The other day, when my friend’s laptop spit-up a warning from ZoneAlarm that she was no longer protected, I stood over her shoulder and instructed her to update the firewall. The warning was basically a scare tactic, of course. Without the update she would still be protected, just as protected as she had been the day before. She just wouldn’t have any new whiz-bang features included in the update, nor would she be able to take advantage of any new security enhancements.
We ran the default install. This was Windows, so there had to be a reboot. After that, we opened the browser to find that the homepage had been reset to a ZoneAlarm themed Google search page. We had not opted-in to any such change; the ZoneAlarm folks had just taken it on themselves to hijack Firefox’s revenue, which I didn’t think cricket.
A ZoneAlarm toolbar was also installed, taking up screen space and not seeming to offer any useful puprose. It was eliminated and the home page was reset back to Google. I should’ve seen this coming. Since ZoneAlarm was purchased by Check Point a few years back, their marketing has gotten increasingly pushy.
I decided then and there that it’s time to find another software firewall solution for the Windows machines I maintain. Making changes without asking first is completely unacceptable behavior.
The next day I was at another Windows machine, this time a desktop, when the same warning box I’d seen the day before popped-up, repeating the same lie. I was not protected. I needed to upgrade.
Wishing to avoid the previous problems with unasked for settings changes, this time I chose the custom install. Unfortunately, that didn’t seem to matter. ZoneAlarm downloaded and installed without any input from me, other than to make sure I ticked-off the EULA. When it finished, it asked me if I wanted to reboot and I said yes. Nowhere along the way did it give me the opportunity to opt out of anything.
After reboot, I found that the ZoneAlarm toolbar was installed and that the homepage was changed. I manually rolled all the changes back, one by one, becoming firmer in my resolve to find an alternative firewall to use with Windows. Later I would discover another change, my search box now pointed to ZoneAlarm’s Google account.
These guys were being too damned pushy. I’m sure they think they’re entitled because they’re letting me use their software free, but that doesn’t sit too well with this Linux user.
I’ve been using ZoneAlarm since it was in beta, after seeing a recommendation from Windows security guru Steve Gibson. After using the free version for several years, I eventually purchased the more configurable paid version when I needed to set up a Windows network in my home. Since then, I’ve used the free version on any Windows box I maintain, as I don’t trust the firewall built-in to Windows.
Almost immediately after ZoneAlarm was sold to Check Point several years back, the product started to become dumbed down with less control given to the user. However it remained a solid firewall which always passes Gibson’s Shields Up tests. Unfortunately, as the firewall became more idiot proof, their marketing techniques became more aggressive. A few years back, after I’d successfully opted-out of the toolbar on a default install, I discovered traces left behind, as a deactivated toolbar in my Firefox settings.
Programs that change default settings upon installation are all too common an occurrence on Windows machines, especially in the freeware realm. Indeed, it’s true that a program like ZoneAlarm offers a valuable service at no cost. However, to my way of thinking, changing settings on a users computer is something akin to a cyber version of “breaking and entering” and should be a crime.
With Linux, of course, there’s no need for a third party firewall, as a firewall is built into the kernel. Even if a separate firewall was necessary, most likely it would come in the form of a completely free and open source program that would never think of violating the users settings for commercial gain.
ZoneAlarm, it’s been a nice ten years and I wish you well, but you have to go now. We can’t be friends any longer. Taking over users computers without asking first is completely unacceptable behavior.
Christine Hall has been a journalist since 1971. In 2001, she began writing a weekly consumer computer column and started covering Linux and FOSS in 2002 after making the switch to GNU/Linux. Follow her on Twitter: @BrideOfLinux
CheckpoinT? That explains a few things. When I recommended ZoneAlarm, people used to tell me jow happy they were with it — not so much, anymore.
And that was an excellent example of the kind of thing that makes Free software a whole different paradigm from freeware.
I used ZoneAlarm for years, it was such a joy to use. Then this software became bloody and GUI too complicated and annoying. On the top of this I have had many problems in Windows – like blocking some software to run properly – which was mix of firewall, antivirus and other anti- software. The problem I also had is: ZoneAlarm is only permitted to use for personal use, but I also needed it for my work.
I have search the web in deep and found out an EXCELLENT alternative: Comodo Internet Security, you can download if from e.g. http://www.filehippo.com/download_comodo/
Comodo is not just a firewall, it is also a anti-virus and sand-box tool (any untrusted program is run in sandbox, so runs without a problem, but it can change any system files). So I have uninstalled ZoneAlarm firewall, uninstall anti-virus and other anti- software and since my computer is running much much better. And what is cool Comodo sets default settings very good and there is no need to change any settings if not desired, but I like to tweek and Comodo lets you tweek into deep. Excellent product, free to use also for commercial users. Sure there is also a PRO version, that I have never tried, but if free product is such an excellent software, PRO must be something very very very cool.
