3 Replies Latest reply on Dec 2, 2016 10:40 AM by Kary Tankink

    HIPS Signature 3854 - False Positive?

    kenobe

      Recently we started seeing 'hits' for 3854 - Sun Java WebStart JNLP Stack Buffer Overflow Vulnerability.  That vulnerability was found in 2007 and affected Java versions 5 and 6.  Thing is, our users are on Version 7.  The event description is fairly vague.  We see the threat and source as the same IP, with Internet Explorer being the Threat Source Process Name, with a registry value of \REGISTRY\MACHINE\SOFTWARE\CLASSES\JNLPFILE\SHELL\OPEN\NEVERDEFAULT

      We think this is happening when a Cisco app is opened with IE to view Cisco logs.

      Anyone else see this?

      Thanks, Ken