
Trojan.Maljava - False Positive?

Created: 09 May 2013 • Updated: 09 May 2013 | 25 comments

Hello,

We currently have one user at my work who is having an issue with the Trojan.Maljava "infection". Last week he was receiving many popups, but by simply uninstalling the new Java, those stopped. He installed the new Java this week and is getting the notification that SEP is finding the "infection" and cleaning it, but this occurs 1-5 times a day and is annoying.

I have run scans with MalwareBytes, SuperAntiSpyware, and even SEP itself, and every time it comes up clean, but he keeps getting this notification.

Is this just a false positive or is something seriously wrong here that NOTHING is finding this "infection"?

I understand this is a "trojan" because Java is pretty much a joke software program that has a lot of vulnerabilities, but there is clearly no infection on the user's system, yet this keeps occurring.



Mithun Sanghavi's picture

Hello,

Trojan.Maljava is a detection name used by Symantec to identify malicious Java files that exploit one or more vulnerabilities.

http://www.symantec.com/security_response/writeup.jsp?docid=2010-102003-2856-99

These files may have been detected due to the low reputation of the files.

SONAR is the real-time protection that detects potentially malicious applications when they run on your computers. SONAR uses heuristics as well as reputation data to detect emerging and unknown threats. SONAR provides "zero-day" protection because it detects threats before traditional virus and spyware detection definitions have been created to address the threats.

Understanding Heuristics:

http://www.symantec.com/avcenter/reference/heuristc.pdf

This is likely a legitimate detection based upon the settings you have set for the SONAR component. To confirm whether or not what you are seeing is intended or unintended, please review the SONAR logs.

Monitors->Logs->Log Type: SONAR->Set an appropriate Time Range->View Log

Review the details for the detection that occurred to determine if the action taken was appropriate.

Review your settings for SONAR here once you have checked out the log for the detection:

Policies->Edit Virus and Spyware Protection Policy->Protection Technology: SONAR->System Change Events.

Handling and preventing SONAR false positive detections

http://www.symantec.com/docs/HOWTO55273

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

consoleadmin's picture

Trojan.Maljava is a detection method developed to identify harmful Java files. The Trojan will attempt to infect a computer by exploiting one or more software and system weaknesses. This Trojan is effective at invading a target computer in various ways. Through JavaScript files that reside on every malicious web site, it will attack defenseless visitors. Other means to spread Trojan.Maljava are via spam email messages, instant messenger applications and peer-to-peer connections.
http://www.precisesecurity.com/trojan/trojan-maljava

Thanks.

DavidC1988's picture

SEP keeps finding and cleaning these issues. I've done many scans, even with the Norton Power Eraser (which came up empty). With all the scans I've done it should've found something if it were to be an actual threat.

DavidC1988's picture

So I was trying the method of using the PowerEraser, and it didn't find anything related to the issue. 

I've researched, and all the sites give a list of where this infection hides in the registry. I've gone through it with a fine-tooth comb and none of these registry entries exist.

Something is messed up here, either there is nothing infected or the system is going haywire.

Mithun Sanghavi's picture

Hello,

The pop-ups you received were from Symantec Endpoint Protection, correct?

Could you post the screenshots of those Pop-ups?

Secondly, were they detected by Auto-protect OR SONAR?

What was the Action taken?

Could you check the Risk Logs:

Monitor->Logs->Risk Log->Set an appropriate Time Range->View Log

and

the SONAR Logs:

Monitors->Logs->Log Type: SONAR->Set an appropriate Time Range->View Log

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

They are from SEP, yes.

I believe it is just Auto-Protect (We use SEP 11 with SEP Manager)

It states that they are cleaned right away, and also shows they are cleaned in SEP Manager.

They get cleaned but the infection still keeps coming.

Mithun Sanghavi's picture

Hello,

Could you name the file and path of the file which it is detecting again and again?

https://www-secure.symantec.com/connect/forums/security-risk-detected-trojanmaljavagen23

Could you try disabling the Java Auto-update and check if that helps!!

Secondly, there was a recent update on Symantec Endpoint Protection definitions for Trojan.Maljava

Latest Daily Certified version May 9, 2013 revision 017

Could you check if the SEP client is carrying the Latest definitions?

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

He is currently on May 9 2013 revision 004 (as with all of my current users). I just sent out a virus definitions update to all users this minute.

Path location (since it is cleaning it): C:\ProgramData\Symantec\SRTSP\Quarantine\APQA53D.tmp

Type: Trojan.Maljava (not Trojan.Maljava!Gen23 and the others that are around)

tracker0's picture

I had one user report this today as well. The files were deleted automatically and a pop-up notice appeared on the screen. What's weird is that the support team did not get an email as we usually do when an alert like this comes up. One of the filenames is urn.class under the ....\AppData\LocalLow\Sun\Java\Deployment\cache... file is attached.

image001.jpg
consoleadmin's picture

Hello

Is your system updated with all the latest Windows security patches?

There are two common reasons for virus issues (antivirus is out of date, and security patches are not updated).

So kindly check both on the system and also follow the technical details in the link below:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-102003-2856-99&tabid=2

Check and reply.

Thanks.

DavidC1988's picture

Everything is up to date. He is the only one experiencing this issue.

I've been through those technical details many times; nothing is getting rid of this. I think Java itself is the bloody issue, but it is needed.

DavidC1988's picture

Client is updated to the 05-09-2013 Revision 23 virus updates, sent a remote Full Scan, so hopefully this fixes the dang issue.

Also, admin_sepm, if this does not fix the issue I am going to try what you showed in that link.

Mithun Sanghavi's picture

Hello,

In your case, the File is :

C:\ProgramData\Symantec\SRTSP\Quarantine\APQA53D.tmp

Check this Article:

Virus being detected in the quarantine folder of the Symantec Endpoint Protection client APQ*.tmp

http://www.symantec.com/docs/TECH167254

and

I would suggest you to follow the steps provided in this Thread below:

https://www-secure.symantec.com/connect/forums/security-risk-detected-trojanmaljavagen23

Hope that helps!!

Mithun Sanghavi
Associate Security Architect
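A triage helper I would add at this point (an added example, not code from this thread, from Symantec, or from the TECH167254 article): it inventories the two folders named in this thread, the SEP quarantine folder C:\ProgramData\Symantec\SRTSP\Quarantine and the Java Deployment cache, recording size, last-write time and SHA-256 for each file, so a recurring detection can be matched to a concrete file and its hash used when asking Symantec to review a suspected false positive. Assumptions: the Java cache lives under the user's AppData\LocalLow (the thread shows only the tail of that path), Get-FileHash is available (PowerShell 4 or later), and the CSV output path is an arbitrary choice.

```powershell
# Added triage helper (not from the thread or from Symantec): inventory the
# Java Deployment cache and the SEP quarantine folder so a repeated
# Trojan.Maljava detection can be matched to a concrete file and hash.
# Assumptions: the cache path prefix under AppData\LocalLow, and that
# Get-FileHash (PowerShell 4+) is available on the client.

param(
    [string]$JavaCache  = (Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\cache'),
    [string]$Quarantine = 'C:\ProgramData\Symantec\SRTSP\Quarantine',
    [string]$OutCsv     = (Join-Path $env:TEMP 'maljava-triage.csv')
)

function Get-TriageInventory {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) {
            Write-Warning "Path not found: $root"
            continue
        }
        Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Quarantined files may be locked by the AV engine; record that
                # instead of aborting the whole inventory.
                $hash = 'UNREADABLE'
                try { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } catch { }
                [pscustomobject]@{
                    Root          = $root
                    Path          = $_.FullName
                    SizeBytes     = $_.Length
                    LastWriteTime = $_.LastWriteTime
                    SHA256        = $hash
                }
            }
    }
}

$inventory = Get-TriageInventory -Roots @($JavaCache, $Quarantine)

# Files written in the last 24 hours are the ones most likely to be behind a
# detection that recurs daily (e.g. a cache entry refetched after Java updates).
$recent = $inventory | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }
$recent | Sort-Object LastWriteTime -Descending |
    Format-Table Path, SizeBytes, LastWriteTime, SHA256 -AutoSize

# Quarantine entries named APQ*.tmp are the case the thread's TECH167254 link
# describes (the quarantined copy being re-detected); list them separately.
$inventory | Where-Object { $_.Root -eq $Quarantine -and $_.Path -like '*\APQ*.tmp' } |
    Format-Table Path, LastWriteTime, SHA256 -AutoSize

$inventory | Export-Csv -LiteralPath $OutCsv -NoTypeInformation
Write-Host "Inventory written to $OutCsv"
```

Run it in the affected user's session (so $env:USERPROFILE resolves to that user's profile) once after a detection pop-up, then compare the timestamps and hashes against the Risk log entry for the same time; the same SHA-256 turning up both in the cache and in an APQ*.tmp quarantine file is the pattern to look for before deciding whether to clear the quarantine or submit the file for review.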

DavidC1988's picture

When I change the "when new definitions arrive, do nothing" setting, will this mean the program will never update again, or does it mean to just ignore that quarantined/cleaned file?

Also, I am looking at my client side SEP program and do not see the Virus and Spyware protection policy as it says. 

Brɨan's picture

It just means that anything in quarantine will not be scanned when new definitions load. You're better off deleting anything in quarantine unless you know it is a true false positive.

SEP will still update and perform as expected.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

Mithun Sanghavi's picture

Hello,

Clicking "Do Nothing" specifies that the client does not try to repair quarantined files when a computer receives new virus and security risk definitions.

Hope that helps!!

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

99% of the time anything in quarantine (especially for this user) I remove(d). This is messed up.

I just checked SEP Manager and it shows nothing for this user, so maybe last night's update fixed the issue. Will need to get confirmation from the user and will update later.

Mithun Sanghavi's picture

Hello,

Thank you. Please update the Symantec Forums on this issue.

Hopefully the definitions have resolved the issue.

If not, you may work on the suggestions provided above.

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

I am still going to give the suggestions a try, and will keep this bookmarked for future reference. Is it ok if we keep this open for a few more days?

Brɨan's picture

You can keep it open until you get this resolved.

Mithun Sanghavi's picture

Hello,

Absolutely. You can keep this OPEN till your issue is completely resolved.

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

Just a quick update, I have been following SEP Manager and noticed 0 new notifications for this issue *KNOCK ON WOOD* and no reports from the user. Will need to confirm tomorrow when the user is in.

Mithun Sanghavi's picture

Hello,

Thank you for the update.

This thread is under my observation.

Mithun Sanghavi
Associate Security Architect

DavidC1988's picture

Hi Mithun,

Thanks for supervising. I have talked to the user and he says that he has received 0 new notifications *KNOCK ON WOOD*. I told him about the SEP virus definition updates last week which may have fixed the issue. You can close this. If need be in the future I will reopen it and quote this thread :)

Mithun Sanghavi's picture

Hello David, 

In case you feel that your issue is resolved, you would have to mark one of the posts above which you feel has resolved your issue as "Solved".

Thank you for updating this thread.

Mithun Sanghavi
Associate Security Architect