Virus Prevention, not just detection after the fact?

  • Question

  • Why doesn't One Care prevent a trojan from installing in the first place? I keep getting one of these Java Byte Verify Trojans from somewhere. It's infecting my system while just surfing web pages, as I haven't installed any strange or questionable software at all, or any new software whatsoever for that matter in over 1 1/2 years. It seems every time One Care does its scan though it detects this exploit... Java/Byteverify.B or .G or .F or dot every letter in the alphabet. I have even completely un-installed Sun's Java entirely and this still keeps getting detected during the virus scan.

    It's nice that it detects and removes it during the scan; the question I have though is why isn't One Care detecting it and warning me when it's attempting to install on my system in the first place? As I look through my quarantine log I see this is rather common for One Care to allow things to infect my system, allow them to exist, and then only detect and remove them after a scan.

    I'd like to know what web site I keep getting this from; the only way I can tell is if One Care alerts me when it's trying to install, not after the fact and only after it has done a scan.

    Why doesn't it just block this from the start?

    Better still, not a question for here, but why doesn't freaking Sun fix Java so this vulnerability isn't an issue in the first place.
    Sunday, May 10, 2009 4:39 AM

Answers

  • Let me try the question again, with less details now that we know why I ask what I am...


    ***************************************************************************
    Question:
    Why does One Care not detect these things as they are being placed on my system?
    ***************************************************************************


    OneCare and all other antimalware programs perform on a variety of levels.
    First, if an exploit is attempting to load into memory or execute, it will be scanned by the real time engine and hopefully blocked and removed.
    Second, if the malware is downloaded to the PC via the browser or attached to an email, it will typically not be stopped or caught by the real time engine/scan. However, when a full scan is performed of all files on the PC, the malware is then detected and action taken.
    Malware residing on the system in a dormant state is not dangerous unless you execute it.

    Finally, it is also possible, though not in this case, that malware makes it past the scanner because the scanner is not yet able to detect it. Signatures are updated frequently, allowing the engine to detect more variants and also allowing for removal of more malware variants. It is possible that malware makes it to the system today, but after a signature update, it is caught by the full scan as the signatures are now able to detect that malware.

    Finally, I'll refer you back to the original reply, which I have marked as an answer. The malware you reported cannot infect your system as you are not running the Microsoft VM. It does not affect a machine using the Sun Java VM. The bits are downloaded to your cache, but are harmless to your machine.


    -steve
    Microsoft MVP Windows Live / Windows Live OneCare & Live Mesh Forum Moderator
    • Marked as answer by tony1967 Tuesday, May 12, 2009 4:16 AM
    Monday, May 11, 2009 12:14 PM
    Moderator
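    The three levels steve describes (real-time scan at load/execute time, no check on a plain browser or e-mail drop, detection later by a full scan, and a signature update turning a previously unknown file into a detection) can be made concrete with a small model. This is an added example, not OneCare's code or anything from this thread; the file contents, signature names and paths are constructed, and the "engine" is a plain SHA-256 lookup against a signature table.

```python
import hashlib

# Constructed sample signatures: hash of file bytes -> detection name.
# These are not real malware hashes; the names reuse the family name from the thread.
SIGNATURES_V1 = {hashlib.sha256(b"known-bad-applet-A").hexdigest(): "Java/ByteVerify.A"}
SIGNATURES_V2 = dict(SIGNATURES_V1)
SIGNATURES_V2[hashlib.sha256(b"known-bad-applet-G").hexdigest()] = "Java/ByteVerify.G"


class Scanner:
    """Toy antimalware engine with a simulated disk, an on-access hook and an on-demand scan."""

    def __init__(self, signatures):
        self.signatures = dict(signatures)
        self.files = {}      # path -> bytes (the simulated disk)
        self.events = []     # (level, path, detection) log

    def update_signatures(self, signatures):
        # Signature update: previously unknown variants become detectable.
        self.signatures.update(signatures)

    def _lookup(self, data):
        return self.signatures.get(hashlib.sha256(data).hexdigest())

    def download(self, path, data):
        # Level 2: a browser cache drop or mail attachment. The file is written to
        # disk without any real-time check, exactly as the reply describes.
        self.files[path] = data

    def execute(self, path):
        # Level 1: real-time (on-access) scan when the file is loaded or executed.
        name = self._lookup(self.files[path])
        if name:
            self.events.append(("realtime", path, name))
            del self.files[path]
            return False  # blocked and removed
        return True       # allowed to run

    def full_scan(self):
        # Level 3: on-demand full scan of everything on disk; dormant files are found here.
        found = []
        for path in list(self.files):
            name = self._lookup(self.files[path])
            if name:
                self.events.append(("fullscan", path, name))
                del self.files[path]
                found.append((path, name))
        return found


def scenario():
    """Walk through the thread's situation and return what each level caught."""
    s = Scanner(SIGNATURES_V1)
    s.download("cache/a.jar", b"known-bad-applet-A")   # known variant, sits dormant
    s.download("cache/g.jar", b"known-bad-applet-G")   # variant not yet in signatures
    s.download("cache/ok.jar", b"benign-applet")
    a_ran = s.execute("cache/a.jar")    # real-time engine blocks it at execution
    first = s.full_scan()               # a.jar already gone, g.jar still unknown: nothing
    s.update_signatures(SIGNATURES_V2)  # next signature update arrives
    second = s.full_scan()              # the dormant g.jar is now detected
    return {
        "a_ran": a_ran,
        "first_scan": first,
        "second_scan": second,
        "remaining": sorted(s.files),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

    The point the model makes is the one the poster is circling: a file that is only written to a cache is never handed to the real-time engine, so the first time it can be seen is at execution (level 1) or at the next full scan (level 3), and a variant the signatures do not yet cover is caught only after an update.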

All replies

  • These malicious applets are designed to exploit vulnerabilities in the Microsoft VM (Microsoft Security Bulletin MS03-011). If you are using the Sun JVM as your default virtual machine, these malicious applets cannot cause any harm to your computer.

    http://java.com/en/download/help/cache_virus.xml

    Regards, Dave
    Sunday, May 10, 2009 7:05 AM
  • Additionally, you should ensure that you're only running the latest version of the Sun Java Runtime Environment which is currently Java 6 update 13 (from Control Panel > Add/Remove) and no additional versions should be present.

    Since you're repeatedly getting malicious JAR files installed to your Java cache, if you have a reasonably fast internet connection, I would eliminate cache storage then no stored malicious files should ever be found and reported during your OneCare scan:
    Control Panel > Java > General tab > Temporary Internet Files > Settings > uncheck "Keep temporary files on my computer."
    Regards, Dave
    Sunday, May 10, 2009 5:16 PM
  • I'm not using Microsoft VM nor do I have it installed, I do have the latest version of Java. I also did (and always do) look up and see what these detected items are when they turn up. Jim marked your comment as answered, but it did not answer my question or tell me anything a simple Google search wouldn't already tell me (and has).

    Let me try the question again, with less details now that we know why I ask what I am...


    ***************************************************************************
    Question:
    Why does One Care not detect these things as they are being placed on my system?
    ***************************************************************************



    Why I ask:
    It seems strange that One Care would actually allow a virus (or in this case an exploit) to be installed and not even detected until it (OneCare) runs its actual full scan. If I was actually vulnerable to this and 24 hours away from my next scan, I would be getting exploited for a full 24 hours before One Care found and did something about it.

    Is this behavior intentional as the trade-off for the much better performance I notice when running One Care vs. any of the other antivirus options out there? It still seems like a flawed behavior to allow a virus or exploit in the door and take up residence on the system. I'd like to know what web site I keep getting this from so I can block the web site in my firewall. This info isn't in the One Care logs, so the only way I could find out where this keeps coming from would be an alert the minute it tries to enter my system, like when the specific web page doing it opens.

    I'd love to look up who owns the web site and just give them a black eye for trying to exploit me. This probably isn't going to be a very practical solution to the attempted repeated problem, so the only other alternative I have is to block my system from ever even accessing their web site again. I need some way of knowing what web site is doing it to be able to block them though.

    Monday, May 11, 2009 5:49 AM
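    Dave's reply places the detected files in the Java deployment cache, and the poster wants to know which site they came from. The OneCare log does not record that, but the cache itself usually does: each cached JAR sits beside a same-named `.idx` index file that records the resource's origin. The script below is an added example, not from this thread or from Sun/Microsoft; it walks the cache, hashes each JAR, carves URL-looking strings out of the neighbouring `.idx` file and tallies the hosts. The cache locations are the assumed Java 6 era defaults, and carving the URL as a plain ASCII string is an assumption about the index format (the `demo()` function builds a constructed cache in a temp directory so the script runs offline).

```python
import hashlib
import os
import re
import tempfile
from collections import Counter
from pathlib import Path
from urllib.parse import urlsplit

# Assumed default Java 6 deployment cache locations (Windows, then Unix-like).
CACHE_ROOTS = [
    Path(os.environ.get("USERPROFILE", "")) / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "cache",
    Path.home() / ".java" / "deployment" / "cache",
]

# Heuristic: an http(s) URL is a run of printable ASCII starting with the scheme.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def sha256_of(path):
    """Hash a file in chunks; the digest identifies the sample for reporting."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def carve_urls(data):
    """Return distinct URL-looking strings found in raw bytes, in order of appearance."""
    seen = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace").rstrip(".,;\"')")
        if url not in seen:
            seen.append(url)
    return seen


def inventory(cache_root):
    """For each .jar under cache_root, report its hash and the origin URLs in its .idx."""
    root = Path(cache_root)
    if not root.exists():
        return []
    entries = []
    for jar in sorted(root.rglob("*.jar")):
        idx = jar.with_suffix(".idx")   # assumed: index file shares the JAR's base name
        urls = carve_urls(idx.read_bytes()) if idx.exists() else []
        entries.append({"jar": str(jar), "sha256": sha256_of(jar), "origins": urls})
    return entries


def summarize_hosts(entries):
    """Count how many cached JARs point back to each origin host (candidates to block)."""
    counts = Counter()
    for entry in entries:
        for url in entry["origins"]:
            host = urlsplit(url).hostname
            if host:
                counts[host] += 1
    return dict(counts)


def demo():
    """Build a constructed cache layout in a temp dir and inventory it (offline demo)."""
    root = Path(tempfile.mkdtemp(prefix="javacache-demo-"))
    sub = root / "6.0" / "17"
    sub.mkdir(parents=True)
    (sub / "1a2b3c4d-5e6f7a8b.jar").write_bytes(b"PK\x03\x04constructed-sample-jar")
    # Constructed .idx: binary padding around the origin URL, roughly how an index looks.
    (sub / "1a2b3c4d-5e6f7a8b.idx").write_bytes(
        b"\x00\x01\x02" + b"http://example.test/applets/loader.jar" + b"\x00\x00\x05\x06"
    )
    return inventory(root)


if __name__ == "__main__":
    found = [entry for root in CACHE_ROOTS for entry in inventory(root)]
    if not found:
        found = demo()
        print("no live cache found; showing the constructed demo cache")
    for entry in found:
        print(f'{entry["sha256"]}  {entry["jar"]}  <- {entry["origins"] or "no origin recorded"}')
    print("hosts:", summarize_hosts(found))
```

    Run it shortly after OneCare reports a detection and before the next scan removes the file, since the hash and origin disappear with the JAR. The host tally is what the poster asked for: a list of sites to block at the firewall or avoid, without having to catch the download as it happens.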