We have a proprietary program at work using a SQL database, whose executable is RB.exe. The latest update on ZA Pro has identified this program as a trojan (see description) and blocked its activity with the error message that RB.exe was logging keystrokes and cursor movements.
I went into ZA's program control and saw that the path to this executable was indeed located in the appropriate folder for this program - so I gave it full permission as a super trusted program to do what it needs to do. No more error messages and everything is working fine.
However, my boss has asked me the question, If I have given full permission to this executable so that our program can work, what will happen if the real trojan (whose executable is also RB.exe) gets on the machine? Have I made the machine vulnerable to the trojan?
I of course said no, the executables are located in different paths, and if ZA found another RB.exe in another path, it would raise the question again about whether to give permission, and that's when we would find the discrepancy. However, now I'm wondering...
Does anyone know how ZA would treat an intrusion of an illegitimate intruder, after having given full permissions to a legitimate executable with the same name?
Any help is much appreciated. TIA,
maureen
I've not installed v6.0 yet - using the last v5.5, so this is "informed" (I hope) speculation for now.
I do use an application firewall - System Safety Monitor, that does on a system wide basis what ZAP is doing, so do have experience with this kind of program.
SSM checks process execution based not only on the path, but on something called MD Hash, which is a unique identifier for anything that executes on the system. So if I've given permission for Notepad, for instance, and a newer version is executed - as happened with SP2 - SSM will again ask permission.
I would ask at the ZL forums if this is indeed the case. I can't imagine that it wouldn't be though, otherwise this feature would be crippled. Sygate free has a feature that does the same thing (only for anything that wants to access the Net) and will spot a different version of an executable, same path or not.
If I think of a way to test this, I'll let you know.
http://www.wilderssecurity.com/index.php Wilders forum - post in the "other firewall" section. This site is mostly about security issues and no registration required.
Charles - you were so right about creating a hash ID file - ZA calls it a fingerprint.
I took your advice, registered for the forum and posted the same question. Here is the answer I got:
Zone Alarm creates a hash of files, in this case RB.exe. It stores a digital fingerprint of the file. If something were to erase RB.exe and then drop itself in the same directory and name itself RB.exe, Zone Alarm would warn you that the program had changed. If a program named RB.exe was in another directory, ZA would treat it as a new program, regardless of the name and even if it was the exact same RB.exe file that you have already given permissions to. That's what I have found while playing around.
Different directory, same name = "New Program"
Same Directory, same name but different or altered file = "Changed Program"
Musashi
So I guess my first thought was kind of right, but the protection extends beyond that: it seems ZA is able to also recognize any substitution or secret infection in a file that has already been approved, and it will sound an alert. Nice.
Thanks for the help. I can sleep again and I think my boss will rest better too.
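To make the two rules Musashi spelled out concrete, here is a small added example (not ZoneAlarm's code, and not from anyone in this thread) of a path-plus-fingerprint allowlist that classifies an execution attempt as known, changed, or new. It assumes SHA-256 as the fingerprint and a constructed stand-in for the RB.exe bytes; ZoneAlarm's real hash algorithm and storage format are not given on the page.

```python
import hashlib
from pathlib import PureWindowsPath


def fingerprint(data: bytes) -> str:
    """Return the SHA-256 hex digest of an executable's bytes (the 'fingerprint')."""
    return hashlib.sha256(data).hexdigest()


def normalize(path: str) -> str:
    """Windows paths are case-insensitive, so compare C:\\App\\RB.exe and c:\\app\\rb.exe as one key."""
    return str(PureWindowsPath(path)).lower()


def approve(allowlist: dict, path: str, data: bytes) -> None:
    """Record the fingerprint of a program the user has just granted permission to."""
    allowlist[normalize(path)] = fingerprint(data)


def classify(allowlist: dict, path: str, data: bytes) -> str:
    """Classify an execution attempt using the thread's two rules.

    Different directory, same name           -> "New Program"
    Same directory, same name, altered bytes -> "Changed Program"
    Same directory, same bytes               -> "Known Program"
    """
    key = normalize(path)
    if key not in allowlist:
        # Path is unknown: a new program, even if the bytes are identical to an approved one.
        return "New Program"
    if allowlist[key] != fingerprint(data):
        # Same path, but the file on disk no longer matches the stored fingerprint.
        return "Changed Program"
    return "Known Program"


# Constructed sample data (hypothetical; not real executable contents).
LEGIT_RB = b"MZ-constructed-stand-in-for-the-legitimate-RB.exe"
TAMPERED_RB = b"MZ-constructed-stand-in-for-a-replaced-RB.exe"
LEGIT_PATH = r"C:\Program Files\OurApp\RB.exe"


def demo() -> dict:
    allow: dict = {}
    approve(allow, LEGIT_PATH, LEGIT_RB)
    return {
        "rerun": classify(allow, LEGIT_PATH, LEGIT_RB),
        "replaced": classify(allow, LEGIT_PATH, TAMPERED_RB),
        "other_dir": classify(allow, r"C:\Users\maureen\Temp\RB.exe", LEGIT_RB),
        "case_only": classify(allow, r"c:\program files\ourapp\rb.exe", LEGIT_RB),
    }
```

The `case_only` entry shows why the path key must be normalised: without it, the same approved file reached through a differently cased path would be flagged as a new program.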