1 Reply Latest reply on Aug 8, 2013 7:13 PM by jperry

    False positives on Java Deployment cache .class files

      After the issues with Artemis last week, we thought we were over the false positive detections. I am now seeing what I believe are more false positive detections of Java update files on a machine. The machine is showing several files such as:

      AppData\Local\Temp\jar_cache5724875948135010292.tmp\fon.class

      \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\9f2d13f-42b2876d\hub.class

      \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\9f2d13f-42b2876d\ins.class

      \AppData\LocalLow\Sun\Java\Deployment\cache\6.0\63\9f2d13f-719c7b6b\foe.class


      This list goes on... They are detected as:

      Detecting Product Name: VIRUSCAN8800

      Detecting DAT Version: 7159.0000

      Detecting Engine Version: 5600.1067


      Threat Name: Exploit-FGI!CVE2012-1723

      Threat Type: Trojan

      Threat Category: Malware detected


      We would like to verify whether or not these are actual infections or if they are false positives as suspected. Each file is being detected with the same threat name. Artemis is disabled at the present time on our ePO server, so this has to be tied back to the DAT file, it would appear.


      Any suggestions or comments from McAfee VSE team or McAfee Labs??

        • 1. Re: False positives on Java Deployment cache .class files
          jperry

          In that cache directory there should be an .idx file. This is a metadata file which will tell you where the Java applet downloaded from; you can open it in Notepad and see these details. Based on the threat name and the class names, this is likely an accurate detection of Java exploit CVE-2012-1723. You can upload to a site like VirusTotal to confirm if other AVs are detecting it as well: https://www.virustotal.com/. If the system is running less than Java 6 update 35, I would recommend scanning the system with another malware scanner as a second opinion and/or enabling Artemis and running a full system scan, as a malware payload such as password-stealing or rootkit malware may have been dropped.
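As an added example that is not part of the original thread: a small Python parser for the cache .idx file jperry mentions, which pulls out the origin URL, codebase IP and HTTP headers so a triager can check whether the applet came from a host the organisation actually expects Java content from. The section layout (cache version 605), the trusted-host list and the sample bytes are assumptions constructed for this example, not data from the thread.

```python
import struct
from urllib.parse import urlparse

# Assumed layout (Java cache version 605; an assumption, not from the thread):
# 128-byte fixed header, then section 2 at offset 128 made of writeUTF strings
# (u16 big-endian length + UTF-8): version, URL, namespace, codebase IP, then an
# int32 count of HTTP header name/value pairs, each also writeUTF-encoded.
SECTION2_OFFSET = 128

def read_utf(buf, pos):
    """Read one writeUTF string at pos; return (text, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated .idx at offset %d" % pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    data = buf[pos + 2:pos + 2 + n]
    if len(data) != n:
        raise ValueError("string runs past end of file at offset %d" % pos)
    return data.decode("utf-8", "replace"), pos + 2 + n

def write_utf(text):
    data = text.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def parse_idx(buf):
    """Return what a triager wants from an .idx: origin URL, codebase IP, headers."""
    if len(buf) < SECTION2_OFFSET:
        raise ValueError("shorter than the 128-byte fixed header")
    pos, strings = SECTION2_OFFSET, []
    for _ in range(4):  # version, URL, namespace, codebase IP
        text, pos = read_utf(buf, pos)
        strings.append(text)
    (count,) = struct.unpack_from(">i", buf, pos)
    pos, headers = pos + 4, {}
    for _ in range(count):
        name, pos = read_utf(buf, pos)
        headers[name], pos = read_utf(buf, pos)
    return {"url": strings[1], "codebase_ip": strings[3], "headers": headers}

def is_expected_origin(url, trusted_hosts):
    """True only if the applet came from a host the organisation expects Java from."""
    return (urlparse(url).hostname or "").lower() in trusted_hosts

def build_sample_idx():
    """Constructed sample bytes (not a real capture) in the assumed layout above."""
    header = bytes(SECTION2_OFFSET)
    return header + (write_utf("1.0") + write_utf("http://applet.example.invalid/x/hub.class")
        + write_utf("") + write_utf("198.51.100.23") + struct.pack(">i", 1)
        + write_utf("content-type") + write_utf("application/x-java-applet"))
```

Run `parse_idx(open(path, "rb").read())` on each .idx next to a detected .class and compare the returned URL host against your own list of expected Java sources; a host you do not recognise is the signal to treat the detection as real rather than a false positive.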