legit java possible FP / WIN 7 64bit with NOD 4.2.58.3

happened during in-depth scan last night, submitted for analysis. quality management though would be appreciated

 

Maybe a variant of Java/OpenStream as discussed in other AV forums as well? I've installed the latest version of Java RE 6.20 but all files inside were clean. I assume that files in the cache folder are created during an update, hence mine was empty.

 

got the same version, both 32bit as well as 64bit

I wouldn't know but doubt it due to different file location and file type, hence submitted it via NOD analysis as NOD saying probably. It probably could also be a FP. Nothing pops up with scans from other AV

 

Please submit the file per the instructions here. Submission via the program may take time as files are submitted during update by default and it may also be diffucult to locate your sample exactly.

 

d o n e

 

It doesn't seem to be FP. The idx file contains a reference to sxsxa.net which is known to have hosted Java exploits in the past.

 

is it confirmed to be hazardous/malicious? NOD does not seem to be able to clean it. the files seem to reside there since more than a month

 

yep, although did not delete the cache's sub-folders but the files are gone. remains the question of whether it makes sense from security point of view to disable java cache vs. speed. things in the cache should not be dangerous on their own, unless called for execution - which then latest should be caught be NOD? also having sandbox enabled for mixed code

 

Since the file resides in an archive, you should be prompted for an action to be performed on the archive when the scan completes. Make sure you run the scan in "cleaning" mode, ie. "Scan without cleaning" is unticked when running a custom scan and that cleaning mode is not set to "No cleaning" (by default, it's set to standard cleaning, in this case a prompt window with action selection must pop up at the end of a scan).

 

what sort of archive? NOD is reporting it as zip but obviously it is not, you got the files. Scan without cleaning is unticked, hence in cleaning mode. as you can see from the first screen shot NOD is reporting that it cannot clean it

 

Java Archives (JAR) files are valid ZIP files.

 

wouldn't it have to carry it the .jar extension? some of the files are without any, others .idx

 

File extensions only mean something to an application like Explorer, so it knows what to do with them when you double-click them. Take a look at .docx files (Word 2007 files), they're just ZIP files too and open in WinZip. It's the content that matters and that's determined in the header.

 

I have the same possible FP's, also Java tried to acces the internet, I temporarily allowed it(I have ESS) and then got 8 connection terminated pop-ups.

4 times this one:
~Snip~- probably a variant of Win32/Agent trojan connection terminated - quarantined
Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

And 4 times this one:
~Snip~ - multiple threats
connection terminated - quarantined
Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

Snipped: links to a dangerous site removed. The site was blacklisted. Please create a log from SysInspector and check it for suspicious files. You can also contact customer care who will be happy to assist you with analyzing the log and removing the infection. Since we were unable to get the malware from that site, please submit the content of your quarantine ("C:\Documents and Settings\%USER%\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine") to ESET per the instructions here with a link to this thread in the email subject.

 

Isn't all detections that starts with (probably a varitant of... Heuristic detections ?