>Defining the Difference Between Freeware and Free Software
Sorry but you did NOT do this.
Its all about your Zonealarm experience.
I was curious to see you explaining the diference and you failed in doing that.
F
Good article. I agree completely that “freeware” making changes to user computers is unacceptable. On Windows 7 machines, I don’t see the need for any third-party firewall such as ZoneAlarm. The built-in Windows 7 firewall is very robust and highly configurable and is perhaps more transparent than the firewall built into the Linux kernel.
I just ran the excellent firewall security tools by Steve Gibson against my Windows 7 system with only the built-in firewall with the default settings and it passed all the tests. My machine is behind a wireless router and this will be the case for most users.
For those users who are directly connected to the Internet, they may have to make some further adjustments to further lock down public access to their computer ports but I think this task is probably easier on Windows 7 than on most Linux distributions.
Those using earlier versions of Windows would do well to upgrade to Windows 7.
Nice summation, and I agree that ZoneAlarm was a pretty good product years ago, not so much after Check Point took over. But I can’t help bringing up the point about not trusting Microsoft’s integral firewall. When it comes down to effectiveness, the WinXP firewall is definitely not a real contender but Win7 has a much better one. If the question is about trusting the company behind it, I’d say it’s a real toss up between the lack of business ethics with Microsoft and Check Point. In either case, I don’t think you’ll find much of a difference between a configured Win7 firewall or ZoneAlarm when you run ‘Shields Up’. If you’re on WinXP, well never mind…
@Mojeaix Actually, the iptables are set “out of the box” on most Linux distros. Every Linux box I have passes Steve Gibson’s test as completely stealth, going back to the day when Windows machines were jumping up and down and waving at any hacker that was looking for a computer to infect.
@Chris Hall, good point on the default settings on the iptables on Linux. I am a big fan of Linux, especially in the server space. On the desktop I think the various distributions can do a better job showing end-users how the Linux firewall protects their computers from intrusion and help them make better decisions when managing ports for needed access.
@Mojeaix Since you’re using the router, I wouldn’t mind betting that the router has a built in firewall, and it’s probably linux based, so your front-end line of defence will still be linux and NAT.
@Amy, your quite right. Windows machines behind NAT routers is a common configuraion which further removes the need for 3rd party solutions like ZoneAlarm. When Windows 7 is connected directly to the Internet without an intervening router some care is needed to ensure services for file and printer sharing and remote desktop access aren’t turned on, but by default it should be very secure. There might be still unkown potential security exploits to worry about, but all OSes (including those embedded in routers) are susceptible to this.
You missed another feature of Zone Alarm. It has been reporting in to the mothership for many years, looking for multiple users with single addresses. This is an attempt to find and take advantage of corporate or government users violating the terms of service (home use only). The only way to stop the behaviour was to alter the hosts file to redirect zonelabs.com to 127.0.0.1.
@Paul We’ve got to be pretty sure it’s been calling home for other reasons as well, such as collecting data on your surfing habits. Why else would they be trying so hard to push their toolbar on all their users?
I tried the Comodo firewall a while ago and it seemed like an adequate alternative to ZoneAlarm. Since most of my Windows work is inside virtual machines I don’t need a firewall anymore.
I used AVG anti-virus for years on Windows systems but it too became rather bloated with web-link screening and the like. With VMs I don’t really need it.
@Mojealx
When you are behind a NAT firewall/router, any firewall you have on the PC itself is irrelevant to incoming traffic. Unless you have specifically opened a port-forward, then nothing from outside will be able to get in unless it is replying to an outgoing package. Win95 would pass Gibson’s security tests at 100% on the same network.
A firewall on a PC does three things. It can limit traffic by program, user, or other filtering that the firewall/router box cannot see. It will block or filter traffic from other devices on the inside of the network. And it will work if you connect to an unsafe network (such as a wireless network or a mobile network).
The Windows built-in firewall is quite good at blocking incoming packets. It’s not perfect – you are /always/ better with a hardware firewall/router. Third-party firewalls like ZoneAlarm add absolutely /nothing/ to this. They may make it easier to configure, or give friendlier warnings, but they don’t make it safer in any way.
Linux iptables firewalls are exactly as solid as you configure them to be. If they are turned off, or misconfigured, there will be weaknesses. If they are properly configured, they will allow exactly the traffic you want.
Note also that on most desktop or laptop Linux systems, there are no vulnerable services listening to traffic on external ports. So you don’t need to enable any iptable firewall rules at all, and you are still safe on any network. You only need to configure a firewall if you have installed and enabled externally visible services. (Windows is different – there are lots of externally accessible services with only minimal security, if the firewall is not enabled.)