How do you harden a ZCC / ZAPP install to prevent bypass?

I’ve been evaluating the ZCC instance deployed to my test workstation and have come across one glaring weakness that allows me to bypass the ZCC. I wanted to ask the community if there’s a way to harden the install to prevent this (perhaps it’s just my org, I wasn’t involved in the deployment).

If you have local administrator privileges, you can rename the executables associated with each of the Zscaler services (ZSAService, ZSATrayManager, ZSATunnel, ZSAUpdater), and then after a reboot the services fail to start.

Examining the ownership of the files themselves, they all appear to be owned by the local Administrator. This differs from other products (AV, for example), which are owned by SYSTEM and protected from modification by local admins.

I’ve searched through the community and examined the ZAPP / ZCC install guides. I’ve come up empty thus far. Appreciate any feedback you can provide, thank you.
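
An added example, not part of the original post and not Zscaler tooling: a read-only PowerShell audit that reports who owns the binaries behind the services named above and which non-SYSTEM principals hold rights that allow renaming or replacing them. The `ZSA%` service-name filter is an assumption based on the names listed in the post.

```powershell
# Added audit example; read-only. The 'ZSA%' filter is an assumption based on
# the service names listed in the post.
$SidType = [System.Security.Principal.SecurityIdentifier]
$Trusted = @(
    'S-1-5-18',                                                        # SYSTEM
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'   # TrustedInstaller
)
# Rights that allow renaming, replacing or re-permissioning, plus raw
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) ACEs.
$Risky = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Risky = $Risky -bor 0x10000000 -bor 0x40000000

function Get-ServiceBinaryPath([string]$PathName) {
    # Win32_Service.PathName may be quoted and may carry arguments.
    if ($PathName -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return $null
}

Get-CimInstance Win32_Service -Filter "Name LIKE 'ZSA%'" | ForEach-Object {
    $svc = $_
    $exe = Get-ServiceBinaryPath $svc.PathName
    if (-not $exe -or -not (Test-Path -LiteralPath $exe)) { return }
    # Renaming needs Delete on the file or delete-child on its folder, so check both.
    foreach ($target in $exe, (Split-Path -Parent $exe)) {
        $acl = Get-Acl -LiteralPath $target
        $writers = $acl.GetAccessRules($true, $true, $SidType) | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Trusted -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $Risky)
        } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
        [pscustomobject]@{
            Service          = $svc.Name
            Target           = $target
            Owner            = $acl.Owner
            OwnerIsSystem    = $Trusted -contains $acl.GetOwner($SidType).Value
            NonSystemWriters = $writers -join ', '
        }
    }
}
```

`S-1-5-32-544` in the `NonSystemWriters` column is the built-in Administrators group, which is the condition the post describes.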

Hi,

Refer to: https://help.zscaler.com/z-app/customizing-zscaler-app-install-options-msi

I’ve read through the documentation you’ve provided (I had read it before, too) but I’m not seeing where I would specify installing the agent as SYSTEM (for example). Are you able to provide a little more guidance? Thank you.
