I've been blocking a lot of things from the user profile area with SEP application control. This has saved us many, many times! However, the boss is concerned, as this also blocks Java installs and updates.
I believe users should not (in our environment) have control over any updates or installs anyway, and I fear that if I open things up, we'll have a lot more problems here.
For example, last Friday, in less than ONE hour, SEP stopped 3 things from getting in!
All three were stopped by my application control: EXEs attempting to run from the web browser cache while the users visited web sites, and on one of those computers I noted in the Java logs that Java was attempting an install or update.
Odd, as at the same time the logs said Java was doing an install or update, my SEP logs show app control was blocking an EXE in the web cache AND in the user profile temp folder, pdfupd.exe.
And on the same computer at the exact same time, SEP deleted Trojan.ByteVerify.
What exactly is that, why does it ALWAYS appear with a Java install or upgrade, and why at the exact same time the pdfupd.exe was trying to run, and the same time setup[1].exe was trying to run from the cache (it kept changing names in the cache; it started out as setup and ended up as some really long, complex name)?
So on this ONE computer, setup.exe was attempting to run in the browser cache area, pdfupd.exe was trying to run in the temp folder, and at the same time SEP sent me this:
Risk name: Trojan.ByteVerify
File path: c:\Documents and Settings\Mary.Jackson\Application Data\Sun\Java\Deployment\cache\6.0\15\368dd54f-422b53a3>>AppletX.class
Event time: 2010-03-05 21:38:16 GMT
Database insert time: 2010-03-05 21:46:37 GMT
User: SYSTEM
Computer: VR008160RKZH58B
IP Address: 10.252.8.17
Domain: IVRS-SEP1
Server: VRDSMSEP1
Client Group: My Company\Client Computers\Desktop
Action taken on risk: Cleaned by deletion
WHAT is Trojan.ByteVerify, and why does it appear to be a Java update? Is it part of a Java update? Is it legit? How and why would Java be trying to install? The LEGIT REAL ACTUAL Java logs do show Java was attempting a valid process. Does this come in the guise of a Java install? Does Java do this thinking it's a valid part of Java?
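The post's observation is really a correlation problem: a risk detection in the Java deployment cache and application-control blocks of EXEs launched from the browser cache and the profile temp folder, on the same host, within seconds of each other. Below is an added example (my own Python, not code from the post or from Symantec) that parses risk records in the "Risk name: / File path: / Event time: / Computer:" layout quoted above and correlates them with application-control block events. The block-event lines are a constructed, hypothetical `time|computer|path` format, not SEP's real export format; the sample data is constructed (the first risk record mirrors the one in the post, the rest is invented), and the block timestamps are assumed to be in GMT like the risk records.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data. The first risk record mirrors the post; the second
# record and all block lines are invented for illustration.
RISK_LOG = r"""
Risk name: Trojan.ByteVerify
File path: c:\Documents and Settings\Mary.Jackson\Application Data\Sun\Java\Deployment\cache\6.0\15\368dd54f-422b53a3>>AppletX.class
Event time: 2010-03-05 21:38:16 GMT
Computer: VR008160RKZH58B
Action taken on risk: Cleaned by deletion

Risk name: Trojan.ByteVerify
File path: c:\Documents and Settings\Bob\Application Data\Sun\Java\Deployment\cache\6.0\40\1a2b3c4d-5e6f7a8b>>Loader.class
Event time: 2010-03-05 09:00:00 GMT
Computer: VR00822ABC
Action taken on risk: Cleaned by deletion
"""

# Hypothetical application-control block export: time|computer|blocked process path
# (assumed GMT; this is NOT SEP's real log format).
APPCTRL_LOG = r"""
2010-03-05 21:37:50|VR008160RKZH58B|c:\Documents and Settings\Mary.Jackson\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\setup[1].exe
2010-03-05 21:38:05|VR008160RKZH58B|c:\Documents and Settings\Mary.Jackson\Local Settings\Temp\pdfupd.exe
2010-03-05 14:10:00|VR00822ABC|c:\Documents and Settings\Bob\Local Settings\Temp\installer.exe
2010-03-05 21:38:00|VR00999XYZ|c:\Program Files\Java\jre6\bin\java.exe
"""

# Locations an unprivileged user (or a drive-by download) can write to and
# that a legitimate, vendor-signed installer should not be launching from.
USER_WRITABLE = re.compile(
    r"\\temporary internet files\\|\\local settings\\temp\\|\\appdata\\local\\temp\\"
    r"|\\sun\\java\\deployment\\cache\\|\\mozilla\\firefox\\profiles\\.*\\cache",
    re.IGNORECASE,
)


def parse_risk_log(text):
    """Parse blank-line-separated 'Key: value' risk records (the layout quoted in the post)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        events.append({
            "name": fields["Risk name"],
            "path": fields["File path"],
            "time": datetime.strptime(fields["Event time"], "%Y-%m-%d %H:%M:%S GMT"),
            "computer": fields["Computer"],
            "action": fields.get("Action taken on risk", ""),
        })
    return events


def parse_appctrl_log(text):
    """Parse the constructed 'time|computer|path' block lines (hypothetical format)."""
    events = []
    for line in text.strip().splitlines():
        stamp, computer, path = line.split("|", 2)
        events.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "computer": computer,
            "path": path,
        })
    return events


def launched_from_user_writable(path):
    """True if the blocked executable lives in a browser cache, temp, or Java cache folder."""
    return USER_WRITABLE.search(path) is not None


def correlate(risks, blocks, window=timedelta(minutes=5)):
    """For each risk detection, collect user-writable-location blocks on the same
    host within +/- window, ordered by time. Returns one incident per risk that
    has at least one related block."""
    incidents = []
    for risk in risks:
        related = sorted(
            (b for b in blocks
             if b["computer"] == risk["computer"]
             and abs(b["time"] - risk["time"]) <= window
             and launched_from_user_writable(b["path"])),
            key=lambda b: b["time"],
        )
        if related:
            incidents.append({
                "computer": risk["computer"],
                "risk": risk["name"],
                "risk_path": risk["path"],
                "blocked": [b["path"].rsplit("\\", 1)[-1] for b in related],
            })
    return incidents


if __name__ == "__main__":
    for inc in correlate(parse_risk_log(RISK_LOG), parse_appctrl_log(APPCTRL_LOG)):
        print(inc["computer"], inc["risk"], "with blocked launches:", ", ".join(inc["blocked"]))
```

On the constructed data only the first host produces an incident: the Trojan.ByteVerify detection in the Java cache lands within seconds of two blocked launches from Temporary Internet Files and the profile Temp folder, while the block on the second host is hours away from its detection and the java.exe launch from Program Files is on a different host and not in a user-writable location. The same grouping, run over a real export, is what separates "Java was updating" from "something dropped via the browser tried to run at the same moment Java was being invoked".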