Zscaler App Processes to Whitelist

Zscaler App Processes to Whitelist

While Zscaler has whitelisting agreements for the Zscaler App in place with specific endpoint protection vendors such as Trend Micro and Kaspersky Labs, for some endpoint protection products like anti-virus and personal firewall, you might need to perform additional whitelisting to ensure full Zscaler App functionality.

Symantec Tamper Protection is known to trigger a false positive for the Zscaler service. This is due to the way Zscaler App modifies the networking component of the operating system. You can ignore these warnings. You must also perform whitelisting for Symantec Tamper Protection.

Zscaler recommends that your users' devices have inbound rules that allow the following Zscaler App binaries and processes.

Processes Whitelist

You can use GPO to define rules that allow the following processes:

%ProgramFiles(x86)% and %ProgramFiles% are macros that represent the drive where the Windows program files are located. Typically, program files are located on the C drive. However there are exceptions, for example on Amazon WorkSpaces (AWS), program files are on the D drive.

Windows 64-bit

  • %ProgramFiles(x86)%\Zscaler\ZSATray\ZSATray.exe
  • %ProgramFiles(x86)%\Zscaler\ZSATunnel\ZSATunnel.exe
  • %ProgramFiles(x86)%\Zscaler\ZSAService\ZSAService.exe
  • %ProgramFiles(x86)%\Zscaler\ZSAUpdater\ZSAUpdater.exe
  • %ProgramFiles(x86)%\Zscaler\Updater\zscalerappupdater.exe
  • %ProgramFiles(x86)%\Zscaler\Updater\zscalerchecksumverifier.exe
  • %ProgramFiles(x86)%\Zscaler\ThirdParty\CertUtil\certutil.exe
  • %ProgramFiles(x86)%\Zscaler\ThirdParty\Filechecksum\fciv.exe
  • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-
  • %ProgramFiles(x86)%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-
  • %ProgramData%\Zscaler

Windows 32-bit

  • %ProgramFiles%\Zscaler\ZSATray\ZSATray.exe
  • %ProgramFiles%\Zscaler\ZSATunnel\ZSATunnel.exe
  • %ProgramFiles%\Zscaler\ZSAService\ZSAService.exe
  • %ProgramFiles%\Zscaler\ZSAUpdater\ZSAUpdater.exe
  • %ProgramFiles%\Zscaler\Updater\zscalerappupdater.exe
  • %ProgramFiles%\Zscaler\Updater\zscalerchecksumverifier.exe
  • %ProgramFiles%\Zscaler\ThirdParty\CertUtil\certutil.exe
  • %ProgramFiles%\Zscaler\ThirdParty\Filechecksum\fciv.exe
  • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-
  • %ProgramFiles%\Zscaler\ThirdParty\TAPDriver\Zscaler-Network-Adapter-
  • %ProgramData%\Zscaler


  • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerTunnel
  • /Applications/Zscaler/Zscaler.app/Contents/PlugIns/ZscalerService
  • /Applications/Zscaler/Zscaler.app/Contents/MacOS/Zscaler
  • /Applications/Zscaler/.Updater/autoupdate-osx.app/Contents/MacOS/ZscalerUpdater
  • Zscaler App Identifier: com.zscaler.Zscaler

Bypasses for Firewall

If you have a GPO-managed or AV-managed host firewall, you can configure an inbound firewall rule on your endpoint protection product for ZSATunnel.exe processes for all ports, protocols, and network interfaces.


  • ZSATunnel.exe: Inbound and Outbound
  • ZSATray.exe: Outbound
  • ZSAUpdater: Outbound
  • ZSAService.exe: Outbound
  • Zscalerappupdater.exe: Outbound


  • ZscalerTunnel: Inbound and Outbound
  • ZscalerService: Outbound
  • Zscaler: Outbound
  • ZscalerUpdater: Outbound