Endpoint Protection

  • 1.  Can someone explain JAVA, Trojan.ByteVerify, etc to me please?

    Posted Mar 08, 2010 08:18 AM

    I've been blocking a lot of things from the user profile area with SEP application control. This has saved us many, many times! However, the boss is concerned, as this also blocks JAVA installs and updates...
    I believe users should not (in our environment) have control over any updates or installs anyway... and fear that if I open things up, we'll have a lot more problems here.
    For example, last Friday, in less than ONE hour, SEP stopped 3 things from getting in!
    All three were stopped by my application control - EXEs attempting to run from the web browser cache while they visited web sites, and on one of those computers, I noted in the JAVA logs that JAVA was attempting an install or update.
    Odd, as at the same time the logs said JAVA was doing an install or update, my SEP logs show app control was blocking an exe in the web cache AND in the user profile temp folder, pdfupd.exe.
    And on the same computer at the exact same time, SEP deletes Trojan.ByteVerify.
    What exactly is that, why does it ALWAYS appear with a Java install or upgrade, and why at the exact same time the pdfupd.exe was trying to run, and the same time setup[1].exe was trying to run from the cache (it kept changing names in the cache; it started out as setup and ended up as some really long complex name)?


    So on this ONE computer, setup.exe was attempting to run in the browser cache area, pdfupd.exe was trying to run in the temp folder, and at the same time, SEP sends me this:

    Risk name: Trojan.ByteVerify

    File path: c:\Documents and Settings\Mary.Jackson\Application Data\Sun\Java\Deployment\cache\6.0\15\368dd54f-422b53a3>>AppletX.class

    Event time: 2010-03-05 21:38:16 GMT

    Database insert time: 2010-03-05 21:46:37 GMT

    User: SYSTEM

    Computer: VR008160RKZH58B

    IP Address: 10.252.8.17

    Domain: IVRS-SEP1

    Server: VRDSMSEP1

    Client Group: My Company\Client Computers\Desktop

    Action taken on risk: Cleaned by deletion

    WHAT is Trojan.ByteVerify, why does it appear to be a JAVA update? Is it part of a Java update? Is it legit? How and why would JAVA be trying to install - the LEGIT REAL ACTUAL JAVA logs do show JAVA was attempting a valid process... does this come in the guise of a JAVA install? Does JAVA do this thinking it's a valid part of JAVA?



  • 3.  RE: Can someone explain JAVA, Trojan.ByteVerify, etc to me please?

    Posted Mar 09, 2010 06:18 AM
    Below is the link which provides information on Trojan.ByteVerify

     http://www.symantec.com/security_response/writeup.jsp?docid=2003-090514-4048-99&tabid=2

    Below is the link to Microsoft Security Bulletin MS03-011; it provides the technical details of the vulnerability which the threat uses to compromise security on the machine.




  • 4.  RE: Can someone explain JAVA, Trojan.ByteVerify, etc to me please?

    Posted Mar 09, 2010 08:58 AM
    We don't use the Microsoft VM, or virtual machine. When I type jview, I get a not found error...

    I'm still a bit confused, though - it appears this arrives as a JAVA class? I guess I don't understand JAVA - is that like an "applet"?
    It almost looks like JAVA is attempting an update when this is detected; when I look at the logs, it looks LEGIT, JAVA is logging it as if it's a GOOD thing, as if the user is deliberately updating JAVA on their computer.

    Embedded in a web page, correct?

    And it looks like if you don't use the Virtual Machine - the Microsoft piece - it won't actually work... is that correct??
    When I do the test as in that MS bulletin, and go to the CMD prompt and type jview, I get an error, not a version, indicating that we are not using the Microsoft virtual machine...
    Does this sound correct?
    Thanks.


  • 5.  RE: Can someone explain JAVA, Trojan.ByteVerify, etc to me please?

    Posted May 18, 2010 03:50 PM

    We use SEP 11.5 as an intro. Many viruses that we have been seeing all point to the infected file in C:\Documents and Settings\"USERID"\Application Data\Sun\Java\Deployment\Cache\"Random Number". These result in FakeAV, Trojan.ByteVerify or Downloader.

    Often SEP does not have time to remediate before the damage is done. But my thought was why did this happen in the first place.

    ShadowPapa - I've been following the forum for some time. Just peeking but you have provided quite a bit of helpful information to us all. Looks like it's time for me to perhaps assist you and all the other contributors.

    Here is a link from CERT discussing the JAVA vulnerability, which, by the way, SUN notes that Java 6 Update 20 addresses. I'm not holding my breath though.

    www.cert.org/blogs/vuls/2008/06/signed_java_security_worse_tha.html

    My thanks to the CERT contributor.



  • 6.  RE: Can someone explain JAVA, Trojan.ByteVerify, etc to me please?

    Posted May 18, 2010 04:14 PM
    I forgot to mention one last thing. I had always thought the directory was for Java Updates due to the Deployment\Cache folders.
    It actually contains Temporary Internet Files.
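The following Python script is an added example, not code from the thread or from Symantec. It takes the SEP risk event quoted in the first post (reproduced here as constructed sample data) and classifies where the detected file was sitting on disk, to make the point of the last two replies concrete: the Java Deployment\cache folder, like the browser's Temporary Internet Files, holds content that web pages pulled down (cached applet jars), not Java updates. The `>>` separator in the file path is treated as `container>>member`, the way the quoted path reads (a cached jar holding AppletX.class). The `would_app_control_block` function is an assumed, simplified mirror of the poster's Application Control rule (deny executables launched from the browser cache or the user's temp folder); real SEP rules are configured in the console and are not reproduced here. Folder layouts assume Windows XP (`Documents and Settings`, `Local Settings`).

```python
"""Triage a SEP risk event by where the detected file lived (added example, not from the thread)."""
import re

# Constructed sample: the key/value layout quoted in the first post, trimmed to
# the fields used here. Host, user and path are treated as sample data only.
SAMPLE_EVENT = """\
Risk name: Trojan.ByteVerify
File path: c:\\Documents and Settings\\Mary.Jackson\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\15\\368dd54f-422b53a3>>AppletX.class
Event time: 2010-03-05 21:38:16 GMT
User: SYSTEM
Action taken on risk: Cleaned by deletion
"""

# Locations the thread talks about, matched case-insensitively against a
# backslash-normalised path. Assumed XP-era profile layout.
LOCATIONS = [
    # Cached applet jars fetched by web pages; NOT the Java updater's files.
    ("java-deployment-cache", r"\\application data\\sun\\java\\deployment\\cache\\"),
    # Internet Explorer cache, where setup[1].exe was seen trying to run.
    ("browser-cache", r"\\local settings\\temporary internet files\\"),
    # User temp folder, where pdfupd.exe was seen trying to run.
    ("user-temp", r"\\local settings\\temp\\"),
]

# Assumption: the poster's rule denies executables launched from these locations.
BLOCK_EXEC_FROM = {"browser-cache", "user-temp", "java-deployment-cache"}
EXECUTABLE_SUFFIXES = (".exe", ".com", ".scr")


def parse_event(text):
    """Turn 'Key: value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def split_container(path):
    """Return (on_disk_path, member). SEP writes 'container>>member' when the
    detected file sits inside an archive, e.g. a cached jar holding a .class."""
    if ">>" in path:
        container, member = path.split(">>", 1)
        return container, member
    return path, None


def classify_location(path):
    """Label the profile folder a path lives in, or 'other'."""
    normalised = path.replace("/", "\\").lower()
    for label, pattern in LOCATIONS:
        if re.search(pattern, normalised):
            return label
    return "other"


def would_app_control_block(path):
    """Simplified model of the Application Control rule described in the thread:
    an executable launched from a web-cache or temp location is denied."""
    lower = path.lower()
    return lower.endswith(EXECUTABLE_SUFFIXES) and classify_location(lower) in BLOCK_EXEC_FROM


def triage(event_text):
    """Summarise one SEP risk event: what, where on disk, inside what, and the action."""
    fields = parse_event(event_text)
    on_disk, member = split_container(fields.get("File path", ""))
    return {
        "risk": fields.get("Risk name"),
        "location": classify_location(on_disk),
        "container": on_disk.replace("/", "\\").rsplit("\\", 1)[-1],
        "member": member,
        "action": fields.get("Action taken on risk"),
        "user_context": fields.get("User"),
    }


if __name__ == "__main__":
    # Constructed paths for the two blocked executables mentioned in the first post.
    for p in (r"c:\Documents and Settings\Mary.Jackson\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\setup[1].exe",
              r"c:\Documents and Settings\Mary.Jackson\Local Settings\Temp\pdfupd.exe",
              r"C:\Program Files\Java\jre6\bin\java.exe"):
        print(p, "->", classify_location(p), "blocked" if would_app_control_block(p) else "allowed")
    print(triage(SAMPLE_EVENT))
```

Run as a script it prints the classification for the three constructed paths and the parsed event; the `location` of the quoted detection comes back as `java-deployment-cache` with `AppletX.class` as the member of cached jar `368dd54f-422b53a3`, which is the applet cache, not an update.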