[SOLVED] False Positive "JavaScrub-NoAdmin.exe"


puff_m_d

Hello Pedro,
 
I received the following blocked actions when installing the newly released Java SE RE 8 (available here: http://www.oracle.com/technetwork/java/javase/downloads/jre8-downloads-2133155.html ). I installed both the x86 and x64 bit versions since I use both browsers. The blocks only occurred with the x86 version when it launched IE11 to verify the version of JRE installed.

"2014-03-18T15:54:00.922-05:00";"Kent";"11892";"C:\Program Files (x86)\Java\jre8\bin\java.exe";"10888";"jp2launcher.exe";"3";"601";"207";"";"";"";"";"";"";"C:\Users\Kent\AppData\Roaming\Oracle\Java\Uninstall\JavaScrub-NoAdmin.exe";"B8EACCC3D0FC823C9E763B97FE7B773A";"";"";""
"2014-03-18T15:54:02.859-05:00";"Kent";"11892";"C:\Program Files (x86)\Java\jre8\bin\java.exe";"10888";"jp2launcher.exe";"3";"701";"207";"";"";"";"";"";"";"C:\Users\Kent\Desktop\JavaScrub-NoAdmin.exe";"";"";"";""

If you need any other information, just let me know...


  • Staff

Downloaded and installed the "offline" installer of Java8 without a problem:

javaw.exe_3912-2014/03/19 - 07:32:05 - C:\Program Files\Java\jre8\bin\javaw.exe
mbae-svc-NoMod(100) - 2014/03/19 - 07:32:05 - #2# - IPCFromProtector: INJECTED: 1    (7084)jre-8-windows-x64.exe    (3912)Java is now shield -     213 - 2452
mbae-svc-NoMod(423) - 2014/03/19 - 07:32:05 - #1# - MbaeLogProcessModules: Cannot enumerate loaded modules Pid: 3912 Process Name: C:\Program Files\Java\jre8\bin\javaw.exe Address: 0x00000000 -     329 - 2452
mbae-svc-NoMod(125) - 2014/03/19 - 07:32:06 - #1# - IPCFromProtector: 213 -     213 - 2452
mbae-svc-NoMod(218) - 2014/03/19 - 07:32:05 - #2# - IPCFromProtector: ADD_POOL: 2    (3912)Java - deployment.properties -     213 - 6528
mbae-svc-NoMod(423) - 2014/03/19 - 07:32:06 - #1# - MbaeLogProcessModules: Cannot enumerate loaded modules Pid: 3912 Process Name: C:\Program Files\Java\jre8\bin\javaw.exe Address: 0x00000000 -     329 - 6528
mbae-svc-NoMod(222) - 2014/03/19 - 07:32:06 - #1# - IPCFromProtector: 213 -     213 - 6528
mbae-svc-NoMod(136) - 2014/03/19 - 07:32:07 - #2# - IPCFromProtector: UNINJECTED: 3    (7084)jre-8-windows-x64.exe    (3912)Java is now unshield -     213 - 6528
javaw.exe_6568-2014/03/19 - 07:32:07 - C:\Program Files\Java\jre8\bin\javaw.exe
mbae-svc-NoMod(100) - 2014/03/19 - 07:32:07 - #2# - IPCFromProtector: INJECTED: 1    (7084)jre-8-windows-x64.exe    (6568)Java is now shield -     213 - 6504
mbae-svc-NoMod(136) - 2014/03/19 - 07:32:07 - #2# - IPCFromProtector: UNINJECTED: 2    (7084)jre-8-windows-x64.exe    (6568)Java is now unshield -     213 - 4912
mbae-svc-NoMod(423) - 2014/03/19 - 07:32:08 - #1# - MbaeLogProcessModules: Cannot enumerate loaded modules Pid: 6568 Process Name: C:\Program Files\Java\jre8\bin\javaw.exe Address: 0x00000000 -     329 - 6504
mbae-svc-NoMod(125) - 2014/03/19 - 07:32:08 - #1# - IPCFromProtector: 213 -     213 - 6504

Any hints as to how to replicate it?

 

 

EDIT: never mind, just saw it:

The blocks only occurred with the x86 version when it launched IE11 to verify the version of JRE installed.

  • Staff

The fact that it blocks JavaScrub-NoAdmin.exe is expected behavior. The normal operation would be to exclude that file and run the Java tester again.

 

However there is a bug in that the exclusion will not take effect the next time you execute JavaScrub-NoAdmin.exe. We will fix this asap.

 

Thanks for reporting!


Hello Pedro,

 

Curious minds have to ask ;) ... Why would it be an expected behavior to block a legitimate operation of the java install where it checks to see if installed version is the current release and no leftover previous versions are present? And why should you have to exclude this legitimate operation?


  • Staff

The way that some Java apps behave is very similar to how Java exploits behave, as in this example: Java launching a PE file (i.e. an .EXE) from the web. That's why we sometimes block some of these actions. From a security perspective, Oracle and other Java web-app developers should refrain from programming Java apps in such a way, as it doesn't exactly promote security nor the image that security is important for these companies.

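The behaviour described in the reply above (a Java process writing or launching a PE file) can be looked for in logs of the kind shown in the first post. The following is an added example, not part of the thread and not the product's own code: it assumes the semicolon-delimited layout of those two log lines, with the acting process in column 3 and the target file in column 15, and the sample lines, process list, extension list and `excluded` parameter are constructed for illustration.

```python
import csv
import io
import ntpath

JAVA_PROCESSES = {"java.exe", "javaw.exe", "jp2launcher.exe"}  # assumed list
PE_EXTENSIONS = {".exe", ".dll", ".scr"}                       # assumed list
# Assumed column positions, inferred from the two log lines in the first post.
COL_TIME, COL_PROCESS, COL_TARGET = 0, 3, 15

# Constructed sample lines (not real log output): two Java-to-PE events,
# one non-PE target, one non-Java process and one truncated line.
SAMPLE_LOG = r'''"2014-03-18T15:54:00.922-05:00";"alice";"4321";"C:\Program Files (x86)\Java\jre8\bin\java.exe";"1234";"jp2launcher.exe";"3";"601";"207";"";"";"";"";"";"";"C:\Users\alice\AppData\Roaming\Example\helper.exe";"";"";"";""
"2014-03-18T15:54:01.100-05:00";"alice";"4321";"C:\Program Files (x86)\Java\jre8\bin\java.exe";"1234";"jp2launcher.exe";"3";"601";"207";"";"";"";"";"";"";"C:\Users\alice\Documents\report.pdf";"";"";"";""
"2014-03-18T15:54:02.200-05:00";"alice";"5000";"C:\Windows\notepad.exe";"1234";"explorer.exe";"3";"601";"207";"";"";"";"";"";"";"C:\Users\alice\Desktop\tool.exe";"";"";"";""
"2014-03-18T15:54:03.300-05:00";"alice";"6000";"C:\Program Files\Java\jre8\bin\javaw.exe";"1234";"jp2launcher.exe";"3";"701";"207";"";"";"";"";"";"";"C:\Users\alice\Desktop\Updater.EXE";"";"";"";""
"2014-03-18T15:54:04.400-05:00";"alice"
'''


def java_pe_events(log_text, excluded=()):
    """Return (timestamp, process, target) for Java processes touching PE files.

    Paths listed in `excluded` are compared case-insensitively and skipped,
    which is how a user exclusion is expected to suppress the finding.
    """
    skip = {path.lower() for path in excluded}
    hits = []
    for row in csv.reader(io.StringIO(log_text), delimiter=";", quotechar='"'):
        if len(row) <= COL_TARGET:
            continue  # blank, truncated or malformed line
        process, target = row[COL_PROCESS], row[COL_TARGET]
        is_java = ntpath.basename(process).lower() in JAVA_PROCESSES
        is_pe = ntpath.splitext(target)[1].lower() in PE_EXTENSIONS
        if is_java and is_pe and target.lower() not in skip:
            hits.append((row[COL_TIME], process, target))
    return hits


if __name__ == "__main__":
    for timestamp, process, target in java_pe_events(SAMPLE_LOG):
        print(timestamp, ntpath.basename(process), "->", target)
```

A legitimate installer helper matches the same rule as a dropped payload, which is why the false positive in this thread has to be handled through an exclusion rather than by the rule itself.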

This topic is now closed to further replies.