7 Replies Latest reply on Oct 14, 2011 10:42 AM by metalhead

    Recurring "malware detected" help needed.  False positive or?

      I'm looking for some advice with an ongoing "malware detected" (event ID 1027) alert I've been receiving on about 15 different Windows XP SP3 workstations during the last 10 days.  All VSE clients are 8.7i (8.7.0.570) 32-bit with current DATs (6498 as of today).


      All activity is occurring during our nightly managed scans.  In every case a .class file is being deleted as a suspected trojan "Generic Exploit!XX", where the XX can be something like "gm", "gf", "gdr", "ft".


      The path is always similar to the following:

      c:\Documents and Settings\USER\Local Settings\Temp\
      c:\Documents and Settings\USER\Application Data\Sun\Java\Deployment\cache\6.0

      Examples:

      c:\Documents and Settings\USER\Local Settings\Temp\jar_cache7308059839342354159.tmp
      c:\Documents and Settings\USER\Application Data\Sun\Java\Deployment\cache\6.0\9\63d2ecc9-34ead27a\jilo4.class
      c:\Documents and Settings\USER\Application Data\Sun\Java\Deployment\cache\6.0\41\30616a69-3a823c02\Ump_45.class

      I suspect that if it's legitimate, it's temp files downloaded during the day that aim to exploit the user's JRE version.  Almost all of the clients are using fairly recent Java (JRE 6 Update 26).  In the meantime I've updated 5 of the recurring workstations to JRE 6 Update 27 (can't move to JRE 7 yet) to see if this helps, but it will take some time to know if it does.

      Can anyone provide any advice on this?  It would be hard for me to pull the workstation and restore the file and ship it off to McAfee based on my client.


      Any advice would be greatly appreciated!  Let me know if you need any additional details.


      Thank you,

      Jared