Java Viruses not being denied disk IO access
My SEPM reports a lot of Java viruses lately. I'm running 6.21 on everything, and uninstalling previous versions. So I think I'm protected by that.
I am concerned though that I am not being denied access to these files. The file with the virus is e9853ab-3d29fb7b. When I go to open it in notepad or copy it or whatever, Symantec lets me. It is not denied access. Yet it is malware.
Why is that? A setting I have set? Because I'm not scanning archives in realtime?
At least one security risk found:
Risk name: Trojan Horse
File path: c:\Documents and Settings\nimsr\Application Data\Sun\Java\Deployment\cache\6.0\43\e9853ab-3d29fb7b>>seopack.class
Event time: 2010-07-30 05:13:46 GMT
Database insert time: 2010-07-30 05:23:48 GMT
User: SYSTEM
Action taken on risk: Left alone
Comments
If you know the file, you can submit the file to the following link
Web URL: http://www.symantec.com/business/security_response...
Also try to run any of the following tools
Power Eraser Overview
Web URL: https://www-secure.symantec.com/connect/videos/power-eraser-overview
Symantec Endpoint Recovery Tool (SERT)
Web URL: https://www-secure.symantec.com/connect/videos/sym...
Thanks & Regards,
Mudit Kumar
I'm not sure I understand
Symantec detects the file as a virus. It is already in the pattern files. My question is why would/is the real time not blocking access to it.
'Left Alone' and Permissions issues
Can you check out this thread http://service1.symantec.com/SUPPORT/ent-security....?
The file path is actually given as
So is 'e9853ab-3d29fb7b' a file, a folder, or an archive?
For the example given, how was the detection made (Auto-Protect, manual scan, scheduled scan)?
Here's some info on what the "Left alone" action can mean.
Title: 'Best Practices for responding to "Left Alone" in the virus or threat history log'
http://service1.symantec.com/SUPPORT/ent-security....
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Don't forget to mark your thread as 'solved' with the answer that best helped you!
Same issues
I am having the same issue on my computers. I get 10 of these a night now, and have been all week.
The files are being found by the Scheduled Scan, not the real time scanner, which is what the Original Poster was asking about. How come these are not found right away?
The file "e9853ab-3d29fb7b" is actually an idx file, which I think is some type of Java applet cache.
While we are glad that Symantec is finding and dealing with these files (in my case they are Quarantined), it would be nice to know why they sit on the computer till the scheduled scan.
Thanks for the help. Attached is a screen shot of my SEPM notifications I have setup.
It is possible that the files existed prior to a detection being added to the definition set, so Auto-Protect wouldn't have seen it as it was being written, but a scan done after the definitions were updated would have caught it 'sitting' on the drive. Hope that makes sense.
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Thanks Sandra.g,
Yes that does make sense, and is possibly the problem. I have seen similar things before, but not on the scale I am seeing now.
Is there any way we can check and see if a bunch of Java virus definitions have been added this week? That way we know this is what is happening?
Detections added are noted here, but the detections are given by threat name, not type of file or specific code detected.
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
Even with current patterns, real time does not detect it
e9853ab-3d29fb7b is the file name, not the folder name. It's like a JAR file, aka a ZIP file. Inside of it is a java class which is a virus.
From what I am gathering, I am not blocked access to it because I have leave alone set and I am accessing the file across a network using the admin share to the C$ drive. And the document above says that combination is not inspected for viruses. Especially since I have scan network drives enabled, but to trust PCs running SEP.
I'm guessing the realtime is not picking it up because it knows it's an archive, and I have scanning of archives on the realtime scanner turned off, as per the recommendations found on symantec.com.
So am I safe in assuming that when java.exe unzips the jar into memory and tries to load it, that is when Symantec saves me from these Java viruses? Using ZENworks I have Java 6 build 21 on all my PCs and I have removed all previous Java versions. So I'm pretty safe, compared to others. I'd just like clarification so I know what's going on. ESET NOD32, which is what I am coming from, blocked access to these files. I could not open them up in notepad remotely.
I'm guessing the realtime is not picking it up because it knows it's an archive, and I have scanning of archives on the realtime scanner turned off, as per the recommendations found on symantec.com.
So am I safe in assuming that when java.exe unzips the jar into memory and tries to load it, that is when Symantec saves me from these Java viruses?
That's exactly what happens if an archive file containing suspect content is uncompressed--Auto-Protect would intercept.
sandra
Symantec Technical Support Engineer, LAM/NAM // SAV/SEP for Mac
If it is being treated as an archive file then it sounds like SEP is working by design:
- If you right click and choose to scan an archive the infected file will be removed
- If the file is scanned as part of a scheduled scan the infected file will be removed
- If the infected file is extracted it will be detected by the real time protection as it is copied to the hard drive
If you are just viewing the archive the infected file is not removed or scanned whilst it is inside the archive container.
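The thread turns on two facts: the cache file e9853ab-3d29fb7b is a JAR (a ZIP container) holding a .class entry, and real-time protection with archive scanning disabled only reacts when a member is extracted or written to disk, so a scheduled scan or a manual inspection is what finds the file sitting in the Java Deployment cache. The following script is an added triage example, not code from this thread or from Symantec: it opens a cache file read-only, confirms it is a ZIP container, lists the members, flags those that carry the Java class-file magic, and records each member's SHA-256 so an administrator has the hashes ready when submitting a sample. The sample archive is constructed in memory for the demonstration; the member name seopack.class comes from the log excerpt above, but its bytes are placeholder data, not the detected class.

```python
import hashlib
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"          # local file header that opens a ZIP/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # first four bytes of every Java class file


def inspect_cache_entry(data: bytes) -> dict:
    """Inspect the bytes of one Java Deployment cache file without executing it.

    Returns whether the bytes are a ZIP/JAR container and, for each member,
    its name, decompressed size, SHA-256 and whether it looks like a Java
    class (starts with the 0xCAFEBABE class-file magic).
    """
    if not data.startswith(ZIP_MAGIC):
        return {"is_archive": False, "members": []}
    members = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)  # decompressed in memory only, never written out
            members.append({
                "name": info.filename,
                "size": len(content),
                "sha256": hashlib.sha256(content).hexdigest(),
                "is_class": content.startswith(CLASS_MAGIC),
            })
    return {"is_archive": True, "members": members}


def class_members(summary: dict) -> list:
    """Names of the members that look like Java class files."""
    return [m["name"] for m in summary["members"] if m["is_class"]]


def build_sample_cache_file() -> bytes:
    """Constructed sample: a tiny JAR-like ZIP with a manifest and a placeholder class.

    The class entry is only the class-file magic, a version word and zero padding;
    it is not a real class and is here solely so the inspection has something to flag.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("seopack.class", CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16)
    return buf.getvalue()


def inspect_cache_path(path: str) -> dict:
    """Read a cache file from disk (e.g. one under Sun\\Java\\Deployment\\cache) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_cache_entry(fh.read())


if __name__ == "__main__":
    summary = inspect_cache_entry(build_sample_cache_file())
    print("archive:", summary["is_archive"])
    for m in summary["members"]:
        tag = "CLASS" if m["is_class"] else "other"
        print(f"{tag:5} {m['size']:6d} {m['sha256'][:16]}... {m['name']}")
```

Run it against a real cache entry with inspect_cache_path(r"C:\Documents and Settings\<user>\Application Data\Sun\Java\Deployment\cache\6.0\43\e9853ab-3d29fb7b"); because the members are decompressed only in memory and never written to disk, this inspection does not itself trigger Auto-Protect, which matches the behaviour described above: the container is left alone until something extracts its contents.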