Nov 9 ESET NOD32 virus update

So today's eset update is flagging a whole bunch of java files in our enviroments as trojans (Java/Exploit.CVE-2010-0094.E) even files directly downloaded from Oracle.com are being flagged by the HTTP scanner. We are a Java-code shop so this is pretty bad. Anyone else having a lot of detections today?

 

detection seems been added today with Virus signature database: 5604 (20101109). chance of FP? which dl from Oracle gets flagged?

https://www.wilderssecurity.com/showthread.php?p=1781455

 

YEP! We're getting the same thing! Anyone know whats going on

 

Column Name Value
Threat Id Threat 764
Date Received 2010-11-09 11:33:54
Date Occurred 2010-11-09 11:31:02
Level Warning
Scanner HTTP filter
Object file
Name http://download.oracle.com/auth/otn...1289492845&h=6ba92b2f59356b6b8100af24118031f8
Threat a variant of Java/Exploit.CVE-2010-0094.E trojan
Action connection terminated - quarantined
Information Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
Details Ready

 

confirmed, getting the same from that download, curiously though by the http filter after the download completed

due to the filesize of 127 mb it cannot be submitted to the Eset lab for analysis from the NOD quarantine, as it seems to be a FP

WIN 7 64bit / NOD 4.2.64.12

Virus signature database: 5604 (20101109)
Update module: 1031 (20091029)
Antivirus and antispyware scanner module: 1292 (2010102
Advanced heuristics module: 1114 (20100827)
Archive support module: 1122 (20100826)
Cleaner module: 1048 (20091123)
Anti-Stealth support module: 1022 (20100812)
SysInspector module: 1217 (20100907)
Self-defense support module : 1018 (20100812)
Real-time file system protection module: 1004 (20100727)

 

An FP?

 

just unpacked that dl from Oracle, the file in question with 47 mb is still too large to submit from the NOD quarantine

 

Hello,
this FP will be addressed shortly in update 5605. During 4 hours the last update had been available, we have not received any reports of the FP until the one here posted recently. The FP does not seem to affect many users according to the statistics from ThreatSense.Net. Nevertheless, updates were temporarily stopped until a remedy is available.

 

Hey Marcos,

Thanks for your help. It looks like Update 5605 didn't resolve the issue for us. It is still showing javax/management/MBeanServer.class as Java/Exploit.CVE-2010-0094

 

We are seeing the same thing on stations, even after the 5605 update

 

Hello,

1. Please try clearing the cache and deleting the update files:
http://kb.eset.com/esetkb/index?page=content&id=SOLN2134

2. Then restart your computer and make sure you have the latest virus signature database update.

Please let us know if this helps.

Thank you,
Richard

 

We're cheching it and have preventively suspended the update. We'll keep you updated.

 

Hi, could you send some sample (at least a file from quarantine) which is being detected with 5605 to samples@eset.sk ?

This:
http://download.oracle.com/auth/otn...1289492845&h=6ba92b2f59356b6b8100af24118031f8

and JRE seems to be all clean...

 

The smallest .jar that I can find with the issue is around 40-50mb, our e-mail policy can't send more than 30mb. Do you guys have an ftp that I can upload to?

 

detected
C:\Program Files\Java\jre6\lib\rt.jar » ZIP » javax/management/MBeanServer.class - a variant of Java/Exploit.CVE-2010-0094.E trojan

now i have to re-install Java on hundreds of computers.

 

We've received about 40 unique MBeanServer.class files via ThreatSense.Net out of which none is detected with the signature db 5605. Should you have a class file that is still detected, let us know here and submit it to ESET per the instructions here. Since the class file is located within a large jar file, you can extract it (e.g. using 7-zip) and submit just the small class file.

I'd like to emphasize that jar files are only scanned by the on-demand scanner and are not quarantined automatically if there are also clean files inside.

 

File xyz upload to Snipped: link removed
- upload the file to directory „samples“ (write-only)
- notify us that you uploaded the sample file /with name of uploaded file/, please.

Thank you for your assistance

 

Surely this won't be necessary. However, I wonder how the class file was detected within the jar archive as only the on-demand scanner can scan inside and it does not quarantine archives automatically if an archive contain clean files as well.

 

The java files that were shown as infected yesterday afternoon all scan as clean this morning. Thanks for all your help everyone.

 

in our case, NOD32 was was picking up some .jar files in peoples AppData directory. This appeared that NOD was missing some trojans, so we ran a on demand scan on all pc's to see what else it missed.
Apparently you cant trust NOD32's definitions.

 

If a file has been flagged incorrectly as malware, it's possible to restore it centrally from quarantine via ERA and exclude it from scanning at the same time.