Anyone else notice that the signature "Java Envelope - Creation of suspicious files in Temp folder" doesnt seem to trip when it should. The signature "Java Envelope - Starting suspicious process from Temp folder" seems to work fine, but for every infection I have traced a vulnerable version of java writing the malware file to the temp directory it has never tripped.
I should add that it doesn't work under virusscan 8.8 Access protection rules either. I made a rule that looks for *.exe files written under common temp locations with the source process being java.exe and nothing trips. I have another rule that monitors the exact same thing but with any process and it will record just fine that java.exe wrote 12365gb5.exe to C:\users\username\appdata\local\temp
Message was edited by: Dvanmeter on 6/11/13 2:22:28 PM CDT
I did find a method to get the AP rules in AV 8.8 working. I had to put the full path of the java.exe file in order for it to trip. so rather than java.exe, I used C:\program files\java\java.exe. The only problem with using it in AP rules in Virusscan is if there is a legit file there is no way to exclude. In HIPS I could make an exception, but I am having some difficulties understanding how to make this kind of rule in HIPS. Can anyone offer me any help in HIPs in creating a custom rule that says, c:\program files\java\java.exe is not allowed to create an exe anywhere on the drive