Thread: Strange behavior, replacement of mantispm.exe

  1. #1
    cjmacey Guest

    Strange behavior, replacement of mantispm.exe

    This morning when I booted my machine, the ZoneAlarm tray icon appeared for about thirty seconds, then disappeared. I restarted ZoneAlarm and it came up apparently normally, but then I got two alerts that mantispm was trying to access the trusted zone and then the Internet. I hurriedly unplugged the Ethernet jack and looked at the file. It apparently had just been modified. Does the MailFrontier stuff have an independent updater? I saved the copy of mantispm.exe, reinstalled the latest and greatest official update, and did a binary compare on the mantispm file old and new. They are substantially different.

    I am running the ZoneAlarm Suite on Windows XP Home.

    Operating System: Windows XP Home Edition
    Software Version: 8.0
    Product Name: ZoneAlarm Internet Security Suite

  2. #2
    cjmacey Guest

    Re: Strange behavior, replacement of mantispm.exe

    More data, maybe more puzzling, maybe not. The files really differ only by 7 bytes. Still, they show as the same revision, so why are they different at all? Apparently that triggered the signature failure and caused the repeat program alerts.

  3. #3
    cjmacey Guest

    Re: Strange behavior, replacement of mantispm.exe

    More data. The files are actually identical. A bindiff from Freshmeat that I didn't understand how to use at first. Still, the file was modified this morning and I installed the last version over the weekend. So, when I reinstall, is something patching it again? I can't tell.

  4. #4
    johncholmes Guest

    Re: Strange behavior, replacement of mantispm.exe

    This seems innocent, but have you tried submitting the files in question to VirusTotal?
    JH

  5. #5
    cjmacey Guest

    Re: Strange behavior, replacement of mantispm.exe

    I checked the modification date on the reinstalled mantispm.exe and it is 2/19/09, which is what it should be. That file is identical to the file with the modification date of 4/7/09.

    Sooo, assuming this was hostile, which I can't imagine it wasn't, the most reasonable scenario is that something patched mantispm, let it run once which yielded the program alerts, and then unpatched it to avoid detection. Why else could the modification date have changed? I'm very bothered by this, but don't have a plan for what to do next, so far.
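
The checks discussed in this thread (a byte-level compare of two copies, and a file whose modification date moved while its bytes match the reinstalled copy) can be separated with a stored baseline. The following is an added example, not part of the original thread and not ZoneAlarm code; the file names, contents and timestamps are constructed, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile

def snapshot(path):
    """Record content hash, size and modification time of one file."""
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    st = os.stat(path)
    return {"sha256": digest, "size": st.st_size, "mtime_ns": st.st_mtime_ns}

def classify(baseline, current):
    """Compare two snapshots of the same path taken at different times."""
    if baseline["sha256"] != current["sha256"]:
        return "content-changed"
    if baseline["mtime_ns"] != current["mtime_ns"]:
        return "rewritten-same-content"  # written or touched, bytes identical
    return "unchanged"

def diff_offsets(path_a, path_b):
    """Offsets at which two files differ; extra trailing bytes count too."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        a, b = fa.read(), fb.read()
    common = min(len(a), len(b))
    offsets = [i for i in range(common) if a[i] != b[i]]
    return offsets + list(range(common, max(len(a), len(b))))

def write_at(path, data, mtime_s):
    """Write data and pin the modification time (constructed timestamps)."""
    with open(path, "wb") as f:
        f.write(data)
    os.utime(path, (mtime_s, mtime_s))

def demo():
    """Constructed files only; no real ZoneAlarm binary is involved."""
    original = bytes(range(256)) * 16
    patched = bytearray(original)
    patched[100:107] = b"\xff" * 7                     # seven bytes altered
    with tempfile.TemporaryDirectory() as d:
        installed = os.path.join(d, "installed.bin")
        saved = os.path.join(d, "saved.bin")
        write_at(installed, original, 1_235_000_000)   # state at install time
        write_at(saved, original, 1_235_000_000)       # offline reference copy
        baseline = snapshot(installed)
        write_at(installed, bytes(patched), 1_239_000_000)
        after_patch = classify(baseline, snapshot(installed))
        offsets = diff_offsets(saved, installed)
        write_at(installed, original, 1_239_000_100)   # original bytes written back
        after_restore = classify(baseline, snapshot(installed))
    return {"after_patch": after_patch, "offsets": offsets, "after_restore": after_restore}
```

A "rewritten-same-content" result only says the file was written or touched after the baseline was taken; an updater, a reinstall or a repair pass can produce it as well, so the baseline should be kept somewhere the monitored machine cannot modify.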
