
two .EXEs with same name, one good, one bad

Discussion in 'Malware and Virus Removal Archive' started by maureen, 2005/08/16.

  1. 2005/08/16
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Question about Zone Alarm:

    We have a proprietary program at work using a SQL database, whose executable is RB.exe. The latest update of ZA Pro identified this program as a trojan (see description) and blocked its activity with the error message that RB.exe was logging keystrokes and cursor movements.

    I went into ZA's program control and saw that the path to this executable was indeed located in the appropriate folder for this program - so I gave it full permission as a super trusted program to do what it needs to do. No more error messages and everything is working fine.

    However, my boss has asked me the question: if I have given full permission to this executable so that our program can work, what will happen if the real trojan (whose executable is also RB.exe) gets on the machine? Have I made the machine vulnerable to the trojan?

    I of course said no, the executables are located in different paths, and if ZA found another RB.exe in another path, it would raise the question again about whether to give permission and that's when we would find the discrepancy. However, now I'm wondering...

    Does anyone know how ZA would treat an intrusion of an illegitimate intruder, after having given full permissions to a legitimate executable with the same name?

    Any help is much appreciated. TIA,

    maureen
     
  2. 2005/08/16
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello maureen,

    I've not installed v6.0 yet - using the last v5.5, so this is "informed" (I hope) speculation for now.

    I do use an application firewall - System Safety Monitor, that does on a system wide basis what ZAP is doing, so do have experience with this kind of program.

    SSM checks process execution based not only on the path, but on something called MD Hash, which is a unique identifier for anything that executes on the system. So if I've given permission for Notepad, for instance, and a newer version is executed - as happened with SP2 - SSM will again ask permission.

    I would ask at the ZL forums if this is indeed the case. I can't imagine that it wouldn't be though, otherwise this feature would be crippled. Sygate free has a feature that does the same thing (only for anything that wants to access the Net) and will spot a different version of an executable, same path or not.

    If I think of a way to test this, I'll let you know.

    Regards - Charles
     


  4. 2005/08/16
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Thanks, Charles.

    Guess I'll have to figure out where the ZL forum is, and post the question there.

    Appreciate your help --

    maureen
     
  5. 2005/08/16
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
  6. 2005/08/17
    maureen

    maureen Inactive Thread Starter

    Joined:
    2002/01/07
    Messages:
    128
    Likes Received:
    0
    Charles - you were so right about creating a hash ID file - ZA calls it a fingerprint.

    I took your advice, registered for the forum and posted the same question. Here is the answer I got:

    Zone Alarm creates a hash of files, in this case RB.exe. It stores a digital fingerprint of the file. If something were to erase RB.exe and then drop itself in the same directory and name itself RB.exe, Zone Alarm would warn you that the program had changed. If a program named RB.exe was in another directory, ZA would treat it as a new program, regardless of the name and even if it was the exact same RB.exe file that you have already given permissions to. That's what I have found while playing around.

    Different directory, same name = "New Program"
    Same directory, same name but different or altered file = "Changed Program"
    Musashi

    So I guess my first thought was kind of right, but the protection extends beyond that: it seems ZA is able to also recognize any substitution or secret infection in a file that has already been approved, and it will sound an alert. Nice.

    Thanks for the help. I can sleep again and I think my boss will rest better too.

    - maureen
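A small model of the path-plus-fingerprint check that Charles describes for SSM and Musashi describes for ZA, written as an added example for this thread and not taken from either product; the paths, the file bytes and the choice of SHA-256 as the hash are assumptions for illustration.

```python
import hashlib


def fingerprint(data: bytes) -> str:
    """The stored 'fingerprint' / 'MD Hash': a digest of the executable's bytes."""
    return hashlib.sha256(data).hexdigest()


class ProgramControl:
    """Allow-list keyed by full path; each entry remembers the file's fingerprint."""

    def __init__(self) -> None:
        self._trusted: dict[str, str] = {}  # normalised path -> fingerprint

    @staticmethod
    def _norm(path: str) -> str:
        # Windows paths are case-insensitive and accept either slash.
        return path.replace("\\", "/").lower()

    def trust(self, path: str, data: bytes) -> None:
        """What maureen did: grant permission and record the fingerprint."""
        self._trusted[self._norm(path)] = fingerprint(data)

    def check(self, path: str, data: bytes) -> str:
        """Classify an execution attempt into the thread's three outcomes."""
        key = self._norm(path)
        if key not in self._trusted:
            return "New Program"      # unknown path, regardless of file name or bytes
        if self._trusted[key] != fingerprint(data):
            return "Changed Program"  # same path, but the bytes no longer match
        return "Allowed"


def demo() -> dict[str, str]:
    """Run the cases from the thread against constructed stand-in files."""
    pc = ProgramControl()
    legit = b"constructed stand-in for the real RB.exe bytes"   # not a real binary
    substitute = b"constructed stand-in for a dropped-in RB.exe"  # not a real binary
    app_path = r"C:\Program Files\RB\RB.exe"                     # assumed install path
    pc.trust(app_path, legit)
    return {
        "same path, same file": pc.check(app_path, legit),
        "same path, other spelling": pc.check("c:/program files/rb/rb.exe", legit),
        "same path, replaced file": pc.check(app_path, substitute),
        "other dir, same name, same bytes": pc.check(r"C:\Windows\Temp\RB.exe", legit),
    }
```

The last case is the one maureen's boss asked about: a second RB.exe elsewhere on disk is treated as a new program and prompts again, while a swapped file in the trusted location is flagged as changed because its fingerprint no longer matches.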
     
  7. 2005/08/17
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Thanks maureen for the post back, appreciated :)

    Regards - Charles
     
