legit java possible FP / WIN 7 64bit with NOD 4.2.58.3

Discussion in 'ESET NOD32 Antivirus' started by vtol, Jul 8, 2010.

Thread Status:
Not open for further replies.
  1. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Happened during an in-depth scan last night; submitted for analysis. Quality management, though, would be appreciated.

    [attached screenshots: 08-07-2010 09-01-24.png, 08-07-2010 09-17-28.png]
     
    Last edited: Jul 8, 2010
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Maybe a variant of Java/OpenStream as discussed in other AV forums as well? I've installed the latest version of Java RE 6.20 but all files inside were clean. I assume that files in the cache folder are created during an update, hence mine was empty.
     
  3. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Got the same version, both 32-bit as well as 64-bit.

    I wouldn't know, but I doubt it due to the different file location and file type; hence I submitted it via NOD analysis, as NOD is saying "probably". It could also be an FP. Nothing pops up with scans from other AVs.
     
    Last edited: Jul 8, 2010
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please submit the file per the instructions here. Submission via the program may take time, as files are submitted during update by default, and it may also be difficult to locate your sample exactly.
     
  5. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Done.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It doesn't seem to be FP. The idx file contains a reference to sxsxa.net which is known to have hosted Java exploits in the past.
     
  7. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Is it confirmed to be hazardous/malicious? NOD does not seem to be able to clean it. The files seem to have resided there for more than a month.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Can you clear your Java cache from the control panel?
     
  9. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Yep, although it did not delete the cache's sub-folders, but the files are gone. That leaves the question of whether it makes sense from a security point of view to disable the Java cache vs. speed. Things in the cache should not be dangerous on their own, unless called for execution, which then at the latest should be caught by NOD? Also having the sandbox enabled for mixed code.

    [attached screenshot: 08-07-2010 13-42-03.png]
     
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    I'm not using Java at the moment but while using, I set the cache to zero with no seemingly ill effects on speed.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since the file resides in an archive, you should be prompted for an action to be performed on the archive when the scan completes. Make sure you run the scan in "cleaning" mode, i.e. "Scan without cleaning" is unticked when running a custom scan, and that the cleaning mode is not set to "No cleaning" (by default it is set to standard cleaning; in this case a prompt window with action selection must pop up at the end of a scan).
     
  12. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    What sort of archive? NOD is reporting it as zip, but obviously it is not; you got the files. "Scan without cleaning" is unticked, hence in cleaning mode. As you can see from the first screenshot, NOD is reporting that it cannot clean it.
     
  13. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Java Archives (JAR) files are valid ZIP files.
     
  14. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
    Wouldn't it have to carry the .jar extension? Some of the files are without any, others .idx.
     
  15. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    668
    File extensions only mean something to an application like Explorer, so it knows what to do with them when you double-click them. Take a look at .docx files (Word 2007 files); they're just ZIP files too and open in WinZip. It's the content that matters, and that's determined by the header.
     
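The two points made in the last few posts (a JAR is a ZIP and is identified by its header, not its extension; the .idx file beside each cached entry carries the URL it was fetched from) can be checked by hand on a Java deployment cache. The script below is an added example written for this page, not code from the thread or from ESET. It assumes the layout vtol describes (an extension-less payload file next to a same-named .idx), treats the .idx as an opaque binary and only carves URL-looking strings out of it rather than parsing its structure, and builds its own constructed sample cache in a temporary directory so it runs offline. The blocklist host `cache.example.invalid` is a placeholder; on a real Windows 7 box you would point `audit_cache` at `%USERPROFILE%\AppData\LocalLow\Sun\Java\Deployment\cache\6.0` (assumed default location for Java 6).

```python
"""Audit a Java deployment-cache directory: identify cached JARs by ZIP magic
(not by extension) and carve origin URLs out of the sibling .idx files."""
import re
import tempfile
import zipfile
from pathlib import Path
from urllib.parse import urlparse

ZIP_MAGIC = b"PK\x03\x04"  # ZIP local-file-header signature; every JAR starts with it
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+")


def is_zip(path):
    """True if the file starts with the ZIP local-file-header magic, whatever its name."""
    with open(path, "rb") as f:
        return f.read(4) == ZIP_MAGIC


def jar_summary(path):
    """Entry count, number of .class files and whether a JAR manifest is present."""
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
    return {
        "entries": len(names),
        "classes": sum(1 for n in names if n.endswith(".class")),
        "manifest": "META-INF/MANIFEST.MF" in names,
    }


def urls_in_idx(path):
    """Heuristic: the .idx format is binary, so only URL-looking strings are carved.
    Assumption: no structural parse of the .idx layout is attempted here."""
    found = URL_RE.findall(path.read_bytes())
    return sorted({u.decode("ascii", "replace") for u in found})


def audit_cache(cache_dir, blocklist=()):
    """Walk cache_dir; for every .idx report its URLs and the sibling payload
    (same name, no extension), flagging payloads that are ZIP/JAR regardless of
    extension and URLs whose host is on the blocklist."""
    blocked = {h.lower() for h in blocklist}
    report = []
    for idx in sorted(Path(cache_dir).rglob("*.idx")):
        payload = idx.with_suffix("")  # "<name>.idx" -> "<name>"
        urls = urls_in_idx(idx)
        hosts = {(urlparse(u).hostname or "").lower() for u in urls}
        entry = {
            "idx": idx.name,
            "urls": urls,
            "blocked_hosts": sorted(hosts & blocked),
            "payload_present": payload.is_file(),
            "payload_is_zip": payload.is_file() and is_zip(payload),
        }
        if entry["payload_is_zip"]:
            entry["jar"] = jar_summary(payload)
        report.append(entry)
    return report


def build_sample_cache(root):
    """Constructed sample (not a real cache dump): one bucket directory holding a
    JAR stored under an extension-less name plus an .idx carrying its origin URL."""
    bucket = Path(root) / "6.0" / "17"
    bucket.mkdir(parents=True)
    payload = bucket / "3a5c7e9f-1b2d4f68"
    with zipfile.ZipFile(payload, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        # class-file magic plus padding; enough to look like a class entry
        z.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    # Binary-looking prefix, then the URL, mimicking strings embedded in an .idx
    idx_bytes = (b"\x00\x01\x00\x00\x02\x5b"
                 + b"http://cache.example.invalid/applet/Loader.jar"
                 + b"\x00\x00")
    payload.with_suffix(".idx").write_bytes(idx_bytes)
    return bucket


def run_demo():
    """Build the constructed cache, audit it with a one-host blocklist, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_cache(tmp)
        return audit_cache(tmp, blocklist=["cache.example.invalid"])


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Because the check keys on the `PK\x03\x04` header, a cached applet shows up as a JAR whether the file is named `.jar`, `.zip` or nothing at all, which is why a scanner reports it as an archive. The URL carving is what lets you tie a flagged payload back to the site that served it, as the ESET staff did with the .idx in this thread.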
  16. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    I have the same possible FPs. Java also tried to access the internet; I temporarily allowed it (I have ESS) and then got 8 "connection terminated" pop-ups.

    4 times this one:
    ~Snip~ - probably a variant of Win32/Agent trojan - connection terminated - quarantined
    Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

    And 4 times this one:
    ~Snip~ - multiple threats
    connection terminated - quarantined
    Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.

    Snipped: links to a dangerous site removed. The site was blacklisted. Please create a log from SysInspector and check it for suspicious files. You can also contact customer care who will be happy to assist you with analyzing the log and removing the infection. Since we were unable to get the malware from that site, please submit the content of your quarantine ("C:\Documents and Settings\%USER%\Local Settings\Application Data\ESET\ESET NOD32 Antivirus\Quarantine") to ESET per the instructions here with a link to this thread in the email subject.
     
    Last edited by a moderator: Jul 8, 2010
  17. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Aren't all detections that start with "probably a variant of..." heuristic detections? :rolleyes:
     