fax

Checkpoint Antiransomware and EAM behaviour blocker


Any chance of finding a more permanent solution to EAM trying to kill Checkpoint Anti-Ransomware (luckily the anti-tampering in Checkpoint blocks the attempts)? Whitelisting by digital certificate?

07/10/2017 14:36:28	1912	C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe	Allowed by rule	Behavior.TrojanDownloader	
07/10/2017 13:01:25	8332	C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe	Quarantined by user	Behavior.HiddenInstallation	

The file is digitally signed by Checkpoint Security. As it updates often, the only way I found is to add it to the exclusion list. I have contacted support in the past to whitelist it, but with every new version the problem reappears.

Thanks,

Fax



Are you sure that the file ZAAR.exe is digitally signed? What does it say in the Digital Signatures tab of the file's properties?

Also, the log excerpt says "Quarantined by user". Was there an alert?

As for exclusions, when it comes to running more than one security product, exclusions are often necessary to prevent issues. Two security products opening hooks into each other's processes can cause all sorts of weird problems, not to mention the fact that they open hooks into every other process running on the system as well.

7 hours ago, GT500 said:

Are you sure that the file ZAAR.exe is digitally signed? What does it say in the Digital Signatures tab of the file's properties?

Yes, it is digitally signed, see screenshot.


7 hours ago, GT500 said:

Also, the log exert says "Quarantined by user". Was there an alert?

This must be due to the non-specific logging, which does not distinguish between user actions and EAM actions (auto resolve). Maybe development could think about refining the logging capability to allow separating the two, as this could be a common scenario.

Thanks,

Fax

Capture.JPG


Apparently we've blacklisted Checkpoint's digital certificate (I was told this is because they bundle ZoneAlarm's software with a bunch of PUPs), so this is why the issue is happening.

Exclusions are going to be the only way to resolve this if you want to continue using software from Checkpoint.

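To make GT500's two points concrete (checking the Digital Signatures tab, and a vendor blacklisting a publisher certificate rather than a single file), here is an added PowerShell example. It is not code from this thread, from Emsisoft or from Check Point. It reads the Authenticode signature of a binary with the built-in Get-AuthenticodeSignature cmdlet and then applies a hypothetical allow/block policy keyed on the signer certificate's thumbprint. The ZAAR.exe path is the one from the log lines above; the thumbprint values are placeholders, not Check Point's real certificate.

```powershell
# Added example (not from the thread, Emsisoft or Check Point): reproduce what the
# "Digital Signatures" tab shows, then decide on the publisher, not the file hash.

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Path)

    # Get-AuthenticodeSignature validates the embedded signature against the
    # local certificate store. Status is Valid, NotSigned, HashMismatch, ...
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Message     = $sig.StatusMessage
        Subject     = if ($cert) { $cert.Subject }    else { $null }
        Issuer      = if ($cert) { $cert.Issuer }     else { $null }
        Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
        NotAfter    = if ($cert) { $cert.NotAfter }   else { $null }
        TimeStamped = [bool]$sig.TimeStamperCertificate
    }
}

function Test-PublisherPolicy {
    param(
        [Parameter(Mandatory)]$Summary,
        [string[]]$BlockedThumbprints = @(),
        [string[]]$AllowedThumbprints = @()
    )
    # A valid signature only proves who signed the file. Whether that publisher
    # is trusted is a separate policy decision; here block wins over allow,
    # which is the effect of a vendor blacklisting a publisher certificate.
    if ($Summary.Status -ne 'Valid') {
        return "untrusted: signature status is $($Summary.Status)"
    }
    if ($BlockedThumbprints -contains $Summary.Thumbprint) {
        return 'blocked: publisher certificate is blacklisted'
    }
    if ($AllowedThumbprints -contains $Summary.Thumbprint) {
        return 'allowed: publisher certificate is whitelisted'
    }
    return 'no policy match: fall back to behaviour analysis'
}

# Usage. The path is taken from the log lines in this thread; the thumbprint is
# a made-up placeholder (assumption), not a real Check Point certificate.
$target  = 'C:\Program Files (x86)\CheckPoint\Endpoint Security\TPCommon\Cipolla\ZAAR.exe'
$summary = Get-SignerSummary -Path $target
$summary | Format-List
Test-PublisherPolicy -Summary $summary `
    -BlockedThumbprints @('0000000000000000000000000000000000000000')
```

Keying the decision on the certificate rather than the file is what lets a rule survive frequent updates of ZAAR.exe, which is the whole problem with path or hash exclusions in this thread. The same property is what makes a publisher blacklist sweep in every binary the publisher signs, including ones without bundled PUPs. Note also that a thumbprint pin breaks when the publisher renews its certificate; matching on Subject plus the issuing CA is more durable but correspondingly looser.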

Thanks GT500, makes sense. I see that the ZAfree installers do indeed contain PUP code (fusioncore). So you can't simply whitelist, as it would apply across all signed applications.

A pity, as all the ZA/Checkpoint retail packages don't have that code included. I will feed this back to the Checkpoint developers, but I guess this is more the fault of the marketing people than the developers.


Yes, it is unfortunate. It's probably the only way they could stay in business. Firewall software doesn't sell well enough these days to fund a business, and if you give it away for free you have to try to find some way to make money from that. Sadly some companies take that a little too far, and bundle things that are far worse than just Google Chrome...

