Nov 9 ESET NOD32 virus update

Discussion in 'ESET NOD32 Antivirus' started by rrawson, Nov 9, 2010.

Thread Status:
Not open for further replies.
  1. rrawson

    rrawson Registered Member

    Joined:
    Aug 13, 2010
    Posts:
    17
    So today's ESET update is flagging a whole bunch of Java files in our environments as trojans (Java/Exploit.CVE-2010-0094.E); even files directly downloaded from Oracle.com are being flagged by the HTTP scanner. We are a Java-code shop so this is pretty bad. Anyone else having a lot of detections today?
     
  2. vtol

    vtol Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    774
    Location:
    just around the next corner
  3. ErinGoBraugh

    ErinGoBraugh Registered Member

    Joined:
    Nov 9, 2010
    Posts:
    2
    YEP! We're getting the same thing! Anyone know what's going on? o_O
     
  4. rrawson

    rrawson Registered Member

    Column Name      Value
    Threat Id        Threat 764
    Date Received    2010-11-09 11:33:54
    Date Occurred    2010-11-09 11:31:02
    Level            Warning
    Scanner          HTTP filter
    Object           file
    Name             http://download.oracle.com/auth/otn...1289492845&h=6ba92b2f59356b6b8100af24118031f8
    Threat           a variant of Java/Exploit.CVE-2010-0094.E trojan
    Action           connection terminated - quarantined
    Information      Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Details          Ready
     
  5. vtol

    vtol Registered Member

    confirmed, getting the same from that download, curiously though by the http filter after the download completed

    due to the filesize of 127 mb it cannot be submitted to the Eset lab for analysis from the NOD quarantine, as it seems to be a FP

    WIN 7 64bit / NOD 4.2.64.12

    Virus signature database: 5604 (20101109)
    Update module: 1031 (20091029)
    Antivirus and antispyware scanner module: 1292 (20101028)
    Advanced heuristics module: 1114 (20100827)
    Archive support module: 1122 (20100826)
    Cleaner module: 1048 (20091123)
    Anti-Stealth support module: 1022 (20100812)
    SysInspector module: 1217 (20100907)
    Self-defense support module : 1018 (20100812)
    Real-time file system protection module: 1004 (20100727)
     
  6. ErinGoBraugh

    ErinGoBraugh Registered Member

  7. vtol

    vtol Registered Member

    just unpacked that dl from Oracle, the file in question with 47 mb is still too large to submit from the NOD quarantine

     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    this FP will be addressed shortly in update 5605. During the 4 hours the last update had been available, we had not received any reports of the FP until the one posted here recently. The FP does not seem to affect many users according to the statistics from ThreatSense.Net. Nevertheless, updates were temporarily stopped until a remedy is available.
     
  9. rrawson

    rrawson Registered Member

    Hey Marcos,

    Thanks for your help. It looks like Update 5605 didn't resolve the issue for us. It is still showing javax/management/MBeanServer.class as Java/Exploit.CVE-2010-0094
     
  10. mikvar

    mikvar Registered Member

    Joined:
    Sep 11, 2008
    Posts:
    3
    We are seeing the same thing on stations, even after the 5605 update
     
  11. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
    Hello,

    1. Please try clearing the cache and deleting the update files:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN2134

    2. Then restart your computer and make sure you have the latest virus signature database update.

    Please let us know if this helps.

    Thank you,
    Richard
     
  12. Marcos

    Marcos Eset Staff Account

    We're checking it and have preventively suspended the update. We'll keep you updated.
     
    Last edited: Nov 9, 2010
  13. flom

    flom Eset Staff

    Joined:
    Dec 11, 2008
    Posts:
    2
  14. rrawson

    rrawson Registered Member

    The smallest .jar that I can find with the issue is around 40-50mb, our e-mail policy can't send more than 30mb. Do you guys have an ftp that I can upload to?
     
  15. jeramy_t

    jeramy_t Registered Member

    Joined:
    Aug 12, 2009
    Posts:
    22
    detected
    C:\Program Files\Java\jre6\lib\rt.jar » ZIP » javax/management/MBeanServer.class - a variant of Java/Exploit.CVE-2010-0094.E trojan

    now I have to re-install Java on hundreds of computers.
     
  16. Marcos

    Marcos Eset Staff Account

    We've received about 40 unique MBeanServer.class files via ThreatSense.Net out of which none is detected with the signature db 5605. Should you have a class file that is still detected, let us know here and submit it to ESET per the instructions here. Since the class file is located within a large jar file, you can extract it (e.g. using 7-zip) and submit just the small class file.

    I'd like to emphasize that jar files are only scanned by the on-demand scanner and are not quarantined automatically if there are also clean files inside.
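
The extraction step described in the post above, as an added example that is not part of the original thread and not ESET tooling: it pulls one class out of a jar, checks the Java class-file magic, and groups jars by the SHA-256 of that entry so each distinct variant only needs to be submitted once. The jar contents and machine labels are constructed stand-ins; only the entry name comes from the thread.

```python
import hashlib
import io
import zipfile

ENTRY = "javax/management/MBeanServer.class"  # entry named in the thread
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def describe_sample(jar, entry_name=ENTRY):
    """Extract one entry from a jar (path or file object) and summarise it."""
    with zipfile.ZipFile(jar) as zf:
        data = zf.read(entry_name)  # raises KeyError if the entry is absent
    return {
        "entry": entry_name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_class_file": data[:4] == CLASS_MAGIC,
        "data": data,  # write this to disk to submit just the small file
    }


def group_by_variant(jars, entry_name=ENTRY):
    """Map sha256 -> sorted labels of the jars holding that exact copy."""
    variants = {}
    for label, jar in jars.items():
        try:
            digest = describe_sample(jar, entry_name)["sha256"]
        except KeyError:
            continue  # this jar does not contain the entry at all
        variants.setdefault(digest, []).append(label)
    return {digest: sorted(labels) for digest, labels in variants.items()}


def build_constructed_jar(body):
    """Constructed stand-in for rt.jar; body=None leaves the class out."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if body is not None:
            zf.writestr(ENTRY, CLASS_MAGIC + b"\x00\x00\x00\x32" + body)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed fleet: two machines share one variant, one differs, one lacks it.
    fleet = {"pc-01": build_constructed_jar(b"body A"), "pc-02": build_constructed_jar(b"body A"),
             "pc-03": build_constructed_jar(b"body B"), "pc-04": build_constructed_jar(None)}
    for digest, labels in group_by_variant(fleet).items():
        print(digest[:16], labels)
```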
     
  17. princ

    princ Registered Member

    Joined:
    Nov 25, 2008
    Posts:
    9
    File xyz upload to Snipped: link removed
    - upload the file to directory „samples“ (write-only)
    - notify us that you uploaded the sample file /with name of uploaded file/, please.

    Thank you for your assistance
     
  18. Marcos

    Marcos Eset Staff Account

    Surely this won't be necessary. However, I wonder how the class file was detected within the jar archive as only the on-demand scanner can scan inside and it does not quarantine archives automatically if an archive contains clean files as well.
     
  19. rrawson

    rrawson Registered Member

    Joined:
    Aug 13, 2010
    Posts:
    17
    The java files that were shown as infected yesterday afternoon all scan as clean this morning. Thanks for all your help everyone.
     
  20. jeramy_t

    jeramy_t Registered Member

    In our case, NOD32 was picking up some .jar files in people's AppData directory. This appeared that NOD was missing some trojans, so we ran an on-demand scan on all PCs to see what else it missed.
    Apparently you can't trust NOD32's definitions.
     
  21. Marcos

    Marcos Eset Staff Account

    If a file has been flagged incorrectly as malware, it's possible to restore it centrally from quarantine via ERA and exclude it from scanning at the same time.
     