
False positive for javaw.exe

Hello,

I am trying to install an application from the OpenSTM32 Community Site | HomePage (install_sw4stm32_win_64bits-v2.9.zip from the download area).

I have been using this application for years without issues.

But Sophos is flagging and blocking javaw.exe as ransomware!
Here is the message:

"Ransomware blocked in \Desktop\__sw4stm32_tmp\jre\bin\javaw.exe"

I believe this is a false positive. Please check your virus database.

regards,

Reinaldo.

  • Hi Reinaldo,

    Thanks for reaching out to the Sophos Community Forum. 

    When a ransomware detection is generated, it typically isn’t due to the file or application itself. It’s typically due to the series of operations which take place. One example is if an app were to launch a second app, then proceed to unpack many files. The operations themselves may not be malicious, but the behaviour which is taking place does resemble that of ransomware.

    Can you share the event details from Event ID 911 in the Windows Application Event log related to this detection? You can also find this information from Sophos Central by selecting "Details" on the detection event.

    If you'd like to create an exclusion, the following documentation may help. 
    - Ransomware Protection Exclusions

    If the issue only occurs on application install and you are deploying a trusted app, it may be easiest to create a temporary exclusion or to temporarily disable some of the scanning features using the Tamper Protection passcode and policy override.

    Seeing as the detection names "javaw.exe", you can also consider disabling the "Protect Java applications" option in the Threat Protection Policy. This will also depend on the security within the version of Java you're using. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • System
    - Provider
      [ Name] HitmanPro.Alert
    - EventID 911
      [ Qualifiers] 0
    Version 0
    Level 2
    Task 9
    Opcode 0
    Keywords 0x80000000000000
    - TimeCreated
      [ SystemTime] 2023-08-08T14:42:54.8541540Z
    EventRecordID 36369
    Correlation
    - Execution
      [ ProcessID] 0
      [ ThreadID] 0
    Channel Application
    Computer NB-PH-040
    Security

    - EventData
    C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe
    CryptoGuard V5
    Mitigation CryptoGuard V5
    Policy CryptoGuard
    Timestamp 2023-08-08T14:42:54
    Platform 10.0.19045/x64 v2325 06_a5-
    PID 21532
    Enabled 0000000000000001
    Application C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe
    Created 2023-08-08T14:42:04
    Modified 2017-09-06T03:41:49
    Description Java(TM) Platform SE binary 8
    Filename C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe
    Detection Generic.Ransom.N
     1*C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\notice.html Created L0, Write T9216 H9013|^91700|^b10224 #1
     2 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\epl-v10.html Created L0, Write T15872 H15551|^148627|^b22230 #2
     3 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\about.html Created L0, Write T1536 H1434|^13762|^b2018 #3
     4*C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\license.html Created L0, Write T9216 H9013|^91700|^b10224 #4
     5 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\feature.xml Created L0, Write T4096 H4080|^76744|^b3228 #5
     6 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\feature.properties Created L0, Write T9216 H9015|^103641|^b11111 #6
     7 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\epl-v10.html Created L0, Write T15872 H15551|^148627|^b22230 #7
     8 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\about.html Created L0, Write T1536 H1434|^13762|^b2018 #8
     9 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\MANIFEST.MF Created L0, Write T1024 H809|^2969|^b309 #9
    10 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\ECLIPSE_.SF Created L0, Write T1024 H903|^3038|^b289 #10
    11 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\ECLIPSE_.RSA Created L0, Write T8192 H7792|^11931|^b4159 #11
    12*C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\notice.html Created L0, Write T9216 H9013|^91700|^b10224 #12
    13 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\epl-v10.html Created L0, Write T15872 H15551|^148627|^b22230 #13
    14 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\about.html Created L0, Write T1536 H1434|^13762|^b2018 #14
    15*C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\license.html Created L0, Write T9216 H9013|^91700|^b10224 #15
    16 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\feature.xml Created L0, Write T2048 H1829|^27797|^b1649 #16
    24*C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\license.html Created L0, Write T9216 H9013|^91700|^b10224 #24
    32*C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn.wikitext_feature_2.10.1.v20161129-1925\license.html Created L0, Write T9216 H9013|^91700|^b10224 #32
    40*C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn.team_feature_3.21.0.v20160701-1337\license.html Created L0, Write T9216 H9013|^91700|^b10224 #40
    48*C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn.tasks.ide_3.21.0.v20160929-1805\license.html Created L0, Write T9216 H9013|^91700|^b10224 #48
    Process Trace
     1 C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532] * "C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe" -Djre.tmpdir="C:\Windows\SysWOW64\__sw4stm32_tmp\jre" -jar "C:\Windows\SysWOW64\__sw4stm32_tmp\install_sw4stm32_win_64bits.exe"
     2 C:\Windows\SysWOW64\__sw4stm32_tmp\install_sw4stm32_win_64bits.exe [26528] install_sw4stm32_win_64bits.exe
     3 C:\Windows\SysWOW64\cmd.exe [28128] * cmd /c __sw4stm32_tmp\autorun.bat
     4 C:\Windows\SysWOW64\cmd.exe [25280] * C:\Windows\system32\cmd.exe /c cmd /c __sw4stm32_tmp\autorun.bat
     5 C:\Users\ReinaldoFlamino-Plas\AppData\Local\Temp\Temp1_install_sw4stm32_win_64bits-v2.9.zip\install_sw4stm32_win_64bits-v2.9.exe [27416]
     6 C:\Windows\explorer.exe [11748] *
    Dropped Files
     1 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\notice.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532] Read by [4]
     2 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\epl-v10.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     3 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\rootfiles\about.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     4 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\license.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     5 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\feature.xml Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     6 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\feature.properties Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     7 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\epl-v10.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     8 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\about.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
     9 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\MANIFEST.MF Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    10 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\ECLIPSE_.SF Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    11 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.setup.core_1.7.0.v20170301-0747\META-INF\ECLIPSE_.RSA Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    12 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\notice.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    13 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\epl-v10.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    14 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\rootfiles\about.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    15 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\license.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    16 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\feature.xml Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    17 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\feature.properties Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    18 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\epl-v10.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    19 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\about.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    20 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\META-INF\MANIFEST.MF Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    21 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\META-INF\ECLIPSE_.SF Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    22 C:\Ac6\SystemWorkbench\features\org.eclipse.oomph.p2_1.7.0.v20170228-1751\META-INF\ECLIPSE_.RSA Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    23 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\p2.inf Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    24 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\license.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    25 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\feature.xml Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    26 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\feature.properties Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    27 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\epl-v10.html Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    28 C:\Ac6\SystemWorkbench\features\org.eclipse.mylyn_feature_3.21.0.v20160914-0252\META-INF\eclipse.inf Dropped by C:\Windows\SysWOW64\__sw4stm32_tmp\jre\bin\javaw.exe [21532]
    Thumbprint 29980eb3a288e062249b3297f6cbd022f7b2a1bd75f83a89b86157738975a691
    Digital signature certificate process based thumbprint b7092aab1ce2f805742b1ec76ed20f0a99e24604bfb43475093835b260b8b402
    Cryptoguard algorithm based thumbprint 526ad815941b02831e2ac2b2807111bb1cbd34f10959a50eabad55d95fe808c5
    Cryptoguard attacked files thumbprint 4c7f9778e8eef724cd9d4c75547839687619db36bfc32f9f3352094a4d1cbb53
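The 911 record above arrives as one flat string, which makes the triage questions (what was detected, which process triggered it, who launched it, how many files it wrote) hard to answer by eye. The parser below is an added example, not Sophos code or anything posted in the thread; it runs on a constructed, shortened record with placeholder paths (C:\tmp\..., C:\Ac6\features\a\..., a zeroed Thumbprint) that follows the same layout, and on a real machine the text would come from the Application event log instead.

```python
"""Triage helper for a HitmanPro.Alert / CryptoGuard Event ID 911 record: added
example, not Sophos code. Pulls out mitigation, detection, triggering process,
its parent chain and how many files each traced process dropped."""
import re
from collections import Counter

# Constructed, shortened record with placeholder paths, modelled on the 911 layout.
SAMPLE_911 = (
    "Mitigation CryptoGuard V5 Policy CryptoGuard Timestamp 2023-08-08T14:42:54 "
    "Platform 10.0.19045/x64 v2325 PID 21532 Enabled 0000000000000001 "
    "Application C:\\tmp\\jre\\bin\\javaw.exe Created 2023-08-08T14:42:04 "
    "Modified 2017-09-06T03:41:49 Description Java(TM) Platform SE binary 8 "
    "Filename C:\\tmp\\jre\\bin\\javaw.exe Detection Generic.Ransom.N "
    "1*C:\\Ac6\\features\\a\\notice.html Created L0, Write T9216 H9013|^91700|^b10224 #1 "
    "2 C:\\Ac6\\features\\a\\about.html Created L0, Write T1536 H1434|^13762|^b2018 #2 "
    "Process Trace 1 C:\\tmp\\jre\\bin\\javaw.exe [21532] * \"C:\\tmp\\jre\\bin\\javaw.exe\" "
    "-jar \"C:\\tmp\\setup.exe\" 2 C:\\tmp\\setup.exe [26528] setup.exe "
    "3 C:\\Windows\\SysWOW64\\cmd.exe [28128] * cmd /c autorun.bat "
    "4 C:\\Windows\\explorer.exe [11748] * "
    "Dropped Files 1 C:\\Ac6\\features\\a\\notice.html Dropped by C:\\tmp\\jre\\bin\\javaw.exe [21532] Read by [4] "
    "2 C:\\Ac6\\features\\a\\about.html Dropped by C:\\tmp\\jre\\bin\\javaw.exe [21532] "
    "3 C:\\Ac6\\features\\a\\feature.xml Dropped by C:\\tmp\\setup.exe [26528] "
    "Thumbprint 0000000000000000000000000000000000000000000000000000000000000000"  # placeholder
)

def parse_911(text):
    # Three sections: header with the attacked-files list, Process Trace, Dropped Files.
    head, _, rest = text.partition(" Process Trace ")
    trace_txt, _, dropped_txt = rest.partition(" Dropped Files ")
    dropped_txt = dropped_txt.split(" Thumbprint ")[0]
    def grab(pattern):
        m = re.search(pattern, head)
        return m.group(1) if m else None
    # Trace entries read "<n> <path> [<pid>]" (+ optional command line); entry 1 is the detected process.
    trace = [(p, int(pid)) for p, pid in
             re.findall(r"(?:^|\s)\d+ (\S+) \[(\d+)\]", trace_txt)]
    dropped_by = Counter(f"{p} [{pid}]" for p, pid in  # files grouped by writing process
                         re.findall(r"Dropped by (\S+) \[(\d+)\]", dropped_txt))
    return {
        "mitigation": grab(r"Mitigation (.+?) Policy "),
        "detection": grab(r"Detection (\S+)"),
        "application": grab(r"Application (\S+) Created "),
        "pid": int(grab(r"\bPID (\d+)") or 0),
        "process_trace": trace,
        "dropped_total": sum(dropped_by.values()),
        "dropped_by": dict(dropped_by),
    }

if __name__ == "__main__":
    print(parse_911(SAMPLE_911))
```

The `dropped_by` grouping is the field that matters for a record like this one: when a single process in the trace accounts for nearly every dropped file, that is the bulk-write behaviour the reply attributes the detection to.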
  • Thank you for following up. 

    It looks like the detection was raised due to the large number of files dropped onto the system by javaw.exe. 

    Have you tried creating any exclusions to allow the app? 

    Kushal Lakhan
    Team Lead, Global Community Support