Managing Basic Application Control Settings

Updated May 02, 2021 20:18

You can change general Application Control settings as necessary - for example, if you want to reduce the number of alerts, or to have better control of the application network access and server access rules.

To modify General Application Control Settings:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Application Control section.
3. In Current Settings, move the Network firewall slider to one of these settings:
   - Max. The most secure setting, but creates the most alerts. Every program must ask for, and receive, permission for network access, Internet access, and for server privileges.
   - Auto. The default setting. Not as secure as the Max setting, but minimizes alerts by working in auto-learn mode. In this mode, ZoneAlarm software auto-learns the programs that you use the most, and later grants permissions to them without alert interruptions.
   - Min. The least secure setting, but produces the fewest alerts. It can make your computer susceptible to attacks by the latest malware, also known as zero-day threats.
   - Off. Turns the Application Control security module completely off - the Network firewall and the DefenseNet.
     Note: The main status bar shows the warning YOUR COMPUTER IS AT RISK. Change the Network firewall setting back to Min, Auto, or High, or click Fix Now! in the main status bar, to turn Application Control back on.
4. In Current Settings, move the Your DefenseNet slider to one of these settings:
   - Auto. The default setting. The Application Control module queries the ZoneAlarm server for an access policy for each program that asks for network or server permissions. Then, it decides to allow or to deny access, silently, without alerts. If a program is not in the server database, an alert shows and you must decide whether to allow or to deny access to that program.
     Note: Network firewall must be on - in Max, Auto, or Min mode.
   - Manual. For each program that asks for access permissions, you must decide to allow or to deny access, based on your knowledge or on the advice from the SmartDefense Advisor. The Application Control module does not make automatic decisions.
     Note: Network firewall must be on - in Max, Auto, or Min mode.
   - Off. DefenseNet is completely off, and the Application Control module does not contact the ZoneAlarm server for access policy information.

Configuring Advanced Application Control Settings

You can further customize Application Control settings, based on application behavior, application component behavior, and other specific factors.

To get to Advanced Application Control settings:

1. Click in the ANTIVIRUS & FIREWALL panel of the ZoneAlarm software client.
2. Click Settings in the Application Control section.
3. Click Advanced Settings. The Application Control Settings window opens.
4. Make necessary configuration changes:
   - Enable advanced controls - application, service, and component controls
   - Change OSFirewall settings
   - Configure settings for suspicious program behaviors - connection attempts and attempts to act as a server
   - Configure permissions for individual programs
   - Configure permissions for program components
5. Click OK.

Enabling Advanced Controls

To turn on advanced application controls:

1. In the Application Control Settings window, select the Application Control tab.
2. From the navigation tree in the Application Control Settings window, select Advanced Control options as necessary:
   - Enable Advanced Application Control - prevents malicious applications that try to abuse standard Windows service calls
   - Enable Application Interaction Control - blocks untrusted programs from launching trusted programs for Internet access
   - Enable Timing Attack Prevention - prevents malicious programs from exploiting kernel timing vulnerabilities for execution of untrusted code
   - Enable Microsoft Catalog Utilization (selected by default) - prevents alerts for programs that are in the MS Windows database of known and trustworthy applications.
     Note - ZoneAlarm software can still show alerts about programs that are cataloged in the MS Windows database, if they try to act as a server outside of the Trusted Zone.

To enable services control:

1. In the Application Control tab, select Enable Services Control.

To configure component control:

1. Enable component control - in the Application Control tab, select Enable Component Control.
2. Configure components:
   - From the navigation tree, select View Components, then select a program component from the list that shows.
   - Right-click on the Permission field.
   - Select new permission - Allow (to automatically grant permissions), Deny (to automatically deny permissions), or Ask (to ask for permissions when component runs).
   Note - to change MS Windows Access Control properties, while a component is selected, click View Properties. Change properties in the window that opens. Refer to MS Windows Help for instructions.

Changing OSFirewall Settings

OSFirewall is enabled by default and detects when programs try to do one of these types of suspicious actions:

- Install ActiveX
- Change the hosts file
- Change IE search page
- Change which programs load at startup

By default, OSFirewall reacts to those actions according to the program permissions.
To change permissions for a specific program, refer to Customizing Program Access Permissions (see "Configuring Permissions for Individual Programs" below). You can also change OSFirewall settings to react identically to all actions of the same suspicious activity type.

To change OSFirewall settings:

1. From the navigation tree in the Application Control Settings window, select OSFirewall.
2. Make sure Enable OSFirewall is selected.
3. Right-click on the OSFirewall rule you want to change, and select an action:
   - Allow
   - Deny
   - Ask
   - Use Program Settings (default)
4. Click OK.

Configuring Settings for Suspicious Program Behaviors

Some programs can try to gain access to or to act as a server for the computers in your Trusted Zone or your Public Zone. By default, Application Control asks for permission for a program to connect or to act as a server on every such attempt. You can configure Application Control to always allow or always deny each type of connection.

To configure settings for suspicious program behavior:

1. From the navigation tree in the Application Control Settings window, select Advanced.
2. In the Connection Attempts section, select one of the permissions for attempts to connect to the Trusted Zone and to the Public Zone - Always allow access, Always deny access, or Always ask for permission (default).
3. In the Server Attempts section, select one of the permissions for attempts to act as a server to the Trusted Zone and to the Public Zone - Always accept the connection, Always deny the connection, or Always ask before connecting (default).
4. In the Alerts & Functionality section, select relevant alerts and rules:
   - Show alert when Internet access is denied
   - Deny access if permission is set to ask and the TrueVector service is running but ZoneAlarm is not (selected by default)
     TrueVector is a ZoneAlarm security service that monitors Internet traffic and generates alerts for suspicious access attempts. It shows as the vsmon.exe service in the MS Windows list of processes and continues to run, even if ZoneAlarm is not running.
   - Require password to allow a program temporary Internet access (selected by default)
5. If you want to return to the original settings, click Reset to default.
6. Click OK.

Configuring Permissions for Individual Programs

ZoneAlarm software tracks programs that try to access the Internet or a local network, or to gain server privileges, and assigns access permissions to them. You can change permissions for individual programs on the list, add a program to the list, or remove a program from the list.

To change permissions for a program on the list:

1. In the ANTIVIRUS & FIREWALL panel, go to Settings at Application Control, and select View Programs. You can also select View Programs from the navigation tree in the Application Control Settings window.
2. In the View Programs window that opens, select a program. The information about the highlighted program shows in the Detail area below the list of programs.
3. Click in the fields and select parameter values:
   - Programs. The name of a program.
     Note: You cannot change this field.
   - SmartDefense. Defines the level of SmartDefense Advisor control:
     - Auto - SmartDefense Advisor defines the access policy
     - Custom - manually define the access policy and the trust level by changing the values of Outbound Trusted, Outbound Internet, Inbound Trusted, and Inbound Internet fields.
       Note - if you change one or more of these fields, the value in the SmartDefense field will automatically change to Custom
     - System - the program is used by the operating system, and SmartDefense Advisor does not define the access policy for it
       Note - If you try to change the value in the SmartDefense field or one of the other fields for a system program, a warning will show - This is the system program, are you sure you want to change it? Be careful: changing system program policies can interfere with normal operation of your computer.
   - Trust Level. Define the actions that a program is permitted to do:
     - Super - the program can perform suspicious actions without seeking permission, and no alerts are displayed
     - Trusted - the program can perform suspicious actions without seeking permission, but unknown programs must ask for permission
     - Restricted - the program can perform trusted-level actions but cannot perform suspicious actions
     - Ask - a Suspicious Behavior alert shows during run time, and lets you decide whether to allow or to deny access
     - Kill - the program does not get any access and cannot run
     - No Enforcement - the program can run without any restrictions and is not monitored by ZoneAlarm
     NOTE: We do not recommend overwriting the default value of the Trust Level parameter, because the ZoneAlarm software assigns policies to known programs automatically, and the SmartDefense Advisor security team constantly monitors and updates the database of these programs.
   - Outbound Trusted. Defines permissions for sending data to the Trusted Zone:
     - Allow - lets all outbound traffic go out to the Trusted Zone
     - Deny - does not let any outbound traffic go out to the Trusted Zone
     - Ask - at run time, asks for permission for the program to send traffic to the Trusted Zone
   - Outbound Internet. Defines permissions for sending data to the Internet:
     - Allow - lets all outbound traffic go out to the Internet
     - Deny - does not let any outbound traffic go out to the Internet
     - Ask - at run time, asks for permission for the program to send traffic to the Internet
   - Inbound Trusted. Defines permissions for data sent from the Trusted Zone:
     - Allow - lets in all inbound traffic from the Trusted Zone
     - Deny - does not let in any inbound traffic from the Trusted Zone
     - Ask - at run time, asks for permission for the program to receive inbound traffic from the Trusted Zone
   - Inbound Internet. Defines permissions for data sent from the Internet:
     - Allow - lets in all inbound traffic from the Internet
     - Deny - does not let in any inbound traffic from the Internet
     - Ask - at run time, asks for permission for the program to receive inbound traffic from the Internet

To add a program to the list:

1. Click Add. The Add Program window opens.
2. Select the executable file of the program you want to add (with .exe file extension).
3. Click Open. The Add Program window closes, and the program shows on the list.

By default, after you add a program to the list, its SmartDefense setting is Auto, and all the other settings are Ask.

To remove a program from the list:

1. Select a program from the list.
2. Click Remove. The Delete Confirmation window opens.
3. Click Yes to confirm the deletion. The program disappears from the list.

Customizing Program Options

For each program, you can further customize Security options, define Send Mail privileges, and configure Expert Rules.

To get to the customization options:

1. In the View Programs tab of the Application Control Settings window, select a program and click Options. The Program Options window opens.

To customize Security program options:

1. In the Program Options window, select the Security tab.
2. Select security options, as necessary:
   - Advanced Application Control > This program may use other programs to access the Internet
   - Advanced Application Control > Allow Application Interaction
   - Outbound Email Protection > Enable Outbound Email Protection for this program (selected by default)
   - Authentication > Authenticate Components (selected by default)
   - Authentication > Authenticate program by full path name only
   - Authentication > Program changes frequently

To define Send Mail privileges:

1. In the Program Options window, select the Send Mail tab.
2. Select a Change the setting to allow the program to send/receive email option:
   - Allow (default)
   - Block
   - Ask

To configure Expert Rules:

1. In the Program Options window, select the Expert Rules tab.
2. Click Add.
3. Continue as the Adding Expert Rules support article describes.

To change MS Windows Access Control properties for a program:

1. In the Program Options window, select a program and click View Properties.
2. In the window that opens, change properties as necessary. For instructions, see MS Windows Help.

Configuring Permissions for Program Components

You can change permissions for individual program components or remove a component from the list. Program components are DLLs that trusted processes are allowed to load.

To change permissions for a program component:

1. From the navigation tree in the Application Control Settings window, select the View Components tab. The Components table shows the name, the description and the default Access permission for each of the detected components.
2. Select a component.
3. Click in the Access field and select one of these:
   - Allow
   - Deny
   - Ask

To remove a component from the list:

1. Select a component.
2. Click Remove.

To learn more about a component:

1. Click View Properties. The Windows program properties window opens. See MS Windows Help for more information on program properties.
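
The following Python script is an added example, not part of ZoneAlarm or its documentation: it audits the per-program fields described under Configuring Permissions for Individual Programs and flags rows that weaken Application Control. The CSV layout, the audit function and the sample rows are assumptions constructed for this example (a hand transcription of the View Programs table); the field names and values are the ones listed on this page.

```python
import csv
import io

# Values as defined on this page; the CSV layout is an assumption of this example.
PERMISSIONS = {"Allow", "Deny", "Ask"}
UNMONITORED_TRUST = {"Super", "No Enforcement"}
ZONE_FIELDS = ("Outbound Trusted", "Outbound Internet",
               "Inbound Trusted", "Inbound Internet")

# Constructed sample: a hand-made transcription of a View Programs table.
SAMPLE = """\
Program,SmartDefense,Trust Level,Outbound Trusted,Outbound Internet,Inbound Trusted,Inbound Internet
browser.exe,Auto,Trusted,Allow,Allow,Ask,Ask
newtool.exe,Auto,Ask,Ask,Ask,Ask,Ask
sync.exe,Custom,Super,Allow,Allow,Allow,Allow
legacy.exe,Custom,No Enforcement,Allow,Ask,Deny,Deny
svc.exe,System,Trusted,Allow,Allow,Allow,Deny
typo.exe,Custom,Restricted,Allow,Alow,Deny,Deny
"""


def audit(csv_text):
    """Return {program: [findings]} for rows that weaken Application Control."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Normalise whitespace; short rows yield None values, extra cells a None key.
        row = {k: (v or "").strip() for k, v in row.items() if k}
        notes = []
        for field in ZONE_FIELDS:
            if row[field] not in PERMISSIONS:
                notes.append(f"{field}: unrecognized value {row[field]!r}")
        if row["Trust Level"] in UNMONITORED_TRUST:
            notes.append(f"Trust Level {row['Trust Level']}: "
                         "suspicious actions are not alerted on")
        if row["Inbound Internet"] == "Allow":
            notes.append("Inbound Internet is Allow: "
                         "traffic from the Internet is let in without asking")
        if row["SmartDefense"] == "Custom" and all(
                row[field] == "Allow" for field in ZONE_FIELDS):
            notes.append("Custom policy allows every direction and zone")
        if notes:
            report[row["Program"]] = notes
    return report


if __name__ == "__main__":
    for program, notes in audit(SAMPLE).items():
        for note in notes:
            print(f"{program}: {note}")
```

Rows left at the add-time defaults (SmartDefense Auto, everything else Ask) produce no findings, so the report lists only manual overrides worth a second look.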