cannot mention (as I see in other posts)?

    Unless you know the ZA contract with Kaspersky, you do not actually know whether the SDK may be updated to have the same detection as version 7. The contrary is also true. You simply don't know.

    It is normal that Kaspersky will deny this, as it did with version 6, since if they did otherwise no one would move from existing clones to KAV/KIS 7. And for sure, if the SDK package is updated, it will be only after the KAV/KIS 7 release, so as not to give any advantage to competitors.

    Sorry if this message sounds a bit harsh, but please back up your statements with facts and I will shut up forever :)

    Fax
     
  7. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    What you say is also true, so I will give ZA the benefit of the doubt for now. But considering that this time the heuristic analyzer is integrated in KAV as a separate module and not as part of the database updates, the likelihood of clones getting it is very very little.

    Also, I remember Don Pelotas telling me that I shouldn't be so sure about this new heuristic analysis engine being included in KAV clones, but he refused to elaborate as well. He just said that it could be very well different from the standard routine this time.

    Anyway, back to the question: I wonder why ZA was not scanning all file extensions on-access on my PC. I'll need to reinstall it and see if that changes anything...
     
  8. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost

    Yep, for sure, it will need an SDK package update since the new heuristics are not just signature based but implemented via an emulator... but this does not mean that a new SDK package cannot be released.

    What I am trying to say is: even if an SDK for OEM is planned, it will never be disclosed by KL, for sure not before releasing KIS/KAV 7.
    It goes against any business common sense...

    And on the question... never got leftovers from on access scanning...
    Are you sure that those were real malware and not "not a virus" type riskware (I think that with version 302 there were some problems with "not a virus" on access/on demand)?
    Or it could be a revised virus signature that updated the cleaning bits of the detection... so you got it after 'on demand'.

    Anyway, thanks FireCat for clarifying it... now looks much better and sorry again for my 'rude' message.

    Fax
     
  9. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Hello,

    No problems, sometimes even I act unfairly and behave rudely :)
    Anyway, on topic, I believe yes they were Adware samples, but I tried it with the 337 version also and saw the same thing. Pretty strange. I'll install it again in a few days and see what's up. :)
     
  10. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    All I have on issues ZA AV listed is "If you set an item to be ignored by a security scan, it is not displayed in the log viewer of the Alerts and Logs panel. CR00207421" this is dated January 15, 2007. Was that before or after the KAV merge?

    ZA Anti-virus / Anti-spyware Issues, January 15, 2007

    When trying to restore spyware that has been quarantined, you may receive an error if you attempt to restore spyware that was previously restored.
    Before attempting to restore a file from the quarantine, make sure your computer has enough free disk space to accommodate the file. [40435]
    If you close the scan window while a scan is running, then reopen the window to the same scan, the duration of the scan may display incorrectly. CR00207934
    Sometimes ZoneAlarm starts an update during an antivirus or anti-spyware scan. This can lead to erroneous scan results. You should re-run the scan following the update. CR00207772
    The list view is set to a specific size which may not show all data. You can select the right edge of the list view and expand the column to see all of the data. CR00207535
    If a scan has detected many objects, and you decide to quarantine all objects, the ZoneAlarm user interface will update frequently when each item is quarantined. CR00207531
    If you set an item to be ignored by a security scan, it is not displayed in the log viewer of the Alerts and Logs panel. CR00207421
    If you minimize the update progress window to the task bar, clicking the view update button will not bring the window back up. To show the window again, select the update dialog from the task bar. CR00207344
    The count of scanned files can be off by one or more. CR00207122
    Occasionally the AV scanner cannot access a file due to the target file permissions. CR00206763
    In rare cases, the Scan panel may not load at start up. Try restarting the client or rebooting the machine. CR00206728
    ZA (IClient) doesn't check for absence of damaged spyware.dat CR00206627
    Sometimes the last scan time can be displayed in error. CR00206605
    New spyware scan starts with spyware count derived from previous scan CR00206562
    ZoneAlarm Antivirus will automatically quarantine archives that contain "not-a-virus" files. [CR00207999]
    ZoneAlarm may not display alerts when blocking programs.
     
  11. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    This release note refers to 7.0.302.000, so it was the first ZA release with the KAV engine.

    Fax
     
  12. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Fax, can you do me a favour? Currently I do not have ZAAV installed so I need you to check this. See if you find a file named prloader.dll in the directory where the KAV update components of ZA are stored (I forgot the directory now). This file is not there in *all* products that use the KAV engine, but if it is there, and it's version 6.0, it will confirm that ZA is indeed using the latest version. ;)

    You see, the current databases for Kaspersky have always been the same (i.e. since KAV 4.5). So, KAV with the new database format and extended databases/x-bases was called the Prague project. This has been optimized again and again for 5.0 and 6.0, but the core remained mostly the same. prloader.dll is the "Prague Loader", and it probably has something to do with loading the engine into memory for scanning. :)
     
  13. brave71_heart

    brave71_heart Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    6
    Hello Firecat,
    I'm using ZoneAlarm Security Suite version 7.0.337.000, and I have prloader.dll.
     
  14. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    What's the version number of this DLL file? And the file size? There are two versions of prloader.dll it seems, one for 5.0 and one for 6.0 :)
     
    Last edited: Apr 29, 2007
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Hi!
    prloader is in the 'avsys' folder and its version is 6.0.1.311.

    As originally reported to you in another post, most dll and system files are marked 6 (6.0, 6.12, 6.2). Of course, you have also few version 5 files.
    So, I assume that KAV SDK 5 as any other decent security tool is a living product, evolving naturally and silently to latest versions....

    By the way, I would be interested to know where you found this information, maybe 'prloader' is yet again another legend (there are many legends around)

    Cheers,
    Fax
     
    Last edited: Apr 29, 2007
  16. rookieman

    rookieman Registered Member

    Joined:
    Mar 26, 2006
    Posts:
    409
    My opinion would be that ever since Check Point has run ZoneAlarm it has gone downhill. I talked my friends into buying it and when they found out that the antivirus wasn't working I got a few calls. I got rid of it altogether because it should have its own uninstaller (it was hell to get rid of). They have hidden Kaspersky files in the free version. It just seemed that the new version that was released was really a BETA and the customer had to iron out the probs. I used the product and you had to mess around with it too much to get it to work. So I did the right thing: I got KIS6 and I don't have all those probs anymore. This company just seems to lag behind and release versions that are not complete :thumbd:
     
  17. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I saw this DLL file in Kaspersky 6.0 first, and then again it was mentioned in several eScan free logs. I remember that in the past eScan used the KAV 4.5 engine and they didn't update to the 5.0 engine because they felt the changes were not substantial enough and also there was some problem with language support apparently (The exact details were never revealed, and I don't think I'll ever get that info). Then, a few months ago I asked their support which version of the KAV engine they are using now, and got the reply "The latest". I doubted them at first, but apparently the free version has the prloader.dll at version 6, as seen in the logs.

    But even without the eScan reference, this file was present also in KAV 5 (and rebrands). I had no idea what this meant, and then I later found a Kaspersky analyst's webpage and in there I read that KAV 4 in its early stages was codenamed "Prague". So, putting two and two together, I came to this conclusion about prague loader, because there were again two versions of prloader.dll. KAV 4.x never had this file though, so I suppose they were introduced as some form of optimization to the KAV 4 databases/engines. :)

    One speciality about ZoneAlarm is that its update logs show reference to KAV Workstation 5.0. PC Tools AV 2.0 would only show reference to KAV Personal 5.0. :doubt:
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Uuuhm, interesting!
    Nice investigation...

    Just opened up the DLL and inspected and indeed there is reference to ...\prague\Loader, prague load/unload plug-in, kernel hook, etc...

    Oh! Didn't know that PC tools AV is KAV!!!
    Huge inflation of KAV engines around... KL is becoming a sort of monopolist :eek:

    Thanks,
    Fax
     
    Last edited: Apr 29, 2007
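    The two checks the posts above rely on, reading a DLL's FileVersion and looking inside it for strings such as "prague\Loader", can be done without loading the DLL. Added example, not code from the thread, ZoneAlarm or Kaspersky: a Python script that extracts printable ASCII and UTF-16 strings the way the `strings` tool does and pulls the FileVersion value out of the version resource. The version lookup is a heuristic (it searches for the UTF-16 "FileVersion" key instead of walking the PE resource tree), and the sample blob it runs on is constructed here; on a real machine pass the bytes of the file under the product's avsys folder instead.

```python
"""Static triage of a DLL: embedded strings and the FileVersion resource value.

Constructed example. `build_sample_dll_blob` is a stand-in for a real DLL so the
script runs offline; replace it with open(path, "rb").read() in practice.
"""
import re
import struct

# UTF-16LE "FileVersion" key as it appears in a VS_VERSIONINFO String entry,
# including its two-byte NUL terminator.
FILEVERSION_KEY = "FileVersion".encode("utf-16-le") + b"\x00\x00"


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append(m.group().decode("ascii"))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append(m.group().decode("utf-16-le"))
    return found


def find_references(blob: bytes, needle: str) -> list:
    """Case-insensitive search for `needle` among the extracted strings."""
    return [s for s in extract_strings(blob) if needle.lower() in s.lower()]


def file_version(blob: bytes):
    """Return the FileVersion value from a VS_VERSIONINFO String entry, or None.

    Entry layout: wLength, wValueLength, wType, szKey (UTF-16, NUL-terminated),
    padding to a DWORD boundary, then the UTF-16 value. Padding is skipped by
    consuming NUL words after the key, so the blob's base alignment does not matter.
    """
    idx = blob.find(FILEVERSION_KEY)
    if idx < 0:
        return None
    pos = idx + len(FILEVERSION_KEY)
    while blob[pos:pos + 2] == b"\x00\x00":          # padding words
        pos += 2
    end = pos
    while blob[end:end + 2] not in (b"\x00\x00", b""):
        end += 2
    return blob[pos:end].decode("utf-16-le") or None


def build_sample_dll_blob() -> bytes:
    """Constructed stand-in for a DLL: MZ stub, filler, an ASCII path and one
    FileVersion String entry carrying the value seen in the thread."""
    ascii_part = b"MZ" + b"\x90" * 30 + b"...\\prague\\Loader\x00" + b"\xcc" * 13
    value = "6.0.1.311".encode("utf-16-le") + b"\x00\x00"
    pad = (-(6 + len(FILEVERSION_KEY))) % 4           # DWORD-align the value
    body = FILEVERSION_KEY + b"\x00" * pad + value
    # wLength (bytes), wValueLength (WCHARs), wType = 1 (text data)
    entry = struct.pack("<HHH", 6 + len(body), len(value) // 2, 1) + body
    return ascii_part + entry + b"\x00" * 8


if __name__ == "__main__":
    blob = build_sample_dll_blob()
    print("FileVersion:", file_version(blob))
    print("references to 'prague':", find_references(blob, "prague"))
```

A FileVersion of 6.x together with "prague" strings is what the posters took as evidence of the engine generation shipped; the same two functions applied to the other files in the folder show how mixed (5.x and 6.x) a rebranded SDK build actually is.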
  19. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    It *was* based on KAV (without extended database), but with the 3.0 version they switched to VirusBuster. The reason they described was that they didn't like the fact that the KAV engine was non-modifiable (i.e. object code, I'm not exactly sure what it means), and that using the KAV engine, PC Tools would never be able to modify the AV as it wished and get the features they wanted. I'm not sure how valid that claim is though.

    They refuse to tell which AV engine they use now, but there is enough reason to believe it is VirusBuster, judging by the detection names and the exact names of the same packer detections that VirusBuster does. :)
     
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Probably they wanted the source code to be able to modify it... It is normal that KL would never open up the source to a potential competitor.

    Fax
     
    Last edited: Apr 29, 2007
  21. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    I think that the Prague project is significant because before version 4 AVP did not support the extended databases, and there was a new heuristic analyzer with 4.x (AFAIK).

    Isn't that to be expected when you have world leading technology? ;)
     
  22. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    So why does VirusBuster allow this? I think KL was right in not allowing modification, but how VirusBuster allows this is strange to me. o_O

    Anyway, if they did modify the VirusBuster engine, it is still very clear that they have not done a good job at it because PC Tools is still practically the same engine as VirusBuster. The only difference I could see was in the numbering format of the database updates. Detection rates are about the same as VirusBuster.
     
  23. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Maybe everything boils down to cost... probably KAV was too expensive for them to keep.

    Fax
     
  24. brave71_heart

    brave71_heart Registered Member

    Joined:
    Apr 29, 2007
    Posts:
    6
    Version # 6.0.1.311
    File size 180 KB (184,445 bytes)
     
  25. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,723
    Location:
    localhost
    Just for your information... SDK KAV in ZA is getting updated again...
    So, now the KAV main kernel driver, Klif, is version 7 (ZA 7.1 beta for VISTA)

    I guess, the SDK KAV engine is not a dead product but getting constantly updated to most recent versions.

    It remains to be seen if, how and when the new features in 7 will be moving to the SDK.

    Cheers,
    Fax
     