Checkpoint Antiransomware and EAM behaviour blocker


fax

Any chance to find a more permanent solution to EAM trying to kill Checkpoint Anti-Ransomware (luckily the anti-tampering in Checkpoint blocks the attempts)? Whitelisting by digital certificate?

07/10/2017 14:36:28	1912	C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe	Allowed by rule	Behavior.TrojanDownloader	
07/10/2017 13:01:25	8332	C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe	Quarantined by user	Behavior.HiddenInstallation	

The file is digitally signed by Checkpoint Security. As it updates often, the only way I found is to add it to the exclusion list. I have contacted support in the past to whitelist it, but with every new version the problem reappears.

Thanks,

Fax


Are you sure that the file ZAAR.exe is digitally signed? What does it say in the Digital Signatures tab of the file's properties?

Also, the log excerpt says "Quarantined by user". Was there an alert?

As for exclusions, when it comes to running more than one security product, exclusions are often necessary to prevent issues. Two security products opening hooks into each other's processes can cause all sorts of weird problems, not to mention the fact that they open hooks into every other process running on the system as well.


7 hours ago, GT500 said:

Are you sure that the file ZAAR.exe is digitally signed? What does it say in the Digital Signatures tab of the file's properties?

Yes, it is digitally signed, see screenshot.

7 hours ago, GT500 said:

Also, the log excerpt says "Quarantined by user". Was there an alert?

This must be due to the non-specific logging, which does not distinguish between user actions and EAM actions (Auto resolve). Maybe development could think of refining the logging capability to allow separating the two, as this could be a common scenario.

Thanks,

Fax

Capture.JPG


Apparently we've blacklisted Checkpoint's digital certificate (I was told this is because they bundle ZoneAlarm's software with a bunch of PUPs), so this is why the issue is happening.

Exclusions are going to be the only way to resolve this if you want to continue using software from Checkpoint.
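The two points raised above, checking what the Digital Signatures tab actually says about ZAAR.exe and understanding why a publisher certificate on a deny-list cannot be whitelisted for one file only, can both be reproduced from PowerShell. The script below is an added example for this thread; it is not Emsisoft's or Check Point's code and does not reflect how EAM implements its blacklist. It uses the ZAAR.exe path as posted, a placeholder thumbprint standing in for a blocked certificate (not Check Point's real one), and the install directory `C:\Program Files (x86)\CheckPoint` as assumptions.

```powershell
# Added example (not from the original post or from Emsisoft/Check Point).
# 1) Read the Authenticode signer of a file, the same data the Digital Signatures tab shows.
# 2) Match the signer against a hypothetical per-publisher deny-list.
# 3) Show every binary in the install directory signed with the same certificate,
#    which is why a certificate cannot be allowed for ZAAR.exe alone.

function Get-SignerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate          # $null when the file is not signed

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
        Subject    = if ($cert) { $cert.Subject }    else { $null }
        Issuer     = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
    }
}

function Test-PublisherBlocked {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Hypothetical deny-list keyed on the signer's SHA-1 thumbprint.
        [string[]]$BlockedThumbprints = @()
    )

    $info = Get-SignerInfo -Path $Path

    if ($info.Status -ne 'Valid') {
        # No valid signature means there is no publisher to match on.
        # Treat as "unsigned", never as "trusted".
        return [pscustomobject]@{
            Path    = $Path
            Signed  = $false
            Blocked = $false
            Reason  = "Signature status: $($info.Status)"
        }
    }

    $blocked = $BlockedThumbprints -contains $info.Thumbprint
    [pscustomobject]@{
        Path    = $Path
        Signed  = $true
        Blocked = $blocked
        Reason  = if ($blocked) { "Signer '$($info.Subject)' is on the deny-list" }
                  else          { "Signer '$($info.Subject)' is not listed" }
    }
}

# --- usage -------------------------------------------------------------------
# Path as posted in the thread. The thumbprint is a placeholder, not Check Point's certificate.
$zaar     = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe'
$denyList = @('0000000000000000000000000000000000000000')

Get-SignerInfo -Path $zaar | Format-List
Test-PublisherBlocked -Path $zaar -BlockedThumbprints $denyList

# Every binary under the install directory that shares one signing certificate is covered by
# the same publisher-level decision. Grouping by thumbprint makes that blast radius visible.
Get-ChildItem 'C:\Program Files (x86)\CheckPoint' -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object { Get-SignerInfo -Path $_.FullName } |
    Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Thumbprint |
    Select-Object Count, Name, @{ Name = 'Subject'; Expression = { $_.Group[0].Subject } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session so the install directory is readable. A `Status` other than `Valid` on ZAAR.exe (for example `HashMismatch` after a partial update) would mean the file is not in the state the Digital Signatures tab suggests; a `Valid` status whose thumbprint appears in the grouped output alongside dozens of other binaries shows why a deny-list on that certificate has to be worked around with a path exclusion rather than lifted for one file.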


Thanks GT500, makes sense. I see that the ZAfree installers do indeed contain PUP code (FusionCore). So you can't simply whitelist, as it would apply across all signed applications.

A pity, as none of the ZA/Checkpoint retail packages have that code included. I will give feedback to the Checkpoint developers about it, but I guess this is more the fault of the marketing people than the developers.


Yes, it is unfortunate. It's probably the only way they could stay in business. Firewall software doesn't sell well enough these days to fund a business, and if you give it away for free you have to try to find some way to make money from that. Sadly some companies take that a little too far, and bundle things that are far worse than just Google Chrome...
