Kitz ADSL Broadband Information
Author Topic: Java False positives (I hope)  (Read 3999 times)

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Java False positives (I hope)
« on: November 28, 2013, 11:33:19 AM »

Kaspersky has ding-a-linged its bell on the XP system, warning about a few Java trojans, in several .jar files "HEUR:exploit.java.generic". I do not want to just delete these files, they are archives of active files on a website.

None of the 'infected' files has been touched for months. Moreover, there are 'identical' multiple copies lying around the disk, Kaspersky scans the others as being 'safe'. I have even done a DOS compare 'fc', which reports that the 'infected' files exactly match the 'safe' files of same name elsewhere on disk.

What do you folks think… can I relax, and assume 'false positive', or might there be more to it…  :o

I have isolated the system from the LAN while I ponder.   This a criticism I have often heard of AV, does it sometimes cause more trouble than the viruses  >:(

edit 16:20, corrected the kav warning.
« Last Edit: November 28, 2013, 04:21:49 PM by sevenlayermuddle »

broadstairs

  • Kitizen
  • ****
  • Posts: 3700
Re: Java False positives (I hope)
« Reply #1 on: November 28, 2013, 02:16:59 PM »

By archives I presume they are compressed. This can cause a file to look like it contains a virus signature but when uncompressed they are usually fine. So if they are compressed files and since other copies are identical I would expect them to be OK and thus your system safe. The other way to view it is that since you have identical files which scan OK just delete these.

Stuart
ISP:Vodafone Router:Vodafone Wi-Fi hub FTTP

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Java False positives (I hope)
« Reply #2 on: November 28, 2013, 04:17:25 PM »

Thanks Stuart, the files aren't compressed as such (although I think .jar are actually a form of .zip), they are just snapshots that I create whenever we update the website. I like to keep all of these snapshots for ever, disks are cheap enough.

These individual .jar files have not changed for a long long time, so they should be identical in most recent snapshots. And they are identical according to DOS 'fc', yet somehow kav thinks that several of the .jar files in one folder contain a Trojan, yet the identical lot of files (elsewhere) does not. ???

I've pretty much convinced myself it is a false-positive, but I have also sought advice from Kaspersky, let's see what they say. The annoying thing is I do take these things seriously, and like to get to the very bottom of it when anything looks awry. As a result, I have got very little of my intended work done this morning. >:(

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Java False positives (I hope)
« Reply #3 on: November 28, 2013, 04:39:28 PM »

Just had confirmation it was a false positive and will be fixed in next update.

10 out of 10 for kav customer service then, and feeling a little less grumpy. :)

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: Java False positives (I hope)
« Reply #4 on: November 28, 2013, 07:05:05 PM »

> Just had confirmation it was a false positive and will be fixed in next update.
>
> 10 out of 10 for kav customer service then, and feeling a little less grumpy. :)

That's good to know . . . (all four of the above).  ;)
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Java False positives (I hope)
« Reply #5 on: November 28, 2013, 07:28:59 PM »

> Just had confirmation it was a false positive and will be fixed in next update.
>
> 10 out of 10 for kav customer service then, and feeling a little less grumpy. :)
>
> That's good to know . . . (all four of the above). ;)

 :D

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Java False positives (I hope)
« Reply #6 on: November 29, 2013, 03:19:27 PM »

Oh dear.

Access is now being blocked to parts of my live website. These are files that have not changed in ten years and whilst there is a theoretical possibility that the web host has been compromised, it would not explain why the files on my own HDD also appear to be 'infected'. I am therefore continuing to assume 'false positive'.

These are 'Heuristic' detections, which means sort of 'best guess', and presumably, the person (bit of code) making the guess has become perhaps just a little bit too trigger happy? :-\

One wider concern is, there is such a panic over Java these days that many people are just refusing to use it. As people start seeing widespread "virii" reports on more and more totally innocent Java content, the panic may become a self-fuelling prophecy, leading to the demise of a very useful technology. And that would be a shame. :(


guest

  • Guest
Re: Java False positives (I hope)
« Reply #7 on: December 11, 2013, 03:48:19 PM »

Firefox 26 now blocks all Java plugins by default.

Damn good idea. Java (other than in embedded/server markets) is dead - Oracle saw to that. There is no place for it on the desktop now given Oracle's track record.

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: Java False positives (I hope)
« Reply #8 on: December 11, 2013, 06:56:42 PM »

> Firefox 26 now blocks all Java plugins by default.
>
> Damn good idea. Java (other than in embedded/server markets) is dead - Oracle saw to that. There is no place for it on the desktop now given Oracle's track record.

That is slightly unsympathetic to those who wish to use legitimate websites with Java content. >:(

As for Kaspersky, I'm not so impressed. The 'fix' appeared, so far as I could tell, to consist of whitelisting the innocent filename's URL or, in this case its Windows pathname. Copying it to another location causes the 'trojan' alert to reappear. :(

Can't help thinking it might be of help to virus writers if that's the case, as it would suggest Kaspersky can be easily conned into whitelisting specific pathnames, whereupon the world's your oyster >:D
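An added example, not from the thread or from any vendor tool: a Python script that does the per-pair 'fc' check from Reply #2 across every snapshot folder at once by content hash, the location-independent key that a pathname-based exclusion (as described in the last reply) lacks. The snapshot folder names, file names and jar contents are constructed for the demo.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

def sha256_of(path):
    """Content hash: identical bytes give the same digest wherever the file sits."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def group_identical_jars(roots):
    """Map content hash -> every .jar under the given snapshot folders with that hash."""
    groups = {}
    for root in roots:
        for jar in sorted(Path(root).rglob("*.jar")):
            groups.setdefault(sha256_of(jar), []).append(jar)
    return groups

def copies_matching(flagged, roots):
    """Other copies whose bytes exactly match the flagged file (what 'fc' checks per pair)."""
    flagged = Path(flagged).resolve()
    same = group_identical_jars(roots).get(sha256_of(flagged), [])
    return [p for p in same if p.resolve() != flagged]

def build_demo(base):
    """Constructed sample: two snapshots with an identical applet.jar, one with a changed build."""
    stamp = (2013, 1, 1, 0, 0, 0)  # fixed zip timestamps so identical content hashes identically
    paths = {}
    for snap, body in (("snap_jan", b"old"), ("snap_jun", b"old"), ("snap_nov", b"new")):
        jar = Path(base) / snap / "site" / "java" / "applet.jar"  # a .jar is a zip archive
        jar.parent.mkdir(parents=True)
        with zipfile.ZipFile(jar, "w") as z:
            z.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", stamp), "Manifest-Version: 1.0\n")
            z.writestr(zipfile.ZipInfo("Applet.class", stamp), body)
        paths[snap] = jar
    return paths

def run_demo():
    """Treat snap_jun's copy as the flagged file; report which other snapshots hold identical bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        jars = build_demo(tmp)
        roots = [Path(tmp) / s for s in jars]
        matches = [p.parts[-4] for p in copies_matching(jars["snap_jun"], roots)]
        return matches, len(group_identical_jars(roots))  # -> (['snap_jan'], 2)
```

Pointing `copies_matching` at a real flagged .jar and the real snapshot roots lists every byte-identical copy, so a scanner verdict that differs between them is a verdict on location, not content.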