IBM Support

IBM Zero Trust Execution for AIX


IBM Zero Trust Execution for AIX® (ZTEA) is a real time malware defense for AIX that uses a Zero Trust (ZT) approach. ZTEA is designed to detect, and optionally prevent, the execution of all types of software-based malware (including ransomware, zero-day malware, next-generation malware, hacking tools, exploitation software, polymorphic malware, viruses, rootkits, worms, and trojans). ZTEA uses a combination of up to three separate security measures to mitigate malware risk.

The 3 security measures are:
1. Allowlisting provided by AIX Trusted Execution
2. Traditional endpoint malware scanning provided by ClamAV
3. ZTEA Hash Cross-referencing

An executable is defined as any compiled file, script, library, or kernel extension loaded to memory and executed by the AIX operating system kernel.

This malware defense is implemented using ZTEA software in combination with several other security tools, including AIX Trusted Execution, ClamAV’s clamscan component, AIX syslog, and PowerSC.
Executables are validated in several ways:
  1. Any executable that has not been authorized for execution will be detected by AIX Trusted Execution
  2. Any executable that has had its content or file attributes altered in an unauthorized fashion will be detected by AIX Trusted Execution
  3. Any executable that corresponds to a known malware signature will be detected by ClamAV
  4. The hash of every executable is validated against a set of ZTEA Cross-referencing Hash Database (CRHD) files. Each hash is reported as either "Secure", "Trusted", or "Unknown".  A hash reported as “unknown” could be malware and would need additional verification to validate it is not malware.
 
ZTEA is designed to facilitate automation. For example, if new applications are installed on a system, any new software executables will automatically be authorized for execution in the AIX Trusted Execution database by ZTEA after being validated by ClamAV. ZTEA is designed to provide extensive automation for deployment, monitoring, and management. ZTEA provides support for it to be centrally monitored with PowerSC.
 
ZTEA currently provides only limited support for the prevention of file execution, also known as "prevention mode". In prevention mode, ZTEA currently only assists with configuration of the AIX Trusted Execution database. Full support for prevention mode may be provided in a future release of ZTEA.
 
 

Relevance in 2025

  • “Ransomware was the most pervasive cyber threat to critical infrastructure in 2024 as complaints regarding such attacks jumped 9% over 2023, the FBI said on Wednesday (4/23/2025).” 5

Relevance to "Cost of a Data Breach 2023" 1

  • Unknown (zero-day) vulnerabilities were the initial attack vector in 11% of all breaches.
  • Ransomware was responsible for 24% of malicious attacks.
  • “Data breaches disclosed by the attacker, such as with ransomware, cost significantly more. Attacks disclosed by attackers had an average cost of USD 5.23 million, which was a 19.5% or USD 930,000 difference over the average cost of breaches identified through internal security teams or tools of USD 4.30 million”.
  • At USD 5.13 million, the average cost of a ransomware attack in the 2023 report increased 13% from the average cost of USD 4.54 million in the 2022 report.

Relevance to CIS Controls 2

  • CIS Control 2.5 - Allowlist Authorized Software
    “Use technical controls, such as application allowlisting, to ensure that only authorized software can execute or be accessed”
  • CIS Control 2.6 - Allowlist Authorized Libraries
    “Use technical controls to ensure that only authorized software libraries, such as specific .dll, .ocx, .so, etc., files are allowed to load into a system process.  Block unauthorized libraries from loading into a system process.” ...
  • CIS Control 2.7 - Allowlist Authorized Scripts
    “Use technical controls, such as digital signatures and version control to ensure that only authorized scripts, such as specific .ps1, .py, etc., files are allowed to execute.  Block unauthorized scripts from executing” ...
  • CIS Control 10.1 - Deploy and Maintain Anti-Malware Software
    “Deploy and maintain anti-malware software on all enterprise assets.”

Relevance to Zero Trust

  • “Never trust, always verify – Treat every user, device, application/workload and data flow as untrusted. Authenticate and explicitly authorize each to the least privilege required that uses dynamic security policies.” 3
  • “If an organization is able to align its infrastructure around zero-trust principles, it can easily halt attackers at every stage of the ransomware lifecycle.  In case the organizational defenses fail at any point, it will still have multiple layers of protection that will stop the malware from spreading or prevent attackers from exploring the victim’s environment.” 4
 

 
ZTEA Customer Reference
 
See the Ohio Department of Administrative Services' AIX Technical Manager's recommendation for ZTEA:
 

 
ZTEA Overview with PowerSC - Video
 
See the creator of ZTEA, Stephen Dominguez, provide a technical overview and demo of ZTEA using PowerSC Custom Events for the February 2025 IBM Power Virtual Users Group:
 

 
Getting Started with ZTEA
 
The following page provides options and information for how your organization can get started with ZTEA:
Getting Started with ZTEA
 

 
 

The following table shows the malware risk mitigation features that ZTEA adds to AIX malware defense when paired with PowerSC (compared against PowerSC only):

  • Real time detection of malware execution
  • Real time detection of unverified executables being deleted
  • Real time automated learning mode for securely adding new executables to the AIX Trusted Execution database using ClamAV verification
  • Coming in Version 1.0.1.0 (expected 1Q 2026): new support for system scans designed to complement the existing zero trust executable verification
  • Real time detection of malware execution that is typically undetectable. Zero-day malware, polymorphic malware, hacking tool, and exploitation software execution is detected using ZTEA Hash Cross-referencing.
  • Detection of malware using ClamAV system scans
  • Reduction of ClamAV system scan frequency due to risk mitigation provided by ZTEA's real time detection of malware execution
  • Simplified, automated, and advanced configuration of AIX Trusted Execution
  • Detection of unauthorized changes to files
  • Detection of unauthorized executables

 
ZTEA Malware Risk Mitigation Modes

One of three malware risk mitigation modes can be configured when deploying ZTEA on an AIX instance. The mitigation mode that is used can be decided on a per AIX instance basis. Each successive level provides greater risk mitigation but requires more effort to properly configure. This 3-mode approach allows you to deploy ZTEA using a strategy that best fits the security objectives and resources of your particular organization.

The security measures applied by each mode (ZTEA-Standard, ZTEA-Trusted, and ZTEA-Secure) are drawn from the following:

  • All executables validated with ClamAV
  • Unauthorized executables detected using AIX Trusted Execution
  • Unauthorized modification of authorized executables detected using AIX Trusted Execution
  • Unauthorized executables validated as either "trusted", "secure", or "unknown" using ZTEA hash cross-referencing
  • Unauthorized executables validated as either "secure" or "unknown" using ZTEA hash cross-referencing
 
Maturity Model for Malware Risk Mitigation using ZTEA

The following maturity model provides guidance for understanding how different degrees of malware risk mitigation can be achieved using ZTEA. An organization will typically begin at the Traditional stage, but it may choose to achieve a higher stage, i.e., Initial, Advanced, or Optimal. Achieving higher stages can require varying amounts of time. The stage an organization reaches depends on the level of malware risk mitigation it wants to achieve, and is determined by how the AIX Trusted Execution, ClamAV, and ZTEA Hash Cross-referencing security measures are implemented.

Stage: Optimal
  • AIX Trusted Execution: AIX Trusted Execution run time prevention policies are added
  • ClamAV: Strategic partial system scans are added.
  • ZTEA Hash Cross-referencing: Executable hashes that can’t be cross-referenced using a CRHD_S database are reported as “unknown”

Stage: Advanced
  • AIX Trusted Execution: A change control process is added which tracks the installation of all new software
  • ClamAV: A weekly full system scan is added.
  • ZTEA Hash Cross-referencing: Executable hashes that can’t be cross-referenced using a CRHD_S or CRHD_T database are reported as “unknown”

Stage: Initial
  • AIX Trusted Execution: ZTEA implements an allowlist by registering every executable to the AIX Trusted Execution database
  • ClamAV: The AIX Trusted Execution allowlist is validated using ClamAV. ZTEA provides real time detection of malware using ClamAV.
  • ZTEA Hash Cross-referencing: N/A - not used at this stage.

Stage: Traditional
  • AIX Trusted Execution: Malware risk is not being mitigated with AIX Trusted Execution
  • ClamAV: Malware risk is not being mitigated with ClamAV
  • ZTEA Hash Cross-referencing: Malware risk is not being mitigated with ZTEA Hash Cross-referencing
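The following added example (not ZTEA's own code; the CRHD file format, the hash algorithm, and all sample executables are assumptions) models how the hash cross-referencing described in the mode and maturity-model tables classifies executables. A CRHD_S file is modelled as the hash set of a dedicated security reference instance and a CRHD_T file as the hash set of an instance designated as not compromised; ZTEA-Trusted accepts matches from either file, while ZTEA-Secure accepts only CRHD_S matches, so the same executable can be "trusted" in one mode and "unknown" in the other.

```python
import hashlib

# Classification labels used by ZTEA hash cross-referencing.
SECURE, TRUSTED, UNKNOWN = "secure", "trusted", "unknown"


def sha256_hex(content):
    """Hex SHA-256 of an executable's bytes (the hash algorithm is an assumption)."""
    return hashlib.sha256(content).hexdigest()


def build_crhd(executables):
    """Model a CRHD file as the set of hashes of the executables on the instance
    it was generated from (the real CRHD file format is not described here)."""
    return {sha256_hex(content) for content in executables.values()}


def cross_reference(digest, crhd_s, crhd_t, mode):
    """Classify one hash under a ZTEA mode.

    ZTEA-Trusted accepts matches from CRHD_S (secure) or CRHD_T (trusted);
    ZTEA-Secure accepts only CRHD_S matches. Anything else is unknown and
    needs additional verification. ZTEA-Standard does no cross-referencing.
    """
    if mode not in ("trusted", "secure"):
        raise ValueError("hash cross-referencing is only used in trusted or secure mode")
    if digest in crhd_s:
        return SECURE
    if mode == "trusted" and digest in crhd_t:
        return TRUSTED
    return UNKNOWN


def classify_instance(executables, crhd_s, crhd_t, mode):
    """Map every executable path on a monitored instance to its classification."""
    return {path: cross_reference(sha256_hex(content), crhd_s, crhd_t, mode)
            for path, content in executables.items()}


# Constructed sample data (not real AIX binaries): byte strings stand in for file contents.
REFERENCE_INSTANCE = {"/usr/bin/ls": b"ls-7.3", "/usr/lib/libc.a": b"libc-7.3"}
PRODUCTION_INSTANCE = {**REFERENCE_INSTANCE, "/opt/app/bin/report": b"report-1.0"}
MONITORED_INSTANCE = {
    "/usr/bin/ls": b"ls-7.3",                # matches the security reference instance
    "/usr/lib/libc.a": b"libc-7.3-patched",  # content altered after the CRHD files were generated
    "/opt/app/bin/report": b"report-1.0",    # known only to the non-compromised production instance
    "/tmp/.cache/run": b"dropper",           # present on no reference instance
}


def demo():
    """Cross-reference the monitored instance under both modes that use CRHD files."""
    crhd_s = build_crhd(REFERENCE_INSTANCE)   # CRHD_S: dedicated security reference instance
    crhd_t = build_crhd(PRODUCTION_INSTANCE)  # CRHD_T: instance designated as not compromised
    return {mode: classify_instance(MONITORED_INSTANCE, crhd_s, crhd_t, mode)
            for mode in ("trusted", "secure")}


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, result)
```

In the output, the altered libc.a and the file under /tmp are "unknown" in both modes, while /opt/app/bin/report is "trusted" under ZTEA-Trusted but "unknown" under ZTEA-Secure.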
 
 

The coordination that ZTEA accomplishes between AIX Trusted Execution, ClamAV, and hash cross-referencing results in a malware defense synergy. The following tables detail this synergy:

ClamAV limitations and how the other measures compensate

ClamAV limitation: Doesn't know where to look for malware
  • Description: ClamAV has no ability to know where malware may likely reside on a system. Without any direction, ClamAV would have to check every file on a system.
  • AIX Trusted Execution's benefit: ZTEA directs ClamAV to scan specific lists of files deemed suspicious using AIX Trusted Execution’s ability to detect unauthorized executables.
  • ZTEA Hash Cross-referencing's benefit: not applicable

ClamAV limitation: Prone to excessive CPU scanning
  • Description: Without the direction of suspicious files identified by AIX Trusted Execution, ClamAV would need to perform frequent general scans to detect malware in a timely fashion.
  • AIX Trusted Execution's benefit: ZTEA uses lists of suspicious executables generated by AIX Trusted Execution to direct ClamAV to perform specific scans on suspicious executables in real-time. Since these suspicious executables are being checked in real-time, the frequency of general ClamAV scans can be reduced.
  • ZTEA Hash Cross-referencing's benefit: When hash cross-referencing is properly implemented, malware risk is mitigated significantly. Since executables are cross-referenced in real-time, the frequency of general ClamAV scans can be reduced.

ClamAV limitation: Can't detect zero-day malware, polymorphic malware or hacking tools
  • Description: Malware signatures may not exist for new malware or hacking tools that haven’t been identified by the cyber security industry. Thus, ClamAV could not detect this type of malware.
  • AIX Trusted Execution's benefit: ZTEA leverages AIX Trusted Execution to detect unauthorized executables to generate a list of files that may include malware executables undetectable by ClamAV.
  • ZTEA Hash Cross-referencing's benefit: When hash cross-referencing is properly implemented, zero-day malware or hacking tools would be detected and reported as "unknown" executables.

ClamAV limitation: Not a real-time malware defense
  • Description: Malware signatures can only be detected when ClamAV is actively scanning directories and files. A malware executable may enter a system, execute its attack, and be removed from the system in between general ClamAV scans. In this case, it would be impossible for ClamAV to detect the malware.
  • AIX Trusted Execution's benefit: AIX Trusted Execution can detect unauthorized executables in real-time. Then, ZTEA can refer an executable to ClamAV for malware detection in real time.
  • ZTEA Hash Cross-referencing's benefit: Hash cross-referencing can detect malware in real-time. Hash cross-referencing would report malware as "unknown" executables.

AIX Trusted Execution limitations and how the other measures compensate

AIX Trusted Execution limitation: Can’t check using malware signatures
  • Description: AIX Trusted Execution does not perform any actions involving known malware signatures.
  • ClamAV's benefit: ZTEA uses ClamAV to resolve this limitation using ClamAV’s malware signature checking capabilities.
  • ZTEA Hash Cross-referencing's benefit: not applicable

AIX Trusted Execution limitation: Can’t validate files registered in the AIX Trusted Execution database
  • Description: It is possible for executables corresponding to known malware signatures to be registered in the AIX Trusted Execution database.
  • ClamAV's benefit: ZTEA uses ClamAV to verify that all executables registered in the AIX Trusted Execution database do not correspond to known malware signatures.
  • ZTEA Hash Cross-referencing's benefit: Hash cross-referencing can be used to validate that all executables registered to the AIX Trusted Execution database are not malware.

AIX Trusted Execution limitation: Unregistered executables corresponding to known malware signatures can go undetected indefinitely until they are executed
  • Description: In most cases, if a file is not registered in the AIX Trusted Execution database, AIX Trusted Execution would not be able to detect it until it is executed.
  • ClamAV's benefit: ClamAV would detect this malware with a full general ClamAV scan of the system.
  • ZTEA Hash Cross-referencing's benefit: Currently not applicable, but future releases may mitigate this risk.
 
 
Frequently Asked Questions
Q. What is the difference between ZTEA and other traditional malware defense security measures?
A. ZTEA is designed to provide comprehensive malware defense using a Zero Trust approach. ZTEA is a combination of three different but complementary security measures: allowlisting, malware scanning, and ZTEA hash cross-referencing. ZTEA also achieves a malware defense synergy with malware scanning and allowlisting. See the section “Malware Defense Synergy” for a full description of this synergy.
 
Q. Should I use ZTEA if all I need is an anti-virus solution?
A. Yes. Using ZTEA allows you to reduce the frequency of ClamAV scans that you would normally run without ZTEA. Clients that don't use ZTEA would typically run daily full system malware scans with ClamAV. However, since ZTEA monitors all executables in real-time for malware using ClamAV, it becomes less necessary to scan your systems daily. For example, a current ZTEA customer, with hundreds of AIX LPARs, runs full system ClamAV scans only on a weekly basis because they are confident in how ZTEA uses AIX Trusted Execution and ClamAV in tandem to mitigate malware risk in real time.
 
Q. What is the difference between CRHD_T and  CRHD_S files?
A. A CRHD_T file is generated by ZTEA on an AIX instance that a ZTEA administrator has designated as not compromised.  A CRHD_S file is generated by ZTEA on a highly secure dedicated security reference AIX instance that a ZTEA administrator has designated as secure. 

Q. How does ZTEA affect applications and users on the system?
A. ZTEA's default mode of operation is purely detection, i.e., the default mode will not stop executables or impact a running system adversely in any way. It is designed to be deployed safely on any type of AIX system and create no adverse impact to the running system or applications.

Q. Can ZTEA be used to fulfill security regulatory requirements?
A. Yes. ZTEA is designed to fulfill requirements for allowlisting, anti-virus, and malware detection and prevention.
 
Q. Is ZTEA easy to deploy?
A. Yes. ZTEA is designed to be easily deployed and maintained. Properly implementing AIX Trusted Execution’s allowlisting features can typically be very challenging. However, one of ZTEA's primary technical objectives is to reduce the time and difficulty of properly implementing AIX Trusted Execution’s allowlisting features.

Q. Does ZTEA have a low impact on performance?
A. Yes. ZTEA requires no additional performance resources to be added to your existing configurations. Once an executable is validated, subsequent accesses to the executable in memory incur no additional CPU cycles.

Q. Does ZTEA have a learning mode?
A. Yes. When ZTEA is initially deployed, it will go through an initial learning period. This learning period will allow ZTEA to automatically register executables not already registered to the AIX Trusted Execution database. Any time ZTEA adds a new executable to the AIX Trusted Execution database, ZTEA will use ClamAV to verify that the new executable doesn’t correspond to a known malware signature. ZTEA can also cross-reference the hashes of the new executables and classify them as either: “secure”, “trusted”, or “unknown”.
 
Q. How does ZTEA detect malware on a system if an attacker has had root access to the AIX instance for weeks or months, and may have compromised the local ClamAV or AIX Trusted Execution database?
A. ZTEA Hash Cross-referencing can verify the integrity of the executables on a system even if the local ClamAV or AIX Trusted Execution database has been compromised.
 
 

Minimum Software Level Requirements

  • AIX 7100-05-07-2037
  • AIX 7200-03-06-2038
  • AIX 7200-04-03-2038
  • AIX 7200-05
  • AIX 7.3
  • VIOS 4.1.0.10
  • Python 2.7
  • curl 8.3.0
  • openssl.base
  • ksh93
  • PowerSC GUI Server at 2.2.0.5 for PowerSC Custom Event support
 
Common Use Cases
  • Organizations needing to comply with regulatory or industry-specific requirements for malware or virus defense
  • Organizations wanting to implement ransomware, zero-day or polymorphic malware threat mitigation measures
  • Organizations wanting to detect suspicious activity involving unknown tools running on AIX
  • Organizations wanting to implement malware defense designed to provide extensive detection of all types of malware
  • Organizations seeking to reduce the security risk of one of the top causes of a data breach: malware
  • Organizations wanting to implement centralized monitoring and reporting of malware defense
  • Organizations wanting to adopt a malware defense designed to be easy to manage while still mitigating malware risk significantly
 
References
  1. Ponemon Institute.  Cost of a Data Breach Report 2023.  (July 2023)
  2. Center for Internet Security.  CIS Controls v8 Guide.  (2021)
  3. National Security Agency.  Embracing a Zero Trust Security Model.  (Feb 2021)
  4. Michelle Drolet.  Forbes – Why Zero Trust is Necessary in the Fight Against Ransomware.  (Mar 2023)
  5. A.J. Vicens.  Reuters – Complaints about Ransomware Attacks on US Infrastructure Rise 9%, FBI says.  (Apr 2025)
 

For questions, please contact AIX Security consultant and ZTEA creator and lead developer, Stephen Dominguez, at email

 


Document Information

Modified date:
10 November 2025

UID

ibm17145071